[Applause] [Music]

I'm Rucknium, a researcher with the Monero Research Lab and an empirical microeconomist. Today I will present a statistical research agenda for Monero. I apologize for needing to use a synthesized voice; it is to protect my privacy. The slides of this presentation are posted on my GitHub account, github.com ropresentation.

I've applied my skills to help improve Monero. I found a way to speed up Monero transaction confirmations by 60 seconds. I computed the privacy impact of P2Pool decentralized mining payouts. The privacy impact was significant. sech1 and dvo figured out a way to double payout efficiency, which reduced the privacy impact of P2Pool. I analyzed the privacy effects of Mordinals, a Monero NFT protocol. I helped write the "Fingerprinting a Flood" analysis of the 2021 transaction volume anomaly. I am in the final stages of development for Optimal Static Parametric Estimation of Arbitrary Distributions (OSPEAD) for an improved decoy selection algorithm. I serve on the MAGIC Monero Fund committee, which funds open source Monero research and development. I do some upkeep of Monero research community resources.

Quiz: equations written by Satoshi Nakamoto in the original Bitcoin white paper involved (a) a concept from cryptography, (b) a concept from probability, (c) both, or (d) neither. From the topic of this presentation you may be able to guess that the answer is (b), a concept from probability. Satoshi used probability theory to calculate the chances of an attacker rewriting the Bitcoin blockchain for a double spend attack. Cryptography is obviously a crucial part of cryptocurrency, but probability and statistics have been here from the beginning. Monero needs a robust statistical research capability to rise to the privacy, scaling and security challenges of today and tomorrow.

We have two broad categories of Monero statistical research questions. The first involves ring signatures; the second does not involve ring signatures. Ring signatures are a big part of statistical research in Monero, and statistical guessing is a threat to the privacy provided by ring signatures. Ring signatures have been called the weakest part of Monero. I hope that one day Monero implements a better solution; however, I expect that ring signatures will be with Monero for many more years. New ringless protocols are too risky at the moment.

There is a lot of enthusiasm for global or full blockchain membership proofs. With ring signatures, the truly spent transaction output is one of a small subset of the total set of outputs. With global membership proofs, whenever an output is spent it could be any of the millions of transaction outputs on the blockchain. Zcash has had this model in their shielded transaction pool since 2016. Global membership proofs sound fantastic, but they are not without problems. First, Zcash's zk-SNARK model has had high CPU and RAM requirements for transaction construction that prevented low performance devices from being used as wallets. Second, Zcash users had to trust that the random data generated at Zcash's genesis was not improperly controlled or observed by a malicious party. Third, Zcash's cryptographic mathematics was based on new foundations that were not battle tested. Just to note, Monero uses Bulletproofs, which are a type of zero knowledge proof. Bulletproofs are not a zk-SNARK because they lack the succinctness property, which is the S in the acronym.

Zcash fixed some of its problems. The performance requirements were reduced with the 2018 Sapling upgrade. The Orchard Halo 2 upgrade in 2022 provided zk-SNARKs with no trusted setup, but the protocol might not be safe enough to use since their cryptography is still not battle tested. Many close calls have threatened private digital cash protocols, often problems with the cryptography mathematics itself, not the computer code that implements it. Garbage in, garbage out.

Case study one: Zcash counterfeiting flaw. I will quote a long section of the announcement to show how much scrutiny the mathematics received, but yet the flaw remained undetected for four years.

"On March 1, 2018, Ariel Gabizon, a cryptographer employed by the Zcash Company at the time, discovered a subtle cryptographic flaw in the 2014 paper that describes the zk-SNARK construction used in the original launch of Zcash. The flaw allows an attacker to create counterfeit shielded value in any system that depends on parameters which are generated as described by the paper. This vulnerability is so subtle that it evaded years of analysis by expert cryptographers focused on zero knowledge proving systems and zk-SNARKs. In an analysis in 2015, Bryan Parno from Microsoft Research discovered a different mistake in the paper; however, the vulnerability we discovered appears to have evaded his analysis. The vulnerability also appears in the subversion zero-knowledge SNARK scheme of Fuchsbauer 2017, where an adaptation of the Ben-Sasson, Chiesa, Tromer and Virza 2014 paper inherits the flaw. The vulnerability also appears in the ADSNARK construction described in that paper. Finally, the vulnerability evaded the Zcash Company's own cryptography team, which includes experts in the field that had identified several flaws in other parts of the system. Importantly, the Ben-Sasson, Chiesa, Tromer and Virza 2014 paper's construction did not have a dedicated security proof, as noted in Parno's 2015 paper, and relied mainly on the security proof from the Parno, Howell, Gentry and Raykova 2013 paper and the similarity between the two schemes. The Zcash Company team did attempt to write a security proof in the Bowe, Gabizon and Green 2017 paper, but it did not uncover this vulnerability."

Case study two: CryptoNote / Monero counterfeiting flaw. Like the Zcash flaw, this one laid silent for years. The CryptoNote 2.0 paper was released in 2013. A Monero cryptographer figured out the flaw in 2017. I will quote the announcement:

"In Monero we've discovered and patched a critical bug that affects all CryptoNote-based cryptocurrencies and allows for the creation of an unlimited number of coins in a way that is undetectable to an observer unless they know about the fatal flaw and can search for it. We patched it quite some time ago and confirmed that the Monero blockchain had never been exploited using this, but until the hard fork that we had a few weeks ago we were unsure as to whether or not the entire network had updated."

A big difference between this Monero flaw and the Zcash flaw is that the counterfeiting from the CryptoNote flaw would be detectable after the fact. The form of the Zcash flaw did not provide a way to determine whether the flaw had been exploited by a malicious party.

Case study three: Secret Network privacy exposure. Secret Network is a smart contract blockchain that promises privacy for users. It uses Intel Software Guard Extensions, a type of hardware trusted execution environment, to protect user privacy. Last year researchers found flaws in SGX that could reveal private information completely.

"The Secret Network has been vulnerable to the xAPIC and MMIO vulnerabilities that were publicly disclosed on August 9, 2022. These vulnerabilities could be used to extract the consensus seed, a master decryption key for the private transactions on the Secret Network. Exposure of the consensus seed would enable the complete retroactive disclosure of all Secret-4 private transactions since the chain began. We have helped Secret Network to deploy mitigations, especially the registration freeze on October 5th, 2022. However, there is no way to know for certain whether this attack has been attempted previously. It is also possible that ordinary node operators may have unintentionally prepared the attack if they were active nodes prior to the mitigations and may opportunistically decide to complete it in the future. We urge privacy conscious users to reevaluate their risk considering that their past transactions may be exposed. Out of ethical concern the researchers have erased the master decryption key they had extracted, but we cannot guarantee that a malicious actor had not already performed the extraction."

Actually exploited flaws in private digital cash protocols: In 2017 Bytecoin, a CryptoNote-based coin, was exploited by the counterfeiting flaw that Monero discovered and patched. In 2017 a malicious party exploited a counterfeiting bug in the Zerocoin protocol of Firo. In 2020 a counterfeiting exploit occurred against Haven due to several flaws.

How confident do we need to be? In the last few years cryptocurrency protocols have been exploited for over 5 billion US dollars. Flawed code, flawed safeguards, flawed cryptography, flawed economics. How confident should Monero be in new cryptographic foundations before they are activated on Monero? 95% confident? 99% confident? 99.9% confident? How confident were the researchers and developers of these exploited protocols?

Peer review, audits and battle testing. My definitions of these terms are a combination of the commonly accepted meaning and my own classification. I'm an economist, so I think about the incentives. Academic peer review: fellow cryptographers check the mathematics of the security proofs in new papers. The incentives are professional responsibility to science, and building and maintaining reputation. Code audits: an independent party checks that the code correctly implements the paper's math and does not contain exploitable holes. Building and maintaining reputation are the incentives of the audit companies. Battle testing: every basement attacker and government agent declares open season on the protocol. The incentives are wealth or pursuit of government objectives.

Trustless zk-SNARKs are not yet battle tested, just a few years old. Many protocols are not properly peer reviewed. As far as I know there's no explicit financial incentive to find flaws. Zcash has no bug bounty program. Monero has a 1,000 XMR bug bounty program. [inaudible] The bounty for counterfeiting flaws is self-executing, but not for privacy flaws. Cryptocurrency users are encouraged to verify, not trust.

[Sponsor message] Do you love coffee and Monero as much as we do? Consider making Gratuitas.org your daily cup. Pay with Monero for premium fresh beans, and if you like what you taste, send a digital cash tip directly to the farmers that made it possible. Proceeds help us grow this channel. Gratuitas and Monero. [Music]

Cryptocurrency users are encouraged to verify, not trust, the blockchain data and its cryptography. It's an ideal that is rarely achieved in practice. The Monero Research Lab has few researchers now who can write and/or evaluate mathematical security proofs of new cryptography. Mathematics at this level is extremely difficult. Understanding how something works is not the same level of knowledge as being able to discover flaws. How many engineers and scientists use calculus? How many of them can write the calculus mathematics proofs and recognize flawed proofs? Probably not many. We could be in a position where Monero users, researchers and programmers cannot verify the correctness of the cryptography Monero uses.

The Monero core team and the Monero Research Lab would like to follow the development philosophy that it is wise to start with smaller changes at first and then ramp those changes up over time, rather than start with drastic changes and try to scale them back. Monero cannot afford to be experimental. More people may rely on Monero to protect their privacy than any other private digital cash protocol. There is a moral responsibility. Monero has no non-private transaction pool like many other protocols. Coins like Zcash and Firo can quarantine possible counterfeiting exploits by their turnstile rules that prohibit more coins exiting the private pool than have entered.

In my opinion, Monero's privacy will be in a very good position once Seraphis' 128 ring size and an improved mimicking decoy selection algorithm like OSPEAD are implemented. The main attack that will remain is the EAE attack. Egger and other researchers, in the paper "On Defeating Graph Analysis of Anonymous Transactions", argued that a ring size as low as 24 would protect Monero users from a specific type of deanonymizing attack called chain reactions. I discussed skepticism of trustless global membership proofs because I want to argue that it is still worth researching improvements to the ring signature model while we wait years for the new cryptography to be battle tested.

Let's get into the research questions. How do we defeat the attacks known as poison outputs, EAE and Overseer? "We model examples where two colluding parties attempt to learn information about an individual by sending outputs to individuals and tracing their transaction graphs. These colluding parties may perform powerful statistical tests to learn significant information, especially for repeated transactions where they would not normally occur by chance." Research questions: How to formally describe the EAE attack? What is the average false positive and false negative rate of the attack? Is churning a defense against the EAE attack? For best privacy, what should the wait time between churns be? Should it match the decoy selection algorithm? When, if ever, should outputs be combined while churning? [names unclear] made some attempts at EAE research.

Remember binning. The current method: randomly choose each decoy independently. Binning: randomly choose locations for a few bins, then select decoys within those bins. The goal of binning is to provide a second layer of defense if the adversary can guess the age of the real spend. The current version of Seraphis could implement binning. Research questions: What are the costs and benefits of binning? Does binning improve privacy for some threat models but worsen privacy for others?

Improve mimicking decoy selection. Many papers argue that matching the real spend age distribution as closely as possible is very important to protect user privacy. Research questions: How to estimate the real spend age distribution of Monero users? How to fit the curve to translate the estimate into a decoy selection algorithm? Dynamic (adjusts over time) or static (remains the same over time)? Parametric (simple mathematical formula) or nonparametric (free form)? Optimal Static Parametric Estimation of Arbitrary Distributions (OSPEAD) is my own project that proposes answers to these questions.

Transaction flooding detection. Research questions: Is there a general method for detecting attempted de-anonymizing flooding episodes? Are there any viable flooding countermeasures, like a decentralized counter-flood?

More ring signature questions: Can changing the decoy selection algorithm between hard forks allow adversaries to fingerprint old/new wallet versions? How should decoys be chosen when a new transaction type is implemented, e.g. the Seraphis transaction type? Are there any big downsides to excluding coinbase outputs from the standard decoy selection algorithm? Coinbase exclusion is a planned change. Can the 10 block lock on spending new outputs be reduced or eliminated? Can wallet level changes like [name unclear]'s proposed PocketChange negatively affect user privacy?

Statistical research questions beyond ring signature issues. Transaction format strictness: variations in transaction format are a gold mine for cryptocurrency tracing. In Bitcoin-like blockchains, wallet software fingerprints can indicate when coins have changed custody. The design of Bitcoin supports a tremendous variety of possible transaction types that were designed years ago by Satoshi Nakamoto. Table from Möser and Narayanan 2022, "Resurrecting Address Clustering in Bitcoin".

Monero transaction format: loose aspects changed to strict. Could use amount-hiding RingCT or old format with transparent amounts: 2017, all transactions must use RingCT except under special circumstances. User chosen ring size: 2018, all transactions of same ring size. Custom wallet software doesn't follow 10 block lock on spending new transaction outputs: 2019, 10 block lock enforced by blockchain consensus rules. Transactions with a single output allowed, indicating a likely self-spend: 2019, all transactions must have at least two outputs, with possible zero amount outputs.

Making Monero's transaction format more strict. Custom lock time: users can prevent their transaction outputs from being spent for a custom amount of time by setting unlock_time. Downsides: code complexity, transaction fingerprinting, risk to merchants who don't check unlock time when receiving payments. Upsides: not many. Research question: can we discover any useful applications for custom lock time? The current version of Seraphis would remove the option to set a custom unlock time.

Fee discretization: the standard Monero wallet software has four fee levels, but other wallet software is free to set fees, which could accidentally fingerprint the wallet software. This actually happened with MyMonero, now fixed. The problem can be worse in Monero since it has 12 digits of precision after the decimal point; Bitcoin has eight. Current Seraphis code blockchain consensus rules would require fees that are a power of 1.5 rounded to one significant digit. Research questions: what form of discretization is best? Any potential problems with exponents? Would fee discretization create fee bubbles because users cannot select intermediate fees? How should wallet software estimate the fee needed to be included in the blockchain at high transaction volumes?

Prohibit arbitrary data in transactions using tx_extra: the Mordinals protocol created NFTs. Eliminating tx_extra does not prevent arbitrary data in transactions. Data can be injected into the parts of transactions intended for cryptographic elements, for example public keys. Research questions: can a statistical test detect and exclude arbitrary data with acceptable tradeoffs? Low power candidates: Shannon's entropy, chi-square test. High power candidates: binary matrix rank, bookstack, birthday spacings. Can cryptography be used to enforce encryption when the keys are unknown? Probably not.

Making Monero's transaction format more strict: require a standard decoy selection algorithm. Non-standard wallet software can choose decoys for ring signatures any way its developers want. Fingerprinting issue that will get worse as ring size increases: more data for ring members means greater ability to statistically distinguish them. We know that there are multiple nonstandard decoy selection algorithms being used in the wild on the Monero blockchain, including choosing ring members that directly reveal the real spend. Research questions: should a standard decoy selection algorithm be required? What are the downsides? Should the requirement be a blockchain consensus rule or just a node transaction relay rule? For example, minimum fees: relay, not consensus. New restriction on tx_extra: relay rule. If standardized, how often could the decoy selection algorithm be updated? Could you have an automatically updating algorithm based on changing aggregate user behavior, recording the algorithm in the block headers to conduct the orchestra? Could automatic updating allow adversaries to manipulate it?

Restrict number of inputs and outputs per transaction. Right now
between two 509 00:20:44,559 --> 00:20:49,360 and 16 outputs per transaction are 510 00:20:46,679 --> 00:20:51,760 allowed number of inputs are unlimited 511 00:20:49,360 --> 00:20:54,640 but transaction must fit in a single mon 512 00:20:51,760 --> 00:20:56,679 block on serapes transactions are 513 00:20:54,640 --> 00:21:00,880 proposed to have between two and 16 514 00:20:56,679 --> 00:21:02,840 outputs one to 112 inputs the number of 515 00:21:00,880 --> 00:21:05,600 inputs and outputs May reveal some 516 00:21:02,840 --> 00:21:07,200 information about the user a transaction 517 00:21:05,600 --> 00:21:09,799 with many inputs could be a merchant 518 00:21:07,200 --> 00:21:11,480 consolidating payments a transaction 519 00:21:09,799 --> 00:21:14,240 with many outputs could be an exchange 520 00:21:11,480 --> 00:21:15,720 or mining pool many inputs can reveal 521 00:21:14,240 --> 00:21:18,120 information about one user owning 522 00:21:15,720 --> 00:21:20,120 several outputs which gives more 523 00:21:18,120 --> 00:21:22,559 information than just single output 524 00:21:20,120 --> 00:21:24,679 ownership there's an extreme proposal to 525 00:21:22,559 --> 00:21:27,279 deal with the transaction on uniformity 526 00:21:24,679 --> 00:21:30,240 issue require all transactions to have 527 00:21:27,279 --> 00:21:31,799 only two input and two outputs could be 528 00:21:30,240 --> 00:21:33,760 major annoyance for entities like 529 00:21:31,799 --> 00:21:36,120 merchants and exchanges that usually use 530 00:21:33,760 --> 00:21:40,360 many inputs and outputs especially with 531 00:21:36,120 --> 00:21:42,039 the 10 block lock research questions how 532 00:21:40,360 --> 00:21:44,400 common are transactions with three or 533 00:21:42,039 --> 00:21:46,840 greater inputs and outputs in one and 534 00:21:44,400 --> 00:21:49,080 transparent blockchains what is the 535 00:21:46,840 --> 00:21:51,400 Privacy benefit of requiring two inputs 536 00:21:49,080 --> 00:21:53,279 and two 
outputs how much of an 537 00:21:51,400 --> 00:21:56,640 inconvenience would requiring two inputs 538 00:21:53,279 --> 00:21:59,880 and two outputs be dynamic block size 539 00:21:56,640 --> 00:22:01,400 and V policy Mon's Dynamic block size 540 00:21:59,880 --> 00:22:03,200 has not received the same amount of 541 00:22:01,400 --> 00:22:05,520 research scrutiny as its privacy 542 00:22:03,200 --> 00:22:07,760 features there are some graphs created 543 00:22:05,520 --> 00:22:10,159 by spackle xar that simulate the effect 544 00:22:07,760 --> 00:22:13,080 of larger transaction volumes and fees 545 00:22:10,159 --> 00:22:15,600 and the mon block size research 546 00:22:13,080 --> 00:22:17,240 questions can the dynamic block size 547 00:22:15,600 --> 00:22:19,559 parameters result in undesirable 548 00:22:17,240 --> 00:22:22,240 outcomes for example too fast or too 549 00:22:19,559 --> 00:22:24,200 slow block size increase the interaction 550 00:22:22,240 --> 00:22:25,720 of block size and Fe policy is supposed 551 00:22:24,200 --> 00:22:28,039 to adjust you to the purchasing power of 552 00:22:25,720 --> 00:22:31,159 a unit of XMR in the future a type of 553 00:22:28,039 --> 00:22:32,640 oral problem can this go wrong is it 554 00:22:31,159 --> 00:22:34,760 possible to have a fee policy that 555 00:22:32,640 --> 00:22:36,679 discourages adversarial spam but 556 00:22:34,760 --> 00:22:38,960 provides low fees for people around the 557 00:22:36,679 --> 00:22:40,640 globe the dynamic block size rules 558 00:22:38,960 --> 00:22:42,400 assume miners will choose to raise the 559 00:22:40,640 --> 00:22:45,039 block size when there's V pressure to 560 00:22:42,400 --> 00:22:47,520 maximize their profits research 561 00:22:45,039 --> 00:22:50,159 questions is Raising block size the 562 00:22:47,520 --> 00:22:52,600 economically rational choice for miners 563 00:22:50,159 --> 00:22:55,000 are miners fully rational or do they 564 00:22:52,600 --> 00:22:56,720 have bounded 
rationality I discovered 565 00:22:55,000 --> 00:22:58,480 that mining pools were leaving fees on 566 00:22:56,720 --> 00:23:00,720 the table until I informed them of their 567 00:22:58,480 --> 00:23:03,120 configuration problem the finding 568 00:23:00,720 --> 00:23:05,520 supports the hypothesis of bounded 569 00:23:03,120 --> 00:23:08,159 rationality meaning not fully rational 570 00:23:05,520 --> 00:23:11,440 with perfect information reducing mining 571 00:23:08,159 --> 00:23:13,080 pool centralization research question 572 00:23:11,440 --> 00:23:14,919 could a dynamic mining pool Fe be 573 00:23:13,080 --> 00:23:18,080 developed that would encourage miners to 574 00:23:14,919 --> 00:23:19,880 join smaller pools or P2 pool when a 575 00:23:18,080 --> 00:23:22,799 mining pool has a large percentage of 576 00:23:19,880 --> 00:23:24,240 total hash rate the M XMR pool raise 577 00:23:22,799 --> 00:23:25,679 fees when it gained a large share of 578 00:23:24,240 --> 00:23:28,200 hard rate in 579 00:23:25,679 --> 00:23:30,279 2022 the dynamic fee would require 580 00:23:28,200 --> 00:23:32,440 voluntary adoption by mining pool 581 00:23:30,279 --> 00:23:33,760 operators surprise I'm foreseeing 582 00:23:32,440 --> 00:23:36,080 research 583 00:23:33,760 --> 00:23:37,480 questions some of the best statistical 584 00:23:36,080 --> 00:23:38,960 research questions appear when you 585 00:23:37,480 --> 00:23:41,000 happen to see something unexpected in 586 00:23:38,960 --> 00:23:42,880 the data when I discovered the 587 00:23:41,000 --> 00:23:45,600 transaction confirmations could be sped 588 00:23:42,880 --> 00:23:47,640 up by 60 second I was working on 589 00:23:45,600 --> 00:23:49,919 researching feed discretization a 590 00:23:47,640 --> 00:23:52,640 completely different topic how to get to 591 00:23:49,919 --> 00:23:55,080 work on the statistical research agenda 592 00:23:52,640 --> 00:23:56,720 active mon research lab statistical 593 00:23:55,080 --> 00:23:58,400 
researchers 594 00:23:56,720 --> 00:24:01,720 MJ is 595 00:23:58,400 --> 00:24:03,400 and neptun we need more I wrote some 596 00:24:01,720 --> 00:24:05,760 thoughts on how Mana could recruit more 597 00:24:03,400 --> 00:24:07,679 researchers in a Reddit post the magic 598 00:24:05,760 --> 00:24:10,400 Manero fund put requests for research 599 00:24:07,679 --> 00:24:12,480 proposals and research Grant databases 600 00:24:10,400 --> 00:24:15,520 we may have a new research project on AE 601 00:24:12,480 --> 00:24:18,960 attack soon recruitment is hard 602 00:24:15,520 --> 00:24:18,960 questions and feedback 603 00:24:24,010 --> 00:24:29,799 [Music] 604 00:24:26,799 --> 00:24:29,799 please 605 00:24:37,590 --> 00:24:44,270 [Music]