Update 09 December, 2021

Aha, amazing. Thx @danda


Oooh almost there! Exciting times. Good luck squashing the final bugs, I am already warming up my fingers for some serious testing :computer:


I remember last year we were looking forward to a Christmas Present (Testnet). Here’s to hoping this year’s present is orders of magnitude more robust. My humblest gratitude to our “hacking super ants.”


Great news that a testnet is close. Well done tenacious M.


This is an interesting development @Nigel


How does the client get a bunch of random decoy keys?

Presumably the client doesn’t have a full list of the existing keys the mint knows about (they could since the spentbook / dag is public, but they probably don’t because it’s potentially a lot of data to retain locally).

Does the client store a partial list of keys for this purpose?

How would this work for a ‘fresh’ client with nothing in their pool? Can they request some random portion of the key pool and select from that?

Just checking my understanding of terminology…

It sounds like blind sigs are no longer being used (replaced by ring signatures), so there will be (very weak) links between transactions. Now the spentbook is a DAG (directed acyclic graph) which can be audited all the way back to the first transaction ever made. Am I understanding this correctly?

Any ideas on how many decoys will be used in practice? I guess more decoy keys is more private but also more computationally costly, and vice versa? Curious to hear more about the tradeoffs and scaling properties of this in the real world.

My understanding is monero uses ed25519 for their ring signatures, but we’ll be using bls for ours. Are there any other projects using ring signatures with the bls curve?


Great news MaidSafe


Not that I’ve heard of. That’s why DavidR had to implement from the ground up BLS ring sigs, then MLSAG, then BLS bulletproofs, then RingCT.

I will defer to DavidR re your other q’s.


The safest way to do it would be to ask clients to have a copy of the spentbook, but that’s clearly not ideal. We need to be careful about having clients request random decoys from the network since a dishonest Elder might be able to de-obfuscate a transaction if they see the same keys in a transaction.

We can probably safely stay in a middle ground where clients request the latest 1MB of the spentbook from a few sections and pick a few decoys at random.

Yep, that’s right. We have a DAG now; the audit verifies that all paths up from a transaction lead to the genesis DBC.

Monero uses a ring size of 11. The computational cost isn’t bad; it’s the size of the signature which is most concerning. The signature grows linearly with the ring size.

Since we aren’t as worried about blockchain size, we could bump that up higher, but 11 is probably a good place to start.

I couldn’t find any unfortunately, it would have been nice to compare test-vectors.


Is there any insight into how fast TPS or settlement is with RingCT? Compared to say Monero or the other end of the spectrum, a plain centralized mint DBC implementation?

Also curious about how much storage space might be required for the spentbook to process x amount of transactions, say ~1million?


Also curious if it would be more scalable or faster if the entire supply was released at once, so that it wouldn’t be necessary to audit the money supply?


Good question but wouldn’t you still need to have the ability to have ongoing auditability to know it’s working as intended over time such as no double spends or inflation bugs?


Yep, that’s the point of the discussion about it: making sure the transactions are all valid. Supplying all at the start is about solving different issues, reducing the effect of any bad actors and reducing the attack surface.


That’s essentially what we are doing. I.e., the “genesis DBC” would be minted with all possible coins, then (re-)distributed through farming. However, auditing is still necessary for any party to be able to prove to themselves that mintnodes have not cheated and inflated the money supply.

I.e., say the entire money supply is 100. If section elders were ever to collude and create another 100 (or even .00001) out of thin air, network participants need to be able to detect that.
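A toy model of the audit described in these posts, added here as an example (it is not Safe Network code or anything posted in the thread): it walks a constructed spentbook DAG back to a hypothetical genesis DBC and flags dangling inputs, double spends, and any transaction whose outputs exceed its inputs, which is the inflation case above. Amounts are plaintext here; the real design hides them behind RingCT commitments, so only the graph walk and the conservation logic carry over.

```python
from collections import namedtuple

# Inputs reference (parent_txid, output_index); outputs are plaintext amounts.
# Real DBCs carry RingCT commitments, not amounts: this toy models only the
# graph walk back to genesis and the value-conservation check the thread describes.
Tx = namedtuple("Tx", "txid inputs outputs")
GENESIS_ID = "genesis"  # hypothetical id for the genesis DBC
TOTAL_SUPPLY = 100      # "say the entire money supply is 100"

def audit(spentbook, start=None):
    """Walk every input path from `start` (default: all txs) back to genesis.
    Returns (ok, problems): dangling inputs, double spends, supply inflation."""
    problems, seen, spent_by = [], set(), {}
    stack = list(spentbook) if start is None else [start]
    while stack:
        cur = stack.pop()
        if cur in seen:
            continue
        seen.add(cur)
        tx = spentbook.get(cur)
        if tx is None:
            problems.append(f"{cur}: not in spentbook, path does not reach genesis")
            continue
        if cur == GENESIS_ID:
            if tx.inputs or sum(tx.outputs) != TOTAL_SUPPLY:
                problems.append("genesis: has inputs or wrong total supply")
            continue
        total_in = 0
        for ref in tx.inputs:
            parent_id, idx = ref
            parent = spentbook.get(parent_id)
            if parent is not None and idx < len(parent.outputs):
                total_in += parent.outputs[idx]
            elif parent is not None:
                problems.append(f"{cur}: input {ref} does not exist")
            first = spent_by.setdefault(ref, cur)  # first tx seen spending this output
            if first != cur:
                problems.append(f"double spend of {ref} by {first} and {cur}")
            stack.append(parent_id)
        if total_in != sum(tx.outputs):
            problems.append(f"{cur}: inputs {total_in} != outputs {sum(tx.outputs)}")
    return (not problems, problems)

# Constructed sample spentbooks: one honest, one where elders cheated.
HONEST = {t.txid: t for t in [Tx("genesis", [], [TOTAL_SUPPLY]),
                              Tx("t1", [("genesis", 0)], [60, 40]),
                              Tx("t2", [("t1", 0)], [60])]}
CHEATING = dict(HONEST)
CHEATING["t3"] = Tx("t3", [("t1", 1)], [40.00001])  # mints .00001 out of thin air
CHEATING["t4"] = Tx("t4", [("t1", 0)], [60])        # spends t1's output 0 a second time
```

Auditing a single transaction (`audit(HONEST, "t2")`) checks only its own ancestry; passing no start walks the whole book, which is what is needed to catch a double spend whose two halves sit on different branches.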


How does that work? Or if not the details, does this solve the problem of a few sections controlling the very large initial supply?


The initial mint is still in the air AFAIK. To mint 100% of coins and distribute to all holders, or some other mechanism is still a discussion to have. It will be a long thread that one :wink:

Using a multi-section spend route is good, but then having a single section create route would IMO be retrograde. So we do need some heads on that one.


We’ll need to have age randomization amongst the decoys so that the true input does not stand out as being more deeply embedded in the graph (older). I believe Monero has done research in this area we can look at.


Very interesting.

For anyone else curious, Monero stats show the blockchain size (since 2014-04-18) is about 64 GB, and contains about 19M txs, so about 3.5 KB per tx.


Someone in a chat claims that with Monero it is easy to find out who did the transaction:

https://arxiv.org/pdf/1704.04299/ There are some good papers about this in which researchers were able to break all, or almost all, of the ring signatures at various points in time. This paper is particularly good and goes into a lot of detail. When it was written, they could trivially identify 64% of transactions (because they didn’t use ring signatures), and for the rest they could completely identify more than 80%.

This paper is out of date obviously, but it gives some really good explanations of the weaknesses of the system. There have been many new projects breaking the ring signatures used in Monero; it’s been sort of a punching bag for people doing cryptanalysis for a while. The main issue is that the core concept of using ring signatures like this is just weak, and will always continue to be so.

Q: if not finding out transaction senders

They absolutely can, and I can tell you there are very good tools for just completely breaking these cryptocurrencies, but demanding that I do it on request for you in a public channel is asking the wrong question :slight_smile:

This company is making the tools to break Monero RingCT: https://www.chainalysis.com/


Thank you for the heavy work, team MaidSafe! I added the translations in the first post :dragon:

Privacy. Security. Freedom