08:17:42 Not the room for this 15:01:43 MRL meeting in this room in two hours. 17:00:17 👋 17:00:46 Meeting time! https://github.com/monero-project/meta/issues/1003 17:01:00 hello 17:01:09 1) Greetings 17:01:14 Hello! 17:01:27 *waves* 17:01:30 Hi 17:01:40 Hello. 17:01:47 Hi 17:02:22 <0​xfffc:monero.social> hi everyone 17:03:26 2) Updates. What is everyone working on? 17:04:26 FCMP related work. I did an analysis of Ristretto and we had some discussions with kayabaNerve how to simplify the tree hashing. 17:05:45 me: started FCMP integration (initial task is working on the tree in C++ = table design, code flow, and tests). The async scanner PR (faster scanning) was also merged into ukoe's Seraphis lib, going to start making bite-sized PR's to monero core over the next week in preparation. Also opened a new CCS 17:05:56 me: Working on the fee/ring size tradeoff to deter or defeat black marble flooding. And started working on using the Dulmage-Mendelsohn decomposition to analyze black marble flooding combined with "chain reaction analysis" from Section 4 "Chain reaction graph attacks" of https://github.com/Rucknium/misc-research/blob/main/Monero-Black-Marble-Flood/pdf/monero-black-marble-flood.pdf 17:06:15 Me: Lws-remote-scanning *still*. Expect to be finished this week, unless I hit another snag 17:06:29 As I said in NWLB, I worked extensively on FCMPs. The spec has been iterated with feedback, the GGBP updates made, and two auditors plan to submit SoW within two weeks. I meet a third today and have also distinctly discussed work with CS. 17:07:38 <0​xfffc:monero.social> Me: Wasted a lot of time last week. I am submitting minor PRs here and there. But overall my main task is performance benchmarking suite and then fixing the locking bottleneck we have. 17:09:04 3) Potential measures against a black marble attack https://github.com/monero-project/research-lab/issues/119 17:09:38 For the fee/ring size tradeoff, I am computing these metrics for the most cost-effective fee/ringsize response to a specific adversary budget: 17:09:48 Adversary budget, nominal ring size, fee/byte, effective ring size when flooded by adversary's budget, user's cost for 2in/2out tx, user's tx size for 2in/2out tx, average block size (no flooding), Block size (continuous flooding), one year of blockchain growth (each combination of unpruned/pruned and no flooding/continuous flooding). 17:10:01 Any other metrics I should compute? 17:10:50 tx verification time 17:11:22 Howdy 17:11:44 How can we get that? Have a private testnet with a specific modified ring size and do benchmarks? 17:12:32 Rucknium I think that's doable without any networking element 17:12:34 Sorry, for a brief reminder, what's the ring size 40 verification time? 17:12:34 CLSAG benchmarks probably can be done without a private testnet 17:13:07 Verification time in practice and in theory may be different. 17:13:32 I think the seraphis github issue had some benchmarks 17:13:37 Yes and no. There's the unchanging verification time, and then the prep time. 17:13:39 If we just want to do theoretical verification time, I am ok with that, too. There is time to read the data from storage, too. 17:14:05 It's probably best to simulate the prep time off the mainnet DB? 17:14:09 https://github.com/monero-project/research-lab/issues/91 17:14:27 (So no actual testnet, just a DB) 17:15:41 tevador: that's quite a killer reference hardware koe used there 17:16:09 Tell a monero wallet to construct a K ring member tx from the mainnet database and then verify it? Ok. But probably it is better for someone else to code that since that's definitely not my comparative advantage. 17:16:48 IMHO the March suspected spam showed that monerod has hidden bottlenecks, so actual performance can be different from theoretical. 17:17:25 Grootle is 17ms no batching for 128. CLSAG is 24ms for 40? 17:18:05 https://github.com/monero-project/monero/blob/master/tests/performance_tests/sig_clsag.h 17:20:04 Ok. I will use koe's CLSAG benchmarks for now. If a C++ programmer wants to run more realistic benchmarks, that would be wonderful. 17:20:22 I started testing with a Rust implementation of the Dulmage-Mendelsohn decomposition released with this paper: Vijayakumaran (2023) "Analysis of Cryptonote transaction graphs using the Dulmage-Mendelsohn decomposition." https://moneroresearch.info/index.php?action=resource_RESOURCEVIEW_CORE&id=39 17:20:29 I am having some problems with the tests, but I don't know if it is a problem with the data I am submitting to the algorithm or if the algorithm is just slow (it is single-threaded for now). 17:20:42 That's all I have on this agenda item. Anything else on this item? 17:21:31 kayabanerve the benchmarks in koes's Seraphis paper are very close to 24 ms for a no-batch CLSAG 40 17:21:55 https://raw.githubusercontent.com/UkoeHB/Seraphis/master/seraphis/Seraphis-0-0-18.pdf#page=18 17:22:41 4) Generalized Bulletproofs Security Proofs https://github.com/cypherstack/generalized-bulletproofs/releases/tag/final Aaron Feickert 17:22:50 Yes! 17:23:15 kayabanerve identified an issue with the generalization in the report 17:23:24 It had to do with cross-terms in inner products 17:23:42 A fix was identified that works, but isn't as efficient as we'd hoped with the original idea 17:24:07 The report has been updated to reflect this; I reissued the tag so existing links point to the right one (but the full git history is there) 17:24:26 Kudos to kayabanerve for the find 17:24:38 Clarifying, the additional functionality isn't as efficient. 17:25:03 What is the performance impact? 17:25:20 The originally expected functionality is maintained for all intents and purposes. 17:25:26 Right 17:26:09 We went from a 17:26:11 2 + 2(c//2) poly 17:26:13 To a 17:26:15 2 * (1 + c) poly 17:26:17 Yet we can halve the amount of needed c. 17:26:21 (@rucknum : if you want complete end-to-end daemon testing with a larger ring size, then this PR is a good reference for what needs to change on the C++ side for the daemon to allow larger ring sizes if you get someone available to do that https://github.com/monero-project/monero/pull/8178/files) 17:26:29 Except for branches which demand a full c to themselves. 17:27:33 j​berman: Thanks. I remembered when you worked on the August 2022 hard fork you said that the ring size 11 -> 16 increase was not as simple as changing a few numbers in the code. 17:29:02 We can preserve the original formula without the new features. The new formula and new functionality is overall more efficient. 17:31:03 So everything is going according to the plan or better. 17:32:14 For GGBPs? Yes 17:33:11 I think we can move on to general FCMP discussion. 17:33:34 5) Research Pre-Seraphis Full-Chain Membership Proofs. https://www.getmonero.org/2024/04/27/fcmps.html 17:34:21 An interesting find was that Ristretto doesn't actually help us to remove torsion completely. So we decided to go with the simpler solution of mul8. 17:35:04 The spec, gadgets, layers, and circuit are done. There's some cleanup I want to do on the top-level FCMP code and I need to support aggregate input proofs (which is multiple calls to the circuit). 17:35:50 Performance is extremely hard to benchmark. I said I could not do a production grade lib and would only do one sufficient for working with. 17:35:54 Also the membership proof was simplified to proving that (+/-K,+/-I,+/-C) is in the tree. So we ignore the signs. This allows us to remove the complexity of "permissible points". 17:36:25 Possible downside of torsion is that someone can write a Monero tx construction implementation that has a torsioned tx that the consensus verification would consider valid, but it would be fingerprintable, right? Like the strange txs that dangerousfreedom found? 17:36:38 A side effect is that people will be able to "spend" -C, so effectively burn funds. But we don't see any issues with that. 17:37:12 I had the goal of 35ms in a batch of 10, the prior estimate. We are now clocking as low as 35ms for one and 10ms in a batch of 10. I hope a new Helios/Selene impl would get us ~2x further. 17:37:36 Rucknium: FCMPs torsion clears everything. 17:37:45 tevador: is it possible that a mathematics reviewer or a code auditor would see issues with that? 17:38:20 It should be reviewed during the audit, but I can't imagine what the problem would be. 17:38:29 To be clear, that does not preventing outputs with torsion. It just limits the torsion to that and that alone. 17:40:00 The more notable change of what tevador is discussing is the redefinition of key images from the point L to just the x coordinate. 17:40:13 re: torsion. Using Ristretto without torsion clearing actually reduces the anonymity set to 1/4 of the chain (all keys with the same torsion as the masked key). 17:40:26 So we need torsion clearing. 17:41:11 Yes, we are redefining key images by dropping the sign bit. Should be safe. 17:41:32 And Ristretto offers less torsion clearing (2 steps not 3), but that's not worth it. 17:42:52 I think there will be a migration of the key images table during the update. That's the most efficient solution. 17:43:31 The table in LMDB? 17:43:41 Yes. 17:44:24 jeffro256: Any comments on this LMDB key images table migration? ^ 17:45:20 It halves the amount of spendable outputs. 17:45:21 It means we need to ensure our address protocol can not only output uniqur keys yet keys with unique abs values. 17:45:23 We either need a LMDB migration OR to double our reads (one for +, one for -). 17:45:46 We may already need a migration. Are key images global or per pool? 17:46:40 what pool are you referring to there? 17:46:46 Amount 17:46:51 Global 17:46:57 ^global 17:47:01 Historical outputs are denominated. 17:47:19 Great, then we can either do 2x reads or a migration. 17:47:40 migration is fine 17:50:09 Btw, the migration of key images is effectively a soft fork. It makes double spend validation stricter. 17:51:33 It's justifications are on the gist, but it removes a minor DoS vector re: permissibility. 17:52:06 Crafted points could very feasibly trigger hundreds (thousands?) of additions on accumulation. 17:52:06 And it removes a lot of complexity from the specs and the implementation. 17:52:17 Monero hard forks are usually also soft forks, right? AFAIK, the definition of the two types of forks is that a hard fork allows new txs that used to be not valid and a soft fork prohibits types of txs that used to be valid. 17:53:11 Soft fork makes some previously valid transactions invalid, but previously valid remain valid. 17:53:13 Monero hard forks are hard. 17:53:19 handling compatibility between old nodes <> updated nodes before fork height sounds a bit tricky, but fine. sounds like we may have to keep the old table around up until the fork height 17:53:46 The addition of BP+ wouldn't be accepted by old nodes so BP+ was a HF. 17:54:04 Same with view tags, as we didn't use TX extra. 17:54:06 Correction: newly valid are also previously valid 17:54:09 or at least, nodes would need to keep key images around that don't pass the stricter height up until the fork height 17:54:24 stricter check* 17:54:59 Only if we expect someone to spend both KI and -KI. Otherwise both give the same result. 17:55:22 and producing both KI and -KI as valid key images implies solving the DLP 17:55:52 Due to the existence of the usage of a Htp tbc. 17:56:19 If we had a constant generator for key images, that would not be the case. 17:56:41 But since we use a hash to point, key images are binding to all components of the output key. 17:56:44 For example, when we fixed the octuple spending bug, we do the same check also for key images before the fix. 17:57:53 So we don't need to keep the less strict rule for old outputs. That was my point. 17:58:35 ok I follow, migration sounds fairly straightforward 17:58:58 Anyways, all this is just a performance optimization. AFAICS the math checks out. 18:00:02 In total, FCMP++s have had a lot of work done on development, have hit performance goals without the proper curve impls, and are moving steadily ahead on research. 18:00:29 integration moving full steam ahead as well 18:00:57 Fantastic. Any other business? 18:01:14 In the current trajectory, should we expect full public release in 1.5 years as planned ? 18:04:25 integration I think is still complete-able within 6 months fwiw 18:05:21 We can end the meeting here. Thanks everyone. 23:20:59 any retrospective thoughts on the May 3 consolidation flood, when we had a ~8 hour constant stream of 150/2's (https://i.opnxng.com/r/Monero/comments/1ci9l7g/in_todays_flood_attack_on_the_network/)? is there any indication that it's related to the March flood? are there any potential privacy implications or new insights into DDoS vectors? it still troubles me how this caused major 23:21:01 disruption to some nodes. 23:28:24 there is another consolidation event today and the backlog is presently being cleared 23:48:51 nice catch. it's interesting that it's around the same of the week. 23:57:38 The consolidation flood really affects nodes a lot. Feels like a DoS vector. 23:57:57 Moreso than the tx flood aka black marble attack.