both would be equally doomed if it was exploited today
1. In Bitcoin, you have
secp256k1, and in Monero, you have
Curve25519. They are fundamentally different, because the former has h=1, and the latter has h=8 (and using h>1 already caused some problems in the past).
2. If you had RingCT in Bitcoin, it would be optional, and behind N-of-N Taproot multisig. Which means that only those multisigs would be affected; everyone else could avoid overprinted coins. It is the same story as with millisatoshis: if you find a bug there, then only LN users will be affected (and after closing their channels, the problem will be solved).
There could be a bug in seed generation and some hacker could drain all the funds in Bitcoin and Monero.
Is that stopping you from trusting it?
Note that Monero will suffer more from that kind of bug, because if you know the private key to "H(G)", then you can print new coins and remain undetected. In the case of Bitcoin, you can only move existing ones, and that will alert the true owner of those coins (and everyone else, because it will be publicly visible that, for example, Satoshi's coins were moved).
Also, we already had those kinds of bugs. In Bitcoin, those funds just moved, for example from brainwallets.
https://mempool.space/address/1C7zdTfnkzmr13HfA2vNm5SJYRK6nEKyq8 (this is "correct horse battery staple"; it received and spent 21.88971469 BTC at the time of writing, and there are many more unsafe keys like that).
Please watch it before continuing discussion.
Sure, here we go:
Because we rely on things we can't validate using our eyes and a calculator all the time (eg. hashing, key derivation)
We can validate hashing, and I did it some time ago:
https://bitcointalk.org/index.php?topic=5402178
Also, when it comes to key derivation, many people tried to reinvent the wheel, for example:
https://bitcointalk.org/index.php?topic=5321992
Of course, that kind of key derivation is unsafe, but it can clearly show you what the difference is between hardened and non-hardened keys (in the case of non-hardened ones, you use SHA-256(pubkey||nonce), while for hardened ones, you simply have SHA-256(privkey||nonce), and you can easily see why we use different KDFs in practice).
There is little value in worrying about this as if there's a break in something like the discrete logarithm problem then we have much bigger problems
If the x-value of your public key is a hash of something, then it may be possible to create a valid signature without solving "the discrete logarithm problem". There are transactions and signatures out there where nobody knows the private key, but they are valid, because of some bugs. Some examples:
https://bitcointalk.org/index.php?topic=5373858
https://mempool.space/testnet/address/032baf163f5e27261ab3228e61fb86dc98054abd514751fce93d7444e8fbc6a293
Literally nobody knows the private key to 032baf163f5e27261ab3228e61fb86dc98054abd514751fce93d7444e8fbc6a293. And it was moved, it is valid, it just exploited the SIGHASH_SINGLE bug. And all of that without solving ECDLP, and burning the world.
message="Hello World"
address="1psPJZYEJrjPtY6kw5Tqtj4mW2yXSSDuH"
signature="GwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAE="
Again, literally nobody knows the private key to 1psPJZYEJrjPtY6kw5Tqtj4mW2yXSSDuH, and the signature is valid and can be verified, because of exploiting public key recovery. Again, an ECDLP solution is not needed.
So, how can you guarantee that there is no bug in Monero which could be exploited in that way? In the case of 032baf163f5e27261ab3228e61fb86dc98054abd514751fce93d7444e8fbc6a293, if you could do the same thing with H(G), then guess what: you would have an unlimited money printing machine! And in the case of Bitcoin, only that single address is affected, not the whole system with all UTXOs flying around.
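The two technical points above (the toy hardened vs. non-hardened derivation, and the public-key-recovery signature for 1psPJZYEJrjPtY6kw5Tqtj4mW2yXSSDuH) can both be checked with a few lines of pure Python. The block below is an added example, not code from the post, from Bitcoin Core, or from the linked threads. It assumes the signed-message framing Bitcoin Core uses (the "\x18Bitcoin Signed Message:\n" prefix, a compact-size length byte, double SHA-256) and the 65-byte header||r||s layout of a recoverable signature; the derivation part follows the post's description literally (plain SHA-256 of pubkey||nonce or privkey||nonce, no chain code), which is deliberately not BIP32. The helper names (add, mul, tweak, recover, demo, and so on) are my own.

```python
import base64
import hashlib

# secp256k1 domain parameters (the curve Bitcoin uses, as the post says).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

# Minimal affine point arithmetic; None is the point at infinity.
def add(p1, p2):
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):  # double-and-add scalar multiplication
    result = None
    while k:
        if k & 1:
            result = add(result, pt)
        pt = add(pt, pt)
        k >>= 1
    return result

def sha256(data):
    return hashlib.sha256(data).digest()

def compressed(pt):  # 33-byte SEC1 encoding (my helper, not from the post)
    return bytes([2 + (pt[1] & 1)]) + pt[0].to_bytes(32, "big")

# ---- Part 1: the toy derivation the post describes. NOT BIP32 (plain SHA-256,
# no HMAC-SHA512, no chain code); it only illustrates the hardened/non-hardened split.
def tweak(data):
    return int.from_bytes(sha256(data), "big") % N

def child_nonhardened(parent_priv, nonce):
    # The tweak depends only on the parent PUBLIC key, so ...
    return (parent_priv + tweak(compressed(mul(parent_priv, G)) + nonce)) % N

def child_nonhardened_pub(parent_pub, nonce):
    # ... the child public key is derivable with no private key at all.
    return add(parent_pub, mul(tweak(compressed(parent_pub) + nonce), G))

def child_hardened(parent_priv, nonce):
    # The tweak depends on the parent PRIVATE key: no public-only counterpart exists.
    return (parent_priv + tweak(parent_priv.to_bytes(32, "big") + nonce)) % N

# ---- Part 2: public-key recovery on the signed message quoted in the post.
SIG_B64 = "GwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAE="
MESSAGE = b"Hello World"

def parse_signature(sig_b64):  # -> (header, r, s)
    raw = base64.b64decode(sig_b64)
    return raw[0], int.from_bytes(raw[1:33], "big"), int.from_bytes(raw[33:65], "big")

def message_hash(msg):  # Bitcoin Core signed-message framing, single-byte compact size
    return sha256(sha256(b"\x18Bitcoin Signed Message:\n" + bytes([len(msg)]) + msg))

def recover(header, r, s, msg):
    recid = (header - 27) & 3
    e = int.from_bytes(message_hash(msg), "big")
    y = pow((r**3 + 7) % P, (P + 1) // 4, P)  # modular sqrt, valid since P % 4 == 3
    if (y & 1) != (recid & 1):
        y = P - y
    R = (r, y)
    # Q = r^-1 * (s*R - e*G): a point that is COMPUTED from (r, s), never chosen.
    return mul(pow(r, -1, N), add(mul(s, R), mul(N - e % N, G)))

def verify(Q, r, s, msg):  # textbook ECDSA verification
    e = int.from_bytes(message_hash(msg), "big")
    sinv = pow(s, -1, N)
    X = add(mul(e * sinv % N, G), mul(r * sinv % N, Q))
    return X is not None and X[0] % N == r

def p2pkh_address(Q, compressed_key):
    pk = compressed(Q) if compressed_key else b"\x04" + Q[0].to_bytes(32, "big") + Q[1].to_bytes(32, "big")
    try:
        h160 = hashlib.new("ripemd160", sha256(pk)).digest()
    except ValueError:
        return None  # some OpenSSL builds ship without RIPEMD-160
    payload = b"\x00" + h160
    full = payload + sha256(sha256(payload))[:4]
    alphabet = b"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
    n, out = int.from_bytes(full, "big"), b""
    while n:
        n, rem = divmod(n, 58)
        out = alphabet[rem:rem + 1] + out
    return "1" * (len(full) - len(full.lstrip(b"\x00"))) + out.decode()

def demo():  # -> (signature verifies against the recovered key?, address of that key)
    header, r, s = parse_signature(SIG_B64)
    Q = recover(header, r, s, MESSAGE)
    return verify(Q, r, s, MESSAGE), p2pkh_address(Q, header >= 31)
```

Running demo() shows the mechanism behind the post's claim: the signature is header 27 with r = 1 and s = 1, recovery turns those constants into a public key Q that satisfies the verification equation by construction, and the address is then derived from Q. Nobody ever picks a private key, so nobody can know one; the lesson for anyone checking "proof of ownership" messages is that a valid signature only proves key knowledge when the address was fixed before the signature existed. Part 1 makes the post's other point concrete: child_nonhardened_pub reproduces the child public key from the parent public key alone, while child_hardened has no such counterpart, which is exactly why real wallets derive the two kinds with different inputs.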
Edit:
and by the time it's actually picked up, and that may be pretty quickly, it could be within minutes even, by the time it's picked up, there's already too much that's happened on-chain
Wrong. We have coinbase maturity for those cases. If you double-spend your funds in your coinbase transaction, then you need 100 confirmations to move them further into any exchange, to sell those funds, and to affect any other coins. Which means 100 blocks * 10 minutes/block = 1000 minutes to resolve the problem. Even in the case of the Value Overflow Incident, the whole fix came after around 70 blocks, so no other coins were involved, except immature coinbase transactions.
So, those sentences may be true if you wait 15-20 hours and it remains undetected for longer than that.