15:12:43 MRL meeting in this room in about two hours. 17:00:33 Meeting time! https://github.com/monero-project/meta/issues/1061 17:00:40 1) Greetings 17:00:55 Hello. 17:01:08 Hi 17:01:17 Hello 17:03:45 2) Updates. What is everyone working on? 17:03:55 👋 17:04:05 Managing academia, largely. 17:04:24 *waves* 17:04:52 continuing fcmp++ integration, opened a new CCS 17:05:24 me: Finishing initial research on boog900 's transaction relay proposal: https://github.com/monero-project/monero/issues/9334 . I will post it in a few hours. Also discovered that you can natively render LaTeX in GitHub comments now :D 17:06:54 3) Stress testing `monerod` https://github.com/monero-project/monero/issues/9348 17:07:55 0xfffc has a WIP PR to implement dynamic block sync size: https://github.com/spackle-xmr/monero/pull/26 17:09:10 In the previous stressnet we encountered a limit when the block sync size was set to the default 20. Too much data in 20 blocks. Then we cut block sync size to 1 to be safe, but that's inefficient. 17:10:46 <0​xfffc:monero.social> Hi everyone. I am debugging the dynamic-bss algorithm. I will be absent from today's meeting. my apologies. ( if you want to take a quick look, you can find the code here: https://github.com/0xFFFC0000/monero/pull/35 ) 17:10:49 Stressnet is actually not being spammed right now. AFAIK, we will merge this dynamic BSS code plus the newest Monero release code and then start spamming to test it. 17:12:17 Anything else about stressnet? 17:13:16 4) Research Pre-Seraphis Full-Chain Membership Proofs. https://www.getmonero.org/2024/04/27/fcmps.html 17:14:27 howdy 17:16:13 that BSS PR doesn't touch the serialization limits, right? 17:18:00 GBP review is almost back (should have a shareable copy in a couple hours) and should be good to move forward with. It opened a new topic on quantifying security, former and upcoming, which may be worth spending the time on. 17:18:02 <0​xfffc:monero.social> 1. Not directly. But indirectly can user have huge values for their BSS size. 17:18:03 <0​xfffc:monero.social> 2. Serialization limit proposal is here and approved ( https://github.com/monero-project/monero/pull/9433 ). Although obviously extra reviews can help. 17:18:39 Quantifying security meaning N-bit security? 17:18:42 <0​xfffc:monero.social> "New serialization limit" I should say. 17:18:50 Goodell did the GBP review and raised this note, so they'd be an obvious candidate to do such work, yet I believe they're unavailable. Considering we in general don't have researchers to spare, I'd kick the work to the backburner. 17:19:16 Rucknium: Yes, there's a question of if on paper, we should be using 700-bit elliptic curves even today. 17:19:32 The security of GBPs should follow BPs and shouldn't aggravate the problem though. 17:20:07 And that 'on paper' number is largely worthless. The open question was raised for more precise quantification however. 17:20:35 So it isn't in any way a delay to GBPs and their deployment. 17:21:36 Once that's published, we can move forward with auditing the GBP crate I wrote? I believe that's ready and I'll commit my final touches. 17:22:49 The divisor review by CS came back. I forgot if we discussed that. The technique itself holds. Aaron was concerned about the method of taking the logarithmic derivative being unspecified *and* the lack of an exact proof being specified premised on the technique. 17:23:41 I did specify an exact proof, somewhat. I wrote out the exact R1CS gadget, defined how it's instantiated, etc. That was part of Veridise's work conducted while Aaron reviewed the technique itself. 17:24:38 Veridise did share their review with me, as it stands. It correctly takes the logarithmic derivative per their confirmation, and is secure, except for an open question on how I handled some variables. 17:25:39 The technique assumes all variables are positive. That definition loses meaning over a prime field. Numbers are [0, p). The best definition would likely be [0, p/2]? But even that is largely meaningless. 17:27:13 So the next step re: Veridise would presumably be to have them respond to Aaron's review, expand on variables being 'positive' when applied to a prime field (expanding the security proofs as necessary/clarifying them), and update their review of the gadget itself. 17:27:34 Then to kick that back to Aaron. 17:28:28 I'll also note I personally consider the technique being proven yet the application of the technique being questioned the first hitch in this academic process, and effectively a perfect exemplification of Aaron's concerns. 17:28:30 cc Aaron Feickert: who I forgot to ping, sorry. 17:30:00 I'm still discussing hours and timeline with Veridise to get the quote there. The MRL prior approved a limited set of extended hours (I believe bringing Veridise's total approved expenditure up to ~15k). I'm unsure how those hours have been exhausted. 17:32:08 We can get the quote and discuss it at the next meeting or continue discussing approving extended hours. I'll also contextualize even with this discussion, I believe Veridise is still less than the other quotes we received. I don't have an inclination either way as I don't like how handwavy I'm being and not having the firm numbers in front of me. 17:33:08 TL;DR 1) GBPs should be able to move to auditing. 2) Divisors had a hitch in conversion to a proof we're following up on. 17:33:21 So Veridise would be asked to create a new proof of a new proposition or repair a proof? 17:33:43 I've also now asked 3 researchers regarding investigating our HtP to no success yet. 17:33:58 That summarizes research, can hand over to jberman for development. 17:34:13 HtP = Hash-to-point. The one that exists now on mainnet 17:34:37 I don't know if they'd provide the necessary commentary on why integers over a prime field qualify as positive, or if they'd remove the bound on it being positive. 17:35:22 I discussed the work with Veridise's researcher and they seemed to enjoy the work and want to continue, and also believed (with their initial thoughts as a fallible person) it'd be resolvable. 17:36:03 I do support their continued engagement. Their researcher has an extensive track record regarding fields, and their rates have been solid, so I do think they're still the best fit. 17:36:17 And yes, sorry for the unexplained acronym. 17:36:25 "We can get the quote and discuss it at the next meeting or continue discussing approving extended hours. " Is this something to discuss at this meeting? I don't know the difference between these two options. 17:37:36 If y'all agree it makes sense to continue the work, and want to approve *some* hour extension even though I don't have the details on it, that'd be at this meeting. 17:38:20 If we want to quantify the expected extension, current used hours, running total, and new total (upper bound based on hours), I need to wait for their updated quote. 17:39:13 Maybe state a reasonable limit now and we can get loose consensus for that limit. If the new "quote" exceeds the limit, then come back next meeting 17:39:15 I think the latter feels better but I also don't think there's a practical issue with the former and it may get things dome a few days faster, but eh, a few days isn't the end of the world. 17:40:03 Setting a limit on our end so we do properly quantify it, despite the unknown quantities, also works out. 17:40:08 Although no one else is talking so it's hard to measure loose consensus :) 17:40:32 I'd expect 5-10k to be the scale of extended work. 17:40:59 Most of this stuff is over my head, I don't know how to evaluate how much this work should cost ;) 17:41:32 How much of the original CCS fund has been exhausted BTW? 17:42:15 Though I'll practically note 10k, that upper bound, may put us a few k past Cypher Stack raising the question of if we could've gotten more affordable work by choosing them originally. I think that depends on if Aaron would've done the work successfully to this depth, and if work was kicked back to me on issue, it was graced into the existing work without additional cost. Somethin g to potentially consider in the future, despite our inability to change the past. 17:42:55 I also don't regret it as Aaron has done the review and if we didn't have Aaron do the review, we'd need another entity for that purpose which... would've been back to Veridise? 17:43:49 I'll pull up how much of the CCS has been exhausted... I believe less than or about half. 17:48:49 Without knowing too much about the depth of work, 10k is a reasonable enough extension... 17:49:06 Initial GBP review was a separate CCS 17:49:07 GBP review by Goodell - still pulling up the amount 17:49:09 Veridise on divisors - ~15k USD 17:49:11 CS on composition review @ 198 XMR 17:49:13 CS on divisor review @ 38 XMR 17:49:15 That's the only scopes done under this CCS at this time. We haven't moved to code audits. 17:49:50 I did have a gut feeling that Veredise might have underestimated the work somewhat given the disparity of the quotes, but it seems like they have been doing good work thus far 17:50:05 So I'd have to ask sgp_: how much XMR they received for the 10k USD initially for Veridise. 17:50:45 Goodell was 20-24k USD. 17:51:10 So 40k USD liability and 240 XMR of 2000 XMR raised. 17:51:21 *236 to be specific. 17:52:14 MAGIC's current balance for an audit program is $5,151.73, though I believe I am waiting on an invoice from Veridise 17:52:35 300 grand if 150 a XMR, now just 225 grand. We have only spent 25% of the CCS. 17:53:09 sgp_: I was asking the XMR quantity you received for the 10k USD MAGIC handled. 17:53:33 70 I think? I need to check 17:54:21 IMHO, 10K USD to Veridise would be acceptable, but 5K is more reasonable since AFAIK they are sort of fixing a hole in the original work. 17:54:52 yes, MAGIC received 70 XMR 17:54:54 In that case, 306 XMR spent with a ~27k USD liability. 17:55:47 I'll keep 10k as the upper limit approved, barring objections here. I'd like Veridise in total to still be cheaper than other quotes we received so I'd try and keep notably under that. 17:56:03 On the alternative of having gone with CS from the start: to be clear you're saying CS may have caught this issue (this issue that Aaron identified reviewing the application of the technique) that Veridise did not, and so it may have made sense to go with CS from the start? 17:57:37 Another candidate, who provided a flat quote, may have successfully performed and upon noting the positive bound didn't enable a proof in practice, removed that bound successfully. 17:58:22 If Veridise's work ends up more expensive than the flat quotes we received as we pay by the hour for this unexpected edge, then yes, for this work it'd have made sense to go with a flat quote (assuming their success). 17:59:00 Though again, Veridise would then become the candidate for proof review so the quotes for review would change. It's impossible to comment in totality. 17:59:22 I'm just being mindful of this position and trying to be responsible about that it. 18:01:58 Got it. Sounding like a natural review process to me. 10k seems a reasonable upper bound to me, especially considering that's still within the ballpark of the altnerantive quote 18:03:10 Hopefully Veridise aren't reading this chat and know our exact negotiation limits :P 18:03:21 To be clear, Aaron's review was there was a lack of a proof provided by Veridise. That was because I provided a proof. When they moved to reviewing my proof, they didn't mesh seamlessly, creating this hitch. 18:04:00 We already have an hourly rate. I'm not saying it's static across the now months we've been working together, but them changing their rates would be explicitly discussed. 18:04:29 *When Veridise moved to reviewing my proof 18:04:51 I think we have loose consensus to go forward if their quote is 10K USD and below. If above, then bring the quote to the next MRL meeting. 18:08:01 5) Confirm next meeting agenda 18:08:07 I want to ask if boog900 , 0xfffc , and vtnerd want to discuss possible next-generation transaction relay protocols for Monero next MRL meeting, especially this proposal: https://github.com/monero-project/monero/issues/9334 18:08:33 Or another meeting date is OK too. Or never, but that's not as good ;) 18:10:28 <0​xfffc:monero.social> ( quick update: I am close to finishing BSS PR, final testing right now. Once finished, I will work on 9334 full capacity. ) 18:11:12 Maybe MRL should discuss if issue #9334 is a good idea first :D 18:11:38 IMHO, it has some privacy issues that might be fixed by injecting some noise 18:11:42 This broadcast proposal is critical for determining bandwidth propagation limits for scaling 18:12:18 Limiting unnecessary tx broadcasts 18:12:26 Kayabanerve 70 from ccs to magic 18:12:52 https://repo.getmonero.org/monero-project/ccs-proposals/-/blob/master/fcmp++-research.md 18:12:59 <0​xfffc:monero.social> In my opinion it is critical too. Bitcoin is using it right now IIRC. 18:13:22 <0​xfffc:monero.social> ( approach similar to 9334 ) 18:14:58 Yes there is a lot of wasted bandwidth now. Adding some "pull" methods can allow an adversary to query a node's transaction pool. 18:16:01 <0​xfffc:monero.social> I am sure there are some defensive mechanism for that. I have to look at the literature. 18:16:21 I already have. That's the comment I will post in a few hours 18:17:48 The comment is about where the risks come from (black hole attack scenario and network topology learning) and what some of the options are. 18:20:06 We can end the meeting here. 18:20:22 <0​xfffc:monero.social> Great. Thanks :) 18:28:45 Thanks for hosting 18:41:58 Rucknium: yeah I would be happy to discuss that next meeting, I'm waiting for your comment on 9334 but FWIW 9334 does not make the problem worse, we already have methods to directly query a nodes pool + some other methods that allow it as a side effect. 18:41:59 IMO we shouldn't delay work on 9334 when we are still exposed to this attack vector. 18:47:22 I have also been thinking about ways we can stop peers from using the new messages in 9334 to query a nodes pool, and one way would be to send a 1 byte random token with the tx hash and require this same token to be sent when the tx is requested 18:48:06 Slightly more data would need to be sent but still a lot better than the current protocol 18:52:28 boog900: Yes, those existing methods could be modified 18:53:39 Maybe it could be rushed, but is that necessary? Have all the options been evaluated? Will more technical debt be created if #9334 is implemented, then a better way is discovered? 18:54:12 Probably it would be good to have the next generation relay protocol ready for the next hard fork. 18:55:51 The bandwidth could be cut in half without new methods by setting a maximum limit on the connection fluff timer. If above the 50 percentile, then don't relay. 18:57:11 I don't think that's a good long-term solution, but it's just another option 19:19:15 To completely remove this attack vector would not be a small task IMO 19:20:33 Rucknium: do we have numbers on how knowledge of the P2P graph affects D++ stem stage 19:20:47 Yes 19:21:34 Section "How much does p2p network topology discovery help an adversary link a transaction to an IP?" of my https://github.com/monero-project/monero/pull/9218#issuecomment-2260917643 19:22:02 Actually some of the D++ paper's graphs are hard to interpret since their scales have just one labeled tick 19:22:14 and they are log-scaled 19:23:12 So I tried my best to use eyeballs. Their simulation code is open source on GitHub (recently updated for Python3) so we could re-run a lot of that 19:23:44 Fig 3 is made with knowledge of the anonymity graph right? 19:25:14 anonymity graph = exact 4-regular 19:25:15 graph in this case 19:25:27 IIRC, the Max Weight estimator is what the adversary would use if it knows the p2p graph 19:26:32 I think knowing the private subgraph (4-regular) or the p2p wasn't completely clear from how they explained it, but later in the paper it looks like they mean knowledge of the p2p graph 19:26:57 `On the other hand, if a 4-regular graph is unknown to the adversary, it has a precision very 19:26:59 close to that of line graphs (orange solid line in Figure 3). But if the graph becomes known to the 19:27:01 adversary (orange dotted line), the increase in precision is smaller. At p = 0.15, the gain is 0.06—half 19:27:03 as large as the gain for line graphs. This suggests that 4-regular graphs are more robust than lines 19:27:05 to adversaries learning the graph, while sacrificing minimal precision when the adversary does not 19:27:07 know the graph.` 19:28:35 Ah. Hm. I was looking at appendix C too. 19:36:24 I think C is also talking about knowledge of the anonymity graph: 19:36:25 `However, Figure 15 illustrates the average precision for an adversary that 19:36:27 knows both the graph and the internal routing decisions of each node. Here, the trend is reversed: 19:36:29 line graphs have a precision that is upper bounded by p, whereas on 4-regular graphs, the precision 19:36:31 can be higher than p. This makes sense because on line graphs, each node has only one possible 19:36:33 routing decision, so the additional routing knowledge of the adversary does not help.` 19:39:26 I think you could be right. I was thinking they were talking about the overall p2p graph since their earlier paper of bitcoin diffusion analyzed what additional accuracy an adversary could get from knowing the p2p graph. So maybe the D++ paper doesn't analyze how an adversary could use the overall p2p graph to de-anonymize the stem phase. 19:42:31 At the end of Appendix C, they say that an attack to learn the routing dicisions (deeper knowledge than just the 4-regular graph) is very expensive. Basically Sharma, Gosain, & Diaz (2022) took that as a challenge and developed an estimator and simulations of how to learn the 4-regular private subgraph https://moneroresearch.info/index.php?action=resource_RESOURCEVIEW_CORE&id=130 19:44:00 Sharma, Gosain, & Diaz (2022) needed to create an unreasonable (IMHO) large number of transactions per node to estimate the private subgraph. AFAIK they needs the overall p2p graph first to run their estimator. 19:45:36 But knowledge of the p2p graph still helps an adversary that black holes a transaction since honest node(s) in the preceding stem path go into fluff mode. 19:47:36 There are other attacks that use knowledge of the network graph like 0-conf double spending, partitioning, and eclipse. (But some researchers think these attacks are hard to execute anyway.) 19:52:49 Granted, those same researchers said "please use our new protocol that makes the p2p graph public, because those possible attacks aren't so bad." 19:53:30 Same researchers that suggested the Clover protocol as an alternative to D++ 19:55:28 I'll revise my comment on PR #9218. Thanks for catching my misinterpretation, boog900 20:44:19 <0​xfffc:monero.social> ( I skimmed this last week. Basically very similar to dandelion++. I didn’t see a substantial redesign. ) 20:49:54 ehh it is different, from routing txs from inbound peers to other inbound peers and vice versa for outbound peers. 20:49:55 My initial thoughts are it probably is an improvement from D++ given that peers that don't accept inbound connections are not useful for D++ but I agree with Rucknium that they did not do as deep a dive as the D++ paper. 20:54:07 according to the clover paper only 10% of the Bitcoin network is reachable