Suppose a node hears a transaction with transaction identifier `T`, but the transaction fails verification

Will it then ignore any subsequent txns with tx_ID `T`

Is there any situation where the node would re-check a transaction with the same TX_ID as one that failed previousy?

Depends why it fails verification.

If it's inherent failure, it won't check it again. Things like key image not in domain are inherent.

If it fails because MLSAG verification fails, I think it might check it again later.

(since they might become valid with a reorg)

Ohhh interesting.

If I took a junk bitstring and pushed it to a node as a "transactinon" it wouldn't blacklist that tx_ID or anything, right?

I'd have to look to know.

I looked, it would try it again.

But then there is no txid for a junk bitstring.

It could hash the bitstring and remember, but that's not much faster than trying too parse it.

Cool, makes sense

Okay, then I'm not quite sure if this section is quite correct ^

And yea, I'm handwaving over Tx_ID having H(prefix) , H(txn stuff), H(sigs)

s/correct/correct, given the default behavior of the core node implementation ^

or if we define `d=H(H(prefix),H(tx stuff),H(sigs))` then maybe it's not handwavey

Fluffy blocks are irrelevant here AFAICT.

Ah yea, you're correct.

The fuffy blocks piece is irrelevant

Otherwise, if a node hears a block that includes `T` and receives corresponding junk `d'`, will it mark the block as invalid?

Is there a chance for redemption if a different node relays the right valid `d`

Or is it game over once the block is marked as invlid?

It will mark the block as invalid IIRC.

Cool, that answers what I was wondering about.

Thanks for the help, mooo 3:)

Update:

I've moved edits made today over to the overleaf doc shared during MRL meeting earlier.

(So if you downloaded a PDF earlier, get a fresh copy)

Same link: overleaf.com/project/5f4fc9e599cecd00017c5fe5

Is the PDF link in the meeting agenda also updated?

Monthly research report: reddit.com/r/Monero/comments/ilkwx9…_monthly_report_from_sarang_noether

good bot

Isthmus: so for naive QA mitigation it would be possible to send funds to a new wallet that has never been used before, and then destroy all sender-wallet metadata. As long as nobody except you know the receiving address and it has never been used before - then it sounds like you are somewhat safe (and in theory you could send payment to someone, as long as your "change" is just a payment to

another new address - with the added complexity that the address you paid to is prone to compromise if the address itself is picked up by your QA?)

dEBRUYNE: MerosCrypto/asmr #2 :)

I'll make a Reddit post once it's merged. I asked my co-author to review the PR first.

Also something about it being 2am locally

kayabaNerve: Awesome, thanks!

Hello all; finally a chance to return to Bulletproofs+ coding today!

experiments updated: gist.github.com/knaccc/78c691aa1c1e0710bb8264ef17b56768

Conclusion: Churn incoming inputs at least 3 times, and do not merge churned outputs within 24 hours of receipt

Wow, so 3x churn per "risky" input

Cool to see some stats behind it, but that is a lot of bloat if done for all transactions

monero txs are bloat compared to bitcoin txs

what about merging all incoming inputs together and THEN churning them N times?

the question is, how much bloat are we willing to pay

Eh, only around 4x the size so far, and about to be ~3x after CLSAG

But point taken

Triple churning every transaction on the network would be extremely costly, even if it has strong benefits against particular attack vectors

IIRC small (non-exponential) changes in ring size are not going to help much here

But raw numbers on that would be interesting

If this attack vector is strong enough to need quick implementation of auto-churn, etc, even just dropping the required churn count by 1x would be a major win for slightly larger overall transactions

sech1 great question. if you are not trying to hide that the 3 outputs are all destined for the same wallet, then you can merge immediately and churn. at this point, the question that is effectively being asked is what the anonymity set size of a single output spend is. i took a random tx from the blockchain, and the anonymity set sizes are here: paste.debian.net/plain/1162446

i meant to say "2 outputs"

someone was suggesting the wallets to have a feature where subaddresses could be flagged as "risky", where auto single_sweep's would be performed on those

(or i completely misunderstood it)

it all depends on what you're defending against

<lithiumpt "someone was suggesting the walle"> That was my idea overall

if you don't want people to know they're both dealing with the same person, you need to churn independently

Since we don't necessarily need to churn all incoming transactions, only those from entities that know your IRL identity

if that doesn't matter, you can merge immediately and churn only prior to cashing out

<lithiumpt "someone was suggesting the walle"> Ideally when creating a new subaddress you would be prompted to answer a simple question like "Will this address be in any way connected to your identity?" and if you answer yes, all incoming transactions will be churned over time independently before being spendable

And then obviously you could manually "flag" other subaddresses/accounts for autochurn if you wanted

That's an interesting idea

of course, the iterated-EABE problem is most severe when someone gets an output prior to doing their first cash-out

Specifically get the user thinking about use cases and threat models

and then gets another output the next week prior to their next cashout

Yeah :)

so their need to cash out early means they can't merge and then churn

<sarang "Specifically get the user thinki"> More clear messaging/forced prompts across the GUI would be good in many areas I think

And this is a clear win against a well-known heuristic (and churning seems to be a good solution with the research so far!)

could the unlock time be dynamic? ie. some subadresses having a longer lock time?

The churn profile could vary (and needs to vary FWIW) in timing

So they would likely have different "lock" times, although that term is a bit confusing as you *can* spend the inputs

You just shouldn't merge them without first churning

The only reason I'd like to "lock" them (with a hidden/advanced override) is to keep users from shooting themselves in the foot

knaccc: code used to generate that data?

i need to clean it up and remove dependencies so people can actually run it without all of the mess attached, i'll do so and release it

Great, would love to review and reproduce the results

I have similar code in progress, and it would be neat to tweak it so the methods are the same, and show the overall results are reasonable

Different methods would actually give more confidence in the results if they roughly match.

I don't mean the specific method of implementation... I meant what analysis method (e.g. pick two outputs from this time range, look at this time window...)

Sorry, that was confusing wording

That is not an accurate assessment of my quote to that reporter

Color me unsurprised.

I'll email the reporter and mention this

done

Yet another lesson I apparently never learn: don't bother talking to reporters

The article seems ok, the title not. Typically, the person writing the article does not get to write the title, they have separate assholes for that.

The reporter does the work, and the asshole trolls the readers.

^ my email to the reporter

Though for cryptocurrency sites, maybe it's just the same, it's small outfits...

At any rate, definitely won't be providing any future statements to them

"Reporter" - I don't think it means what you think it means. sigh.

Thanks for putting in the effort to ask for a revision

The correction is never as impactful as the original

I'm willing to allow a bit of leeway, but that headline is downright misleading

The statement I gave was extremely careful and thorough

They dont even appear to have a Twitter account, interesting

I guess this headline fits with the accuracy of the "DHS can now trace monero" headline

"They haven't demonstrated the effectiveness" is clearly not the same as "it isn't effective" in your minds, right?

I mean heck, Dave Jevans didn't demonstrate that he can make a grilled cheese sandwich, but that doesn't mean anyone is claiming he can't make the sandwich...

it is clear to us.

I wonder why there was no "Monero ring size is now 65536" when sarang started investigating lelantus... Alkways in one direction is it ? :D

-___-

"Sarang Noether does not deny being a Venusian"

<_<

>_>

"Monero may be alien technology"

Here's hoping they change the damn headline

Never a dull moment...

Thanks for pointing this out Inge-

I thought it would find an interested audience here :)

sigh

"Interested" is one word

and it didn't look like anyone had pasted it in any of the channels yet.

Is that a popular site?

It popped up in tradingview's news bar

interesting

Well, at least the quote from my statement was correct and seems in context

Ive never heard of them and they have no presence on Twitter

So not that big I guess

Even the snarky part about me not caring about press releases :D

A few years ago I wrote an article about some bacteria that could change the oxidation state of heavy metals to cause them to precipitate in water. When I picked up a copy of the paper the following week the headline was “new bacteria eat pollution” or something like that

I had a serious talk with the editors and they didn’t mess with my headlines after that...

Yeah, that's some trash reporting

and it's why I never make _any_ conclusions about any technical or scientific topic from general media

always best to consult an actual expert, or at the very least read the source material yourself if you have the literacy

There was a great xkcd on this "cycle" from research to media...

can't find it now :(

Also: will move this to -lounge, sorry :/

sarang hsto.org/getpro/habr/post_images/e5…570df1871c286df69cc5eeebf4cac0b.jpg

Heh, not the one I was thinking of... but still excellent

Oh snap... it was PhD Comics! phdcomics.com/comics/archive_print.php?comicid=1174

Haha yeppppp. To be fair these editors thought they were being helpful by spicing up the title, and were thankfully very receptive when I pointed out the issues with sensationalist headlines for science articles.

Also, interesting ideas around account management

If media would promise never to use the phrase "a study" ever again, I'd be sooooo happy

You mean as opposed to "study X by authors Y" ?

No, because "a study" could mean "a press release about something" or "a preprint" or "a clinical trial in progress" or "a peer-reviewed journal article" or "something in workshop proceedings" or "something claimed by some academic on twitter"

and those all mean different things

Readers shouldn't be expected to fully grok the implications of those differences

sethsimmons: I like your idea of tagging subaddresses as "requiring of higher privacy" and it could be auto churn, or it could remind you when you launch your wallet, that you should do another 2 churns, would you like to do one/them now?

(this "study" talk has moved to -lounge so I can stop spamming this channel)

<Inge- "sethsimmons: I like your idea of"> Yeah something like that would be nice, but honestly I don't want the user to have to even think about it after the creation of the subaddress/flagging.

Or perhaps a status/progress bar for churns on the left side with the sync info to notify you when things are happening etc.

Reticulating splines...

preparsing intercalators

sarang github.com/knaccc/anonymityExplorer

if you want to run it, you need a local node running so it can get blocks via RPC. takes 1-2hrs to load everything into a file, which it stores in ~/.anonymityExplorer

start by running TestOutputCorrelation which will trigger the block retrieval and then perform a test to see if it's correlating outputs properly

it's important to not interrupt it while it's retrieving new blocks from the daemon, because it'll leave the database file in an inconsistent state

it currently needs 470MB of storage available

That's fine... I plan not to run it just yet anyway

actually 1GB

but to use it to check the method against my own separate code

and it shrinks the file after it updates

i've tried to make it readable

the experiments in the gist correlate to 'tasks' in the code

e.g. MergeAnonymitySetSize is probably what you'd be interested in looking at

That article with the inaccurate headline has been updated: cryptobriefing.com/ciphertraces-mon…tool-isnt-effective-researcher-says

My thanks to the author for making this change

I think the new headline is an accurate representation of the statement I provided to the author

much better

The author asked if I wanted the article to include a note about this change, and I said it was up to him

but that I don't specifically request a note be made about it

Finally merged Monero support into github.com/MerosCrypto/asmr. Atomic swaps are here :D

:D

sarang: My partner did use your DL EQ proof btw ;)

Or at least, the underlying algorithm. I'm trying to remember the name of the guy credited in your paper on the topic...

Neat! (Usual disclaimer that the discrete log proof has not been formally shown to be secure, nor externally vetted that I know of)

AFAIK andytoshi came up with it

Nor has this protocol or this library

It has such a rich family history. Really preserving the lineage :P

But yeah, this is explicitly marked as a PoC. Monero uses the network byte because I did all testing with regtest, but BTC is locked to testnet.

And then the other supported coins don't have different bytes for different networks.

moneromooo: in reference to your question yesterday about doubling key length. The good news is (I think) that doubling key length octuples the quantum computing time. breaking a 512 bit key (double our key length) is concretely as hard for the quantum computer as breaking RSA 2048, at least according to the following paper (shuffles through pile)

Pdf link

That seems... bad news.

"Shor’s discrete logarithm quantum algorithm for

elliptic curves"

John Proos and Christof Zalka

Eh it's better than doubling key length only doubling computing time :P

O(N^3) is not as good as O(2^N), you know

I guess :D

Well that's the problem with shor's

Ec

Ecc releasing halo2 source code, considering implementation and getting rid of trusted setup in 2021 electriccoin.co/blog/ecc-releases-code-for-halo-2

It's important to note that all the application code for Halo that I've seen has been _only_ for proof of work, not transactions

AFAIK there are no details released on if/how Halo 2 could improve Zcash transaction scaling or efficiency

See this thread for discussion: forum.zcashcommunity.com/t/announcing-halo-2/37215

I would treat that press release as... a press release

and we all know how that goes :D

Ugh

Wait, so what you're saying is - "Researcher is not impressed" :D

A few knowledgeable people in that thread claim that details on transaction applications are forthcoming, but that has yet to be established

It's almost like the best way to convince people about new mathematics is to publish the details

who knew

Anyway, I echo the comments by secparam (Ian Miers) in that thread

(Ian is one of the authors of Zerocoin/Zerocash)

Don't get me wrong, the ideas in Halo and Halo 2 are quite interesting

but that is not what the press release is saying

Until there are details, this is another "company says thing" situation

I hope the claims about transaction efficiency are true, because that'd be pretty sweet

Yeah claims like this: ""Halo is a significant breakthrough in making recursive SNARKs practical: We now have smaller fields, faster provers and no trusted setups,” said Brendan Farmer, CEO of Predicate Labs,"

That's a fairly vague statement

The technique is certainly fascinating for idea of recursion in proofs

It's also true that SNARK proving has became _far_ more efficient over the past few years

But to leap from that to "you can do anything sooper fast now" is absurd

Halo is not some magical box that makes your proofs fast

It's a specific set of techniques for particular kinds of recursion

I've also seen Halo described as "a SNARK", which is not accurate

(see the thread for more on that)

Any thoughts on the new license under which Halo 2 is released?

It's not monero. So it can be a SNARK. But monero is monero, so it can't use ZK proofs.

moneromooo: STAHP

:|

I am no expert in licenses, but anything described as "radical" in a press release makes me raise my eyebrows

Looks like you have to eventually open-source (under the definition in the license), but have a grace period beforehand

Would be interesting to have a lawyer review

You can make money off free software. The premise seems wrong.

Yeah, I don't really get it... but I know next to nothing about the consequences of licensing

I also don't recall seeing this discussed in Zcash forums, which I follow from time to time

So this must have been internal to ECC, as are all the application details for Halo 2

Not a fan of that style of operation

Sounds a lot like we want it closed source but people not to say it's closed source.

It's missing the point of free software, which is that people can adapt it for their needs.

Here, it seems to be "you can adapt it in a year's time or whenever". Which defeats the point.

But I guess it works if you're after hte open source label rather then the use of it.

What's interesting is that AFAIK they can't apply licensing to the underlying math

Only the code

I wonder if this is why they haven't published anything outside of code

So they want to sell Holo2 for a couple years before they open source it?

"The TGPPL is intended to allow for the best of both worlds: a limited-time period where creators can make money from their software while ensuring that the software will be subsequently open-sourced in order to serve everyone equally." <-- this statement has a footnote mark, but no corresponding footnote ?

Well, they have code available now, but it's incomplete

Yeah, I don't get what they're after here

FWIW there are no papers on this

Only their repo

which is under this license

If there were a paper, they couldn't license the math

(you can't license/patent math)

Hmm, might ask in the forum about this

*no papers for Halo 2

There is a preprint for Halo

They can always make money from software under existing licenses, right?

This is implying exclusivity?

Huh, looks like Zooko himself is the copyright holder for the license: github.com/zcash/halo2/blob/main/LICENSE-TGPPL

Oh, he wrote that license in 2007

It isn't a new thing ECC is doing

lol

Why does the blog post imply it's new??

did you see this?

Just did, ya

It also appears MariaDB does a similar business license

This appears neither radical nor new

But it is certainly interesting to apply it

I find it funny one of the reason they give is "underfunding", when they not only got *shitloads* of money from their 4 years 20%, but came back for another bite, breaking their promise.

The other reason also seems inverted, since how can keeping something closed soure help the public since htey can't adapt it to their needs.

I might be missing something dumb...

Maybe the idea is exclusivity, like trying to make a version of patents?

Of course, patents as the standard for innovation is... not great

Doubt it. He seemed ready to jump onto any shite that might make money.

Gah.

Sorry, wring chan agian.

(not related)

I don't really know why they'd do it

Lol, ECC gets attacked for not making money, but also attacked for trying to make money.

It is odd not to have discussed it prior to release

I'm not attacking anyone Isthmus

Just trying to find out what this is, and why it would be chosen

Not you specifically

oh ok

Well, trying to move the goalposts for the definition of "open source" without any discussion _should_ be received with skepticism

open source*

I'm just surprised they did this without any apparent community discussion

Looks like I got it wrong. It is actually open source, but you *have* to release any changes, even if your mods were private.

nice

At least that is what (i) and (ii) imply.

so it's "eventual open source"?

> Under this license, ECC receives no special or exclusive privilege — any user or any company can take advantage of the licence’s benefits on an equal footing. Later this week, we will release a post on TGPPL and its potential benefits for the open-source community.

I certainly wouldn't use this license without significant scrutiny from attorneys...

So it's a bit more like AGPL in this respect.

The idea that they're doing all this internally and releasing on a schedule is weird

I don't like it

"This is open source, but the method of releasing it is not"

So they will release a bare bones version of it, like they did now and keep their improvements private for 1 year?

If (i) and (ii) give an accurate view of what it is, I don't see why it addresses underfunding nor capture.

Is that the idea? I don’t get it.

Maybe they're lying. It's a company.

Or maybe I should read the actual licence :)

I don't know

This is weird

Especially since the Zcash community pays them

and AFAIK had no say in this license

Ethereum Foundation paid for this apparently

The license??

> In July, EF granted $120,000 to ECC to continue Halo research.

Ah ok

Good for them

:D