15:01:16 MRL meeting in this room in two hours. 15:02:08 Stay hydrated. Will probably be a long meeting. 15:21:35 I propose that the "1. Greetings" get replaced by "1. Water check" 16:42:45 Hi all! I'm Ben Sepanski, CSO from Veridise. In light of the upcoming discussion, we wanted to share Veridise's perspective on FCMP++ and SLVer bullet. 16:42:47 Since SLVer Bullet was updated based on the attached concerns (after we shared them directly) and announced before we heard back from Cypher Stack, we wanted to go ahead and share them publicly in case they are found useful by the Monero community or any future reviewers planning to create/analyze security proofs for SLVer Bullet. While we do not intend to perform further review, based on a brief pass we believe that neither of the two most serious issues raised were addressed by the update: 16:42:51 * The use of explicit curve addition formulas in the derivation of the verification equations results in relations that do not hold at the function field level (and are not equivalent to the expressions proposed by Eagen as claimed). See, for example, the SAGE script above, in which the original equations match the expected expression computed using SAGE's built-in functions, but SLVer bullet does not. As mentioned, we do not have capacity at this point to perform further reviews of SLVer Bullet, but the underlying issue of applying derivatives to an expression which holds over only a subset of the curve is still present 16:42:55 * The soundness argument contains a flaw in the use of Schwartz-Zippel, which also has not been fixed. SLVer Bullet’s soundness argument (Theorem 3.3.7) relies upon "Sage code 2 (see [Sla25]) giving statistical evidence of that the two cases result in the same distribution of roots, enabling our application of Schwartz-Zippel.” This does not constitute a proof and cannot provi de the basis for soundness of a cryptographic argument 16:42:59 To avoid multiple rounds of back-and-forth, we plan to continue work along the original line of reasoning based on the ideas of Eagen and implementation by Kayaba, and will share here if we have more updates 16:43:01 As mentioned in the first response, we reiterate our commitment to be actively involved in any constructive endeavour to ensure the correctness of the proofs, the clarity and precision of its exposition and the security of the scheme based on it, and hope this is helpful for any future decision-making. As always, we remain open to any further questions or concerns! 16:43:03 log_deriv.ipynb 16:43:05 https://matrix.monero.social/_matrix/media/v1/download/matrix.org/mrIQjbCrDTXpPLilgKjXsdwb 16:43:07 https://matrix.monero.social/_matrix/media/v1/download/matrix.org/ilabQZKNKVDxZrXZAbQvWROw 16:43:09 https://matrix.monero.social/_matrix/media/v1/download/matrix.org/gNUdNJDsKZsnxOmnriExRNLj 16:47:22 ben_sepanski: Welcome! Thank you for sharing. 16:58:42 For the first point, our new numerical values may be found on page 16 and 23, so the provided Sage code is no longer relevant, as it applies to the prior version. For the second, the Schwartz-Zippel issue HAS been addressed, on page 13. Our code was merely intended to provide, as we state, *statistical* numerical evidence, so was never intended to constitute a proof. It seems as i f there are misunderstandings between what we intended and what you have read (no claims as to who is "at fault" here, but we will clarify these issues in future versions). Veridise, we do appreciate your review, and thank you for helping to make Monero better, which is ultimately what we all want! ❤️ 17:00:33 Meeting time! https://github.com/monero-project/meta/issues/1244 17:00:42 1) Greetings (water check). 17:00:55 Hi 17:00:58 hello 17:01:03 glass half full 17:01:04 ji 17:01:05 hola 17:01:16 Hello! Are there leaks? 17:01:22 *hi 17:01:23 hi 17:01:25 hello (hydration check) 17:01:27 Howdy 17:01:37 hi 17:01:37 👋 17:01:54 *waves* 17:02:27 seas 17:02:29 2) Updates. What is everyone working on? 17:03:00 me: Analysis supporting changes to the DNS ban list: https://github.com/monero-project/meta/issues/1242 . Evaluated feasibility of setting up "honeypot(s)" to learn more about the infrastructure of the spy node network (seems feasible so far). Guided ditatompel to add MRL/DNS ban list columns to his table of remote nodes: https://github.com/ditatompel/xmr-remote-nodes/issues/191 https://xmr.ditatompel.com/remote-nodes 17:03:08 me: got lwsf into monero_c. but the bindings need to be re-worked and the build process is problematic 17:04:30 me: steering these bots to make this monerosim work 17:05:27 3) [SLVer Bullet: Straight Line Verification for Bulletproofs](https://github.com/cypherstack/silver-bullet). [Cypher Stack review of divisors for FCMP](https://github.com/cypherstack/divisor_deep_dive). 17:05:43 me: drafted a proposed spec for PoW-enabled relay "PoWER" (https://github.com/monero-project/research-lab/issues/133), handled compiler warnings for FCMP++/carrot with some help from jeffro too, set up core tests testing constructing a FCMP++/Carrot tx spending from a pre-rct tx, tests went smooth 17:06:46 I would like a summary and bottom line of what has happened since the SLVer Bullet paper was first released. 17:07:32 I think it would be best to hear from CS what they did, and then kayaba or I can summarize what that means for Monero and the implementation 17:07:35 We put out an update yesterday with extensive changes taking Veridise's review and annotations into account. 17:07:51 We also were able to prove that our verification equations are just simplifications/reductions of Bassa's/Eagen's 17:08:07 Me: getting very close to a first working version of hot/cold wallet implementation for Carrot/FCMP++. Importing/exporting received outputs works, creating transaction proposals works, signing works, and finalizing FCMPs and BP+s on the hot side works. It is completely backwards compatible up until when the FCMP++ fork activates, and shouldn't require much downstream reworking. Th e RPC interface is *almost* unchanged, except for a quirk where b/c of detached FCMP++ signing, the cold wallet doesn't know TXIDs of signed transactions, but that's how tx private keys are fetched in the RPC interface. The hot/cold protocol, as implemented, also supports "stateless" hot/cold interaction, cold-initiated transaction proposals, reduced overhead when hot wallets "rem ember" tx proposals, and Carrot-derived-key wallets in the future 17:08:11 In a sense, criticisms leveled by one of us toward the other or vice versa are superficial 17:08:35 we were able to improve soundness bounds and little stuff like that, and improve the arithmetical efficiency of our version over the previous 17:09:23 we present some statistical* evidence in the paper that our arguments are equivalent to Bassa's and we also provide a calculus-based explanation of why 17:09:56 we still have some issues we are currently addressing which revolve around kayaba's code 17:10:06 but other than that, "mysteries are solved," so to speak 17:10:30 Shall I step in with my perspective now? 17:10:48 don't ask, just do :) 17:10:50 Always <3 17:10:52 I know sgp_ wanted to first hear from CS. 17:11:58 Veridise and Cypher Stack, as of a week ago, disagreed with each other's work. Currently, Cypher Stack is signing off on Veridise's work. We have already done the implementation for and audited Veridise's work. That reduces, albeit incredibly so, all of the work of Cypher Stack to one, very long, and with many adjacent threads, review of Veridise's work which has come back with approval. 17:12:08 *is now signing off on 17:13:16 to be more specific, it might be best to say "cypher stack believes that eagan's scheme is secure to use" 17:13:45 Our initial contract was to look over Bassa's / Eagen's stuff. We found it unconvincing, mostly because lack of background, proofs, and skipping over several things we deemed important. Reverse engineering that work to get it to the level of mathematical rigor we were comfortable with was taking quite some time and MRL was putting pressure on us to deliver quick. 17:13:47 Given the time constraints, we gave a thumbs down, even though our guts told us that it would probably work out correctly. We just didn't have the time to do said rigor. 17:13:49 We decided to take our own stab at it and made SLVer Bullet. During this current Stack Attack we have shown to our own satisfaction that our methods are equivalent to Veridise's. In so doing, we have fulfilled our original goal of giving a thumbs up or not do Eagen's / Bassa's work, though in a roundabout method. 17:13:51 Right, sorry. Signing off on the result, if not necessarily the methodology and existing work. 17:14:46 The only reasons to discuss Silver Bullet would be if we believed it more efficient to Monero in a way worthwhile of time and effort to migrate (non-trivial). Given how marginal any performance benefit would be _within our context_, I can not endorse investing that effort. That means, for the purposes of our discussions, even if Silver Bullet is an amazing artifact representing mo nths of works, we can simply add it to a list of texts in our library for this line item and move on. 17:15:18 Note the Silver Bullet paper proposes its own contexts/use-cases, and I am thankful to Cypher Stack for their self-organization and investment of their effort to promote Monero's security. 17:15:20 Given the above, Cypher Stack is, at this point, confident is saying that either Eagen / Bassa's work, or SLVer Bullet is fit for use in Monero. 17:15:21 Our continued work on SLVer Bullet has yielded several optimizations that we think would help Monero somewhat (though not massively), so we (obviously biased) think it may be worth it to look at the speed ups for SLVer Bullet and see if they would be worth the time to recode. And if not, using Eagen / Bassa's stuff is fine. 17:15:23 _very_ thankful 17:15:49 <3 17:15:52 marginal improvements, in Monero's specific context, are ~1% right kayabanerve ? It may be more efficient in other contexts 17:15:53 Within the context of the FCMP, each invocation of the current proof is _7_ rows in the IPA. 17:16:54 If that was decreased to five, we'd save ~8% of the proof. As the proof is padded to a power of two, we only observe literal performance benefits w.r.t. the summary MSM if we improve performance by 50%. 17:17:41 I'd find five a notable result, yet that doesn't change yes, it's of no effect when we're already at such a small constant. 17:18:24 We can argue the performance of linear constraints, which don't impact the size of the MSM, yet that's the point: they don't impact the size of the MSM. They're so relatively cheap I didn't even find them worth measuring the performance impact of. 17:19:10 Are these numbers for verification time or proving time? 17:19:32 inb4 even 1% is welcome on the verification side 17:19:39 And as per the witness size within the dedicated commitments, the one other metric this category of proof could improve in, I believe Cypher Stack agrees the current work is optimal. We currently represent a 256-bit scalar multiplication using: 256 field elements correlating to bits _and_ a 256-degree witness (SB's MakeWitness function) which has up to 256 roots. 17:19:49 > we only observe literal performance benefits w.r.t. the summary MSM if we improve performance by 50% 17:20:07 we *did* improve our proof size over the previous version 17:21:12 surae: Communication of the Silver Bullet proof, for a 256-bit scalar multiplication, requires the scalar itself _and_ a witness polynomial with at least 256 elements, correct? 17:21:17 SyntheticBird thank you, we definitely beat 1% 17:21:35 I understand the prover builds the proof from there. I just want to set the base fact of how that communication is still required. 17:22:31 K, I immediately want to clarify this: Cypher Stack did not build nor propose a proof for usage within a Bulletproof. If we were to adopt Silver Bullet, we'd have to apply the same techniques as seen with the existing work to execute it within a Bulletproof. 17:22:53 The performance benefits claimed, to proof size, proving, and verification, become negligible within the context Monero currently wants to use this proof in _AFAIK_. 17:23:22 In the contexts Cypher Stack proposed, designed, and built, their proof for: Oh yes, much more efficient. No disagreement. 17:23:33 *Within* a Bulletproof, we present divisors *applied to* Bulletproof 17:23:42 _Within_ a Bulletproof, we present divisors _applied to_ Bulletproofs 17:23:43 kayabanerve @kayabanerve:matrix.org: correct 17:23:46 re: proof size 17:24:02 not including a few extra field elements 17:24:23 surae: Right. With the current proof, the only elements we explicitly commit to in Pedersen Vector Commitments is the scalar itself (decomposed) and the 256-element witness polynomial. 17:24:36 If both proofs have that (the statement and the witness polynomial), there is no room for improvement there. 17:25:17 The only improvement, _within our context_, is with regards to the IPA rows (currently a constant `7` which means any improvements are marginal) or with regards to the linear constraints (a negligible part of our performance). 17:26:04 I am not trying to bash Silver Bullet, which proposed new contexts and made great efforts on their efficiency. I just want to keep the discussion focused to our current context due to the amount of discussion we've had on it already, ideally culminating here and now. Introducing yet more doesn't help wrap this up. 17:26:31 But the new contexts proposed are worthy of review and consideration, and I do believe CS deserves acknowledgement for them: I am just asking not right now. 17:28:58 Because Veridise and Cypher Stack agree on the current implementation's definition, the only note is one question I raised with Cypher Stack recently. The Silver Bullet paper defines a `line` function, while my implementation has our own `line` function. The two are distinct. This would imply my proofs... math differently, and yet they are accepted by the verifiers I've defined an d tested with. If my proofs are valid, yet their math is different, why are they valid? 17:29:38 That's something we're trying to address right now! 17:30:04 I've asked Cypher Stack for an answer (of which they are not obligated to give, of course), but I believe they've been generous enough to work on to at least some degree. if this one 'discrepancy' is resolved with Cypher Stack, I see no reason not to consider the theory accepted and move on to discussing a second audit of the implementation: as-is. 17:30:25 (including potentially not obtaining a second audit, I'm just noting where the discussion would shift) 17:30:31 I am confused by the current status of the objections raised by ben_sepanski at Veridise: 1) [Something] does not hold at the function field level. 2) Rigor of proof using Schwartz-Zippel lemma. 17:30:31 I think Cypher Stack thinks it has adequately responded to those objections in the latest version. Does Veridise still think the objections are valid, or not, or has Veridise not yet (and may never) looked at Cypher Stack's responses? 17:32:18 Rucknium: While I'd be happy to let Ben clarify their own position, as I do not want to speak for them, I also don't wish to expect their answer nor demand their time. Their review of Silver Bullet was voluntary. My discussion short-circuited if Veridise agreed with Cypher Stack by nothing both parties agreed on the results worked on by Veridise. That means we don't _need_ Silver Bullet to be agreed upon, as we aren't implementing it. 17:32:52 We, to the best of our knowledge, have addressed every "category red" comment that they provided to us, as well as most of the "category orange" comments 17:33:50 So we argue that their two big points are not problematic for our case 17:33:51 So you could say that all this brings cryptography forward, but does not immediately influence us on the way to the first FCMP++ hardfork? 17:33:58 So we argue that their two big points are not problematic 17:33:59 Though we can also shift back to discussions on hiring Veridise for _mutual agreement_, hiring a third entity to review Veridise's work (with Silver Bullet provided as an auxilliary text), or continuing work on a unified publication regarding divisors _as oriented by Veridise_ to encourage further review. As that last discussion occurs, I'll note I believe Cypher Stack are already continuing with their publication, which should cause any inherent/natural review on their claims (including the claims of equivalency). 17:34:10 Freeman's response here to their response today 17:34:11 Thank you very much to Veridise for reviewing the work 😁 17:34:22 On (2), we do not believe the Schwartz-Zippel lemma (as written in either version of SLVer Bullet) can be applied. This is essentially because standard Schwartz-Zippel requires sampling variables [x,y] independently. When sampling points on an elliptic curve, the curve equation enforces a relation between x and y 17:34:23 On (1), we have not had time to look in detail at the updated derivations since our initial comments. It sounds like the updated equations match Eagen's, in which case they may be correct 17:35:27 kayabanerve: can you clarify the current primary blocker with the implementation? That's the most important thing for everyone to understand in the moment 17:35:30 Thank you, ben_sepanski 17:35:38 We can continue this part of the conversation in the Research Lounge? 17:35:40 The dependency between coefficients vs roots will be equivalent, by Vieta's formula. And our statistical evidence supports our viewpoint 17:36:48 #monero-research-lounge:monero.social 17:37:24 sgp_: Cypher Stack believes their work equivalent, therefore proving the validity of Veridise's work in their own method. Despite this, Cypher Stack's work suggests my work shouldn't work. As my work appears to work, the _implied result_ of Cypher Stack's _claimed result_ does not _immediately_ hold. I believe this should be fully understood before we continue with the _claimed re sult_, which is that Cypher Stack agrees with the current protocol because it can be proven equivalent to their own work. 17:37:38 "based on a brief pass we believe that neither of the two most serious issues raised were addressed by the update" vs "we have not had time to look in detail at the updated derivations since our initial comments. " 17:38:01 "based on a brief pass we believe that neither of the two most serious issues raised were addressed by the update" vs "we have not had time to look in detail at the updated derivations since our initial comments. " 😕 17:38:03 If I understand correctly, the two Veridise objections affect SLVer Bullet and not Eagen's original work, right? (I guess this is obvious now, but I want to make sure I have this clear.) Or do they affect the claimed proof in the SLVer Bullet paper that SLVer Bullet and Eagen's work is in some way equivalent? 17:38:08 Freeman Slaughter: can you please leave this? In the context of Monero we don't care right now 17:40:41 Rucknium: Correct. Cypher Stack believe Veridise's work is correct because their own work can be argued a method of proving Veridise's work. Veridise believes Cypher Stack's work has faults, and is therefore insufficient as a proof to this claim, but it doesn't change Veridise's work is only invalid _with both parties being wrong_. 17:40:58 This means we do have two independent organizations claiming the security of this result. 17:41:25 Previously, Cypher Stack said that the calculus work in Eagen's paper was "incorrect". How can this be? Was it 1) The calculus was correct, after all, 2) Cypher Stack found another way around the problem that didn't involve the "incorrect" calculus, or 3) Something else? 17:42:32 Though I still want to understand why the 'implied result' is not immediately understood, which of course Cypher Stack has said they're working on (much to my appreciation). 17:44:56 We always argued that Veridise *could* be correct, just that we were not convinced by their proofs. An unjustified proof can never be correct, because it relies on something whose veracity is not supported. The calculus was correct, in a consequentialist sense, but their proofs were confusing enough for us that we were forced to rederive them from scratch (which we only recently f inished to a level that we found sufficient) 17:46:50 From what I understand today, I would prefer that a third firm confirm the correctness or one or both of Veridise's and/or Cypher Stack's claimed proofs of the soundness of Eagen's divisors. 17:47:01 Rucknium, you're referring to the fact that in a previous MRL meeting, I stated that the calculus was incorrect. 17:47:03 This was because Brandon had said that Eagen had incorrectly applied the chain rule. The incorrectness comes from the fact that the use of it in that context was not justified. 17:47:05 For instance, their usage of the chain rule was not justified, in our view. So any application of it is "incorrect" until that step is justified 17:47:38 fwiw, I would support getting a third firm involved to look things over. 17:47:44 Rucknium: another review of the Eagan technique may still be warranted, yes 17:47:49 We can move forward with testnets and things in the meantime. 17:47:59 But these two firms are currently in agreement with the Eagan scheme being secure 17:48:01 Rucknium: You understand we currently have both research outfits agree the currently defined proof is secure, with independent methodologies, correct? 17:48:26 They don't agree on the same mathematical proof. 17:48:36 The fact they disagree on their methodologies does not shift _both must be wrong_ for the proof to be wrong. 17:48:37 That isn't what I expected. 17:48:56 They disagree on the _security proofs_ for the proof. 17:48:59 I expected CS to agree that Veridise's original proof was correct. 17:49:07 They both agree the proof has the desired mathematic effects w.r.t. elliptic curves. 17:49:19 Incorrect. They didn't make security proofs to disgree with. :P 17:49:21 They do agree the proof is correct. They disagree the arguments for it, at the time, were convincing. 17:49:29 they got to the same result with different work, which wasn't the simplest path but it still a valid option 17:49:44 CS wrote a new proof. 17:49:47 Diego Salazar: While a joking comment, it makes no difference to this discussion. 17:49:57 if budget allows, a third review could be commissioned, but it's not really _strictly_ necessary 17:50:16 Rucknium: Which is why we currently have two independent groups, with two independent methodologies, agreeing the defined proof is built on sound theory. 17:50:26 Hmm, doesn't the mountain of material to potentially review grow all the time? 17:50:50 If I understand correctly, the two firms disagree that the other's proof is fully valid. 17:50:53 Which is why I'd prefer to discuss using the budget on a second audit, before discussing a third review of the theory, with the emphasis being I'd like to move forward. 17:50:54 Now already two different proofs, if I understand correctly 17:50:59 a third reviewer might in theory make yet a third route to also support security 17:51:09 :) 17:51:16 (all of this assuming the 'implied result' thing gets circled back on, which I expect and believe will occur) 17:51:33 Do we know 51 qualified research outfits eligible to participate in a ranked-choice vote? 17:51:51 Is ZK-Security no longer available? 17:51:55 Rucknium: The other's arguments for why the proof is valid. They agree on the proof. 17:52:00 Ultimately, any disagreement with our work is a disagreement with Eagen's work, since we've shown them to be equivalent 17:52:06 Rucknium: The other's arguments for why the proof is valid. They agree on the proof we would implement in _some context_. 17:52:26 The proof != the security proofs, as I keep trying to iterate. 17:52:28 AFAIK, Veridise isn't sure that the equivalency holds. 17:52:37 Diego Salazar: I was making a joke on ensuring qualified review. 17:52:38 Ultimately, any disagreement with our work is a disagreement with Eagen's work, since we've shown them (the verification equations) to be equivalent 17:52:49 but Veridise independently supports the Eagan scheme 17:53:15 I would advocate for a 3rd independent review before mainnet, but prioritize tasks that move forward toward mainnet 17:53:17 both groups agree Eagan's scheme is secure 17:53:19 Why did cryptographers name something "proof" when that term was already taken? 🤔 17:53:26 Correct. So the actual summation is that: 17:53:27 1. Veridise supports Eagen's scheme 17:53:29 2. Cypher Stack supports Eagen's scheme in a way that Veridise doesn't agree with (SLVer Bullet) 17:53:38 the end result is indeed that both firms support Eagen's scheme 17:53:42 Sorry, but to take this back a second: Rucknium, of course, you are allowed to believe a third review is justified. I just want to be clear, both Veridise and Cypher Stack currently agree on a proof to implement. They have independent arguments for why the proof is secure, and disagree with each other's arguments. 17:53:48 with the caveat that there is disagreement on how the support comes about from Veridise's side 17:53:53 We only released v3 the other day, so I would like clarification on if the Veridise comments pertain to this new version or not 17:53:57 I agree with jberman . The "third review" can occur in parallel to the implementation work, and any other code audit work. 17:54:06 If a third review were to occur 17:54:07 If you could confirm your understanding is they disagree on the road, not the destination, that would be great Rucknium. 17:54:47 Zk Security was prior brought up as a 3rd party to bring in for this review. I think it makes sense to bring them in prioritizing other work at this time, but to keep them in mind for a future 3rd review 17:54:56 and/or, the existing can be implemented, and then a third review can review both the math and the implementation 17:55:30 This wouldn't qualify as passing peer review in a journal since the reviewer(s) would have to agree that the author had a valid, specific, proof. 17:55:37 i don't think charging the same people for reviwing both the math and implementation is a good idea 17:55:40 I have never seen "Ok, here are two possibly-valid proofs" 17:55:44 i don't think charging the same people for reviewing both the math and implementation is a good idea 17:55:57 Choose which one you like 17:55:59 at least not at the same time 17:56:11 Unfortunately, happens all the time in pure math.... 😅 17:56:18 I think they do agree on the destination. 17:56:27 Are we allowing the axiom of choice? 17:56:33 Heresy! 17:56:42 Yes, but not the well ordering principle 17:56:51 Axiom of choice is always necessary for any real work. 17:56:57 Insider jokes? 17:57:07 I personally don't believe in free will and have (as inscribed in the universe itself) decided not to be convinced by any proof requiring even the idea of choice 17:57:39 rbrunner: The axiom of choice is an axiom one can use when writing proofs, with extensive debate over if it should be used and the impacts of it. 17:57:42 There are like 400 distinct proofs of the Pythagorean Theorem. It is incredibly common to come upon a true result with vastly different methods. 17:57:51 The end result is, you can use it or not use it, up to you. 17:58:01 Here, we have two proofs. You can use or use the other. Up to you. 17:58:05 Unfortunately, this is the way math works sometimes. There are disagreements on subtleties here. We don't think these disagreements will affect Monero in any real sense. 17:58:22 But there will be people who prefer axiom of choice, and be people who prefer not to have it. 17:58:25 Zorn's lemma..... well, who really knows? 17:58:31 Luke Szramowski: I agree with you. It is not common for there to be two proofs and the two proof-writers to disagree with each other on the validity of the other. 17:58:48 Obviously, we'll find people convinced either way, and people not convinced of specific proofs regardless of if the axiom of choice was used or not. 17:58:49 I propose the following: 17:58:51 1. Get a third party to look over Eagen's work. Share Veridise's work as well as Cypher Stack's for background. 17:58:53 2. Move forward with testnets, since we do have two separate firms giving the ok. 17:58:55 we have an n of 2. need to get to that magic n of 3 17:59:05 That doesn't change here, we have two independent research outfits approving the result _as originally desired_. 17:59:13 I agree with Diego Salazar 17:59:23 I do as well^ 17:59:29 A third entity reviewing theory before a second audit would be a notable misuse of funds IMO. 17:59:37 I'll get a quote from zksecurity so it can be considered 17:59:47 second audit of what? 17:59:53 I will discuss with PUP about funding it. 18:00:11 so MRL doesn't have to hem and haw about misuse of funds 18:00:39 I don't believe, in good faith, I can prioritize a third review of theory (which already has two points of failure) before a second audit of its implementation (a current single point of failure). 18:00:42 PUP = Power-up Privacy 18:00:43 I also agree with kayabanerve that we should prioritize other work over the 3rd review 18:00:48 sgp_: please get me the quote (you can tell MRL too obviously), and I'll pass it on to get funded ASAP if PUP is down (Which they probably will be) 18:01:16 this lets MRL focus on the implementation review 18:03:12 The one! The only! 18:03:55 I think there may be loose consensus on proceeding with FCMP implementation code-writing and remaining code audits as priority. And a range of views from "indifferent" to "desired" for a third firm to review the Divisor mathematics, especially if it does not require funds from the FCMP research CCS 18:04:05 Diego Salazar: You're welcome to ignore my advisory yet that doesn't change a _cold read_ of your immediate messages is that the solution to a potential misuse of funds is to find a donor who doesn't care about potential misuse. I understand the point, where if we agree it'd be good to do eventually _and_ we have a large enough fund pool, why not, but I'm irked by the near-complet e circumvention of the oversight process not inherently because it's slow, but so we don't have to "hem and haw about misuse of funds" (which yes, was presumably intended as a jokey message where the real issue would be how long the hemming and hawwing takes). 18:04:22 The Divsior review as completely parallel and non-blocking to the other priorities. 18:04:33 Noting OtterSec looks like a solid candidate to bring in to the mix as well: https://pse.dev/blog/under-constrained-bug-in-binary-merkle-root-circuit-fixed-in-v200 18:04:57 I'd like to hem and haw _a reasonable amount_. If the amount of funds available is more notable, the amount we have to hem and haw decreases. 18:05:08 Wrong. But we can discuss later. 18:05:37 I ran out of water 18:06:04 I'd like to delegate the scoping discussions to SGP, as they volunteered and they asked, and hear the response. If they have a reasonable quote for both, we can discuss that, but my priority would be the _audit_ side of things. 18:06:34 Outside contracting zkSecurity for one task, when another task is the better-agreed priority, may delay the overall process. 18:06:56 Rucknium: It isn't completely parallel if it is scheduled sequentially to the same entity. 18:07:15 You got a point :) 18:07:48 I think an audit should occur as the main priority regardless. Please feel free to DM me or email me (justin⊙mo) if you have someone in mind for the audit! I can help with that 18:08:10 At this time, I'd also like to delegate to @jberman who has the practical commentary on moving forward as the R part of R&D runs in parallel 18:08:14 It is if the elements within the entity working on it would not be the same 18:08:26 "scheduled sequentially" 18:08:57 Ok, so do the third review of divisors after the code audit. That sounds OK to me, if necessary. 18:09:44 I will respond to this in Monero Research Lounge so as not to clog up the meeting. 18:09:46 I tend to agree, at least right now 18:09:56 I 18:10:09 sorry, *I'll get some quotes 18:10:19 What else needs to be decided & discussed on Divisors? 18:10:25 Thank you, @sgp_ 18:12:32 Ready to move on to agenda item 4 of 10? 18:12:53 I say yes 18:13:04 Yes 18:13:08 4) [Transaction volume scaling parameters after FCMP hard fork](https://github.com/ArticMine/Monero-Documents/blob/master/MoneroScaling2025-07.pdf). 18:13:25 Thank you, ArticMine for this write-up. 18:13:42 The third review of divisors not need be done by a third-party, and it may be cheaper / more efficient, to have both Veriside / Cypherstack work together to find a methodology that both are happy with. We may contract a third-party and still end up with a nre security proof for the divisors technique that the other two aren't happy with. Yes, there may be 400 proofs for the Pythag orean theorem, but there is probably at least one which basically everyone agrees is valid under certain axioms. If we do more theory review, I think we should try to move towards finding 1 methodology that almost everyone accepts, not 3 methologies which 33% each accept, and the rest partially accept 18:13:50 Any questions or comments 18:14:30 What the current thinking in regards to adding an additional safety 'ultra-long term' median to the new design? 18:14:32 Sorry typing that was slow, I can continue the convo in lounge for now 18:15:00 I look at that. 18:16:55 There is the cost of calculation. ~ 4 years of transactions 18:17:01 ArticMine: regarding section 5.2 Transaction Weights (Proposed), Input proofs weight, that's the originally proposed weight approach that jeffro256 implemented that I have some thoughts on: https://github.com/seraphis-migration/monero/pull/26#discussion_r2057203539 18:18:03 TL;DR my thoughts: it would incentivize making more txs spending the same number of inputs, rather than spending them in 1 tx (e.g. spending 3 inputs in a 1-in and 2-in would be cheaper than spending in a 3-in) 18:19:19 We have a conflict in pricing in consensus and node relay 18:20:43 So if we increase the weight in consensus to cover verification time then we also have to further in crease the fee in node relay to avoid soam 18:22:01 This is why I am recommending moving the price difference between actual size and verification time entirely to node relay 18:22:47 Also if the relative cost changes it can then be addressed in node relay 18:23:56 I don't follow the justification for selecting weights like that though 18:24:37 You mean for number of inputs 18:24:56 Right, rounding up to powers of 2 18:25:57 An original justification for that approach was to more closely tie weight to verification time 18:26:48 Is there no cost advantage in size or verification time with powers of 2? 18:27:04 Cost per number of inputs 18:28:22 The advantage is to increase weight more significantly than it would otherwise be increased using byte size alone, in order to more closely resemble the increasing verification time as n inputs increases 18:28:23 Namely say 3 vs 4 inputs 18:29:25 Yes but we can move this to node rlay 18:29:46 Relay 18:29:58 ArticMine: do you have the spreadsheet with exact tx byte sizes for Carrot/FCMP++ txs as-is? 18:30:34 No I was looking for this 18:30:43 With rounding up to powers of 2, someone is more incentivized to spend 4 inputs instead of 3 if they're able to, which is bad and also not reflective of the actual verification time or byte size 18:31:06 Then you have a point 18:31:15 https://matrix.monero.social/_matrix/media/v1/download/monero.social/JsKFvrmjEOzSkGSKoRVGYEFq 18:31:35 ^ Assuming divisors and Carrot stay as-is this should be accurate 18:31:48 well, I guess it's close to verification time since the verification time of 3 is only very slightly less than for 4 inputs 18:32:06 but that doesn't hold as well for 5 inputs vs 8 inputs e.g. 18:32:30 Then there is an advantage of 4 over 3 18:33:08 I will take a close look at the spreadsheet and review 18:33:58 Can see the tables here also that include size and verification time for the membership proof alone: https://github.com/seraphis-migration/monero/pull/26#discussion_r2057203539 18:34:16 The total verification time for a node for a 1-in FCMP tx and a 3-in FCMP tx is much greater than a 4-in FCMP tx, so this is in fact good, right? 18:34:50 We want people to spend a 4 instead of a 3 and a 1 (ignoring privacy for the moment) 18:34:56 This is a question for anyone familiar with the protocol: Is the size of `tx_extra`, usually/always the same size when the number of outputs are the same and the tx is of the same type with respect to paying to an integrated address? 18:35:57 If one is using Carrot or our current addressing protocol, basically yes. But there is nothing enforcing this at consensus 18:36:27 Yes but this does not take into account the additional fee per byte needed at node relay 18:36:40 I am asking this because the Transaction weight section on page 6 says "Use actual size." for `tx_extra`. 18:38:17 Actually, fun fact, the current code for tx construction can produce a different size of `tx_extra` and leak whether one of the destinations is a subaddress in >2-out transactions 18:38:18 The issue is that a 40k TX requires 16 x the fee of a 10k tx 18:38:19 Minor correction/question: In the right column of page 2, it says, "`f_IL = 0.95f_R` ; Minimum fee per byte". I didn't see `f_R` defined in the right column. I think you changed notation. Should `f_R` be `f_RL`? 18:38:43 Fee per bute 18:38:58 Byte 18:40:28 that's true. my line of reasoning there was incorrect. The problem with scaling to powers of 2 was not with 3-in+1-in compared to 4-in. It was on 3-in compared to 1-in + 2-in (the latter is incentivzied), and on {5,6,7}-in's not being incentivized compared to lower input combinations 18:40:32 Under the current situation of allowing these over size TXs at the minimum node relay fee applying the weights at consensus works 18:40:38 Isn't it more accurate to say that the total fee of all the tx fees is quadratic over the penalty zone, not that each individual transaction needs 4x fee? 18:41:08 It may actually need more than 4x or less than 4x, depending on the ratio of the total tx fee to the block subsidy 18:41:22 At the start of the penalty zone it is quadratic 18:41:58 Deep into the penalty zone it approaches linear 18:43:09 The issue is that a spammer can target the large TXs and create spam that low or no cost because the TXs are not mined 18:43:31 Except this is good for privacy. 18:44:10 Yes privacy is the other argument 18:45:18 Ya feel free to ignore my commentary on 3-in vs 4-in above, that's not where the issue is with scaling to powers of 2 and I was mistaken 18:45:57 I still advocate an 8-input limit. 18:46:25 But I guess if you want to argue taht it's superior for privacy to have 1-in and 2-in's versus 3-in's, then that's a discussion 18:46:27 Hell, we can even program a sunset such that the amount of inputs halve every three months until they reach the set target. 18:46:29 I am fine with that 18:46:41 8 input limit 18:46:48 ... or did my long-post with evidence resolve as 16-input? Is it 8 or 16 my final opinion was? 🤔 18:47:11 Regardless, point on an input limit <= 16 _and_ and a sunset can be on the table. 18:47:55 My point is that if more 8 inputs are allowed then the additional pricing at node relay is needed 18:48:16 Emphasis on if 18:48:43 I think this discussion is getting close to PoW-Enabled Relay (PoWER), which is later on the agenda. 18:49:57 In a past meeting we generally agreed on high input limits with PoWER^. A core benefit of high input limits is atomic high input txs and fewer outputs on chain when spending more inputs, which some seem to want pretty strongly 18:50:45 Regarding the fee discussion, I'm thinking maybe we give ArticMine more time to review the byte sizes / verification times and potentially adjust the proposal? 18:51:08 I am fine with that 18:51:22 Returning for a moment to discussing a safety median; the calculation being prohibitive feels like an addressable problem. An example might be to only consider every tenth block over the period of interest. 18:51:42 No need to stall discussion on this point, but I would like to see it thoroughly considered. 18:53:07 There are alternatives, namely restricting upward bandwidth for TXs before they are mined at node relay 18:53:10 We already cache a rolling median in the DB code, doing a billion block median is as simple as a 100K median like we currently have. The issue is if we want wallets to be able to calculate the fees 18:54:19 Don't wallets need nodes to suggest fees, anyway? That cannot really be avoided, AFAIK. 18:55:03 The wallets would not be impacted, all the sanity median does is restrict the growth of the long term median 18:55:49 ... and peg this growth to Nielsen's Law 18:56:14 We will come back to this topic next week, at least. 18:56:25 So this is a whole discussion that we could spend another hour on lol. It depends under what assumptions you want the wallet to operate under. If it's an SPV wallet model, we could put block weight rolling medians in the block content so it's attested to by PoW. Then the wallet need only trust the longest chain for valid fee data 18:56:35 5) [FCMP++ optimization coding competition](https://www.getmonero.org/2025/04/05/fcmp++-contest.html). 18:57:33 IMHO, a post-mortem of lessons learned on the competition could be nice, but maybe it is better to have another week of time to reflect, given the current time 😅 18:59:01 Need to write the official writeup. Waiting on clarification from binary fate on the General Fund funding a 2nd place prize. lederstrumpf's submission has been integrated and kayaba has already improved on it. fabrizio's submission is in PR and fabrizio has kindly fixed an internal test failure that I plan on adding to the PR today too 18:59:02 Yes I really want to post something like this, because the whole process was very insightful, and there were a few bumps that everyone could've skipped with a bit more planning by us on the front-end of things. And those things aren't necessarily intuitive until you've already done something like this 18:59:38 6) [FCMP alpha stressnet planning](https://github.com/seraphis-migration/monero/issues/53#issuecomment-3053493262). 19:00:30 I would like to move forward on an alpha *testnet, and will give more color on why I say testnet instead of stressnet for the time being 19:00:32 Sounds like we can scratch off SLVer bullet from the list based on today's discussion ... 19:01:32 Do spackle or ofrnxmr have anything else to add here that wasn't already posted in that GH issue? 19:02:08 With fabrizio's divisor integrated, prove() time is still quite slow for high input txs (128 input proofs take 5 minutes to construct on a high end Ryzen). I opened a tracking issue for this here: https://github.com/kayabaNerve/fcmp-plus-plus/issues/34 19:02:15 Mostly a plea for consideration: The planned scaling design allows 32MB blocks in the near term. Ensuring that the daemon can handle blocks of this size is significant. Instead of a spam attack creating a potential issue in the span of hours/days, it would take a couple of months. 19:03:11 That issue is solved by limiting the amount of supported inputs to 8 at the consensus level, which also improves privacy. 19:03:32 I don't expect we'd be able to bring that prove() time down in the short term. We can discuss action plans on bringing that prove() time down in the medium term. But I don't think it should hold up getting an alpha testnet up and running 19:03:56 Making Monero easy to use for everyone encourages the anonymity set to grow, which improves privacy :P 19:04:52 So I'd say for this initial alpha network, we have 2 options: 1) integrate very slow prove() times for high input txs, or 2) keep consensus as is at limiting to 8 inputs 19:05:26 Obviously, kayaba has an opinion on this lol, but worth discussing both routes today 19:05:32 for alpha I personally don't care 19:06:31 Or, keep consensus as-is, and simply have people choose whether or not to observe large prove times. 19:06:42 That would be the case if we deployed to mainnet today. 19:06:47 Let testnet model life. 19:07:08 A test/stressnet doesn't necessarily have to have high-input txs. Usually, it must have high-output txs to make it easier on the spam formation. 19:08:07 jberman: I am ok with either of those two options. 19:08:52 For the "wider" non-alpha stressnet, I would want to consider the options again at the time that decision would need to be made. 19:09:12 I'd go with #1. We should allow high-input txs, and let those people who want to make high-input txs deal with it for now 19:09:40 Ok, I'm fine with #1 19:10:12 Although in the tx construction APIs, we could perhaps allow a parameter which optionally caps the number of inputs 19:10:35 How about this plan: we aim to have all code ready to go for an alpha *stressnet* by next week's meeting, and settle on a timeline to stressnet then? 19:11:03 Tangential point, I also included this in the PoWER proposal 19:11:30 That sounds great to me. 19:11:32 to allow wallets to use the wallet API without shipping a PoW algo 19:11:39 Of course, I'm not writing any of the code :D 19:12:05 That's where I got the idea from ;) 19:12:27 Should we add PoWER to the alpha stressnet agenda? 19:13:03 I don't think so, that's going to take time (and also I've heard we may have an externally funded dev interested in working on it) 19:13:29 by external I mean non-CCS 19:14:11 K fair enough. Would also be nice to get data on hammering the nodes with high-input txs without PoWER 19:14:58 On to next agenda item? 19:15:22 are we on PoWER? 19:15:25 good with me 19:15:37 boog900: No 19:15:43 7) [Spy nodes](https://github.com/monero-project/research-lab/issues/126). 19:15:53 Here was my update pertaining to spy nodes: 19:15:55 Analysis supporting changes to the DNS ban list: https://github.com/monero-project/meta/issues/1242 . Evaluated feasibility of setting up "honeypot(s)" to learn more about the infrastructure of the spy node network (seems feasible so far). Guided ditatompel to add MRL/DNS ban list columns from my network scan data to his table of remote nodes: https://github.com/ditatompel/xmr-rem ote-nodes/issues/191 https://xmr.ditatompel.com/remote-nodes 19:16:19 AFAIK, the Core Team would need to implement any change to the DNS ban list contents. Feel free to comment on the issue and/or thump-up/down. 19:16:50 Any more comments or questions on this agenda item? 19:18:39 8) Rucknium's research agenda. 19:18:46 In the next day or two I will finish my current CCS and open a proposal for a new one. What should be on my research agenda? I think I should definitely continue to work on short-, medium- and long-term solutions to network-level privacy against spy nodes. I also have a few loose ends that I want to tie up, e.g. final versions of subnet deduplication and black marble MRL bulletins , writeup of results of safety of OSPEAD deployment. 19:18:49 A "new" topic I could start to look into would be mining pool centralization. I would want to explore voluntary pool Pigouvian fee solutions, i.e. pools agree that when their hashpower share gets "too high" that the fee they charge to miners increases, to encourage some miners to switch to a lower-hashpower pool. 19:19:01 I am on the fence about whether to package the OSPEAD results for submission to a peer-reviewed journal like PoPETs. PoPETs has a deadline for submissions every three months, the next being August 31. I would probably need most of August to get the paper in shape. 19:19:15 Any other suggestions are welcome :) 19:19:27 My areas are statistics, economics, and game theory. (But I prefer to make only light use of game theory on the grounds of methodological principles.) 19:20:34 9) CCS proposal: [Monero Network Simulation Tool](https://repo.getmonero.org/monero-project/ccs-proposals/-/merge_requests/589). 19:20:59 gingeropolous 's update on this was "me: steering these bots to make this monerosim work" 19:21:36 boog900: PoWER is the next, and final, agenda item. 19:22:26 10) [Proposal and spec for Proof-of-Work Enabled Relay ("PoWER")](https://github.com/monero-project/research-lab/issues/133). 19:23:07 kayabanerve: any more thoughts on Equi-X vs RandomX light? 19:23:22 Thank you for the proposed specification, jberman 19:23:35 Dynamically increasing miner fees is an interesting idea, and I have held for a long time that minexmr should've done this instead of shutting down, since the practical effect was that people redistributed to other centralized pools, but now there was one fewer big pool 19:24:06 I think this is also going to require a change in alt-block handling, otherwise people can get around the 10 block rule by mining lots of blocks and sending them all at once 19:25:04 I think that OSPEAD is absolutely still worth working on / polishing up for two main reasons: 1) Monero wallets might use decoy selection for FCMP path fetching, and 2) there will still be other ring-signature-based privacy coins in operation 19:25:13 Salvium, Zano, etc 19:25:21 This issue with RandomX being flagged by anti-virus scanners. I think that could be an advantage for Equi-X, right? 19:25:41 for example header only sync until we know the chain has enough PoW 19:25:48 Potentially yep, I noted that in that follow-up comment 19:27:24 also I wonder if putting the PoW on inbound connections would be better for preventing P2P node DoS 19:27:26 Equi-X seems the better fit re: purpose. 19:28:03 jeffro256: Thanks for your input. I was also unsure if a journal like PoPETs is "still interested" in ring signatures. It seems that they still are because they just published Christian Cachin & François-Xavier Wicht "Toxic Decoys: A Path to Scaling Privacy-Preserving Cryptocurrencies" https://crysp.petsymposium.org/popets/2025/popets-2025-0165.php 19:29:03 Moser et al. (2018) is one of their top-cited articles, too, which helps probably. 19:29:08 thoughts on ASIC resistance being a reasonable +1 for Monero compared to tor? 19:30:14 What is the difference between FPGA and ASIC resistance? I don't understand well, but I thought FPGA was basically a prototype-stage ASIC. 19:31:09 seen as this is isn't consensus, I think ours and Tor's requirements are similar here? 19:31:26 seen as this isn't consensus, I think ours and Tor's requirements are similar here? 19:31:34 Could one reasonably rent RandomX hashpower to create the PoWER PoW hashes? Or would the usual mining API not support that? 19:31:49 as in, inside `handle_notify_new_transactions`, only check for PoW on inbound connections rather than outbound? 19:32:18 I mean PoW for connection attempts not on txs 19:32:49 I think it would solve this issue `Txs sitting in the pool longer than 10 blocks` 19:33:01 An FPGA can be reprogrammed and repurposed, an ASIC is designed for one specific purpose (and costs a lot to develop, estimated $1mn with citation by tevador in that initial reasoning) 19:33:40 I'm not going to die on the hill of RandomX light over Equi-X, so if I'm the only one +1'ing RandomX light, I'd defer to Equi-X 19:34:45 Any estimate of the coding work time to integrate RandomX vs Equi-X? 19:34:48 thats to protect miners with 100's of incoming cx 19:35:21 ah gotcha 19:35:57 txs would still need PoW for public RPC nodes FWIW 19:36:16 unless you do PoW on RPC connections too 🤔 19:38:13 PoW on connection actually does make more sense, that's a good point, since a bad actor can only get 1 bad tx before getting dropped anyway 19:40:14 PoW on RPC connection for wallets that support it, otherwise said wallets can't construct >8-input txs over the connection if the daemon has the startup flag, seems to make sense to me too 19:40:40 To make sure that's true, check the procedure that is followed when a node gets multiple txs in a single message. Does it abort and ban on the first ban tx? 19:41:15 I think it does, but yes would need to make sure the node does this upon implementing too 19:41:32 Usually, multiple txs are clumped together in normal conditions, anyway. 19:41:35 first bad tx* 19:42:23 no ban, but does disconnect it seems: https://github.com/monero-project/monero/blob/fbc242d52d89d9c8021194cd4faae657c94d5a31/src/cryptonote_protocol/cryptonote_protocol_handler.inl#L943 19:42:31 yeah, im unclear why tor went with equi-x vs randomx, and if tor chose to go equi-x as a ddos prevention thinger, then aren't we trying to do the same here? 19:43:16 this was my argument: https://github.com/monero-project/research-lab/issues/133#issuecomment-3100620908 19:43:30 afaik 1 bad tx (doublespend) and connection is not banned right now (to prevent defamation attack) 19:43:53 Actually people would be able to create lots of valid txs and send them all at once, do we have a minimum block ref for FCMP? 19:44:03 I think that this opens an arguably larger issue: nodes can refuse connection PoW for valid connections and then honest connectors can't reuse that across the next connection. If the PoW is tied to transaction content and a recent block hash only, if my peer denies me, I can turn around and try to send it yo someone else for no extra work. If PoW is connection-based, I can be DoS' sd just trying to make a connection 19:46:17 true but they would need a large share of the reachable network addresses to pull off that attack, right? 19:46:20 cx timer ? 19:46:32 I believe there are better alternatives such as higher pricing in node relay for the targeted transactions 19:47:07 Fees don't help because the txs are invalid 19:47:09 Like how the spy nodes are current ~1/2 of the reachable nodes on the network? 19:48:43 They only make up like 15% of the outbound connections. Also if we took 50% at face value this "only" doubles the PoW, which should be relatively cheap anyway 19:48:49 A timer doesn't help in this scenario. In this scenario that I'm talking about, the node that is presenting the challenge / validating the PoW dishonestly fails verification and refuses to open a connection. Thus the honest challengee / worker must trash that PoW and try another connection, where the same thing may happen 19:49:07 otoh, if someone wants to build hardware to dos tor, they could then turn and dos monero (if we use equi-x for this). Then again, same applies to randomx in general i guess. 19:50:47 right, if we go with Equi-X, we are also in an idirect way increasing the incentive to construct an ASIC to DoS tor 19:50:57 Yes I get it 19:51:01 like it could cause some disruption, needing to compute more PoW, as your node connects to the network but once it has connections it should be fine. 19:51:03 Also this would presumably remove them from your address book, reducing there presence on the network 19:51:56 I don't follow this fully. Presumably dishonest nodes can hold connections for some time and then drop today, no? 19:53:00 It increases PoW by 15% under the current environment, but in this future with PoW-based connections, there is now a novel incentive to accrue outgoing connections from other nodes, so the percentage of dishonest outgoing connections may rise 19:53:25 Yeah but we don't need PoW to connect to nodes today 19:54:57 I mean the incentive is already there IMO, but even if they did PoW is not expensive enough where this becomes a problem IMO 19:55:22 This also has bad implications for transaction propagation times which is important for network stability 19:56:25 I thought this would be better as once connections are made they have sometime before a new connection is made, however with PoW per tx you now need to do a RX hash every hop. 19:57:20 I guess that is only for big txs, but I still think this would have no impact on tx propagation 19:58:31 PoW may not be sufficient to protect nodes with 100's of incoming cx ... 19:58:46 This is true. It would probably have better average-case performance, but worse worst-case performance 19:59:41 what is the worse case for tx propagation in this scenario? 20:00:57 Origin node is connected to many dishonest nodes at time of receiving the tx and makes new outgoing connections to propogate tx 20:01:55 it should already have connections as it would do so on startup not when a tx comes in 20:02:22 ohh wait they disconnected when the tx is sent 20:02:57 currently this would just cause a fluff to all connections 20:03:20 it is a black hole attack 20:03:59 so as long as one is good the tx will propagate, I don't think this is any different than the current protocol 20:05:00 One other related comment to PoW by tx versus by connection: after serious optimization, let's ballpark that 128 input proofs will take 1 minute to construct, compared to 4-5s for 9 input proofs. We may want PoW for txs with 128 input proofs to be much higher than for 9 input proofs. In theory the initial connection could include some PoW that allows some upper bound on inputs to address this 20:07:19 So we add state information and complicate the connection code even more than it already is. What if we want to relay someone else's high input tx? We can't do this with the connection cap 20:07:41 I think just target the max allowed for simplicity, 1s to verify a 128-input tx, right? so a 1s PoW? 20:09:21 If the PoW is per-tx, then we can add all these stricter requirements for bigger txs, and have the node simply relay the PoW alongside the tx w/ no issues 20:09:48 I was initially thinking keeping PoW proportional to prove time rather than verify so that dishonest actors are required to expend CPU time comparable to honest actors 20:10:22 what is the current enc/dec time ratio typical? 20:11:38 honest users are still doing double the work tho 20:11:52 Eh. I think we should just price in verification time since that's what we're trying to protect against 20:11:53 as they need to create the tx + PoW 20:12:10 Very ballpark estimates, high end machine, 1 input - 128 inputs 20:12:11 Verification: ~20ms - 2s 20:12:13 Prove: ~1s - 5 minutes 20:12:23 What do you mean by enc/dec ? 20:12:36 I assumed they meant prove/verify 20:14:13 Going off verify is fine with me 20:14:57 I ttied to figure out: how many dishonest nodes does is take to overpower 1 honest node with "valid" tx's. 20:15:07 *tried 20:15:29 does "valid" mean invalid? 20:15:35 We might even be able to go less, PoW per connection means for an attacker PoW per (connection + bad tx), whereas PoW per tx is just PoW per tx. 20:15:37 Meaning with 1 lot of bad PoW an attacker can send it to multiple nodes. 20:15:39 What do you mean by "overpower"? 20:15:47 black marble style 20:16:21 just keeping them busy 20:17:09 A black marble attack is an attack on decoy selection for ring signatures 20:17:23 It's a privacy issue, not a DoS issue 20:19:33 call it a different name, a load estimate. 20:20:11 but thats what testnet is for, innit? 20:20:30 Given that the meeting's length is potentially deep into record-breaking territory, maybe PoWER can come up for discussion next week. And in the meantime, people can comment on the `research-lab` issue. 20:21:14 I don't mind switching to Equi-X considering minimal support from anyone else for RandomX light 20:21:59 Going to keep thinking on the per connection vs per tx argument 20:22:37 oh and also will change the description to making PoW comparable to verify rather than prove 20:23:46 For the record, I like RandomX for TX PoW since the daemon already has a RandomX scratchpad loaded for block verification. IDK how complicated the Equi-X algo is, but if it's anywhere on the level of RandomX, I would prefer to not add the dependency when we have an excellent PoW algo as-is 20:24:09 But yeah, I'm fine with continuing this later 20:24:35 We can end the meeting here. Thank you everyone. 20:24:48 thanks, all 20:25:17 Thanks everyone! (I am now hydrated) 20:25:50 the higher the prove/verify time ratio, the higher the gain in network security. That was my point. 20:26:03 bye 20:33:06 a dishonest actor can create invalid txs in 0 time (aka prove would take 0s), whereas honest prove takes much much longer 20:37:08 But the verify time is finite hence the DDOS attack vector 20:41:05 maybe I got something fundamentally wrong here. But either way, a challenge/response system could get the job done. Sorry to sidetrack. 21:28:10 Shouldn't nodes locally adjust their targets as their proof verification queue fills? Wouldn't that somewhat handle publication of a large batch? 21:29:37 https://github.com/monero-project/research-lab/issues/133#issuecomment-3109508587 21:54:56 "There are like 400 distinct proofs of the Pythagorean Theorem." << after all that scroll back, this is just about all that i managed to comprehend from that MRL meeting today. 22:01:49 within these 400 distinct proofs of Pythagorean Theorem. 2% are actually useful, 31% are made bored mathematicians and 67% are made by students that needs to present some last year work 22:02:03 by bored* 22:05:33 * midipoet distinctly decides _not_ to apply this newly garnered knowledge regarding Pythagorus' theorem to the divisor's proof malarky