-
UkoeHB
Meeting 2.5hr
-
UkoeHB
oh meeting time
-
Rucknium[m]
Hi
-
rbrunner
Hello
-
neromm[m]
Hi all
-
xmr-ack[m]
Hi
-
UkoeHB
-
UkoeHB
1. greetings
-
UkoeHB
hello (sorry was working lol)
-
jberman[m]
hello
-
dangerousfreedom
Hello
-
UkoeHB
2. updates, what is everyone working on?
-
dangerousfreedom
I'm still working on writing the codes and explanations for bulletproofs. I took a week of vacation this month so I will be a about a week late to deliver my second working package. But everything is on track. :)
-
Rucknium[m]
I think I have found a solution to all the challenges in my outline of the plan for OSPEAD. I think in 3-4 weeks I will have a document to submit to the "scientific review committee". If you want to be on that committee, let me know (subject to checks on substantial involvement in the Monero Project).
-
neromm[m]
I talked to Ukoe and decided to tackle
monero-project/monero #7353 (update InProofV2 to V3) and after that implement UnspentProof as described in Zero to Monero. Will start work on it next week because I still have other things planned for this week, but will start getting the picture this week hopefully :D
-
dangerousfreedom
I'm still scanning the blockchain too and haven't found anything suspicious (I finished the MLSAG era)
-
UkoeHB
me: 1) simplified the grootle proof implementation in my seraphis library to be less generic (this makes it a lot easier to read and understand); 2) implemented a 'transcript building' system for seraphis, which at the very least makes writing transcripts a lot easier e.g.
github.com/UkoeHB/monero/blob/ddc41…aphis/sp_composition_proof.cpp#L101 ); 3) reviewed the multisig audit
-
UkoeHB
report from inference ag
test.rino.io/rino-report-20220626.pdf (no major findings)
-
UkoeHB
Rucknium[m]: are you aiming for that to be a public document?
-
Rucknium[m]
(Also special thanks to kayabaNerve and plowsof for troubleshooting an issue with MoneroResearch.info
-
UkoeHB
3. we can move to discussion
-
Rucknium[m]
UkoeHB: Part of it is OK to be public immediately when ready. For other parts of it, that will be "to be determined". I think several people (jberman, isthmus, ArticMine) are leaning toward making everything public once a solution is estimated.
-
Rucknium[m]
I'm thinking if we go full public, then I can submit it to IACR and/or something like PoPETs in some form.
-
UkoeHB
Unless your research describes how to do an active attack on user privacy, there shouldn't be any problems with publicizing your work (since it will be public eventually, unless I'm mistaken)
-
Rucknium[m]
It does describe such an attack. Well, a "passive" attack.
-
UkoeHB
elaborate? an active attack means taking some actions on the network/chain
-
Rucknium[m]
As in, observation of the blockchain data without an observer creating their own transactions.
-
Rucknium[m]
^ Did that clarify
-
UkoeHB
if it's not an active attack, then anyone can do that analysis ex post (unless you need to collect network data that wouldn't otherwise be collected)
-
Rucknium[m]
Yes, anyone could do it ex-post.
-
UkoeHB
therefore, is there an advantage to not publicizing?
-
jberman[m]
+1 I lean toward public. Even FloodXMR is an active attack and that should definitely be public
-
Rucknium[m]
The main advantage to not publicizing is that it would not directly give chain analysis entities another tool in their toolbox.
-
Rucknium[m]
Security disclosure is not my area of knowledge, so I would mostly defer to others on this.
-
UkoeHB
are you implying it wouldn't eventually be disclosed? my question is about the timing of disclosure
-
UkoeHB
I've never heard of research that wasn't disclosed eventually
-
rbrunner
Not sure, but I think we have a small number of Hacker One entries that to this day are not public
-
merope
The benefit would have to outweigh the cost - in this case, potentially endangering a significant number of past transactions
-
Rucknium[m]
It is possible to avoid disclosure, yes. The improved decoy selection distribution could be disclosed without the method of determining it also being disclosed. I know that in the past there have been severe "issues" with cryptographic primitives not having sufficient justification so as to enable "back-dooring". IMHO, these statistical issues don't work like that, but I understand why people have a concern, for sure.
-
rbrunner
It's a bit optimistic to think we can keep that secret for years, no?
-
UkoeHB
rbrunner: sure, but did those lead to major code changes with opaque justifications? (guess it's hard to know for sure)
-
merope
Perhaps the method could be disclosed a certain amount of time after the solution has been implemented
-
Rucknium[m]
Main benefits: promote additional research into this area by publishing. Other people can examine my solution. Miantain "user trust" in the decoy selection algorithm
-
Rucknium[m]
Main benefits to disclosure, that is ^
-
Rucknium[m]
The main argument for not disclosing up to now is that it doesn't make sense to disclose until we have a full solution ready to implement. But then we can re-open the discussion once we have a full solution.
-
UkoeHB
sure I suppose that's fine
-
xmr-ack[m]
I would vote for disclosure and publication once a patch is proposed and verified
-
UkoeHB
are there any other topics? any questions/comments on the multisig audit?
-
Rucknium[m]
To be clear, the attack is probabilistic in nature. For many Monero users, a probabilistic attack is not relevant to their threat models.
-
UkoeHB
'attack' might not be the right word, since it is just an analysis that exposes weakness in the decoy selection algo (to be a little pedantic :p)
-
jberman[m]
UkoeHB: what are your thoughts on the optimal path forward with multisig from here :)
-
Rucknium[m]
To continue...it is important that I have some -dev resources for OSPEAD implementation. There are still some questions about some things that are written in C++ in existing codebases. The current estimation method is slow and can be made faster with a C++ implementation. I'm wondering what jberman plans to do for his next CCS. Are you still interested in decoy work? I think mj-xmr is interested, but I wanted to see if others
-
Rucknium[m]
are too.
-
UkoeHB
at this point I'm fine with merging 8149, doesn't seem like we will get any more reviews or useful comments; would be nice to expedite a fix for the fund burning issue after that; can discuss it more at the dev meeting tomorrow
-
rbrunner
That's good news
-
rbrunner
But well, after basically 0 bad surprises from the review not merging would probably hard to defend
-
jberman[m]
UkoeHB: SGTM
-
jberman[m]
Rucknium: if mj-xmr is interested they can take it, but yep I'm happy to help/provide eyes/code on it where needed as long as it's settled it'll all be made public. I was thinking for my next CCS to be a month long to complete the background sync cache + do more PR review work
-
Rucknium[m]
Right. Now I remember that a sticking point is you want to make sure that everything will be disclosed if you were to work on it, which is totally fair.
-
Rucknium[m]
I am thinking that we will want about two months of post-hardfork data for the final estimation, by the way.
-
jberman[m]
The reason to segregate post-HF data is because we'll be sure as we can be that everyone running the core wallet software will be running the latest algo?
-
Rucknium[m]
No, although that helps a bit. We can't be sure that everyone will be running the wallet2 algorithm, but nonstandard ones should be less prevalent. I gave a reason to you and isthmus.
-
Rucknium[m]
To be clear, on-chain nonstandard decoy selection algorithms will be dealt with in OSPEAD.
-
ArticMine[m]
I would not mind seeing the reason. I have my suspicions
-
Rucknium[m]
ArticMine: I will PM you. Would you like to be on the scientific review panel? I assumed you would.
-
ArticMine[m]
Which I will not reveal publicly
-
ArticMine[m]
Yes I am interested
-
Rucknium[m]
isthmus said he is willing to be a "minor reviewer"
-
UkoeHB
we are closing in on the end of the meeting; anyone have any burning questions to get out?
-
UkoeHB
ok seems like we are done; thanks for attending everyone
-
jberman[m]
thanks UkoeHB