00:17:21 ArticMine: I have often wondered what it would take to set up a super public node whereby your have 500 in connections or a 1000 or more. Thanks for your math as it gives me a few ideas to look at. 13:46:09 kayabanerve: Could you add some links/references to papers to https://gist.github.com/kayabaNerve/0e1f7719e5797c826b87249f21ab6f86 ? E.g. Generalized Bulletproofs, Eagan's divisor technique, maybe Generalized Schnorr Protocol? Thanks. 15:15:28 I'll try to today. 15:30:11 MRL meeting in this room in 1.5 hours. 15:34:43 Matrix users on the matrix.org Matrix homeserver may have to refresh https://libera.monerologs.net/monero-research-lab a lot to see the conversation here because messages to matrix.org are delayed. We can see messages _from_ users on the matrix.org server with no problems AFAIK. (This message will probably arrive to their client with minutes or hours of latency.) 17:00:28 Meeting time! https://github.com/monero-project/meta/issues/986 17:00:36 1) Greetings 17:01:00 hello 17:01:02 Hi 17:01:03 Hello 17:01:04 Hello everybody! 17:01:10 hello 17:01:14 Hi 17:01:18 Hello hello! 17:01:24 hello 17:01:30 hello 17:01:34 Hi 17:01:47 Heyo 17:02:03 Hello 17:02:10 Hi! 17:03:46 2) Updates. What is everyone working on? 17:04:02 Meeting time? 17:04:08 Matrix is broken 17:04:11 I am here 17:04:49 FCMPs, as expected 17:05:21 me: I posted the preliminary report about the suspected black marble flooding: https://github.com/Rucknium/misc-research/blob/main/Monero-Black-Marble-Flood/pdf/monero-black-marble-flood.pdf 17:05:53 @rucknium Very good read! 17:06:17 As of 12:00 UTC today, estimated mean effective ring size is back up to 14 (assuming the spam was by an adversary creating black marble outputs): https://github.com/Rucknium/misc-research/blob/main/Monero-Black-Marble-Flood/pdf/images/empirical-effective-ring-size.png 17:06:27 me: the asynchronous wallet scanner, ironed out final kinks / started on benchmarking. pushing final changes and marking the PR ready for review today 17:07:25 I am also tracking an anomalous rise in 2nd tier fee transactions. We are over 50% without clear cause in the last 3-4 days: https://github.com/Rucknium/misc-research/blob/main/Monero-Black-Marble-Flood/pdf/images/share-tx-in-fee-tier-spam-removed.png 17:07:44 @rucknium do you think we see another wave of the attack rn with tx above 50k/day or is it rather organic? 17:08:27 I am working on the scaling and fees. 17:08:27 Now that we have estimates for FCMP transactions weights. I can say that a minimum penalty free zone of 600000 bytes is realistic. Also a 2% growth rate. Minimum fee about 5x to 6x the current 17:08:49 j​anowitz: I'm not sure. Maybe the increase of 2nd tier fee txs is the suspected spammer changing behavior. Thanks for your questions. 17:09:28 Blocks don't seem as full as last time though 17:09:31 ^ rucknium 17:09:33 At least for now 17:09:51 I also posted a CCS funding proposal to continue this research to help guide decisions on ring member size increases and fees to defend against black marble attacks. Feedback and questions are welcome :) https://repo.getmonero.org/monero-project/ccs-proposals/-/merge_requests/439 17:10:23 Is it not superseded by FCMPs /s 17:10:34 Yes, block/txpool are not full, which means that the auto fee increase in the CLI/GUI should not have been triggered according to what I understand. 17:11:12 I do support further research on rings, even if I'm hopeful to replace them quite soon 17:11:36 kayabanerve: In seriousness, CLSAG with higher ring size is proven battle-tested technology/cryptography. FCMP is not (yet). 17:12:02 3) Discussion on Research Pre-Seraphis Full-Chain Membership Proofs. @kayabaNerve @UkoeHB @AaronFeickert @cypherstack https://gist.github.com/kayabaNerve/0e1f7719e5797c826b87249f21ab6f86 17:12:36 It's also known to be vulnerable, but I wouldn't expect it to be forgeable. 17:12:38 see jtgrassie's comment at the bottom; is this description still valid? https://monero.stackexchange.com/a/11658/42 17:15:01 The scaling proposal will include lowering the surge of the short term median from 50 to 16. Combine this with ring 64 CLSAG and the math for a black marble attack gets real tough 17:15:16 sgp_: selsta can answer about what exactly `wallet2` does (or is supposed to do) with automatic fee increases. 17:15:41 I'm available for questions. This meeting, I'd call for agreement FCMPs replacing CLSAG is a valid goal and if it works out, should be integrated and deployed. 17:16:28 AFAIK the multipliers there are out of date. 17:16:36 Those fee level are for before the last HF in 2022 17:16:45 I'm disinterested in drawing this out for months and having it as delayed as Seraphis. I won't ask to rush it, yet I personally see an efficient path forward and would like to take it. 17:17:06 @kayabanerve I am full of hope for FCMPs but I wouldn't rush them too much until they are properly peer reviewed and audited, also their implementation. 17:17:14 If someone knowledgeable could update that SE post with the latest info, that would be appreciated :) 17:17:48 The linked proposal is comprehensive to the steps of review and auditing. 17:18:01 if there is a backlock or the last block is 90% full -> priority 2, otherwise it selects priority 1 17:18:06 FWIW, I fully support focusing on FCMP that can replace CLSAG before Seraphis. 17:18:10 anowitz: kayaba's proposal is quite thorough with the review process needed; is there any part of this that you feel in inadequate? 17:18:19 Question from a crypto-noob: What is described there in the FCMP gist probably works out, i.e. probably doesn't contain something that totally does not fly? 17:18:43 I have multiple months budgeted for its review in my timeline. One of the first steps on the list is immediately having Aaron Feickert: provide proofs of security for GBPs. 17:18:49 but i don't know what mobile wallets are doing, it's possible they have different auto fee selection code 17:19:07 It has multiple fallbacks rbrunner 17:19:34 If the super efficient DLog proof fail, we have less efficient ones. 17:19:38 There is a need for clarity on fees. I will address 17:19:54 So if there is a problem it probably a quite subtle one, that only a detailed analysis will show 17:20:00 They're still tolerable IMO. As slow as 3 16-out Bulletproofs. 17:20:32 I will repeat what I said on Monday about time allocation for mathematical security proofs: 17:20:34 IIRC "Fail fast and early" is a project management principle. Maybe a single large CCS by Cypher Stack could have this decision tree: 1) Try to write a security proof for GBP. If succeed: 2a) Research "FCMP on RingCT". If fail: 2b) Do the proposed "Seraphis General Paper Review". (2a) would also require another entity to review the security proofs before mainnet. (2b) could mean t hat another entity tries to write GBP security proofs. 17:20:50 No. Several components may not live up to expectations re: intended performance. If one doesn't, it's still acceptable IMO. 17:21:04 Does the "less efficient ones" still require GBP? 17:21:08 To be clear, a security review for GBP would apply to both FCMP-for-RingCT and FMCP-for-Seraphis 17:21:12 That leaves with almost everything having to fail for the effort to fail. 17:21:19 They both use the technique 17:21:31 So I believe it's quite tolerant to setbacks. 17:21:35 kayabanerve: what are the new crypto libraries that you would need to introduce to have FCMP working now? 17:22:22 I am also calling for proofs of all the components, have extensively timelined review, and it'd start with proofs of GBPs which at the biggest concern re: if they fail to work out. 17:22:33 BTW, due to kayabanerve's proposal, I revisited my tower-cycle for Ed25519 and managed to find an even better one where both curves have a = -3, which allows for more efficient formulas to be used. 17:22:46 I +1 FCMPs replacing CLSAG is a valid goal pre-Seraphis 17:23:01 Where do those "GBPs" come from? Somebody else invented them? 17:23:08 Rucknium: We could deploy a non-GBP variant if the divisor technique maintains its performance. 17:23:50 @dangerousfreedom Two curve libs, GBPs, divisors, the circuit, and some util libs 17:24:09 We can near immediately start review + audits of GBPs + divisors 17:24:16 kayabanerve: So we could flow: Try GBP security proofs. If unable: Try security proofs for Eagan's divisor technique. If unable: Start math review of Seraphis. 17:24:30 I mean for CypherStack's work 17:24:46 Happy to hear tevador. I'd love to have you contribute the impls, though they do probably have to be in Rust to minimize FFI traversals :/ 17:25:04 (Not an issue on the scale of the proof, an issue on the scale of EC adds) 17:25:09 Sorry forgot about this again, present in meeting now 17:25:22 kayabanerve: Your proposal would require monerod to include Rust code. Is this correct? 17:25:32 rbrunner: Authors of curve trees, with Aaron Feickert: having notated it 17:25:54 What does "notated" mean? 17:26:01 I'd have to check with Aaron Feickert: if they want to work on the divisors. 17:26:41 Eagen claims the techniques are common with BP++'s permutation argument, so Aaron may have prior experience and the appetite. I'd check before assuming. 17:27:18 Is already clear what Monero with FCMPs would probably mean for hardware wallets? 17:27:19 I have a meeting in two hours to discuss divisors and circuit auditing with a firm for what it's worth. 17:27:36 kayabanerve: You are aware that Aaron Feickert was unable to verify Eagan's BP++ security proofs, right? If they are the same as for the divisor technique, then? 17:27:38 Yes to needing Rust, unless completely rewritten. 17:27:50 (That's also a concern for Seraphis and Jamtis, of course) 17:28:43 Notated means Aaron literally typed up the modifications to the protocol that were proposed by the curve trees authors. 17:28:47 @Rucknium: we documented the GBP protocol, but did not prove it secure 17:29:00 It was not documented previously 17:29:04 The curve tree authors only commented the theory of the math, and did an implementation. 17:29:29 But yes, it is correct that we did not find all BP++ security proofs convincing as written 17:29:34 rbrunner: Hardware wallets would have reduced memory use, actually. 17:29:45 I understand. GBP was "left as an exercise to the reader" in the Curve Trees paper basically. 17:29:58 Rucknium: correct 17:30:11 I think the "bottleneck" for hardware wallets would be: How much new code, and what kind of code, would they have to implement? 17:30:13 They'd do a addendum proof, not the FCMP. This achieves the same proof separation as Seraphis. 17:30:29 Rucknium: The two sets of proofs are completely distinct. 17:31:20 "They'd" refers to the hardware wallets. 17:31:52 It'd be a generalized schnorr protocol of 4 points and three scalars. 17:32:19 It's a very simple protocol comparable to doing multiple schnorr signatures. 17:32:48 It'd also have the same additive blinding currently used w.r.t to the private spend key. 17:33:37 Sounds like "doable" as you describe it, then 17:33:46 Clarifying here, BP++ claims to use similar algebraic techniques to divisors. I'm aware Aaron wasn't convinced for the BP++ proofs. This is a much smaller topic with much more provenance. 17:34:21 Aaron may be interested in reviewing divisors, or they may not be. I'd have to ask. 17:34:49 Aaron Feickert: Would you be interested/claim to be capable of reviewing elliptic curve divisors as posited for use here? 17:35:14 AFAIK the main goal of today's meeting is to get as far as we can on developing a CCS proposal for Cypher Stack (AFAIK Aaron Feickert /Sarang doing most or all of the work) to work on mathematical security proofs and/or review of proposed cryptography for MRL for the next couple of months. 17:35:17 Would need to know the precise scope of this 17:35:24 Noob question, would supporting pre-Seraphis FCMPs require address generation/changes ? 17:35:39 But yes, I'd like to know what, if any, proposals from Cypher Stack the community would like to see 17:35:51 Right now Diego Salazar has one open for Seraphis 17:36:13 Eaten posted the calculation of an elliptic curve divisor which interpolates a series of points as useful for proving in-circuit an output point is the sum of a series of points. 17:36:14 *Eagen 17:36:25 https://repo.getmonero.org/monero-project/ccs-proposals/-/merge_requests/441 CS' open CCS 17:36:28 I'd previously commented on a few possible research areas https://github.com/monero-project/meta/issues/986#issuecomment-2030089046 17:36:48 They commented specifically on challenged evaluation, preventing forgeries, and using the logarithmic derivative to minimize in-circuit multiplications. 17:37:08 It's quite heavy on the group structure of the curve itself. 17:37:25 AFAIK no 17:37:40 No new address/privacy pool. 17:37:59 Well, that would probably also kill it as pre-Seraphis thing, no? 17:38:23 So lucky that we don't get new addresses ... 17:38:24 Aaron Feickert: I wouldn't mind having you also review divisors. I know you believe the review of the circuit may be best done by others. Would you also volunteer yourself as a candidate for this topic? 17:38:41 Something something Weil, Picard group? 17:38:52 kayabanerve: Can you remind me the source documentation for this? 17:39:10 And how you'd intend for this to fit in with any other desired research? 17:39:21 Eagen's EC IP proof using divisors as an IACR preprint. 17:39:50 https://eprint.iacr.org/2022/596 17:39:52 That's it, thanks 17:39:55 Is the current thinking still that much of the work done for pre-Seraphis FCMPs will carry over to Seraphis without massive additional effort? 17:40:09 FWIW, I fully support focusing on FCMP that can replace CLSAG before Seraphis. <= +1 17:40:41 Section 3.2, not 4.*. 17:41:26 On a brief glance, I don't see any particular security model, formal statements, or security proofs 17:41:38 Meaning it's not clear what exactly I'd be doing 17:41:43 I want to use the logarithmic derivative to efficiently prove sign-agnostic (x-coordinate only) knowledge of discrete log. 17:41:44 I also want to use the derivative to prove a series of bits is the discrete log. 17:42:00 They do comment on correctness/soundness, albeit potentially briefly. 17:42:17 3.2.1 17:42:32 3.3.1, 4.2 17:42:38 The authors only vaguely refer to the idea of soundness 17:42:49 TBH I am not interested in trying to extrapolate the intent of the authors 17:42:59 It's legitimately largely commentary on the algebraic nature of curves with a posited usage. 17:42:59 That is not a good use of time 17:43:24 If the authors intend to convince readers of formal properties, they need to state those properties and provide proofs 17:43:36 Sorry to be so blunt :/ 17:44:10 rbrunner: The proof itself would largely carry. The circuit would change. The integration would move to being integrated with Seraphis. 17:44:21 But the proof and techniques and review and audits carry. 17:44:44 Aaron Feickert: To be fair, I wouldn't ask you to certify the paper. I'd ask you to do the second half. 17:45:05 Say more about this? 17:45:29 That paper is on techniques and a posited use case. We'd need to design a R1CS gadget building on those techniques to offer a sound proof. That's what would be proven. 17:45:57 Designing a security model, formalizing the approach, and proving it secure is quite the ask 17:46:06 Much more than "review this preprint" :D 17:46:10 Also, divisors predate Eagen's writings. They apparently have extensive history when you read into them. 17:46:22 Things are getting a bit complicated and if they get even more so it really will take resources from something like Seraphis, no? 17:46:26 Sure, but that's much different than what I see here 17:46:33 Regardless, if they don't work out, we'd fallback to incomplete addition in circuit. It'd be fine. 17:47:15 The idea is to move quickly with this. Seems to me some proof / review work needs some parallelization, i.e. more capacity than simply Aaron's 17:47:22 Aaron Feickert: You have to understand the techniques posited and grok the idea of usage to take that next step ;) 17:47:24 I just want to make clear that "review this preprint" is not the apparent ask here 17:47:29 Incomplete addition in circuit = how much worse performance in verification time and tx size? 17:47:36 You're welcome to bow out and/or sign up for review of the fully posited gadget (again, I'm meeting another group in 2h about this) 17:48:26 I don't want to push Aaron Feickert: out. I'd explicitly next ask them to work on proving GBPs and suggest a distinct group for the divisor work currently posited. 17:48:32 What I figure could remain pre and post-Seraphis with FCMPs on the integration side: the flow of adding/removing to/from the tree in lmdb (even though the elements in the tree will be different), setting up the FFI to the Rust code for prove and verify, the logical flow of verify in the daemon 17:49:09 kayabanerve: I don't fully grok what the ask for divisors is 17:49:20 Rucknium: I believe 2x in time, but I'd have to redo the layout and check. No notable diff in size. 17:49:21 We decline to do the divisor preprint at this time. 17:49:25 "I'd explicitly next ask them to work on proving GBPs and suggest a distinct group for the divisor work currently posited." That sounds good to me. If we can get more people working on the formal security proofs, great. 17:49:36 rbrunner: Yes, my entire proposal is around multiple parallelized tracks. 17:49:48 The biggest change for post-Seraphis integration is probably switching curves and all code surrounding that. My initial estimate seems something like 30-50% of the work would be done 17:50:09 On the coding side, right? 17:50:10 jberman: And a lot of the cryptography ;) 17:50:36 of course, was talking strictly about integration :) 17:50:38 Aaron Feickert: , though this was a bit brief. 17:50:59 Doesn't sound too bad. 17:51:11 @jberman If this goes well, it may justify not moving curves. It also may further justify moving. 17:51:24 Together with the estimate that most of the "theory" side will carry over almost effortlessly 17:51:31 rbrunner: Parallelization of coding, review, and auditing. 17:52:01 Hope you don't rush headlong into a burnout with this ... 17:52:40 If all goes well probably have the time of your life :) 17:52:48 We could near immediately start formal review of parts, formal proofs of parts, and audits of parts of the code, while the next steps off those start development so they're ready for review when the prior wave finishes review. 17:53:12 Stepping back, given this discussion, what would be the desired proposals (if any) from Cypher Stack going forward? 17:53:23 GBP proofs. 17:53:24 There's no sense having a Seraphis review proposal open if this isn't the desired timeline 17:53:49 Even with the understanding that this could yield effectively no deliverable? 17:53:57 That's my immediate comment/request/priority/urge from this community. 17:54:23 Suggestion: Create a CCS proposal to put Cypher Stack "on retainer" for `k` months. Have a flexible plan of the menu of things they would be willing and able to do. Start with the plan and then set tasks based on intermediate outcomes of the research. Create a MRL committee to make the decisions about what the task flow should be as results come in. 17:54:23 (as in, it needs the community to agree, and I urge the community to agree) 17:54:34 Literally all of life ;) 17:54:39 The Seraphis proposal can either be rewritten for GBP proofs or temporarily put on hold whilst a new one is put out 17:54:57 So yes 17:54:58 Rucknium: I'm obviously biased on this topic, but how would tasks be defined and chosen? 17:55:07 I know that people claim differently, but I am pretty sure that Seraphis won't progress much until we hardfork to this new thing. So now review now does not seem to be a big loss. 17:55:29 I ask because such a committee doesn't currently exist :D 17:55:34 Other suggestion: A CCS proposal for FCMPs pre-Seraphis which covers its needs, with a well-documented set of intents and allowances. 17:55:34 rucknium: If such a proposal would be posted, it would have to at least include some examples of what Cypherstack is going to work on 17:55:55 I'm sorry to try to streamline things in this meeting, but I'd like to circle back to Cypher Stack's immediate upcoming work. 17:55:56 Choose who will be on the committee. This structure avoids having multiple CCSes and the delay that involves. 17:55:57 From developer(s), to CS (if not independently CCS'd), to other groups. 17:56:11 If the answer is "we don't really have an answer yet, that's fine. That's the answer." 17:56:23 Other suggestion: A CCS proposal for FCMPs pre-Seraphis which covers its needs, with a well-documented set of intents and allowances. <= Think this would actually be the best, as it will be specific and to the point 17:56:38 Aaron Feickert posted a possible list of things to work on: https://github.com/monero-project/meta/issues/986#issuecomment-2030089046 17:56:53 dEBRUYNE: Seraphis isn't inherently changed by this since it's a composition. We'd prove FCMPs meet the requirements of the composition. 17:57:36 I'm not against a CS retainer, starting with GBPs, and a FCMP slush. 17:58:06 That sounds optimal to me if we can agree on it, with further tasks defined however/whenever. 17:58:33 kayabanerve: Do you prefer a retainer over the specified proposal you mentioned before? 17:58:34 (further tasks re: CS) 17:58:34 AFAIK, no one is speaking up for a Seraphis paper review. If no one wants that in the near term, then that's fine. 17:58:52 The FCMPs side is already well defined 17:59:20 Rucknium: I'll explicitly chime in I don't have thoughts there :p 18:00:13 dEBRUYNE: I don't mind if CS has a retainer, is contracted for GBPs in a CCS, or is contracted for GBPs under the FCMPs slush CCS. It's up to y'all. 18:00:37 Diego Salazar: would appreciate the retainer and I'm sure we have enough work for them, so I'd say retain CS. 18:00:40 Still a bit surprising for me that nobody present here seems to have the slightest reservations to enter this adventure ... 18:00:54 That is distinct to any FCMP slush AFAIC. 18:00:55 From a community perspective, I think this will have best chances of getting funding relatively fast -> A CCS proposal for FCMPs pre-Seraphis which covers its needs, with a well-documented set of intents and allowances. 18:01:02 *AFAIAC 18:01:05 It can even be split up in 2 parts 18:01:09 IMHO retainer is a better idea to reduce delays and maximize time MRL has from CS 18:01:20 rbrunner: I did make a good proposal ;p 18:01:47 Yeah, have to give you that 18:02:03 rbrunner: I think that's why review is sought, to make everyone more aware of potential reservations 18:02:07 Except if the FCMP slush is funded and the first step, GBP review, is held up due it to being on a distinct CCS. 18:02:12 GBPs under FCMPs, separate CCS for retainer after? 18:02:18 *GBP proving 18:02:31 I don't like this :C it'd just solve that concern. 18:02:46 r​brunner: I have reservations. Maybe it hasn't been clear from what I've said. My main reservation is that MRL looks at new shiny objects and doesn't implement anything. Triptych was developed years ago, but Seraphis looked better for multisig IIRC. Now we are on FCMP. 18:03:05 dEBRUYNE: I meant mostly reservations from a "project management" point of view. E.g. "switch horses in the middle of the race" lines of reasoning. 18:03:22 I have some preliminary build system work for FCMPs here: https://github.com/tobtoht/monero/pull/2 18:03:29 I'm still concerned about the relatively large increase in our software supply chain attack surface (introducing 81 new dependencies from various authors + the rust toolchain) and would prefer a low(er) dependency solution or aggressive vendoring where possible. Also considering the extra maintenance burden that that number of deps would add. 18:03:31 FCMPs are almost like a half Seraphis if it makes you feel better Rucknium, and the whole point is actually getting it done. 18:03:59 Membership + Ownership proof separation 18:04:00 TX chaining, if we so choose. 18:04:01 Great multisig. 18:04:04 There is some type of space travel paradox analogy: It never makes sense to launch a ship to another star system because tech will always improve to outpace the ship you sent. 18:04:11 "MRL looks at new shiny objects and doesn't implement anything" smile 18:04:23 tobtoht: I do want to/plan to bring those down. 18:04:55 We'd audit and lock to specific git commits, if we didn't vendor our own tree entirely. 18:05:41 Do selsta and luigi want Rust in monerod? (And other protocol developers?) 18:05:51 Anyway, that's the normal garden variety IT project. It will at least twice as long as estimed now. Will probably fly nevertheless. 18:05:55 And the Core Team 18:07:10 I have the confidence to make the CCS and move forward on my end. Diego Salazar: CS can be included for the GBP proving under that proposal, if you wish in the name of expediency/expected likelihood, or you can independently seek a retainer for whatever tasks (presumably including GBPs at son point ;) ). I'd leave it to you 18:07:46 rbrunner: one year *is* the twice as long. 18:07:55 Realistically, Rust is probably unavoidable in the middle to long term 18:08:05 Even if we give it a hard pass for now 18:08:29 I am afraid we will have to learn to manage the additional complexity that this will bring 18:08:45 I'm so declarative in my prior message as I'm unsure we'll get stronger commentary this meeting and want to hand the terms of rehrar's engagement to rehrar's choice, in what and how it's funded. 18:09:07 I am going to defer to the consensus in MRL and Dev on this FCMP proposal. I am only speaking for myself here not the whole of corr 18:09:08 rbrunner: I'm happy we will have to learn :D 18:09:11 Rust :D 18:09:36 My humblest apologies everyone. My matrix client is acting up and sending and receiving is being finicky. 18:09:48 Core 18:10:25 I'm fine saying I don't speak for core, nor the community, and am moving forward out of my personal view giving me personally sufficiency confidence. 18:10:31 I can't speak re the implementation route, FCMP+RingCT seems like best of all worlds: fends off black marbles on the mid term, buys time for Seraphis development, but its inefficiencies relative to FCMP+Seraphis incentivize the eventual switch to Seraphis. 18:10:35 *sufficient 18:10:43 We had binaryFate saying hello at the start of the meeting? Any comment from them right now? 18:11:21 My next steps are a CCS and some meetings with third parties, including possibly Diego Salazar: (who should check monerologs to view messages) 18:11:35 So all of this to say... I will be opening an FCMP proposal. 18:11:43 To entail what exactly? 18:11:46 Which tasks? 18:12:19 There are many floating around here 18:12:43 I am fine with a CCS that only does GBP security proofs. Or a CCS that does that plus a possible menu of FCMP (if GBP sec proof is obtain) or Seraphis review. I don't really like the idea of a large FCMP-only CCS if the GBP security proofs cannot be established because you may they be wasting time on a protocol that cannot work. 18:12:51 Let's hope no new, even shinier object comes around the corner for quite a while :) 18:13:13 My desired discussion is over proving GBPs. AFAICT, Diego Salazar: can agree to handle that first or agree to handle another task first if a distinct request comes in. 18:13:27 you may then be wasting time* 18:13:36 Literally their company :p 18:13:59 Rucknium: We can fallback from GBPs. I said this earlier 18:14:16 What's the falback? 18:14:20 ^ 18:15:19 rbrunner: FCMPs can be made faster. Beyond that, the only improvements are forward secrecy (Seraphis being the shiny thing there) 18:15:48 BPs, which would still be sufficiently performant with divisors from my estimates. I wouldn't love that though :/// 18:15:59 Who is going to write the code for what is being proposed here? 18:16:14 And would need to double check the exact flow there. 18:16:26 I and jberman: have commented willingness to step up. 18:17:20 So to get enough performance, we would need GBP to be secure or Eagan's divisor technique to be secure. If both cannot be proven secure, then FCMP must have another cryptographic protocol? 18:17:21 I believe it's only if both fail the effort ends at this time (/ requires a new underlying proof). 18:17:41 If we wait for GBPs to finalize, I'd estimate a 3 month delay. 18:19:15 And Aaron Feickert and Diego Salazar said that they will not look at Eagan's divisor. We need someone else to look at that. 18:19:16 I'd rather make the assumption there than continue rings for so much longer. I was fine with Seraphis + FCMPs @ 1.5y. I don't want to hear FCMPs, no Seraphis, is that long :/// 18:19:22 We don't need GBP to be proven secure before any other work is done. But if the security proof attempt does not succeed, consider resource allocation toward FCMP. May not make sense if sec proof attempt does not succeed. 18:19:36 I'm tired, frustrated, and just want to move forward, even if that means some financial risk is accrued. 18:19:40 I have a meeting in 2h re: divisors. 18:19:52 As I've said before, my opinion is "prove it". 18:20:21 We had binaryFate saying hello at the start of the meeting? Any comment from them right now? <--- no specific comment from me. Just following meeting to better grasp various options ahead. 18:20:31 That's what the CCS would do. 18:20:39 But I'm not a cryptographer. But I do know math in other areas. Those areas need proofs too :) 18:20:44 The fallback becomes CLSAG with ring 64 followed by FCMP plus Seraphis 18:21:15 To be clear, do we have new comments or solely debate about a CCS I have yet to put forth? Because the latter will presumably have independent review as all CCSs do. 18:21:19 Personally, I don't see a reason to delay prematurely. Some calculated financial risk is acceptable for an accelerated timeline 18:21:26 If the whole FCMP for RingCT venture fails, so some kind of worst case reasoning? 18:21:38 I'd be happy to later discuss the CCS and breaking it down if we now cover research topics. 18:22:06 If donors don't want the risk, then we can reevaluate. But if the funding is there, it seems worthwhile to try a faster option 18:22:32 This will get funded in no time, I am sure. 18:22:35 I'm pretty sure, it will be funded even with the remaining risks. 18:22:39 @ArticMine I disagree ring 64 is a valid fallback but also don't want to have that disagreement talked through when we're well over the hour :p 18:22:42 sgp_: AFAIK the bottleneck isn't funds. It's Aaron Feickert 's time. Cannot work on FCMP and Seraphis at the same time. 18:23:13 I'm only asking Aaron prove GBPs now, as reusable. 18:23:18 I agree with sgp reasoning. I think the community will likely see this venture as a welcoming and worth risking improvement. 18:23:23 Sounds great to me 18:23:28 I personally think FCMPs are critically important for Monero and are reasonable to prioritize 18:23:35 Now that we have a potential way to do it before Seraphis and without requiring an address change (Seraphis I'd personally estimate is 3y out from deployment with FCMPs), I think it's reasonable to prioritize FCMPs today 18:23:45 As such I'm for CS next task advancing the needle toward FCMP, and holding the Seraphis proposal until later 18:24:58 AFAIK I don't see any disagreement with a CCS proposal for Cypher Stack to only try to write GBP security proofs. Except possibly rbrunner. rbrunner, any comments? 18:25:09 It's a bit funny, if not that important of course, that in the Monero subreddit the main argument against Zcash is "unproved moon math" :) 18:25:41 They will have to find something new after we enter this adventure 18:26:05 I've been against that label for a while :/ 18:26:14 Lol 18:26:23 @rbrunner did Zcash have proper external audits? 18:26:29 No idea. 18:26:34 rbrunner: That's why reviewed security proofs are so important. Zcash had an exploitable flaw in their cryptography that did not have a security proof. There was a security proof for a protocol that was very similar, but not exactly the same as, the Zcash protocol. 18:27:01 Zcash had a detailed writeup on what went wrong 18:27:13 I think we will be able to stay course and really insist on proper proofs, as a community 18:27:33 Fair enough. Ring 64 is the maximum the scaling is designed for and matches the estimated FCMP tx weight. There are lower ring options. 18:27:34 This being said the proper time for this discussion is IF the pre Seraphis FCMP fails. Otherwise it is moot. 18:27:38 It might take longer than now estimated, but still 18:28:25 https://electriccoin.co/blog/zcash-counterfeiting-vulnerability-successfully-remediated 18:28:29 Can confirm proofs are important. 18:28:51 We we plan here is probably bleeding edge alright, but not reckless. 18:29:38 Rucknium: I'm not sure it was unproven vs the proofs were broken. 18:29:48 "This being said the proper time for this discussion is IF the pre Seraphis FCMP fails." Shouldn't discussion of high-ring-size CLSAG still happen in parallel so that there is preparation instead of delay of FCMP does not succeed in its timeline? 18:30:10 kayabanerve: I am sure given my memory of Zcash's writeup 18:30:36 "Importantly, the [BCTV14] construction did not have a dedicated security proof, as noted in [Parno15], and relied mainly on the [PGHR13] security proof and the similarity between the two schemes. The Zcash Company team did attempt to write a security proof in [BGG17], but it did not uncover this vulnerability. Zcash has since upgraded to a new proving system [Groth16] which has m ultiple independent proofs and significantly better analysis." 18:30:38 The 2017 protocol was proven in 2017. 18:31:00 The protocol had a soundness vulnerability per the write up. That doesn't mean they didn't write proofs. 18:31:21 Ah, sorry, the 14 protocol was unproven. 18:31:30 Whatever it was, we probably won't go down the same route 18:31:40 Hopefully 18:32:09 AFAIK, we have reached the goal of this meeting: kayabanerve will draft a CCS for CypherStack to attempt to write a security proof for Generalized Bulletproofs. 18:32:13 The larger point about getting the proofs and the reviews stands in any case 18:32:25 Do we agree we have reached the goal? 18:32:38 Explicit timeline and steps for review, proofs, and auditing included :) 18:32:45 So there will _not_ be a current review of the (general) Seraphis paper? 18:33:21 Aaron Feickert: I do not see much support for that right now. It will probably come later. Sorry about the switch. 18:33:23 No. I'll make a CCS for FCMPs work. Diego Salazar: may or may not join or may or may not do their own CCS (with retainer?). 18:33:48 What do you mean by "may or may not join"? 18:33:55 I hate to be too annoying, but can you give a few sentences on what "FCMPs work" will entail? 18:34:13 There's a lot floating around about this 18:34:14 and I do not want anything left vague 18:34:15 I will not make a CCS on behalf of Diego nor force their participation. 18:34:27 If they want to be part of my CCS, they may. Else, they won't be. 18:34:42 Aaron Feickert: Read my gist. 18:34:49 It's an entire slew of work. 18:35:00 CS would be specifically involved re: proving GBPs. 18:35:09 This is different from what I understood, which is the CCS is _for_ Cypher Stack. Now it is not? 18:35:12 Right, it describes a fair amount. But I want to confirm what CS's scope is 18:35:24 My CCS was always my CCS. 18:35:25 "The gist" is not sufficient, sorry 18:35:48 That doesn't mean only I'd be paid. It means I'd write and manage it for the work in the gist. 18:36:00 If the scope is only "attempt to develop security proofs for the GBP protocol" then excellent, that's suitable 18:36:02 So you would be director of the FCMP project and CS could be a subcontractor? 18:36:26 kayabanerve, "my CCS" is your CCS to get paid for *your* work on FCMPs, right? 18:37:18 No. It's my CCS to manage the FCMPs effort. 18:37:21 I think we can leave it to these two groups to spurt out their specific scopes outside of the meeting (imo) 18:37:28 *sort 18:37:33 Agree :) 18:37:43 I prior stated I plan to make a CCS comprehensive to not only my work, yet ideally to also create a slush for future funding re: FCMPs. 18:37:48 They will find common ground, after some confusion, I am sure 18:37:59 Diego Salazar: would be welcome to be one of the first line items in that CCS. I will not speak on their behalf. 18:38:38 Will take some time until the dust settles 18:38:45 https://gist.github.com/kayabaNerve/0e1f7719e5797c826b87249f21ab6f86#steps-forward 18:39:05 Sorry. https://gist.github.com/kayabaNerve/0e1f7719e5797c826b87249f21ab6f86#steps-and-timeline 18:39:10 Section prior to the one I first linked. 18:39:34 I think it's time to let this poor overworked meeting come to an end. Tomorrow is another day :) 18:39:42 There is an entire slew of proposed work I'd like to create a CCS comprehensive to, so I don't re-request funding every month with new explanations and we don't get burn out from "yet another FCMP proposal". 18:40:00 I am uncertain what the current ask from CS is at this point :/ 18:40:01 While I don't claim it will be perfectly comprehensive, I believe I can create a well-reasoned and agreeable CCS. 18:40:06 And heaven forbid retroactively 18:40:37 Please delay review of my CCS until I actually write and submit it. There's no explicit need to review and debate a document I haven't even written yet. 18:41:28 Rucknium: I don't know if I'd be the director and CS would be a subcontractor. I will not speak for Diego. 18:41:49 I would like to explicitly request CS do the GBPs proving, as I have said many times. I will offer to Diego Salazar to be included under my CCS. I cannot confirm they're willing to be present under it. 18:42:01 If they do their own CCS/retainer, that is up to them. That just means my CCS has one less responsibility. 18:42:02 Yes, I think we can end the meeting. kayabanerve , Aaron Feickert , Diego Salazar you can discuss the details. 18:42:31 👍️ 18:42:40 kayabanerve: Ok, plans to reduce deps sounds good. "We'd audit and lock to specific git commits" <- Yes, prerequisite for reproducible builds. The thing is we can't realistically pin a commit forever. If we'd ever need to bump our Rust toolchain (e.g. to add platform support), I'd expect a number of deps to not build (deprecations, breaking 18:42:40 changes, whatever), so we'd have to update those along with their transitive dependencies, which means lots of external code to review in different places. 18:42:42 if large-ring CLSAG is interesting at all in any aspect, I think it's as a privacy hedge *before* FCMP, not instead of it. 18:42:43 It can. I just do not want to create yet another distraction. The "new shiny thing" is a vintage restoration. It is also dependent on the development of code for parallel processing on CPUs and the future state of technology. 18:43:12 I agree with that one 18:44:17 As a hypothetical... suppose we are not able to prove GBP secure. What would be the consequences? 18:44:36 It's possible to do Seraphis without them, but this is very suboptimal 18:44:53 (without them == without FCMPs, which require GBP for efficiency) 18:45:33 Assuming you mean FCMPs. We'd become reliant on a new proof (as in "of security", or as in protocol) or effectively require divisors to be performant. 18:46:19 And that'd still have notably degraded performance :/ If divisors are optimal though, I believe it'd still work out. 18:46:55 is the correct read of this: We would still consider other less-efficient FCMP options first 18:47:30 Keep in mind that if CS were unable to prove GBP secure, it is entirely possible that someone else could produce a convincing proof 18:47:47 (Though I'm equally sure that someone else could produce a non-convincing proof!) 18:47:59 Hence why I said we'd need a proof, potentially "of security" and not as in protocol ;) 18:48:08 hey its me, I can provide an unconvincing proof! 18:48:12 Our failure mode would _not_ be "a proof is not possible" 18:48:30 Because yes, exactly that. One person's lack of doing so in a timely manner doesn't preclude it ever happening. 18:48:35 sgp_: Yeah, we'd need failures at multiple layers for this effort to go into stasis. 18:49:16 Also keep in mind that Seraphis does work with non-FCMP techniques (like Groth/Bootle proofs) 18:49:26 albeit with footguns attached... 18:51:17 Oh, Seraphis would not go into statis. It'd just lose FCMPs. 18:51:38 (as you note) 18:51:40 *stasis 18:54:24 Thanks everyone for the discussion today 18:55:09 Thanks y'all. Sorry for any contention at the end 18:55:19 Then we are looking at large ring sizes under Seraphis 18:55:19 Which may not require an increase in the minimum penalty free zone. 18:56:04 I must say that I don't like the idea of CS not being able to produce a deliverable :/ 18:56:17 Given that we work hard to provide good value 18:56:35 Alright finally home 18:56:45 My mobile element was really crapping out so things have been spotty, my apologies 18:56:49 And I say this with full knowledge that research does not always yield desired results! 18:57:08 matrix gonna matrix 18:57:20 thank you all, and special thanks to Rucknium for the marbles paper and Kayaba for the new FCMP draft. 18:58:15 Thank you all. 18:58:15 Aaron Feickert: Research is expensive and can be fruitless but you have to do it to get ahead. 18:58:28 We at Cypher Stack would prefer to do our own proposal for this. 18:58:41 I'll draft one up for GBP since that seems to be the direction things are going. 18:59:18 Diego Salazar: definitely be super-duper clear about the nontrivial failure risk 18:59:20 Although my own personal opinion is that the Seraphis general review would need to get done one way or another, and that it would get the community the most bang for their buck at present. 18:59:55 If MRL wants to discuss a retainer-type scenario for CS, we would be open to this. But we would need a lot of things to be crystal clear around how this would happen. 19:02:41 While I don't claim it will be perfectly comprehensive, I believe I can create a well-reasoned and agreeable CCS. <= Looking forward to it! 19:04:16 kayabanerve: Just to confirm, FMCP doesn't require some sort of trusted set up right? 19:05:17 Diego Salazar: I would support a retainer, but I didn't see much support for this during the meeting. I don't want to go against the general sentiment as meeting chairperson. 19:05:49 I think it just needs to be a line item unto itself Rucknium 19:05:58 By the way, meeting chairperson can be taken by someone else if they want or it can rotate. It doesn't have much formal role anyway. 19:06:07 with a million thoughts swirling around about a thousand things, a lot falls through the cracks 19:06:49 We're happy to do one proposal at a time, however. 19:37:01 No trusted setup. 19:37:09 I'd support a retainer. 19:43:00 Proving GBPs 19:43:00 Seraphis composition proving 19:43:01 FCMP+SA+L composition proving, for either the literalized circuit or an abstract idea of a circuit 19:43:02 Review of the soundness proof for the dlog gadget I'm independently sourcing 19:44:38 > Seraphis composition proving 19:44:49 Meaning its authorization proof as given in the paper? 19:45:30 Seraphis isn't my field and I won't comment on it. 19:46:29 For FCMP+SA+L, it'd be the proof of unlinkability under the CDH, the proof of... spend was intended, and the proof... the member existed 19:46:29 Next step for Seraphis review is essentially the current outstanding proposal, which I also think would make sense to roll up into a retainer setup 19:46:35 I don't know the best way to notate it, sorry 19:47:30 Yet for a proof _whatever_ which takes a Pedersen Hash'd tree and outputs a member *re-randomized as described in the gist*, and for the following instantiation of a Generalized Schnorr Protocol, it'd meet the stated goals (membership, spend auth, linkability). 19:47:48 Then, once we have the exact proving system/gadgets/circuit, we'd argue it satisfies the requirements in the composition. 19:48:05 But I have no idea the exact details for Seraphis. I solely wanted to list line items justifying a retainer. 19:48:33 my 2 cents: this is plenty for a retainer 19:50:35 AFAIK, Aaron Feickert is frustrated by the lack of specific direction with some of the proposed work items. Probably people involved in Seraphis should give some specific direction if CS would do a CCS that is larger in scope than just the GBP security proof attempt. 19:50:45 ^ kayabanerve 19:51:10 Rucknium: the scope of GBP proving is well understood 19:51:23 I cannot give any commentary re: Seraphis. If I'm asking to give a specific list of tasks otherwise, I'd be happy to. 19:51:40 Anything past that seems uncertain given what I see as no strong consensus on where to go from where directly 19:51:51 *from there 19:51:51 I did not write all of that to be a specific list of tasks to start work on. I wrote it as a list of subjects which we can discuss here, in MRL, and come to fine details on together. 19:52:00 I solely meant to show there's enough topics to justify a retainer. 19:52:51 By people involved in Seraphis, I mean rbrunner, UkoeHB, jberman, jeffro256 , dangerousfreedom , SNeedlewoods , tevador, probably others. 19:53:06 If I am pointed to not start the conversation, yet to solely hold and perform the conversation, I will tell Diego Salazar and Aaron Feickert a list of what I think will benefit Monero, other developers' opinions be damned. If that's being asked of me, feel free to tell me so. I have plenty of opinions on research and project direction and can do that. 19:53:09 Well, to what extent does Cypher Stack need to be told what to do specifically? There are various tasks here with their own set of champions that CS can help with, but there's no Monero entity to be a direct point of contact to make decisions on the time scale, so.... I think that's the core of the issue. 19:53:09 If Cypher Stack needs a point person for this, then there should be a MRL project manager (or similar) that directs work to CS 19:53:30 But I want to be clear I was not prior intending to be the authority on this matter. I was intending to start the conversation. That's why I've had a lack of clarity. 19:54:02 sgp_: That is what I was suggesting for a "committee" 19:54:05 I share the desire of Diego Salazar to have a defined process for determining any scope and tasks we're there to be a retainer 19:54:16 The only thing I've actually requested of Cypher Stack is to work on proving GBPs, a sufficiently clear goal per Aaron Feickert 's own comment. The rest has been work efforts for us to discuss, as a community, and for me to organize (with no explicit relationship to CS). 19:54:18 silly autocorrect *were 19:54:42 Aaron specifically pinged me, calling my message out. I'm trying to be clear my messages which weren't clear for Aaron to work on weren't intended to be messages for Aaron to work on. 19:54:55 They were intended to be discussions of work topics. 19:55:08 Apologies if it seemed like I was singling out kayabanerve generally! 19:55:20 Assume questions on scope are to the room 19:57:49 Are people seriously open to the idea of their being a committee? That may be ideal. Historically, people have come together to discuss audit scopes and to pick auditors, so ideally this could do the same thing on managing work for the retainer 19:57:50 Four options moving forward: 19:57:50 1) I just move forward on my list of topics and bring finished CCS proposals to the table. I have enough to take over the next few months. 19:57:51 2) We form an explicit committee to vote on how research efforts should be prioritized and worked on, with an explicit structure, ideally using a retainer. 19:57:52 3) This room starts efficiently scoping and agreeing on tasks. 19:57:53 4) Diego/Aaron just make whatever proposals via the CCS and they get funded or don't. 19:58:19 There is a lack of clarity in this room, potentially simply due to people not being online right now. So yes, we probably should just step back and take a day or so. 19:58:58 But moving forward, I would personally support a retainer for Cypher Stack with an explicit work assignment structure. I'd initially point to the list of topics I just posted as evidence there's a sufficient amount of work to discuss, even if they're not fully fleshed out yet. 19:59:38 It's a bit difficult because of the amount of parties saying Seraphis is outside of their wheelhouse. 19:59:43 I'm ok with a committee defining and prioritizing tasks for CS work publicly in MRL meetings for the retainer, and would be ok with being part of it 19:59:56 Of course be advised that there would be tasks for which the company is not ideally suited 20:00:06 And for which we'd recommend going with someone else 20:00:24 I'm fine ignoring Seraphis for now. I'm not fine representing Monero and saying we're ignoring Seraphis for the immediate now. 20:01:13 If there is a retainer, I'd hope for at least two work items initially agreed on, with a third/fourth proposed, and work actually occurring by committee + CS agreement (giving the right to decline to CS). 20:01:43 It just occurred to me that I have no idea why the term "wheelhouse" is used. /me looks it up 20:02:17 Also, I apologize if I am being too... decisive here. I'm not trying to be a dick who overrules everyone. I'm solely trying to 1) push things forward 2) be clear that if I'm being asked to be decisive (due to the lack of clarity felt heavily today), that's the result. 20:04:57 The two work items there's solid consensus to seek to go with CS at this time are: 1) GBPs, 2) Seraphis first paper review (and if nothing gives pause, moving to the second paper) 20:05:02 It's possible FCMP-related tasks can come into the mix and would be deemed higher priority which CS is candidate #1 for 20:05:21 CS wants a clearer process for how that would be decided 20:05:51 Questions to be answered regarding the retainer: 20:05:52 1. Who decides our work priorities/who do we answer to regarding this. 20:05:53 2. Length of retainer and/or length of proposals before we must submit a new one 20:05:54 3. Given retainers are looser with deliverables than specific projects, what are the deliverables expected? 20:05:55 4. What sorts of correspondence is required? Monthly? Weekly? etc. 20:07:56 I know that number 3 can vary from month to month, depending on the project being worked on, but perhaps a consistent deliverable is a monthly write-up or whatever. 20:09:35 And I guess a 5th question, would the retainer be expected to last only until all currently discussed items are exhausted, or would people be open and willing for it to extend further in regards to exploratory things afterwards. 20:10:06 Suggestion: Making a dedicated *workgroup* and therefore matrix/irc channel to this regard. I understand Kayaba willingness to push things forward but that also requires centralizing discussion. I fear other topics of MRL might get shadowed by the ongoing discussion. A more direct communication method between volunteers and member of the pre Seraphis FCMPs effort could be more pro ductive. Not trying to shut out the conversation. I'm just genuinely encouraging at creating a dedicated discussion like what #no-wallet-left-behind:monero.social is. 20:28:16 my thoughts: 20:28:21 "1. Who decides our work priorities/who do we answer to regarding this." -> ideally MRL, but since that's not exactly a defined group tasked with explicit authority over anything, I'm for defining a committee strictly for this CCS retainer 20:28:30 "2. Length of retainer and/or length of proposals before we must submit a new one" -> proposal: a clip that is funded for 2 or 3 month periods and CS can request to refresh the clip when they want to (e.g. 1 month in advance) 20:28:37 "3. Given retainers are looser with deliverables than specific projects, what are the deliverables expected?" -> the retainer would be used to fund specific projects, with deliverables scoped the same 20:28:52 "4. What sorts of correspondence is required? Monthly? Weekly? etc." -> monthly would be nice I think, and payout upon reports / sign-off from committee/CCS 20:31:04 being blunt: ultimately it would be very similar to current CCS proposals except with more power placed into a committee that publicly decides what CS works on, with a quicker path to funding work with the expectation that CS works more consistently on Monero work 21:05:19 That sounds good to me. To elaborate on your point: MRL does not have a defined membership nor decision-making process. It doesn't need to, IMHO. A committee with a defined scope, defined membership, and defined decision-making process can make the retainer work efficiently. CS doesn't want and shouldn't need to have to deal with the undefined "whole MRL" process. 21:07:11 How do we know/how can we measure how well CS are prioritizing Monero work? 21:12:03 We can give you guys 60-80 hours a month. Since payouts aren't until milestone delivery rather than after hour completion, this becomes less of a concern, I think. 21:12:29 In addition, if it's a committee that will be doing this, they will be the ones that need to submit the proposal, not us, I think. 21:13:58 Not to scope creep this thing, but it may even be wiser to just have it be a general MRL funding committee type thing. Raise a bunch of money if you can. Use it to get stuff done quickly. 21:14:25 Because I will also be blunt, if we're going to be the ones making and submitting the proposals anyway, I don't see the benefit in doing a retainer type things vs project by project. 21:15:54 We'd be signing up for more overhead and extra work in terms of reporting. All for slightly expedited CCS money? 21:16:20 Especially if the milestones are going to be released upon project completions rather than time-based 21:43:55 Sorry, I couldnt read the messages on time. 21:45:50 These past years I have been trying to understand Seraphis and I would say that I have a good grasp on what is going on now (with all the crypto theory and codebase). I have not really tried to understand FCMP yet (neither theoretically nor play with the code). So if economy can be summarized with the word scarcity and if we have to choose what to prioritize, I would put kayabaner ve efforts with FCMP first in detriment of the seraphis wallet (and also my CCS). It would be a pity if his motivation on working on this is faded away. Though the theoretical part is the most important, I believe that a solid implementation (what he is proposing AFAIU) of FCMP that works with our current protocol would be an incredible achievement worth the risk to take it. I'm also sure that none of his efforts would be in vain. We would learn a lot about the way to achieve the Holy Grail of privacy. What I dont like is that the deliverable would be done in Rust, IMO we should not mix both though I am totally for different implementations of the same thing. I will try to better understand FCMP in the next weeks so I can contribute with something if ther e is a group dedicated to discuss that and if we redirect all our efforts to that. Thank you very much for the amazing work kayabanerve ! 21:46:09 If CS is on retainer, Monero knows we have a researcher who is there to work on it, and we don’t have to wait for CS to finish other task/work you might have undertaken. 21:47:02 I see the benefit to the Monero community, yes. 21:47:11 Regarding the auditing stuff, I would only pay for auditing when we are really really sure that we want to use that idea. Then I would hire 3 auditing companies (like was done in the past I guess) to review the theory AND the implementation. It seems to me that we don't know what we want to use neither we have the code with FCMP. With Seraphis the implementation is much more advan ced and the crypto used is less controversial I think, but I would still wait until we are on testnet at least so we could heavily test it on our side first. These are my thoughts. 22:01:30 MRL being funded by CCS and then subcontracting work, when required and decided/agreed by the committee, with less proposal writing and reporting overheads for the "subcontractor" does seem a relatively good idea. 22:03:48 Essentially MRL takes on the reputational risk of the "subcontractor", in return for being able to expedite research on directly relevant topics when required and/or recommended (by the commitee themselves or by the wider community).