Bitcoin Forum
  Show Posts
121  Alternate cryptocurrencies / Announcements (Altcoins) / Re: [XMR] Monero - A secure, private, untraceable cryptocurrency on: August 23, 2014, 04:24:33 AM
...
...

CryptoNote vs Bitcoin-based solutions

An abstract approach

You can put all outputs in any blockchain-based coin in a DAG where outputs are objects and transactions are arrows. If the transaction involves multiple inputs and multiple outputs, then add an arrow from any input to any output (call this a clique). In any such clique you mix the inputs, which is a good thing. The problem with Bitcoin is that the size of the cliques is severely limited: normally, you only have multiple inputs with a common source and most transactions have only two outputs, one of which is a change address. This allows you to aggregate addresses under the same ownership and this ripples both backwards and forwards (the latter is more troubling since it is the antipode of forward secrecy).

CoinJoin-like solutions attempt both to directly increase the size of the cliques and to address the first part of the problem (common inputs share ownership). Stealth addresses attempt to solve the second problem (everyone sees where the money goes). You can see how instead of saying that CryptoNote is "simply" better than those, it is more accurate to say that those solutions are actually approximate partial fragments of CryptoNote. In other words, any hypothetical Bitcoin privacy solution would necessarily have both a CoinJoin-like AND a stealth address-like mechanism to be viable. Due to technical limitations in the Bitcoin protocol (that would require a hard, hard fork to implement), all CoinJoin-like solutions are complicated Rube Goldberg machines because you can only mix with inputs in your same clique and that is and can never be enough (*) and all stealth address-like mechanisms require extra back-and-forth to perform the DH exchange. CryptoNote does those two things naturally; indeed, one could argue that the main ways in which CryptoNote is not Bitcoin are precisely changes specially-made for these two purposes (plus different PoW and other "variables").

Now you ask, "OK I understand CryptoNote is the shizzle and Bitcoin-based solutions are the groupies, but I think Bitcoin's network effects, prime mover advantage and a decent privacy implementation would make alts an academic exercise." To which the answer only really depends on whether you think any alt can overtake Bitcoin at all and has not much to do with privacy. People have very strong beliefs about this question generally. My answer (and that of many if not most here) is that it is entirely possible, but not necessarily probable, since they cater to different markets (light vs dark liquidity) and thus we move to a different question.

If you really care about privacy then you understand that approximate privacy is no privacy. Monero's attack surface is flat compared to a hypothetical Bitcoin solution's fractal closure. Whoever sees this will use Monero instead of the Bitcoin-solution for privacy even if the userbase for Monero is much smaller. (*) This is because CryptoNote allows mixes with the past outputs. This means you do not need other participants (which is a seriously heavy rock that all CoinJoin approaches have to carry around). On the longer term, this means you can mix even if there are only two people left using the network; even if the last transaction was last year; and so on, even if everyone stopped using Monero after this block you could still mix ten years later.

Finally, give me a function that decides in poly-time the question "Is output X the true source of the money that reached output Y?" in a CryptoNote DAG where all ring signatures have size at least 24 and I can probably decide 3-SAT in poly-time. The constant in the reduction could go to 12 since I'm pretty sloppy with map/fold. This means deterministic linkability is NP-hard and this is a very powerful result -- if the protocol is not misused, plausible deniability will never be compromised. If anyone's interested in pursuing this thread, the next question I have in mind is "What happens if we relax 'decides' to 'PAC-decides'?" A discussion of taint could come in handy here.
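An added illustration of the clique and address-aggregation argument in the "abstract approach" post above. It is not part of the original post; the ledger, the address labels and the assumption that the change output is already known are all constructed for the example.

```python
from itertools import product

# Constructed sample ledger, not real chain data. "change" marks the output
# assumed to have been identified as change (an assumption of this example).
TXS = [
    {"id": "t1", "inputs": ["A1", "A2"], "outputs": ["B1", "A3"], "change": "A3"},
    {"id": "t2", "inputs": ["A3", "A4"], "outputs": ["C1", "A5"], "change": "A5"},
    {"id": "t3", "inputs": ["B1"],       "outputs": ["D1", "B2"], "change": "B2"},
    {"id": "t4", "inputs": ["B2", "B3"], "outputs": ["E1", "B4"], "change": "B4"},
]


def clique_edges(tx):
    """Arrows of the DAG: every input of a transaction points to every output."""
    return sorted(product(tx["inputs"], tx["outputs"]))


def cluster_owners(txs):
    """Union-find over addresses: co-spent inputs and the change output of a
    transaction are merged into one ownership cluster."""
    parent = {}

    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]  # path halving
            a = parent[a]
        return a

    def union(a, b):
        parent[find(a)] = find(b)

    for tx in txs:
        for addr in tx["inputs"] + tx["outputs"]:
            find(addr)  # register every address, including ones never merged
        first = tx["inputs"][0]
        for addr in tx["inputs"][1:] + [tx["change"]]:
            union(first, addr)

    clusters = {}
    for addr in parent:
        clusters.setdefault(find(addr), set()).add(addr)
    return sorted((sorted(c) for c in clusters.values()),
                  key=lambda c: (-len(c), c))


def ring_source_assignments(ring_inputs):
    """Ring-signed inputs each name a set of candidate past outputs. In the
    model the post describes, every combination is equally consistent with
    the chain, so no candidate can be merged into the spender's cluster."""
    return list(product(*ring_inputs))


if __name__ == "__main__":
    print(clique_edges(TXS[0]))
    for cluster in cluster_owners(TXS):
        print(cluster)
    # Two inputs, each hidden among three candidate outputs (constructed labels).
    rings = [["o1", "o2", "o3"], ["o4", "o5", "o6"]]
    print(len(ring_source_assignments(rings)), "equally plausible source sets")
```

Four small transactions are enough to collapse nine addresses into two multi-address owners plus three payees, which is the backward and forward rippling the post refers to.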
122  Alternate cryptocurrencies / Announcements (Altcoins) / Re: [XMR] Monero - A secure, private, untraceable cryptocurrency on: August 22, 2014, 12:49:36 AM
Sometimes I wonder if marterluc is watching XMR
123  Alternate cryptocurrencies / Announcements (Altcoins) / Re: [XMR] Monero - A secure, private, untraceable cryptocurrency on: August 13, 2014, 02:57:33 AM
I want to study this further...

I get concerned with quick changes and 'mandatory' updates....

With good reason based on experience.

The mandatory update is pretty old now. It is mandatory because the old versions used a fixed TX fee much too small to prevent dust and spamming. If you tried to use an old version, no miner would take your transaction. This also helps blockchain size.
124  Alternate cryptocurrencies / Announcements (Altcoins) / Re: [XMR] Monero - A secure, private, untraceable cryptocurrency on: August 09, 2014, 09:50:12 PM
Maybe dumb question, but what are the effects of higher vs lower mixins on

-blockchain size
-transaction speed

TX size grows linearly with mixin count. TX data is the bulk of the blockchain size, block headers being relatively negligible. TX speed is not affected. At this moment TX fees are not affected but that is likely to change in the future.
125  Alternate cryptocurrencies / Announcements (Altcoins) / Re: [XMR] Monero - A secure, private, untraceable cryptocurrency on: August 09, 2014, 12:15:27 AM
I would like to see the mixin as well.

Also, just to clarify something: this is a complete rewrite of simplewallet and not a wrapper, correct? If so, then it must be able to connect to a daemon on another device, correct? If so, then there is no reason the wallet will not be compilable for ARM, correct? If so, then it will be truly cross platform (Windows, Linux, OSX, Windows Phone, Android, iOS), correct?

If not, please let me know where my enthusiasm gets derailed.
126  Alternate cryptocurrencies / Announcements (Altcoins) / Re: [XMR] Monero - A secure, private, untraceable cryptocurrency on: August 07, 2014, 10:58:46 PM
With a rooted phone you could make sure the app only talks to the servers it is supposed to talk. But you can't know what it talks unless you don't SSL it, in which case you might as well just run the app - your account gets hijacked either way.
127  Alternate cryptocurrencies / Announcements (Altcoins) / Re: [XMR] Monero - A secure, private, untraceable cryptocurrency on: August 06, 2014, 02:07:06 AM
Let's see. PoS, 2 week PoW that just ended, less liquidity than MRO on smooth's OTC exchange, looks pumped already. Hmmmmm, I'll pass this one.
128  Alternate cryptocurrencies / Announcements (Altcoins) / Re: [XMR] Monero - A secure, private, untraceable cryptocurrency on: August 05, 2014, 04:40:32 AM
I don't have a user on HitBTC so I can't see the orderbooks, but as much as I like a good, funny, story with a lesson embedded in the consequences, if Kozi is right about the thickness, then he's also right about the fraud or bug. Unfortunately, life is often darker than the narratives we use to rationalize it. I'm (casually) waiting for an explanation as well.

Edit: Obligatory bait:

well almost happened to me on polo... was on a crappy coin and thought was on drk, so I almost bought 2k worth at last second I realized the curves were just not right, and saw I wasn't on right coin.

Sounds like you were in the right place.
129  Alternate cryptocurrencies / Announcements (Altcoins) / Re: [XMR] Monero - A secure, private, untraceable cryptocurrency on: August 05, 2014, 12:31:35 AM
Some other fat finger at Gox the other day probably wanted to sell 5 BTC at 800 and managed to sell 800 BTC at 5. That's when I stopped complaining about how much my day sucked.
Ouch! Any screenshot, source, something?

Sorry, I was too busy LMFAO'ing. Consider it an anecdote or a fable unless somebody corroborates. Maybe bitcoinwisdom can dredge some data (market sell completely out of the blue with no continuation, quantity between 790 and 820 BTC when market price was within 10 units of quantity - that's all I remember).
130  Alternate cryptocurrencies / Announcements (Altcoins) / Re: [XMR] Monero - A secure, private, untraceable cryptocurrency on: August 05, 2014, 12:05:28 AM
Some other fat finger at Gox the other day probably wanted to sell 5 BTC at 800 and managed to sell 800 BTC at 5. That's when I stopped complaining about how much my day sucked.
131  Alternate cryptocurrencies / Announcements (Altcoins) / Re: [XMR] Monero - A secure, private, untraceable cryptocurrency on: August 04, 2014, 11:15:49 PM

Nice.  But this looks like all the known public pools have over 90% of the HR.  I added the HR #s on the chart and they equal the estimated network rate.  Does this mean that the combined % for solominers, private pools and botnets is <10%?

Yep, pretty much. I was kinda surprised there wasn't more unknown/solo hashrate as well. The total network hashrate is just a simple estimation based on the current diff, but it matches pretty well with what all the pools are reporting. Let me know if you think something is off though, and I'll be happy to try and fix it.

We only have an upper bound on solo and private pools if botnets use public pools. I would be interested in some insight from the public pool ops whether there is any way they can identify bots with any likelihood better than a Bayesian guess.
132  Alternate cryptocurrencies / Altcoin Discussion / Re: Complaints about amount of Monero posts thread on: July 21, 2014, 12:55:10 AM
Thanks:) We are strong believers in doing things in a way that is sustainable and holds value for Monero in the long run, so it's really just an embodiment of those values.

It is not even the 'greater good'. It's simply a prisoner's dilemma in which it is self-servingly rational to cooperate.

This means getting the incentives right and that's exactly why Monero is and will be hot.
133  Alternate cryptocurrencies / Altcoin Discussion / Re: [XMR] (Unofficial) Community Monero FAQ thread on: July 11, 2014, 10:20:17 PM
Q: Can you explain what is viewkey in XMR donation address?

XMR:
46BeWrHpwXmHDpDEUmZBWZfoQpdc6HaERCNmx1pEYL2rAcuwufPN9rXHHtyUA4QVy66qeFQkn6sfK8aHYjA3jk3o1Bv16em

viewkey: e422831985c9205238ef84daf6805526c14d96fd7b059fe68c7ab98e495e5703

May we know publicly, what money are donated via XMR, as we can track balance and/or income via BTC blockchain?


Unlike Bitcoin-based cryptos, Monero doesn't have two keys per address (public, private) but instead it uses three (public, view, spend). The view key allows one to view a wallet's activity (just like blockchain.info does in Bitcoin) but not spend funds - it is like a read-only key for an address. The spend key is like the private key in Bitcoin.
134  Alternate cryptocurrencies / Announcements (Altcoins) / Re: [ANN][MRO] Monero - Anonymous Currency Based on Ring Signatures on: May 29, 2014, 04:32:46 AM
Hi, how do I make a transaction? Is address 1 my address or the destination address? What is with the mixin_count? And where do I put the transaction id from poloniex? Please give me an example. Thanks in advance.

The address is the address to which you are sending, not yours. The mixin count determines the sender anonymity of the transaction (if you don't want the transaction traced back to link with your other transactions). If you aren't concerned with that you can use 0, although 1 is generally better. The payment ID goes at the very end, after the amount:

Quote
[wallet] transfer mixin destination-address amount payment-ID



Mix-in is the size of the ring signature (how many past transactions to use to blend your sender's address in?). Use a number from 0 to 99/100. Zero means no hiding, you are the only one signing. One means use another transaction as well to sign the transaction. This makes it possible for you to deny being the sender legally (it wasn't me, I swear. It was the other guy who mixed with me). The CryptoNote whitepaper proves mathematically that nobody can guess, only from reading the blockchain, which one was the actual sender with better than 50% accuracy (meaning you could flip a coin and do no worse). This scales up with the size. If you mix with 99 others nobody can guess it was you with better than 1% accuracy. The downside is a bigger transaction. Right now there is a fixed fee for all transactions but this will change at some point. In practice, a mix-in of 5 is considered reasonable and one of 20 is considered probably sufficient for all future practical purposes. (Please somebody correct my numbers if wrong)

You can mix in layers, say mix once send to yourself mix again send to destination. This multiplies the mixing factors but probably opens up some attack vectors which are not yet well understood such as timing attacks. If you only mix in one layer there are very few avenues to extract any information from the blockchain. In this sense Monero is almost perfectly opaque (pseudonymous and untraceable). Once I2P routing is implemented around August or so then that also becomes true about your IP address.
135  Alternate cryptocurrencies / Announcements (Altcoins) / Re: [ANN][MRO] Monero - Anonymous Currency Based on Ring Signatures on: May 28, 2014, 07:54:28 AM

Having a longer mining horizon doesn't necessarily increase a future user's access to a coin. It increases a future miner's access to it. But in the long run, mining is dominated by professionals so this group diverges from the mainstream. Bitcoin and Litecoin are examples of this. An ordinary user is largely restricted to buying it on the market, which is available regardless of the emission curve. So the egalitarian aspect of the argument exists, but it plays out weakly in the real world.


I thought the point of CPU-only was that users are miners and run the network in a decentralized cost that most absorb invisibly as some small bump in power bill cost.
136  Alternate cryptocurrencies / Announcements (Altcoins) / Re: [ANN][MRO] Monero - Anonymous Currency Based on Ring Signatures on: May 28, 2014, 07:49:53 AM
It's healthy to discuss curve tuning in the interests of long-term health of the coin and its economy.  Tedious, perhaps, but healthy.

Tedious and useless. This has already been decided and is considered part of the social contract. It won't change unless the entire dev team behind this coin breaks up and blows away, because there is 100% unchangeable agreement on this point.

There will likely be a change to allow for some perpetual rewards on the back end, as was stated up front. That was the motive for wanting a flatter curve from the start: It was meaningful rewards out for a longer period of time, not trying to tinker with inflation and "pump" up the value. That important goal will instead be achieved using the second method, as I have described.

There will not be tinkering with the curve.

If you don't like it, please exit now, and head on over to QCN or some other curve-tinkering clone.

Otherwise, let's have healthy discussion about things that might actually happen with this coin.



I think it is quite myopic to think like that. The backlash over premining is not that it changes the rules, but that it changes them to the interest of those already in power. This is what the whole crypto world was supposed to solve.

I am a holder and would buy more if the curve was flattened and the current holders' accounts halved. "Half ma coins" is not the target audience. The change is against the current owners and for the future owners. The reason those in power do it is because they are more heavily invested (financially or otherwise) and therefore more risk averse. They prefer -EV bets that increase the coin's long term success.

That is my argument for the holders, for the non-holders and the core of the associated PR campaign. Monero can be the coin that does things better, even in terms of policy.

Edit: I sometimes feel like the Monero community temporarily forgets the scope we aim for. If successful at what it pretends to become, Monero will not be drug dealers and shady biz money, but instead it will be the People's Republic of Offshore. There is a large difference in audience between the two.
137  Alternate cryptocurrencies / Announcements (Altcoins) / Re: [ANN][MRO] Monero - Anonymous Currency Based on Ring Signatures on: May 22, 2014, 06:05:12 PM
I told Evan to reconsider the use of ring signature due to their scaling / bloat issue a bit prior to his post: https://bitcointalk.org/index.php?topic=421615.msg6862900#msg6862900

If he can do it without ring signatures+bloat, we're great.

What we are actually discussing right now is this:

99.99% of transactions are already private/anonymous to all but a bad actor that has access to all the network. Otherwise if someone sees a DarkSend they don't know who sent what to who. (provided they'll also have IP obfuscation / TOR etc)

So, we are not talking about achieving privacy or anonymity right now. We're trying to be NSA-proof, or close to that so that the theoretical event of someone knowing what goes on is eradicated. As far as I understand, Evan has an idea on how to improve the way masternodes conduct their transactions so that even the nodes don't know what they are transacting. When that happens, even controlling all the nodes will be futile as an attack vector and almost total anonymity can be achieved - at least as far as coin mixing goes (Bytecoin is also coin-mixing, Zerocoin is in another league but has other drawbacks).

Bytecoin will also have to fix its own issues to become NSA-proof. As it is right now, it is not. And the extremely low transaction volume in its network doesn't allow for much mixing (same applies for clones). Mixing without volume = problem. Darkcoin has a tremendous advantage in that department.

Masternodes are such a blatantly broken idea I cannot imagine someone encourages it in good faith. How do masternodes/miners/whoever verify if a coin is not double spent and originates from a wallet with sufficient balance if they don't know what they are transacting? There are three options:

1. Zero-knowledge proofs, but that is Zerocoin at the moment and the drawbacks are catastrophic.
2. Ring signatures and similar mixing constructs that hide the sender in a subset of the network.
3. Some other information leak that is not documented.

Do you understand why there is no other way?

If the New and Improved DRK implements 2, then it has at most the same strength as MRO and possibly less, with the added bonus(?) of more, unnecessary centralization. If it implements 3, then it is a failed anonymity solution. The short answer is that ring signatures are cryptographically near-perfect mixing and no Bitcoin fork can ever natively support them.

As for your last paragraph, it is factually wrong. MRO does not need high volume because it doesn't mix transactions but outputs (even spent ones from the past). This is a tremendous advantage that MRO has and DRK doesn't, contrary to your assertion. And even gmaxwell, author of CoinJoin, sees no point in DRK.
138  Alternate cryptocurrencies / Announcements (Altcoins) / Re: [ANN][MRO] Monero - Anonymous Currency Based on Ring Signatures on: May 20, 2014, 10:32:57 AM
cool! thanks for that. but then why is there a need to supply one when sending to exchanges? what about sending to normal users?

None of the exchanges have a proper exchange wallet yet for MRO - they use simplewallet or something very similar. So instead of using one wallet for every user, they dump everything in one wallet and use PayID to route to user. It is the exchanges' "problem".
139  Alternate cryptocurrencies / Announcements (Altcoins) / Re: [ANN][MRO] Monero - Anonymous Currency Based on Ring Signatures on: May 20, 2014, 09:34:11 AM
Trying to piggyback on the success of DarkCoin? Nice try. Little too late, little too ancient technology. Next time release 2 years earlier.

Haterz gon' hate. Scared of the threat to your investment? Technology so ancient DRK are struggling to implement it.
140  Alternate cryptocurrencies / Announcements (Altcoins) / Re: [ANN][MRO] Monero - Anonymous Currency Based on Ring Signatures on: May 20, 2014, 03:18:01 AM
Must I type the command all the letters? There probably appear mistakes. I just try to copy into the command line but I cannot. Can the command be pasted?

Right click on the title bar, edit, paste.

How do I get my decrypted monero private key?

How do I display it from within simplewallet?

I don't think you currently can. A MRO wallet has three files:

1. wallet.bin.keys contains your private keys in binary, encrypted with your password
2. wallet.bin.address.txt contains your public keys in text, ready for copy-pasting
3. wallet.bin itself is just a cache of the blockchain

To make a paper wallet you should convert wallet.bin.keys to some text format (hex, base58 etc) and save that, together with your wallet password. Agreed it is not one-click at the moment.