Closed Rucknium closed 5 months ago
Log:
< rucknium:monero.social > Meeting time!
< rucknium:monero.social > https://github.com/monero-project/meta/issues/1012
< rucknium:monero.social > 1) Greetings
< vtnerd:monero.social > Hi
< rbrunner > Hello
< sgp:monero.social > hello
< chaser:monero.social > hello
< jberman > waves
< hinto:monero.social > hi
< jeffro256:monero.social > howdy
< kayabanerve:matrix.org > 👋
< rucknium:monero.social > 2) Updates. What is everyone working on?
< rucknium:monero.social > me: Monitoring the high 1in/16out transaction volume. Finishing the draft of the cost-effectiveness analysis of different ring size and fee options to defend against black marble flooding.
< jeffro256:monero.social > me: I believe I found a way for a DLP solver to find view-balance key in Jamtis on Seraphis if they know the address index extensions for a public address and a linking tag spending an enote to that address https://gist.github.com/tevador/50160d160d24cfc6c52ae02eb3d17024?permalink_comment_id=5064990#gistcomment-5064990
< jberman > me: implemented growing an existing tree for fcmp's, currently making it cleaner, then implementing in the DB, then implementing trim
< kayabanerve:monero.social > Just audit management, and I noticed an improvement to the composition after submitted for review which is... blarg. ~5% penalty, can try to pick up late.
< kayabanerve:monero.social > *later
< vtnerd:monero.social > Me: still working on LWS remote scanning :/ taking longer than expected but I am making good progress
< rucknium:monero.social > 3) Potential measures against a black marble attack. https://github.com/monero-project/research-lab/issues/119
< rucknium:monero.social > I made a table. The volume of 1in/16outs is still high: https://gist.github.com/Rucknium/567fc52380acaf2991a2f1ad91a95b9e
< rucknium:monero.social > Transactions with 1 input and 8-16 outputs are producing about 45% of all outputs now. Seems suspicious.
< chaser:monero.social > perhaps our previous spammer is trying to sneak under the radar.
< rucknium:monero.social > I will give a preview of what my cost-effectiveness analysis is showing.
< rucknium:monero.social > Current ring size is 16. Current minimum fee/byte is 20 nanoneros/byte. The set of possible ring sizes that were considered was 11 to 60. The set of possible min fees that were considered was 20 to 400 nanonero/byte. Remember that cost-effectiveness is measured by summing the cost to users in tx fee and the cost to all node operators by storage costs, then dividing that sum by the effective ring size when a black marble flooder spends some specified budget on flooding transactions.
< rucknium:monero.social > Excerpt from the draft:
< rucknium:monero.social > > Consider an adversary with a daily budget of 12.5 XMR, five times higher than the daily expenditure of the suspected March 2024 black marble flooder. Table 2 says the most cost-effective combination of defense parameters is ring size 60 and minimum 60 nanonero per byte fee. Effective ring size would be 20.7 if the adversary spent its entire budget every day. The 2in/2out reference transaction with ring size 60 would be about 140% larger than the transaction with current ring size 16. The user's cost to send this transaction would be about 4 USD cents. The total time to verify all transactions in a block of normal transaction volume would increase from 0.5 seconds to 1.8 seconds. An unpruned node would grow 59 GB in a year instead of 25 GB. Pruned nodes would grow 14 GB instead of 8 GB.
< rucknium:monero.social > These are potential options that could be discussed for a hard fork before FCMP++
< rucknium:monero.social > You could consider implementing "Coinbase Consolidation Tx Type" https://github.com/monero-project/research-lab/issues/108
< rucknium:monero.social > That would reduce the amount of blockchain data because coinbase consolidations would not have the much larger rings. In the 60 ring member scenario, annual blockchain growth would be 2.7 GB less. This could also be important for P2Pool.
< rucknium:monero.social > If the ring size and/or fee/byte increases a lot, P2Pool mining may become uncompetitive compared to centralized pool mining, especially for the P2Pool mini chain. Consider the 10th percentile of multi-output coinbase outputs during February 2024: 0.000272 XMR. (10% of the likely P2Pool outputs are below this amount.) Right now, consolidating this P2Pool payout by adding an input to a transaction would cost the miner about 5% of the value of that output.
< rucknium:monero.social > With the ring size 60 and 60 nanoneros/byte scenario considered above, about 49% of the value of that output would be consumed by the cost to spend the output in a transaction's output. But if coinbase outputs only have to have ring size 1, then even paying 60 nanoneros/byte would cost the miner only 3.6% of the output's value when you spend it in a 1-ring-member input (the cost does not include the bytes contributed by outputs or other tx data.)
< sgp:monero.social > Would you support coinbase consolidation transaction types post FCMPs?
< rucknium:monero.social > The analysis is showing that increasing the ring size is more cost-effective than increasing fees, as a defense against black marble flooding. You could do a combination of a large ring size increase and a modest fee increase.
< rucknium:monero.social > I think koe didn't want to do a coinbase consolidation type because it adds technical debt. If it is only temporary, then the technical debt may be less. Anyway, if the FCMP++ tx types are expensive, especially the input part, then P2Pool would be less competitive compared to centralized pool mining.
< rucknium:monero.social > Or you would want to raise the minimum payout for P2Pool. That could negatively affect small miners.
< kayabanerve:matrix.org > I'm not against mitigating hard forks, at all, assuming proper spacing. cc jberman for an opinion on time till FCMP++ HF release announcement (code, audits, full PR, review, merged, release announced). I'd presume we'd need a few months spacing at the least for a mitigating hard fork to be worth it?
< sgp:monero.social > the argument against coinbase consolidation type has been complexity, yes. And relatively small benefit relative to that complexity
< kayabanerve:matrix.org > FCMPs can be made computationally expensive, not bandwidth expensive, quite nicely.
< kayabanerve:matrix.org > Something about 2 inputs doubling the size yet BPs only growing 64 bytes as they double.
< jberman > I think we're still on track for 16-18 months from now
< rucknium:monero.social > I mean "expensive" as how much it costs in tx fees to broadcast a FCMP++ tx. That's a function of min fee/byte and the size of the proof on the input side
< kayabanerve:matrix.org > when the hell did the track become 16-18 months 0_o
< jberman > code complete / full PR within 5-6 months still reasonable
< jberman > 1.5 years was initial estimate
< kayabanerve:matrix.org > discussion for later, for now we have context for a mitigating HF
< jberman > was it not?
< kayabanerve:matrix.org > Rucknium: Right. If we make it computationally expensive, not bandwidth expensive, it'd be cheap.
< jeffro256:monero.social > When do we get to the state in development when FCMP-RCT becomes perpetually "2 years away"™?
< kayabanerve:matrix.org > It's not 64 bytes an input cheap, it's... hmm. I actually don't know what it'd be off the top of my head. It may actually be comparable to a bit smaller CLSAG still due to the branch hashes not being so scalable :/
< sgp:monero.social > how much support is there for an immediate hardfork? I didn't realize people still wanted this
< kayabanerve:matrix.org > Let's assume additional inputs under FCMPs remain comparable to a bit-smaller CLSAG for now. I don't want to over promise.
< kayabanerve:matrix.org > jeffro256: when i'm dead and my ghost fails to haunt you back to work
< jberman > FCMP-RCT is moving forwards at expected pace or faster so far in my view
< kayabanerve:matrix.org > I'm not against one, especially if we're discussing 1.5y till FCMP++. It'd mean a year spacing.
< chaser:monero.social > sgp: not literally "immediate", but I do support it. the way the chain is right now, it's vulnerable to a black marble attack at any time.
< sgp:monero.social > I'm still a big fan of increasing fees to simultaneously 1) discourage micro-amount output spending in all cases, 2) make attacks more expensive, and 3) incur no on-chain cost to reduce the risk of an attack. Increasing the ringsize will help as well and should be considered, but the cost for each new decoy is pricey and adds bloat. Fees do not add bloat, and so long as transactions remain approximately 1 cent or less, users still have affordable transactions
< chaser:monero.social > then your and Rucknium's cost calculations use different models. right?
< rucknium:monero.social > The cost of the bloat is low. You can try alternative calculations on that :)
< rbrunner > Didn't Rucknium just carefully show that it's not pricey?
< kayabanerve:monero.social > ring size 40 ring size 40 ring size 40
< rbrunner > Maybe counterintuitive, but I trust Rucknium's math more than some gut feeling, frankly
< kayabanerve:matrix.org > (without explicitly endorsing any specific ring size, I would ask any HF include a fee bump)
< rucknium:monero.social > We can wait to discuss this more until next meeting, when the full methodological details will be posted. We have something, uh, expensive to approve now.
< rbrunner > Still not a fan of such a pre-FCMP hardfork. I am still not impressed what such a black marble attack is able to achieve, realistically.
< sgp:monero.social > Rucknium: did you share a copy of your draft?
< rucknium:monero.social > sgp_: No. The cost to node operators is a simple function of the retail cost of a 1TB SSD drive (about 1 XMR now), the additional storage needed, and the number of nodes on the network (20,000). Then I multiply that times 2 to adjust for unmeasured costs.
< kayabanerve:matrix.org > can we get to HDDs 🤔
< rucknium:monero.social > basically node operators pay about 20 nanoneros/byte in aggregate, which is the same as the fee right now. Interesting that the numbers line up like that.
< rucknium:monero.social > If the ring size increases a lot, HDDs will be really hard to sync.
< sgp:monero.social > ok, so you're using 20 nanonero/byte for the cost to the network for each added byte from a larger ringsize? And then you factor that in somehow versus the attacker paid cost for on-chain fees?
< rucknium:monero.social > the 20,000 nodes estimate is from monero.fail. Probably some of those nodes are not "real", so the true amount of aggregate storage required is lower
< kayabanerve:monero.social > FCMPs change it quite a bit and was my thought Rucknium
< rucknium:monero.social > Given some budget per day, an attacker can reduce effective ring size to some level because they produce a certain share of all outputs on the chain.
< rucknium:monero.social > The attacker's budget is not "added" to the cost in the cost effectiveness analysis since we are considering "Alice's" decisions. Alice considers the cost to node storage and to real users who send txs.
< rucknium:monero.social > 4) Research Pre-Seraphis Full-Chain Membership Proofs ( https://www.getmonero.org/2024/04/27/fcmps.html ). Eagen Review Quotes ( https://gist.github.com/kayabaNerve/7b3572e633ace8aca6e4b27e09acd9d0 )
< rucknium:monero.social > kayabanerve: Do you want to introduce these quotes?
< kayabanerve:matrix.org > Sure.
< kayabanerve:matrix.org > We have a list of quotes from a list of auditors, many familiar to Monero, some not prior contracted AFAIK
< kayabanerve:matrix.org > We believe this is an exhaustive and fair view of the field. With that, one candidate believed competent stood out on price, Veridise.
< kayabanerve:matrix.org > Due to this, despite some questions over if the timeline truly could be so short (resolved by our belief of competence), that is our endorsement.
< kayabanerve:matrix.org > I believe the request here is 10k to MAGIC.
< rucknium:monero.social > Of the list, only Veridise and Goodell offered to attempt a mathematical proof or disproof, correct?
< rucknium:monero.social > (IIRC, Goodell was contributing as Surae Noether with MRL for years.)
< kayabanerve:matrix.org > Please note other firms were anonymized in the most recent revision by request of someone helping facilitate solicitation, in order to not aggravate the firms.
< kayabanerve:matrix.org > The names of the recommendation, Cypher Stack (currently occupied on another task), and JP Aumasson (who did not submit a quote, yet I wanted to note we contacted) were left transparent as they should be sufficient. Please let me know if that's contested.
< kayabanerve:matrix.org > *The request is 10k USD to MAGIC for the reasons noted in the gist. The Veridise audit is not XMR denominated and MAGIC will handle the value preservation and non-XMR payouts.
< kayabanerve:matrix.org > cc sgp_ for any other MAGIC commentary.
< kayabanerve:matrix.org > Correct. Not all groups were asked, as that discussion was a result of my scoping with CS. Aaron believed review made more sense than attempting to fill in the proof in my document, and so submitted a SoW for just review. Goodell had the choice of which, and was told to submit two quotes with their opinions or one their recommendation, and did the proof. Veridise similarly stepped up.
< rucknium:monero.social > On Veridise, do you know what is their intended proof technique? Will it use https://github.com/Veridise/Picus ?
< sgp:monero.social > From my side: I'm confident that we have pooled a broad number of competent candidates, and the Veridise amount is easily justifiable for having them serve as the first reviewer
< rbrunner > Could it be that Veridise already reviewed this or something quite similar for somebody else?
< kayabanerve:matrix.org > No. We're not discussing formal verification yet a traditional proof.
< kayabanerve:matrix.org > Veridise's talent in formal verification is why I originally noted them, and they are a shoo-in by experience for future efforts if we find them amenable and want to outsource performing formal verification.
< kayabanerve:matrix.org > rbrunner: Not impossible yet I'd doubt it. Their researcher has multiple credits to their name, and they all seemed to be on finite fields.
< kayabanerve:matrix.org > My belief is they truly are just very familiar with the field
< kayabanerve:matrix.org > (I'm here every Wednesday, 5pm UTC folks)
< aaron:cypherstack.com > T__T
< kayabanerve:matrix.org > Jokes aside, they may also have independent interest as it does have wider applicability
< rbrunner > So we may be lucky
< kayabanerve:matrix.org > But I doubt they are reselling prior done work
< chaser:monero.social > do non-XMR-accepting candidates accept other cryptos?
< rbrunner > I think the general fund must have some BTC left ...
< reuben:firo.org > kayabanerve: just a note I spoke to Mikerah from Hashcloak on this who was surprised on the number of hours estimated by Veridise which seemed pretty low for the scope.
< kayabanerve:matrix.org > Some USDC, USDT.
< reuben:firo.org > This is of course her opinion but thought it was worth bringing up esp since Hashcloak isn't in the running
< kayabanerve:matrix.org > Agreed. I explicitly asked and they believe it feasible. I'm willing to move forward with them. If they request an extension, we'd need to review progress first.
< kayabanerve:matrix.org > $4,000 is only upon result which is positive.
< chaser:monero.social > does Veridise accept non-XMR crypto?
< kayabanerve:matrix.org > Bahhhhh I should've asked them
< rucknium:monero.social > 4K USD for a disproof too, right?
< reuben:firo.org > I mean the amount is low enough that I think it's okay to do it and see how they go
< kayabanerve:matrix.org > That would count as a result.
< kayabanerve:matrix.org > chaser: USDC, USDT.
< chaser:monero.social > then why do we need Magic for the payout?
< kayabanerve:matrix.org > The contradiction would be with the math itself, not my specification (so a bug in the gadget would not auto-trigger that).
< kayabanerve:matrix.org > Sorry, is the general fund actively willing to acquire and hold 10k USDC/USDT over the next month and a half, and can it facilitate payout of said USDC/USDT within 1 week?
< kayabanerve:matrix.org > Also, if a contract is posited, will a member of the general fund sign?
< rucknium:monero.social > kayabanerve: I assume that you want this expense approved at this meeting. Am I correct?
< rbrunner > I think along the same lines as reuben: With a payment so low, we can just try and see how it goes
< kayabanerve:matrix.org > Yes
< kayabanerve:matrix.org > The point of this earmarked fund is for expediency.
< kayabanerve:matrix.org > We do need jberman to confirm their endorsement.
< jberman > Confirmed. I was also surprised Veridise price quote was low and time to complete was low. They seem qualified and the specific researcher they intend to assign to the task seems qualified as well. Risk-reward they seem a clear yes to me
< kayabanerve:matrix.org > I'll also note the two days review given (gist only available today) was suboptimal. I made it when we received the final quote, and the gist delay was my own personal issues. I'd hope to at least offer 2 days, yet 3-4, in the future.
< rucknium:monero.social > I see a proposal from kayabanerve to award a contract to Veridise to review and possibly prove what is specified here: https://gist.github.com/kayabaNerve/7b3572e633ace8aca6e4b27e09acd9d0
< kayabanerve:matrix.org > I'd also note the days will always be <7 as if it was >7, I'd ask for it to be signed off on in the prior meeting.
< rucknium:monero.social > Are there objections to this expense? More support?
< chaser:monero.social > kayaba: okay, my bad. I see why it goes through Magic.
< rucknium:monero.social > IMHO kayabanerve 's proposal is reasonable.
< kayabanerve:matrix.org > chaser: Fair questions, not your bad.
< sgp:monero.social > fwiw, I want to stress that MAGIC isn't charging a fee for this
< kayabanerve:matrix.org > I said "Sorry,", because when you legitimately asked why not GF after I said USD*, I thought there may be precedent I was unaware of
< rucknium:monero.social > I should say that kayabanerve and I are on the MAGIC Monero Fund's committee. I don't think there are any significant conflicts of interest involved.
< rucknium:monero.social > AFAIK some previous audit/review payments to firms that don't accept payment in XMR were handled by binaryFate's Digital Renegades firm.
< jeffro256:monero.social > Sorry maybe it was already mentioned, but why were the other auditor options' names redacted? Also, IIRC, I thought that Cypherstack previously claimed that they were unable to perform the review
< chaser:monero.social > Rucknium: sounds good to me as long as there are no good XMR->* pathways
< sgp:monero.social > I was the one who asked for them to be "redacted" just in case the vendors didn't want their quotes to be so openly discussed with their names attached. Some firms are more conservative about that than others
< jeffro256:monero.social > Typically an auditor's value is related to their reputation, which might make comparing options difficult if the options are hidden
< kayabanerve:monero.social > Sorry. I sent messages from matrix.org which aren't populating
< kayabanerve:monero.social > Please stay with me a moment
< kayabanerve:monero.social > If it doesn't, I'll dup them
< rucknium:monero.social > I hope it is ok for me to say that the info is already in the online log: https://libera.monerologs.net/monero-research-lab/20240521
< sgp:monero.social > gist -> revisions
< kayabanerve:matrix.org > I'd expect this to be through MAGIC, not the committee.
< kayabanerve:matrix.org > It was requested by a person helping with solicitation to not aggravate the auditors.
< kayabanerve:matrix.org > It also isn't deemed relevant enough to be necessary.
< kayabanerve:matrix.org > I followed back up with Cypher Stack and we did work out a proper understanding, hence their submission of a quote.
< kayabanerve:matrix.org > jeffro256: Agreed there. Eagen was not a candidate (the author of the work). There were notable firms, yet CS is presumably of equivalent respect to the community and was tens of thousands of dollars cheaper. Accordingly, a notable firm would presumably be disqualified on price.
< jeffro256:monero.social > Makes sense, but it would be nice to try to attach names to quotes for those who give explicit permission from each firm, if it hasn't already been tried
< kayabanerve:matrix.org > If anyone wants to contest the reasoning there, feel free to.
< kayabanerve:monero.social > I'll try to make it a Q we ask in the future.
< sgp:monero.social > I can definitely share the names as relevant with anyone who is interested, I just don't want a public record in case the companies are sensitive about their quotes. That's all :) Hopefully that makes sense
< kayabanerve:monero.social > boog900
< kayabanerve:monero.social > > yeah sounds simple enough, we can do this now.
< kayabanerve:monero.social > >
< kayabanerve:monero.social > > Another idea, instead of a migration for monerod, is to change the LMDB comparison function for that table to just ignore the last bit. I would still lean towards migration being a better idea but thought I'd put this out there as a way to avoid one.
< rucknium:monero.social > kayabanerve: Sorry about the homeserver issues. You have copy-pasted the wrong message I think.
< kayabanerve:matrix.org > I did not
< kayabanerve:matrix.org > That is an unrelated note on impl boog900 posted in Cuprate, and I wanted to note here
< kayabanerve:matrix.org > Sorry for jumping topics as such. I just saw they said they couldn't join and I should quote them, so I quoted them without thinking of waiting to do so. That's my bad
< kayabanerve:matrix.org > (though we are wrapping up the prior topic)
< kayabanerve:matrix.org > Anyone have explicit objections/belief another option is clearly better?
< kayabanerve:matrix.org > Or want to further support Veridise?
< rucknium:monero.social > jeffro256: Did you have more comments about the proposal?
< sgp:monero.social > we're not getting a competent review for under $10k from anyone else
< jeffro256:monero.social > Just noting that it's hard to compare options without names, so my opinion is inconclusive. It does appear on the surface that Veridise is competent though. I would just hope we avoid falling prey to underbidding
< sgp:monero.social > jeffro256: let me DM you the names of all
< chaser:monero.social > Rucknium already linked the chat logs
< kayabanerve:matrix.org > Or again, revision history, IRC log
< jeffro256:monero.social > Ah I see
< sgp:monero.social > anyone else who wants the list do that or DM me, it's not meant to be a secret
< aaron:cypherstack.com > I obviously have a conflict of interest but am following along with interest
< aaron:cypherstack.com > (my company submitted a quote)
< jeffro256:monero.social > I wonder if Veridise is up to tackling the more academic math side, since their audits seem to mostly consist of reviewing smart contracts, ZK circuit implementations, etc
< rucknium:monero.social > jeffro256: I had the same thought. That's why I asked if they were going to use https://github.com/Veridise/Picus . kayabanerve said that they wouldn't. They would do a traditional mathematics proof for the proof attempt.
< kayabanerve:monero.social > Their researcher, again, has a history of academic works around finite fields.
< aaron:cypherstack.com > Are you allowed to say who this researcher is?
< kayabanerve:monero.social > It was this history which convinced us of their competency.
< rucknium:monero.social > Computer-assisted proofs are legitimate proofs, of course, but it could be harder to get an independent review of a computer-assisted proof. But Veridise are not doing that, anyway.
< kayabanerve:monero.social > Alp Bassa
< kayabanerve:monero.social > Other researchers at Veridise do appear on various preprints
< basses:matrix.org > Pretty sure tools like that are hell of false positives
< jeffro256:monero.social > Will do more research, but I don't have any objections so far. Thanks for all the info
< plowsof > Rucknium , iirc binaryFate handled the BP++ peer review payments personally at his own cost
< rucknium:monero.social > I don't know much about computer-assisted proofs except they were famously used in the first proof of the four colour theorem :)
< rucknium:monero.social > IMHO, there is rough consensus for kayabanerve 's proposal to award review work to Veridise: https://gist.github.com/kayabaNerve/7b3572e633ace8aca6e4b27e09acd9d0
< rucknium:monero.social > More agenda items?
< rucknium:monero.social > We didn't hear from tevador about the Eagen review, but it was posted in this channel in advance of the meeting.
< tevador > Sorry, what did I miss?
< rucknium:monero.social > Maybe we should have name pinged you
< rucknium:monero.social > kayabanerve wants to have Veridise review some things specified here: https://gist.github.com/kayabaNerve/7b3572e633ace8aca6e4b27e09acd9d0
< tevador > Btw, I had some comments about black marble attacks, posted my thoughts in the github issue.
< rucknium:monero.social > Thank you!
< tevador > FWIW, the Veridise quote is clearly the best option, if they can deliver.
< rucknium:monero.social > Thank you for your input :)
< chaser:monero.social > said comment: https://github.com/monero-project/research-lab/issues/119#issuecomment-2125473270
< rucknium:monero.social > I asked for more agenda items and didn't hear anything, so we can end the meeting here. Thanks everyone.
< tevador > For comparison, the most costly RandomX audit was 53K (5 years ago) and the scope was much larger (the specs + the whole implementation). I find most of the quotes rather high for the divisors.
< kayabanerve:monero.social > Eh, it is highly skilled labor.
< tevador > Regardless of the hourly rate, 150 hours is a bit too much IMO.
Location: Libera.chat, #monero-research-lab | Matrix
Join the Monero Matrix server if you don't already have a Matrix account.
Time: 17:00 UTC Check in your timezone
Main discussion topics:
Greetings
Updates. What is everyone working on?
Potential measures against a black marble attack.
Research Pre-Seraphis Full-Chain Membership Proofs. Eagen Review Quotes.
Any other business
Confirm next meeting agenda
Please comment on GitHub in advance of the meeting if you would like to propose an agenda item.
Logs will be posted here after the meeting.
Meeting chairperson: Rucknium
Previous meeting agenda/logs:
1007