00:36:31 ofrnxmr: re: "it sounds like "pow is just for show now..."" 00:36:31 blocks finalized by a finality layer would still need to be valid, built by miners, satisfying PoW difficulty and all other existing requirements. validators are constrained in what they can finalize. to cause reorgs in such a setting, you'd need a large share of the hash rate _and_ control >33% of the stake (so that the honest stake can't finalize). a more probable attack/failure 00:36:33 would be if, for any reason, >33% of the stake stayed inactive. there you'd have an interim period where the chain would work as it does now. inactive validators would lose some of their stake for missing rounds and, if they missed too many, get automatically ejected from the validator set. both would increase the ratio of active stake until it'd hit 67% and finalization could re 00:36:35 sume. 02:16:42 hey has anyone had success with darkirc? the connections keep droppping on me 02:51:14 [#monero-offtopic:monero.social](https://matrix.to/#/%23monero-offtopic:monero.social) 02:51:24 #monero-offtopic 03:27:36 with hybrid pow / pos you can relax some requirements such as having a minimum number or stakers. the threshold to get stake started with only 5-10% network would be fine because you would also need to control the pow network to actually double spend beyond a single block. 11:08:16 The issue I see is that certain solutions are very controversial because they involve drastic changes to the Monero social covenant. 11:08:17 In order of the least controversial to the most I see 11:08:19 1) Solutions that keep the existing Random X POW consensus as the sole consensus solution 11:08:21 2) Solutions that introduce other POW consensus mechanisms involving ASICs 11:08:23 3) Hybrid solutions that include POS but require to POW to function. 11:08:25 4); Solutions that are POS only or have been identified by other projects as a pathway to a POS only solution. 1) For example POS finality layers. This has been identified as a pathway to a POS only solution by ZCash. 11:08:27 By their very nature 2, 3 and 4 are long term only since they involve hard fork(s). 11:30:25 I kinda like the idea of hybrid pow/pos with no block reward for pos blocks, and it does not affect the social covenant. I'd place this as 1.5 because 2 does affect that covenant. 11:34:18 (to be clear, the idea behind no block reward for pos is that holders' benefit would be a bulwark against attack; a defense against monetary loss rather than a monetary gain). 11:35:10 What if stakers received transaction fees only? 11:36:09 How would the penalty work on POS blocks? 11:36:59 I have no idea. I purposefully ignored that issue in my impl :) 11:37:01 the you still have the trouble with long range attacks / more complexity. 11:37:58 that is addressed somewhat in hybrid pow pos. 11:38:10 then you still have the trouble with long range attacks / more complexity. 11:38:19 Am I correct that "long range attack" is basically "create a long pos only chain strting from long ago" ? 11:39:20 because there is not cost in pos to makeup an alternative chain, there is an incentive for an attacker to make up chains where they mess slightly with the rewards so that they capture them all 11:39:27 because there is no cost in pos to makeup an alternative chain, there is an incentive for an attacker to make up chains where they mess slightly with the rewards so that they capture them all 11:39:31 *no cost 11:40:16 I can see how the attack would work 11:41:18 that is really the strongest argument for pow that this is not possible, because there is a real cost to consuming energy. 11:42:18 (leaving aside the question how future proof that is, as energy costs and semiconductor production costs will continue to decline as technology progresses) 11:43:25 https://www.energy.gov/articles/doe-releases-new-report-evaluating-increase-electricity-demand-data-centers 11:43:49 The report finds that data centers consumed about 4.4% of total U.S. electricity in 2023 and are expected to consume approximately 6.7 to 12% of total U.S. electricity by 2028. The report indicates that total data center electricity usage climbed from 58 TWh in 2014 to 176 TWh in 2023 and estimates an increase between 325 to 580 TWh by 2028. 11:44:17 https://matrix.monero.social/_matrix/media/v1/download/matrix.org/RfAsUfuxhovCLFvtoaCIRQyL 11:44:37 Well, I will assume the answer to my question is "yes", then. So I believe that type of attack is mitigated by the way difficiulty is calculated, as it favors chains with equal numbers of pow and pos blocks. So do pos only (or pow only) and you'll lose out to a similar chain composed of ~50% of each. The longer the chains, the stronger the effect. 11:45:07 How well mitigated is left as an exercise for the statistician though. 11:50:58 TFL looks really nice in theory too. Could it be that the pos/pow asymmetry can be fixed by having pow finalize something made mostly of recent pos blocks and vice versa ? This might prevent this fear of it being a pathway to pos only. 11:51:56 That is, whether pos or pow finalizes that height H depends on the composition of the most recent blocks. 11:52:09 *at height H 11:52:52 I did not read the theory beind TFL though, just the zcash article vague overview, sorry. 12:24:39 Hi Rucknium 12:24:39 I created an issue and linked it to the meeting, however, I just learned that my github account is being shadow-banned (showing 404 for others) since I only signed up for it now (with a vpn). Support at github is open. In the meantime, I post the content of my issue below: 12:24:41 One thing to highlight about the Selfish-Mine exploit is that an attack is seen by the network in real-time prior to the inevitable re-org. This is due to the fact that the side-chain has two parts, a hidden tail and the published branch which is continuously being ignored by the miners trapped in the losing branch because of matching cumulative difficulty and the first_seen rule 12:24:43 and the reactivity nature of selfish-mine. The trapped miners are modeled by (1-γ) where γ "denotes the ratio of honest miners that choose to mine on the pool’s block" (citation from the infamous paper, Majority is not enough - Bitcoin is vulnerable, referred to as 'the paper' from here). 12:24:45 It seems therefore strictly better to free the trapped miners (collapse the two public branches into one) as soon as possible by choosing deterministically which branch to mine on (implemented within stratum, no protocol change). This fixes γ to 0.5 and the pareto front (Fig. 3 of the paper) shows that you need a pool share α > 0.25 to be profitable. On first glance, it doesn't 12:24:47 seem promising on it's own since γ relies on additional effort of employing sensors and skew the first_seen metric to your favor. With a high enough γ you can currently profit with even less than 25% hashrate share. If your share is > 25% you don't need to rely on luck or sensors anymore and you profit even more if you had previously a γ below 0.5. 12:24:49 However, I think the upside of collapsing the branch as quickly as possible is bigger here. I propose a further adjustment in which it does not matter from a reward perspective which branch is ultimately adopted. What matters is that the partitioning of the honest hashrate by γ bands together and we free our friends quickly. The further adjustment is quite drastic but effective: 12:24:51 - we have an additional field "donation" (not sure if that can be a stealth address or not). To account for p2pool, this should allow lists of addresses with percentage 12:24:53 - block rewards are paid out by the subsequent block (N+1) based on that donation field 12:24:55 - rewards would be given to all competing blocks (uncles) uniformly. This needs to parent (N-1) + uncles from N-2. Since the branch point is one block earlier 12:24:57 outside of protocol, in stratum: 13:03:01 title was: Countering Selfish-Mine 13:03:44 under PoW: Long-term fix 13:04:35 but it's idea-stage. if at all valid, certainly needs to be fleshed out 14:08:03 i dunno if i'll be around at meeting time, but hopefully the folks associated with the 2 things i put in the lab meeting issue may be around to discuss 15:01:00 MRL meeting in this room in two hours. 16:38:34 venture: Can you give your idea a name besides "Countering Selfish-Mine"? 16:39:49 Countering Selfish-Mine: Promote orphans to uncles (equal pay) and choose deterministically (in stratum) who becomes father :) 16:50:15 https://github.com/monero-project/meta/issues/1256#issuecomment-3207233765 some thoughts on meeting items 5. and 6. ... maybe we can reach some rough consensus on which questions the community wants answers to for the TFL work. 16:51:28 I had a question regarding TFL, but I'm probably wrong: It is my understanding (or hunch) that a finality layer would completely override the longest/heaviest chain rule from the underlying PoW, similar as checkpoints would? Once finality is required by exchanges miners will always jump ship and mine on any branch endorsed by that layer. 16:51:55 I will be commenting on the block signing remix. 16:51:55 With a minimum of 1% of the block reward before penalty or fees in a single transaction signed. 16:51:57 As an option 10% of the total block reward in multiple transactions could also be allowed 16:52:20 Block signing is included in one of the listed proposals 16:54:46 I am currently working on a write-up for this 16:58:58 The sub-items I have for mining pool centralization: https://github.com/monero-project/meta/issues/1256#issuecomment-3207278521 16:59:53 can you add the two questions from my comment to the TFL subpoint? 17:00:26 Can you type them here? Your comment is long 17:00:30 jbermans comment has some good thoughts as well. maybe we can condense those into questions and add them too 17:00:39 Meeting time! https://github.com/monero-project/meta/issues/1256 17:00:44 Howdy 17:00:48 A) How low can the staked percentage of the total marketcap be, to achieve the same cost that is needed for an attacker to shut off our current PoW system consistently over time? 17:00:49 B) The second question I am interested in is how higher stake behaves during real outages. 17:00:51 1) Greetings 17:00:59 hello 17:01:03 Hello 17:01:06 *waves* 17:01:17 Hello 17:01:21 hai 17:01:23 hi 17:01:37 Hi 17:01:39 hi 17:01:45 Hi 17:02:53 hi 17:02:58 2) Updates. What is everyone working on? 17:03:29 me: final tasks in prep for the FCMP++ alpha stressnet (reviewed 9473, tested forking from testnet). All code right now for the alpha stressnet is in review. I spun up the current testnet, forked it locally, and found/patched a couple bugs. We should be good to go forking from current testnet once the fixes are merged 17:04:00 I am working on the block signing remix proposal and also doing research on Proof of Stake in general 17:04:14 me: ironing out monerosim 17:04:19 me: updated/rebased existing prs, bug fix for lwsf tx construction, read a few papers on selfishing mining mitigation/prevention, etc 17:04:55 Veridise is nearing completion of their research on the Helios/Selene pair, as part of the FCMP++ work. The formal verification of the library will follow that 17:05:17 trying to reproduce an issue i had with big blocks. Issue disappeared when the txpool expired 17:05:34 me: Performed some network construction simulations to help analyze "p2p: Improved peer selection with /24 subnet deduplication to disadvantage 'spy nodes'" https://github.com/monero-project/monero/pull/9939 . See my comments in that PR. Looking at research literature on hardening PoW against attackers. Helping test rolling DNS checkpoints on the public testnet with ofrnxmr , vtnerd , and tevador . Visualizations (4 different subdomains): https://testnetnode{1,2,3,4}.moneroconsensus.info/ 17:06:04 Trying to hit back review backlog for both FCMP++ and the core repo, and working on integrating tevador's double hashing idea 17:06:08 wrote out a framework for judging the relative security of pow / pos / pow-pos hybrid solutions. https://github.com/monero-project/meta/issues/1256#issuecomment-3207233765 and took a look at the monero-oxide audit / started migrating to the crate 17:07:19 embarrassed myself with a very naive idea with outlandish numbers and that would have let to bifurcations, thankfully the community was there :) Researched more on countering selfish-mine 17:08:56 3) Transaction volume scaling parameters after FCMP hard fork. https://github.com/ArticMine/Monero-Documents/blob/master/MoneroScaling2025-07.pdf 17:10:55 One of the considerations here is that regardless of the valuation of verification time, we must allow the weight s to scale for large weight transactions 17:11:43 Otherwise it is possible to launch a zero cost DDOS attack on the nodes 17:12:39 I don't understand why charge more for larger txs, when smaller txs are better to attack with. Makes sense (to me) to not discriminate against any of them (page 2) 17:12:42 I followed up on that here: https://github.com/seraphis-migration/monero/issues/44#issuecomment-3187685572 17:13:38 If the tx is ultimately invalid, then the fees dont matter (do they? Im assuming the fees are irrelevant because an invalid tx wont be mined). For a valid tx, the fees should be inline with cost oer input on lower input txs 17:13:54 I will provide a response in the thread on this. 17:14:15 if tx is invalid, fees don't matter 17:14:17 The response does not address this issue 17:14:33 ArticMine: somewhat related, do you happen to know why the transaction weight limit was changed from (block weight minimum - coinbase_size) to (block weight minimum / 2 - coinbase_size) in hard fork v8 ? 17:14:54 If the tx does not get mined feed don't matter 17:15:57 Do you mean for node relay? 17:16:04 Fees 17:16:07 A 128-in FCMP++ can be bigger than 120kb, which is more than half of the block penalty-free zone (unless we change that in the next HF). I was wondering if there would be any downsides if txs above 1/2 the penalty-free zone were allowed? 17:16:35 ArticMine: that tx weight limit is a consensus rule 17:16:41 (*150kb) 17:16:59 Sorry, yes that was a typo. 150kb 17:18:24 So 50% of the penalty free zone 17:19:31 Yes I supported that since it mitigates somewhat my concern over a DDOS attack with un economical transactions 17:19:35 > One of the considerations here is that regardless of the valuation of verification time, we must allow the weight s to scale for large weight transactions 17:19:35 After thinking about this for a few weeks, I'm not quite convinced that this is true anymore. Like ofrn is saying, you can split the tx into smaller parts, pay a smaller fee, but the change to the block reward penalty would be the same. The additional marginal fee to be imposed by a tx really is a function of the sum total size of the mempool, not any individual tx 17:21:16 One can split up a tx and pay lower fees because it attracts a lower penalty for each split tx. This is a given 17:21:48 When it really gets down to it, it's a discrete optimization problem, so optimally it's a function of individual txs, but that's a different discussion. I'm talking about approximations 17:21:54 the cost to perform a ddos attack could be increased by having the proposing nodes sign transactions with a bond and slash that bond if they propose tons of invalid transactions 17:21:58 But i can ddos better with smaller txs, at a lower cost, and higher size 17:22:07 The issue is a spam attack with large weight TXs where the spam TXs do not get minef 17:22:18 /my 17:22:26 But it's the same penalty diff for the sum of those 2 txs 17:22:37 The fee doesn't matter in that case 17:22:41 its really the verification cost of invalid transaction that could become a ddos concern, right? 17:22:57 The two TXs can be in different blocks 17:23:41 So the higher penalty rate is never paid 17:23:41 ofrnxmr: the fee still matters. We're talking about valid-proof txs, where the relay fee is less than what would make it economical to mine 17:23:47 This is not about invalid transactions 17:24:01 That's different from the discussion where a verification-time DoS is performed with invalid txs. The fee makes no difference in that case 17:24:36 how can the verification cost of valid transactions ever be an issue for ddos? if thats the case the fees are too low in general 17:25:09 It isn't, but you don't know if it's invalid or not until you validate it 17:25:13 This is not about verification t 17:25:20 Time 17:25:38 I will address this in my response in the thread 17:25:46 On GitHub 17:27:29 Is there any else on this topic? 17:28:19 4) [FCMP alpha stressnet planning](https://github.com/seraphis-migration/monero/issues/53#issuecomment-3053493262). 17:28:20 on scaling in general I would recommend people to read up on the research about tachyaction. other than that no 17:28:22 > The two TXs can be in different blocks 17:28:23 > So the higher penalty rate is never paid 17:28:25 By that same logic, you can wait until the mempool is more empty to mine the bigger one too and not pay the higher penalty rate 17:29:18 True. This is why we have not yet had a problem with this 17:29:21 > on scaling in general I would recommend people to read up on the research about tachyaction. other than that no 17:29:21 That's more related to cryptography / data availability and not traditional fee markets though. But yes, an interesting topic for sure 17:29:23 spirobel: This one, right? https://seanbowe.com/blog/tachyon-scaling-zcash-oblivious-synchronization/ 17:30:21 AFAIK, final bugs that would affect alpha stressnet are being squashed. 17:30:31 This I have to read especially after the brutal attack on ZCash 17:30:38 (holding on stressnet until above discussion is finished) 17:31:07 yes I posted about this before a while ago in the community workgroup channel. the tldr is that it will change node requirements in the sense that not all key images will have to be kept in memory for verification. so ram requirments get decoupled from archiving the blockchain. 17:31:30 ok, I have 3 items to raise for FCMP++ alpha stressnet: 17:31:36 1) Set a fork date. 17:31:49 - As proposed in a past meeting, it would fork from current testnet. So get your testnet nodes synced up and ready to go. 17:31:49 - I would prefer to have all code merged before announcing the official start date and releasing instructions on how to join the stressnet. 17:31:51 - I would hope to target this coming Tuesday (Aug 26th), but that depends on our ability to get the code merged beforehand. 17:31:53 - Blocking code is linked here: https://github.com/seraphis-migration/monero/issues/53#issuecomment-3053493262 17:32:57 IMHO, it's best to wait until the code is 100% ready before setting a date. 17:33:18 Ok 17:33:24 In summary, the blockers now are the PRs created in the wake of the other stressnet, and a wallet sync speedup PR. Nothing super FCMP++ related 17:33:31 Do we need to announce anywhere except here? Isn't there a non-alpha stressnet planned for more community participants? 17:34:20 2) Here is a draft post written and ready to blast out: https://paste.debian.net/1392565/ 17:34:26 - It includes instructions (borrowed from jeffro) on how to build monerod, CLI, RPC, and GUI using the expected alpha stressnet code. 17:34:27 - The code would live on a new branch called "fcmp++-alpha-stressnet" in the seraphis-migration repo. 17:34:38 Then we'll need to set some roles/rules. I, for example, will volunteer to run a seed node. i think we might have to have controlled mining due to the speed (lack of) of generating txs 17:35:04 I figured it would be good to make a reddit post 17:35:07 What do you mean by "controlling mining"? 17:35:08 *controlled 17:35:13 Imo, it needs a paragraph on top to remind people what FCMP++ is, in ELI5 language 17:35:31 i mean, i have a script that only starts mining under certain conditions 17:35:44 Instead of every 2mins, since i cant fill blocks that fast 17:35:51 > Do we need to announce anywhere except here? Isn't there a non-alpha stressnet planned for more community participants? 17:35:51 Rucknium : probably the stressnet Matrix room I would think 17:35:58 Difficulty will fall off fast you that is done 17:36:04 fast if* 17:36:35 For building stressnet - we should release binaries. Building shouldnt be necessary, but of course people can build if they choose to 17:37:03 Thats fine. My diff is at 2 and i oroduce blocks every 20mins :P 17:37:16 They are ~17mb, spamming from 4 wallets 17:37:28 I think I can probably use the testnetnode1.moneroconsensus.info nodes as seed node, too. 4 nodes. 17:37:41 ofrnxmr: perhaps I could add a tool which re-uses EC blinds and speeds up stressnet tx creation 17:37:55 Discussed binaries briefly with jeffro. We haven't messed with GUIX building yet, so not sure how that'll go. I pinged tobtoht on it too for thoughts 17:37:58 Obviously, you wouldn't want to ever, ever use that for production 17:38:11 I can manage some spamming from the Monero Research Computing Cluster and maybe some from my seed nodes. 17:38:16 Depends works 17:38:28 Guix not ready afaict 17:38:44 Blinds construction is fast now with fabrizio's code merged. It's prove() that's the bottleneck: https://github.com/kayabaNerve/fcmp-plus-plus/issues/34 17:39:00 yes I posted about this before a while ago in the community workgroup channel. the tldr is that it will change node requirements in the sense that not all key images will have to be kept in memory for verification. so ram requirements get decoupled from archiving the blockchain. 17:39:22 Oh, you're right.. 17:39:32 Nvm 17:40:29 I think we should see how things go at normal mining speed at first and then adjust if necessary. 17:40:33 I'm fine with releasing binaries too. I have some reservation on it because it might end up a little annoying if people start doing stuff like using the wrong node/wallet and report bugs from that, and so requiring building at least raises the bar somewhat 17:41:38 But, if no one shares that concern, then we can do binaries 17:41:50 Perhaps we could switch to a fixed difficulty at some point 17:42:17 Is that easy to do? Don't all nodes on the network need to agree for that? 17:42:26 Probably need like 30+ wallets spamming if were actually pushing for large blocks 17:43:00 IIRC, `monerod --version` shows the current commit hash if not a release version, right? 17:43:07 Maybe I can try to Dockerize something :D 17:43:07 I don't really like Docker, but this may be a good usecase. 17:43:16 it uses 100% cpu 17:43:36 We can just ask them what version they're using as the first question 17:43:37 (wallet does) 17:43:52 100% of one thread or 100% of the whole CPU? 17:44:11 > Is that easy to do? Don't all nodes on the network need to agree for that? 17:44:11 Yes, they all need to agree on that. It can be supplied with a CLI argument 17:45:08 The new MRC box has 256 threads and 1TB RAM 17:45:18 Can almost run a Qubic node ;) 17:45:31 doing things like mixing and matching and not realizing etc. 17:45:42 https://ccs.getmonero.org/proposals/gingeropolous_1TB_MRC.html 17:45:57 100% of 8-12cores here 17:46:04 binaries are fine with me in any case 17:46:21 IIRC, no one got confused when binaries were released for the last stressnet last year. Anyone remember anything about that? 17:46:28 yaaas, someone use it! 17:46:45 binaries were the main deployment 17:47:05 Only issues we had were "idle" users who didnt update, probably at all 17:47:33 probably biggest difference is that wallet cache /wallet impl was compatible across versions for that stressnet. the changes for fcmp++/carrot are much more significant 17:47:45 [@gingeropolous:monero.social](https://matrix.to/#/@gingeropolous:monero.social) how does mrc work, can you set me up a vm or something i can try to spam from? 17:48:06 Anything more that we need to discuss here that shouldn't be shifted to #monero-stressnet:monero.social ? ( ##monero-stressnet on IRC, IIRC ) 17:48:07 yeah we can figure it out 17:48:18 3rd thing from me: 17:48:46 I propose that 9473 (allow unrestricted RPC when pool is >100mb) not remain a blocker for stressnet. It has some issues and I want to give 0xFF time to continue on it. If pools end up exceeding 100mb, we can roll out the patch (or push people to use a restricted RPC instead). 17:49:11 Can just use restricted for the time being, thats what we did last time 17:50:01 going to remove that as a blocker unless anyone raises objections 17:50:56 Even if dynamicbss isnt merged to fcmp++-stage, we should merge it to the stress branch/repo 17:51:12 good with me^ 17:52:45 nothing else from me 17:53:20 Thanks for making the final checklist and moving alpha stressnet forward, jberman 17:53:24 Rucknium, so you have testnet wallets with a lot of outputs? Or only stressnet 17:53:54 Not so many now, but I will try to mine some. 17:54:20 On public testnet, fees are lower than a from-genesis private testnet, AFAIK 17:54:24 i should have a testnet wallet somewhere. xmrchain is mining. 17:54:49 Yeah, pre-tail, fees are higher 17:55:09 But my rewards are in the 100s of xmr :P 17:55:23 5) [Spy nodes](https://github.com/monero-project/research-lab/issues/126). 17:55:39 I ran some network construction simulations to help analyze "p2p: Improved peer selection with /24 subnet deduplication to disadvantage 'spy nodes'" https://github.com/monero-project/monero/pull/9939#discussion_r2285992169 17:56:13 Some interesting findings: The longest distance between nodes on a realistic network of reachable nodes is 4 hops. Converting that to milliseconds of latency using GeoIP data, it takes a maximum of about 110 milliseconds for a message to originate from one node and arraive at the farthest node, assuming speed-of-light speed, shortest straight-line distance between points on the Ea rth's surface, and no CPU processing of messages. 17:56:33 Thank you for doing that, Rucknium 17:57:20 By the way, you could probably get an analytical formula to the number of hops, since the graph is approximately 24-regular (12 outbound connections by each node). Somewhere a paper probably has the formula. 17:58:12 Anything else on spy nodes? 17:58:17 Yeah, interesting work, as always 17:58:41 My pleasure :) 17:58:48 Switching "already" connected subnet filtering from /16 to /24 doesn't seem to change eccentricity very much, which is good 17:59:41 is there something else to review ? 18:00:08 On the PR? I don't know. I commented where I thought I could contribute. 18:00:32 That was my main concern with /16 to /24 already connected change, so I don't have any major criticisms after that 18:00:41 (for the moment) 18:01:02 @jeffro256 18:01:05 tx 18:02:20 For the next agenda item, I gathered a list of possible proposals to organize the discussion: https://github.com/monero-project/meta/issues/1256#issuecomment-3207278521 18:02:21 We will open the floor for discussion of any type of proposal after we have walked through this specified list. 18:02:38 6) PoW mining pool centralization. [Monero Consensus Status](https://moneroconsensus.info/). [Bolstering PoW to be Resistant to 51% Attacks, Censorship, Selfish Mining, and Rented Hashpower](https://github.com/monero-project/research-lab/issues/136). [Mining protocol changes to combat pool centralization](https://github.com/monero-project/research-lab/issues/98). 18:03:08 ## Short-term 18:03:09 **Rent hashpower to increase honest hashpower share. (HF not required)** 18:03:11 https://www.miningrigrentals.com/rigs/randomx 18:03:13 https://i.imgur.com/MQZcVC8.png (Chart by Eddie ) 18:03:15 https://xcancel.com/xenumonero/status/1957403356462268705 18:03:17 just wanted to add one thing on the topic of spynodes 18:03:22 If I remember correctly from the cuprate meeting on the cuprate tor implementation, boog mentioned there is trouble accepting p2p nodes over tor, because it is too cheap to make new tor hidden service addresses. (so there is the risk of eclipse attacks if tor peers are accepted.) The block lists on spy nodes seem to operate on ip addresses as well. Is there a similar concern or do 18:03:23 they also contain hidden service addresses? 18:04:22 The ban lists do not contain onion hidden service nor I2P addresses. Only clearnet IPv4 18:04:45 This ties into the proposed TFL work on number 6. Could the stake be used as a way to mitigate against the costless creation of spy nodes / eclipsing peers? could that potentially help to reduce our reliance on the cost of acquiring ip addresses to mitigate these issues and we could allow nodes to completely operate behind tor more safely? 18:05:00 There is some speculation about if renting hashpower from miningrigrentals (MRR) actually contributes hashpower or if it is just re-distributing honest hashpower. 18:05:14 Let's wait to discuss that spirobel 18:05:34 rucknium, in addition, i also think qubic hash is available to rent 18:05:48 increase honest hashpower share might be counter-productive. Honest miners are being duped by first_seen and depending on connectivity might even fuel any attack 18:05:51 IIRC, sech1 said he rented hashpower from MMR during the approach of MineXMR to majority hashpower a few years ago. I wonder if he has any information that could shed light on this question. 18:06:04 imho 18:06:43 Does anyone support the monero core team renting hashrate? I'm not sure if this is an idea with supporters or just an idea 18:06:55 IIUC, MRR can shoe the current hashrate of unrented miners, assuming they arent idle 18:06:57 I did, but I don't know where the rigs are mining when not rented 18:07:04 i should just setup an account and put my hashrate up for rent and see if it switches me between "mining for me" and "mining for the bidder". 18:07:07 Simply based on observed prices, I think the MRR rigs are not mining when not rented. If they were mining, I would expect that the price would be lower. 18:07:08 Honestly, imo, no 18:07:14 It does 18:07:24 [@gingeropolous:monero.social](https://matrix.to/#/@gingeropolous:monero.social) kawaii did exactly that 18:07:31 oh, then, there yah go 18:07:57 I think tevador and myself showed tentative support for the idea of Core renting hashpower. 18:08:31 https://x.com/kawaiicrypto/status/1950967882747134402 18:08:31 https://xcancel.com/kawaiicrypto/status/1950967882747134402 18:08:36 I think about renting hashpower the same way that Qubic uses their coin to subsidize rewards to spur a higher hashrate: you are infusing external rewards to incentivize participants that wouldn't otherwise be mining without the incentive. Except, ostensibly, you wouldn't donate to a selfish miner 18:08:49 is that not valid? happy to be wrong.. 18:09:09 Jeffro, qubic could very well be the entity that you are renting from, at 40% surcharges 18:09:21 If qubic approaches or exceeds 50%, it can help to rent some hashrate. 18:09:29 Qubic had its coin emission "halving" today, by the way: https://qubic.org/halving 18:09:45 > Does anyone support the monero core team renting hashrate? I'm not sure if this is an idea with supporters or just an idea 18:09:47 @sgp_ no since it's a slippery slope and the optics lead people to believe that we've more or less given up on PoW as a secure consensus mechanism 18:09:58 Possibly, the halving means that Qubic has less money to subsidize miners in its pool. 18:10:11 And rbrunner seems to have lost the bet to no one. 18:10:17 example, i saw rentals from from 0.7ltc per mh to 0.95, and while qubic was doing "4gh" xenus rentals were underperforming 18:10:25 Right! 18:10:30 no one? 18:10:36 Go from* 18:10:47 in general I don't think its a great first option, but it makes sense to have it as a last resort... though there's no way to tell if we'd be just inadvertently putting money into qubic 18:11:06 No one took to opposing side of the bet, for 0.1 XMR. The bet that Qubic wouldn't actually halve. 18:11:37 Its a smart business model, for them to rent their hashrate at exotic prices during their marathons 18:11:44 i should take the handle "no one". I said I take it, question was only how to verify.. than it got lost in chatter 18:11:51 but i don't claim it 18:12:03 *then it got lost in chatter 18:12:05 If the Qubic halving has a negative effect on their hashpower, the period of maximum risk have have now passed. 18:12:13 So the threat to Monero with its tail emission has dropped by 50% 18:12:43 may have now passed* 18:13:13 Not necessarily, the price per unit of Qubic has gone up in the last 3months 18:13:16 That "halving" is a bit murky anyway 18:13:35 If I understand correctly, issue continues, but burning intensifies: https://qubic.org/blog-detail/qubic-s-epoch-175-halving-understanding-its-role-in-tokenomics 18:13:49 Also, the rewards for XMR haven't halved, so I think the threat is definitely not reduced by 50% 18:14:09 We have a lot of items. Any important points remaining on this idea? 18:14:13 I think checkpointing should deliver an organized PR blow to Q* - is this the next item ? 18:14:21 The price of Qubic in terms of Monero is the critical parameter here 18:14:51 Renting hashrate is the exact opposite of giving up on PoW. 18:15:09 The other critical parameter is the ratio of the emission rates 18:15:25 the tokenomics of this marketing project with a blockchain are wild. so many billions 18:15:42 trillions 18:16:33 **Follow DNS checkpoints by default (HF not required)** 18:16:33 https://docs.getmonero.org/infrastructure/monero-pulse 18:16:35 the question is really what the TAM is for their marketing campaign. by know everyone who could possible hear about it has probably been exposed to this 18:16:49 the question is really what the TAM is for their marketing campaign. by now everyone who could possible hear about it has probably been exposed to this 18:17:03 the question is really what the TAM is for their marketing campaign. by now everyone who could possibly hear about it has probably been exposed to this 18:17:09 How often would these checkpoints be checked by monerod? 18:17:22 Like I said in my update, ofrnxmr , vtnerd , tevador and myself have been testing following rolling DNS checkpoints to avoid deep re-orgs. 18:17:59 tristate is doing 2mins. Mainnet selsta proposed 5min. I dont know what is a safe number due to performance hit 18:18:11 Testnet* is doing 2mins. @ginger 18:18:12 Mechanically, it seems to work ok, but some problems to smooth out. Philosophically is a different question. 18:18:42 yeah, it's akin to trusted seed nodes.. right? 18:18:47 I abhor the idea of DNS checkpoints by default. Perhaps a knee-jerk reaction, but the centralization of that approach is unpalatable to me. And "HF not required" is not quite accurate. Every single time a checkpoint is pushed, a new hard fork is created. Ideally, this hard fork is not contentious, non-disruptive, and retroactive, but it is technically a hard fork 18:19:04 This was proposed as an emergency measure in case qubic gets to 51% and starts orphaning everyone, as they announced. 18:19:29 i think the main thing here is to not enforce by default 18:19:38 And to allow mining pools to opt-in 18:19:50 You would want good, reliable DNS propagation. We observed a lot of peer banning when our simulated attack occurred. On mainnet, those net fissures could heal, but it is hard to know how quickly and easily. Monero nodes _love_ banning each other. 18:19:54 on fluffy's proposal, I brought up the idea of requesting >50% of hash rate defend the network by not mining on top of the attacker's blocks 18:20:30 I would probably prefer that to checkpoints. But that would not work if the attacker has >50% of the hash rate 18:20:52 dns blocklist doesnt work for >50% either 18:21:04 But should work for selfishmining deep reorgs 18:21:17 DNS checkpoints work for >50% 18:21:32 only if enforced on everyone 18:21:35 ofrnxmr: It does work in that case, but only for the subset of nodes who have enabled DNS checkpoint enforcing. 18:21:48 technically 18:22:11 Yes, it's essentially a hard fork that nodes would need to join. Either that or follow the 100% qubic fork. 18:22:13 The main chain wouldnt be able to overtake an attacking chain with >50%, so those nodes wouldnt switch back 18:22:19 I definitely feel the philosophical clash, but moneropulse was meant as training wheels... the ability of the stewards of the project to keep the network healthy as it grows 18:22:21 yeah 18:22:33 the problem is our little network still needs to grow 18:22:59 Less than 50% is _my_ goal for dns checkpoints. It makes qubic choose to mine honestly, or at mininum, keep reorgs to a low depth 18:23:05 Before this month, CfB (major person in Qubic) announced that they would try to selfish mine Monero for the month of August. Maybe in Sepetmber they will stop. 18:23:26 PR: we should get the word out on twitter that the option exists; that their are wasting their time; futile; running against a firewall; etc 18:24:22 In any case, if we do something stupid that makes their win of prestige and attention even larger 18:24:28 The option doesnt work properly as-is, imo, due to the 1hr interval to check. that would revery 1hr worth of blocks and invalidate a lot of txs 18:24:38 DNS checkpoints are a break-glass-in-case-of-emergency countermeasure. I don't see an emergency yet, but it could happen. I want to keep testing its behavior so the available options are known. 18:24:39 and *why* it hasn't grown is a fun rabbit hole of price suppression conspiracy. there are a lot of headwinds, and using this tool to plow forward (if necessary) seems fine. its not a permanent change to anything. it can get turned off. thats not the same as other solutions being proposed 18:24:41 tbh they don't rent on MRR, at least the majority of their hashrate comes from datacenters. AWS or Google cloud 18:25:02 Sech1, i meant they lease their hashrate out on mrr 18:25:18 During their marathons 18:25:42 selsta said in #monero-dev:monero.social : "we can reduce the DNS checkpoint load frequency from 1h to like 5min, but i don't think there will be consensus for enabling DNS checkpoints by default, too risky" 18:26:31 I think thats probably sane, and to recommend miningpools enable the enforcement option, just in case 18:26:32 That is in regards to the next version release of Monero, coming very soon. 18:26:33 yeah regardless of whether it will be used, we should definitely figure out if we can use it 18:26:51 +1 18:27:15 IIRC, DataHorader complained that the DNS checkpoint network call was "blocking", i.e. other node operations were paused while it completed. Maybe that could be fixed. 18:27:16 The other thing that needs to be set/changed if its to be enforced, is reducing the ban time 18:27:36 rbrunner: which statement did you +1? 18:27:57 ginger: find out whether we can use it 18:28:09 DataHoarder* 18:28:26 correct. that's why it's disabled in recommended p2pool config 18:28:31 Could be ok if the whole network doesnt ban itself, but probably not ideal to 86400second ban all of your peers that werent using the checkpoints 18:28:35 ofrnxmr: what would reducing the ban time do in this scenario? If there is a network split b/t nodes which did not implement DNS checkpoints we can merge together again quicker? 18:28:42 Ah ok 18:28:43 yes 18:28:47 it blocks operations for a certain number of time, increasing latency for block data 18:29:14 I think a short-term fix against deep-reorgs at least, is to choose on stratum deterministically which branch to adopt. 18:29:15 it frees trapped hashrate and would prevent deep reorgs. incentive-wise..i don't know. it fixes gamma to 0.5. 18:29:20 (it should be done asynchronous from main logic) 18:29:32 Ok I will keep experimenting with it. I have https://testnetnode4.moneroconsensus.info/ set to follow rolling DNS checkpoints on testnet and testnetnode 1 - 3 not following. I will probably change #3 to follow checkpoints to have half of them following. 18:30:13 DNS checkpoints are the nuclear option. If we are ready to "press the button", it might be enough to discourage the attack. 18:30:54 _How I learned to stop worrying and love the DNS checkpoints_ 18:30:59 Maybe. Attacking and then not succeeding might not cost them much either way. 18:31:01 **Detective mining (HF not required)** 18:31:01 https://github.com/monero-project/research-lab/issues/140 18:31:03 https://eprint.iacr.org/2019/486 18:31:05 https://ceur-ws.org/Vol-3304/paper15.pdf 18:31:24 yep, psychology is part of it 18:32:23 "and immediately mines a "counter" child block on top" <-- doesn't this need to have valid PoW, ie takes time? 18:32:28 This falls in my view into the category of low impact mitigations and as such should be supported 18:33:20 Detective mining won't work against >50%, it's only against selfish mining strategies. 18:34:16 well, you can still have >50%. it would prevent the attacker from using the 51% nefariously... maybe? 18:34:34 tevador I learned your proof, anything that fixes 50% is not PoW anymore :) 18:34:54 While an individual low impact mitigation may have a limited impact on the attacker, the cumulative impact of multiple low impact mitigations can effectively block an attack. 18:35:00 just because you have a majority of the hashrate doesn't mean you are going to find all the blocks, unless you selfish mine. probabilistic random blah blah 18:35:16 question is do we want that protection or encourage mining adoption. 18:35:36 sech1 had thoughts on detective mining. (Just trying to ping sech1 ) 18:36:55 Either I don't understand something, or it won't do anything against the current attack. I commented there. 18:38:01 sech1 : I agree that there is a risk when the attacking chain gets long. 18:38:24 On first pass, detective mining seems sensible to attempt me assuming hash rate <50% is willing to implement. If >50% is willing, then I think ignoring the attacker's blocks is optimal. I'll respond to fluffy in a second 18:38:41 to prevent long growing attacking chains, I think a short-term fix against deep-reorgs at least, is to choose on stratum deterministically which branch to adopt. It frees trapped hashrate and would prevent deep reorgs. incentive-wise..i don't know. it fixes gamma to 0.5. 18:40:12 I also have doubts about it. I think it's a good strategy to detect a potential attack, but probably not a practical defense. On a related note, it might be a good idea to put an explicit block height into the hashing blob at the next HF. 18:40:56 as mentioned, it seems low-impact, otherwise benign 18:41:01 Isn't an attacking chain with parity to the main chain usually last-seen? And when it has +1 advantage over the main chain, it will be chosen to mine on top of anyway? 18:41:28 and it falls mostly on pool-ops to implement, and they should be incentivized because they are losing block rewards. 18:41:42 I'm certainly interested in a no/low-downsides way to make selfish mining worse, even if it doesn't address 51%+. I haven't had enough time with the proposal to really think about what the potential downsides could be. I think this proposal warrants continued discussion/research 18:42:01 With a hard fork, you could require the RandomX hash to start with the whole block, right? Then mining pools would have to send the whole block and a "detective" would have the block in plaintext. 18:42:18 That would reduce the incentive to produce high-tx blocks, however, I think. 18:42:34 This approach simply seems like a much, much more complicated scheme of just not mining on newly encountered alt chains. Selfish mining alt chains will almost propagate after "honest" alt chains, so if miners don't switch chains up to a certain depth, I would think that you can achieve almost the same effect without all the detective work 18:42:40 that is the re-org point. 18:42:41 and no, it's not always last-seen. depending on gamma (connectivity of the selfish pool to honest miners), it traps honest ppl onto mining their chain and leaves less hashpower to original one 18:43:00 rucknium: No, the pool would just send the Blake2b midstate, which is ~200 bytes. 18:43:21 gamma will reduce over time, or the majority will anyways catch-up, that's when they publish all and do the re-org 18:43:28 tevador: Thanks. 18:43:50 jeffro256: , but how do you distinguish between that and a re-org. I guess the case of a netsplit and recover is the only case perhaps. 18:44:13 tevador no, not if the whole block is the RandomX input 18:45:03 fwiw, my understanding is that this proposal would not discourage selfish mining by an entity that doesn't solicit hashrate from the public. afaik. So there's limited potential benefit 18:45:46 gingeropolous: You don't, or you could allow very shallow re-orgs (1 to 2 blocks). But if majority does the same, then you don't lose funds from building "behind" 18:45:51 If the nonce field comes before the block data, you can't use a midstate. If it comes after, you can. 18:46:08 sgp_: but its potentially the most relevant. idle hashpower is sorta the problem here. 18:46:32 forcing an attacker to build datacenters is sorta the juice of PoW IMO 18:47:28 juice = essence. 18:47:50 I think it's hard to definitively say it's the most relevant. If it is expected to be profitable, an attacker could rent private servers and still selfishly mine on their own 18:48:08 It is part of it 18:48:12 thats the same sgp_ 18:48:39 Is Diego Salazar from Cypher Stack here? 18:48:49 always 18:49:30 Are you still considering looking into this issue? Maybe we could divide-and-conquer the vast literature on this topic. 18:49:58 Yes, we've already done several days of research here. 18:50:13 y 18:50:21 And I will use this opportunity to share some big-picture papers that I have tentatively put on my reading list: 18:50:42 Zhang, R., Preneel, B. (2019) "Lay down the common metrics: Evaluating proof-of-work consensus protocols’ security." https://doi.org/10.1109/SP.2019.00086 18:50:43 Azouvi, S., Hicks, A. "Sok: Tools for game theoretic models of security for cryptocurrencies." http://arxiv.org/abs/1905.08595 18:50:45 Judmayer et al. (2021) "SoK: Algorithmic Incentive Manipulation Attacks on Permissionless PoW Cryptocurrencies" https://eprint.iacr.org/2020/1614.pdf 18:50:47 Andrew Lewis-Pye, Tim Roughgarden (2024) "Permissionless Consensus" https://arxiv.org/abs/2304.14701 18:50:49 Eric Budish, Andrew Lewis-Pye, Tim Roughgarden (2024) "The Economic Limits of Permissionless Consensus" https://arxiv.org/abs/2405.09173 18:50:51 Budish, E. (2025). "Trust at Scale: The Economic Limits of Cryptocurrencies and Blockchains" https://moneroresearch.info/101 18:50:53 Luke Szramowski: Rigo Salazar ^ 18:51:13 cuz 18:51:30 The Azouvi & Hicks paper is (2020) 18:51:51 Someone can decode the computer science jargon and I can decode the game theory jargon. 18:52:02 ## Medium-term 18:52:03 **N-block rolling checkpoint (HF recommended)** 18:52:05 https://blog.bitmex.com/bitcoin-cash-abcs-rolling-10-block-checkpoints/ 18:52:14 Diego Salazar Focus follow Mouse, it moved into the matrix window... The "y" was ment for the package manager... just did not want to pollute more the room with edit because we have IRC. 18:52:23 This is a rule that nodes don't re-org if the proposed alt chain is longer than N blocks 18:52:25 Rucknium: there is also this https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4727999 compares cost of attack on eth vs btc 18:52:59 k 18:52:59 I'm sorry Rucknium did anyone comment on my short term proposal? just the stratum determinist mining 18:53:26 *proposal as in mentioned here in the meeting while this agenda short term fix was brought up 18:53:42 I did, but maybe the relationship was not clear. 18:54:01 Here is a consensus mechanism specifically designed to prevent selfish mining, might be worth reading: https://eprint.iacr.org/2016/916 18:54:08 anyways, seems not catching on. ok 18:54:14 We're looking into things, obviously, but I'd like to say something about this whole shebang. PoW and PoS has been debated for years at this point. Yes there's new research, but pretty much all this research is going to come with tradeoffs to the current social contract that many will find unacceptable. 18:54:26 There's very little "new" in any of our debates or research here. 18:54:39 tevador: I have a newer, better proposal later on the agenda that builds on Fruitchains. 18:55:05 At some point, somebody is going to have to take lead on something and code it up for discussion. Someone gotta take charge a bit. 18:55:49 The transition from full PoW, if that is what is decided, is going to be painful, and we will lose people. And where we end on the spectrum from PoW to PoS is honestly kind of irrelevant. 18:55:56 I might prefer dns checkpoints to n-block rolling checkpoints, honestly :/ at least those won't cause a chain split among adopted nodes 18:56:33 Every step along the spectrum has its own trade-offs, with the either end of the spectrum generally requiring the least centralization 18:56:49 things like DNS checkpoints and other stuff more towards the middle require more centralization 18:56:54 Diego Salazar: I don't know what the literature says, so it's still new to me. And the big-picture articles I shared were released in the last few years. Some of those are "top-down" theorem-building. Different from specific protocols. 18:56:56 anyways, that's my thoughts. I'm done. 18:57:15 I just wanted to note that several proposal in #136 were marked as "needing a soft fork". Soft forking requires the majority of the hashrate to start following the new rule, so it can't work against a >50% attacker. It would have to be a hard fork. 18:57:23 We're trying to go over newest literature now, but there's nothing new under the sun. 18:58:30 More on N-block rolling checkpoint? 18:59:11 I wouldn't recommend rolling checkpoints due to chain split concerns. 18:59:18 iirc rolling checkpoints can be gamed (comment in #136) 19:00:32 I think the concern with forcing a netsplit when releasing a N-block alt chain at exactly teh right time could be fixed by deterministic chain tip selection (based on hash) for only that 10-block re-org threshold. Maybe. 19:00:37 **Shorten target block time interval (HF required)** 19:00:37 https://bitcoincashresearch.org/t/lets-talk-about-block-time/471 19:00:39 https://blog.ethereum.org/2015/09/14/on-slow-and-fast-block-times/ 19:00:41 > The conclusion of all this is simple: faster block times are good because they provide more granularity of information. In the BFT [Byzantine Fault Tolerant] security models, this granularity ensures that the system can more quickly converge on the "correct" fork over an incorrect fork, and in an economic security model this means that the system can more quickly give notificati on to users of when an acceptable security margin has been reached. 19:01:29 By the way, I put these two in "medium-term", because they require a hard fork, but not much code-writing. 19:01:31 tevador: they could also be done with a UASF, a hard fork is not necessarily required even assuming we have <50% honest hashrate 19:01:55 the simplicity of "shorten target block time" is impressive. 19:02:12 back to 1 minute block times #thankfulfortodaywasright 19:03:48 and this could be in addition to whatever else ends up getting implemented. 19:04:35 Diego Salazar: agree somewhat. the literature can only get us so far. academics are only mere mortals after all. Rucknium regarding big picture theory building there seem to be not much out there. Building a reading list for this category seems helpful. The only one I came across was this one by Roughgarden (one of the authors of the papers that you mentioned) https://arxiv.org/pd 19:04:37 f/2304.14701 after reading it I am a bit skeptical its helpful. We should really do a critical reading of those and not accept them at face value. 19:04:45 USAF is essentially a hard fork because it can cause a chain split, unlike a mining-majority soft fork. 19:05:06 Agree on critical reading. 19:05:34 I'm ultimately for whatever block time makes sense, I don't really care. I just know this won't address selfish mining on its own 19:05:52 ## Long-term 19:05:53 **Require Blocks be Signed by the Miner's Key (HF required)** 19:05:55 https://github.com/monero-project/research-lab/issues/136 19:05:57 1 minute block time was abandoned for a reason - high orphan rate. 19:05:57 > With a minimum of 1% of the block reward before penalty or fees in a single transaction signed. As an option 10% of the total block reward in multiple transactions could also be allowed 19:06:03 stupid question: how would 1min blocktime that hinder Qubic? 19:06:14 ArticMine is writing a formalization of this 19:06:55 Didn't the high orphan rate happen because Fluffy Blocks weren't implemented yet? 19:07:15 I'm against this one unless I'm missing something major. It seems to do nothing afaict 19:07:42 The orphan rate for 1-minute blocks will probably only get worse under FCMP++ unfortunately because of higher bandwidth and computation requirements for txs 19:08:09 but healthy orphans are fine, right? 19:08:22 it's still wasted hashrate 19:08:34 I'm not convinced that a lower block time helps the state converge when one of the participants is purposefully withholding state information like in a selfish mining scheme 19:08:37 i wonder if it could be coupled with uncle blocks 19:09:06 AFAIK, uncle blocks make selfish mining worse. 19:09:26 😅 oh shit 19:09:52 Check the Selfish Mining Re-examined paper 19:09:56 **Construct RandomX cache by selecting random parts of the blockchain (HF required)** 19:09:57 https://github.com/monero-project/research-lab/issues/98 19:11:04 i commented there, but this essentially cuts out thr majority of gupax users 19:11:22 (gupax defaults to using a remote node fwiw) 19:11:30 Which is probably only like 15mh.. but is also probably 90% of the vocal minority 19:12:28 +1 if drop in HR is no concern. Major re-org of network topology 19:12:57 15 MH is almost nothing, but it would hurt centralized pools and hashrate rental services hard. 19:13:04 Reachable node will probably be hit with a big increase of their inbound connections. 19:13:49 it seems like something we should move towards. hard to see it as a binary switch. maybe there's a transition period where n% of blocks require it ? 19:13:50 The mh is nothing, but its potentially 1000+ users 19:14:29 Centralized pools are also thousands of users. 19:14:42 no way to phaze this in slowly... ? 19:14:46 thousands of p2pool users* 19:15:01 I think this proposal will mostly harm small miners who will no longer be able to mine (in practice) without a node. Yes they're a minority of total network hashrate, but it does substantially deviate from a goal of "anyone can mine". That said, I do see the arguments for, even if I think they are somewhat marginal (large miners still have incentives to use pools, and the costs ar 19:15:01 e constant not scaling with hashrate) 19:15:09 in qubics case, they would just having to spin up a node doing this, some pool software, and then find a way to get the blockchain data to their workers... really fast? 19:15:19 a good chunk of p2pool mini are gupax users 19:15:35 It would be possible to slowly decrease the RandomX epoch from the current 2048 block down to the proposed 64 blocks. 19:15:48 ofrnxmr: Source on that data? 19:15:59 "i made it up" @rucknium 19:16:11 Not sure if anyone else sees this is as a serious threat especially given the current pressing Qubic situation, but fwiw this proposal would obviously decrease total hashrate by a lot, making us more vulnerable to coordinated attackers (institutional, nation-state, etc) 19:16:44 the opposite is likely more true. (almost) all gupax users are on -mini, but not all -mini users are gupax users 19:16:52 might actually put Qubic (AWS) in an advantage 19:17:04 I think this proposal will cause a net decrease in the total hashrate, with most of the drop contained to small miners 19:17:19 Any PoW change will likely decreased the hashrate temporarily. 19:17:25 what would an attacker have to do if we had this protocol 19:17:36 right. This hurts pools and unattended botnets, but not necessarily qubic, who has 700 nodes with 2tb ram. Can probably afford the bandwidth 19:17:51 I think it'll be a net decrease at equilibrium 19:18:37 does anyone know? has there been a paper on this? 19:18:41 So this could, in theory.. lead to qubic (immediately) having a (much) larger % 19:19:11 well it depends if they can get the data from a blockchain quick enough right? 19:19:17 Any pow change at all will knock botnets offline for a while, but not qubic 19:19:33 ofrnxmr: I think that is most likely. I think the average Qubic hash/sec is more likely to run a node than the average honest hash/sec 19:20:20 Probably 80% of the honest hashrate comes from the top 20% largest miners, who can easily afford to run a node and join p2pool. I don't see a reason for a large permanent drop in hashrate. Qubic's distribution is likely very similar. 19:20:22 **Countering Selfish-Mine: Promote orphans to uncles (equal pay) and choose deterministically in stratum) who becomes father (HF required)** 19:20:23 https://libera.monerologs.net/monero-research-lab/20250820#c568556-c568579 19:21:06 I think 80% of "honest" hashrate is botnets, who would drop off 19:21:09 I agree the largest miners will be essentially unaffected 19:21:25 Again, i dont have a source for my thoughts 19:22:27 It would be a big win if 80% of the hashrate migrated to p2pool. 19:22:50 i guess this agenda can be skipped. didn't know uncles make it worse. i checked the paper quickly, not sure that they do make it worse in combination of a join (banded together) mining strategy (stratum) 19:24:03 with an orphan / uncle and re-org: avg payout would be 0.5. 19:24:03 either 0.5 + 0.25 (if branch was chosen) 19:24:05 or 0.25 (if branch was not chosen) 19:24:07 avg: 0.5 19:24:09 the point is, it collapses the 2 branches into one as quickly as possible 19:24:35 *joined 19:24:37 I doubt, that uncle rewards change the way Qubic operates. Switching miners (~5%) does not seem relevant at large. 19:24:39 **Friction (HF required)** 19:24:41 "Amends fork choice rule to give greater weight to blocks produced by miners that have a history of mining" 19:24:43 I think the most realistic outcome is that the largest miners will continue to use pools. It's simpler (and potentially even cost effective) to have the pools deduct the bandwidth costs from payouts for these large miners than the cost for the miners to need their own nodes (storage and local bandwidth costs) 19:24:59 I think gingeropolous know info about this Friction idea 19:25:24 here's the bat bones 19:25:28 100% human generated 19:25:32 https://github.com/Gingeropolous/friction/blob/main/batbones.md 19:26:33 Wouldn't this encourage people to join the largest pool, to ensure the blocks mined there have the greatest "weight" (friction?) 19:26:56 yeah its not anti-pool, its mostly anti selfish mining 19:27:20 sgp_: I'm not convinced that the costs of running a node are higher than the bandwidth costs for mining at a centralized pool + the pool fee. 19:27:23 "the secret"... whats that, again ? 19:27:28 which i view as the main fulcrum of the current attack 19:27:59 but in general, friction doesn't affect honest mining 19:29:18 **Proportional Reward Splitting (HF required)** 19:29:19 Paper claims that Proportional Reward Splitting can defeat a selfish miner that has up to 38% of hashpower 19:29:21 https://arxiv.org/abs/2503.10185 19:30:05 I haven't finished reading this paper, but I like it because it's recent (2025) and actually claims to have computed the Nash equilibrium game theory of the proposed protocol. 19:30:56 Is this the paper that builds on fruitchains? 19:31:20 most likely, it mentions it in the abstract 19:31:37 I think there could be some downside (the paper states that the "optimal" and "practical" parameter values are different), but I haven't gotten there yet. 19:31:40 er maybe not 19:31:41 tevador: yes 19:32:18 It says FruitChains had some problems. This protocol fixes them. 19:33:17 tldr; not wort the efford 19:34:07 Might not be worth the effort of coding and testing. Right. 19:34:36 *h -- it redestributes rewards ok (nice to have) but works for >51% only. Very complex to implement. 19:35:13 But. To compete with this proposal I would prefer novel proposals on selfish mining to try to quantify their benefit. 19:36:07 Works for >51% of miner adoption? This is a consensus change, not opt-in. 19:36:29 of hash power 19:37:18 the paper seems complex and math heavy. the consensus should be as simple as possible so that people can trust it and it stays easy to reason about 19:37:52 would the implementation mirror this complexity? 19:38:12 I don't think I like a weak protocol that is easy to reason about instead of a strong protocol that is difficult to reason about. 19:38:39 Anyway, the selfish mining attack is against the Nakamoto "simple" protocol. 19:38:59 The paper has a lot of jargon that is not necessarily needed. 19:39:06 Because it's formal 19:39:59 may be not so complex to implement, but I dont understand their criticism/weakness of fruitchanes tbh 19:40:54 problem with complexity is, it is harder to judge if its actually stronger or not. 19:41:33 If you have a mathematical proof, that's the reasoning. 19:41:40 We are at the last specified sub-item (open floor discussion can continue after). 19:41:44 **Finality Layer (HF required)** 19:41:45 https://github.com/monero-project/research-lab/issues/135 19:41:47 https://repo.getmonero.org/monero-project/ccs-proposals/-/merge_requests/604 19:42:10 kayabanerve: This is the Trailing Finality Layer discussion. 19:43:49 is this like if the N-block rolling consensus was conscious? had human input? 19:43:52 a long term efford, tbs 19:44:23 not sure about these fruits, and what they abstract. but they do have the concept of uncle-fruits, claiming nash equilibrium because of the reward allocation. so my 2 cents, the existence of uncle blocks alone does not necessarily mean they benefit selfish mine 19:45:33 yep, iiuc 19:46:21 also envisioned as a separate binary/p2p net (?) 19:46:36 I am lukewarm (pun not intended) toward this TFL CCS proposal because I think it's a few weeks premature and kayabaNerve obviously has a high opportunity cost of his time. 19:47:25 I say premature because the whole space of countermeasures and alternative proposals has barely had its surface scratched. The high opportunity cost is reflected in the budget of the proposal. 19:48:23 It introduces PoS, which might be opposed by some people as being against the ethos of Monero. 19:49:15 TFL question, would a finality layer completely override the longest/heaviest chain rule from the underlying PoW? Because, to me, once finality is required (eg, by exchanges) miners will always jump ship and mine on any branch endorsed by that layer. 19:49:44 I'm not against it. I think more research is good. Just lukewarm on it. 19:50:48 i think we should at least reach consensus on which questions we want answered 19:51:55 IMO, a good way forward would be: (1) Test the DNS checkpointing as an emergency short-term measure. (2) Research a consensus protocol that works with PoW (assuming >50% of honest hashrate) and fixes selfish mining. 19:52:29 im not a fan of how it seems to be PoS-like 19:52:45 yes, we should subdevide the topic. BFT has many many options 19:53:44 yeah i think we have 2 issues. 1. selfish mining 2. mining centralization. 19:54:18 ... and I like recursive elements (including friction :) 19:56:04 ... like malicious collective detection, in Gasper -- but thats too far away. 19:57:08 dns checkpointing as a long term solution seems more centralizing than pos 19:58:11 I don't think anyone is proposing DNS checkpointing as a long term solution. 19:58:20 there could be a benefit to have nodes with a bond that could be slashed beyond consensus 19:58:45 we could discuss this outside of the pow-pos paradigm and think about it pragmatically 19:59:41 brought this up earlier at agenda point 5: it could help increase the cost for malicious nodes spinning up tor hidden services 19:59:59 blocking based on ips is a form of centralization as well 20:01:00 anyway its 4am here i am running out of steam: wrote down a comment on this earlier: https://github.com/monero-project/meta/issues/1256#issuecomment-3207233765 20:01:24 maybe we could have a work group instead a book ?? 20:02:14 i also like what jberman said about no fees + rewards. Its similar to what I said earlier that pow can be seen as pos with negative staking rewards if people are willing to defend the network by mining at a loss 20:02:27 Feel free to discuss any idea now, including those not on the specified list. 20:03:06 the few papers I looked at were junk, lots of half attempts to fix selfishin mining 20:03:45 Thanks for wading through the junk. Can you share a few so we know to avoid them? 20:03:50 flip flop: good idea, only question is how do we make sure it stays structured? can we agree on the core questions that should be answered? 20:04:56 google ai recommended this: https://link.springer.com/article/10.1007/s10207-024-00857-5 20:05:02 but I didnt like it. so much for ai 20:05:27 I spent way too much time looking at it, their algorithm wasn’t quite clear imo which threw everything off 20:05:33 1. DIff. BFT <> Pos 2. Design choices based on historical imlementations 20:05:54 they also assumed that the selfishing miner would have an older timestamp which is rubbish because you would just set to the max allowed by protocol 20:06:31 its possible that I missed something, but I wasn’t getting it. not sure if I can share it because its all begin paywall 20:06:42 I skimmed the abstract on this one I think. I remember thinking that the tone was informal. Maybe that's an arrogant thought, but it stopped me from going further. 20:06:45 *behind 20:07:43 well their own algorithm has 20:07:43 NumOfBrBlocks <- 0 20:07:45 if (NumOfNrBlocks = 1) then 20:08:04 Rucknium: more formal == better at hiding the skeletons in the closet 💀 20:08:05 This is especially true since we have a block difficulty calculation lag, so setting the timestamp ahead doesn't make our mining harder. If they set it too far in the future (>2 hours in Monero) then it will be rejected, but they can wait a certain amount of time depending on how far ahead they are of the honest chain 20:08:07 "It’s very unfair for honest miners, and it’s a big problem that needs to be stopped." from the abstract... yeah quite informal to put it nicely 😅 20:08:09 like what? I think they meant to say NumOfBrBlocks published at once or something but even with that assumption I dont think it worked 20:09:22 sorry there was typo in that algorithm, they indeed set a value to 0 and then do an if on that value with stating what it really should be 20:09:46 spirobel: I don't disagree with you on that. You need a closet detective for that. 20:09:55 I wish I could copy+paste a portion from this pdf but I cant sorry (wont let me copy for whatever reason) 20:10:23 anyway, hopefully I didn’t misread it and it was a good paper in the end. May go over it again since I paid for it and all. Never trust AI lol 20:10:30 Oops, sorry, falsely setting the timestamp in the future would make the mining *easier* with real-time targeting, but the point still stands: faking timestamps is still possible and doesn't hurt a selfish miner if done correctly. 20:12:21 yes, an excerpt from the paper: 20:12:21 "If miners broadcasted more than one block in the same time interval, one block should be selected as the valid block. Selfish miners keep their blocks secret for some period of time. Therefore, selfish miner’s block’s timestamp is old.” 20:12:50 like what? how can you assume that? not all papers are the same 20:13:00 We can end the meeting here. Feel free to continue discussing, as I know you will. Thanks everyone. 20:13:09 thanks 20:13:18 bye 20:13:35 bye 20:13:38 thank you 20:14:55 vtnerd: i heard about this new ai project called aigarth that mines ai on cpus maybe it can solve that 😆 20:15:12 the marketing material says something about growing the ai in a garden 20:17:01 the other interesting thing about all of this is that not all tokens in the available supply were generated for ai computation - some were used to selfish mine xmr, etc. 20:17:10 just interesting from an optics standpoint 20:17:28 this is assuming the ai computation is genuine also 20:18:04 as genuine as an ai garden could be 20:18:19 if only jensen new. he could have invested in cpus instead of gpus 20:19:04 if only jensen knew. he could have invested in cpus instead of gpus 21:37:59 Apologies for missing the MRL meeting. I've been working on migrating monero-serai to monero-oxide and upstreaming the FCMP++ libraries (which had included >13,000 lines forked from Serai's cryptography, but doesn't anymore). 21:38:36 Rucknium: Heard you're lukewarm as we haven't scratched the surface on proposals. My CCS would scratch the surface on a finality layer :p 21:59:51 (I understand and respect Rucknium's point) 23:23:50 Not sure if it was mentioned, but here's the implementation of Eth Classic Modified Exponential Subjective Scoring (MESS). Basically depth penalty based on the time differential between the last common ancestor, and the new (reorg'd) head. 23:23:51 https://ecips.ethereumclassic.org/ECIPs/ecip-1100