Unfortunately the meetings are at a bad time for me so I wasn't/won't be able to participate, but this is my humble opinion on why B(3) > A.... (full message at <libera.ems.host/_matrix/media/v3/do…aea021a5b1d6c99c9a0e284ae7806aceb15>)

tevador: I forgot to mention earlier, the biggest benefit of change memos is cross-wallet record consistency. Seraphis has nice view-only wallets, but those wallets will be blind to anything done by the corresponding full wallet.

for example, you could record the destination address of the other recipient in a 2-out

or a root entropy for the enote ephemeral privkeys

I concur.

It's like you're reading my mind.

who are you talking to?

Oh hey, that was a threaded reply to politicalweasel.. maybe your client didn't understand that. It says it's a beta feature. Sorry if it's confusing.

Please don't do any fancy matrix stuff in bridged channels (threads, edits, etc), it doesn't translate to irc.

sure thing

thanks

I don't see a way to disable threads in the room sadly

to me, it seems the most valid argument for B3 is enabling the protocol to be adaptable without a hardfork. I understand the appeal of the memo / messaging aspects, but they seem unnecessary for a value transfer protocol. To borrow the meme, "monero means money.... and memos apparently"

now, my freshly caffeinated head might be too "blue sky", but I feel there's gotta be another way around the tx flexibility that doesn't involve permanent memos in each tx.

I think in all of this, option A keeps on missing its little tagline of "coinbase txs still get to have fun"

or whatever we call the special sauce that miners get to put into blocks

coinbase tx are special, they don't use ring sigs as well

so, say in a hard option A environment: would it be possible to modify the relay rules (via a non-hardfork release), such that nodes can relay payloads (tied to the tx, somehow), and then the new tx-rules in those payloads get stuffed into the block header.

or coinbase_tx. whatever.

this would keep the txs all uniform on chain. the only non-uniformity would exist on the wire. and even if this soft fork scenario required all txs include a payload, they just end up stuffed in the header

oh, that's just evil

so you want pools to mine tx_extra for each tx into coinbase?

maybe?

coinbase tx_extra can be limited to 256 bytes, miners don't need a lot

Merge mining N chains needs something like log(N) * 32 bytes (plus framing). 1 chain->32, 2 chains->64, 4 chains->96. I think.

i forget where I read this, but I remember as some point a discussion of why payment_IDs exist. Basically, the gist of the story was this - if you consider the cryptonote protocol, all of its design decisions make sense regarding tx privacy except for payment_IDs. The lore (again, I forget where it came from), is that the protocol was so good at doing its job (being private money), that when the original designers went and had to

integrate into exchanges (or think about being on exchanges), they realized the protocol was so good that they had no way for an exchange to determine whether an output belonged to a particular user. That a user had sent a particular output. Thus, paymend IDs, in stupid cleartext nonsense, were bolted on.

of course, in retrospect, the original cryptonote allowed ringsize = 1 (mixin 0), so who knows what user those dusty memories serve

user = utility . s/user/utility/l33t_sed_syntax

thus, to me tx_extra always feels like a bolt_on meant to try and make monero (a square peg) fit into a round hole (the current exchange ecosystem, which isn't a p2p ecosystem, but is almost the definition of client-server afaiu, or whatever is the anti-p2p)

and I also would opine that soft-fork-ability is a ...... thing that results from bitcoin's ceding of their consensus generation to industry. The bitcoin system has to believe that soft forks are the way forward because they no longer own the consensus mechanism. I personally feel that if you aren't generating blocks, then you're not participating in consensus. Bitcoin's system has gone sideways to that notion. Anyway. Long story short,

I think the real question here is soft-forkability. And I don't think thats an issue because we own our consensus power.

To be fair gingeropolous , payment differentiation is something that literally every merchant needs, not just exchanges.

Heck, private individuals need to differentiate their payments as well.

CN or bytecoin had this nice idea of having different spend keys with the same view key. That was a nifty use of the double key system.

yeah but it doesn't need to be on chain. I don't write a note on the cash in my wallet regarding where it came from.

I think they worked it out fairly late though.

regardless, i could see a monero where option B3 exists, but its baked into the system in such a way that it can be turned on or off. I.e., we pick a default, but there also exist a flag --enable_tx_extra , so that if we decide we don't think its a good idea now, it could be re-enabled. man i talk in circles. have your cake and eat it too!

would there be any problems with doing b3 but storing it in the block?

other than the node knowing its from your tx

all nodes will know

What do you think about the following proposal:

In preparation of and as support for further tx_extra discussion we create a new GitHub issue

The idea is it to be a strictly single-purpose issue: "State your stance on the tx_extra removal question"

For example preferred solution plus the two or three most important personal arguments, in *brief*

So it's *not* a vote, and nobody should understand or abuse it as such

So it's *not* yet another tx_extra discussion issue, people should refrain from discussing there

Its goals are to get a better overview, and more transparency, over where the dev community currently stands

Collecting info that is currently strewn over various places, not readily accessible

Of course, while decidedly not being a vote, it would still allow to better gauge current sentiment

I think the sentiment was made clear in the first meeting, which had the most traction, that the most acceptable solution is the removal of tx_extra.

People who want to keep tx_extra get more talk in because there's a lot more to discuss about how to keep tx_extra, whereas the people who are against tx_extra don't have that much to discuss among each other.

there was no conclusive consensus in the first meeting

UkoeHB: Yes there was, the "remove tx_extra" had the clear majority.

Anyone could pick however many options they wanted and "remove" was picked by the most people.

This discussion is prolonged mostly by people who want to keep it in some form.

You should be for this issue then. What's there to fear? That clear sentiment from the first best-traction meeting would just get clearer, no?

1. I didn't speak against the issue, I was merely stating that it was already clear which option the most people find acceptable

2. The sentiment might not necessarily be the same if the traction is not the same. The people who are pro-removal have already spoken out and saw that they are in the majority, while those who are against are in the minority and keep talking and prolonging this issue, so its in their interests to keep voting and discussing it until the pro-removals all get tired of arguing the same points over again.

So, as it stands, its in the interests only of the anti-removal camp to keep discussing this issue ad nauseam.

Alex|LocalMonero: there is more than enough weight behind keeping the field to continue discussing it.

And how much weight is enough weight?

Are we looking for a unanimous decision? That's not going to happen.

I don't know, but we certainly have more than that

What's your test for "enough" or "not enough"?

I won't quibble with you

This is not a quibble, I'm asking for your measure.

What level of consensus do you consider as being "winning" the issue? 80%?

Well, this proposal is my honest attempt to not prolong the discussion ad nauseam, but to help to finally bring it to a close.

We are on opposite sides of the opinion spectrum, but share the sentiment that this *has* to come to an end

No sure I'm all for the issue, I'm honestly prepared to discuss this ad nauseam if I have to.

I feel that Monero's design principles are being threatened and I plan to defend them as long as I can.

For some people it's a transaction construction detail, for other people it's a frontal attack on core design principles :)

Catering to arbitrary data injection onto the chain is absolutely a redefinition of Monero's design principles. All the arguments stating that "we're just trying to help well-intentioned devs not to have to increase the network scan time by 0.1% with stegging", are ignoring that if someone is actually malicious and they want to harm global scan time they will do it with or without tx_extra.

Heck, we had plenty of consensus around tx_extra removal prior to the recent flare up of this discussion. Why wasn't the decision made back then?

There's a post on getmonero.org from over 2 years ago explicitly telling devs don't use tx_extra, we're gonna remove it

And how does this all help to bring this to an acceptable close that people can compromise on?

There shouldn't be any compromise with arbitrary data injectors, just like there shouldn't be any compromises with any other people who come to Monero from other projects having other ideas that are counter to Monero's principles and what led to Monero having a following that other projects don't have.

Yeah, we should all be nice to each other, listen to reason, and all. Ah, and not compromise of course. That will surely help. I guess I only get what I deserve for my attempt to move things a tiny bit forward.

We are nice to each other, aren't we?

Extremely :)

Just some progress is lacking, if you ask me.

No but seriously I'm for your attempt, post the issue.

I agree, this issue needs to be done with cuz it's hurting other issues.

There's plenty of important other things to discuss.

I've said it once and I'll say it again, the core team should just make a collective decision on this.

UkoeHB: seems to be willing to continue rescheduling this over and over at the detriment of other issues that need discussion until he gets a feeling of consensus, which I'm sure will not happen because there's a fundamental difference in how people treat the very notion of arbitrary data injection into the chain, and those differences seem irreconcilable.

is there something else to discuss?

Yes, there are further bullet points in the MRL topics as listed on the issue: monero-project/meta #803

those have been there for over a year

You really fight like a lion, have to give you that. If only the goals would align a bit better ...

UkoeHB: Fair enough. I know you're tired too.

I am also thinking ahead. I am pretty sure that for Seraphis we have a number of difficult decisions of all sorts waiting. Would be bad if we would have multiple reruns of this type of discussion.

2 years of quibbling over important Seraphis decisions, after it would basically be ready, how does that prospect sound?

*That* worries me a lot more than this silly tx_extra question.

Do you have any particular difficult decision examples?

Yes. For example that Seraphis makes third-party scanning services much easier. A big chance, and a big potential controversy as well: Should we go all in there, or de-emphasize, or even backtrack and delete the key making this possible?

Do you mean the fact that the view key will allow to see both incoming and outgoing txs?

Or more technical ones: I am sure people, at some time, will shout bloody murder that `wallet2` will go away.

Yes to the viewkey question

Or maybe already that "switch the curve" question, let's see how our decision process will fare with that ...

MRL #100 should be added to the meeting agenda, so we can make some progress there.

If I'm being honest, neither of those three issues seem to be as fundamentally contentious as this one. Monero always had the principle of privacy by default but the possibility of voluntary privacy abdication, so the view key is being more functional is just an extension of that.

tevador: I will add it to the agenda for next meeting. Or someone else can take on agenda-posting duties if they want.

rbrunner: one goal of jamtis is to enable maximally private third-party scanning with the find-received tier. We should spend exactly zero resources on supporting remote scanning that uses anything else.

"For example that Seraphis makes third-party scanning services much easier." This statement is not true. It doesn't make them any easier, it just reduces the severity of the resulting privacy loss. I don't see how this could be controversial.

tevador: he means to use the view-balance key for remote scanning I think

In practice, there is very little difference between the cryptonote view key and the seraphis view balance key.

I see that I shortened too much. We improve third-party scan possibilities with Jamtis and Seraphis, right? We make them better.

There are people who think this goes into the wrong direction.

I saw them on Reddit when news broke that there are new, better third-party scan mechanisms

Your own daemon for fullest privacy, no compromises.

No key whatsoever to third parties, even severly restricted ones.

See how I mean that position?

Having a separate find-received key reduces security risks even if you don't shared the key with anyone.

Some people argue that the key should not exist in the first place.

You can't share what doesn't exist, right?

I don't argue pro this position, I just try to get accross that there could be contention.

That again may strain our decision processes.

You can technicallt make a wallet that has k_fr = k_vb if you wish to do so.

I guess there are people that would oppose any change whatsoever.

Yes. Bigger project = more people = more people with extreme positions one way or another = more strain on the decision process

Have to go. Does not exactly look good for my "State your stance" issue proposal so far, only 1 pro statement until now. Will check the backlog in 8 hours.

<Alex|LocalMonero> "If I'm being honest, neither..." <- maybe there is a need for a different explanation of the rationale behind the new view key. What I have seen is an explanation stating that the same info is heuristically already obtainable so that it doesn't change much. But there is a big difference between something that is only statistically possible and something that is certain, and that may worry some. So definitely the

question of the new view key will be raised at some point, and will be controversial.

Honestly, I've always seen the inability of the view key to show one the proper balance of the wallet as a design flaw.

View-only wallets are an important use case that's within Monero's core principals and this'll make them work properly.

Alex|LocalMonero: I tend to agree on this too, removes plausible deniability which may be very important for some.

Plausible deniability is easily achieved with seed offsets.

Or do you mean the inability to reveal your balance without revealing your private keys?

The statistical "attack" already removes any chances of *plausible* deniability. We're talking about 99%+ chance of correctly guessing each spend with the old view key.

I mean that some people are worried that the very existence of the new key may be used by some as a pressure mechanism on them to share it. 99% chance is not 100% so that 1% might still save you in some jurisdictions.

It saved OJ didn't it?

if the key don't fit...

😂

Does it really make a difference? If there is any doubt if a particular spend is yours, they can just compell you to provide a crytographic proof that none of the decoys produce the key image with your secret spend key.

I am not saying it makes a difference, I am just suggesting that a better explanation on the rationale behind those keys be given so the ultra-paranoids don't start thinking a three letter agency is behind the introduction of those new keys

So clearly explaining how the same information can be obtained today and how a user could be compelled to provide it with the existing key structure would be a big plus in terms of acceptability of the change.

Time for a CCS "explaining Seraphis to dummies".

Off topic for lab

But what are they going to do? Cry on Reddit? Stop all the miners/nodes they dont run? Just because you dont understand something doesnt mean anyone is obligated to ELI5.

One day, chatgpt will have the data and can explain it to those

LMAO Tevador. Thanks for the Tldr. I can stop typing

let's not forget that many users don't go down the rabbit hole of the transaction protocol, they just need to understand they are safe when they use Monero, and Seraphis might scare them because they will see videos on YT which will incorrectly explain that those new keys are backdoors.

... #monero-offtopic:monero.social

YouTube and fud arent lab

Sorry this is considered OT, was just bouncing off the original message stating that Seraphis will bring hard decisions

"Seraphis for dummies" was basically the goal I had with this talk: youtube.com/watch?v=xGEBRQU1lzw

I go into pros/cons of the view balance key at 4:14

The probabilistic heuristic for using the incoming view key to see change outputs will probably become less effective when ring size increases with Seraphis, right?

The 3rd pro requires a more thorough explanation

Yes Rucknium. The cons go into further explaining that 3rd pro hbs

I guess it could go deeper

Yes it is that kind of explanation that needs to be advertised more openly

clearly stating how the same level of information could be obtained. The only difference being that once the view balance key is shared there is no privacy, whereas the sharing of key images and proofs need to be repeated for each txn/output