Meeting 3hr

meeting time: monero-project/meta #709

1. greetings

hello

hello

Hi there

Hi

o/

Hi

Hello

Hello

2. updates; what is everyone working on?

hello

me: working on seraphis enote scanning workflow, and in the middle of a detour to rework the tx building workflows for this gist.github.com/tevador/50160d160d2…ment_id=4176179#gistcomment-4176179

Me: lots of travel this last week, but continuing to work on feature engineering. Neptune is helping me out with setting up a database with all references to decoy occurrences on chain.

mainly been working through understanding the changes to the server code in 7760, stepping through old and new code with provided tests + setting up my own mini boost asio test env to figure it out. taking me quite a bit to get up to speed with boost asio but making progress

I will hand my first delivery for the first part of my ccs next week. I believe I understand MLSAG and the first rangeproofs. I will be working on CLSAG and Bulletproofs next month. Meanwhile, I have been scanning the blockchain looking for some leaks or strange things that could lead to inflation. I have to thank gingeropolous because now my work is much faster as I have access to some computing resources :)

Doing some statistical analysis of personal characteristics that are associated with using cryptocurrency as a means of payment, based on the U.S. Federal Reserve's recently-released Survey of Household Economics and Decisionmaking 2021 microdata. Preliminary results suggest that financial marginalization is positively correlated with use of cryptocurrency as a means of payment in the U.S., somewhat to my surprise. I think I can

push something out by tomorrow.

thanks for the updates

3. discussion, anything to discuss?

I've been busy preparing the 1st milestone of SolOptXMR with endor00 . After this, I'll return to my decoy task.

Do you expect any more changes to #8149, or do you think it's complete now? Was somewhat surprised to see how much changed 2 days ago.

For seraphis, I want to emphasize that the update I mentioned basically kills collaborative funding and isolated enotes. Those were both mostly 'nice-to-haves', so while unfortunate I'm not that sad. My multisig verification code is a lot easier with this.

rbrunner: no more changes. I rolled back some stuff I shoved in their since it was out of scope.

there*

Ok, thanks

dangerousfreedom: Thanks. Any non-uniformities in the transactions that are in the cryptography (like you have already found) can be beneficial for identifying nonstandard wallet implementations. So keep collecting them :)

does anyone have more opinions about monero-project/monero #8351 ?

UkoeHB: can you give a refresher description of isolated enotes/what functionality would be lost as a result?

Thanks, so far I have some issues with these stealth addressess being outside the prime group. They can be members of ring signatures later and then compromise fungibility... yeah give your thoughts

UkoeHB: Is collaborative funding something that the underlying cryptography would still support, i.e. is this just a wallet implementation simplification?

jberman[m]: 'isolated enote' means creating an enote without any surrounding context (no other tx outputs, no tx inputs). There are no known tx engineering protocols that could use that. Now you need to know the full input set when defining your enotes (or block height for coinbase txs).

Rucknium[m]: previously, collaborative funding could have an easy interface (so it could be supported by the core wallet API), but now you need an interactive protocol between all tx participants (which won't be supported by my PoC, and shouldn't be supported by the core wallet).

so yes, it can still be done, but it's harder and more constrained

Collaborative funding being... Alice and Bob both sign a ring in the same tx ?

moneromooo: yes

From what I can grasp right now, I agree with that trade-off: Robust core protocol trumps nice-to-have features as this one

wouldn't collaborative funding be interactive by definition either way? little confused on that

jberman[m]: old version: define outputs, publish output set proposal, anyone can send in partial inputs funding the output set; new version: define destination set, define input set, finish defining outputs as function of inputs, make partial inputs, complete tx (so you need to interact with other input contributors + the output set definer in order to make input sigs)

Does Seraphis use bulletproofs ?

moneromooo: yes

When I coded collaborative inputs, it turned out it was impossible (as far as Sarang found) to create the BPs without leaking the real spends to other funders.

not sure why that would be

I couldn't tell you, sorry. I'm just a code monkey :)

but yeah it does take some careful thought to prevent info leaks

moneromooo: was it MoJoin?

Oh I think it might have taken that name at some point...

I don't remmeber the timeline tbh.

the TxTangle protocol in ZtM2 is an evolution on MoJoin, you'd probably need something like that to get collaborative funding with seraphis (maybe a bit simpler though)

Anyway, the reason I mentioned this is (1) it'd be nice to get it and (2) if we use BP anyway, it's already DoA due to the leak anyway so no big loss.

Unless someone found a way to avoid the leak since then.

it would need to be a third-party solution like atomic swaps

Losing that collaborative funding flow does seem a bit of an unfortunate loss. sounds like the old could enable a nicer crowdfunding model (something Rucknium has brought up in the past about an approach to CCS that doesn't involve trusted parties e.g.)

yeah it was originally inspired by Rucknium[m]'s comments

FWIW, BCH's Flipstarter is basically a third-party implementation. The first generation version of Flipstarter needed some software running on a VPS for the Flipstarter "host" and a plugin on the Electron Cash wallet for donors.

Any other topics people want to discuss?

ok I think we can close it out here; thanks for attending everyone

Does anyone have any ideas on "sanity checks" I can run on this Federal Reserve Household Economics data? Basically, what characteristics might we assume be correlated with use of cryptocurrency as a means of payment? I have checked education degree (computer science is the only statistically significant degree associated with use of cryptocurrency as a means of payment) and willingness to take risks (yes, it's positively

correlated).

nvm meeting continues lol

I want to make sure that the data is not just random responses. So far, the data seems legit.

Also, use of cryptocurrency as a means of payment is associated with lower life satisfaction. That's consistent with everyone's personal experience, right? :P

Usage in DNMs/association with crime, maybe? But I don't know if/how that could be measured

I'd expect predominantly men age ~18-35

Would be nice to be able to compare fiat usage in criminal activity (as a means of payment) vs crypto criminal activity

UkoeHB: Yes, youth and male are associated with use as a means of payment. In fact, I'm using age in most of my regressions since financial marginalization and age are also likely correlated, so I don't want to introduce omitted variable bias.

Maybe crypto usage vs "tech skills" (not as a degree, but general tech savyness)

<Rucknium[m]> "Does anyone have any ideas on "..." <- How it can be used for cryptocurrency development in the best case ?

endor00: There is a question on device type that was used to complete the survey. So I can look at that. On DNM: I didn't see anything relevant in the data dictionary on that.

dspringer71: Adoption is arguably as difficult as protocol development. We don't understand adoption well. Once it is understood, maybe we can figure out ways to promote it.

Wider adoption improves the anonymity set, enhancing privacy.

I'd predict that adoption is anti-correlated with promotion lol

Rucknium[m]: Goals of project aren't compatible with wider adoption

Why wouldn't they be?

UkoeHB: Maybe we can eventually test that hypothesis!

Rucknium[m]: that would really be something to see

I guess 'grassroots' promotion would be forward-correlated, and any 'centralized' promotion would be anti-correlated.

Oooh, what about usage in large urban areas vs rural areas?

UkoeHB: are there any link to the most comprehensive benchmark for view tag available somewhere ?

although the causal order between adoption and grassroots promotion is worth pondering

Rucknium[m]: "likes privacy and uses cryptocurrency to give it hard to visa/mastercard spying ops"

(about "what characteristics might we assume be correlated...")

endor00: Yes there is a question on if the survey respondent is in a metropolitan statistical area or not. I'm not sure that would be a data quality check per se, but it would be interesting.

and the failure of centralized promotion may be as much as, or more than, a symptom of deeper issues

I have low life satisfaction because I realize the world spies on me, indeed.

wow word salad: as much a symptom as a cause*

There's the good old "works in a sector that's legal but frowned upon".

Like gambling, sex, weapons.

(depending on your jurisdiction

moneromooo: Interesting idea. There are some questions in the survey that may capture how much trust survey respondents have in government and business institutions.

There are some questions on occupation and industry. Sort of broad categories, though, so it may not have "frowned upon" activities isolated well.

An also commonly mention characteristics is "works in a rich country, but family is in a poor country, and money transfer services charge loads (except hawala)).

Might not be "payments" though, depending on how you look at it.

Is there any data about usage of the "frowned upon" services?

Oh, cannabis is a good one probably.

"works in a rich country, but family is in a poor country" <- but family is in Russia, and money transfer services don't work at all

Respondents that did not have U.S. citizenship were more likely to use cryptocurrency as a means of exchange, according to preliminary results.

Can you sell crypto for roubles in russia nowadays ?

I also have number of years the respondent has lived in the U.S. and language spoken at home, but I have not analyzed them yet.

ok we are past the hour now; thanks for attending everyone

"is an immigrant" might be, since those people often have difficulties opening a bank account in the new country.

Rucknium[m]: I don't believe that usage of surveillance data can be used for the sake of cryptocurrency promotion. Centralized money has huge advantage in access to any surveillance data.

The goal of this project is to prevent surveillance.

github is ded ^.^

Embrace, extend, extinguish ? ^_^

UkoeHB: how to check ?

seems like a good operating model

<dspringer71[m]> "UkoeHB: are there any link to..." <- poc benchmarks: github.com/UkoeHB/monero/blob/86b25…tests/performance_tests/view_scan.h + github.com/SarangNoether/monero/blo…/tests/performance_tests/view_tag.h

I don't have a good link to share on my mainnet benchmarking that arrived at 30-40%, but my methodology was:

"Can you sell crypto for roubles in russia nowadays ?" yes, lots of instant exchanges in Russia

- disconnect my node from the rest of the network

- create new wallet using old and new code, with consistent restore heights (10k, 100k, whole chain) and measure time it takes to scan

- to test view tags, I tested for equality to a static 0x00 right here: github.com/monero-project/monero/bl…c/cryptonote_format_utils.cpp#L1006

Also "self employed in a tech sector".

moneromooo: Thanks for the suggestions. I will see what the data can do.

Oh. Has a criminal record for drug usage ^_^

jberman: In my performance test for upper boundary ratio is: --max-concurrency=0 + just view tags <= 75%, --max-concurrency=0 + view tags + thread pool modification <= 71%;

Sorry for missing the meeting. I just wanted to chime in, regarding Bulletproofs, dalek's impl has collaboration and sarang has acked it IIRC.

What to add for potential -40% ?

as in you modified the thread pool with your own code?

offline, 2000k, the rest as you did

s/2000k/2000 blocks/

Regarding that subgroup discussion, I do endorse Ristretto, as I've stated in the past, just to simplify things and end these discussions while guaranteeing security there.

jberman[m]: I mean, do you remember what was important for so big fluctuation of performance 30%, 40% ?

various block ranges produced different results. closer to 30% was more common from what I remember

why not test with concurrency?

The only way I see to get ~40% drop, is to use --max-concurrency=1; after that performance ratio is --max-concurrency=1 + just view tags <= 62%, --max-concurrency=1 + view tags + thread pool modification <= 62%;

did you do something like this or it was just fluctuation due to different ranges of scanning ?

I did test with concurrency enabled/disabled as I was working on it, but the 30-40% was with concurrency enabled with my machine's max (8 threads)

jberman[m]: Did you disable turbo boost on that machine ?

the fluctuation between 30-40% was just over different block ranges

nope

jberman[m]: probably this then

I also added isolated test for txs with different number of destinations: std / subaddr

and it shows the same ratio 75% as in wallet2 without thread pool test, so everything in accordance with theory

when you say ratio 75%, you mean 10s -> 7.5s, right?

yes, fastest / slowest

"monero-project/research-lab #73#issuecomment-634961245", this 60% is for tx with 2 outputs including change or not including change ?

In isolated test I get 75% (124ms / 144ms) for 2 outputs including change, 66% (124ms / 188ms) for 2 outputs excluding change (so it's 3 outputs in reality)

No questions regarding performance savings except for enabled concurrency and 40% with different block ranges 10k, 100k, whole chain (maybe will test too, but I doubt that I will reproduce it)

In theory it's possible if older outputs have only std addresses in destinations, since this is case of the most performance benefit

But it isn't applicable to fresh data (2000 fresh blocks shows ~71% ratio)

<kayabanerve[m]> "Regarding that subgroup discussi..." <- Maybe Ristretto would be overkill. I am not an specialist (yet :p) but if we ensure that only Points of our subgroup are stored in the blockchain we don't need to make big modifications and would play safe. What do you think?

I think you don't know what Ristretto is :p

But you may and simply believe the series of ed25519consensus rules is sufficient

kayabanerve[m]: Not much :p

dangerousfreedom: It's solely a point encoding

It's the same exact curve and scalar field.

But all points are encoded canonically and decoded canonically.

dangerousfreedom: check out the Ristretto section in mechanics of mobilecoin

There is edcon, which is a series of rules, no torsion, not above curve order, etc, and I believe they end up slower than ristretto as they're ecc ops themselves

Yeah, the thing is the speed. Thats what I meant. We don't need to touch the cryptography schemes if we ensure that the recorded points are in this subgroup.

And ristretto does have a slight performance penalty but it ends this discussion .-.

dangerousfreedom: I mean, it's much more than that, and I wouldn't be surprised if a torsion check is slower than ristretto with the rest of the rules

UkoeHB: do you happen to know?

I think Ristretto is quoted at 5% or so and I'm unsure how the scalar mul compares

Oh. It's also faster to test equality

dspringer71: try block height 2484065, restore height 2459065

kayabanerve[m] don't know

I'll write a snippet now

13ms R encode... (full message at libera.ems.host/_matrix/media/r0/do…fc22b1e2148999828f54b140743b7ae6863)

UkoeHB:

> <@kayabanerve:matrix.org> 13ms R encode... (full message at libera.ems.host/_matrix/media/r0/do…a1d970fc56f783ca1843733f0075fd9340a)

1000 runs per op. Two runs each with the same results for all except inv 8, 8 was 288ms on its first. Rust dalek debug.

kayabanerve[m]: would be interesting to know the proportion of tx verification cost used by encoding/decoding

hard to get that data though

Or what is R and E?

dangerousfreedom: That should be theoretical numbers capable of comparison. Subgroup checks, as monero does them, increases decode 24x

kayabanerve[m]: monero's subgroup check is to mul l

So it's ~50% slower encode with 25% slower decode but it's 20x faster in subgroup decode

UkoeHB: Yeah but we don't actually do that .-.

Like BP data is inv 8 8

for key images it's mul l

Though tbf, if sender inv 8, this is just a series of doubling which should be performant

BP points are pre-multiplied by inv 8

UkoeHB: Fair. I'll get numbers simply 8 and l

dangerousfreedom: 18ms with 8. Still slower.

Considering this is constant time, the 286 - 18 should be the scalar mul speed. That means by l would be 268ms per 1000.

> <@kayabanerve:matrix.org> 13ms R encode... (full message at libera.ems.host/_matrix/media/r0/do…f1f7dfee51559ed5487b99f0b51b01b7575)

So dalek places Ristretto as more performant than cofactor mul and far more performant than any scalar mul, as done by senders and for key images

Monero also constantly encodes/decodes, which is idiotic, yet we can do Ristretto over the wire and Ed25519 internally so we get the benefits of Ristretto without decreasing performance. Proper scalar/point type usage would speed both up equally after that

So no matter what the subgroup guarantee is, Ristretto is always more performant, and I assume it'll be more comprehensive in a lot of ways. We no longer have to add additional checks for points. We just have it. The end.

There's also libs from C++ to Rust to Python to JS to Zig

So when everyone just uses wallet2, and then people who do rebuild wallet2 still have the necessary options... I don't see this as unsupported, bleeding edge crypto. It's established, with an IETF draft, accepted, and supported

jberman: would also speed up wallet scanning time 👀 The ECDH are 8Ra. This would make it *just* Ra with a smaller penalty to extra parsing

Anyways. I said I'll take a stab at adding Ristretto to koe's work when I had a chance, and have been busy with a few things. I'll try to re-prio time for that...

kayabanerve: Nice comments. I read some stuff that there are some possible attacks when you multiply stuff outside the subgroup. I didnt go deep into the details but do you believe it is safer also or only faster?

<dangerousfreedom> "kayabanerve: Nice comments. I..." <- Ristretto's safety is faster than our current safety. Globally using safety means we can never forget about it or have oversights.

Right now, Bulletproofs are doing mul by cofactor to correct for out of subgroup. Key images aren't corrected yet are verified to be in subgroup. Then we have > order checks when decoding and a -0 check. Output keys used to not even be checked to be points and I think they're now solely required to be decodable points.

Which presumably would be < order, not negative zero, yet in any subgroup

It's an uber sporadic series of checks creating a ton of edge cases which now that I think about it, probably break my code as currently written .-.

Ristretto would be a uniform set of rules applied to all points removing these questions and concerns though.

Oh. I think ristretto also has batch decoding... I'd have to check if ed25519 does before claiming that as an advantage though

*that is not distinct to ristretto