Rucknium
commented
1 month ago Log:
< 0xfffc:monero.social > My apologies in advance. I will be late for the meeting. I have few minor updates. I finished the sync-before-verify PR. But eventually decided ( with boog ) to not move forward with it. If anyone else wants can take a look at it [1]. Instead of it, we decided to move forward with a PR that checks hardfork and verify only if necessary [2].
< 0xfffc:monero.social > Other than these, I have started to work on the issue boog explained here [3]. The gist is to send txis only if it is necessary and peers asks.
< 0xfffc:monero.social > 1. https://github.com/spackle-xmr/monero/pull/13#issuecomment-2234543784
< 0xfffc:monero.social > 2. https://github.com/monero-project/monero/pull/9404
< 0xfffc:monero.social > 3. https://github.com/monero-project/monero/issues/9334
< rucknium:monero.social > Meeting time! https://github.com/monero-project/meta/issues/1044
< rucknium:monero.social > 1) Greetings
< rbrunner > Hello
< jberman:monero.social > waves
< jeffro256:monero.social > howdy
< one-horse-wagon:monero.social > Hello!
< rucknium:monero.social > 2) Updates. What is everyone working on?
< chaser:monero.social > hello
< jberman:monero.social > me: finishing up initial migration of cryptonote outputs into the curve trees merkle tree for fcmp's + growing the tree as the node syncs, and cleaning up the grow_tree + trim_tree impl as I go
< rucknium:monero.social > me: Reading many papers on gossip protocols and network topology. I am writing comments to these two PRs: "tx_memory_pool: make double spends a no-drop offense" https://github.com/monero-project/monero/pull/9218 "Fix embargo timeout in dandelion++" https://github.com/monero-project/monero/pull/9295
< jeffro256:monero.social > me: drafting a distilled document for the the new addressing protocol for legacy addresses for formal auditing (hopefully). will talk more about it later in the meeting...
< rucknium:monero.social > 3) Stress testing monerod https://github.com/monero-project/monero/issues/9348
< jeffro256:monero.social > anything interesting break this week? ;)
< rucknium:monero.social > AFAIK, no new incidents on stressnet. There is discussion in #monero-stressnet:monero.social ( ##monero-stressnet on IRC) about how long stressnet should continue and how.
< rucknium:monero.social > The original plan was to run it for two months (which would end about August 10th), but it could be extended if it is helpful for development.
< rucknium:monero.social > and/or the stressnet could be restarted when FCMP++ are ready to test
< rbrunner > As you explained, Rucknium, actually stressing amounts to quite some work, right?
< one-horse-wagon:monero.social > Has there been any actionable results from the stress testing so far that could be taken in the Monero codebase?
< jeffro256:monero.social > https://github.com/monero-project/monero/pull/9404 https://github.com/monero-project/monero/pull/9395
< rbrunner > Yes. An astonishingly high number, if you ask me.
< rucknium:monero.social > Many community volunteers are running stressnet nodes. About 40 nodes at the beginning. Now about 25. They were told at the beginning that it would run for about 2 months and the blockchain would grow to about 50GB. It is 50GB now.
< jeffro256:monero.social > https://github.com/monero-project/monero/issues/9388
< jberman:monero.social > +1, it's definitely been valuable
< vtnerd:monero.social > Hi, sorry for being late
< one-horse-wagon:monero.social > I've asked this question before. Does it help the stress net to do some mining on it? I do it and it seems like I'm almost the only one.
< rucknium:monero.social > one-horse-wagon: Yes because it creates network conditions to test re-org/orphan block behavior
< rucknium:monero.social > But not at a high hash rate
< rucknium:monero.social > Actually we wouldn't have found the invalid blocks issue without multiple nodes mining AFAIK
< one-horse-wagon:monero.social > Gotcha. I've toned it down a lot but the coins still come flying in.
< rucknium:monero.social > If you have lots of mined coins that you don't plan to spam, it is good to send them to the wallets of people who are spamming so we can use the coins for tx fees. I think that's just spackle and me.
< one-horse-wagon:monero.social > Rucknium: Post your wallet address and I'll send you a few thousand.
< jeffro256:monero.social > Do you know of anyone that has used p2pool to mine on the stressnet? Might produce interesting results
< rucknium:monero.social > jeffro256: AFAIK, p2pool is not set up on stressnet. Yes, could be interesting if someone wants to set it up.
< rucknium:monero.social > AFAIK, the p2pool could merge-mine with Monero mainnet now. Or at least I think that change enabling that is in a PR somewhere.
< rucknium:monero.social > 4) Research Pre-Seraphis Full-Chain Membership Proofs. https://www.getmonero.org/2024/04/27/fcmps.html
< rucknium:monero.social > kayabanerve , kayabanerve : Anything on FCMP for this meeting?
< rucknium:monero.social > Or anyone else have something about FCMP?
< rucknium:monero.social > 5) Auditing the math of the new addressing protocol for legacy addresses. ( jeffro256 's item)
< jeffro256:monero.social > I would like to have the new addressing protocol, which I call Carrot (Cryptonote Address on Rerandomiable-RingCT-Output Transactions), deployed alonsgide the initial deployment of FCMP++ for two main reasons: 1) so we can actually leverage FCMP++'s forward secrecy and outgoing view key properties ASAP, and 2) once Jamtis is ready for deployment, there will be a smooth transition <clipped messag
< jeffro256:monero.social > without transaction fingerprinting issues. However, I don't want the Carrot integration to slow down FCMP++, so I would like to get it audited as soon as possible. I have written almost all of the code we need to deploy Carrot (there are still kinks with payment IDs to be worked out soon), so that should not be a limiting factor. The limiting factor will probably be auditing the m<clipped messag
< jeffro256:monero.social > ath and code. To this end, I have begun to draft a document that outlines all the details for the Carrot, distilled from tevador's Jamtis-RCT gist. After this is done, I want to propose that it gets audited with funding from the CCS. This should be a relatively straight forward audit, and I don't forsee any issues. After that, then the code auditing can begin. Luckily, FCMPs and <clipped messag
< jeffro256:monero.social > Carrot mainly touch separate parts of the transaction (inputs and outputs, respectively), so development and integration can be parallelized nicely.
< jeffro256:monero.social > I discussed this earlier in the week in the NWLB meeting
< jberman:monero.social > fcmp implementation timeline still on pace. I think within 3-4 months it'll be ready for stressnet
< rbrunner > Viewed from the outside, a fork to FCMPs without anything Jamtis in it does look like quite a wasted chance, IMHO.
< rbrunner > So in a timeframe of 3 to 4 months there could be room for it, yes?
< jeffro256:monero.social > Well the new addressing protocol is not technically Jamtis, but is backwards compatible with existing addresses but obtains nice properties such as forward secrecy, OVKs, and Janus protection
< jeffro256:monero.social > jberman: tx output construction code for Carrot is basically done, scanning code is basically done, if audits go smoothly (which they should), then the only task remaining is to integrate with wallet2, which with your async wallet scanning code we were already planning to do
< rbrunner > Ah, yes, I did not read all. So able to separate.
< jeffro256:monero.social > Carrot would also be indistinguishable from Jamtis on-chain, so we can switch to Jamtis easily with no loss of privacy in our own time
< jberman:monero.social > I have no issue with pushing it forward in parallel. Once fcmp's are done we can see where jamtis-rct is at and decide at that point what the best rollout strategy is
< jberman:monero.social > so +1 from me pushing auditing forwards
< rbrunner > "Jamtis" brings, in addition, new long addresses, which means wallet changes?
< jeffro256:monero.social > rbrunner7: IMO you're right it would be a wasted chance if we didn't do Carrot because then we don't fully leverage the FCMP features
< rbrunner > i.e. wallet UI changes, which could be quite heavy, and might derail the time line
< jeffro256:monero.social > Yes IMO the biggest issue with Jamtis is the friction of updating addresses. Carrot doesn't have that problem which should speed up adoption
< rbrunner > Does anything change for hardware wallets with Carrot? Maybe things change anyway because of FCMPs?
< rbrunner > With or without Carrot, I mean
< jberman:monero.social > "transaction fingerprinting issues" -> can you elaborate on the fingerprints?
< jeffro256:monero.social > Yes HWs will have to update for FCMPs anyway on the input / spendkey side of things. For Carrot specifically, the HWs dont have to change too much. The ECDH key derivation is exactly the same
< jeffro256:monero.social > Depending on if the HW supports OVKs, the key image derivation might have to change
< rbrunner > Thanks. So they will have to move anyway, not a strong argument against Carrot early.
< jeffro256:monero.social > jberman: 3-byte view tags, encrypted address tags / carrot randomness, and X25519 epehemeral pubkeys are not present in the current Cryptonote address protocol
< jeffro256:monero.social > Onetime addresses, amount commitments, and encrypted amounts will look the same to external observers, though
< jberman:monero.social > "That means wallets can send payments to both new and old addresses and the resulting transactions will be indistinguishable in the blockchain" -> when sending to an old address, would dummy values go on chain?
< jeffro256:monero.social > They aren't really "dummy" tx values in Carrot since all tx elements from Jamtis are used someway or another. For example, the X25519 ephemeral pubkeys are just the the new way to encode analogues of the "main"/"additional" tx pubkeys
< jberman:monero.social > I see in section 6.7, looks like it takes care of eliminating the fingerprints no?
< jeffro256:monero.social > The place that would be used for Jamtis encrypted address tags is used to encode a "randomness" in carrot used to rederive the ephemeral private key to mitigate Janus attacks
< jeffro256:monero.social > Yes, I don't think there's a section explicitly mentioning fingerprinting issues, but that was part of the design
< rbrunner > You mean attention was given, while designing things, to avoid such fingerprinting issues?
< jeffro256:monero.social > Yes
< rbrunner > Alright. We have to implement this almost for the catchy name alone :)
< jberman:monero.social > so ultimately whenever jamtis-rct rolls out, and network consensus requires txs to spec, then we won't have fingerprinting issues, no? I'm trying to see why rolling out with fcmp's avoids fingerprinting issues
< jeffro256:monero.social > Okay good question. Scenario 1) we stick with the old cryptonote addressing protocol with FCMP++ rollout and then try to switch to Carrot and Jamtis later. Scenario 2) we rollout with Carrot initially with FCMP++ then support Jamtis later. In scenario 1, there will be instantly noticeable difference between old Cryptonote address txs and Carrot/Jamtis transactions which splits the<clipped messag
< jeffro256:monero.social > network into 2 anonymity pools
< jeffro256:monero.social > With scenario 2, whenever we switch to Jamtis, there is no difference between Jamtis and Carrot transactions; All post FCMP++ txs look the same
< jeffro256:monero.social > That's why I would like to rollout Carrot with FCMP++: to avoid the fingerprinting issues that come with supporting the new Jamtis address types
< kayabanerve:matrix.org > Apologies
< jberman:monero.social > In scenario 1, I figure a hard frok to switch to Carrot/Jamtis is expected to require all txs be to spec, like the switch to requiring view tags at consensus
< jeffro256:monero.social > A switch to Carrot/Jamtis need not be a hardfork
< kayabanerve:matrix.org > I'm very interested in Carrot explicitly for F-S.
< rbrunner > But only if we already have Carrot, I guess?
< rbrunner > I.e. later adding Jamtis to the mix does not need a new hardfork
< jberman:monero.social > Scenario 2 includes consensus rules that require e.g. 3 byte view tags etc., no?
< jeffro256:monero.social > Nope, we don't need Carrot even to start that addressing protocol since they can just put the scanning data in tx_extra
< jeffro256:monero.social > jberman: what I did initally for testing was put the first byte of the view tag in the
tx_outand the other 2 in tx_extra< jeffro256:monero.social > No hardfork needed
< rbrunner > It's all a bit confusing. Maybe lay it out all carefully in your document, and then people can study and try to understand.
< jberman:monero.social > but then you'll have 2 anon pools, txs that include that extra data in extra and the ones that don't
< jeffro256:monero.social > jberman: this is the situation that I'm trying to avoid but having Carrot roll out initially with the upcoming hardfork
< jeffro256:monero.social > *by having
< rbrunner > Anyway, right now for me it sounds as if going for Carrot is worthwhile even if it should not having to do anything with avoiding fingerprinting
< rbrunner > Also known as a "no brainer" if that opinion has merit
< jeffro256:monero.social > Ideally, since everyone is updating for FCMPs mandatorily anyways, they also receive the Carrot updates and all post-FCMP++ txs use Carrot (or Jamtis since we can't tell as an external observer)
< jberman:monero.social > to achieve the goal of indistinguishable txs I figure we'd want consensus to enforce the new tx format / not use extra
< rbrunner > Certainly
< jeffro256:monero.social > I disagree to a certain extent. I think view tags shouldn't be inside the
tx_outstructs and should be hoisted totx_extra. Then there should be relay rules which dictate the contents oftx_extrato reduce fingerprinting< rbrunner > Sounds strange.
< jeffro256:monero.social > As we've discussed before though, there's not much we can do to stop people from purposefully screwing up their fingerprint in txs. However, we can prevent accidental mistakes
< jeffro256:monero.social > (or people putting large blobs in tx_extra)
< jeffro256:monero.social > (or other actively so far off from normal that trivial heuristics catches it)
< jeffro256:monero.social > *activity
< kayabanerve:matrix.org > The consensus rule of FCMP++s already enables: if fcmp++, xyz, with a hard boundary.
< rbrunner > Maybe that's stuff for another meeting, or a discussion after the meeting proper, but a solid argument pro view tags in tx_extra would surprise me
< kayabanerve:matrix.org > I disagree we need additional consensus rules.
< kayabanerve:matrix.org > I'm unsure I'm for TX v3 at this time though.
< rbrunner > Is there something to fear from a new tx version?
< kayabanerve:matrix.org > (or any deep structural changes with the fcmp++ fork)
< rbrunner > Not sure a component or two more in a tx are already "deep structural changes" ...
< rbrunner > Maybe I underestimate?
< jeffro256:monero.social > rbrunner: a new tx version means extra technical debt and requiring a hard fork which adds even more friction to Monero adoption IMO
< rbrunner > That tx_extra would't process itself alone either
< jeffro256:monero.social > It's justified for FCMP++ IMO b/c if the privacy benefits
< rbrunner > I think now you lost me :)
< jberman:monero.social > MyMonero is an example of a wallet that uses a pretty heavily modified version of the monero core code to construct txs. I can pretty easily imagine they only end up implementing fcmp++'s and not the other changes necessary for Carrot
< rbrunner > Anyway, probably not that important
< kayabanerve:matrix.org > TX extra is entirety out if consensus so it would in fact process itself
< kayabanerve:matrix.org > jberman: If a TX is FCMP++, just only scan per Carrot.
< kayabanerve:matrix.org > MyMonero can legacy send but it'd effectively be a custom protocol and their failure.
< jberman:monero.social > I guess if relay rules enforce the Carrot changes, then that changes things. Would have to introduce relay rules that parse tx extra etc., which I would argue is more complex than new explicit types
< rbrunner > Maybe MyMonero throws in the towel, who knows. Will get interesting.
< endogenic > more like they use the libs others will release
< kayabanerve:matrix.org > *I do know wallets would need updating. Updating wallets is simpler to also updating the output definitions :/ IIRC they're unversioned and not an enum.
< jeffro256:monero.social > jberman: Yes I agree that this in an issue. Could be worth discussing relay rules to at least combat fingerprinting. Really, let's say you're a lazy dev and don't care if your users get F-S, Janus protection, or OVKs with Carrot. You can add dummy encrypted address tags and view tags. The only real cryptographic code that you need to implement is the functions converting points fr<clipped messag
< jeffro256:monero.social > om X25519 to Ed25519 and vice versa
< jeffro256:monero.social > So even for the laziest wallet devs, you only really need
CovertPubkey1,CovertPubkey2, andNormalizeXfunctions from Jamtis-RCT< kayabanerve:matrix.org > jberman: We don't need relay rules if we just don't scan TXs with legacy extra.
< rbrunner > I really think we shouldn't even explain to lazy devs how to be maximally lazy :)
< rbrunner > And get away with it.
< kayabanerve:matrix.org > As jeffro says, there's ways to cheat implementing Carrot and one can do so. Relay rules/strict typing wouldn't catch that.
< jberman:monero.social > ya, fair arguments
< kayabanerve:matrix.org > But if we only scan Carrot, it does mandate sending as Carrot.
< rbrunner > And everybody will still find all transactions?
< kayabanerve:matrix.org > No relay rules needed.
< jberman:monero.social > I mean they have to change scanning on their end too
< kayabanerve:matrix.org > FCMP++ TXs would have a distinct scan procedure (Carrot). All prior TXs would be fine.
< rbrunner > If somebody can just put in any old random data, I don't see how that would work out for everybody overall.
< rbrunner > For things they don't feel like implementing
< rbrunner > Maybe it is so, but somehow does not sound right
< kayabanerve:matrix.org > That's presumably always a risk, yet wallet2 would handle it. The concern is completely custom impls aiui
< jberman:monero.social > Carrot scanning is distinct code from FCMP++ scanning
< kayabanerve:matrix.org > Wat
< endogenic > so make custom impls. everyone will adapt
< kayabanerve:matrix.org > What's FCMP++ scanning in your context?
< endogenic > myMonero doesn't even really have a scale advantage
< endogenic > so it's not worth worrying about whether or not they're going to be able to scale their implementation
< kayabanerve:matrix.org > Outputs are versioned, my bad, sorry. I drop my strict typing concerns.
< endogenic > that's very kind of you guys to worry about someone who scammed the entire community though
< endogenic > lol
< jberman:monero.social > it's not worrying about them necessarily, it's about what goes on the chain / maximizing the anon set
< kayabanerve:matrix.org > Ignoring that, if we do change Carrot, I do think we need multiple months of the finalized spec and a full d/wallet-rpc available.
< jeffro256:monero.social > Agreed
< syntheticbird:monero.social > multiple months ? more than 3-4 months ?
< jeffro256:monero.social > Which is why it's nice that the code is mainly done
< rbrunner > smile
< kayabanerve:matrix.org > I'm not asking the final FCMP++ + Carrot (FCMP+++? FCMP#?) bins be available for three months (I'm unsure HF timelines). I'm asking the Carrot spec and bin be available for four.
< jeffro256:monero.social > I will try to work out a first draft the formal doc by next MRL meeting if y'all think its a good idea
< jberman:monero.social > fcmp++ scanning for full wallets = keeping full paths in the tree saved locally, light wallet fcmp++ scanning = nothing really for legacy
< kayabanerve:matrix.org > SyntheticBird: if it's public for one month, and I take a month to implement, the new monero-serai is available for 0 days prior to fork.
< kayabanerve:matrix.org > I need to impl it, test it, have it audited, and release with my own distance to the fork.
< kayabanerve:matrix.org > I can do that once I have a final spec and ref impl (even if unaudited with potential slight changes upcoming) but I do need that.
< rbrunner > So, to put it a bit bluntly, with Serai you have one of those "custom implementations" on your hand
< kayabanerve:matrix.org > jberman: I'd more call that tree management and think it's fine to say scanning an output, determining if you can spend it, would be Carrot for all FCMP++ TXs. We wouldn't even attempt the legacy scan protocol. I hear you if you want to note the FCMP++ pipeline re: scanning is more involved though.
< rbrunner > Is the goal a public release of Serai together with the FCMP++ hardfork?
< kayabanerve:matrix.org > rbrunner: and downstream consumers :D People like my work :D
< rbrunner > Yes, yes :)
< kayabanerve:matrix.org > But yes, and I do plan to follow the specification properly.
< jeffro256:monero.social > jberman: TBF the light wallet servers themselves have to do the FCMP changes to the wallet. Most of the time the development of the LW clients and LWS is tightly couple / done by the same people
< rbrunner > I just only now understand that yet one more ball is up in the air that may complicate things then
< kayabanerve:matrix.org > I wouldn't shim it unless there was no other way to do it in a sufficiently timely fashion.
< jberman:monero.social > actually ... ! ... light wallet servers should do the same thing as full wallets when scanning, no? at least for legacy. I don't think light wallet impls need decoy paths at all. light wallet servers just keep full paths saved for all received outputs
< jberman:monero.social > (sorry slightly off topic)
< kayabanerve:matrix.org > Re: timeline, that hasn't been the plan prior. I think Serai may beat FCMP++s.
< rbrunner > If no Carrot derails the poor thing :)
< jberman:monero.social > anyway yes, I'm noting that tree management is distinct code necessary to scan for fcmp++'s, compared to code necessary for Carrot scanning
< jeffro256:monero.social > jberman: true yeah as long as the LWS has access to a trusted daemon they can just trivially store paths in a databse yeah?
< jberman:monero.social > all this to say, Carrot isn't a trivial amount of code on top of fcmp++'s. all the more reason to make progress on it asap, but I'm still pretty iffy on rolling it out with fcmp++'s
< kayabanerve:matrix.org > I'd rather just do burning bug + F-S.
< kayabanerve:matrix.org > I'm not against Carrot if it's made accessible to review, implement, and test by devs not working on FCMP++ but I do share the concerns.
< jeffro256:monero.social > AFAIK almost all full wallets in use today use
wallet2for tx construction, correct?< jberman:monero.social > afaik yep
< jeffro256:monero.social > So it's mainly light wallet codebases that would need explicit updating?
< kayabanerve:matrix.org > I'm right here :(
< jberman:monero.social > sending to the new addresses will probably require some trivial changes too
< kayabanerve:matrix.org > My codebase would need explicit updating :(
< jeffro256:monero.social > I know I know !! lol
< jeffro256:monero.social > Not to exclude kayaba....
< jeffro256:monero.social > I was just trying to think of other more obscure wallets
< jeffro256:monero.social > That don't use
wallet2< kayabanerve:matrix.org > Ledger has on-device scanning
< kayabanerve:matrix.org > Trezor has a python reimpl of sending
< jberman:monero.social > also UI changes for handling the new addresses. e.g. let's say no UI changes are made, then you recover a seed that has received to a new address
< jeffro256:monero.social > Wdym by "new addresses" here? Jamtis or regenerated Cryptonote-style addresses?
< jeffro256:monero.social > Sending is exactly the same for old/new Cryptonote addresses
< jberman:monero.social > true trezor reimplemented wallet2, forgot that
< jeffro256:monero.social > Scanning is slightly different if you use a new address with OVKs
< jberman:monero.social > Jamtis generated addresses = new addresses
< jberman:monero.social > I'm thinking I will await your spec and think on it more then
< jeffro256:monero.social > For Jamtis addresses, weren't we going to use a different seed format anyways (Polyseed)?
< jeffro256:monero.social > That would signal to the wallet which type of scanning to do
< jeffro256:monero.social > But Trezor / Ledger DO have their own seed formats...
< jberman:monero.social > Feather and Cake (not sure of others in production) support polyseed today
< jeffro256:monero.social > I did not know that. That makes the UI problems hairier
< jeffro256:monero.social > Is there not a "Jamtis" flag bit in the Polyseed specs?
< jberman:monero.social > probably would make sense for there to be one
< jeffro256:monero.social > Okay just looked I don't think it's in there explicitly, maybe tevadoe mentioned it at some point... this is probably a good application for those feature bits
< jeffro256:monero.social > As long as we make sure production wallets today aren't already using them for vendor specific things
< jeffro256:monero.social > BTW thanks everyone for all the helpful input!
Location: Libera.chat, #monero-research-lab | Matrix
Join the Monero Matrix server if you don't already have a Matrix account.
Time: 17:00 UTC Check in your timezone
Main discussion topics:
Greetings
Updates. What is everyone working on?
Stress testing
monerodResearch Pre-Seraphis Full-Chain Membership Proofs.
Auditing the math of the new addressing protocol for legacy addresses.
Any other business
Confirm next meeting agenda
Please comment on GitHub in advance of the meeting if you would like to propose an agenda item.
Logs will be posted here after the meeting.
Meeting chairperson: Rucknium
Previous meeting agenda/logs:
1041