Bitcoin Forum

Alternate cryptocurrencies => Altcoin Discussion => Topic started by: MajidBC on August 04, 2014, 04:57:06 PM



Title: Anonymity
Post by: MajidBC on August 04, 2014, 04:57:06 PM
One of the bitcointalk ads says:
"Even if you use Bitcoin through Tor, the way transactions are handled by the network makes anonymity difficult to achieve. Do not expect your transactions to be anonymous unless you really know what you're doing."

In your opinion, which coin really has anonymous transaction? Is total anonymity possible at all?


Title: Re: Anonymity
Post by: enerbyte on August 04, 2014, 05:06:51 PM
Boolberry is anonymous.

http://www.slideshare.net/boolberry/boolberry-solves-cryptonoteflaws-37055246


Title: Re: Anonymity
Post by: fluffypony on August 04, 2014, 06:25:44 PM
It's well known that Monero (the largest CryptoNote-based coin) provides cryptographically unlinkable and untraceable transactions, a trait it shares with all of the CryptoNote-based coins.

One of the points that is often not mentioned with the Bitcoin-forked altcoins that claim anonymous transactions is that you have to give out your recipient address to receive coins. The process in-between may protect the sender, but if the receiver's address is found (eg. mentioned on a forum or on IRC once) the receiver is at-risk, since it can be seen that they received a transaction of a certain amount.


Title: Re: Anonymity
Post by: MajidBC on August 05, 2014, 06:58:57 AM
Boolberry is anonymous.

http://www.slideshare.net/boolberry/boolberry-solves-cryptonoteflaws-37055246

I've never heard of it. I'll take a look at it.


Title: Re: Anonymity
Post by: MajidBC on August 05, 2014, 07:01:18 AM
It's well known that Monero (the largest CryptoNote-based coin) provides cryptographically unlinkable and untraceable transactions, a trait it shares with all of the CryptoNote-based coins.

One of the points that is often not mentioned with the Bitcoin-forked altcoins that claim anonymous transactions is that you have to give out your recipient address to receive coins. The process in-between may protect the sender, but if the receiver's address is found (eg. mentioned on a forum or on IRC once) the receiver is at-risk, since it can be seen that they received a transaction of a certain amount.

I'm not familiar with CryptoNote-based coins. I should search about it.

Certainly the second point you mentioned is true.


Title: Re: Anonymity
Post by: aminorex on August 05, 2014, 07:48:09 AM
Monero offers unparalleled priquidity.  I made that up.  I'm proud of it.  (privacy * liquidity) = priquidity.  I also haven't slept in too darn long.


Title: Re: Anonymity
Post by: boxuser on August 05, 2014, 10:13:31 AM
Credits CRD will be the most safe and secure way to go; it will also have an integrated decentralized exchange.
https://bitcointalk.org/index.php?topic=634403.0

Video to upcoming 2.0 version http://vimeo.com/100148381


One of the bitcointalk ads says:
"Even if you use Bitcoin through Tor, the way transactions are handled by the network makes anonymity difficult to achieve. Do not expect your transactions to be anonymous unless you really know what you're doing."

In your opinion, which coin really has anonymous transaction? Is total anonymity possible at all?


Title: Re: Anonymity
Post by: MajidBC on August 05, 2014, 12:05:28 PM
Monero offers unparalleled priquidity.  I made that up.  I'm proud of it.  (privacy * liquidity) = priquidity.  I also haven't slept in too darn long.

That's a good word: priquidity. If you say it somewhere, people will think you are an expert.
Btw, I'm just studying about Monero.


Title: Re: Anonymity
Post by: MajidBC on August 05, 2014, 12:11:45 PM
Monero offers unparalleled priquidity.  I made that up.  I'm proud of it.  (privacy * liquidity) = priquidity.  I also haven't slept in too darn long.

That's a good word: priquidity. If you say it somewhere, people will think you are an expert.
Btw, I'm just studying about Monero.

It really seems a good coin. I have a question. What is "Adaptive parameters" under Features here:
https://bitcointalk.org/index.php?topic=583449.0

This part is interesting:
Unlike Bitcoin, your funds are not held in the address you give out to others. Instead, every time you receive a payment it goes to an unlinkable address generated with random numbers. When you decide to spend the funds in that one-time address, the amount will be broken down and the components will be indistinguishable from identical outputs in the blockchain.


Title: Re: Anonymity
Post by: MajidBC on August 05, 2014, 12:20:00 PM
Credits CRD will be the most safe and secure way to go; it will also have an integrated decentralized exchange.
https://bitcointalk.org/index.php?topic=634403.0

Video to upcoming 2.0 version http://vimeo.com/100148381


One of the bitcointalk ads says:
"Even if you use Bitcoin through Tor, the way transactions are handled by the network makes anonymity difficult to achieve. Do not expect your transactions to be anonymous unless you really know what you're doing."

In your opinion, which coin really has anonymous transaction? Is total anonymity possible at all?

I also have a question for you. Can you please explain to me what "Decentralized marketplace" under Features means?


Title: Re: Anonymity
Post by: arcanum on August 05, 2014, 12:35:31 PM
Monero is the best anon coin hands down.


Title: Re: Anonymity
Post by: fluffypony on August 05, 2014, 12:51:22 PM
It really seems a good coin. I have a question. What is "Adaptive parameters" under Features here:
https://bitcointalk.org/index.php?topic=583449.0

This part is interesting:
Unlike Bitcoin, your funds are not held in the address you give out to others. Instead, every time you receive a payment it goes to an unlinkable address generated with random numbers. When you decide to spend the funds in that one-time address, the amount will be broken down and the components will be indistinguishable from identical outputs in the blockchain.

The adaptive parameters are discussed in the CryptoNote whitepaper - a good starting point is our annotated version of the whitepaper (the annotations are raw, so just ignore the occasional piece of snark;) that you can grab here: http://monero.cc/downloads/whitepaper_annotated.pdf - a lot of it is around hard-coded constraints in Bitcoin and Bitcoin clones that are adaptive or flexible in Monero.

One of the key features that makes privacy inherent in Monero is, as you pointed out, stealth addresses. You only have one "address", which is not an address in the Bitcoin sense of the term, and when funds are sent to it the address is unpacked and the resulting key combined with random data to compute the destination for a particular output. This means that it's impossible to inspect the blockchain and find someone's balance, and if your address is leaked there's ostensibly no way for blockchain analysis to confirm whether or not you received funds to that address.

Of course, there are esoteric attacks that could reveal information about a sender or recipient, which is why ring signatures provide an additional layer of ambiguity. Basically, with ring signatures a transaction output is signed by you and by a group of random signatories (garnered from the utxoset, and the number of signatures is specified by you). Only one of these signatures is "true" (and that can be determined by the recipient), but to an outside observer they cannot determine which of the N signatures on an output is true, as they all appear to be valid.

Additional edge cases can and do exist that may "deanonymise" a group of signatures, but they are such extreme edge cases that they are not going to be a concern except where a sufficiently advanced and powerful attacker exists (and in that case they'd probably just beat you with a pipe wrench till they get your privkey and can access everything anyway). There have been suggestions such as enforcing a minimum mixin, and there's an interesting discussion on the pitfalls of such a system on the CryptoNote forum (https://forum.cryptonote.org/viewtopic.php?f=12&t=239) if you're interested. Ultimately there are many, many things outside of Monero's control that are more likely to unmask someone, such as them being caught physically receiving a marked package at the post office, but for the purposes of most transactions Monero provides a 100% working system in which transactions are cryptographically unlinkable and untraceable.
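
The stealth-address derivation described in the post above, as an added example (not code from the post or from Monero): it follows the CryptoNote whitepaper's one-time key formula P = Hs(rA)G + B on Ed25519, from both the sender's and the recipient's side. Assumptions: SHA3-256 stands in for CryptoNote's Keccak-256, and the function names and the one-byte output index are illustrative, so the values are not compatible with real wallets.

```python
import hashlib
import secrets

# Ed25519 parameters (the curve CryptoNote builds on).
Q = 2**255 - 19                                       # field prime
L = 2**252 + 27742317777372353535851937790883648493   # prime order of G
IDENTITY = (0, 1)

def inv(x):
    return pow(x % Q, Q - 2, Q)

D = -121665 * inv(121666) % Q                         # curve constant d

def add(p1, p2):
    """Twisted Edwards point addition; the same formula also doubles."""
    (x1, y1), (x2, y2) = p1, p2
    t = D * x1 * x2 * y1 * y2 % Q
    return ((x1 * y2 + x2 * y1) * inv(1 + t) % Q,
            (y1 * y2 + x1 * x2) * inv(1 - t) % Q)

def mul(k, pt):
    """Double-and-add scalar multiplication (illustrative, not constant time)."""
    acc, k = IDENTITY, k % L
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def base_point():
    """Standard Ed25519 generator: y = 4/5, x recovered with even parity."""
    y = 4 * inv(5) % Q
    xx = (y * y - 1) * inv(D * y * y + 1) % Q
    x = pow(xx, (Q + 3) // 8, Q)
    if (x * x - xx) % Q:
        x = x * pow(2, (Q - 1) // 4, Q) % Q
    return (Q - x if x & 1 else x, y)

G = base_point()

def encode(pt):
    """32-byte point encoding: little-endian y with the parity of x on top."""
    x, y = pt
    return (y | ((x & 1) << 255)).to_bytes(32, "little")

def hash_to_scalar(*parts):
    """Hs(): SHA3-256 here as a stand-in for CryptoNote's Keccak-256 (assumption)."""
    digest = hashlib.sha3_256(b"".join(parts)).digest()
    return int.from_bytes(digest, "little") % L

def keygen():
    """Return ((a, b), (A, B)): private view/spend keys and the public address."""
    a, b = (secrets.randbelow(L - 1) + 1 for _ in range(2))
    return (a, b), (mul(a, G), mul(b, G))

def send_output(address, index=0):
    """Sender side: fresh random r per transaction, destination P = Hs(rA)G + B.

    Only (R, P) are published; the address (A, B) never appears on chain.
    The one-byte output index is a simplification of this example.
    """
    A, B = address
    r = secrets.randbelow(L - 1) + 1
    h = hash_to_scalar(encode(mul(r, A)), bytes([index]))
    return mul(r, G), add(mul(h, G), B)

def is_mine(a, B, R, P, index=0):
    """Recipient scan: needs only view key a and public B, since aR == rA."""
    h = hash_to_scalar(encode(mul(a, R)), bytes([index]))
    return add(mul(h, G), B) == P

def one_time_private_key(private_keys, R, index=0):
    """Spending needs b as well: x = Hs(aR) + b, so that xG == P."""
    a, b = private_keys
    return (hash_to_scalar(encode(mul(a, R)), bytes([index])) + b) % L

if __name__ == "__main__":
    alice_priv, alice_addr = keygen()
    bob_priv, bob_addr = keygen()
    # Two payments to the same published address (constructed sample run).
    outputs = [send_output(alice_addr) for _ in range(2)]
    for R, P in outputs:
        print("output", encode(P).hex()[:16],
              "alice:", is_mine(alice_priv[0], alice_addr[1], R, P),
              "bob:", is_mine(bob_priv[0], bob_addr[1], R, P))
    print("destinations differ:", outputs[0][1] != outputs[1][1])
```

An observer who knows the published address (A, B) but not the view key a cannot recompute Hs(aR), which is why a leaked address alone does not let them pick out the recipient's outputs.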


Title: Re: Anonymity
Post by: den.faulkner1990 on August 05, 2014, 01:44:46 PM
One of the bitcointalk ads says:
"Even if you use Bitcoin through Tor, the way transactions are handled by the network makes anonymity difficult to achieve. Do not expect your transactions to be anonymous unless you really know what you're doing."

In your opinion, which coin really has anonymous transaction? Is total anonymity possible at all?

I have researched this question for some time. There are a lot of people under each post who are trying to promote their own RealAnonCoin, but here is what I got:

Bitcoin mixer and shared transaction services - it looks like a real way only if you trust the service.
https://bitmixer.io/index.html - one of them

Darkcoin - Masternode technology. Popular, interesting and expensive if I got the info right (10% for darksend).
https://bitcointalk.org/index.php?topic=724083.0 look here - there is a lot of info and links about darkcoin technology

Bytecoin/Monero - cryptonight, ring signatures. If you want to look at this kind of coin, just read about Cryptonight and ring signatures, not about a concrete coin.

There are a lot of "truly anonymous" coins with Guy Fawkes but they look unserious to me.


Title: Re: Anonymity
Post by: counter on August 05, 2014, 04:36:30 PM
If you're asking in a present tense then I'd say a cryptonote coin like Monero.  I'm a believer that coins like XC, DRK and others have real potential.  That shouldn't be ignored and are worth taking the time to look into.


Title: Re: Anonymity
Post by: Brewins on August 05, 2014, 04:55:41 PM
If you want to stick with bitcoin, you can go to the "know what you are doing" path.

You'll need to know anyway, to decide if all the anoncoins around are really anons or not.


Title: Re: Anonymity
Post by: Este Nuno on August 05, 2014, 07:46:36 PM
Monero offers unparalleled priquidity.  I made that up.  I'm proud of it.  (privacy * liquidity) = priquidity.  I also haven't slept in too darn long.

This should be Monero's new slogan!


Title: Re: Anonymity
Post by: aminorex on August 06, 2014, 05:47:33 AM
Priquiditas pro populum.  (Quidquid latine dictum sit, altum videtur.)


Title: Re: Anonymity
Post by: Este Nuno on August 06, 2014, 06:20:00 AM
Monero: Priquiditas por homoj.

Keeping with the theme, esperanto sounds decidedly less profound unfortunately. :P


Title: Re: Anonymity
Post by: MajidBC on August 06, 2014, 06:26:56 AM
It really seems a good coin. I have a question. What is "Adaptive parameters" under Features here:
https://bitcointalk.org/index.php?topic=583449.0

This part is interesting:
Unlike Bitcoin, your funds are not held in the address you give out to others. Instead, every time you receive a payment it goes to an unlinkable address generated with random numbers. When you decide to spend the funds in that one-time address, the amount will be broken down and the components will be indistinguishable from identical outputs in the blockchain.

Basically, with ring signatures a transaction output is signed by you and by a group of random signatories (garnered from the utxoset, and the number of signatures is specified by you). Only one of these signatures is "true" (and that can be determined by the recipient), but to an outside observer they cannot determine which of the N signatures on an output is true, as they all appear to be valid.


Firstly, thanks for the comprehensive explanation. You said in the quoted paragraph "the number of signatures is specified by you". Of course, the bigger, the harder to find the sender, right? Is there any bound for it? And, where can I set that?


Title: Re: Anonymity
Post by: MajidBC on August 06, 2014, 06:38:29 AM
One of the bitcointalk ads says:
"Even if you use Bitcoin through Tor, the way transactions are handled by the network makes anonymity difficult to achieve. Do not expect your transactions to be anonymous unless you really know what you're doing."

In your opinion, which coin really has anonymous transaction? Is total anonymity possible at all?

I have researched this question for some time. There are a lot of people under each post who are trying to promote their own RealAnonCoin, but here is what I got:

Bitcoin mixer and shared transaction services - it looks like a real way only if you trust the service.
https://bitmixer.io/index.html - one of them

Darkcoin - Masternode technology. Popular, interesting and expensive if I got the info right (10% for darksend).
https://bitcointalk.org/index.php?topic=724083.0 look here - there is a lot of info and links about darkcoin technology

Bytecoin/Monero - cryptonight, ring signatures. If you want to look at this kind of coin, just read about Cryptonight and ring signatures, not about a concrete coin.

There are a lot of "truly anonymous" coins with Guy Fawkes but they look unserious to me.

Thanks for the response. I just read about Bitcoin mixer. It's an easy idea, but I guess its implementation is complicated. How much is the fee for it?

Darkcoin is way too expensive, as you mentioned.

Monero seems interesting to me.

Do you think governments will forbid anonymous transactions? For example, by forcing exchanges not to accept them.


Title: Re: Anonymity
Post by: MajidBC on August 06, 2014, 06:42:11 AM
If you're asking in a present tense then I'd say a cryptonote coin like Monero.  I'm a believer that coins like XC, DRK and others have real potential.  That shouldn't be ignored and are worth taking the time to look into.

Monero seems nice. Is it possible for you to explain the anonymity idea of XC in one paragraph? The original explanations are usually long.

By the way, nice profile picture! Are you smelling weed?


Title: Re: Anonymity
Post by: stealth923 on August 06, 2014, 06:50:01 AM
One of the bitcointalk ads says:
"Even if you use Bitcoin through Tor, the way transactions are handled by the network makes anonymity difficult to achieve. Do not expect your transactions to be anonymous unless you really know what you're doing."

In your opinion, which coin really has anonymous transaction? Is total anonymity possible at all?

I have researched this question for some time. There are a lot of people under each post who are trying to promote their own RealAnonCoin, but here is what I got:

Bitcoin mixer and shared transaction services - it looks like a real way only if you trust the service.
https://bitmixer.io/index.html - one of them

Darkcoin - Masternode technology. Popular, interesting and expensive if I got the info right (10% for darksend).
https://bitcointalk.org/index.php?topic=724083.0 look here - there is a lot of info and links about darkcoin technology

Bytecoin/Monero - cryptonight, ring signatures. If you want to look at this kind of coin, just read about Cryptonight and ring signatures, not about a concrete coin.

There are a lot of "truly anonymous" coins with Guy Fawkes but they look unserious to me.

Thanks for the response. I just read about Bitcoin mixer. It's an easy idea, but I guess its implementation is complicated. How much is the fee for it?

Darkcoin is way too expensive, as you mentioned.

Monero seems interesting to me.

Do you think governments will forbid anonymous transactions? For example, by forcing exchanges not to accept them.

If governments force Exchanges in their country to not accept Darkcoin for example, the price will go up even more as it will be perceived as a rare, sought after item. And other exchanges will pop up in countries which are less regulated to fill the gap.

Why do you think drugs are so expensive but cheap to manufacture.


Title: Re: Anonymity
Post by: MajidBC on August 06, 2014, 06:50:23 AM
Monero offers unparalleled priquidity.  I made that up.  I'm proud of it.  (privacy * liquidity) = priquidity.  I also haven't slept in too darn long.

This should be Monero's new slogan!

Priquiditas pro populum.  (Quidquid latine dictum sit, altum videtur.)

That was funny. Or: In Monero We Trust!
Now translate it to Latin to make it more profound!


Title: Re: Anonymity
Post by: MajidBC on August 06, 2014, 06:54:06 AM
One of the bitcointalk ads says:
"Even if you use Bitcoin through Tor, the way transactions are handled by the network makes anonymity difficult to achieve. Do not expect your transactions to be anonymous unless you really know what you're doing."

In your opinion, which coin really has anonymous transaction? Is total anonymity possible at all?

I have researched this question for some time. There are a lot of people under each post who are trying to promote their own RealAnonCoin, but here is what I got:

Bitcoin mixer and shared transaction services - it looks like a real way only if you trust the service.
https://bitmixer.io/index.html - one of them

Darkcoin - Masternode technology. Popular, interesting and expensive if I got the info right (10% for darksend).
https://bitcointalk.org/index.php?topic=724083.0 look here - there is a lot of info and links about darkcoin technology

Bytecoin/Monero - cryptonight, ring signatures. If you want to look at this kind of coin, just read about Cryptonight and ring signatures, not about a concrete coin.

There are a lot of "truly anonymous" coins with Guy Fawkes but they look unserious to me.

Thanks for the response. I just read about Bitcoin mixer. It's an easy idea, but I guess its implementation is complicated. How much is the fee for it?

Darkcoin is way too expensive, as you mentioned.

Monero seems interesting to me.

Do you think governments will forbid anonymous transactions? For example, by forcing exchanges not to accept them.

If governments force Exchanges in their country to not accept Darkcoin for example, the price will go up even more as it will be perceived as a rare, sought after item. And other exchanges will pop up in countries which are less regulated to fill the gap.

Why do you think drugs are so expensive but cheap to manufacture.

That's a good point. What if they specify tax for Darkcoin (or higher tax)?


Title: Re: Anonymity
Post by: aminorex on August 06, 2014, 08:04:23 AM
Why do you think drugs are so expensive but cheap to manufacture.
Karl Marx would tell you that labor adds value ;)


Title: Re: Anonymity
Post by: dont take on August 06, 2014, 08:10:07 AM
the big data make anonymity become more and more difficult.


Title: Re: Anonymity
Post by: MajidBC on August 06, 2014, 09:40:01 AM
Why do you think drugs are so expensive but cheap to manufacture.
Karl Marx would tell you that labor adds value ;)

He's right. Just check it here:
https://www.marxists.org/glossary/terms/l/a.htm#labour-theory-value  :D


Title: Re: Anonymity
Post by: MajidBC on August 06, 2014, 09:41:15 AM
the big data make anonymity become more and more difficult.

What do you mean by "the big data"? Blockchain info?


Title: Re: Anonymity
Post by: aminorex on August 06, 2014, 09:45:13 AM

Thanks for the response. I just read about Bitcoin mixer. It's an easy idea, but I guess its implementation is complicated. How much is the fee for it?
...
Do you think governments will forbid anonymous transactions? For example, by forcing exchanges not to accept them.

Coinjoin is very weak.  Read about coinjoin sudoku.

Exchanges are nice but not necessary.  There will always be variation between jurisdictions anyhow, and crypto is global.


Title: Re: Anonymity
Post by: fluffypony on August 06, 2014, 10:43:53 AM
Basically, with ring signatures a transaction output is signed by you and by a group of random signatories (garnered from the utxoset, and the number of signatures is specified by you). Only one of these signatures is "true" (and that can be determined by the recipient), but to an outside observer they cannot determine which of the N signatures on an output is true, as they all appear to be valid.


Firstly, thanks for the comprehensive explanation. You said in the quoted paragraph "the number of signatures is specified by you". Of course, the bigger, the harder to find the sender, right? Is there any bound for it? And, where can I set that?

Well, remember that you first need to crack either end of a transaction before you even get to the ring signature stage. Pragmatically, then: let's say you've purchased "ileegil drukz" from Walter, a manufacturer. He gets busted by the DEA who beat him with a pipe wrench until he reveals his wallet password. Now they can see all of the incoming transfers. They pick one of them that has, say, a mixin of 5. They now have 5 seemingly valid signatures on each of the transaction outputs (but no direct way of knowing who those 5 signatories are, short of knowing the identity of every single wallet holder on the network). Quite literally the only way for them to prove a transaction happened is to have access to both the sender and the recipient's private keys.

There is no upper bound on mixin, but each signature increases the size of the transaction, so when we move to per-kb fees a higher mixin will cost more. Right now you're only bound by physical transaction size limits. Just to confirm that very high mixins work, I created a 1 XMR example transaction with a mixin of 100 (http://chainradar.com/xmr/transaction/b530964dc70a54f5c0f166ff015e8b50ce24ce27d2b8eb9e835e011c812d19d9) no problem, and it was mined and confirmed within a minute.


Title: Re: Anonymity
Post by: Christ-Clin on August 06, 2014, 12:32:08 PM
Is anonymity very important? i think the important thing is benefit of mankind.


Title: Re: Anonymity
Post by: bitsmichel on August 06, 2014, 12:37:58 PM
the big data make anonymity become more and more difficult.

What do you mean by "the big data"? Blockchain info?

I think he means the mass surveillance program which includes data from millions of web-trackers, social networks including facebook, email services, phone conversations, instant messengers, google searches and the list goes on. All of this data is collected and accessible by employees of the NSA and private contractors without a warrant, both private and public information. To be anonymous these days you need to take extreme precautions, because there is money to be made in stalingrad surveillance systems  ;)


Title: Re: Anonymity
Post by: Este Nuno on August 06, 2014, 12:56:31 PM
the big data make anonymity become more and more difficult.

What do you mean by "the big data"? Blockchain info?

I think he means the mass surveillance program which includes data from millions of web-trackers, social networks including facebook, email services, phone conversations, instant messengers, google searches and the list goes on. All of this data is collected and accessible by employees of the NSA and private contractors without a warrant, both private and public information. To be anonymous these days you need to take extreme precautions, because there is money to be made in stalingrad surveillance systems  ;)

Not even just the NSA. With Bitcoin anyone can do analysis fairly easily. Tools for data analysis are easier to use now more than ever and anyone who can code a little can take a bit data set and try to get some useful information.


Title: Re: Anonymity
Post by: bitsmichel on August 06, 2014, 01:00:05 PM
the big data make anonymity become more and more difficult.

What do you mean by "the big data"? Blockchain info?

I think he means the mass surveillance program which includes data from millions of web-trackers, social networks including facebook, email services, phone conversations, instant messengers, google searches and the list goes on. All of this data is collected and accessible by employees of the NSA and private contractors without a warrant, both private and public information. To be anonymous these days you need to take extreme precautions, because there is money to be made in stalingrad surveillance systems  ;)


Not even just the NSA. With Bitcoin anyone can do analysis fairly easily. Tools for data analysis are easier to use now more than ever and anyone who can code a little can take a bit data set and try to get some useful information.

yes, but in relation with anonymity you need an enormous dataset which at present is only accessible to large corporations, private contractors and organisations like the NSA.


Title: Re: Anonymity
Post by: aminorex on August 06, 2014, 01:32:45 PM
Is anonymity very important? i think the important thing is benefit of mankind.

Without anonymity, the best working picture of the future is that of a boot endlessly stomping on a human face.
https://bitcointalk.org/index.php?topic=624223.msg7998097#msg7998097


Title: Re: Anonymity
Post by: sonoIO on August 06, 2014, 02:30:44 PM
Is anonymity very important? i think the important thing is benefit of mankind.

Without anonymity, the best working picture of the future is that of a boot endlessly stomping on a human face.
https://bitcointalk.org/index.php?topic=624223.msg7998097#msg7998097

Couldn't agree more. Anonymity (i.e. privacy) is a human right regulated by the UN Universal Declaration of Human Rights, if nowhere else in your country. One should learn from history, not ignore it.

Additionally, I personally believe that privacy is one of the few (if not the only efficient one) peaceful tools that ppl have to motivate their states to reorganize and optimize themselves, if/when corruption gets out of control - i.e. when corruption is so large that fair elections are not a possibility anymore, or when fair elections are possible but don't change anything. This second part may be hard to understand for someone that lives in a well organized country, but there are really fu*ked up countries in the World.


Title: Re: Anonymity
Post by: DannyElfman on August 06, 2014, 02:37:12 PM
One of the bitcointalk ads says:
"Even if you use Bitcoin through Tor, the way transactions are handled by the network makes anonymity difficult to achieve. Do not expect your transactions to be anonymous unless you really know what you're doing."

In your opinion, which coin really has anonymous transaction? Is total anonymity possible at all?

The ad talks about how your IP could be linked to your transaction.

Now if you use TOR but still didn't hide your traces before, then an observer could link your previous transactions to an IP because all Txs are linked.

So to achieve anonymity with bitcoin you need to cut the link between your transactions and your IP and in addition to that you need to unlink your transactions from your personal details. Tumblers can help with that.


Title: Re: Anonymity
Post by: Coingrab on August 06, 2014, 02:41:17 PM
What about Zerocash / coin anonymity? These are supposed to be totally anonymous. Won't they be untraceable when they go live?


Title: Re: Anonymity
Post by: Este Nuno on August 06, 2014, 03:03:28 PM
What about Zerocash / coin anonymity? These are supposed to be totally anonymous. Won't they be untraceable when they go live?

If they go live anyway. I haven't heard anything for a while now.

Doesn't mean it's not coming though. Maybe they're just hard at work. :)


Title: Re: Anonymity
Post by: dadon on August 06, 2014, 04:48:10 PM
ring signatures used in coins like monero cause blockchain bloat making them unusable for mainstream adoption...so no...XC is what you're looking for, read it and weep if you're not invested already https://bitcointalk.org/index.php?topic=630547.0  ::)


Title: Re: Anonymity
Post by: uvt9 on August 06, 2014, 05:06:36 PM
ring signatures used in coins like monero cause blockchain bloat making them unusable for mainstream adoption...so no...XC is what you're looking for, read it and weep if you're not invested already https://bitcointalk.org/index.php?topic=630547.0  ::)

I think you need more professional promotion, simply saying "blah blah XXX is what you need blah blah ..." would sound stupid and make people stay away from what you're trying to promote.

I don't deny that Ring Signatures cause bigger blockchain, but consider it as a tradeoff to achieve superior privacy which is unmatched by any coin based on Bitcoin protocol (including XC).

About mass adoption, average users will end up using light weight clients on their phone/PC, leaving full nodes run on dedicated servers around the world.


Title: Re: Anonymity
Post by: fluffypony on August 06, 2014, 05:10:47 PM
ring signatures used in coins like monero cause blockchain bloat making them unusable for mainstream adoption...so no...XC is what you're looking for, read it and weep if you're not invested already https://bitcointalk.org/index.php?topic=630547.0  ::)

Do you run a full Bitcoin node with the 20gb blockchain? Just checking.


Title: Re: Anonymity
Post by: Coingrab on August 06, 2014, 06:29:25 PM
What about Zerocash / coin anonymity? These are supposed to be totally anonymous. Won't they be untraceable when they go live?

If they go live anyway. I haven't heard anything for a while now.

Doesn't mean it's not coming though. Maybe they're just hard at work. :)

What I've read on it anyway was it's real good but dog ass slow and so they need to speed it up somehow.


Title: Re: Anonymity
Post by: MajidBC on August 07, 2014, 08:33:57 AM

Thanks for the response. I just read about Bitcoin mixer. It's an easy idea, but I guess its implementation is complicated. How much is the fee for it?
...
Do you think governments will forbid anonymous transactions? For example, by forcing exchanges not to accept them.

Coinjoin is very weak.  Read about coinjoin sudoku.

Exchanges are nice but not necessary.  There will always be variation between jurisdictions anyhow, and crypto is global.

Yup, I just read the following paragraph from http://www.coinjoinsudoku.com/advisory/

Executive Summary:

The SharedCoin mixing service provided by Blockchain.info offers only limited privacy to users due to weaknesses in its design. Bitcoin users should carefully consider their privacy requirements and evaluate other mixing services if they require serious privacy guarantees. A tool for analyzing SharedCoin and other CoinJoin-based mixing protocols will be released approximately two weeks following this advisory to allow SharedCoin users adequate time to protect their privacy.


Title: Re: Anonymity
Post by: MajidBC on August 07, 2014, 08:44:42 AM
Basically, with ring signatures a transaction output is signed by you and by a group of random signatories (garnered from the utxoset, and the number of signatures is specified by you). Only one of these signatures is "true" (and that can be determined by the recipient), but to an outside observer they cannot determine which of the N signatures on an output is true, as they all appear to be valid.


Firstly, thanks for the comprehensive explanation. You said in the quoted paragraph "the number of signatures is specified by you". Of course, the bigger, the harder to find the sender, right? Is there any bound for it? And, where can I set that?

Well, remember that you first need to crack either end of a transaction before you even get to the ring signature stage. Pragmatically, then: let's say you've purchased "ileegil drukz" from Walter, a manufacturer. He gets busted by the DEA who beat him with a pipe wrench until he reveals his wallet password. Now they can see all of the incoming transfers. They pick one of them that has, say, a mixin of 5. They now have 5 seemingly valid signatures on each of the transaction outputs (but no direct way of knowing who those 5 signatories are, short of knowing the identity of every single wallet holder on the network). Quite literally the only way for them to prove a transaction happened is to have access to both the sender and the recipient's private keys.

There is no upper bound on mixin, but each signature increases the size of the transaction, so when we move to per-kb fees a higher mixin will cost more. Right now you're only bound by physical transaction size limits. Just to confirm that very high mixins work, I created a 1 XMR example transaction with a mixin of 100 (http://chainradar.com/xmr/transaction/b530964dc70a54f5c0f166ff015e8b50ce24ce27d2b8eb9e835e011c812d19d9) no problem, and it was mined and confirmed within a minute.

That was clever. So both ends of the transaction are needed.
And, per-kb fee is the limiting factor not to set the number of signatures so high, unless we want to transfer a high amount of money, or a very secret one (for instance to Walter White).

Who is the designer of this transaction method? Is this published in a scientific journal, for instance in a cryptography one?


Title: Re: Anonymity
Post by: MajidBC on August 07, 2014, 09:06:33 AM
Is anonymity very important? I think the important thing is the benefit of mankind.

Without anonymity, the best working picture of the future is that of a boot endlessly stomping on a human face.
https://bitcointalk.org/index.php?topic=624223.msg7998097#msg7998097

Couldn't agree more. Anonymity (i.e. privacy) is a human right regulated by the UN Universal Declaration of Human Rights, if nowhere else in your country. One should learn from history, not ignore it.

Additionally, I personally believe that privacy is one of the few (if not the only efficient one) peaceful tools that people have to motivate their states to reorganize and optimize themselves, if/when corruption gets out of control - i.e. when corruption is so large that fair elections are not a possibility anymore, or when fair elections are possible but don't change anything. This second part may be hard to understand for someone who lives in a well-organized country, but there are really fu*ked up countries in the world.

@Christ-Clin
Have you read the book "1984" by George Orwell?


Title: Re: Anonymity
Post by: MajidBC on August 07, 2014, 09:09:40 AM
Is anonymity very important? I think the important thing is the benefit of mankind.

Without anonymity, the best working picture of the future is that of a boot endlessly stomping on a human face.
https://bitcointalk.org/index.php?topic=624223.msg7998097#msg7998097

Couldn't agree more. Anonymity (i.e. privacy) is a human right regulated by the UN Universal Declaration of Human Rights, if nowhere else in your country. One should learn from history, not ignore it.

Additionally, I personally believe that privacy is one of the few (if not the only efficient one) peaceful tools that people have to motivate their states to reorganize and optimize themselves, if/when corruption gets out of control - i.e. when corruption is so large that fair elections are not a possibility anymore, or when fair elections are possible but don't change anything. This second part may be hard to understand for someone who lives in a well-organized country, but there are really fu*ked up countries in the world.

The NSA scandal was disappointing. Is the same thing true about other countries? For instance, Europeans, is your privacy violated by your governments, like the US?


Title: Re: Anonymity
Post by: MajidBC on August 07, 2014, 09:11:24 AM
One of the bitcointalk ads says:
"Even if you use Bitcoin through Tor, the way transactions are handled by the network makes anonymity difficult to achieve. Do not expect your transactions to be anonymous unless you really know what you're doing."

In your opinion, which coin really has anonymous transaction? Is total anonymity possible at all?

The ad talks about how your IP could be linked to your transaction.

Now if you use TOR but still didn't hide your traces before, then an observer could link your previous transactions to an IP because all Txs are linked.

So to achieve anonymity with bitcoin you need to cut the link between your transactions and your IP and in addition to that you need to unlink your transactions from your personal details. Tumblers can help with that.

Thanks for the explanation. You explained it very simply.


Title: Re: Anonymity
Post by: MajidBC on August 07, 2014, 09:21:31 AM
ring signatures used in coins like monero cause blockchain bloat making them unusable for mainstream adoption...so no...XC is what you're looking for, read it and weep if you're not invested already https://bitcointalk.org/index.php?topic=630547.0 ::)

Can you explain a little about mainstream adoption and its compatibility problem with the ring signatures?


Title: Re: Anonymity
Post by: fluffypony on August 07, 2014, 11:39:18 AM
That was clever. So both ends of the transaction are needed.
And, per-kb fee is the limiting factor not to set the number of signatures so high, unless we want to transfer a high amount of money, or a very secret one (for instance to Walter White).

Who is the designer of this transaction method? Is this published in a scientific journal, for instance in a cryptography one?

At the moment we're on a flat per-tx fee, so it's still cheap either way, but yes - once we move to per-kb fees it'll be more expensive to use large signature groups (although not prohibitively so).

The original CryptoNote whitepaper is here: https://cryptonote.org/whitepaper.pdf

The CN whitepaper had not been peer reviewed, so we took that job on ourselves.

Our mathematicians' and cryptographers' raw (and sometimes snarky ;) annotations are here: http://monero.cc/downloads/whitepaper_annotated.pdf
The review of the CN whitepaper as presented by one of our mathematicians is here: http://monero.cc/downloads/whitepaper_review.pdf

All worthy reads, and as you can see there's actual mathematics and cryptography and not just pretty pictures :-P


Title: Re: Anonymity
Post by: fluffypony on August 07, 2014, 12:00:54 PM
ring signatures used in coins like monero cause blockchain bloat making them unusable for mainstream adoption...so no...XC is what you're looking for, read it and weep if you're not invested already https://bitcointalk.org/index.php?topic=630547.0 ::)

Can you explain a little about mainstream adoption and its compatibility problem with the ring signatures?

It's a very tired argument that gets pulled out and rebutted each time. The Monero blockchain is currently 5.5x the size of the Bitcoin one for comparable total transactions (so linearly larger than Bitcoin's). So when we've had 44 million transactions (as Bitcoin has over its 5.5 year existence) our blockchain will be about 110gb vs. Bitcoin's current 20gb blockchain. This is, in itself, not a problem, as by the time we get there in a few  years disk space will be appreciably larger, and we'll have the same full node problem Bitcoin has (who seriously keeps the full 20gb Bitcoin blockchain on their laptop, for instance) - the majority of our userbase will use lightweight wallets.

A lot of the people that state that Monero has a "blockchain bloat" problem are picking up snippets of conversation between quite intelligent people on the matter without actually understanding the issue. Monero has exactly the same "bloat" problem as XC, DarkCoin, and anything else that uses a form of mixing - you are going to incur additional entries in the blockchain for every mix (or in Monero's case for every additional signature in a ring), which means the blockchain for all of them is going to be linearly larger than Bitcoin's for the same number of transactions. It is a compromise you accept if you want transaction privacy: it uses more space in the blockchain. However, the advantage that a Bitcoin-derived altcoin has is that it can prune the bloated blockchain, whereas with Monero you can never tell if a utxo has actually been spent or just used in a ring signature, so pruning in the Bitcoin sense is not possible. THIS is what they're actually claiming - that all of the blockchains are going to bloat, but Monero's can't be pruned the way Bitcoin's can. It's very, very important to note alongside this that the Bitcoin blockchain has never been pruned, the code to operate off a pruned blockchain is simply not there (that notwithstanding, as of Bitcoin Core 0.9.0 it does have the ability to prune provably unspendable outputs, but that is not the same as the blockchain pruning we are referring to). Therefore, none of these Bitcoin-derived altcoins are actually able to prune their blockchain, despite their belief that they can flick a switch and voila, magically small blockchain. Not unless they have the ability to write code that the Bitcoin core developers and hundreds of contributors have yet to write.
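The two ring-signature properties argued over in this thread (any listed member could have produced the signature, and every extra member adds data to the transaction) can be seen in a small added example. It is not code from any poster or from Monero: it is a toy Schnorr-style ring signature in the Abe-Ohkubo-Suzuki form over a small multiplicative group, not CryptoNote's one-time ring signature on Ed25519, and all names and parameters are assumptions made for illustration.

```python
import hashlib
import secrets

# Toy parameters (assumption for this example): the multiplicative group
# modulo the Mersenne prime 2**127 - 1. Far too small for real use, and not
# the Ed25519 group that CryptoNote coins use.
P = 2**127 - 1
N = P - 1            # exponents are reduced modulo the group order
G = 3
SCALAR_BYTES = 16    # every value below 2**127 fits in 16 bytes


def keygen():
    """Return (private, public) with public = G^private mod P."""
    x = secrets.randbelow(N - 1) + 1
    return x, pow(G, x, P)


def _challenge(message, ring, commitment):
    """Hash the message, the whole ring and one commitment to an exponent."""
    h = hashlib.sha256()
    h.update(message)
    for pub in ring:
        h.update(pub.to_bytes(SCALAR_BYTES, "big"))
    h.update(commitment.to_bytes(SCALAR_BYTES, "big"))
    return int.from_bytes(h.digest(), "big") % N


def ring_sign(message, ring, signer_index, signer_priv):
    """Sign so that any key in `ring` could have been the signer."""
    n = len(ring)
    e = [0] * n   # challenges, chained around the ring
    s = [0] * n   # one response per ring member
    alpha = secrets.randbelow(N)
    i = (signer_index + 1) % n
    e[i] = _challenge(message, ring, pow(G, alpha, P))
    # Walk the ring, simulating every member except the real signer.
    while i != signer_index:
        s[i] = secrets.randbelow(N)
        commit = pow(G, s[i], P) * pow(ring[i], e[i], P) % P
        nxt = (i + 1) % n
        e[nxt] = _challenge(message, ring, commit)
        i = nxt
    # Only the real private key can close the chain at the signer's slot.
    s[signer_index] = (alpha - signer_priv * e[signer_index]) % N
    return e[0], s


def ring_verify(message, ring, signature):
    """Recompute the challenge chain; it must return to its start."""
    e0, s = signature
    if len(s) != len(ring):
        return False
    e = e0
    for pub, s_i in zip(ring, s):
        commit = pow(G, s_i, P) * pow(pub, e, P) % P
        e = _challenge(message, ring, commit)
    return e == e0


def signature_bytes(signature):
    """Serialized size: one starting challenge plus one response per member."""
    _, s = signature
    return SCALAR_BYTES * (1 + len(s))


if __name__ == "__main__":
    msg = b"constructed example message"
    for ring_size in (1, 2, 6, 51, 101):
        keys = [keygen() for _ in range(ring_size)]
        ring = [pub for _, pub in keys]
        signer = secrets.randbelow(ring_size)
        sig = ring_sign(msg, ring, signer, keys[signer][0])
        print(ring_size, ring_verify(msg, ring, sig), signature_bytes(sig))
```

The signature carries no signer index: the verifier treats every slot identically, and the size grows by one 16-byte response per added ring member.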


Title: Re: Anonymity
Post by: illodin on August 07, 2014, 12:54:55 PM
One of the points that is often not mentioned with the Bitcoin-forked altcoins that claim anonymous transactions is that you have to give out your recipient address to receive coins. The process in-between may protect the sender, but if the receiver's address is found (eg. mentioned on a forum or on IRC once) the receiver is at-risk, since it can be seen that they received a transaction of a certain amount.

Isn't this what stealth addresses are for? And they can be implemented in any bitcoin based coin?


Title: Re: Anonymity
Post by: kbm on August 07, 2014, 01:04:56 PM
One of the points that is often not mentioned with the Bitcoin-forked altcoins that claim anonymous transactions is that you have to give out your recipient address to receive coins. The process in-between may protect the sender, but if the receiver's address is found (eg. mentioned on a forum or on IRC once) the receiver is at-risk, since it can be seen that they received a transaction of a certain amount.

Isn't this what stealth addresses are for? And they can be implemented in any bitcoin based coin?

My understanding is that the stealth addressing (coupled w/ RS) used in CN is there to provide a reasonable doubt when viewing only the blockchain tx's without a view key, but that doubt can still be removed by providing a view key from the specific person's wallet you'd be looking for information from any time in the future. Is there such a system in bitcoin where I can reveal my stealth address as being concretely owned by my own address in such a manner in bitcoin (that's native to the protocol)?

Short of giving someone total control of my wallet (which would allow sending money, not only viewing transactions), and the way listed below, can I prove that the stealth address was my own and that I sent a transaction to someone?

I think the only way to provide proof with the bitcoin stealth address is by:

Quote
you can put your stealth address as part of your OpenPGP key, and with the web-of-trust I can be sure I'm paying the right person. Or do the same thing with a X.509 certificate. (http://www.reddit.com/r/Bitcoin/comments/1v7ayg/revolution_in_bitcoin_privacy_stealth_addresses/)

Which would require trust and reputation. Not sure if I'm right here though, anyone know any better?


Title: Re: Anonymity
Post by: fluffypony on August 07, 2014, 02:05:48 PM
One of the points that is often not mentioned with the Bitcoin-forked altcoins that claim anonymous transactions is that you have to give out your recipient address to receive coins. The process in-between may protect the sender, but if the receiver's address is found (eg. mentioned on a forum or on IRC once) the receiver is at-risk, since it can be seen that they received a transaction of a certain amount.

Isn't this what stealth addresses are for? And they can be implemented in any bitcoin based coin?

Yes exactly :) The problem with any of the Bitcoin-based coins currently in existence is that they cannot/will not FORCE stealth addresses. In other words, if I've received 5 WhateverCoins from you to my stealth address, chances are when I go to spend them I'm going to send them to a non-stealth (regular) address, which thus reveals me to be the recipient of the output. Stealth addresses have to be the ONLY way to transact, and it has to be in from the genesis block on.

The other thing to consider is that stealth addresses *alone* do not protect you. If our aforementioned hypothetical drug manufacturer is busted and gives law enforcement access to his wallet, they correlate an output of a certain amount with that which was paid by you (and vice versa for a payer that is busted). Thus, the other thing that is required is to have a clever mix of outputs such that blockchain analysis can't find unique amounts. Take, for example, this Monero transaction (http://chainradar.com/xmr/transaction/276e248e6936b2596e168b137f13a11a9ac878331f29ff27835e1a4c9e4f7cef). At first glance it appears to be for 93.487 XMR. But, as you can see, the outputs are 90, 3, 0.4, 0.08, and 0.007 XMR. Thus there's no way of telling the actual amount for this transaction. It could be 90 XMR (with the other outputs merely returning to the sender), or it could be 3.487, or 93, or 90.08, and so on. So now we're, cryptographically, creating transactions that are very hard to trace by blockchain analysis alone, even if one party is fully pipe-wrench compromised.

The final step is, of course, plausible deniability. This is what ring signatures provide - the ability for each of those outputs of a transaction to be digitally signed by a group of seemingly valid signatures, such that it is impossible without fully owning the sender and recipient wallets to know if an output "belongs" to someone. And the ring group isn't as small as the mixin you set, the mixin is per output. Thus, on the transaction mentioned above which had 5 outputs: if the sender had sent that with a mixin of 50 that's 250 "people" signing that transaction, for which an observer is unsure which output is true by blockchain analysis alone, which does not even have a unique amount that can be traced.
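The amount-splitting argument in the post above, as an added example that is not part of the original post or of Monero's code: it splits 93.487 into one output per decimal digit, enumerates every payment amount an observer would have to consider, and reproduces the post's 5 outputs x mixin 50 count. Function names and the comparison list of undivided outputs are constructed for illustration.

```python
from decimal import Decimal
from itertools import combinations


def split_into_denominations(amount):
    """Split an amount into one output per non-zero decimal digit."""
    _, digits, exponent = Decimal(amount).as_tuple()
    outputs = []
    for pos, digit in enumerate(digits):
        if digit:
            power = len(digits) - 1 - pos + exponent
            outputs.append(Decimal(digit).scaleb(power))
    return outputs


def candidate_amounts(outputs):
    """Every payment amount consistent with the outputs, for an observer
    who cannot tell which outputs are payment and which return to the sender."""
    sums = set()
    for size in range(1, len(outputs) + 1):
        for subset in combinations(outputs, size):
            sums.add(sum(subset))
    return sorted(sums)


def outputs_matching(known_payment, chain_outputs):
    """Outputs whose amount equals a payment the investigator already knows."""
    target = Decimal(known_payment)
    return [out for out in chain_outputs if out == target]


def ring_members_on_tx(n_outputs, mixin):
    """The post's count: the mixin applies to each output separately."""
    return n_outputs * mixin


if __name__ == "__main__":
    outputs = split_into_denominations("93.487")
    print("outputs:", [str(o.normalize()) for o in outputs])

    candidates = candidate_amounts(outputs)
    print("amounts an observer must consider:", len(candidates))

    # Constructed comparison: a chain that records undivided amounts.
    undivided = [Decimal("93.487"), Decimal("12.5"), Decimal("4.01")]
    print("exact-amount hits, undivided outputs:",
          len(outputs_matching("93.487", undivided)))
    print("exact-amount hits, denominated outputs:",
          len(outputs_matching("93.487", outputs)))

    print("ring members on the transaction:",
          ring_members_on_tx(len(outputs), 50))
```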


Title: Re: Anonymity
Post by: DannyElfman on August 07, 2014, 05:10:18 PM
ring signatures used in coins like monero cause blockchain bloat making them unusable for mainstream adoption...so no...XC is what you're looking for, read it and weep if you're not invested already https://bitcointalk.org/index.php?topic=630547.0 ::)

Can you explain a little about mainstream adoption and its compatibility problem with the ring signatures?

Imagine 2 blockchains processing the same amount of transactions. Now Chain 1 is running with ring signatures and Chain 2 is not.

Now let's say that every year 500 GB of transaction data gets produced and no blockchain pruning and shrinking is available.
After 1/2/3/4/5 years
Chain 1: 750GB/1.5 TB/2.25TB/3TB/3.75TB
Chain 2: 500GB/1TB/1.5TB/2TB/2.5 TB

And this is under the best case scenario that ring signatures only produce 50% bigger tx. This number can be higher!


Title: Re: Anonymity
Post by: Este Nuno on August 07, 2014, 06:09:06 PM
ring signatures used in coins like monero cause blockchain bloat making them unusable for mainstream adoption...so no...XC is what you're looking for, read it and weep if you're not invested already https://bitcointalk.org/index.php?topic=630547.0 ::)


Can you explain a little about mainstream adoption and its compatibility problem with the ring signatures?

Imagine 2 blockchains processing the same amount of transactions. Now Chain 1 is running with ring signatures and Chain 2 is not.

Now let's say that every year 500 GB of transaction data gets produced and no blockchain pruning and shrinking is available.
After 1/2/3/4/5 years
Chain 1: 750GB/1.5 TB/2.25TB/3TB/3.75TB
Chain 2: 500GB/1TB/1.5TB/2TB/2.5 TB

And this is under the best case scenario that ring signatures only produce 50% bigger tx. This number can be higher!

I don't really find it that bad. People will still be able to run nodes no problem and regular people can use thin clients. Assuming that standard Bitcoin style thin clients work with ring sig tech. I assume it does but I don't know.


Title: Re: Anonymity
Post by: fluffypony on August 07, 2014, 06:52:47 PM
ring signatures used in coins like monero cause blockchain bloat making them unusable for mainstream adoption...so no...XC is what you're looking for, read it and weep if you're not invested already https://bitcointalk.org/index.php?topic=630547.0 ::)

Can you explain a little about mainstream adoption and its compatibility problem with the ring signatures?

Imagine 2 blockchains processing the same amount of transactions. Now Chain 1 is running with ring signatures and Chain 2 is not.

Now let's say that every year 500 GB of transaction data gets produced and no blockchain pruning and shrinking is available.
After 1/2/3/4/5 years
Chain 1: 750GB/1.5 TB/2.25TB/3TB/3.75TB
Chain 2: 500GB/1TB/1.5TB/2TB/2.5 TB

And this is under the best case scenario that ring signatures only produce 50% bigger tx. This number can be higher!

Your figures are off, the actual figure for Monero is closer to around 5.5x linearly larger than Bitcoin for comparable transaction amounts. I've already gone over this tired and blatantly incorrect argument further up in this thread (https://bitcointalk.org/index.php?topic=724208.msg8230175#msg8230175) so I won't rehash things too much, but suffice it to say that your timeline misses some important details (I mean besides the fact that no cryptocurrency actually has working pruning, just the theoretical prospect of it).

The first is that you're missing time as a frame of reference. Those two chains don't exist at the same time, and by the time the ring signatures chain reaches the level of transactions chain 1 has, the lay of the land will be different. In other words, Bitcoin's blockchain right now is 20gb as it processes 61 000 transactions a day with a huge market cap and massive amounts of global reach. If Monero, for instance, reached that level in 5 years' time it would have a 110gb blockchain by the middle of 2019. I have a 1tb Kingston thumb drive in my pocket, WD just released the 6tb version of their Red NAS series of drives. With HGST pushing HAMR drives for next year, they expect that in the next 5 years there will be 40tb - 60tb drives that are as readily available and cheap as 4tb - 6tb drives today. Will a 110gb blockchain on full nodes really matter by 2019, when everyone is sporting 40tb drives? By direct comparison: Bitcoin's blockchain takes up 0.5% of today's 4tb drives, and comparably Monero would take up 0.275% of 2019's 40tb drives. In other words, disk space and Internet capacity is rapidly outstripping potential blockchain growth.

Ring signatures provide cryptographically untraceable and unlinkable transactions for a small sacrifice in blockchain storage in a world where disk space is not at a premium.


Title: Re: Anonymity
Post by: Lauda on August 07, 2014, 07:06:20 PM
Imagine 2 blockchains processing the same amount of transactions. Now Chain 1 is running with ring signatures and Chain 2 is not.

Now let's say that every year 500 GB of transaction data gets produced and no blockchain pruning and shrinking is available.
After 1/2/3/4/5 years
Chain 1: 750GB/1.5 TB/2.25TB/3TB/3.75TB
Chain 2: 500GB/1TB/1.5TB/2TB/2.5 TB

And this is under the best case scenario that ring signatures only produce 50% bigger tx. This number can be higher!
-snip-
Will a 110gb blockchain on full nodes really matter by 2019, when everyone is sporting 40tb drives? By direct comparison: Bitcoin's blockchain takes up 0.5% of today's 4tb drives, and comparably Monero would take up 0.275% of 2019's 40tb drives. In other words, disk space and Internet capacity is rapidly outstripping potential blockchain growth.

Ring signatures provide cryptographically untraceable and unlinkable transactions for a small sacrifice in blockchain storage in a world where disk space is not at a premium.
Sorry to spoil it for you, but most people do not have money to afford a 1TB thumb drive nor a 6TB HDD. In my country I rarely see people who have a 1TB HDD or higher (excluding myself). How do you plan to have a wider adoption? Although you never know, we might have 40TB drives we might still be stuck with the current limitations (look at batteries - minor/none improvement for years).
There are other ways to provide untraceable and unlinkable transactions. While ring signatures might bloat the blockchain a bit, they could do for now I guess.


Title: Re: Anonymity
Post by: Este Nuno on August 07, 2014, 07:20:33 PM
Imagine 2 blockchains processing the same amount of transactions. Now Chain 1 is running with ring signatures and Chain 2 is not.

Now let's say that every year 500 GB of transaction data gets produced and no blockchain pruning and shrinking is available.
After 1/2/3/4/5 years
Chain 1: 750GB/1.5 TB/2.25TB/3TB/3.75TB
Chain 2: 500GB/1TB/1.5TB/2TB/2.5 TB

And this is under the best case scenario that ring signatures only produce 50% bigger tx. This number can be higher!
-snip-
Will a 110gb blockchain on full nodes really matter by 2019, when everyone is sporting 40tb drives? By direct comparison: Bitcoin's blockchain takes up 0.5% of today's 4tb drives, and comparably Monero would take up 0.275% of 2019's 40tb drives. In other words, disk space and Internet capacity is rapidly outstripping potential blockchain growth.

Ring signatures provide cryptographically untraceable and unlinkable transactions for a small sacrifice in blockchain storage in a world where disk space is not at a premium.
Sorry to spoil it for you, but most people do not have money to afford a 1TB thumb drive nor a 6TB HDD. In my country I rarely see people who have a 1TB HDD or higher (excluding myself). How do you plan to have a wider adoption? Although you never know, we might have 40TB drives we might still be stuck with the current limitations (look at batteries - minor/none improvement for years).
There are other ways to provide untraceable and unlinkable transactions. While ring signatures might bloat the blockchain a bit, they could do for now I guess.

But they will be able to afford them in 2019. I think his point was that if he has these today then by then storage will easily cover the needs of the blockchain for many people.


Title: Re: Anonymity
Post by: fluffypony on August 07, 2014, 07:27:21 PM
Imagine 2 blockchains processing the same amount of transactions. Now Chain 1 is running with ring signatures and Chain 2 is not.

Now let's say that every year 500 GB of transaction data gets produced and no blockchain pruning and shrinking is available.
After 1/2/3/4/5 years
Chain 1: 750GB/1.5 TB/2.25TB/3TB/3.75TB
Chain 2: 500GB/1TB/1.5TB/2TB/2.5 TB

And this is under the best case scenario that ring signatures only produce 50% bigger tx. This number can be higher!
-snip-
Will a 110gb blockchain on full nodes really matter by 2019, when everyone is sporting 40tb drives? By direct comparison: Bitcoin's blockchain takes up 0.5% of today's 4tb drives, and comparably Monero would take up 0.275% of 2019's 40tb drives. In other words, disk space and Internet capacity is rapidly outstripping potential blockchain growth.

Ring signatures provide cryptographically untraceable and unlinkable transactions for a small sacrifice in blockchain storage in a world where disk space is not at a premium.
Sorry to spoil it for you, but most people do not have money to afford a 1TB thumb drive nor a 6TB HDD. In my country I rarely see people who have a 1TB HDD or higher (excluding myself). How do you plan to have a wider adoption? Although you never know, we might have 40TB drives we might still be stuck with the current limitations (look at batteries - minor/none improvement for years).
There are other ways to provide untraceable and unlinkable transactions. While ring signatures might bloat the blockchain a bit, they could do for now I guess.

Don't worry, you haven't spoiled anything. I live in South Africa, I know exactly what most people can afford more than most people here.

The "most people" you refer to will use a web wallet or an SPV-style wallet, regardless of the disk space they can afford. Full nodes for Bitcoin (and in future for Monero) are only run by crypto enthusiasts or companies who have a vested interest in doing so...and both groups of people can and do own sufficient storage space even at this very moment to soak up a 110gb blockchain.

To your last point, currently the only other way to provide cryptographically untraceable and unlinkable transactions is ZeroCash, which has been discussed at length and has drawbacks of its own (eg. the accumulator creation event trust issue). All the other methods that exist add layers of obfuscation, but do not provide cryptographically untraceable and unlinkable transactions.


Title: Re: Anonymity
Post by: Ayers on August 07, 2014, 07:33:25 PM
Monero offers unparalleled priquidity.  I made that up.  I'm proud of it.  (privacy * liquidity) = priquidity.  I also haven't slept in too darn long.

Is Monero really anonymous? How can someone know if his coins are sent to someone else? The other can just cheat, can't he?


Title: Re: Anonymity
Post by: Este Nuno on August 07, 2014, 07:50:54 PM
Monero offers unparalleled priquidity.  I made that up.  I'm proud of it.  (privacy * liquidity) = priquidity.  I also haven't slept in too darn long.

Is Monero really anonymous? How can someone know if his coins are sent to someone else? The other can just cheat, can't he?

fluffypony is a Monero dev and has a few posts in this very thread explaining and answering questions related to that.


Title: Re: Anonymity
Post by: Lauda on August 07, 2014, 11:30:38 PM
Don't worry, you haven't spoiled anything. I live in South Africa, I know exactly what most people can afford more than most people here.

The "most people" you refer to will use a web wallet or an SPV-style wallet, regardless of the disk space they can afford. Full nodes for Bitcoin (and in future for Monero) are only run by crypto enthusiasts or companies who have a vested interest in doing so...and both groups of people can and do own sufficient storage space even at this very moment to soak up a 110gb blockchain.

To your last point, currently the only other way to provide cryptographically untraceable and unlinkable transactions is ZeroCash, which has been discussed at length and has drawbacks of its own (eg. the accumulator creation event trust issue). All the other methods that exist add layers of obfuscation, but do not provide cryptographically untraceable and unlinkable transactions.
Oh then you understand the issues in areas where people are poor. You must realize that not all of them are able to use web wallets (not enough knowledge related to technology overall). Would you be able to provide an objective opinion between Monero and Darksend+ (even though you're a developer there), if you have followed the development on this side too? (new update - Evan posted recently that the release is a few days away). Theoretically the transactions aren't untraceable and unlinkable, but they do add a lot more anonymity compared to the likes of Bitcoin.


Title: Re: Anonymity
Post by: entertheabyss on August 08, 2014, 02:36:44 AM
Anoncoin is working on ZeroTrust, a completely trustless implementation of ZeroCoin using RSA_UFOs

Source:
https://wiki.anoncoin.net/Zerocoin
https://wiki.anoncoin.net/RSA_UFO


Title: Re: Anonymity
Post by: othe on August 08, 2014, 02:56:54 AM
Imagine 2 blockchains processing the same amount of transactions. Now Chain 1 is running with ring signatures and Chain 2 is not.

Now let's say that every year 500 GB of transaction data gets produced and no blockchain pruning and shrinking is available.
After 1/2/3/4/5 years
Chain 1: 750GB/1.5 TB/2.25TB/3TB/3.75TB
Chain 2: 500GB/1TB/1.5TB/2TB/2.5 TB

And this is under the best case scenario that ring signatures only produce 50% bigger tx. This number can be higher!
-snip-
Will a 110gb blockchain on full nodes really matter by 2019, when everyone is sporting 40tb drives? By direct comparison: Bitcoin's blockchain takes up 0.5% of today's 4tb drives, and comparably Monero would take up 0.275% of 2019's 40tb drives. In other words, disk space and Internet capacity is rapidly outstripping potential blockchain growth.

Ring signatures provide cryptographically untraceable and unlinkable transactions for a small sacrifice in blockchain storage in a world where disk space is not at a premium.
Sorry to spoil it for you, but most people do not have money to afford a 1TB thumb drive nor a 6TB HDD. In my country I rarely see people who have a 1TB HDD or higher (excluding myself). How do you plan to have a wider adoption? Although you never know, we might have 40TB drives we might still be stuck with the current limitations (look at batteries - minor/none improvement for years).
There are other ways to provide untraceable and unlinkable transactions. While ring signatures might bloat the blockchain a bit, they could do for now I guess.

On the flipside, those people will never ever have the cash to run a DRK Masternode where you need 1000 coins. I consider that a real issue as you need them for mixing, whereas Monero runs totally passive.

Quote
Oh then you understand the issues in areas where people are poor. You must realize that not all of them are able to use web wallets (not enough knowledge related to technology overall).

I don't get your point, it's no different to use a lightweight wallet or a full wallet - both can look and feel exactly the same. And without an Internet connection you can't use cryptocurrency anyway - or well you could make an offline Monero transaction and bring it to someone with internet I guess - but have fun doing that with an active mixer engine.


Title: Re: Anonymity
Post by: fluffypony on August 08, 2014, 07:13:41 AM
Don't worry, you haven't spoiled anything. I live in South Africa, I know exactly what most people can afford more than most people here.

The "most people" you refer to will use a web wallet or an SPV-style wallet, regardless of the disk space they can afford. Full nodes for Bitcoin (and in future for Monero) are only run by crypto enthusiasts or companies who have a vested interest in doing so...and both groups of people can and do own sufficient storage space even at this very moment to soak up a 110gb blockchain.

To your last point, currently the only other way to provide cryptographically untraceable and unlinkable transactions is ZeroCash, which has been discussed at length and has drawbacks of its own (eg. the accumulator creation event trust issue). All the other methods that exist add layers of obfuscation, but do not provide cryptographically untraceable and unlinkable transactions.
Oh then you understand the issues in areas where people are poor. You must realize that not all of them are able to use web wallets (not enough knowledge related to technology overall). Would you be able to provide an objective opinion between Monero and Darksend+ (even though you're a developer there), if you have followed the development on this side too? (new update - Evan posted recently that the release is a few days away). Theoretically the transactions aren't untraceable and unlinkable, but they do add a lot more anonymity compared to the likes of Bitcoin.

I follow a lot of developments in cryptography, so I have of course been watching Darkcoin's progress. It definitely does add a lot more anonymity than Bitcoin provides, and that's certainly something that is to be applauded. Speaking purely from a cryptography perspective (and please do not take this as any sort of "FUD attack" or me being "anti-competitive" - I believe every cryptocurrency must carve out its own niche over time) there are two things that concern me:

1. Outputs can still be linked to addresses. If you send 20 DRK and it sends all these other outputs along with it to obfuscate, the 20 DRK still ends up in someone's address. That this can be observed on the blockchain means that analysis is easy, and we all know how often people leak addresses associated with their wallet (eg. posting it up for giveaways etc. etc.) This is an immutable problem in any Bitcoin-forked cryptocurrency that exists, as the solution (stealth addresses computed w/random data) has to be enforced for every transaction from the genesis block. If you enforce it halfway through you're stuck with old outputs that don't use stealth addresses, which makes it exceedingly complex to ensure the anonymity set is not at-risk.

2. Masternodes are an Achilles' heel. Let us say that there are 10 000 masternodes on the network. Their IP addresses and the port they operate on are, by necessity, known to the network. Let's assume that an attacker controls 5 masternodes of the 10 000. Let's also assume that each of the masternodes on the network is on a dedicated server (none of them use a VPS, because a VPS could be trivially owned by the host operating system) and each of these servers is on a 1gbps unmetered, dedicated port (clearly not the case right now, but I'm talking about a future time). How hard would it be for an attacker to knock the other 9995 masternodes off the network, leaving theirs as the only accessible masternodes (and thus not only earning them all the fees, but giving them perfect insight into transactions moving within their controlled group)? Well, NTP amplification attacks have let attackers launch 400Gbps attacks against a single machine from a sole 2mbps connection. SNMP has a theoretical 650x amplification factor. All an attacker needs to do is max out the unmetered port in an obvious attack, and the datacenter will have to react. Even straight up LOIC-style / botnet SYN floods to the port that the masternode has open will lead to the DC null-routing traffic to that box, typically for 6 hours whilst they wait for the attack to stop. Mitigating this is an extremely difficult and expensive operation for each masternode to individually undertake, and not all DCs will even be able to provide DDoS mitigation at this level. An unsophisticated attacker using extremely traditional tools can knock all of the masternodes off the network except those they control. This is a threat to anonymity.

Incidentally, the other problem with masternodes that nobody seems to have thought of is that the limited number of them will mean they're in direct competition with each other. It is in a masternode operator's financial interests to make life difficult for the rest of them - DDoS attacks, reporting the box to the datacenter, anything that can knock a single competitor off the masternode network means more fees for the remaining masternodes. This is different to PoW mining where, for instance, knocking the pools offline doesn't mean you'll get more transaction fees, as miners always have backup pools. I'm not sure how sustainable this is as a system if it unmistakably pitches operators against each other to fight for fees. Given the cost and capital required to own a masternode, it's appreciable that this will happen as a natural result of wanting to maximise masternode profits.


Title: Re: Anonymity
Post by: Lauda on August 08, 2014, 08:42:30 AM
-snip-
Incidentally, the other problem with masternodes that nobody seems to have thought of is that the limited number of them will mean they're in direct competition with each other. It is in a masternode operator's financial interests to make life difficult for the rest of them - DDoS attacks, reporting the box to the datacenter, anything that can knock a single competitor off the masternode network means more fees for the remaining masternodes. This is different to PoW mining where, for instance, knocking the pools offline doesn't mean you'll get more transaction fees, as miners always have backup pools. I'm not sure how sustainable this is as a system if it unmistakably pitches operators against each other to fight for fees. Given the cost and capital required to own a masternode, it's appreciable that this will happen as a natural result of wanting to maximise masternode profits.
No, I'm definitely not considering this as an attack or something similar. At least you are not: a) ignoring my questions (for stupid reasons like blind followers tend to); b) do not spread FUD about competing coins. I've taken some time re-reading this, and it's obvious that your knowledge exceeds mine (well you're a developer after all). I'll get some input elsewhere and respond afterwards (!) accordingly.
Well the issue is that the IP and port of the MNs are known to the network and thus making them vulnerable. Well I don't think that all MNs will be able to get knocked down by this, surely there will be a few individuals to host a few MNs with high security. Don't you think so?
Yeah I think it is limited to 2000(?). Well your concerns are based on the MNs not being good enough (either concept/current implementation).
I also did not know the extent of NTP nor SNMP application, this is knowledge that I will have to hold onto.


Title: Re: Anonymity
Post by: fluffypony on August 08, 2014, 09:54:23 AM
Well the issue is that the IP and port of the MNs are known to the network and thus making them vulnerable. Well I don't think that all MNs will be able to get knocked down by this, surely there will be a few individuals to host a few MNs with high security. Don't you think so?

Absolutely - but the cost of doing this is extremely high. During a DDoS a datacenter is having their bandwidth saturated, and it's affecting other customers in the datacenter, so they will typically get their upstream bandwidth provider to null-route all traffic bound for that IP address. The upstream bandwidth provider's equipment is all muscle, no brain, on massive amounts of bandwidth, so it can't route things based on the type of data, only on the destination. Typically this means that DDoS mitigation is done, for example, by having round-robin DNS that spreads the load out to different data centers, and when under attack the DNS records can be updated faster than an attacker can reroute his DDoS. If the attack is sufficiently clever and sufficiently large there will be downtime, but it'll be measured in minutes and not in hours.

The only way to mitigate this is to scrub the data at line rate, which means you need your own very powerful, very clever, very expensive routers collocated at the DC. You're also going to need to rent at least 20gbps of the DC's bandwidth, even if you're only using a tiny tiny fraction of that, as a DDoS attack will fill that pipe and your routers will need to scrub it and only let clean data through. It's definitely doable, but it'll cost you tens of thousands of Dollars a month.


Title: Re: Anonymity
Post by: illodin on August 08, 2014, 11:26:16 AM
If a method is implemented where the wallet can determine the number of running masternodes with a certain level of probability before anonymizing its non-anonymized coins, the incentive to dos the masternodes is taken away. You had some ideas here (https://bitcointalk.org/index.php?topic=718489.msg8120525#msg8120525), but even a superpeer group keeping the count would go a long way imo while a totally trustless solution is found.


Title: Re: Anonymity
Post by: fluffypony on August 08, 2014, 12:35:20 PM
If a method is implemented where the wallet can determine the number of running masternodes with a certain level of probability before anonymizing its non-anonymized coins, the incentive to dos the masternodes is taken away. You had some ideas here (https://bitcointalk.org/index.php?topic=718489.msg8120525#msg8120525), but even a superpeer group keeping the count would go a long way imo while a totally trustless solution is found.

That's true, although my idea was a little half-baked and not entirely thought through;) It still doesn't solve the problem of masternode operators being willing to attack each other to boost their own profits, though, and it doesn't give you any insight as to whether a masternode has been hacked and is being maliciously controlled. If they're hell-bent on using externally observable transaction mixing / coinjoin-style mixing, then the real solution is for every node to be involved in mixing (as with i2p or BitMessage, for instance), and for there to be no financial incentive to mix and no ability to disable it. That's the only way you avoid Sybil attacks and remove the risk of masternodes destroying each other. Then you'd need to add stealth addresses where output destinations are computed with random data, and hard fork so that any tx that has non-stealth outputs is rejected.
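The stealth-address idea raised in this post and in the earlier list of concerns (output destinations computed with random data), as an added example that is not part of the thread or of any coin's code. It follows the CryptoNote-style dual-key derivation but swaps the elliptic curve for a toy multiplicative group mod 2^255 - 19 (not secure parameters), and every function name is hypothetical.

```python
import hashlib
import secrets

# Toy group (assumption for illustration): integers mod the prime 2^255 - 19
# under multiplication. Exponents reduce mod P - 1 by Fermat's little theorem.
P = 2**255 - 19
ORDER = P - 1
G = 2

def keypair():
    priv = secrets.randbelow(ORDER - 2) + 2
    return priv, pow(G, priv, P)

def hash_to_scalar(shared, index):
    data = shared.to_bytes(32, "big") + index.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % ORDER

def make_receiver():
    a, A = keypair()  # view key pair
    b, B = keypair()  # spend key pair
    return {"view_priv": a, "spend_priv": b, "address": (A, B)}

def send_transparent(address, amount):
    # Bitcoin-style output: the published key itself is written to the chain.
    return {"dest": address[1], "amount": amount}

def send_stealth(address, amount, index=0):
    # Sender picks fresh random r per transaction; only R = G^r goes on chain.
    A, B = address
    r, R = keypair()
    shared = pow(A, r, P)                       # Diffie-Hellman with view key
    dest = (pow(G, hash_to_scalar(shared, index), P) * B) % P
    return {"tx_pub": R, "index": index, "dest": dest, "amount": amount}

def scan(receiver, output):
    # Receiver recomputes the destination from R and the private view key.
    # Returns the one-time private key if the output is theirs, else None.
    shared = pow(output["tx_pub"], receiver["view_priv"], P)
    h = hash_to_scalar(shared, output["index"])
    B = receiver["address"][1]
    if (pow(G, h, P) * B) % P != output["dest"]:
        return None
    return (h + receiver["spend_priv"]) % ORDER

def observer_matches(ledger, leaked_address):
    # Chain analyst who saw the address posted publicly (forum, giveaway).
    return [o["amount"] for o in ledger if o["dest"] in leaked_address]

def demo():
    alice, bob = make_receiver(), make_receiver()
    payments = [(alice, 20), (bob, 5), (alice, 7)]  # constructed sample data
    transparent = [send_transparent(r["address"], amt) for r, amt in payments]
    stealth = [send_stealth(r["address"], amt) for r, amt in payments]

    alice_outs = [o for o in stealth if scan(alice, o) is not None]
    return {
        "transparent_linked": observer_matches(transparent, alice["address"]),
        "stealth_linked": observer_matches(stealth, alice["address"]),
        "alice_found": [o["amount"] for o in alice_outs],
        "bob_found": [o["amount"] for o in stealth
                      if scan(bob, o) is not None],
        "spend_keys_valid": all(pow(G, scan(alice, o), P) == o["dest"]
                                for o in alice_outs),
        "distinct_dests": len({o["dest"] for o in stealth}),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

With the transparent ledger the leaked address picks out both of the receiver's payments; with stealth outputs it picks out none, while the receiver still recovers a valid one-time spend key for each.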


Title: Re: Anonymity
Post by: Este Nuno on August 08, 2014, 01:17:35 PM
Well the issue is that the IP and port of the MNs are known to the network and thus making them vulnerable. Well I don't think that all MNs will be able to get knocked down by this, surely there will be a few individuals to host a few MNs with high security. Don't you think so?

Absolutely - but the cost of doing this is extremely high. During a DDoS a datacenter is having their bandwidth saturated, and it's affecting other customers in the datacenter, so they will typically get their upstream bandwidth provider to null-route all traffic bound for that IP address. The upstream bandwidth provider's equipment is all muscle, no brain, on massive amounts of bandwidth, so it can't route things based on the type of data, only on the destination. Typically this means that DDoS mitigation is done, for example, by having round-robin DNS that spreads the load out to different data centers, and when under attack the DNS records can be updated faster than an attacker can reroute his DDoS. If the attack is sufficiently clever and sufficiently large there will be downtime, but it'll be measured in minutes and not in hours.

The only way to mitigate this is to scrub the data at line rate, which means you need your own very powerful, very clever, very expensive routers collocated at the DC. You're also going to need to rent at least 20gbps of the DC's bandwidth, even if you're only using a tiny tiny fraction of that, as a DDoS attack will fill that pipe and your routers will need to scrub it and only let clean data through. It's definitely doable, but it'll cost you tens of thousands of Dollars a month.

Problems like these make problems like Monero's blockchain bloat seem trivial in comparison.

This actually kind of sucks for me because I'm really hoping someone comes up with a solid anon solution that can be implemented in to Bitcoin style blockchain tech at some point.

I guess at this point the only hope is XC's closed source solution. But I'm not holding my breath tbh.


Title: Re: Anonymity
Post by: Lauda on August 08, 2014, 02:30:51 PM
@Fluffypony
Very good questions. I'm excited that we're starting to see some higher level questions again.

1.) Payee addresses are arguably the less important aspect of privacy. As the sender, it's more important to protect your identity. The other side can simply be addressed by generating a new change address per payment. Between the two of these the system would be completely anonymous. Also, after receiving payment, your client will prepare the funds again, increasing their anonymity.

2.) There's not a perfect solution to this yet, but Masternode operators have an interest in getting more darkcoin and keeping their existing investment as valuable as possible. By attacking the network, they would cause harm to their investment. Also, the client is resistant to DDOS attack currently and masternode operators are instructed to close all other ports and have some kind of DDOS protection.

As a longer term solution, we could not broadcast the IPs of masternodes, but an identifier. Users could then say they want to broadcast to that masternode, but not actually connect to it. This would hide the identities and create a much more robust system.
Any other concerns? Looks like that he is interested in such discussions, which isn't surprising considering the amount of trolling in the coin thread.


Title: Re: Anonymity
Post by: aminorex on August 08, 2014, 02:41:30 PM
I'm really hoping someone comes up with a solid anon solution that can be implemented in to Bitcoin style blockchain tech at some point.

Why?


Title: Re: Anonymity
Post by: sumantso on August 08, 2014, 02:45:08 PM
BTSX with TITAN is a good candidate https://bitcointalk.org/index.php?topic=687251.0

Although I can't compare with other anonymous implementations as I know little of them.


Title: Re: Anonymity
Post by: Este Nuno on August 08, 2014, 03:46:36 PM
I'm really hoping someone comes up with a solid anon solution that can be implemented in to Bitcoin style blockchain tech at some point.

Why?

Because I'm involved with a project that is a new implementation of the latest version of Bitcoin and I'd like for it to be able to implement some level of anonymity at some point within the next year or two. The focus of the project isn't on anonymity at this point at all but personally I hope that eventually there will be solutions that won't require building everything from scratch like CryptoNote did.

Wishful thinking perhaps. :P


Title: Re: Anonymity
Post by: DannyElfman on August 08, 2014, 03:53:03 PM
I'm really hoping someone comes up with a solid anon solution that can be implemented in to Bitcoin style blockchain tech at some point.

Why?

Because I'm involved with a project that is a new implementation of the latest version of Bitcoin and I'd like for it to be able to implement some level of anonymity at some point within the next year or two. The focus of the project isn't on anonymity at this point at all but personally I hope that eventually there will be solutions that won't require building everything from scratch like CryptoNote did.

Wishful thinking perhaps. :P

There are ways to add anonymity to bitcoin without changing the code. It won't be on source level, but with service providers. You could do something like a DAC mixer.


Title: Re: Anonymity
Post by: Este Nuno on August 08, 2014, 05:20:07 PM
I'm really hoping someone comes up with a solid anon solution that can be implemented in to Bitcoin style blockchain tech at some point.

Why?

Because I'm involved with a project that is a new implementation of the latest version of Bitcoin and I'd like for it to be able to implement some level of anonymity at some point within the next year or two. The focus of the project isn't on anonymity at this point at all but personally I hope that eventually there will be solutions that won't require building everything from scratch like CryptoNote did.

Wishful thinking perhaps. :P

There are ways to add anonymity to bitcoin without changing the code. It won't be on source level, but with service providers. You could do something like a DAC mixer.

But even in this case don't you still have to trust the DAC's master or owner or whatever? Unless it was truly independent I guess.


Title: Re: Anonymity
Post by: DannyElfman on August 09, 2014, 07:59:38 PM
I'm really hoping someone comes up with a solid anon solution that can be implemented in to Bitcoin style blockchain tech at some point.

Why?

Because I'm involved with a project that is a new implementation of the latest version of Bitcoin and I'd like for it to be able to implement some level of anonymity at some point within the next year or two. The focus of the project isn't on anonymity at this point at all but personally I hope that eventually there will be solutions that won't require building everything from scratch like CryptoNote did.

Wishful thinking perhaps. :P

There are ways to add anonymity to bitcoin without changing the code. It won't be on source level, but with service providers. You could do something like a DAC mixer.

But even in this case don't you still have to trust the DAC's master or owner or whatever? Unless it was truly independent I guess.

The definition of DAC is that it is 100% autonomous. There are semi-smart contracts that are like those you were just thinking of.



Title: Re: Anonymity
Post by: MajidBC on August 10, 2014, 05:57:25 AM
That was clever. So both ends of the transaction are needed.
And, per-kb fee is the limiting factor not to set the number of signatures so high, unless we want to transfer a high amount of money, or a very secret one (for instance to Walter White).

Who is the designer of this transaction method? Is this published in a scientific journal, for instance in a cryptography one?

At the moment we're on a flat per-tx fee, so it's still cheap either way, but yes - once we move to per-kb fees it'll be more expensive to use large signature groups (although not prohibitively so).

The original CryptoNote whitepaper is here: https://cryptonote.org/whitepaper.pdf

The CN whitepaper had not been peer reviewed, so we took that job on ourselves.

Our mathematicians' and cryptographers' raw (and sometimes snarky;) annotations are here: http://monero.cc/downloads/whitepaper_annotated.pdf
The review of the CN whitepaper as presented by one of our mathematicians is here: http://monero.cc/downloads/whitepaper_review.pdf

All worthy reads, and as you can see there's actual mathematics and cryptography and not just pretty pictures:-P

Thanks for the recommendations. I read some parts of the last one, I have M.Sc in Mathematics and it's good to see some mathematics in cryptocurrency. It looked interesting. I will study it completely later.


Title: Re: Anonymity
Post by: MajidBC on August 10, 2014, 06:05:24 AM
ring signatures used in coins like Monero cause blockchain bloat making them unusable for mainstream adoption...so no...XC is what you're looking for, read it and weep if you're not invested already https://bitcointalk.org/index.php?topic=630547.0  ::)

Can you explain a little about mainstream adoption and its compatibility problem with the ring signatures?

It's a very tired argument that gets pulled out and rebutted each time. The Monero blockchain is currently 5.5x the size of the Bitcoin one for comparable total transactions (so linearly larger than Bitcoin's). So when we've had 44 million transactions (as Bitcoin has over its 5.5 year existence) our blockchain will be about 110gb vs. Bitcoin's current 20gb blockchain. This is, in itself, not a problem, as by the time we get there in a few  years disk space will be appreciably larger, and we'll have the same full node problem Bitcoin has (who seriously keeps the full 20gb Bitcoin blockchain on their laptop, for instance) - the majority of our userbase will use lightweight wallets.

A lot of the people that state that Monero has a "blockchain bloat" problem are picking up snippets of conversation between quite intelligent people on the matter without actually understanding the issue. Monero has exactly the same "bloat" problem as XC, DarkCoin, and anything else that uses a form of mixing - you are going to incur additional entries in the blockchain for every mix (or in Monero's case for every additional signature in a ring), which means the blockchain for all of them is going to be linearly larger than Bitcoin's for the same number of transactions. It is a compromise you accept if you want transaction privacy: it uses more space in the blockchain. However, the advantage that a Bitcoin-derived altcoin has is that it can prune the bloated blockchain, whereas with Monero you can never tell if a utxo has actually been spent or just used in a ring signature, so pruning in the Bitcoin sense is not possible. THIS is what they're actually claiming - that all of the blockchains are going to bloat, but Monero's can't be pruned the way Bitcoin's can. It's very, very important to note alongside this that the Bitcoin blockchain has never been pruned, the code to operate off a pruned blockchain is simply not there (that notwithstanding, as of Bitcoin Core 0.9.0 it does have the ability to prune provably unspendable outputs, but that is not the same as the blockchain pruning we are referring to). Therefore, none of these Bitcoin-derived altcoins are actually able to prune their blockchain, despite their belief that they can flick a switch and voila, magically small blockchain. Not unless they have the ability to write code that the Bitcoin core developers and hundreds of contributors have yet to write.

I'm learning a lot from you. I think it's a good trade off, bigger hard disk space but un-linkable and untraceable transaction. I don't know anything about how blockchain works, but I'm thinking about a wallet which deletes the data which is, for example, a month old and can be used just for send/receive. Another wallet for the network. I haven't read the last posts here, and I guess I will find my answer there.


Title: Re: Anonymity
Post by: MajidBC on August 10, 2014, 06:31:54 AM
ring signatures used in coins like Monero cause blockchain bloat making them unusable for mainstream adoption...so no...XC is what you're looking for, read it and weep if you're not invested already https://bitcointalk.org/index.php?topic=630547.0  ::)


Can you explain a little about mainstream adoption and its compatibility problem with the ring signatures?

Imagine 2 blockchains processing the same amount of transactions. Now Chain 1 is running with ring signatures and Chain 2 is not.

Now let's say that every year 500 GB of transaction data gets produced and no blockchain pruning and shrinking is available.
After 1/2/3/4/5 years
Chain 1: 750 GB / 1.5 TB / 2.25 TB / 3 TB / 3.75 TB
Chain 2: 500 GB / 1 TB / 1.5 TB / 2 TB / 2.5 TB

And this is under the best case scenario that ring signatures only produce 50% bigger tx. This number can be higher!

I don't really find it that bad. People will still be able to run nodes no problem and regular people can use thin clients. Assuming that standard Bitcoin style thin clients work with ring sig tech. I assume it does but I don't know.

How do thin clients work?


Title: Re: Anonymity
Post by: smooth on August 10, 2014, 06:37:38 AM
ring signatures used in coins like Monero cause blockchain bloat making them unusable for mainstream adoption...so no...XC is what you're looking for, read it and weep if you're not invested already https://bitcointalk.org/index.php?topic=630547.0  ::)


Can you explain a little about mainstream adoption and its compatibility problem with the ring signatures?

Imagine 2 blockchains processing the same amount of transactions. Now Chain 1 is running with ring signatures and Chain 2 is not.

Now let's say that every year 500 GB of transaction data gets produced and no blockchain pruning and shrinking is available.
After 1/2/3/4/5 years
Chain 1: 750 GB / 1.5 TB / 2.25 TB / 3 TB / 3.75 TB
Chain 2: 500 GB / 1 TB / 1.5 TB / 2 TB / 2.5 TB

And this is under the best case scenario that ring signatures only produce 50% bigger tx. This number can be higher!

I don't really find it that bad. People will still be able to run nodes no problem and regular people can use thin clients. Assuming that standard Bitcoin style thin clients work with ring sig tech. I assume it does but I don't know.

How do thin clients work?

In general terms, you retrieve parts of the block chain you need from a node or server instead of storing the whole thing yourself. There are several different ways of doing that with a range of security and resource compromises. Most users of Bitcoin today are using lightweight wallets (or web wallets).



Title: Re: Anonymity
Post by: MajidBC on August 10, 2014, 06:38:18 AM
ring signatures used in coins like Monero cause blockchain bloat making them unusable for mainstream adoption...so no...XC is what you're looking for, read it and weep if you're not invested already https://bitcointalk.org/index.php?topic=630547.0  ::)

Can you explain a little about mainstream adoption and its compatibility problem with the ring signatures?

Imagine 2 blockchains processing the same amount of transactions. Now Chain 1 is running with ring signatures and Chain 2 is not.

Now let's say that every year 500 GB of transaction data gets produced and no blockchain pruning and shrinking is available.
After 1/2/3/4/5 years
Chain 1: 750 GB / 1.5 TB / 2.25 TB / 3 TB / 3.75 TB
Chain 2: 500 GB / 1 TB / 1.5 TB / 2 TB / 2.5 TB

And this is under the best case scenario that ring signatures only produce 50% bigger tx. This number can be higher!

fluffypony's explanation method is comprehensive and with details, your method is "just in one paragraph". I like both methods :)


Title: Re: Anonymity
Post by: MajidBC on August 10, 2014, 06:48:01 AM
BTSX with TITAN is a good candidate https://bitcointalk.org/index.php?topic=687251.0

Although I can't compare with other anonymous implementations as I know little of them.

From the first post:
No need to exchange ugly addresses. Instead a Name can be registered with the blockchain which suffices to receive payments. The receiver is anonymous to everyone except the sender.

So, we can assign a username to any address? Can we assign more than a username?

Can someone compare it to other anonymous implementations?


Title: Re: Anonymity
Post by: fluffypony on August 10, 2014, 06:55:48 AM
I'm learning a lot from you. I think it's a good trade off, bigger hard disk space but un-linkable and untraceable transaction. I don't know anything about how blockchain works, but I'm thinking about a wallet which deletes the data which is, for example, a month old and can be used just for send/receive. Another wallet for the network. I haven't read the last posts here, and I guess I will find my answer there.

Wallets themselves don't take up sufficiently large amounts of space, the issue is that the blockchain contains the transactions for EVERY wallet (including mixing transactions in the case of other anonymous coins). As smooth explained, most Bitcoin users are using web wallets (Coinbase, Blockchain.info, GreenAddress, etc.) or SPV-style wallets (Electrum, Multibit, etc.) where you don't store the whole blockchain, only the info relevant to your wallet (which is tiny). All of the backends to those services, though, are running full nodes with the full blockchain by necessity.


Title: Re: Anonymity
Post by: clovex on August 10, 2014, 10:06:58 AM
we need anonymity, it was what Satoshi wanted


Title: Re: Anonymity
Post by: MajidBC on August 11, 2014, 07:09:11 PM
I'm learning a lot from you. I think it's a good trade off, bigger hard disk space but un-linkable and untraceable transaction. I don't know anything about how blockchain works, but I'm thinking about a wallet which deletes the data which is, for example, a month old and can be used just for send/receive. Another wallet for the network. I haven't read the last posts here, and I guess I will find my answer there.

Wallets themselves don't take up sufficiently large amounts of space, the issue is that the blockchain contains the transactions for EVERY wallet (including mixing transactions in the case of other anonymous coins). As smooth explained, most Bitcoin users are using web wallets (Coinbase, Blockchain.info, GreenAddress, etc.) or SPV-style wallets (Electrum, Multibit, etc.) where you don't store the whole blockchain, only the info relevant to your wallet (which is tiny). All of the backends to those services, though, are running full nodes with the full blockchain by necessity.

Can web-wallets be used for PoS?


Title: Re: Anonymity
Post by: fluffypony on August 11, 2014, 08:06:58 PM
Can web-wallets be used for PoS?

I would assume so, although PoS is so fundamentally broken in all its current forms (and detailing the reasons it's broken is outside of my wheelhouse, unfortunately) that I'd typically not want to use it either way;)