Topic: [XMR] Monero Improvement Technical Discussion (Read 14659 times)
smooth
January 21, 2016, 05:47:27 AM  #81

Quote
I don't know why you guys are so unable to discuss issues without freaking out. Smooth if you are truly diversified, then why can't you act more calm. Did you promise all the speculators that you were surety? Remember Proverbs says, "Don't be surety for another".

Nobody is freaking out, just trying to stay on topic, and I sure as hell never promised investors or speculators anything. I'm the one who gets shit for telling them their investment will probably go to zero, remember? Your comments about moving to zksnarks are on topic, so that's all fine.

Quote
Look way back in 2014 when you launched Monero, I told you smooth and fluffypony that IP address correlation was the weakness. Fluffypony proceeded to try to integrate I2P. I warned you all many times that was not an adequate direction. But you wouldn't listen.

I2P, and even somewhat Tor, is perceived as adequate by 99% of the market. The remaining 1% may be smarter but isn't obviously much of a market at all. Very niche-y.
TPTB_need_war
January 21, 2016, 06:15:43 AM  #82
Last edit: January 21, 2016, 06:25:51 AM by TPTB_need_war

Quote
Look way back in 2014 when you launched Monero, I told you smooth and fluffypony that IP address correlation was the weakness. Fluffypony proceeded to try to integrate I2P. I warned you all many times that was not an adequate direction. But you wouldn't listen.

Quote
I2P, and even somewhat Tor, is perceived as adequate by 99% of the market. The remaining 1% may be smarter but isn't obviously much of a market at all. Very niche-y.

By the speculators because they are clueless.

But the corporations do not use darknets. They want privacy on the block chain, like we have disk encryption. Mention dark nets, illegal drug trade, etc, and they won't touch it with a 100 foot pole.

Quote
I would guess that many corporations do use Tor now for certain things. I2P will be integrated and invisible. No one will know or care how it works, except that the obvious network level vulnerabilities having to do with broadcasting transactions will be removed, and it will pass routine (though not intelligence agency level) technical muster for being private sufficient to satisfy most of the market. That's my opinion, and you are welcome to disagree.

Quote
Zerocash still needs IP obfuscation for a lot of private usages in practice too. They acknowledge it in the paper.

Zerocash does not need IP obfuscation when all the transactions are in the private zerocoins. Cite the section of the paper. I think you must be misunderstanding something. You are probably conflating the use of the regular non-anonymous coins mentioned in the paper.

Here you are making excuses again. Corporations are not going to trust unprovable shit. And moreover, mixnets are always vulnerable to flood attacks. They are very, very unreliable. Not only do I disagree, but I also think you are ignoring basic fundamental realities about the technologies.

Edit: arguing for Tor/I2P is akin to arguing for Dash's off chain mixing. Now look in the mirror and remember your arguments for End-to-End Principled ring sigs (versus off chain mixing) and realize the same logic applies to why Zerocash is superior to using off chain mixnets. Hypocrite.

Edit#2: okay I see the section you are referring to:

Quote
6.4 Additional anonymity considerations

Zerocash only anonymizes the transaction ledger. Network traffic used to announce transactions, retrieve blocks, and contact merchants still leaks identifying information (e.g., IP addresses). Thus users need some anonymity network to safely use Zerocash. The most obvious way to do this is via Tor [DMS04]. Given that Zerocash transactions are not low latency themselves, Mixnets (e.g., Mixminion [DDM03]) are also a viable way to add anonymity (and one that, unlike Tor, is not as vulnerable to traffic analysis). Using mixnets that provide email-like functionality has the added benefit of providing an out-of-band notification mechanism that can replace Receive.

Additionally, although in theory all users have a single view of the block chain, a powerful attacker could potentially fabricate an additional block solely for a targeted user. Spending any coins with respect to the updated Merkle tree in this "poison-pill" block will uniquely identify the targeted user. To mitigate such attacks, users should check with trusted peers their view of the block chain and, for sensitive transactions, only spend coins relative to blocks further back in the ledger (since creating the illusion for multiple blocks is far harder).

I will need to understand this attack better. Seems to me they are saying that you need to spend from a block where your pour transaction was the only transaction in the block. But the user would I think know this and thus not spend the coin any more. Thus I believe the anonymity remains provable without the use of any mixnet. I will need to understand this more deeply to be sure.
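The mitigation the paper describes in the quoted section (compare your view of the ledger with trusted peers, and for sensitive spends anchor only to blocks deep enough that the attacker would have to fabricate several of them) can be made concrete. The following is an added example written for this page, not code from the Zerocash paper or from any project or poster; the block format, Merkle layout, peer set and commitment values are all constructed for illustration.

```python
import hashlib
from dataclasses import dataclass


def sha(*parts):
    return hashlib.sha256(b"".join(parts)).digest()


def merkle_root(leaves):
    """Merkle root over a block's note commitments. Leaf and inner-node hashes
    are domain-separated so a leaf can never be passed off as an inner node."""
    level = [sha(b"\x00", leaf) for leaf in leaves] or [sha(b"\x00")]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [sha(b"\x01", level[i], level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]


@dataclass(frozen=True)
class Block:
    height: int
    prev: bytes
    commitments: tuple

    def hash(self):
        # Commits to the previous block and to this block's Merkle root, so a
        # block fabricated for one user has a hash no honest peer has seen.
        return sha(self.height.to_bytes(8, "big"), self.prev, merkle_root(self.commitments))


def extend(chain, commitments):
    prev = chain[-1].hash() if chain else bytes(32)
    return chain + [Block(len(chain), prev, tuple(commitments))]


def build_chain(blocks):
    chain = []
    for commitments in blocks:
        chain = extend(chain, commitments)
    return chain


def poisoned_heights(my_chain, peer_chains):
    """Heights in our view that no trusted peer confirms: the fingerprint of a
    poison-pill block shown solely to us."""
    bad = []
    for blk in my_chain:
        confirmed = any(len(pc) > blk.height and pc[blk.height].hash() == blk.hash()
                        for pc in peer_chains)
        if not confirmed:
            bad.append(blk.height)
    return bad


def choose_anchor(my_chain, peer_chains, min_depth):
    """Newest block that is at least min_depth below our tip AND that every
    trusted peer reports with the same hash. Spends are built relative to this
    block's Merkle tree. Returns (height, hash) or None."""
    tip = len(my_chain) - 1
    for height in range(tip - min_depth, -1, -1):
        mine = my_chain[height].hash()
        if all(len(pc) > height and pc[height].hash() == mine for pc in peer_chains):
            return height, mine
    return None


def demo():
    """Constructed scenario: three honest blocks; the attacker feeds the target a
    fourth block that exists nowhere else and holds the target's own commitment."""
    honest = build_chain([[b"cm1", b"cm2"], [b"cm3"], [b"cm4", b"cm5", b"cm6"]])
    poisoned = extend(honest, [b"target-cm"])
    peers = [honest, honest, honest[:2]]  # constructed: third peer lags one block
    return honest, poisoned, peers


if __name__ == "__main__":
    honest, poisoned, peers = demo()
    print("heights no peer confirms:", poisoned_heights(poisoned, peers))
    print("anchor, two synced peers, depth 0:", choose_anchor(poisoned, peers[:2], 0)[0])
    print("anchor, all three peers, depth 1:", choose_anchor(poisoned, peers, 1)[0])
```

The peer check alone already rejects the fabricated tip, since no honest peer can reproduce its hash; the depth parameter is the second defence the paper mentions, for an attacker strong enough to keep a private fork alive across several blocks. A lagging peer reduces the usable anchor height rather than causing a false alarm.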

smooth
January 21, 2016, 06:46:49 AM  #83

Those are two separate issues.

Quote
Corporations are not going to trust unprovable shit

1. You cannot prove that the properties of on-chain input mixing are unprovable. In fact, obviously some properties are definitely provable, so really the question is which ones.

2. I disagree with the above statement. They do so all the time. Cryptography itself isn't even provable beyond stated assumptions. And certainly not elliptic curve cryptography without which Zerocash does not exist (nor Cryptonote, but I'm told that Cryptonote is still mathematically stronger -- outside my expertise).

All this stuff is about using the "best" available tool where "best" is not a simple metric.
TPTB_need_war
January 21, 2016, 06:51:35 AM  #84

Quote
Those are two separate issues.

They are saying the IP address is leaked. They are not saying it can be correlated to any transaction, except for that bizarre attack in the second point which seems to be detectable and only likely in a (near) majority hashrate attack. This appears to be a non-issue.

smooth
January 21, 2016, 06:57:08 AM  #85

Quote
Those are two separate issues.

Quote
They are saying the IP address is leaked. They are not saying it can be correlated to any transaction, except for that bizarre attack in the second point which seems to be detectable and only likely in a (near) majority hashrate attack. This appears to be a non-issue.

They are saying that nearly any practical use where privacy is desired will still require shielding the network layer to remain private. Partial solutions that hide connections between transactions on the chain but still put a big shining beacon all over your online activity (and these days almost all activity is online, even when you are "offline" and using a mobile device) are largely useless.

"Zerocash only anonymizes the transaction ledger"

Not good enough.
TPTB_need_war
January 21, 2016, 07:04:56 AM  #86

Quote
Those are two separate issues.

Quote
Corporations are not going to trust unprovable shit

Quote
1. You cannot prove that the properties of on-chain input mixing are unprovable. In fact, obviously some properties are definitely provable, so really the question is which ones.

Nonsense. The meta-data can be correlated. It is unprovable as to what of a myriad of scenarios will be correlated and not correlated. The entropy of the universe is unbounded. ;)

Quote
2. I disagree with the above statement. They do so all the time. Cryptography itself isn't even provable beyond stated assumptions.

Very strong assumptions backed by a lot of math. And a lot very smart mathematicians and cryptographers trying to break the math.

If cryptography is broken, then society may stop functioning and we may regress several decades in living standards.

Quote
And certainly not elliptic curve cryptography without which Zerocash does not exist (nor Cryptonote, but I'm told that Cryptonote is still mathematically stronger -- outside my expertise).

Cryptonote is likely more mathematically well supported. Zerocash will indeed need to garner more peer review for it to be as trusted as ECC.

Quote
All this stuff is about using the "best" available tool where "best" is not a simple metric.

Dash is better than Monero then! Come on smooth don't be a hypocrite. On chain anonymity is End-to-End Principled. Off chain mixing is not. That is fundamental and has been (one of) the argument(s) employed by Monero against Dash.

On chain anonymity is provable with math, except not for Cryptonote because the combinatorial analysis math is unfathomable and can't be expressed in a closed form. With Zerocash, the math of the anonymity set is simple; it is everyone. Every transaction in the universe is in your anonymity set in Zerocash.

Cryptonote isn't even close not even with orders-of-magnitude close. And that is not even factoring in the meta-data issue.

You are trying to equate a microbe to an elephant. The elephant is in your living room and you are denying it.

smooth
January 21, 2016, 07:09:09 AM  #87
Last edit: January 21, 2016, 07:20:52 AM by smooth

Quote
2. I disagree with the above statement. They do so all the time. Cryptography itself isn't even provable beyond stated assumptions.

Quote
Very strong assumptions backed by a lot of math. And a lot very smart mathematicians and cryptographers trying to break the math.

If cryptography is broken, then society may stop functioning and we may regress several decades in living standards.

I didn't say it was broken, I said it was unprovable. Of course some cryptography is actually broken too, which is somewhat related.

Quote
And certainly not elliptic curve cryptography without which Zerocash does not exist (nor Cryptonote, but I'm told that Cryptonote is still mathematically stronger -- outside my expertise).

Quote
Cryptonote is likely more mathematically well supported. Zerocash will indeed need to garner more peer review for it to be as trusted as ECC.

Not just a peer review issue. I'm told the math itself is actually weaker (necessarily assumptions are stronger). But I'll leave that to the mathematicians.

And no I don't agree that Tor and I2P are the same as Dash. Those tools are mature, based on well-understood principles that are proven to observe certain properties given other certain assumptions.

Not one of these layers is provably secure in all manners. Not CryptoNote, not Dash, not Tor, not I2P, not Zerocash, not ECC. You layer the pieces together and get a solution, ideally layering pieces that are well designed and have understood and desired properties. Dash is none of that, it's just one guy (with at best weak qualifications) making everything up as he goes along.

Quote
On chain anonymity is provable with math, except not for Cryptonote because the combinatorial analysis math is unfathomable and can't be expressed in a closed form

Proof?

I think likely false. Random selection means definable properties and generally favorable adversarial properties too. I'm pretty sure many of these properties can be expressed in closed form.

Less true for the broader issues of privacy outside of the chain, but as we know every system has those issues. We pick the pieces with the most desired properties.

Or we decide the available components are not good enough for our personal goals and move on to doing something else with our life. If that sounds like a suggestion, it is, but meant as a sincere one, not, "Get lost".
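On whether the anonymity of randomly selected ring members has characterizable properties: one property that can be measured directly is how far an analyst gets by elimination, the chain-reaction analysis Monero Research Lab published as MRL-0001 in 2014. The following is an added example written for this page, not code from any poster or project. The ledger is a constructed toy (uniform decoy selection, no ordering constraints), and the analyst's starting hints stand in for the off-chain metadata correlation argued about above.

```python
import random


def make_ledger(n_outputs, n_spends, ring_size, rng):
    """Constructed toy ledger. Each of n_spends transactions spends one output
    of its own and hides it in a ring with ring_size-1 decoys drawn uniformly
    from all other outputs. Returns (rings, truths); the analyst never sees
    truths except through the hints passed to cascade()."""
    unspent = list(range(n_outputs))
    rng.shuffle(unspent)
    rings, truths = [], []
    for _ in range(n_spends):
        real = unspent.pop()
        decoys = rng.sample([o for o in range(n_outputs) if o != real], ring_size - 1)
        rings.append(frozenset([real, *decoys]))
        truths.append(real)
    return rings, truths


def cascade(rings, known):
    """Elimination attack. `known` maps output -> ring index where outside
    information already pins that output as the real spend. An output can be
    spent only once, so it cannot be the real member of any other ring and is
    struck from them; a ring left with a single candidate is resolved and its
    output feeds the next round. Returns the surviving candidates per ring."""
    cands = [set(r) for r in rings]
    for out, i in known.items():
        cands[i] = {out}
    resolved = {}
    queue = list(range(len(rings)))
    while queue:
        i = queue.pop()
        if i in resolved or len(cands[i]) != 1:
            continue
        (out,) = cands[i]
        resolved[i] = out
        for j, c in enumerate(cands):
            if j != i and out in c:
                c.discard(out)
                queue.append(j)  # re-examine: it may now be a singleton
    return cands


def traced_fraction(cands, truths):
    """Share of rings whose real spend the analyst can now name."""
    return sum(c == {t} for c, t in zip(cands, truths)) / len(truths)


def mean_anonymity_set(cands):
    return sum(len(c) for c in cands) / len(cands)


def experiment(n_outputs=400, n_spends=300, ring_size=3, n_known=30, seed=1):
    """Seeded so the same ledger is produced on every run (constructed data)."""
    rng = random.Random(seed)
    rings, truths = make_ledger(n_outputs, n_spends, ring_size, rng)
    known = {truths[i]: i for i in range(n_known)}  # analyst's external hints
    return rings, truths, cascade(rings, known)


if __name__ == "__main__":
    rings, truths, cands = experiment()
    print("rings traced by elimination: %.1f%%" % (100 * traced_fraction(cands, truths)))
    print("mean surviving anonymity set: %.2f" % mean_anonymity_set(cands))
```

Two properties hold regardless of the random draw: elimination never removes the true spend (a correctly spent output is struck only from rings it does not belong to), and the traced fraction can only grow as the analyst's outside hints grow. How steeply it grows with ring size, decoy distribution and hint rate is exactly the kind of quantity that can be computed or simulated, which is the point in dispute above.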

TPTB_need_war
January 21, 2016, 07:28:46 AM  #88

Quote
2. I disagree with the above statement. They do so all the time. Cryptography itself isn't even provable beyond stated assumptions.

Quote
Very strong assumptions backed by a lot of math. And a lot very smart mathematicians and cryptographers trying to break the math.

Quote
If cryptography is broken, then society may stop functioning and we may regress several decades in living standards.

Quote
I didn't say it was broken, I said it was unprovable. Of course some cryptography is actually broken too, which is somewhat related.

Do you always ignore my first sentence?

Number theoretic assumptions with strong support are not in the same class as the unprovable nature of meta-data correlation.

You are equating different categories which are not equal in risk. Not even orders-of-magnitude close in risk.

Quote
And certainly not elliptic curve cryptography without which Zerocash does not exist (nor Cryptonote, but I'm told that Cryptonote is still mathematically stronger -- outside my expertise).

Cryptonote is likely more mathematically well supported. Zerocash will indeed need to garner more peer review for it to be as trusted as ECC.

Quote
Not just a peer review issue. I'm told the math itself is actually weaker (necessarily assumptions are stronger). But I'll leave that to the mathematicians.

The paper mentions I think 80 and 128-bit security levels, but I assume the bit security can be increased.

As for any alleged stronger number theoretic assumptions (thus weaker support and security assurances) with the bilinear pairings, I am also not expert enough in algebraic math to judge that.

Quote
And no I don't agree that Tor and I2P are the same as Dash. Those tools are mature, based on well-understood principles that are proven to observe certain properties given other certain assumptions.

Tor and I2P are fundamentally flawed if one is asking for provable reliability of their anonymity.

Ditto Dash.

The distinction is useless to the person who doesn't need anonymity 99% of the time and rather needs it 99.999999% of the time.

Quote
Not one of these layers is provably secure in all manners. Not CryptoNote, not Dash, not Tor, not I2P, not Zerocash.

Again you equate things which have orders-of-magnitude difference in risk level. Zerocash is orders-of-magnitude more provable (not counting any doubts about the peer review of the math).

Quote
You layer the pieces together and get a solution, ideally layering pieces that are well designed and have understood and desired properties. Dash is none of that, it's just one guy making everything up as he goes along.

Layering 1 in 100 failure rate mixnets with 1 in 10,000 failure rate Cryptonote means 1 in 100 failure rate. Layering doesn't help you with anonymity, because the LCD (weakest layer) dominates the outcome.

smooth
January 21, 2016, 07:32:27 AM  #89

Quote
Strong number theoretic assumptions are not in the same class as the unprovable nature of meta-data correlation.

If you are talking about meta-data on chain, then it is characterizable. If you are talking about metadata off chain, then all solutions must address it, or be confined to very limited use cases that don't involve accompanying interaction, such as (maybe) donations.

Quote
The distinction is useless to the person who doesn't need anonymity 99% of the time and rather needs it 99.999999% of the time.

Sounds like you haven't been paying attention to the part where Monero told you for the past two years that it isn't trying to be NSA proof.

This is the Technical Improvement thread though, so if you have ideas how to improve it to better approach that ideal (whether or not reaching it), please present them in technical form, otherwise this discussion will be winding down.

Quote
Layering 1 in 100 failure rate mixnets with 1 in 10,000 failure rate Cryptonote means 1 in 100 failure rate. Layering doesn't help you with anonymity, because the LCD (weakest layer) dominates the outcome.

In that case a user engaging in online activity that involves a mixnet for everything but payment, along with a 1 in a zillion Zerocash failure for payment, will also suffer from overall 1/100 failure rate. The numbers are made up of course.
TPTB_need_war
January 21, 2016, 07:37:26 AM  #90

Quote
Strong number theoretic assumptions are not in the same class as the unprovable nature of meta-data correlation.

Quote
If you are talking about metadata off chain, then all solutions must address it.

Zerocash not. That has been my entire point. The on chain transactions can't be correlated to the off chain meta-data.

No wonder you guys are treating me like shit. You are completely clueless about these issues. Every single point you are wrong.

Quote
The distinction is useless to the person who doesn't need anonymity 99% of the time and rather needs it 99.999999% of the time.

Quote
Sounds like you haven't been paying attention to the part where Monero told you for the past two years that it isn't trying to be NSA proof.

Sounds like you are not paying attention today, where I have asked you what those markets are and in every case I have explained they are tiny and/or Zerocash is preferred for the markets you suggested.

Quote
Layering 1 in 100 failure rate mixnets with 1 in 10,000 failure rate Cryptonote means 1 in 100 failure rate. Layering doesn't help you with anonymity, because the LCD (weakest layer) dominates the outcome.

Quote
In that case a user engaging in online activity that involves a mixnet for everything but payment along with a 1 in a zillion Zerocash failure will also suffer from overall 1/100 failure rate. The numbers are made up of course.

Incorrect.

smooth
January 21, 2016, 07:46:19 AM  #91

Quote
Strong number theoretic assumptions are not in the same class as the unprovable nature of meta-data correlation.

Quote
If you are talking about metadata off chain, then all solutions must address it.

Quote
Zerocash not. That has been my entire point. The on chain transactions can't be correlated to the off chain meta-data.

The ZeroCash developers disagree that is usefully sufficient, as do I. Let's just leave it at that.

As I said earlier:

Quote
This is the Technical Improvement thread though, so if you have ideas how to improve it to better approach that ideal (whether or not reaching it), please present them in technical form, otherwise this discussion will be winding down.

Your suggestion was merge the Zerocash protocol into Monero. Okay. I'm not even saying that will or won't happen.

Any other Technical Improvements to propose?


TPTB_need_war
January 21, 2016, 08:09:51 AM  #92

Another point is layering Tor/I2P is another requirement on the use of the block chain which Zerocash doesn't force on the user.

The more layers you bind together in futures contracts, the fewer degrees-of-freedom the block chain has.

There are so many basic concepts that you all should have contemplated within the nearly 2 years since Monero was released.

GingerAle (OP)
January 21, 2016, 12:53:32 PM  #93

So can we conclude that Monero's underlying cryptonote technology will not be the best privacy technology forever?

Can we conclude that Monero is one of the few fully functioning private cryptocurrency networks currently?

Can we conclude that off chain data (ip addresses) are something that needs to be addressed for all private cryptocurrency networks?

Can we conclude that a possible technical improvement to Monero would be some kind of zero-proof knowledge thing?

TPTB, I commend your enthusiasm, but one of the problems I think in this conversation is a lack of brevity. No one has time to read ALL of this, so things are missed, and you get frustrated. If you want to have useful discussions, it's probably better to not have paragraphs of text, regardless of how much needs to be said. Writing 1 paragraph is much more difficult than writing 10 pages.

< Track your bitcoins! > < Track them again! > <<< [url=https://www.reddit.com/r/Bitcoin/comments/1qomqt/what_a_landmark_legal_case_from_mid1700s_scotland/] What is fungibility? >>> 46P88uZ4edEgsk7iKQUGu2FUDYcdHm2HtLFiGLp1inG4e4f9PTb4mbHWYWFZGYUeQidJ8hFym2WUmWc p34X8HHmFS2LXJkf <<< Free subdomains at moneroworld.com!! >>> <<< If you don't want to run your own node, point your wallet to node.moneroworld.com, and get connected to a random node! @@@@ FUCK ALL THE PROFITEERS! PROOF OF WORK OR ITS A SCAM !!! @@@@
Shrikez
January 21, 2016, 08:26:03 PM  #94


Quote
I invest in people and the kind of people they attract and convince to embark on a common journey. That's why I like Monero and don't like Dash, to name one example.

Quote
Shrikez if ever you invest in something I was involved in or created, it won't be because you admired how I was able to bring a community of speculators together with some developers and manage the group-think circle-jerk.


Your and my perception of said group seem to differ. Of course there is some confirmation bias, it's human and you yourself are not free from it, can't be.

All the best, stay focused.

Die Würde des Menschen ist unantastbar (Human dignity is inviolable)
GingerAle (OP)
January 21, 2016, 08:31:40 PM  #95

My god this is boring. Let me know when you are done so I can repost the fusion block thing. I had some good asci diagrams.

TPTB_need_war
January 22, 2016, 12:15:50 AM  #96
Last edit: January 22, 2016, 12:30:56 AM by TPTB_need_war

Quote
So can we conclude that Monero's underlying cryptonote technology will not be the best privacy technology forever?

Can we conclude that Monero is one of the few fully functioning private cryptocurrency networks currently?

Can we conclude that off chain data (ip addresses) are something that needs to be addressed for all private cryptocurrency networks?

Can we conclude that a possible technical improvement to Monero would be some kind of zero-proof knowledge thing?

TPTB, I commend your enthusiasm, but one of the problems I think in this conversation is a lack of brevity. No one has time to read ALL of this, so things are missed, and you get frustrated. If you want to have useful discussions, it's probably better to not have paragraphs of text, regardless of how much needs to be said. Writing 1 paragraph is much more difficult than writing 10 pages.

Off the top of my head to return the favor for you not deleting posts and I may be missing a few points:

  • zk-snarks can be used to make any script anonymous, not just currency as for CN/RingCT. Businesses will need this.
  • Anonymity of Zerocash (ZC) is never compromised by compromising the masterkey, only the coin supply is.
  • ZC makes the entire block chain a blob uncorrelated to meta-data, whereas CN/RingCT have distinct UTXO which can be so correlated.
  • ZC doesn't require Tor/I2P thus has more degrees-of-freedom and is End-to-End principled, whereas CN/RingCT are not.
  • Both ZC and CN/RingCT can lose anonymity or have undetectable increase in coin supply if the crypto is cracked.
  • CN/RingCT has the lowest common denominator anonymity which is usually I2P, i.e. maybe 99% vs 99.999% for ZC.
  • Businesses will favor the more provable, more End-to-End freedom choice of ZC.
  • I think the chance of jail time when using CN/RingCT for any action that the State doesn't want you to do, is very high. The anonymity is not robust, as I summarized above.
  • I can't think of any user adoption markets of any significant size of CN/RingCT, other than selling it to speculators. In other words, I view CN/RingCT as just another pump job albeit with some strong developers (who hopefully will get better leadership).
  • I am saying that CN/RingCT is not a viable technology. So arguing that it is the best we have for now, IMO doesn't make much sense, unless that is just a sales pitch to speculators (again keeping in mind the Securities Law and the Howey test in the USA and the implications of leading speculators into an investment with misleading prospectus and not registered with the SEC).

Edit: some of those points have finer points of contention. So review the long discussion for that.

For example, in the cases where one needs to use Tor/I2P with ZC, those transactions are often impossible to make anonymous by any means because they involve for example buying a product from a retailer who complies with government regulations (KYC, etc).

DaveyJones
January 22, 2016, 12:28:21 AM  #97

As you dug deeper into the topic and talk about businesses adopting ZC rather than CN... does ZC have the option to be auditable? Real businesses favor something that can be audited. Can you actually prove you own xxx amount of ZC without handing over your whole keys? CN has a view key for that; what does ZC have? (Besides, none of our guesses about what businesses will or will not adopt actually hold any fact or argument, as it's not up to us but to those who run the businesses.)

Sorry for the bad English, hope you get the points.
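For readers unfamiliar with what the CryptoNote view key mentioned above actually lets an auditor do, here is an added example, not code from Monero, from any poster, or from any project, of the CryptoNote one-time output derivation on Ed25519. With only the view secret a and the public spend key B an auditor can recognise every output paid to the wallet; forming the key that spends it still requires the spend secret b. Assumptions: SHA3-256 stands in for Keccak-256, the curve arithmetic is plain affine double-and-add, and keys are generated at random on each run.

```python
import hashlib
import secrets

# Ed25519 parameters (RFC 8032); CryptoNote/Monero use this curve.
P = 2**255 - 19
L = 2**252 + 27742317777372353535851937790883648493
D = (-121665 * pow(121666, -1, P)) % P
G = (15112221349535400772501151409588531511454012693041857206046113283949847762202,
     46316835694926478169428394003475163141307993866256225615783033603165251855960)
IDENTITY = (0, 1)


def point_add(p1, p2):
    """Affine twisted-Edwards addition (a = -1); the formula is complete on this curve."""
    x1, y1 = p1
    x2, y2 = p2
    t = D * x1 * x2 % P * y1 % P * y2 % P
    x3 = (x1 * y2 + x2 * y1) * pow((1 + t) % P, -1, P) % P
    y3 = (y1 * y2 + x1 * x2) * pow((1 - t) % P, -1, P) % P
    return (x3, y3)


def scalar_mult(k, pt):
    """Double-and-add; not constant time, which is acceptable for a demonstration."""
    acc, addend = IDENTITY, pt
    while k:
        if k & 1:
            acc = point_add(acc, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return acc


def encode_point(pt):
    """32-byte compressed encoding: y with the low bit of x in the top bit."""
    x, y = pt
    return (y | ((x & 1) << 255)).to_bytes(32, "little")


def hash_to_scalar(*parts):
    # CryptoNote uses Keccak-256 here; SHA3-256 is a stand-in (assumption).
    return int.from_bytes(hashlib.sha3_256(b"".join(parts)).digest(), "little") % L


def random_scalar():
    return secrets.randbelow(L - 1) + 1


def keygen():
    """Wallet keys: view pair (a, A = aG) and spend pair (b, B = bG)."""
    a, b = random_scalar(), random_scalar()
    return {"a": a, "b": b, "A": scalar_mult(a, G), "B": scalar_mult(b, G)}


def derive_h(secret_scalar, point, index):
    # H_s(8 * secret * point || index); the cofactor 8 follows CryptoNote.
    derivation = scalar_mult(8 * secret_scalar, point)
    return hash_to_scalar(encode_point(derivation), index.to_bytes(4, "little"))


def sender_build_output(A, B, index):
    """Sender: one-time output key P = H_s(8rA || i)G + B and tx public key R = rG."""
    r = random_scalar()
    R = scalar_mult(r, G)
    h = derive_h(r, A, index)
    return point_add(scalar_mult(h, G), B), R


def auditor_owns_output(a, B, P_out, R, index):
    """Auditor holding only the view key a and public B: since 8aR = 8rA, it
    recomputes H_s(8aR || i)G + B and compares. No spend capability is gained."""
    h = derive_h(a, R, index)
    return point_add(scalar_mult(h, G), B) == P_out


def owner_spend_scalar(a, b, R, index):
    """Only the spend-key holder can form x = H_s(8aR || i) + b with xG = P_out."""
    return (derive_h(a, R, index) + b) % L


if __name__ == "__main__":
    w = keygen()
    P_out, R = sender_build_output(w["A"], w["B"], 0)
    print("auditor recognises output:", auditor_owns_output(w["a"], w["B"], P_out, R, 0))
    x = owner_spend_scalar(w["a"], w["b"], R, 0)
    print("spend scalar matches output:", scalar_mult(x, G) == P_out)
```

The asymmetry is the whole point of the view key: the recognition test uses a and B only, while the spend scalar needs b, so an auditor given (a, B) can enumerate and total a wallet's incoming outputs without being able to move them.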
TPTB_need_war
January 22, 2016, 12:31:44 AM  #98

Quote
As you dug deeper into the topic and talk about businesses adopting ZC rather than CN... does ZC have the option to be auditable? Real businesses favor something that can be audited. Can you actually prove you own xxx amount of ZC without handing over your whole keys? CN has a view key for that; what does ZC have? (Besides, none of our guesses about what businesses will or will not adopt actually hold any fact or argument, as it's not up to us but to those who run the businesses.)

Sorry for the bad English, hope you get the points.

Good point. Someone should check.

P.S. I edited my prior post.

smooth
January 22, 2016, 12:34:28 AM  #99

Quote
As you dug deeper into the topic and talk about businesses adopting ZC rather than CN... does ZC have the option to be auditable? Real businesses favor something that can be audited. Can you actually prove you own xxx amount of ZC without handing over your whole keys? CN has a view key for that; what does ZC have? (Besides, none of our guesses about what businesses will or will not adopt actually hold any fact or argument, as it's not up to us but to those who run the businesses.)

Sorry for the bad English, hope you get the points.

ZC is very immature at this point. You can't even make payments with more than one output. No multisig or other sort of contracts, even simple ones. There is no "view key" though it has been mentioned that one could be added. For more complex contracts, the current approach will be infeasible for the foreseeable future (it is barely feasible for simple coin pours -- it takes 1 minute on a desktop). Eventually that stuff can be worked out (feasibility beyond a certain point is not guaranteed though, just reasonable to expect eventually with technological advances), but we are talking about some indefinite future.

There is always going to be some better technology on the horizon. By the time Zerocash becomes more mature, there will likely be something else on the horizon that is superior in various ways, yet itself not mature. And so it continues.
TPTB_need_war
January 22, 2016, 12:37:40 AM  #100

What is missing from your analysis smooth is at what level of featureness businesses are willing to embrace block chains. I argue CN/RingCT is below the acceptable level and can not be raised to that level because the fundamentals are not End-to-End principled (also because it can only make the payers, payees, and values obscured and not any type of script and other aspects of the block chain data). Businesses will prefer private databases where they can hide all the data until public block chains mature enough to do so. Public block chains promise more interoperation and network effects, once we can make them truly private.

I try to light a fire under you guys to get you refocused on technology that can meet your goal of being a privacy block chain for businesses. That is where the real market is.
