Meeting .5hr

meeting time monero-project/meta #849

1. greetings

hello

Hello

Hello

Hi

hi

2. updates, what's everyone working on?

bulletproofs++. Im a bit bogged down by it, and if someone has free cycles it might be best they do it. otherwise I will keep slowly hacking away at understanding it or just port from the c version

Im keeping my hours to a minimum so CCS isn't billed for poor output

OSPEAD, working with the formula for double spend races to analyze the 10 block lock, Dr. Borggren's MAGIC's research proposal to analyze the EAE attack and churning is 80% funded after just one week: monerofund.org/projects/eae_attack_and_churning

me: no updates this week

Thank you to the community

Was there a tentative time for the code audit firm to give a presentation?

tomorrow I think

3. discussion

they are presenting ... ?

plowsof: Do you have details about the presentation?

I think the tentative time is 15:30 UTC June 15th

On the 10 block lock: Can an adversary leverage a "benign" block reorg, say 2 blocks deep, as a step up to try to do something malicious against an N-block-lock? My guess is that they could only hurt privacy of users who have transactions confirmed in the first block of one of the benign orphaned chains.

And/or make some of those transactions invalid

And it seems like it would have a small probability of having an effect since you would have to have enough network "divergence" for many transactions to not reach the benign re-orged chain _and_ some of those transactions would have to have real spends or decoys exactly N (10) blocks old at the time they were spent

txs in those reorged blocks should not be invalidated

afaik they are returned to the tx pool, hyc ?

I recall that being the case (return to pool)

although a new block and force some out ? something like that, its been a while

*can force some out

I think they would reference invalid output indices in the re-orged chain. Since it's 2 blocks of benign chain plus 9 (or 8?) blocks of a malicious miner that uses the benign chain to get a head start.

Yeah, I think I remember that seeing in a test I did, an in this particular case wallet2 does not see those (again) and only notices after mining

I am trying to put more precise numbers on the risk

I am referring to this: "If an output created by the first group is used as a decoy by a random person, then that person's transaction will become invalid after the reorg. In other words, decoys are vulnerable to the 'confirmation' problem. A tx author should only use decoys that are 'strongly confirmed', i.e. decoys that are buried below the 'reorg zone'."

My scenario is: An adversary has many nodes throughout the network and occasionally observes a chain divergence. They know that one of the chain "stubs" will be re-orged, so they start mining on top of that one in secret. That gets them a boost since they won't have to mine the full 10 blocks by themselves.

Does this scenario make sense?

The adversary does not control the contents of those first 2 blocks. Honest miners do.

you only get an advantage equal to the network propagation time

On average, yes. But these blocks that are part of benign re-orgs are extreme cases. They are actually mined in a short period of time.

actually hmm I see your point, you can piggy-back off the work of a natural reorg

Rucknium[m]: Are you assuming that the attacker already controls a given percentage of the nethash, or do they have to provision extra hashrate separately for the attack?

Big difference in costs, especially since the upfront cost of the hardware is way bigger than the energy cost for the mining itself

I am assuming they need to provision extra hash rate (i.e. not mining normally), but maybe that's not the correct assumption.

Would it matter a lot? The difficulty would not adjust enough in just 10 blocks.

you'd need hardware ready to go at a moment's notice, which is a bit different from a targeted attack (that can use botnets, cloud mining, etc.)

The difficulty adjustment would be irrelevant, especially since the 60 highest and lowest block times get cut off from the adjustment calculation (assuming [this answer](monero.stackexchange.com/a/7981) is still valid)

The cost can be evaluated at the next step in the analysis. I am trying to figure out if I should plug N or N - 2 into the double-spend race formula

It's the cost of the hardware itself which makes a big difference

Ah, ok

The formula tells you the probability of a malicious re-org of any block depth with any hashpower share < 50%

Where is that formula from?

an active attack on the network may or may not be able to increase instability, which would increase natural reorg depths (although I don't think this has ever happened)

rbrunner: Grunspan & Pérez-Marco (2020) "Double spend races" arxiv.org/abs/1702.02867

It's a correction to Satoshi's formula in the bitcoin white paper

Nice, thanks.

Satoshi incorrectly assumed that honest hashpower would have a constant rate of finding blocks: once every 10 minutes.

That rate is actually varying, of course, since finding blocks is a Poisson process

The formula for the probability of malicious re-org is a regularized incomplete beta function

It can be found as the Rbeta function in the zipfR R package

are there any other topics we should discuss today?

I will make a comment on the MRL GitHub issue with some tables. I will include the possibility of an adversary building on a benign re-org, but it is unlikely to get them much benefit since the proportion of transactions that could be affected would be small.

What do you mean by "it is unlikely to get them much benefit since the proportion of transactions that could be affected would be small"?

There are two terms in this probability multiplication (assuming independence):

a) Probability that a particular transaction propagates through the network to one "subnet" but not the other. The subnets being basically the subnets that the two beningn, but competing, sets of miners are in.

b) Probability that a transaction includes a ring member that is exactly N (10) blocks old, i.e. has the youngest age possible according to consensus rules. This could be a decoy or real spend. Seraphis will increase this probability since ring size would be increased.

That's my opinion about how it could happen

I am not talking about a bitcoin-style double-spend (and its consequences) where the victim takes some action, i.e. sends the perpetrator some amount of another coin on another chain as an exchange) before waiting some M blocks.

All PoW chain have that issue. They don't use spending locks to stop it. They say that users should evaluate their own risks and determine their own waiting times.

Factor (a) would not be purely random chance though, the attacker could map out the network and the connections between nodes to see if there are any poorly-connected subnets

Oh wait, I'm not sure if that makes an actual difference though

The transaction propagation subnets and the block propagation subnets will overlap in different ways, with different levels of connectivity. Complicated.

You mean due to Dandelion++? I think the D++ tx propagation would still be a subset of the nodes' p2p connections though, right?

D++ affects it. The main factor is that the nodes that broadcast the most txs are different from the nodes that broadcast the most new blocks.

Oh, I see

e.g. Cake's nodes do not mine. Few users connect to mining pools' nodes to broadcast their txs.

ah the meeting is over, sorry

<Rucknium[m]> "I think they would reference..." <- I think the attacker would need 8 blocks on top of the original 2, and after that you'll start seeing transactions with 10-blocks-old outputs in the mempool (which would then be validated in a hypothetical 11th block)

(Or at least: Feather wallet is behaving that way with the testnet output I just received)

Do you mean validated or invalidated?

Validated if that were the "real" chain

Rucknium[m] UkoeHB Quarkslab informed me that the timeslot they gave us - they can not make it now, and suggest a new date/time 19th June 16:00 utc