12:27:42 <OmerShlomovits> Hi everyone ! here is a link to our bulletproofs+ audit: https://suyash67.github.io/homepage/assets/pdfs/bulletproofs_plus_audit_report_v1.0.pdf . It is a draft, shared with you alone. We will release the final version to the community in a week. We welcome any comments and questions. I will try to make myself available here as much as I can but
12:27:42 <OmerShlomovits> you can reach out to me using my email omer.shlomovits⊙gc or telegram omershlo
12:31:01 <ErCiccione> Nice "key fundings section" and nice to see "we did not find any critical issues and none of the high-severity issues were discovered to be practically exploitable" :)
14:53:23 * sarang reads the audit report
15:45:44 <seyawqmnx> Remember kids. If you call project coral reef for what it is - fluffy embezzling half a mil usd from the monero fund for a website with smaller adoption than monero woo plugin, you will get excommunicated.
16:26:58 <endor00[m]> Wasn't the "point at infinity" check the same bug that was patched and disclosed back in 2017? https://www.getmonero.org/2017/05/17/disclosure-of-a-major-bug-in-cryptonote-based-currencies.html
16:27:27 <endor00[m]>  * Wasn't the "point at infinity" check (paragraph 5.1) the same bug that was patched and disclosed back in 2017? https://www.getmonero.org/2017/05/17/disclosure-of-a-major-bug-in-cryptonote-based-currencies.html
16:34:09 <endor00[m]> Oh yeah, they even reference it in section 4, page 19
16:38:03 <selsta> does not seem like the same bug to me
16:38:09 <selsta> but related
17:01:40 <sgp_> it's 17 utc but we didn't really organize a meeting this week
17:01:52 <sgp_> quick update on the bp+ audits
17:02:01 <sgp_> first report came in, so reading that
17:02:21 <sgp_> sarang and I spoke with 2 firms yesterday, SoWs on the way
17:02:51 <gingeropolous> for triptych?
17:02:57 <sgp_> no for bp+
17:03:06 <sgp_> hinted a bit with one of them about triptych however
17:03:17 <sgp_> some more work needs to be done before handing that off to auditors however
17:05:11 <moneromooo> BTW, I started looking at integrating triptych, since sarang had a C++ implementation intended for production use (I did not realize when we talked about this before).
17:36:38 <sarang> The key image problem from way back when had to do with incorrect subgroup membership that could be misused in a specific way
17:37:14 <sarang> Whereas an identity element in a proof is not strictly invalid on its own
17:50:05 <Isthmus> I'm curious: a priori, how would one go about deriving / calculating an ideal tail emission rate?
17:50:30 <moneromooo> Define ideal.
17:51:23 <Isthmus> Defining ideal is part of the question
17:51:24 <sarang> I don't think the check for identity that the authors recommend is needed as they state it
17:51:57 <sarang> Even if you were to use a prime-order curve group and could avoid torsion checks, the prover could always provide identity elements anyway
17:52:00 <Isthmus> I would say "provides enough security, but doesn't wastefully or egregiously overpay miners at the expense of transaction affordability"
17:52:02 <Isthmus> But that's just one take
17:52:13 <Isthmus> I don't want to bias how it's approached
17:52:14 <sarang> and the prover would still run into the issue of challenges
17:52:21 <moneromooo> That sounds awfully subjective.
17:52:39 <sarang> So I disagree that torsion plays any role here
17:52:41 <Isthmus> This is why I'm asking for help coming up with a way to make it objective
17:52:48 <Isthmus> ping @ArticMine
17:53:53 <ArticMine> One can argue it is very close to optimal, in that it is just below the historical inflation rate of gold
17:54:24 <ArticMine> Gold being the "gold standard" for hard money
17:55:16 <Isthmus> That's an economic-first lens. What about a security-first framework?
17:55:27 <Isthmus> (or a combination)
17:55:38 <Isthmus> (obviously they're heavily coupled questions)
17:55:56 <ArticMine> The highest security that meets the Austrian economic argument
17:57:57 <Isthmus> I'm admittedly not familiar with that, how does it map to hashrate and chain finality security?
17:58:59 <Isthmus> Ah "The Austrian school holds that prices are determined by subjective factors like an individual's preference to buy or not to buy a particular good, whereas the classical school of economics holds that objective costs of production determine the price"
17:59:13 <ArticMine> The simplest is to compare to Bitcoin stopping the halving at 3.125 BTC per block
18:02:40 <ArticMine> Define objective costs of production including environmental / social externalities for example
18:02:45 <ArticMine> No that simple
18:02:48 <ArticMine> Not
18:03:02 <Isthmus> Yea, that's going the opposite direction
18:04:19 <ArticMine> The other interesting case is Bytecoin abandoning the adaptive blocksize in 2019
18:04:53 <ArticMine> As the emission fell way below the equivalent for Monero at tail emission
18:05:33 <Isthmus> Sorry, I'm not articulating this well
18:05:33 <Isthmus> I'm trying to figure out something like "What is the minimum tail emission necessary to ensure that the network consistently attracts [[sufficient]] hashrate to keep the chain [[secure]] against malicious miners"
18:05:33 <Isthmus> Where defining 'sufficient' and 'secure' is part of the question.
18:06:31 <ArticMine> Yes and this becomes an empirical calculation at best
18:07:11 <Isthmus> Yes, it's a hard question, but we still have to ask it and try to come up with an answer :- (
18:07:52 <ArticMine> I project that Bitcoin and especially Bitcoin Cash / SV will become the guinea pigs to test this out
18:08:53 <Isthmus> Too late for us though ☠️
18:09:10 <Isthmus> Anyways, I don't have an answer. Just a bunch of questions :- P
18:09:32 <Isthmus> I'll simmer on this some more
18:10:10 <ArticMine> I also expect this issue to arise in Bitcoin Cash / SV well below Monero's tail emission
18:37:57 <endor00[m]> <Isthmus "I'm trying to figure out somethi"> In my opinion, the answer to that question is directly tied to the coin price
18:38:12 <endor00[m]> The primary regulating force of network hashrate is profitability
18:39:10 <endor00[m]> Which depends on hardware efficiency vs electricity price
18:39:43 <endor00[m]> So you want to attract enough miners in order to grow the network hashrate to a point where anyone would struggle to (easily) find enough hashrate to mount an attack
18:40:50 <endor00[m]> In turn, that requires establishing an estimation of the computational power available for your mining algorithm, and a choice for the safety margin
18:42:38 <endor00[m]> You establish those two factors, from there you derive the network hashrate you want to achieve, and from there you find the amount of coin emission that makes mining slightly profitable for an established electricity price
18:43:23 <endor00[m]> And then you decide if that amount of inflation is acceptable based on [[criteria]] or not
18:44:35 <endor00[m]> TLDR: network security depends on coin price vs hardware efficiency of the available computational power vs the electricity price
18:45:47 <endor00[m]> So you have to regulate emission (and the subsequent inflation) based on these three parameters
18:46:59 <endor00[m]> Although you'd be kinda inverting cause and effect if you took that literally - emission is the parameter, and the coin price is the result of these parameters and other market factors
18:49:45 <endor00[m]> So what I'd do is choose the emission curve based on the aforementioned "acceptability" [[criteria]], and then ask "How big of an attack could an attacker mount? How profitable would it be?"
18:49:47 <endor00[m]>  * So what I'd do is choose the emission curve based on the aforementioned "acceptability" [[criteria]], and then ask "How big of an attack could an attacker mount at the current price? How profitable would it be?"
18:51:31 <endor00[m]> (Please let me know if any point in my logic is wrong or flawed)
18:51:57 <Isthmus> I like your approach and insights
18:52:21 <Isthmus> On a call, will circle back with more notes in a bit :- )
19:38:11 <ArticMine> There is a valid point endor00[m] in that if the inflation rate is set high then price should fall and vice versa.
19:39:14 <ArticMine> The trouble is that markets are to a large degree emotional. So one is trying to quantify emotion.
19:40:57 <ArticMine> This is why I like the current setting for the tail emission. Set it close to but below the emotional value of the inflation rate of gold
19:41:20 <endor00[m]> True
19:42:23 <endor00[m]> Indeed, I like the current tail emission too. Small enough to avoid large inflation, but large enough to incentivize miners to keep going
19:42:43 <endor00[m]> I especially like the fact that it's linear inflation, and not exponential
19:43:20 <charuto> i mean it makes some sense that money supply should adjust to economy growth
19:44:54 <endor00[m]> I'm... not sure if I agree?
19:45:06 <ArticMine> Good point. The key with linear inflation is that when one takes lost coins into account then an equilibrium will be reached between inflation, price and lost coins leading to a stable supply
19:45:48 <hyc> that's a big assumption. that lost coins are smaller than emission rate
19:46:48 <hyc> most likely, oldest coins are more likely to be lost. and the further back in time you go, the faster the emission rate was, which means more coins were sloshing around
19:47:00 <hyc> which means more coins are likely to be lost
19:47:12 <ArticMine> If they are larger then price should increase due to scarcity leading to a lower loss rate
19:47:52 <ArticMine> Since if they are more valuable one would expect a lower loss rate
19:48:53 <hyc> ok, I suppose so
19:50:42 <endor00[m]> I mean, if we want to dig into assumptions, then we can also assume that we can't really know which coins are truly lost, because anyone could be lying about losing them in the first place. See "boating accidents"
19:51:11 <hyc> not sure that really affects anything
19:51:20 <endor00[m]> The only coins that could be provably lost are the ones sent to a coin eater address for which nobody knows/finds the private key
19:51:40 <hyc> but definitely, in the early days, people were spitting out coins from faucets, throwing hundreds or thousands of coins around
19:51:51 <endor00[m]> And even then it wouldn't be a certainty, it would be just a "reasonable improbability"
19:52:26 <hyc> casually, with no concern for recoverability.
19:52:43 <hyc> look at the recent stories about the guy trying to recover BTC from his old discarded hard drive
19:52:57 <hyc> people had thousands of coins sitting on machines they tossed into the trash
19:54:19 <endor00[m]> Oh I'm aware, I'm just saying that there's no "formal" way of knowing which coins are really lost
19:54:58 <endor00[m]> All estimates are based on some kind of trust in anecdotal evidence
19:55:31 <ArticMine> There is not, but one can argue for an equilibrium nevertheless
19:55:58 <ArticMine> Just one would not know what the equilibrium value would be
19:57:29 <endor00[m]> Indeed
19:59:34 <endor00[m]> I would argue that since there are no fundamental mechanisms based on burning coins in Monero, we should rely on the working assumption that the available supply is equal to the full emission
20:00:19 <endor00[m]> And treat any lost coins as a "disturbance" (can't think of the right word for it)
20:04:56 <hyc> aberration, anomaly
20:05:58 <endor00[m]> Perturbation! That's it
20:06:14 <endor00[m]> A perturbation of the system
23:00:45 <geonic> those rhymes are not going in a good direction