Surae's End of April 2018

MRL Announcements

Meetings. We are holding weekly meetings on Mondays at 17:00 UTC. Logs are to be posted on my github soon(tm).

Conferences, etc. The most valuable contribution I've made to the Monero community this month actually came from (1) reporting someone else's results after (2) flying across the planet to speak with a researcher face-to-face at a conference, all (3) on the Monero Community's dime, I may add. Every donor helped make this happen: a colleague of Tim Ruffing at Saarland, Pedro Moreno-Sanchez, and his student Rodrigo brought to MRL's attention their model of dual-output key Monero transactions. These are optional transaction formats that allow for refund addresses, are backwards compatible, and soft-fork capable; we are working on the privacy implications, but this is the first step toward a lightning network for Monero. Flumo? Sarang's first draft of a technical note describing the advancement can be seen here. We seem to be drifting closer to Harry Potter spells with the names of these things... To be perfectly clear, one of my goals for the first year of my time at Monero included refund addresses! I am absolutely delighted and honored to report Pedro and Rodrigo's results to our community.

Work Update

Multisig. The majority of my work this month has been on multisig. I plan on submitting this for publication at the end of May. Multisig in this paper is a little different from the description in our implementation. There are two major development fronts here.

First, after much deliberation and consultation with Sarang and others outside of MRL, the superiority of the musig key aggregation technique over our simple sums verified with signatures has become clear. This approach was published this past February and the technique is provably secure against key cancellation (rogue key) attacks, and requires only one round of communication for key aggregation. In addition to this, a few purely technical problems were brought to MRL's attention concerning the construction of security proofs in settings where (i) signatures are used to prevent rogue key attacks and (ii) no certificate authority is responsible for handing out keys. You can read about musig here, or you can read about some of the pitfalls of the knowledge-of-secret-key assumption here and here. We generally want to avoid all but the bare minimum number of assumptions for security purposes, so since musig does not depend on the KOSK assumption, we favor that approach to key aggregation.
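The key cancellation (rogue key) attack that the musig coefficients prevent, as an added worked example that is not part of the original post and is not MRL's, Monero's or the musig authors' code. It uses a toy Schnorr scheme in the prime-order subgroup of Z_p^* for a safe prime p = 2q + 1, written multiplicatively (so the "simple sum" of keys is a product), rather than Monero's curve; the function names, the hash domain tags and the "spend" message are hypothetical, and only key aggregation is shown, not the nonce-exchange rounds of the signing protocol:

```python
"""Rogue-key attack on naive key aggregation, and why MuSig-style coefficients stop it.
Hypothetical demo: toy Schnorr signatures in the order-q subgroup of Z_p^* for a safe
prime p = 2q + 1. This is not Monero's, MRL's or the MuSig authors' code."""
import hashlib
import secrets
MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases: probabilistic at 128 bits, adequate for a demo."""
    if n < 2:
        return False
    for b in MR_BASES:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def find_safe_prime(start: int) -> tuple:
    """Smallest odd q >= start with q and p = 2q + 1 both prime; returns (p, q)."""
    q = start | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q

P, Q = find_safe_prime(1 << 127)  # deterministic toy group with prime order Q ~ 2^127
G = 4                             # a quadratic residue other than 1, hence of order Q

def enc(x: int) -> bytes:
    return x.to_bytes((P.bit_length() + 7) // 8, "big")

def hash_to_scalar(*parts: bytes) -> int:
    """Domain-separated, length-prefixed SHA-256 reduced into Z_Q."""
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return int.from_bytes(h.digest(), "big") % Q

def keygen() -> tuple:
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def schnorr_sign(x: int, X: int, msg: bytes) -> tuple:
    k = secrets.randbelow(Q - 1) + 1
    R = pow(G, k, P)
    return R, (k + hash_to_scalar(b"sig", enc(R), enc(X), msg) * x) % Q

def schnorr_verify(X: int, msg: bytes, sig: tuple) -> bool:
    R, s = sig
    c = hash_to_scalar(b"sig", enc(R), enc(X), msg)
    return pow(G, s, P) == R * pow(X, c, P) % P

def naive_aggregate(pubkeys: list) -> int:
    """The 'simple sum' of keys: X = prod X_i (additively, sum X_i)."""
    agg = 1
    for X in pubkeys:
        agg = agg * X % P
    return agg

def musig_coeff(pubkeys: list, X: int) -> int:
    """a_i = H(L, X_i), where L is the sorted list of every participant's key."""
    L = b"".join(enc(k) for k in sorted(pubkeys))
    return hash_to_scalar(b"agg", L, enc(X))

def musig_aggregate(pubkeys: list) -> int:
    """MuSig key aggregation: X = prod X_i^{a_i}; no interaction beyond exchanging keys."""
    agg = 1
    for X in pubkeys:
        agg = agg * pow(X, musig_coeff(pubkeys, X), P) % P
    return agg

def rogue_key(honest_pubkeys: list, s: int) -> int:
    """Attacker's key g^s * (prod honest)^-1, chosen after seeing the honest keys."""
    return pow(G, s, P) * pow(naive_aggregate(honest_pubkeys), -1, P) % P

def attacker_signs_alone(aggregate, msg: bytes = b"constructed: spend 100 XMR") -> bool:
    """Can an attacker holding only its own secret s sign under the 2-of-2 aggregate key?"""
    _, X1 = keygen()  # honest signer, who never takes part in signing
    s, _ = keygen()   # attacker's real secret
    agg = aggregate([X1, rogue_key([X1], s)])
    return schnorr_verify(agg, msg, schnorr_sign(s, agg, msg))

def honest_musig_key_is_consistent(msg: bytes = b"constructed: spend 100 XMR") -> bool:
    """Sanity check: the MuSig aggregate is g^(sum a_i x_i), so that joint secret signs for it."""
    keys = [keygen(), keygen()]
    pubs = [X for _, X in keys]
    agg = musig_aggregate(pubs)
    joint = sum(x * musig_coeff(pubs, X) for x, X in keys) % Q
    return schnorr_verify(agg, msg, schnorr_sign(joint, agg, msg))
```

Calling `attacker_signs_alone(naive_aggregate)` returns True: the attacker publishes X_att = g^s · X_1^{-1}, the "sum" collapses to g^s, and a signature made with s alone verifies under the joint key. `attacker_signs_alone(musig_aggregate)` returns False: the same trick yields g^{s·a_2} · X_1^{a_1 - a_2}, whose discrete logarithm the attacker does not know because a_1 and a_2 are hash outputs it cannot steer. The coefficients are computed locally from the published keys, which is the one-round property mentioned above; the KOSK-style alternative would instead have each participant attach a proof of knowledge of its secret key before the keys are combined.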

Second, we are following a tactic similar to the one described in the musig paper to prove the security of our multisignature scheme. This is relevant because we are lifting a security result from a normal/usual setting up to a ring-signature setting. The proof does not carry over directly and suffers several of the same roadblocks that the musig paper faced. Our roadblocks are non-negligibly more annoying in the ring setting than they were in the usual Schnorr setting; we must apply a general forking lemma three times instead of twice to account for the ring signatures in Monero, for example. I will post a link to the current version before Saturday evening, and I want to submit for publication before the end of the month, if possible.

This is now a two-paper project: the "theoretical security paper" and "the practical code review paper," the latter of which will end up in the Monero Standards.

Algebraic Geometry and generating elliptic curves. I've recently started reading papers on how to construct elliptic curves of a prescribed order and preferably with a prescribed embedding degree. The papers I'm reading begin with this one and march forward in time citation by citation based on ostensible relevance to Monero.

Bulletproof auditing is proceeding. Ask Sarang about this one.

Monero Standards and the Zero To Monero publication here. Right now, we don't have a comprehensive description of how Monero works, all the various primitives and how they all fit together. A month or three ago, a few Monero contributors started working on Zero To Monero, a technical document that begins with CryptoNote constructions and ends with our latest developments in ring confidential transactions. It's about 45-50 pages long and part of this month I have spent reading this document and making notes/suggestions before the authors publish it. This document is the first step toward the Monero Standards.

Want to hear a joke? We funded 4 months over xmas to get back onto the usual fiscal quarter and then bunged it all up by only getting funded for 2 months in the subsequent quarter, putting us back where we started.

Never confuse a mathematician for an arithmetician. Oy.

Community, education, outreach. We've had the first board meeting of Multidisciplinary Academic Grants in Cryptocurrencies, a non-profit independent of The Monero Project. Our goal is simple: close the loop between cryptocurrency and education. Money is flowing into the cryptocurrency space thanks to a lot of educated people, but in the meantime undergraduates have the honor of graduating without any knowledge of next-generation security systems. Since this is an independent project, I don't plan on mentioning it very much during these updates, but MAGIC will be hosting a privacy-enhancing-technology conference in the summer of 2019 with an emphasis on financial privacy. Since the Monero Project in general and Monero Research Lab in particular will be involved with both organization and content, some overlap in these updates will be a little inevitable.

SPECTRE, Poisson-Graph Simulations, Cartesian Square Signatures. These are ongoing back-burners, and I have not made any changes to these recently.

Plans for next month? I'm not going to pretend to know yet. It could be flumo work, it could be elliptic curve group construction, it could be SPECTRE/PHANTOM or other consensus methods...

Thank you again! This is a dream life. I can't explain to you guys how absolutely bizarre it is to go from working for 10 years as an academic grunt to ... having an opinion that the market deems valuable. It's humbling and awesome and I'm doing my best to learn as much as possible. I'm hoping that my work ends up making Monero better.