04:43:19 I have uploaded the updated transaction weight files Discussion and links are here: https://github.com/seraphis-migration/monero/issues/44 15:32:17 MRL meeting in this room in 1.5 hours. 16:40:49 @rucknium:monero.social: for the Helios-Selene topic, there's no need for discussion time on that during the meeting, though more discussion does need to happen there in general. I'll just post an update during the meeting and then you can continue with the other topics. Thanks! 16:43:51 https://gist.github.com/tevador/4524c2092178df08996487d4e272b096?permalink_comment_id=5772654#gistcomment-5772654 17:00:34 Meeting time! https://github.com/monero-project/meta/issues/1272 17:00:38 1. Greetings 17:00:48 Hi 17:00:56 Hello 17:00:59 Howdy 17:01:04 hullo 17:01:10 Hello 17:01:29 Here for moral support, have a great meeting! 17:01:40 Hi via IRC 17:02:04 waves 17:02:25 Hi 17:02:54 2. Updates. What is everyone working on? 17:04:11 me: completed PR refactoring wallet2 refresh for FCMP++, opened draft PR to persist dest addrs when updating wallet from pre-FCMP++ to FCMP++, opened draft PR for documentation on the FCMP++ integration, some small cleanup PR's, reviewed some of jeffro's PR's 17:04:14 hi: me: working on carrot/fcmp stuff mostly (and some bug fixes). Spent some time diving into curve-trees to figure out how lws was going to handle. likely going to “punt” and giveaway privacy details to monerod (at least for first cut) 17:04:38 the problem is potential memory usage in tree_cache and otherwise having to duplicate the db from monerod into lws 17:04:41 me: Analysis of respend behavior of outputs in invalidated txs after 18-block reorg: https://github.com/monero-project/monero/pull/10085#issuecomment-3313627068 . Rolling DNS checkpoints "formal" protocol as flowcharts (click arrows at bottom to see more flowcharts): https://cryptpad.disroot.org/diagram/#/2/diagram/view/yI43W1 [... too long, see https://mrelay.p2pool.observer/e/iYW6sbgKXzB4VEdJ ] 17:04:49 Me: Responding to the Veridise audit of Helios/Selene and working on a selfish mining mitigation proposal (work in progress). 17:05:00 Me: Wrote a Rust library for CARROT (https://github.com/jeffro256/carrot-rs) and finished reviewing https://github.com/seraphis-migration/monero/pull/81. Personally excited for alpha stressnet 17:05:04 supporting DNS checkpoints testing as needed, looking at ZMQ behavior during reorgs for p2pool mining specifically 17:06:15 Completed a new weight formula for transactions to address the issues with transaction weights and the penalty 17:06:24 DataHoarderdid you spot any other issues than the one in the pr? 17:07:22 believe it or not the PR one was not related, we found it by chance by testing subaddress payouts on P2Pool. 17:07:22 I have noticed that when switching to a shorter altchain (checkpointed one) ZMQ updates are not sent properly to P2Pool, or P2Pool ignores them 17:08:29 I cannot confirm yet if other block/chain ZMQ messages are sent when switching to a shorter chain, noticed it when mining with p2pool on testnet and the network reorg'd against my longer chain (monero switched chain, but p2pool was left behind, and I saw no logs of ZMQ message being received for miner data) 17:08:36 hmm this could theoretical happen if the zmq buffer was full, but that is unlikely 17:08:43 @jeffro256:monero.social: Would you have time to review a draft of the tx invalidation blog post, just to check correctness? Probably have the draft ready for review in 6-24 hours. 17:09:15 it's not a blocker (p2pool could workaround this) but I'll post in lounge about it if I can confirm the issue again with more logging in place 17:09:17 Yes! Send me a DM whenever 17:09:36 I mean correctness as "does Rucknium understand this technical point correctly?" 17:09:42 @jeffro256:monero.social: Thanks! 17:10:23 3. Carrot follow-up audit (https://gist.github.com/jeffro256/12f4fcc001058dd1f3fd7e81d6476deb). 17:11:41 I'm sorry for the delay, I brought up some input pretty late into the discussion; we're going back over some finer points of their report 17:11:47 Not much else to report 17:12:41 4. Proof-of-Work-Enabled Relay ("PoWER") (https://github.com/monero-project/research-lab/issues/133). 17:13:37 I updated the proposal to account for the latest discussion: 1) Equi-X (instead of RandomX), and 2) PoW once per connection, rather than per tx 17:14:11 FYI, Equi-X is about to be upgraded to v2 due to some issues with v1. 17:14:33 It's being coordinated with Tor. 17:14:59 (I received a dm for someone interested in taking on PoWER so I wanted to have the proposal reflect the latest state) 17:15:16 are the issues public? 17:15:27 Not public yet. 17:15:41 got it, thank you 17:16:03 By "taking on PoWER" do you mean someone who wanted to implement it (write the code)? 17:16:09 yes 17:18:46 I would think an Equi-X v2 would be a drop-in replacement for v1, and the vast majority of code implemented on the Monero side would be unchanged 17:18:58 Will we have to write a C++ implementation of Equi-X ourselves? 17:19:59 I assume it would be used as an external submodule same way RandomX is used today 17:20:08 I mean the core algorithm. Guess somebody wrote that already 17:20:26 Yes, EquiX v2 will have the same interface as v1. 17:20:49 tevador wrote it in C: https://github.com/tevador/equix 17:21:19 Ah yes, thanks. 17:21:20 @jeffro256:monero.social: you raised some pushback against PoW per connection, in case you want to re-raise that point 17:22:36 I will also raise pushback on this 17:23:07 what is your argument? 17:23:40 Yes, I think that A) PoW per connection is much more complicated, adding a lot of unnecessary technical debt to our connection code, and B) that PoW should be reusable per-tx 17:23:52 User POW can be very harmful in hot climates, mobile devices etc 17:24:40 so generate pow once, then it can be re-broadcast with same pow? > B) that PoW should be reusable per-tx 17:24:48 It is a myth that POW heat is irrelevant 17:24:49 It should be reusable per tx to enable transaction propagation to be faster with new node connections 17:25:05 DataHoarder: Yes 17:25:26 @jeffro256: I don't see the argument that this slows propagation 17:25:36 Still it can be a barrier 17:25:51 you don't make new connections on tx broadcasts you use existing connections 17:26:12 if anything needing to verify PoW on every hop would slow propagation 17:26:30 To minimize technical debt, it could be expected on first tx w/>8-inputs, and then the connection is verified for future txs. Would be a simple boolean per connection to keep track of 17:26:37 @boog900: For new connections. If PoW is reusable per-TX, then a node can flood the network with that TX instantly, whereas if PoW is done per-connection, then a node is "locked in" to its existing connections for TX propagation 17:27:14 Also PoW per-connection opens the door to DoS against honest broadcasters 17:27:38 @jeffro256: locked in in the sense that they need to do PoW to open more connections .... they still have their current connections tho 17:28:00 new connections aren't broadcasted to anyway 17:28:02 Yes 17:28:10 we only broadcast to current connections 17:28:36 I mean can the spam farm not be set up in some cold part of Canada or Russia? 17:28:46 If it's per tx, you have to deal with txs sitting in the pool longer than 10 blocks, which is arguably a significant area of technical debt that is likely more significant than a per-connection PoW 17:28:48 @boog900: New connections ask for mempool contents, which would also ostensibly be PoW enabled 17:28:58 I also don't really see the technical debt argument they are both added complexity 17:29:26 @jeffro256: only when finished syncing IIRC 17:29:59 You still have the 10 block problem with PoW-per-connection though? How is it avoided? 17:30:24 @boog900: Which is most nodes 17:30:25 @jeffro256: you don't need a timeout on the PoW? 17:30:52 @jeffro256: no I mean it only happens once a node syncs up not after 17:31:13 like a synced node doesn't just a node which has finished syncing 17:33:07 "User POW can be very harmful in hot climates, mobile devices etc" -> honest devices constructing the tx in the first place is expected to be more CPU/work intensive than the PoW calculation. the PoW calculation is to raise the cost for malicious users who craft invalid txs at no cost 17:33:23 @boog900: You do still need a "timeout" or at least bind the PoW to some provably recent random data or a "challenge", so an attacker can't build up PoW for connections 17:33:47 @jeffro256: yes but it is per connection .. you don't need to repeat it 17:34:05 with per tx after 10 blocks you can no longer send the tx to anyone 17:34:14 without doing the PoW yourself 17:34:20 ^ 17:34:59 Why would the PoW timeout for per-TX necessarily be 10 blocks? 17:35:21 That's how I had it in the original proposal 17:35:40 If it's a lot longer, then the attacker can collect PoW hashes for a longer period of time 17:35:54 @jeffro256: because you can compute loads in reserve and flood all at once 17:36:04 > <@jberman> "User POW can be very harmful in hot climates, mobile devices etc" -> honest devices constructing the tx in the first place is expected to be more CPU/work intensive than the PoW calculation. the PoW calculation is to raise the cost for malicious users who craft invalid txs at no cost 17:36:04 So the malicious user sets up the spam farm in some cold part of Canada. The malicious use uses the attack POW heat for space heating. There is no cost 17:36:29 @articmine: the cost is time 17:36:32 that's definitely added cost over 0 17:36:47 -40 = zero spam cost 17:37:00 they can't just send bytes they have to find a PoW solution to send it 17:37:07 better than no cost 17:37:57 -49 C or F 17:38:15 articmine: Not zero cost. They could be mining Monero instead of spamming. Opportunity cost. 17:38:25 At least, there is an opportunity cost of not mining Monero blocks. 17:39:00 https://github.com/monero-project/monero/blob/8d4c625713e3419573dfcc7119c8848f47cabbaa/src/cryptonote_protocol/cryptonote_protocol_handler.inl#L2442 17:39:05 It is not the same because the amount is so sma 17:39:09 Snall 17:39:13 @jeffro256:monero.social: do you see the argument in favor of per connection PoW? if not, I think we should table the discussion, and at least come to agreement that it makes sense for wallet API to allow specifying a max input so the other dev can start on this task? 17:39:22 @boog900: only once per run of monerod it seems 17:41:30 @jberman: I see the argument, I don't know if I'm entirely convinced, but yeah I can definitely start on that wallet API point 17:42:30 I think that may be a good task to pass over to the other dev, but your call, we can discuss later 17:43:06 Perhaps you can let the aforementioned dev working on per-connection first, and both if he/she has the time, and then we can compare what the actualized complexity is 17:43:28 that sgtm 17:43:51 Slightly related note: Have we considered having a special connection type for block relay only? Those would not need any PoW. Bitcoin has it. Low-end devices could then still connect to the network. 17:44:56 IIRC, by default bitcoin has 8 outbound connections for block + tx relay and 1-2 additional connections for block-only relay. 17:45:04 Now that is an interesting idea 17:45:26 The PoW per connection could be an optional thing done per connection, and if done, enables sending txs with >8 inputs over the connection 17:45:39 via tx relay 17:46:34 @jberman: This is how I imagined it, but there's still the issue of mempool fetching. Does that force the responder to upgrade the connection by doing PoW? 17:46:38 It is certainly better if it is done by the node 17:47:05 @jeffro256: seen as thats a response, no IMO 17:47:26 you can't exactly spam txs with that 17:47:47 But then that allows the responder to dump a load of invalid high-input txs to the requester 17:48:01 Ostensibly, the requester would try validating at least 1 17:48:30 @jeffro256: the node ignores the rest if any 1 is invalid 17:48:40 shouldn't be a DoS 17:50:08 Assuming you can't trigger a node to make that request with high frequency 17:50:40 @jeffro256: current code wont, we just need to keep it in mind for future changes 17:52:00 5. Transaction volume scaling parameters after FCMP hard fork (https://github.com/ArticMine/Monero-Documents/blob/master/MoneroScaling2025-07.pdf). Revisit FCMP++ transaction weight funcion (https://github.com/seraphis-migration/monero/issues/44). 17:52:41 I will limit discussion of this item to 30 minutes maximum, unless there is an objection. 17:54:21 The major change is the overall weight applied to the transaction to mitigate the impact of the penalty. 17:54:21 The reasonable weights based number of inputs work very well 17:55:15 So we can easily have fees that are close to proportional to number of inputs or verification time 17:55:43 It is a major change in how WWE charge fees 17:56:23 So now the fee depends on the square of the weight 17:57:07 The next step is t get the size and verification times for all the peoofs 17:57:20 Any qt? 17:57:29 Questions? 17:58:41 I have the data for the membership proof weight formula already 17:59:20 So the proposed weights for this proof are in the latest proposal 17:59:57 Sorry, but at the moment, I NACK making the fee a non-linear function of the weight. That has the same effect as making the weight a function of the square of the number of inputs, which we previously agreed that the weight of the tx should be a linear function of the number of inputs 17:59:58 I included the SAL proofs as well in the latest update to that comment 18:00:50 The penalty is non linear 18:01:12 The end fee is linear with the number of inputs 18:02:16 Agreed on the penalty being non-linear. But the penalty isn't quadratic in the weight of 1 transaction, it is quadratic in the total size of all transactions in a block 18:03:03 The base fee-per-vbyte should be calculated as a square of the backlog IMO, not as a square of the 1 tx weight 18:03:08 That way scaling works it is quadratic on each transaction. That is the point 18:03:52 It amounts to the same thing 18:04:56 It doesn't amount to the same thing, especially when the penalty free zone isn't saturated. A 2-in tx should not cost 4x as a 1-in tx when the marginal penalty difference for both is 0. 18:04:58 The penalty for adding a transaction is quadratic with the TX weight 18:05:39 It doesn't cost 4x. It is linear 18:06:11 Because the weight goes as the square root 18:06:33 The latter is the point 18:06:40 The penalty is not quadratic in the single TX weight, its quadratic in the total TX weights for that block, which results in different calculations for individual txs based on on-chain activity 18:07:09 You mentioned that fee is a function of the square of the weight in your latest proposal, yes? 18:07:28 Iit is a simple formula for the additional penalty 18:07:47 Oh so you're proposing weight be a function of the square root of the number of inputs? 18:07:55 Correct 18:08:06 That is the point 18:08:17 Why that change? 18:08:59 Versus keeping both linear 18:09:02 So that after the quadratic penalty is applied you get linear with the number of inputs 18:09:52 You mean changing the penalty to linear 18:10:08 I looked at that 18:11:10 This works better because it incentivizes effective block construction by the miner 18:12:22 The penalty has never been linear 18:12:33 I meant weight function and fee function by "both", not changing the penalty function 18:12:54 It doesn't work 18:13:49 The quadratic penalty is in-between the weight function and the fee function 18:16:00 So apply square root weight, then quadratic penalty , then quadratic fee 18:16:12 Okay I think I see the fundamental disagreement. You believe that the marginal loss of block emission due to the penalty is a quadratic function of each transaction weight. I believe that the marginal loss of block emission due to the penalty is a quadratic function of the total transaction weights in a block. Is this a correct assessment? 18:16:55 Yes 18:17:21 It is the difference in penalty 18:17:29 That matters 18:18:18 Apply the penalty right at the start of scaling 18:18:19 What would it take to convince you that the marginal loss of block emission due to the penalty is a quadratic function of the total transaction weights in a block, and that the base fee-per-vbyte should be a quadratic function of that value, instead of being quadratic in the weight of one transaction? 18:18:43 @articmine: I disagree, this doesn't make sense for 99% of cases 18:18:56 It only works in the worst case 18:19:41 You have to look at the game theory of the interaction between miners and users 18:20:24 Assume enlightened best interest 18:21:36 So yes the worst case controls 18:23:35 So people should be paying fees 100% of the time as if they were pushing up the dynamic block size ? 18:24:02 Correct 18:24:23 This is a bad idea IMO. That means that there's no downwards price incentive for keeping the block small 18:24:30 The lowest fee pays the marginal penalty 18:24:42 People should be rewarded for not increasing the block size 18:25:37 @jeffro256: You mean rewarded for not using Monero? 18:27:19 For not making spam, yes. There is still a driving incentive for people to use Monero, which is its monetary and transactional utility over other currencies. But there needs to also be an incentive to not make unnecessary transactions 18:27:42 rucknium: It has been 30 minutes. 18:28:12 6. FCMP alpha stressnet planning (https://github.com/seraphis-migration/monero/issues/53#issuecomment-3053493262). 18:29:27 The blocker PR 81 has been accepted (thank you jeffro!), ofrn is now doing final testing with the latest state of that PR 18:30:11 Once I get a green light from ofrn, I'll make the PR setting alpha stressnet dates 18:30:34 (by setting hf blocks on testnet) 18:31:42 Thinking I'll write up a shareable post in that PR description, and we can share that post in the stressnet room, and reddit? 18:31:48 once the PR is accepted 18:32:35 And as per prior discussion, will target 7 days from the time of acceptance 18:32:47 That should do IMHO 18:33:47 Note: I think as of today, the default decision will be to release my tx spamming code as open source. That lowers the barrier a little for a malicious actor to spam mainnet, but all my CCS work is supposed to be published open source. If that default choice should change, it could be discussed. 18:34:56 7. Mining pool centralization: Temporary rolling DNS checkpoints (https://github.com/monero-project/monero/issues/10064), Publish or Perish (https://github.com/monero-project/research-lab/issues/144), and Lucky transactions (https://github.com/monero-project/research-lab/issues/145). 18:35:49 There is a bug that can occur in rare cases that will get a node stuck if it is enforcing DNS checkpoints. AFAIK, @0xfffc:monero.social and @ofrnxmr:monero.social are investigating it. 18:36:28 binaryFate has activated the checkpointer of testnet for the seven moneropulse domains: testpoints.moneropulse.xxx 18:36:54 @0xfffc:monero.social is trying to fix the logic that caused reorged checkpointed nodes to get stuck. Will test one more time with the moneropulse domains, and if i break that checkpointer again, we'll switch back to ruckniums domains to speed up the testing 18:37:25 s/one more time/until it breaks again/ 18:38:12 I tested DNS resolver latency (important for agreement between the 7 records of the 7 domains). My preliminary results say that there is good performance when one of several specified DNS resolvers are used. There are mixed results when a machine's own default DNS resolver is used. It is easy to change resolvers for monerod with a terminal environmental variable. 18:39:33 Do we have info about mining pools' willingness to turn on checkpoints? At least anything that can be shared publicly? 18:40:38 I created a set of flow charts that provides a "formal" specification of the rolling DNS checkpoint protocol: https://cryptpad.disroot.org/diagram/#/2/diagram/view/yI43W1RWom0yoODUJzvAB5vAc9X9ujFVAsxGAxgMMyE/embed/ 18:41:04 Click the arrows that appear at the bottom of the pages to go to the next page. 18:42:02 Once everything is finalized, there will be this flowchart and a narrative. And I hope some FAQs, too. The protocol helps users understand the proposal and how exactly it works. 18:42:36 Anything more on temporary rolling DNS checkpoints, specifically? 18:43:59 I already enabled dns checkpoints on my node, even though not active yet. Just to note, I got 18:43:59 [RPC0] ERROR cn src/cryptonote_core/cryptonote_core.cpp:1262 Transaction not found in pool 18:43:59 quite regularly afterwards.. I don't think this was the case before 18:44:15 Thats unrelated 18:44:21 hm ok 18:44:32 On the next topic, I'm working on an upgrade to Publish or Perish called "Share or Perish" with workshares. There are still minor issues to be solved before I can publish it. 18:44:57 @venture:monero.social: AFAIK, that's unrelated to DNS checkpoints and would usually happen when Qubic is withholding txs. DataHoarder could confirm maybe 18:45:23 that is normal venture. do you have p2pool? 18:45:37 Thank you, tevador. 18:45:39 that means you are trying to submit_block with unknown txs to your node 18:45:56 it's fine, it happens in normal conditions 18:46:18 tevador: Nice :) 18:46:18 I have published some simulation results regarding PoP here 18:46:18 https://github.com/venture-life/mining-simulator/blob/main/out/simulation-results.md#publish-or-perish-with-k3-and-d50 18:46:37 DataHoarder: ah alright, thanks 18:48:11 @venture: turns out: deterministic selection doesn't change things. 18:48:11 otherwise, quite good results I think. With 40% hashrate and close to 1 gamma, without mitigation, the revenue is around 57%. with PoP it drops to 47 18:48:30 @kayabanerve:matrix.org: I think finality layer is fine to discuss during this agenda item, too. I should add it to the links for this item in future agendas. 18:49:11 Thank you. I have nothing to discuss there immediately and am here awaiting FCMP++ topics. 18:49:12 @venture:monero.social: How do those results compare to the results i the original PoP paper? Can they be compared? 18:50:05 I think they roughly match. will double check 18:50:05 AFAIK it should be around 65% with no defenses and α=0.4 18:50:26 @kayabanerve:matrix.org: This is the last agenda item besides "any other business", which could include more FCMP++, of course. 18:50:51 Oh, sorry. I thought @sgp:magicgrants.org: had one added. My mistake. 18:51:15 We can discuss that also. Maybe after the meeting? 18:51:21 Sorry for getting my wires crossed. 18:51:24 yes, 66 is theoretical limit. but then people assume attacker has almost 0 propagation delay and a huge number of honest miners.. 18:51:34 @sgp_: It was added and then deleted ^ 18:52:14 oh, sorry I meant for it to be an agenda item for the update 18:52:18 I just saw, yep 18:54:02 DataHoarder: Could you discuss your empirical findings about Qubic's selfish mining profitability? 18:54:25 I should have just said "it will be a agenda item, with more to discuss later" 18:54:40 I had to drop off, I can come with that later rucknium 18:54:58 Thanks, DataHoarder 18:56:42 venture: so PoP doesn't do much for a low-gamma attacker? Qubic seems to be a low-gamma attacker. However, PoP doesn't stop 10+ deep reorgs. That's what my next proposal is intended for. 18:56:43 May I proceed with the FCMP++ curves stuff if there's no other business? Sorry I didn't mean to remove it fully 18:57:14 ^ Yes, we can continue with this item. 18:57:49 tevador: Good. In the case of Qubic's behavior, I don't think just reducing the selfish mining economic incentive would deter Qubic or similar actor. Need something with more teeth. 18:58:26 I think so yes. Really low-gamma attacker might even benefit from the propagation window to some extend. but it also caps high gamma profitability 18:58:31 It seems that Qubic is selfish mining for its propaganda value more than direct economic mining reward profits. 18:59:41 Preliminary results from my sim show that, a silent stubborn attacker can reorg 20 blocks with regularity. Under various selfish strategies and network loads, they dont appear any more profitable than an honest miner, until that 33% threshold (which is in line with a low gamma attacker). 19:01:38 Can somebody throw in a one-line quick definition of "low gamma"? Thanks! 19:01:55 @bawdyanarchist:matrix.org: Have you seen my theoretical/analytical analysis here? https://github.com/monero-project/research-lab/issues/102#issuecomment-2402750881 My "Table: Duration of meta attack to achieve attack success probability of 50 percent" supports your findings. 19:02:52 @rucknium:monero.social: Yes, but I havent compared my sim results to the theoretical values yet. 19:03:21 rbrunner: The percent of honest hashpower that ends up mining on the attacker's branch, instead of the honest extension 19:03:48 Typically driven by ping, or in some cases, eclipsing attacks. 19:04:08 gamma is used in literature as an artifial metric between 0 and 1 how likely it is an honest miner will mine on the selfish-head given two branches of equal work... it's a metric for "connectivity" of the attacker 19:04:23 Sounds good. My attacker follows a specific z stopping rule strategy that may differ from your attacker's strategy. But the general conclusion is the same: a large-minority attacker can achieve deep reorgs if it tries again and again. 19:05:45 Their reorg lengths are significantly affected by their willingness to be "stubborn". Basically to tolerate the honest branch fully catching up, and then claiming the win after exiting the 0' state. 19:05:57 I think I had some simulation code to double-check my formula results, but I didn't post it. I will try to look for it. 19:07:16 So no rented hash rate to jump over 51% for an hour or two not strictly needed for large reorgs? 19:07:42 No, just luck. 19:07:55 rbrunner: Not necessary. But it is possible that Qubic is doing that, too. 19:08:33 I'm adding summary metrics at the end of each round, and then adding sweeps to the input parameters, so I should be able to search a pretty wide range of input conditions, and summarize those findings. 19:09:05 I computed the probability that Qubic acheived their 20-block reorg with 40% hashpower share (assuming difficulty = 100% hashpower share) and got 5% probability. 19:09:26 I mean, it was amn 18-block reorg but they produced 20 blocks in that period 19:09:35 an 18-block* 19:10:12 That was 5% for a single attempt. And they have been attempting a lot. 19:10:31 So, keep rolling the probability dice and you will succeed the the mining casino eventually. 19:11:46 Probability computation was based on 66 minutes elapsing during the attack, according to block timestamps. And this R line: malicious.hashpower <- 0.4; pgamma(66, shape = 20, rate = 1/2 * malicious.hashpower) 19:11:58 I'm pretty use that's the correct formula for this situation. 19:12:09 pretty sure* 19:12:37 Erlang distribution is a special case of the Gamma distribution. 19:13:12 That looks surprisingly close to what I'm seeing in the sim. A ~20 block reorg could be possible about once per day (at ~33% selfish HP) 19:13:32 Timing info based on https://github.com/WeebDataHoarder/Monero-Timeline-Sep14 19:16:37 @bawdyanarchist:matrix.org: Using the formula with 33% hashpower, I get a 20-block reorg with 50% every 1.53 days 😄 19:17:07 Anyway, to the discussion about Helios-Selene parameter rigidity? 19:17:26 I mean "with 50% probability every 1.53 days." 19:18:17 I think my table scared kayabaNerve when I produced it last year. Maybe started him thinking about finality layers 19:18:53 Thanks Rucknium. Yes, I have an update on Helios-Selene 19:19:34 First, thanks to the community here for supporting the review of the curve selection, and of course a huge thanks to tevador for proposing the initial parameters and reviewing the latest discussions 19:20:10 We can discuss it over email or here. Veridise noted our elliptic curves had am error in the selection script causing us to have to selected the third candidate, not the first, by accident. tevador corrected their script and issued a new gist above. 19:20:33 One note is Veridise was also unhappy with our lack of twist security, despite the several reasons it's irrelevant, for the theoretical attack surface _and_ for the lack of reason _not_ to have a secure twist (as a later choice is functionally equivalent, with sufficiently-secure twist). 19:20:35 I'd lean towards adding the requirement of a secure twist primarily to appease reviewers (as we already have to change the curve's definition) and secondarily out of an abundance of caution. 19:20:46 ref: https://gist.github.com/tevador/4524c2092178df08996487d4e272b096?permalink_comment_id=5772654#gistcomment-5772654 19:22:14 So in summary, the old proposed curves are out, and a new one will need to replace it. So a discussion needs to happen in the near future which ones should be picked. And there are arguably 3 options, depending on how much we care about twist security 19:22:21 As I said in the email, adding twist security would only be for show. It would have exactly zero practical impact on the implementation or the security of FCMP. 19:23:11 The original search conditions call for D = -1571315, which is what my gist is currenly using. 19:23:14 I largely agree BUT it the importance of show here is that we have a clearcut review, if we disagree with the reviewers on importance. 19:24:05 Even if we think this is unnecessary, it satisfies the review process _which is of its own merit_, and I see no reason _not_ to pick the identified option which is functionally equivalent albeit with a secure twist. 19:24:35 Downside of searching for parameters with twist security? Will this affect stressnet performance in any meaningful way? 19:24:49 It does update our criteria, but we're already updating the chosen curve. 19:25:22 Downside: we'll probably need a new search script implementation. My sage script is too slow to reach the D values that provide twist security. 19:25:25 The only downside is that: 19:25:25 - We're adding a meaningless criteria due to peer pressure (pessimist view) 19:25:25 - We're changing our search criteria, but we're already changing the chosen result anyways 19:25:49 None of this is of meaningful consequence to the implementation nor of any consequence to the performance 19:26:13 tevador: They're only 5x bigger IIRC 19:26:31 We can just run it 5x as long /s but not /s 19:26:37 One marginal benefit may be that others may have desire to use the curves for some other reason, and twist security may be relevant for them, which may lead to greater adoption / higher scrutiny on the libs 19:26:53 About 20x bigger. 19:27:05 One moment 19:27:19 Than the correct one. 19:27:33 -1.5M vs -30M 19:28:01 We prior chose 19:28:01 7857907 19:28:01 We're now discussing 19:28:01 31750123 19:28:15 That's 4x bigger that the prior choice. 19:28:16 or 92M was the other option. 19:28:37 The fact the new selection is 5x faster to find shouldn't be considered relevant at this the IMO. 19:29:26 Clarifying: finding curves only matters to reproduce our academia and justify our decision. 19:30:30 I think my original search ran for 1-2 days btw. 19:30:52 With 8 or 16 cores? Not sure. 19:31:09 Veridise seem to have a faster implementation. 19:31:17 So it'll take a week in the future. That's unfortunate but acceptable. 19:31:19 Nothing else from me on this, other than to say if this interests you, please let me know. I'll keep talking with these two after the meeting 19:31:58 Can this be run on the Monero Research Computing Cluster? 19:32:14 Or just a single machine on that cluster? 19:32:14 Also adding "useless" search conditions can be seen as weakening the rigidity. 19:33:31 It would also be possible to remove the Crandall condition (which AFAIK we are not using anyways), then the result would be D = -15203. 19:33:50 I will end the meeting here. Feel free to continue discussing. Thanks everyone. 19:34:03 Thanks rucknium 19:36:43 No, current reductive algorithms take advantage of how 2**256 is congruent to a 128-bit value. 19:37:15 I agree adding arbitrary conditions weakens rigidity. I don't believe this is reasonable to declare so arbitrary. 19:39:31 OK. So I think we can narrow it down to -1571315 or -31750123. 19:41:38 Agreed 20:05:30 @jeffro256: ... and how do you propose to tell ham and spam apart? 20:16:21 The answer is you can't. 20:17:27 What has worked is the current fees. 20:20:08 The same way we've done it before: with fee pricing. We assume that spam is not "worth it" after a certain monetary amount, even though we can't actually discern spam. Generally, I think that we should penalize miners who expand the blocks past the current average weight. The miners will pass those costs onto the transaction c [... too long, see https://mrelay.p2pool.observer/e/xueFt7gKLUZkOHhE ] 20:20:27 Which is why I am not going to support a penalty free zone below 100x the reference transaction size. This is the current situation and it just works. 20:36:16 Increasing the minimum penalty free zone is sort of orthogonal here, is it not? The actual limit doesn't really affect the argument AFAICT; we should either be pricing transactions as a quadratic function of their weight, or as a quadratic function of the total expected txs weights in a block. 20:37:54 @jeffro256: Which is what my proposal does. If we kept the maximum number of inputs at 8 or less, as was originally proposed then we could have kept the old way. 20:37:54 The only reason it has worked in the past is because we were way below the penalty free zone, so uneconomic large transactions got mined. 20:37:54 If a node relays transactions that are not economical to mine, and we are close to the top of the penalty free zone, we are simply setting up the stage for DDDS attack with perfectly valid not economical transactions.[... more lines follow, see https://mrelay.p2pool.observer/e/5-3Gt7gKcG5iZGs2 ] 20:40:43 Of course the miners get penalized for growing the block weight. This does not change. Of course users are incentivized to consolidate transactions. This now works because those consolidated transactions will get mined 20:44:32 The fee per input for my proposal once the membership proof weights are factored in is now lower for a larger number of inputs. This was not the case before if we were close to or above the penalty free zone 20:46:21 I am for keeping fees to the minimum requirement for scaling. 21:00:00 What my proposal does is reduce the penalty for the large transactions not increase the fee 21:42:54 @boog900:monero.social @jeffro256:monero.social: sorry, missed the meeting, I am the one interested in PoWER 21:43:14 20:54:02 DataHoarder: Could you discuss your empirical findings about Qubic's selfish mining profitability? 21:43:17 for per connection PoW, can't an attacker build up connections then start spamming high input transactions practically for free? 21:43:56 @hinto: we disconnect on the first invalid tx 21:44:10 the TL;DR: they were 82% efficient when selfish mining, but they improved and got 90% efficient. Efficiency was calculation of how good selfish mining they were doing 21:44:38 the transactions being spammed are all valid 21:44:44 basically, they lost more overall than if they'd be mining straightforward. they have been doing that recently and their earnings have increased 21:44:55 won't nodes with high connection counts have a disproportionate amount of new load? 21:45:09 monero had a 5% edge on pure earnings compared if qubic was mining directly 21:45:18 @hinto: PoW is only protection against invalid txs 21:45:30 otherwise fee/cost to build the tx is the protection 21:45:47 now that they are not doing selfish and they fixed some of their block delays, their efficiency is close to 100% and get very few orphans 21:45:55 before even when not doing selfish they got orphaned a lot 21:46:09 @hinto: PoW in only done for outbound connections, inbound you only have to verify which is very cheap 21:46:21 last two days they only had one orphan, comparable to normal Monero network rates 21:46:33 what is the challenge? if it is time bounded and invalid PoW causes a ban, won't time gaps between nonces have to be accounted for? 21:47:55 @hinto: I think the handshake response message should include some random challenge bytes and then the peer should optionally respond with a PoW message if they want to send txs with more than 8 inputs 21:48:20 the PoW message being a new P2P message 21:54:48 and for RPC? 21:58:21 @boog900: what about nodes that relay frequently e.g. exchanges? 21:59:44 @hinto: I guess something similar, maybe 2 new endpoints for the challenge and the response? 22:00:04 @hinto: as long as the txs are valid it should be fine 22:00:20 PoW is only done per connection not per tx