Sarang: funding for October-December 2018

Ladies and gents and everyone beyond, it's your friend Dr. Sarang Noether here again! My current funding round is nearly complete, and I'm up for three more months of research for the Monero Research Lab. My humble thanks go out to those who have supported the Lab's work in the past through financial support or in spirit.

I won't insult your intelligence by rehashing all the gory details of the past few months, as you can read my reports for July and August (with September to follow) at your leisure. But I certainly can sum it up by saying that I have been very busy with a great many projects. Bulletproofs have been successfully audited, hardened for security, and made blazingly efficient compared to our initial work, and they're ready to go with our upcoming network upgrade. New research into refund transactions and payment channel foundations continues with good research under our belt. Our multisignature scheme has undergone formal analysis and exists as a preprint for the broader cryptographic community. And there's so much more; please read the linked reports for details.

The next three months show no signs of slowing down from a research perspective. Concepts like atomic swaps, payment channels, sublinear ring signatures, zero-knowledge proof technologies, balance proofs, spent output analysis, and more are all unsolved problems in need of some attention. I and my labmates work hard every day to keep Monero safely on the cutting edge of applied cryptography. I'm game if you are.

This request is for the funding period starting 1 October 2018 and ending 31 December 2018. My dollar-value equivalent is 9000 USD per month, which is my assessment of fair compensation for a self-employed Ph.D. researcher, with all the delightful tax implications therein. This is also in line with my previous several funding requests. The funding amount is set using a 14-day exponential moving average, and can be updated if needed before funding is complete; I'll make a note below if this happens.

As always, comments and questions are welcome. Feel free to also reach out on IRC at #monero-research-lab for any particular research-related concerns.

Edit: (14 September 2018) Changed from Bollinger to EMA to set price.

Hi there, pals. It's friendly Dr. Sarang Noether back again to deliver my monthly research report for December. This is the final report for this funding period, and I thank the entire community for supporting my work, either through donations or in spirit.

This is a lighter report, since many contributors take time at the end of the year with family to celebrate the magic of Festivus. I'll save the airing of grievances for another report, and move right along.

Most work this month was review and planning. There were substantial rewrites and work on the next big paper, which discusses ways to map Monero transactions to graph structures and apply some clever graph theory for analysis. This paper establishes some computational bounds on transaction heuristics, generalizes some earlier analysis we've seen, and lays the groundwork for future research. Look for it in internal review once it's had some additional polish.

Other reviews were completed on external submissions that haven't yet been released. These include some ideas for return addresses and other augmentations to the original CryptoNote protocol, transaction definition formalizations, protocols for swaps, and more. I'll post updates when these papers are released by their respective authors.

The older StringCT scheme is updated with basic stealth address functionality, which was not included in the original prototype release. This increases the size of output keys but provides a more robust address structure than we currently have, with little added computational complexity.

I'm completing review and documentation updates that cover the various transaction, spend, and balance proof methods currently available. Each has different use cases and mathematical construction, and it will be handy to have these made more accessible and understood, especially since there are newer ways to prove balance than we have currently.

Discussion is ongoing within the Lab and developer circles as our next upgrade approaches, particularly surrounding ways to increase the indistinguishability of transactions. Payment IDs can be a headache to deal with in the Monero ecosystem, and we want to establish a timeline for if, how, and when to migrate away from standalone IDs. As always, we iteratively improve on transaction privacy, and will continue to do so.

My next funding period will cover the first quarter of next year, but it is not fully funded at this point. I rely on community support to work full time on Monero, and appreciate any and all support that is available to help me continue to do so. Please consider donating if you are able.

Now on to Sarang's Reading Corner, a list of some of the interesting papers I've come across recently in my ongoing literature review. The appearance of a paper in this list does not imply that I endorse it, or even agree with its contents or conclusions. These are in no particular order.

Hello once again! Dr. Sarang Noether here, delivering my monthly research report for November. My sincere thanks go to the entire Monero community for ongoing support of my research for the Monero Research Lab.

This past month has seen work in several areas, a few of which I'll mention here. I was invited to deliver a talk and hands-on coding workshop on Monero and privacy technology in Chicago for the Bitcoin & Open Blockchain Community. This was a great opportunity to educate and inspire folks in Chicagoland about why privacy matters and what common approaches are taken in distributed assets like Monero. Transportation costs were paid by the group. You can watch recordings of the workshop and the talk on YouTube.

After some updates, three papers are in the merge pipeline to be posted to the Lab archive shortly. One is an analysis of spent outputs that generalizes some ideas that have been proposed over the past few years. Another is a dual-address output scheme that has applications to refund transactions and payment channels. The third is the thring (threshold ring) signature paper that conducts a formal security analysis. Along with posting these for posterity, we're making the above link the "most official" home for Lab material, as a great replacement for our much older archive; the old Lab site served us well, but it's not suited for translations, easy updates and additions, format consistency, or looking fancy.

Continuing with ring signature scheme updates that took place last month, the underlying multisignature primitive required for the StringCT scheme has been updated to use the more robust MuSig construction to take advantage of its security guarantees (and to give us code for prototyping). This code is also being updated to support the use of stealth addresses.

I'm conducting ongoing review of several unpublished paper drafts. One details constructions useful for payment channels and timelock mechanisms, and is related to the dual-address output paper. Another contains ideas for extension to the Zerocoin protocol to support better privacy. A couple more are looking at particular algorithms relating to our spent output tool and recent spent output paper. The unpublished papers will be made publicly available once their authors have completed further work and review.

Finally, Tari Labs hosted a few Lab researchers and collaborators in Nashville for an in-person informal research session. Meetings like this are a great way to work out research problems face-to-face, which any good mathematician will tell you is the only true way to get math done efficiently! Transportation and incidentals were paid by Tari Labs, which does not set or otherwise influence our research agenda.

There's plenty of ongoing work happening.

I produced prototyping code for a discrete log equality proof that was constructed a while back by Andrew Poelstra. It allows a prover to convince a verifier that it knows the discrete logarithm of a given element across arbitrary groups, and that the value is the same in both (up to an equivalence). This toy code uses the ed25519 and ed448 constructions, which use groups of different order over different curves. This is a useful idea toward more complex atomic swap operations. A detailed writeup to accompany the code is being polished and will be posted to the Lab paper archive shortly.

Final items of note are Bulletproof generalizations that require fun algebra, and assisting labmate Surae Noether with some of his fascinating work involving graph matchings. Other ring signature code has been placed on the back burner temporarily, but it's still open research.

Now on to Sarang's Reading Corner, a list of some of the interesting papers I've come across recently. The appearance of a paper in this list does not imply that I endorse it, or even agree with its contents or conclusions. These are in no particular order.
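The cross-group discrete log equality proof mentioned in the November report, as an added toy example that is neither the Lab's prototyping code nor Andrew Poelstra's construction verbatim: two small prime-order subgroups of Z_p^* (safe primes found at import time) stand in for ed25519 and ed448, the witness x is committed bit by bit in both groups, each pair of bit commitments carries a Schnorr OR-proof that it hides the same bit in {0,1}, and the verifier recombines the commitments against the two public keys. The group parameters, the hash-to-challenge encoding, the XOR split of challenges and the 16-bit witness range are all assumptions of this sketch, not of the Lab's code.

```python
"""Toy cross-group discrete log equality proof (added example, not the Lab's code).
Two small prime-order subgroups of Z_p^* stand in for ed25519 and ed448. The
witness x is committed bit by bit in both groups (Pedersen commitments), each
bit pair carries a Schnorr OR-proof that it hides the same bit in {0,1}, and the
verifier recombines the commitments against P = gA^x and Q = gB^x."""
import hashlib
import secrets

NBITS = 16  # x is proven to lie in [0, 2^NBITS); this must be below both group orders

def is_prime(n):  # trial division, enough for ~2^17-sized toy parameters
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def make_group(seed, lower):
    """(p, q, g, h) with p = 2q+1 a safe prime and g, h squares (order q);
    h is hash-derived so its log base g is unknown to the prover."""
    q = next(q for q in range(lower + 1, 10 ** 9) if is_prime(q) and is_prime(2 * q + 1))
    p, g, h, ctr = 2 * q + 1, 4, 1, 0
    while h in (1, g):
        raw = int(hashlib.sha256(b"toy-h|" + seed + bytes([ctr])).hexdigest(), 16)
        h, ctr = pow(raw % p, 2, p), ctr + 1
    return p, q, g, h

GA = make_group(b"A", 1 << NBITS)           # constructed parameters
GB = make_group(b"B", (1 << NBITS) + 5000)  # a different group order, as with ed448
assert (1 << NBITS) < min(GA[1], GB[1])

def inv(a, p):
    return pow(a, p - 2, p)

def unshift(grp, comm, j):
    """comm / g^j: equals h^w exactly when comm commits to the bit j."""
    p, _q, g, _h = grp
    return comm * inv(pow(g, j, p), p) % p

def schnorr_T(grp, base, z, e):
    """h^z * base^(-e): the Schnorr commitment h^a for an honest response
    z = a + e*w (base = h^w), or a simulated one for a fake (z, e) pair."""
    p, _q, _g, h = grp
    return pow(h, z, p) * inv(pow(base, e, p), p) % p

def challenge(*items):
    """64-bit Fiat-Shamir challenge. Challenges are plain integers split by XOR,
    so the OR-proof needs no common scalar field between the two groups."""
    hsh = hashlib.sha256()
    for it in items:
        hsh.update(repr(it).encode() + b"|")
    return int.from_bytes(hsh.digest()[:8], "big")

def prove(x):
    pa, qa, ga, ha = GA
    pb, qb, gb, hb = GB
    assert 0 <= x < (1 << NBITS)
    P, Q = pow(ga, x, pa), pow(gb, x, pb)
    bits = [(x >> i) & 1 for i in range(NBITS)]
    rs, ss = [secrets.randbelow(qa) for _ in bits], [secrets.randbelow(qb) for _ in bits]
    C = [pow(ga, b, pa) * pow(ha, r, pa) % pa for b, r in zip(bits, rs)]
    D = [pow(gb, b, pb) * pow(hb, s, pb) % pb for b, s in zip(bits, ss)]
    state, T = [], []
    for i, b in enumerate(bits):
        # Real branch b: fresh nonces. Fake branch 1-b: random challenge and
        # responses with the commitment back-computed so that it verifies.
        a1, a2 = secrets.randbelow(qa), secrets.randbelow(qb)
        ef, zf1, zf2 = secrets.randbits(64), secrets.randbelow(qa), secrets.randbelow(qb)
        Tr = (pow(ha, a1, pa), pow(hb, a2, pb))
        Tf = (schnorr_T(GA, unshift(GA, C[i], 1 - b), zf1, ef),
              schnorr_T(GB, unshift(GB, D[i], 1 - b), zf2, ef))
        T += [Tr, Tf] if b == 0 else [Tf, Tr]  # branch 0 first, then branch 1
        state.append((a1, a2, ef, zf1, zf2))
    e = challenge(P, Q, C, D, T)
    per_bit = []
    for i, b in enumerate(bits):
        a1, a2, ef, zf1, zf2 = state[i]
        er = e ^ ef  # the real challenge is forced once the fake one is fixed
        real = (er, (a1 + er * rs[i]) % qa, (a2 + er * ss[i]) % qb)
        fake = (ef, zf1, zf2)
        b0, b1 = (real, fake) if b == 0 else (fake, real)
        per_bit.append((C[i], D[i]) + b0 + b1)
    r = sum(ri << i for i, ri in enumerate(rs)) % qa  # opening of prod C_i^(2^i)
    s = sum(si << i for i, si in enumerate(ss)) % qb
    return {"P": P, "Q": Q, "bits": per_bit, "r": r, "s": s}

def verify(proof):
    pa, _qa, _ga, ha = GA
    pb, _qb, _gb, hb = GB
    P, Q, per_bit = proof["P"], proof["Q"], proof["bits"]
    if len(per_bit) != NBITS:
        return False
    C, D, T = [t[0] for t in per_bit], [t[1] for t in per_bit], []
    for Ci, Di, e0, z10, z20, e1, z11, z21 in per_bit:
        for j, (ej, z1, z2) in enumerate(((e0, z10, z20), (e1, z11, z21))):
            T.append((schnorr_T(GA, unshift(GA, Ci, j), z1, ej),
                      schnorr_T(GB, unshift(GB, Di, j), z2, ej)))
    e = challenge(P, Q, C, D, T)
    if any(t[2] ^ t[5] != e for t in per_bit):
        return False
    accA = accB = 1
    for i in range(NBITS):
        accA = accA * pow(C[i], 1 << i, pa) % pa
        accB = accB * pow(D[i], 1 << i, pb) % pb
    # Both products open to the same bit string, i.e. to the same x, in each group
    return accA == P * pow(ha, proof["r"], pa) % pa and accB == Q * pow(hb, proof["s"], pb) % pb
```

The bit-by-bit decomposition is what makes different group orders tolerable: the only place the two groups meet is the OR-proof's challenge, which is used as a plain integer exponent on both sides, and the range bound 2^NBITS below both orders rules out wraparound when the verifier recombines the commitments. A production version would use constant-time curve arithmetic, larger challenges and subgroup membership checks on every received element.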

Happy Moneroween to everyone! Dr. Sarang Noether here, delivering my monthly research report for October. As always, my thanks to the Monero community for your ongoing support of my work and that of the Monero Research Lab.

Our latest network upgrade is up and running, and that means smaller, faster, cheaper, and more secure transactions thanks to Bulletproofs and a whole lot of other updates and optimizations. We've also posted the last Bulletproof audit report from QuarksLab, which is a great read about their fine work reviewing several areas of the codebase. The implementation of Bulletproofs was a long and complex process, but I think we all agree that it provides great value to the project and our community as we continue to grow.

This month's research began with an updated look at ring signature decoy selection. As you may know, your transaction includes decoys to hide the true spend, and the algorithm used for selecting these decoys has been iterated over time as we learn more about making transactions indistinguishable from each other. I and other Lab researchers generalized several pieces of earlier research on this topic into a technical note and examined the effects on the Monero blockchain.

Using a custom analysis tool, we quantified the practical effects of these on-chain analysis methods, confirming that modern transactions are not susceptible to most forms of known on-chain analysis. The analysis tool flags old transaction outputs that can be proven to be spent, and should not be chosen as decoys. Fortunately, these old outputs are exceptionally unlikely to be chosen anyway due to the way we select decoys, so even use of the flagging tool is realistically not needed. Coinciding with this, we've upgraded our decoy selection algorithm to better mitigate against certain types of timing analysis. If you keep your wallet software updated, you'll automatically get this benefit. We'll continue to optimize decoy selection as we iterate on the algorithm.

I revisited an older ring confidential transaction scheme proposed last year by outside researchers, which we lovingly dubbed StringCT (among other names; we're terrible at naming things). The scheme would permit larger ring sizes with better size scaling than we use currently. Unfortunately, the verification of the resulting transaction proofs and signatures was much slower than we had hoped, and we put the work aside. However, thanks to some underlying algorithmic plumbing that we built for Bulletproofs, I took the StringCT algorithms, ported them to Python for easier prototyping, and added the new plumbing along with a test suite. This includes multiexponentiation and even batch verification using some clever algebra. Initial testing suggests that we may be able to get the verification times down to a reasonable level with the ring sizes we might choose in the future. This work is ongoing but promising. Note that we have no plans to migrate to this scheme, as this analysis is still in its early stages.

Now on to Sarang's Reading Corner, a collection of just some of the interesting papers that I've come across recently. The appearance of a paper in this list does not imply that I endorse it, or even agree with its contents or conclusions.
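The flagging rule the October report describes, as an added example with constructed ring data (this is neither the Lab's analysis tool nor the wallet's real decoy selector): an output that is the only not-yet-flagged member of some ring must be that ring's true spend, the rule is repeated until nothing changes, each ring's effective size is then reported, and flagged outputs are kept out of a decoy draw. Output ids, ring layout and the seeded draw are all constructed for the example.

```python
"""Chain-reaction check for provably spent outputs (added example, not the Lab's
analysis tool). Constructed ring data stands in for the chain; the cascade rule
marks outputs that must have been spent so a wallet can keep them out of its
decoy candidates, and reports each ring's effective size."""
import random


def provably_spent(rings):
    """rings: one set of output ids per ring-signature input.
    Returns {output id: index of the ring that must have spent it}.
    Rule: if every member of a ring but one is already known spent, the
    remaining member is that ring's real spend. Repeat until stable."""
    resolved, done = {}, set()
    changed = True
    while changed:
        changed = False
        for i, ring in enumerate(rings):
            if i in done:
                continue
            candidates = ring - set(resolved)
            if not candidates:
                # Honest chain data never does this: it would mean a double spend
                # or inconsistent input data, so refuse rather than guess.
                raise ValueError(f"ring {i}: every member is already spent elsewhere")
            if len(candidates) == 1:
                resolved[candidates.pop()] = i
                done.add(i)
                changed = True
    return resolved


def effective_ring_sizes(rings, resolved):
    """Members per ring that an observer cannot rule out as the true spend."""
    return [sum(1 for o in ring if o not in resolved or resolved[o] == i)
            for i, ring in enumerate(rings)]


def pick_decoys(candidates, resolved, k, seed=None):
    """Draw k decoys from candidate outputs, never a provably spent one."""
    usable = sorted(o for o in candidates if o not in resolved)
    if len(usable) < k:
        raise ValueError("not enough usable decoy candidates")
    return random.Random(seed).sample(usable, k)


# Constructed rings; which member is the real spend is unknown to the observer.
RINGS = [
    {"o2", "o4"},        # resolves only on the second pass, once o2 is flagged
    {"o1"},              # a ring of one: o1 is spent outright
    {"o1", "o2"},        # o1 is known spent, so this input spends o2
    {"o2", "o3", "o4"},  # o2 and o4 known spent, so this input spends o3
    {"o3", "o5", "o6"},  # o5 and o6 both remain possible: stays ambiguous
    {"o1", "o5", "o6"},  # likewise
]

if __name__ == "__main__":
    flagged = provably_spent(RINGS)
    print("flagged:", sorted(flagged))
    print("effective sizes:", effective_ring_sizes(RINGS, flagged))
    print("decoys:", pick_decoys({"o1", "o2", "o5", "o6", "o7"}, flagged, 2, seed=1))
```

Note that the flagged set is exactly what a decoy selector should avoid, and the effective-size column is what an auditor looks at: a ring whose effective size has collapsed to one offers no ambiguity at all, regardless of its nominal size.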

I'd love to see some research on balance proofs, I feel like it's pretty important for businesses and others who have cold storage and want to be able to validate the balance without compromising the spend key. I obviously support this as Monero would not be so great without the hard work of Sarang and the boys from MRL.

Sarang's job is fundamental for Monero's growth. This proposal should be moved to funding required as soon as possible.

Send to funding! I am excited that the next time you need funding we will be using bulletproofs!

Happy to contribute to you and Surae! Y'all are doing amazing work.

Sorry, I somehow missed this. Please know your work is greatly appreciated!

+15XMR on behalf of XMR.TO

Happy to contribute to the FFS for the first time!

Emptied the donation wallet into this. Hope this gets funded.

On its way.

+1 XMR on behalf of Monerujo

Supported, much love for your work.

