You miss the point of PGP / GPG. First: it probably won't be useful in the future, cryptography moves and advances. Nonetheless, GPG as it is used today is NOT use primarily as a means of encryption. There are plenty of tools that are more performant, more efficient, and arguably more cryptographically secure. GPG's primary purpose is a means of confirming one's identity.

A similar role is served by sites employing DNSSEC to confirm the validity of an A record: it is a means of confirming that that (barring some sort of exceptionally advanced or esoteric attack) you are indeed talking to the server for whatever.domain.you.specified.com. It's a way of confirming the identity for that FQDN.

Traditional stock exchanges, such as the NYSE, have evolved from ancient analog systems, so a lot of this infrastructure (whereby the authenticity of orders is confirmed) is based on the equipment of those brokerages / seat holders being close to the NYSE's tin. An exchange such as MPEX is not evolving from pen-and-paper, so it has instead chosen to take advantage of the system that is one of the most secure and renowned for identity verification over the Internet. It's not perfect, it has nuances and failings of its own, but it's just as cryptographically sound as the NYSE's "please put your box next to ours and run a fibre cable into the jack at the back" solution.

PS. You seem to be a fan of hyperbole, especially with your NYSE comparison. Ironically you fail to take the effect of time into your puerile vitriol. By comparison: if a competitor to Facebook sprung up 2 years ago, would it have 1.32 billion active monthly users by now? Historicity leads to a network effect which creates the companies and organisations we know today. Comparing an organisation with nearly 2 centuries of history with one that has been around for only a few is silly and beyond idiotic, especially since the global paradigms they are operating within are so vastly different. I used to think you were more intelligent than you have proven yourself to be, Jimbo.

Don't worry, you haven't spoiled anything. I live in South Africa, I know exactly what most people can afford more than most people here.

The "most people" you refer to will use a web wallet or an SPV-style wallet, regardless of the disk space they can afford. Full nodes for Bitcoin (and in future for Monero) are only run by crypto enthusiasts or companies who have a vested interest in doing so...and both groups of people can and do own sufficient storage space even at this very moment to soak up a 110gb blockchain.

To your last point, currently the only other way to provide cryptographically untraceable and unlinkable transactions is ZeroCash, which has been discussed at length and has drawbacks of its own (eg. the accumulator creation event trust issue). All the other methods that exist add layers of obfuscation, but do not provide cryptographically untraceable and unlinkable transactions.

Do you want the Butterfly Labs estimate, or my usual "sometime before August 30th, 2015"? :-P

You're incorrect. Bytecoin, Monero's predecessor and the basis of the CryptoNote reference code, had its first commit to github (in fully working form) on November 15th, 2013. The first Darkcoin commit was on January 10th, 2014 when it was still called XCoin (bet you didn't know that;)

Your figures are off, the actual figure for Monero is closer to around 5.5x linearly larger than Bitcoin for comparable transaction amounts. I've already gone over this tired and blatantly incorrect argument further up in this thread so I won't rehash things too much, but suffice it to say that your timeline misses some important details (I mean besides the fact that no cryptocurrency actually has working pruning, just the theoretical prospect of it).

The first is that you're missing time as a frame of reference. Those two chains don't exist at the same time, and by the time the ring signatures chain reaches the level of transactions chain 1 has the lay of the land will be different. In other words, Bitcoin's blockchain right now is 20gb as it processes 61 000 transactions a day with a huge market cap and massive amounts of global reach. If Monero, for instance, reached that level in 5 years time it would have a 110gb blockchain by the middle of 2019. I have a 1tb Kingston thumb drive in my pocket, WD just released the 6tb version of their Red NAS series of drives. With HGST pushing HAMR drives for next year, they expect that in the next 5 years there will be 40tb - 60tb drives that are as readily available and cheap as 4tb - 6tb drives today. Will a 110gb blockchain on full nodes really matter by 2019, when everyone is sporting 40tb drives? By direct comparison: Bitcoin's blockchain takes up 0.5% of today's 4tb drives, and comparably Monero would take up 0.275% of 2019's 40tb drives. In other words, disk space and Internet capacity is rapidly outstripping potential blockchain growth.

Ring signatures provide cryptographically untraceable and unlinkable transactions for a small sacrifice in blockchain storage in a world where disk space is not at a premium.

I'd have the same concerns. Unless Poloniex or whoever offer an SSO, or this app's source is made available and we can deterministically verify the build in the Play store, using this app is extremely risky.

You can generally ignore any error that starts with [P2Px] - if it causes the daemon to crash please open a github issue so we can investigate it more thoroughly:)

The original CryptoNote whitepaper is here: https://cryptonote.org/whitepaper.pdf

The CN whitepaper had not been peer reviewed, so we took that job on ourselves.

Our mathematicians and cryptographers raw (and sometimes snarky;) annotations are here: http://monero.cc/downloads/whitepaper_annotated.pdf
The review of the CN whitepaper as presented by one of our mathematicians is here: http://monero.cc/downloads/whitepaper_review.pdf

Yes exactly:) The problem with any of the Bitcoin-based coins currently in existence is that they cannot/will not FORCE stealth addresses. In other words, if I've received 5 WhateverCoins from you to my stealth address, chances are when I go to spend them I'm going to send them to a non-stealth (regular) address, which thus reveals me to be the recipient of the output. Stealth addresses have to be the ONLY way to transact, and it has to be in from the genesis block on.

The other thing to consider is that stealth addresses *alone* do not protect you. If our aforementioned hypothetical drug manufacturer is busted and gives law enforcement access to his wallet, they correlate an output of a certain amount with that which was paid by you (and vice versa for a payer that is busted). Thus, the other thing that is required is to have a clever mix of outputs such that blockchain analysis can't find unique amounts. Take, for example, this Monero transaction. At first glance it appears to be for 93.487 XMR. But, as you can see, the outputs are 90, 3, 0.4, 0.08, and 0.007 XMR. Thus there's no way of telling the actual amount for this transaction. It could be 90 XMR (with the other outputs merely returning to the sender), or it could be 3.487, or 93, or 90.08, and so on. So now we're, cryptographically, creating transactions are very hard to trace by blockchain analysis alone, even if one party is fully pipe-wrench compromised.

The final step is, of course, plausible deniability. This is what ring signatures provide - the ability for each of those outputs of a transaction to be digitally signed by a group of seemingly valid signatures, such that it is impossible without fully owning the sender and recipient wallets to know if an output "belongs" to someone. And the ring group isn't as small as the mixin you set, the mixin is per output. Thus, on the transaction mentioned above which had 5 outputs: if the sender had sent that with a mixin of 50 that's 250 "people" signing that transaction, for which an observer is unsure which output is true by blockchain analysis alone, which does not even have a unique amount that can be traced.

1. I don't think you can argue that one emission system is better than another, as long as both are fair. It is widely accepted, among those in the know, that Monero's emission curve is quite fine.

2. I'm currently seeing less than 0.5% submitted blocks being orphaned across the network. Pick any pool, in fact, and check how many orphaned blocks they have in their most recently mined blocks: http://moneropool.com/#pool_blocks

3. We inherited the block size penalty from thankful_for_today. It is not something we would have done, as the pitfalls are clear to us, and we have thus since fixed this.

4. As pointed out in 1, it is widely accepted that Moner's launch was fair. There are certainly botnets mining many cryptocurrencies, including Monero, but there is little evidence of it being anything more than the normal result of Monero's organic growth (the same thing happened with Bitcoin and more recently with Litecoin). Monero has had no viruses, only false positives, which is no different to Bitcoin's blockchain that is still flagged as a virus by many antivirus scanners. I fail to see where there have been unannounced GPU miners - when a GPU miner has become available it has been linked in the Bitcointalk OP and spoken about at length. Your bag holders point makes no sense - are you implying that there are people that bought Monero at a certain value and Monero is now worthless? Read the definition of bag holder before using it in a sentence to ensure less confusion. You certainly don't have to like Monero, but outrightly lying is not a very smart tactic. If you're going to say something it's probably better to back it up with a reference or two.

5. Monero offers the same features with no marketing at all, so you've got that going for you:-P

It's a very tired argument that gets pulled out and rebutted each time. The Monero blockchain is currently 5.5x the size of the Bitcoin one for comparable total transactions (so linearly larger than Bitcoin's). So when we've had 44 million transactions (as Bitcoin has over its 5.5 year existence) our blockchain will be about 110gb vs. Bitcoin's current 20gb blockchain. This is, in itself, not a problem, as by the time we get there in a few  years disk space will be appreciably larger, and we'll have the same full node problem Bitcoin has (who seriously keeps the full 20gb Bitcoin blockchain on their laptop, for instance) - the majority of our userbase will use lightweight wallets.

A lot of the people that state that Monero has a "blockchain bloat" problem are picking up snippets of conversation between quite intelligent people on the matter without actually understanding the issue. Monero has exactly the same "bloat" problem as XC, DarkCoin, and anything else that uses a form of mixing - you are going to incur additional entries in the blockchain for every mix (or in Monero's case for every additional signature in a ring), which means the blockchain for all of them is going to be linearly larger than Bitcoin's for the same number of transactions. It is a compromise you accept if you want transaction privacy: it uses more space in the blockchain. However, the advantage that a Bitcoin-derived altcoin has is that it can prune the bloated blockchain, whereas with Monero you can never tell if a utxo has actually been spent or just used in a ring signature, so pruning in the Bitcoin sense is not possible. THIS is what they're actually claiming - that all of the blockchains are going to bloat, but Monero's can't be pruned the way Bitcoin's can. It's very, very important to note alongside this that the Bitcoin blockchain has never been pruned, the code to operate off a pruned blockchain is simply not there (that notwithstanding, as of Bitcoin Core 0.9.0 it does have the ability to prune provably unspendable outputs, but that is not the same as the blockchain pruning we are referring to). Therefore, none of these Bitcoin-derived altcoins are actually able to prune their blockchain, despite their belief that they can flick a switch and voila, magically small blockchain. Not unless they have the ability to write code that the Bitcoin core developers and hundreds of contributors have yet to write.

At the moment we're on a flat per-tx fee, so it's still cheap either way, but yes - once we move to per-kb fees it'll be more expensive to use large signature groups (although not prohibitively so).

The original CryptoNote whitepaper is here: https://cryptonote.org/whitepaper.pdf

The CN whitepaper had not been peer reviewed, so we took that job on ourselves.

Our mathematicians and cryptographers raw (and sometimes snarky;) annotations are here: http://monero.cc/downloads/whitepaper_annotated.pdf
The review of the CN whitepaper as presented by one of our mathematicians is here: http://monero.cc/downloads/whitepaper_review.pdf

All worthy reads, and as you can see there's actual mathematics and cryptography and not just pretty pictures:-P

Monero is based on the CryptoNote protocol. You know that, right? I was answering the question by demonstration (quod erat demonstrandum, as it were).

It's very simple.

Here is my Monero address:

49VNLa9K5ecJo13bwKYt5HCmA8GkgLwpyFjgGKG6qmp8dqoXww8TKPU2PJaLfAAtoZGgtHfJ1nYY8G2 YaewycB4f72yFT6u

Here are 3 Monero blockchain explorers:

http://monerochain.info
https://minergate.com/blockchain/mro/blocks
http://chainradar.com/xmr/blocks

If you can, using any of these blockchain explorers, get my current balance on my address I will give you 10 BTC. A cryptocurrency is not private if your balance can be leaked.

To be clear: this offer expires on August 30th, 2014. I wish you all the best in your pursuit.

In other words, if you mention your address on a forum once, nobody should be able to tell the address balance from the blockchain. That's what anonymity means to normal people. There should be no rich list, and no idea who owns what. If the blockchain reveals the balance of anyone's address then it is not an anonymous cryptocurrency, not even for "normal people".

If you can see someone's balance on the blockchain, it is inherently devoid of unlinkability and untraceability. In other words, if I send 1.486 XC and within a period of time an address receives 1.486 XC a link can be made between the sender and the recipient. No amount of mixing can disguise that link.

http://chainz.cryptoid.info/xc/#!rich

'counter' is correct, you cannot see the balance of anyone using a CryptoNote-based cryptocurrency. It is inherently and truly cryptographically unlinkable and untraceable for ALL transactions.

Do you run a full Bitcoin node with the 20gb blockchain? Just checking.

Monero works (as do the rest of the CN coins including the reference code, as you pointed out), ZeroCash will work as well (although it will have a trusted accumulator problem that remains unsolved at this juncture). No others have this - if you can view the balance on an address it is not untraceable.

Well, remember that you first need to crack either end of a transaction before you even get to the ring signature stage. Pragmatically, then: let's say you've purchased "ileegil drukz" from Walter, a manufacturer. He gets busted by the DEA who beat him with a pipe wrench until he reveals his wallet password. Now they can see all of the incoming transfers. They pick one of them that has, say, a mixin of 5. They now have 5 seemingly valid signatures on each of the transaction outputs (but no direct way of knowing who those 5 signatories are, short of knowing the identity of every single wallet holder on the network). Quite literally the only way for them to prove a transaction happened is to have access to both the sender and the recipient's private keys.

There is no upper bound on mixin, but each signature increases the size of the transaction, so when we move to per-kb fees a higher mixin will cost more. Right now you're only bound by physical transaction size limits. Just to confirm that very high mixins work, I created a 1 XMR example transaction with a mixin of 100 no problem, and it was mined and confirmed with a minute.

I haven't had much time to look into what Bitshares is doing, I tend to focus solely on improving the already working privacy in Monero instead of constantly looking over the fence into everyone else's yard;)

No cryptocurrency has Visa-level scalability right now. Bitcoin *can* be pruned, but it hasn't been pruned yet. I honestly think that Visa-level scalability will come from off-chain transactions - so someone like Visa or PayPal or whoever will provide a way to use the current infrastructure for extremely rapid transacting, and then all accounts will have on-chain settlement every day or week or whatever.

In many, many years time when there is an extremely low-latency (nanosecond-scale) global network on ipv6 and disk space is faster+cheaper+more abundant and cryptography has advanced many fold it is entirely possible that an ancestor of today's cryptocurrencies will provide this level of transacting on-chain. The basic nature of "the size of a transaction" won't change much, so that level of scale is around 100 billion transactions per year (MasterCard: 34 billion in 2013, Visa: 58.5 billion in 2013) which averages out to around 200 000 transactions a minute. A Bitcoin-style pseudonymous network with no mixing (let's not forget that any mixing adds multiple transactions, ie. bloat) will run up about 1.32gb per 10-minute block. A Monero-style network (as it currently stands) will run up about 680mb per 1-minute block, about 6.8gb every 10 minutes. That's a yearly hit of 70tb (Bitcoin with no mixing) and 360tb (Monero). Both of these are unsustainable with our current technology, not only with regards to disk space but also with regards to the low-latency global network required to broadcast blocks and transactions.

The reality is that by the time this becomes possible from a network perspective in many, many years, I can guarantee that both 70tb and 360tb will be irrelevant figures. I already have a 1tb USB flash drive (Kingston HyperX Predator, released beginning of 2013), and WD released their 6th WD Red NAS drives the other day, so storage space is increasing rapidly. In fact, where Moore's law aims to pinpoint processor growth, Kryder's law shows a much sharper curve for storage space growth. His model says that a 14th drive will be available by 2020 and will cost $40, and you can extrapolate from there. By the time the current Internet reaches a point where ipv6 is commonplace and network speed and latency is such that moving even 1.32gb around in 10 minutes is a complete non-issue even in rural Africa, Kingston will have released its Wireless USB 7.0 compatible 2pb HyperZZZ SoaringEagle flash drive, and all this "blockchain bloat" stuff will be a non-issue.