XMR vs DRK

[ArticMine]

These probability calculations are misleading because they are from the perspective of the individual transactor as opposed to the attacker.

Evan is basically saying "The networlk isn't secure, but there's so fucking many of you that the chances of your transactions being traced are slim. Here's a really low percentage to distract you: 0.000000000000001%. Wow!"

The probability calculations make the assumption that only one round of Darksend is needed for privacy / fungibility. The correct analysis would entail calculating the probability of say 4 un-compromised Darksend rounds in sequence out of say a 20 round Darksend given that x% of the masternodes are compromised.

Edit:fluffypony hints at this issue in this post. https://bitcointalk.org/index.php?topic=1001642.msg10901590#msg10901590

[1714472854]

1714472854

[1714472854]

1714472854

[1714472854]

1714472854

[1714472854]

1714472854

[5w00p]

How many reviews and analyses by groups of university research-level mathematicians have been performed on D___coin?

Monero has had four thus far. https://lab.getmonero.org/

[Anon136]

Extremely big, yes.

I was too slow with my edit so I will repost here:
----------------------------
Hypothetical Situation:

Coffee shop owner:  "OK, that'll be .7865 DASH please.  My address is Xkh65Rfk8...
Me:  "OK, sent."

Coffee shop owner checks his wallet and .7865 DASH appear.

Is his response A) "Thank you, come again" or B) "Can you cryptographically proof you sent me the funds?"

That's fine when the business has large reputational constraints. Quite different when dealing with an actor who might be on the margins. Which would include most non brick and mortar businesses. That is to say if the reputational constraints are extremely dispraportionate than what you are discibing works fine. I.E. the difference in the value of starbucks reputation compared to the value of my reputation. However if the two parties are at all similar, than there exists a risk where if you accuse him of being dishonest, he can turn around and say no it was actually you who was dishonest, he is in a position to inflict equal damage to your reputation as you are to his. Cryptographic proof shows, atleast more clearly, who is in the right.

[xxxgoodgirls]

How many reviews and analyses by groups of university research-level mathematicians have been performed on D___coin?

Monero has had four thus far. https://lab.getmonero.org/

One so far by Kristov Atlas

http://blog.anonymousbitcoinbook.com/2014/09/paper-an-analysis-of-darkcoins-blockchain-privacy-via-darksend/

Paper of the review

https://dashtalk.org/threads/reply-to-kristovs-paper.2325/

Imho to be also considered it was reviewed back in sept 2014 and darksend has been improved several times since then (i.e. masternode blinding)

[5w00p]

I knew about that one, but thank you for the links.

Mr. Atlas is an individual, not a group, and I do not know his educational credentials, and they are not listed in the paper nor on his website.
That is not to say that he not intelligent and well-versed in many things crypto-related.

[Melbustus]

OK...perhaps you can give us, say, the top-ten of those factors that can fingerprint the data.

Also could you please explain how it is trivial to extrapolate the data when you control 50% of the MNs in your example above.

OK, I'm still not sure this is a fair representation. Hopefully someone who knows more about Darksend can chime in. I'll do some more research in the meantime.

And no offence, but you got it wrong about Darksend yesterday so I'm not sure that your assessment can be considered reliable.

do you have a specific vulnerability you want to bring to DRK's attention?  Sounds like more waffle and time wasting.

There seems to be a disconnect here. I know Darkcoin is build on a flaky foundation, I don't need to prove that. Proving the opposite is critical, and neither the Darkcoin leadership nor its proponents have done so (nor do I have any reason to believe they will do so).

When you make statements like the above I'm reminded that this thread is a landmine - if I spend the hours researching and extrapolating it will be pointless, as proponents will nitpick. The only way I could possibly win is to spend days and weeks creating a proof-of-concept to demonstrate validity, and even then there will just be some lipstick-on-a-pig move to patch one particular leak in the overflowing dam.

Majamina, your final comment and BlockaFett's comment is the real nail in the coffin here - I'm doing free analysis in my spare time (how much did Kristov Atlas get paid again?) based on virtually nonexistent technical documentation, so of course there are assumptions I have to make in the interest of expediency. An incorrect assumption in one area does not invalidate my analysis in another, unrelated area. Were this a formal analysis I would not have raised that point, as I would have gone through the code and done heaps of testing before asserting a fact.

At this stage there are a series of major flaws that remain untouched because of the obsession with "proving" that a single attack surface doesn't exist. There has not been a single iota of proof - stating something as if it is fact, or showing some graphs without a model showing its assumptions are not proof, not by any definition of the term. If you want further analysis and specifics I will gladly provide you with my hourly rate and expected engagement period, but beyond that I've reached the end of what I'm willing to do for free. That is not a cop-out, it is just the reality when every suggested attack has to get ground down to minutiae whilst ignoring large swathes of what attackers are capable of. The discussion in this thread has been like talking to someone who sticks their fingers in their ears and goes "na na na, you're wrong, na na na na".

Again, and for the record: you cannot discount an attack by claiming ignorance, simply stating it isn't possible, or turning everything into an accusation of trolling / FUD.

I have observed, in this thread and others, that the bulk of the Darkcoin proponents are like those in the anti-vaccination movement. It doesn't matter what I say, what Bitcoin core developers say, what cryptographers say, or what the creator of BitTorrent says about Darkcoin. It doesn't matter what anyone theorises, it won't even matter if a body of evidence is presented. Anti-vaccinators won't change their minds until their child dies, and Darkcoin proponents won't change their minds until people start suffering.

RationalWiki sums up what the parallel to what we're observing with Darkcoin:



I'd say this thread has been fun, but it hasn't.

[emphasis mine]


Well, people like me appreciate the analysis. True, you may not influence people who are heavily financially invested in DRK, but people who are legitimately interested in evaluating the technology will probably pay attention.

[majamina]

Well that's not the concern. The concern is an adversary spying on a small but significant portion of masternode activity (say 15%). Your one tx might have an astronomically low probability of being revealed, but other transactions on the network won't be so lucky.

yes they will, that's how probability works

if there is an unbelievably tiny probability or catching a DS transaction with 15% of the network, you will catch an unbelievably tiny number of transactions....i.e. none in any sensible timeframe.

You will still catch transactions. If you fire a gun into a large crowd, someone will get hit, even if everyone's individual probability is low.

A robust anonymity solution will make it just as costly to unmask one solution vs any other.

OK, let's see. 

(DISCLAIMER: I'm not a mathematician, I just fucked around in a spreadsheet....feel free to rip this to shreds and I will eat humble pie)

If I fire a gun into a crowd the probability of hitting someone is either 1, as you suggest, or very close to 1.

If I compromise 15% of the masternode network (per your example) and, for the sake of argument, everyone is mixing with 4 rounds of Darksend, the probability of tracing a transaction - i.e. having a complete set of data for a transaction is:

1.22265E-66

Let's say there are 1 million transactions in 24 hours, so multiply that figure by 1 million and we get:

0.00000000000000000000000000000000000000000000000000000000000122265

This is how many complete transactions we are likely to sample in one day at 1m tx/day. So divide that into 1 to find out how many days are required to (probably) assemble a complete transaction:

817898000000000000000000000000000000000000000000000000000000

Assuming my calculations are correct (see disclaimer) and I was a betting man, I'd go with firing the gun into a crowd

Of course this doesn't take into account possible extrapolation techniques that fluffy referred to, but does address your point on probability (probably, again see disclaimer )

[majamina]

Well, people like me appreciate the analysis. True, you may not influence people who are heavily financially invested in DRK, but people who are legitimately interested in evaluating the technology will probably pay attention.

I would appreciate it too.

I know I've nitpicked at fluffy, but I respect his knowledge and would love to see him properly review DASH. The more I learn about the Monero project the more it interests me, so to see a fair (and I stress fair) review of DASH by fluffy would be very interesting for me as an investor.

[oaxaca]

Extremely big, yes.

I was too slow with my edit so I will repost here:
----------------------------
Hypothetical Situation:

Coffee shop owner:  "OK, that'll be .7865 DASH please.  My address is Xkh65Rfk8...
Me:  "OK, sent."

Coffee shop owner checks his wallet and .7865 DASH appear.

Is his response A) "Thank you, come again" or B) "Can you cryptographically proof you sent me the funds?"

That's fine when the business has large reputational constraints. Quite different when dealing with an actor who might be on the margins. Which would include most non brick and mortar businesses. That is to say if the reputational constraints are extremely dispraportionate than what you are discibing works fine. I.E. the difference in the value of starbucks reputation compared to the value of my reputation. However if the two parties are at all similar, than there exists a risk where if you accuse him of being dishonest, he can turn around and say no it was actually you who was dishonest, he is in a position to inflict equal damage to your reputation as you are to his. Cryptographic proof shows, atleast more clearly, who is in the right.

When NASA first started sending up astronauts, they quickly discovered that ballpoint pens would not work in zero gravity. To combat the problem, NASA scientists spent a decade and $12 billion to develop a pen that writes in zero gravity, upside down, underwater, on almost any surface, and at temperatures ranging from below freezing to 300 degrees Celsius.

The Russians used a pencil.

[generalizethis]

I still don't understand what these "probabilities" illustrate? Either a transaction is traceable or it isn't. What exactly are the probabilities for?

For the gentleman (whose name I forgot sorry!) The refusal to comment on the implications of the chart, should the data be valid, shows yourself to be disingenuous. As a scientist and educator, I have no problem challenging the data behind a graph while recognizing the implication of that graph as it stands. It saves time, and shows respect for a worthy opponent. (Not to mention, demonstrates you have at least the education necessary to comprehend the math behind it.) There were many (and still a few, though much less) who disputed the validity of the data coming out of the LHC when the discovery of the Higg's Boson was announced. There was no disputing of the fact that the charts seemed to indicate that fact--if--the data was subsequently verified; which it was.

Your unwillingness to commit to the significance of majamina's chart reveals a mindset more concerned with preserving your personal status than one of someone who is truly in pursuit of the truth. That was sadly apparent after my reading the first few posts on this thread, and why I have refused to participate here.  I will watch for a little while to see the response this post gets. And maybe, if, it is received (and even countered) in a respectful manner I continue to check in.

Peace to you all...

That's a lot of presumptions based off minuscule data. I wasn't disputing the chart--I just had a hunch that the infographic and chart was disingenuous and didn't include all the variables to conclude that dark was as anonymous as Monero (or good enough), and my hunch was proved correct by Fluffy.

Now, if I entertained the idea that it was legitimate and dark was indeed every bit as secure and anonymous as Monero (notice no one in drk land ever makes this claim, but Bitcoin devs praise Monero's anonymity while never mentioning drk--just funny, thought I'd twist the knife a bit), but again I'll play fool to your sales pitch and for the sake of argument say drk is as anonymous as Monero, what then? Well, since i'm an investor, I say, "Hmmm, since anonymity is an even trait, lets go to trait two: leadership. On one hand I have a dev team respected by their peers, with a clear goal, and is open and honest from everything to development to the chance of failure (not only of their coin, but all cryptos) and treats peers whom they respect and who are working on rival technologies with kindness and openness (see G. Maxwell). Now on the other hand I have a dev who lied about when he was going to launch his coin, then proceeds to mine it an incredible speed, locks it to only Linux, and manages to get 1.5 million coins in 8 hours and then claims it was a mistake--cool, did he own it? No, he said it was an accident and then didn't relaunch the coin. So what am I to think? Is he bad with his own project or is he a bold face liar? Doesn't matter--because if he fast mined it and "owned-it", I'd at least know he was ballsy. And if he made a mistake with his code and said "whoops, happens, sorry guys, deepest apologies,"  all would be forgiven once he fixed the code and did a relaunch."

Except that's not what happened. He either lied which means he can't own up to his actions, or he made a mistake and compounded it with an even bigger mistake that was more easily avoidable and would have done much to restore faith in his project. Now compound that with buzz words, fantastic promises, name changes, and little to no respect from well-known devs and you get me saying I'll go with Monero if all things are equal. You guys have terrible leadership and there isn't a gimmick in the world that can fix that.

And yes, I'm not a scientist or cryptographer, but I know who the smartest person in the room is, and when it's not me, I listen. So drowning Fluffy out with claims of you haven't proved it beyond my impossible standard of doubt is like congressman holding up a snowball and claiming, "See, no global warming!"

[majamina]

And yes, I'm not a scientist or cryptographer, but I know who the smartest person in the room is, and when it's not me, I listen. So drowning Fluffy out with claims of you haven't proved it beyond my impossible standard of doubt is like congressman holding up a snowball and claiming, "See, no global warming!"

I agree with this wholeheartedly and have listened to fluffy, but he hasn't given any solid reasons why DASH is not fit-for-purpose. He was also wrong about Darksend.

[GingerAle]

Extremely big, yes.

I was too slow with my edit so I will repost here:
----------------------------
Hypothetical Situation:

Coffee shop owner:  "OK, that'll be .7865 DASH please.  My address is Xkh65Rfk8...
Me:  "OK, sent."

Coffee shop owner checks his wallet and .7865 DASH appear.

Is his response A) "Thank you, come again" or B) "Can you cryptographically proof you sent me the funds?"

That's fine when the business has large reputational constraints. Quite different when dealing with an actor who might be on the margins. Which would include most non brick and mortar businesses. That is to say if the reputational constraints are extremely dispraportionate than what you are discibing works fine. I.E. the difference in the value of starbucks reputation compared to the value of my reputation. However if the two parties are at all similar, than there exists a risk where if you accuse him of being dishonest, he can turn around and say no it was actually you who was dishonest, he is in a position to inflict equal damage to your reputation as you are to his. Cryptographic proof shows, atleast more clearly, who is in the right.

When NASA first started sending up astronauts, they quickly discovered that ballpoint pens would not work in zero gravity. To combat the problem, NASA scientists spent a decade and $12 billion to develop a pen that writes in zero gravity, upside down, underwater, on almost any surface, and at temperatures ranging from below freezing to 300 degrees Celsius.

The Russians used a pencil.

Lets kill this false tale starting now

http://www.scientificamerican.com/article/fact-or-fiction-nasa-spen/

[ArticMine]

Well that's not the concern. The concern is an adversary spying on a small but significant portion of masternode activity (say 15%). Your one tx might have an astronomically low probability of being revealed, but other transactions on the network won't be so lucky.

yes they will, that's how probability works

if there is an unbelievably tiny probability or catching a DS transaction with 15% of the network, you will catch an unbelievably tiny number of transactions....i.e. none in any sensible timeframe.

You will still catch transactions. If you fire a gun into a large crowd, someone will get hit, even if everyone's individual probability is low.

A robust anonymity solution will make it just as costly to unmask one solution vs any other.

OK, let's see. 

(DISCLAIMER: I'm not a mathematician, I just fucked around in a spreadsheet....feel free to rip this to shreds and I will eat humble pie)

If I fire a gun into a crowd the probability of hitting someone is either 1, as you suggest, or very close to 1.

If I compromise 15% of the masternode network (per your example) and, for the sake of argument, everyone is mixing with 4 rounds of Darksend, the probability of tracing a transaction - i.e. having a complete set of data for a transaction is:

1.22265E-66

Let's say there are 1 million transactions in 24 hours, so multiply that figure by 1 million and we get:

0.00000000000000000000000000000000000000000000000000000000000122265

This is how many complete transactions we are likely to sample in one day at 1m tx/day. So divide that into 1 to find out how many days are required to (probably) assemble a complete transaction:

817898000000000000000000000000000000000000000000000000000000

Assuming my calculations are correct (see disclaimer) and I was a betting man, I'd go with firing the gun into a crowd

Of course this doesn't take into account possible extrapolation techniques that fluffy referred to, but does address your point on probability (probably, again see disclaimer )

This assumes that one un-compromised round of Darksend is enough.

[oaxaca]

Extremely big, yes.

I was too slow with my edit so I will repost here:
----------------------------
Hypothetical Situation:

Coffee shop owner:  "OK, that'll be .7865 DASH please.  My address is Xkh65Rfk8...
Me:  "OK, sent."

Coffee shop owner checks his wallet and .7865 DASH appear.

Is his response A) "Thank you, come again" or B) "Can you cryptographically proof you sent me the funds?"

That's fine when the business has large reputational constraints. Quite different when dealing with an actor who might be on the margins. Which would include most non brick and mortar businesses. That is to say if the reputational constraints are extremely dispraportionate than what you are discibing works fine. I.E. the difference in the value of starbucks reputation compared to the value of my reputation. However if the two parties are at all similar, than there exists a risk where if you accuse him of being dishonest, he can turn around and say no it was actually you who was dishonest, he is in a position to inflict equal damage to your reputation as you are to his. Cryptographic proof shows, atleast more clearly, who is in the right.

When NASA first started sending up astronauts, they quickly discovered that ballpoint pens would not work in zero gravity. To combat the problem, NASA scientists spent a decade and $12 billion to develop a pen that writes in zero gravity, upside down, underwater, on almost any surface, and at temperatures ranging from below freezing to 300 degrees Celsius.

The Russians used a pencil.

Lets kill this false tale starting now

http://www.scientificamerican.com/article/fact-or-fiction-nasa-spen/

Of course the story is not true, that wasn't my point. "Coffee shop owner" doesn't give a damn, he just wants to be paid promptly and efficiently.  DASH payments using darksend (rename coming soon I hope) and instantx produce an untraceable transaction in 5 seconds.  If the coffee shop owner keeps books listing his customers, he can check this transaction off as "paid".  If he doesn't need to know who gave him payment...

[majamina]

This assumes that one un-compromised round of Darksend is enough.

Enough for what? Could you elaborate please?

[GingerAle]

Well, because this is where the conversation is happening, maybe FINALLY i can get some input to a point I raised in another version of this thread.

The coupling of darkcoin privacy tech to the currency value.

If DRK goes to the moon, as it were, this could lead to an increasingly small number of masternodes - people cashing out. The ridiculous MN rewards may be enough to keep people in, maybe not.

Or, it will lead to a centralization of masternodes to people that can afford the price. And guess who those people usually are?

oh yeah the banks we were trying to get away from, or the governments that can just print money to entice anyone.



and what happens if, to mitigate this, it is proposed to decrease the stake required to 500 drk? forking.

its crazy - the cheaper DRK is, the more secure the privacy tech because anyone can provide the resource to the network..... because thats the whole point of decentralization.........

[generalizethis]

Well, because this is where the conversation is happening, maybe FINALLY i can get some input to a point I raised in another version of this thread.

The coupling of darkcoin privacy tech to the currency value.

If DRK goes to the moon, as it were, this could lead to an increasingly small number of masternodes - people cashing out. The ridiculous MN rewards may be enough to keep people in, maybe not.

Or, it will lead to a centralization of masternodes to people that can afford the price. And guess who those people usually are?

oh yeah the banks we were trying to get away from, or the governments that can just print money to entice anyone.



and what happens if, to mitigate this, it is proposed to decrease the stake required to 500 drk? forking.

its crazy - the cheaper DRK is, the more secure the privacy tech because anyone can provide the resource to the network..... because thats the whole point of decentralization.........

What about miners? How are they compensated compared to masternodes?

[pandher]

its crazy - the cheaper DRK is, the more secure the privacy tech because anyone can provide the resource to the network..... because thats the whole point of decentralization.........

The whole concept is flawed to the core. I have thought about it for lengths and the conclusion was that the only viable solution for anonymity right now is Cryptonote. Nothing comes close to the ease of the blockchain doing the whole work without fuss or uncertainties

[majamina]

Well, because this is where the conversation is happening, maybe FINALLY i can get some input to a point I raised in another version of this thread.

The coupling of darkcoin privacy tech to the currency value.

If DRK goes to the moon, as it were, this could lead to an increasingly small number of masternodes - people cashing out. The ridiculous MN rewards may be enough to keep people in, maybe not.

But if DRK goes to the moon and loads of people dump MNs, it will come back down from the moon as 1000s of coins flood the market.

Question is, I suppose, who snaps up the coins and what do they do with them?

[ArticMine]

This assumes that one un-compromised round of Darksend is enough.

Enough for what? Could you elaborate please?

For the level of privacy / fungibility desired by the user. For example in his paper http://cdn.anonymousbitcoinbook.com/darkcoin/darksend-paper/Atlas_Darksend-Analysis-v001.pdf Kristov proposes using multiple levels of Darksend to mitigate the impact of a Sybil attack.

Users can reduce the impact of Sybil attacking peers by increasing the number of rounds of Darksend+ they require their funds to go through in order to be “anonymized.” Increasing the minimum number of Darksend+ peers per mixing transaction also increases the amount of work required for would-be Sybil attackers.

One of the problems with the probability arguments that have been made by many Darkcoin/Dash proponents is that they only apply for the most basic level of protection. When one starts to combine attacks then these arguments break down. For multiple rounds of Darksend to provided additional protection one needs a sequence of un-compromised masternodes. So it is not for example the probability of getting a single Darksend round that is un-compromised, with a partially compromised masternode network, it is the probability of getting for example 4 Darksend rounds in sequence out of a 20 round Darksend with a partially compromised masternode network that matters.

Edit: With Monero I can increase my privacy /  fungibility by increasing the mixing level. The equivalent in Darkcoin/Dash to a large degree is to increase the number of rounds of Darksend. The problem is that this will not work with a partially compromised masternode network. I could very likely still end up with and effective Darksend of 1 round. One the Monero side MRL0004 provided an excellent discussion of some of these risks. https://lab.getmonero.org/pubs/MRL-0004.pdf