15:02:23 MRL meeting in this room in two hours. 17:00:37 Meeting time! https://github.com/monero-project/meta/issues/1068 17:00:43 1) Greetings 17:00:52 Hi 17:01:11

Hello. 17:01:24 Hi 17:01:52 *waves* 17:01:55 Hello 17:01:59 👋 17:03:33 2) Updates. What is everyone working on? 17:03:59 Nothing of note on my end. 17:04:24 Hackerone issues 17:06:11 Hpwdy 17:06:37 me: I updated https://moneroresearch.info to use the latest version of WIKINDX. The Quick Search is improved. Instead of "OR" it now uses "AND" between words. So you get much more relevant results with multiple keyword searches. I will be on MoneroTalk at 22:30 UTC today: https://xcancel.com/MoneroTalk/status/1830994649730699491 , using a hired voice. I have been working on final results for combining black marble attacks with the Dulmage-Mendelsohn decomposition. 17:06:43 me: collecting Carrot audit proposals, hopefully should be done by next MLR meeting 17:06:48 continuing fcmp++, working on trimming the tree on reorg/pop blocks 17:07:55 3) Stress testing monerod. https://github.com/monero-project/monero/issues/9348 17:08:40 I have merged 0xfffc 's PR for dynamic block size sync: https://github.com/spackle-xmr/monero/pull/30 17:08:51 I have started to spam stressnet again. 17:09:26 How's it going so far? 17:09:54 plowsof wrote a bounty to enable fast sync for testnet (this would enable it on stressnet since stressnet is a testnet fork): https://bounties.monero.social/posts/149/0-450m-add-fast-blockchain-sync-to-testnet 17:10:20 Currently the bounty is at 0.45 XMR 17:10:27 <0xfffc:monero.social> Hi everyone. Apologies for being absent. Right now, I am working on an issue on stressnet side. But I will keep an eye on this chat too. 17:10:28 <0xfffc:monero.social> My work past week was mostly on finishing dynamic bss and dynamic span. (L 17:11:19 jeffro256: Initial testing of dynamic block size sync has been good. But we haven't subjected it to big blocks yet. 17:12:21 Reminder that this stressnet will stop being "supported" in about a month. So it is a good time to test your code that fixes bottlenecks. 17:13:24 4) Research Pre-Seraphis Full-Chain Membership Proofs. https://www.getmonero.org/2024/04/27/fcmps.html 17:13:50 kayabanerve: Do you have an update on the potential Veridise followup work? 17:15:02 I believe we're planning to get on a call to organize within the next week or so. 17:17:05 Anything more on FCMP++? 17:22:08 not exactly mrl, but @tobtoht proposed considering dropping windows 32-bit support since windows 11 requires 64-bit (only >18 year old CPU's running windows 10 would be affected), and the 32-bit windows build will be a bit of a pain to get working. Seems reasonable to me but worth bringing up to a wider group 17:22:54 the devs yearn for monero-dev meetings 17:23:05 shrug :) 17:23:18 kayabanerve: Yeah lol 17:23:39 5) Change how transactions are broadcasted to significantly reduce P2P bandwidth usage. https://github.com/monero-project/monero/issues/9334 17:24:20 vtnerd: Do you have an opinion about changing the fluff-phase tx queue timer to exponential distribution instead of Poisson? 17:24:33 I see we're moving on but I'll note I support monero-dev meetings (distinct from NWLB) and have no objections to dropping first-party support from problematic archaic targets. 17:25:29 It needs to be exponential, I don't have any other comments than that really 17:26:51 I'd also tentatively say I support dropping official support for 32-bit windows unless it gets brought to our attention that more than a handful of people are actually using it 17:27:08 Maybe we are moving toward loose consensus to change it from Poisson to exponential. It could be a PR and discussed further in the PR 17:29:18 I'd say we should converge on whatever the reviewed literature says , which is exponential , no? 17:30:08 There is a pr 17:30:24 The Dandelion++ paper seemed to assume that the fluff phase has exponential timers. 17:30:39 I thought the PR only affected the embargo timeout? 17:30:54 https://github.com/monero-project/monero/pull/9295 17:31:32 Oh right, I thought I changed both in that pr 17:32:01 Here's what I said about the D++ paper: https://github.com/monero-project/monero/pull/9295#issuecomment-2260998091 17:32:08 I'll just update that pr then 17:32:10 > I have been looking at whether the fluff-phase timer should also be changed from Poisson to exponential. The Dandelion++ paper doesn't explicitly say that the fluff timers should be exponential, but it strongly hints that way IMHO. Algorithm 5 "Dandelion++ Spreading at node v" in Fanti et al. (2018) ends with Diffusion(X ,v, H). The paper says "Bitcoin Core, the most popular Bit coin implementation, adopted a protocol called diffusion, where each node spreads transactions with independent, exponential delays to its neighbors on the P2P graph." Fanti & Viswanath have an earlier paper about the privacy properties of bitcoin's transaction broadcast system. It describes diffusion: "In diffusion spreading, each source or relay node transmits the message to eac h of its uninfected neighbors with an independent, exponential delay of rate λ. We assume a continuous-time system, in which a node starts the exponential clocks as soon as it receives (or creates) a message." 17:33:43

It is estimated that as of 2024, only 4.3% of Windows users are running a 32 bit version and that number is shrinking every year. 17:34:45 IIRC in PR #9295, the function named "exponential" takes the floor of the drawn values, which actually creates a geometric distribution. Probably there should be a true exponential distribution and the exp-turned-geometric distribution can be named something special for use when a discrete number is needed. 17:37:13 Do we want to discuss the ten block lock now? Put it on next agenda's meeting? Neither? 17:37:18 Always a fun one 17:38:08 Aaron Feickert and isthmus wrote a report on it: https://github.com/AaronFeickert/pup-monero-lock/releases/tag/final 17:38:42 AFAIK the new contributions are in Section 4 with the FCMP++ discussion 17:39:28 I've prior stated my disagreement with the premise, and I believe there was a general agreement we needed a proper quantitative analysis of the odds of various reorg depths/natural likelihood/etc. 17:41:21 A quantitative analysis is on my CCS research agenda. 17:41:22 Do we think that block propagation will change significantly when FCMP++ is activated on mainnet? 17:42:13 We use fluffy blocks, so probably not 17:42:50 Does it make sense to investigate changing it with the FCMP++ hard fork, or should we wait until we see the network behavior, then possibly change it in a future hard fork? 17:43:51 Did stressnet unearth any block propagation problems as blocks became bigger? I don't think so, but I am not sure 17:44:20 I've called for the FCMP++ hardfork being monolithic its set of changes. 17:44:21

There's going to be a huge change with FCMP++ and I would suggest waiting until everything is settled in before piling on more changes. 17:44:46 We figured out that some nodes rejected valid blocks since they didn't have the txs. 17:45:14 I want to deprecate/prune RPCs, ship Carrot, etc, because if we're already forcing users to update for XYZ, adding A isn't much more (but forcing them to change twice, six months apart, is). 17:45:19 Then the nodes marked the blocks as permanently invalid. jeffro256 made a PR to stop the permanent invalidity of the blocks 17:45:26 So if we're changing the n-block lock, I'd call for it at the hard fork. 17:46:23 I'll also reiterate the n-block lock should be the depth reorganizations are infeasible, not unlikely, but I've rung that bell more than enough. 17:46:33 I agree with one-horse-wagon: we should discuss after smoothing out details of the FCMP upgrade. Unlike kayaba, I think it can be reduced now with FCMPs without such a permanate loss to privacy under certain circumstances which made the 10 block lock privacy impact much more relevant, but we definitely shouldnt try from the get go 17:46:42 The pessimist in me whispers that we will need a second hardfork to micro-adjust some things anyway that we did not yet get fully right with the original FCMP++ introduction ... 17:46:55 kayabanerve: The only way to do that is a rolling checkpoint like BCH has 17:48:06 If you do that, you add a liveness assumption to the network 17:48:23 Or to nodes I mean 17:49:07 jeffro256: The private option is the depth reorgs are infeasible. To suggest we can reduce it is to disagree with my premise or to say reorgs aren't feasibly by an adversary at 9 blocks. 17:49:15 Since a node that has been shut down for a while can wake up to two blockchains because it never saw the Nth checkpoint block 17:49:50 It's not about if a reorg actually happens. It's about the tree root selection being a fingerprint. 17:50:19 Rucknium: If we assume you're not eclipsed, and no adversary has 51%, then the probability of a n-block reorg goes down with each additional block. 17:51:00 An adversary with just 49% can only pull off any reorg with random chance. 17:52:11 I'm calling for the n-block lock to have n be the soft finality depth, where we define soft finality as an adversary having infeasible likelihood of performing a reorg. This is generally done in practice with the hash power percentage of the top mining pool(s). 17:52:12 Allowing nodes to leave and re-enter the network was part of the bitcoin design in the white paper 17:53:06 I'm not claiming it's hard finality, even though that can be a discussion for another day. I'm saying PoW coins for years have evaluated reorg risks for minority adversaries and recommended amounts of confirmations accordingly. 17:53:31 What's your infeasibility probability? 17:53:32 (and also higher confirmations for situations of higher criticality, I'm not blind to that) 17:54:12 Those have usually been heuristics. Satoshi had the wrong minority attack formula in the white paper anyway 17:55:08 Recommendations are just risk management. Everyone has a different risk preference 17:55:10 If you want to say they're heuristics and have me call them such, I'm fine doing so. 17:56:12 I'd call for at least 1% odds by the largest mining pool. 17:56:26 Specifically for the n-block lock. 17:57:10 Over what period of time? A year? And what is the resource of the adversary? Can it keep trying every block? 17:58:42 I guess we'd have to define how long until we expect users to realize they've been so repurposed. I am scared to ask what the confirmation count needs to be if we say over a day though. 17:58:50 I said > largest mining pool 17:59:42 And if they have a finite amount of hash power for attempts, can't they only start an attempt occasionally? Having attempts in parallel would mean they have more hash power than assumed. 18:01:01 Or we simplify to a singular attempt. I don't have all the answers here and I'm not trying to claim I do. I'm solely saying that even if a non-trivial adversary attempts a reorg, it should be agreed sufficiently unlikely at some confirmation depth. I believe that depth should be lock depth. 18:01:30 (not just unlikely naturally, yet unlikely by an active attacker so infeasible) 18:01:57 If we want to reduce the lock depth, I'd call to reduce the depth at which we consider reorgs infeasible. I wouldn't call to alternatively define the lock depth. 18:02:13 I have a question about this sentence in the paper: "[In Zcash] There are few network consensus rules governing the age of this anchor; it must be at least one and at most 100 blocks old." 18:02:43 If I can pay 10k over a year to invalidate TXs once a month, some wallets will default to more stable tree roots and we will end up with fingerprints though. 18:03:06 Would FCMP++ have a maximum age of an anchor? If it doesn't any tx that stays in the txpool longer than the max anchor depth would be permanently invalid, right? 18:04:30 No, doing so would invalidate TXs as you say. 18:06:07 Unless there are objections I will put the 10 block lock on the agenda for next meeting. It has been about a year since it was on the agenda. Right on time for its annual appearance. 18:11:11 We can end the meeting here. 18:21:51 I don't think Zcash has _any_ consensus rules regarding the anchor depth. 18:21:54 The 100 blocks thing is just a limit on what parameters the wallet uses 18:22:30 It defaults to 3 but allows the user to specify 1 to 100 18:22:43 And of course it would be trivial to fork the wallet and change that range to 200 or 1000 or whatever 18:25:22 Thanks, isthmus 18:40:17 Having had experience in the past with network upgrades, the ecosystem will not be able to cope with successive network upgrqdes in a short time-spqn 18:40:32 Even when Monero was much smaller it was already difficult to get everyone to upgrade properly and on time