Sarang: research funding for 2019 Q1
Friends, neighbors, well-wishers, hello. Dr. Sarang Noether here, back again for Monero Research Lab 2: The Search For More Money. My current funded research time is coming to a close, and I'm good to go for another three months of research and development for the Monero Research Lab.
You can read my reports for October and November, with December coming at the end of this month. There has been, in my not-so-humble opinion, a lot of quality work for the project and community. I've conducted analysis, built useful cryptographic primitives, written code, tested new ideas, and more. One of the original and primary reasons for the creation of the Lab was to continue investigating what's new in applied cryptography and use it to strengthen Monero, and my work has done so.
The next three months will be, as they should be, a mix of tasks and topics. I always stay up-to-date on new developments and literature review. I collaborate with outside researchers and groups on analysis and new technology. There will be more on confidential transaction schemes, payment channel and atomic swap plumbing, security analysis, and whatever comes next.
I work hard to provide value to the Monero community for the value you provide here. For the period beginning January 2019 and continuing to the end of March 2019, my rate will be the equivalent of 10415 USD each month, which is my assessment of fair market compensation for a Ph.D. researcher in this field with a proven track record working from the United States; this takes into account that making this my full-time job carries irritating but necessary support and tax implications that I take very seriously. Using a 14-day exponential moving average of 47.21 USD/XMR taken from Kraken, the request total is 661 XMR. If there are large fluctuations prior to the close of funding, we can revisit this number.
I invite questions, comments, and discussion on my previous work and this proposal. My thanks for the ongoing support of this community; whether you donate here, volunteer your time developing or translating or documenting, reach out to others for education, or simply use Monero, your dedication is appreciated! The Lab works hard to ensure Monero continues to grow safely and surely. Onwards!
EDIT (9 December 2018): Updated rate from 58.69 to 50.68 USD/XMR and total from 533 to 616 XMR due to large fluctuations.
EDIT (14 December 2018): Updated rate from 50.68 to 44.39 USD/XMR and total from 616 to 703 XMR due to large fluctuations.
EDIT (1 January 2019): Updated rate from 44.39 to 47.21 USD/XMR and total from 703 to 661 XMR due to large fluctuations.
Hello everyone! It's your old pal Dr. Sarang Noether, delivering the first monthly research report of the new year. This is the first of three reports for my current funding period, which was made possible by the generosity of the Monero community through donations and in spirit.
Monero researchers and developers have been busy preparing for the spring network upgrade, and we are finalizing changes that you can expect to see released in a few months. A great deal of planning, research, simulation, coding, and testing has gone into this process. Payment IDs are set to be removed over the next two releases, which will make transactions simpler, smaller, and more uniform. We've simplified some of the underlying cryptography that powers our confidential transaction scheme to make transactions a bit smaller. Bulletproofs have received many additional speedups and optimizations that decrease verification time by up to 60% (and possibly more) from the last release. Our dynamic block size algorithm will be updated to more robustly handle spikes in transaction volume. And there are plenty more updates in the next release, so stay tuned.
Led by the esteemed Justin Ehrenhofer of community fame, we've begun releasing a video series called Breaking Monero that goes in depth talking about weaker aspects of Monero's structure and operation, and how we've improved over our history. Each episode features a topic, like unusual ring sizes or chain reactions, that an adversary might use to analyze the Monero blockchain. We discuss the history of Monero analysis, practical recommendations for users, and how researchers continue to iterate on improvements to the protocol. More episodes are on the way!
As you likely read this, I am participating in the Stanford Blockchain Conference, an outstanding academic conference on applied cryptography. Last year's event featured a host of presentations and results very relevant to Monero, and this year promises to continue this trend.
Other important but less prominent areas of ongoing work include the ring decoy output selection algorithm, alternate ring signature schemes, interactive and non-interactive refund and return address constructions, an upcoming paper on graph analysis, and more!
For the next month, expect additional simulations and formal planning for the spring network upgrade, code for a Bulletproofs multi-party computation protocol, improved documentation, transaction relay simulations, the usual literature and code review, and many other mathematical odds and ends.
And now, on to Sarang's Reading Corner, a list of some of the interesting papers I've come across recently in my ongoing literature review. The appearance of a paper in this list does not imply that I endorse it, or even necessarily agree with its contents or conclusions. These are in no particular order.
- Dandelion++: Lightweight Cryptocurrency Networking with Formal Anonymity Guarantees
- Biased Nonce Sense: Lattice Attacks against Weak ECDSA Signatures in Cryptocurrencies
- ZeroCT: Improving ZeroCoin with Confidential Transactions and more
- Jevil's Encryption Systems
- Universally Composable Accumulators
- Proof-of-Stake Sidechains
- Analysis of Difficulty Control in Bitcoin and Proof-of-Work Blockchains
- CryptoNote+
- Selfish Mining in Ethereum
- P4: Private Periodic Payment Protocol
- Grin vs. BEAM, a Comparison
- Efficient Non-Interactive Zero-Knowledge Proofs in Cross-Domains without Trusted Setup
- Raptor: A Practical Lattice-Based (Linkable) Ring Signature
Greetings to all. Dr. Sarang Noether here, delivering to you the second of three monthly research reports for my current funding period to describe my work from February. As always, my deep and sincere thanks go out to the Monero community for supporting my research and that of the Monero Research Lab.
In preparation for the upcoming network upgrade, I've written simulations to examine the response of different block size scaling algorithms to adversarial network conditions. Additional simulations, which will be used for the next client release due to the network upgrade timeline, examine more robust ways of handling ring member selection and ways to mitigate certain statistical heuristics.
I've been collaborating with other researchers to finalize a paper describing useful signature constructions for Monero that relate to payment channels and non-interactive refunds. This has been ongoing, but new proofs and scaling data mean the paper is nearly set to be submitted for a conference. The preprint will be shared publicly after submission. As always, I appreciate the opportunity to work with other researchers on interesting cryptographic problems.
The recent Stanford Blockchain Conference was a great success, with plenty of fascinating talks on new research. Videos and slides are posted at the conference links. Community support to attend this conference is gratefully acknowledged.
I presented at a recent meetup in Nashville, where I discussed different ways that projects approach privacy and fungibility. My thanks to the attendees for great questions and conversations.
Work for the next month will, as always, be varied. The security model for a Bulletproofs multiparty computation protocol has been worked out, and test code is being finalized. This has been on the back burner for a while, and was temporarily tabled to make time for the network upgrade. Expect more results and analysis for transaction relay, Breaking Monero educational videos, Bulletproofs, and documentation.
And now, on to Sarang's Reading Corner, a list of some of the interesting papers I've come across recently in my ongoing literature review. The appearance of a paper in this list does not imply that I endorse it, or even necessarily agree with its contents or conclusions. These are in no particular order.
- Sonic: Zero-Knowledge SNARKs from Linear-Size Universal and Updateable Structured Reference Strings
- Betting on Blockchain Consensus with Fantomette
- HashCore: Proof-of-Work Functions for General Purpose Processors
- Exploring Spatial, Temporal, and Logical Attacks on the Bitcoin Network
- On the security of the BCTV Pinocchio zk-SNARK variant
- New Empirical Traceability Analysis of CryptoNote-Style Blockchains
- Re-thinking untraceability in the CryptoNote-style blockchain
- It wasn't me! Repudiability and Unclaimability of Ring Signatures
- LegoSNARK: Modular Design and Composition of Succinct Zero-Knowledge Proofs
- Zether: Towards Privacy in a Smart Contract World
- Measurement and Analysis of the Bitcoin Networks: A View from Mining Pools
The following was also posted to Dr. Goodell's funding thread verbatim.
Greetings Dr. Feikert, I hope you are having a great 2019.
I have some questions regarding your work in regard to the Monero Project. I hope I am not too forward in asking the following questions as I (and many Monero supporters) may not have a very good grasp of what work a typical PhD in mathematics does.
Anyway, here are my questions:
- Have you proposed any impactful and original idea(s) that have made it into the core Monero daemon code? If so, can you list or explain some of them?
- Do you have any goals, ideas or work that would actually correspond to milestones other than just being paid as a milestone in and of itself? Maybe this isn't a proper question, and the use of the word milestone is misplaced in the CCS. Maybe milestone should be changed to merely remuneration.
- I am not sure if this has been asked formally before, but what does a typical day look like for you, being employed (or in business for yourself as the case may be) working on the Monero project? How much of your time is spent on other projects outside of the Monero project?
- Since one of the goals or properties of the Monero project is decentralization (ASIC resistance), is this an area of expertise you would contribute to or is it outside your field of expertise?
- What is your vision of the Monero project, say, two years from now? (Other than Monero value "going to the moon".) :-)
In closing, I would like to thank you for your time and contributions to MRL. I hope these questions aren't taken too negatively and I wish you the best in your future endeavors.
Once again, it's Dr. Sarang Noether here, delivering the last of my three monthly reports for this quarter to share my research work from March. Like always, my deep thanks go to the Monero community for continuing to generously support my work for the Monero Research Lab.
This month's work has been varied. Investigations are underway on Dandelion transaction routing integration in projects like Bitcoin, Grin, and Zcoin. In conjunction with other network-level routing mechanisms, Dandelion routing can mitigate against certain types of adversarial network observation.
Prototyping code for multi-party Bulletproofs is complete. This is a generalization that is compatible with our existing Bulletproofs implementation and could be useful if we decide to implement certain types of mixing operations. The security guarantees depend on the way that the proof communication is structured, and leave a few open questions.
The review process for an upcoming paper relating to dual-address signature applications is still underway to update some formal definitions and proofs. This is in collaboration with several other researchers and will be shared publicly when the preprint is released.
Test code exploring the Lelantus transaction model is in progress, but not yet fully operational. This is a clever application of double-blinded Bulletproofs and a particular commitment sigma protocol that I am looking into to better understand its operation, security, and practical efficiency. There are no particular plans for its integration into the project.
Rockstar research contributor RandomRun posted a clever idea for compressing MLSAG signatures that shows a lot of promise. I have example code for full and simple transaction types, as well as an interesting generalization. This has the potential to make transactions smaller while also improving verification time.
Thanks to the community for supporting my next funding proposal for the second quarter of this year. There is a lot planned, and I'm excited as always to continue my research contributions.
And now on to Sarang's Reading Corner, a list of some of the interesting papers I've come across recently in my ongoing literature review. The appearance of a paper in this list does not imply that I endorse it, or even necessarily agree with its contents or conclusions. These are in no particular order.
- Ring Signatures: Logarithmic-Size, No Setup --- from Standard Assumptions
- The Distinction Between Fixed and Random Generators in Group-Based Assumptions
- A Note on Key Agreement and Non-Interactive Commitments
- Flyclient: Super-Light Clients for Cryptocurrencies
- Fast constant-time gcd computation and modular inversion
- Forward-Secure Multi-Signatures
- Trapdoor commitments in the SwissPost e-voting shuffle proof (direct link to paper)
- Lelantus