05:47:31 Hello. Here's a "demo" of how the key image bug works: https://github.com/coinstudent2048/junks/blob/master/key_image_bug.py 05:47:31 dangerousfreedom the "simplest mitigation" part is what we can add in your checker. This is the use of the feature I added in `dumber25519 . py`. 13:56:46 > <@coinstudent2048:matrix.org> Hello. Here's a "demo" of how the key image bug works: https://github.com/coinstudent2048/junks/blob/master/key_image_bug.py 13:56:46 > dangerousfreedom the "simplest mitigation" part is what we can add in your checker. This is the use of the feature I added in `dumber25519 . py`. 13:56:46 Awesome! I will check what you did and create a section on the pre-ringCT explaining it (and citing you of course). Thank you very much coinstudent2048 ! 14:57:46 Meeting 2hr 17:00:22 meeting time https://github.com/monero-project/meta/issues/682 17:00:22 1. greetings 17:00:22 hello 17:00:30 Hi 17:00:35 Hi! 17:00:44 yoroshiku! 17:00:52 howdy 17:01:22 Hello 17:02:47 Hi 17:03:10 2. updates, what is everyone working on? 17:04:50 I think I understand MLSAG signatures now :) I will soon start writing about it. Can I use some of your phrases in ZtM, Koe ? 17:05:15 go for it 17:05:44 I'm currently looking through xmr-ack's current work to see what kind tx fee analysis I can contribute 17:06:09 hi 17:06:14 should have something neat to share in a couple weeks 17:06:35 My effort to uncover nonstandard Decoy Selection Algorithms (DSAs) by partitioning transactions by `unlock_time`, `tx_extra`, etc. has been bearing fruit. Not ready to share publicly yet. I think we should seriously consider enforcement of a standard DSA at the node rebroadcast-level in the hard fork after this upcoming one. 17:07:31 Eventually I hope to understand UkoeHB 's "deterministic" ring member selection proposal here: 17:07:31 https://github.com/monero-project/research-lab/issues/84 17:08:57 me: Still plugging away at seraphis multisig tx builders. I've been thinking about some software design ideas like correct by construction and validating preconditions. Multisig tx builders have this problem where a malicious participant could provide a malformed piece during a tx building ceremony that doesn't cause a failure until the final step. Trying to duplicate all tx semantic rules into custom semantic checkers 17:08:57 isn't robust/easy, and isn't easy to extend to match hard fork rule changes. 17:09:11 I am also reading a bunch of statistical methodology papers. 17:10:06 Me: I'm currently processing a preliminary dataset using gingeropolous server in hopes to start heavily focusing on feature engineering and also writing up my progress report for MAGIC 17:13:25 Me: on a "background sync mode" where the client uses just the view key to scan for incoming tx's that can be enabled/disabled, I was unsure (and am now more sure) how to proceed in a way that makes the feature most useful for a mobile wallet in practice. I believe upon enabling the mode, wiping the spend key from memory would be a tangible security improvement if e.g. a user has been idle for a long time. Can see my thoughts 17:13:25 here: https://github.com/m2049r/xmrwallet/issues/785#issuecomment-1067482984 17:13:53 Maybe more -dev than -research-lab not sure 17:15:52 I've also spent some time studying the multisig stuff again. I hope to eventually be able to provide a valuable review on this work some day in the near future and fully understand the attacks it is mitigating, though I'm still a ways off in my training. So I'm studying it more in my free time to try to "get there". I will probably get back over to reviewing other PR's (like rbrunner 's reducing trips to daemon PR) today 17:16:17 Hurray :) 17:16:39 3. discussion, any topics to discuss, questions, comments? 17:16:53 I do have a question I was curious about 17:18:18 With Seraphis, which is a massive change which will require new keys already, why not take advantage of the breakage and move to Ristretto? 17:19:20 Our entire crypto library is geared to ed25519, it would be a massive undertaking to implement an entire new library. 17:19:52 and we would have to keep the "old" one anyway. We would carry around two libraries, right? 17:20:26 Do you mean from an optimization standpoint regarding the various types with various properties? Or from an existence standpoint? Because it wouldn't be an entire new library vs just changing the frombytes and tobytes functions 17:21:03 rbrunner: And because of this, adding new from/to bytes functions 17:22:19 Was just thinking that "taking advantage of the breakage" is relative if you basically double the crypto code ... 17:22:22 I do understand not wanting to add extreme levels of technical debt. I just, immediately, don't actually believe it has any significant level of debt as it's functionally an encoder/decoder over Ed25519 and not actually a new curve 17:23:25 The win would be some speedup, I guess as a (still) crypto noob? 17:23:56 rbrunner: Thankfully not the case. I think the main issue post-impl would be the existing rct::key type would have to be deprecated for seraphis::key as rct::key is already encoded and uses the existing encoding functions. It's just a slight annoyance 17:25:19 Is maxwellsdemon here? 17:26:02 Ristretto removes torsion and guarantees canonical encodings at all times. It prevents two Ed25519 libraries from disagreeing on signatures if a signature isn't normal because everything must be normal. While Monero doesn't use traditional signatures, already bans torsion and canonicity, and isn't really looking for a multi node future, I just personally believe canonicity may be one of the most important things in 17:26:02 cryptocurrency and that ristretto is the way to do it for ed25519 17:27:06 Sightly faster equality checks, sightly slower encode/decode IIRC. It's basically just those pair of functions over an Ed25519 lib and we'd still keep all the Ed25519 arithmetic and point types. 17:27:17 I personally don't have the time/bandwidth to implement Ristretto. If someone can present a fully-featured library of manageable size that interfaces with the existing Ed25519 ops, then I would consider converting the existing seraphis library to use that. 17:27:35 It also voids the need to multiply by 8 and I think I saw an issue saying small scalar multiplication wasn't optimized. 17:27:54 UkoeHB: Got it. Completely understandable. Thanks for the heads up 17:28:46 Ristretto requires that group elements only be constructed by decode and from_uniform_bytes. So, hash to point would need updating as well 17:29:13 iirc the dalek ristretto library has a hash to point algorithm 17:29:26 Yeah, we have tons of code to implement and rework for Seraphis anyway, I am already dizzy thinking who will do all that, maybe moving even more is a luxury we simply can't afford ... 17:30:07 If I have time (haha) I plan on writing my implementation to be ablr to use both 17:30:16 as nice as it would probably be 17:30:34 Ristretto specifies Elligator 2 as THE hash to curve algorithm 17:30:54 I am not an optimize coder so there wont be a perfect comparison 17:31:15 While I think it'd be great for XMR to standardize on a modern hTC it should be possible to preserve the existing one and its benefits 17:33:21 rbrunner: I'll probably step up here when I have a moment and given how people use wallet2 all the time, this will hopefully have minimal impact on wallets. For tooling, they'll need to update as they already did, but there is R for C/C++, JS, Rust, Zig... 17:34:02 Maybe we will replace wallet2, just saying :) 17:34:10 And I'm actually not sure if the existing hTC has benefits over Elligator. It just should be technically possible to keep it 17:34:26 I can't wait for wallet4 personally 17:34:53 :) 17:35:09 Is there anything useful / sensible to discuss in this forum regarding hardfork preparation, and as preparation of Saturday's dev meeting? 17:35:20 mul8 does three doublings. It's fast AFAIK. 17:35:54 Got it. That may just be other small scalars then or I may be confusing my issues. Thanks for reminding me of mul8 :) 17:36:11 yeah ristretto would probably only give us on the order of 1% performance gains 17:37:04 variable base scalar multiplication is the main expense we pay for everything 17:37:39 AIUI, the benefit of ristretto is ensuring we never forget to ensure points are in the expected subgroup (or whatever the correct term is). 17:37:55 right 17:38:07 rbrunner: don't think so 17:38:23 Alright, thanks 17:40:27 anything else people want to discuss? 17:41:31 I would find it helpful if someone(s) could help convert the C++ code for old Monero decoy selection algorithms to mathematical expressions. jberman is working on the current one. My hypothesis is that some nonstandard wallets are using the older decoy selection algorithms. 17:42:10 I can see the historical empirical distributions here: 17:42:10 https://www.monero.observer/rucknium-shares-visualizations-monero-ring-member-age-distribution/ 17:42:46 But having the mathematical expressions for them would be a big improvement since it is tough to work with the empirical estimate. And it's less precise. 17:43:14 Old as in, the triangular one ? 17:43:19 Or earlier ? 17:43:52 It was uniform and then triangular at one point, I believe. 17:44:15 Yes. Then uniform with an exception for recent outs, I forget the details. 17:45:15 I think triangular is a priority, and then any earlier ones are a lesser priority. 17:45:20 I think I saw a mathematical version of the triangular pick, but I have no idea where. IIRC smooth made that change, he might know. 17:46:19 Rucknium[m]: I think dr_overdose may be capable of that. May be worth asking if he can and would. He seemed to be interested in contributing. 17:47:17 wernervasquez: Sounds great. I will reach out. 17:51:20 Ok I think we are at the end of the meeting. Thanks for attending everyone