-
br-m
<jeffro256> how would this work?
-
br-m
<jeffro256> Also, removing the number of txs from future block hashing blobs still means that we need to save that number for past/existing blocks, so we need it either way for block 202612
-
br-m
<boog900> @jeffro256: Yeah I know that's why I said it doesn't really change anything :)
-
br-m
<boog900> @jeffro256: Because the block 202612 hash is an impossible hash to make, the number of txs it states is different to the size of the Merkel tree.
-
br-m
<jeffro256> Right, but how does the integer inside the block hashing blob do anything to change this while processing headers? > <@boog900> Because the block 202612 hash is an impossible hash to make, the number of txs it states is different to the size of the Merkel tree.
-
sech1
block 202612 bug was precisely about the number of transactions and Merkle tree
-
br-m
<jeffro256> I know that, but what about the precense of the integer 514 inside the header hashing blob does anything whatsoever to help process that? You need either A) the fixed merkle tree hash, or B) the list of TXIDs iin its entirety (what the current code does), then map that into the wrong existing hash. The integer 514 being inside the header hashing blob does nothing
-
br-m
<jeffro256> I shouldn't be able to pass a header with the same prev ID and 514 txs and have it map to the existing block ID and PoW hash. It should map iff the content representing by the list of TXIDs is what already existed on-chain in what we refer to using block ID bbd604d2ba11ba27935e006ed39c9bfdd99b76bf4a50654bc1e1e61217962698
-
br-m
<jeffro256> Even though that block ID doesn't bind to the last 2 txs in the list
-
br-m
<boog900> it alows you to compute a blocks hash and just compare that hash against what is block 202612's real hash to swap it out. If the numb of txs was not hashed then that would be broken as you could cut 2 txs off the end to get the bad block 202612 hash.
-
br-m
<boog900> IMO that's nicer than hardcoding block 202612's blob or double hashing
-
sech1
"With only header hashing info, it is trivially faked" I don't understand this argument. With only header hashing info, merkle hash can also be faked, so what?
-
sech1
I don't understand this whole buzz about removing a single varint
-
sech1
to save 1-2 bytes
-
br-m
<jpk68:matrix.org> Doesn't P2Pool use it? Maybe I'm thinking of DataHoarder's block explorer/mining pool tracker
-
br-m
<jeffro256> @boog900: Nope. The number of txs hashed in is vestigial here. What the block hashing code does is hash the whole block blob, which means hashing the entire TXID list, which is what actually lets you catch when the last 2 TXIDs would be swapped out. The number inside the header could be 3, 4293, 37394, 0, 42, etc it does [... too long, see
mrelay.p2pool.observer/e/t86fi4wLZ1RIbUxU ]
-
br-m
<boog900> Yeah monerod does the double hash
-
br-m
<boog900> monero-oxide does not
-
br-m
-
br-m
<jeffro256> This is how I would do it, personally. But yeah, again, the number of txs in the header does absolutely nothing here. The presence of the true merkle hash being here is what matters
-
br-m
<boog900> no it does
-
sech1
what matters is that the merkle hash is checked against the real merkle hash of the transactions list
-
sech1
this is why merkle hash matters
-
br-m
<jeffro256> sech1: exactly
-
br-m
<boog900> it prevents someone from cutting off the last 2 txs from block 202612 and getting the correct hash causing a collision
-
sech1
tx count from hashing blob is also checked in block verification
-
sech1
so you can't call it "fake"
-
sech1
by your own logic
-
sech1
also, what boog900 said about block 202612
-
br-m
<jeffro256> sech1: re merkle hash also being faked: that is absolutelky true. But the difference is that A) the merkle root being here is a cryptographic necessity, and B) no one pretends to use the merkle root as a metric for mempool processing without further context
-
sech1
because block 202612's merkle root was calculated from 512 transactions, not 514
-
br-m
<jeffro256> @boog900: The true merkle root being present does that, not the number of txs
-
br-m
<jeffro256> It would be equally as secure without the number of txs being present is what I'm saying. If Keccak256 had length extension security flaws, maybe this would be a different convo IDK
-
br-m
<boog900> It doesn't
-
br-m
<jeffro256> sech1: I'm not talking about block consensus verification, I'm talking about block header sync > <sech1> tx count from hashing blob is also checked in block verification
-
br-m
<jeffro256> Of course you can validate it with further context, but with further context, then the field being present is completely meaningless anyways
-
sech1
what about block header sync? 1 extra byte makes it impossible due to high bandwidth?
-
br-m
<boog900> The real merkle root has 512 txs, we swap the 514 txs merkle root for the 512 one. If the number of txs was not hashed this would be a collision
-
br-m
<boog900> As someone could provide block 202612 with only 512 txs and get the same hash as the 514 tx block
-
sech1
"the field being present is completely meaningless anyways " meaningless is a personal opinion
-
br-m
<jeffro256> sech1: No, but it adds ~2.5-5% bandwidth for no security benefit
-
sech1
no one said it's for security
-
sech1
I have a theory why that field is there in the first place, but I don't have pre-github change history for Cryptonote to confirm it
-
sech1
why are you not talking about minor version byte in the hashing blob then? Also a complete waste of bandwidth!
-
sech1
This is a useless converation
-
sech1
Hashing blob could be just a merkle hash(transactions + header) + 4 bytes for nonce, that's it
-
sech1
let's optimize it to the logical limit
-
br-m
<boog900> Yeah I do think there are better places to save bandwidth
-
sech1
also, 256 bits for merkle hash seems like a waste too
-
sech1
128 bits will be enough
-
br-m
<boog900> Having the p2p network use a self describing format is a big one
-
br-m
<jeffro256> > <@boog900> The real merkle root has 512 txs, we swap the 514 txs merkle root for the 512 one. If the number of txs was not hashed this would be a collision
-
br-m
<jeffro256> My bad for using confusing language. When I say "true" merkle root, I meant the merkle root of the updated tree hash code binding all 514 txs. When I say "existing" merkle rooot, I meant the merkle root of the old code which only bound 512 txs, but is what was used for calculating the existing (non-binding) block ID. The mon [... too long, see
mrelay.p2pool.observer/e/he3mi4wLektVcWgt ]
-
br-m
<jeffro256> sech1: 128 bits is not enough cryptographically to prevent hash collisions
-
br-m
<boog900> The existing and current merkle tree code will give the same result for the first 512 txs of that bad block fwiw
-
br-m
<boog900> We have a test in monero oxide for it
-
br-m
<jeffro256> The conversation is not useless if we can come to a consensus to make header-only more efficient > <sech1> This is a useless converation
-
br-m
-
sech1
if it's about network efficiency, you'll save more bandwidth if you send many headers in a single packet
-
sech1
one header will waste a lot due to TCP/IP overhead
-
br-m
<jeffro256> @boog900: I understand that, but you aren't passing the existing (512) merkle root to the linked function are you? Youre passing the true (514) merkle root, which correctly binds the 514 txs
-
br-m
<jeffro256> sech1: That's what I'm prepping in
monero-project/monero #10758
-
br-m
<boog900> @jeffro256: Yeah but then what if a bad actor sends the block across the network with only 512 txs
-
br-m
<boog900> They would split the network as the block would have the same hash
-
br-m
<jeffro256> Okay I see what're your arguing for on that end. That is one valid way to do it, yes. But you can still process the block correctly without the number of txs by rejecting the existing merkle root altogether too
-
sech1
What is header-only sync for? You can only get headers, block IDs and PoW hashes out of it, nothing else. And the total number of transactions in each block, of course (which will be not fake because PoW)
-
tevador
Header only sync is useful because it lets you decide early on the most likely highest-chainwork fork without the need to download a ton of data.
-
br-m
-
sech1
should I send you google links on how to better compress data? I already see 3 places where your current code is inefficient
-
sech1
can reduce by 2-3 bytes per block easy
-
sech1
instead you try to abolish the legacy field which is useful, only because you want to save 1 byte
-
br-m
<jeffro256> For that reason and that also it is being used as a misleading display value
-
sech1
it's not misleading
-
sech1
it's exactly the number of transactions in the block (including the coinbase)
-
br-m
<jeffro256> Only when the block template creator is honest
-
sech1
if you want to completely change how PoW hashing blob is constructed, you can get down to 32 bytes per block
-
sech1
"Only" = always, because if they're not, they will lose block reward
-
sech1
block will be invalid
-
sech1
just make PoW hash = RandomX(keccak(block header)), then you will only need to send keccak(block header) aka block id
-
sech1
and the initial block header in full
-
tevador
sech1: not very useful, that doesn't prove the hashes form a chain
-
br-m
<jeffro256> A) that is still a vector even if you ignore it. It costs nothing to the template creator beside opportunity B) again, miner-local txs don't lose block reward
-
tevador
I'm pretty sure you can't compress it to fewer than 35-ish bytes per block
-
sech1
I was talking about 37-38 by my estimates
-
br-m
<jeffro256> And you need timestamps for non-fixed difficulty calculation
-
tevador
If we're talking about new block header rules for the next hard fork, I'd propose a rule to have a strictly increasing timestamps.
-
sech1
that will backfire
-
sech1
timestamps will run away into the future
-
tevador
No
-
tevador
I'd even go further: strictly increasing timestamps and wtema for the difficulty calculation using only the last block's timestamp
-
sech1
you will have "T,T+1000,T+1001,T+1002,..." if someone malicious make a big jump in their block
-
sech1
not very good
-
sech1
other nodes will have to adjust their real timestamps just to satisfy the new rule
-
sech1
so now instead of one fake timestamp, you have multiple
-
sech1
forcing honest miners to fake their timestamps
-
tevador
So what? The timestamp should only be used for the difficulty calculation anyways. You don't set your watch based on it. At most, it can drift by the FTL, which can be ~10 minutes.
-
sech1
what are the exact rules then? It's either my example, when the max deviation is limited, or it will run away into the future because of malicious miners
-
sech1
it's not a timestamp at this point anymore
-
tevador
FTL of 10 minutes means nodes won't accept blocks with a timestamp more than 10 minutes ahead of their local time. And the purpose of the timestamp is to adjust the PoW difficulty. It can be in arbitrary units as long as it does its job.
-
sech1
if max deviation is limited, then it will open some new attack vectors, because honest miners won't be able to just set their timestamps, and maybe even won't be able to broadcast some mined blocks for ~1 second because their timestamp is too far ahead
-
tevador
FYI, my proposal is not a new idea, it has been researched and your concerns are unfounded.
-
br-m
<kiersten5821:matrix.org> I wrote up what was discussed in the monero-docs channel. I think using remote nodes at all essentially destroys privacy in a bad way that doesn't seem to have been previously described
gist.github.com/k-privacy-enjoyer/9684e4b5270cd806a31e3c0819e8f3c1
-
br-m
<rucknium> @kiersten5821:matrix.org: Thanks. Feather wallet does switch remote nodes regularly, making it the best remote node wallet 😍
-
br-m
<rucknium> AFAIK, it switches remote nodes regularly for tx construction and wallet sync. By default, it does multi-broadcast to all nodes on its list simultaneously to reduce the chance of a failed broadcast.
-
br-m
<rucknium> This may be helpful for your computations:
github.com/Rucknium/misc-research/b…-spend-with-fungibility-defects.pdf "Formula for Accuracy of Guessing Monero Real Spends Using Fungibility Defects"
-
br-m
<kiersten5821:matrix.org> @rucknium: thanks, i didn't know that and checked, you're right. i added an incomplete section at the bottom about which wallets are safe from this
-
br-m
<kiersten5821:matrix.org> i probably won't make better estimates as i expect it to still be really bad and we already know the solution, i am just a simple user of the software