Paxful was just another centralized, KYC demanding, zero privacy, zero security exchange, which used the label "peer to peer" as a marketing gimmick despite being no such thing. Just like LocalBitcoins. I do not care in the slightest that they are shutting up shop.

Noones is absolutely just Paxful under a different name and excluding the US. It also has the same KYC requirements, centralized wallets, and all the other downsides of centralized exchanges.

If you want to use an actually decentralized exchange or trade actually peer to peer without these centralized exchanges spying on you and taking control of your coins, then pick an exchange from here, ideally Bisq or RoboSats: https://kycnot.me/

I used the site exclusively via Tor, and after the 04.04.2023 changelog posted here.

I generated and saved a note, and then received the error "Backend offline. Please try again later." I reloaded the page and it progressed normally. I created a new note before proceeding.

Made the deposit transaction and waited for it confirm with the page open. The automatic update on the page was a bit slow, and lagged several minutes behind my node. Clicking the button to manually refresh was faster. However, all data (such as the address) disappears from the screen and the minimum deposit field changes to "NaN" for a good 30 seconds or so before it updates and everything comes back. To me, this looks like the website has crashed or my connection is down. It would be better to change it to say "Refreshing, please wait" or something similar.

Downloaded the guarantee letter, and confirmed the signature no problem. Confirmed the API address given matches the private key in the note.

I shut everything down and started again to make a second deposit. This time I closed the browser immediately after sending the transaction and came back much later. I combined the two notes I had generated with no issues, and received a new note, also with no issues.

At this point, I searched for a way to split my note without withdrawing, but I couldn't find one. It would be great if I could split my note up in to smaller notes. That way I can save them separately, or I could even peel off a note of say 0.01 BTC and give it to someone else to withdraw.

When withdrawing my note, I always seemed to be left with 1 satoshi regardless of number of addresses and the split between those addresses.

Again, downloaded the guarantee letter which confirmed no problem. The withdrawals also proceeded within the desired time without issue.

---

Suggestions/thoughts:

Change the refreshing screen as above to say "Refreshing, please wait" or something similar.

Personally, I'm not a fan of the percentage sliders. I would like to be able to specify an exact amount to go to one or more addresses, and "everything else" to go to another address.

Is it possible to split notes as well as combining them?

Are 2 confirmations necessary for small deposits?

On the withdrawal page, you need to make address field larger so I can see the entire address at once to make it easier to double check. Similarly, I want to see the whole address at the bottom, not just the first few and last few characters.

Minimum deposit: Is it possible to male this lower than 0.001 BTC? This would allow the user to send several small outputs to different addresses via notes and consolidate them in to one larger withdrawal. You could charge a fee from every small deposit to cover the increased fees associated with sweeping lots of small inputs.

I notice on the backend you are sweeping deposits relatively quickly with a much higher fee than necessary, and frequently as the only input in to the transaction. Would it not make more sense to sweep only a couple of times a day, and do so in a large consolidation transaction involving (for example) 100 deposits, and do so with a more appropriate fee? You would save a lot of money this way.

---

My address: bc1q5ha4shf59lnmcmh97x2ee4uafk3dy3twqnl6p4

There is absolutely no way to put a number on the number of coins which have been lost this way, and there is also absolutely no way to guarantee that such coins are actually lost and won't be recovered in the future, either from the owner finding a back up, remembering some important piece of information, brute forcing their missing words, lying about losing it in the first place, etc., or from advances in technology and quantum computers being able to recover such "lost" coins. Given this, it is wrong to say that such coins have been removed from the supply. They could all be moved at any time (and that includes all of Satoshi's coins).

The current number of bitcoin which have been provably lost, burned, unclaimed, or are otherwise unspendable and can therefore be removed from supply numbers only (at present) 2,828.654 BTC.

This is misleading.

During a halving the supply does not reduce. The supply will continue to increase until the final halving event in ~2140. What does happen during a halving is that the rate of increase of the supply reduces.

So although the supply is continuing to increase, it is increasing more and more slowly as time goes on. And so a demand which is increasing more quickly, or even just increasing at a fixed rate, will outstrip the increase in supply and cause the price to rise.

The bottom line is that there is nothing to worry about for many years or even decades.

Out of all the various parts of bitcoin, the bit which is the most vulnerable to quantum computers (via Shor's algorithm) is the elliptic curve itself, which means an attacker being able to take a public key and calculate its corresponding private key. Reverse engineering from addresses (rather than from public keys), mining, and many other parts of the protocol are less vulnerable because they use various hashes, which are far more quantum resistant than the ECDLP.

So at some point in the future we will likely fork to some new quantum resistant cryptography before quantum computers pose a serious risk. We don't need to make any decision regarding this for years or even decades, and indeed, making such decisions now would be a mistake given the entire field is in its infancy and any system we chose today would likely have been replaced by something else by the time it was actually relevant.

Don't forget that in such a scenario then almost all the encryption currently used across the entire internet will similarly be broken, including everything to do with the fiat banking system.

Of course. But as I pointed out in an older post which was quoted earlier in this thread, I am under no illusion that I could very easily forget such things through no fault of my own and with absolutely no warning. Anyone can have a stroke at any time. Anyone can simply trip and hit their head on the sidewalk at any time. Anyone can contract meningitis at any time. The number of possible ways your memory can be damaged cannot be counted. I don't like those odds, especially when it is so trivially easy to overcome them by simply writing your seed phrase on a piece of paper.

If I forget, I'll ask my wife. And as I said above, I can at least look for a physical back up in places I am likely to store one. If you forget your seed phrase, then you are shit outta luck.

Go through the process of restoring your seed phrase to Electrum. Select "Standard Wallet" -> "I already have a seed", and then enter your seed phrase. Before you click on "Next", some text will show up under the box you entered your seed phrase in. Something along the lines of "Seed Type: legacy" or "BIP39 (checksum: ok)". What does yours say?

Are you absolutely certain both wallets used the same seed phrase?

Did the addresses in both wallets start with "1"?

How did you lose the wallet files? Have you checked in the Electrum data directory: https://electrum.readthedocs.io/en/latest/faq.html#datadir

In a scenario where it costs $1 million for a loaf of bread, how many wheelbarrows will you need to cart around the cash you receive for selling a bar of gold? And you better spend all that cash today, because by next week it will have lost another 90% of its value.

So now you are entirely dependent on a third party who can price gouge you. And who is to say that in an economic collapse pawn shops will even still exist or operate or want to buy gold? Not to mention carrying around wheelbarrows full of cash as above, since who knows if internet banking will still be working. Bitcoin solves all of this.

Using a wallet such as Electrum on your phone is good enough for most people.

You forget that I lost all my bitcoin in an unfortunate boating accident!

I don't own any, but if I was forced at gunpoint to buy a coin other than Bitcoin or Monero it would probably be Grin. Mimblewimble in general is very interesting and hopefully will play a bigger role in the future.

Absolutely. I pointed this out in another thread a few months ago after some clickbait saying that RSA had been broken by quantum computers, which it obviously hasn't: https://bitcointalk.org/index.php?topic=5433605.msg61567738#msg61567738

But this is unlikely to be true forever. Shor's algorithm can break RSA and ECC if we get sufficiently powerful quantum computers.

That's a good point, and one I did not consider. For an external observer using blockchain analysis, then a fast mix appears identical to someone using notes. They can see the deposit being made, but since they don't know if the user is using fast or notes, they are unable to reach any conclusions about the time frame of when the withdrawal will be made or how much will be withdrawn. Both fast and notes users benefit from being in the larger anonymity set provided by the other type of user, and having the different process help to obfuscate what is happening.

Neither are actually private.

Given that the secp256k1 curve is defined modulo p, then there are no negative coordinates as anything which would be negative will loop round mod p and end up positive. As pooya87 says, -y = p-y.

Given that the curve equation is y² = x³ + 7, then for every x coordinate there are two valid y coordinates. And because p is an odd prime, negating y by doing p-y as above will change its parity. This means that one y coordinate will always be even, and the other will always be odd. This allows us to compress public keys simply by specifying the parity of the y coordinate as a prefix.

Good question. I assume there is at least one altcoin other than Monero out there somewhere I would consider owning, but I haven't found it yet.

Lol. Absolutely not.

That's not accurate.

As I said above, Grover's algorithm allows a problem to be solved in the square root of n-time. Half of 2²⁵⁶ is 2²⁵⁵. Grover's algorithm reduces 2²⁵⁶ to the square root of 2²⁵⁶, which is 2¹²⁸.

If you are talking about solving the ECDLP, rather than brute forcing part of a seed phrase as above, then you are now talking about Shor's algorithm, not Grover's. Shor's runs in polylogarithmic time, and can factor a k bit number in k³ time. A sufficiently powerful quantum computer (again, decades away) could easily break the ECDLP.

The best solution is to have a set up where compromise of one back up is insufficient to steal your coins, such as separate seed phrase and passphrase back ups, or a multi-sig. Make two copies of each part. That way you have redundancy against accidental loss as well as greater protection against theft.

I remember reading that report thoroughly at the time it was shared. I agree that the structure that ChipMixer used, and the similar structure that Whirlwind is now using, meant that they can't be broken in the same way as traditional mixers exactly for the reasons whirlwindmoney has given above. By allowing users to deposit different amounts to different addresses at different times, to combine and split these amounts freely, to do so over any period of time desired, and then to withdraw any amount of coins from their vouchers/notes, it becomes impossible to track inputs and outputs in the same way this report does. Of course users can still make mistakes such as combining mixed and unmixed UTXOs, but the service itself is not at fault in such cases.

My feeling would be that the fast option would potentially be breakable in the same way that every other mixer is, but notes would not be breakable in the same way that ChipMixer wasn't.

And of course if things get as far as blinded certificates, then it becomes provably impossible to link deposits and withdrawals via blockchain analysis, since certificate issuing, trading, spending, and redeeming, all happens off chain and Whirlpool are blinded to the individual certificates.

I would point out that you really want to be using the graph which displays transactions by weight, not by fee. The fee chart you have chosen vastly distorts things to show very small amounts at low fees and much higher amounts at high fees. If you have 100,000 vbytes of transaction data paying 1 sat/vbyte, then it will show a bar of 100,000 sats in height. If you also have only 10,000 vbytes of transaction data paying 50 sats/vbyte, then that bar will be 500,000 sats in size. So the bar at the higher fee rate will be 5 times bigger despite there actually being only 10% of the data.

So yeah, in the bar at the top on the right hand side, make sure you click on "weight" rather than on "fee" to get a far more accurate representation of the mempool, remembering that each block will remove up to 1 MvB from the top.

---

Given how easy it is to make an RBF transaction, and it is only going to get easier with full RBF spreading through the network, then there really is no reason to ever have a stuck transaction anymore.

Absolutely, but it can't accommodate an infinite amount of stupid decisions and money printing. We are currently riding off of previous successes and a previously strong economy. Prior to the 2008 crash, the Fed's balance sheet was sitting at around $0.85 trillion. 15 years later, it now sits at almost $9 trillion. This means that in the last 15 years, we've printed 9x more money than we had in the entire history of the US before 2008. This is clearly unsustainable.

True, but harder to safely store where you can easily access it, harder to spend, difficult for the average person to verify, and almost impossible for the average person to subdivide as needed to buy goods. All of this is very easy with bitcoin.

Could be. A sufficiently powerful quantum computer running Grover's algorithm can perform a brute force search in O(√n) functions, rather than O(n) functions as a standard computer would. This means that a 2¹²⁸ string could be brute forced in only 2⁶⁴ iterations. This is all dependent on very powerful quantum computers though, which are a long way off.

I think people get too hung up on metal seed phrase storage, and it can actually lead to poor practices. Because of the expense of such devices, many people will just buy a single device and that will be their only back up. Only having one back up is a very risky situation, especially if that one back up is stored at home alongside the device(s) your wallet(s) are installed on. Two pieces of paper in separate geographical locations is safer (not to mention cheaper and easier) than a single metal back up.

Of course owning bitcoin will change that.

Take any country which has recently experienced rampant hyperinflation - Zimbabwe, Venezuela, Argentina, etc. It costs billions (or more) of their local currency to buy a loaf of bread. So what do these countries do instead? They use a different currency altogether. Maybe USD, maybe EUR, maybe something else. All the people who owned this other currency prior to the hyperinflation event are in a far better position that people who are now trying to purchase this other country at exchange rates of billions to one.

If the dollar goes to zero, and it costs a million dollars to buy a single euro (substitute with any other large currency), but I still own a bitcoin worth ~26,000 euros, then I will fare significantly better than if I owned no bitcoin.

Sometimes. Sometimes not. Far too risky an assumption to make.

You are more likely to remember where you physically put something than a list of words you just repeat to yourself over and over. And if you forget the location of your back up, you can at least look for it. If you forget your memorized seed phrase, your coins are gone.

Only if you also have physical back ups. Relying only on your memory is very bad practice.