monero-project / meta

A Meta Repository for General Monero Project Matters

Monero Research Lab Meeting - Wed 06 March 2024, 17:00 UTC #976

Closed. Rucknium closed this issue 2 months ago.

Rucknium commented 2 months ago

Location: Libera.chat, #monero-research-lab | Matrix

Join the Monero Matrix server if you don't already have a Matrix account.

Time: 17:00 UTC

Main discussion topics:

  1. Greetings

  2. Updates. What is everyone working on?

  3. CypherStack have requested 50% ($16,000) of the Bulletproofs++ Peer Review CCS to be paid out.

  4. @jeffro256 I think we can improve how the nodes handle alternative blocks in a way that might naturally reduce the number of reorgs on the network.

  5. Transaction volume increase this week

  6. Any other business

  7. Confirm next meeting agenda

Please comment on GitHub in advance of the meeting if you would like to propose an agenda item.

Logs will be posted here after the meeting.

Meeting chairperson: Rucknium

Previous meeting agenda/logs:

#973

Rucknium commented 2 months ago

< rucknium:monero.social > Meeting time! https://github.com/monero-project/meta/issues/976

< rucknium:monero.social > 1) Greetings

< vtnerd > hi

< rbrunner > Hello

< aaron:cypherstack.com > Hello!

< plowsof:matrix.org > hi

< diego:cypherstack.com > hello hello!

< 0xfffc:matrix.org > Hi everyone.

< hinto.janaiyo:matrix.org > hello

< rucknium:monero.social > 2) Updates. What is everyone working on?

< rucknium:monero.social > me: OSPEAD. I think I will make my self-imposed deadline of next week for milestone 2.

< vtnerd > me: working on getting LWS new accounts "pushed" to scan threads instead of resetting the scan state on new accounts

< vtnerd > also was tracking a LWS bug someone reported privately via telegram, but was unable to duplicate (segfault)

< 0xfffc:matrix.org > Me: worked on second version of reader_writer lock 9181 which addresses writer starvation issue. It is finished, and in a good shape. I believe with a few reviews and a little bit more testing we will be able to get it merged. I am running it on my private node too.

< rucknium:monero.social > 3) Discuss: CypherStack have requested 50% ($16,000) of the Bulletproofs++ Peer Review CCS to be paid out. https://repo.getmonero.org/monero-project/ccs-proposals/-/merge_requests/358#note_23485

< diego:cypherstack.com > Hiya. I brought this up at the community meeting too.

< rucknium:monero.social > Aaron Feickert: Could you say something brief about the review progress. I heard that you found some flaws in the security proofs, but you were able to repair some(?) of them

< diego:cypherstack.com > Basically we're more than halfway through and the singular milestone is kind of set up to only pay out at the end. Given the length of the project, it'd be very helpful to us to be able to have a mid payout to keep some cash flowing.

< diego:cypherstack.com > Aaron can answer specific questions, but our progress report is basically the following:

< diego:cypherstack.com > We've made significant progress. Lots of math. Lots of digging. Found some errors so far. Talked to the authors who responded. Still more to work through. Got like 11-12 pages of math so far.

< diego:cypherstack.com > We DO have a VERY incomplete draft of the paper for viewing if people want proof of work. Just what we've done up to this point.

< diego:cypherstack.com > Aaron Feickert: if you wanted to give a very brief statement about security proofs and authors as Rucknium asked?

< aaron:cypherstack.com > Yeah, we've identified a number of issues so far. There's a fair amount of notation that's incomplete or incorrect, several points in the proofs that we needed to expand on significantly for correctness, one proof that was incorrect (and even had an incorrect statement) that we rewrote, and another whose validity we're still attempting to verify

< aaron:cypherstack.com > I've been in contact with the preprint authors as well to discuss some of the issues

< rucknium:monero.social > "incorrect statement" == theorem is wrong? Do you have a counterexample? Is it an important THM for the paper?

< rucknium:monero.social > To me it sounds like we will need another party to do another review of your work because the changes are large. That's fine. It affects hard fork planning.

< aaron:cypherstack.com > The particular lemma is at the heart of higher-level emulation claims. The statement of the lemma was incorrect: it couldn't possibly have held, didn't match the proof (which had other errors), and wouldn't have made sense for the emulation

< aaron:cypherstack.com > The authors agreed, provided the actual statement, and we rewrote the proof to assert it could be fixed (it can)

< aaron:cypherstack.com > A lot of the preprint is written fairly informally, unfortunately, in terms of things like notation and claims. This makes it challenging.

< rbrunner > How does that compare with earlier Bulletproofs and Bulletproofs+?

< rbrunner > I mean, do you happen to know whether the papers were better?

< aaron:cypherstack.com > That's an excellent question

< aaron:cypherstack.com > Roughly speaking, I'd say that BP and BP+ share a lot of the same underlying structure, and the way the range proving protocols are built makes analysis reasonably straightforward

< rucknium:monero.social > Thanks so much for your work on this. I don't like to set precedent for splitting milestone payments, but your CCS proposal only had one milestone. Most proposals have multiple. I think it would be OK to pay half the milestone if we get your current draft.

< aaron:cypherstack.com > The extra "+" in BP++ carries a lot weight; the structure of its range proving protocols is very different and much more complex

< aaron:cypherstack.com > *a lot of weight

< rucknium:monero.social > FWIW, BP+ had a flaw in one of its math proofs. It was caught and corrected in one of Monero's reviews.

< aaron:cypherstack.com > Yep

< rbrunner > I think the precedent would not be a big problem if we try to find points for mid-way payout in future such CCSs to avoid the issue in the first place

< rbrunner > For big reviews, that is

< aaron:cypherstack.com > Anyway, as Diego Salazar mentioned, we have an in-progress report (around 11-12 pages)

< aaron:cypherstack.com > I would caution against making it widely available, lest readers assume more from it than they ought

< rucknium:monero.social > My gut says that the benefit of BP++ might not be worth the risk. We "only" get smaller tx sizes and faster verification. But if we're wrong then a malicious actor can create counterfeit XMR. Too early to say for sure now while the review is ongoing of course.

< rbrunner > Just curious: Will BP++ continue to be used in a FCMP version of Monero, if it comes to that?

< rucknium:monero.social > If you don't want the draft widely available, then maybe write a summary of initial findings? That wouldn't take much time, right?

< aaron:cypherstack.com > Rucknium: how detailed would you like such a summary to be?

< diego:cypherstack.com > No. The draft is ready to go and the work has been done on it already.

< rucknium:monero.social > I am not a cryptographer, so ask one :)

< aaron:cypherstack.com > @rbrunner: I am not certain how much work would be needed to modify the BP++ protocols to support that

< rucknium:monero.social > 1 - 2 pages summary I assume would cover things

< aaron:cypherstack.com > Rucknium: the risk assessment is tricky, to be sure, given the complexity

< aaron:cypherstack.com > There are a lot of new moving parts to BP++

< diego:cypherstack.com > I'm sorry to be a choosing beggar here, but I'd rather not spend a few hours of unpaid work on a summary.

< rucknium:monero.social > I was skeptical of this paper from the beginning. Take my skepticism with a grain of salt :)

< aaron:cypherstack.com > Rucknium: all math should be subject to healthy skepticism :D

< diego:cypherstack.com > Happy to share the draft we prepared yesterday as proof of our work. If a summary is needed for release of half the funds then we'll push forward without it until completion.

< diego:cypherstack.com > Not trying to be hostile or antagonistic. Hope my words don't come off that way.

< aaron:cypherstack.com > The draft does contain a warning right up front about its incomplete status, and is thoroughly watermarked as a draft!

< aaron:cypherstack.com > (This is common for Cypher Stack reviews, so there's no doubt about the draft status of initial reports)

< rucknium:monero.social > If there are not vulnerability disclosure concerns with the draft, then we have to give something public to the community IMHO. It can be a summary or the current rough draft

< aaron:cypherstack.com > Again, I would just caution any readers against assuming final conclusions from such a draft

< rbrunner > We have a comment on GitLab from UkoeHB: "A short progress report may be appropriate, to justify adding a milestone" I guess he could do with a more detailed interim report as well

< diego:cypherstack.com > Showing the community isn't a problem, I don't think. I think the big issue is spreading it widely on social media.

< aaron:cypherstack.com > Rucknium: I know of only one implementation, and I don't think it's deployed anywhere (or even assumed to be ready for deployment)

< rbrunner > Yeah, I don't think social media will be a real problem :)

< rbrunner > In this particular case

< aaron:cypherstack.com > Readers should just be cautioned that the findings could change over time as the review continues, and as we continue discussions with the preprint authors

< diego:cypherstack.com > Where would be appropriate/sufficient for community? IRC channels? Telegram? Reddit?

< rucknium:monero.social > Post on the CCS proposal as a comment IMHO. Any community members closely following the proposal will see it

< diego:cypherstack.com > Perhaps the gitlab discussion itself

< rbrunner > Yup, had the same thought

< rucknium:monero.social > Anyone else in the meeting here have opinions about this?

< rucknium:monero.social > Diego Salazar: "I'm sorry to be a choosing beggar here, but I'd rather not spend a few hours of unpaid work on a summary." That's totally understandable :)

< diego:cypherstack.com > https://repo.getmonero.org/monero-project/ccs-proposals/-/merge_requests/358#note_23499

< aaron:cypherstack.com > Also note that the preprint authors haven't been sent the draft

< rbrunner > Yeah, I suppose the work turned out to be bigger than anticipated anyway

< aaron:cypherstack.com > We've been discussing specific issues via email

< rucknium:monero.social > You are aware that the paper was accepted at EUROCRYPT 24 right?

< aaron:cypherstack.com > I was not!

< diego:cypherstack.com > By a lot. The proposal was first made when draft 1 was a thing and I didn't think much of the timeline. Then draft 2 dropped and it more than doubled the workload.

< aaron:cypherstack.com > The authors didn't mention it, but I also didn't ask /shrug

< midipoet > Just clearly state it's a draft and summarise the content into bullet points with [draft] after each one?

< rucknium:monero.social > https://eurocrypt.iacr.org/2024/acceptedpapers.php

< plowsof:matrix.org > sounds ideal. jberman / UkoeHB were the first to request. if they can give it a lgtm

< aaron:cypherstack.com > Rucknium: interesting! How did you come across it?

< rucknium:monero.social > Revise it and get coauthor credit ;)

< rucknium:monero.social > kayabanerve saw it first

< aaron:cypherstack.com > I'm intrigued as to what the EUROCRYPT reviewers thought

< rucknium:monero.social > And then we discussed here the quality of peer review standards in cryptography

< aaron:cypherstack.com > I will note that conference/journal reviews can be all over the place

< rucknium:monero.social > rubber stamp

< aaron:cypherstack.com > I've seen some that are really excellent, and others where I questioned if the reviewer read the whole paper =p

< aaron:cypherstack.com > That's not to say their specific reviews were thorough or not thorough (I have no idea)

< aaron:cypherstack.com > I can only speak for our review

< diego:cypherstack.com > Yeah if you all can go to the PR and give an emoji or something, that'd be great. :D

< aaron:cypherstack.com > (Terrifyingly, I've seen situations where reviewers were not required to read security proofs)

< aaron:cypherstack.com > Anyway, sorry to derail!

< rucknium:monero.social > Yeah I quoted our conversation about that here in this channel. I hope that was OK.

< aaron:cypherstack.com > (Side note: the EUROCRYPT program looks excellent)

< rbrunner > That "accepted paper" list is fascinating for a crypto-noob like me: How much I have absolutely no clue about :)

< plowsof:matrix.org > pending emojis/lgtm from jberman/UkoeHB. it would seem that binaryFate should then go ahead and send out the payment when possible yes?

< rbrunner > Sounds reasonable to me

< diego:cypherstack.com > Weee! Thanks all.

< rbrunner > Well, depending on the emoji used of course

< diego:cypherstack.com > We do hope to have this completed this month, I believe.

< aaron:cypherstack.com > Hopefully the giant DRAFT watermark is large and annoying enough :)

< rucknium:monero.social > Thank you Diego Salazar and Aaron Feickert. Incredible work.

< diego:cypherstack.com > Given we are actually much farther than half way

< aaron:cypherstack.com > Rucknium: thanks! I admit it's been a challenging review

< aaron:cypherstack.com > But as always, I hope it's useful to the community and broader ecosystem

< diego:cypherstack.com > jberman: UkoeHB ^

< diego:cypherstack.com > either way. Nothing else from us.

< rucknium:monero.social > We had a couple more items of the agenda. jeffro256 isn't here now to continue the +1 alternative block tiebreaking idea.

< rucknium:monero.social > We have had a x2 increase in Monero tx volume the last two days: https://bitinfocharts.com/comparison/monero-transactions.html#3m

< aaron:cypherstack.com > 2x increase in two days??

< hyc > the surge seems to have already subsided

< rbrunner > Yes. Just checked, it's ongoing. They pushed blocksize up to 310 KB at one time

< aaron:cypherstack.com > Some kind of obvious spam attack?

< aaron:cypherstack.com > Anything stand out about the tx structures?

< rbrunner > In the morning UTC it was a bit less. Now we have again 1039 txs waiting.

< hyc > my node says there are ~880txs in pool now, 5 block backlog

< aaron:cypherstack.com > geez

< rbrunner > Mostly 1 in / 2 out as far as I can see, nothing extraordinary: https://xmrchain.net/

< rucknium:monero.social > lots of 1in/2out txs. We could try to run the same analysis that we did in 2021. But that's a lot of work. https://mitchellpkt.medium.com/fingerprinting-a-flood-forensic-statistical-analysis-of-the-mid-2021-monero-transaction-volume-a19cbf41ce60

< hyc > could be a very naive exchange or pool doing payouts to 1 user per tx

< hyc > when they should have been doing N destinations per tx...

< plowsof:matrix.org > txpool for convenience: https://xmrchain.net/txpool

< aaron:cypherstack.com > holy mempool batman

< rucknium:monero.social > plowsof and I are storing txpool data. This will help with fee prediction algorithms later.

< hyc > I just check print_pool_stats on monerod ...

< rucknium:monero.social > And other research questions we don't know about yet

< aaron:cypherstack.com > If it is an attack, wonder if it's the same entity/entities as the earlier Zcash spam attack

< aaron:cypherstack.com > That went on for quite some time

< rucknium:monero.social > Anyone think I should divert effort to analyze this? I prefer "no"...

< rbrunner > My first thought is "Depends on how long this continues" ...

< rucknium:monero.social > I don't know what action could be taken. The dynamic block size is supposed to work its magic.

< rucknium:monero.social > It's it's not magical, then it should be made more magical...but that has to wait for a hard fork

< rucknium:monero.social > If it's*

< plowsof:matrix.org > monerod print_pool_state for convenience* web url so i look busy hyc** lol

< plowsof:matrix.org > stats*

< rucknium:monero.social > Anything else? If not we can end the meeting.

< rucknium:monero.social > --- end meeting ---

< plowsof:matrix.org > thanks for chairing Rucknium!

< UkoeHB > Thanks for the update Aaron, good to see the progress :)

< aaron:cypherstack.com > @UkoeHB thanks!