00:39:10 Zero to Monero 2.0 most recent edition? 00:47:27 yes 00:52:58 ty UkoeHB 13:41:12 So I just found this: 13:41:12 https://www.cyphermarket.com/monero-research-lab/ 13:41:52 I especially enjoy the MRL Molotov. Tossing truth bombs all over the place 😆 14:47:25 Updated pre-print with security proofs is available now for Lelantus Spark: https://eprint.iacr.org/2021/1173.pdf 14:47:25 Also available on Github, but IACR should be viewed as canonical. 15:24:27 amazing news 15:55:41 @Halver[m] Got it from the monero database that @neptune maintains 16:01:02 "@Halver[m] Got it from the..." <- Thanks isthmus . 16:01:02 I profit for a silly question : how is it possible for a tx to have more than 11 outputs ? 16:01:02 Are such txs done with unofficial wallets ? 16:01:46 The current protocol allows up to 16 outputs (correspondingly, I think the core wallet would let you send to 15 recipients + change) 16:02:15 So the peak at 16 makes sense, people maxing out the allowed number of recipients 16:03:00 The prevalence of 11 outputs is odd. It could be an unofficial wallet, OR it could be a script/wrapper/whatever around the core wallet that simply batches by 10+change and doesn't take advantage of the full 16 allowed by the protocol 16:03:28 outputs |= ring members 16:05:52 nioc: Indeed, I was making this mistake. 16:05:52 If I'm correct the number of ring members is fixed, at 11 atm, 16:05:52 and it is also mandatory to be accepted in the blockchain ? 16:06:24 correct 16:08:24 "The prevalence of 11 outputs..." <- I guess only a mining pool (old) script could generate such a volume ? 16:08:53 if every transaction returned change split into 15 seperate outputs would that have a net positive for privacy? 16:12:52 If the source of the 11 output txns switched to making 16 output txns it would be a very good thing to reduce how much their transactions stand out 16:13:08 (if we can figure out who/what is behind it, I would politely contact them with a note about updating their max outputs value) 16:13:53 The plot above is a log y-scale, so that peak at 11 is way bigger than it looks (essentially an order of magnitude over the surrounding output count values) 16:15:28 There will always be a bunch of transactions with 2 outputs from day-to-day users, and a bunch of transactions that max out the output count of the protocol (currently 16) for things like batched payouts. So if transactions can pick one or the other and blend into there would be best 16:15:44 I've pondered the notion of requiring #outputs to be a power of 2 16:16:05 So if you have a 6 output transaction (including change) you would just add 2 dummy outputs so that you're at 2^3=8 16:16:19 Rucknium: Isn't there a meeting programmed at 17:00 UTC today ? 16:18:16 isthmus: What would be the benefits ? 16:18:31 yes 40mins 16:19:38 It would prevent goofy stuff like some pool generating thousands upon thousands of N=11 outputs that can be traced to each other and ruled out as decoys from other rings :- P 16:19:52 UkoeHB: ah, so my UTC shown time must be wrong 16:22:29 unless I am crazy, it is 16:20 UTC right now 16:23:23 No. You're right, and I was wrong. 16:28:20 "if every transaction returned..." <- Net privacy win, but a block chain bloating problem 16:28:53 Or maybe not 16:30:08 bigger problem is scanning times to find owned outputs 16:35:33 I don't think it's necessarily a net win for privacy if every tx created 16 outputs. I think you'd likely end up having more tx's that have >1 ring with members from the same tx that way (unless all wallets actively prevent this), which makes it easier to identify those outputs as real 16:38:21 jberman: if that's the norm though, wouldn't it make it basically a wash? Why should anyone send more than 1 output to themselves or another person in normal use? 16:38:31 minko comes to mind, but that's the only legitimate example I've seen 16:38:55 I see 16 out as a net privacy win, but at relatively significant cost 16:39:18 there was an idea earlier for allowing either 2 out or 16 out only, but that's probably not flexible enough 16:44:09 If you have 2 rings in your tx, and both rings reference distinct outputs from the same tx, it's pretty clear that those are the outputs being spent, regardless of whatever else is happening 16:45:14 True, though that's a non-issue since dummy outputs would have 0 value and would not be consumed by subsequent transactions from the same wallet 16:45:32 If you're dividing up amounts into 16 outputs always, you also have smaller outputs with which to make tx's, so it seems you would also need to use more inputs to send the amount you'd want 16:45:42 No I'm definitely not proposing that 16:45:45 Would be a privacy disaster 16:47:06 We could change fake out selection to slightly favour using outputs in different rings that come from the same tx. Never did it though. 16:48:23 oh wow nooooooo, no one is proposing using anything other than dummy outputs here :p 16:48:36 splitting into tiny amounts just for the lulz is baaad 16:49:28 "if every transaction returned..." <- was answering this q 16:50:24 ah sorry I missed that 16:50:30 midipoet: no :) 16:54:43 "We could change fake out..." <- I think this would be effective though, at the cost of fewer decoys from across the chain (it's sorta like the naive binning approach I was planning to propose) 16:56:10 what use case are we better protecting where the use case involves spending several outputs from the same transaction 16:56:50 if anything, a wallet should probably warn if they receive several outputs in a single transaction as a higher risk of receiving poisoned outputs 16:58:44 ya agree I don't see what privacy gains you get from always constructing 16 output tx's. I think the main benefit is likely less time spent waiting to spend cuz of the unlock time (you have more outputs sitting around ready to go) 16:59:42 sgp_[m]: Some wallets are working on features which generate extra change outputs to avoid the 10 block lock 16:59:43 Rucknium[m]: do you want to run the meeting? 17:00:24 I could. Usually people with agenda items shouldn't run meetings, though. 17:00:49 ok I will do it 17:01:00 Want me to run? 17:01:05 let the meeting commence. Logs will be posted on the issue: https://github.com/monero-project/meta/issues/610 17:01:18 1. greetings 17:01:22 hello everyone 17:01:26 Isn't carrington running one of the Monero Community meetings soon? carrington , could you run this one too? I don't know if you are busy though carringtonn 17:01:30 Hi 17:01:40 Hello 17:01:41 hello 17:01:41 Hoi zäme 17:01:47 Hello 17:01:49 Hi. 17:01:50 hello 17:01:52 I'm cool with koe running for now 17:01:54 Hi all 17:01:56 hi 17:02:01 Hello! 17:02:07 sarang and brandon ran most of the previous ones and they always had agenda items 17:02:13 Hello. A researcher should run the MRL meetings, not me 17:02:14 Hi 17:02:33 Hello 17:02:34 2. updates. People working on stuff, a brief summary of what you have been up to. 17:02:42 hi 17:02:49 hello 17:03:40 hi 17:05:16 My main thing is working on a roadmap to improve the mixin selection algorithm. Within 12 hours I will submit the roadmap to the Vulnerability Response Process in part so that moneromooo and luigi1111w can redact any sensitive parts before release. jberman and isthmus have seen a draft of it. 17:05:33 The I sill submit a CCS proposal to execute it 17:05:44 * will submit 17:06:08 Lots of people here :). My summary: The past couple weeks I have been working on PoC for Seraphis. Right now I have working performance mock-ups of RingCT with CLSAG and Triptych on my branch (https://github.com/UkoeHB/monero/tree/seraphis_perf), and have a good plan for building out the Seraphis PoC. There are a lot of variations to perf test, so it is taking me a while to design things properly. 17:06:26 So Lelantus Spark is out with security proofs. I am working on Seraphis's security proofs. Need verification of security properties I wrote here: https://github.com/UkoeHB/Seraphis/issues/2#issuecomment-918639450 17:07:30 Lelantus Spark: https://eprint.iacr.org/2021/1173 17:08:25 But since Lelantus Spark is "somewhat" of an instance of Seraphis, I guess I'll just "align" my security analysis... 17:08:43 I will give about 3-5mins more for summaries then we can move to discussion :) 17:08:46 Here's a good casual discussion on Lelantus Spark https://www.youtube.com/watch?v=vEZC1fTYRZk 17:09:04 jberman[m]: would you like to update us? 17:09:24 My summary: recommended patching integer truncation in the wallet & reducing the "recent spend window" (https://github.com/monero-project/monero/pull/7798#issuecomment-917495021), did a bit more research into the decoy selection algorithm adding the effect of MyMonero+Monero-LWS & openmonero to the mix in response to some of vtnerd's feedback and 17:09:25 criticisms (https://github.com/monero-project/research-lab/issues/86#issuecomment-915806414), worked on other non-research related tasks, and hoping to talk about binning in today's meeting 17:11:18 Re: binning, my binning proposal was updated a while back (final draft kind of form) https://github.com/monero-project/research-lab/issues/84 17:12:17 Also research related: 17:12:17 - fee updates have been PRd and I have comments: https://github.com/monero-project/monero/pull/7819 17:12:17 - multisig address generation fixes have been PRd: https://github.com/monero-project/monero/pull/7877 17:12:34 Anyone else? 17:13:22 ty for reviewing the fee changes 17:13:49 3. discussion. Ok I think we can move on. The remainder of the meeting is open ended. 17:14:03 are we accepting ArticMine's growth parameters then? am I the only one who is concerned with them? 17:14:29 I don't have a strong opinion 17:14:34 Ping me when you comment on PRs, I seldom check the repo nowadays. 17:14:44 sgp_: I suppose I could look at them. 17:14:44 ah gotcha 17:15:28 sgp_[m], can u briefly summarize ure concerns? 17:15:36 I am an economist after all. Maybe I have something to say about fees. 17:15:51 I responded to the growth parameters in MRL issue 70 and the pr 17:16:06 ok 17:16:42 gingeropolous: it's just a generous growth rate allowed 17:16:58 we don't need to talk about this here among all the other important stuff, but I am worried it is too generous 17:17:08 sgp_[m]: It may be good to circle back to that issue after the fee PR is ready to merge. 17:17:49 ok 17:17:55 i think Rucknium[m]'s input will be valuable, because it is effectively monetary policy 17:18:01 Just a note if you change the grwoth parameters on has to change the whole fee calulation 17:18:28 So I would suggest this not be left to the last minute 17:19:15 so whats all the other important stuff? :) 17:19:35 Triptych vs. alternatives... (full message at https://libera.ems.host/_matrix/media/r0/download/libera.chat/ae5111e8ad7cef1dddd03a40c2a19fde0eed447c) 17:19:38 It sounds like there isn't anything new to add in this meeting, just a call to action: please take a look if you can (MRL issue 70 and PR 7819). 17:20:19 for those that can't do links 17:20:21 Triptych vs. alternatives 17:20:21 Improvements to the mixin selection algorithm ( 17:20:21 Decoy Selection Algorithm - Areas to Improve research-lab#86 ) @j-berman @Rucknium 17:20:21 Removing/fixing/encrypting unlock time ( 17:20:22 Removing/Fixing/Encrypting monero's timelocks research-lab#78) (it also affects binning) 17:20:23 Analysis of July-Aug 2021 tx volume anomaly (?) ( isthmus? { @Mitchellpkt } ) 17:20:24 Active recruitment of technical talent @Rucknium & others 17:20:26 MRL structure (why aren't things getting done?). 17:20:38 (from Rucknium[m] 's matrix post) 17:21:24 Oh, long Matrix posts don't come through nicely on IRC? 17:21:49 These are the items from https://github.com/monero-project/meta/issues/610 17:21:59 - does anyone have comments/questions about Triptych vs alternatives? 17:22:44 Do we have some concise figures on verification time / tx size for comparison? 17:22:47 I have one question because we haven't really discussed this during a meeting specifically as far as I understand, but it has been discussed elsewhere: 17:22:57 questions: Triptych isn't competitive even with ideal multisig or multisig is the only blocker ? 17:23:00 ArticMine: I am working on perf tests for that. 17:23:07 Has anyone looked at RingCT 3.0 as an alternative to Triptych? 17:23:10 UkoeHB: My continued preference is explore Seraphis/Lelantus Spark and move to a hard-fork with ring-size change in the meantime. 17:23:14 Thanks 17:23:21 Due to improved view keys and multi-sig simplicity, mainly. 17:23:24 Well, I have the comment that I can't comment because I am not able to read Sarang's paper and decide how the UX and UI for multisig would change. 17:23:37 Which of the following is more important: 1) easy transition with compatible address format, or 2) easy multisig 17:23:46 I.e. how much more complicated to transact? 17:23:48 I vote 2 17:23:49 wfaressuissia[m]: Multisig is the main blocker, but there are other advantages to Seraphis/Lelantus Spark. 17:25:00 I have to agree with sethsimmons after speaking with sarang at DefCon after his talk. The Multisig simplicity is very significant in my view 17:25:17 I would prioritise whatever gives us a good and usable multisig. 17:25:27 Quite some unknown how we would fare with an address format change I guess 17:25:34 Sounds quite radical 17:25:36 sgp_[m]: I assume the new sofware would prevent users from using old addresses? 17:25:44 wfaressuissia: Seraphis in general has several other benefits over Triptych. 17:25:44 1. possibly more efficient (TBD) 17:25:44 2. new features: membership proof delegation (allows tx chaining, offloading membership proofs to third parties, reduces timing analysis of slow tx like multisig), collaborative funding (multiple funders for a tx without big crypto design effort), better address schemes (several variations) 17:25:45 s/sofware/software/ 17:25:58 BCH more or less did an address format change. Could query them on how to do it right 17:26:24 Interesting 17:26:28 Could address size decrease? 17:26:51 The new format address not be backward compatible? 17:26:55 i imagine with a hardfork, it would be easy to protect users re: address change. 17:27:00 x3nu[m]: there are two sets of address scheme variations, one set is larger 17:27:09 proper view keys that show the whole balance (while also allowing view keys as we know them today) is a large win 17:27:13 ErCiccione: backward compatible? 17:27:19 UkoeHB: "collaborative funding (multiple funders for a tx without big crypto design effort)" Does that mean that a BCH Flipstarter-like crowdfunding system would be easy to put together? 17:27:30 exporting key images is frankly terrible 17:27:35 hypothetically - depends on various design decisions 17:27:45 This new feature list looks so fantastic, somewhat hard to believe for laypeople 17:28:04 sgp_[m], smooth would have disagreed, or at least they expressed pause in the past. for reasons i don't fully remember or understand 17:28:25 ErCiccione: people would get new Lelantus Spark/Seraphis addresses 17:28:44 re: proper view keys that show whole balance. 17:28:52 I mean, if we really get all that for an address change, well then ... 17:28:53 The biggest issue with the address format change is static addresses used in the past would not be valid/usable. 17:29:06 i.e. static donations, saved addresses for friends in address book, etc. 17:29:11 static = widely published? 17:29:20 haha yeah exactly rbrunner , MANY benefits as I see it 17:29:24 As new wallet software after HF would only use the new format, new address generation wouldn't be an issue. 17:29:34 gingeropolous: there is an address scheme variant where view-only identifies owned and spent outputs, but can't read amounts. I like this one personally. 17:29:35 sgp_: my question was if the precedent format will be still accepted, otherwise would impact ux quite a lot 17:29:41 As it's coupled with a HF I don't think it's a huge deal, but it's certainly a bit more headache. 17:29:41 if the base point of comparison is the best non-reviewed and unproven DAP designs, then Triptych isn't competitive even with multisig. If the base point of comparison is current ring signatures with 10 decoys then even Triptych with a bit more complex multisig is an improvement which was expected to deployed soon. 17:29:51 Seth: critically funds sent to those addresses would not be unspendable however 17:29:55 Zcash is trying to merge t- and z-address formats, I believe. Just another example of another coin doing it. 17:30:00 It would not lead to lost funds with a HF, FWIW, just pain for users when merchants/donation acceptance does not update static addresses. 17:30:12 ErCiccione: the existing format would have to be rejected 17:30:13 but I assume LS/S funds couldn't be sent to old addresses 17:30:24 sgp_[m]: No, wallet software should just reject the address as invalid and prompt that it's old format 17:30:45 UkoeHB: Woah, thats cool 17:30:52 wfaressuissia: 'soon' is only 'soon' if you find someone to implement that complex multisig 17:31:14 Rucknium[m]: This is different, they all still exist and are usable they just basically use a new URI format that can choose among multiple options. 17:31:20 If I see something as good-looking as this I unvolentarily start to look for the catch :) 17:31:21 They aren't phasing out any address format or changing it. 17:31:22 i don't think the change in address format is a cause for concern 17:31:29 It's just a wallet SDK change. 17:31:42 Would it be possible to convert an old address to a seraphis address? 17:32:07 Triptych is a year + out even if we were fully on board with running with it, which I think is inadvisable at this point 17:32:13 d3neon[m]: your private keys would stay the same (or at least your base entropy/mnemonic, depending on design choices) 17:32:20 One can allow a transition phase afte which sending funds to legacy addresses would not be allowed 6 months would be reasonable 17:32:22 UkoeHB: 2 people were agree to help with implementation: hyc and vtnerd, but that's for the case when design is ready 17:32:25 d3neon[m]: New wallet software would just provide new addresses, no conversion needed etc. 17:32:41 Regarding fees. These fees are being used as protection against unlimited blockchain growth (problem with cheap storage and network), unlimited number of malicious txs (problem due to small number of decoys for ring signature) and reward for miners (not very important, since ther is fixed tail emission). How is it possible to justify decrease or increase of fees without any knowledege of hardware available to miners ? 17:32:45 If you could convert it, that would solve the static address issue 17:33:18 d3neon[m]: You just post a new one, don't need to convert. 17:33:27 The sender couldn't convert it, FWIW. 17:33:34 alright 17:33:51 Yeah, a fully automatic conversion tool, based only on the info in the address, would be surprising 17:33:51 ArticMine: Yes, that is an option to implement both address formats, but obviously added complexity and code. 17:34:02 rbrunner: "I unvolentarily start to look for the catch" The protocol is still experimental and not implemented anywhere - of course there might be a catch no one has seen yet. The more eyes the better. 17:34:04 Triptych is a year + out >>> how far out will seraphis / lelantus / superdooper be? 17:34:25 Also Year + 17:34:33 or is it 3 + 17:34:45 So a ring decoy increase should be reconsidered then? 17:35:01 As a holdover 17:35:12 imo its theater 17:35:12 ArticMine: I also think a big transition period would be good. 17:35:26 Firo is planning on Q3 2022 for adoption of Lelantus Spark 17:35:29 just to give a rough idea 17:35:42 x3nu[m]: Yes, IMO. 17:35:53 sorry, Q2 2022 17:35:59 I think there is pretty broad consensus for a ring-size + BP+ HF with ring-size of 15-17. 17:36:23 Seth: yup 17:36:41 But the larger improvements to privacy are likely coming via the decoy selection/binning work being done, TBH. 17:36:53 wfaressuissia[m] Fees increase/decrease based on number of transactions being sent. They have nothing to do with mining hardware 17:36:59 But ring size bump does help with those in theory, but that's more jbermanRucknium territory 17:37:21 Hi! I made an attempt to elucidate Seraphis here. Highly incomplete hahaha. UkoeHB please correct mistakes: https://raw.githubusercontent.com/coinstudent2048/writeups/main/seraphis.pdf 17:37:43 wfaressuissia: "How is it possible to justify decrease or increase of fees without any knowledege of hardware available to miners ?" The fee PR has two parts. 1) improve the algorithm design to avoid problematic edge cases. 2) increase the minimum fee. Parameter choice is very difficult and somewhat arbitrary, so yes 'how is it possible' is kind of engineering voodoo (which is seen in other engineering fields too). 17:37:58 ok, so lelantus spark will be ready Q3 2022 ? 17:38:06 coinstudent2048[: cool! I will take a look :) 17:38:08 We could turn things on the head and ask whether currently anything still speaks *pro* Triptych 17:38:21 Except an existing but non-multisig implementation 17:38:50 gingeropolous: That's their plan, yes, but that's for Firo -- would require implementation for Monero specifically on top of that, but not sure on complexity. 17:39:20 nice coinstudent2048 ! 17:40:25 There is also a PoC implementation of Lelantus Spark: https://github.com/cypherstack/spark 17:40:26 sethsimmons: I'm not sure it worth to make a hard fork now if there are more consensus changes being worked on (assuming they are consensus-related) 17:40:41 so i guess, as mentioned before, a key piece of data is compare and contrast lelantus spark / seraphis / triptych re: size and speed etc 17:40:42 rbrunner: If Seraphis/etc. turn out to be flops, Triptych is the best known protocol. 17:41:01 ErCiccione: Ah, forgot to include fee changes, which should also be included. 17:41:12 Past that there are no other consensus changes near-ready that I know of. 17:41:15 I see, yes 17:41:27 I think we should prepare a list of what consensus changes would be included in the next hard fork and then have a dedicated meeting about it 17:41:29 And as mentioned a new protocol is still 1y+ out. 17:41:32 That being said, Seraphis/etc. don't introduce any crazy new crypto, so it is unlikely. 17:41:54 UkoeHB: I second this. 17:42:00 Agreee with ErCiccione on dedicated meeting about HF 17:42:02 ErCiccione: Agreed. 17:42:03 UkoeHB: but we need it to support multisig in case 17:42:20 meeting again in two weeks then? 17:42:31 yes seems appropriate 17:42:38 there is enough stuff to talk about in any case i would say, beside the hard fork 17:42:42 Does Lelantus Spark support multisig then in a reasonable form? Does Firo aim to support multisig? 17:43:01 HF process falls outside of MRL scope mostly and is more of a -dev thing, but yes very important 17:43:22 rbrunner: Yes, very simple AFAICT. 17:43:23 rbrunner: afaik yes, the Chaum-Pedersen proofs they use can be multisig-d 17:43:30 rbrunner: yes, Lelantus Spark multisig is a dream compared to Triptych 17:43:44 meeting in monero-dev sunday 3th 17:00 UTC? 17:43:49 Nice, one more arrow in the back of Triptych ... ? 17:43:50 Pre-print: https://eprint.iacr.org/2021/1173.pdf 17:43:50 Github: https://github.com/firoorg/spark-paper 17:43:50 PoC: https://github.com/cypherstack/spark 17:44:25 ErCiccione: I'm not aware of any meeting but there should definitely be one imo 17:44:27 sounds good to me ErCiccione 17:44:31 we should move to another topic, this one took a surprising amount of time 17:44:31 - Improvements to the mixin selection algorithm 17:44:47 rbrunner: that's the main reason not to use Triptych 17:44:50 4 areas to improve decoy selection algo: 17:44:51 1. Integer truncation in the wallet (e.g.: `3 / 2 = 1`) 17:44:51 2. Binning 17:44:52 3. Modifying the distribution estimator (@Rucknium spearheading this) 17:44:52 sgp_: yeah, will post in -dev about it if there is consensus here 17:44:52 4. Validating correct algo used at consenus 17:45:11 ErCiccione: yes please do 17:45:45 1. Patching integer truncation 17:45:46 Refresher: the decoy selection algo selects *older* outputs than it otherwise would because it truncates an integer (e.g. 3 / 2 = 1, instead of 1.5) 17:45:46 I recommended patching integer truncation in the official wallet: https://github.com/monero-project/monero/pull/7798#issuecomment-917495021 (and downsizing the "recent spend window" where the wallet re-selects a young output if the algo suggests a locked output). 17:45:47 Summary: patching truncation seems safe on grounds of tx uniformity to me, and I think it's reasonable to assume it would correctly select a decoys that more closely mirror spending patterns. 17:45:58 don't think there is much to talk about on that^ 17:46:01 rbrunner: I try to post about Sarang's Triptych multisig paper in MRL/Lounge, but not now. 17:46:15 TIA! 17:47:17 jberman: +1 17:47:43 Will give 30 more seconds then moving on to binning 17:47:47 yeah safe to patch 17:48:01 Lol, bug killed in 30 seconds :) 17:48:23 :] 17:48:34 I think binning is blocked by the decision on what to do with unlock times 17:48:35 Unlock times have privacy issues (they break tx uniformity & can enable unknowing links), and make binning implementations more vulnerable to particular attacks. So bringing the topic of unlock times back up to try and move toward a decision on what to do with them. 17:48:58 Encrypting unlock times is possible at cost of doubling verification time and increasing tx size. Which seems overkill for a feature barely anyone uses today 17:49:10 Thoughts on how to reach consensus? Seems no one really loves the feature, so no one cares much about it to go one way or another. Is there precedence for deprecating a feature like this? 17:49:20 imo, they seem a novelty 17:49:40 tbh I'm happy to simply write off binning right now 17:49:41 yea, I don't think they are much used 17:49:53 maybe a dedicated issue could help? So we can see points in favor and points agains? unless there is already one 17:50:10 I don't know any important use cases for them 17:50:28 wait, I thought atomic swaps relied on lock times? 17:50:31 precedence? perhaps axing of the clear format tx id or whatever it was. 17:50:32 ErCiccione: binning has been suggested countless times over many years 17:50:39 merope: no on the Monero side 17:50:51 ErCiccione dedicated issue for handling the unlock time: https://github.com/monero-project/research-lab/issues/78#issue-726924520 17:50:52 in practice, ringsizes are too small, and it involves many complexities 17:50:57 (or at least, one of the proposed implementations? comit maybe?) 17:50:57 shouldn't a feature like unlock time be treated elsewhere as in the official wallets ? 17:51:00 Would existing locks honored if we decide to ax them e.g. in our next-gen protocol? 17:51:05 jberman: nice. Thanks 17:51:12 paymentID. that was deprecated because it didn't do many useful things, but it was replaced with something better. 17:51:21 well it did useful things, but poorly 17:51:48 perhaps thats something to throw into the lelantus / seraphis thing - can these new protocols do some kind of timelock thinger? 17:51:56 in a better way 17:52:19 @rbrunner interesting question, I would lean towards yes 17:52:28 (should honor previous timelocks) 17:52:35 rbrunner: yes, since old outputs would be spent using CLSAG 17:52:40 so there is no issue 17:52:49 Ok then, good to know 17:53:13 yup no issue with past compatibility there :) 17:53:28 gingeropolous: not that I know of 17:53:55 Will confirm no swap protocol has plans to use the feature 17:54:10 A consideration for the next gen transaction protocol should also be whether payment channels are possible 17:54:11 Are there any proponents of keeping the lock time assuming not? 17:55:12 carrington[m]: I think someone would need to study that specifically. 17:55:17 Well, I'm for keeping the lock time as-is for this hardfork, and I'm cautiously for removing it for the next hardfork (but there's a lot of TBD there) 17:55:31 i would vote to deprecate them due to their privacy breaking nature and lack of utility 17:55:59 I would vote for retiring them with the HF to the next-gen protocol, for a clean cut 17:56:09 gingeropolous: are you suggesting that for this immediate update? way too soon imo 17:56:09 i mean they are really only used for 1 purpose currently - im not gonna spend my monero until 2099 ... right? 17:56:19 hahah 17:56:32 well no we're not talking what goes into the next hf. thats for the dev discussion :) 17:57:25 I figure as soon as someone presents a fleshed out compelling use case that actually needs to use lock times, like payment channels, then there would be no resistance to bringing them back 17:57:32 It seems 1hr was not long enough for this meeting, there are still 3 items on the agenda. How about we schedule another meeting for 1wk from now at the same time (1700 UTC), so all agenda items get proper attention? 17:57:41 okay, just good to attack rough timelines to these discussions I think 17:57:41 Ok I will talk about (3). (Let me know if this doesn't go through to IRC correctly.) I will repost my "update" from above: 17:58:15 My main thing is working on a roadmap to improve the mixin selection algorithm. Within 12 hours I will submit the roadmap to the Vulnerability Response Process in part so that moneromooo and luigi1111w can redact any sensitive parts before release. jberman and isthmus have seen a draft of it. 17:58:15 Then I will submit a CCS proposal to execute it 17:58:23 why not to finish right now ? there are a lot of important things and 1 hr / 2 weeks is too small quota to discuss something 17:58:32 s/finish/continue/ 17:58:34 I am gone in 2mins 17:58:40 but the meeting can continue without me if you want 17:59:10 Seems good to me to adjourn. We are not in such a hurry to do everything today, seems to me 17:59:11 It's a two-stage execution plan. First, what I have termed Optimal Static Parametric Estimation of Arbitrary Distributions (OSPEAD). It's a medium-term solution to stop the bleeding. 17:59:12 We can have a meeting in 1 week 17:59:22 I also have to head out 17:59:27 +1 ArticMine 17:59:35 Would be good to reconvene next week 17:59:38 weekly ftw 17:59:48 Older people are also a bit exhousted after one such hour :) 17:59:59 In for meeting next week 18:00:01 I would be OK with weekly. 18:00:19 The Return Of The MRL Meetings. 18:00:28 I am fine with weekly 18:00:43 Can someone change the channel description to have the next weeks meeting agenda? Once one is created 18:00:50 Yeah, at least until the backlog is cleared. 18:01:19 For next week I'll have a postmortem of the transaction volume anomaly from a few weeks ago 18:01:36 Ah, a cliffhanger 18:01:46 Clever 18:01:49 ;- ) 18:01:50 Tune in next week 18:01:54 Same bat time, same bat channel 18:02:34 Can someone grab logs? 18:02:51 rucknium[m]: Do you have a write up that can be linked here for people to find in the meeting logs? 18:03:10 "https://libera.monerologs.net/monero-research-lab/20210915/raw" grab or grab&post ? 18:03:39 carrington: Yes I have a write-up. No, I cannot share it until it has been sanitized by the Vulnerability Response Process. 18:04:39 carrington[m]: I can change topic, just ping me once created 18:07:23 Logs posted 18:08:54 carrington: It looks like something is wrong with the logs. Not everyone's username shows up 18:09:07 Gah, IRC usernames seem missing 18:09:36 It's because of the <> formatting 18:10:02 Yeah, saw it, maybe the Libera log would be better 18:10:18 Or did GitHub eat the usernames? 18:10:33 Github did it lol 18:10:52 Quote somehow the whole log? ```` or so? 18:11:00 time to :%s/ Not sure about MarkDown 18:11:27 I'll have to manually reformat unless someone has another source without the formatting issue 18:11:53 The Libera log that wfaressuissia posted above, have a look 18:11:55 ^ just search and replace all the < with < 18:12:09 https://libera.monerologs.net/monero-research-lab/20210915/raw" 18:12:31 Arg ... without the double quote at the end of course 18:15:55 did u get a good log? i pulled up my logfile 18:15:58 http://highlandsun.com/hyc/raw 18:15:58 Fixed 18:16:11 Thanks, looks better now :) 19:31:03 Did we know about this paper? 19:31:03 https://petsymposium.org/2021/files/papers/issue3/popets-2021-0047.pdf 19:31:28 Someone posted in r/Monero about it 19:31:28 https://www.reddit.com/r/Monero/comments/polatq/partitioning_samplers_a_better_approach_for_ring/ 19:31:38 "This can be seen as a theoretical con- 19:31:38 firmation of the approach used in Monero, albeit condi- 19:31:38 tioned on the strong assumption that Monero chose a 19:31:38 good ˆS." 19:32:22 ^ "S" is the distribution for the mixin selection algorithm. Hmm, yes it is a "strong" assumption that a good S was chosen. 19:43:02 Seth agenda posted 19:43:02 https://github.com/monero-project/meta/issues/611 19:45:18 How's that? 19:45:43 "We emphasize that although Theorem 6.2 shows... (full message at https://libera.ems.host/_matrix/media/r0/download/libera.chat/a7cd47bd9997008a41985651c089065f9fe1b7a7) 19:57:42