Bitcoin Forum
May 25, 2024, 12:48:28 AM *
  Show Posts
41  Alternate cryptocurrencies / Altcoin Discussion / Research into ZeroCoin ongoing, and a multiparty non-trusted setup proposed on: March 08, 2015, 07:22:36 PM
ZRC is the "ultimate" case for privacy, in which all tx are totally obscured from the eyes of everyone else and it's impossible to tell how much money anyone else has (or even the system has). The only balances you can effectively know are your own. At the same time you can opt to use cryptography to prove ownership of funds, and where the funds are sent to.

The issue with ZRC was always that you needed a trusted party to set up the initial parameter set. If the trusted party doesn't destroy their keys after setup, then they can freely generate money out of the air and basically control the entire system.

The ZRC guys are now saying that they have found a solution and are implementing it:
Quote
However, I will address this caveat of this trusted setup. So what is this? Our zkSNARK trusted setup is for initial public parameters of the system. It only happens at genesis time. After that, no trust is required in the system ever. However, if the trusted setup is compromised, then an attacker can fake new coins and could totally trash your economy. An attacker cannot break your anonymity or steal your coins. That said, we would like to get rid of trusted setup.

There is a paper by some of us which will be appearing soon (BCGTV15) where we propose a multi-party protocol for sampling the parameters. Efficient MPC protocol. If just one is honest, then parameters are going to be completely secure, meaning that an attacker needs to compromise every single one of the participants presumably on the different continents, to break the setup assumptions.
From the MIT Bitcoin expo:
http://diyhpl.us/wiki/transcripts/mit-bitcoin-expo-2015/zerocash-and-zero-knowledge-succint-arguments-of-knowledge-libsnark/

Of course, an unsolvable issue is when there's a bug that lets someone create a pile of coins that the creators didn't realize existed (as with Bitcoin), since no one can see how much money exists on the blockchain. If the same event happened with ZRC, that user would own 99% of the ZRC that would ever come into existence.
42  Alternate cryptocurrencies / Altcoin Discussion / Re: [DRK] Darkcoin is NOT Anonymous? Possible Proof inside. on: March 08, 2015, 06:41:08 PM
It’s significant to this debate that Darkcoin had ring signatures on its roadmap and decided against implementing them (for now) because of adverse practical issues associated with their use - in particular the bloat problem.

DRK's solution is also O(n) in size and thus has the same relative amount of bloat, as I stated earlier in the thread... The only real reason I can see that DRK stuck to their CoinJoin model was because so much effort had already been put into writing a method of trying to decentralize CoinJoins, and because implementing ring signatures is a giant pain in the ass (you need to keep track of a whole separate database where you keep outputs of the same age in order of their incidence in the blockchain, for one).
43  Alternate cryptocurrencies / Announcements (Altcoins) / Re: [XMR] Monero - A secure, private, untraceable cryptocurrency - 0.8.8.6 on: March 08, 2015, 05:47:12 PM
Two broader thoughts that have come up in discussions elsewhere.

1.) Luke-Jr stated the other day that he foresees ring signature functionality being implemented into Bitcoin in 2-3 years. My response was that even if that actually happens, it wouldn't have a mandatory mix-in level, limiting the anonymity capabilities that Bitcoin could offer with it. However, I've heard others state that you actually wouldn't need a mandatory mix-in level for it to impart "good enough" anonymity for it to kill interest in anything else. Regardless of whether this is true or not, it does sound like something that could steal some remaining thunder from the anonymity-niche coins, given that Bitcoin already has a huge market share.
2-3 years is optimistic for a blockchain that's been bickering over the size of blocks for years now. And yes, you do need minimum mixin levels to make the system secure, although there are ways of doing that within a Bitcoin softfork. However, this presents the problem of money going from non-anonymous addresses to anonymous addresses, which makes blacklisting/censorship really easy (CoinBase can see your output entered into a ring signature output and ban you). Blacklisting in Monero will be impossible.

This is exactly why gmaxwell and andytoshi proposed their Bitcoin sidechain, which uses BRS (Bytecoin Ring Signatures), much like Monero, but using Bitcoin. However, it's likely that the majority of Monero will already be distributed by the time this is released (if ever), and at that point channels to and from Bitcoin, along with much better liquidity, should already exist.

Quote
2.) I've had discussions recently with Bitcoin maximalists who claim that anything built on an altchain cannot succeed, because Bitcoin's blockchain will remain by far the longest chain, and any other altcoin based on a PoW altchain that *ever* begins to compete with Bitcoin for market share will cause interested parties to attack it with the magnitudes of greater resources that are behind the Bitcoin network. My thought on this was that given that Monero uses a different hashing algorithm than Bitcoin, the resources behind Bitcoin couldn't be redirected at Monero in any direct sense (especially if the predominant resources behind Bitcoin are ASICs). Now, that isn't to say that there couldn't *still* be enough incentive involved, if Monero ever became more popular, for Bitcoin supporters to attack Monero by devoting fresh resources/energy to attack it. Thoughts?
The Bitcoin shills are always going to say that nothing will be better than Bitcoin, because all their money is in Bitcoin.

Monero is different. Monero is digital cash, whereas Bitcoin is a hybrid equity-wiring service. Bitcoin has a fixed distribution amount and transparency amongst investors. Conversely, Monero is inflationary, like real cash, with a small distribution period of approximately five years as basically an "ICO". It can be spent with privacy, like real cash. They're different entities, with a different promise.
44  Alternate cryptocurrencies / Altcoin Discussion / Re: [DRK] Darkcoin is NOT Anonymous? Possible Proof inside. on: March 08, 2015, 02:24:25 AM
Well, I haven't really gone through the entire thread but I don't think the DRK CoinJoin is entirely unsound from the perspective of being a centralized CoinJoin.

The theory is basically, you have n many outputs (O_n) of denomination size D. For simplicity, for any O_n there is an owner Z_n.

Z_n sends her output O_n to a masternode (MN) along with a new receiving address A_n. The MN shuffles these O_n as inputs and makes shuffled outputs to A_n in a single tx. The tx is then signed by all Z_n. The MN submits the tx to the network and the outputs are indistinguishable to everyone except the MN. Well, they're slightly known to the participants too, because they know which address and input is theirs.

It suffers from some of the same flaws as ring signatures (I'm not going to go over that, we've already published on them). But at the same time, ring signatures (a) don't require a MN (centralized) to do mixing because you can use any previous outpoint and (b) are somewhat more expensive space wise (but not really; see below) and (c) the MNs know 100% the outputs owned by their participants, who obviously have to connect to them somehow over TCP/IP. The last point is a big deal in terms of privacy, and even with Tor you can have timing correlation attacks.

The size of the ring signature is O(n), but then again, so is sequential DarkCoin mixing, per mix tx. The cost per mix for DRK is that of the signed input and output for the recipient, and the obfuscational security of a single tx is also O(n). For the latter I mean number of participants in terms of inputs/outputs... obviously a single participant is useless, and two participants is nearly useless. So, the DRK method still introduces O(n) bloat. It just load balances it differently.

The fact that the MNs are the centralized authority in the CoinJoin and now in network consensus (as of instant tx, since the MN decide which chain is valid by which tx is allowed to be in it) is more of an issue, along with providing correct incentives. Long term most of the rewards go to the MNs who I would guess will, over time, become progressively more pernicious in their activities. Another issue is legal ones for potential people running MNs, as they're effectively laundering money on behalf of the participants and directly benefiting from doing so monetarily.
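To make the model in the post concrete, here is an added Python simulation (not code from the post, nor from Darkcoin's implementation) of the masternode CoinJoin described above: n participants, one denomination D, one transaction, and then what an outside observer, a participant and the masternode can each link. The participant names, output ids, addresses and the denomination value are constructed sample data.

```python
import random
from dataclasses import dataclass, field

DENOMINATION = 10   # D in the post: every mixed output has this size (constructed value)

@dataclass(frozen=True)
class Output:
    owner: str      # Z_n, known only to the owner (and to this simulation)
    txid: str       # O_n, the outpoint everyone can see on chain

@dataclass
class MixTx:
    inputs: list                          # the O_n the masternode collected
    outputs: list                         # (A_n, D) pairs in shuffled order
    signers: set = field(default_factory=set)

def make_submissions(n):
    # Constructed sample: participant Z_i sends output O_i plus a fresh receiving address A_i
    return [(Output(owner=f"Z{i}", txid=f"O{i}"), f"A{i}") for i in range(n)]

def build_mix(submissions, seed=0):
    """Masternode role: shuffle the addresses and build one tx. Returns the tx and the
    MN's private view, i.e. the input -> address mapping it necessarily learned."""
    addrs = [a for _, a in submissions]
    random.Random(seed).shuffle(addrs)
    tx = MixTx(inputs=[o for o, _ in submissions], outputs=[(a, DENOMINATION) for a in addrs])
    mn_view = {o.txid: a for o, a in submissions}
    return tx, mn_view

def sign(tx, submissions):
    # Each Z_n signs only after checking that its own address appears among the outputs
    for o, a in submissions:
        if (a, DENOMINATION) not in tx.outputs:
            raise ValueError(f"{o.owner} refuses to sign: its output is missing")
        tx.signers.add(o.owner)
    return len(tx.signers) == len(tx.inputs)   # the tx is only valid once everyone signed

def observer_candidates(tx):
    # Outside observer: any of the n inputs could fund any output (anonymity set n)
    return {a: {o.txid for o in tx.inputs} for a, _ in tx.outputs}

def participant_candidates(tx, my_submission):
    # A participant can exclude its own pair, so the others are hidden in a set of n - 1
    my_out, my_addr = my_submission
    return {a: {o.txid for o in tx.inputs if o.txid != my_out.txid}
            for a, _ in tx.outputs if a != my_addr}

def masternode_candidates(mn_view):
    # The MN's anonymity set for every output is exactly 1
    return {a: {txid} for txid, a in mn_view.items()}

def tx_size_units(tx):
    # one signed input plus one output per participant: linear in n, the O(n) of the post
    return len(tx.inputs) + len(tx.outputs)
```

Running `build_mix(make_submissions(4))` shows the three views side by side: the observer's candidate set per output has size 4, a participant's has size 3, and the masternode's has size 1, which is the privacy cost of the centralized mixer; with one or two participants the observer's set is already trivial, matching the post's remark about small mixes.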
45  Bitcoin / Bitcoin Discussion / Re: Cryptonote: More Bitcoin Than Bitcoin on: March 07, 2015, 10:49:01 PM
1. DSA is out of my area of expertise so I'll let others such as tacotime address it.

EdDSA is a 64-bit-architecture-optimized Schnorr signature over a birationally equivalent curve of Curve25519. It was designed by renowned cryptographer Daniel J. Bernstein. Curve25519 has recently been widely used in cryptography software.

DJB wrote about the design of the curve and EdDSA here: http://blog.cr.yp.to/20140323-ecdsa.html
He also made a large comparison table of features here: http://safecurves.cr.yp.to/
46  Bitcoin / Bitcoin Discussion / Re: Cryptonote: More Bitcoin Than Bitcoin on: March 06, 2015, 06:40:21 PM
(the rest of cryptonote changes aren't very interesting)

Surely you find our temperamental and sometimes impossible C code interesting. Smiley
47  Bitcoin / Bitcoin Discussion / Re: Cryptonote: More Bitcoin Than Bitcoin on: March 06, 2015, 04:23:00 PM
I'm not sure you can do ring sigs with a soft fork. A Bitcoin input refers to a source output uniquely. The corresponding output and input scripts are combined and then executed. Upon success the original output is marked as spent. I don't see how you can express a single spend of (one from an ambiguous set of) multiple outputs in Bitcoin without structural changes.

You'd have to add a new OP_CODE for input verification and a separate database bucket for outputs which can be spent as part of a ring signature. In that database outputs would never be considered provably spent. The soft fork rule would be to use the new input OP_CODE to verify a spend from any number of transaction outputs from a list of previous outpoints with ring signature verification.

So... pretty much impossible to get into Bitcoin now I would guess.
48  Bitcoin / Bitcoin Discussion / Re: Cryptonote: More Bitcoin Than Bitcoin on: March 06, 2015, 04:07:29 PM
Garbage. That's the whole strength of Bitcoin: it's transparent, trustful, trace any transaction to the Genesis Block Blockchain Ledger.

Having an anonymous blockchain seems shady, seedy, and made for illicit activity.

Thank God this thing is pretty much dead on arrival anyway.  Soon to be forgotten in the annals of Crypto history.

RIP Cryptonote.

Getting ring signatures in would be a soft fork, and very difficult in the current political climate of Bitcoin. Andytoshi and gmaxwell are proposing it as a sidechain, because almost certainly it would be extremely difficult to do on the main chain. There are many other differences too, e.g. the signature algorithm and inflation which would never be accepted into Bitcoin main chain.

Of course, sidechains themselves are considered highly experimental and I'm a little dubious of them being able to work (but I guess we will see). There's also nothing to stop bilateral two way pegs, that is, transfer of XMR to the Bitcoin blockchain as a tokenized coloured coin and the transfer of Bitcoin to the XMR blockchain as a tokenized coloured coin when sidechains come out. Then blockchains simply become decentralized trading apparatuses with different inherent features.
49  Alternate cryptocurrencies / Announcements (Altcoins) / Re: [XMR] Monero - A secure, private, untraceable cryptocurrency - 0.8.8.6 on: March 05, 2015, 06:29:45 PM
^^ Yeah it's the root(n) paper, sorry. Recalled it incorrectly off the top of my head.

http://www.cs.ucla.edu/~sahai/work/web/2007%20Publications/ICALP_Chandran2007.pdf
50  Bitcoin / Bitcoin Discussion / Re: Superior Cryptonote Technology on: March 05, 2015, 04:01:57 PM
That can't be true, when him and his wife were round for supper on Tuesday night he didn't mention that at all.

IS IT TRUE
51  Bitcoin / Bitcoin Discussion / Re: Superior Cryptonote Technology on: March 05, 2015, 03:09:41 AM
We need a review of this technology. Something brilliant and clever like this should not be ignored. Even satoshi made some comments on the essence of Cryptonote. Maybe he contributed in some way or another towards its development.

Apparently it was in development since a few years and was intended to be a step ahead in the right direction, that is transaction privacy. Cryptonote is the tech which should have been bitcoin in the first place. If it had surfaced a year later after bitcoin, things could have been different.

Um. What do you want to know? I'll talk about Monero since that's the CN chain I've worked on the most.

(1) It uses a different elliptic curve than Bitcoin for signing (EdDSA, which uses Schnorr signatures on a Twisted Edwards curve).
(2) It uses a different hashing algorithm than Bitcoin for PoW, which is AES heavy and currently performs similarly on GPUs and CPUs. One of the main downsides to this is that sidechains are currently impossible (validation takes too long), however as sidechains don't actually exist right now we've been ignoring this. If we want to add sidechain support in the future, the hashing algorithm can be changed to something simple. In the meantime, the algorithm is relatively "egalitarian" in that no specialized hardware is required.
(3) One-time-use addresses ("stealth addressing") are mandatory for all transactions. This makes light clients very difficult to secure or create in general, but it dramatically enhances privacy because it's impossible to ever reuse an address.
(4) All transactions are denominated in base 10, and fractionated by mantissa.
(5) Ring signatures obfuscate spending of outputs by allowing you to do a 1-of-N input for a transaction where you spend funds from Bob OR Alice OR Michael OR Claire OR et cetera. Like one time use addresses, this is a passive privacy technology that doesn't require any active participation of anyone in the network (unlike DarkCoin, CoinJoin, and so on).
(6) A single pair of private keys is used for the recovery of all outputs owned by a wallet, but with a different type of data structure than BIP32 has (viewkey/secretkey).
(7) An implicit, silent multisig implementation centered around Schnorr signatures is being researched and developed (thanks andytoshi/gmaxwell).
(8) Research is ongoing into ways to break our privacy technology and improve it. See: https://lab.monero.cc/
(9) Monero is readily auditable from a regulatory perspective (you can easily prove your ownership of funds if you need to, for example to tax agencies).
(10) It has a much faster emissions (subsidy/reward) curve than Bitcoin. 80% is mined within 4 years. The emissions curve is also much smoother than for Bitcoin, with reward decreasing every block.
(11) Unlike Bitcoin, Monero will have long term perpetual inflation. Subsidy will become fixed in about 10 years time at a flat rate of less than 1%, to keep the chain from becoming fully deflationary and to better incentivize miners. This makes it more likely to be useful as a currency than Bitcoin, in my opinion.
52  Bitcoin / Hardware / Re: HashFast announces specs for new ASIC: 400GH/s on: March 04, 2015, 12:11:23 AM
Quote
Were paid to endorse under contract.
Rofl... even if they were paid, they got more than us.

*snickering intensifies*

I never got paid anything...
53  Alternate cryptocurrencies / Announcements (Altcoins) / Re: [XMR] Monero - A secure, private, untraceable cryptocurrency - 0.8.8.6 on: March 02, 2015, 05:30:40 PM
We're mainly interested in an improvement in overall complexity, and both schemes here are O(n). There is a sublinear ring signature paper that is O(log n) in size that we're looking at more closely.
54  Bitcoin / Hardware / Re: HashFast announces specs for new ASIC: 400GH/s on: February 21, 2015, 12:46:15 AM
HashFast has apparently run out of money for envelopes and is now sending me the legal correspondence on open sheets of paper addressed to my name.
55  Alternate cryptocurrencies / Altcoin Discussion / Re: "Decentralized MasterNode Network" AltCoin Investment Thesis 2015 on: February 14, 2015, 09:31:00 PM
Yes. Be sure to set them up on VPSs for maximum security.
56  Alternate cryptocurrencies / Altcoin Discussion / Re: A good and exhaustive summary of differences between best anonymous coins ? on: February 12, 2015, 12:24:20 AM
Quote
also theres the lack of security against quantum computing

...that's every cryptocurrency that uses a hashing algorithm ever, because of Grover's algorithm (which breaks all known hash functions).
http://crypto.stackexchange.com/questions/419/what-security-do-cryptographic-sponges-offer-against-generic-quantum-attacks
57  Alternate cryptocurrencies / Altcoin Discussion / Re: A good and exhaustive summary of differences between best anonymous coins ? on: February 12, 2015, 12:17:07 AM
Bitshares also has anonymity with TITAN, which is basically default stealth transactions.

I'm not sure how stealth transactions compare to the coinjoin in darkcoin? Could some of the experts give an opinion on this?

Monero has forward and reverse secrecy by default.
Forward: All transactions in Monero are stealth by default, and keys are 100% non-reusable.
Reverse: Transaction inputs can be mixed with outputs from any other unspent output in the past using the same amount with ring signatures.

So, you can't tell where anything is going, and in the near term soft fork (which we will be publishing a paper on shortly) you also won't be able to tell where funds are coming from with any degree of confidence, unless you choose to publish that information on your own.

Monero also has very different economic policies -- it has a tiny perpetual inflation designed to keep the supply growing and to enforce its use as a currency rather than a store of value. This also ensures that blocks in the future will always have some reward, so PoW can continue to secure the network.

Monero, we had always hoped, wouldn't be a "stealth this" or "darknet that", but rather a currency for the everyday person to use with some reasonable expectation of privacy. Because as anyone knows with Bitcoin, it's piss easy to tell if Joe Blow down the street bought his girlfriend an abortion, or if you just spent half your paycheck on booze and cigarettes or a donation to the EFF. It's about having the same reasonable expectation of privacy with a cryptocurrency that you would have with a normal bank account. The government can still always press you to release your private keys or whatever if they want you to pay taxes, and so on. It's a cryptocurrency to help bridge the world between cryptoequity (which Bitcoin really is) and regular currencies, and hopefully one day become an actual, usable currency (unlike Bitcoin).

It's not a threat to the government (it's still much more traceable than cash, just probably less so than DRK/SDC/whatever) or intended for you to use as Internet Crack Bucks. Probably if you want to buy stupid things online, you'd be better off mailing cash.
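The "forward" and "reverse" properties of this post, and items (3), (5) and (6) of the post above listing Monero's features, can be shown end to end in one small Python program. This is an added example, not code from the posts or from the Monero/CryptoNote code base: it runs on a toy discrete-log group (a 64-bit safe prime found at import time, far too small for real use) rather than Ed25519, and the function names (`stealth_send`, `stealth_scan`, `ring_sign`, `ring_verify`, `demo`) are mine. It derives a one-time output key from a recipient's view/spend key pair, shows that only the view key is needed to recognise the output, and then spends that output with a 1-of-N Schnorr-style (AOS) ring signature that verifies for any ring position without revealing which one is real.

```python
import hashlib
import random

# Toy group: a 64-bit safe prime p = 2q + 1 found at import time. These are constructed
# parameters, far too small for real use; the structure of the schemes is the point.
_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def _is_prime(n):
    # Miller-Rabin with fixed bases; deterministic for n < 3.3e24, so fine for our 65-bit p
    for sp in _BASES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in _BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def _safe_prime(bits, seed):
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_prime(q) and _is_prime(2 * q + 1):
            return 2 * q + 1, q

P, Q = _safe_prime(64, 2015)
G = 4  # a square mod p, hence a generator of the order-q subgroup

def _hs(*parts):
    # hash-to-scalar H(...) mod q; parts may be bytes, ints or lists of ints
    data = b"|".join(x if isinstance(x, bytes) else str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def keygen(rng):
    x = rng.randrange(1, Q)
    return x, pow(G, x, P)  # (private scalar, public element)

# One-time ("stealth") addresses: recipient publishes view key A and spend key B.
def stealth_send(A, B, rng):
    r, R = keygen(rng)                          # per-tx key; R goes into the tx, r is discarded
    P1 = pow(G, _hs(pow(A, r, P)), P) * B % P   # one-time output key P = g^H(A^r) * B
    return R, P1

def stealth_scan(a, B, R, P1):
    # With the view key a alone the recipient recognises its outputs: R^a = g^(ra) = A^r
    shared = _hs(pow(R, a, P))
    return shared if pow(G, shared, P) * B % P == P1 else None

def stealth_spend_key(shared, b):
    return (shared + b) % Q                     # P = g^(shared + b); spend key b is required

# 1-of-N ring signature (Schnorr/AOS style). ring = output keys from the chain, j = real signer.
def ring_sign(msg, ring, j, x_j, rng):
    n = len(ring)
    assert pow(G, x_j, P) == ring[j]
    c, s = [0] * n, [0] * n
    alpha = rng.randrange(1, Q)
    c[(j + 1) % n] = _hs(msg, ring, pow(G, alpha, P))
    for k in range(1, n):                       # walk the ring from j+1 around to j
        i = (j + k) % n
        s[i] = rng.randrange(1, Q)
        c[(i + 1) % n] = _hs(msg, ring, pow(G, s[i], P) * pow(ring[i], c[i], P) % P)
    s[j] = (alpha - c[j] * x_j) % Q             # closing the loop needs the real secret
    return c[0], s

def ring_verify(msg, ring, sig):
    c0, s = sig
    c = c0
    for i, y in enumerate(ring):
        c = _hs(msg, ring, pow(G, s[i], P) * pow(y, c, P) % P)
    return c == c0                              # holds for every j; j itself is not revealed

def demo(n_decoys=3, seed=7):
    # Constructed end-to-end run: Alice receives a stealth output, then spends it in a ring.
    rng = random.Random(seed)
    a, A = keygen(rng)                          # Alice's view key pair
    b, B = keygen(rng)                          # Alice's spend key pair
    R, P1 = stealth_send(A, B, rng)             # Bob pays Alice
    shared = stealth_scan(a, B, R, P1)
    stranger = stealth_scan(keygen(rng)[0], B, R, P1)   # wrong view key: not recognised
    x = stealth_spend_key(shared, b)
    decoys = [keygen(rng)[1] for _ in range(n_decoys)]  # other people's outputs, taken from the chain
    ring = decoys[:1] + [P1] + decoys[1:]
    sig = ring_sign(b"spend", ring, ring.index(P1), x, rng)
    return {"scanned": shared is not None, "stranger_scanned": stranger is not None,
            "valid": ring_verify(b"spend", ring, sig),
            "tampered": ring_verify(b"spend!", ring, sig), "ring_size": len(ring)}
```

Two design points are visible in the code: the view key a can recognise and decrypt the shared scalar but cannot produce the spend key without b, which is the viewkey/secretkey split the post describes; and the verifier's loop treats every ring member identically, so nothing in `(c0, s)` depends on which index held the real key. Note also that the signature is O(n) in the ring size, the same linear cost discussed in the Darkcoin threads.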
58  Alternate cryptocurrencies / Altcoin Discussion / Re: Ethereum just kicked everyone (including BTC's) ass (Native 2FA) on: February 09, 2015, 04:48:32 PM
You can do 2-of-4 multisig in any Bitcoin fork.
59  Alternate cryptocurrencies / Announcements (Altcoins) / Re: [ANN] SpreadCoin | True Decentralization (No Pools) | Testing New Masternodes on: February 06, 2015, 07:27:37 PM
But Coinbase and BTC-e are not pools, they are exchanges/online wallets. That's a whole other beast.

A pool can only steal as much as it takes a miner to realize there's something wrong. So if a miner checks the statistics even just once a day, the damage is very limited in size. And the damage of reputation a pool might have from this is much higher than the actual profit that stealing might bring.

(Sorry, should have been 2-of-3 multisig, corrected it)

And the pool cannot steal anything if you're in a 2-of-3 escrow with say, the mediator being a trusted third party (reputable person on this forum, whatever).

So... yeah. I don't think that currently the software is 100% "pool impossible" or anything, it's more "bonded pool mining amenable, with increased incentives for solo mining".

The bigger issue will come when someone decides to multipool SpreadCoin, I'd guess... so you'd mine for a bit on their server for free to generate your initial bond (mining whatever currency is currently profitable), then that bond enables you to mine SpreadCoins but the payout is in BTC. Miners tend to be bottom feeders and will mine whatever is consistently bringing in cash, if the automated multipool is set up correctly I believe you can amortize the risk enough to remain profitable. But for the moment this is a lot of effort.
60  Alternate cryptocurrencies / Announcements (Altcoins) / Re: [ANN] SpreadCoin | True Decentralization (No Pools) | Testing New Masternodes on: February 06, 2015, 07:18:19 PM
MrSpread's latest messages from spreadcointalk.org.

I'm not sure MrSpread's argument makes economic sense... Coinbase or BTC-e could also steal all their clients' coins at any time, and have way more coins than a single pool ever will. However, pools are a business with real revenue and profit, which is lost in the event of theft for a small tangible reward. Certainly exchanges do run off with coins, but it seems like much fewer coins will ever exist on the pool, disincentivizing the pool from stealing the deposits. As has already been mentioned, all deposits can also be stuck in multisigs with a trusted third party (e.g. 2-of-3 multisig escrow), so that in the event that either the pool or the miner wants to try to steal the deposit, they cannot.

At this point I think there is no reason that I can see that a pool cannot be made, the difference with Bitcoin, etc is that such a pool would be bonded mining as opposed to there being no fee for entry in BTC.

I think the issue more right now is that the value of making a pool simply isn't there. It cost almost $20k USD in bounties to get a pool running for CryptoNote coins when we did so with Monero, alongside the possibility of making fees from miners.