Bitcoin Forum
May 27, 2024, 02:49:22 PM *
  Show Posts
181  Other / Archival / Re: delete on: October 04, 2014, 02:01:59 PM
How BCX earned his stash:

https://bitcointalk.org/index.php?topic=558711.msg6088400#msg6088400

https://bitcointalk.org/index.php?topic=564145.msg6151873#msg6151873
182  Other / Archival / Re: delete on: October 04, 2014, 01:53:32 PM
Significant BCX posts about the Auroracoin fiasco:

https://bitcointalk.org/index.php?topic=528446.msg5869690#msg5869690

https://bitcointalk.org/index.php?topic=530104.msg5893601#msg5893601

https://bitcointalk.org/index.php?topic=530752.msg5907110#msg5907110

https://bitcointalk.org/index.php?topic=538085.msg5926339#msg5926339

https://bitcointalk.org/index.php?topic=538085.msg5926370#msg5926370

https://bitcointalk.org/index.php?topic=538085.msg5932754#msg5932754

https://bitcointalk.org/index.php?topic=545475.msg5955259#msg5955259

https://bitcointalk.org/index.php?topic=545475.msg5956944#msg5956944

https://bitcointalk.org/index.php?topic=545475.msg5957057#msg5957057

https://bitcointalk.org/index.php?topic=545475.msg5959303#msg5959303

https://bitcointalk.org/index.php?topic=545475.msg5960759#msg5960759

https://bitcointalk.org/index.php?topic=545475.msg5961339#msg5961339

https://bitcointalk.org/index.php?topic=546338.msg5961947#msg5961947

https://bitcointalk.org/index.php?topic=546338.msg5962162#msg5962162

https://bitcointalk.org/index.php?topic=546338.msg5962247#msg5962247

https://bitcointalk.org/index.php?topic=546338.msg5963479#msg5963479

https://bitcointalk.org/index.php?topic=546338.msg5996370#msg5996370

https://bitcointalk.org/index.php?topic=546338.msg6011558#msg6011558

https://bitcointalk.org/index.php?topic=552895.msg6021008#msg6021008

https://bitcointalk.org/index.php?topic=546338.msg6021281#msg6021281

https://bitcointalk.org/index.php?topic=552895.msg6022109#msg6022109

https://bitcointalk.org/index.php?topic=523963.msg6046666#msg6046666
183  Other / Archival / Re: delete on: October 04, 2014, 01:07:04 PM
Meanwhile, the exchanges are seeing large volumes at low prices.

If this isn't market manipulation, I don't know what is.

Look at BCX's post history https://bitcointalk.org/index.php?action=profile;u=29445;sa=showPosts

He has never pulled off a TW attack. He has only made claims about them, but admits he "never got to wear the badge" https://bitcointalk.org/index.php?topic=546338.msg5961485#msg5961485

Everything he has done has been FUD with no proof. Never has he demonstrated any coin killing capabilities.


Other notable failures:
Failed to attack namecoin:  https://bitcointalk.org/index.php?topic=43465.0
Failed to attack litecoin:     https://bitcointalk.org/index.php?topic=94912.0

Someone has even gone so far as to create a petition to have him arrested https://www.change.org/p/bitcoinexpress-have-him-arrested

That is interesting. What about his posts about his claimed attack on Auroracoin?

That post about the 51% attack is I think what happened after his TW attack had lowered the difficulty so much but had not yet reached the point where he could 51% attack?
184  Other / Archival / Re: delete on: October 04, 2014, 01:04:38 PM
This discussion is very tiring.

Mathematically can't get exponential growth of mixing without exponential growth of overlap, unless the supply of transaction outputs is also growing exponentially.

Each output is being mixed with an exponentially-declining share of an exponentially greater number of outputs.

My bounty algorithm shows that old outputs will mix until they hit their trigger of maximum mixes then the sender is de-anonymized. Thus the exponentially growing supply of outputs is continually being pruned, either by a mitigation you will implement or by de-anonymization if you don't implement mitigation.

Quote
attempting to impose some tracing-based blacklist becomes equivalent to a coin ban.

No, only a ring > 1 input ban, i.e. ban on anonymity.

Okay, authorities may ban anonymity. Thank you for pointing that out.

Incorrect, they only blacklisted illegal activity. The anonymity died as an artifact. This can be an important distinction for legal and politically correct "standards" (aka propaganda).

Quote
I never heard of dedicated and concerned developers that expected everything to be handed to them on a silver platter in completely polished form so they don't have to do any work.

I expect nothing. I'm simply pointing out that if you want to be listened to by people with any real technical competence (as opposed to others who don't have the background to even tell the difference between valid and invalid claims), you need to focus your comments in a way that rises above the noise floor of many vague and poorly supported claims (yours and others'). Especially here, where frankly a lot of people are either ignorant, full of shit, or have a hidden agenda (or perhaps all of these). It is up to you whether you want that or not.

Ditto.

Quote
If XMR had responded to BCX's points about the quick difficulty readjustment and 20% discard with a whitepaper about such issues and the Cryptonote solution, then I would be more impressed

We can't and won't respond with a whitepaper to every vague claim of "there might be a flaw" that is posted on bitcointalk whether that is from you or BCX or anyone else.

Thus that is a difference between XMR and my style. Different culture. I took BCX's points seriously and made some interesting discoveries from it.

Quote
You keep repeating your point that authorities won't blacklist because it blacklists the entire coin. And I keep making the point that they don't care. If you fuck with their control over money, they will do anything they can effectively do, even probably taking us to nuclear war if it will achieve their aims. Rather you have to think more in terms of what they can and can't do operatively, not what you think they can't do because you think it is unreasonable.

That is misrepresenting my point. They won't blacklist because it is ineffective: 1) because the output may have already been spent (and it is unknowable whether that is the case); and 2) because downstream blacklisting will be ignored by anyone using the coin at all. And if they do, it won't accomplish much, because, well, it is ineffective (or effective only insofar as a ban is effective).

And you continue to ignore my repeated point that if they control the mining, they can effectively ban.
185  Other / Archival / Re: delete on: October 04, 2014, 12:36:00 PM
If you were trying to "debate" with gmaxwell in place of providing meaningful detail about whatever it is you think...

Afaics detail is there. You can read the thread.  Here is gmaxwell's post.
186  Other / Archival / Re: delete on: October 04, 2014, 12:31:36 PM

4. BCX killed Auroracoin (which btw rpietila invested in and asked my opinion about and I warned him it would be a pump and dump) and now he tells you what the vulnerabilities of XMR are, so these have to be taken as slightly more credible than if randomjoeblow said it.


So you were also complicit all along with the grand lie used to sucker in newbies for pumping XMR. Genuinely disappointed with the charades all around and you don't get a free pass either.  Roll Eyes

Quote
MRO (Monero)
Okay, there was a reason why I wrote on alts. Cause I have just made my first altcoin investment ever! Monero has a trait which pretty much all other alts lack: slow and geometrically decreasing issuance. At present, only 5% of MRO is mined, and even after 4 years there will still be 20% left to be mined. There is no premine, and the community consists of several people Smiley Furthermore, it is at least currently a CPU coin, since the hashing algorithm is designed to make it difficult to implement for GPU let alone ASIC. These things make it "fair" so that there is no way to amass large stashes except by working for them in the competitive mining or buying in the open market.

tacotime, please rethink your strategy about developing for XMR. I hate to see someone of your stature in all this  Sad

I was under the impression that rpietila only invested in XMR and BTC.

Can you link or post PMs that prove your claim?

smooth corrected me by quoting where rpietila posted that he had changed his mind and didn't invest in Auroracoin.

I was nearly certain he was going to invest and assumed he did. I was pretty strongly against investing in it.
187  Other / Archival / Re: delete on: October 04, 2014, 12:29:30 PM
You have unfounded assumptions about shills being around.

Seems like you may have gotten the word shill and supporter mixed up. Or are they the same to you?  Grin Grin Grin

Evidence:



"evidence" with no proof that it is evidence at all....

Sorry try again.

I was providing evidence that 'shrill' and 'supporter' have become confusing for readers to discern.
188  Other / Archival / Re: delete on: October 04, 2014, 12:03:03 PM
Mixing whether it be done by centralized exchanges or by large anonymity sets increases the threat of domino cascade

Exchanges are just an example of a commerce transaction...

Incorrect. The distinction is an exchange acts (by its Terms Of Service) as an unallocated pool for all participants thus it warrants that every coin in the pool is fungible, whereas without explicit anonymity mixing a vendor spends a traceable coin on a transparent block chain and the trail of culpability stays only with that coin, not with all the other coins spent to that vendor.


This is a distinction without an ultimate difference, most certainly to the affected party...

The cost is charged to all customers of the exchange, whereas in the vendors case it is only charged to the last single bagholder holding that specific coin.


Quote
I am contemplating you imply effectively that rings may be so radically cross-mixed that blacklisting anything blacklists everything.

Note the algorithm I did for the bounty. If that algorithm is worthy, then mixing is going to need to be much less overlapping otherwise anonymity is lost.

I wasn't referring to overlapping at all, just the exponential growth of mixes. If one recipient mixes with 5 others and each of those mixes with 5 others, even if there is no overlap, then after a relatively small number of steps, a huge number of coins become mixed.

Mathematically can't get exponential growth of mixing without exponential growth of overlap, unless the supply of transaction outputs is also growing exponentially (which since outputs have to be same sized I think implies unless coin money supply is growing exponentially and/or velocity is falling exponentially). Anyway, I have not formalized that and I am not going to. You guys are invested in ring signatures and thus you need to know.


attempting to impose some tracing-based blacklist becomes equivalent to a coin ban.

No, only a ring > 1 input ban, i.e. ban on anonymity.

More study is always needed, but again we are back to "there might be a flaw." Yes there might be. Anywhere and everywhere. Provide actual analysis or just continue to make these vague sweeping generalities that signify nothing.

Some specifics have been provided.

I never heard of dedicated and concerned developers that expected everything to be handed to them on a silver platter in completely polished form so they don't have to do any work.

Only doing the work and proving out everything will convince more people. There are no shortcuts. Even if I go away, I am not the cause of the price moving one direction or the other. Even rpietila would agree I have no impact on the price.

If XMR had responded to BCX's points about the quick difficulty readjustment and 20% discard with a whitepaper about such issues and the Cryptonote solution, then I would be more impressed.

I have been writing my own whitepaper over these days about issues that were raised in this thread.

Quote
A significant feature of ring signatures is the spender decides (i.e. has autonomy of) what to mix with, thus the authorities can make the spenders culpable for mixing with blacklisted anonymity sets.

Not if the mixing occurred before the blacklisting.

There will always be new coins mined that are not yet mixed with anything. I already made that point once. Thus the entire coin is never banned unless new coin rewards have stopped (but then the coin will be dead anyway according to my theory).

You keep repeating your point that authorities won't blacklist because it blacklists the entire coin. And I keep making the point that they don't care. If you fuck with their control over money, they will do anything they can effectively do, even probably taking us to nuclear war if it will achieve their aims. Rather you have to think more in terms of what they can and can't do operatively, not what you think they can't do because you think it is unreasonable.

Also orthogonally you repeatedly ignore the point that I am not convinced you can have that widespread mixing without having de-anonymization on a large scale. We need my algorithm to be tested so we can know. If that is not a high priority for you all, then fine. I am stating my opinions.

Thus the point that blacklisting is only relevant to fungibility if it occurs in a very narrow time window. Once the horse (and his DNA) is out of the barn, there is no turning back.

Again you ignore ongoing coin rewards (otherwise coin is dead) and de-anonymization (by my algorithm and also users that volunteer their passwords in exchange for an agreement to unlock their coins from the blacklist). Thus the real pinch point is if the authorities control the mining.

Since how many months have I been stating that I don't think anonymity mixing on the block chain is the killer feature that drives a coin to be #2 or #1. I don't think fungibility can be protected that way, but rather the choke point is the control over mining.

If I had to guess I would speculate something to do with the signal-to-noise issue I referenced earlier.

I could claim similarly about your posts. I think it is the nature of debate.
189  Other / Archival / Re: delete on: October 04, 2014, 10:52:32 AM
Mixing whether it be done by centralized exchanges or by large anonymity sets increases the threat of domino cascade

Exchanges are just an example of a commerce transaction...

Incorrect. The distinction is an exchange acts (by its Terms Of Service) as an unallocated pool for all participants thus it warrants that every coin in the pool is fungible, whereas without explicit anonymity mixing a vendor spends a traceable coin on a transparent block chain and the trail of culpability stays only with that coin, not mixed with all the other coins spent to that vendor.

Quote
Blacklisting entire anonymity sets is legally and politically plausible

It is largely useless, since you are blacklisting coins that might well have already been spent...

...because you would be blacklisting many and even most coins after some rounds of mixing.

I am contemplating you imply effectively that rings may be so radically cross-mixed that blacklisting anything blacklists everything.

Note the algorithm I did for the bounty. If that algorithm is worthy, then it appears the mixing is going to need to be much less overlapping otherwise anonymity is lost. So we might discover that blacklisting is viable for Cryptonote because either we mitigate which means less ring overlap, or some of the rings are de-anonymized.

Thus I maintain, "the jury is out, we need more study".

There is a very narrow window of opportunity to actually know whether coins are unspent, before they are used by anyone in a mix. And once they are used, it is only a short time from there before exponential spreading means they are then mixed all over the place and downstream blacklisting is impractical.

A significant feature of ring signatures is the spender decides (i.e. has autonomy of) what to mix with, thus the authorities can make the spenders culpable for mixing with blacklisted anonymity sets. If blacklisting one coin blacklists the entire block chain then as new coins are mined, spenders might choose not to mix them at all.

If we are speculating, then heck the US Justice department is attacking UBS and the entire nation of Switzerland, surely they aren't afraid to attack all the users of a $5 million market cap anonymous coin, or even all the users of a $10 billion market cap coin.

This is why I stated upthread IMO the key issue is what can the authorities actually enforce. If the miners are too decentralized and anonymous (and note mining is not even anonymous in XMR) and spenders have no control over whom they mix with, who will the authorities attack?

I thought about it in April when rpietila first asked me about Bitmonero, and I liked the non-simultaneity (autonomy) and the cryptographic clarity (e.g. no dubiously underspecified DRK masternodes, but which has hence potentially become muddled, but jury is out), but every other aspect I disliked about ring signatures (as I enumerated upthread). Now with the algorithm I presented for the bounty, I am thinking the spender is not even fully autonomous to choose the public keys in his/her ring, but we don't have yet a working characterization of that algorithm thus, "the jury is out, we need more study".

Quote
because with a crack on private keys only the attacker can double-spend his coins

Or did you mean "without?"

Correct.

That being the case, what you said is untrue. Anyone can double spend, simply by spending on whatever fork does not survive...

I've already covered my proposed solution to this in detail in the Longest Chain Rule thread in the Developers subforum. I don't want to repeat what I've already argued there about how to handle forks. Apparently gmaxwell disagreed with me, but he refused to tell me why. Also I've done some additional thinking about that hence, but my thoughts are not loaded in my mind at the moment and I don't want to go digging right now.
190  Other / Archival / Re: delete on: October 04, 2014, 06:54:54 AM
The universe has no edge
Yes, it is a very dull place, mostly.

You don't mean of course unexciting.
191  Other / Archival / Re: delete on: October 04, 2014, 06:48:28 AM

I see no new ground here except "decentralized exchanges are good" (and "forks are bad").

And checkpoints can't substitute for being resistant to forks in every case.

And the increased use of on-chain mixing with large anonymity sets increases the risk of not being able to abandon a sustained bad fork, thus making the threat of forks that much more serious.

And centralized mining is very bad.

I agree except that doesn't really solve the problem, not even in the future, since exchanges are just one example of a good being delivered rapidly (other coins in this case). With any other commerce transaction where the goods or services have been delivered double spending leaves someone holding the bag with no recourse. It doesn't really matter if the blockchain is traceable or not.

Mixing whether it be done by centralized exchanges or by large anonymity sets increases the threat of domino cascade.

Also, the blacklist issue is greatly reduced because a blacklist as you propose would only be effective if put into place before mixing occurs. Once the mixing occurs, you can't undo it, and you can't effectively blacklist the root coins because far enough back you are essentially blacklisting all coins. Not that far even, given the exponential spread of mixing.

Disagree. Blacklisting entire anonymity sets is legally and politically plausible (but I don't know how realistic any delisting is, certainly if mining is centralized it is much more realistic), and the anonymity set can't increase once blacklisted without culpability on the part of the users. Well at least for ring signatures. Thanks for helping me (re-)discover a key qualitative distinction which is very negative on ring signatures.

EDIT: Also, there is still no credible basis for a private key attack due to either de-anonymizing (traceability) or double spending. It hasn't been disproven (indeed most of practical crypto is strictly speaking unproven), but continuing to repeat it as pure "there might be a flaw" is just uncertainty and doubt with no analysis backing it up and is not credible.

Why are you bringing that up? I hadn't mentioned that in our recent exchange and when I did mention it, I said the same as what you just wrote above.

Edit: I guess you are responding to my list of concerns about ring signatures. Btw, I am contemplating that certain hash functions (e.g. SHA256) are much more vetted with cryptanalysis than the simultaneous equations in different number fields that I showed.
192  Other / Archival / Re: delete on: October 04, 2014, 06:32:31 AM
A minor price drop is nothing more than the weak hands pissing themselves and they will regret it soon enough and buy back in at a loss.

This thread has become a joke.

Unless ring signatures are qualitatively the wrong solution for anonymity. The jury is still out on this one. Needs more analysis....

Do you mean "quantifying"? And there has been no proof of that being the case in any shape or form. Please if you have something other than postulations please enlighten us.

I mean qualitatively. To which of my concerns do you claim there is no proof in any form?

P.S. I defer to the head of quantum computing research at IBM on the veracity of the 10-15 years prediction. He explained his reasons. Google is your friend.

I have bolded the "concern" which there is no proof of. You may study something forever but at some point it is assumed true until you can prove it false. And I would say the vetting has been more than adequate.

I've enumerated my concerns. You'd have to try to specifically show me convincingly that each of those concerns has been vetted. Your claim without specifics is not convincing to me.

I hadn't seen the IBM announcement yet.

Quote
However, it is unclear when such a computer would be commercially available. Chuang said it is expected that between seven and 10 atoms will be used in tandem in more advanced quantum computers within the next two years.

Even if this is true, it's a far cry from a system capable of changing the world. I think Chuang is trying to justify his 3 billion budget. And the hard part about this system when it is a reality is in fact going to be qualitatively deciphering the resulting data. So much for boolean.

Since you are claiming authority and not sufficient explanation of the science to convince me you actually know what you are talking about, what are your credentials relative to the head of research at IBM?
193  Other / Archival / Re: delete on: October 04, 2014, 06:27:17 AM
You are correct that if our best known algorithms are impractical to implement with current resources, it doesn't mean there isn't any possible algorithm that will. But here I want to take you back to my discovery about the edge of the universe. I was toying around with the duality of the Bottom and Top type in the two different classes of programming languages and it made me realize that time and the universe is co-inductive and thus the finality or edge is indeterminate, which is analogous to undecidable in the Halting problem.

I totally remember reading about that discovery in Nature or Science...oh wait, it was published on Google Groups. Such legit Tongue

The universe has no edge

That is what I wrote too. And thus we can't be a non-relative observer, nothing is absolute, and the fundamental matter of the universe is cycles.
194  Other / Archival / Re: delete on: October 04, 2014, 06:20:54 AM
Debates with smooth sometimes really help me clarify my own designs.  Smiley

Some transactions are unwound. Unwinding less transactions by being able to segregate transactions in the attacked fork and add to the non-attacked fork those which are not downstream from a double-spend or stolen coinbase afaics doesn't decrease fungibility? Rather it aids a potential political consensus to choose the non-attacked fork.

It does because you are imposing traceability, and with traceability comes the threat of blacklists or whitelists.

That is a risk but doesn't necessarily follow because afaics to absolutely enforce it you must be able to regulate or control the miners.

Also lack of traceability doesn't mean there can't be blacklists or whitelists. The crackdown could even cause people not to mix their coins since mixing with a delisted coin could delist the entire anonymity set.

Also perhaps you can imagine a coin design that was unlinkable because every transaction only had one input and one output. But it would have very high overhead. It would remain traceable.

The point I am making here is that anonymous coins need to be very resistant to fork attacks, because long duration forks are more intractable to recover from.

And my other salient point was that checkpoints can be an illusion.

Also with the resolution of any double spend comes the judgement of which is the "correct" spend.

Not at least for the coinbase double-spends.

For the other double-spends, I had proposed they both get trashed, because with a crack on private keys only the attacker can double-spend his coins. Of course everyone downstream is penalized, but stolen money is stolen money (the alternative might be to split the value between all recipients).

Monero coinbases can't be spent or used as mixes until they are unlocked (rather short now IMO, but will probably change that) so unless the fork is prolonged, and you are on it for a prolonged period of time, none of your spends will be mixed with coinbases nor with anything downstream of coinbases.

Analogously to tx fees, I don't think penalizing users is beneficial if it can be designed another way.

You also can't mix with an output you can't see, so the threat of chain replacement doesn't affect you as an innocent third party.

I don't understand. I am super hungry.

Once the chain replacement is noticed, most likely exchanges (at least the well-run ones) go frozen rather quickly, and again few if any transactions will be affected.

I believe only in decentralized exchanges for the future.

Again penalizing many users is not a design option I prefer.

With any coin you can certainly be downstream of a double spend with no real recourse. Lets say someone double spends to an exchange, and then you withdraw.

Again I see a future only with decentralized exchanges and thus not mixed risk, except for on chain anonymity mixes.

But moreover, I think it is much more important for anonymous coins to be very sure they can't be fork attacked with much less than 50% of the hashrate.

What happens with a transparent or non-transparent blockchain is that your withdrawal from the exchange is unwound (when the other fork prevails) and the exchange is likely out a lot of coins and could go bankrupt. If not then they just reissue the withdrawal transaction to you with some other coins.

A distinction is that with on chain transparency (i.e. decentralized exchanges) then there is no collectivized bankruptcy (other than cascade into anonymity set mixes).
195  Other / Archival / Re: delete on: October 04, 2014, 05:31:58 AM
A minor price drop is nothing more than the weak hands pissing themselves and they will regret it soon enough and buy back in at a loss.

This thread has become a joke.

Unless ring signatures are qualitatively the wrong solution for anonymity. The jury is still out on this one. Needs more analysis....

Do you mean "quantifying"? And there has been no proof of that being the case in any shape or form. Please if you have something other than postulations please enlighten us.

I mean qualitatively. To which of my concerns do you claim there is no proof in any form?

P.S. I defer to the head of quantum computing research at IBM on the veracity of the 10-15 years prediction. He explained his reasons. Google is your friend.
196  Other / Archival / Re: delete on: October 04, 2014, 05:20:44 AM
As I said, one way or another, one chain (fork) will survive. Users on the other chain may scream bloody murder, but arguing with math will get you nowhere.

Yes and if sufficiently mixed, you can't try to appease those who want the bad fork, because you can't extract their transactions from the bad fork and put them into the good fork.

And this is the qualitative threat difference from block chains that don't mix transactions.

Except that all chains have mechanisms of mixes, maybe not on chain, but good luck untangling any block chain after any significant period of time, once people have traded through exchanges (many that are effectively totally anonymous), used coin mixers, used coins to rent rigs and mine new coins, etc. You can probably do it for a small number of blocks, just as a fork of around 40 blocks caused no lasting trouble for Monero last month. But after hours or days, any chain is equally intractable to undo.

Furthermore I'm not convinced even if it could be done, that it would be helpful to users. Fungibility might very well be more valuable than the ability to pick winners and losers after an incident.

True that any coin mixing (i.e. not IP obfuscation mixing) is qualitatively equivalent, but coin mixing on chain could be explicitly denied by only allowing one input to a transaction (and dedicated means to merge balances would be needed) or the user could selectively agree not to use on chain mixing.

Non-decentralized mixers can mix coins without multiple inputs per transaction, but these can't be trusted thus in my mind they are not anonymity any way.

Some transactions are unwound. Unwinding less transactions by being able to segregate transactions in the attacked fork and add to the non-attacked fork those which are not downstream from a double-spend or stolen coinbase afaics doesn't decrease fungibility? Rather it aids a potential political consensus to choose the non-attacked fork, i.e. afaics it adds fungibility.
197  Other / Archival / Re: delete on: October 04, 2014, 04:56:14 AM
As I said, one way or another, one chain (fork) will survive. Users on the other chain may scream bloody murder, but arguing with math will get you nowhere.

Yes and if sufficiently mixed, you can't try to appease those who want the bad fork, because you can't extract their transactions from the bad fork and put them into the good fork.

And this is the qualitative threat difference from block chains that don't mix transactions.
198  Other / Archival / Re: delete on: October 04, 2014, 04:52:34 AM
my recipient has lost his funds.

Yes this is what happens in a double spend scenario

Quote
What if I've died, moved on, lost my private key, etc.. I can't reissue the transaction.

Then you are a small edge case, especially for plausible fork lengths, and even more especially for plausible fork lengths given regular checkpoints (as in Bitcoin and every other reasonable coin). Given the possibility of forks (even normal transient ones) you always need to be prepared to reissue your transaction for some reasonable period of time.

The far more likely cases are that: 1) nothing happens, or 2) you simply see the coins back in your wallet and resend them.

Smooth I am sorry you didn't read yesterday's discussion I had with NewLiberty. I refuse to repeat the same discussion again.

Checkpoints are an illusion given a sustained attacker. Once the attacker's chain gets mixed up with enough important transactions, you will have users screaming bloody murder if you try to unwind them.

You entirely dismiss the concept of time. Ding dong!

"Hey I sold out of XMR when I saw the attack underway and I got out before the stampede in the price, and I damn well don't agree to clawback of my fiat from Polonoxious to the current miniscule price".

Once consensus is sufficiently violated, it is possible you may never get it back again or at least it will be tough slog.
199  Other / Archival / Re: delete on: October 04, 2014, 04:44:05 AM
You're not getting it. The concept of a non-transparent blockchain precludes there being "bad" outputs. There is, in general, no de-anonymizing (certainly no assurance of it) and just outputs (coins) and transactions.

That is my point. With mixing on the block chain, there is no way to rollback just the double-spends if they get extensively mixed in with the legitimate transactions. Thus I do have to fear that when I spend, it can be unwound and that is me doing a double-spend, because my recipient has lost his funds. What if I've died, moved on, lost or discarded my private key, etc.. I can't reissue the transaction.

And on chain mixing could in theory much more amplify this potential Gordian knot.

And please don't equate with waiting for 6 confirmations as you did upthread. Different risk category when we are talking about an extended duration fork attack.
200  Other / Archival / Re: delete on: October 04, 2014, 04:30:06 AM
Whether your output is included in a mix makes no difference to your ability to spend it.

Try re-reading what I wrote.

Hint: I was referring to when bad transactions mix with the same outputs as I do, thus if you can't de-anonymize, then my transaction gets mixed with the double-spent outputs even though neither I (nor my prior trace of coin history) did double-spend.

I can fix that by mixing with no outputs other than mine, thus no anonymity.

I suppose this applies to any form of transaction mixing, not just ring signatures. And it is just a risk of mixing with more outputs increasing the risk of mixing with a double-spend.

Perhaps a difference is if I am sure I am mixing with very old outputs that are unlikely to be double-spent, then another bad transaction mixing with those plus some that are double-spent, I am thinking you can't remove me from the bad set in some convoluted hierarchical scenarios.

Edit: the more I think about it, it is applicable to any form of block chain mixing in transactions, not just ring signatures. The greater your anonymity set, the greater the risk of domino cascade of double-spends into your transaction.
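The two arguments running through the posts above (188/189: a blacklist on one output spreads through overlapping rings until "blacklisting anything blacklists everything" unless de-anonymization prunes the rings; 194/196/199/200: after a sustained fork you cannot separate the transactions downstream of a double-spend from innocent ones once they are mixed) can both be run on a toy transaction graph. The script below is an added example written for this page; it is not code from the thread, from the poster's bounty algorithm (which is not reproduced here), nor from any CryptoNote implementation. Everything in it is constructed: the output and transaction names, the decoy selection, and the elimination rule, which is an assumption about what a chain-reaction de-anonymization step can do (an output is truly spent once, so a ring whose other members are already known spent reveals its real spend). `taint()` is deliberately conservative: a ring that may have spent a tainted output taints every output of its transaction, which is exactly the over-approximation an exchange or an unwinding fork would be forced into when it cannot see the real spend.

```python
"""Taint spread and ring elimination on a toy ring-signature transaction graph.
Added example for this page; names, graph shape and the elimination rule are
constructed assumptions, not the thread's algorithm or any real coin's code."""
import random
from collections import deque


def build_graph(txs):
    """Index (tx_id, rings, outputs) records. A ring is a set of candidate
    outputs, exactly one of which is the real spend (hidden from observers).
    Returns by_tx {tx_id: (rings, outputs)} and ring_index {output: [tx_ids]}."""
    by_tx, ring_index = {}, {}
    for tx_id, rings, outputs in txs:
        by_tx[tx_id] = ([frozenset(r) for r in rings], list(outputs))
        for r in rings:
            for o in r:
                ring_index.setdefault(o, []).append(tx_id)
    return by_tx, ring_index


def eliminate(by_tx):
    """Assumed chain-reaction rule: an output is really spent only once, so a ring
    whose other members are already known spent reveals its real spend. Iterate
    to a fixpoint. Returns {(tx_id, ring_no): real_output}."""
    known_spent, resolved, progress = set(), {}, True
    while progress:
        progress = False
        for tx_id, (rings, _) in by_tx.items():
            for i, ring in enumerate(rings):
                candidates = ring - known_spent
                if (tx_id, i) not in resolved and len(candidates) == 1:
                    (real,) = candidates
                    resolved[(tx_id, i)] = real
                    known_spent.add(real)
                    progress = True
    return resolved


def taint(by_tx, ring_index, seeds, resolved=None):
    """Conservative propagation from seed outputs (a blacklist, or outputs that
    exist only on a fork being unwound). A tx is tainted if any ring may have
    spent a tainted output; a ring resolved by eliminate() counts only for its
    real spend. All outputs of a tainted tx become tainted in turn."""
    resolved = resolved or {}
    tainted, tainted_txs, queue = set(seeds), set(), deque(seeds)
    while queue:
        out = queue.popleft()
        for tx_id in ring_index.get(out, []):
            if tx_id in tainted_txs:
                continue
            rings, outputs = by_tx[tx_id]
            if any(out in ring and resolved.get((tx_id, i), out) == out
                   for i, ring in enumerate(rings)):
                tainted_txs.add(tx_id)
                for o in outputs:
                    if o not in tainted:
                        tainted.add(o)
                        queue.append(o)
    return tainted, tainted_txs


def layered_graph(n=20, layers=3, ring_size=5, seed=7):
    """Constructed chain: layer 0 is n coinbase outputs c0..c(n-1); in each later
    layer tx k really spends output k of the previous layer and pads its ring
    with ring_size-1 decoys drawn from that layer. ring_size=1 is transparent."""
    rng, prev, txs = random.Random(seed), [f"c{k}" for k in range(n)], []
    for layer in range(1, layers + 1):
        cur = []
        for k in range(n):
            decoys = rng.sample([o for o in prev if o != prev[k]], ring_size - 1)
            out = f"o{layer}_{k}"
            txs.append((f"t{layer}_{k}", [{prev[k], *decoys}], [out]))
            cur.append(out)
        prev = cur
    return txs


def spread(ring_size, n=20, layers=3, seed=7):
    """How many outputs are tainted by blacklisting coinbase c0 alone."""
    by_tx, ring_index = build_graph(layered_graph(n, layers, ring_size, seed))
    return len(taint(by_tx, ring_index, {"c0"})[0])


# Hand-built graph (constructed) where one unmixed spend of c0 unravels every
# later ring that reused c0 or c1 as a decoy, shrinking the taint set.
HAND = [("t1", [{"c0"}], ["a"]), ("t2", [{"c0", "c1"}], ["b"]),
        ("t3", [{"c0", "c1", "c2"}], ["c"]), ("t4", [{"c2", "c3"}], ["d"])]


def hand_demo():
    by_tx, ring_index = build_graph(HAND)
    resolved = eliminate(by_tx)
    naive = taint(by_tx, ring_index, {"c0"})[0]
    pruned = taint(by_tx, ring_index, {"c0"}, resolved)[0]
    return resolved, naive, pruned


if __name__ == "__main__":
    print("transparent chain, outputs tainted by c0:", spread(1))
    print("ring size 5, outputs tainted by c0:      ", spread(5))
    resolved, naive, pruned = hand_demo()
    print("resolved rings:", resolved)
    print("taint before elimination:", sorted(naive))
    print("taint after elimination: ", sorted(pruned))
```

On the transparent chain (`ring_size=1`) the taint from `c0` follows exactly one path, one output per layer, which is the "trail of culpability stays only with that coin" case from post 188. With rings of five, each tainted output is a plausible spend for every transaction that used it as a decoy, so the tainted set grows by roughly the ring size per hop until it saturates the layer, which is the over-blacklisting the posts argue about. `hand_demo()` shows the other half of the argument: once elimination resolves the real spend of `t2` and `t3`, those transactions drop out of the taint set, so de-anonymization and fungibility loss trade off against each other exactly as post 188 claims.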