
Open Research Questions

Status: Open. Rucknium opened this issue 4 years ago · 11 comments

This is an effort to construct a list of open research questions relevant to Monero, as discussed in a recent MRL meeting. The purpose of this list is to:

  1. Prioritize MRL efforts
  2. Inform external researchers of key Monero questions
  3. Maybe serve as a basis for Request For Proposal-style grantmaking in the future

This effort was in part inspired by a similar list put together by Grin.

Cat = Category. The categories are Privacy, Scaling, Decentralization, and User experience. Imp = Impact, a subjective 1-10 measure of how important resolving the question is for Monero's goals. Dif = Difficulty, a subjective 1-10 measure of how difficult resolving the question may be.

A collection of Monero-related research papers is available at MoneroResearch.info.

This list is a work in progress. Please give feedback below, including additional questions that should be added.

| Question | Cat | Imp | Dif | Work in Progress | Links |
|---|---|---|---|---|---|
| Increase ring size | P,S | 8 | 8 | Seraphis; Triptych | #91; #92 |
| Decoy selection algorithm (DSA) that closely matches the real spend age distribution | P | 8 | 6 | OSPEAD; Dynamic; Nonparametric | #93; #86 |
| Advisability and feasibility of enforcement of DSA at the node and/or consensus level | P,D | 6 | 4 | | #87 |
| Advisability and implementation of binning for the DSA | P | 6 | 4 | @j-berman's implementation | #84; #88 |
| Decoy selection when transitioning transaction types | P | 6 | 5 | | |
| Advisability of churning and churning best practices | P,S,U | 7 | 5 | | |
| Defend against the Overseer Attack | P | 7 | 9 | | |
| Defend against the Flashlight/Poisoned Outputs/EAE/EABE Attack | P | 7 | 9 | | ; ; |
| Defend against the Tainted Dust Attack | P | 7 | 9 | | |
| Cross-ring output collisions: implications and solutions | P | 2 | 3 | | |
| Faster syncing of non-custodial wallets | S,U | 7 | 8 | View Tags | #73; |
| Reducing or eliminating 10 block lock with acceptable drawbacks | S,U | 9 | 7 | | #85; #95; #102; ; |
| Increase mining decentralization | S,D | 7 | 7 | p2pool; SolOptXMR | |
| Determine if miners increasing block size is incentive-compatible from a game theory perspective | S,D | 5 | 6 | | ; ; ; |
| Payment channels | S,U | 6 | 7 | Grease | ; ; ; ; |
| Layer 2 solutions | P,S,D,U | 8 | 9 | | |
| Atomic swaps with every coin ever | D,U | 8 | 8 | BTC; ETH; BCH | ; ; ; ; |
| Pruning of spent outputs | S,D | 7 | 8 | | #69; https://github.com/zcash/zcash/issues/4946 |
| Private, untraceable transactions without ring signatures, but with acceptable tradeoffs | P | 10 | 10 | FCMP | ; #100 |
| Post-quantum Security & Privacy | P | 9 | 10 | | ; ; ; #105 |

Rucknium, Nov 18 '21 20:11

@Rucknium can we bump the importance of the 10-block-lock problem up to 9? The inability to spend unconfirmed coins is a massive pain point in Monero for a large number of reasons, ranging from basic consumer needs like buying two cups of coffee in the span of less than 20 minutes to enterprise applications like multisignature non-custodial service optimizations, so it seems more important than layer 2 solutions or swaps.

LocalMonero, Jan 04 '22 01:01

@LocalMonero Sure. Done.

Rucknium, Jan 04 '22 01:01

Suggestion: use polling to estimate user experience impact. Although for the other categories I think the Monero research lab are the experts, user experience is more subjective. For example, polling could be advertised on Reddit, on IRC, or even in popular wallets. It would be completely optional, of course. As part of the polling, we could also ask how heavy of a Monero user someone is, how tech savvy they are, etc., to see how it correlates to the questions.

ChristopherKing42, Jan 11 '22 15:01

@LocalMonero

> for a large number of reasons, ranging from basic consumer needs like buying two cups of coffee in the span of less than 20 minutes to enterprise applications like multisignature non-custodial service optimizations, so it seems more important than layer 2 solutions or swaps.

I don't understand. It seems that layer 2 solutions would also solve that and any other problems caused by the 10 block limit, so it would be strictly less impactful.

ChristopherKing42, Jan 11 '22 20:01

A follow-up question related to the DSA: what are (if any) the side-effects of hardforks/changes in the transaction protocol on the DSA, both in the short term (the initial transactions happening right after a fork) and in the long term (a very old output being upgraded to a newer format)?

endorxmr, Apr 03 '22 14:04

@endorxmr : If the transaction format changes completely, like it will with Seraphis, then yes there are tricky issues around decoy selection. I'm not sure of all the details, but yes there will be a discontinuity and yes we will have to figure out how to deal with it so as to maximally protect user privacy. @UkoeHB , could you clarify this point?

Rucknium, Apr 13 '22 18:04

@Rucknium After the hardfork, new transactions spending new outputs will only be able to use new outputs as ring members. 'Transition' transactions will spend old outputs and create new outputs. Those txs will only use old outputs for ring members.

UkoeHB, Apr 13 '22 19:04

@Rucknium Another information leak is 'when a tx is constructed'. This has two vectors: decoy selection (solvable with Seraphis, where you can defer making membership proofs until right before tx submission), and fee granularity (see this analysis; mitigable by discretizing fees).

Fees can also lead to tx fingerprinting, which is also mitigated with discretization.

UkoeHB, Apr 18 '22 16:04
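A toy model of the fee-granularity leak described in the comment above and of discretization as the mitigation (an added example, not code from this thread or from Monero). The per-block fee estimates, the tx weights and the "round up to two significant digits" rule are constructed assumptions for illustration, not Monero's actual fee logic.

```python
"""Toy model: exact fees fingerprint a tx and reveal when it was built;
rounding fees to a coarse grid merges many txs into one fee value.
All numbers and the rounding rule are constructed assumptions."""
from collections import Counter

# Constructed per-block fee estimates (atomic units per byte), index = block.
FEE_PER_BYTE_BY_BLOCK = [20000, 20040, 20110, 19980, 20200]


def exact_fee(fee_per_byte: int, tx_weight: int) -> int:
    """Fee paid when a wallet charges precisely its current estimate."""
    return fee_per_byte * tx_weight


def discretize_fee(fee: int, sig_digits: int = 2) -> int:
    """Round a fee UP to `sig_digits` significant decimal digits (assumed scheme)."""
    if fee <= 0:
        return fee
    unit = 10 ** max(len(str(fee)) - sig_digits, 0)
    return -(-fee // unit) * unit  # ceiling to a multiple of `unit`


def candidate_blocks(observed_fee: int, tx_weight: int, discretized: bool) -> set:
    """Blocks whose estimate could have produced `observed_fee` for this weight.
    Models what an on-chain observer learns about *when* the tx was constructed:
    a singleton set means the construction block is fully revealed."""
    blocks = set()
    for b, rate in enumerate(FEE_PER_BYTE_BY_BLOCK):
        f = exact_fee(rate, tx_weight)
        if discretized:
            f = discretize_fee(f)
        if f == observed_fee:
            blocks.add(b)
    return blocks


def fee_anonymity_sets(txs, discretized: bool) -> Counter:
    """Count txs per on-chain fee value; bigger buckets mean less fingerprinting.
    `txs` is a list of (block_built, tx_weight) pairs (constructed sample)."""
    fees = []
    for b, w in txs:
        f = exact_fee(FEE_PER_BYTE_BY_BLOCK[b], w)
        fees.append(discretize_fee(f) if discretized else f)
    return Counter(fees)


if __name__ == "__main__":
    TXS = [(0, 1500), (1, 1510), (2, 1490), (3, 1500), (4, 1505)]  # constructed
    print("exact:      ", dict(fee_anonymity_sets(TXS, False)))   # 5 distinct fees
    print("discretized:", dict(fee_anonymity_sets(TXS, True)))    # 2 distinct fees
    print(candidate_blocks(exact_fee(20040, 1510), 1510, False))  # {1}
    print(candidate_blocks(discretize_fee(exact_fee(20040, 1510)), 1510, True))
```

With exact fees every sample tx has a unique fee and its construction block is recoverable; after rounding, the five txs share two fee values and the rounded fee is consistent with every block in the window.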

Should we add these to the roadmap page?

HardenedSteel, Feb 27 '23 12:02

@Rucknium inspired by the latest MRL meeting, could you add "Post-quantum cryptography"? And here's a would-be (to-be?) MRL paper as a related resource:

Corbo, Krawiec-Thayer, Goodell: Evaluating cryptocurrency security and privacy in a post-quantum world

And what do you think about renaming "Private, untraceable transactions without ring signatures, but with acceptable tradeoffs" to "Global anonymity set with acceptable tradeoffs"? IMHO it describes the goal better.

And a resource for payment channels:

Sui, Liu, Yu, Qin: MoNet: A Fast Payment Channel Network for Scriptless Cryptocurrency Monero

chaserene, May 04 '23 00:05

Also this merge request to the post-quantum MRL paper's CCS, and especially this comment:

https://repo.getmonero.org/monero-project/ccs-proposals/-/merge_requests/142#note_10181

Edit: and these as well:

koe: Implementing Seraphis (section 8.7, Forward secrecy against DLP-solver) (obviously the section may change in the future because the paper is a draft as of now)

tevador: Zero-cost post-quantum mitigations for Seraphis

Edit 2:

tevador: Consider Switch commitments for future supply security (#105)

chaserene, May 04 '23 01:05