00:00:34 <trashpanda[m]> Both seem to be fairly understandable extensions of the sigma protocols Groth et.al. worked on. Hopefully someone can provide a good review without too much effort
00:01:19 <sarang> One reviewer claimed to have found a break in the Arcturus assumption, but I disagree entirely
00:02:30 <sarang> FWIW, Triptych was just accepted for publication, which is great
00:02:38 <sarang> I'll be presenting it next month
00:05:05 <trashpanda[m]> Interesting. Did that reviewer share his thoughts publicly? I'd love to dig in.
00:05:05 <trashpanda[m]> Congrats on publication! Ill keep an eye out for the presentation (hoping its recorded somewhere)
00:10:06 <sarang> The review was sent privately, but I had included a paste of it earlier
00:10:26 <sarang> What's your interest? I don't recognize your nick, but welcome!
00:12:39 <sarang> Here is that part of the reivew: https://paste.debian.net/hidden/d2ad5b5c/
00:12:57 <sarang> This claimed counterexample does not satisfy all the requirements of the assumption definition
00:13:08 <sarang> I pointed this out in a rebuttal, unsuccessfully
00:13:17 <trashpanda[m]> Just a long term lurker / monero user / cryptography hobbiest. I love keeping an eye on the work that comes through MRL, and your recent work has refueled my interest in ring signature schemes
00:13:22 <sarang> If the example can be expanded in a way that breaks the assumption, I'd love to know
00:13:29 <trashpanda[m]> Thanks for sharing
00:13:32 <sarang> np
02:11:04 <trashpanda[m]> Indeed, that challenge is lacking completeness. From what I can see, the reviewer's challenge completely neglects the selection of Gi. His selection of a0 & a1 will not satisfy the relation on Gi
02:11:36 <trashpanda[m]> Im eager to see more formal analysis of this dual target assumption, but it seems likely to be sound.
02:43:09 <sarang> I suspect it's fine in practice, but I can't find a reduction to a more standard assumption
03:42:01 <sarang> Almost completed Triptych presentation: https://www.overleaf.com/read/rscsccvdsrvj
03:42:04 <sarang> Comments welcome
04:50:10 <Inge-> Omg slide 15 :D
14:23:37 <sarang> Research meeting today is at 17:00 UTC
14:23:38 <sarang> .time
14:23:38 <monerobux> 2020-08-26 - 14:23:38
14:23:41 <sarang> good bot
15:58:20 <sarang> Triptych presentation is complete: https://www.overleaf.com/read/rscsccvdsrvj
15:58:27 <sarang> Comments and suggestions welcome
15:59:16 <sarang> Found some small notation issues in the preprint while working on it; they don't affect any of the results
15:59:23 <sarang> I'll make the corrections and revise on IACR today
16:28:04 <sarang> Meeting here begins in 30 minutes (17:00 UTC)
16:28:05 <sarang> .time
16:28:05 <monerobux> 2020-08-26 - 16:28:05
16:28:07 <sarang> good bot
16:59:35 <sarang> OK, let's get started with the weekly research meeting!
16:59:55 <sarang> The usual agenda: https://github.com/monero-project/meta/issues/501
17:00:02 <sarang> Logs will be posted there after the meeting
17:00:05 <sarang> First, greetings!
17:00:09 <sgp_> hello :)
17:00:20 <h4sh3d[m]> hi
17:02:07 * Isthmus puts on lab coat and goggles
17:03:46 <sarang> Let's move to roundtable, where anyone is welcome to share research of interest
17:03:59 <sarang> Isthmus: you posted to the agenda just now; care to share?
17:04:07 <Isthmus> Sure
17:04:15 <sarang> https://github.com/monero-project/meta/issues/501#issuecomment-681005468
17:04:31 <Isthmus> Our audit is coming along nicely, have been focused on the technical writeup.
17:04:31 <Isthmus> Looped in Surae as a reviewer for the audit results and writeup - he’s been super helpful with nailing down a few of the trickier details, and cleanly communicating some of the more complicated concepts.
17:04:31 <Isthmus> We have a meeting coming up where we'll merge drafts and freeze some of the sections (algorithms, key generation, subaddresses, stealth addresses) into "draft 1" for y'all to review. I'll just post in -lab on IRC
17:04:45 <sarang> Great!
17:05:01 <Isthmus> Also, still working on the empirical/statistical analysis of transaction field uniformity, and I've been looking into the Diehard tests as a starting point for battery of statistical tests.
17:05:01 <Isthmus> (Note that they're designed to test RNG quality, which is a subtly different problem, but related enough that some of the tests (e.g. birthday spacing) should be applicable for both.)
17:05:01 <Isthmus> The tricky thing is that many of these are designed to test uniformity of bitstrings, however that's not applicable here. Consider uniformly sampled integers on [0, 555]... Even if the sampling is correctly uniform, we do not expect uniformity in the binary representation (first bit more often 1 than 0) nor in a digit representation (see 5 more often than 8). So I'm having a little bit of trouble figuring
17:05:01 <Isthmus> out how to adapt them (or if that's even possible)
17:05:12 <Isthmus> ( context here: https://github.com/Mitchellpkt/crypto_field_stats_tests )
17:05:26 <sarang> Hmm, interesting
17:06:01 <sarang> It's interesting to think about what the best action would be in the event of observed non-uniformity
17:06:38 <Isthmus> I'd say it depends on the nature of the non-uniformity (bias or collisions?) and the implications of non-uniformity in that particular field
17:07:25 <Isthmus> I don't think there's a single one-size-fits-all recommendation or level of severity
17:07:55 <sarang> Very interesting analysis
17:09:04 <sarang> Is there anything in particular relating to the post-quantum analysis for which you'd like assistance from this group?
17:09:22 <Isthmus> Review of the first draft, probably later this week
17:09:30 <Isthmus> Any/all feedback :- )
17:09:57 <sarang> Sounds good!
17:10:03 <sarang> Anything else you'd like to share?
17:10:07 <sarang> Or, any questions for Isthmus?
17:10:18 <MRL-discord> <Mitchell PKT> BTW if y'all are having IRCcloud issues, you're welcome to use the Noncesense bridge at discord.noncesense.org
17:11:13 <Isthmus> Nothing else from me for the moment
17:11:20 <sarang> OK, thanks Isthmus
17:11:21 <h4sh3d[m]> What would be the dataset for those tests?
17:11:32 <sarang> Oh, is IRCCloud having problems? Seems to work fine for me, FWIW
17:11:57 <Isthmus> I didn't have any issues, but saw people talking about it in scrollback from yesterday
17:12:13 <Isthmus> Well, actually, I guess I don't know if I had issues, because I wasn't on IRC
17:12:36 <sarang> I have a few research items to share
17:13:14 <sarang> My proof-of-concept code for Bulletproofs+ now supports single-round verification and efficient batching: https://github.com/SarangNoether/skunkworks/tree/pybullet-plus
17:13:45 <sarang> I'm in the process of modifying the existing Bulletproofs C++ code to get concrete performance data
17:14:23 <sarang> Usual disclaimer that this proof-of-concept code is written for research, and not with practical security in mind... do not use in production for any reason
17:15:42 <sarang> I'm happy to announce that Triptych has been accepted for presentation and publication at ESORICS CBT 2020
17:15:57 <Isthmus> :- D
17:15:59 <sarang> I have a blog post PR for `monero-site` announcing this
17:16:00 <ArticMine> That is excellent
17:16:19 <sarang> I'll make the presentation next month remotely
17:16:26 <sarang> and the paper will appear in the conference proceedings
17:16:49 <sarang> Here is a draft of the presentation: https://www.overleaf.com/read/rscsccvdsrvj
17:16:53 <sarang> Comments and suggestions are welcome
17:17:17 <sarang> I intentionally don't go into the weeds on the math of the proving system, since I think that is less helpful than explaining why it can be used to build a confidential transaction protocol
17:17:51 <sarang> I discovered some notation problems in the preprint while preparing the presentation, but they are minor and don't affect any of the results or conclusions
17:18:31 <sarang> Are there any questions on these topics?
17:19:12 <suraeNoether> Not from moi
17:19:14 <sarang> Please do review the presentation if possible; my goal is clarity, and I welcome any suggestions
17:19:45 <sarang> If anyone has trouble getting the PDF loaded in Overleaf, please let me know and I'll be happy to assist
17:20:02 <sarang> Does anyone else have research topics to share?
17:20:06 <h4sh3d[m]> I read the version earlier today and it was very clear an well explained
17:20:18 <sarang> Thanks h4sh3d[m]!
17:20:25 <sarang> I've recently added some additional slides
17:20:33 <h4sh3d[m]> I'll have a look at the new slides, but again looks very clear
17:20:49 <sarang> I am looking for a better way to visually explain the structure of the overall transaction protocol, which I find very tricky to dor
17:20:54 <sarang> s/dor/do
17:20:54 <monerobux> sarang meant to say: I am looking for a better way to visually explain the structure of the overall transaction protocol, which I find very tricky to do
17:20:57 <sarang> good bot
17:21:58 <Isthmus> Could we get u/Krakataua314 make an infographic?
17:21:58 <Isthmus> https://www.reddit.com/r/Monero/comments/gy0m1u/i_made_an_infographic_on_how_a_monero_wallet_is/
17:21:59 <monerobux> [REDDIT] I made an infographic on how a Monero wallet is generated. Can you find any mistakes? (https://i.redd.it/tv98m10mbd351.png) to r/Monero | 171 points (100.0%) | 28 comments | Posted by Krakataua314 | Created at 2020-06-06 - 22:42:54
17:22:16 <Isthmus> "visually explain the structure of the overall transaction protocol" < this would be very useful for the quantum research too
17:22:37 <Isthmus> Since being able to draw backwards red arrows labeled "X algo" is imho the most intuitive way to quickly see the results
17:23:31 <sarang> I really wish that I could have submitted Arcturus for the workshop as well
17:23:41 <sarang> Unfortunately, it was still under consideration elsewhere :(
17:23:49 <sarang> Oh well
17:23:57 <sarang> More time to think about its cryptographic hardness assumption
17:24:24 <sarang> Anyway, those are the topics I wished to discuss
17:24:35 <sarang> Anyone else?
17:27:25 <suraeNoether> Uh, I've been helping Isthmus with the PQ paper
17:27:33 <sarang> Great!
17:27:40 <suraeNoether> also tomorrow Monero is gaining an undergraduate intern from Clemson University
17:27:41 <sarang> I'm eager to see the results
17:28:11 <sarang> Are there projects in mind for this person?
17:28:12 <suraeNoether> sarang, myself, isthmus, and TheCharlatan have a call scheduled where we will each explain a few possible projects for this student to work on, and they will select which one they want to work on for two subsequent semesters
17:28:39 <sarang> I had a few things in mind, but wondered if there were others under consideration
17:28:41 <suraeNoether> each of us has a different set of ideas/flavors, but the student's experience is limited (understandably) so we are going to try to come up with something complete-able
17:29:05 <suraeNoether> i'm *guessing* that the student will be most interested in doing data science with isthmus looking at anonymity and linkability, but that's a wild guess
17:29:31 <sarang> The things that I was considering had to do with chain toolsets and perhaps some security model stuff, depending on experience and interest
17:29:50 <ArticMine> What is the student's background?
17:31:46 <sarang> I have an email in my archive with this information ArticMine, but I need to dig it up
17:31:52 <sarang> suraeNoether: ?
17:32:28 <ArticMine> It can help in finding ideas for a suitable project
17:32:41 <suraeNoether> Sorry. My internet just died.
17:33:08 <sarang> Anyway, we can pull up the student's experience information after the meeting if needed
17:33:34 <suraeNoether> ArticMine the student is a math/cs student, but we can't share much more. But we should chat.
17:33:59 <ArticMine> We have to respect privacy here
17:34:23 <suraeNoether> Especially if you have ideas for compactish projects. I was frankly hoping the student could just finish all the TODOs leftover in the original cryptonote code with TheCharlatan lol
17:34:53 <suraeNoether> Anyway let's chat after the meeting
17:35:07 <sarang> OK, we can move to action items, where anyone is welcome to share their research plans for the next weeks
17:35:38 <sarang> I have some work to finish on the Triptych presentation and paper for the workshop, and will continue with BP+ testing
17:35:42 <sarang> Others?
17:36:44 <h4sh3d[m]> I want to look more in depth, from a chain analysis point of view, if you know that two transactions will occurs in a time-laps of around half an hour and one consume the output of the previous one, how much you can trace this
17:37:09 <h4sh3d[m]> I think it's related to the decoy choices right?
17:37:20 <sarang> and transaction volume
17:37:24 * Isthmus digs around for writeup
17:37:29 <h4sh3d[m]> And other factor such as tx volume sure
17:37:42 <sarang> Do you have a threat model in mind?
17:38:14 <h4sh3d[m]> Not really, just wondering
17:38:29 <Isthmus> There's a little algorithmic trick I came up with, starting with a given output, you make 11 hypotheses (mutually exclusive) that there is a repeaated chain with period of (output_time - input_time)
17:38:44 <Isthmus> Then you can work backwards, eliminating most or all of the hypotheses at each step
17:39:09 <Isthmus> And it'll quickly surface any chains with periodicity (within some multiplicative or additive tolerance)
17:39:36 <Isthmus> Before I was trying to do power spectrum analysis, which was wayyyy overkill
17:39:59 <Isthmus> If you know the period, it's even easier
17:40:29 <sarang> Nice
17:40:34 <Isthmus> If there's only two transactions though, this will be very noisy
17:40:47 <h4sh3d[m]> But this would work if the period is repeated more than once?
17:40:48 <Isthmus> SNR depends on length of chain (and period relative to decoy selection algorithm)
17:41:19 <Isthmus> "period is repeated more than once?" do you mean in a chain, or from the same wallet?
17:41:59 <h4sh3d[m]> in a chain
17:42:07 <ArticMine> but if you increase the number of related transactions then the signal to noise will improve
17:42:12 <Isthmus> Then yea, the more it's repeated, the more certainly it sticks out
17:42:38 <Isthmus> How do you increase the number of related transactions?
17:43:25 <ArticMine> The pattern is repeated
17:43:38 <ArticMine> and there is a correlation between the repeated patterns
17:45:23 <Isthmus> Ohh artic I misread your previous message. Yes, exactly right
17:47:19 <sarang> Before we close out the meeting (discussions are of course welcome to continue after), anything else that should be discussed?
17:49:33 <sarang> OK, in that case, let us adjourn! Thanks to everyone for attending
17:49:52 <sarang> Feel free to continue discussions; I simply adjourn so I know what logs to post :D
17:49:55 <Isthmus> Ciao!
17:50:07 <suraeNoether> <3
17:50:19 <h4sh3d[m]> Thanks
20:12:04 <sarang> Minor update to the Triptych preprint to fix some bad notation: https://eprint.iacr.org/2020/018
20:12:41 <sarang> Corresponding TeX source: https://github.com/SarangNoether/skunkworks/commit/d876a0b489cad3f2a07be301224fb55e335542ba
20:13:41 <sarang> I'll post the presentation slides to GitHub as well