15:02:19 MRL meeting in this room in two hours. 17:00:39 Meeting time! https://github.com/monero-project/meta/issues/1041 17:00:50 <0xfffc:monero.social> Hi everyone 17:00:51 1) Greetings 17:00:55 Hi 17:01:32 Hello 17:01:44 *waves* 17:03:17 2) Updates. What is everyone working on? 17:04:14 me: working on the migration of existing cryptonote outputs into the curve trees merkle tree so they can be used in fcmp's 17:04:34 Finally reviewing jeffro256 pr that really needs shipping 17:05:20 me: Helping with stressnet. Researching the fluff phase of the Dandelion++ protocol. 17:05:24 me: Jamtis-RCT testing 17:07:02 <0xfffc:monero.social> Basically did spend most of my time debugging this: https://github.com/spackle-xmr/monero/pull/13 17:07:02 <0xfffc:monero.social> There is one simple issue (by nature) that stuck. I have to disconnect the node before going to validation. But the core object doesn’t have any access to t_protocol_handler. So I am trying to find a way to fix this issue. Otherwise the PR is ready. 17:07:04 <0xfffc:monero.social> I am going to decide to add it as a flag (—sync-then-verify) or propose it as default way of monerod start up. 17:08:00 3) Stress testing monerod https://github.com/monero-project/monero/issues/9348 17:09:44 I tried jeffro256 's "Blockchain: fix temp fails causing alt blocks to be permanently invalid" https://github.com/monero-project/monero/pull/9395 . I didn't see any of the patched nodes get stuck because of incorrectly marking blocks as invalid. Two of my nodes that didn't have the patch got stuck. 17:10:41 Nice. Thanks for testing! 17:10:56 Stressnet is back to a lower tx volume, which makes the original bug harder to reproduce. Eventually the stressnet tx volume will rise back to the 3+MB block size where the issue was triggered a lot 17:14:17 No more comments on stressnet? Moving on: 17:14:27 4) Potential measures against a black marble attack. https://github.com/monero-project/research-lab/issues/119 17:15:59 I have been looking at the fluff phase of the Dandelion++ protocol. In "Fix embargo timeout in dandelion++" https://github.com/monero-project/monero/pull/9295 vtnerd notes that Monero's D++ implementation sets the time between fluffing to a Poisson-distributed random timer. The D++ paper assumed that the fluff phase would use BTC's diffusion protocol that used an exponential distribution. 17:17:23 In 2022 BTC Core developers changed the name of the random timer from Poisson to exponential because the name was misleading: "Rename and move PoissonNextSend functions" https://github.com/bitcoin/bitcoin/pull/24021 17:18:06 Why it's confusing: 17:19:08 Ahh that would explain why vtnerd used a Poisson dist 17:19:14 A random variable may be a _Poisson process_ if the arrival times between the values have an exponential distribution. The distribution of the number of arrivals in a fixed time period, e.g. one hour, is a Poisson distribution. 17:20:03 I don't know for sure what, if any, the privacy impact of this discrepancy may be (positive or negative). 17:20:33 Remember that this is the fluffing phase, which provides low privacy anyway 17:21:19 I could try to guess the impact. The best comparison I have is in Fanti and Viswanath (2017) "Anonymity Properties of the Bitcoin P2P Network" https://arxiv.org/abs/1703.08761 17:21:33 Fanti is also the lead author of the D++ paper. 17:21:57 I don't know much about the technical details of D++. Is the embargo timeout the delay from when you receive a fluffed tx to when you rebroadcast it? 17:22:18 Fanti and Viswanath (2017) analyze both the diffusion protocol (which has an exponentially-distributed timer) and "trickle", which was the pre-2015 BTC tx propagation protocol. 17:22:53 IMO we should move to the exponential distribution, however I don't think we have actually found the cause of nodes OOMs yet, right? 17:22:54 If the cause is the fluff queue, using the exponential distribution could make the problem worse as connections could go a lot longer without fluffing 17:23:45 AFAIK, the "Embargo" in PR #9295 was the "last defense" against a black hole attack when a defective node didn't send during the stem phase 17:24:07 no embargo timeout starts when you receive a stem tx. 17:24:51 Each stem node chooses a unique timeout randomly 17:25:28 boog900: Something I noticed: for a given mean (i.e. given rate lambda), an exponential distribution has a much higher variance than a poisson distribution. That could support your point 17:25:37 Ideally you cannot determine the order in the stem based on how the embargos timeout 17:26:51 Ah I see, thanks. Does the originating node have an embargo timeout, or does it just try stem again after a certain time period in the current impl? I cam imagine a scenario om which the first node of the stem drops the tx, and then it nevers gets broadcasted 17:28:27 BTC's pre-2015 trickle protocol randomly ordered a node's peers and then sent them with a 200ms delay one after the other. This is not the same as a Poisson distribution, but maybe we could get a rough idea of the privacy of the Poisson-distributed timer if we think that its privacy is somewhere between diffusion (true exponential) and trickle. 17:29:38 The originating node also has a timeout, due to the problem you identified 17:30:14 On a realistic simulation of the BTC network graph (Figure 8 of Fanti and Viswanath (2017)), the probability of correctly guessing the true originating node was 30% for diffusion and 60% for trickle when the adversary had one connection to each honest node. 17:31:11 ^ That's without any type of D++ stem protocol 17:32:11 Fanti and Viswanath (2017) didn't think diffusion with exponential delays was very good, anyway. That's why they (with others) wrote the D++ paper. 17:32:56 But in a practical attack scenario diffusion worked better than trickle at defense 17:34:10 By the way, I'm only looking at their results for the first-seen estimator instead of the graph-centrality-based estimators. The latter can be more powerful, but AFAIK we believe that it is not feasible to estimate Monero's p2p network graph after this patch: "p2p: add a reference to Cao, Tong et al. for the last_seen changes" https://github.com/monero-project/monero/pull/5682 17:39:07 That's as far as I've gotten. It may be difficult to directly compute the probability of detection for the diffusion protocol when the timer is Poisson-distributed. Fanti and Viswanath (2017) complain about it a little even when it is the easier exponential distribution. (AFAIK, the computation is much easier with exponential because it is memoryless. Many of the terms in the formulas simplify.) 17:39:59 My guess: It would be better to use the exponential distribution from the original diffusion protocol, but I cannot be 100% sure about it at this time. 17:41:21 Anything more on this agenda item? 17:42:59 5) Research Pre-Seraphis Full-Chain Membership Proofs. Brandon Goodell has submitted a quote for doing review of the GBP security proofs: https://repo.getmonero.org/-/project/54/uploads/e370fc495ccf32276aa40d2858366607/monero-gbp.pdf 17:43:17 kayabanerve , kayabanerve 17:44:03 Above quote is above, I believe we should move forward. 17:44:35 > Their estimate is less than Cypher Stack's quote for the Bulletproofs++ review (my closest comparable, though they're not really the same). Since the hours should be budgeting for the worst case, I personally endorse it 17:44:36 I read it. It looks good to me. 17:46:40 He does not mention payment in XMR? 17:47:08 Not sure that means much ... 17:47:20 I noticed that, too. How is he going to be paid? 17:47:31 But yeah, having him working again for Monero would certainly be nice 17:48:24 They did assume a stablecoin 🤔 Sorry, I didn't think much of that. I'll confirm XMR is viable, else we can ping [@sgp_](https://matrix.to/#/@sgp_:monero.social) to see if MAGIC makes sense, so long as we do want to move forward. 17:48:59 *they didn't explicitly state an option, leaving the examples as stablecoins. 17:50:00 I agree. Brandon accepting XMR would be preferable, especially for the stated rate 17:51:21 I guess the other approach to reviewing GBPs would be to have him not look at the security proofs and instead writing his own proofs, seeing if he reaches the same conclusion. What would be the upsides/downsides of this approach? 17:51:45 That was considered. [@Aaron Feickert](https://matrix.to/#/@aaron:cypherstack.com) spoke against the idea unless an independent methodology was used. 17:51:55 Brandon has probably already looked at the paper I assume, which would bias his thought process 17:52:13 Since practically, proofs will be derived from the existing BP AC proof, we won't actually get such a methodology. 17:52:59 Reviewing the currently stated proofs should be less work and still cause proper evaluation. 17:54:30 Are there objections to moving forward and working out XMR/MAGIC after the meeting *if there's not objections to the quote itself*? Or is the financial aspect something considered critical to work out prior to general consensus? 17:55:25 Just saw the mention, so I haven't checked the backlog... 17:55:58 The GBP work makes changes to the protocol as well, which any independent proof would need to account for 17:56:47 But yes, in this case I think a more efficient and useful approach would be to have a qualified reviewer conduct a review of Cypher Stack's modified protocol and security proof 17:59:41 the approach and price point of Brandon's proposal LGTM, agree XMR is preferable, and I'm fine with MAGIC as a backup for the stablecoin route 18:00:41 I also think payment will work out somehow, so no objection from me to move right after it does 18:05:56 Speaking of audits, I wanted to throw the idea up of auditing the addressing protocol for legacy Cryptonote addresses as detailed in the Jamtis-RCT document, so that we can use this protocol as soon as FCMPs hit (to leverage forward secrecy and so that there isn't a fingerprinting problem when we switch to Jamtis-RCT) 18:06:48 IMHO, there is rough consensus in favor of https://repo.getmonero.org/-/project/54/uploads/e370fc495ccf32276aa40d2858366607/monero-gbp.pdf 18:08:37 We can end the meeting here.