
Funding for Surae at MRL for Q1 2018


funded of XMR380.00 target

92 individual contributions
100.02766209687% Funded
1 payouts
XMR285.11 balance available
24.993086388232% Paid Out

Milestones 1/4

  • December

    Funds awarded: 25% (~XMR95.03)

  • January

    Funds awarded: 25% (~XMR95.03)

  • February

    Funds awarded: 25% (~XMR95.03)

  • March

    Funds awarded: 25% (~XMR95.03)

Payouts 1

  • 95 XMR (Tuesday 30 January 2018)

WHO My name is Brandon Goodell. I am Monero Research Lab’s first postdoctoral researcher into cryptocurrency. I have a Ph.D. in Mathematical Sciences from Clemson University, a M.Sc. in Mathematics from North Dakota State University, and a B.S. in Mathematics from Colorado State University. I taught as a graduate student for 9 years at the university level, and I have participated in the Monero community under the pseudonym Surae Noether since 2014.

WHAT I am requesting a continuation of funding for our next “quarter” of four months. My funding began in 2017 in June, which offset Monero Research Lab from a usual fiscal quarter by one month; this four-month round of funding will end when the usual Q2 of 2018 begins.

WHY We have been productive: Sarang completed a review of the subaddress code and together we published an analysis of the scheme (see here). The first draft of our analysis of the multisig scheme is written (see current draft here) and we have begun comparing our analysis of the theory with the C++ code. Once that is complete, we will be submitting the multisig paper for peer-reviewed publication, as it presents a new security definition. Along with contributor knaccc, we completed the RTRS RingCT prototype. We were able to use that prototype to determine the conditions under which it would be favorable to switch to smaller ring signatures (answer: not yet, but even small improvements in signature verification time could allow us much larger ring signatures, in principle).

We are still being productive: I am looking into (a) anti-ASIC roadmaps, (b) blockchain dynamics, (c) sidechains, and (d) economic analyses about centralization (Sarang is looking into some overlapping, some non-overlapping additional topics) (not to mention finishing our multisig code vetting). For (a), small changes to our proof of work algorithm may be made very quickly that could, in principle, foil attempts at taping out new ASICs. We are currently working on a plan/roadmap behind the scenes for a series of fallback plans in case our proof of work algorithm becomes vulnerable to ASIC computations: the final step of this plan will be to abandon proof of work entirely for some more secure alternative (although see below for a caveat). For (b) blockchain dynamics, I began coding an efficient Python prototype of the SPECTRE protocol (see here) for comparison against the classic Nakamoto consensus. For (c), in terms of sidechains, we are interested in adding a layer of oblivious transaction processing on top of the current Monero blockchain.

My work on (d) is actually very closely related to my work on (a). My economic work began by asking about Proof-of-Space-Erasure and Proof-of-Retrieval as an alternative to Proof-of-Work. This led to a rather intriguing conversation Sarang and I had with Zooko (of zcash) recently. Here’s the idea. If mining is not at all commoditized, then specialty hardware is needed for mining, otherwise not. If specialty hardware is needed, the only way a small-pocket miner can mine would then be to rent space on someone’s specialty equipment. However, this owner of the hardware is disincentivized to act dishonestly on the network, because attacks on the network devalue the equipment (and the owner has sunk some cost into it). On the other end of the extreme, if mining is completely commoditized, then anyone can mine, regardless of the depth of their pockets. In this case, a deep-pocketed miner can suffer a disproportionately smaller sunk cost than a small-pocketed miner: either by purchasing equipment at cost, or by using equipment they already own that has already paid for itself through other business activities. This is dangerous: imagine a cloud storage service that has absolutely nothing to do with Monero spinning up all empty drives for a proof-of-storage attack. Since they have nothing to do with Monero except to execute this attack on a whim (using equipment that makes them money for other reasons), their attack does not harm their sunk cost into their equipment.

In this way, the value that commoditized mining brings in terms of decentralization may actually hamper network security compared to un-commoditized mining (i.e. ASICs), since the centralization induced by non-commoditized mining comes equipped with an economic incentive against dishonest behavior, whereas decentralization reduces economic incentives against dishonesty. If we are going to consider options like alternatives to proof of work, then we should analyze this game, parameterize the game using reasonable real-world values, and determine the precise conditions under which commoditized mining leads to improved security, not just improved decentralization.

HOW MUCH My request is for 380 XMR for continued full-time research over the four-month period beginning at the start of December 2017 and concluding at the end of March 2018. Sarang and I have both discussed our interpretation of a fair salary, and we have agreed on this number based on recent volatility of the price of XMR.

LET'S DISCUSS We at MRL strongly value community input into the funding process, and welcome discussions regarding this proposal. My primary concern is fairness, both to myself and the community: if the market changes significantly against me before funding is complete, I would like to be able to renegotiate/discuss. After all, this is my livelihood. However, this should be a symmetric relationship. If the market changes significantly against the community before funding is complete, I would like to extend the same courtesy to the community because, after all... y'all are donating your livelihoods.

As a quick aside, the last funding round occurred too quickly according to some community members... Sarang and I have delayed posting our funding requests until now so that the community can use their observations of our work at MRL through Sept-Nov in deciding their opinion on funding us for Dec-March. This required a balance between giving time for funding and giving time for folks to judge our progress. We feel like there is ample time for questions, comments, complaints, suggestions, and generally vigorous debate before December begins.

I want to thank the community once again for their continued faith in me and Monero Research Lab. I am humbled to be granted the ability to study something as interesting as cryptocurrency as my career, and I’m enjoying the heck out of my job.

Replies: 12
suraeNoether posted 4 days ago Weight: 491 | Link [ - ]

Howdy, everyone! This is the last delayed update I plan on making (next update should be on the 2nd of March). This update spans early January to the first week of February. I'll just jump right in:

This month, you sent me all over the world to represent Monero. You, as a community, kick complete and total ass. Thanks to the generous donations of Monero community members, I was able to attend the RealWorldCrypto conference in Zurich with fluffypony and friends, and the BPASE18 conference at Stanford with Sarang (and also fluffypony and friends). Together, these ate up a huge portion of my time for January, but attending these conferences was extremely valuable. I met with several members of the international Monero and cryptocurrency community, hardware wallet developers, researchers and developers... these trips were fantastic. I learned a lot about the game theoretic implications of smart contracts, various flavors of selfish mining and block-withholding attacks, consensus mechanisms, hardware sidechannel attacks, and large scale key management systems.

Let me tell you how cool it is to be waiting for Buenz' talk on bulletproofs, sitting next to andytoshi coding up bulletproofs, while gmaxwell is across the room realizing SHA-256 can be bulletproofed... when andytoshi is simultaneously realizing how to implement (yet another) optimization of bulletproofs. Moments like that get me all philosophical. Funny story: Pieter Wuille and I both found ourselves in the same boat, in Zurich without tickets to attend RWC. Thanks to the very generous Zooko Wilcox, I was able to attend the conference nevertheless. I still have his nametag with his name scratched out and "Monero Research Lab" written in childish crayon underneath it. I don't know how Wuille got in, come to think of it...

Back to business.

MRL Announcements: We are continuing with our weekly research meetings on Mondays at 17:00 UTC until someone starts to complain loudly about it.

Summary of Work: This month saw a lot of travel, so my actionable work was a little less varied this month. In the remainder of January and the start of February, I primarily have spent my time on:

  • Multisig: I was concerned for a while that our multisig scheme allowed for key cancellation attacks. Luigi has since proven me wrong (we have an authentication phase that cannot be passed by someone attempting a key cancellation attack). As such, multisig is back to "almost done" status. I spent a lot of time looking into the key aggregation set-up from the Musig paper, which elegantly handles key cancellation attacks. As a consequence, the multisig paper will be a little bit more well-rounded. This is one of the reasons I've put off posting this statement of work: I was hoping to get it completed and available for the community to read. Next update will be at the end of this month, and I anticipate a completed multisig paper for everyone to read through by that point.

  • SPECTRE and Blockchain simulations: Since Sarang and I are constantly looking into consensus mechanisms like SPECTRE and PHANTOM, and I have been interested in difficulty for a long time, I've coded a sandbox simulation of a cryptocurrency network. Nodes arrive and leave in two independent Poisson processes, blocks are discovered at local nodes according to an independent Poisson process with intensities dependent upon difficulty, and blocks are deterministically transmitted across the network. This is available on my github here although there are some issues with the code. My code implementing constant-time SPECTRE will eventually be used within these simulations.

  • A new cryptographic scheme: I have some details written down on a new implementation of proxy ring signatures, under the random oracle model and discrete log assumption, and without bilinear pairings. The application of this scheme in cryptocurrencies is not totally clear to me (there are repudiability issues and issues with re-use of signatures), but I am not aware of any other proxy ring signature schemes without bilinear pairings, so I think it is worthwhile to describe this scheme and submit it for peer review.

  • Reading: I am reading a lot on merge-mined sidechains and security models, lightning network, arithmetic circuits, and decentralized asset issuance. In fact, the latter is what led me to my proxy ring signature scheme. I am particularly interested in learning all I can about AC circuits and satisfiability. It seems like the next decade is going to use them a lot.

  • Churn and EABE: I know, what is this, 2017? Someone recently reached out to me about a possible attack that, upon further consideration, appeared to be an EABE attack. After a back and forth with this concerned party, we discussed some alternatives to churn. Some ideas are being kicked around still. In the meantime, I want to remind the community: the sender-ambiguity property of Monero is improved in chains of transactions, so if you are wild about your personal privacy, we recommend that you construct one or more self-to-self transactions before spending Monero.

  • Writing the "Q1" Research Roadmap: This has been briefly delayed. We will be posting this as soon as possible; the delay is partly my fault, and partly due to the fact that this document has some more comprehensive implications for 2018.

In addition to this, I've been having discussions with Sarang about educational outreach. News on this soon! Seriously, some cool stuff is happening behind the scenes here and we hope to make an announcement about it soon.
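The sandbox described in the "SPECTRE and Blockchain simulations" item above can be sketched in a few dozen lines. The following is an added example written for this page, not the simulation code from suraeNoether's GitHub: nodes join and leave as two independent Poisson processes, each node finds blocks as a Poisson process whose rate is its hashrate divided by the current difficulty, and a found block reaches every other node after a fixed propagation delay. Every parameter value (rates, hashrate, delay, target interval, retarget window) is a constructed assumption, and the retarget rule is a deliberately simple stand-in, not Monero's. Because the superposition of independent Poisson processes is itself Poisson with the summed rate, the simulation only ever samples one exponential waiting time per step and then picks which process fired in proportion to its rate.

```python
"""Toy event-driven simulation of a proof-of-work network (added example,
not the page author's code). All parameter values are assumptions."""
import random
from dataclasses import dataclass


@dataclass
class Params:
    node_arrival_rate: float = 0.05     # new nodes per simulated second (assumed)
    node_departure_rate: float = 0.002  # per-node departure rate per second (assumed)
    hashrate_per_node: float = 1000.0   # hashes per second for every node (assumed)
    propagation_delay: float = 2.0      # seconds until a block reaches all nodes (assumed)
    target_interval: float = 120.0      # desired seconds between blocks (assumed)
    retarget_window: int = 10           # blocks between difficulty adjustments (assumed)
    initial_nodes: int = 10
    horizon: float = 3600.0             # simulated seconds


@dataclass
class Block:
    height: int
    found_at: float
    miner: int


def simulate(p: Params, seed: int = 0) -> dict:
    """Run the three competing Poisson processes until the horizon."""
    rng = random.Random(seed)
    nodes = list(range(p.initial_nodes))
    next_node_id = p.initial_nodes
    # Difficulty is the expected number of hashes per block, so the
    # network-wide discovery rate is total_hashrate / difficulty.
    difficulty = p.hashrate_per_node * p.initial_nodes * p.target_interval
    blocks: list[Block] = []
    t = 0.0
    window_start = 0.0
    while True:
        n = len(nodes)
        rate_arrive = p.node_arrival_rate
        rate_leave = p.node_departure_rate * n
        rate_block = p.hashrate_per_node * n / difficulty
        total = rate_arrive + rate_leave + rate_block
        # Superposed Poisson processes: one exponential wait, then pick the winner.
        t += rng.expovariate(total)
        if t > p.horizon:
            break
        u = rng.random() * total
        if u < rate_arrive:
            nodes.append(next_node_id)
            next_node_id += 1
        elif u < rate_arrive + rate_leave:
            nodes.remove(rng.choice(nodes))
        else:
            # Every node has the same hashrate here, so each is equally likely to win.
            miner = rng.choice(nodes)
            # Deterministic propagation: the miner knows its own earlier blocks
            # immediately and everyone else's only after propagation_delay.
            visible = [b.height for b in blocks
                       if b.miner == miner or b.found_at + p.propagation_delay <= t]
            blocks.append(Block(height=(max(visible) + 1) if visible else 1,
                                found_at=t, miner=miner))
            # Stand-in retarget: scale difficulty by how far the last window's
            # average interval missed the target, clamped to a factor of 4.
            if len(blocks) % p.retarget_window == 0:
                observed = (t - window_start) / p.retarget_window
                factor = max(0.25, min(4.0, p.target_interval / observed))
                difficulty *= factor
                window_start = t
    chain_height = max((b.height for b in blocks), default=0)
    return {
        "blocks_found": len(blocks),
        "chain_height": chain_height,
        # Heights are contiguous, so every block beyond one per height lost a race.
        "stale_blocks": len(blocks) - chain_height,
        "final_nodes": len(nodes),
        "final_difficulty": difficulty,
        "blocks": blocks,
    }


if __name__ == "__main__":
    for delay in (0.0, 2.0, 60.0):
        r = simulate(Params(propagation_delay=delay), seed=42)
        print(f"delay={delay:5.1f}s  blocks={r['blocks_found']:3d}  "
              f"height={r['chain_height']:3d}  stale={r['stale_blocks']:2d}  "
              f"nodes={r['final_nodes']:3d}")
```

Running the script sweeps the propagation delay and reports how many found blocks ended up off the longest chain; with zero delay no block can ever lose a race, and the stale count grows as the delay approaches the block interval, which is the effect that makes difficulty and interval choices a security question rather than only a performance one.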

Gingeropolous posted 1 month ago Weight: 437 | Link [ - ]

testing testing

suraeNoether posted 1 month ago Weight: 433 | Link [ - ]

Hello again, everyone. Thank you all for your patience in my delayed end-of-2017 update for MRL: my family and I had some emergency health issues (so December was less productive than I had hoped) and then I had to bounce out to Zurich for a week to go to the Real World Crypto conference with Fluffypony and friends (so I was again delayed in January).

MRL Announcements We are still having weekly Monday meetings at 17:00 UTC. These are one-part research meetings, where we update the community on our work, and one-part "office hours" where we answer questions, help new people in Monero, etc. I've missed the past several meetings (see my excuses above) which I feel a bit terrible about. I am happy to entertain format suggestions regarding these meetings. They can always be improved, and sometimes I feel like I'm just describing all my recent shower thoughts to a mostly empty room.

POW Difficulty Replacement Contest: After discussing with several community members, we are putting this on hold for a few months. I still think this is a good idea, but I believe we have higher priorities right now. Right now I am shooting for such a contest to be funded by 1st June 2018, for submissions to be accepted in July, August, and September 2018, and for a winner to be announced (or all submissions announced as losers lulz) by 1st December 2018. My initial plan is to match up 10% of donations up to around $2000-4000 USD (worth of Monero) so that the prize could be quite substantial. If all submissions are losers, we can either run a second round of the contest, or send the funds to the monero general fund, or donate it all to the Pineapple fund or something. However, given how things seem to be going, maybe we should be expecting to begin in September or something like that.

WTF Happened in the past 45-ish days?: Rundown for December and January.

Multisig: Because of this paper, I've decided to just start tripling my expected time-to-completion for everything. Because apparently I am not super great at estimating time of completion. This took up the majority of my time because I constantly felt "almost done," so I didn't want to work on anything else.

The vast majority of January I spent working on the multisig paper, correcting mistakes, going through code review. I believe I spent around 120 or 135 hours working on this in December and January together. The current version can be seen here... there are two major remaining components for this paper: first, the attack section of the paper has been temporarily commented out, and second, the code review needs to be re-reviewed (all explanations of the code need to be fleshed out and triple checked). I expect each of these (the attack section and the code appendix) to take between 25 and 30 hours of work, totalling 50 to 60 hours before completion of the multisig paper (translation: I really think I'll be done with this before the end of the week, but I'm afraid it will take the rest of the month).

RTRS RingCT, column linkability, amortization: Still chatting with soon-to-be-Dr. Ruffing about these. Expect more information about this by the end of January.

Bulletproofs: We are currently discussing how to go about auditing/vetting bulletproofs. Sarang and I both agree that the math looks good, Sarang and Moneromooo both believe the code is rather tight, and we have had some optimizations suggested by various folks. As I mentioned on Reddit just the other day, we are sort of faced with a dilemma here: either we implement bulletproofs for the Spring hard fork or not, and each decision has a cost. The cost of not implementing bulletproofs will, over six months, amount to around six hours of additional download+sync time for new nodes. This cost is in adoption rate, and is certain to occur. On the other hand, the cost of implementing bulletproofs too soon is Monero's double spend protection, and is not certain to occur. Since one of these is catastrophic but may not occur, and the other is kinda terrible but is certain to occur, we have a tradeoff to consider here. We are being cautious. Expect a statement from us about this in the coming days.

Monero Standards: No progress has yet been made on these, although much of the documentation in the multisig paper will make it into the RingCT component of the Monero Standards, so there is a nice overlap there.

Remainder of January and leading into February: I am attending BPASE18 with Sarang, Fluffypony, and all you other crazy bastards. In addition to this, I am merely finishing the multisig paper by the end of January. For those of you keeping track of hours, I plan on working 50 hour weeks for the remainder of January and for all of February so that my delayed payment for December does not bleed into the end of the "quarter."

Any time I have leftover in January above and beyond multisig will go into one of the following: 1) the ZK literature review by Jeffrey Quesnelle (author of the recent Zcash linkability paper), 2) working on my SPECTRE code (the blockchain consensus algorithm, not the recent exploit), or 3) network simulations for independent verification of the difficulty assessment computations of zavvy12 from here (if you are curious, I have some not-yet-functional code gluing Poisson processes together here).

What about the rest of the year?:

First Quarter Roadmap: This is being delayed until the end of January if not a bit longer. This is partly because this first quarter roadmap is really a "2018 whole-year roadmap," and partly because of all of the delays I have personally recently experienced. In addition to this, after speaking with fluffypony in Zurich, I am going to look into:

Fee structures: Using time series analysis, I believe it will be a fairly straightforward task to develop a long-term plan for our fee structures based on empirical connections between fees and network activity. These connections are, of course, correlative not causative and, moreover, would be computed assuming absence of attacks. However, this would provide us some sort of long-term empirical plan for our fee structures (compared, for example, to eyeballing/arbitrarily setting base fees each hard fork). This would provide us an easy target to point at when we hear fee complaints in the future... a statement like "our fee model disagrees with you, so unless you have a better forecasting model than ours, or a specific attack model in mind, your criticism is empirically unjustifiable" would be absolutely invaluable against feeFUD.

Side note on this: Anyone willing to get me as much historical Monero network and pricing data as possible in this regard will be doing me a huge favor in saving me time. I can analyze data quickly, I can curate a data set slowly. Due to this, I do not plan on spending any of my time actually gathering any of this data before February: if someone hands me a data set, I will analyze it happily. When I say "as much data as possible," I'm not kidding around. Average number of transactions per block, average fee paid per transaction, average kb per transaction, number of inputs per transaction, number of outputs per transaction, average time between blocks, USD/XMR and EUR/XMR and CNY/XMR and BTC/XMR exchange rates and exchange volumes at the time of each block for many exchanges... these are all obvious, but even silly stuff like "number of cryptocurrencies listed on each exchange at each block time" is nontrivially helpful information.

Educational outreach: I have something semi-secret brewing that I hope can be included in my end-of-February announcement. It's probably a badly kept secret (many many folks in Zurich have given me their thoughts), but putting it in writing here seems to be perhaps unwise until I speak with a few more folks about how to handle all of it. My initial plans for Sarang were to organize a 2018 summer school at some willing university, but it appears that was too ambitious (we are shooting for summer 2019 now for this), so we have pivoted a little bit to this new idea... anyway, details will be forthcoming over the coming weeks.

THANK YOU ALL. This is the best opportunity anyone like me could possibly hope for. I am pretty sure Sarang feels the same way. The Monero community has so far proved to be extremely generous. I really do my best to avoid concluding that a decision was good just because the outcome was good, you know? But kicking the traditional economy to the curb in favor of this opportunity has been absolutely the best outcome of my life so far, and I fear I couldn't possibly explain to everyone, even face to face, how much all of this means to me.

At the risk of mimicking the first season of Silicon Valley... thanks for giving me the opportunity to make the world a better place.

suraeNoether posted 2 months ago Weight: 329 | Link [ - ]

I want to thank everyone who donated, and anyone who even CONSIDERED donating! This is, again, a real honor to be working on this project for this community, and to have the support of the members. I'll be posting my end of November (2017!) update soon.

franchb posted 2 months ago Weight: 327 | Link [ - ]


Cryptonic edited 2 months ago Weight: 326 | Link [ - ]


nioc edited 2 months ago Weight: 325 | Link [ - ]

Happy Thanksgiving!! One of the many things I am thankful for is the excellent work being done at the MRL

Donation sent :)

keatonofthedrake edited 2 months ago Weight: 322 | Link [ + ]


pa edited 2 months ago Weight: 318 | Link [ + ]


TheseAreBetterDays edited 2 months ago Weight: 318 | Link [ + ]


antw081 edited 2 months ago Replies: 1 | Weight: 282 | Link [ + ]

I'll be happy to help fund the MRL team (Sarang & Surae) again.

Reply to: antw081
antw081 edited 2 months ago Weight: 308 | Link [ + ]