-
CjS77
I did some reading following the discussion around securing the escrow keys for KES in Grease. I realised that what we really want is a cryptography-backed equivalent of TEEs -- essentially allowing a smart contract to generate and store a secret that no external observer can know, but that is still common to all instances of that smart contract. Such a construct would open up a lot of use cases and reduce or even eliminate the need for complicated BFT- + game-theory-based systems. This concept is apparently called "Indistinguishability Obfuscation (iO)". Can anyone here confirm that iO would provide this magical property? And is there any ongoing research into this field within the MRL?
-
CjS77
From what I can tell, the Ethereum Foundation has put some resources behind iO research. It's still a long way from being practical, and someone has already proved that a general "black box" system is impossible, thus any iO constructions would necessarily be application-specific. However, just being able to generate and store a random 256-bit number would be sufficient to unlock a lot of possibilities -- if I understand iO correctly.
-
br-m
<kayabanerve:matrix.org> CjS77: Not to be rude, but that's a joke.
-
br-m
<kayabanerve:matrix.org> You're asking how to slice a tomato and then asking if anyone's researched an atomic bomb to that purpose.
-
br-m
<kayabanerve:matrix.org> iO is a largely theoretical cryptographic idea that can build anything/everything because it allows executing an unknown program and only yielding the result if correctly executed.
-
br-m
<kayabanerve:matrix.org> Current schemes either compile down through Functional Encryption, except maybe one which is directly instantiated? But we'd be talking about days even for basic programs.
-
br-m
<kayabanerve:matrix.org> It also isn't a solution here afaict due to the issues around context.
-
br-m
<kayabanerve:matrix.org> Like, even if you had the holy grail, it still wouldn't work.
-
br-m
<kayabanerve:matrix.org> The reason it wouldn't work is because you can omit information when you invoke it. You can claim the channel was never used, the time has passed, and you want your money back.
-
br-m
<kayabanerve:matrix.org> Even if you have to provide a Monero blockchain that asserts that, you can just provide a low-work altchain to such a claim. You can't prove you have the _best_ Monero blockchain.
-
br-m
<kayabanerve:matrix.org> > In this paper we have presented a non-trivial upper bound on the size and performance of the obfuscated versions of small circuits. To give an idea about the practicality of this construction, consider a 2-bit multiplication circuit. It requires 4 inputs and between 1 and 8 AND gates for each of its 4 output bits.
-
br-m
<kayabanerve:matrix.org> An obfuscation would be generated in about 10^27 years on a 2.6 GHz CPU and would require 20 Zettabytes of memory for m = 1 and p = 10^49. Executing this circuit on the same CPU would take 1.3 × 10^8 years. This clearly indicates that for the time being the candidate construction is highly unpractical.
-
br-m
<kayabanerve:matrix.org> To be fair, this is from one of the first proposed schemes (about a decade ago), but no, we aren't at a point we can consider more than very small toy programs even with incredible hardware.
-
br-m
<kayabanerve:matrix.org> I think there may be someone with an impl claiming like, 100 bit operations?
-
br-m
<kayabanerve:matrix.org> So even for the minimal form of iO, where it doesn't verify a program, just a constant-time, constant-size proof of a program (like a Groth16), we're still... Fifteen orders of magnitude away?
-
CjS77
I'm asking in good faith, seriously. I don't know why everything seems like a joke to you. And I'm aware that iO is impractical today. I'm also aware that progress is being made, as progress has been in other fields that seemed impossible 10 years ago. And breakthroughs happen. I don't follow your argument: You use a channel, but you make a claim to the KES that the channel was never used... ok, but your counterparty has at least one signature showing that it has been used. It sounds like you're saying less something about iO but rather that there's a fundamental flaw in MoNet / Grease?
-
br-m
<rbrunner7> CjS77: I think you can relax; @kayabanerve:matrix.org is also answering in good faith, and most probably not mocking you. It takes a bit to get used to his brutally direct communication style, but it's worth it. I think you call this in English "not mince your words".
-
br-m
<kayabanerve:matrix.org> I didn't think you were asking in bad faith. I think you were asking about something fifteen orders of magnitude away where if that's the solution for a KES, it's better as a comment there isn't a solution. I also tried to include commentary on exactly how slow it was and why it probably still wouldn't be a solution in order to provide educational value.
-
br-m
<kayabanerve:matrix.org> If I did want to be blunt, and unhelpful, I would've said that idea is a failure and not elaborated at all.
-
br-m
<kayabanerve:matrix.org> I do apologize if, while being blunt (though IMO legitimately answering your question about whether iO would work), I came off as rude.
-
br-m
<kayabanerve:matrix.org> I also do know you said it was impractical when it opened, I just wanted to be absolutely clear about how far off it was.
-
br-m
<kayabanerve:matrix.org> The issue with iO, as I'd immediately assume but I could be wrong about, is that the key should favor one party, no?
-
br-m
<kayabanerve:matrix.org> Alice and Bob should be able to claim the key, or at least a signature from it, according to their claims?
-
br-m
<kayabanerve:matrix.org> IIRC, the Key Escrow service wasn't just a time vault and did have to weigh in on the validity of claims for one of the two parties. I apologize if that was a misunderstanding.
-
br-m
<kayabanerve:matrix.org> If both parties are supposed to present evidence, and the KES is supposed to weigh _both_ parties' evidence, the issue with proposing iO is how either party may independently approach the iO box and claim almost whatever they want, and simply say the other party is unresponsive and won't submit any evidence.
-
br-m
<kayabanerve:matrix.org> The iO box isn't a single box both people submit data to, for it to compare. It's a box copied and given to each participant, for them to query however.
-
br-m
<kayabanerve:matrix.org> Revisiting my thoughts on MoNet, and unidirectional payment channels from Alice -> Bob, the presumable case is Bob can close the channel at any time, or Alice needs to be able to force close it after some amount of time has passed?
-
br-m
<kayabanerve:matrix.org> In that case, the iO box has to evaluate time, when again, the fundamental issue is the iO box only has the context it's presented and anyone can present it any context.
-
br-m
<kayabanerve:matrix.org> You would need a way to cryptographically verify a timestamp, like by using an NTP server which authenticates its timestamps (I'm unsure if/when NTP does that), to use a finalized Ethereum block header, or for a completely decentralized structure, you could use a Proof of Work challenge? Except then we're effectively just back [... too long, see mrelay.p2pool.observer/e/vOrPyv0KVHBCNzd3 ]
-
br-m
<kayabanerve:matrix.org> But iO to verify a timestamp from Ethereum actually may work in theory, if not for being 30-50 years away, and my initial concerns about context may have been wrong, sorry.
-
br-m
<kayabanerve:matrix.org> If your proposed use has the iO box be fed 'the' Monero blockchain, my original concern is proven correctly stated though.
-
br-m
<kayabanerve:matrix.org> ... I guess the best way to say it is that anyone who sees the iO box may perform an eclipse attack against it.
-
br-m
<kayabanerve:matrix.org> *can present it any context
-
br-m
<kayabanerve:matrix.org> Also, I apologize if I overuse the phrase "that's a joke" or similar. I don't mean to call you a clown (the rudest interpretation I can think of), solely to point out the proposal is so absurd it isn't worth serious consideration, though it may be fun to discuss due to all the things it could be some decades from now. I apologize again if I insulted you and truly mean it would've been accidental.