Ladies and gentlemen, boys and girls, if you're hanging out in the hallway, you're going to want to make your way in. We've got Dr. Sarang Noether, who's going to be talking with us about ring signatures, from the looks of the title. It's this guy right here. He's a pimp, look at his gold little thing you've got going on there. He's got some sort of vibe. You guys aren't on top of the stage here with me, you can't feel this vibe. It's really, really polarizing. I want to leave the stage so that he can give all of his knowledge to us. So please, if you're out in the hall, go ahead and come on in. For those of you that are still talking, I would very kindly request you to either lower the volume a little bit and/or take the conversations outside, to be respectful to the people that are going to be listening to this talk. Sarang, you've got a full house, man, so knock it out of the park.

Hello everyone. Thank you for coming to the last talk. You're respecting my time by being here; I respect your time by trying to go a little bit early, because this conference is fantastic, but also exhausting. So I am a mathematician and researcher, and I am particularly interested in the formalization and efficiency of our transaction protocols and those of other projects as well. So today I will be talking about transaction protocols. The title was merely a ruse to excite people to get them into the talk, because it sounds exciting, but I'm actually going to talk about transaction protocols. Fortunately it will not be very technical, and the goal of this talk really is to give people a sense of what goes into blockchain-based transactions, how efficiency works on them, and how we can improve it over time, since that's always a goal.
So, a brief outline of some options that are available that Monero and other projects too might consider going to, and why they might or might not at this time. Briefly, people often say that Monero as a digital asset is CryptoNote-based, CryptoNote being the original transaction protocol that inspired Monero and a whole bunch of other assets, and it's based on that. But it's not strictly true that Monero is a CryptoNote asset anymore, so I just like to say that it uses the Monero protocol. The transaction protocol basically dictates the structure of transactions: what goes into them, what goes out of them, what math is used to verify that everything is completely kosher with a transaction in terms of balance and ownership of assets and things like that. So we've definitely moved past, as a project, the CryptoNote protocol, but most of the basic structure is still there. Some big ideas behind it: I actually don't like some of the terminology that is used a lot. The word "output" gets thrown out a lot, especially in Bitcoin-based digital assets. I don't really like that term.
I think it doesn't tell you a lot, because outputs become inputs become outputs. So I'm going to use the phrase "notes", which is something that I really like, almost like a bank note, you can think about it. Basically funds exist in these notes, or outputs, that exist on the chain. And notes in Monero, at least using the Monero protocol, are not just recipient addresses; they're actually derived from recipient addresses in a one-time-use kind of situation. The amounts of transactions are not visible in the Monero protocol, but are in fact hidden in something called a Pedersen commitment, which you can think about as an algebraic one-way hash, where the algebra works nicely enough that we can show that transactions balance, which is important: I need to make sure that funds going into a transaction are the same as funds going out. And in particular, the spends themselves are done in the Monero protocol, unlike for example Bitcoin and its derivatives, using a specified anonymity set of previous, other, arbitrary notes. So the Monero protocol does not mix funds. In the Monero protocol a particular note would be spent in a transaction, but it is basically obscured among other notes that exist on the chain that are chosen non-interactively. So it's a little bit different. A transaction basically spends a set of one or more input notes, each of which has its own anonymity set, and it generates a new set of output notes. So transactions consume notes and generate new ones; that's the idea. The idea of an account in Bitcoin or Monero doesn't really exist at the protocol level; it's just a nice bookkeeping abstraction that we use to tell you what your funds are. So what do we mean by transaction efficiency?
We care a lot about that. Well, we actually care about it in terms of not just space or time, but space-time in a physics sense. Space means, of course, that transactions take up space on the chain, and provided that everyone using the protocol is going to be doing something with the chain to verify it, that space basically ends up coming along for all time. Transactions also have a generation time and a verification time, and it's important to keep those two separate. Transaction generation time is: I want to spend some funds on the chain, so how long does it take for whatever the protocol says needs to be done mathematically to be done? In general that time is typically allowed to be long by cryptographic standards. We don't want it to be too long; I mean, initially Zcash, for example, ran into a problem where transaction generation took a long time to do, on the order of maybe 10 or 20 seconds. My personal perspective: if your transaction generation time is on the order of a second, even, that's pretty good. The average user is not going to notice that that feels like a long time. But verification time is something that we do care a lot about, because if you're validating the entire chain of transactions, you need to operate on each individual one. Even if a particular transaction takes a hundred milliseconds to verify, if you have to do that 10 million times...
Well, that's a long time. However, in some transaction protocols we can do something called batching, which is kind of cool. Monero currently doesn't do this with its full transaction protocol, but the idea is that in some protocols you can take a bunch of transactions and operate on and verify them all at once, in a way that's much faster than doing them independently and linearly. The trouble, of course, as I said, is that transactions take up space-time, and in particular every input note to a transaction has a particular anonymity set, and it also has to have an authorizing signature showing that it is intended to be spent in a transaction. Output notes that are generated have a host of other data, auxiliary data, that are associated with them and are needed for proper verification. And of course signatures and all the proofs and everything that we're packing into this big transaction structure have to be verified by the network, so time comes into play. So ideally what we'd want to do from a privacy perspective in these projects and assets is increase anonymity. Well, in some sense that's an easy parameter to change. In Monero we have a parameter called the ring size, which is how large the anonymity set of every spent note is, and in theory that's just a network parameter that we could change in the code at any time. But the trade-off is space-time: if we were to increase that hugely, you'd end up taking up a lot more space for each transaction, and generation and verification would become very unwieldy.
So you can't get everything you want for free. So let's look at several big ideas that have been floating around. I often get asked, "Oh, I see all these things, you know, in the news," whatever that means for you in the crypto sense, "but I'm not really sure what they are, how they interact, why we are or are not using these." So let's go through them alphabetically. One of them is called CLSAG; that was partially developed in-house along with some other folks. RandomRun was the one who came up with it. DLSAG is one that we've been working on with Pedro Moreno-Sanchez and other collaborators. And several others came from elsewhere: Lelantus, Omniring and RingCT3. Each of them takes a much different approach toward better scaling with improved anonymity, ideally, but there's different sets of trade-offs. So this is not going to be a comprehensive dive into any of these, but just a basic overview of what's available as a potential future for digital assets like Monero. Keep in mind, as I had said, the way that Monero's ring signatures currently work is that you have this signature structure that does some cryptographic magic. What goes into it are the input notes, a true spend and a bunch of decoys that are just thrown around, and some additional hidden amount data goes in. What also pops out is what's called a tag, and the tag is basically used to detect double-spending, because remember, there's some kind of obscurity from the spending going on here. So if two transactions popped out the same tag, you'd be able to detect a double spend. So the whole signature operation has to prove that you own a note that you're spending, it has to assert that the transaction balances in a hidden way, and it must prevent double spending. And in our current case, a transaction may actually have several signatures if I'm spending several input notes.
This is why the scaling gets pretty bad sometimes. But a modification of our current signature scheme, this modification is called CLSAG, and there's a longer name for it that I'm not going to bother saying, basically does the same kind of ring signature stuff that we do right now. But the benefit is that through some cleverer compression that this guy RandomRun came up with, and that we worked on, it basically ends up meaning that the transaction and the signature end up being much smaller on the chain. The signature size drops by about half, which is fantastic, and it's faster to verify, not quite by the same amount but still faster to verify, and in fact to generate. So you basically get all of this stuff for free. The downside is it only works for reasonable anonymity set sizes. Right now Monero's anonymity set size is 11, so basically any spend, absent external information, spends one out of 11 notes, and you really can't increase that much with this scheme. So we really couldn't increase the anonymity very much; we could do it marginally without any added cost in space and time. The benefit, though, is we do have formal security proofs for it, and that means that it's essentially a faster and smaller drop-in replacement for the current ring signature scheme with provable security, which is frankly pretty tough to do sometimes. No real downsides. And the status right now:
We have a pre-print paper available for this, hopefully going to be getting it peer reviewed and audited. We have had some folks looking at it, which is a good start, and in fact code is ready to go for this. So this is something we'd like to deploy. Another new signature scheme, called DLSAG, actually changes the structure of Monero's outputs and the ring signature in not huge ways, but enough ways to make it a little bit more challenging. The benefit to this scheme is that besides showing all the other stuff that we like, like balance and things like this, it could also enable such things as refund transactions, non-interactively. There's some stuff involving payment channel networks that we could enable, and very limited kinds of atomic swaps that depend very heavily on curve choice and stuff. But the downside to that is, the way the scheme is set up right now, it would enable a particular kind of tracing where you could detect when certain spends occur, and this would mean that effectively, if you receive funds, you'd have to spend them to yourself in order to break that linkage. And the downside from scaling is you really couldn't do anything to increase anonymity for free. So you'd effectively open the door to things like off-chain functionality, which is pretty great, but at some cost involving self-spending and certain kinds of migrating output pools. That's a little bit tricky. However, a pre-print is available, and we're just hoping that there may be a solution to the tracing problem involved with that, to enable the cool functionality that we like. Another one, and the authors of this paper are actually here in the village at some point,
I think somewhere. But it's a protocol called Lelantus, and this is actually based on the Zerocoin protocol that's been used in other assets. This was designed by and for the Zcoin asset, in fact, but the paper is publicly available. It uses a very, very different kind of authorizing spend proof than Monero uses right now, and one that we may consider moving to. It turns out there's another auxiliary proof that you need besides the spend proof, called a range proof, and for that we could actually reuse existing, fairly efficient code that we already have. I personally like Lelantus because the spend proofs become very, very small and efficient even at extremely large anonymity set sizes; we're talking on the order of a hundred or a thousand notes instead of around the order of ten notes. But the downside, similar to DLSAG, is it requires a self-spend operation to avoid someone being able to detect when a spend has occurred. There's a limited amount of information that's leaked there, but it's still leaked. So effectively you'd get pretty high anonymity sets, you get very efficient proofs, but at the cost of this whole self-spend operation. But it's very promising, and I think it's actually a really clever approach. I know Zcoin has some code in progress, and we on the Monero side have also been working on some prototyping code just to test it out. Another one that came out very recently:
It's called Omniring. This was actually designed with Monero in mind, as far as I know, but it's basically a transaction protocol that is based on some ideas from the Bulletproofs range proof protocol that we already had integrated for a separate protocol, and it effectively uses one big single integrated proof for all spending: it handles spending, it handles balance and all of our auxiliary data, all tied up into this neat, efficient package. It's kind of cool, and the reason I like it is because, much like Lelantus, you get very, very small proofs, and you don't even need to migrate over output pools. You can reuse the same data that's already on the chain in terms of decoys in a really small, neat way. But the downside is the cost of speed: Omniring transactions would be slower than what we're dealing with right now. And I mentioned something called batching before, where in certain schemes you can efficiently verify many transactions all at the same time, and right now you can't do that with Omniring. So the scaling is really good for space, but it's not very good in terms of time. Everything else about it is pretty great, though, because you'd be able to get large anonymity sets without sacrificing size very much. So right now,
I know the team is working on ways to allow basically either batching, or separating out some of the inefficient parts in a way that maybe could be batched later. So this one's still very much in progress, but also very promising. And the last big one that came out was called RingCT 3.0, RingCT3 for short. It is a transaction protocol that at first blush looks like Omniring. It also uses some ideas from this Bulletproofs scheme that came out of Stanford, but it's definitely much simpler in structure, and in fact uses separate proofs for spending instead of Omniring's one compact single proof. So much like Omniring, though, it would allow for very small spend proofs at fairly high anonymity sets. The reason I like it is because it can be made efficient through batching, unlike Omniring right now, but at the cost of some migration stuff that may involve some tricky situations later. Another downside is there are some questions that remain on some of the security proofs that are still being worked on. But much like Omniring, it's a clever design, small proofs; in theory it's actually quite efficient if you can batch it, and there is prototype code actually available for this too. And we're still looking into some of the proofs along with some other cryptographers. So what does this all mean? That was all words; this is a picture. This is a table comparing what I think right now is the current status of a lot of proposed transaction protocols that could allow for different anonymity sets.
So with several of these we can get large anonymity sets, which is good, whereas some of the other ones that we were originally looking at keep them fairly small, the way we have them right now. Batching is something we want to be able to do. It means that you can take a bunch of transactions and very quickly and efficiently verify them, much more quickly than you could on their own. It's a mixed bag whether or not you can do this; a couple of proposals, like Lelantus and RingCT3, do let you do this. Whether or not we'd have to do what's called a migration is also important. Migration would mean that you'd effectively have to have a cutoff point after which new transactions must use the new protocol, and you can't use decoys from old transactions. It's not really a game changer whether or not you have to do this, but ideally we would like to not have to do it, and CLSAG and Omniring are the only ones right now that would not require such a thing. There's some tracing issues with DLSAG and Lelantus that I think are more or less show stoppers unless we can solve them. And finally, some of them do have code available, but that's obviously not a show stopper. My conclusion to this is, despite the fact that we have a lot of really interesting options, as you can see from this table, it's a mixed bag. I don't see there being a definite clear winner at this point that gives us everything we want: a high-end anonymity set, small proofs, efficient proofs, no real downsides. However, I can say that right now CLSAG, provided it passes audits, which are looking like they will probably be pretty good so far, definitely will go through as a current drop-in replacement for what we have now. The code is very, very simple, and despite the fact that it doesn't really increase anonymity or allow batching, it doesn't require migration, there is no tracing,
we have code for it, and it is more efficient, just slightly though. But I always get asked, "What about zero-knowledge stuff? That's surely a thing you want to do, something something." So what about ZK-STARKs or ZK-SNARKs or whatever the latest thing is that sounds like that? My motto for all this stuff is that these sorts of things you often hear about, and there's many different instantiations and constructions for things that involve general zero-knowledge proving systems, those are proving systems. A proving system basically lets you take certain kinds of mathematical statements and show that they are true or valid in some way without revealing too much information about them. That's a proving system. A proving system is not a transaction protocol. These things are transaction protocols, so they dictate how to take outputs or notes on the chain and spend them and authorize their signing and things like that. These are just proving systems. A proving system is like a language: you effectively have to have something to say in that language, otherwise the language itself is not useful. And right now the most efficient ways that we can do these sorts of general zero-knowledge proving systems generally require a lot of centralized trust. So the big asset that uses this right now, of course, is Zcash, and the instantiation of ZK-SNARKs Zcash uses right now gets a lot of efficiency, so things have become quite fast in Zcash and quite small. But you have to do a deal with the math devil, and the deal with the math devil that you have to do involves centralized trust. And that's something that if you're okay with, great, you get fantastic efficiency, and Zcash does a good job with their transaction protocol on that. But if you're not willing to accept that kind of centralized trust, like I would say most other projects and assets, then you don't really get to use that. And unfortunately, right now, building complete transaction protocols on generalized
zero-knowledge proving systems, you have to sacrifice. There are a few trustless ones, but they're just not quite efficient enough. So that's the status of that, and why right now we can't really move to a generalized ZK system. It's unfortunate, but hopefully someday we can. So what is actually next? Well, we'd like to audit and deploy the CLSAG signature scheme, which will make transactions smaller and a little bit faster, which is great. Hopefully try to work on some of the DLSAG and Lelantus tracing issues. Remember, DLSAG could enable things like payment channels, which would be nice; Lelantus would allow for much larger anonymity set sizes. With Omniring, which is nice because it maintains a lot of Monero similarities, if we can get batching working on that so it's efficient enough, or possibly proof splitting, then it would potentially be a pretty likely candidate to go in as a transaction protocol. And for RingCT3, it's really a question right now of making sure that the security proofs on it are nice and solid. But the motto of all this, if you take anything away, should be that transaction protocols are very subtle and they're very, very tricky. That table should hopefully have told you that you don't really get everything for free. While it would be fantastic, I don't think anyone's really fully solved the idea of something that is trustless and efficient in every way. The goal is to try to iterate and get better, and these protocols all definitely do that, but in different ways. So do we have time for questions, folks in the back? We do, awesome. So I guess if there's any questions on this,
I am very happy to answer them, or we could just end early. Yes? Oh, so view key functionality for things like auditing. Right, so in Monero, of course, if you were at one of the earlier talks, you basically have two keys: you have a spending key and a viewing key. You can provide the viewing key to, say, an auditor or someone else, so they'd be able to watch for transactions on your behalf, but they can't spend those transactions. This can be useful for many reasons. Some of these protocols do in fact permit that. So for example CLSAG and DLSAG would, Omniring also would, RingCT3 could also have this enabled, and Lelantus I don't believe has any such functionality built in. So the answer is mostly. The nice thing is some of these protocols are in fact neatly abstract enough that you can just port over the kind of view key functionality that you would want in a really clean way. Yeah. Yeah, that's a good point. So the question was about whether or not this whole idea of migration would require users to take action to avoid losing funds. The answer is no, it wouldn't; I definitely should have clarified that more. So when I say migration, what I mean is that effectively you have a cutoff point, and new transactions would only be able to use the members of an anonymity set that were from that new protocol, whereas if you had old funds from before you could use the new protocol, you'd basically have to do a migration transaction to move the funds over to the new pool. I do not think that there would ever be any issue where funds could become unspendable. It would just mean that there's effectively a small added step in there for technical reasons. Ideally we don't like to do this, because ideally you'd have the anonymity set be as widely available as possible. But no, I don't foresee there being a situation where funds would be unspendable.
That's not very good for sound money. Yes? Yeah, and I should say that I'm not the one who makes these decisions. I just build math, and then I tell people if I think the math is good or bad. Yeah, I speak only for myself with any of this stuff, because I work independently. Well, so I mean the Monero project has historically iterated on things as they get better, so picking something and staying with it is a very, very tall order, and it's not something necessarily done. So for example, moving to CLSAG: if one of these other protocols were fantastic and ready right now, I don't think I would even consider CLSAG as a viable option for it. But it's something that is a small enough change at a technical and coding level that it could reasonably be adopted very, very soon, while we sort of work on solving some of the issues with these other protocols. So is that good for technical debt or bad for technical debt? I mean, you've got to make your sacrifices, right? But, yeah, right now I'm very excited about CLSAG. So again, I don't make these decisions, but I like it. I think it's good to go. Yes? So for RingCT3, I mean, provided that it was shown to be, provided that all the proofs end up working out.
Okay, but again, I should point out too that none of these papers have been peer reviewed. So these are all pre-prints, which, to be very, very clear, anyone can put a pre-print out, literally anyone. Getting peer review, by the way, is more challenging than you expect. So provided that any of these schemes are shown to be sound, then it's just a matter of what the coding is going to look like. So RingCT3 is fairly simple and straightforward, Lelantus slightly less so in comparison, and Omniring is probably the most complex of all of them. But if folks were really interested in them and worked hard, that could be on the order of a year or two years, but I'd hesitate to put a number on that, because you never know. Yeah, and again, if you're waiting on peer review, who the heck knows, it could be a very long process. Someone's back there. Yeah. No, the protocol itself was called CryptoNote, and it was also a pseudonymous paper, akin to how Nakamoto's paper was. Um, yeah, but it's a separate code base; it was migrated over from other assets originally that just used a CryptoNote-based code base, and it's just since been migrated much further than that with other additions. Oh, man. CryptoNote was the transaction protocol, and CryptoNight was the original proof-of-work algorithm, yeah, conveniently almost identical names. But again, now the Monero protocol has definitely moved far enough away that I would say it has a CryptoNote heritage, but it's quite different now. I thought there was another hand there. Sure. Oh, I guess I don't quite follow. What do you mean? Oh, sure. So if I added the Monero protocol in here right now... Oh, I should have done that.
Oh, man. Right now I would say the anonymity set is quite small, on the order of, and again it's a network parameter, but on the order of about ten notes for anonymity. Batchable: it is currently not batchable; some parts of it involving range proofs are very, very batchable, but signatures are not batchable at all. In terms of migration, there was sort of a migration when we moved to our confidential transaction model, but it was a pretty clean one. Tracing: as far as we know it does not have any. And of course we have code for it. There's a question up here first. In what way? I mean, I don't really do a lot of the day-to-day, in-the-trenches development, but there's a large number of contributors. I would say if you were to plot out the number of commits per contributor, there's several folks who do, I would say, the majority of commits, which is probably true for any project. But I would say honestly right now a lot of it is... I mean, ideally, if we could get more developers who were magically willing to devote large amounts of time to doing development, that would be pretty fantastic. But again, the majority of people who do so just do so because it's an open-source project, and probably can't devote that much time to it. Unless you meant something else? Oh, I see, seriously, like how do you actually encourage people to come in and do such a thing? I would say in general a lot of it just has to do with what kind of community you choose to build, which is an ongoing problem, right?
I mean, the development in Zcash tends to be very, very centralized, and a lot of what they do ends up being more complicated because their transaction protocol is much more complex. I don't really have a great answer to that question; again, I don't do a lot of the day-to-day development on this, I do a lot more on the math side. But I think what would be nice is if it were much more clear what small tasks remained open, so that people can have a better sense of what they might be diving into for a particular problem. And, man, maybe folks aren't very good at doing that right now. So I don't know if that answers your question. And I would say even on the math side, right, it's often good to step back and be like, okay, what are some problems that need to be solved right now, how neatly contained are they, and what would be the time and knowledge commitment required to solve them? And it's tough, right, because no one wants to be the one to maintain that list, which is... I don't want to maintain that list. There was a question in the back, I think, first. Yeah, becoming a what? Oh, you're talking about the formalization of it as a protocol, so in terms of very, very formal protocol analysis. Yeah, I mean formal protocol documentation has been severely lacking for a long time, and there's steps to try to get at least a bare-bones protocol in place. But one of the big problems is that it iterates so quickly, and even the base stuff that we have right now needs massive updating, and no one really wants to write the documentation. So it's really not there yet. I personally would like to see it there, but again, I don't run the show. So you're talking about how do you determine what the optimal anonymity set is?
Yeah, I mean, bigger is better, right? And so you're talking about the, I'll say complaints that we get, because they're valid, about the fact that decoy-based privacy like Monero uses is in many ways inferior to having a full anonymity set like something like Zcash has, which in some sense is true. But I also don't want to say that having a full anonymity set is this magic bullet that solves all your problems. There are all sorts... there's network metadata that floats around, there's other transaction metadata that floats around. Zcash has transaction metadata too; folks maybe don't talk about it as much, but they do too. But it is absolutely true that certain kinds of analysis that are possible with decoy-based assets like Monero are because the anonymity set is small. Anecdotally, I would say the numbers we've been throwing around are like two orders of magnitude differences. So we're like O(10) right now; we're thinking once you get to perhaps O(100), then you start getting a lot of diffusion in your transaction graph that I would estimate would probably reduce the effects of that kind of analysis. But again, that's not the only thing that you have to care about; there's plenty of other metadata that's floating around that's very, very tricky to get rid of. So Dandelion.
Yeah, yes. So in terms of network-level stuff, the big goal is to be able to allow for much better support for running over Tor, running over I2P, and running Dandelion-style routing. But running Dandelion-style routing where some folks are running over just plain old internet, some folks are running over Tor and some over I2P is surprisingly tricky, and we've had some folks who've been looking very, very deeply into doing that. So the plan is to integrate such things, but it has to be done carefully. And again, running over Tor doesn't magically mean that there's no metadata floating around either. So none of this stuff is a silver bullet; it's very, very layered and very, very complex to integrate properly. Yeah, what's the next level? I would say having something like this, being able to have much more efficient transactions at a much higher anonymity set size, what is that going to do? I don't know. I mean, right now it's usable. It's usable right now, but there's plenty of analysis that works on it, right? And it'd be nice to not have that analysis work anymore. If one person can do the analysis, any person can do the analysis, and I don't want the bad guys being able to do that analysis either and put people in danger. All right, that's plenty of questions. We'll just go ahead and stop. All right. Well, thank you for indulging me in speaking here.
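The balance check the speaker describes for Pedersen commitments ("an algebraic one-way hash where the algebra works nicely enough that we can show that transactions balance"), as an added worked example that is not part of the talk or of Monero's own code base. It swaps the Ed25519 curve Monero uses for a small toy prime-order subgroup of the integers modulo a safe prime (generated at import), written multiplicatively; the generator names `G` and `H`, the hash-to-scalar construction, and every amount and blinding factor are constructed for this example. It shows the homomorphism, how a verifier checks that inputs equal outputs plus a plaintext fee without ever seeing an amount, and that a transaction whose hidden amounts do not balance is rejected.

```python
"""Toy Pedersen commitments and a hidden-amount balance proof.

Added example (not from the talk or the Monero code base). Monero does this
on the Ed25519 curve; here the group is a ~64-bit prime-order subgroup of the
integers mod a safe prime so it runs in plain Python. Same algebra:
commitments are homomorphic, so balance can be checked without amounts."""
import hashlib
import secrets


def is_prime(n):
    """Deterministic Miller-Rabin; exact for n < 3.3e24 (covers 64-bit)."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime(start):
    """Return (p, q): smallest q >= start with q and p = 2q+1 both prime."""
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q


P, Q = safe_prime(1 << 62)     # constructed toy parameters (Monero: Ed25519)
G = 4                          # a quadratic residue, so it has prime order Q
# Second generator with no known discrete log to G: derived by hashing, as
# real schemes do with hash-to-point; squaring lands it in the order-Q group.
H = pow(int.from_bytes(hashlib.sha256(b"pedersen-H").digest(), "big") % P, 2, P)
assert H not in (0, 1)


def commit(value, blinding):
    """Pedersen commitment C = G^value * H^blinding.

    Generic notation; Monero's papers write the amount on H and the
    blinding on G, which changes nothing about the homomorphism."""
    return pow(G, value, P) * pow(H, blinding, P) % P


def hash_to_scalar(*parts):
    """Fiat-Shamir challenge (constructed encoding, not Monero's)."""
    data = b"|".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def excess(in_commits, out_commits, fee):
    """E = prod(C_in) / (prod(C_out) * G^fee), plaintext fee folded in.

    If the hidden amounts balance, E = H^z with z = sum(r_in) - sum(r_out);
    if they don't, E also carries G^delta for delta != 0, and proving it is a
    pure power of H would require knowing log_G(H)."""
    num, den = 1, pow(G, fee, P)
    for c in in_commits:
        num = num * c % P
    for c in out_commits:
        den = den * c % P
    return num * pow(den, P - 2, P) % P     # Fermat inverse, P is prime


def prove_balance(in_commits, out_commits, fee, z):
    """Schnorr proof of knowledge of z such that excess(...) == H^z."""
    e = excess(in_commits, out_commits, fee)
    k = secrets.randbelow(Q)
    big_r = pow(H, k, P)
    c = hash_to_scalar(e, big_r)
    return big_r, (k + c * z) % Q


def verify_balance(in_commits, out_commits, fee, proof):
    """Verifier sees only commitments, fee and the proof; never an amount."""
    e = excess(in_commits, out_commits, fee)
    big_r, s = proof
    c = hash_to_scalar(e, big_r)
    return pow(H, s, P) == big_r * pow(e, c, P) % P


def demo():
    """Constructed sample: spend notes worth 7 and 5 into 9 and 2 plus fee 1."""
    ins = [(7, secrets.randbelow(Q)), (5, secrets.randbelow(Q))]
    outs = [(9, secrets.randbelow(Q)), (2, secrets.randbelow(Q))]
    fee = 1
    in_c = [commit(v, r) for v, r in ins]
    out_c = [commit(v, r) for v, r in outs]
    z = (sum(r for _, r in ins) - sum(r for _, r in outs)) % Q
    honest = verify_balance(in_c, out_c, fee, prove_balance(in_c, out_c, fee, z))
    # Same blinding factors but outputs now total 13 > 12: the excess is no
    # longer a pure power of H, so the verifier rejects the proof.
    bad_c = [commit(10, outs[0][1]), commit(2, outs[1][1])]
    inflated = verify_balance(in_c, bad_c, fee, prove_balance(in_c, bad_c, fee, z))
    return honest, inflated


if __name__ == "__main__":
    print(demo())   # (True, False)
```

The verifier's entire check is one equation over commitments, which is what makes the "hidden amounts still balance" property cheap to verify and why range proofs are a separate piece: nothing here stops a negative (wrapped-around) amount, so a real protocol pairs this with a range proof on every output, as the talk mentions.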