Meeting 2hr

are meetings participation exclusive to MRL members or can external people ask questions during the meetings, ofc related to the ongoing subject? I'm not going to ask questions, its just to know

someoneelse49549: anyone may attend

alright

meeting time monero-project/meta #833

1. greetings

hello

Hi

Hello

hi

Hello

2. updates, what's everyone working on?

me: finished a draft of the 'implementing seraphis' paper github.com/UkoeHB/Seraphis and have been taking a break since then

Working on my Monerotopia talk: "A Statistical Research Agenda for Monero"

I was working on LWS unit-tests for webhooks and bp++

Im a little worried about delivering bp++ - the other implementation helps - I'll be able to give more guidance next week

vtnerd_: sounds good

vtnerd_: Thanks. What do you mean by "worried about delivering bp++"?

that I wont be able to complete the code

Ok. We are still at the stage of figuring out if BP++ is cryptographically sound, so the code implementation can be some time away.

2. discussion

A month ago tevador asked to discuss MRL issue #100. Any takers?

I have no comments

I'll probably be a lot less active, even more than I was, for the next 2 weeks. But I hope to then return and work on seraphis

2-3 weeks

same here

Rucknium[m]: Is there a specific requested topic or point to discuss regarding #100?

"MRL #100 should be added to the meeting agenda, so we can make some progress there." libera.monerologs.net/monero-research-lab/20230302#c212397

That was two months ago

Are any trustless zk-SNARKs under a bounty program? I don't think there are any. Anyone know? (Zcash has no bug bounty program.)

I think most people agree that eventually Monero should eventually have a membership proof which captures all historical outputs. As I see it, the big question is should we work towards the big step of replacing Ed25519 with a prime order curves with Seraphis so that we could implement it in the future?

As opposed to keeping ed25519 with Seraphis and changing the address scheme again later

Or....the next step could be quantum-resistant ring signatures :)

...which are less reviewed and battle-tested than trustless zk-SNARKs at this point

The main issue with PQ schemes is the lack of composability.

At this time, AFAIK, there really isn't the academia for PQ Seraphis

jeffro256: It's not just prime order. It's a cycle.

If we don't do it with Seraphis, we'd have to redo the migration. Why would anyone want that?

Yes, but composite order EC can never have cycles ;(

And then tevador found a curve competitive with ed25519 which is prime order

We have the academia to move commitments between curves

kayabanerve[m]: I tend to lean towards this, but it would add a lot of complexity

Also, as for bounties, I'd have to check zkEVM setups. There are a lot of SNARK-based systems on Immunefi. There may be even been a STARK...

kayabanerve[m]: Which curve?

1) We add the new curve library

2) We use the COPZ DLog Eq proof

That'd be the only immediate work

(and f+r all ed25519 mentions in Seraphis)

There are a few PQ ring sig proposals: dl.acm.org/doi/10.1145/3319535.3354200

It's one of their candidates. I've been calling it tevone.

^ AFAIK, they are not ready for production use

(Because they didn't name their most recent recent three candidates, and I've been experimenting with Tevador #1)

Rucknium @rucknium:monero.social: Horrible perf + doesn't fit under seraphis at this time.

I'll also reiterate I don't believe tevadors indirect cycle is possible as we have to prove an EC OP on the tower yet membership on the cycle. I'm unsure we can feasibly maintain ZK through that

does anyone else have anything on their mind? otherwise we can call it here

ok thanks for attending everyone

thanks Ukoe

👋