monero-project / meta

A Meta Repository for General Monero Project Matters

Monero Research Lab Meeting - Wed 19 June 2024, 17:00 UTC #1025

Closed Rucknium closed 2 months ago

Rucknium commented 2 months ago

Location: Libera.chat, #monero-research-lab | Matrix

Join the Monero Matrix server if you don't already have a Matrix account.

Time: 17:00 UTC Check in your timezone

Main discussion topics:

  1. Greetings

  2. Updates. What is everyone working on?

  3. Stress testing monerod

  4. Potential measures against a black marble attack.

  5. Research Pre-Seraphis Full-Chain Membership Proofs.

  6. Any other business

  7. Confirm next meeting agenda

Please comment on GitHub in advance of the meeting if you would like to propose an agenda item.

Logs will be posted here after the meeting.

Meeting chairperson: Rucknium

Previous meeting agenda/logs:

#1022

Rucknium commented 2 months ago

Logs

< r​ucknium:monero.social > Meeting time! https://github.com/monero-project/meta/issues/1025

< r​ucknium:monero.social > 1) Greetings

< isthmus > Heya

< rbrunner > Hello

< k​ayabanerve:monero.social > 👋

< vtnerd > hi

< r​ucknium:monero.social > 2) Updates. What is everyone working on?

< spackle > hi

< isthmus > I did some more work on/with my library for detecting a particular anomaly created by some non-wallet2 codebase that caches decoys and reuses them (across hundreds or thousands of transactions) https://pypi.org/project/ringxor/

< rucknium:monero.social > me: Mostly Stressnet things. I wrote a Shiny app to collect and display stressnet data at https://monitor.stressnet.net/ . Set up a stressnet explorer at https://explorer.stressnet.net/ . Wrote a transaction spamming script ( + tested jeffro256's new feature to make "outputs pay for fees" in a tx).

< jberman > me: continued the fcmp trim_tree algo implementation

< k​ayabanerve:matrix.org > I presented at Monerokon and have an update on Veridise.

< rbrunner > Hmm, that stressnet explorer gives me "502 Bad Gateway" right now. Already spammed to death? :)

< r​ucknium:monero.social > 3) Stress testing monerod https://github.com/monero-project/monero/issues/9348

< spackle > testing is in progress

< vtnerd > I finished stress testing LWS remote scanning. Everything looked as expected except for one outstanding bug report (unrelated to remote scanning). Still waiting to hear back on that

< rucknium:monero.social > The node died earlier. Maybe the explorer is dead too. `xmrblocks` uses more RAM and CPU than I expected.

< vtnerd > also working on updating the serialization code again, will probably reduce the one PR a bit so that hopefully some more reviews (other than jeffro, thanks!) will come in

< e​msczkp:matrix.org > Hi everyone, I hope my message gets through. I'm Emanuele Ph.D, I worked on the implementation of the compressed sigma-ipa and compared it with bp ipa

< r​ucknium:monero.social > We already got reliable reproduction of out-of-memory error when a stressnet node has lots of connections: https://github.com/monero-project/monero/issues/9348#issuecomment-2170629015

< r​ucknium:monero.social > By boog900

< r​ucknium:monero.social > emsczkp: Hi! Do you want to bring up a topic at this meeting again? More discussion from you is welcome :) Maybe you can discuss at the FCMP agenda item

< r​ucknium:monero.social > Any Monero protocol developers who want to test performance patches can sync a node to stressnet. It's a good time now to test. AFAIK we want to run stressnet for about two months. Discussion happens in #monero-stressnet:monero.social and ##monero-stressnet on IRC

< 0​xfffc:monero.social > ( hi )

< emsczkp:matrix.org > thank you rucknium, I'll discuss at point FCMP

< rbrunner > Is the traffic on stressnet now "at maximum" already?

< r​ucknium:monero.social > No. I don't know where the maximum will be, but spackle is still sending out txs

< rbrunner > Or are there plans to make happenings like "Now we all spam together"?

< rbrunner > Alright, will follow the Matrix room to learn more!

< r​ucknium:monero.social > AFAIK, the spam timing will be loosely coordinated. Probably spackle can spam enough all by himself, but others can add more.

< rbrunner > Don't want to complain, but a single source of transactions is probably ... not very typical :) Except if we have a spam wave, that is

< r​ucknium:monero.social > That is true. I have 50,000 outputs ready to go into a spamming cycle. That would be about 75MB of txs in the txpool. The stressnet spamming started about two hours ago. I think we will see how things go and adjust.

< r​ucknium:monero.social > 4) Potential measures against a black marble attack https://github.com/monero-project/research-lab/issues/119

< r​ucknium:monero.social > I don't really have anything to add to this agenda item right now. I think I will have the update that gives Alice a budget constraint by next meeting.

< r​ucknium:monero.social > 5) Research Pre-Seraphis Full-Chain Membership Proofs. https://www.getmonero.org/2024/04/27/fcmps.html

< r​ucknium:monero.social > kayabanerve: , emsczkp

< k​ayabanerve:monero.social > Veridise has completed a proof of the divisor technique. Their proof does force modifications to my R1CS gadget yet nothing notable here. I hope to, by next meeting, have a quote for the review of the proofs.

< a​aron:cypherstack.com > Is this publicly available?

< r​ucknium:monero.social > Fantastic!

< k​ayabanerve:monero.social > Review of the R1CS gadget, as a specification, may or may not fit into the allocated hours. It may require an extension, say +5h (of 24h allocated) which would incur a further cost.

< k​ayabanerve:monero.social > The R1CS gadget, which needs updates, accordingly may be done on a distinct contract OR the work there will continue next week on the current SoW, once I do my updates. We're seeing what's best now.

< e​msczkp:matrix.org > I just wanted to say that my implementation shows a 50% optimization on verification times compared to the BP's IPA

< k​ayabanerve:matrix.org > Aaron Feickert: Not yet. I asked for them to clarify some ambiguous notation. It's not breaking, it's just a bit wonky to read. Once I have that final PDF, or at least their confirmation that the one thus far shared is okay to publish (not an internal preprint), I'll share it. Ideally a day or two.

< k​ayabanerve:matrix.org > emsczkp: Would you please share a link and clarify if you're delaying the verification to a final multiexp or not?

< k​ayabanerve:matrix.org > (to the implementation. I'd be shocked if saving the inversions was so impactful)

< e​msczkp:matrix.org > I can share the repositories. Just a second, I'll make it public. I haven't implemented the multi-exp version yet and I'm working on it

< k​ayabanerve:matrix.org > I'll further clarify I'm holding off on soliciting quotes for further review until I do have the PDF to be shared, as necessary to get quotes. So ideally, in a day or two I can solicit quotes, and ideally we have them Monday for the meeting Wednesday? That somewhat applies weekend quotes, so the review quotes may be up to the wire on the meeting :/ Apologies.

< r​ucknium:monero.social > kayabanerve: That sounds good to me. Thanks for doing all the coordination.

< e​msczkp:matrix.org > this is the repo https://github.com/EmanueleSc/IV-IPA/ , the name is misleading because it would be the final idea... meanwhile "inner-sigma" i.e., the compressed sigma-ipa, and "inner" i.e., the BP IPA are implemented. I can share screenshots of benchmarks

< a​aron:cypherstack.com > Is this approach formalized anywhere?

< k​ayabanerve:monero.social > I'm also soliciting review of the GBP proofs, and have been for a week or so. There's one candidate in mind so I'm hoping that works out. Else, it'll be another candidate spread, likely Goodell and one or two other groups.

< rucknium:monero.social > Aaron Feickert: Scala, E., & Mostarda, L. 2024, Efficient inner-product argument from compressed $\Sigma$-protocols and applications. Paper presented at International Conference on Advanced Information Networking and Applications. https://moneroresearch.info/index.php?action=resource_RESOURCEVIEW_CORE&id=221

< e​msczkp:matrix.org > yes, the approach is formalized here https://moneroresearch.info/index.php?action=resource_RESOURCEVIEW_CORE&id=221&browserTabID=

< k​ayabanerve:monero.social > With GBP proof review, we can move to auditing. With the divisor gadget also signed off on, we can move to its entire circuit?

< r​ucknium:monero.social > ^ I think that's the paper

< k​ayabanerve:monero.social > So progress being made on a few ends there.

< k​ayabanerve:matrix.org > I'll ask Aaron Feickert, who is welcome to reply privately, if

< k​ayabanerve:matrix.org > 1) They're happy with the notation in their proofs and are fine with me sending them off as-is. I assume so yet will double check.

< k​ayabanerve:matrix.org > 2) They reached out to the original authors (and specifically noted the H_i extraction)

< k​ayabanerve:matrix.org > Oh, and 3) If they can confirm again (I did ask back in the day), the cross-product issue preventing more efficient H_i extraction is non-trivial and we should move forward with the protocol as-is.

< a​aron:cypherstack.com > 1. The report made available at the CS repository should be fine for review by anyone interested.

< a​aron:cypherstack.com > 2. We did reach out to the original authors (in early May), but did not hear back.

< a​aron:cypherstack.com > 3. Correct, but I would be thrilled if someone found a way around this limitation :D

< k​ayabanerve:matrix.org > In that case, I won't push it and will move forward with review as-is.

< a​aron:cypherstack.com > That being said, I'd be shocked if there weren't typos in the notation somewhere...

< a​aron:cypherstack.com > (but there are none I know of)

< kayabanerve:matrix.org > I want to personally try out the above IPA, as an experiment on the verification times, as it'd save a few inversions. The claims of saving verifier scalings/50% are presumed notational artifacts at this time and not expected IRL.

< k​ayabanerve:matrix.org > I literally implemented it off your notation >:(

< k​ayabanerve:matrix.org > That implies correctness

< k​ayabanerve:matrix.org > Or dyslexia on my end.

< a​aron:cypherstack.com > Heh, I mean typos in general. Sorry, didn't mean to imply more!

< e​msczkp:matrix.org > k​ayabanerve explains so will you test the solution?

< e​msczkp:matrix.org > sorry but I always have the "federation problem" on the server and it's difficult to follow the chat perfectly

< k​ayabanerve:matrix.org > https://libera.monerologs.net/monero-research-lab/20240619

< k​ayabanerve:matrix.org > Refresh that every minute or so, as a workaround

< k​ayabanerve:matrix.org > I will try it out with FCMPs specifically, as an experiment. If it saves a sufficiently notable amount of time, I'd likely request quotes as necessary to evaluate if we have the bandwidth to also move forward with it.

< e​msczkp:matrix.org > ok thanks for the effort, I'm waiting for news and I hope that my contribution is the one expected in order to move forward

< r​ucknium:monero.social > We can end the meeting here. Thanks everyone.

< k​ayabanerve:matrix.org > I'd likely need to see those inversions save 5-10+%. The inversions are expensive, yet I'm not convinced they sufficiently weigh considering the amount of scalar matrix muls we currently face.

< k​ayabanerve:matrix.org > That's off the total proof, not just the IPA.

< r​ucknium:monero.social > Discussion can continue of course :)

< e​msczkp:matrix.org > kayabanerve: Do you have a formal specification I can refer to? I would like to know more

< e​msczkp:matrix.org > I know you have implemented bp+ , and are addressing GBP. I would like to have some material if possible

< a​aron:cypherstack.com > You mean IPA challenge inversions? Those can also be batched, so as to replace multiple inversions with a single inversion and sequence of multiplications

< a​aron:cypherstack.com > (assuming this is what you meant)

< k​ayabanerve:monero.social > My looking into spending the time and effort on this, which expends limited bandwidth, would likely have the aforementioned reward necessary. The current IPA proof itself is available at

< k​ayabanerve:monero.social > https://github.com/kayabaNerve/fcmp-plus-plus/blob/develop/crypto/generalized-bulletproofs/src/inner_product.rs

< k​ayabanerve:matrix.org > I'm pulling up the benchmark command, one moment...

< kayabanerve:matrix.org > Sorry, I became quite distracted. I sent on monero.social the link to the current IPA (see logs). The benchmarks can be run with `cargo test --all-features -p full-chain-membership-proofs -- --nocapture` from https://github.com/kayabaNerve/fcmp-plus-plus/.

< k​ayabanerve:matrix.org > emsczkp:

< e​msczkp:matrix.org > Thank you for the repo, i'll do some experiments on the ipa

< k​ayabanerve:matrix.org > *--release

< kayabanerve:matrix.org > One should also benchmark with the `--release` flag, added after `test` in the above command.