canth
Legendary
Offline
Activity: 1442
Merit: 1001
August 09, 2015, 09:10:28 PM
A concern: I've read some "conspiracy theories" putting the NSA behind CryptoNote. I haven't gotten too deep into that research, so I'd love to hear from people that have.

> <snip> Confidential Transactions from Blockstream hides the values of a transaction so business privacy is retained. CN doesn't do this.

Agreed - this is a great feature, although given the head start that CN coins have and the likely lack of trust for using side chains for 'real' transactions for the next few years, I see this as more of an academic solution rather than a real one, in the short term. No CN coins, and in fact no altcoins that I am aware of, have really solved the issue that centralization of mining can cause transactions to be censored. This is an open problem for cryptocurrency.

This is only a problem if the miner can identify which transactions they want to censor by linkability or other analysis. Presuming that you can maintain unlinkability, miners won't censor transactions unless they want to censor all transactions. There's no easy fix for that - if someone wants to spend lots of money suppressing nearly all transactions, you are correct - they can do this. The other problem for all anonymous coins is that neither I2P nor Tor is reliable anonymity against a national security agency. And the nations are compiling these records to compile future tax and criminal cases against you.

(yes of course I have solutions to all of these weaknesses)
smooth
Legendary
Offline
Activity: 2968
Merit: 1198
August 10, 2015, 12:02:27 AM (Last edit: August 10, 2015, 12:26:57 AM by smooth)
> Confidential Transactions from Blockstream hides the values of a transaction so business privacy is retained. CN doesn't do this.

It does to some extent because there are multiple outputs, some being change and some being payment (or payments). How they are grouped is not visible, so combinatorially this can give reasonable privacy of the payment amount. The choice of outputs affects how much actual privacy there is in practice, and the current algorithm in Monero is not great, but is being improved. As for size, I gather that CT and CN are similar but I haven't reviewed it carefully.
TPTB_need_war
August 10, 2015, 07:11:01 AM
> No CN coins, and in fact no altcoins that I am aware of, have really solved the issue that centralization of mining can cause transactions to be censored. This is an open problem for cryptocurrency.

> This is only a problem if the miner can identify which transactions they want to censor by linkability or other analysis. Presuming that you can maintain unlinkability, miners won't censor transactions unless they want to censor all transactions. There's no easy fix for that - if someone wants to spend lots of money suppressing nearly all transactions, you are correct - they can do this.

CN has a viewkey. If the government takes control of the mining because, due to centralization, they can regulate 51% of network hash rate, then they can require every transaction to publicize its viewkey. Effectively the government can force anonymity to be turned off if they control 51% of the network hash rate. Being able to guarantee that the mining will always be decentralized is required to be able to guarantee non-censorship. This is probably the major flaw of crypto-currency. I do believe I have a design solution and this should be published this year (hopefully). At this point, I wouldn't take my assertion as 100% given, because without peer review and implementation, one has to remember "the devil is in the details" and faults could be discovered.
TPTB_need_war
August 10, 2015, 07:21:17 AM
> Confidential Transactions from Blockstream hides the values of a transaction so business privacy is retained. CN doesn't do this.

> It does to some extent because there are multiple outputs, some being change and some being payment (or payments). How they are grouped is not visible, so combinatorially this can give reasonable privacy of the payment amount. The choice of outputs affects how much actual privacy there is in practice, and the current algorithm in Monero is not great, but is being improved. As for size, I gather that CT and CN are similar but I haven't reviewed it carefully.

You could hide value with CN. Split your value into small morsels, mix, then recombine through mixes. So then no one knows who owns that large balance. Or simply use Monero as it is, with balances split into powers of 10, and thus (in theory) no one knows which sets of transactions are really the same transaction. Thus I agree with smooth's statement. However, I have my doubts as to whether those powers-of-10 balances are not correlated via timing analysis. I don't have a specific algorithm or research paper to cite, but rather just that we are dropping patterns all over the place. In an ideal anonymity set, everything should look the same, so there is no entropy to analyze. So thus hiding value has the advantage of removing information that can be used to aid in combinatorial and timing analysis (combined). Also it has another advantage which I won't mention yet... In any case, I want to accede that CN does in theory effectively add value privacy. I am just not confident that Monero is sufficient against the 5 Eyes and the powerful analysis research that might be forthcoming if ever these CN coins become popular. Think of my work as (an attempt at) the second stage of furthering the technology.
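The amount-ambiguity argument smooth makes above (payment and change outputs are indistinguishable on chain, so the payment amount is hidden "combinatorially") and the powers-of-10 split TPTB_need_war refers to, as an added illustration that is not code from the thread or from the Monero project. It assumes the early wallet convention of one output per non-zero decimal digit; all function names and the sample amounts are constructed for this example.

```python
from itertools import combinations


def split_powers_of_10(amount: int) -> list[int]:
    """Decompose an amount into power-of-10 denomination outputs, one per
    non-zero decimal digit (the wallet convention discussed in the thread,
    e.g. 12345 -> [10000, 2000, 300, 40, 5]). Amounts are plain integers."""
    outputs, place = [], 1
    while amount > 0:
        amount, digit = divmod(amount, 10)
        if digit:
            outputs.append(digit * place)
        place *= 10
    return sorted(outputs, reverse=True)


def build_outputs(payment: int, change: int) -> list[int]:
    """The flat output list an observer sees: payment and change are each
    split into denominations, and nothing marks which group an output
    belongs to."""
    return sorted(split_powers_of_10(payment) + split_powers_of_10(change),
                  reverse=True)


def candidate_payments(outputs: list[int]) -> set[int]:
    """Every amount an observer must consider as the possible payment: the
    sum of any non-empty subset of outputs, the complement being change
    (possibly empty). Repeated denominations collapse distinct subsets
    onto the same sum, which is why the choice of outputs matters."""
    sums = set()
    for k in range(1, len(outputs) + 1):
        for subset in combinations(outputs, k):
            sums.add(sum(subset))
    return sums


def amount_privacy(payment: int, change: int) -> tuple[int, int]:
    """Return (output count, number of distinct candidate payment amounts)
    for a transaction paying `payment` and returning `change`. The true
    payment is always one of the candidates; more candidates means the
    chain leaks less about the amount."""
    outputs = build_outputs(payment, change)
    candidates = candidate_payments(outputs)
    assert payment in candidates  # sanity: the real amount is never excluded
    return len(outputs), len(candidates)


if __name__ == "__main__":
    # Constructed sample amounts. For 1230 + 45 every subset of the five
    # outputs sums to a different value, so all 2^5 - 1 = 31 amounts are
    # candidates; for 1200 + 1200 the observer sees two 1000s and two
    # 200s, and the repeated denominations shrink the candidate set.
    print(amount_privacy(1230, 45))    # (5, 31)
    print(amount_privacy(1200, 1200))  # (4, 8)
```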
smooth
Legendary
Offline
Activity: 2968
Merit: 1198
August 10, 2015, 07:33:08 AM
> Confidential Transactions from Blockstream hides the values of a transaction so business privacy is retained. CN doesn't do this.

> It does to some extent because there are multiple outputs, some being change and some being payment (or payments). How they are grouped is not visible, so combinatorially this can give reasonable privacy of the payment amount. The choice of outputs affects how much actual privacy there is in practice, and the current algorithm in Monero is not great, but is being improved. As for size, I gather that CT and CN are similar but I haven't reviewed it carefully.

> You could hide value with CN. Split your value into small morsels, mix, then recombine through mixes. So then no one knows who owns that large balance. Or simply use Monero as it is, with balances split into powers of 10, and thus (in theory) no one knows which sets of transactions are really the same transaction. Thus I agree with smooth's statement. However, I have my doubts as to whether those powers-of-10 balances are not correlated via timing analysis. I don't have a specific algorithm or research paper to cite, but rather just that we are dropping patterns all over the place. In an ideal anonymity set, everything should look the same, so there is no entropy to analyze. So thus hiding value has the advantage of removing information that can be used to aid in combinatorial and timing analysis (combined). Also it has another advantage which I won't mention yet... In any case, I want to accede that CN does in theory effectively add value privacy. I am just not confident that Monero is sufficient against the 5 Eyes and the powerful analysis research that might be forthcoming if ever these CN coins become popular. Think of my work as (an attempt at) the second stage of furthering the technology.

I'd just add that power-of-10 is not required by the protocol even today. That is just a convention. One might imagine other useful conventions that, when further defined, require only implementation in wallets.

Anyway, the last part isn't too important since protocol changes are fine and even expected at this level of maturity. That doesn't invalidate or disagree with your comments about timing attacks, etc. I think careful use can mitigate most timing attacks even today, but that's not a solution for end users who don't know how to be careful and won't. So none of these solutions is fully ready for prime time today. "Some are better than others" is about the best we can claim right now.
smooth
Legendary
Offline
Activity: 2968
Merit: 1198
August 10, 2015, 07:36:43 AM
> No CN coins, and in fact no altcoins that I am aware of, have really solved the issue that centralization of mining can cause transactions to be censored. This is an open problem for cryptocurrency.

> This is only a problem if the miner can identify which transactions they want to censor by linkability or other analysis. Presuming that you can maintain unlinkability, miners won't censor transactions unless they want to censor all transactions. There's no easy fix for that - if someone wants to spend lots of money suppressing nearly all transactions, you are correct - they can do this.

> CN has a viewkey. If the government takes control of the mining because, due to centralization, they can regulate 51% of network hash rate, then they can require every transaction to publicize its viewkey. Effectively the government can force anonymity to be turned off if they control 51% of the network hash rate.

That's essentially the same as blocking all transactions and thereby preventing the protocol from being used at all (so people would then have to use another, transparent, one, which doesn't even need to be limited to a view key but could include signing it with your name). Anyway, I made exactly this point last year. Too much crap got posted last year for me to find it, though, but the conclusion was identical.
TPTB_need_war
August 10, 2015, 10:19:20 AM
> No CN coins, and in fact no altcoins that I am aware of, have really solved the issue that centralization of mining can cause transactions to be censored. This is an open problem for cryptocurrency.

> This is only a problem if the miner can identify which transactions they want to censor by linkability or other analysis. Presuming that you can maintain unlinkability, miners won't censor transactions unless they want to censor all transactions. There's no easy fix for that - if someone wants to spend lots of money suppressing nearly all transactions, you are correct - they can do this.

> CN has a viewkey. If the government takes control of the mining because, due to centralization, they can regulate 51% of network hash rate, then they can require every transaction to publicize its viewkey. Effectively the government can force anonymity to be turned off if they control 51% of the network hash rate.

> That's essentially the same as blocking all transactions and thereby preventing the protocol from being used at all (so people would then have to use another, transparent, one, which doesn't even need to be limited to a view key but could include signing it with your name). Anyway, I made exactly this point last year. Too much crap got posted last year for me to find it, though, but the conclusion was identical.

I remember. We've had this same discussion at least twice in the past. Well, there is a difference between shutting the coin down entirely and demanding that you must present your signed KYC serial number before your transaction will be allowed through the network. And that is essentially where I see Bitcoin and all crypto-currency headed. And I am trying to do something about that.
smooth
Legendary
Offline
Activity: 2968
Merit: 1198
August 10, 2015, 10:21:37 AM
> No CN coins, and in fact no altcoins that I am aware of, have really solved the issue that centralization of mining can cause transactions to be censored. This is an open problem for cryptocurrency.

> This is only a problem if the miner can identify which transactions they want to censor by linkability or other analysis. Presuming that you can maintain unlinkability, miners won't censor transactions unless they want to censor all transactions. There's no easy fix for that - if someone wants to spend lots of money suppressing nearly all transactions, you are correct - they can do this.

> CN has a viewkey. If the government takes control of the mining because, due to centralization, they can regulate 51% of network hash rate, then they can require every transaction to publicize its viewkey. Effectively the government can force anonymity to be turned off if they control 51% of the network hash rate.

> That's essentially the same as blocking all transactions and thereby preventing the protocol from being used at all (so people would then have to use another, transparent, one, which doesn't even need to be limited to a view key but could include signing it with your name). Anyway, I made exactly this point last year. Too much crap got posted last year for me to find it, though, but the conclusion was identical.

> I remember. We've had this same discussion at least twice in the past. Well, there is a difference between shutting the coin down entirely and demanding that you must present your signed KYC serial number before your transaction will be allowed through the network. And that is essentially where I see Bitcoin and all crypto-currency headed. And I am trying to do something about that.

It's more of a philosophical question if you even consider such a requirement to be the same coin at all. Not really an important distinction imo. We agree in substance.
TPTB_need_war
August 10, 2015, 10:23:51 AM
> Confidential Transactions from Blockstream hides the values of a transaction so business privacy is retained. CN doesn't do this.

> It does to some extent because there are multiple outputs, some being change and some being payment (or payments). How they are grouped is not visible, so combinatorially this can give reasonable privacy of the payment amount. The choice of outputs affects how much actual privacy there is in practice, and the current algorithm in Monero is not great, but is being improved. As for size, I gather that CT and CN are similar but I haven't reviewed it carefully.

> You could hide value with CN. Split your value into small morsels, mix, then recombine through mixes. So then no one knows who owns that large balance. Or simply use Monero as it is, with balances split into powers of 10, and thus (in theory) no one knows which sets of transactions are really the same transaction. Thus I agree with smooth's statement. However, I have my doubts as to whether those powers-of-10 balances are not correlated via timing analysis. I don't have a specific algorithm or research paper to cite, but rather just that we are dropping patterns all over the place. In an ideal anonymity set, everything should look the same, so there is no entropy to analyze. So thus hiding value has the advantage of removing information that can be used to aid in combinatorial and timing analysis (combined). Also it has another advantage which I won't mention yet... In any case, I want to accede that CN does in theory effectively add value privacy. I am just not confident that Monero is sufficient against the 5 Eyes and the powerful analysis research that might be forthcoming if ever these CN coins become popular. Think of my work as (an attempt at) the second stage of furthering the technology.

> I'd just add that power-of-10 is not required by the protocol even today. That is just a convention. One might imagine other useful conventions that, when further defined, require only implementation in wallets.
>
> Anyway, the last part isn't too important since protocol changes are fine and even expected at this level of maturity. That doesn't invalidate or disagree with your comments about timing attacks, etc. I think careful use can mitigate most timing attacks even today, but that's not a solution for end users who don't know how to be careful and won't. So none of these solutions is fully ready for prime time today. "Some are better than others" is about the best we can claim right now.

Yes, flexibility, and users (or their wallets) decide. I presume convention is often followed to maximize anonymity sets and reduce simultaneity conflicts. And I agree that perfection exists only in words and we do live in the here and now. And if one needs anonymity on chain here and now, Monero is probably the best option available. Even if someone were to design something "better" (different or some claimed advancement), will it even have enough adoption and all bugs worked out in time? Of course I don't know that either, even being on the inside as a developer. We appear to be in agreement. I am not telling anyone not to buy Monero, except for my advice to lighten up (on all crypto and gold) for the coming low in crypto this Spring 2016. For those who have well diversified and want to HODL through any sell off, they can ignore my warning on that.

Edit: it is possible I end up using Monero because it is what is working best when I need it. Well, we've already used XMR in fact.
TPTB_need_war
August 10, 2015, 10:33:23 AM
> It's more of a philosophical question if you even consider such a requirement to be the same coin at all. Not really an important distinction imo. We agree in substance.

To recap past discussions, one cannot be entirely sure how world politics will play out. So it is even philosophical from the standpoint of each person's view on the landscape out there. I understand you meant philosophical on whether removal of anonymity is equivalent to a shutdown. The reason I make the distinction is because humans have a tendency to conform in order to cope, so the government can maybe get what it wants, which is compliance, without destroying the entire Monero economy. Again, that is one person's viewpoint on the world landscape, so not to be taken as gospel. Last time I checked, my crystal ball wasn't perfect, lol.
canth
Legendary
Offline
Activity: 1442
Merit: 1001
August 10, 2015, 01:09:23 PM
> It's more of a philosophical question if you even consider such a requirement to be the same coin at all. Not really an important distinction imo. We agree in substance.

> To recap past discussions, one cannot be entirely sure how world politics will play out. So it is even philosophical from the standpoint of each person's view on the landscape out there. I understand you meant philosophical on whether removal of anonymity is equivalent to a shutdown. The reason I make the distinction is because humans have a tendency to conform in order to cope, so the government can maybe get what it wants, which is compliance, without destroying the entire Monero economy. Again, that is one person's viewpoint on the world landscape, so not to be taken as gospel. Last time I checked, my crystal ball wasn't perfect, lol.

As long as some percentage of mining power doesn't require pub viewkeys to include transactions in a block, then private transactions are still possible - however, with really slow confirmations. Unless we're of course talking about a 51% attack, which is a problem that all cryptocurrencies have. There's no defense against a 51% attack when your attacker suffers no repercussions and is equipped with essentially unlimited funds - aka, a state actor.
TPTB_need_war
August 13, 2015, 08:55:02 AM
> Unless we're of course talking about a 51% attack, which is a problem that all cryptocurrencies have. There's no defense against a 51% attack when your attacker suffers no repercussions and is equipped with essentially unlimited funds - aka, a state actor.

I believe I know a defense. Await a white paper.
P-Funk
Sr. Member
Offline
Activity: 360
Merit: 250
Token
August 19, 2015, 10:06:02 AM
That's all great but your currency's name sucks.