15:31:25 MRL meeting in this channel in 1.5 hours. I hope the monero.social Matrix server is fixed in time for the meeting. Thanks, admins :) 17:00:11 Ready. 17:00:31 Sending from Matrix. Message visible? Please confirm. 17:00:41 Pong 17:00:52 Meeting time! https://github.com/monero-project/meta/issues/966 17:00:55 Alex | LocalMonero | AgoraDesk: Yes 17:00:58 1) Greetings 17:01:05 Hi 17:01:10 hi 17:01:12 Howdy 17:01:13 Hello 17:01:26 hi everybody 17:04:22 2) Updates. What is everyone working on? 17:04:48 me: OSPEAD. And some empirical analysis of unlock time...posting....now 17:05:45 Working on seraphis tx serialization 17:06:33 me: locking mechanism for blockchain.cpp 17:07:32 Discuss: Removing/Fixing/Encrypting monero's timelocks https://github.com/monero-project/research-lab/issues/78 17:08:10 I can give a short report about my contribution, a Reddit post: https://old.reddit.com/r/Monero/comments/1amomjj/timelocks_let_us_finally_retire_a_rarely_used_and/ 17:08:21 We don't have to decide on time locks today. I hope we can finish discussion by 18:00, but if we really need it we can extend the time to 18:30 at teh most. 17:08:43 Thanks for current usage stats Rucknium 17:09:06 The post got a fair share of attention and comments. Noteworthy are the 99% upvotes 17:09:36 I didn't actually count, but I would guess 8 or even 9 out of every 10 comments are pro removal 17:10:04 IMHO nothing really surprising surfaced, e.g. a novel use of timelocks that so far nobody ever thought of 17:10:29 Here are the usage stats and some estimates of the privacy impact on users who are creating txs with custom lock times: https://github.com/monero-project/research-lab/issues/78#issuecomment-1944249619 17:10:30 Well, that's not a guess, more of an estimate about reading everything 17:11:24 If I may, I'd like to point out how we use timelocks occasionally and how to us it's a good feature. 17:12:24 Sometimes, we ban a certain user permanently from our platform. Sometimes, that user tries to return to the platform. We catch them and warn them not to return again or there will be consequences. 17:12:39 On usage, I have findings that are similar to what TheCharlatan found many years ago. 95% of custom unlock times have no effect since the wallet developer(s) do not understand that block height is absolute. And I have new findings on the privacy impact. The real spend can be correctly guessed in 34-91% of the custom unlock times that I evaluated. 17:13:47 They ignore us and return to our platform. In these cases, we take the XMR that they placed in the arbitration bond and send it to them in a timelocked transaction to disincentivize them from trying to return again. 17:14:05 It's quite effective. 17:14:12 It could be that the developers DO understand that the height is absolute, but they're putting other meta information in that field 17:14:24 USDT can even close accounts. Also effective lol 17:15:04 The fact that you can punish people (deserving or not) is terrible 17:15:09 So this is a "light punishment" use of custom unlock time. Instead of extreme punishment of not sending them any XMR at all. 17:15:32 Well, that does have a novel edge, as far as I am concerned 17:16:36 Could there be a compromise? Maybe wallet2 can consider custom-locked outputs as "not received" by default. Depends on how much other wallets follow wallet2 I guess. 17:16:51 But anyway, I think we should be careful, it's not only the question whether those timelocks have uses - they have - but whether they are net positive 17:17:27 Additionally, I can think of cases where a person might know ahead of time that they will be entering a dangerous situation (travel, jail, mandatory conscription, etc) and want to ensure that their coins will not be spent until they are out of the situation, so they send themselves a timelocked tx. 17:17:43 localMonero's use case can be replicated by choosing to send the funds later or sending to a time lock puzzle 17:18:18 That use case too can also be solved with a time lock puzzle 17:18:55 Yeah, and like the use case with rents, subscriptions and similar pay-ahead things: Very dangerous if circumstances change, and the XMR absolutely can't 17:18:58 Choosing to send the funds later is quite problematic as the person might start to claim that we never intend to send them and start some sort of reputation damaging action. A timelocked tx prevents that. 17:20:31 You could send the funds to them in a time lock puzzle and prove that thr y will be able to access the funds after s bounded amount of computation 17:20:35 The main concern with timelocks is that it's tx-based and not output-based, which, I agree, can lead to serious problems if the person utilizing them is not aware of this and doesn't send the desired timelock to a separate wallet first to ensure separation. 17:20:52 Well, can't they claim coercion, which also can be an offense, and damage your reputation nevertheless? 17:21:34 Their claim won't have credit since there are records of them being banned and warned not to return. 17:22:04 You'll have to PM me with the details about the time lock puzzle, not sure how to implement it. 17:22:11 You have the same records if you just send them later ... but whatever. 17:22:42 Wheres the sense of power/control in that? 17:22:50 We have the same records, but while the coins are with us the person can still claim we're just keeping them. With a timelocked tx they can't. 17:22:59 Are you aware of someone applying it in Monero? 17:23:03 Fair enough. 17:24:19 The way I see the matter after reading the comments on Reddit and on jeffro256's PR https://github.com/monero-project/monero/pull/9151: Yes, there are certainly usecases, but for me they in no way outweigh the negatives 17:25:14 The main concerns with time locks for 99.9% users is that 1) receiving time locked funds leads to confusion why it isnt spendable 2) you can't pick locked decoys which degrades on chain privacy and makes making non fingerprint able decoy selection harder 3) you cant pick locked decoys which can open you up to privacy attacks from an untrusted daemon 4) it makes transactions less u niform which degrades on chain privacy 17:25:17 By the way, I reviewed that PR, looks good, it would probably no problem to activate it 17:25:41 (technically) 17:25:48 I also disagree over the notion that this is especially unintuitive for developers. Even bitcoin has timelocks. It may be a question of a lack of documentation, but to me it seems rather weird that a developer scanning for deposits to the wallet using the JSON-RPC would just completely ignore the "unlock_time" parameter staring right at him. Perhaps the dev is very inexperienced. 17:26:55 jeffro256: Isn't (2) and (3) true for coinbase txs, which have a 60 block lock? I checked a few block heights. The share of the probability mass of the decoy selection algorithm "blocked" by coinbase lock time is 0.2% to 2.0% 17:26:56 No but you could do this completely off-chain, no hacky consensus rules required 17:28:05 The unintuitive part is that the lock is per TX as opposed to per output. 17:28:07 ^ At least one Monero payment channel proposed protocol uses time lock puzzles. Did they write the code to implement it? I don't think so. 17:28:17 Some devs use monero libraries which may not unlock_time aware 17:28:41 Yes 17:28:53 "unintuitive" is a very mild name for a completely braindead and borderline-unusable design, IMHO 17:29:06 The problem with this PR not disabling with a hardfork is that devs are more likely to not care about unlock_time 17:29:49 Well, that's probably a separate discussion, should be reach consensus to remove the feature at all 17:29:55 *should we 17:30:34 However, if you were going to use a feature which picks non-coinbase anyways like that PR I wrote, you would be able to tell where an output is coinbase unlocked before you even request it based on its height 17:30:38 I'm not here to say that timelocks are essential, I'm merely offering our usecase for it, as it seems that nobody else could come up with usecases. 17:31:14 If jeffro256 could explain to me how to implement the time lock puzzle then our usecase won't be relevant anymore. 17:31:19 Mochi101 recently found many big instant swap sites unaware of unlock time. We then added a red warning to the rpc docs 17:31:32 FWIW, the privacy problem scales up with usage. Right now usage of custom unlock time is very low. Nonstandard txs fees, which about 5% of txs use now I think, are a much bigger problem. 17:31:38 Nobody indeed came up with that, as far as I could see. But earlier discussions are full of mentions of "self discipline" approaches, for example 17:32:35 Or as already mentioned subscriptions, regular "payouts" (unlocking in waves, so to say) cases 17:32:44 But that's about it. 17:32:52 For me localmonero being able to punish people is precisely a reason to remove it 17:33:00 lol 17:33:46 The ability to punish can promote good outcomes. That's about half of game theory. 17:34:22 With respect to big instant swap sites, their devs are probably subpar. Seeing the unlock_time in the API is trivial and given that timelocks are present most cryptos it's not something that they'd never think about. Sounds like a bad library or something. 17:35:16 The best use case for unlockntime.isnt going to "save" it if its provably broken and bad for privacy 17:35:26 Sure. If all were roses with timelocks except that subpar devs don't understand them, then yeah, let's start an education push. But that's not the case. 17:35:33 If I find a library that does it already I will send it to you. The general idea behind the math is pretty simple tho: you basically just make a small RSA ring and then try to brute force the secret key. It can be provable before you do it that there is 1 solution because of the way RSA is structured 17:35:34 Yeah it's not like we're out to get people. We just want various types of exploiters to stay away from our platform. This is a minimally invasive and soft way of effectively doing it. 17:37:06 Our devs were aware of timelocks in XMR from the getgo, way back in 2017. So are most devs I feel. Again, I'm not here to judge people, and I agree that simpler is better. I'm just saying that timelocks are not weird in crypto. 17:37:42 It sounds like we may have a viable compromise if a time lock puzzle protocol is implemented for Monero. (But that costs labor time.) 17:37:43 Now, just because something is not weird in crypto doesn't mean it's desireble in XMR 17:37:49 Maybe it turns out like with those "Mordinals": On our own we couldn't reach consensus about removing or limiting tx_extra. It took an actual attack to move us. 17:38:06 Even the argument that subpar devs are unaware of it doesnt matter.. it is broken and bad for privacy 17:38:28 Maybe somebody should send around thousands of timelocked dust transactions to all ecosystem players ... 17:38:37 Does Bitcoin or its cousins have the same type of time lock as Monero? They have a different type, I know. But they also have one like Monero? 17:39:23 That's fine. I'm cool with the removal. The simplicty and privacy of the XMR protocol is more important than our use case. I just wanted to mention it. 17:39:34 I don't know, but you would think there must be stories like locking for thousands of years by accident then, which I *never* heard 17:39:43 rbrunner: I don't think dust amounts will matter much. The problem happens when you think you have a legitimate large payment for something and take action based on that false belief. 17:40:12 There's a per-address timelock. Meaning you send BTC to a p2sh address where the script says you can only spend the coins at this address after a certain time. 17:40:30 rbrunner IIRC, you can only lock for 4 years maximum without re-compiling the binaries. So, it's hard to do accidentally 17:41:01 Yes, it would need a dedicated attacker, just any script kiddie won't do 17:41:55 Anyway, I surely hope that we will reach consensus on our own this time, without anything bad happening first of course 17:42:41 Maybe a year ago someone said they were paid 10's of XMR in a locked tx. In #monero I think. It's not just a theoretical risk. 17:42:53 I think that non-consensus on tx_extra limits are forever in the blockchain in the form of a few gigabytes of Mordinals rubbish :) 17:42:58 plowsof, do you remember? 17:43:42 It was an owner of a swap site iirc .. basically a competitor draining their reserves 17:44:38 This exact exploit was an immediate consideration for us when we were originally developing our platform. It's trivial to sidestep - just read `unlock_time`. 17:44:54 https://libera.monerologs.net/monero/20230119#c191161 "Hello everyone, I have an exchanger connected to a Monero server. 2 days ago, I saw that 133 Moneros were blocked in my account for a period of 4 years. How is this possible?" 17:45:10 Was btcpaysever unlock time unaware 17:45:28 AFAIK, we have no guides about how to make a Monero wallet. 17:46:18 From what I have seen, I would guess that most "third-party" code that receives XMR isn't aware of lock time. Or at least that was the state a year+ ago. 17:46:22 Well, as I said, even with perfect documentation and no more subpar devs around ever timelocks *still* have grave problems 17:46:24 Yeah, a unified guide of "what to worry about when integrating XMR" would solve most of this I think. 17:46:49 However, rbrunner is right. If it's a hazard to privacy it should be removed, just like tx_extra. 17:48:46 The use cases are motivation for a fixed/real solution 17:49:12 I never used timelocks so my opinion is irrelevant but I would be in favor of disabling it (for the sake of privacy) for future transactions but not void the current ones that uses it. I think a robust and easy to use multisig would fix many of the timelock issues. One could simply trust a 3rd party (which could be himself) to relay his tx when the time comes. Another example woul d be using google that offers the possibility to send messages after some inactivity time in your account. So basically there are many ways to handle when to send a transaction in the future that dont need to be on-chain. 17:49:24 That discussion with the victim of the locked XMR on monerologs.net is gold ... 17:51:23 Maybe we should use the remaining regular 10 minutes of meeting time for an attempt to find out where we stand, and where we go from here, i.e. after this meeting? 17:51:31 One or both of Trezor and Ledger had an unlock time "vulnerability". 17:53:45 I think that existing timelocks should be honored, but for the sake of simplifying XMR and strengthening privacy they should be removed, assuming that time lock puzzles are a practical solutions as jeffro256 says. 17:53:49 In any case, as mentioned, at least coding is almost done. A second review would probably be good. 17:54:37 I'm of the same opinion: no more new non-zero tx unlock times, but honor the old unlock times. 17:54:57 I don't think we should ask jeffro to implement time lock puzzles because he is working on tasks with higher priority. But if we could have the off-chain time lock puzzles working, that would be a good compromise. 17:54:59 Ditto 17:55:15 Not honoring the existing timelocks will lead to a crisis of confidence. If the XMR protocol won't honor one contract, why would it honor others? 17:55:46 Yes. I don't think anybody voted for removing all locks, period. 17:56:09 The "Free the locked XMR" movement :) 17:56:10 I wanted to talk about a slight change to the unix-time-based unlock times: Secondly, I want to toss up the idea of a small modification to the consensus rules also related to the unlock time. In short, I want to make Blockchain::get_adjusted_time() monotonic (barring reorgs) on the next network upgrade. The reason for this is that if you have time-locked outputs in your input rin gs, decoy or true-spend, and you send a transaction into the mempool, it may be accepted now but actually be invalid for several blocks based on the timestamps of the new blocks on top of the chain pushing the value of Blockchain::get_adjusted_time() into the past. This is because of these lines: https://github.com/monero-project/monero/blob/059028a30a8ae9752338a7897329fe8012a310d 5/src/cryptonote_core/blockchain.cpp#L4029-L4035. They take into account the latest block timestamp instead of only the median timestamp, and take the minimum between them. If we only make the adjusted time a function only of the median timestamp, we will have a monotonic clock since the median timestamp increases monotonically. This means that if any transaction output is unlocke d now, it will always be unlocked in the future if there isn't a reorg. 17:56:23 From this comment: https://github.com/monero-project/meta/issues/966#issuecomment-1936243293 17:58:34 It might not be worth the effort, but it make the behavior of the like 8 locked transfers more reliable 17:59:08 Maybe xFFFC0000 would be ready to look into these puzzles? So jeffro256 can continue with his indeed essential things. 18:01:12 Sure. I can take a look. But keep in mind mooo asked me to take a look at locking for blockchain.cpp and I am right now working on fixing locking mechanism on blockchain.cpp. Right after than I can jump into the puzzle thing. which should not take long. 18:02:05 Nice. 18:02:39 Thanks for taking care of our usecase guys <3 18:02:51 All in all, things look a lot less controversial than back then with tx_extra. Maybe we will succeed this time. 18:03:14 Would monotonic block time help anything else besides unlock time? And "Median timestamp increases monotonically" is that because of consensus rules on how much mined blocks' timestamps can differ from neighboring blocks? 18:03:48 No. Yes 18:04:36 AFAIK, the downside of time lock puzzles is that time-to-solution depends on CPU speed, so it's not as precise as depending on block height. But for a "punishment" use case, that is probably not a problem. 18:04:37 new incoming block timestamps cannot be less than the median of the last 60, which increases median of the next 60 18:05:29 Yes for punishment and self-control use cases, which is most, the time doesn't have to be exact IMO 18:07:01 I think we don't have to extend the meeting time. The result is that xFFFC0000 will evaluate implementing an off-chain time lock puzzle as a compromise, when he has time. 18:07:37 There's another couple of things id like to discuss if people are willing 18:08:01 From that same comment I linked: Thirdly, I'd like to discuss disallowing v1 transactions for "unmixable" input amounts in the next network upgrade. The reason for this is that the output amounts of v1 transactions obviously aren't confidential, which reduces overall network privacy. And since CLSAG signatures can still work on a ring of size 1, this shouldn't lead to anyone havin g their dust locked like with MLSAG signatures. There have only ever been 462 v1 transactions since Hardfork v6 in September 2017 as of the time of this writing. 18:08:24 Ok we can continue 18:08:43 Looks like stuff for a handful of meetings, if done carefully, IMHO. 18:09:29 We can end the meeting officially and discuss this laster 18:10:18 Ok. --- Meeting end --- 18:12:11 Thanks everyone 20:56:14 For the record, I did not ask xFFFC0000 to look at locking. xFFFC0000 asked for ideas I thought would be good to work on. I'm perfectly ok if something else is done instead. 20:56:39 I confirm. 23:09:40 Sorry for missing the meeting today - I've been working on "hardening" the ZMQ message handling in LWS. I put the trust-on-first use in the wallet off for now (until another PR gets merged) 23:10:10 thanks for doing that zmq stuff 23:10:12 the hardening hit a blocker on it not really being completely feasible either, without some more painful changes 23:10:15 i notice crashes 23:10:54 in LWS? 23:11:03 yep 23:11:08 I mentioned them on GitHub 23:11:14 been happening for a couple years now 23:11:27 i'm not sure if it's my OS configuration .. but I saw others reported the same issue 23:12:07 ok lets keep that discussion to github, and not in this research room (slightly off topic) 23:19:13 then why mention it lol 23:19:21 you often talk about lws here 23:20:18 do you know what I would really be curious about as far as research goes is investigating an actual solution for some of the spend patterns that are not safe yet quite justified in Monero 23:20:24 i've also talked about those on GitHub 23:20:33 I mentioned it years and years ago that this would be an issue and we also have issues with time locks 23:20:44 Yeah, when I brought up things like the dlsag and paymo research before 23:21:04 the founder of a competing scriptable privacy coin replied to me with a bunch of bs then ghosted 23:21:10 sadly others bought it i think 23:21:28 it was odd timing, all of that. i wonder why we dont get excited hearing about that research 23:21:39 i think the demand is clear 23:22:03 i also think it's likely the next step for any privacy coin to be able to handle some of the unsafe justified spend patterns 23:22:44 yet quite -> yet but quite 23:24:39 a bunch of bs , that is, discouraging monero from pursuing that line of development 23:24:42 like, what a surprise 23:24:53 he claimed it wasnt something monero ought to try to solve 23:25:23 clearly, private partial scriptability on some order *is* the solution 23:25:43 it's amazing how people claim that they're not trying to dictate the direction of the technology when the facts clearly disagree 23:26:35 we can take the slow way there by ignoring emerging new techniques and generate even more metadata to analyze later - or we can wake up 23:27:12 personally i dont like having the project stolen away from the actual people by those who actually have conflicts 23:27:25 not that anyone here gives a sh anymore 23:29:12 those people running some competitor ICO aren't gonna show back up here and say oh sorry guys we were just kidding, we just said that to delay you, so that our shit would seem more initially competitive 23:29:19 and that's all it takes to kill a project unfortunately sometimes 23:29:24 probably too late anyway