-
real_or_random
not sure if people have seen this paper already
eprint.iacr.org/2022/132
-
UkoeHB
have not, thanks real_or_random
-
Rucknium[m]
No. This looks like groundbreaking work.
-
Rucknium[m]
> Specifically, assuming two conjectures on certain distributions of random directed graphs (digraphs)
-
Rucknium[m]
> which we support by providing empirical evidence, we show that if the number of decoys _k_ of a partitioning
-
Rucknium[m]
> sampler is set to
-
Rucknium[m]
> k >= ln(2* |U|) + sqrt(2 * ln(2 * |U|))
-
Rucknium[m]
> then [some math]. In other words, a graph-analysing attack is at most twice as successful as a trivial attack does.
-
Rucknium[m]
And U is defined as...
-
Rucknium[m]
> In applications, it is common for a human user to own many pairs of public and secret keys. Nevertheless, to simplify terminologies, we will refer to a public key as a “user” and use the notation U to refer to the set of users (public keys) where signers belong to and where decoys are sampled from.
-
Rucknium[m]
If U = 1,000,000, I'm getting ln(2*U) + sqrt(2*ln(2*U)) = 19.895
-
Rucknium[m]
So ring size only 20 (?)
-
merope
There's a bit later on where they look at "Black marble attacks" (i.e. an active malicious observer creating transactions to partially deanonymize rings)
-
merope
7.2
-
merope
Though I wonder how this interacts with "chain reactions"
-
moneromooo
I wonder what a partitioning ring sampler is. No obvious hits searching for it, though I see eprint.iacr.org/2020/1550 pop up, which studies with those (similar authors).
-
moneromooo
Anyone know what they are?
-
moneromooo
Its definition is fairly tautological (to me).
-
UkoeHB
I think you literally take a contiguous set of outputs and reference all of them
-
moneromooo
Thanks. So... binning, with a single bin?
-
UkoeHB
oh nvm, you randomly select from a segment
-
UkoeHB
so yes, binning
-
UkoeHB
randomly select from within a bin (which is selected from the set of all bins according to some other distribution, which could be non-uniform)
-
UkoeHB
My deterministic binning proposal is a combination of the 'mixed' and 'partition' strategies (mixed-style multiple-partition selection, uniform within a partition).
-
UkoeHB
1. greetings
-
UkoeHB
hello
-
ArticMine
Hi
-
mj-xmr[m]
hi
-
rbrunner
Hello
-
xmr-ack[m]
Hola
-
gingeropolous
oh hai
-
jberman[m]
howdy
-
Rucknium[m]
Hi
-
UkoeHB
2. Today I don't think there are any pressing agenda items. Let's start with updates. What has everyone been busy with?
-
mj-xmr[m]
I've done a review for Ruck's paper over the weekend.
-
Rucknium[m]
I have a draft of the MAGIC Monero Fund research request for proposals. Suggestions/edits welcome:
-
Rucknium[m]
I think we will approve a final draft by early next week and start accepting applications.
-
xmr-ack[m]
I’ve been working on the dataset collection part of my research project. Have 5 servers right now running a collective 900 wallets that are transferring testnet xmr back and forth. I’ve also been working on polishing up a script to extract all the transaction metadata using xmr2csv and the native monero-wallet-cli exporter. Hopefully will have a full dataset by the end of the month and then can start neural network design.
-
jberman[m]
reviewed the fee change PR, will be re-reviewing changes today, and various monero-lws related stuff (thinking through subaddress support, submitted a first pass general review of the code, getting a docker image set up)
-
ArticMine
Very good catch on the fee PR
-
UkoeHB
me: After a couple weeks of work I now have unit tests running on the main part of jamtis (along with some refactors of my seraphis library). I am pretty satisfied with the library as it is now (although it is missing multisig stuff, which I won't add until PR 7877 is merged - getting close on that one, I just need to do a little cleanup and get final approvals from h4sh3d and vtnerd). My next steps are implementing some grootle proof optimizations that the Firo team found, rerun perf tests for that, then start thinking about the larger wallet PoC (I might make a new CCS for this, since I used up all my hours on the previous one).
-
Rucknium[m]
UkoeHB: There were some things brought up on Reddit recently regarding how the address format change will affect future improvements. Do you have any insight on whether the Seraphis address change can be compatible with something like Zcash's Halo2 down the road?
-
UkoeHB
No idea
-
UkoeHB
If there is anyone out there who actually understands Halo2, would be nice to learn/hear from them... I don't recall ever seeing such a person
-
rbrunner
Even without knowing any details, strikes me as improbable, with all those specific keys in the public Seraphis addresses, but yeah, who knows
-
jberman[m]
I thought one of the critical ideas of Seraphis' tx modularity was to possibly enable an easier swap-in of something like full-chain membership proofs
-
UkoeHB
It would be ideal if we could layer their proving stuff on top of Seraphis, to do the membership proof piece without changing anything else.
-
rbrunner
At least some people there were worried about changing their public Monero addresses yet again if we switch to something post-Seraphis later
-
UkoeHB
But 'Halo2' is a quite opaque word lol, so who knows
-
rbrunner
And there I think it's improbable to keep addresses and switch to very different proofs underneath
-
UkoeHB
Yep it's certainly possible, though I wouldn't really expect anything like that for another 3-5 years at least.
-
rbrunner
May depend on how positive a light one sees Seraphis :)
-
rbrunner
"Grass always greener over there"
-
rbrunner
In any case we will collect experience with the address change ...
-
UkoeHB
yep...
-
rbrunner
Just a thought: It is probably possible to write a tool that calculates a Seraphis address for a given private key, maybe quite soon, right?
-
UkoeHB
Does anyone have anything they want to discuss? Questions? Concerns?
-
UkoeHB
rbrunner: I think tevador was working on test vectors...
-
rbrunner
Interesting.
-
UkoeHB
Uh if someone wants to take my library and add a PoC for generating public addresses, that might be fine
-
rbrunner
Code is there then already?
-
UkoeHB
Public addresses are a bit higher on the stack, so I haven't looked at it yet
-
UkoeHB
But I have code to generate the address points.
-
rbrunner
Was just thinking it may help in the address switch process if people were able to publish their new addresses months before the hardfork already, to seed them wide and far
-
mj-xmr[m]
UkoeHB: Minor and somehow related to @maxwellsdemon 's adaptive mining proposal: I'll be building a small solar battery island as a test bed for the prediction (via tsqsim) of solar irradiation and battery load / drainage. The prediction will serve as an input signal to whatever controls the mining intensity.
-
UkoeHB
Well there might be format changes, so I think it's better to wait a while for that rbrunner
-
rbrunner
Yes of course. That's probably next year's stuff. Just thinking ahead :)
-
UkoeHB
mj-xmr[m]: I see
-
gingeropolous
what's the word on memo fields / tx_extra?
-
Rucknium[m]
What I like about the "On Defeating Graph Analysis of Anonymous Transactions" paper posted earlier is that it starts to get at the question of how many ring members is "enough", at least to defeat specific types of attacks. So if Seraphis gets us to "enough", then that would be great. If it doesn't, then we should still be thinking about the next generation + 1
-
UkoeHB
gingeropolous: what word?
-
rbrunner
A long time since tx_extra came up the last time, as far as I remember
-
gingeropolous
well i guess the question is whether jamtis has a useful memo field that can be done in a way that keeps all txs uniform
-
UkoeHB
like encrypted or something?
-
UkoeHB
I was planning to use the existing tx_extra strategy, with some additional rules about formatting (sorted TLV, like I have been preaching for years).
-
Rucknium[m]
Regarding understanding Halo2, I have found Zcash developers are generally willing to explain things, on their Discourse forum or their R&D Discord. Maybe they could tell us what sort of restrictions apply to their address format.
-
UkoeHB
Also, moving the tx pubkeys out of the tx_extra into a dedicated vector.
-
rbrunner
What does "TLV" mean?
-
UkoeHB
type-length-value
-
UkoeHB
tx_extra is already tlv
-
UkoeHB
by convention*
-
gingeropolous
ok, so as of now, tx_extra will live on as it is and possibly harbor fingerprints if ppl glob it up with stuff
-
zkao
we're using TLV in farcaster for the peer messages
-
UkoeHB
gingeropolous: yes
-
gingeropolous
then that's the word :)
-
rbrunner
By the way, just saw that Halo2 isn't even live on mainnet yet: "The new mainnet activation target is April 18, 2022."
-
UkoeHB
don't they have it on testnet?
-
rbrunner
Yes, that.
-
UkoeHB
do they actually have public code for everything?
-
rbrunner
Never checked
-
gingeropolous
Rucknium[m], can u link that pdf again for "On Defeating Graph Analysis of Anonymous Transactions"
-
gingeropolous
please :)
-
jberman[m]
this seems a decent resource on halo2:
zcash.github.io/halo2
-
gingeropolous
danke
-
gingeropolous
getting to "enough" would be .... great :)
-
UkoeHB
Btw, there has been some effort by Firo/Mobilecoin toward confidential assets, if anyone is interested:
mobilecoinfoundation/mcips #25#issuecomment-1033194827.
-
UkoeHB
Basically, it can be done extremely cheaply but runs into problems with tx fees.
-
gingeropolous
is this like creating your own tokens on the monero chain or something?
-
UkoeHB
yeah
-
gingeropolous
and so the great compromise of 2022 left us with 1.7 ..... ?
-
UkoeHB
fee scaling? yes
-
Rucknium[m]
FYI, some people are also developing something similar on Zcash called Zcash Shielded Assets (ZSA).
-
UkoeHB
oh yeah thanks Rucknium[m]
-
rbrunner
Don't want to miss the DeFi train, maybe. Too much money sloshing around in attempts to find a home ...
-
gingeropolous
lulz
-
rbrunner
And when can I finally have NFTs on the Monero blockchain? It's about time :)
-
UkoeHB
I think fees can be solved by requiring you add some base-asset inputs/outputs to all asset transfers. So a tx would have a 'base asset transfer' section and 'extra asset transfer' section.
-
UkoeHB
Realistically, miners can't be expected to care about random assets people make, so fees should always be in the base asset.
-
gingeropolous
yeah
-
UkoeHB
rbrunner: It doesn't help with scaling though... imo we should maximize the utility of one asset.
-
gingeropolous
oooh, i know a fun one for the last 5 minutes. any new ideas on the 10 block lock thing?
-
UkoeHB
no
-
UkoeHB
ok lol I think we can call it here
-
UkoeHB
Thanks for attending everyone
-
gingeropolous
thanks UkoeHB !
-
Rucknium[m]
How useful would it be to reduce the lock to 5 blocks? How often have we had a 5 block reorg? Sounds like a research question.
-
gingeropolous
i think noncesense may have reorg #s
-
gingeropolous
although as blocks get bigger those #s could change
-
dEBRUYNE
<UkoeHB> Basically, it can be done extremely cheaply but runs into problems with tx fees. <= What exactly is the issue with tx fees in this approach?
-
UkoeHB
I guess the basic problem is you can't hide you are transferring a special asset, because you need to separate base asset transfers (for fees) from special asset transfers, within the same tx. Also, you can't use special assets for fees without revealing the asset ID.
-
UkoeHB
I guess ideally you could do a multi-asset balance proof that hides all the assets, while providing a fee in the base asset. Idk if it's possible/practical though.
-
UkoeHB
The nice thing is you can hide which outputs in the chains have a special vs base asset, and you can do asset-type-agnostic membership proofs.
-
jberman[m]
I'm having a hard time grokking how initial issuance of the different confidential asset types work
-
UkoeHB
You'd specify a new output type 'asset issuance', which must make a unique asset id and define the total supply of the new asset. Then add a big fee on top to discourage spamming new asset ids.
-
zkao
UkoeHB: sipa had this argument that these assets are parasitic to the mainchain, compete with the mainchain native asset, and add no value to it. btw 3 years ago people were paying bitcoin network fees on their credit cards to unstick txs. maybe that happened because of the network centralization
-
UkoeHB
yeah I agree they compete
-
UkoeHB
however it's at least fun to see how it can be done elegantly :)
-
jberman[m]
UkoeHB: "you" as in the user? or "you" as in the protocol? who's "you" here
-
UkoeHB
the protocol would have a new output type, to make a new asset you construct such an output
-
jberman[m]
so in theory, I as a user can use XMR as my input, and construct USD tokens as output (so long as the protocol supports USD output types), and no one would know what the input types and output types are in the tx?
-
UkoeHB
Yes, although the XMR wouldn't be burnt. The XMR part would just be for fees.
-
UkoeHB
The key is once you generate a certain asset, it can't be generated again (fixed supply).
-
UkoeHB
Wait I got confused. There would not be any cross-asset conversions.
-
UkoeHB
It's just a parallel asset transfer system hidden within the main asset transfer system (XMR).
-
jberman[m]
so I tag an XMR output as being asset Y, and then all outputs that stem from asset Y in the future are henceforth also asset Y? something like that?
-
UkoeHB
right
-
zkao
i think the argument was: miners are rewarded in the native asset, and this asset must have a utility, which typically is this asset is used as cash in this payment system and for fees. if u add new assets, that are not rewarded to miners (=no added security to the network), then non-native asset txs compete with the native asset txs for block space (reduce the utility of the network that is used to secure the blockchain).
-
zkao
* reduce utility of the native asset that is used to secure the blockchain
-
dangerousfreedom
> <@rucknium:monero.social> I have a draft of the MAGIC Monero Fund research request for proposals. Suggestions/edits welcome:
-
dangerousfreedom
Awesome! I hope I can help someday when I finish building my tools and this other problem that I am very motivated to work on about inflation (that hopefully will benefit some people also)