--- layout: post title: Overview and Logs for the Dev Meeting Held on 2017-12-03 summary: Discussion of open PRs and issues, Bulletproofs, Monero Research Lab, RNGs, 0MQ, and miscellaneous tags: [dev diaries, core, crypto] author: dEBRUYNE / fluffypony --- # Overview An overview can be found on [MoneroBase](https://monerobase.com/wiki/DevMeeting_2017-12-03). # Logs **\** 1. Greetings **\** 2. Brief review of what's been completed since the previous meeting **\** 3. Code + ticket discussion / Q & A **\** 4. Any additional meeting items **\** 5. Confirm next meeting date/time **\** so 1. Greetings **\** hi **\** Hi **\** luigi1111 (if you're back) / smooth / hyc / moneromooo etc. **\** here **\** etc here **\** 2. Brief review of what's been completed since the previous meeting **\** lots of stuff **\** MRL has working Java test code for complete multi-output bulletproofs **\** It's being ported over to C++ **\** (not the multi output one) **\** The Java part is complete **\** Sorry, I meant just about the port ^\_^ **\** Discussions are ongoing about if/how the fee structure would be modified to prevent large-output txn DoS **\** what's wrong with per-byte fees? **\** You can load a txn with tons of outputs **\** but verification is linear in the # of outputs **\** fluffypony: verification is linear, whilst size is log **\** basically **\** So for low fees you can force the network to verify **\** ah ok, makes sense **\** So we need to incentivize the use of aggregate BPs while basically scaling the fee to the number of outputs etc. **\** But things are looking good **\** Verification is still quite efficient **\** and with the multi-output setup, space savings are unreal **\** In fact, the per byte fee needs to be done first, as per kB is way too coarse for this. **\** Yeah a single output BP is about 704 bytes, while a 2-output BP is something like 768 bytes **\** (including commitments) **\** it's just too damn good **\** nice **\** For clarification, a single output is currently \~ 6 kB, whereas a 2-output is \~ 12 kB **\<* hotoatmeal** was about to ask **\** So we'll continue moving forward with porting and testing **\** serhack here? **\** A typical Monero transaction has 2 ins + 2 outs **\** yep manifest **\** i was wondering who was the m8 that was gonna work on the go-library since i started on it myself a little bit swell **\** dEBRUYNE: this would also be a major cost-saving for pool payments **\** manifest: we're in a meeting **\** For reference, the size of an M-output BP is 32\*(2\*log(64\*M)+9) bytes (this doesn't count the amount commitments) **\** add 32 bytes for each of the M amount commitments if you want to include them **\** (log is base 2) **\** manifest you can hop on mattermost.getmonero.org. Serhack is also there and you guys can PM and chat so as not to disrupt the meeting. Thanks. :) **\** I have to give some thought to the fees to deal with the verification issue **\** ok so beyond BP is there anything else worth noting? **\** We do require a power of 2 in the # of outputs **\** So sometimes you just create an additional change output, or how do you cause always a power of 2? **\** We'll need to either pad with dummy outputs or split into power-of-2 proofs **\** Split the change into two tx **\** OK **\** The dummy output doesn't need to actually represent anything **\** It just needs to be there for the proof **\** It can be amount 0 **\** that will work also **\** Anyway, that's my 3 cents **\** Better to split **\** Space is cheap gp **\** Cpu is expensive\* **\** We will have to price cpu **\** There's a possible optimization for "filler" outs AIUI. **\** Probably not as good as not using them :) **\** There aren't any security proofs for a non-power-of-2 proof **\** I was led to think it was not inherent in the scheme, though ? **\** It is **\** aw... **\** At least for right now **\** There's a recursive step that split arrays in half **\** The issue I see is that the penalty only prices space **\** The authors of the paper are looking into a generalization, but it doesn't exist yet **\** That's interesting **\** ok so **\** anything else from the last two weeks worth noting? **\** suraeNoether is completing review for multisig **\** He is unable to be here today **\** Has a code freeze date for the next for been set yet? **\** Gdhhyfjjs467: yeah we'll be branching towards the end of the month **\** assuming our comfort levels are ok **\** This was discussed briefly in MRL channel with the idea that if BPs are not too far off, would it be worth delaying the next hard fork by a couple months so it can be in? **\** The plan is to include multisig right? **\** \^ fluffypony **\** Yes **\** no need to delay the hard fork **\** I don't think the upcoming fork does anything useful though **\** So there's that **\** if BP is ready it'll go into the Sept fork **\** Should we fork if there's nothing to fork for? **\** Who knows ^\_^ **\** luigi1111: consistency, then **\** well, that's what we committed to with the fork schedule **\** "even if it's just bumping the block version number" **\** Sure, but didn't we also discuss slowing things down once the ecosystem got bigger? **\** We did not commit to an exact fork schedule. **\** And who is this we :) **\** I, at least, did not :P **\** does the wallet release schedule track the protocol fork schedule exactly? **\** or do they have different cadences **\** The wallet needs to update for a fairly large subset of consensus changes. **\** the wallet-cli and wallet-rpc are included with the daemon release that supports the fork **\** So it's convenient to release at the same time. **\** dEBRUYNE: I don't think we're at a point where we can go to annual **\** Besides, the wallet and daemon rely on the same libs. **\** Isn't ZMQ also in the new release? Or has that been there for a while now? **\** yes ZMQ is in the new release **\** There's some of it in, but some of it's still missing. **\** there is some support for zmq over rpc, and more is comming, like tx/block notify and some changes to the existing zmq rpc **\** \*rpc over zmq **\** moneromooo: yeah, mainly thinking about when I need to spend time to get those two memwipe patches (and the third I haven't written yet) reviewed/merged **\** the notify is what the people i hear from are waiting for, and tewinget told me a few weeks ago he's got the basics worked out **\** Are we still waiting on him for stuff? **\** There's a patch waiting on changes IIRC. **\** (for 0mq) **\** *sigh* tewinget, can you please get this stuff done? Seriously. **\** Especially as I think some of the large pool speedups were lost. **\** (not 100% sure) **\** is there a way to detect that the network has forked, and your client hasn't gone with it? **\** Kinda. **\** my local daemon got left behind on the last one, because I forgot to update **\** you can make an educated guess **\** cue colorful headscratching **\** Current daemon should moan if it sees blocks with a higher version than what it knows about. **\** and there's auto-update records that notify **\** The block verison thing is a bit vulnerable to someone mining a bad block on purpose to make you think there's been a fork though. **\** yeah **\** Losing 10 monero in the process or whatever it is :) **\** ok let's move it along, then **\** 3. Code + ticket discussion / Q & A **\** are there any issues that could do with some input / resolution? **\** The handful of oldest ones. **\** The PRNG one. **\** ones. **\** For multisig, I think it's pretty much ready to go in, stoffu's done a lot of careful reviewing. **\** ok - what's the blocker on switching to the Bitcoin one? **\** moneromooo: what still needs doing / deciding on your part of the memwipe ones, and how can I help there? **\** Mainly deciding whether we want to, or not. **\** And bitcoin has two RNGs, the one I ported, and one that's closer to what we have. so there's the possibility of entropy attrition using only the "good" one. **\** hotoatmeal: the only thing left IIRC was switching from std::vector\ to std::unique\_ptr\ and I feel more confident getting it right with vector. **\** Other than that, nothing I think. **\** moneromooo: by "good" one you mean the ported one? **\** That can be done later by someoine who's familiar with how the refcounting works with operators though. **\** Yes. The one that uses getrandom, etc. **\** ok so I think if they haven't hit entropy attrition problems over the past few years it's unlikely we will - thoughts? **\** Let me rephrase: **\** Bitcoin has two RNGs: a good one using HW, and a... hmmm, less good ? one similar to our keccak based one **\** Using the keccak based one does not deplete entropy nearly as fast as using the good one. Monero can use a lot of entropy (eg, range proofs). **\** Therefore, I'm wondering whether using the good one all the time is worse than not. **\** moneromooo: ok, I'll pick up the vector vs unique\_ptr part of that later this month **\** Thanks **\** ok so what if we used the good one for critical stuff like privkey generation **\** and output selection **\** and if you give me some pointers, can look at whatever that refcounted operators thing is in Jan **\** and the stream one for range proofs **\** Well, if I knew that, I'd know the answer to my question, since they're opposites. **\** Anyway, to go back to multisig, I tihnk it's good to go now. If you haven't yet reviewed it, and want to do so, do so now. **\* hotoatmeal** drops out **\** ok **\** 4. Any additional meeting items **\** When do we want bulletproofs on testnet ? **\** Tomorrow! **\** hah hah **\** A day may be a bit short to get people to update in time. **\** are we going to wait for the multi output stuff? **\** I think we should **\** Not sure. This is not quite finished (multiple of 2 requirement), and has a non trivial impact on fees. **\** Hrmm true, the fee thing **\** :/ **\** And I'd really, really like to get smaller txes double plus quick. **\** ok so how would this work **\** A lot of people do **\** In case it's relevant, every single-output proof is still a valid multiproof **\** That's nice. **\** (provided we define the Gi and Hi in the same order) **\** (not sure if my extended code addressed that, will check) **\** So, no clear votes for or against. Except me ^\_^ so that's 100% of expressed votes :P **\* sarang** checks the math on that **\** moneromooo: I asked how it would work **\** The fork ? I imagine similar to rct. Allow bulletproofs at fork f, optionally disallow borromean at f+1. **\** (the code currently does not do that second part) **\** That might become a bit more complicated if we start allowing aggregated proofs at f+1. **\** But not very much. **\** so moneromooo, you'd like to start with single output right? And then eventually switch to multioutput **\** Yes. **\** Sorry if this was answered, but is there an ETA on multioutput port from Java? **\** No. It doesn't appear to be a lot of work though. **\** so then txs with more than 1 output would use borromean? **\** No. They'd use two bulletproofs. **\** yup **\** Which is still a savings. **\** Still great space savings **\** And no DoS issues **\** 2 bulletproofs is 1.3 kb give or take right? **\** ok **\** And we can keep our current fee structure **\** dEBRUYNE: yes **\** Most of it, in fact. Txes are ~2.2 kB. **\** I think that's worth it. And then it can be enhanced even further with multioutput later. But the immediate savings would be appreciated. **\** And gives time for the fee dislogue **\** and what's our confidence level like in this? like is it March-fork-worthy? **\** Dialogue\* **\** Well, we can know better if we fork in a couple days on testnet :) **\** I have an idea on the fee issue **\** It can be deployed to testnet asap no. **\** ? **\** That's what I'm asking about, yes. **\** could we fork testnet this coming weekend? **\** Works for me. Gives time for review. **\** Exciting! **\** Yes and the code should definitely be reviewed by others **\** who? **\** if you had your pick **\** could someone do me a favor and send me the log of this channel from 2017-04-18? **\** Ideally andytoshi since he's a paper author **\** If I had my pick... **\** suraeNoether **\** Satoshi **\** fluffypony: on it **\** Someone who digs the maths **\** So Evan duffield? **\** luigi1111 I guess **\** vtnerd hyc fyi **\** Oh yeah, luigi1111 is a good one. **\** Let's just get all hands on deck for this? **\** ok that means you too rehrar **\** Lol jk. I like andytoshi idea **\** I'm sure we'll find additional optimizations... I know for a fact my implementation of scalar operations into vectors could be refactored **\** I will understand none of it, but I'll look at it and either nod approvingly or cringe based on a coin toss. **\** but I didn't in Java in order to keep it clean and understandable **\** i move to instate rehrar as new RNG **\** The slice op ? Yes, but I don't think it takes much time compared to the muls. **\** Random Nod Generator? **\** Well and operations involving many vector ops could run a single loop per element, instead of per operation **\** but they're generally fast and it makes things clean **\** I'm not a huge fan of sacrificing clarity for a tiny speedup **\** I'd like to chat with moneromooo post-meeting about our basepoint selection, to ease the transition into multiproofs later **\** For those who want to compare code to paper, this is the paper: http://web.stanford.edu/~buenz/pubs/bulletproofs.pdf **\** I pushed the patch as 2883 if people want to start reviewing ^\_^ **\** Can I make a Reddit post calling devs to review it? **\** Reddit.. devs ? **\** \^ that lol **\** :P nvm then **\** The people able to review it will be watching Github **\** rehrar: answer is in the question :P **\** oh **\** I guess meeting ~done **\** 5. Confirm next meeting date/time **\** Sunday the 17th