15:00:46 <m-relay> <r​ucknium:monero.social> MRL meeting in this channel in two hours.
16:17:16 <m-relay> <j​effro256:monero.social> I'm attaching a document from Trail of Bit
16:17:37 <m-relay> <j​effro256:monero.social> It's from their Statement of Work and describes who would work on the Carrot audit
16:17:55 <m-relay> <j​effro256:monero.social> Those on IRC, if you want a copy, email me at jeffro256⊙tc
16:18:09 <m-relay> <j​effro256:monero.social> https://matrix.monero.social/_matrix/media/v1/download/monero.social/wJNcQpFYWVQwITphJvOSQhEo
16:22:50 <geonic> link works on irc too
16:27:03 <m-relay> <j​effro256:monero.social> Ok, sweet. TIL
16:43:08 <m-relay> <r​ottenwheel:kernal.eu> Nice jeffro256!
16:44:58 <m-relay> <s​yntheticbird:monero.social> So, do we expect an Audit arena once again in this meeting? (Will all auditors from last meeting be present?)
16:45:25 <m-relay> <j​effro256:monero.social> Nope
16:46:02 <m-relay> <j​effro256:monero.social> Well, I guess I can't stop them from being present ;). But they weren't explicitly invited to this meeting
16:47:00 <m-relay> <s​yntheticbird:monero.social> ack
16:47:02 <m-relay> <r​euben:firo.org> Jim Miller worked on our earlier Lelantus audit
16:48:50 <m-relay> <j​effro256:monero.social> How did that go?
16:48:56 <m-relay> <r​euben:firo.org> While I think they did a good job, they did miss a fiat-shamir thing (which was exploited) which lead to his article :)
16:49:27 <m-relay> <j​effro256:monero.social> Was it the Bulletproof Fiat-Shamir issue?
16:49:30 <m-relay> <r​euben:firo.org> I got feedback from others to say it should have been caught
16:49:56 <m-relay> <r​euben:firo.org> I think so I'm not technical so yeah but thought it was worth pointing out
16:50:54 <m-relay> <k​ayabanerve:matrix.org> FCMP++s mirrors Orchard and kills it accordingly.
16:51:19 <m-relay> <r​euben:firo.org> https://github.com/trailofbits/publications/blob/master/reviews/zcoin-lelantus-summary.pdf
16:51:50 <m-relay> <k​ayabanerve:matrix.org> Proofs are an opaque byte buffer. Any item read is automatically transcripted. You can't have a proof element not transcripted accordingly.
17:00:34 <m-relay> <r​ucknium:monero.social> Meeting time! https://github.com/monero-project/meta/issues/1090
17:00:39 <m-relay> <r​ucknium:monero.social> 1) Greetings
17:01:03 <rbrunner> Hello
17:01:07 <m-relay> <j​effro256:monero.social> Howdy
17:01:17 <m-relay> <r​ucknium:monero.social> Reuben: Thanks for the info!
17:01:40 <m-relay> <j​effro256:monero.social> Yes, thanks for the input, Reuben
17:03:49 <m-relay> <o​ne-horse-wagon:monero.social> Hello.
17:05:15 <m-relay> <r​ucknium:monero.social> 2) Updates. What is everyone working on?
17:05:19 <m-relay> <v​tnerd:monero.social> Hi
17:06:00 <m-relay> <k​ayabanerve:matrix.org> 👋
17:06:13 <m-relay> <v​tnerd:monero.social> Nearing completion on a separate span update patch in monerod, and testing the LWS to boost::beast conversion
17:07:08 <m-relay> <k​ayabanerve:matrix.org> Discussed next step of divisors is moving forward. I'm still working on tidying FCMP++ for the next steps of integration.
17:07:38 <m-relay> <r​ucknium:monero.social> me: Finished Dulmage-Mendelsohn decomposition analysis of the suspected black marble attack. The DM decomposition increased the number of rings with effective ring size zero from 0.57 percent to 0.82 percent (an increase of 44 percent). Also finished analysis of tx fluff phase log data. Will post the write-up after the meeting.
17:07:46 <m-relay> <j​effro256:monero.social> me: Carrot balance recovery integration, still. I'm trying to tie it into @jberman's async scanning framework as well
17:08:15 <m-relay> <j​berman:monero.social> *waves*, continuing work on wallet syncing the tree for fcmp++ with minimal data stored, so full wallets can construct fcmp++ referencing updated owned output paths in the tree
17:08:59 <m-relay> <r​ucknium:monero.social> 3) Stress testing monerod. https://github.com/monero-project/monero/issues/9348
17:09:52 <m-relay> <r​ucknium:monero.social> The current streessnet is scheduled to be deprecated in two days (unless someone makes a compelling argument to not deprecate it). I think we will set up a new stressnet when FCMP++ is testnet-ready.
17:10:15 <m-relay> <r​ucknium:monero.social> Deprecation = I'll stop sending spam and shut down a few of my nodes
17:10:42 <m-relay> <j​effro256:monero.social> Rucknium rules the stressnet with an iron fist
17:11:59 <m-relay> <r​ucknium:monero.social> 4) Research Pre-Seraphis Full-Chain Membership Proofs. Reviews for Carrot. https://www.getmonero.org/2024/04/27/fcmps.html https://github.com/jeffro256/carrot/blob/master/carrot.md
17:12:54 <m-relay> <j​effro256:monero.social> It would be nice to make a decision today for Carrot auditing so we can set up the CCS / MAGIC, etc and get the ball rolling
17:13:28 <m-relay> <j​effro256:monero.social> I have an opinion, but I'll save it until after others get their chance to chime in
17:14:04 <m-relay> <r​ucknium:monero.social> Here is my rank (1 being most preferred). 1 Cypherstack. 2 Quarkslab. 3 Veridise. 4 Trail of Bits. 5 Zellic. I post this to be provocative so that others who are more knowledgeable tell me why I am wrong.
17:15:06 <m-relay> <s​yntheticbird:monero.social> Yeah that was pretty obvious with Zellic being last.
17:15:49 <m-relay> <r​ucknium:monero.social> I looked at the example reviews/audits that some of the firms provided. I looked for the level of cryptographic review and how similar the work was to what Carrot requires.
17:16:02 <rbrunner> That's interesting. I found that Zellic company and their people quite interesting, and would find it interesting having them work for us. Why definitely last, for all things?
17:16:42 <rbrunner> Working in very different areas?
17:16:54 <m-relay> <r​ucknium:monero.social> Trail of Bits did a Stealth Address review, but the team that did that review is not the same as who would work on Carrot.
17:17:43 <rbrunner> Beside finding Zellic, I only have an opinion about 1 other company: Cypherstack, because known quantity, track record and "closeness" to our ecosystem
17:17:53 <rbrunner> *Beside finding Zellic interesting
17:17:58 <m-relay> <r​ucknium:monero.social> The examples that Zellic gave analyzed code more than the cryptography and were basically smart contract audits AFAIK.
17:18:43 <rbrunner> Alright, I did not look that closely.
17:19:12 <rbrunner> Maybe code reviews would be more appropriate giving to them, later on?
17:21:27 <m-relay> <r​ucknium:monero.social> I like that Quarkslab analyzed BP+ and found at least one issue in its mathematical proof. On Veridise, maybe it's unfair, but their divisor proof we commissioned them for was not tight enough, so that lowers their rating IMHO.
17:26:31 <m-relay> <r​ucknium:monero.social> kayabanerve: Do you plan to give an opinion on Carrot reviews? I would like to hear from more cryptographers on this.
17:27:54 <m-relay> <k​ayabanerve:matrix.org> I'd endorse CS personally. They're the best priced on a reasonable timeline and completely trusted.
17:30:15 <m-relay> <s​yntheticbird:monero.social> Not a cryptographer, but I've heard of Zellic (and perfect blue team) reputation before even joining the Monero community. I think they may be the most inclined to *think out of the box*. But again, not a cryptographer and no data to back it.
17:32:02 <m-relay> <r​ucknium:monero.social> jeffro256: Can you share your opinion?
17:33:59 <m-relay> <k​ayabanerve:matrix.org> The only reason not to go with CS is a limited availability argument or we want to build relationships with other groups *at cost* IMO
17:38:58 <m-relay> <j​effro256:monero.social> Not to be a copycat, but my ranking was very similar to Rucknium's: 1. Cypherstack 2. QuarksLabs 3. Veridise, and then a tie between Trail of Bits and Zellic. Cypherstack was the most affordable and would have Surae, a coauthor of CLSAG overseeing the audit. That means that they would be able to being over their knowledge of RingCT composition to apply in many ways to FCMP++ compo<clipped messag
17:38:59 <m-relay> <j​effro256:monero.social> sition. QuarksLabs is also a great candidate because they are very familiar with Pederson commitment related cryptography and rerandomization, making their previous knowledge applicable to FCMP++ composition. As for Trail of Bits, they were on the higher end of price, but tend to produce decent results consistently. Zellic was somewhat of a wild card, as their main focus AFAICT ha<clipped messag
17:39:01 <m-relay> <j​effro256:monero.social> s mainly been smart contract code, but they seem exceedingly capable at finding High and Critical level vulnerabilities, if their published track record is to be believed. They are also the only firm who hasn't worked with Monero yet, AFAIK. As was mentioned earlier, they might be a better candidate for the reviewing a concrete implementation.
17:40:51 <m-relay> <j​effro256:monero.social> If Cypherstack can confirm that the turnaround time would be <= 6 weeks, then that would be on par with the rest, and I would recommend that we go with them
17:41:25 <m-relay> <r​ucknium:monero.social> Diego Salazar: Question for you ^
17:41:34 <m-relay> <d​iego:cypherstack.com> ye
17:41:56 <m-relay> <d​iego:cypherstack.com> damn I really need to raise my prices
17:43:29 <m-relay> <d​iego:cypherstack.com> yes turnaround time will be 6 weeks or less
17:44:06 <m-relay> <r​ucknium:monero.social> I think we are close to loose consensus in favor of contracting Cypher Stack to perform the Carrot review.
17:44:37 <rbrunner> Yeah, still waiting for a dissenting voice :)
17:44:40 <m-relay> <k​ayabanerve:matrix.org> I also vote we no longer publicize prices so CS cannot learn how 'competitive' they are or are not /s
17:44:51 <m-relay> <d​iego:cypherstack.com> As a bonus I can have one of my illustrators draw Monero Chan holding a carrot
17:44:53 <m-relay> <r​ucknium:monero.social> Does anyone want to suggest another plan of action?
17:48:07 <m-relay> <d​iego:cypherstack.com> I say this every time but never do for you guys at MRL. Just love you guys too much.
17:48:30 <m-relay> <s​yntheticbird:monero.social> Diego. The community answered yes to your illustration proposal.
17:48:43 <m-relay> <r​ottenwheel:kernal.eu> Please do not. 😅
17:48:45 <m-relay> <r​ucknium:monero.social> I see loose consensus in favor of contracting Cypher Stack to perform the Carrot review. Thanks all for reviewing the reviewers and especially jeffro256  for writing the Carrot specification and working with firms to get quotes, etc.
17:49:20 <m-relay> <r​ottenwheel:kernal.eu> 🤨👎
17:49:45 <m-relay> <d​iego:cypherstack.com> ok, and to understand a separate CCS is being opened for this, yes?
17:49:50 <m-relay> <s​yntheticbird:monero.social> Cypherstack theory and Zellic on code seems to be a balance plan of action.
17:49:51 <m-relay> <d​iego:cypherstack.com> That's what I recall after the last meeting
17:50:33 <m-relay> <r​ucknium:monero.social> Diego Salazar: Yes. AFAIK jeffro256 will handle bureaucracy from here.
17:51:08 <m-relay> <d​iego:cypherstack.com> Sounds good.
17:51:43 <m-relay> <j​effro256:monero.social> Yes. Carrot wasn't defined as part of the scope for kayabanerve FCMP++ CCS, so it shouldn't thrown in now IMO even though it is applicable
17:52:43 <rbrunner> We had people asking on Reddit how they can donate, and I mentioned that probably soon a "Carrot" CCS will go up
17:52:54 <m-relay> <r​ucknium:monero.social> Do we have more items to discuss on FCMP? Or any other agenda items?
17:53:05 <m-relay> <o​ne-horse-wagon:monero.social> Rucknium:
17:53:19 <m-relay> <k​ayabanerve:matrix.org> 1) It isn't in-scope
17:53:19 <m-relay> <k​ayabanerve:matrix.org> 2) I wasn't involved with quote solicitation
17:53:21 <m-relay> <k​ayabanerve:matrix.org> 3) Adding extraneous scopes risks budget exhaustion
17:53:23 <m-relay> <k​ayabanerve:matrix.org> 4) carrot is great yet extraneous
17:53:33 <m-relay> <k​ayabanerve:matrix.org> I have nothing beyond my already provided update.
17:54:54 <m-relay> <r​ucknium:monero.social> I took the 10 block lock off of the agenda for now. I posted the cleaned-up version of my double-spend attack success tables on the relevant MRL issue: https://github.com/monero-project/research-lab/issues/102#issuecomment-2402750881
17:55:43 <m-relay> <r​ucknium:monero.social> I think we can end the meeting here. Thanks everyone!
17:56:32 <m-relay> <s​yntheticbird:monero.social> Delicious meeting. Thanks
17:57:43 <m-relay> <j​effro256:monero.social> Thanks, everyone! Great input and feels great to make a decison finally
19:50:34 <m-relay> <r​ucknium:monero.social> The Dulmage-Mendelsohn decomposition results and analysis of p2p tx relay logs is at https://github.com/Rucknium/misc-research/blob/main/Monero-Black-Marble-Flood/pdf/monero-black-marble-flood.pdf . The new additions are page 14, lines 183-203 and pages 19-25, lines 310-434, figures 14-16, tables 1-2.
19:51:50 <m-relay> <r​ucknium:monero.social> The p2p tx logs analysis may be interesting to people who work with the p2p code (e.g. vtnerd and boog900 ). This was a case of making lemonade out of lemons since originally I wanted to use the logs submitted by community members (thank you!) to try to find the node origin of the spam. I changed the scope to producing a statistical profile of p2p transaction relay behavior under <clipped message
19:51:51 <m-relay> <r​ucknium:monero.social> normal conditions.
19:52:17 <m-relay> <r​ucknium:monero.social> Main findings: Total number of IP addresses in the p2p log data was about 13,600, which backs up the estimates of the number of nodes on the network from monero.fail/map . The average duration of a peer connection is 23 minutes, shorter than I would have expected. The probability that a node relays a transaction to two different peers at the same time is higher than what is expect<clipped message
19:52:17 <m-relay> <r​ucknium:monero.social> ed with the theoretical distribution.
22:25:50 <m-relay> <b​oog900:monero.social> Nice work!
22:25:51 <m-relay> <b​oog900:monero.social> Yeah I was wrong about the amount of time between rebroadcasts here are some actual timings: https://github.com/monero-project/monero/pull/8326 which follows the data. 
22:25:53 <m-relay> <b​oog900:monero.social> I had a quick look at the code and I couldn't see anything obvious for why the time between when a txs is sent drops so low after the 7th time
22:28:49 <m-relay> <b​oog900:monero.social> Do you know if there are still a lot of txs being sent every 2 to 4 minutes from the 2nd to 7th time, which aren't showing in the median?
22:42:08 <m-relay> <b​oog900:monero.social> > The probability that a node relays a transaction to two different peers at the same time is higher than what is expected with the theoretical distribution
22:42:09 <m-relay> <b​oog900:monero.social> If you have multiple Poisson-distributed independent random variables and took the smallest output out of all of them, the output would no longer be Poisson-distributed, right?
22:42:11 <m-relay> <b​oog900:monero.social> If you had multiple connections all with a tx waiting for their Poisson-distributed timer to fire, then the distribution of the time to receive the tx would be skewed downwards due to taking the smallest value from all the timers.
22:50:00 <m-relay> <b​oog900:monero.social> Just to be clear there I was talking about this from the last section of that paper:
22:50:01 <m-relay> <b​oog900:monero.social> > If a node is following the protocol, we should observe two data patterns when we compute
22:50:03 <m-relay> <b​oog900:monero.social> the difference between the arrival times of a transaction between two logging nodes. First, the differences
22:50:05 <m-relay> <b​oog900:monero.social> should usually be in quarter second intervals. Second, the difference should follow a Skellam distribution,
22:50:07 <m-relay> <b​oog900:monero.social> which is the distribution that describes the difference between two Poisson-distributed independent random
22:50:09 <m-relay> <b​oog900:monero.social> variables
22:55:18 <m-relay> <b​oog900:monero.social> If that did mean from the same origin node then ignore what I said.
23:47:55 <m-relay> <r​ucknium:monero.social> IMHO, it's misbehaving nodes. I looked at some of the raw log data and some nodes were just re-broadcasting every 2-4 minutes. I will make some histograms to show the full distribution at each re-broadcast iteration for you.
23:50:05 <m-relay> <r​ucknium:monero.social> Same origin node. Sorry that it wasn't clear. By chance, some of the listening nodes connected to the same node occasionally. So we could see what a node was doing on two of its connections.
23:52:45 <m-relay> <r​ucknium:monero.social> Maybe I should make a little diagram to show clearly the situation I was talking about.
23:58:49 <m-relay> <r​ucknium:monero.social> Do you know why connections last for about 23 minutes? Is there a timer in the code?