-
Rucknium[m]
I'm looking back at the BP+ paper. ZenGo found an error in one of the paper's math proofs and suggested a correction. (ZenGo said that the theorem itself was valid once the correction to the math proof had been made.)
-
Rucknium[m]
The BP+ paper was eventually published in April 2022 here:
ieeexplore.ieee.org/abstract/document/9758733
-
Rucknium[m]
It says that the math proofs are "relegated to Appendix", but I don't see an Appendix anywhere on that ^ page. Am I just missing something? Can anyone see an Appendix?
-
Rucknium[m]
I want to see if the authors changed the math proof in response to (or independently from) the ZenGo finding.
-
UkoeHB
Meeting 1.5hr
-
M0xtraffikriot[m
How to access the meeting?
-
nioc
it will be here
-
M0xtraffikriot[m
<nioc> "it will be here" <- 👍
-
UkoeHB
-
UkoeHB
1. greetings
-
UkoeHB
hello
-
vtnerd
hi
-
rehrar
hi
-
M0xtraffikriot[m
hi!
-
rbrunner
Hello
-
Rucknium[m]
Hi
-
UkoeHB
-
Rucknium[m]
UkoeHB: That's the version with the error in the appendix. We can return to that later.
-
UkoeHB
that's the version with an appendix lol
-
UkoeHB
2. updates, what's everyone working on?
-
vtnerd
my serialization changes/branch have been _basically_ completed, including replacement of the different ZeroMQ json implementation
-
vtnerd
only a few functional_rpc tests remain before issuing a pr
-
UkoeHB
me: have been sick, otherwise working on finishing touches for multisig + refactoring the library into multiple directories (half done); after that is just the coinbase tx type
-
vtnerd
-
Rucknium[m]
me: Familiarizing myself with previous BulletProofs+ audit process. I asked Diego Salazar from Cypherstack to be available for this meeting so we can discuss details of the BP++ audit CCS.
-
rehrar
das me
-
vtnerd
so it looks like someone audited the paper, and you are preparing for an audit of the yet-to-be-written bp++? or perhaps someone is writing that already
-
UkoeHB
-
vtnerd
I ah yeah we definitely discussed that, and I forgot initially
-
vtnerd
although I'm a bit worried that we may need to re/write? eh whatever it'll get done
-
UkoeHB
rewrite the bp++ paper?
-
vtnerd
no that mysterious implementation lol
-
selsta
we will have to write the code ourselves
-
UkoeHB
oh definitely
-
vtnerd
yeah that's fine, there's a few people that can do it around
-
UkoeHB
3. let's move to discussion
-
Rucknium[m]
We could perhaps reduce confusion by calling what CypherStack will do a "Peer review" rather than "audit".
-
Rucknium[m]
Since they are not auditing any code at this point
-
UkoeHB
-
Rucknium[m]
Yes but you cannot audit code you've written yourself
-
rehrar
As far as I was aware, the PoC wasn't to be included, but rather was to be used more or less as a benchmarking tool since the other implementation can't be verified.
-
plowsof
PoC not yet discussed/finalised/confirmed, only 1a) is covered in that ccs*
-
UkoeHB
ok then take it off the ccs if it's not included...
-
rehrar
So we would be doing two pieces of work. A peer review of the paper, and a PoC of the code for benchmarking purposes and comparison to BP+ to see if it's worth inclusion.
-
UkoeHB
now I'm frustrated
-
rbrunner
"with only (1a) being set in stone / to be achieved by this C" from the CCS
-
rehrar
We're obviously happy to do the PoC as well, pending the results of the peer review.
-
rbrunner
Yeah, maybe put that proposed total timeline somewhere else, so that the CCS text is single-topic without any room for doubt
-
UkoeHB
rehrar: would that be an additional funding round?
-
rehrar
yes
-
plowsof
got it rbrunner
-
plowsof
we can't raise funds for a proof of concept until the paper is audited? or am i totally off base here
-
selsta
I'm not convinced how useful a PoC is, unless it's required as a template for the real implementation.
-
UkoeHB
selsta: yes that's why I requested it
-
rbrunner
Well, maybe the whole BP++ comes crashing down in that peer review, worst case
-
rehrar
I mean, in theory both can be raised at once, and if something is found to be terribly wrong with the paper (unlikely), then we just don't do the PoC and the money goes to the GF.
-
selsta
The author has a proof of concept on git already.
-
plowsof
then we need to formalise the scope of this PoC because there were 2 things going on - simply 'benchmarking in c++' (instead of haskell) and then creating something that's 'actually' usable for monero libraries
-
UkoeHB
selsta: ok if someone who can read haskell or whatever that is wants to translate it to python/c++...
-
rbrunner
Why Haskell? What is now in Haskell? The author's PoC?
-
UkoeHB
-
vtnerd
lol I've always secretly loved haskell ... I'm not sure if signing myself up for this is a good idea given other stuff I'm doing
-
vtnerd
but maybe this is more important
-
rbrunner
Oh wow
-
vtnerd
and I haven't studied haskell in depth, just like what they are trying to do
-
vtnerd
the tasks I'm trying to do are the p2p serialization and p2p e2e encryption
-
vtnerd
and few other side things, but those are the most relevant to monero
-
UkoeHB
vtnerd: what timeline do you have for those p2p things?
-
vtnerd
*the above is the most relevant to this discussion
-
selsta
p2p serialization is the one that's almost finished?
-
rbrunner
This goes over my head, but the "P" in "PoC" stands for "proof", and maybe we don't need any more proof and could directly go to the implementation in Monero codebase
-
vtnerd
yes. and the p2p encryption has some code but I stopped dead in my tracks because of the tracking issue with the initial proposal
-
UkoeHB
a big advantage of getting the code done in-house is we can ask cypherstack for a code audit in the future
-
vtnerd
I've actually got to re-write my proposal on that, and follow closer to what bitcoin is doing (I think), but there's a few other details I've got to work through
-
vtnerd
having a static-key is nice for a few reasons, but it makes the node trackable in a bunch of ways
-
Rucknium[m]
AFAIK, we're not in a rush here on BP++. We can take things step by step. Probably the only downside to separating the peer review and PoC into two CCS proposals is asking the community twice to fund something.
-
vtnerd
so I'm still mulling over whether a --secret-p2p-key opt-in is a good idea
-
vtnerd
yeah bp++ seems like it would be more on the seraphis timeline?
-
rbrunner
We estimated Seraphis 2 years out, or longer
-
vtnerd
like that's going to be a major fork anyway, and bp++ in the current mlsag/ringct setup is going to be annoying
-
rbrunner
More annoying than BP+ then?
-
vtnerd
I mean it would enable us to bump ringct further, but then we have maintenance on a bp++ w/mlsag to think about
-
selsta
is it different from going from bp to bp+?
-
vtnerd
no it's just that bp++ with mlsag adds additional technical debt that we have to maintain in perpetuity for the project
-
UkoeHB
the sooner BP++ is done, the sooner resources tied to that project can be used elsewhere
-
vtnerd
hmm. well I'll let the others decide whether it is higher priority then
-
UkoeHB
plus the longer it takes to integrate, the less available I may end up being
-
vtnerd
it sounds like bp++ is high priority then
-
rbrunner
Well, otherwise we have a larger-than-would-have-been blockchain for perpetuity, no?
-
UkoeHB
yes, for me it's high priority
-
vtnerd
yeah there's that angle too.
-
vtnerd
ok, sounds like we need bp++ immediately then, if there's a haskell implementation I'll do a straight port
-
rbrunner
2 years without a hardfork are boring anyway :)
-
plowsof
the 'peer review' is promised to be completed in 'around' 12 ~ days
-
UkoeHB
vtnerd: the BP++ author's proof of concept is here
github.com/Liam-Eagen/BulletproofsPP
-
vtnerd
one complication with perf comparisons is that the existing bp+ could have speed perf improvements from what I recall
-
vtnerd
so if I do a port, then I'll probably simultaneously have to improve the old two implementations to get a better comparison
-
UkoeHB
however I'm thinking the existing BP/BP+ files have code duplication that can be pulled into a common library and also used with BP++ (probably)
-
UkoeHB
vtnerd: I don't think there are any perf improvements available, at least in terms of crypto ops
-
plowsof
title changed to Bp++ Peer Review, timeline removed. 2 separate funding rounds for Peer Review and then PoC OR attempt 2 in 1 - if 2 in 1 is voted on - then we need koe to formally write the scope of the PoC
-
vtnerd
there's some small C++ stuff, like copies in a few areas, etc. Or at least that was my first impression
-
selsta
plowsof: for now I think we should only fund a paper audit / peer review
-
plowsof
it will take 'around' 12 days. and the other alternative for the review who got back to me is unavailable until Q2, CypherStack can start 'soon' / "next month"
-
vtnerd
Ukoehb: I'm only trying to get realistic numbers on bp++. presumably it's guaranteed faster due to algo analysis, etc., so I'll think about that as time permits
-
rbrunner
Q2, as in Q2, 2023? So many things to audit ...
-
Rucknium[m]
I support plowsof 's changes to the CCS. I also want to see more detail on exactly which statements and math logic will be checked. The BP++ paper does not have the familiar "Theorem: Proof" format, so it's not entirely clear what needs to be checked.
-
plowsof
yes q2 2023
-
UkoeHB
vtnerd: ok sounds great to me, glad to have your help :)
-
vtnerd
I'm looking at this haskell for the first time, this language is pretty wild lol. but it seems like something I should be able to pick up
-
vtnerd
I'll notify immediately if I cannot
-
Rucknium[m]
Thanks, vtnerd
-
rbrunner
Reading is always easier than writing in a programming language :)
-
vtnerd
hmmm. maybe, dunno about that
-
plowsof
koe thoughts? feeling frustrated still? happy? - we still have time to play with
-
rehrar
Rucknium[m] Which statements and math logic do you all want checked?
-
UkoeHB
plowsof: yes this is fine, let's move forward with CCS for cypherstack to do paper audit
-
rehrar
We plan to touch on the soundness, completeness, and zero knowledge portions of the paper, as touched on in the paper. We also plan to look at efficiency, aggregation, batching, and MPC compatibility.
-
Rucknium[m]
rehrar: I'm hoping a cryptographer can answer that. Looks like there are certain statements about soundness, etc. under certain (standard) assumptions in the body of the paper, and then proofs in the appendix. I'm not sure what needs to be checked.
-
UkoeHB
rehrar: presumably the BP++ paper should satisfy the same security requirements as BP and BP+
-
Rucknium[m]
I want us to be specific in our understanding so there are no surprises down the road. I'm sure you will do a great job.
-
rehrar
UkoeHB that's probably a more realistic standard. Because otherwise we'd be responsible for deciding what needs to be checked, and then checking it.
-
rehrar
Which is doable...just a little weird. Us specifying our own work scope.
-
rehrar
Typically it's more like the client would provide the preprint and say "please check X, Y, Z on this" and we would, if that makes sense.
-
UkoeHB
yes well :)
-
rehrar
But yes, we do have a good understanding of Monero, and BP/BP+, so ensuring it meets the same security requirements as those seems like a solid scope
-
Rucknium[m]
"Bulletproofs++ use essentially the same model as Bulletproofs(+). The only important differences are either superficial, i.e. using additive vs multiplicative notation for the group operation or the manner in which vectors are decomposed, or in the case of the reciprocal argument a weakening from perfect completeness to statistical completeness."
-
Rucknium[m]
^ here is the claim from the paper
-
UkoeHB
One thing to watch out for is novel cryptographic assumptions. Those can be hazardous
-
rehrar
Right. So making sure it fits neatly and completely into the place that BP+ currently sits would be a good scope, imo. Disagreements?
-
ofrnxmr[m]
+1
-
UkoeHB
none from me, thanks rehrar
-
rehrar
Cool. We wouldn't be able to start until early December. Would that be an issue?
-
UkoeHB
that should be fine
-
vtnerd
makes sense to me rehrar
-
rehrar
Cool deal. If no more questions for me, then I'm off.
-
Rucknium[m]
To be clear, this includes checking the correctness of proofs when "fit[ting] neatly and completely into the place that BP+ currently sits" relies on any proofs in the paper, correct?
-
rehrar
yes
-
Rucknium[m]
Great. Thank you
-
UkoeHB
ok, any other last minute topics we should cover today?
-
UkoeHB
-
rehrar
I have zero control over how the funds on the old CCS are used.
-
rehrar
That seems like it'd be a question for core.
-
plowsof
they were/yet to be donated to the general fund
-
UkoeHB
ah
-
plowsof
seems a sensible request to go to this one, I'll ask
-
rehrar
Until the money is in my hands, it's core stewarded money
-
rehrar
after that it's my money >:)
-
UkoeHB
ok seems like we can wrap it up here, thanks for attending everyone
-
plowsof
thanks all!
-
plowsof
however long it takes* - 'around' 12 days (which is a similar timeframe auditor QuarksLab quoted but they gave a daily cost of (I've not got the exact number now) but it was upwards of 2.x kusd/day)
-
sgp[m]
How many hours of work are covered in this CCS draft?
-
ajs_[m]
need some feedback on the draft CFP for monerokon 2023, in particular the topics section
-
ajs_[m]
-
rbrunner
"LOCATION: TBD" So still to be defined?
-
Rucknium[m]
Oops. I was supposed to say during the meeting that the MAGIC Monero Fund committee voted to say that it would partially or completely fund audits or reviews of BP++ after this one is complete.
-
ajs_[m]
depends on CCS funding
-
rbrunner
Ah, if more, it's Prague, if less, it's Neuchatel, right?
-
ajs_[m]
-
rbrunner
Thanks, now I remember to have seen that, yeah.
-
rbrunner
Neuchatel is only about a 1.5 hours train ride from my place ...
-
ajs_[m]
Still WIP, so any comments, suggestions would be helpful
-
xmrack[m]
-
xmrack[m]
Towards Measuring The Fungibility and Anonymity of Cryptocurrencies
-
Rucknium[m]
"[Physical cash] fungibility is ensured and guaranteed by laws." [citation needed]
-
Rucknium[m]
Interesting paper though. I wonder how hard it would be to apply their measurement method to Monero.
-
NorrinRadd
Rucknium[m] "legal tender" means that you must accept. civilians legally can not distinguish one dollar from another dollar. the government can, but not civilians.
-
NorrinRadd
now... you can deny business potentially on different grounds, but not based on the serial number of paper money
-
NorrinRadd
"legally" is the key word. all bills have serial numbers on them but basically you're not supposed to be paying attention to that
-
Rucknium[m]
NorrinRadd: This is not correct in many jurisdictions. When I requested a citation, I was serious.
-
NorrinRadd
-
NorrinRadd
Notes reference #1
-
Rucknium[m]
I think the citation supports my point
-
NorrinRadd
Rucknium[m] it's possible i'm missing some backlog. What is the point you were making?
-
Rucknium[m]
Taking this to #monero-research-lounge:monero.social ...
-
NorrinRadd
i thought this was linked to that
-
NorrinRadd
lol is the lounge on irc?
-
Rucknium[m]
Yes, lounge is on libera IRC