XMR vs DRK

[majamina]

This assumes that one un-compromised round of Darksend is enough.

Enough for what? Could you elaborate please?

The problem is that this will not work with a partially compromised masternode network. I could very likely still end up with and effective Darksend of 1 round.

I'm trying to get my head round this

While I keep trying, maybe you could illustrate with an example of some kind.

[1714229202]

1714229202

[1714229202]

1714229202

[1714229202]

1714229202

[Johnny Mnemonic]

Well that's not the concern. The concern is an adversary spying on a small but significant portion of masternode activity (say 15%). Your one tx might have an astronomically low probability of being revealed, but other transactions on the network won't be so lucky.

yes they will, that's how probability works

if there is an unbelievably tiny probability or catching a DS transaction with 15% of the network, you will catch an unbelievably tiny number of transactions....i.e. none in any sensible timeframe.

You will still catch transactions. If you fire a gun into a large crowd, someone will get hit, even if everyone's individual probability is low.

A robust anonymity solution will make it just as costly to unmask one solution vs any other.

OK, let's see.  

(DISCLAIMER: I'm not a mathematician, I just fucked around in a spreadsheet....feel free to rip this to shreds and I will eat humble pie)

If I fire a gun into a crowd the probability of hitting someone is either 1, as you suggest, or very close to 1.

If I compromise 15% of the masternode network (per your example) and, for the sake of argument, everyone is mixing with 4 rounds of Darksend, the probability of tracing a transaction - i.e. having a complete set of data for a transaction is:

1.22265E-66

Let's say there are 1 million transactions in 24 hours, so multiply that figure by 1 million and we get:

0.00000000000000000000000000000000000000000000000000000000000122265

This is how many complete transactions we are likely to sample in one day at 1m tx/day. So divide that into 1 to find out how many days are required to (probably) assemble a complete transaction:

817898000000000000000000000000000000000000000000000000000000

Assuming my calculations are correct (see disclaimer) and I was a betting man, I'd go with firing the gun into a crowd

Of course this doesn't take into account possible extrapolation techniques that fluffy referred to, but does address your point on probability (probably, again see disclaimer )

That probability depends on every transaction using 4 rounds of mixing (not likely), as well as assembling a 100% complete transaction, which isn't necessary for an attacker to draw hasty conclusions.

It would be nice to know what are the average or most comonly used mixing rounds in a darksend, and calculate probability based on that. Or, even better, calculate attacker probability based on the minimum allowable amount of mixing, to establish a "worst case scenario" or baseline probability.

[ArticMine]

This assumes that one un-compromised round of Darksend is enough.

Enough for what? Could you elaborate please?

The problem is that this will not work with a partially compromised masternode network. I could very likely still end up with and effective Darksend of 1 round.

I'm trying to get my head round this

While I keep trying, maybe you could illustrate with an example of some kind.

Let us say I face an attack that will work against 1 round of Darksend but will fail against 2 rounds of Darksend. This could be the Sybil example I quoted above. If the attacker has also partially compromised the masternode network, then I need a sequence of 2 un-compromised Darksend rounds for protection from this attack. In this example sequence 1 will not work

1) Honest Malicious Honest Malicious Honest Malicious

but sequence 2 will work

2) Malicious Honest Honest Malicious Malicious Honest

because of the bold part. So it is the probability of the sequence of n honest masternodes in the chain that matters, and this is much lower than the probability of a single honest masternode in the chain.

[majamina]

That probability depends on every transaction using 4 rounds of mixing (not likely), as well as assembling a 100% complete transaction, which isn't necessary for an attacker to draw hasty conclusions.

yep, but if you do the calculation using just one round it's still a huge number of days.

As for complete transactions, I agree that's not included....but I was answering your 'gun in the crowd' point, which has a probabilty of near 1, which is astronomically different to the proabilities we're talking about here.

It would be nice to know what are the average or most comonly used mixing rounds in a darksend, and calculate probability based on that. Or, even better, calculate attacker probability based on the minimum allowable amount of mixing, to establish a "worst case scenario" or baseline probability.

ok i'll do it then

with 15% of the network compromised and just one round of darksend per transaction the probability is 3.32526E-17 or .0000000000000000332526

mutiply by 1,000,000 for transactions per day (which is a really big number of darksend transactions, by the way):

.0000000000332526

and divide into 1 for number of days to get a complete transaction:

30072836410

[toknormal]

Well, people like me appreciate the analysis.

Then analyse this:

I added two numbers together to produce a result of 8.

Which two were they ?

(Clue: I mixed them - no cryptography involved, so should be easy for you   )

[majamina]

Let us say I face an attack that will work against 1 round of Darksend but will fail against 2 rounds of Darksend. This could be the Sybil example I quoted above. If the attacker has also partially compromised the masternode network, then I need a sequence of 2 un-compromised Darksend rounds for protection from this attack. In this example sequence 1 will not work

1) Honest Malicious Honest Malicious Honest Malicious

but sequence 2 will work

2) Malicious Honest Honest Malicious Malicious Honest

because of the bold part. So it is the probability of the sequence of n honest masternodes in the chain that matters, and this is much lower than the probability of a single honest masternode in the chain.

OK thanks for the example, I'll consider this and will also read the referenced sections of Kristov's paper in detail.

Will probably get some sleep before responding on here.

[Johnny Mnemonic]

Well, people like me appreciate the analysis.

Then analyse this:

I added two numbers together to produce a result of 8.

Which two were they ?

(Clue: I mixed them - no cryptography involved, so should be easy for you   )

It will be easy if I put a gun to your head and force you to tell me. Hence the masternode centralization concern.

[majamina]

It will be easy if I put a gun to your head and force you to tell me. Hence the masternode centralization concern.

You have a 2,400 barreled transcontinental mega-rifle? 

[oblox]

Well, people like me appreciate the analysis.

Then analyse this:

I added two numbers together to produce a result of 8.

Which two were they ?

(Clue: I mixed them - no cryptography involved, so should be easy for you  )

It will be easy if I put a gun to your head and force you to tell me. Hence the masternode centralization concern.

The gun-to-the-head argument also applies to any coin, including Monero, in terms of giving up keys, access, or association to information.

[Joshuar]

Well, people like me appreciate the analysis.

Then analyse this:

I added two numbers together to produce a result of 8.

Which two were they ?

(Clue: I mixed them - no cryptography involved, so should be easy for you   )

It will be easy if I put a gun to your head and force you to tell me. Hence the masternode centralization concern.

The gun-to-the-head argument also applies to any coin, including Monero, in terms of giving up keys, access, or association to information.

Dash is far, far more susceptible in that analogy. For Cryptonote coins i.e Monero, you need no external nodes to mix transactions/provide privacy/anonymity. With Dash, the government(s) can take control of the servers the masternodes are hosted on, threaten with jailtime for masternodes owners, etc etc.

[majamina]

Dash is far, far more susceptible in that analogy. For Cryptonote coins i.e Monero, you need no external nodes to mix transactions/provide privacy/anonymity. With Dash, the government(s) can take control of the servers the masternodes are hosted on, threaten with jailtime for masternodes owners, etc etc.

We went through this stuff in quite some detail. The conclusion, correct me if I'm wrong, was that versus guv/TLA all coins are fucked, so any argument about that is obsolete.

[Joshuar]

Dash is far, far more susceptible in that analogy. For Cryptonote coins i.e Monero, you need no external nodes to mix transactions/provide privacy/anonymity. With Dash, the government(s) can take control of the servers the masternodes are hosted on, threaten with jailtime for masternodes owners, etc etc.

We went through this stuff in quite some detail. The conclusion, correct me if I'm wrong, was that versus guv/TLA all coins are fucked, so any argument about that is obsolete.

Not equally though. While it may be possible to force users of any coin no matter how anon to reveal themselves through force or w/e, coins that utilize an external source to provide anonymity such as Dash are far, far more susceptible to such a thing, than coins that do not such as Monero or future Zerocash.

[majamina]

Dash is far, far more susceptible in that analogy. For Cryptonote coins i.e Monero, you need no external nodes to mix transactions/provide privacy/anonymity. With Dash, the government(s) can take control of the servers the masternodes are hosted on, threaten with jailtime for masternodes owners, etc etc.

We went through this stuff in quite some detail. The conclusion, correct me if I'm wrong, was that versus guv/TLA all coins are fucked, so any argument about that is obsolete.

Not equally though. While it may be possible to force users of any coin no matter how anon to reveal themselves through force or w/e, coins that utilize an external source to provide anonymity are far, far more susceptible, such as Dash, than coins that do not, such as Monero or future Zerocash.

we're into re-iteration territory here, but one more quick go won't hurt.

- if the adversary is guv/TLA then Monero & DASH are both dead in the water.

- if the adversary is not guv/TLA then who is it exactly, and how do you propose that they compromise the MN network?

[Joshuar]

Dash is far, far more susceptible in that analogy. For Cryptonote coins i.e Monero, you need no external nodes to mix transactions/provide privacy/anonymity. With Dash, the government(s) can take control of the servers the masternodes are hosted on, threaten with jailtime for masternodes owners, etc etc.

We went through this stuff in quite some detail. The conclusion, correct me if I'm wrong, was that versus guv/TLA all coins are fucked, so any argument about that is obsolete.

Not equally though. While it may be possible to force users of any coin no matter how anon to reveal themselves through force or w/e, coins that utilize an external source to provide anonymity are far, far more susceptible, such as Dash, than coins that do not, such as Monero or future Zerocash.

we're into re-iteration territory here, but one more quick go won't hurt.

- if the adversary is guv/TLA then Monero & DASH are both dead in the water.

- if the adversary is not guv/TLA then who is it exactly, and how do you propose that they compromise the MN network?

As I said earlier, not equally. The government will have a hell of a easier time forcing masternode owners to give themselves in or just taking down the servers the masternodes are hosted on, than forcing users of Monero or Zerocash to do the same. It's a hell of a lot harder for the gov to do that to users of coins that dont utilize external masternodes to provide anonymity(monero).

For non gov entities, I suppose finding another flaw in darksends rounds, or a flaw in masternodes themselves would be much more plausible.

[vokain]

Well, people like me appreciate the analysis.

Then analyse this:

I added two numbers together to produce a result of 8.

Which two were they ?

(Clue: I mixed them - no cryptography involved, so should be easy for you   )

It will be easy if I put a gun to your head and force you to tell me. Hence the masternode centralization concern.

The gun-to-the-head argument also applies to any coin, including Monero, in terms of giving up keys, access, or association to information.

But the difference is, if you hold up every Monero miner, due to blockchain anonymity, you still can't deanonymize the network's keyholders...I think.

[Joshuar]

Well, people like me appreciate the analysis.

Then analyse this:

I added two numbers together to produce a result of 8.

Which two were they ?

(Clue: I mixed them - no cryptography involved, so should be easy for you   )

It will be easy if I put a gun to your head and force you to tell me. Hence the masternode centralization concern.

The gun-to-the-head argument also applies to any coin, including Monero, in terms of giving up keys, access, or association to information.

But the difference is, if you hold up every Monero miner, due to blockchain anonymity, you still couldn't deanonymize the network's keyholders...I think.

Yep, If i remember correctly gmaxwell and andytoshi provided ring signature blinding. So even if 100% of the participants admitted it wasnt them, you cant prove who actually was in the transaction.

[nsimmons]

Extremely big, yes.

I was too slow with my edit so I will repost here:
----------------------------
Hypothetical Situation:

Coffee shop owner:  "OK, that'll be .7865 DASH please.  My address is Xkh65Rfk8...
Me:  "OK, sent."

Coffee shop owner checks his wallet and .7865 DASH appear.

Is his response A) "Thank you, come again" or B) "Can you cryptographically proof you sent me the funds?"

That's fine when the business has large reputational constraints. Quite different when dealing with an actor who might be on the margins. Which would include most non brick and mortar businesses. That is to say if the reputational constraints are extremely dispraportionate than what you are discibing works fine. I.E. the difference in the value of starbucks reputation compared to the value of my reputation. However if the two parties are at all similar, than there exists a risk where if you accuse him of being dishonest, he can turn around and say no it was actually you who was dishonest, he is in a position to inflict equal damage to your reputation as you are to his. Cryptographic proof shows, atleast more clearly, who is in the right.

When NASA first started sending up astronauts, they quickly discovered that ballpoint pens would not work in zero gravity. To combat the problem, NASA scientists spent a decade and $12 billion to develop a pen that writes in zero gravity, upside down, underwater, on almost any surface, and at temperatures ranging from below freezing to 300 degrees Celsius.

The Russians used a pencil.

Lets kill this false tale starting now

http://www.scientificamerican.com/article/fact-or-fiction-nasa-spen/

Of course the story is not true, that wasn't my point. "Coffee shop owner" doesn't give a damn, he just wants to be paid promptly and efficiently.  DASH payments using darksend (rename coming soon I hope) and instantx produce an untraceable transaction in 5 seconds.  If the coffee shop owner keeps books listing his customers, he can check this transaction off as "paid".  If he doesn't need to know who gave him payment...

I love this, I can lie if it suits my purpose, If I get called out, I can claim I was being hyperbolic.

12 billion dollars, the entire Apollo program cost less than 20. Next time pick a better lie.

[oaxaca]

The government will have a hell of a easier time forcing masternode owners to give themselves in or just taking down the servers the masternodes are hosted on, than forcing users of Monero or Zerocash to do the same. It's a hell of a lot harder for the gov to do that to users of coins that dont utilize external masternodes to provide anonymity(monero).

If an evil Govt shut down a VPS, the same masternode can reappear in another country as soon as an instance is provisioned.  Minutes or hours.  No fuss, no muss.

For non gov entities, I suppose finding another flaw in darksends rounds, or a flaw in masternodes themselves would be much more plausible.

What does that even mean?

[majamina]

As I said earlier, not equally. The government will have a hell of a easier time forcing masternode owners to give themselves in or just taking down the servers the masternodes are hosted on, than forcing users of Monero or Zerocash to do the same. It's a hell of a lot harder for the gov to do that to users of coins that dont utilize external masternodes to provide anonymity(monero).

For non gov entities, I suppose finding another flaw in darksends rounds, or a flaw in masternodes themselves would be much more plausible.

Look, people host MNs on VPS cos it's easy to do and the workload is lightweight (presently). You think if Guv started going after VPS people would still host on there? No, they'd host in just the same places that Monero workloads are hosted, meaning the challenge of finding the nodes would be equitable.

Anyway, the point is that guv/TLA is an unassailable adversary - they're going to win whatever you do.

The real-world, fit-for-purpose debate has to be around lesser adversaries, so give me just one example of such an adversary who could mount a successful attack on a 2,400 strong network of nodes spread across 30+ countries.

[oaxaca]

Extremely big, yes.

I was too slow with my edit so I will repost here:
----------------------------
Hypothetical Situation:

Coffee shop owner:  "OK, that'll be .7865 DASH please.  My address is Xkh65Rfk8...
Me:  "OK, sent."

Coffee shop owner checks his wallet and .7865 DASH appear.

Is his response A) "Thank you, come again" or B) "Can you cryptographically proof you sent me the funds?"

That's fine when the business has large reputational constraints. Quite different when dealing with an actor who might be on the margins. Which would include most non brick and mortar businesses. That is to say if the reputational constraints are extremely dispraportionate than what you are discibing works fine. I.E. the difference in the value of starbucks reputation compared to the value of my reputation. However if the two parties are at all similar, than there exists a risk where if you accuse him of being dishonest, he can turn around and say no it was actually you who was dishonest, he is in a position to inflict equal damage to your reputation as you are to his. Cryptographic proof shows, atleast more clearly, who is in the right.

When NASA first started sending up astronauts, they quickly discovered that ballpoint pens would not work in zero gravity. To combat the problem, NASA scientists spent a decade and $12 billion to develop a pen that writes in zero gravity, upside down, underwater, on almost any surface, and at temperatures ranging from below freezing to 300 degrees Celsius.

The Russians used a pencil.

Lets kill this false tale starting now

http://www.scientificamerican.com/article/fact-or-fiction-nasa-spen/

Of course the story is not true, that wasn't my point. "Coffee shop owner" doesn't give a damn, he just wants to be paid promptly and efficiently.  DASH payments using darksend (rename coming soon I hope) and instantx produce an untraceable transaction in 5 seconds.  If the coffee shop owner keeps books listing his customers, he can check this transaction off as "paid".  If he doesn't need to know who gave him payment...

I love this, I can lie if it suits my purpose, If I get called out, I can claim I was being hyperbolic.

12 billion dollars, the entire Apollo program cost less than 20. Next time pick a better lie.

wow.  Should I have fully defined the words?

<allegory>
blah blah NASA blah
</allegory>

sheesh.