<r​ucknium:monero.social> MRL meeting here in one hour.

Meeting time: monero-project/meta #888

1) Greetings

<v​tnerd:monero.social> Hi

Hello. Given the number of 888, this will be one lucky meeting.

<d​angerousfreedom:matrix.org> Hello

2) Updates: What is everyone working on?

me: N block lock analysis (scope expanded). Identifying nonstandard fees on the blockchain (analysis is paying off).

Announcements: CCS Retroactive funding for Full Chain Membership Proofs is expected to be decided by the end of the week: repo.getmonero.org/monero-project/ccs-proposals/-/merge_requests/403

<c​ompdec:matrix.org> I'm continuing on EAE stuff, hoping to hear more about my submission soon.

<v​tnerd:monero.social> I've got SSL+p2p coded up, including optional authentication, but there's still at least 1 bug for me to track down

bitcoincashautist has a proposal for BCH<>XMR atomic swaps: gitlab.com/0353F40E/cross-chain-swap-ves/-/blob/master/README.md

More discussion: bitcoincashresearch.org/t/monero-bch-atomic-swaps/545

There is a 10.5 XMR + 2 BCH bounty open: bounties.monero.social/posts/37/10-501m-bch-xmr-atomic-swaps

compdec: by "hoping to hear more about my submission soon" do you mean "hoping for feedback soon"?

<c​ompdec:matrix.org> yeah, Justin seems to want more before considering the milestone is completed, but I can only guess at that

3) Discussion. plowsof added two agenda items to the meeting GitHub issue:

"BP++ peer review: Do we return to cypherstack saying "yes, the out of scope things are fine, what are the next steps now" gist.github.com/plowsof/534778636eca474951e4661507cdc205 "

"Seraphis: this draft scope of work to make the papers(s) complete will be used to approach auditors for quotes unless someone states something is missing gist.github.com/plowsof/8cb33e2efe4bf0239927ad3bd92326e0 "

<c​ompdec:matrix.org> I'll update the document by Friday with more progress

compdec: Thanks.

Anyone have opinions about the BP++ peer review scope?

Pretty much out of my depth here ...

Me, too.

Here is the original scope: ccs.getmonero.org/proposals/bulletproofs-pp-peer-review.html

I guess we can agree on "Multi-asset transactions" being out of scope. We don't have multiple assets, and probably never will, if I understand "assets" correctly

(as something like different "coins" also living on the Monero blockchain)

The scope looks reasonable to me, but I don't know much about cryptography at this level.

I think plowsof was seeking input from tevador at least.

What about the Seraphis draft scope of work?

Pass :)

<d​angerousfreedom:matrix.org> At least the batch verification of bp++ should be done, right?

I think talk was it would be good to have, but well, if the paper is light on details? "it provides no details on the corresponding algebra"

That would be asking Cypherstack to develop the math for batch verification. That's different from reviewing what's already in the paper. It could be requested, maybe.

<g​hostway:matrix.org> If it doesn't slow you down, do you have a mid-analysis report? Sounds interesting

Sounds reasonable

Biu then they cannot review their open implementation

<d​angerousfreedom:matrix.org> Oh okay, sorry. I didnt read the bp++ paper yet

But*

own implementation*

The seraphis scope of things to be done has the approval of those who made it (kayaba/koe/jberman)

ghostway: I will post a gist about the fee analysis after the meeting. I don't have much about N block lock ready to go. Mostly just the table of attack success probabilities. Rosenfeld (2014) already has that for N <= 10.

<d​angerousfreedom:matrix.org> Where can I find the link of the c++ implementation of bp++ ?

Rosenfeld (2014). See Table 1: moneroresearch.info/index.php?actio…n=resource_RESOURCEVIEW_CORE&id=191

<g​hostway:matrix.org> Ok

<g​hostway:matrix.org> Is how to do the swap (in the bounty) already closed? Or are there problems still

Are you asking about the BCH-XMR swap?

<v​tnerd:monero.social> blog.blockstream.com/bulletproofs-a…nsactions-with-multiple-asset-types

<v​tnerd:monero.social> There's links in the post to the pr requests

<g​hostway:matrix.org> Yep rbrunner

ghostway: bitcoincashautist has not claimed the bounty by executing his swap on the mainnets. I'm not sure why.

<g​hostway:matrix.org> Huh

We would need a knowledgeable person to review the swap after it happened to make sure it is truly atomic.

"There's a 10 XMR bounty for the implementation! Feel free to go for it using my contract, you don't owe me anything."

<g​hostway:matrix.org> That's odd

<d​angerousfreedom:matrix.org> Thanks. So what is being done is just a theoretical review of the bp++ paper ? We still need to implement it using our curve?

dangerousfreedom: AFAIK, it's just a review of the mathematics. Not a code audit.

<v​tnerd:monero.social> Correct. The paper initially had no peer review, not sure about the latest iteration

The authors submitted it to a conference earlier this year, but it didn't make it in.

<d​angerousfreedom:matrix.org> Okay, thanks. Someone is working on implementing it to be used in Monero?

IIRC, we don't know if BP++ is compatible with kayabaNerve's Full Chain Membership Proofs proposal.

Didn't vtnerd go the way at least in part?

<k​ayabanerve:matrix.org> BP++ supports ACs.

<v​tnerd:monero.social> Yes I did, but I stopped as I couldn't figure out the last part, without just blindly copying the c variant

kayabaNerve: does that mean they are compatible?

<k​ayabanerve:matrix.org> The issue is that Curve Trees requires a VCS on top of a R1CS AC proof, and the only known applicable VCS is an unproven one for BPs (if you ignore my hack).

<v​tnerd:monero.social> And I think at least one portion of the c/blockstream variant had an unnecessary calculation in it, but who knows

<k​ayabanerve:matrix.org> sarang is currently researching a VCS for BP+, one of the reasons being BP++ argues its norm argument reduces to BP+'s weighted inner product argument, which BP+ in turn argues can be used in place of BP's inner product argument.

<d​angerousfreedom:matrix.org> Okay, cool! Thanks vtnerd ! Hopefully I will find some time this year to read the paper (and the code if ready)

<k​ayabanerve:matrix.org> So BP++ has the bones, an extra piece is needed, sarang is researching that piece for BP+, that piece for BP+ likely helps development of a similar piece for BP++.

Thanks for explaining, kayaba

Who finances that research?

<k​ayabanerve:matrix.org> Though of course, FCMPs can use BPs while range proofs use BP++s.

<k​ayabanerve:matrix.org> rbrunner: Right now, Firo.

Ah, ok, thanks.

<k​ayabanerve:matrix.org> It's part of the collaboration I orchestrated prior to and at Monerokon.

Yeah, yeah, I think I remember now.

kayabaNerve: iI the scope on the BP++ peer review satisfactory to you?

At least not in immediate danger of more "retroactive funding" drama, right?

More discussion? (If not, I can talk about N block lock and nonstandard fee analysis.)

My question is "What does Monero gain from having a 10 block lock instead of a 9 block lock? What does it lose from not having an 11 block lock?"

<k​ayabanerve:matrix.org> Rucknium: I don't know what the scope is, sorry

ccs.getmonero.org/proposals/bulletproofs-pp-peer-review.html is the original scope

gist.github.com/plowsof/534778636eca474951e4661507cdc205 is the modifications to the scope after they looked at the paper

I thought for a complete analysis we would want to know the security budgets of PoW coins that have had malicious deep block reorgs. Then compare with Monero's security budget.

A coin's "security budget" is the coin unit's purchasing power multiplied by its block reward emission to miners. endor00 and I are starting to gather that data.

<d​angerousfreedom:matrix.org> I add to your question, should the lock time be a wallet feature?

<k​ayabanerve:matrix.org> Feedback is sane. IIRC, the binary range proofs (optimized or not) don't need to be in scope as the way BP++ achieves its range proof perf is via a hexadecimal base.

Block time be a wallet feature? It used to be default in wallet2, but not consensus. Then it was changed to consensus since some wallet software did not use the N block lock.

<k​ayabanerve:matrix.org> dangerousfreedom: Considering it's a security function which would be a mess for opt-in wallets to track if wallets can opt-out, I'd vote no.

<g​hostway:matrix.org> Is it actually about double spending or is it about reorderingm

<g​hostway:matrix.org> ?

It's about lots of things.

<k​ayabanerve:matrix.org> To be clear on BP++, as my only other comment, it sounds infeasible to scope MPC at this time. That should be dropped, which it sounds like it may have been?

<k​ayabanerve:matrix.org> It's mainly about the chain reaction as one TX being reordered invalidates all future TXs, AFAIK

It prevents maliously double spends. Also, since ring members in Monero are referenced by index number in the chain and rings that reference outputs that are no longer in the chain are invalid, a deep re-org can invalidate txs completely.

<k​ayabanerve:matrix.org> Though also, I retract my comment on wallet implementation difficulties. I didn't think it through, yet I think we could make it opt-in/opt-out...

<g​hostway:matrix.org> That's what I guessed, making decoys invalid and reducing the ring size

<k​ayabanerve:matrix.org> Whether or not we should remains a discussion, just not impeded by wallet dev complexity.

Two issues on the 10 block lock: monero-project/research-lab #95

<d​angerousfreedom:matrix.org> I remember when you needed 6 confirmations in bitcoin to get a transaction accepted on an exchange for example. Today there are some that accepts even with 1 confirmation. I guess the limiting factor would be the hashing power of the network then? Is there any studies to correlate with hashing power to analyze that probabilistic ?

Originally, I thought the anti-double-spend justification for the 10 block lock was paternalistic. It is paternalistic, but there is also a moral hazard problem with centralized exchanges deciding to accept a low confirmation number.

dangerousfreedom: Yes, Rosenfeld (2014) does those calculations for minority hashpower share.

<g​hostway:matrix.org> Id imagine it's more about % of the total hashrate like rucknium's paper suggests

We know the attack success probabilities for any hsahpower share.

binance accepts Monero deposits after 3 confirmations

By "moral hazard" I mean the standard economics definition: An agent makes a risky decision where the agent does not bear 100% of the potential negative consequences for that decision

If an exchange becomes the victim of a double spend attack, they lose money. But the coin itself loses confidence, too.

We are past the hour. Let's end the meeting here. Thanks everyone.

<d​angerousfreedom:matrix.org> Thanks Rucknium[m] . I'm behind many papers in my schedule but hopefully will catch up :p

thanks Rucknium and all who attended, special thanks to kayabanerve for the feedback

Wait a minute. Am I wrong about the 10 block lock preventing hashpower-based double spend attacks? What plowsof said about Binance accepting deposits with 3 confirmations makes me think that the 10 block lock doesn't prevent these types of double spends.

The 10 block lock would prevent the potential victim from re-spending the outputs in fewer than 10 blocks. But it doesn't meaningfully constrain the attacker. The attacker only include the malicious self-spend transaction in its attacking chain, not the transaction to the victim of course. The 10 block lock on the transaction to the victim doesn't bind the attacker.

If true, that reduces the incentive for a block re-orgs of 10+ blocks to only the sabotage/vandalism "benefit" of invalidating transactions that don't belong to the attacker.

If an attacker has sufficient hash power to produce 10 blocks faster than everybody else, they can also produce 11 blocks faster than everybody else.

10 block lock has some important implications for stability and privacy, and security against probabilistic attacks from miners with minority hashrate. It doesn’t offer any protection against attackers with 50%+1 majority hashrate

isthmus: I agree except for "security against probabilistic attacks from miners with minority hashrate". The assumption in this discussion is minority hashpower share since with a majority, the no value for N in "N block lock" will protect as you said.

Rosenfeld (2014) Table 1 gives probabilities of a successful re-org of 1-10 blocks with 2-50% minority hashpower shares.

My question was "what is gained from having a 10 block lock instead of a 9 block lock? What is lost from not having an 11 block lock?"

Now I don't think that an N block lock on re-spending outputs prevents a malicious double spend by a party with minority hashpower share.

Are you familiar with stubborn and selfish mining, which have been observed on Monero? eprint.iacr.org/2015/796.pdf

That's all I meant

Last time NRL processed the archival node logs, we had seen evidence of occasional stubborn / selfish mining, but only to depth 2 I believe

But because the reorg depth is 10 it didn't invalidate any rings or anything

So one factor to inform N is how much hashrate we think might be inclined to selfish/stubborn mining (say 10%) and then from that we can say "okay, they'd be able to produce 2-deep on occasion, and 3-deep on VERY RARE occasion, and 4-deep with P<0.0000001" or whatever

So, circling back to your question, if P(9) < 10^-30 already, then not much would be lost by switching it from 10 to 9

(with respect to this specific aspect)

I've read a little about selfish mining, but I haven't gone in depth.

Scope creep :cry:

<c​ompdec:matrix.org> selfish mining has been observed on Monero?

Yea, I wrote up a little note the first time we saw something that fit the bill back in 2018 github.com/noncesense-research-lab/…work/wiki/Selfish-mining-at-1636647

It's not particularly disruptive on a scale of 2-deep with a 10 block lock time, besides cutting into the profit margins of miners that don't engage in the practice

Our nodes in Frankfurt, Tokyo, and London all saw the exact same order of events, so we know it was a global phenomenon and not a localized latency artifact.

<c​ompdec:matrix.org> cool, I had a student write a senior paper on selfish mining, read that paper a year ago or so