00:05:12 I want serai to work but not mordinals 00:09:56 ceetee[m]: both subaddresses and payment IDs are more-than-reasonable current uses of the tx_extra 00:13:05 Don't those things now have their own fields? 00:13:09 No 00:14:13 They will have specific fields in seraphis, but look a bit different than they do now thanks to a lot of refinement. 00:15:23 so removing tx_extra now would break both subadresses and payment ids? 00:15:29 yes 00:15:52 well, it would break all balance recovery since the tx pubkey for normal addresses is also stored there 00:16:01 Break > change 00:16:26 ofrnxmr[m]: only if new fields are added 00:16:43 Right 00:17:59 If we change the tx_extra field (either A or B3), we could add new fields 00:18:08 Removing without adding properly used fields for the data currently contained there isnt an option id ever imagine 00:19:16 ceetee[m]: the tx_extra debate is about how it will look in seraphis, there hasn't been much enthusiasm for updating the current protocol 00:20:17 Well then its even less of a question 00:21:14 my point is, without the tx_extra it's not a guarantee we'd have subaddresses right now 00:22:06 I don't question the historic relevance at all 00:22:45 but think the current state of XMR is advance enough that we know much better where we are going 00:22:57 Compared to a few years ago 00:23:27 that is very optimistic 00:26:29 If the question were what is more likely: we desperate need txextra for a feature or txextra will be abused for some bs, I'd bet on the second option 00:36:35 I think some people in this conversation are forgetting what exactly tx_extra is. We're not talking about smart contracts or even bitcoin-style scripting, instead just some arbitrary bytes. There is no additional functionality added to Monero by it, except for things like subaddresses which... (full message at ) 00:40:09 "If the question were what is..." <- And even if it *just* isn't abused for some BS, for example, even if there are developers making actually useful wallets that give additional features to their users assuming other users also use the same wallets, all this creates a plethora of mutually incompatible subecosystems, with the complexity and incompatibility only increasing over time. 00:41:35 This is the current state of the Bitcoin ecosystem. 00:42:15 But does removing tx_extra actually solve this? They'd just stuff outputs instead, which is way more harmful to us than a dedicated field 00:42:39 politicalweasel[: It doesn't solve this but it closes one of the doors that allows this. 00:43:02 And the outputs door is much less efficient to use, which naturally disincentivizes it. 00:44:06 A lot of use cases would only need 32 bytes anyway, as a commitment. And you're underestimating how much people will pay to do useless shit - loot at ordinals 00:44:10 look* 00:44:30 And also it worsens the senders privacy, if I understood correctly, so users are disincentivised to uses services that need bit stuffing 00:45:24 ceetee[m]: Correct, unless there's full range proofs, as per kayabanerve 00:46:28 People don't care. And it worsens privacy for everyone, ie those using the bloat outputs as decoys, not just the sender. 00:46:44 *membership proofs, not range proofs. 00:47:29 politicalweasel[: You're right but having tx_extra doesn't eliminate this issue. 00:47:47 It merely diverts most of the honest actors not to exploit it. 00:48:07 and how is that not a good thing? and what's the disadvantage of keeping it? 00:52:02 If you enable easy arbitrary data storage you enable not just use but abuse, as ceetee🇧🇪 alluded to. We have no way to predict how an arbitrary data field will be used, what sort of subchains and subecosystems will develop. Look at Bitcoin right now with hundreds of BIPs, incompatible wallets, multisigs, addresses, someone's stuffing NFTs, someone's mixing, others are rejecting those who are mixing etc etc. 00:53:39 I feel like Monero should be as narrowly-defined as possible, the protocol as strict and efficient as possible, for one purpose: decentralized, electronic, fungible (private) digital cash. 00:53:45 Bitcoin's situation is a product of refusal to do a proper (hard fork) update to clean itself up. And again, data storage is still possible without tx_extra. They'll just choose to do it in a way which is much more expensive to the network as a whole. 00:55:26 tx_extra doesn't expand Monero's functionality. It only makes it more extendable. Both for spam and legitimate uses which we don't know of yet. In both cases removal will either result in output spam or holding Monero back from its potential. Relying on Core to hard fork every possible use case into Monero is not a desirable future 00:55:29 To make an analogy, if you have two leaks in your boat you wouldn't make an argument that closing one leak is pointless because there's another leak, right? I understand that there doesn't exist a solution for the outputs exploit at the moment, but I haven't seen proof one way or the other that this is a solvable/unsolvable issue. 00:55:56 Point is, you're making an argument from is, not from ought. I'm making an argument from ought. 00:57:36 Tx_extra is a big but easily pluggable leak of arbitrary data. The outputs exploit is a much smaller leak, but more difficult to plug as well. 00:58:47 "Bitcoin's situation is a product..." <- WE are also refusing to clean up. I was surprised that the data for sub addresses and payment ides don't have their own fields yet, and are still in the tx extra. We should sort that out 00:59:23 ceetee[m]: I believe that this is implied in the seraphis upgrade assuming tx_extra is removed. Right UkoeHB ? 00:59:56 I could use the boat analogy back on you. Attackers can still spam regardless (a leak), but honest users would be forced to spam w/o tx_extra (a leak). You've been arguing that patching the latter doesn't have merit. 00:59:56 We can't force users to use Monero in the way we strictly define. Regardless that's arguably not even a good idea in the first place. Arbitrary data storage will always be possible. And I still don't understand why tx_extra is anywhere near as bad as output spam. 01:00:18 ceetee[m]: fair enough, those should have been given their own fields long ago 01:00:59 They dont, because of Txextra. Its like a junk drawer. Allows laziness 01:03:02 if Monero's dev team is lazy to the extent that it's legitimately causing harm to Monero, then that's not something which will be fixed by removal. besides it's not that "lazy", there just isn't a real reason to "fix" that which would frankly be a waste of dev power which coud've been used elsewhere. Doing it when we overhaul the tx format is a reasonable time 01:03:29 it's preferable to have dedicated fields, but not really a big deal 01:04:33 Im not calling ANYONE lazy. Lets make that clear first. 01:04:33 Leaving it in Txextra is lazy. Leaving depreciated addresses alive is lazy. 01:04:45 oh yes I agree 01:04:57 i guess i misinterpreted 01:05:19 as a user, i am against nfts on monero. yet im still currently spinning up a morbinal node just for the novelty of it. i shouldnt be able to do that. 01:05:50 mordinals would instead just exist by spamming outputs. Then we'd have the same problem at an even higher cost. yay? 01:05:59 > <@politicalweasel:matrix.org> I could use the boat analogy back on you. Attackers can still spam regardless (a leak), but honest users would be forced to spam w/o tx_extra (a leak). You've been arguing that patching the latter doesn't have merit. 01:05:59 > 01:05:59 > We can't force users to use Monero in the way we strictly define. Regardless that's arguably not even a good idea in the first place. Arbitrary data storage will always be possible. And I still don't understand why tx_extra is anywhere near as bad as output spam. 01:05:59 Yes but again, you're arguing is rather than ought. Do you believe that arbitrary data storage is desirable? 01:06:21 in some cases, yes, but in the case of ordinals and similar, no 01:06:28 No. Mordinals would be harder to develop and wouldnt be public on chain. 01:06:36 politicalweasel[: How would you police the cases absent a hard fork? 01:06:47 we don't live in a perfect world 01:06:54 you dont. only mitigate damage 01:06:55 Precisely. 01:07:01 you can't police use cases 01:07:12 its impossible 01:07:26 Its not policing. 01:07:34 ofrnxmr[m]: "harder" to what extent? And why wouldn't they> 01:07:40 ?* 01:08:30 can morbs be pruned out? should be easy to do righ 01:08:32 s/righ/right/ 01:08:44 Pruning takes io 01:08:53 tx_extra can (?) be pruned. outputs cannot, without manual blacklisting 01:09:44 if we have to have morbs id like them to be as pruneable as possible 01:10:36 politicalweasel: it's one thing to say "let's extend the Monero protocol because feature X is useful", it's another thing to say "let's make a dedicated field for anyone to be able to morph the protocol into whatever they like", which will lead to the same state as Bitcoin is at right now. It's true that if you want to write arbitrary data on the chain then it will become harder and more costly, but that's also kinda the 01:10:36 point of having a hyper-focused project: any usage of XMR outside of its primary usage is to be as inefficient as possible to maximize the efficiency of the primary usage. This is especially important given Monero's need to be fungible (hence, homogeneous) 01:11:43 ^^^ 01:11:52 Anyway.... (full message at ) 01:11:54 Like, it's true that I can encode the entire bee movie by registering a long-enough chain of twitter accounts. Doesn't mean Twitter should cater to being a file sharing service. 01:13:09 You can't have the first thing without the second*, that's the nature of flexibility. And you still haven't addressed the fact that removal doesn't stop spam, only makes it more harmful to the network. 01:13:09 *it's not really "whatever they want". Again, we're not talking about smart contracts. 01:13:37 ^^^ 01:14:29 It doesnt make it more harmful. 01:15:08 > <@politicalweasel:matrix.org> You can't have the first thing without the second*, that's the nature of flexibility. And you still haven't addressed the fact that removal doesn't stop spam, only makes it more harmful to the network. 01:15:08 > 01:15:08 > *it's not really "whatever they want". Again, we're not talking about smart contracts. 01:15:08 Removal doesn't stop spam, but neither does keeping it. I don't need to fix the outputs issue to argue against tx_extra. 01:15:15 Thats absolute fear mongering. (Or an accusation that good actors ate actually bad) 01:15:18 > <@ofrnxmr:monero.social> Anyway.... (full message at ) 01:15:23 If steg+output spam is worse than a small tx_extra field, and neither option stops abuse, then it's logically better to have a small tx_extra field 01:16:11 One incentives spam by making it a tool. The other ruins the blockchain. 01:16:22 Spam outputs harms everyone's privacy and bloat the enote set. Way more harmful than a few arbitrary bytes which can be ignored or even pruned 01:16:57 ofrnxmr[m]: Exactly. Tx_extra is a systemic issue while outputs are a rather minor exploit that's only feasible for some use-cases. 01:17:43 Alex|LocalMonero: But removal doesn't actually solve anything. It's not "patching" any "hole", just forcing water into the other one. Legit users would be forced to spam. 01:17:52 The damage to ring privacy is not "minor" 01:18:07 politicalweasel: those arent orbot users 01:18:08 By minor I meant arbitrary data storage. 01:18:10 Keeping it DOES patch a hole, that being legit users not having to spam 01:18:28 Keeping it doesnt patch anything. 01:18:40 It just names people use more tx to write their script 01:18:43 I just explained what it patches 01:18:55 politicalweasel[: That can be done without removal of tx_extra 01:19:23 And anyone who would, is, by definition, an attacker. 01:19:32 nikg83[m]: yes but why force honest usecases to do it? Would you rather 100 people die or 50? 01:19:33 ofrnxmr[m]: But that comes at a higher cost, which is an active incentive against it. System working as intended 01:19:42 politicalweasel[: Legit users doing tx need to spam ? 01:19:42 Not a good actor that is being forced to mixer babies 01:19:43 Murder* 01:20:05 merope: Steg does too 01:20:12 politicalweasel: but I believe that once you zoom out to the bigger picture, you'll see that keeping it will lead to the bitcoinization of Monero (by bitcoinization I mean that the ecosystem will be splintered, mutually incompatible in a lot of ways, many different address types and multisig and wallet setups and NFTs and so on like the Bitcoin ecosystem is now, where the harm for Monero is much worse because unlike 01:20:12 Bitcoin Monero has a goal of being fungible) 01:20:22 nikg83[m]: legit usecases for arbitary data, I mean. Or even non-legit ones, ie ordinals which don't explicity want to attack the network but also aren't really "legit" 01:20:26 politicalweasel[: Who is using tx_extra rn ? 01:20:46 Exchanges 01:20:57 nikg83[m]: see my earlier reply 01:20:58 And bad actors 01:21:02 I don't really buy the argument that removing tx_extra will cause people to spam useless outputs. 01:21:02 I'm sure there's the occasional motivated spammer who really wants their favorite meme on the blockchain no matter that it takes, but I'd bet most will just think "oh, there's nowhere to put it" and give up. 01:21:08 So yes politicalweasel I would rather that kaya uses outputs for his DEX than open the door for the bitcoinization of Monero 01:21:14 politicalweasel[: Is monero a currency or data storage network ? 01:21:36 Its ipfs 01:22:00 Alex | LocalMonero | AgoraDesk: agreed. But he wont. 01:22:14 Alex|LocalMonero: tx_extra doesn't do this though, that's a strawman. Nor does it harm fungibility, at least not any more than output spam. 01:22:16 nikg83[m]: A transaction data storage network. We are now arguing what types of data constitute "valid" transaction data, which includes an optional field 01:22:44 Yes sir 01:23:13 merope: A option field which can bloat the chain ? 01:23:15 nikg83[m]: currecy, but do you think people actually care and will respect that? And regardless, some data storage isn't mutually exclusive to a currency... if that were the case then we'd have to remove subaddresses, etc 01:23:28 politicalweasel[: Why do you think that it doesn't do that when we already have mordinals? 01:23:37 No we wouldnt have to remove subaddresses ! 01:23:44 Let that be clear 01:23:53 Thats nonsense. 01:24:13 Alex|LocalMonero: they can and will spam outputs instead, if it's actually a serious project that has serious intentions of doing what it's designed to 01:24:23 ofrnxmr[m]: that's my point 01:24:41 Its like "putting the dishes away", who would suggest just tossing them in the trash. .? 01:24:51 nikg83[m]: It can also be used to add features without requiring a hardfork every time someone wants to implement a new service thay requires it. And since chain bloat can be acheived even without tx_extra, the chain bloat argument loses value 01:26:10 politicalweasel[: That may be true, but you're, again, arguing how things *are* rather than how they *should* be. You're arguing that arbitrary data is desirable, but only when it's not mordinals. 01:26:17 I do t agree endor00: the arguement doesnt lose value. Quite the opposite 01:27:13 merope: If output exploits happen with or without tx_extra then the discussion should be focused purely on whether we want tx_extra or not. 01:27:13 Not really... I'm saying data storage is inevitable, though desirable in some cases. tx_extra just defines a way to do that while causing the least harm 01:27:31 A. Bad actors do bad actor things 01:27:31 B,3. A+ good actors think they are doing a good thing and will push more a d more 01:28:54 > <@ofrnxmr:monero.social> A. Bad actors do bad actor things 01:28:54 > B,3. A+ good actors think they are doing a good thing and will push more a d more 01:28:54 B3 bad actors have a "lower hanging fruit" way of doing bad things that actually reduces their harm, and good actors are not forced to act like bad actors to do the things they want 01:28:57 again, i'm not convinced that there's any real argument in favor of removal, aside from "following" vague principles according to one's own interpretation. There's not actual harm caused. 01:29:45 politicalweasel[: Would you also be against removing tx_extra if the outputs exploit didn't exist? 01:29:58 A. Legit users AND illegit users AND attackers all "attack" the network 01:29:58 B. Legit users AND illegit users don't attack, attackers still do 01:30:01 "It can also be used to add..." <- New service ? A 3rd party tool? Should monero blockchain be even used for that , for new core features I am sure we can always hf 01:30:01 Now that hf are so slow that most of these features would be well planned in advanced and won’t need such experimental fields 01:30:05 Alex|LocalMonero: If chain bloat happens with or without tx_extra, but its harm can be minimized *with* tx_extra, then tx_extra is the least harmful option 01:30:44 politicalweasel: what insane world do you live in where legit users to illegit things ? 01:30:44 merope: Chain bloat isn't the only variable when it comes to keeping/removing tx_extra. You're forgetting about the bitcoinization argument that I described. 01:30:44 Alex|LocalMonero: maybe. there's an argument to be made that data storage in general should not be outright banned in the first place 01:30:44 Thats what you call greed 01:30:57 ofrnxmr[m]: depends on how you define that 01:31:07 ofrnxmr[m]: That would be the case of Serai using output steg to encode their data 01:31:17 nikg83: 2 hard forks coming over the next 2-3 years 01:31:25 merope: Are you in the opinion we keep tx_extra but cap the size? 01:31:26 > <@busyboredom:monero.social> I don't really buy the argument that removing tx_extra will cause people to spam useless outputs. 01:31:26 > 01:31:26 > I'm sure there's the occasional motivated spammer who really wants their favorite meme on the blockchain no matter that it takes, but I'd bet most will just think "oh, there's nowhere to put it" and give up. 01:31:26 i think this way 01:31:27 And after seraphis we should be good for a while 01:31:46 nikg83[m]: No, I'm very much in the "remove" camp. 01:31:47 nikg83[m]: Yes, option B3 01:32:09 Oh, he was addressing you. 01:32:12 > That would be the case of Serai using output steg to encode their data+ 01:32:12 endor00: precisely. 01:32:12 That is a bad actor by definition 01:32:39 Alex|LocalMonero: Yah I know your stance already 👍 01:32:40 Alex|LocalMonero: Like politicalweasel said, it's a strawman argument 01:32:53 > <@ofrnxmr:monero.social> > That would be the case of Serai using output steg to encode their data+... (full message at ) 01:33:14 You cannot claim to support privacy, while intentionally harming it for profit, to the determent of tour customers 01:33:33 ofrnxmr[m]: forcing output spam IS harming privacy 01:33:41 Forcing spam? 01:33:51 ofrnxmr[m]: And here's an easy solution: relegate your harmful data in this nice optional tx_extra field! :D 01:33:57 (spam which could've otherwise been innocous tx_extra) 01:34:06 Why would someone develop something that is BROKEN BY DWSIGN 01:34:06 politicalweasel[: Nobody is forcing 😂 01:34:08 endor00: politicalweasel please answer the question: if output exploits weren't a thing would you be for tx_extra removal? 01:34:23 You cant force someone to write broken software on purpose 01:34:51 nikg83[m]: If there is no alternative to implement a needed feature, then you are effectively forcing people to break the system to get what they want 01:35:13 Endor: what they want being impossible by breaking it 01:35:31 merope: You don’t harm others privacy to achieve your goal, that’s called a bad actor 01:35:51 Alex|LocalMonero: Right now, no, but I wouldn't be nearly as hardline. Also keep in mind that I'm assuming there's no other harmful data storage method is available. Meaning could possibly be convinced otherwise. 01:36:42 "> <@busyboredom:monero.social> I..." <- i will bloat the chain with monerochans just because it is so simple to do -.- 01:37:16 politicalweasel[: That's important because it demonstrates that there's a difference in values. You don't value Monero's hyper-specialization factor as much as I do, so I feel like this isn't something we can ever reach consensus on. 01:37:49 Wen ccs to attack mainnet 01:39:18 Forcing Kaya to do it, forcing me to do it, whats the differencio. 01:39:18 Bad actors are going to act bad. 01:39:18 Either I have 2 routes, or 1 01:39:19 "endor00: politicalweasel..." <- No: like I said, leaving *some* room to implement features that can connect Monero to other ecosystems and implement advanced features. The risk of spam can be reasonably mitigated by designing tx_extra with some forethought (eg. size limits and/or fee cost). 01:39:19 But the real answer is that until someone figures out how to actually prevent output exploits, the question remains a pure thought experiment - and can therefore have no bearing on real-world decisions *today* 01:40:13 endor00: my full stance was remove in next hard fork, then possibly add back in a new /improved / studied form for Seraphis 01:40:43 Oops, cut off part of the message: * I believe leaving some room is a good idea 01:40:53 * monerobull[m] uploaded an image: (2KiB) < https://libera.ems.host/_matrix/media/v3/download/matrix.org/yOfVJzsWUYaFTKLNlLZpdfhL/grafik.png > 01:40:56 That's fair. I understand your point, but my argument is one of being flexible and reducing damage caused by certain use cases, even at the cost of comprising a strict code of principles. Of course, I do still value fungibility, privacy, etc. 01:41:02 Alex | LocalMonero | AgoraDesk: 01:41:14 (forgot to quote) 01:41:15 monerobull[m]: im gonna do it guys. ill abuse tx_extra just because its so easy 01:41:18 Its not removing any use cases aside from the ability to soft fork 01:41:28 Dooooooo it 01:41:36 its morbin time 01:41:37 Make em max size and dont stop for 6 months plz 01:41:39 Rip 01:41:42 You have to holes for arbitrary data. One gaping and easily-pluggable hole and one smaller hole. You have people who want to shove their arbitrary stuff through those holes. A bigger and free-to-access hole is much easier to shove stuff through, therefore it will be used extensively with massive amounts of stuff shoved through it. If that hole is closed the smaller hole will remain. Only the most determined hole-stuffers, 01:41:42 malicious or not, will utilize it, therefore less stuff will be stuffed. 01:41:42 If you believe arbitrary data is desirable then this argument won't convince you, but I would argue that if you believe that arbitrary data is desirable then perhaps Monero is not the best project for you. 01:41:57 two holes* 01:41:58 ofrnxmr[m]: how much would that even cost 01:42:21 I would thumbs up but only some people have that power in here #emojigate 01:42:37 monerobull[m]: 0.01c per tx, 2160tx/day 01:42:54 Send to yourself. Ie, almost nothing 01:43:02 wait what 01:43:05 > massive amounts of stuff shoved through it 01:43:05 Hence the proposal for a tight size restriction 01:43:14 no way arb data is that cheap 01:43:14 > <@alex:agoradesk.com> You have to holes for arbitrary data. One gaping and easily-pluggable hole and one smaller hole. You have people who want to shove their arbitrary stuff through those holes. A bigger and free-to-access hole is much easier to shove stuff through, therefore it will be used... (full message at ) 01:43:20 Yes cheaper than read data 01:43:22 Real 01:43:42 Also, if plugging one hole causes the other hole to explode and break stuff around it, then having two small but controlled holes is better 01:43:45 wtf im gona use monero as cloudstorage from now on /s 01:43:48 Arbitrary data of literally any kind is harmful to fungibility. And if reducing or eliminating arbitrary data means we don't get to "interact with other ecosystems" then so be it. Monero does its job just fine on its own without other ecosystems. 01:44:20 DiegoSalazar[m]: output spam is way more harmful though, which is the alternative 01:44:29 do morbs even harm fungibility 01:44:32 they use preset outputs no? 01:44:33 yes 01:44:44 * yes they harm fungibility 01:44:46 It only precludes interacting with other systems that absolutely necessitate data to be written into the Monero chain Diego Salazar . The overwhelming majority of other systems don't require that. 01:44:46 monerobull[m]: for ring members 01:45:18 DiegoSalazar[m]: But that's the point: removing tx_extra would not eliminate harmful data. Rather, it would force people to put it in an even more harmful place, causing bigger damage overall 01:45:36 It doesnt force people to. 01:45:44 politicalweasel[: Malicious actors can spam outputs regardless of tx_extra, we need to fix that issue as well. Sorry for repeating myself but I'm exhausted that the two holes get merged. 01:45:49 ofrnxmr[m]: you know what we mean :/ 01:45:52 Bad actors arent going to spam using Txextra, they are going to do both. 01:46:23 And good actors will unintentionally do more than bad actors simply by using the protocol the way it was designed 01:46:23 ofrnxmr[m]: explain. 01:46:25 Example 01:46:37 Kaya with 5000tx/day and view keys posted 01:47:03 If I have two bugs, one is easy to fix and one is hard to fix, I won't refrain from fixing the easier-to-fix bug just because the harder-to-fx bug exists politicalweasel . 01:47:03 ofrnxmr[m]: If they want to put it somewhere, they *will* put it there, because they can. So giving them a less harmful alternative is the preferable option 01:47:20 endor00: if an xmr based exchange wants to put it there, it wants to die fast 01:47:25 And kill monero with it 01:47:31 It's like giving clean needles to drug addicts: they still have a drug problem, but at least they avoid giving hepatitis to eachother en masse 01:47:39 So, its not even a realistic assumption 01:47:44 Alex|LocalMonero: but my point is that the easier-to-fix "bug" will just lends its "vulnerabilities" to the much more dangerous and harmful "bug" 01:48:03 Security through obscurity 01:48:29 Lets hope bad actors are nice and only use Txextra, and lets hope good actors are nice and dont steg 01:48:32 Both of those thought involve drugs 01:48:58 ofrnxmr[m]: You don't know that, and can't assume that 01:49:11 Dont know what? 01:49:21 ofrnxmr[m]: most arbitrary-data-users don't wish harm to Monero. only explicit attackers. 01:49:22 That it would die fast 01:49:24 That it wants to die? Or that it wants to put view keys up? 01:49:25 politicalweasel[: Yes but by leaving the easier-to-fix bug open you divert merely a subset of the damage away from the main damage-generating-bug. You just hope that the diversion of the good guys is enough to keep the damage by the bad guys below an acceptability threshold, which there is no reason to assume 01:50:03 merope: If you ran an exchange and poisened 60% of outputs via steg. Are you really going to use xmr to secure your liquidity? 01:50:06 Cmon now 01:50:23 Thats like opening a vegan steakhouse 01:50:25 Lets put aside those who want to do harm for a minute. I'd think leaving it in signifies to a lot of people, even well meaning ones, that it's OK to build a lot of things that would harm fungibility further. 01:50:50 DiegoSalazar[m]: Exactly! 01:50:59 ofrnxmr[m]: Users gonna use services without knowing how things work under the hood. If that service gets popular, it will do so regardless 01:51:02 Diego Salazar: I know it sounds like in poking at kaya but im not 😂. 01:51:02 Just the best metaphor I can use 01:51:05 Alex|LocalMonero: again, the existence of bad guys isn't an argument against mitigating damage caused by good guys 01:51:35 i'll be gone for 10-15 minutes 01:51:39 ...... good...guys.... dont 01:51:39 ... premedite... bad...behavior... 01:52:21 Diego Salazar: hence the proposal to keep the field but restrict its size to something like 128 or 256 bytes 01:53:10 politicalweasel[: Yes, but neither is ignoring the existence of bad guys 01:54:03 Unless you're arguing that the good guys are what will carry the output poisoning issue over the acceptability threshold, which I don't think you are. 01:54:25 You're only acknowledging that this is an issue that needs to be fixed. 01:54:49 > <@ofrnxmr:monero.social> ...... good...guys.... dont 01:54:49 > ... premedite... bad...behavior... 01:54:49 ofrn can you help me get morb running 02:01:00 The dynamic size limits are never more than 11 hours away from allowing ~30MB blocks, so long as the fees are paid to make it happen. 02:01:00 I suppose it is not impossible for something like this to make that happen. 02:01:00 My takeaway is to have a high performance node and mining rig ready. 02:01:41 s/to make it happen// 02:05:29 "Unless you're arguing that the..." <- the "acceptability thresehold" is 0. But 1 is better than 2. And 2 is better than 3. And so on. 02:05:51 > <@spackle_xmr:matrix.org> The dynamic size limits are never more than 11 hours away from allowing ~30MB blocks, so long as the fees are paid. 02:05:51 > I suppose it is not impossible for something like this to make that happen. 02:05:51 > My takeaway is to have a high performance node and mining rig ready. 02:05:51 isn't there a long-term dynamic blocksize cap which prevents taht 02:05:53 "Diego Salazar: hence the..." <- 128, but enforced on all tx should be fine to keep uniformity & removal/further reduction to be studied till seraphis/w.e next big hf comes 02:06:16 * isn't there a long-term dynamic blocksize cap which prevents that 02:06:42 nikg83[m]: I was kind of thinking all tx extra should be padded then, yeah. 02:06:43 I'm not a fan of enforcing on all txn's. Needlessly increasing tx sizes 02:07:08 Fungibility above all else. 02:07:27 DiegoSalazar[m]: That option was also considered, but most people seemed against it 02:07:28 DiegoSalazar[m]: Security? Censorship resistance? Reliability? Sustainability? 02:07:47 not that tx_extra directly impacts all of those, but still 02:07:50 32 bytes max. Anything they want to say can be said in that space. :P 02:08:21 politicalweasel[: Yes. 02:09:09 We already have "secure" blockchains (for some definition of secure) 02:09:18 We already have "reliable" blockchains. 02:09:27 We have no other fungible blockchains. 02:10:05 so then we should just remove the blockchain and have Monero operate on "I send you 1 XMR"? Completely fungible. 02:11:57 "> <@spackle_xmr:matrix.org..." <- That is the long-term cap taking effect.... (full message at ) 02:13:06 Here's a simulation I wrote off that document, if you feel like checking my work: https://github.com/spackle-xmr/Dynamic_Block_Demo/blob/main/Dynamic_Blocksize_v16.py 02:13:48 politicalweasel[: Lol. Then it wouldn't be a blockchain. It must be a fungible blockchain. Not just a fungible. 02:14:57 spackle_xmr: wait so the long term cap is 50x? Am I reading that correctly? 02:15:28 Diego Salazar: fine, then we'll have a blockchain consisting of "XXX sends user XXX 'XXX' XMR" 02:16:29 politicalweasel[: Once the penalty median M_N is no longer restricted by the short term median, it is restricted by 50 * M_L. 02:16:29 Then the maximum possible block size is 2 * M_N, assuming that enough fees are paid. 02:16:29 Note that the amount of fees required for this is absolutely massive. 02:16:30 * Diego Salazar: fine, then we'll have a blockchain consisting of "Unknown user sends unknown amount to unknown user" 02:16:55 politicalweasel[: This isn't the gotcha you think it is, as the goal is indeed to make it as close to this as possible to an outside observer who is not either party in the transaction. 02:18:17 DiegoSalazar[m]: Then let's do it. Hard fork next month to remove all this "cryptography" crap 02:18:42 I understand your hyperbole extends even to the parties in the tx, because then it is completely 100% fungible. But the concessions to let it be used as a currency mean the parties themselves must see what's going on. 02:19:20 Beyond the necessary concessions that let it be used as a currency, nothing else should be considered that would weaken fungibility. 02:19:48 Tx extra is not needed for currency functionality. 02:19:56 that's not the point. it's that a "currency" who's only property is fungibility is not really a currency 02:20:45 DiegoSalazar[m]: Again, output spam DOES weaken fungibility, which is the alternative to tx_extra. 02:20:57 "Fungibility above all else" doesn't mean we have nothing else in there. :P it means that when we come to a crossroads, and one path harms fungibility, we prefer the alternate path. 02:21:24 Okay that's at least a more reasonable statement 02:22:39 Ye. Sorry for my desire to be "twitter brief and punchy" robbed me of the nuance I needed to get the point across well. 02:33:40 > that's not the point. it's that a "currency" who's only property is fungibility is not really a currency 02:33:40 What properties must a currency have ? 02:34:52 Currency is a service to be exchanged for goods and services. 02:34:52 Currency as a service is fungible transfer of value. 02:38:59 well for one, security. currency is pointless if it is insecure, ie if it can be duplicated or trivially stolen. A fungible coin is worthless if I can magically steal it from you or magically turn it into 10. 02:47:44 So turn up the hashrate 04:23:42 "the "acceptability thresehold..." <- 1 is better than 2 but 2 with no tx_extra that closes the biggest door on bitcoinization is better than 1 that swings the bitcoinization door wide open, would you grant me that? :) 05:05:59 You still haven't really solidly explained why tx_extra will result in "bitcoinization". There are 2 main "branches" of bitcoinization, as I see it.... (full message at ) 05:06:44 oops didnt finish #1: ...like I said, Monero should be simple and standard but extenable 05:07:09 s/extenable/extendable and flexible/ 05:08:35 When you say extendable and flexible, you mean on-chain, right? But you can't have a simple and standard and extendable chain at the same time, or am I misunderstanding something? It would seem to me that if you allow anyone to soft fork with tx_extra you inevitably reduce simplicity, do you not? 05:10:16 Monero's baseline format should be simple, but also flexible to be built upon and extended by external users 05:10:33 I guess that's a slightly better way to say it 05:12:29 Right, but if you're talking about that capability being on-chain then I don't see how you won't end up in the same place that Bitcoin did. The xkcd about standards comes to mind: https://xkcd.com/927/ which is projected in the BIP library :) https://github.com/bitcoin/bips 05:16:12 So if a protocol can/will be used/abused to its maximum extent, it would seem to me that that abuse needs to be limited/discouraged/disincenticized to the greatest possible extent, by closing any potential doors. And while one may say that you can never really close all the doors that feels to me like making the perfect the enemy of the good. 05:18:26 I'm not really talking about standards though. There should be one standard address format, and one standard transaction format, with very little or no exception. Simple. I'm talking about things like DEX's or atomic swaps and so forth, where Monero itself isn't being changed but built upon to create something with it. Users generally shouldn't have to deal with non-standard "stuff" unless they explicitly seek it out. 05:19:37 (unlike bitcoin, with its several address/transaction formats) 05:19:49 * its several standard address/transaction formats) 05:20:24 But if you allow tx_extra then you necessarily allow a similar address fragmentation to develop. Recall that integrated addresses are just base address + tx_extra. 05:22:02 It would seem to me that you're not advocating for tx_extra (arbitrary data field) specifically but for a field that can be dedicated for, say, DEX interfacing. 05:23:05 Also, recall that Haveno, a DEX, does not require tx_extra. And IIRC atomic swaps don't need it either. 05:29:35 Fair point, but I think subaddresses should have been made standard long ago, and integrated addresses disabled. It's probably not worth it at this point with Seraphis approaching, but whatever. That's something we need to do as a community, not something that should be preemptively blocked by strictly solidifying the tx protcol. Allowing subaddresses to be phased in via tx_extra wasn't the worst thing in the world, but 05:29:36 it should have been temporary. 05:29:36 You can't predict use cases, though. Just because what exists now doesn't require tx_extra, doesn't mean it can't be useful. But again, either way, there's an argument to be made that discouraging output spam alone is enough to justify tx_extra as a "put your crap here instead of outputs" thing. 05:33:38 in fact come to think of it, this situation has a parallel with OP_RETURN. Core tried limiting it to 80 bytes, so ordinal spammers just used the segwit loophole instead. Luckily for Bitcoiners, it isn't too harmful besides the raw blockspace, but that's not the case for us. On-chain ordinals won't fit on Monero either way, but smaller 32 or 64 commitments definitely could 05:34:04 people will find a way around restrictions if they want to 05:35:01 * in fact come to think of it, this situation has a parallel with OP_RETURN. Core tried limiting it to 80 bytes, so ordinal spammers just used the segwit loophole instead. Luckily for Bitcoiners, it isn't too harmful besides the raw blockspace, but that's not the case for us. On-chain ordinals won't fit on Monero either way, but smaller 32 or 64 byte\ commitments definitely could 05:35:05 * in fact come to think of it, this situation has a parallel with OP_RETURN. Core tried limiting it to 80 bytes, so ordinal spammers just used the segwit loophole instead. Luckily for Bitcoiners, it isn't too harmful besides the raw blockspace, but that's not the case for us. On-chain ordinals won't fit on Monero either way, but smaller 32 or 64 byte commitments definitely could 05:36:20 Would you agree that defining the Monero protocol as strictly and simply as possible with maximizing transaction efficiency (in the sense of monetary transactions: medium of exchange, store of value, global monetary base) while maintaining decentralization and fungibility (which necessitates confidentiality and homogeneity) should be the prime directive? 05:38:11 I mean I don't think a flag to include either 0 or 256 bytes of tx_extra is a massive complication. We aren't talking about smart contracts here. I value simplicity, but also see value in the extensibility I was talking about earlier 05:38:37 (or 128 bytes, or however many) 05:38:48 that part doesn't really matter 05:39:09 Well, as mentioned previously even 16 bytes is enough to have address fragmentation (IIRC integrated addresses use just 16 bytes of tx_extra). 05:40:12 well in theory you could do it with just 4 if you're ok with "only" having ~4 billion addresses to choose from. That kind of misses the point though 05:41:56 So you can't have tx_extra, especially not one as large as 256 bytes, and not have the potential (or, perhaps more accurately, have the guarantee) for address fragmentation. 05:47:35 The *potential* yes. Though if we were really desperate for some reason then a new address format could also use spam outputs, but that's not my point. 05:47:35 Integrated addresses were hastily strapped onto CryptoNote, and it shows. We, as a community, are responsible for maintaining a clean protocol. If we can't do that then we're screwed anyway, tx_extra or not. The legacy system of CryptoNote and integrated addresses and wishy-washy tx_extra and so on wasn't kept clean, and Seraphis is a new start. We've cleanly solved the fundamental problem that integrated addresses poorly 05:47:35 solved, so that issue isn't likely to arise again. 05:49:27 After all Monero started out as another low-effort fork of ByteCoin. Even in post-RingCT Monero there are remnants of that. Seraphis will basically not have any 05:49:39 s/post-/current / 05:52:02 politicalweasel: are there any chains that eliminated the vulnerability of output spamming? 05:52:18 no, because it's impossible 05:52:39 well, not without just banning all transactions lol 05:54:03 So, this issue is separate to having tx_extra or don't. If someone seriously wants to attack Monero will do it no matter the cost 05:54:36 this was discussed already 05:54:48 there's more to it than that 05:55:58 Ok, I just wanted to be clear 05:59:55 By the way politicalweasel , spamming outputs is only a privacy issue while we don't have full membership proofs, which may change soon. We're left with it being costly to stuff arbitrary data into the chain as opposed to arbitrary data costing the same as any other data in the case of tx_extra. 06:00:21 s/We/Without the privacy issue, we/, s/tx_extra/tx\_extra/ 06:01:09 Which, to me, is a desirable outcome. 06:03:47 So, if you have tx_extra then address fragmentation is not disincentivized. If in order to have a wallet app with address fragmentation you need to generate more outputs you'll have to pay a disproportionally higher cost than wallets that are using the standard Monero protocol, hence, your wallet is outcompeted by the standard implementation. 06:07:17 Do full membership proofs require accessing the enote set at all, or only a constant-sized "root" of some sort? If so, then that's still worse than tx_extra. If not then I'd probably be okay with removal, but we'll cross that bridge when we come to it. There is still a higher cost due to verifying rangeproofs, but that's not the end of the world. 06:07:17 Using tx_extra should be more expensive than not, so there's not really a significant change there. But again, that's a community responsibility. 06:07:50 "if so" as in still having to access the enote set 06:08:29 I dont like that political weasel is making arguements based on feelings and mixing in alot of assumptions or "what ifs" 06:08:42 Where there are real answers to some of said assumptions 06:09:16 like what? what's a "what if" I've used which isn't reasonable? 06:09:21 Example 06:09:21 Why are you voting "its ok because Seraphis is coming" 06:09:21 When is Seraphis coming? 06:09:21 Exavtly. Its not ok to just wait around 06:10:27 I didn't mean it's something to not care about, but that since Seraphis is approaching anyway it's likely not worth the effort to change anything unless we have a hard fork in-between anyway (ie for BP++) 06:10:46 Exactly = you dont know. 06:10:46 It could be 2 years, it could be 6, it could have been a year ago 06:11:25 "Likely" not worth the effort. You're just speaking your opinion. 06:11:56 Opinions are nice, but everybody has them. Most of your arguements for keeping it are because you have an opinion 06:12:56 Doing a full hard fork to restrict one singular field is absurd IMO. We could soft fork, because that change wouldn't affect any average user, but I'm not sure if the community would go with that. 06:12:57 Not because you how anymore this works. 06:13:17 tx_extra should have been cleaned years ago, but we're in an akward position where Seraphis is "close" 06:13:23 Arguing with, what I assume to be, the largest monero adopter outside of cex 06:13:44 politicalweasel[: Should have? Never 06:13:44 ok, your point? 06:13:54 ofrnxmr[m]: wdym? 06:13:55 It was a junk drawer and stuff gotnput in there and left there 06:14:31 so... you're saying it shouldn't have been cleaned up? 06:14:37 because that's what I'm saying 06:14:46 It should have never been filled with junk! 06:15:00 oh sure, agreed 06:15:16 Subaddresses made it in because if a sift fork. A hard firm would have added them properly. 06:16:01 I don't think subaddresses were a soft fork? Only a wallet-level adoption protocol, no consensus change 06:16:17 Yes,soft fork 06:19:28 > Alex | LocalMonero | AgoraDesk: subaddresses are in the tx_extra, and are not enforced by consensus afaik. 06:19:28 ^ koe 06:20:48 "Ordinals does not use OP_RET and..." <- ^ politicalweasel: 06:28:43 "Doing a full HF to ...." - there are more (necessary) reasons to HF pre seraphis than Txextra. Txextra is just extra. Far from the main reason. 06:34:30 > Integrated addresses were hastily strapped onto CryptoNote, and it shows. We, as a community, are responsible for maintaining a clean protocol. 06:34:30 If we can't do that then we're screwed anyway, tx_extra or not. 06:34:30 The legacy system of CryptoNote and integrated addresses and wishy-washy tx_extra and so on wasn't kept clean, and Seraphis is a new start. 06:34:30 Txextra leans toward an excuse not to hard fork. We will have hard firms until we get it right. 06:44:00 And I understand your and others perspective. I really do. It just isnt a business minded decision you guys are making. You're trying to appease everyone instead of trying to push towards progress 06:58:46 After reading the backlog I would like to explain something to the non-devs here: 06:59:24 I have seen repeated mentions of the following: "Stego and tx_extra are like 2 different holes on a boat, a small one and a big one" 06:59:50 Or, in other words, it gets claimed that writing something into tx_extra is easy, and stego is hard 07:00:42 This is misleading. Making stego, like creating fake outputs and putting bytes in there, is only one library away from becoming very easy 07:01:14 Somebody has to write that library, agreed, and it's not trivial, but once it exists, putting arbitrary bytes into 07:01:40 a Monero transaction using stego once again becomes as easy as using tx_extra 07:02:20 In your code you just call a very simple method: tx.add_with_stego("this is rubbish and only bloats the chain" 07:02:42 And that "add_with_stego" method will care about all the complexity of creating fake outputs, and so on 07:03:06 stego by its nature is less space-efficient, so the tx fee will be larger 07:03:15 which will reduce spam 07:03:31 Yes, correct, but that wasn't the argument that was used in the discussion 07:04:34 It was used at least once and disregarded as "but we never know what we might need within the next year" 07:07:21 also, output count is limited to 16 per transaction 07:24:19 Again, a good point, but on the other hand proposal B3 comes with a pretty strict length limit as well. 256 bytes is one proposal. 11:23:59 Cant transfer ownership of an 'ordinal' on monero >> sure you can. just publish the true output in the tx_extra, right? 11:28:13 gingeropolous @gingeropolous:libera.chat: There's also the input side I don't care to comment the solution for. 12:37:17 gingeropolous the opinion i blindly parroted seems to be misinformed, please forgive 13:28:35 "We're left with it being costly to stuff arbitrary data into the chain as opposed to arbitrary data costing the same as any other data in the case of tx_extra." 13:28:59 reading most of the back log and thinking, maybe the issue is that fees, especially for tx_extra, are way too low 13:29:59 we're talking about storing data on every node forever, I feel like if it's appropriately priced, spam discourages itself. isn't that like, a significant portion of the reason we have fees at all, to deal with spam issues? 13:31:53 like Ik it doesn't solve the problem but it feels like everyone is talking around how CHEAP this data storage actually is and how much that incentivizes people to stuff data to begin with 14:43:17 "reading most of the back log and..." <- I thought about this too. If tx_extra is worth more per byte then a normal transaction, miners are incentivized to preferably include these transactions 14:44:41 not a problem right now, but it affects the economics of dynamic scaling 14:46:21 ceetee[m]: a miner adds a tx to a block if the fee exceeds the marginal block reward penalty from adding that tx. Block reward penalty is a function of tx weight, not tx size. To increase the fee cost of tx_extra, we would increase the 'weight' of tx_extra bytes. 14:47:08 So, whether or not a tx has a tx_extra would not be a factor miners care about 14:47:52 oh okey, that's is actually very good design 14:49:53 My mental concept had the normal size based tx fee + an extra fee for the extra data. Glad I was wrong 15:45:37 "Yes, correct, but that wasn't..." <- It was exactly that argument.. 15:49:40 "also, output count is limited to..." <- Also, with tx chaining we can limit the number of outputs to 2 for each transaction, which, and correct me if I'm wrong, seems to almost completely close the "spam output" steg angle. 16:02:58 Increasing tx_extra fee might not be that effective, unless it's something like a 200x increase: Monero's fee per byte is very low 16:36:47 Rucknium: What would you think about the potential of using relays to enforce statistical tests rather than being hardcoded consensus? 16:49:15 kinda feel like the overall fees could be higher too, we're also talking about people using output spam for steg afterall 16:52:59 I'm not super sure how things scale as XMR price increases since fees are priced in XMR without respect to dollar price but like, rn a standard TX is like 0.007 USD 16:54:25 which if you compare the size of a Monero transaction to a bitcoin transaction, about 10x larger, that's on some level the same as if bitcoin had fees that were 7 hundredths of a cent 16:54:37 it's ludicrously low imo 16:56:54 it's very low because tx volume is still in the minimum-size buffer zone, which exists to ameliorate wide volume swings when adoption is low 17:01:50 BawdyAnarchist: IIRC the loose proposal being discussed would do the statistical checks at the node tx relay level, not consensus. Just like min fee is now. So you are "on the right track" :) 17:37:00 Thanks for fielding my pleb questions 17:45:09 my understanding is that even when we get above minimum block size, the system is designed for fees to stabilize approximately where they are now, and for higher fees to be mostly during sudden TX volume increases. is that wrong 18:10:15 that's correct 18:11:04 ok I'm not sure what you were trying to say about the minimum-size buffer zone then 18:13:14 There's plenty of space for everyone, and the max block size gets no shrinking pressure. 18:13:36 It would if it were above 300000. 18:17:33 true. so fees would average higher than now for that reason? 18:18:49 If there were pressure and people tried to pay more to get in first. 18:19:11 During block size expansion fees are higher. The fees at a high and stable tx volume will be significantly lower than they are now. 18:19:11 The fee per byte is proportional to 1/M_F, with M_F being the median for minimum fees calculated as min(M_N, M_L). 18:19:11 For example: At a stable 10M block size I believe the fee per byte would be approx. 2.27e-9, compared to the approx. 1.9e-8 it is now. 18:19:11 If there's pressure and everyone's fine waiting some, fees don't go up. 18:21:02 im having a hard time getting my head around "it's OK if we don't have tx uniformity" 18:24:43 * During block size expansion fees are higher. The fees at a high and stable tx volume will be significantly lower than they are now. 18:24:43 The fee per byte is proportional to 1/M_F, with M_F being the median for minimum fees calculated as min(M_N, M_L). 18:24:54 I think the situation is more like, we can't entirely prevent it, so should we keep the field for it to keep it from potentially poisoning outputs? also, less adaptable protocol 18:25:24 when you edit in matrix it reposts the whole comment on the IRC side 18:25:42 Ahh, got it. 18:25:49 but thx for the explanation 18:26:53 sure, but that would lean toward a mandatory tx_extra... if we can't prevent it. 18:27:20 random thought, I don't entirely understand how steg works in XMR, but would some sort of deterministic decoy selection close that hole 18:27:33 ok that's a fair take 18:31:02 and the "keep it as it is because it is the way it is" seems.... silly. That's not how you make protocol improvements. If that logic were true, we would've kept variable ringsizes 18:32:34 I don't think that will happen as long as consensus can happen for something else 18:32:59 You don't think what will happen? 18:34:09 and presumably, if steg (i.e., data stuffing) is still possible even without tx_extra, theoretically the protocol would still be adaptable. you could mod the relay rules to allow some payload as long as its linked to some stegged hook in the tx 18:34:15 LyzaL: steganography is basically impossible to prevent 18:39:31 While the subject of the dynamic block size algorithm is being discussed... if anyone is interested in creating animations to help explain it, I've been working on that with the end goal of creating a interactive graphical simulation.... (full message at ) 18:43:04 "LyzaL: steganography is basicall..." <- But it's possible to limit its scope and increase its cost, right? 18:44:11 I guess? it's pretty low priority from a protocol design standpoint 18:47:07 and you aren't going to get more than like 2-3x higher cost no matter what, which is pretty insignificant 18:51:35 UkoeHB: 2x-3x higher cost is already more than enough for the standard Monero implementation to outcompete anyone that wants to soft-fork through steg. 18:56:18 this whole social engineering game does not excite me 19:22:50 any decision we make regarding tx extra, fees, etc potentially affects user behavior so I don't see how it would be avoided, or maybe exactly what you mean by it 19:31:58 I know this sounds crazy ... could statistical checks be implemented by relays to check that outputs meet some very low threshold which all but ensures you'll avoid type I errors? 19:32:43 So, remove tx_extra; and then relays basically prevent the propagation of transactions with outputs that are clearly non-random 19:32:46 Monegro: Checking for what? 19:32:54 Some of the statistical checks you mentioned 19:33:46 Uniformity checks. Legit outputs should have a uniform distribution, no? 19:34:24 (also, full disclosure, I'm Bawdy. I just decided to use IRC instead of Matrix rn) 19:35:51 So the threshold would be set such that it's nearly guaranteed that there will be no false positives. But anyone trying to build extensibility via steg, wouldn't be able to reliably get their transactions through, because even tho some might get through, too many of them will be caught to be reliable. 19:36:29 It's a can of worms, to start. And if the steg was encrypted or even XOR'ed with some other random parts of the tx like jberman suggested in the long tx_extra Github issue, then a statistical check wouldn't work at all. 19:37:22 It's probably more robust to limit the outputs to two, which will also help with tx uniformity as per tevador 19:38:08 This can't be done now, however, as tx chaining is only possible post-seraphis. 19:38:20 Seraphis doesn't directly fix the 10 block lock by the way. Alex, I think you implied that above in arguing for limited to two outputs. 19:39:14 Rucknium: tx chaining doesn't necessarily require fixing the 10-block-lock, those are distinct issues AFAIK. 19:39:39 UkoeHB: would you comment? ^ 19:40:09 so with a post-ringsig proof (full membership), do the fungibility implications of tx_extra go away? 19:40:53 gingeropolous: Only if tx_extra is mandatory and fixed size and somehow uniform. 19:41:22 but when you go to make a tx in post-ringsig monero, you don't reference a specific set of enotes 19:41:31 But if people using steg for extensiblity are now required to encrypt their outputs, doesn't that remove one of the primary negatives regarding output poisoning? 19:41:33 gingeropolous: IMHO, not entirely because you can accidentally or purposely fingerprint yourself in tx_extra. Global membership or not, a unique user-level fingerprint would destroy privacy. 19:42:59 sure, in the generation of txs, but in a global membership, you don't reference specific enotes ... (?) 19:43:02 But yes if a user is using a standard not-fingerprinting wallet w/global membership proofs then they are not impacted much from the fingerprinting txs. There is not the output poisoning externality 19:43:35 roight 19:44:00 Or how about implementing a uniformity check when constructing rings? As a simple means of avoiding poisoned outputs? 19:44:07 At the wallet level 19:44:44 yeah i seem to be more concerned with tx linkability than fingerprinting in my thoughts on tx_extra 19:45:46 or traceability. being able to tell which enote is the real one 19:45:55 Monegro: You mean "avoid suspicious outputs"? Maybe there is already a spent outputs database builder in the code that could be extended. But recently I think tobtoht suggested it be removed. 19:46:35 It's complicated since right now the daemon only tells the wallet basic info about the available outputs. Would require some engineering effort 19:46:52 gingeropolous: Both of those measurements are intertwined: bad fingerprintability makes for bad linkability 19:46:52 to do the picking on the wallet side 19:48:11 right. which is why the thought "tx nonuniformity is fine" still makes my head hurt. 19:48:36 (continuing to go out on a limb) with the statistical check of outputs, there would need to be a large enough sample of bytes/bits in the output public key(s). Are there enough? Probably not. 19:50:32 Let's suppose for a moment that people using steg are more likely to use multiple outputs. It's starting to run into complexity, but supposing that such a uniformity check was applied only to transactions with say ... 4 or more outputs, and renders the check on the concatenated set of outputs. 19:51:06 Now you're x4 on the number of bits. 19:51:49 Again, only at the wallet level. A user-level mitigation against poisoned outputs, in the case that tx_extra is removed. 21:10:25 One problem with pushing people who want to work-around a size constraint or 21:10:29 removal of tx_extra (e.g. steganography in fake outputs), is that we 21:10:31 may end up having to ensure all outputs are actually on the curve so as to 21:10:34 avoid fingerprinting. That would be more problematic in terms of verification 21:10:38 cost. Enforcing a uniform distribution of a constrained size tx_extra I posit 21:10:48 would be preferable. 21:13:39 jtgrassie: What is "the curve"? 21:14:20 outputs are curve points 21:15:35 Thus I now lean toward the various B (2,3,4) options. 21:17:24 (e.g. encrypted tx_extra, though I have no strong preference to fixed size / optional) 21:26:06 "avoid fingerprinting. That would..." <- In that case you should be in favor of limiting outputs to 2, not tx_extra. 21:27:22 If we go with A (removal), I think we'll end up having to make steganography 21:27:25 harder, which will mean more verification overhead at relay. 21:27:47 And yes, restricting output count is one way to make steg harder. 21:28:04 (harder / more costly) 21:29:40 How would limiting outputs to 2 increase the verification overhead? 21:30:27 It wouldn't. When I mentioned verification cost I was refering to checking outputs are actually valid curve points. 21:31:07 Limiting to 2 outs makes doing steg harder, but removes the ability to perform batched transactions. 21:33:10 (batched txs are commonplace for exchanges and pools) 21:37:05 if the number of outputs is limited to 2, sweeping/churning will require a lot more txn 21:38:06 hbs[m]: no it wouldn't, a sweep takes any number of inputs but creates 1 output. 21:39:32 (1 and a dummy) 21:41:16 sweep_all can be instructed to produce a specified number of outputs, very handy to split a large output into 16 smaller ones 21:41:35 sweep_single sorry 21:41:42 That's true, yes. 21:42:02 I forgot! 21:42:36 So, 2-outs restriction has 2 issues: 21:42:49 1) no more batched txs 21:43:21 2) no more ability to split a large output into multiple small outs 21:45:59 it will also significantly increase the spent fees 21:46:30 which is a consequence of the two points you mentioned 21:47:09 yes, and for the honest user (e.g. someone using Monero as p2p cash) 21:48:32 https://mordinals.org/item/101 21:49:25 Hence why I now prefer keeping tx_extra, but encrypted + size constrained. 21:50:38 We have to close the gap of (ab)use of the blockchain for non-financial txs, but not at the expense of honest users. 21:52:01 By keeping the field but size constrained and encrypted, people can still ab(use), but not at the expense of privacy or cost to honest users. 21:52:52 that would still allow to go the stego way and poison outputs right? 22:18:40 yes, but it allows a safer way to experiment 22:19:12 Preventing steg is impossible. IIRC valid curve points aren't actually that rare to find in random 32 bytes (50/50 I think?), so ensuring that outputs are valid curve points doesn't help anything. And enforcing 2 outputs just delays the problem... people could still spam chained transactions. So you quite notably damage user experience while simultaneously increasing the load on the network due to having multiple 22:19:12 transactions which could have been batched as 1. 22:20:10 politicalweasel[: indeed, steg would still be possible 22:20:55 but an encrypted size constrained tx_extra provides a safer way to experiment 22:21:38 yes, I am strongly in favor of option B3 (optional, fixed-size tx_extra) 22:23:18 my only hesitance with a fixed size (vs optional or 0-CAP) is it dictates growth where none may be required 22:25:01 Yeah I mean optional 22:25:08 transactions would either have 0 or 256 bytes 22:25:22 (or whatever arbitrary number is chosen) 22:27:21 gotcha, yes, I still prefer even B4 to A, but B2 or B3 over B4 22:35:59 B3 was optional fixed length encrypted by default, from the current discussion it seems it is rather mandatory encryption that has the greatest consensus, or at least with a satisfactory result to a yet to define statistical test 22:53:14 Encryption should be done by default and yes maybe we should even have some statistical check, but that won't actually stop anyone who really wants to put public data there. In practice it would be more of a "strong recommendation" rather than something which can be actually enforced. 22:53:56 a statistical test shouldn't be that difficult or costly to enforce 22:54:48 ordinals allowed custom tokens on btc right 22:54:52 yeah but a simple XOR and that all goes down the toilet 22:55:04 monerobull[m]: can the same be done with the currend morbs 22:56:34 politicalweasel[: true, but an enforced statistical randomness test certainly helps 22:57:07 XOR maybe a weak form of encryption, but it's better than nothing 22:58:23 point being, from a uniformity perspective, an enforced statistical test should suffice 23:00:07 I'm not opposed to a statistical test as long as it doesn't notably impact verification time. My point was just that it's not bulletproof. 23:00:20 monerobull[m]: morbs would still be possible, yes, but at least they wouldn't harm privacy of others 23:01:40 im talking about "fungible" morbs like how there are tokens based on ordinals on btc now 23:01:40 politicalweasel[: exactly and agreed. a statistical test over a small field (256 or 1024 bytes) is going to be fast 23:13:36 XOR with a one time pad is the über form of encryption, which as a matter of fact can ne used extensively for plausible deniability, i.e. any tx_extra can be proven to be the encrypted form pf anything with the correct one time pad 23:17:21 very true 23:20:34 a statistical test of randomness will suffice our needs 23:21:18 (for passing a sniff test of encryption that is) 23:58:44 "Limiting to 2 outs makes doing..." <- Which is why I only suggest limiting to 2 outputs after we have chained transactions, which is possible in Seraphis as per UkoeHB