05:19:16 <m-relay> <d​aybreak:nitro.chat> Is rucknium's OSPEAD meant to be implemented or is it not going to be finished before FCMP? https://ccs.getmonero.org/proposals/Rucknium-OSPEAD-Fortifying-Monero-Against-Statistical-Attack.html
15:08:50 <Rucknium> MRL meeting in this room in about two hours
16:37:19 <chaserene> the monero.social Matrix seems to be down. this is am attempted test message from IRC sent at 16:36 UTC.
16:37:59 <chaserene> feedback on whether the above message is visible or not is welcome.
16:45:48 <Rucknium> Yes the Matrix server is down. CypherStack is trying to get it back up AFAIK. MRL meeting will go on as planned.
16:46:28 <chaserene> roger. will send out a memo on monero.town.
17:00:53 <Rucknium> Meeting time! https://github.com/monero-project/meta/issues/1078
17:01:12 <Rucknium> Welcome to an IRC-only edition of MRL meeting
17:01:34 <Rucknium> The monero.social Matrix server is down
17:01:38 <rbrunner> Hello. Hehe, last week I was the last holdout on IRC, not on Matrix ...
17:01:39 <Rucknium> 1) Greetings
17:01:53 <chaserene> hello
17:02:17 <xFFFC0000> Hi everyone.
17:02:20 <jeffro256> howdy from IRC
17:03:24 <Rucknium> 2) Updates. What is everyone working on?
17:03:42 <Rucknium> me: Mostly working on N block lock analysis
17:03:56 <jeffro256> me: working on an enote store for Carrot 
17:05:26 <jberman> *waves*, me: continuing on fcmp's, about to start on tx construction
17:05:52 <Rucknium> 3) Stress testing monerod https://github.com/monero-project/monero/issues/9348
17:06:12 <xFFFC0000> me: finished the fast pop_blocks and flush_txpool. Will submit for review. Finishing the issues jeffro mentioned for rpc limit fix right now.
17:07:04 <Rucknium> There has been discussion here about how to put wallet-monerod RPC calls in "chunks", which is important when the txpool is large: https://github.com/spackle-xmr/monero/pull/32
17:07:50 <Rucknium> Thanks to patches from plowsof and tobtoht, the stressnet repo's builds and tests are all passing with green checkmarks
17:09:47 <plowsof> (i changed a few chars of a regex to make a version string pass ^^)
17:10:21 <Rucknium> 4) Research Pre-Seraphis Full-Chain Membership Proofs. Reviews for Carrot. https://github.com/jeffro256/carrot/blob/master/carrot.md
17:11:13 <jeffro256> 0xFFFC0000: for the record, were there actual instances of hitting the LEVIN_DEFAULT_MAX_PACKET_SIZE limit during the get_blocks call or was this precautionary?
17:11:23 <jberman> I haven't fully read that PR code, but to avoid that issue of gaps in the request, the restricted endpoint serves all of the pool's tx hashes in the first response respecting the time of the request, then the client will then fetch all the blobs in chunks
17:12:37 <xFFFC0000> jeffro256: there was. When I was debugging I was getting failure if I don’t introduce that limitation
17:14:05 <xFFFC0000> jberman: that totally makes sense. Strange I didn’t notice it. If we serve hashes in first request, then technically we will be consistent in response.
17:14:25 <xFFFC0000> s/request/response/
17:14:39 <jeffro256> jberman: are you saying that that is what it *should* do, or what the wallet *currently* does? AFAIK the wallet just repeatedly calls /get_blocks with incremental pool updates 
17:15:22 <jberman> when pointing to a restricted rpc that's what it does. the restricted daemon will serve tx hashes in a field remaining_added_pool_txids on the first request, then the client requests those in chunks
17:15:38 <jberman> just piggy-backing off that logic i think may be simpler
17:15:59 <jberman> https://github.com/monero-project/monero/blob/a1dc85c5373a30f14aaf7dcfdd95f5a7375d3623/src/wallet/wallet2.cpp#L3105-L3117
17:16:19 <rbrunner> Ah, that's some of the stuff you built on top my own PR
17:16:32 <xFFFC0000> The restricted and unrestricted are same algorithm fundamentally?
17:16:33 <jberman> then `m_node_rpc_proxy.get_transactions` requests in 100 tx chunks
17:17:44 <jberman> yes so current wallet2 wallets using this endpoint should automatically know to get chunked requests even if a non-restricted daemon updates to use this logic
17:18:03 <jeffro256> Hmmm that's weird that I didn't notice that before. Technically, this is not guaranteed to be consistent if I understand that code correctly; txs may leave the pool between calls to /get_blocks and /get_transactions
17:18:07 <xFFFC0000> Exactly what I was thinking. Thanks a lot.
17:18:33 <xFFFC0000> jeffro but you get the hashes of all txis at the time of first request.
17:18:36 <rbrunner> Well, if you get anything in chunks it's impossible to avoid that, no?
17:19:53 <jeffro256> rbrunner: not necessarily, if you obtain the transaction data in a way that respects pool update times 
17:20:00 <jberman> if it's not in the pool then read_pool_txs won't add it
17:20:22 <rbrunner> Right.
17:20:40 <jberman> and the request shouldn't fail since it's using /get_transactions which includes both pool and non-pool txs
17:24:55 <jeffro256> It could in the pool, then served in remaining_added_pool_txids, and then pushed out of the pool before the  follow-up call to /get_transactions, right?
17:25:31 <jberman> right, in which case read_pool_txs won't add it to the struct the pool logic uses to process pool txs
17:25:34 <jeffro256> If it's served in added_pool_txs, that should be fine as long as the packet size isn't too big 
17:27:02 <jberman> fwiw I still don't think there's a perfect way to do this, since prior txs you already read may also exit the pool by the time all chunks are complete
17:27:31 <jeffro256> Okay so we just need to adjust the balancing between added_pool_txs and remaining_added_pool_txids on the daemon side then?
17:27:35 <jberman> I think this is a reasonable approach (and it also mirrors what wallets did before the incremental time logging change)
17:27:52 <jeffro256> ... Assuming the the TXIDs don't take up up the max packet size
17:28:07 <jberman> ya it won't work if txids take up max packet size
17:28:58 <jeffro256> That's like, what 3 million txs added in the pool since the last fetch?
17:30:34 <jberman> haha what's the size again?
17:30:58 <xFFFC0000> 100mb for max levin package size.
17:32:18 <jberman> yep ~3mn txs
17:34:15 <Rucknium> Do we need more time for discussion on this?
17:35:28 <jeffro256> I think that should be fine
17:36:20 <Rucknium> 4) Research Pre-Seraphis Full-Chain Membership Proofs. Reviews for Carrot. https://github.com/jeffro256/carrot/blob/master/carrot.md
17:37:58 <jeffro256> I followed up with some more firms since the last meeting, one has responded back and said that they will have a proposal soon
17:38:29 <jeffro256> A couple of minors changes to the spec also
17:39:12 <jeffro256> Not much other than that at the moment, though
17:43:01 <Rucknium> Different FCMP topic: From what I understand, monerod will still provide an RPC endpoint that would allow wallets to construct the FCMP input proofs, as a backup to wallet-side merkle tree cacheing. Therefore, a decoy distribution is still needed.
17:43:18 <Rucknium> Is that correct, as of current plans?
17:43:58 <jeffro256> Yes
17:44:21 <jberman> It has been then plan, but the more I'm thinking on it, the less I think it needs to be there. Even light wallet servers would be able to keep track of owned paths today using just the view key
17:44:50 <jberman> It's only when we have that "filter-assist" light wallet tier when light wallets would definitely need that endpoint
17:45:41 <Rucknium> My short-term plan is to finish up some of the black marble research items, finish the OSPEAD estimation with current data, then possibly work on fee uniformity and/or evaluation of Clover.
17:46:37 <Rucknium> Which the OSPEAD estimate would provide the decoy distribution if it is needed in the final FCMP codebase.
17:47:13 <Rucknium> It would be good to get fee uniformity and Clover investigated before the FCMP hard fork, too
17:47:19 <jeffro256> I worry about pushing some mobile wallets (or wallets with lazy devs) into becoming de-facto light wallets if they are either forced to implement wallet-side tree building in a short time or become a light wallet 
17:48:01 <rbrunner> Hmmm, I was thinking most of them use wallet2 at their core
17:48:14 <jberman> ya and wallet2 will do it
17:48:15 <jeffro256> Yes, the ones that use wallet2 would be fine 
17:48:26 <rbrunner> And the rest MyMonero or MyMonero tech
17:49:06 <Rucknium> AFAIK, Exodus has custom code that works with remote nodes.
17:49:28 <jberman> isn't Exodus a light wallet too?
17:49:51 <jeffro256> Rucknium: we might add an additional daemon output distribution that covers all the outputs that FCMP would be able to spend from (which is everything not malformed), as opposed to the RingCT distribution. I don't know if that would affect your research
17:50:36 <Rucknium> No. You can choose your own remote node with Exodus Desktop at least. And I think Mobile, too (check with tobtoht)
17:51:36 <jberman> I think switching a full wallet to a light wallet is way more work than using the new client-side tree building algo when syncing 
17:51:57 <jeffro256> You might be right 
17:51:58 <rbrunner> Well, Exodus is multi-coin, and not open source, last time I checked.
17:52:13 <Rucknium> Basically, it wouldn't because non-RingCT outputs are spent verry rarely. Just ned to make sure that the support of the distribution has positive probability to the beginning of the chain. Basically every distribution I am working with has unbounded support, so they satisfy that
17:53:11 <Rucknium> IIRC Exodus produces about 5 percent of Monero txs
17:53:30 <rbrunner> Yeah, and I was the one coining the motto "No wallet left behind" :)
17:54:24 <jberman> if Exodus isn't using wallet2 and implemented their own syncing logic, they should be more than capable of porting the tree building sync algo
17:54:39 <rbrunner> That RPC call would not be very expensive to implement, I guess?
17:54:53 <jeffro256> Probably not 
17:55:37 <jberman> no it's a very simple endpoint
17:55:43 <Rucknium> There were a bunch of wallets that missed the Aug 2022 hard fork deadline, including Exodus. AFAIK the main change was view tags.
17:55:44 <jeffro256> We also need an RPC endpoint that compresses the tree before a certain client-specified height anyways unless we want to force every user to resync their wallet from height 0
17:56:25 <jberman> yep
17:57:07 <Rucknium> I have a table of which wallets missed the deadline here: https://github.com/Rucknium/misc-research/tree/main/Monero-Nonstandard-Fees#determining-which-wallets-are-creating-transactions-with-nonstandard-fees
17:57:46 <Rucknium> I think a lot of those wallets in the table used LWS/MyMonero code
17:59:02 <Rucknium> 5) 10 block lock discussion https://github.com/monero-project/research-lab/issues/102
17:59:52 <Rucknium> I have been working on kayabaNerve's query from last meeting, which I thought would be "easy". I am still not completely satisfied with my probability model, so I don't have computations to share yet.
18:00:08 <m-relay> <c​haserene:matrix.org> FYI, the availability of the monero.social Matrix is very spotty on my end. I still haven't received Rucknium's 15:08 UTC reminder either on my monero.social or my matrix.org account, I only see it on https://libera.monerologs.net/monero-research-lab/20240918
18:00:19 <m-relay> <c​haserene:matrix.org> whoever can read this: try from IRC (e.g. HexChat: https://hexchat.github.io/downloads.html). that at least seems to work.
18:00:31 <m-relay> <b​asses:matrix.org> there are issues with monero.social currently
18:00:33 <Rucknium> Does anyone have access to this paper? Jiang & Zhang (2024) "Profitability Analysis of Time-Restricted Double-Spending Attack on PoW-Based Large Scale Blockchain With the Aid of Multiple Types of Attacks" https://ieeexplore.ieee.org/document/10644062
18:00:41 <Rucknium> Published just last month
18:00:49 <m-relay> <r​ottenwheel:kernal.eu> PSA. monero.social Matrix homeserver is down. If you still want to participate in today's MRL meeting, use a different homeserver or join through IRC.
18:00:54 <chaserene> (^I guess monero.social is back.)
18:01:10 <chaserene> (old messages incoming)
18:01:24 <m-relay> <r​ottenwheel:kernal.eu> Or perhaps it'll be postponed till homeserver is back up. We'll find out soon.
18:02:17 <rbrunner> If you think it can't get any worse ... then you are bombarded with hours' old messages
18:02:46 <Rucknium> 6) Chainalysis capabilities video.
18:02:57 <Rucknium> Any more thoughts on the video?
18:03:12 <chaserene> back on topic: IMHO if we were to use Kayaba's requirement from the last meeting, 10 blocks seem to be...too low
18:04:02 <Rucknium> There is a huge difference between an adversary having 10 percent and an adversary having 30 percent of hashpower
18:05:47 <rbrunner> I don't think that anything more than 10 is viable for "political" reasons - I don't think will swallow that.
18:06:14 <rbrunner> *people will swallow that
18:06:48 <rbrunner> Not that this should disturb any research, of course
18:06:53 <Rucknium> Endor made some nice tables of historical deep re-orgs on other chains: https://gist.github.com/endorxmr/a13dce62ae1ba4676a1ed0311d96bf07
18:06:58 <chaserene> Rucknium: yes. I guess this is about trying to guess what capabilities the adversary has, which we can't know for certain.
18:07:38 <chaserene> rbrunner: I would agree
18:08:14 <m-relay> <0​xfffc:monero.social> ( I can’t vouch for this service. But some people are using it successfully to access scientific papers :
18:08:16 <m-relay> <0​xfffc:monero.social> https://www.smartquantai.com
18:08:18 <m-relay> <0​xfffc:monero.social> )
18:10:16 <chaserene> Endor's table is interesting, would be even more useful w/ reorg depths (in hour terms)
18:10:16 <Rucknium> At least with this research we can say for some N lock time, chosen by heuristics, politics, or otherwise, _this_ is the risk profile.
18:11:16 <rbrunner> Fully agree, that's very useful in any case
18:12:04 <Rucknium> I think we can end the meeting here. Thanks everyone.
18:12:34 <jeffro256> Thanks everyone!
18:13:13 <chaserene> Rucknium: no doubt about that. I'm curious though to understand, what parameters would such a risk profile include?
18:13:38 <chaserene> BTW, thank you all
18:14:24 <Rucknium> Adversary's hashpower share and how long they possess it. Any ideas on any other ones to include?
18:18:19 <chaserene> got it, so this is similar to the table you presented last week. Endor's table made me think that the security budget [dollars/sec] is a factor. I'm unsure how to incorporate it though.
18:19:32 <m-relay> <k​ayabanerve:matrix.org> I've realized and am willing to concede I don't have a clear view of what powers should be conceded to an adversary and what probability we want to reduce to at this time. I appreciate Rucknium doing the work I asked for on the feasibility of DoSs with limited hash power over time, and look forward to that number in order to influence our decision making process (though off-hand I<clipped message
18:19:34 <m-relay> <k​ayabanerve:matrix.org> 'd guess they'll be so unlikely they won't matter). I apologize if my request for those calculations are too burdensome.
18:20:06 <Rucknium> IMHO, the problem with saying that the adversary has X budget to spend it any way they want is that it's always better to rent a lot of hashpower for a very short period of time than to rent a little hashpower for a long period of time.
18:21:00 <Rucknium> No, it's fine. That's what I'm here for.
19:42:10 <chaserene> ok, I *think* I get it. then, as I see it, the adversary hash power share value (the column headers in https://gist.github.com/Rucknium/da1e57b1864aca477dfa3b4e02e86e26) is about what we assume to be the upper bound on what share an adversary can get access to, regardless of their budget.
19:42:23 <chaserene> it's more about "how much of the current hash power is controlled by rogue entities who can urn malicious at any time" + "how much potentially rentable/buyable hash power is out there that's currently not used for mining Monero". is that correct?
19:44:43 <chaserene> *turn
19:47:37 <m-relay> <r​ucknium:monero.social> IMHO, that's a valid interpretation. The probability calculations don't tell you how the adversary acquired the hashpower.
19:59:24 <m-relay> <r​ucknium:monero.social> I like this passage from Rosenfeld (2014): "There is nothing special about the default, often-cited figure of 6 confirmations [for bitcoin]. It was chosen based on the assumption that an attacker is unlikely to amass more than 10% of the hashrate, and that a negligible risk of less than 0.1% is acceptable. Both these figures are arbitrary, however; 6 confirmations are overkill for<clipped message
19:59:26 <m-relay> <r​ucknium:monero.social>  casual attackers, and at the same time powerless against more dedicated attackers with much more than 10% hashrate.
20:14:05 <m-relay> <c​haser:monero.social> yeah. Satoshi was really good at coming up with arbitrary values that stick with people.
20:21:03 <m-relay> <c​haser:monero.social> do I sense it correctly though that that's not the interpretation underlying your table?
20:21:39 <m-relay> <r​ucknium:monero.social> daybreak: Big changes to the decoy selection algorithm at a time that is not a hard fork means that some users will be using the old version and some would be using the new version. The new Chainalysis video confirms that adversaries are using these types of transaction uniformity defects to reduce user privacy. See my discussion note here for some risk tables: https://github.com/<clipped message
20:21:40 <m-relay> <r​ucknium:monero.social> Rucknium/misc-research/blob/main/Monero-Fungibility-Defect-Classifier/pdf/classify-real-spend-with-fungibility-defects.pdf
20:24:16 <m-relay> <r​ucknium:monero.social> If there are no major problems with FCMP (which it looks that way right now), then an OSPEAD-derived decoy distribution would likely be used for wallet-daemon RPC calls as a backup to the in-wallet merkle tree cache as discussed in today's MRL meeting. If for some reason major problems with FCMP are discovered, then a hard fork to increase ring size with current RingCT tech could <clipped message
20:24:18 <m-relay> <r​ucknium:monero.social> occur. An OSPEAD-derived distribution would likely be implemented at that hard fork.
20:29:13 <m-relay> <r​ucknium:monero.social> chaser: The table is agnostic about that. These calculations start to get anchored when merchant and services use them. For example, I as a merchant weight how much my goods/services cost me, how much an adversary woud have to spend, etc. The calculations are made more complicated by the fact that an adversary can double-spend against more than one target. IIRC one paper suggested<clipped message
20:29:14 <m-relay> <r​ucknium:monero.social>  that merchants look at the total value being exchanged on the honest, visible blockchain to determine total risk (i.e. as if all txs were going to be double-spent). Of course, you cannot do that with Monero since amounts are confidential.
20:30:03 <m-relay> <r​ucknium:monero.social> But most merchants and services won't and don't make such complicated calculations. They just set a single confirmation number for everything, maybe arbitrarily chosen, and let it be.
20:31:29 <m-relay> <r​ucknium:monero.social> AFAIK, today the biggest value that is being exchanged is just other cryptocurrencies against each other, not real goods and services. Peer-to-peer electronic cash....?
20:33:31 <m-relay> <e​ndor00:matrix.org> Perhaps looking at this script might help? https://gist.github.com/endorxmr/07364dc54f277abf487574d455d67341
20:33:32 <m-relay> <e​ndor00:matrix.org> The security budget is the amount of money "generated" by the network over time. If we assume miners are rational (i.e. they never mine at a loss, i.e. they pay for electricity no more than they earn from mining), then that is also the maximum amount of money spent on electricity
20:34:51 <m-relay> <c​haser:monero.social> Rucknium I see. the shitcoin casino averted the double-spend threat :)
20:38:15 <m-relay> <r​ucknium:monero.social> chaser: I think it enabled the double-spend threat, just not with real goods/services, but with cryptocurrency exchanges. AFAIK most of the incidents in endor00 's table involved transferring other cryptocurrency coins out of the exchange as part of the double spends.
20:40:09 <m-relay> <e​ndor00:matrix.org> By playing around with the security budget, the electricity cost, and the efficiency of the mining devices, we can calculate an approximate size of the mining network (number of devices of a given model, total power consumption, profitability, ROI time, etc.) - which allows us to estimate on how much it would cost to acquire a given amount of hashrate (and thus, own a given % of the nethash)
20:42:05 <m-relay> <c​haser:monero.social> Rucknium yes, that's correct. however, I'm almost sure that the trading on on-chain DEXes (think Ethereum, Solana) outweighs CEX deposit/withdrawal volumes.
20:49:52 <m-relay> <c​haser:monero.social> to be honest (this is an answer to endor00 too), I may have misunderstood this discussion. my unconscious assumption was that the threat model includes adversaries with extra-protocol incentives, who mine alternative chains even if only for disrupting Monero (for which, admittedly, "double spend risk" is not the right term). a budget-based analysis makes a lot more sense there.
20:54:43 <m-relay> <r​ucknium:monero.social> It's potentially both types of adversary motivations IMHO. A targeted double-spend beyond the N block lock would cause collateral damage to other users who have their txs invalidated under FCMP. And for an adversary that just wants to cause disruption, the collateral damage _is_ the motivation.
21:03:06 <m-relay> <e​ndor00:matrix.org> Any incentive is a good incentive - the problem is quantifying it.
21:03:08 <m-relay> <e​ndor00:matrix.org> With a simple double-spend attack, it should be fairly straightforward (some % probability of success within a fixed timeframe, vs. a given "reward").
21:03:10 <m-relay> <e​ndor00:matrix.org> If the goal is pure disruption, you can frame it in terms of cost vs. effect (spend X $ to cause some amount of reorgs with some % success, and disrupt some number of txes worth some $ amount).
21:03:12 <m-relay> <e​ndor00:matrix.org> With other types of attacks, it's a bit more complicated, and requires some/a lot of assumptions about the attacker's costs and access to resources, or a more detailed model of what they're doing exactly
21:08:52 <m-relay> <c​haser:monero.social> yes, if we want to account for adversaries with extra-protocol incentives, cost and resource access are key.
21:09:26 <m-relay> <c​haser:monero.social> we could/should assume the attacker's priority will be to control as much hash power simultaneously as possible. these's a lot of compute in existence that's currently not mining Monero, could profitably mine it, and is accessible, so the share will be (100-ε)%.
21:09:49 <m-relay> <c​haser:monero.social> then, even if we pick a double spend attack success probability that we're comfortable with, for a good answer, we need to:
21:09:50 <m-relay> <c​haser:monero.social> 1) define a curve that estimates how much non-Monero-mining hash power can be simultaneously acquired at what cost, and
21:09:52 <m-relay> <c​haser:monero.social> 2) pick a budget for the adversary.
21:16:28 <m-relay> <c​haser:monero.social> (s/profitably/practically, we're beyond profitability here)