13:57:00 Proposing an idea to solve qubic saga and make p2pool more rbust for long term 13:57:01 Creating an option on p2pool to donate a chosen % of the mining rewards to use it as an extra mining reward on p2pool. 13:57:03 Assuming there's enough miners who care more about decentralization then short term profit (enough to create bigger subsidies then qubic) then we can end this saga, and make p2pool stronger for long term. 13:57:05 . 14:08:27 That isn't a solution, albeit it's a feature request for sech1. 14:11:47 Why isn't it a solution? 14:13:43 Because it's a potential improvement based on voluntary subsidiaries to combat other pools from offering subsidies, not a fundamental solution. 14:15:02 ^ as I see it within p2pool workings someone's share could "opt" to some degree into being provided to current PPLNS range 14:15:36 that way it can get seen in the regular scan for earnings/transaction building for rewards 14:16:05 so it's not giving anything more like they "donate" their share weight to others 14:16:24 would require p2pool changes ofc 14:16:49 the alternative is, you can get current miner addresses on p2pool, and, just mine on p2pool yourself on those addresses 14:17:55 that works today, and xvb already does that 14:25:42 if there will be enough subsidies from donated mining rewards we can make future attacks harder. Not a fundamental solution but a good temporarily solution that can also be used in future events ("good" miners will increase the % of donated reward every time a centralized pool gets too big) 14:41:54 DataHoarder: you can just only submit a fraction of the shares you actually mine. 14:42:10 that too 14:42:34 you can do it today, as described ^ 14:45:47 @fullninja:matrix.orgif you are positive that the attacker mines empty blocks only, choosing a higher fee tier will do no harm other than reducing your privacy a little. 14:46:13 they mine all 14:46:18 sometimes they mine empty 14:47:22 it was mentioned here, as they disconnect from network to do selfish they run out of mempool and high blocks in their attempts end up empty 14:55:44 You can get a list of p2pool wallet addresses, and either send XMR to them directly, if you wish so, or mine to their wallets 14:57:10 ... then feed your LLM to brag about it :) 15:01:16 MRL meeting in this room in two hours. 15:23:51 FYI, I am considering drafting a CCS on a finality layer and would have to prioritize: 15:23:53 A) The design and documentation 15:23:55 B) A proof of concept finality binary, which if necessary, could be immediately deployed using Ethereum as the finality layer 15:23:57 C) The implementation of my nominated consensus algorithm, which is the part that'll likely take the longest to competently do 15:23:59 I'm sure this'll be discussed during the meeting (one of the bullets is my meta-issue), but I wanted to raise this question *a bit* beforehand to give people some time to think/get any basics out of the way. I'm sure I'll restate all relevant parts during the meeting to ensure everyone is up to speed though. 15:25:42 At first glance, C seems like a horrible option. The reason it's present as an option is because if Monero ever deployed a BFT finality layer, the consensus algorithm used is largely independent from how it's glued into Monero (which is what A is). They're two parallel tracks BUT most of the time on auditing, performance, p2p networking, would be spent on the consensus algorithm ( hence why it arguably should be done first). 15:26:08 But all of this would be to begin development on a potential future choice, and we'll have the best education and discussions with option A. 15:31:11 Unfortunately, I won't be present, but I wish everyone who will participate a good meeting. 15:42:06 Regarding the BFT layer, i think the main concern is how to choose the validators. I guess thats part if A)? 15:42:10 *of 15:50:02 Technically, any method of 'stake' would work in a decentralized fashion, yet the proposals have been blocks mined or XMR. The former doesn't work _well_. It either has too long a window, and requires anyone who mines a block also runs a node for a year, or too short a window, and doesn't protect against 51% attacks which can be sustained for a few weeks. 15:50:55 Or they've been unquantifiable concepts like a node's reputation, or centralized such as 'the Monero team'. 15:53:28 *I'm not asking for feedback on a CCS which doesn't exist. I'm trying to take a temperature check to decide if I should submit a CCS and if so, how. 15:54:00 Sorry if this is too vague at this time 15:54:47 Though that'd be its own form of feedback 🤔 16:04:05 What is the Main reason of the proposed bft algorithm? 16:04:05 I guess it should be quantum safe and asynchronous? 16:04:07 Couldnt narwhale also fit this? 16:05:53 Can some of ETH‘s Casper FFG be introduced 16:15:02 Tusk isn't PQ. Ethereum's consensus isn't formally proven (though some derivatives are). 16:15:45 (Tusk assumes a random coin, and practically, random coins are done via BLS. While there are PQ random coins, to integrate them into Tusk successfully would be its own commentary). 16:16:43 I believe there's enough unknowns and discussions that if I was to make a CCS, it'd be best to be *my* presentation and analysis of options as leading to *a potential scheme* that everyone could discuss and contribute to before taking further actions. 16:30:14 I am just a bit scared of the cubic communication complexity 16:31:44 <1​7lifers:matrix.org> cubic communication complecity, also known as C3 16:31:55 <1​7lifers:matrix.org> cubic communication complexity, also known as C3 16:41:41 Practically ideally, we'd have quadratic. 16:42:24 (Avalanche claims constant, but with many issues elsewhere. Algorand published an interesting paper on asynchronous consensus with sub-quadratic complexity though...) 16:43:08 kayabanerve: Can I stop you there and wait until the meeting, which starts in 20 minutes? It can get messy when discussion before the meeting bleeds into the meeting. You can continue in #monero-research-lounge:monero.social . And I have a proposal. 16:43:21 This may be an unusual meeting. On the agenda is PoW mining pool centralization: https://github.com/monero-project/meta/issues/1254 16:43:39 This topic is fundamental to the Monero project. I will request more structure than usual for that agenda item. 16:43:44 The purpose of the discussion at _this_ meeting is not to decide any changes to Monero's consensus protocol and blockchain security model, but to start to plot out an Research & Development plan toward addressing weaknesses, both theoretical and empirical. 16:44:12 I propose that the structure of the discussion on the mining centralization agenda item be: 16:44:35 1) I anticipate that there may be more readers and writers than at a usual MRL meeting. Therefore, start by stating your relationship to the Monero project and areas of knowledge/expertise (if any). "Ordinary user" is a fine response. Participation by new participants is fine and encouraged. 16:44:48 2) State what you consider to be the major problem(s) with Monero's consensus protocol and blockchain security model, if you think there are any problems. This includes problems that have actually occurred and theoretical problems that are possible but have not yet occurred. Do not respond to each other at this point in time. 16:44:59 3) State what you consider to be Monero's ideological and ethical principles, especially as they are relevant to potential solutions to mining pool centralization. Feel free to rank the importance of these principles. Again, don't respond to each other at this point in time. 16:45:11 4) General open-ended discussion on potential solutions to the mining pool centralization problem. 16:45:22 (Don't post these now. Wait until the mining centralization agenda item comes up.) 16:46:24 If anyone has suggestions for this structure, please suggest them. 16:46:52 Of course Rucknium: 16:53:01 I would suggest that we separate the discussion between: 16:53:03 1) Improvements and fixes to the existing POW., both at consensus and node relay 16:53:05 2) The introduction of non POW consensus mechanisms such as but not limited to 16:53:07 Trusted Execution Environments 16:53:09 Proof of Stake Hybrid solutions 16:53:11 Other non POW consensus solutions 16:53:25 2) Is way more controversial than 1) 16:53:45 So we should start with 1) 16:54:37 ArticMine: That sounds great to me. Can I insert your two bullet points into my #4 above? 16:54:50 Of course 17:00:22 Meeting time! https://github.com/monero-project/meta/issues/1254 17:00:24 1) Greetings 17:00:40 Hi 17:00:43 hi 17:00:49 Hello 17:01:21 hello 17:01:29 hi 17:01:31 Hello 17:01:33 Hi 17:01:40 Hi 17:02:02 hello 17:02:57 👋 17:03:06 2) Updates. What is everyone working on? 17:03:55 me: Improvements to https://moneroconsensus.info/ , which monitors orphaned blocks and mining pool centralization. Writing up simulation results for questions on review of PR #9939 "p2p: Improved peer selection with /24 subnet deduplication to disadvantage 'spy nodes'" https://github.com/monero-project/monero/pull/9939 (Will post an hour or two after the meeting). 17:04:14 hello 17:05:06 Greetings. Looking forward to the meeting discussion. 17:05:10 Me working on the fee calculations. 17:05:45 The results are posted after the size estimates 17:06:20 3) [Transaction volume scaling parameters after FCMP hard fork](https://github.com/ArticMine/Monero-Documents/blob/master/MoneroScaling2025-07.pdf). 17:07:22 https://github.com/seraphis-migration/monero/issues/44 17:07:50 I posted the link s to the fee results here 17:09:10 bug hunting & testing some fcmp stuff 17:09:15 The enforcement of the requirement that all transactions are economical to mine regardless of size is the basis for the calculations 17:09:55 We have to take into account the quadratic nature of the penalty 17:10:30 my kiss take on fcmp fees/scaling: for fcmp fees i think we should do.. same 300kb standard median. larger txs mean fees will bump up to "normal" tier more often. Unimportant fee = 0.00002xmr per (input+output), other tiers same multipliers as current 17:10:33 This more than compensates for the verification time costs 17:11:00 The verification is linear per input afaict 17:11:30 Keeping the median unchanged failed in 2017 17:11:48 Long-time XMR user here. By XMR user, I mean I actually use it as a currency. I also mine. I have also attended Monerotopia. I typically take a hands-off approach, but in this instance, I'd be remiss not to speak up for other silent XMR users and encourage cypherpunk and decentralized values. It's easier to keep liberty we have, than to regain it once it's lost. I look forward to hearing 17:11:54 everyone out. That is all. 17:12:41 wrong chat 17:12:46 => #monero 17:13:09 maybe wrong agenda item 17:13:12 This would be the right chat if it were during the mining centralization item, which comes later 17:13:49 mea culpa all rights to the moderator, Rucknium our supreme leader 17:14:00 sorry. Please continue 17:14:01 wdym? 17:14:56 In 2017, didnt tx sizes decrease? I dont recall the history of the median changes 17:14:57 This? https://www.getmonero.org/2017/12/11/A-note-on-fees.html 17:15:23 The transactions were to big to scale so were stuck. A second hard fork was needed to fix the issue 17:16:08 I'm running fcmp right now with 8mb blocks (15mb at peak) 17:16:38 Basically if one increases the tx size by a factor of 3 then the base has to increase by a factor of 3. Fees then stay the same 17:16:48 Was it that a large tx could not fit in a block when the block size median had not been raised yet? 17:17:13 The fees get very high 17:17:55 This is good to know 17:18:42 It means that the proposal increase in the base median makes sense 17:20:16 Take a look at the 128 input TXs to see what I meam 17:20:55 The key ratio is tx weight/ long term median 17:22:20 I will keep the meeting moving... 17:22:25 4) [FCMP alpha stressnet planning](https://github.com/seraphis-migration/monero/issues/53#issuecomment-3053493262). 17:23:00 AFAIK, ofrnxmr has been trying to trigger bugs on his private testnet. 17:23:15 So that an alpha stressnet can begin. 17:23:53 Will the alpha stressnet fork from the public testnet, like the last stressnet, or start from genesis? 17:24:32 I think for the "public stressnet", fork from testnet would be good because performance issues could develop when the blockchain already has some GB in it. 17:25:43 jberman and jeffro256 aren't here right now to give an idea of how they view the exact launch process. But ofrnxmr could take the lead maybe. That would take some labor off their shoulders. 17:26:22 Oops sorry, thanks for the ping 17:26:43 This also impacted the fee discussion 17:27:24 I haven't looked at Artic's recent comments on the tx weight GH issue, but I'm going to do that today. 17:28:51 Rn I'm reviewing and testing the 128-in FCMP++ PR, seems good so far. The contest code is more or less ready to go for usage in the stressnet. I think that we could start planning the date for the stressnet now, but I might hold off until j-berman is here 17:29:43 "Will the alpha stressnet fork from the public testnet, like the last stressnet, or start from genesis?" << mine starts from genesis, _but_ the fees are different pre-tail emission 17:31:12 There was a major spike in fees in 2017 with the introduction of ring ct 17:31:50 Tx size ~13500 bytes for 2 in 2 out 17:32:06 Ok. The stressnet launch planning discussion can occur outside of the meeting time, especially so jberman can give input. 17:32:24 Jeffro, i'm also running the 128in pr. I think this shoukd definitely be included in stressnet 17:32:44 Forking from an existing network would yield more accurate DB migration times, more accurate FCMP tree handling times, etc. However, it might be an overhead that outweights its benefits 17:33:21 sorry, to chime in.. but it burns to ask.. was it not decided to restrict 8-in, 8-out (fan-in/fan-out) for FCMP? why these 128-in fee calcs? please ignore if it's out of place 17:33:33 Rucknium: at what chain size would it not be worth it in your opinion to use an existing network ? 17:33:38 I'm going to get my blocks up to ~20+mb and then share my binaries so rucknium and others can try it out 17:34:23 Jeffro, testnet is only abt 7gb iirc. My db is around 1gb currently 17:35:00 (But those 7gb take like 12hrs to sync.. ) 17:35:36 What seems to be a rough agreement right now is to allow >8-in/8-out txs at the consensus level, but require PoW to *relay* larger txs in the mempool 17:35:51 jeffro256: I don't know. I like forking from testnet since as ofrnxmr said, the fees and scaling, etc. And it was not difficult to do it last stressnet (but the code has changed a lot with FCMP, of course). 17:35:57 Probably b/c there are hardly any peers 17:36:09 no, due to checkpoints 17:36:32 Lack-of* 17:36:34 Or lack thereof? 17:36:42 Didn't new testnet checkpoints get added? 17:37:01 Not to the monero-project. We only added them to the stressnet 17:37:04 Okay let's do that 17:38:00 5) [Spy nodes](https://github.com/monero-project/research-lab/issues/126). 17:38:10 That's interesting, I wouldn't have thought that it would take that long to verify 7GB worth of tx proofs, but I haven't ever actually profiled it 17:38:31 jeffro256: had a question about simplification of the code in github.com/monero-project/monero/pull/9939 to have the "already-connected" subnet qualification to be made at the `/24` subnet level instead of the current `16` level. According to my simulations, it makes very little difference given the current network structure, assuming the spy nodes found by boog900 17:38:34 (for testnet w/o checkpoints at least) 17:38:57 its all the PoW hashes too 17:38:59 When honest nodes have the default 12 outbound connections, setting the "already-connected" subnet qualification to the `/16` subnet level gets you an average of 1.048 connections to the spy nodes. When it is `/24`, the average is 1.064. A very small increase. 17:39:04 I will post teh write-up and code on the PR 17:39:17 TIA 17:40:32 Like I said before the meeting, I want some structure in the next agenda item on mining pool centralization. 17:40:56 The purpose of the discussion at _this_ meeting is not to decide any changes to Monero's consensus protocol and blockchain security model, but to start to plot out a Research & Development plan toward addressing weaknesses, both theoretical and empirical. 17:41:05 But there is also geographical distribution concerns also, not related to spy nodes. How does going from /16 to /24 affect that? A less diverse set of already-connected peers might slow down tx&block propagation for those farthest away from the "center" of the node graph 17:41:55 jeffro256: I can look into that. I have the actual IP addresses of a network scan, so I can translate that into geography 17:41:57 Thanks 17:42:06 For the next agenda item: 17:42:13 1) I anticipate that there may be more readers and writers than at a usual MRL meeting. Therefore, start by stating your relationship to the Monero project and areas of knowledge/expertise (if any). "Ordinary user" is a fine response. Participation by new participants is fine and encouraged. 17:42:22 Thank you for doing that 17:42:25 2) State what you consider to be the major problem(s) with Monero's consensus protocol and blockchain security model, if you think there are any problems. This includes problems that have actually occurred and theoretical problems that are possible but have not yet occurred. Do not respond to each other at this point in time. 17:42:45 3) State what you consider to be Monero's ideological and ethical principles, especially as they are relevant to potential solutions to mining pool centralization. Feel free to rank the importance of these principles. Again, don't respond to each other at this point in time. 17:42:59 4) General open-ended discussion on potential solutions to the mining pool centralization problem. The discussion will proceed: 17:43:09 1) Improvements and fixes to the existing POW., both at consensus and node relay 17:43:13 2) The introduction of non POW consensus mechanisms such as but not limited to A) Trusted Execution Environments, B) Proof of Stake Hybrid solutions, C) Other non POW consensus solutions 17:43:27 Agenda item: 17:43:29 6) PoW mining pool centralization. [Monero Consensus Status](https://moneroconsensus.info/). [Bolstering PoW to be Resistant to 51% Attacks, Censorship, Selfish Mining, and Rented Hashpower](https://github.com/monero-project/research-lab/issues/136). [Mining protocol changes to combat pool centralization](https://github.com/monero-project/research-lab/issues/98). 17:43:40 could we agree on @jeffro256:monero.social proposed changes now ? 17:44:27 The context of this is Qubic's selfish mining strategy where they have perfromed a few blockchain re-organizations recently. One was 7 blocks deep. 17:44:50 FCMP++ R&D 17:44:51 Serai Developer 17:44:53 PoW vulnerability to coordinated actors at scale risking double spends and censorship. 17:44:55 Decentralization and privacy. 17:45:43 I have been involved with the Monero project since 2014 and with POW mining since 2011 Have worked on Monero scaling and have been on the core team since 2016 17:46:34 1) Me: I have been providing research analysis for Monero's privacy and security for about four years. I am an empirical microeconomist. My areas of knowledge are statistics, economics, and game theory. I have chaired the weekly MRL meetings for a while. 17:47:10 1] Monero Research Lab regular and researcher of blockchain technologies in general. 17:47:29 1) Monero dev since 2017. Chair of the weekly Monero Tech Meetings. Frequent poster in the Monero subreddit. 17:47:37 1. ofrnxmr. Monero abuser 17:47:39 2. ability to invalidate txs w/ a deep enough reorg, and no "rules" or protections against it. Exampke: we have a 10 block lock, but there is no enforcement that 10 blocks are actually final 17:47:41 3. payments. reliable and immutable. 17:48:15 2] I see two factors regarding Monero's current consensus that create a problem: 1) the mining algorithm is geared toward general-purpose hardware which is easy to access/rent, 2) the reward issuance in dollar terms is currently low both relative to other cryptos and the global availability of general-purpose hardware. these make attacks in the Nakamoto consensus (e.g. selfish min 17:48:17 ing, or a 51% attack,) more feasible than desired. 17:48:44 I see the Qubic situation as an attack on Monero's decentralization. There is also a lot of history since the principals in Qubic were also related to Bytecoin, an over 83% pre mine from which Monero was forked in 2014 17:49:07 There is a lot of history and bad blood here 17:49:20 2) Problems: Low security budget at the current real purchasing power of 1 XMR. Behavior of individual miners to concentrate in a few pools (unclear why this occurs). Using a "flow" to protect a "stock", i.e. only a flow of PoW rewards protects the stock of the value that users keep in the XMR in their possession. 17:49:25 1] scientist: physical modeling with recursive filter networks 17:49:27 is there a reasonably good writeup of the reorgs and, in particular, the contents of the reorgs and transaction equivalency (or lack thereof)? 17:49:38 Longtime user 17:49:39 I wish to keep the majority of Monero's PoW advantages and ethos, while strategically mitigating some of the most significant downsides of pure nakamoto consensus. Notably, these are decentralization, accessibility, censorship resistance, and fair issuance. 17:49:41 I do not believe PoW "tweaks" will address the most significant issues of nakamoto consensus in Monero. I believe that a TFL approach is most likely to yield the best tradeoffs. 17:50:34 2) The main problem I see is that Monero is too small, simply put. 17:50:39 3 The above says it very well 17:51:03 I have been asked to pass this message from discord: "I think I speak for a lot of people here saying the issue of mining pool centralization is quite concerning & requires immediate attention since a successful attack on the network would result in the loss of trust in the ecosystem and once lost, it'll be nearly impossible to get back. At the 17:51:03 time of writing, a 6-7 block reorg was demonstrated to have happened in the past few days thanks to rucknium's amazing tools & work with the help of other devs. A solution to this problem is needed yesterday & frankly monero should've addressed this issue a long time ago considering the historical progress in this field of research." 17:51:09 sgp_: TFL = Trailing Finality Layer? 17:51:26 kanzure: The tx contents of the re-orged blocks did not change. You can check this with `print_pool_stats` in your `monerod` console. No double spend txs attempted. 17:51:56 thank you rucknium. that is interesting. 17:52:01 3) Principles: Privacy, decentralization, accessibility, fungibility. 17:52:38 ordinary user, somewhat technical background and somewhat studied monero technicals. also, sporadic donor 17:52:39 2. 17:52:41 - double-spend attacks if >51% is reached, less likely since there the attacker would be known to be affiliated with the majority block producer. would presumably give way to legal recourse since this would be plain theft 17:52:43 - censorhip, restricting txs somehow. this is also the reason why i think that any finality might come short of mitigation since nothing can be finalized what wasn't accepted by a centralized PoW provider 17:52:57 3] principles: 17:52:57 * privacy. a solution shouldn't leave users, and ideally miners/validators too, any worse off than the current level. 17:52:59 * censorship-resistance. same as previous point. 17:53:01 * decentralization. 17:53:03 * resilience. if a solution works, it should work in highly adversarial settings too. 17:53:05 * avoiding high complexity. 17:53:07 * integrity of monetary policy. leave it intact, or at least never increase the overall issuance rate of XMR. 17:53:09 * asset integrity. the consensus protocol shouldn't issue a secondary asset. 17:53:11 * open-mindedness. judge solutions based on how they work and what they achieve, not where they come from or what narratives are attached to it. 17:53:22 yes, FTL = trailing finality layer 17:53:28 yes, TFL = trailing finality layer 17:53:30 Faster than light? 17:53:35 2] I pointed out that CPU hashrate may be rented 4 month ago and suggested a 2nd BFT layer based on Eigentrust - now called "finality layer" 17:53:38 When i said "payments, reliable and immutable", it should go without saying: confidential, accessible, and decentralized 17:53:40 what is the benefit of a finality layer compared to proof stake? 17:53:59 3) Monero should stay "trustless" and "permissionless". Otherwise forget all the fuss and use credit cards and paypal. 17:54:22 That stated, Qubic can make it appear that a double-spend against a victim occurred, by double-spending to itself. Then, a "double spend" tx would appear in the nodes, but there would be no actual victim, just propaganda value. 17:55:32 both are variants of BFT, one not based on wealth 17:55:33 Has everyone who wanted to speak on the first three bullet points spoken? 17:55:43 On principals: 17:55:43 We need to stay away from TEEs The Intel ME is an example of a TEE that even the NSA in the US found obnoxious 17:55:45 We also need t stay away from hybrid POS systems 17:56:33 which one is not based on wealth? its not like cpus and electricity are free 17:57:08 arcticmine: yes. 17:57:09 Now we will get into General open-ended discussion on potential solutions to the mining pool centralization problem. First: Improvements and fixes to the existing POW., both at consensus and node relay. 17:57:27 (Note: discussion of non-PoW solutions will follow after this first point discussion.) 17:57:39 I would suggest instead that we focus on hardening our existing POW both at the consensus and node really levels 17:58:38 what is the security budget currently and how much would the attack cost increase by this measure ? 17:59:06 Is this where tevador's bandwidth-based idea comes in? 18:00:02 There was a paper published recently in a top economics journal. It was circulated as a draft for a few years: Budish, E. (2025). "Trust at Scale: The Economic Limits of Cryptocurrencies and Blockchains", The Quarterly Journal of Economics, 140(1), 1–62. https://moneroresearch.info/101 18:00:19 Where can I watch the meeting? 18:00:21 Part of the abstract: 18:00:23 > This article shows that Nakamoto’s novel form of trust, while undeniably ingenious, is deeply economically limited. The core argument is three equations. A zero-profit condition on the quantity of honest blockchain “trust support” (work, stake, etc.) and an incentive-compatibility condition on the system’s security against majority attack (the Achilles heel of all forms of permissionless consensus) together imply an equilibrium constraint, which says that the “flow” cost of blockchain trust has to be large at all times relative to the benefits of attacking the system. This is extremely expensive relative to traditional forms of trust and scales linearly with the value of attack. In scenarios that represent Nakamoto trust becoming a more signi ficant part of the global financial system, the cost of trust would exceed global GDP. Nakamoto trust would become more attractive if an attacker lost the stock value of their capital in addition to paying the flow cost of attack, but this requires either collapse of the system (hardly reassuring) or external support from rule of law. 18:00:35 I like both trevador's idea and Sech1's with 1% 18:00:45 1. Full-time developer paid thru Monero CCS since 2023. User since late 2017. Formal education in computer science and distributed systems, and working knowledge of elliptic-curve-based cryptography. 18:00:47 2. One issue that I believe to have been a large one for some time is the lacking present security budget due to a front-heavy monetary emission policy. Unfortunately, this is hard to change after the fact. This *can* be helped by furthering adoption and raising XMR price to make financial attacks against PoW harder / riskier. 18:00:49 3. Principles: privacy, fungability, decentralization, permissionless, ease-of-use, honoring past social contracts, salability over time&space, battle-hardening, research-focus 18:00:51 Both can be implt 18:01:11 Implemented 18:01:13 CountBleck: Yes, it could. That's https://github.com/monero-project/research-lab/issues/98 18:01:16 I want to point out that BFT may be tied to a resource we control... and thats the community (trust) itself. 18:01:35 Keith Meister: You're watching it right now. It's all text-based. 18:01:35 do the monero developers consider monero PoW hard-fork to be substantially different from (say for example) successfully deploying a bitcoin PoW hard-fork? do the present conditions exceed anyone's notions for requiring a PoW hard-fork? just curious. 18:01:53 Personally, I don't think that any clear issues arose from RandomX. RandomX worked exactly as intended. Nakamoto consensus worked exactly as intended. An adversary selfishly mined blocks and lost more money than they made, though this doesn't factor in free PR value 18:01:53 Certain tweaks could be made to make pool mining less competitive, which could help reduce the advantage of mining pools and could help with decentralization. The tevador proposal, while interesting, may _increase_ centralization by turning away small miners (it raises their costs to require a node in some circumstances). In any case, I don't see these as addressing the "core" pro 18:01:55 blem, even if certain tweaks are considered appropriate and selected. Another proposal needs to be considered in conjunction, imho 18:02:40 Sorry to jump in, but this is very wrong. 18:03:38 But yes, we should focus on PoW immediately per Rucknium's chairing 18:04:43 I like tevador's proposal but am concerned about the risk a higher percentage of honest miners disappear than malicious miners, while in such a delicate state. 18:04:55 tevador did respond to this concern though. 18:05:03 As for the security budget a lot of the issue with Qubic is shifting of miners to their centralized pool 18:05:03 We also have to be careful here that we do not create a cure that is far worse than the desise 18:05:24 sgp_: I agree that it honest mining pools could become less concentrated, e.g. no honest mining pools above 5% total hashpower, the Qubic attack could still happen. Reducing honest mining pool centralization is good, but much more would be needed. 18:05:25 +1 18:05:35 That isn't to say I drop my concern, just to say tevador has their own opinion. 18:05:57 I dont think they _shifted_ miners, but attracted (or rented) dormant hashrate 18:06:10 rbrunner: can you clarify which message you're supporting, please? 18:06:21 ArticMine's 18:06:33 Cure versus desease 18:06:46 There are many bad options indeed :) 18:06:47 +1 on avoiding cures that are worse than the cancer 18:07:06 We have it in our hands to destroy Monero all on our own :) 18:07:14 Thank you 18:07:46 how much in dollar terms cost is it currently to perform a 51% attack on monero? I have read people say its 75 million or just a few hundred k 18:07:57 I'm not entirely convinced tevador's proposal is guaranteed to be better than worse re: the current malicious pool, but I support it generally. 18:08:21 kayabanerve: I would ask Matrix-side commentators to do the same by prefixing their response comments with the username of the user they are responding to. This helps keep IRC-side logs, which are used for the GitHub issue, understandable. 18:08:56 They have my being that successful on raw sustainable hash power. What Qubic is being very successful is in creating a social engineering attack. 18:08:57 When I see radical proposals that go against the basic principles of Monero, I see their success 18:08:59 $1 because by adding $1 in outside incentives, you'll pay the highest reward for hash power, and a hyper-efficient capitalist market will have all hash power go to you /s 18:09:18 This discussion is my evidence 18:09:33 we dont even have a clear number, right? is there a ball park figure ? 18:09:41 spirobel: About 432 XMR is emitted to miners every day. That is called the "security budget". 18:10:02 thats not much to secure billions of dollar in market cap 18:10:05 spirobel: They currently seem to pay with their own coin, emissioned weekly out of thin air, for free 18:10:55 Here are some tables endor00 produced a while ago: "51% attacks and mining incentives" https://gist.github.com/endorxmr/a13dce62ae1ba4676a1ed0311d96bf07 18:10:59 Which works as long as the AI-hype-ponzi machine keeps pouring in money to Qubic's coin 18:11:16 Exactly. That can take a while :) 18:11:22 [@articmine:monero.social](https://matrix.to/#/@articmine:monero.social) the best proposal ive heard, was sent to me in dm (and sent to pool operators). For pools to collude with one another to perform a real 51% attack with the goal of censoring qubic's blocks. i had to go to bed after reading that 18:11:54 spirobel: it's a function of the inflation rate, a very delicate balance that all assets need to keep, not just Monero. 18:12:04 100.000$ / month for 1GH 18:12:28 ofrnxmr: that only works so long as they have a minority hashpower, even if everyone else agreed to do that. If they got the majority for a sustainer period, then that wouldn't work. And we're back to square 1 18:12:44 lets say you are a whale right now, if you wanted to contribute to the security of the network you would have to sell part of your xmr to mine at a loss. so there is a negative feedback loop here. PoW just adds sell pressure and no security 18:12:59 Pool centralization has been an issue long time before qubic. Miners don't care. Even 0% fee is not enough to make miners move to p2pool. That's why #98 was proposed. 18:13:23 Spg, i forgot the /s. It was actually proposed, but asking to be 51%d is.. against monero core values 18:13:26 Which would stop them dead in their tracks right now 18:13:42 jeffro256: right, they're currently probably sustainable because they're dumping their coin on retail investors who buy into the hype. 18:14:10 let's all centralize around one big pool but it's actually trustworthy and only denies blocks by bad people /s, ofc 18:14:11 They are not close to 51% on a sustainable basis 18:14:15 "we hate big pools. also: hey pools, can you combine and 51% attack the network?" 18:15:31 I personally think that on the PoW tweak front, tevador's proposal is the most realistic, by far. That's where discussion should focus around in the future 18:15:36 One can even use node relay e orphan malicious blocks 18:15:47 To 18:16:17 sgq, I think node relay stuff is my preferred direction 18:16:23 Realistic short-term mitigations are: 1) Renting hashrate to help the network. 2) Temporarily raising tx fees (as a relay rule). 18:16:34 are there any ideas on how to fade in #98 slowely ?? 18:16:36 That's assuming we can differentiate Qubic blocks from non-Qubic blocks, which would probably rely on nodes connecting into Qubic mining pools 18:16:55 Where can I watch the meeting? 18:17:07 youre in the meeting now, keith 18:17:14 <1​7lifers:matrix.org> here. scroll up. 18:17:35 <1​7lifers:matrix.org> i got some fresh popcorn ready to last the whole meeting 18:17:43 Which users are the devs? 18:17:53 No checking how the block structure compares to an honest block structure. 18:18:06 also cc [@kayabanerve:matrix.org](https://matrix.to/#/@kayabanerve:matrix.org) what about an orphaned blocks difficulty addition, or uncle blocks etc 18:18:11 I suppose I'm also for higher tx fees. But it's not a complete solution 18:18:23 pow is nostalgia. why not rip off the band aid? if just 10% of xmr holders stake we have a security budget in the hundreds of millions much more than 432 xmr 18:18:26 So the diff isnt based on "5gh" when there is really 7gh mining 18:18:27 I thought Qubic patched that recently 18:18:29 If the difference is big enough block or delay 18:19:24 articmine wouldn't that just cause split consensus? 18:19:28 I'm not immediately sure if allowing referencing orphaned uncles to increase the network's difficulty would be good or not. I'd guess not, because whoever includes the orphans would face the wrath. 18:19:58 wouldnt everyone include the orphans? 18:20:01 If Qubic is forced to mine honest block the harm in the attack is diminished 18:20:17 IMHO, raising tx fees as a relay rule won't work for two reasons: 1) You would still not have enough fee, as a percentage of block reward. 2) It is easy to get around nodes that update to new node relay rules, so txs would still get to miners. This happened with nonzero lock time. 18:20:29 what would including orphans even fix here? 18:20:52 Agreed but there's no good way to require a block is honest. 18:20:55 The diff is artificially low. This would create an acxurate difficulty 18:20:59 you could allocate a minor part of the issuance to reward orphan inclusion. 18:21:21 Chaser, thats how uncle blocks work, no? 18:21:28 but that would just slow blocks down rather than stop a selfish mining attack 18:21:39 *agreed a miner forced to mine honest blocks diminishes the attack. 18:21:48 Yes, but nothing forces nods to relay dishonest blocks 18:22:09 I mean, it's bad for the network. 18:22:24 Selfish mining is based on withholding a longer chain so adversaries are mining on old data. 18:22:33 qubic created a lot of orphans during their attack that they didn't broadcast you would be rewarding them 18:22:38 ofrnxmr: I believe so, yes 18:22:41 Taking longer to switch to the best chain is on purposely keeping yourself on an old chain. 18:23:16 https://kevinnegy.github.io/Selfish%20Mining%20Re-Examined.pdf 18:23:17 > ETH, on the other hand, shows that a new selfish miner with any hash rate and any γ value can at least break-even. This finding is entirely due to the uncle block reward system that exists in ETH, which is described in more detail in Appendix A. 18:23:24 If honest miners are *randomly* behind the actual longest chain, they can immediately close the gap by switching and have the best odds of the actual next block. 18:23:53 According to my interpretation, giving uncle rewards can promote selfish mining, at least below the usual 33% hahspower threahold ^ 18:24:47 benefit of PoS is faster finality, higher TPS, no inflation. whales are naturally incentivized to protect network security by staking. tx fees will be enough to compensate stakers. 18:25:23 spirobel: I believe that discussion is tabled for later 18:25:26 ETH has serious orphan blocks issues due to relativistic (physics) effects 18:26:09 Rucknium: interesting, thank you for noticing that 18:26:32 Allowing uncle blocks also removes the current implicit penalty for slow block propagation, which can de-stabilize the network 18:26:35 It takes a finite amount of time for light to travel over fibre optic cable 18:26:38 if orphaning blocks skews the hashrate down, and given the general attack vector of having too few miners... how about rewarding net hashrate / difficulty increase? Incorporating that in a sort of dynamic block reward tied to a set difficulty over time? 18:26:39 Currently, it has a negative feedback loop, every new miner diminishes the returns of existing ones 18:27:41 in practice the hashrate goes up when the price goes up 18:27:46 it has been observed forever 18:27:47 you would be changing the emission then presumably 18:28:47 flip flop: if we assume 100 k for 1 month of 1GH it means the only reason this attack is not performed its because its hard to acquire that much cpus without kyc 18:29:42 I honestly wouldn't see anyone wishing to avoid kyc attack monero. On the other end I easily see people wanting to attack monero to not having to worry about kyc. 18:30:29 Lol. We do know who attacks us right now, no? 18:30:56 Rbrunner, we dont know who he works with/for 18:31:11 sgp_: the question is really related. 98 is just more band aid if at all 18:31:17 right 18:31:19 we cant even measure the impact properly 18:31:42 spirobel: which is why it's being discussed _next_. 18:32:08 A 51% attack against Monero could be considered a criminal act in many jurisdictions so avoiding KYC would make sens 18:32:17 spirobel: I agree with the practical challenge of renting hashrate. A thief swapping xmr to btc or whatever is incentivized to rent hashrate if they can to double spend. That's certainly an important scenario that Monero's consensus needs to be prepared for 18:32:52 Oh, sorry if I replied regarding the wrong thing spirobel 18:32:59 rentable hashrate is one of the most significant disadvantages of a cpu friendly algo 18:33:34 ArticMine: not quite, only the double-spend is criminal. not having more than 51%. 18:33:35 So yes, since qubic is public, double-spend is unlikely. Censorship/kyc attack after having achieved 51 more so IMHO. 18:33:52 asic friendly hashrates are more centralized around manufacturing, but it's harder to "driveby" doublespend 18:34:50 sgp_: Weakness and a strength. Network recovery after an attack is easier with CPU-mineable since no one could have bought up all the CPUs. 18:35:09 Attack against a computer network are criminal. There is no exception for privacy preserving decentralized networks 18:35:11 which renders even a finalizing layer mute, when you can't get your tx in the PoW block provider's block in the first place. 18:35:22 the sad answer is that high decentralization... has not been demonstrated in practice. In practice, we trust. 18:35:28 And even a strength for defenders to rent their own defense hashpower if there is advance notice, as in this Qubic case. 18:35:33 I wouldn't count on geopolitical superpower to apply their law to such an extent 18:35:50 rucknium yeah I'm not pro asic, but the cpu friendly algo has the downside of these social, ponzi-driven social attacks being easier to rally up 18:36:19 They may not have a choice 18:36:23 "there are pros and cons" ha 18:36:50 ArticMine Apologies for intervening but in most jurisdictions wouldn't an entity need to press charges for this to be an effective deterrent ? As long as i am aware there is no Monero Foundation legal entity at this moment to be able to do that... That's an assumption you can of course defend your point just bringing something up. :) 18:37:01 There is also the risk of decentralized litigation 18:37:16 Anyone familiar with a review research article on hardening PoW blockchain consensus? 18:37:25 Anyway, I think tevador idea proposed in "98" would take months of finalizing and hardforking into service. That may well be too late for our *immediate* "Qubic problem" 18:37:43 Anyone hurt by the attack could press charges 18:37:46 new included mining pool service: lawyers for civil litigation 18:38:30 ArticMine: if its down to this and we are ready to admit it: why do we need to buy cpus to secure the network and gift money to utility companies? we could reduce inflation to zero and tell bitcoiners: there will only ever be 18 million monero. And cost of attack would be orders of magnitude higher than it is now 18:39:26 It is one of many possible options 18:39:35 51% attacks are not criminal. taking over an org / hostile take-overs happen even in stock markets. but I'm not an expert 18:40:11 IMHO, probably the best short-term defense is people adding more hashpower, from their own machines or renting hashpower, during the Qubic hashpower spikes. 18:40:31 with that in mind miners could theoretically press charges for yesterday's attack for making them miss profits from the orphaned blocks i am unsure how realistic that would be 18:40:39 its the only option that is sensible. I saw someone mention he is willing to sell xmr to rent hashrate to secure the network. so currently we have negative inflation proof of stake. people love monero so much they are willing to pay to secure it. 18:40:58 Let's not be naive here, both US and Europe jurisdictions would be delighted to hear XMR plunged to death. That is without considering lobbyist and corruption. There is no chance that civils will achieve a case against Qubic. On the other end, it just take one grant from an ally/strategic country to Qubic to transform the case into a geopolitical mess that will slow/stuck things e ven further. Qubic have the high grounds here 18:41:22 I remember when an individual said that Bitcoin was not money in 2011. The SEC fitted the individual for an orange jumpsuit. 18:41:44 I will do a broad literature search on articles about hardening PoW blockchain consensus without altering its fundamentals. Any other specific actions to take on PoW-based research? 18:41:51 how would you prove your didn't just disconnect from the network and happen to reconnect once they overtook the mainchain? 18:41:55 Don't forget that courts, litigations etc. usually drags on freaking years. People, that's not useful. 18:41:59 the miner disconnect from the network^ 18:42:22 In the next 5 minutes I will move us to discussing non-PoW options, unless there are really new things brought up about PoW. 18:42:23 the shoe is always on the other foot with these guys. it's a commodity here, but money there *sigh 18:42:44 on Monero this would be enough to invalidate pretty much all txs if they reorged more than 10 blocks 18:42:51 rucknium: proof of work is nostalgia. 18:43:05 would checkpoints fall under PoW? 18:43:23 Hyc's rolling hash of hashes 18:43:30 also: pos would help with the eclipse / sybill attack of nodes 18:43:50 spirobel can you wait on the rucknium to bring the next point 18:44:04 We could still use checkpoints with PoS. Is that what you are asking? 18:44:07 spirobel can you wait on rucknium to bring the next point 18:44:31 boog900: IMHO, checkpoints with current PoW fits in this section. Could fit in the next section, too. 18:44:46 I wouldn't be for a distributed version like that, but not allowing reorgs beyond 10 blocks is something I have been liking the thought of more and more 18:45:01 checkpoints most closely fall under PoS/TFL, unless you are implying daily/hourly monerod software releases :p 18:45:40 Sgp, we have dns checkpointing, so it doesnt require releases. 18:45:47 no rolling checkpoints I think it what bitcoin cash calls just not allowing reorgs beyond 10 blocks 18:46:00 beyond X blocks^ 18:46:26 boog900: that leads to split consensus with nodes though. What chain does a newly syncing node follow? The highest hashrate one, or a different one with less work that other nodes claim they saw first? 18:46:48 i dont buy the bootstrapping is as a blocker 18:46:55 it would be the highest hashrate with the hope an attacker can't keep up forever 18:47:20 they would have a period where they can get new nodes but the real chain should overtake them eventually 18:47:23 Arguably, BCH has an bigger sword of Damocles hanging over its head than Monero does, with its SHA256 hashing. And BTC people wanting to kill it since 2017. 18:47:29 The chain which the majority of your peers are on 18:47:31 so during the attack we have two networks 18:47:36 If BCH does that, I guess they came up with a solution for these bootstrapping problems? 18:47:39 sadly 18:47:46 better than a big reorg IMO 18:47:47 We already have 2 networks during attack 18:48:07 BSV (Bitcoin Satoshi's Vision) had an attacker that mined empty blocks for a awhile IIRC. A rolling checkpoint wouldn't fix that. 18:48:23 currently nodes have clear instructions about which chain to prefer. With the same info, nodes will agree on which is the single "correct" one 18:48:57 your node can currently get thrown onto a bad chain during bootstrap 18:49:00 this would have two nodes running the same code, depending on their view of the network, disagree 18:49:26 thats wht highest hashrate make more sense 18:49:38 imo 18:49:45 Has happened to me a few times, wjen malicious nodes decided to share a bad chain ~ block 1.5million 18:49:51 only new nodes would be affected 18:49:53 Let's go to the next sub-item: 18:49:58 2) The introduction of non POW consensus mechanisms such as but not limited to A) Trusted Execution Environments, B) Proof of Stake Hybrid solutions, C) Other non POW consensus solutions 18:50:07 Rucknium: Actually, it could have helped. 18:50:11 while the attack is ongoing, the network is stalled and there are 2 networks 18:50:17 hopefully new nodes would not have the same economic impact as reorging old nodes 18:50:42 Why should nodes accept consecutive empty blocks, if their mempool is not empty ? 18:50:48 A) nah b) i only like proof of pow c) no comment 18:50:58 If a finality layer is sufficiently quick to achieve finality, even if a malicious miner tries to reorg out honest blocks, they may already be finalized. 18:51:07 stalled? we would have 1 correct and 1 that is ahead for as long as they want to keep the wasted mining 18:51:35 They just have to be the first broadcast block for the finality layer to observe, if it's sufficiently responsive. 18:51:48 I and the miners I work with only like PoW. Absent PoW, we move to other cryptocurrencies. Simple as. 18:51:55 I consider TFL a more robust mechanism than "don't reorganize past 10 blocks" 18:52:00 elongated i had the exact same thought but this is hard to get right as depending on the node local scope 18:52:21 a lot more complicated though 18:52:43 Tbf, this is already technically true for 1-block-deep reorgs. If there's two chains with the same exact height, b/c of the difficulty calculation lag, a node will choose whichever one it saw first, then switch to the chain which has the next block built on top of it, so on and so forth. 18:52:58 also: theres no reason why qubic _has_ to share empty blocks. They can effectively stuff the blocks to the brim and make for an arguable worse attack 18:53:01 What is a Trailing Finality Layer? 18:53:03 i.e. there's no "tie-breaker" rule 18:53:21 Or link me something that you think explains it well. 18:53:24 the complication is worth it imo to avoid potentially prolonged split consensus 18:53:35 Let’s say a node accepts 2 empty blocks, if miner is not clearing mempool (even half of it) the miner is malicious? 18:53:47 With an asynchronous consensus algorithm, like the one I posited, we'd achieve consensus however frequently the environment allows (limited by processing speed, bandwidth, and latency). Because we wouldn't have a hard requirement on any performance, anyone could run a validator over any network (such as Tor). 18:53:53 I'm less concerned about a 1-block reorg since those essentially need to happen in honest scenarios as well 18:54:14 Attacker just switches to mining full blocks of their own txs 18:54:17 We can use an asynchronous consensus algorithm to finalize existing Monero blocks (PoW). This would prevent them from being reorganized off of. 18:54:33 Rucknium: https://electriccoin.co/blog/the-trailing-finality-layer-a-stepping-stone-to-proof-of-stake-in-zcash/ 18:54:50 This would ideally prevent selfish mining and ensure X% of hash rate actually earns an average of X% of blocks, if sufficiently responsive. 18:55:01 More definitely, it stops deep re-orgs. 18:55:07 what is the security benefit of the finality layer over PoS? 18:55:49 It also lets us replace the 10-block lock with a finality-block lock. Outputs can be spent once the block creating them is finalized. This would, ideally, reduce the 10-block lock to just a few seconds (so effectively non-existent). 18:55:58 How is this finality layer secured? 18:56:05 We would need to decide validators, which we'd presumably do via PoS. 18:56:17 Pos ? 18:56:22 I believe a stake-based finality layer as an overlay to the current Nakamoto consensus is the best option, and viable without compromising on any of Monero's principles. I'm categorically against any solutions involving trusted execution environments (Intel SGX, etc.) because of their nature of being trusted, potentially backdoored from day 0, and frequent in-the-wild exploits. 18:56:31 So we are back t POS? 18:56:40 PoS is just proof of stake and can mean many things. Zano's PoS allows someone who stakes to produce a block. Here, PoS entitles one to participate in a live network to finalize blocks. 18:56:43 For security 18:56:49 would they be rewarded for staking? 18:57:13 kayabanerve: why not just switch to PoS ? 18:57:28 using PoS for the finality layer instead of entirely helps maintain more of Monero's PoW values. It's not perfect all around, but it _may_ be the best bang for our buck all around 18:57:37 kayabanerve, that recent paper that you linked to, is it really so attractive as title and abstract seem to suggest? Is that a substantial improvement of "state of the art"? https://eprint.iacr.org/2024/677 18:59:02 fwiw, I am quite worried of a large service (e.g. exchange) effectively halting the finalizations (and in effect, the network). I think that's a real risk that needs to be carefully considered in the TFL design 18:59:04 sgp_: in other words: there is no scientifically sound reason, just nostalgia for PoW 18:59:26 arguably, "fair distribution of new coins" is a reason 18:59:33 The TEE solution I proposed has been withdrawn and I maintain is fundamentally misunderstood by anyone still yelling against it because TEEs are insecure. 18:59:48 spirobel: Nakamoto proof of work is fundamentally more sound, lower complexity and ensures wider participation in block validation over longer spans of time. it's a good ground to build on IMHO. 19:00:25 At the end of the meeting, I want to list specific actions that specific people will take to advance this issue. Keep that in mind. 19:00:54 Spriobel wants to eliminate the emission as well 19:01:14 POS has a fundamental flaw that cannot be solved. What the network cannot determine is whether the person putting up the stake is actually long Monero in this case. 19:01:15 Sure the stalker has put up XMR. But. What prevents the stalker from borrowing XMR and then selling it creating a larger short position in XMR than the stake. 19:01:17 Then the stalker has an incentive to create havoc on the network in order to devalue his debt 19:01:30 Pow+pos is more sensible 19:01:37 But regardless, we can move on. 19:01:38 boog900: I'd propose 20-50% of the emissions. 19:01:39 They will need large number of pos nodes to do that ? 19:01:41 spirobel: PoW as a first pass has some arguments, as it arguably means we have a VDF in our consensus protocol _and_ it reduces the amount of options voted on. 19:01:43 https://github.com/monero-project/research-lab/issues/135#issuecomment-3169589987 19:01:45 rbrunner: That paper was notable for not using PKC. By simplifying out PKC, there schemes resolves as PQ. 19:01:47 Overall, it's quite notable for being direct and clean though. 19:01:49 It is still of cubic communication complexity in one area though, which we'd accept or we could discuss improving with non-PQ cryptography if too slow to evaluate. 19:01:51 Articmine, thats why i only like the idea of staking coinbases 19:01:53 Sorry, my messages have failed to send for the last minute. 19:01:55 Fractional reserve banking is the death of PaoS 19:01:57 "proof of pow" 19:01:59 we established before in this chat that 1gh is 100k per month and the only reason keeping people from performing this attack is that it is illegal and this amount of hashrate is hard to acquire without kyc 19:02:01 articmine does that not _also_ impact PoW? Go short XMR, rent hashrate, 51%.... 19:02:17 The biggest risk of the finality layer is a malicious set of validators can halt the network, and try to double spend at that moment they finalize two different blocks, yep. 19:02:38 Staking coinbase does not prevent going short 19:02:51 I still like the no reorgs past 10 blocks :) 19:02:53 No need to decrease emission for miners 19:02:55 No need to worry about exchanges 19:03:14 boog900: as a blind rule? 19:03:16 boog900: there's no need for that if you make block-winning miners the validators, and *require* them to participate in the finalization process for N blocks afterwards to claim their PoW reward. 19:03:26 What if attacker does 51% starting with that hf ? Only they get coinbase and control pos 19:03:31 yes 19:03:58 We know that CEXs have gone short Monero. POS is a way to bail them out 19:04:05 ArticMine: same goes for CPU hashing power. the difference is that we have to waste money in the current case. lets say you are a whale right now, if you wanted to contribute to the security of the network you would have to sell part of your xmr to mine at a loss. so we currently have negative inflation PoS and call it proof of work. 19:04:16 I'm against staking 'blocks mined' or their coinbases. 19:04:18 now someone with 51% just needs enough blocks 19:04:33 The fundamental issue of PoS are long range attacks (you can buy lots of empty wallets and roll back the chain from the time they had enough funds to stake). Ethereum solves this by "asking a friend which chain is the real one". 19:04:51 I'm against an arbitrary re-org depth. 19:05:00 Not so simple. The Canadian winter is coming 19:05:24 tevador: You'd need the stakes of the ancient _validator set_, not just ancient wallets, assuming the first validator set is trusted. 19:05:29 Then there is excess solar 19:06:01 That's one of the pleasant things about keeping PoW around: it serves a VDF to some degree. If you're initially syncing and see two different chains, they should have vastly different amounts of work. 19:06:15 *first validator set is checkpointed 19:06:49 What is VDF? 19:06:55 its not ideal but none of this is and its simple 19:07:01 sorry I can't see how this train of thought is any different from a regular "short" 19:07:01 Checkpoint = "asking a friend" solution. 19:07:04 I still see no answer to fundamental POS security 19:07:08 kayabanerve: for that they would get slashed, no? 19:07:14 Verifiable Delay Function Rucknium, sorry. 19:07:35 boog900: indeed, it can't protect against 51% attacks. 19:07:38 Yeah this would seem to just further entrench mining pools, especially if they started just creating coinbase outputs out to a single self-owned address, and then splitting from there 19:07:50 thats why going hybrid is needed 19:07:59 chaser @chaser:monero.social: If the active validator set (as needed to double spend) yes. 19:08:17 mining pools have to issue payouts. Cant mine "used" coins 19:08:23 Cant stake* 19:08:25 That is the bear attack on POS. The short is incentivized to cause harm to the network to profit 19:08:35 flip flop: You need to give the username of who you are replying to, especially when the user is on the IRC side. 19:08:41 IRC side can't see which message is being replied to on the Matrix side. 19:08:45 From the short 19:08:48 I personally think the idea of keeping PoW "in charge" at the front, while backstopping it with PoS, is a reasonable sell 19:08:51 hybrid doesn't fix that 19:09:03 The finality layer really looks good. Is there no way to limit the damage of a malicious staker over time ? 19:09:05 Qubit could've shorted Monero before attacking it with PoW though? 19:09:24 slashing 19:09:25 the hybrid just feels like we're adding a new door to exploit 19:09:27 yay design decision we need to solve 19:09:29 boog900: PoW + FL can potentially enable trade-offs regarding long range attacks and historical validator sets. 19:09:43 ArticMine: you always end up with proof of stake no matter what. with proof of work you just need to jump through additional hoops that are unnecessary. from a pragmatic perspective the cost of attack would be an order of magnitude higher if monero was proof of stake. no way you can hedge this with shorts on kyc exchanges 19:09:58 We're replacing the PoW 51% attack risk with the issues of PoS. 19:10:07 (if we add a FL) 19:10:14 Adding layers and complexity does not hide the fundamental flaw in POS 19:10:24 kayabanerve: I'd be interested to hear your reasons 19:10:30 Yeah I guess it depends on how long you can delay payouts / what % fee you take 19:10:31 buying cpus or asics + wasting money on electricity is a form of stake 19:10:33 kayabanerve: why no fixed max reorg depth? 19:10:49 Isn't the existence of shorts fundamentally an incentive to on purposely damage something? 19:11:05 spirobel if you really feel like you need to shill pure PoS, try make that feeling go away. 19:11:22 Fixed reorg depth leads to permanent chain splits. 19:11:24 you're unhelpful at spamming Articmine your point over and over 19:11:31 jeffro256: what do you mean by "splitting from there?" 19:11:36 tevador: agree 19:11:39 stake is permanent. if qubic had acquired enuf to perform a 51% on PoS.... then what? 19:11:42 chaser @chaser:monero.social: Either the window is short, and a 51% attack enables compromising the PoS layer too, or the window is long, and miners have to stick around for a year. 19:11:46 spirobel: IMHO, your zero-inflation proposal for PoS collides with the collective action problem, at least for small stakers: If my validation is a drop in the bucket, why bother? It's more costly to me to validate than the small benefit I am getting to secure the chain. Or public goods problem, whatever term you prefer. 19:11:49 ArticMine: pow is an added layer of complexity to proof of stake. it just means you need to buy cpus and send a check to your utility company to proof your stake in the network 19:12:09 boog900: Assumes a synchronous network and enables getting nodes stuck on alt-chains when syncing. 19:12:12 A failing exchange could easily do this . MtGox staking Bitct? 19:12:14 Respondind to ArticMine: To borrow such a large amount of the supply of a multi billion dollar coin you will still need more resources in the form of collateral than what it costs to rent CPUs 19:12:15 Both PoW and PoS fall to actors with unlimited resources, it just takes way more with PoS 19:12:31 Bitcoin 19:12:37 gingeropolous: Social slash. 19:12:51 same problem currently with pow rucknium. pow is just a different colored version of proof of stake with added inefficiency and hoops 19:12:55 chaser: a mining pool normally pays out directly in the coinbase tx b/c of lower bytesize, but if we were to switch to only being able to stake coinbase outputs, a pool could pay out to itself, stake that output, and then when done, pay out in a regular tx 19:12:57 pls explain to me like ive never really dug into PoS fixits 19:13:00 If the PoS layer fails, the Monero community deploys a hard fork to choose a chain and invalidate the malicious stake. 19:13:09 jesus monkeybut 19:13:14 same with reorg? 19:13:15 I said somewhere else "pow pools may run "staking pools" where they stake your coins and pay extra if you dont withdraw them", but thats, imo, better (and less static) than exchanges running staking pools with people's "long term savings" 19:13:28 max reorg depth^ 19:13:41 Any dishonest CEX can borrow XMR at no cost 19:13:58 PoS halts on such a catastrophe. PoW will re-org. A re-org depth limit won't re-org but also won't halt at all. 19:14:21 Mining pool dont usually pay out in the coinbase, only p2pool does that 19:14:28 Unless you say any 10-block alt chain causes a halt. Then I can go halt every node right now. Give me a week. 19:14:58 Btw, have we considered renting some hashrate tomorrow? When qubic comes back to try again. Not sure if that's an ethical use of the general fund. 19:15:05 Artic, like tradeogre staking zano deposits 19:15:18 kayabanerve: a finality layer can't stop a 51% attack anyway, so... regarding window length, I'm sure we can come up with a reasonable middle-ground between 10 blocks and 1 year. 19:15:31 To artictime: If a CEX adquires 51% of XMR supply, they have vastly exceeded the budget needed to attack using PoW 19:15:48 ... a finality layer explicitly stops a 51% attack? 19:15:49 51% of what is currently staking 19:15:51 (as in, deep re-orgs) 19:15:55 the chance of a non malicious 10 block reorg is incredibly small 19:15:59 No, they dont jeed a budget to have 51% of the _staked_ xmr 19:16:05 They just need deposits 19:16:26 There are too many ongoing conversations for me to properly participate in. 19:16:28 boog900 you can't limit the reorg depth, otherwise an attacker can cause a permanent chain split. 19:16:32 @gonabat 19:16:56 best you can do is selfish mine 9 blocks send them out and hope to split the network on the next block 19:17:14 rucknium you can look in the other channels people are willing to rent aws servers to protect monero with rented hashrate. there is so much belief and power in this community that people are going out of their way to incur costs to protect the network. it is a pos system where you lose money if you stake and people still do it 19:17:31 yeah, what is the current topic of discussion? 19:17:50 chaser @chaser:monero.social: A finality layer stops deep re-orgs for as long as it stands. 19:17:51 gingeropolous: You're right a PoS finality layer could be captured. We'd generally assume that won't happen, as we assumed it for PoW, but now are revisiting. 19:17:53 boog900: You can't halt on a 10-block re-org though. You have to halt on any 10-block alt chain existing because you don't know which side you're on (the malicious one or the honest one). 19:17:55 **Topic is: The introduction of non POW consensus mechanisms such as but not limited to A) Trusted Execution Environments, B) Proof of Stake Hybrid solutions, C) Other non POW consensus solutions ** 19:18:13 boog900: You're assuming a synchronous network. 19:18:16 I wasn't calling for a halt fwiw 19:18:25 another benefit of having validators with stake is that we can use this to prevent ecllipse attacks of nodes 19:18:42 But that was my original point. A finality layer failure causes a halt. A PoW failure doesn't. 19:18:47 Other non POW consensus solutions? What if the finality layer was based on Proof of Space \/s 19:18:49 @tevador it will he hard to rent hashrate using xmr during a 51%. We have some btc though? 19:19:24 ofrnxmr: I was looking at that BTC, too :D. miningrigrentals takes BTC. 19:19:40 To ofrnxmr: What's harder/more expensive? An exchange custoding 51% of staked XMR or an entity adquiring 51% of pow. I think that's the key. 19:19:41 I'm inclined to believe the prior is less likely 19:19:47 I believe I would like to draft a CCS to write a book going over the design questions for a finality layer, potential options, and my recommendations. I believe this presentation will be informative and while it won't answer if we should have a finality layer, may clarify what one is and the trade offs present. 19:20:00 Especially if staking promotes self custody, can be done 19:20:08 @gonbat the latter. The former costs nothing 19:20:16 Would people here be receptive to such a CCS to create such documentation and provide a recommendation for IF we were to adopt a finality layer? 19:20:21 was there any merit in what i posted on the github thing 19:20:37 i dunno if that qualified as non-PoW, or if i should wait for a PoW based thing 19:20:40 This is my attempt to establish a proper conversation topic on the overwhelming flood of messages regarding the concept of a finality layer. 19:20:42 jokes on you I can't read 19:20:44 I'd +1 the research 19:20:56 gingeropolous: Can you clarify? 19:21:26 It would cost around 0.04 BTC for 100 MH/s for 24 hours. Part of the cost would be recouped with mined XMR. 19:21:33 the idea was that mining a block gives you a "credit" to add a block to the chain in the future, in some rolling window. 19:21:48 kayabanerve: Currently looks to me as the least unreasonable proposal on the table, so to say. I think it should get elaborated. 19:21:59 > chaser @chaser:monero.social: Either the window is short, and a 51% attack enables compromising the PoS layer too, or the window is long, and miners have to stick around for a year. 19:22:08 basically, creating some kind of "past work means you do good work". 19:22:18 was my comment here on that idea, which I even mentioned in my GH issues when first posted. 19:22:38 I believe we would need to address the underlying security of the proposed POS firts 19:23:20 ArticMine: If you believe PoS never has anything at stake (but PoW does), I'm unsure how you want us to address that other than by agreeing with you. 19:23:22 @gonbat kucoin and kraken probably hold more xmr in reserves than any other entity. Kucoin has (likelt falsly) claimed to have 9million xmr. This costs them negative amounts, as they are paid when a user uses their service. They pay nothing. Example: tradeogre was / is staking zano. They dont pay _anything_ for this stake 19:23:45 ... or by renaming PoS to Proof of Coin so it's not about if anything is at stake, but just about a decentralized way to select people to issue finality. 19:23:47 Focusing on the top layer does not address the base POS layer issues 19:23:51 @gonbat.zano: ArticMine ofrnxmr CEX only have paper monero those are excluded from staking. serious note: it makes no sense for an exchange to do a 51% attack and there is no CEX that holds that much XMR. so they would have to buy it 19:24:17 I will support such a CCS, both in spirit and with my donation 19:24:31 the threshold is lower than 51% afaik 19:24:35 for pos 19:25:07 34% is the academic bound for consensus in any asynchronous network. 19:25:51 I think it's conceivable that an exchange could have 34% of staked coins 19:25:55 In an asynchronous network, Monero only requires one malicious node by the way. 19:26:11 To ofrnxmr: if it's confirmed that over 51% of XMR Is custodied then I'd stay away from PoS 19:26:13 however if that's not yet the case, PoS can be used to incentivize self custody, by disallowing delegations 19:26:15 sgp_: true. still the practical cost of attack is orders of magnitude higher than a 51% attack against a pow network 19:26:34 I'll reiterate the potential to social slash. 19:26:36 Access to capital isn't precisely the same as cost 19:27:05 The community can always issue a HF invalidating all staked coins if the shakers misbehave, even if they do so in a way so catastrophic, it halts the current chain. 19:27:10 so social slash just means that a bunch of people decide that the bad actors blocks shouldn't be included 19:27:26 so we could just get all the existing pools to make an agreement to mine on each others blocks and we'd have a similar thing 19:27:45 No. If the finality layer is co-opted, we can issue a hard fork resetting it, burning all staked coins. 19:27:48 [@gonbatfire:monero.social](https://matrix.to/#/@gonbatfire:monero.social) : its not 51% of xmr, but 51% of the staked xmr. Kucoins 9-10million is clearly fake. 19:28:06 hmmm... the we 19:28:08 WE 19:28:23 thats why its good that monero is anti custody. it will be much secure than other coins that are held in large percentages by exchanges (that still are unlikely to commit extremely self damaging crimes all at the same time ) 19:29:00 We, the Monero community. 19:29:27 To ofrnxmr: then that would be a matter of getting everyone to stake, much easier/meaningful than getting everyone to mine 19:29:36 sounds permissioned and centralized to me, but that could be just me 19:29:55 Brother luigi decide when to release 19:30:09 I think this is already centralized enough 19:30:10 there's also a _risk_ that networks like Serai/Thorchain/whatever get strong acceptance _and_ are programmed to stake 19:30:17 And open for coopting / infilatration at the community level( see bitcoin) 19:30:21 codes not the network bro 19:30:29 It's about as permissioned as us deciding to do a HF banning Qubic from mining (if we could) and then getting the community to download and run the new release. 19:31:07 I wouldn't like that 19:31:55 I'm noting a social slash would be the same complexity and process. 19:32:10 permanent solutions to temporary problems. Look, if the chain was unusable and everything was falling apart then sure, maybe. 19:32:20 qubic, and anyone, should be allowed to mine. But the network should protect against "breaking" itself, whether intentionally or unintentionally. 19:32:21 we got a 6 block re-org 19:32:32 Yes specifically banning Qubic is the same. Who is proposing this 19:33:00 I cannot support this finality layer 19:33:06 7* :) 19:33:16 stonks 19:33:23 an immediate band-aid for deep-reorgs would be raising the cost to mine a block, ie. lower the block frequency? 19:33:53 To gingeropolous: Qubic can go away tomorrow, there's still the long time issue of only needing 100k to attack for a month, security budget needs to raise, and price alone won't cut it 19:33:59 that would make it easier to remove more PoW? 19:34:01 kayabanerveI in a trailing finality layer as you propose it, what would happen if a malicious pool attempts a reorg that's deeper than the trailing span? 19:34:36 It wouldn't be acknowledged. Nodes would always follow a blockchain descending from the last finalization. 19:35:21 this would make it more difficult to reorg, no? - changing to 4 minute blocktimes causing a dbling of the difficulty. (Also increases size of p2pool payouts, and blocks(?)) 19:35:22 aight, lemme try and summarize my idea again. There's a rolling window. When you mine a block, a new protocol decreases the friction for you to add a block in the future. The more friction you have (by being a new miner) means that nodes question whether to add your 7 blocks to the chain tip. The less friction you have, means that your future block will be added to chain tip without question 19:35:49 obvi difficult to implement during an attack. 19:36:06 That would seem to encourage centralizing to just a few pools, if not one or two? 19:36:08 kayabanerve: in that case, how would a node syncing from genesis decide between two conflicting chains? 19:36:09 so you would add mining state into blocks? 19:36:20 I would have assumed reorging 2 blocks at half the difficulty would've been harder than 1, but I could be wrong 19:36:28 no, normal miners could still have decreased friction. 19:36:32 chaser @chaser:monero.social: There should never be two distinct finalized chains. 19:36:49 gingeropolous: does this not encourage consolidation around a single pool? I don't follow 19:36:56 That's either a catastrophic error, or we could adopt a synchronous tiebreaker based on most work exclusively for initial block downloading. 19:37:50 i support the finality layer idea, also because staked validators can help with the eclipse / spam attack on nodes. 19:37:51 So your a solo miner. You mine a block. You have high friction because you don't mine blocks that often. Your block makes it to another node. They have to choose whether to add your block. Your single block has high friction, but its a single block. 19:37:58 venture: no. If we increase the block time, the *amount of time* that a reorg spans is the same, just a fewer number of blocks. It has no effect on security or really UX, except now that the block time is higher. It may result in a lower block propogation time to block time ratio, which increases stability, but that really isn't a huge issue in the context of this discussion 19:38:28 Now say you are an attacker. You mine 6 blocks. You have high friction because you don't mine that often. This 6 block thing comes to a node. The node goes "hey, you have high friction. I don't think I should add these blocks" 19:38:33 boog900: current successful re-orgs with less than 51% happen only by luck over time, Ruckniums meta attack. that would be mitigated somewhat if the difficulty for a block was doubled (ie, 4-min blocks) 19:38:41 @ginger, isnt this backwards? Amd is pro-pool, anti solominer? 19:38:52 Have we thought about working on making propagation faster for all blocks 19:38:54 if the attacker only sent 1 block, then yeah, the node may consider adding it 19:38:58 1 year block times here we go /s 19:39:02 gingeropolous: this is more or less uncle blocks, yeah? 19:39:25 This seems to optimize mining around low friction nodes which will be frequent miners, AKA large pools, and would simultaneously eliminate p2pool which can't identify itself as a pool in its current form. 19:39:45 (or at least, never let it get to a lower friction state) 19:39:56 Are there any other non POW proposals under consideration? 19:39:58 it depends on how large the window is 19:40:14 and the main thing is to prevent selfish mining 19:40:17 has anyone looked into Stellar's Proof of Agreement? 19:40:20 I would have thought more blocks lowers the part luck plays 19:40:38 there's no reason a 6 block re-org from the same miner should come to a node and the node go "yup this is obviously better than what i have" 19:40:39 I think the main way we can prevent selfish mining is taking a page from Bitcoin book from 2015 with what they did with FIBRE 19:40:50 and selfish mining is the mechanism of double spend 51% attacks blah blah 19:40:55 yes 19:40:59 Non-BFT PoS and using Ethereum for finality would be the other non-PoW non-FL discussions. 19:41:23 (Or using BTC) 19:41:26 boog900: seemingly, but re-orgs "roll-back" in time, and the odds of finding a block is higher with more frequent blocks. 19:41:27 I'll also redrop the Proof of Space which is way harder to rent 19:41:32 I would not want to depend on another network 19:41:45 I don't think we should depend on other chains 19:41:53 i mean i'd prefer merge mining with BTC over anything else. Easy enough to fork away from if BTC gets compromized 19:42:11 I know kayaba rescinded TEE due to it not helping with the 51% PoW attack, but TEE is one option to keep in mind due to it potentially being useful at mitigating individual tx censorship. I only mention this for completeness, I'm not actually _for_ TEE at this stage 19:42:13 SyntheticBird: PoS is still _a_ PoW. 19:42:18 tell me more... 19:42:20 "if btc gets compromised" welcome to 2017? 19:42:31 A lot of problems seems easy to eliminate through forking unsurprisingly 19:42:33 well i'll run my idea through my simulator and see how solo miners do 19:42:35 but the odds of finding more blocks with the same PoW as one big one with luck would be smaller 19:42:38 I rescinded it because it doesn't really help with anything sgp_: 19:42:43 P2Pool are already able to take one block into a single network packet and sends it to many peers at once, with packet sizes less than 1 KiB. but this is just in the p2pool software, is there anyway this can be implement for all nodes so that non-p2pool pools get the same ability 19:42:51 very true, the second point stand tho. cpu is easier to rent than storage 19:42:57 Bitcoin was compromised by Blockstream a while ago 19:43:08 I'm not shilling it btw, just notating it here 19:43:10 It fails during a 51% attack and doesn't solve anything not already 'solved' when there isn't a 51% attack. 19:43:11 The Intel ME is a TEE. A rather controversial one 19:43:14 sgp_: i 100% agree with ArticMine when it comes to TEE. tee is just horrific and we should not entertain this 19:43:45 > The TEE solution I proposed has been withdrawn and I maintain is fundamentally misunderstood by anyone still yelling against it because TEEs are insecure. 19:43:53 It's fun how I said this almost an hour ago. 19:43:58 lol 19:44:00 I was gonna quote it 19:44:15 hey. I'm not pretending to understand it 19:44:28 I brought it back, I thought it could still help with anti censorship. I'll sync on this later and we can drop further discussion here 19:44:59 I aim to not break any meeting length records again, so I would like to have the "main part" of the discussion end in 15 minutes. Of course, discussion can continue in this room and #monero-research-lounge:monero.social . At the end, I want specific people to commit to specific steps to advance this R&D agenda. 19:45:12 The only actionable item here that I see is one of two: 19:45:13 - Attempt rough consensus on a fee policy 19:45:15 - Attempt rough consensus on if my CCS would be received or immediately declined as work on a path we haven't agreed to take, even though my CCS would be to write how that path would look 19:45:45 can you point me to a description? 19:45:47 I don't believe we'll agree to any hard forks today, and I'm unsure there's any other relay rules we can discuss today. 19:45:49 I'm personally interested into having your CCS completed before discussing it 19:45:51 (or if anyone else wants to help with TFL research) 19:46:27 Pumping up the fee can help with miner profitability, does anyone know the average amt a block receives in fees? 19:46:37 I would like to not spend a few hours drafting a CCS to explore, explain, and recommend a FL unless that would potentially be accepted depending on if the proposal itself is fair. 19:46:52 (I don't charge millions of dollars) 19:47:12 How about the proposals from trevador and Sech1 that have effectively been sidelined? 19:47:17 flip flop @antilt:we2.ee: The first would be as in Zano, the second would be exactly what it says. 19:47:27 can someone link sech1 proposal? 19:47:39 Those require hard forks. I don't believe we'll agree on a hard fork today. 19:47:45 im all for tevador one but as rbrunner said it will take time to implement 19:47:52 SyntheticBird: Miners sign their blocks and get a minimum percent of the reward. 19:48:18 I personally don't support a fee change in the short term because it does not help with the short-term problem. In the medium or long term, fee policy changes could be a good idea, especially if it were linked to PoW difficulty as an oracle for the purchasing power of 1 XMR. 19:48:20 Is that to prevent the hidden mining tactic pubic tried doing? 19:48:39 I think we should have another one that rips the band aid off completely. no inflation PoS 19:48:39 - 10 block reorg limit. Doesnt require hf, can be opt-in. 19:48:41 - sanity check on block contents. Not accepting lower quality blocks that arrive later than higher quality ones 19:48:43 - potential block frequency change 19:49:12 Also, no one has to listen to me as I try to co-opt Rucknium's position of chair. I'm only trying to steer to what could happen today because: 19:49:13 1) I explicitly have self-interest 19:49:15 2) I figure we'll continue discussions this next week and only need the meeting for summaries, reasonable clarification (< 2 hours of it), and rough consensus 19:49:26 I'm sorry but an opt-in 10 block reog limit is literally you opting in to run on a different network than everyone else if anything goes wrong 19:49:27 Soiled: No, it's to reduce pool mining. 19:49:49 Gotcha 19:49:51 ofrnxmr: The first assumes a synchronous network. The second keeps miners on worse block chains when being attacked. 19:49:53 Blame bch. Theirs is entirely modifiable with a runtime flag 😅 19:50:01 BCH good 19:50:03 and not is opting to run on a chain which could have a load of txs removed by an attacker? 19:50:24 Instead of miners immediately jumping to a longer chain to best purpose their work, they'd continue on a worst chain by choice 🤮 19:50:41 We literally have cjeckpoints rhat do this already 19:51:00 Dns checkpoints can force those who opt-in onto a core-decided chain 19:51:08 It makes selfish mining easier as now, even when you do finally publish, you don't have competition. 19:51:14 yeah if someone reorgs beyond checkpoints we would have multiple chains right now 19:51:19 Peopke running 18.3.4 can reorg deeper rhan 18.4.1 19:51:54 We can move to a single checkpoint of the last PoW-only block if we adopt a finality layer /s 19:52:01 We can add rules that prioritizes chains that were published for longer 19:52:39 ... that literally just wastes honest hash power 19:52:50 option Z: monero devs run the finality layer exclusively with frequent DNS checkpoints #centralization 19:52:52 a 9 block alt chain should not be mined on if a 9th block comes from the previous main chain 19:52:53 It has honest hash power waste time on a worse chain, before they actually mine a candidate chain 19:53:05 - sanity check on block contents. Not accepting lower quality blocks that arrive later than higher quality ones 19:53:07 Boog, thats similar to this 19:53:20 For chains of equal work, I believe nodes already prefer the first seen? No? 19:53:42 i mean, thats why the DNS checkpoint system was created, for defense etc, afaik 19:53:44 Sgp: isnt that why the dns-checkpoints flag was created 19:54:07 kayabanerve: Yes 19:54:18 split network > 1000 block reorg 19:54:20 So your proposal boog900 would only help for chains of more work and less time seen vs less work and more time seen, which is why it wastes honest hash 19:54:21 First seen, but they will reorg to longest chain, even ia longest is selfish 19:54:33 temp split network* 19:54:36 Are there any more items on the agenda? 19:54:50 It also allows taking advantage of network conditions to make a second-seen chain less preferred, even if first broadcast 19:54:51 possibility of* 19:55:05 There are no more items on the agenda 19:55:12 ArticMine: My attempts for rough consensus on two items I thought we may be able to, and more running in circles. 19:55:30 Has anyone considered faster block propagation 19:55:38 Or none per the official agenda :p 19:55:39 Sir it's been 7 months, can i sleep now? 19:55:55 this was part of the 10 block max reorg FWIW 19:56:08 it would only be for blocks close to the boundary 19:56:23 to try mitigate the risks of a chain split 19:56:39 That assumes a synchronous network :/// 19:56:52 a small price to pay 19:57:07 Considering synchronous networks don't exist IRL? 19:57:18 They're solely ideal models of computers? 19:57:22 I disagree. 19:57:34 We should move to a solution which works in asynchronicity. 19:57:48 as long as their is not someone constantly wasting an immense amount of hashes keeping the bad chain it'll resolve it self eventually 19:58:29 if not a simple update to the built in checkpoints will kill it 19:58:31 The fact sticky chains wastes any hash power of honest miners presumably decreases honest miner profitability. 19:59:18 we have never had a 8 to 9 block reorg so it would be very small 19:59:21 And re: a max re-org depth, no, the difficulty on the alt will trend to 0 and be infinitely cheap to keep alive indefinitely. 19:59:49 Not really when an adversary is already so large and doing all of these attacks? 19:59:52 it would have less PoW eventually? 19:59:57 It'd tip in their favor further. 20:00:28 But with a max re-org depth, they won't re-org back to the chain with the most work boog900: 20:01:05 boog900: Guaranteed network splits at 10 blocks would certainly increase the incentive for an attacker to go for a 10-block reorg 20:01:09 I will no longer be present here in the remnants of the meeting but solely popping in occasionally. Bye y'all. 20:01:45 I just don't see these highly controversial solutions where there is clearly little consensus as an option. 20:01:45 1) TEEs . Thankfully this has been withdrawn 20:01:47 2) 2 POS hybrid solutions. 20:01:49 The harm in my view is that the above are distracting the community from even considering way less disruptive proposals, that are way less controversial. 20:01:51 good night 20:02:24 ArticMine, this is the non-PoW section 20:02:27 we are deemed to discuss controversial changes 20:02:31 hybrid solutions are more forward looking imho 20:02:33 I don't see a lot of support for immediate relay-rule fee changes. kayabanerve has a proposal on the table for him to draft a CCS on Trailing Finality Layer research (the proposal would be subject to all the normal discussion and vetting as any other CCS, if proposed). What does everyone think of the proposal to write a CCS proposal? 20:02:43 true, but you would need to publish at the exact right time and also have those blocks ready and mined 20:03:04 +1 of research proposal. I dont see any problem with looking into it 20:03:16 also this is why I mentioned prioritizing the chain that got reorged? 20:03:30 maybe if you got reorged at 9 blocks the limit is dropped? 20:03:53 are there estimation of the hashrate of the attack? 20:03:53 we can roughly calculate how much hashrate coming by observing staled (orphaned) blocks 20:03:59 https://static.learnmeabitcoin.com/technical/blockchain/51-attack/equation-success.png 20:04:04 Good day 20:04:07 ArticMine: the pow game has been plaid out. its either asics, gpus or cpus. I personally think the endgame for private digital cash is zero inflation pos with 1-10 second finality. (default path sub 2 second finality) 20:04:13 ArticMine: how much do you think Monero security budget needs to increase? 2x, 10x? 20:04:15 The latter only happens with drastic approaches 20:04:33 for the reorged chain only* 20:04:33 I will search the research literature for ways to harden PoW consensus. I will also try to get a basic understanding of Trailing Finality Layer and the research on Proof-of-Stake failure modes. I haven't looked into PoS much because PoW-only was taken for granted. 20:05:06 I think Zcash's resources are a good starting point for TFL research 20:05:24 I'm heading out. Good meeting, y'all, thanks to everybody who participated. 20:05:51 https://electriccoin.co/blog/the-trailing-finality-layer-a-stepping-stone-to-proof-of-stake-in-zcash/ 20:06:09 Rucknium: Kayaba said they'll write the proposal only if there's a good chance of it being accepted so it's not in vain. can anyone here give such a guarantee? I personally see the mentioned exploratory work as useful and support the effort. 20:07:09 One Weird Trick to Stop Selfish Miners > https://eprint.iacr.org/2014/007.pdf 20:07:10 We can end the meeting here. Thanks everyone. 20:07:23 Thanks 20:07:28 Thank you Rucknium for breaking this up and focusing the discussion! 20:07:30 I more meant if MRL is cool with it chaser @chaser:monero.social: 20:07:30 Have a good one yall 20:07:35 Thanks, good night. 20:07:37 Feel free to continue discussing here or in #monero-research-lounge:monero.social 20:07:47 Because Monero Community will want MRL to sign off 20:08:22 So I wanted to ask if MRL may even sign off, and not ouright refuse it because we aren't currently working on a FL, and it sounds like yes 20:09:00 Rucknium: also look into how much the security budget and cost of attack is in PoW vs PoS that would be helpful in having an informed discussion and if a hybrid would ever make sense from an economic point of view 20:09:17 kayabanerve: got it. several people said yes here, none against 20:09:54 Shower thought on the 10 block lock (I haven't thought it through that thoroughly): it might incentivize pools to only publish their combined blocks in 10-block batches (?) 20:10:30 *10 block reorg limit 20:10:34 it's optional to follow it. it's more of a suggestion. and if you dont agree to --enforce-dns-checkpointing then you will naturally still follow the normal longest chain rules afaik. so this would cause some serious network splits unless the enforce flag was default. 20:11:26 HardenedSteel: I tried using the method of Ozisik, Bissias, & Levine (2017) "Estimation of Miner Hash Rates and Consensus on Blockchains" https://arxiv.org/abs/1707.00082 20:11:27 but I don't get the iterative algorithm to converge. I will try again sometime. 20:11:39 kayabanerve: i dont think a hybrid pow pos system makes sense, but I still support your proposal because it moves the discussion forward. 20:12:37 can you look up on that: https://learnmeabitcoin.com/technical/blockchain/51-attack/ 20:12:45 https://matrix.monero.social/_matrix/media/v1/download/monero.social/hZYSyVFKoYEDsvMZfzAASiqM 20:12:57 spirobel: Ok. That is a lot to do in a week (with everything else), but I can get to it eventually. 20:13:10 there's also ruby code calculate 20:14:21 given time span, the attacker roughly has ~20% hashrate 20:14:31 its the first question you have to ask rucknium. because if the conclusion is that pow is vastly less secure more expensive than pos: why bother with pow and hybrid systems? 20:15:38 I think the case has already been made that with side-payments, cost to attack PoS can be the cost of paying an interest rate. 20:15:48 But I will have to look into the research! 20:15:54 the state of the art on consensus systems currently is between alpenglow and Mysticeti 20:16:18 everything else is a sideshow of obscure low market cap stuff or highly theoretical 20:17:05 HardenedSteel: Thanks. I just skimmed it. I think mine is better :D https://github.com/monero-project/research-lab/issues/102#issuecomment-2402750881 20:18:04 I think they are using the original Satoshi formula, which had a small error. 20:18:26 What users are the official devs? 20:18:31 > Here's the equation from the Bitcoin Whitepaper (Section 11): 20:18:58 Current Pure PoS impmementation like ETH have very centralized ways to avoid long range attacks, it's why Zano sticks to hybrid even though we believe PoS is superior 20:20:43 the issue with zano is that its a very small community so its centralized in any case. 20:21:15 let's move to lounge 20:21:19 the game is between ETH, solana and (in theory) sui 20:21:23 ok 21:25:19 Hi all! I've been OOTL recently, but does anyone have an analysis estimating the Qubic control percentage, based on probability of replacing the top X blocks? I would be very interested in comparing anyone's analysis, thanks 21:53:46 read a bit little above 21:55:26 read little bit above