00:40:15 I am 314stache_nathy from Reddit, I have deleted my account in Reddit and Matrix (an foid
00:40:40 I am 314stache_nathy from Reddit, I have deleted my account in Reddit and Matrix.
00:41:14 I deleted from Reddit to use more decentralized platforms (and my old account here had problems).
00:42:24 Nice to meet you again guys :)
01:26:53 vtnerd: It's up to us, but for a finality layer:
01:26:55 - We can have staking outputs be transparent
01:26:57 - We can have staking outputs be private
01:26:59 If private, we need to eventually decrypt the _sum_ of stake. This isn't an issue. What's notable is decryption of not just the sum, but every individual staking output, would be possible by:
01:27:01 - A malicious 67%
01:27:03 - A quantum computer
01:27:05 We can avoid this by adding one more layer to the system.
01:27:07 - The user creates a timelocked output to stake
01:27:09 - The user creates a stake transaction which:
01:27:11 1) Proves the existence of a staking output
01:27:13 2) Proves it encrypts the correct amount
01:27:17 Ugh, my formatting just got butchered.
01:27:43 If we are unlinkable to the outputs, slashing becomes more difficult. It's possible?
01:28:48 kayabanerve: Did you check the recent work in PoPETs about private Monero reserve proofs? Maybe something could be useful in there.
01:29:01 Validators, to vote, would have to say 'I own some output for X' (again, not linked to the output under FCMP++ methodology except via a key image). We could assign dedicated key images for staking, allow slashing staking key images, and then as we prove the key image wasn't prior used, we would prove the staking key image wasn't slashed?
01:30:18 But requiring publishing the staking key image would be linkable from on-chain outputs to validators. We'd have to handle the 'staking key image' inside the FCMP and not actually publish the 'staking key image'. Probably a _sparse_ merkle tree?
01:32:19 TL;DR We can get effectively full unlinkability from staking to actual Monero outputs _and_ maintain slashing with more and more technical designs. All descend from the FCMP methodology, and all would be feasible, but would require:
01:32:19 - An extra TX type to add a forward-secret degree of separation between the output and the stake declaration
01:32:21 - A non-trivially slower FCMP (4x?)
01:32:23 https://moneroresearch.info/266 Thakore, V., & Vijayakumaran, S. (2025). MProve-Nova: A Privacy-Preserving Proof of Reserves Protocol for Monero, Proceedings on Privacy Enhancing Technologies, 2025(2), 582–606.
01:32:43 Is it technically possible to know (as a miner software) if I'm taking part to an attack from my pool on the network? and if so adding an option on the mining software to switch to another pool if such attack is detected. This prevents those who invest in monero from hurting the trust in the token
01:32:48 (This is in response to a tweet from vtnerd, which I responded there and here as well as I'd prefer to discuss it here)
01:33:07 Rucknium: I'd have to look for the exact techniques but possibly :)
01:33:51 Pedro Da Fonseca: This is a good question to bring to the #monero room. The short answer is use p2pool.
01:35:04 Thakore & Vijayakumaran (2025), linked above, have their own technique and the literature review could be helpful. It applies to RingCT outputs now AFAIK.
01:36:09 I've outlined a few chapters of my proposed book to discuss ways the L1 can declare staking outputs, and the tradeoffs it causes :)
01:40:27 Ok but it could also be a defense mechanism, if the most part use this option, even if they're on qubic for profitability each time they try to become a bad actor they're fucked and can't know in advance by how much
01:43:16 Only works if they use the mining software from monero when linked to qubic don't know if it's the case
05:51:11 this has privacy implications though.
Assuming the stake is a large percentage of the monero supply, knowing the amount staked (and how it changes) helps with correlating large amounts of capital that move in and out of monero.
06:11:34 I was responding specifically to being able to link it to outputs.
06:11:57 If you see a notable amount of Monero leave the staking pool, and a similar notable amount hit your exchange, then obvious guesses are obvious.
06:19:37 if you consider the extreme case where almost all of the monero is staked, then it is easy to correlate when somebody swaps in and then out again. For large movements of capital this still applies even at realistic percentages of total market cap staked. thought you agreed to this here https://github.com/serai-dex/serai/issues/333#issuecomment-3191481625 but just realized when rereading that you only agreed to low amount of stake per validator. I would argue even low amount of stake for the total network is desirable. Would you agree?
06:35:37 Sorry, I did misunderstand you there. I called for an accessible stake for decentralization.
06:36:27 Considering the amount of stake is only publicly revealed as a weekly difference, I'm unsure how impactful that is for small entries/exits into the staking pool.
06:37:11 By assigning everyone one stake, and having someone who stakes five times still appear as five distinct validators, it also wouldn't be feasible to determine if one large amount of stake dropped off or a lot of small entries.
06:37:26 I'll agree there's theoretical concerns regarding the privacy pool
06:42:43 I don't think those are theoretical. One of the main benefits of Monero over something like tornado cash is that you can go in with size.
07:36:17 Monero users don't have to stake if they don't want exposure to these considerations.
07:48:22 I once understood that what was being considered was to only stake coinbase outputs, is that no longer the case?
Because in the case of coinbase outputs there is direct linkability with the mining address in the case of p2pool. And in order to maximize the number of coinbase outputs one detains, the use of p2pool imposes itself, right?
07:53:12 This was ofrnxmr's idea
07:53:59 and it isn't considered at the moment because of mining window and hashrate need to stake enough coinbase
07:54:16 so it will either take 2 weeks for big pools, or 2 years for other
07:54:54 at least that's what i remember
08:05:42 Thanks for the precision, that's too bad it's not seriously considered, this would retain the ethos of Monero way more than if a staker can simply buy its stake :-(
08:45:00 An issue here is false accusations by blockchain surveillance companies that, while mathematically unsound, could still be accepted by a court of law especially at first instance.
08:46:56 Blockchain surveillance is based upon the sale of guesses to governments and law enforcement.
08:47:59 It is for front deterministic
08:48:14 From
08:50:23 The fact that judges understand nothing to cryptography or mathematics yet have to decide on the life of someone else over it. Explaining them why they are false sounds like insolence doubled by an impression of arguing semantics to them. No shit they prefer to rely le and blockchain surveillance claims. It's always about assurance, not doing the right thing
09:00:27 The issue is that the Court can accept an argument that can be mathematically valid for a certain case and extrapolate it to situations where there is little or no mathematical validity.
09:00:27 This is what happened in the case in US Federal Court that I was presented at last year. I am not saying that this will be upheld by the higher courts, but even if it is overturned on appeal a lot of harm can be done to an innocent person.
09:00:29 If blockchain surveillance can work for large amounts, then innocent people with small amounts can and will be falsely accused.
09:03:13 I was working for the defense in the case.
09:48:31 1. this affects non staked users as well. 2. it is not only about evidence considered in court. Even heuristics that help narrow a case are to be avoided. Amount staked + changes in amount staked are a piece of information that narrows the possibilities when trying to correlate amounts flowing in and out of Monero. 3. The burden of proof is on the proposal for a high percentage of total MC staked. Solana halted and had to be restarted by a bunch of people in a discord channel. Ethereum halted as well. Even over 60% in the case of sol and around 30% in the case of eth was not enough to prevent a shutdown. A higher percentage staked does not seem to correlate with higher security in terms of liveness. https://github.com/serai-dex/serai/issues/333#issuecomment-3194677441 pointed out in this comment how we can compare PoW PoS and hybrid PoW-PoS solutions. If someone has a better idea how to reason about the relative security please go ahead.
09:54:41 hbs: staking from coinbases would also introduce needless fungibility issues. It creates a situation similar to ordinals. Where some fresh coinbase outputs are worth more than other outputs. Because you can stake from them. It just makes the system harder to reason about for no benefit.
10:13:30 tbf, whatever the crypto, coinbase outputs have always and will always be worth more than non coinbase outputs. At the condition that the seller can prove it is indeed coinbase.
10:14:05 this includes monero as well
10:15:54 tho for monero the difference in value is way less than transparent chains
10:55:01 hbs: It is an option but isn't my preferred option as control of hash power immediately leads to a takeover of the PoS layer. Even now, it'd cede the system to our largest pool.
10:58:19 spirobel: Ethereum didn't halt since moving to PoS. They once had finally stall for some hours, but the chain itself continued.
We could have similar behavior with Monero, falling back to the current PoW.
10:59:37 I don't think we would actually meet the minimum threshold of pos stake to get it started for monero
10:59:46 this is a risk no one is talking about
11:00:40 It would be trivial to only have the system start after X stakes have been created, at some minimum, which we could even have decay over time.
11:00:45 the eth pos transition took a good long time to do to endure staking was ready. also they had a lot of centralized nodes and treasury coins to jump start it
11:01:15 that's not so safe is it? having like only 10% of the network stake
11:01:20 I mean, practically, if we're 'over-subscribed' (more stakes than targeted validators), we would want to raise the stake requirement, in a manner akin to how we adjust blocks' difficulties
11:02:00 i guess the downside to a few stalkers would be imbalanced reward distribution IF we give some stake rewards
11:02:16 Having a notational 500m USD of a no-premine, tail-emission coin staking??
11:02:33 That'd be 'not so safe'?
11:03:10 if only a couple nodes stake... think kraken and kucoin
11:03:15 then yes?
11:09:50 But could a combo of coinbase value + number of coinbase outputs be beneficial to p2pool as it would produce more outputs when mining on p2pool?
11:47:22 Then it could simply be sybil'd.
11:54:53 just read the post mortem of the incident. the tldr is that they just got lucky. It is an over complicated system that is hard to reason about. It is also besides the point. The burden of proof is on higher stake to show it actually helps with liveness. Even in this case they would have ended up with the 25 minute "time out" if the stake was lower.
11:57:16 Higher stake means the same percent, but a higher amount, must go offline for finality to stall
12:00:27 Here's offchain labs's post-mortem: https://medium.com/offchainlabs/post-mortem-report-ethereum-mainnet-finality-05-11-2023-95e271dfd8b2
12:00:27 They primarily blame an implementation vulnerable to effective DoSs and highlight how the network automatically recovered.
12:01:54 yes this is the one I read. if there was more stake on the wrong implementation the mess would have been worse. So higher stake does not help
12:31:35 The finality layer or p2pool?
12:44:57 It's not a coinbase once it's transferred, so it's not possible to value it differently. It's only worth anything to the producer
12:49:25 some people buy minted coins higher
12:49:44 so yeah, one step higher value (or with known path)
12:51:19 I know that they do that for btc but is it a thing for Monero?
12:53:15 I know some people that prefer the p2pool outputs compared to pools ones when mining, as it's provable from coinbase, which fits well on their tax records (instead of explaining who transferred it to them)
12:53:25 haven't heard of buying them
12:53:28 read up on long range attacks. old miners can sell their private keys and cash out. It just effectively creates a new asset class from miner private keys.
12:54:36 who would buy private keys and retain the outputs? That is utterly risky as you cannot have any guarantee the seller didn't keep a copy of the key!
12:55:17 yes it's a total mess. it makes the security of the system harder to reason about but you have to consider it
12:57:59 Criminals, that have off chain methods of enforcement.
12:59:00 You mean methods like physical threat?
13:00:55 I mean as an example how organized has operated for centuries
13:01:14 Organized crimes
13:01:45 But back on the topic of using coinbase outputs for staking, besides the selling of private keys, what would the attack scenarios be?
Because pools do not hold the majority of their mined coins, so they would not have a lot of coinbase outputs to dedicate to staking.
13:03:56 If an argument is "PoS using any output means one can buy a stake, which is bad", then one has to consider "Pools have all their coinbases, they just buy coins to pay their miners" too. The cost to both is about the same.
13:06:37 You missed the point
13:07:22 How about pools transferring ownership off chain becoming nominee holders of the keys?
13:08:23 The pools have just borrowed the outputs
13:08:41 pools transfer IOU's
13:10:23 To attack POS it is cheaper to borrow rather than buy
13:11:23 How do they finance buying those coins?
13:12:28 borrow + withdraw! good luck.
13:12:32 No need to buy.
13:13:03 can't stake paper
13:13:39 Who in their right mind would "loan" their private keys, when they can stake them theirself
13:14:06 Who holds the key and who holds the paper?
13:14:46 15:13:39 Who in their right mind would "loan" their private keys, when they can stake them theirself
13:14:53 they pay you more. same as current problem
13:15:04 some people only care about $/h not the underlying
13:15:22 Why would qubic need to pay more, if they already own the private keys
13:15:28 at some point they could pay enough for anyone to stop caring
13:15:40 Any mining pool already owns the privkeys
13:15:54 But if they stake they can't pay their participating miners
13:16:09 to reduce large holders influence in PoS, i propose quadratic voting (or other expo)
13:16:09 but a new malicious entity can offer up $ for all the coinbases
13:16:18 and rent them high up enough
13:16:23 The arg presented is that they'd hodl the coinbases and then buy xmr (using a loan?)
13:16:32 not pools, not qubic, say, someone wants to implement a new attack
13:16:59 But by staking they risk being slashed, especially if their initial intent is to hijack the finality layer
13:17:58 i dont like finality layer. To me, it sounds like "pow is just for show now.
5gh or 50gh, finality layer is new captain"
13:17:59 Qubic's attack is agnostic to POS vs POW. Qubic actually targets the pools
13:18:05 So that makes those coinbase outputs a bad collateral
13:18:52 it works because the coinbase outputs have no specific value and can be sold
13:19:38 Unless the two are tightly related, which the reliance on coinbase outputs instills
13:19:52 but not agnostic to slashing....
13:20:19 This has been my point. It is a path to full POS
13:20:57 which a lot reject
13:21:18 That's why u need to take babysteps to hijack the consensus
13:21:54 I really get the TFL improvement. Instead of letting chaos ensue by malicious actors, let's add this so that malicious actors can just halt the network and give us the time to repair the damage. But honestly at this point just bring in the TEE
13:22:43 Define TEE
13:22:51 trusted execution environment
13:22:53 Not fan of the TEE party
13:23:00 me neither
13:23:25 TEE are just a form of DRM
13:24:09 The Intel ME is a TEE
13:24:44 what I mean, is TFL has an improvement but will require human manual and centralized intervention to repair the mess. probably with a hard fork. From a mediation pov, the tee solution is a way more streamlined approach. But again, i'm satisfied by it
13:25:02 yes ArticMine, i too despise TEE, they are insecure and/or backdoored
13:25:20 IM NOT SATISFIED BY IT
13:25:26 NOT
13:27:26 most TEE deployed so far have been broken, exploited, dumped, side channel attacked. that's a reason you don't get 4K blurays on PCs anymore without specific weird old cpus, but those got blacklisted
13:30:35 The "correlation penalty" (https://eth2book.info/latest/part2/incentives/slashing/) detects malicious collaborators... and the penalties hurt.
13:37:51 The sheer complexity makes a strong case for proof of work
14:16:36 well, then TF. /s
15:19:15 Only somewhat? It was suggested as initially caused by multiple operators independently failing.
Also, just because higher stake wouldn't have helped in this case (only better distribution), doesn't mean it wouldn't help in others spirobel:
15:19:42 hbs: A miner can on-purposely create many outputs to game their stake.
15:20:29 That's why I was thinking about a combo of value + number of outputs, not just the number of outputs.
15:31:58 Yes but that can still be gamed by on purposely maximizing the output count
15:34:21 Would probably need a custom formula to limit harm
15:38:12 I'd propose a scalar on the amount of outputs to weight them accordingly to risk
15:38:27 I'd suggest a weight variable from 0 to 0
15:38:28 :p
15:38:42 Pure quantity alone is fundamentally at the miner's selection and cannot be trusted
15:48:44 Could miners not include in blocks they mine transactions with huge fees to increase the value of their coinbase outputs
15:50:02 that'd need to be excluded, more tricky fun
15:57:27 kayabanerve: the argument for higher stake needs to be better. it needs to be clear in which circumstance higher stake actually helps.
15:58:02 currently we are in a clapping to scare the elephants away type of situation.
16:12:04 Good thinking. Also means when you publish the block, miners now have an incentive to mine with that tx on the prev block to "steal" it :D
17:24:31 This effectively reverts to blocks mined then DataHoarder?
17:35:59 blocks mined, but only coinbase, which then gets fun when multiple outputs exist
17:36:49 (p2pool)