05:49:17 "With all due respect" as they use to say in movies: 1 week is ridiculous if you ask me. Frankly, right now I have a hard time to not take this as an insult to Cypher Stack's researchers who must have sunk weeks of hard (and competent) work into this, without any breakthrough yet, as I understand. Either the zkSecurity people know about these efforts, in which case I really cannot understand why they are not more careful estimating required work, or the zkSecurity people did not inform themselves yet about what Cypher Stack did exactly already, in which case I claim they are not yet prepared enough to offer a quote. Take your pick ...
06:41:07 image.png
06:41:25 guess we have to get out the night vision goggles
08:34:33 does it matter how long they think it will take though? surely the confirmed/stated deliverable and the price are the important bits?
09:04:03 Listening to the reports from Cypher Stack, this could well take a full month or even two instead of merely 1 week. Do we trust that their "pro bono" assurance still holds after they enter, say, work week 8, as an extreme? Or do we insist they have a better look at the situation first, or at least give a credible explanation why they think they can do it in a mere week?
09:37:57 a working week so 5 (five) days :) but "Should the effort take longer, due to unforeseen complexities, we commit to providing these additional hours pro-bono until the goal of the engagement is met." i'll just say this is open to interpretation
10:44:19 > or at least give a credible explanation why they think they can do it in a mere week? << yeah maybe this is the best solution
10:46:21 though perhaps easier for them just to change the 1 to an 8.
11:21:25 Anyway, the information from sgp_ is quite short: "MAGIC Grants solicited this quote". I don't know what they told zkSecurity. Maybe they should have told "Careful, Cypher Stack is wrestling with that dragon for weeks, warriors came back full of wounds and covered in blood before going back to battle, and the dragon might finally win".
12:18:47 I provided the full context. They seem to have a specific plan in mind for the quotes time to be one week. I can confirm this but I also don't want to negotiate against ourselves
12:54:34 Fair enough. I am looking forward to what kayabanerve will say. His opinion will be interesting.
17:41:28 Honestly, I'd say go for it. They may have an insight we don't. Improbable, but possible.
17:43:30 And a week's worth of work we can see their conclusions pretty quick.
17:47:16 Honestly, Power Up Privacy would also help partially fund this.
17:49:24 Also $50k for one week's worth of work?
17:49:31 I need to astronomically raise my prices.
17:49:47 audit multithreading
17:49:57 dispatching 1 week of audit to 100 auditors
17:50:08 100x price
17:50:26 maf Ematiks
18:02:57 And indefinite pro-bono overtime until it's done? Best of luck to them...
18:03:12 It's a fixed price, not variable rate
18:05:00 I emphasized very clearly that I _didn't_ want their deliverable to be them saying there was this one issue or potential issue and then leave it at that; they need to thoroughly address the issues, pick a totally different approach and support that, or suggest a better approach with supporting evidence
18:06:11 There's always a risk with fixed rate contracts that quality can suffer, but them skimping on that will harm their reputation, so that helps counterbalance that risk
18:07:16 Sorry Rucknium: , I didn't see your request yesterday. I'm here now
18:07:43 I emphasized very clearly that I _didn't_ want their deliverable to be them saying there was this one issue or potential issue and then leave it at that; they need to thoroughly address the issues, pick a totally different approach and support that, or suggest a modification with supporting evidence (proof that method works and is compatible with Monero's use-case)
18:07:49 And MRL is tomorrow. I can try to be there 👍
18:10:45 I truly am not being catty in the slightest. I want FCMPs live. Anything that can help make it so, let's do it.
18:12:17 Yeah ik, and I hope you aren't mad at me for getting a third quote. I know your team tried hard at this (and is still trying)
18:13:03 Some problems are just hard and need teamwork
18:13:08 Zero negativity from me
18:13:35 Just buy me a pizza and we're square
18:14:04 square pizza or circular?
18:14:20 hexagonal
18:14:23 obviously
18:14:55 An elliptic curve shaped one
18:16:30 But fr, im not mad. The sooner divisors is done the sooner CS can move to post quantum stuff and other things.
18:16:51 Yeah there is a ton of work
18:19:33 kayabanerve: Thanks. As you are co-chair of the FCMP research CCS, and this zkSecurity quote could be funded from that, it would be great to have your viewpoint.
18:41:21 Are there already payment modalities proposed, i.e. when to pay? First half in advance, second half after success, something like that?
18:48:33 It doesn't currently say
18:49:20 I can ask for 50-50
19:00:44 zkSecurity is underestimating, has lower standards, see something not prior seen, or truly just have a domain expert. I'll note the divisors technique, without proofs, has been incorporated into a major paper by cryptographers who presumably believe it tracks. Obviously, the issue is the security proofs, but as zkSecurity's estimate is non-binding, payment is an acceptable flat rate, and the seemingly worst case is we get another set of security proofs CS still doesn't find up to standards, I'm in favor.
19:10:40 kayabanerve: Which major paper is that? I can't find any citations of it except in Eagen's own papers and a Cypher Stack paper.
19:11:26 https://eprint.iacr.org/2024/397
19:12:41 The zkSecurity quote states the two researchers they intend to have working on it: Mathias Hall-Andersen and Diego Aranha. Maybe someone could look at their research areas to see if they would have a head-start on the divisor proof(s).
19:28:52 https://dfaranha.github.io/
19:28:53 https://rot256.dev/
19:29:01 great websites
19:38:53 Mathias Hall-Andersen is a co-author of curve trees: https://eprint.iacr.org/2022/756
19:50:39 I like that his name is Diego
19:50:41 Approved
20:19:55 <321bob321:monero.social> Question this the third audit on the same thing ? What's wrong with the first two ?
20:24:39 If the first is Bassa's (Veridise) and the second is Cypher Stack's, then the second review judged that the first review was insufficient. The second review is ongoing https://moneroresearch.info/268
20:24:40 > Even after Bassa’s clarifications in [Bas24c], [Bas24a], and [Bas24b], there still still seems to be some mistakes related to calculus and the application of the Schwartz-Zippel lemma. Specifically, the verification equations may have terms excluded which have no impact on correctness but do impact soundness. These mistakes seem to be restricted to generalizations over higher multiplicities, and they seem to be correctable. Nevertheless, such mistakes would not be caught by typical correctness tests, and fixing them will require a nontrivial amount of work.
21:40:13 <321bob321:monero.social> I'd go back to the first and give them the feedback and make them redo
21:40:14 AFAIK, these firms always attach a disclaimer saying if anything is wrong, there is no liability.
21:40:16 zkSecurity was willing to do a formalization of Seraphis, back when that was still being considered. More details can be found by searching in this chat room.
21:40:18 https://libera.monerologs.net/monero-research-lab/20230927
21:40:20 https://libera.monerologs.net/monero-research-lab/20231018
21:40:22 <321bob321:monero.social> I dont think its a liability thing, but it will affect their image. “Dont use ___ they got their work wrong”
21:40:24 <321bob321:monero.social> Like from now on would you reuse them on the rest of the audits ?
21:40:26 We raised the concerns with Veridise and they declined to make modifications (they felt their documents were acceptable/sufficient), which is another reason why the third reviewer could be helpful
21:41:30 My opinion is that if the budget allows, it's worth getting this review. If this results in Monero feeling comfortable using divisors, then that saves a _lot_ of performance _and_ money (no further reviews of other things that need to be modified). If a critical issue is found, then we know to move on. If for some reason this still stalls, then that's probably also an indicator to
21:41:32 move on, for a relatively low cost relative to the total research budget. And we can make sure that this "stall" risk is as mitigated as possible (you can see with the current SoW that a lot of protective language is already included)
21:42:26 The counterargument is that if this is expected to fail anyway, we should stop lighting money on fire and cut our losses
21:43:37 doesn't the SoW sort of guarantee that it won't fail? ie., they are saying they will provide the modifications to ensure it works (or am i missing something?)
21:44:05 (maybe i should read the fineprint)
21:44:19 Right, but in practice that doesn't guarantee infinite work on this
21:44:48 well, say we'll pay on delivery and it will be fine? or something like 20/80
21:45:00 IMHO, it would be good for that statement to have guardrails, i.e. it shouldn't result in something that has worse verification performance than non-divisor FCMP txs.
21:45:19 ^ oh yeah, that's smarter
21:45:41 Sure, I can put something about the modifications not being X% worse. Idk how that would exactly materialize but I can play with some wordings
21:48:11 By meeting time, it would be good to have an estimate of how much XMR is left in the FCMP research budget and how much is expected to be expended by the remaining non-divisor work.
21:52:44 Diego Salazar: can you remind me what your current, unpaid research CCS invoice balances are, if any?
21:55:13 70 XMR?
21:55:14 Let me double check.
21:56:52 Yeah its 70.
21:56:59 Which was nowhere near enough, but no matter.
21:57:16 Is that in addition to this one? https://repo.getmonero.org/monero-project/ccs-proposals/-/merge_requests/449#note_29312
22:03:26 If the only unpaid invoice is 70 XMR, then I believe there is 1002 XMR left
22:03:31 (after the 70 is paid)