-
m-relay
<rucknium:monero.social> MRL meeting in this channel in two hours. Anyone with a matrix.org homeserver Matrix account want to say here that matrix.org users sometimes cannot see all messages here, but we can see them? And to read invisible messages by refreshing
libera.monerologs.net/monero-research-lab
-
nioCat
reposting from IRC incase matrix dot org cant see ....
-
nioCat
<rucknium:monero.social> MRL meeting in this channel in two hours. Anyone with a matrix.org homeserver Matrix account want to say here that matrix.org users sometimes cannot see all messages here, but we can see them? And to read invisible messages by refreshing
libera.monerologs.net/monero-research-lab
-
m-relay
<rucknium:monero.social> nioCat: Thanks, but AFAIK when matrix.org users cannot see monero.social messages, they cannot see IRC messages either. The IRC relay is a monero.social user.
-
m-relay
<rbrunner7:monero.social> That's also my understanding regarding IRC, sadly it seems to help only if you leave Matrix aside for the moment and "step down" to IRC, with an IRC users, if your Matrix user is on matrix.org. In Monday's wallet group meeting we more or less all ended up on IRC ...
-
m-relay
<rucknium:monero.social> Meeting time!
monero-project/meta #983
-
m-relay
<rucknium:monero.social> 1) Greetings
-
m-relay
<aaron:cypherstack.com> Hello!
-
rbrunner
Hello
-
m-relay
<syntheticbird:monero.social> Hi
-
jberman
hello!
-
m-relay
<rucknium:monero.social> 2) Updates. What is everyone working on?
-
plowsof
Hi
-
m-relay
<diego:cypherstack.com> Hi hi
-
m-relay
<rucknium:monero.social> me: More analysis of the suspected spam. I think I can push the new draft by the time we get to the spam agenda item 😅
-
m-relay
<articmine:monero.social> Hi
-
m-relay
<syntheticbird:monero.social> Working on a monitoring software for monero nodes. I'll use it to build a dataset on which I want to train a neural network to identify network anomalies. This will be part of webpanel idea I had for a little while
-
jberman
me: finished reviewing @jeffro256 's PR to write txs to disk once instead of twice on sync (
monero-project/monero #9135), and wrapping up the Seraphis lib async scanner to speed up wallet scanning another ~20-40%
-
m-relay
<articmine:monero.social> Working on fees and scaling. In particular to support FCMP and ring sizes of 40 or higher
-
m-relay
<articmine:monero.social> Along the lines of what I mentioned before. Also taking a close look at minimum node relay fees
-
m-relay
<rucknium:monero.social> 3) Update from CypherStack on Bulletproofs++ Peer Review:
ccs.getmonero.org/proposals/bulletproofs-pp-peer-review.html
-
m-relay
<diego:cypherstack.com> That's us!
-
m-relay
<diego:cypherstack.com> Progress continues. Things are going smoothly. We expect to complete this proposal by the end of the month.
-
plowsof
0xFFFF has paused his current ccs for the foreseeable future (he is working on the lmdb read/write lock PR, so just wanted to share for visibility)
-
rbrunner
In a few days then? Splendid.
-
m-relay
<aaron:cypherstack.com> We're nearly finished with the report, yes
-
m-relay
<aaron:cypherstack.com> It will no doubt require some additional polish after that. I would be shocked if it were free of typos :D
-
rbrunner
Hoping for a positive outcome of course, i.e. that it will indeed make sense for Monero to switch to ++
-
m-relay
<rucknium:monero.social> Were you able to figure out if the security proofs were sound?
-
m-relay
<rucknium:monero.social> You can wait if you want, but I thought maybe you wanted to be on the agenda to give more details :)
-
m-relay
<aaron:cypherstack.com> We still have doubts based on a significant lack of clarity and some of the "base" results
-
m-relay
<rucknium:monero.social> When the full report is released I may have to figure out if "doubts" is a diplomatic way to say that the soundness proofs are not clearly safe.
-
m-relay
<rucknium:monero.social> "Base" = lemmas in the paper?
-
m-relay
<aaron:cypherstack.com> We haven't identified any particular exploits, if that's what you mean.
-
m-relay
<aaron:cypherstack.com> Generally, the idea is that the proof should convince the reader about the correctness of its reasoning. I will certainly say that several of the proofs in the preprint did not do that for this reader.
-
m-relay
<rucknium:monero.social> That's not really what I mean, but a conjecture is still unproven even if no counterexamples have been found yet.
-
m-relay
<aaron:cypherstack.com> For some we were able to determine the actual intent and make corrections, but for others we were not.
-
m-relay
<aaron:cypherstack.com> Can you be more specific?
-
m-relay
<aaron:cypherstack.com> I do want to be clear that "this proof does not appear to substantiate the claims to our satisfaction" is certainly not the same as "the protocol under question is definitively unsafe"
-
m-relay
<rucknium:monero.social> I think you answered my question with "Generally...". Thanks.
-
m-relay
<aaron:cypherstack.com> I was particularly concerned with the lack of clarity around a key soundness proof
-
m-relay
<diego:cypherstack.com> There is a certain amount of diplomacy here, yes. :P
-
m-relay
<aaron:cypherstack.com> The idea is that the proof needs to build an algorithm called an extractor that has to do very specific things
-
m-relay
<aaron:cypherstack.com> In this case, the proof is extremely informal about this, without detail that convinces me of its construction
-
m-relay
<aaron:cypherstack.com> You will also find the word "presumably" in many places in the report, where we had to make assumptions about intent
-
m-relay
<aaron:cypherstack.com> I'm certainly not trying to be wishy-washy here. Just professional and accurate.
-
rbrunner
This all also seems to confirm something you mentioned last time, that things are considerably more complex compared to "+". IMHO, that doesn't help either
-
m-relay
<aaron:cypherstack.com> Yeah, the second "+" in the name carries a _lot_ of weight
-
rbrunner
We will already have a quite a serious step up in complexity with Seraphis and Jamtis.
-
m-relay
<articmine:monero.social> What are the advantages of ++ in terms of size and verification time?
-
m-relay
<aaron:cypherstack.com> The authors claim single-proof verification time with BP++ (over secp256k1) at 0.840 ms
-
m-relay
<aaron:cypherstack.com> whereas for BP over secp256k1 they saw 2.223 ms
-
m-relay
<aaron:cypherstack.com> (There are other numbers for other implementations, but those are really hard to compare fairly)
-
m-relay
<aaron:cypherstack.com> They also get single proofs at 416 bytes, compared to BP+ at 576 bytes or so
-
m-relay
<aaron:cypherstack.com> I do have one question that wasn't directly addressed. Typically such a review will issue findings and corrections as appropriate, which is what our report does. But it's obviously not a pass/fail sort of thing (though I have seen this before...)
-
m-relay
<aaron:cypherstack.com> Is the community looking for something more cut and dry as a top-level sort of thing?
-
m-relay
<rucknium:monero.social> IMHO, cryptographers on the MRL end should give their interpretation of the final report instead of you needing to summarize it like that. I think I caused some confusion by saying "unsafe". I meant that something that is not definitely proven is not safe enough for Monero mainnet, even if it is not definitely proven wrong in the mathematics meaning.
-
m-relay
<rucknium:monero.social> In other words I don't think you need to put FAIL in bold red letters at the top. Or PASS in bold green as needed.
-
m-relay
<aaron:cypherstack.com> Rucknium: I would agree that Monero-specific interpretation should certainly be left up to community researchers
-
m-relay
<aaron:cypherstack.com> And no, there will not be a big red or green stamp at the top =p
-
m-relay
<articmine:monero.social> This can be a tough question. In my view we are looking at an incremental improvement vs what I see as serious concerns regarding the proofs themselves.
-
m-relay
<aaron:cypherstack.com> (I saw one audit that did issue a pass/fail, and was immediately suspicious...)
-
m-relay
<aaron:cypherstack.com> And anyone who has gone through journal- or conference-style review surely knows that three different reviewers may have three wildly different conclusions
-
jberman
"I will certainly say that several of the proofs in the preprint did not [convince the reader about the correctness of its reasoning] for this reader" -> I think this is a reasonable conclusion and a report that backs up that conclusion in its contents would be satisfactory, rather than a PASS/FAIL
-
m-relay
<articmine:monero.social> I agree this is not a pass / fail question, but the benefit of doubt has to be with the reader and auditor not the prover.
-
m-relay
<articmine:monero.social> In the case of doubt or concerns it becomes a fail
-
m-relay
<articmine:monero.social> For inclusion into the Monero code
-
m-relay
<aaron:cypherstack.com> We do certainly hope that the authors can find value in the report too, to make corrections and improvements as they see fit
-
m-relay
<reuben:firo.org> What about BP+ verification vs BP?
-
m-relay
<rucknium:monero.social> I agree. The stakes are very high. Any real doubts would mean not adopting it into Monero mainnet IMHO.
-
m-relay
<aaron:cypherstack.com> Reuben: they include numbers for that, but it's with different implementations over different curves. Not comparable IMO
-
m-relay
<reuben:firo.org> 🥲
-
m-relay
<aaron:cypherstack.com> In terms of raw numbers, I can say that at least one BP+ implementation (in Rust over Ristretto) is likely comparable to their BP++ implementation. But I haven't tested their benchmark on the same machine
-
m-relay
<aaron:cypherstack.com> Unless you're using the same curve library and fair optimizations between implementations, it's a crapshoot to make claims about raw numbers
-
jberman
+1 based on that conclusion, it would seem ideal next step would be to share the final report with the authors and see if able to fill in the gaps / beef up the proofs
-
m-relay
<aaron:cypherstack.com> Oh Reuben maybe I misread... you weren't asking about BP++ at all?
-
m-relay
<articmine:monero.social> Yes. I agree.
-
m-relay
<aaron:cypherstack.com> @jberman: How would the community like that handled?
-
m-relay
<diego:cypherstack.com> It's always been the plan to release the report publicly and let the original authors know about the report. But we don't want to send and wait for their response before delivery. We also don't care to dictate how the whole process is handled.
-
m-relay
<reuben:firo.org> Was just thinking if BP++ isn't a significant improvement over BP+ then I mean with the risks of BP++ doesn't seem to justify pushing too hard into it
-
m-relay
<aaron:cypherstack.com> Oh OK, you were asking about BP++ vs. BP+. Got it
-
m-relay
<aaron:cypherstack.com> (too many BPs floating around...)
-
m-relay
<reuben:firo.org> FCMP currently uses BP only yes ?
-
m-relay
<rucknium:monero.social> "It's always been the plan to release the report publicly and let the original authors know about the report." This sounds fine to me. There is no need to wait for a response from the original authors. You've already contacted them about a few things anyway IIRC.
-
m-relay
<reuben:firo.org> Forgot if we found a solution
-
m-relay
<aaron:cypherstack.com> Yes. To my knowledge, no one has used BP+ or BP++ arithmetic circuit modifications for that
-
jberman
original plan laid out by @diego makes sense. I think we can assess next steps after that point
-
m-relay
<aaron:cypherstack.com> Rucknium: We contacted them about a couple of initial findings, but nothing beyond that. We hadn't heard back from our latest question
-
rbrunner
I see things similarly to jberman
-
m-relay
<aaron:cypherstack.com> As a courtesy, we would certainly like to inform them directly to let them know about the report and where to read it
-
m-relay
<articmine:monero.social> In my opinion this comes down to the allocation of resources. For example are we better off coding parallel processing and graphics processing with the existing proofs to get the verification time advantage?
-
m-relay
<articmine:monero.social> I know I am thinking as an engineer and not a mathematician.
-
m-relay
<aaron:cypherstack.com> Development is likely to be quite complex compared to BP or BP+
-
m-relay
<aaron:cypherstack.com> For BP and BP+, range proofs work differently than the more general arithmetic circuit proofs they also support
-
m-relay
<aaron:cypherstack.com> For BP++, you basically need the full arithmetic circuit proving system implemented
-
m-relay
<rucknium:monero.social> IMHO the recent suspected spam has exposed a lot of cracks in the network that better engineering could patch. And some cracks that need better math or something.
-
m-relay
<aaron:cypherstack.com> And that doesn't account for optimizations needed to presumably get the numbers they saw
-
m-relay
<aaron:cypherstack.com> To be fair, they do have a reference implementation in C over secp256k1
-
m-relay
<aaron:cypherstack.com> Regardless of the report findings, I think it's safe to say that a complete from-scratch implementation would pose nontrivial engineering risk in itself
-
rbrunner
Yeah, we definitely won't run out of important work soon, so with these shadows of doubts over BP++ ...
-
m-relay
<aaron:cypherstack.com> I'm certainly not trying to influence any decisions here. Just wanted to provide my best assessment
-
m-relay
<articmine:monero.social> For a marginal benefit
-
m-relay
<aaron:cypherstack.com> Other reviewers may have different conclusions
-
m-relay
<aaron:cypherstack.com> ArticMine: the proof size difference is impressive
-
m-relay
<aaron:cypherstack.com> From a verification perspective, tough call. Batch verification is already pretty snappy, and it's not clear at what point the returns from that become diminished compared to the rest of transaction/network operations
-
m-relay
<aaron:cypherstack.com> Anyway, it sounds like the final report should be publicly delivered to the community? And then we can inform the authors directly as a professional courtesy?
-
m-relay
<diego:cypherstack.com> Cool. Can we move on to the next thing for Cypher Stack?
-
m-relay
<rucknium:monero.social> Aaron Feickert: Thank you! Tremendous work. Extremely useful.
-
jberman
Yep, that sounds great to me
-
rbrunner
+1
-
m-relay
<aaron:cypherstack.com> Thanks! Sorry to take up so much meeting time on it
-
m-relay
<rucknium:monero.social> Diego Salazar: Yes, you can move to the next CypherStack item.
-
m-relay
<diego:cypherstack.com> Thanks.
-
m-relay
<diego:cypherstack.com> Given that we're almost done with this proposal, I'd like to discuss the possibility of the next one.
-
m-relay
<aaron:cypherstack.com> BP#
-
m-relay
<diego:cypherstack.com> We've been asked by a few MRL individuals what it would mean to do a Seraphis review.
-
m-relay
<diego:cypherstack.com> Before we give a quote and time estimate, I'd like to discuss with you all hear what exactly you'd want out of such a review.
-
m-relay
<diego:cypherstack.com> Are we looking to formalize Seraphis? A holistic review?
-
rbrunner
Uh, I think the word "exactly" here will prove to be tough :)
-
m-relay
<rucknium:monero.social> Can jberman give the current status of the Seraphis paper?
-
m-relay
<rucknium:monero.social> The critical cryptography is Seraphis needs to be proven. I don't know what the journey there looks like.
-
m-relay
<rucknium:monero.social> The last thing I heard about the paper is that it is missing a few proofs at least. The entity that writes the proofs cannot be the one who peer reviews the proofs IMHO.
-
m-relay
<aaron:cypherstack.com> It had previously been my recommendation that a holistic review is more likely to provide practical benefit and return than a more exploratory formalization
-
m-relay
<rucknium:monero.social> So holistic review means basically figuring out where it needs work and maybe a plan to get it to finalization?
-
m-relay
<rucknium:monero.social> If the cryptographers in MRL want Seraphis to move forward, they need to move it forward. I'm not the best person to move it forward.
-
m-relay
<aaron:cypherstack.com> It would mean considering its security properties more informally, but from a more practical perspective than a strict security model and formalization
-
m-relay
<rucknium:monero.social> ^ This is not aimed at CypherStack, but at other MRL people
-
m-relay
<aaron:cypherstack.com> Seeing as developing a security model after the fact (or trying to use an existing one) may not prove fruitful, and still may not capture all practical risks and threats
-
rbrunner
Could it be said that with a "holistic review" you will "read and think the whole thing through, to find any possible problems"?
-
m-relay
<rucknium:monero.social> Are you familiar with the paper that formalized Monero's current security model?
-
m-relay
<aaron:cypherstack.com> One reason for my recommendation is also that the worst-case scenario for a formalization engagement is "we were not able to develop a security model that is amenable to the design", whereas the worst-case scenario for a holistic review is "here are findings and recommendations"
-
m-relay
<aaron:cypherstack.com> I recall seeing it, but at the time hadn't reviewed it in detail
-
m-relay
<aaron:cypherstack.com> Trying to hunt it down...
-
m-relay
<rucknium:monero.social>
eprint.iacr.org/2023/321 "A Holistic Security Analysis of Monero Transactions" . It even has "holistic" in the name :P
-
m-relay
<aaron:cypherstack.com> Cypher Stack has been engaged in the past to do non-security-model protocol reviews. And we've certainly provided findings.
-
m-relay
<rucknium:monero.social> AFAIK it will appear in EUROCRYPT 2024
-
m-relay
<aaron:cypherstack.com> Rucknium: that's it, thanks
-
m-relay
<aaron:cypherstack.com> Rucknium: keep in mind that AFAIK, reviewers are not required to even read security proofs for that conference
-
m-relay
<vtnerd:monero.social> I forgot about the meeting, sorry. Still working on LWS remote account scanning
-
m-relay
<rucknium:monero.social> And this paper is huge anyway
-
m-relay
<rucknium:monero.social> 87 pages
-
m-relay
<aaron:cypherstack.com> There are some aspects of its security definitions that would need modification for Seraphis
-
m-relay
<aaron:cypherstack.com> and are fairly specific to Monero's RingCT
-
m-relay
<rucknium:monero.social> rbrunner: IMHO you or someone you are working with needs to guide the way on Seraphis formalization. I will not push it forward since it is out of my area.
-
jberman
@rucknium the Seraphis paper sketches a rough informal security model in section 1.2 that's light on details and the Seraphis tx protocol does not have formal security proofs
-
m-relay
<rucknium:monero.social> Thanks, jberman
-
jberman
A holistic review with an eye toward laying groundwork for a formalization of the protocol I think seems a solid route based on @aaron 's recommendations
-
rbrunner
I am pretty innocent regarding all things crypto, I wouldn't put much hope that I can really advance something here, even if I wanted
-
m-relay
<rucknium:monero.social> I suggested you since you are semi-official Seraphis project manager.
-
m-relay
<reuben:firo.org> If a way is not found to formalize security, what then? Afaik some aspects of seraphis are hard to prove
-
rbrunner
I see. Yeah, for dev work, mostly, at least so far
-
m-relay
<rucknium:monero.social> If the Seraphis programmers want Seraphis on mainnet, they must get the math arranged.
-
m-relay
<aaron:cypherstack.com> One example of where formalization often comes up short is something like the mempool... this bit an initial iteration of the Spark design, whose security model didn't capture it. I _think_ this linked preprint similarly wouldn't capture it (but am not 100% sure on this)
-
m-relay
<aaron:cypherstack.com> @jberman: Right, an initial holistic review could certainly be done with an eye for future formalization
-
m-relay
<rucknium:monero.social> Probably mempool is out of scope IMHO.
-
m-relay
<aaron:cypherstack.com> Rucknium: ah, I'd disagree. That's how you get things like certain types of burning attacks
-
m-relay
<diego:cypherstack.com> Alright, would you like us to draft up a proposal for a holistic review? All things considered, it seems the logical first step on this Seraphis journey.
-
m-relay
<aaron:cypherstack.com> and is why protocols like Seraphis and Spark need to account for different structural components in transactions
-
m-relay
<rucknium:monero.social> Aaron Feickert: Thanks. I didn't think of that.
-
rbrunner
I think a first rough estimate how such a "holistic review" might cost would help to decide.
-
m-relay
<aaron:cypherstack.com> Anyway, I would have a few questions regarding scope. Namely the following
-
m-relay
<syntheticbird:monero.social> Lacking knowledge but since each methods have requirements for seraphis to be mainnet. Having a holostic and formal review seems like a necessity
-
m-relay
<aaron:cypherstack.com> 1. There are two papers on Seraphis: a general structure one, and an implementation-focused one that instantiates the protocol. Which should be in scope?
-
m-relay
<aaron:cypherstack.com> 2. I know JAMTIS has been under design for a while, and it's included in Chapter 8 of the implementation paper. Is it in scope?
-
m-relay
<aaron:cypherstack.com> 3. There are "information proofs" useful for proving various things about addresses and such to a third party, and they're in Appendix A of the implementation paper. Are they in scope?
-
m-relay
<aaron:cypherstack.com> (these are not security proofs)
-
m-relay
<aaron:cypherstack.com> 4. Are there other specific or general scope items we should consider?
-
jberman
The general structure paper is the paper in scope (the implementation-focused one is there as a helpful resource)
-
jberman
that should answer all 4 q's :)
-
m-relay
<aaron:cypherstack.com> @jberman: Am I understanding right? "Implementing Seraphis" is _not_ in scope?
-
m-relay
<aaron:cypherstack.com> If anything, I would have thought the opposite for a holistic review
-
m-relay
<diego:cypherstack.com> Perhaps one followed by the other?
-
jberman
hmm, a holistic review of the first paper I don't think should take too long in that case
-
m-relay
<aaron:cypherstack.com> True
-
m-relay
<aaron:cypherstack.com> Findings from it could be relevant to the implementation (if in fact the implementation is a proper instantiation of the general design)
-
m-relay
<aaron:cypherstack.com> But it obviously wouldn't capture anything specific to the instantiation, like JAMTIS or other particular components
-
m-relay
<diego:cypherstack.com> I think doing things in a stepwise fashion gives the community the most bang for its buck
-
m-relay
<aaron:cypherstack.com> That's fair. But any reason not to jump right to the implementation paper?
-
m-relay
<aaron:cypherstack.com> It's much closer to what would actually go into a deployed implementation
-
m-relay
<diego:cypherstack.com> The odds are very small, but if something is found in the general paper that makes the community rethink Seraphis entirely, it's helpful that they haven't already raised the funds for the instantiation paper
-
m-relay
<aaron:cypherstack.com> @Diego that's fair
-
m-relay
<reuben:firo.org> Isn't it incomplete just for the general design? Since there are various ways to instantiate seraphis with different security implications no ?
-
m-relay
<reuben:firo.org> Also assuming this doesn't include FCMPs either ?
-
m-relay
<aaron:cypherstack.com> @Reuben: Yeah, any specific instantiation would have security and design aspects specific to it
-
m-relay
<aaron:cypherstack.com> JAMTIS is probably the biggest example
-
m-relay
<reuben:firo.org> Would it also affect security proofs ? Different instantiations have different proofs too no ?
-
m-relay
<aaron:cypherstack.com> The best way to look at it would be that different components (_e.g._ a range proof, a membership proof) need particular security properties proven for any particular choice
-
m-relay
<aaron:cypherstack.com> But ideally you build the overall security model such that things are as plug-and-play as possible
-
m-relay
<aaron:cypherstack.com> So you get something like "assume a range proving system with security properties X, Y, Z"
-
jberman
I figure a review of the first paper could clarify areas in which it needs strengthening, and would be specifically helpful in laying a cleaner path toward formalization and structuring a security model
-
m-relay
<aaron:cypherstack.com> You still need to pick a range proving system and prove those properties
-
m-relay
<aaron:cypherstack.com> @jberman: Although I do wonder how many findings could be addressed simply by "read the implementation paper" =p
-
m-relay
<diego:cypherstack.com> Alright then. Aaron Feickert we'll first make a proposal for the first paper.
-
m-relay
<aaron:cypherstack.com> Anyway, we can certainly do an initial review of just the general design paper
-
m-relay
<diego:cypherstack.com> And then explore further options once that's complete.
-
m-relay
<aaron:cypherstack.com> It does provide a quicker stopping point in the event of major findings
-
m-relay
<aaron:cypherstack.com> But the paper is significantly general that, TBH, I would be surprised (as @Diego notes) if this were the case
-
m-relay
<aaron:cypherstack.com> and it's far more likely that relevant findings would exist for the implementation paper, where the nuts and bolts live
-
m-relay
<aaron:cypherstack.com> Just want to make sure that expectations are set appropriately, given the structure of the papers
-
m-relay
<diego:cypherstack.com> Alright. Then I think that we here at Cypher Stack have our marching orders.
-
jberman
I figure the first paper would be the first thing to review before reviewing the implementation paper anyway
-
m-relay
<aaron:cypherstack.com> I think the best way to look at it would be the following
-
m-relay
<aaron:cypherstack.com> A "positive review" of the first paper could basically say "there exist Seraphis instantiations that are likely secure"
-
m-relay
<aaron:cypherstack.com> Whereas a "negative review" could basically say "no Seraphis instantiation meets this informal security goal"
-
m-relay
<aaron:cypherstack.com> Any more specific conclusions would depend on the implementation paper, which could certainly be a follow-up engagement that I'd be excited to do :D
-
m-relay
<aaron:cypherstack.com> So I'll get information to @Diego for a proposal ASAP
-
m-relay
<diego:cypherstack.com> Great! Nothing else for us then?
-
m-relay
<rucknium:monero.social> Thank you, Diego Salazar and Aaron Feickert . Please put suggested milestones in the proposal if you want them.
-
m-relay
<aaron:cypherstack.com> Thanks everyone
-
» m-relay <aaron:cypherstack.com> hops out of the meeting
-
jberman
sounding reasonable to me
-
m-relay
<articmine:monero.social> Thanks everyone
-
m-relay
<rucknium:monero.social> We are past the hour. The suspected spam is still a topic:
bitinfocharts.com/comparison/monero-transactions.html#3m
-
m-relay
<rucknium:monero.social> I will just post a few more plots. The spam looks like it stopped recently. May be temporary. So, mean effective ring size is rising:
github.com/Rucknium/misc-research/b…s/empirical-effective-ring-size.png
-
m-relay
<rucknium:monero.social> I compared current suspected spam with the Chervinski et al. (2021) simulations:
github.com/Rucknium/misc-research/b…ffective-ring-size-binomial-pmf.png
-
m-relay
<rucknium:monero.social> There are more favorable parameters now (higher ring size and lower spam share of outputs), so less than 1% of rings have an effective ring size of 1. The Chervinski simulation had the share of rings with effective ring size one at 12%.
-
m-relay
<rucknium:monero.social> Chervinski also did a chain reaction analysis, which increased the effectiveness of the attack a little:
github.com/Rucknium/misc-research/b…mages/chervinski-chain-reaction.png
-
m-relay
<rucknium:monero.social> Mean delay to first confirmation from the mempool archive data:
github.com/Rucknium/misc-research/b…s/mean-delay-first-confirmation.png
-
m-relay
<rucknium:monero.social> Mostly below 15 minutes except for two periods that increased to 2+ hours
-
m-relay
<rucknium:monero.social> Input/Output tx types that show 1in/2out increased on March 4, but other types did not:
github.com/Rucknium/misc-research/b…df/images/in-out-tx-type-volume.png
-
m-relay
<rucknium:monero.social> Fee tiers. More non-spam txs paid the 2nd fee tier after the spam started:
github.com/Rucknium/misc-research/b…are-tx-in-fee-tier-spam-removed.png
-
m-relay
<articmine:monero.social> ... but the spam stayed at the low fee tier?
-
m-relay
<rucknium:monero.social> Two ways to look at the data. Maybe all spam was at 20 nanoneros/byte. But there was a burst of 320 nanoneros/byte (3rd tier) on March 12-13 that may have been the spammer switching tiers:
github.com/Rucknium/misc-research/b…es/share-tx-in-fee-tier-all-txs.png
-
m-relay
<rucknium:monero.social> There was also a burst of 320 nanonero/byte 1in/2out in the last day or two before the spammed appeared to stop.
-
m-relay
<articmine:monero.social> This is very helpful
-
m-relay
<rucknium:monero.social> We don't know the budget of the suspected spammer. Maybe they can go to 320 nanoneros/byte. That level would stop txs from the GUI/CLI using the auto fee level from confirming since auto only move from the 1st tier (20) to the 2nd (80).
-
m-relay
<articmine:monero.social> I am also trying to understand the psychology of both the ham and the soam
-
m-relay
<rucknium:monero.social> I have two sets of analysis. One assuming only 80 nanoneros/byte 1in/2out are spam. The other assuming both 20 and 320 nanoneros/byte 1in/2out are spam.
-
m-relay
<articmine:monero.social> If as I suspect the spammer is testing the waters then moving the ham to tier 2 would force the spam to tier 3
-
m-relay
<rucknium:monero.social> The 320 nanoneros/byte could be a central service that tried to get its txs confirmed quickly, too.
-
m-relay
<articmine:monero.social> ... but primarily 1/2?
-
m-relay
<rucknium:monero.social> But I doubt that some large number of ordinary users in unison decided to switch to 320 for a day or two and then switch back.
-
m-relay
<articmine:monero.social> I agree given the past behavior of the ham
-
m-relay
<rucknium:monero.social> Yes. When I use the broad definition of spam, I still use the 1in/2out definition. Just increase the criteria to include the 320 fee level, too. Actually, it is the level of txs that we observe minus the pre-spam "normal" volume of 1in/2out 320/byte txs.
-
m-relay
<rucknium:monero.social> Figuring out if 320 is spam is important to anticipate if increasing the fee may have a large effect on the spam. We don't know much about the suspected spammer.
-
m-relay
<articmine:monero.social> I suspect a BS company testing the waters., as a possible if not likely candidate
-
m-relay
<rucknium:monero.social> And even if this spammer would respond to a fee increase, maybe the next one would have a lower response.
-
m-relay
<articmine:monero.social> My take is that a ring size increase combined with a fee increase could deter this. The ultimate deterrent is FCMP.
-
m-relay
<articmine:monero.social> This brings me to my next question. Do we have a good estimate of a 2/2 tx under FCMP?
-
m-relay
<articmine:monero.social> At least a ballpark. Say between 5000 and 6000 bytes?
-
m-relay
<rucknium:monero.social> The last I heard was probably the same as you. 5.5kB for 2/2, estimated by kayabanerve in June 2023:
monero-project/research-lab #100#issuecomment-1609536076
-
UkoeHB
aaron thanks for your work and clarity on the way forward with the Seraphis papers. I honestly have no input beyond 'here are the papers I wrote as best I could'.
-
m-relay
<articmine:monero.social> Thanks. I have to read this thread carefully, but from what I see a 400000 minimum penalty free zone combined with a 8000 byte reference transaction size will do the trick.
-
m-relay
<articmine:monero.social> This will mean a 4x increase in fees for a 2% minimum growth rate for the short term median. With a dynamic suggested surge this means a 16x increase in fees
-
m-relay
<articmine:monero.social> It would also support ring 40 with the current proofs and tighten the number of transactions in the minimum penalty free zone.
-
m-relay
<articmine:monero.social> As for quadratic fee scaling this can be replaced with a one time additional fee level of 1/4 the minimum fee once the sanity median reaches a predetermined level 1600000 bytes or higher
-
m-relay
<rucknium:monero.social> I'm not familiar enough with the block size scaling model to comment on the dynamic rules. Ring size 40 seems to provide a good safety margin. A modest fee increase seems OK.
-
m-relay
<rucknium:monero.social> The Chervinski et al. (2021) simulation had high attack effectiveness because 1) Ring size was lower (obviously), but just as important (2) The spam assumptions they had only allowed the spam to grow to the 300kB block size. Because the non-spam txs filled less of the 300kB block than now in March 2024, Chervinski filled the rest of the block with a higher share of black marbles than we have now
-
m-relay
<rucknium:monero.social> Of course the spammer can push up the block size gradually. That hasn't happened yet, above 400kB at least.
-
m-relay
<rucknium:monero.social> IMHO more research is needed on fee prediction. The dynamic scaling requires full blocks, which usually requires mempool congestion. As much as possible, users should be able to avoid long waits if they are willing to pay for that convenience.
-
m-relay
<rucknium:monero.social> This goes for congestion due to spam and "real" usage growth.
-
m-relay
<rucknium:monero.social> And users cannot change their bid for block space. There is no replace-by-fee nor child-pays-for-parent in Monero. So users just have to wait in the queue if they don't know that the mempool is congested and they choose a low fee.
-
m-relay
<dave.jp:matrix.org> Rucknium: how many txs/day would attacker need to lower the effective ringsize to 5-6 if we increase ringsize to 40 and honest txs is average 10k ?
-
m-relay
<dave.jp:matrix.org> And how much they are expected to pay in case we bump fees 5x or 10x
-
m-relay
<dave.jp:matrix.org> And how much they are expected to pay in fees, in case we bump fees 5x or 10x
-
m-relay
<rucknium:monero.social> dave.jp: This says that blocks would have to be 1-1.25MB to lower effective ring size to 5-6 when nominal ring size is 40, assuming current "real" transaction volume:
github.com/Rucknium/misc-research/b…ted-effective-ring-size-log-log.png
-
m-relay
<articmine:monero.social> They currently can but the evidence is that psychologically they don't. At least initially.
-
m-relay
<articmine:monero.social> Dynamically changing the suggested fee based upon the transaction pool size together with increasing the initial default growth rate will mitigate this
-
m-relay
<rucknium:monero.social> Let me see if I can quickly get the exact number of spam txs per block
-
m-relay
<articmine:monero.social> Also my proposal of increasing the default growth rate from 1% to 2% will roughly reduce the number of transactions in the minimum penalty free zone to 1/2
-
m-relay
<rucknium:monero.social> What I see is that to get effective ring size to 5.5 when nominal ring size is 40, there will be 403 black marbles in each block (88.4% of all outputs in a block). About 290,000 spam txs per day. That's with the 4 week pre-spam txs considered as a "normal" level of real user txs
-
m-relay
<articmine:monero.social> So combining this with halving the penalty free zone interns it the number of transactions this puts our spammer deep into the penalty
-
m-relay
<articmine:monero.social> In terms of transactions
-
m-relay
<rucknium:monero.social> `(total_block_kb - real_tx_kn) * kb_to_byte * lowest_fee_tier_in_nanoneros * convert_nanoneros_to_XMR * blocks_per_hour * hours_in_day * higher_fee_factor`
-
m-relay
<rucknium:monero.social> `(1205.595 - 208) * 1000 * 20 * 0.000000001 * 30 * 24 * 10 = 143.7 XMR/day` to send spam at that level
-
m-relay
<articmine:monero.social> What was it costing the spammer now
-
m-relay
<articmine:monero.social> Per day
-
m-relay
<rucknium:monero.social> 2.68 XMR/day, assuming the spam is the 1/2 20 nanonero/byte.
-
m-relay
<rucknium:monero.social> 3.53 XMR/day, assuming the spam is the 1/2 20 _and_ 320 nanonero/byte.
-
m-relay
<rucknium:monero.social> But the 320 nanonero/byte suspected spam was low and only happened a couple of days.
-
m-relay
<articmine:monero.social> I believe your figure of 143 XMR per day is in the ballpark. The issue is surge vs maintenance in the penalty zone
-
m-relay
<articmine:monero.social> The spammer can maintain for less but if the spam stops for 100 blocks then the spammer has to surge the short term median again. There is where the cost is
-
m-relay
<dave.jp:matrix.org> How much less if they limit it ?
-
m-relay
<articmine:monero.social> To what?
-
m-relay
<dave.jp:matrix.org> Sorry I misunderstood, so ~140xmr if they continue the spam and would cost more if they stop for 100blocks
-
m-relay
<dave.jp:matrix.org> This looks good on paper, any idea when we go ahead with this fork ? do we wait for 6month or can expedite it.
-
m-relay
<articmine:monero.social> It is more like 80 XMR for maintenance but each drop would cost the spammer up 480 XMR
-
m-relay
<articmine:monero.social> The latter is the hard part for a spammer
-
m-relay
<articmine:monero.social> This is why these kinds of spammers tend to shy away from the penalty
-
m-relay
<articmine:monero.social> Well I have to develop the algorithms. Then it has to be coded. We have to get consensus, give notice etc
-
m-relay
<articmine:monero.social> I will do my best to get this started
-
m-relay
<dave.jp:matrix.org> Thanks articmine, looking forward to it.
-
m-relay
<blurt4949:matrix.org> Late to the party, but it's maybe worth mentioning that 2/2 FCMP transactions could be <4kb with proof aggregation, if I'm interpreting kayabanerve correctly. AFAICT it's similar to BP(+) aggregation, just on the input side rather than the output side. I haven't really heard of this before though.
monero-project/research-lab #100#issuecomment-1609586250
-
m-relay
<dave.jp:matrix.org> Rucknium: anything to change in decoy selection to get better effective ring size even if they spam and fill recent outputs ?
-
m-relay
<rucknium:monero.social> IMHO automatic spam detection is too difficult. An adversary can see the rules for spam detection in the wallet source code and just form the spam to fall outside of the rules.
-
m-relay
<alex:agoradesk.com> ArticMine: assuming that the black marble attack can be combatted without a hard fork prior to FCMP, would you still support the ring bump hard fork?
-
m-relay
<rucknium:monero.social> New version of my black marble flooding analysis:
github.com/Rucknium/misc-research/b…d/pdf/monero-black-marble-flood.pdf
-
m-relay
<rucknium:monero.social> I added sections "Chain reaction graph attacks", "Transaction confirmation delay", "Real user fee behavior", and "Evidence for and against the spam hypothesis"
-
m-relay
<articmine:monero.social> Yes.
-
m-relay
<articmine:monero.social> This is the second time this kind of attack has occurred recently and yes the first one fizzled out this one may also fizzle out.
-
m-relay
<articmine:monero.social> This type of attack looks attractive and when the spammer figures out the real cost tends to stop. Still it makes sense to harden Monero against this kind of thing. Furthermore once this HF is in place scaling and fees would support FCMP. There is also a good case to make the scaling change now when the transaction rates are low. For example transaction rates could increase sharpl<clipped messag
-
m-relay
<articmine:monero.social> y before FCMP making the scaling change much harder on the network then.
-
m-relay
<alex:agoradesk.com> Fair.