03:51:50 as said, one is that you build on what's semi-pejoratively called "moon math". 1) cryptographic hardness assumptions that seem sound, but haven't been so time-tested, 2) higher complexity, easier to make mistakes on multiple levels on the way from theoretical foundation to production code, 3) less people who understand it and can catch mistakes. up until 2018 Zcash had an inflatio 03:51:51 n bug because a single operator in a single equation was wrong, and the smartest people in ZK at the time didn't catch it for years. things got a lot better since then, but it's still a relative risk. another downside is that, for Monero to work in such a fashion, you'd have to redesign the whole protocol to such a degree that it's not desirable or worth it at all (it's already be 03:51:51 ing redesigned a lot as we speak with the work on Seraphis). but who knows, I've seen so mind-bending leaps in ZK that maybe at some point you'll be able to safely tailor such a proving system for Monero without having to change Monero, and people could just opt to use that sync mode. 04:03:42 We ask the initial 16 (15 decoys, yet we also include the real spend so the node can't look for TXs using those 15 decoys to identify the real spend). If one is invalid, we ask for exactly one more, effectively doxxing to the node the further selections are decoys. 04:03:42 > AFAIK relies on cryptographic hardness assumptions that are less tried-and-tested than what Monero relies on 04:03:43 chaser I would not say this, and I also wouldn't say we *can* create constant-sized proofs. At best, *without a trusted setup* you get a proof constant to the program size where the program enables verifying a proof of a large proof (which can be recursed ad infinitum to achieve arbitrary program space). 04:05:25 > as said, one is that you build on what's semi-pejoratively called "moon math" 04:05:25 People not understanding math doesn't make the math wrong. Most people don't understand Bulletproofs and yet here we are. 04:06:17 > cryptographic hardness assumptions that seem sound, but haven't been so time-tested 04:06:18 Again, this is not correct. 04:08:30 The complexity commentary is fair. I'm not entirely sure the less people commentary is when I'd posit most modern cryptographers work with such proofs. The underlying problem space is incredibly important, and solutions for it are widely usable. Accordingly, they frequently see use. 04:10:35 > because a single operator in a single equation was wrong 04:10:35 This isn't correct. The fact they had a bug which was missed during review for years is correct. Whether or not "the smartest people in ZK" participated in that review I cannot comment. I want to say Microsoft eventually caught it, presumably when one of their researchers decided to review it? Which means when some of the 'smartest people in ZK; did review it, they caught it, even if some of the other 'smartest people in ZK' missed it. 04:12:04 > you'd have to redesign the whole protocol to such a degree that it's not desirable or worth it at all 04:12:04 No, you wouldn't, and I'm pushing these exact scalability discussions with Seraphis. They technically *can* be done now, we'd just need more complicated circuits than would be needed under intelligent design. 04:13:41 > I've seen so mind-bending leaps in ZK that maybe at some point you'll be able to safely tailor such a proving system for Monero without having to change Monero, and people could just opt to use that sync mode. 04:13:41 It'd be a great hackathon project to run Cuprate in RISC-0. I'd expect a proof of concept to take less than a month depending on how Cuprate is architectured (monero-serai is extensively aiming to support no_std, and Cuprate is modular, yet you'd need a `libconsensus` equivalent (Bitcoin term) which is no_std and support for a custom database, which I haven't looked into). 07:21:36 1. An adversary conducts a flooding attack on the Monero blockchain, which costs him about 500$ for 100k txes per day. The dynamic block size adjustment works through penalty system which calculates for the latest M100 blocks. Let's say the "natural transactions rate" is 10k per day for Monero, so now its 10k natural + 100k flooding. After the dynamic block size kicks in an attack 07:21:36 er stops the attack and in the next M100 cycle block size is readjusted again to its normal 10k per day rate. Does it mean that an attacker can bloat the blockchain each second M100 cycle? 07:21:37 2. If the Monero's price is essentially pinned down to everlasting 150$ by CEX manipulations - will be tail emission sufficient to keep the network working? Won't there be a situation when because the price is controlled through CEX (and it will be controlled in the observable timeframe) miners will lose the interest in the network? 07:21:37 3. How does the previous 2 stack up into the whole idea of a fullscale attack on Monero (e.g. government/Bitcoin whales induced)? How both is mitigated? 07:25:35 1. An adversary conducts a flooding attack on the Monero blockchain, which costs him about 500$ for 100k txes per day. The dynamic block size adjustment works through penalty system which calculates for the latest M100 blocks. Let's say the "natural transactions rate" is 10k per day for Monero, so now its 10k natural + 100k flooding. After the dynamic block size kicks in an attack 07:25:35 er stops the attack and in the next M100 cycle block size is readjusted again to its normal 10k per day rate. Does it mean that an attacker can bloat the blockchain each second M100 cycle? 07:25:36 2. If the Monero's price is essentially pinned down to everlasting 150$ by CEX manipulations - will be tail emission sufficient to keep the network working? Won't there be a situation when because the price is controlled through CEX (and it will be controlled in the observable timeframe) miners will lose an interest in the network? 07:25:36 3. How does the previous 2 stack up into the whole idea of a fullscale attack on Monero (e.g. government/Bitcoin whales induced)? How both is mitigated? 07:45:15 Mitigations: 07:45:15 1. Submit very large transactions with fees you think are prohibitively high for the attacker to match. 07:45:15 2. Convince major pool operators to adopt a more restrictive minimum fee policy. 07:45:15 3. Try to investigate the origin of the transactions and ask him wtf (pretty hard to do, but who knows maybe he's just a malicious idiot with no opsec)? 08:25:53 >(and it will be controlled in the observable timeframe) 08:25:57 doubt it 08:26:20 imo most volume will be done via dexes very soon 08:26:30 imo most volume will be done via dexs very soon 08:34:49 The current XMR volume on DEXes is 0.2 BTC. Its a joke. And even if it somehow occur which I doubt since nobody is willing exchange their XMR for dirty BTC/LTC/etc. (DEXes will be used exactly for this in case of Monero) - there still be CEXes, which will be the deciding factor for XMR price. When you will try to exchange your XMR to fiat - CEX price will decide. I might be missin 08:34:49 g something for sure but your point is weak. I'd like to receive an expert response from the Monero team. 08:40:54 Whatever the response is, this isn't the place for it. Look for the Monero Markets room :) 08:41:35 Its exactly the place for it - my questions if purely technical, they are listed above. 08:42:30 Its exactly the place for it - my questions is purely technical, they are listed above. 08:43:00 Its exactly the place for it - my questions are purely technical, they are listed above. 08:43:02 (Btw avoid editing messages please - it causes spam on the irc side of the room) 08:43:04 This is exactly the place for it - my questions are purely technical, they are listed above. 08:44:00 Tell me how this is related to Monero Market room 08:45:21 As far as the mining incentive is concerned, price is indeed important. The average amount of money paid to the whole mining network is: [coin price] * [block reward] / [target block time] 08:47:12 The block reward is just a parameter. If some outside entity wanted to suppress miners through price manipulation, all they'd need to do is to push the coin price low enough until the network becomes trivial to attack - regardless of how big or small the block reward is 08:50:11 As for how the price will actually behave in the future, you are making a lot of assumptions - which *seem reasonable*, but are objectively unverifiable (e.g. "the price is controlled through CEX") 08:50:23 A significat part of Monero network can keep mining at any price (botnets, free electricity miners etc) 08:51:25 How the market will actually evolve (price, volume, and where and how the trading will happen) is anyone's guess 08:52:50 These are 2 separate questions. 08:52:50 1) The first one is about technical availability to make the Monero blockchain unusable each second 100 blocks timeframe. 08:52:51 2) The second is about tail emission which is directly stated as the key factor for keeping Monero mining profitable hence blockchain alive https://www.getmonero.org/resources/moneropedia/tail-emission.html: 08:52:51 > Tail emission ensures that a dynamic block size and fee market can develop. 08:52:52 But since the price is manipulated through CEX - it is a question if tail emission really "ensures" 08:56:15 Like I said: the actual block reward is just a parameter. So if the reward is 1 xmr/block, then you push the price below, say, 50$. If the reward is 2 xmr/block then you have to push it below 25$ and you get the same effect. A bigger block reward means you'd have to push the price lower and lower (which is *presumably* harder, but the difficulty depends on how you're actually supp 08:56:15 ressing the price), but it also means more inflation in the short term 08:59:30 The reason why the site says that the tail emission "ensures" that the network will keep going, is because transaction fees are not enough to maintain a big mining incentive over time. For example: in 10-30 years, as the block reward keeps halving, the Bitcoin network will see a huge decline in hashrate - to the point where even someone with 5-10% of today's total nethash could ea 08:59:30 sily 51% their network. And this is inevitable unless they change their emission curve (to include a tail emission) and increase their blocksize 09:01:33 (Or rather: Bitcoin users would have to start paying >30-50$ fees *per transaction* (for a basic 1in-2out) to sustain their current mining incentive of ~700 $/second) 09:01:54 (And that's assuming they can keep those block full all the time) 09:02:47 (I swear I'm gonna finish writing that paper some day 😭) 09:03:48 Bitcoin halving soon https://www.nicehash.com/countdown/btc-halving-2024-05-10-12-00 - we'll see if it sparks more discussions after miners get rekt 09:04:12 *Bitcoin miners 09:36:57 I see your point and its valid against Bitcoin but: 09:36:57 1) The block reward is constant 0.6 XMR and miners don't pay for the electricity and hardware in XMR, they pay in USD. If the price is constantly suppressed via CEXes - where is that diverging point where the whole idea of sustaining the network become unprofitable? 09:36:58 2) Since the block reward is small, the only way for miners is the same as you mentioned for Bitcoin - to compensate the loss with fees 09:36:58 3) Let's say that now the "critical" point of profitability for sustaining the Monero is around 150$ for 1 XMR. That include both block profits & fees profits. If the price is consistently supressed down further and the network is attacked as I've mentioned in my first question (this is the primary question actually) - wouldn't that be possible to basically kill the network just b 09:36:59 y driving the miners and users out of it? 09:36:59 So the whole attack scenario is: 09:37:00 1) Keep the price at current levels or pin it down even further, since a CEX always can "temprorary shutdown withdraws" and replenish its wallets with real coins -> reducing fees & block reward profit 09:37:00 2) Attack the network by periodically bloating the blockchain every M100 cycle. The network becomes unusable, mempool is growing, transactions confirming for days - people leave -> reducing fees profit. That decreases "natural" txes volume further but miners is still compensated by an attacker and the block reward 09:37:01 3) Systematically drive the Monero out of the market, same as Binance delisting and EU ban, reducing the number of users and adoption -> reducing fees profit 09:37:01 4) This looks like enough to strangle the network but as the last resort there is always a possibility to basically zero out the price via controlled CEX if needed 09:37:02 But my main question is still about the M100 cycling flood possibility, if you may please. 09:38:39 No, you are mixing things up 09:38:51 In order: 09:39:13 The tx fees are part of the total block reward used in the incentive calculation 09:39:32 Not sure where you get the 0.2 btc figure. The volume on Bisq alone for the past 7 days is 64.7 BTC (4 million usd). Other DEXs and Atomic swap volumes are harder to measure. When Haveno and Serai launch its not completely unrealistic that most Monero volume will then flow through DEXs rather than CEXs. 09:39:54 Not sure where you get the 0.2 btc figure. The volume on Bisq alone for the past 7 days is 64.7 BTC (4.6 million usd). Other DEXs and Atomic swap volumes are harder to measure. When Haveno and Serai launch its not completely unrealistic that most Monero volume will then flow through DEXs rather than CEXs. 09:41:01 There isn't a single "critical" price point. Rather, you can calculate the maximum network hashrate that could be supported for a given mining incentive and a given electricity price; and from there, see how many devices it corresponds to, and what would it cost to perform a 51% attack against them 09:42:57 Keep in mind that profitability is based on hardware efficiency, i.e. how many $/kWh you can earn on a given hardware vs how much $/kWh you pay for that electricity 09:43:57 Mining incentive goes down -> profitability goes down for everyone -> the most unprofitable miners tend to leave -> profitability goes back up for those who stay 09:44:06 It's an equilibrium 09:44:15 not for monero 09:44:29 we have botnets mining at zero cost 09:45:35 the closest comparison for xmr on serai is imo BCH on thorchain 09:45:37 Yes, sech1 already mentioned that. They still work under the same paradigm, they just happen to pay 0 $/kWh (though they probably have some running costs of some other kind) 09:45:55 and that had 55 million in volume in the last week 09:46:21 and thats for a chain you can get on any ccex 09:46:24 As for the "spamming the network every M100 cycle" - I suspect you misunderstand how the reward penalty works 09:46:24 and thats for a chain you can get on any cex 09:46:32 I've just opened Bisq and I see there 261 XMR selling for 1 BTC, 523 XMR for 2 BTC. This is exactly what I was telling - nobody wishes exchange their XMR for _a priori_ dirty BTC unless its 2x times cheaper than XMR price on exchange. You can buy XMR for 300$ here if you like, no problem. 09:46:50 you dont get dirty bitcoin from serai 09:47:04 at least not if you provide xmr liquidity 09:51:25 What will happen if all miners will be made unprofitable by CEX price pinning? 09:51:47 The reward penalty is applied per block, if the block you're mining is bigger than the short term median. That means that a spammer would need to spam transactions for *at least* 50 blocks at the minimum fee, before miners would start increasing the block size above the minimum. 09:51:48 Note that the goal of this would be to increase the blocksize in order to spam *even more* transactions per block. Otherwise, if they let it reset, then they would be limiting themselves a lot 09:52:28 btw this room is not the place to discuss this stuff 09:52:55 use community or research lounge 09:53:06 True ^ 09:53:21 Monero Research Lounge let's move here syscall 09:54:21 what this room is for then? 09:56:13 This channel is for research. The monero IRC channels are many, which might be obscured from wherever you connect from (matrix ?). 09:56:31 Then again, there's been a tendency to discuss code stuff here for a long while instead of in -dev for some reason. 09:56:55 #monero is the catch all channel, also includes broader privacy stuff not directly related to monero. 09:58:10 There are several more too. #monero-pools for pools and mining, #monero-markets for econ stuff. etc. 09:58:59 #monero-pow for, oh, I dunno... maybe pow... 13:21:35 I think part of it is also some survivorship bias 13:21:35 If I understand the point of this channel correctly, it should only be used during meetings 13:21:36 So by definition, anything said outside of meetings is off-topic 13:40:55 I think price suppression is harder if people don't keep their Monero on exchanges or don't even use exchanges. Monero is in a good position to resist price suppression because a good majority of merchants only demand on-chain Monero, not off-chain claims on Monero. The network may be profitable at a lower block reward, but only for more efficient miners, so I don't really see the problem with this. It lower's overall confirmation security of transactions, but this is just something that must be accepted. 22:26:47 What is the effective ring size of Monero currently, assuming that 80% of daily decoys are controlled by a single entity which intends to conduct sell-chain analysis service? Also, what is the degree of probability for EAE and EABE transactions to be traceable? Ignore my grammar; I am Chinese and using a translator. 22:44:45 My estimate says that average effective ring size is 5.5 right now if an adversary is producing the suspected spam transactions for a black marble flood attack. 22:47:42 The success probability of an EAE/EABE attack is unknown. It actually has never been rigorously defined. 22:50:03 Is the ring size of 5.5 derived from mathematical paper or did you conduct some analysis for last few days of transaction? Also, is this effective ring size sufficient? If one spends the coin on the same day as they received it, is the effective ring size 5.5? By what factor are EAE and EABE transactions more traceable with a ring size of 5.5 compared to, say, 16? 22:52:19 I'm doing an analysis. I will post in 24-48 hours. Basically I assume that the 4 weeks of txs before March 4 were the non-spam rate of txs. Then the txs on top of those in the last week are "spam". The outputs of those spam are assumed to be black marbles. Then I run what the decoy selection algorithm would be at a specific block height 22:53:40 Sufficient? We'll talk about it at the MRL meeting at 17:00 UTC Wednesday. 22:57:01 Thank you for your valuable time. Please include some information about EAE and EABE if possible. 22:57:29 I don't know what exactly is the minimum acceptable. I have been re-reading papers. We probably want to know what level of flooding would create conditions for a "chain reaction" or "graph analysis" attack. There is a theoretical paper about the exact thresholds that should be used, but its analysis assumes a different type of decoy selection algorithm. IMHO we could simulate bloc k marbles realistically with what is on the blockchain now and then run a Dulmage-Mendelsohn decomposition with the Rust code that Vijayakumaran (2023) wrote. 22:57:54 We probably need someone who understands how to run Rust, but I can create the simulated input data. 22:59:44 The theoretical paper is Egger, C., Lai, R. W. F., Ronge, V., Woo, I. K. Y., & Yin, H. H. F. (2022). "On defeating graph analysis of anonymous transactions." 22:59:44 But it assumes that a partitioning decoy selection algorithm is used. Monero uses a mimicking decoy selection algorithm.