-
OmerShlomovits
Hi everyone! Here is a link to our bulletproofs+ audit:
suyash67.github.io/homepage/assets/…etproofs_plus_audit_report_v1.0.pdf . It is a draft, shared with you alone. We will release the final version to the community in a week. We welcome any comments and questions. I will try to make myself available here as much as I can, but
-
OmerShlomovits
you can reach out to me using my email omer.shlomovits⊙gc or telegram omershlo
-
ErCiccione
Nice "key findings" section, and nice to see "we did not find any critical issues and none of the high-severity issues were discovered to be practically exploitable" :)
-
» sarang reads the audit report
-
seyawqmnx
Remember kids. If you call project coral reef for what it is - fluffy embezzling half a mil usd from the monero fund for a website with smaller adoption than monero woo plugin, you will get excommunicated.
-
endor00[m]
Wasn't the "point at infinity" check (paragraph 5.1) the same bug that was patched and disclosed back in 2017?
getmonero.org/2017/05/17/disclosure…in-cryptonote-based-currencies.html
-
endor00[m]
Oh yeah, they even reference it in section 4, page 19
-
selsta
does not seem like the same bug to me
-
selsta
but related
-
sgp_
it's 17 UTC but we didn't really organize a meeting this week
-
sgp_
quick update on the bp+ audits
-
sgp_
first report came in, so reading that
-
sgp_
sarang and I spoke with 2 firms yesterday, SoWs on the way
-
gingeropolous
for triptych?
-
sgp_
no for bp+
-
sgp_
hinted a bit with one of them about triptych however
-
sgp_
some more work needs to be done before handing that off to auditors however
-
moneromooo
BTW, I started looking at integrating triptych, since sarang had a C++ implementation intended for production use (I did not realize when we talked about this before).
-
sarang
The key image problem from way back when had to do with incorrect subgroup membership that could be misused in a specific way
-
sarang
Whereas an identity element in a proof is not strictly invalid on its own
-
Isthmus
I'm curious: a priori, how would one go about deriving / calculating an ideal tail emission rate?
-
moneromooo
Define ideal.
-
Isthmus
Defining ideal is part of the question
-
sarang
I don't think the check for identity that the authors recommend is needed as they state it
-
sarang
Even if you were to use a prime-order curve group and could avoid torsion checks, the prover could always provide identity elements anyway
-
Isthmus
I would say "provides enough security, but doesn't wastefully or egregiously overpay miners at the expense of transaction affordability"
-
Isthmus
But that's just one take
-
Isthmus
I don't want to bias how it's approached
-
sarang
and the prover would still run into the issue of challenges
-
moneromooo
That sounds awfully subjective.
-
sarang
So I disagree that torsion plays any role here
-
Isthmus
This is why I'm asking for help coming up with a way to make it objective
-
Isthmus
ping @ArticMine
-
ArticMine
One can argue it is very close to optimal, in that it is just below the historical inflation rate of gold
-
ArticMine
Gold being the "gold standard" for hard money
-
Isthmus
That's an economic-first lens. What about a security-first framework?
-
Isthmus
(or a combination)
-
Isthmus
(obviously they're heavily coupled questions)
-
ArticMine
The highest security that meets the Austrian economic argument
-
Isthmus
I'm admittedly not familiar with that, how does it map to hashrate and chain finality security?
-
Isthmus
Ah "The Austrian school holds that prices are determined by subjective factors like an individual's preference to buy or not to buy a particular good, whereas the classical school of economics holds that objective costs of production determine the price"
-
ArticMine
The simplest is to compare to Bitcoin stopping the halving at 3.125 BTC per block
-
ArticMine
Define objective costs of production including environmental / social externalities for example
-
ArticMine
Not that simple
-
Isthmus
Yea, that's going the opposite direction
-
ArticMine
The other interesting case is Bytecoin abandoning the adaptive blocksize in 2019
-
ArticMine
As the emission fell way below the equivalent for Monero at tail emission
-
Isthmus
Sorry, I'm not articulating this well
-
Isthmus
I'm trying to figure out something like "What is the minimum tail emission necessary to ensure that the network consistently attracts [[sufficient]] hashrate to keep the chain [[secure]] against malicious miners"
-
Isthmus
Where defining 'sufficient' and 'secure' is part of the question.
-
ArticMine
Yes and this becomes an empirical calculation at best
-
Isthmus
Yes, it's a hard question, but we still have to ask it and try to come up with an answer :- (
-
ArticMine
I project that Bitcoin and especially Bitcoin Cash / SV will become the guinea pigs to test this out
-
Isthmus
Too late for us though ☠️
-
Isthmus
Anyways, I don't have an answer. Just a bunch of questions :- P
-
Isthmus
I'll simmer on this some more
-
ArticMine
I also expect this issue to arise in Bitcoin Cash / SV well below Monero's tail emission
-
endor00[m]
<Isthmus "I'm trying to figure out somethi"> In my opinion, the answer to that question is directly tied to the coin price
-
endor00[m]
The primary regulating force of network hashrate is profitability
-
endor00[m]
Which depends on hardware efficiency vs electricity price
-
endor00[m]
So you want to attract enough miners in order to grow the network hashrate to a point where anyone would struggle to (easily) find enough hashrate to mount an attack
-
endor00[m]
In turn, that requires establishing an estimation of the computational power available for your mining algorithm, and a choice for the safety margin
-
endor00[m]
You establish those two factors, from there you derive the network hashrate you want to achieve, and from there you find the amount of coin emission that makes mining slightly profitable for an established electricity price
-
endor00[m]
And then you decide if that amount of inflation is acceptable based on [[criteria]] or not
-
endor00[m]
TLDR: network security depends on coin price vs hardware efficiency of the available computational power vs the electricity price
-
endor00[m]
So you have to regulate emission (and the subsequent inflation) based on these three parameters
-
endor00[m]
Although you'd be kinda inverting cause and effect if you took that literally - emission is the parameter, and the coin price is the result of these parameters and other market factors
-
endor00[m]
So what I'd do is choose the emission curve based on the aforementioned "acceptability" [[criteria]], and then ask "How big of an attack could an attacker mount at the current price? How profitable would it be?"
-
endor00[m]
(Please let me know if any point in my logic is wrong or flawed)
-
Isthmus
I like your approach and insights
-
Isthmus
On a call, will circle back with more notes in a bit :- )
-
ArticMine
There is a valid point endor00[m] in that if the inflation rate is set high then price should fall and vice versa.
-
ArticMine
The trouble is that markets are to a large degree emotional. So one is trying to quantify emotion.
-
ArticMine
This is why I like the current setting for the tail emission. Set it close to but below the emotional value of the inflation rate of gold
-
endor00[m]
True
-
endor00[m]
Indeed, I like the current tail emission too. Small enough to avoid large inflation, but large enough to incentivize miners to keep going
-
endor00[m]
I especially like the fact that it's linear inflation, and not exponential
-
charuto
i mean it makes some sense that money supply should adjust to economy growth
-
endor00[m]
I'm... not sure if I agree?
-
ArticMine
Good point. The key with linear inflation is that when one takes lost coins into account then an equilibrium will be reached between inflation, price and lost coins leading to a stable supply
-
hyc
that's a big assumption. that lost coins are smaller than emission rate
-
hyc
most likely, oldest coins are more likely to be lost. and the further back in time you go, the faster the emission rate was, which means more coins were sloshing around
-
hyc
which means more coins are likely to be lost
-
ArticMine
If they are larger then price should increase due to scarcity leading to a lower loss rate
-
ArticMine
Since if they are more valuable one would expect a lower loss rate
-
hyc
ok, I suppose so
-
endor00[m]
I mean, if we want to dig into assumptions, then we can also assume that we can't really know which coins are truly lost, because anyone could be lying about losing them in the first place. See "boating accidents"
-
hyc
not sure that really affects anything
-
endor00[m]
The only coins that could be provably lost are the ones sent to a coin eater address for which nobody knows/finds the private key
-
hyc
but definitely, in the early days, people were spitting out coins from faucets, throwing hundreds or thousands of coins around
-
endor00[m]
And even then it wouldn't be a certainty, it would be just a "reasonable improbability"
-
hyc
casually, with no concern for recoverability.
-
hyc
look at the recent stories about the guy trying to recover BTC from his old discarded hard drive
-
hyc
people had thousands of coins sitting on machines they tossed into the trash
-
endor00[m]
Oh I'm aware, I'm just saying that there's no "formal" way of knowing which coins are really lost
-
endor00[m]
All estimates are based on some kind of trust in anecdotal evidence
-
ArticMine
There is not, but one can argue for an equilibrium nevertheless
-
ArticMine
Just one would not know what the equilibrium value would be
-
endor00[m]
Indeed
-
endor00[m]
I would argue that since there are no fundamental mechanisms based on burning coins in Monero, we should rely on the working assumption that the available supply is equal to the full emission
-
endor00[m]
And treat any lost coins as a "disturbance" (can't think of the right word for it)
-
hyc
aberration, anomaly
-
endor00[m]
Perturbation! That's it
-
endor00[m]
A perturbation of the system
-
geonic
those rhymes are not going in a good direction