Both seem to be fairly understandable extensions of the sigma protocols Groth et.al. worked on. Hopefully someone can provide a good review without too much effort

One reviewer claimed to have found a break in the Arcturus assumption, but I disagree entirely

FWIW, Triptych was just accepted for publication, which is great

I'll be presenting it next month

Interesting. Did that reviewer share his thoughts publicly? I'd love to dig in.

Congrats on publication! Ill keep an eye out for the presentation (hoping its recorded somewhere)

The review was sent privately, but I had included a paste of it earlier

What's your interest? I don't recognize your nick, but welcome!

Here is that part of the reivew: paste.debian.net/hidden/d2ad5b5c

This claimed counterexample does not satisfy all the requirements of the assumption definition

I pointed this out in a rebuttal, unsuccessfully

Just a long term lurker / monero user / cryptography hobbiest. I love keeping an eye on the work that comes through MRL, and your recent work has refueled my interest in ring signature schemes

If the example can be expanded in a way that breaks the assumption, I'd love to know

Thanks for sharing

np

Indeed, that challenge is lacking completeness. From what I can see, the reviewer's challenge completely neglects the selection of Gi. His selection of a0 & a1 will not satisfy the relation on Gi

Im eager to see more formal analysis of this dual target assumption, but it seems likely to be sound.

I suspect it's fine in practice, but I can't find a reduction to a more standard assumption

Almost completed Triptych presentation: overleaf.com/read/rscsccvdsrvj

Comments welcome

Omg slide 15 :D

Research meeting today is at 17:00 UTC

.time

good bot

Triptych presentation is complete: overleaf.com/read/rscsccvdsrvj

Comments and suggestions welcome

Found some small notation issues in the preprint while working on it; they don't affect any of the results

I'll make the corrections and revise on IACR today

Meeting here begins in 30 minutes (17:00 UTC)

.time

good bot

OK, let's get started with the weekly research meeting!

The usual agenda: monero-project/meta #501

Logs will be posted there after the meeting

First, greetings!

hello :)

hi

Let's move to roundtable, where anyone is welcome to share research of interest

Isthmus: you posted to the agenda just now; care to share?

Sure

Our audit is coming along nicely, have been focused on the technical writeup.

Looped in Surae as a reviewer for the audit results and writeup - he’s been super helpful with nailing down a few of the trickier details, and cleanly communicating some of the more complicated concepts.

We have a meeting coming up where we'll merge drafts and freeze some of the sections (algorithms, key generation, subaddresses, stealth addresses) into "draft 1" for y'all to review. I'll just post in -lab on IRC

Great!

Also, still working on the empirical/statistical analysis of transaction field uniformity, and I've been looking into the Diehard tests as a starting point for battery of statistical tests.

(Note that they're designed to test RNG quality, which is a subtly different problem, but related enough that some of the tests (e.g. birthday spacing) should be applicable for both.)

The tricky thing is that many of these are designed to test uniformity of bitstrings, however that's not applicable here. Consider uniformly sampled integers on [0, 555]... Even if the sampling is correctly uniform, we do not expect uniformity in the binary representation (first bit more often 1 than 0) nor in a digit representation (see 5 more often than 8). So I'm having a little bit of trouble figuring

out how to adapt them (or if that's even possible)

( context here: github.com/Mitchellpkt/crypto_field_stats_tests )

Hmm, interesting

It's interesting to think about what the best action would be in the event of observed non-uniformity

I'd say it depends on the nature of the non-uniformity (bias or collisions?) and the implications of non-uniformity in that particular field

I don't think there's a single one-size-fits-all recommendation or level of severity

Very interesting analysis

Is there anything in particular relating to the post-quantum analysis for which you'd like assistance from this group?

Review of the first draft, probably later this week

Any/all feedback :- )

Sounds good!

Anything else you'd like to share?

Or, any questions for Isthmus?

<Mitchell PKT> BTW if y'all are having IRCcloud issues, you're welcome to use the Noncesense bridge at discord.noncesense.org

Nothing else from me for the moment

OK, thanks Isthmus

What would be the dataset for those tests?

Oh, is IRCCloud having problems? Seems to work fine for me, FWIW

I didn't have any issues, but saw people talking about it in scrollback from yesterday

Well, actually, I guess I don't know if I had issues, because I wasn't on IRC

I have a few research items to share

My proof-of-concept code for Bulletproofs+ now supports single-round verification and efficient batching: github.com/SarangNoether/skunkworks/tree/pybullet-plus

I'm in the process of modifying the existing Bulletproofs C++ code to get concrete performance data

Usual disclaimer that this proof-of-concept code is written for research, and not with practical security in mind... do not use in production for any reason

I'm happy to announce that Triptych has been accepted for presentation and publication at ESORICS CBT 2020

:- D

I have a blog post PR for `monero-site` announcing this

That is excellent

I'll make the presentation next month remotely

and the paper will appear in the conference proceedings

Here is a draft of the presentation: overleaf.com/read/rscsccvdsrvj

Comments and suggestions are welcome

I intentionally don't go into the weeds on the math of the proving system, since I think that is less helpful than explaining why it can be used to build a confidential transaction protocol

I discovered some notation problems in the preprint while preparing the presentation, but they are minor and don't affect any of the results or conclusions

Are there any questions on these topics?

Not from moi

Please do review the presentation if possible; my goal is clarity, and I welcome any suggestions

If anyone has trouble getting the PDF loaded in Overleaf, please let me know and I'll be happy to assist

Does anyone else have research topics to share?

I read the version earlier today and it was very clear an well explained

Thanks h4sh3d[m]!

I've recently added some additional slides

I'll have a look at the new slides, but again looks very clear

I am looking for a better way to visually explain the structure of the overall transaction protocol, which I find very tricky to dor

s/dor/do

good bot

Could we get u/Krakataua314 make an infographic?

"visually explain the structure of the overall transaction protocol" < this would be very useful for the quantum research too

Since being able to draw backwards red arrows labeled "X algo" is imho the most intuitive way to quickly see the results

I really wish that I could have submitted Arcturus for the workshop as well

Unfortunately, it was still under consideration elsewhere :(

Oh well

More time to think about its cryptographic hardness assumption

Anyway, those are the topics I wished to discuss

Anyone else?

Uh, I've been helping Isthmus with the PQ paper

Great!

also tomorrow Monero is gaining an undergraduate intern from Clemson University

I'm eager to see the results

Are there projects in mind for this person?

sarang, myself, isthmus, and TheCharlatan have a call scheduled where we will each explain a few possible projects for this student to work on, and they will select which one they want to work on for two subsequent semesters

I had a few things in mind, but wondered if there were others under consideration

each of us has a different set of ideas/flavors, but the student's experience is limited (understandably) so we are going to try to come up with something complete-able

i'm *guessing* that the student will be most interested in doing data science with isthmus looking at anonymity and linkability, but that's a wild guess

The things that I was considering had to do with chain toolsets and perhaps some security model stuff, depending on experience and interest

What is the student's background?

I have an email in my archive with this information ArticMine, but I need to dig it up

suraeNoether: ?

It can help in finding ideas for a suitable project

Sorry. My internet just died.

Anyway, we can pull up the student's experience information after the meeting if needed

ArticMine the student is a math/cs student, but we can't share much more. But we should chat.

We have to respect privacy here

Especially if you have ideas for compactish projects. I was frankly hoping the student could just finish all the TODOs leftover in the original cryptonote code with TheCharlatan lol

Anyway let's chat after the meeting

OK, we can move to action items, where anyone is welcome to share their research plans for the next weeks

I have some work to finish on the Triptych presentation and paper for the workshop, and will continue with BP+ testing

Others?

I want to look more in depth, from a chain analysis point of view, if you know that two transactions will occurs in a time-laps of around half an hour and one consume the output of the previous one, how much you can trace this

I think it's related to the decoy choices right?

and transaction volume

And other factor such as tx volume sure

Do you have a threat model in mind?

Not really, just wondering

There's a little algorithmic trick I came up with, starting with a given output, you make 11 hypotheses (mutually exclusive) that there is a repeaated chain with period of (output_time - input_time)

Then you can work backwards, eliminating most or all of the hypotheses at each step

And it'll quickly surface any chains with periodicity (within some multiplicative or additive tolerance)

Before I was trying to do power spectrum analysis, which was wayyyy overkill

If you know the period, it's even easier

Nice

If there's only two transactions though, this will be very noisy

But this would work if the period is repeated more than once?

SNR depends on length of chain (and period relative to decoy selection algorithm)

"period is repeated more than once?" do you mean in a chain, or from the same wallet?

in a chain

but if you increase the number of related transactions then the signal to noise will improve

Then yea, the more it's repeated, the more certainly it sticks out

How do you increase the number of related transactions?

The pattern is repeated

and there is a correlation between the repeated patterns

Ohh artic I misread your previous message. Yes, exactly right

Before we close out the meeting (discussions are of course welcome to continue after), anything else that should be discussed?

OK, in that case, let us adjourn! Thanks to everyone for attending

Feel free to continue discussions; I simply adjourn so I know what logs to post :D

Ciao!

<3

Thanks

Minor update to the Triptych preprint to fix some bad notation: eprint.iacr.org/2020/018

Corresponding TeX source: SarangNoether/skunkworks d876a0b

I'll post the presentation slides to GitHub as well