[XMR] Monero Improvement Technical Discussion

[MoneroMooo]

As a general rule of thumb, a party cannot rely on another party to cooperate in doing something detrimental to the second party.

If the network wants to detect whether blocks A and B are found by Alice, Alice will make sure to generate two different fingerprints.

Besides, you wouldn't want to embed a fingerprint of the miner in a block for a currency that prides itself on being unlinkable.

Thermal noise is used as a random source, so I'm not even sure you could get any kind of fingerprint by reading off an audio device anyway. Not that you can read off the hardware. My VMs certainly don;t have an HW audio device,

[1714054982]

1714054982

[1714054982]

1714054982

[1714054982]

1714054982

[GingerAle]

moneromoo, can you add this functionality, or does it already exist?

I noticed here that this dude wants to check his paper wallet balance with a viewkey

https://www.reddit.com/r/Monero/comments/3v631e/how_do_i_use_my_view_key_to_view_my_balance/

so obviously he can do that.

But what if they want to check the balance in an offline computer (for increased security or whatever)

can simplewallet access the blockchain without the daemon being syncd? I've noticed that simplewallet gets mad when the daemon isn't syncd. Surely it can just access the blockchain db.

[smooth]

moneromoo, can you add this functionality, or does it already exist?

I noticed here that this dude wants to check his paper wallet balance with a viewkey

https://www.reddit.com/r/Monero/comments/3v631e/how_do_i_use_my_view_key_to_view_my_balance/

so obviously he can do that.

But what if they want to check the balance in an offline computer (for increased security or whatever)

can simplewallet access the blockchain without the daemon being syncd? I've noticed that simplewallet gets mad when the daemon isn't syncd. Surely it can just access the blockchain db.

Seems like the wallet should still work even if the computer is offline, but maybe with a warning of the highest block is "too old"

[GingerAle]

So I was reading this
http://www.scribd.com/doc/273443462/A-Transaction-Fee-Market-Exists-Without-a-Block-Size-Limit#scribd

and my thoughts started to drift when I encountered the concept that orphanization is one of the impediments to picking what to mine and the whole block size fee market debate etc...

Is there any work in this space regarding what could be called sister blocks, or fusion blocks?

Basically, the way I understand it (and granted, my assumptions could be flawed) is that there exists a set of transactions in the mempool. We'll just use 5 here

Trans1
Trans2
Trans3
Trans4
Trans5

If miner A decides to put 1,2,3 in his block (block A), and miner B decides to put 3,4,5 in his block (block B), they are both technically valid blocks (they both have the previous block's hash and contain valid transactions from the mempool). However, due to the nature of satoshi consensus, if block A makes it into the chain first, block B becomes orphan - even though it is entirely valid.

It's even easier to understand the inefficiency of satoshi consensus if block A has 1,2,3 and block B has 4,5. In this case, there's really no reason both blocks aren't valid.

I see now as I continue to think about this the problem lies in the transaction fees associated with each transaction, for if they exist in two blocks, which block finder gets the reward? But this isn't an intractable problem.

Essentially what I'm thinking is that you can imagine these two blocks existing as blebs on the chain.
                         .
._._._._._._._._._./
                        \,

each dot is a block, and the comma indicates a sister block
in current protocol, this would happen
                         ._._._
._._._._._._._._._./
                        \,_,

And eventually one chain would grow longer (which is ultimately influenced by bandwidth) and the entire sister chain would be dropped, and if your node was on that chain you'd experience a reorg (right?).

why couldn't something be implemented where the above fork turns into a bleb

                         .
._._._._._._._._._./\.
                        \,/

which is eventually resolved to a fusion block

._._._._._._._._._._!_._


where the ! indicates a fusion block. When encountering a potential orphan scenario (daemon receives two blocks in close proximity, or already has added a block but then receives a similar block for the same block height) instead of the daemon rejecting one as orphan, it scans the sister block as a candidate for fusion. There would be some parameters (X% of transactions overlap, only concurrent block height are candidates (this is effectively the time window)). As part of this, the system would somehow need to be able to send transaction fees to different blockfinders, but again this seems tractable (though I await to be schooled as to why its not possible). In addition, the block reward itself would need to be apportioned.

Or is this what a reorg does? The way I understand reorgs, this is different than a reorg.

Though upon creation of the fusion block a reorganization would have to occur. So at the cost of overall bandwidth we provide a countermeasure for the loss of economic incentive for large blocks.

And one problem to address is that you would need a new block header for the fusion block, but this could really just be the hash of the two sister blocks. Both sisters are valid, therefore the hash of those valid blocks is valid.

Ok back to work.

[TPTB_need_war]

...

No closed source. The key would be produced publicly at a ceremony.
...

Using what operating system and firmware?

Of course they will need to convince the public the master key is sound. Or use my idea above of having multiple mixers and timing them out. I believe there is a solution, yet I will agree the current organization of their plans seems legally and structurally flawed.

That is why I say we can transition and beat them. But the technology is real anonymity. If you want real anonymity, you have to find a way to use their technology. Period. (and I have been studying this for a long time)

This does not answer my question which is cut and dry and goes to the heart of the trust issue.

If you apply that line of thinking, then every anonymity is insecure because operating systems and computers are never 100% secure.

I already proposed how to spread the risk out and make it non-systemic.

Note that Monero (Cryptonote one-time rings and every other kind of anonymity technology) also has systemic risk due to combinatorial analysis cascade as more and more users are unmasked with meta-data and overlapping mixes.

[ArticMine]

...

No closed source. The key would be produced publicly at a ceremony.
...

Using what operating system and firmware?

Of course they will need to convince the public the master key is sound. Or use my idea above of having multiple mixers and timing them out. I believe there is a solution, yet I will agree the current organization of their plans seems legally and structurally flawed.

That is why I say we can transition and beat them. But the technology is real anonymity. If you want real anonymity, you have to find a way to use their technology. Period. (and I have been studying this for a long time)

This does not answer my question which is cut and dry and goes to the heart of the trust issue.

If you apply that line of thinking, then every anonymity is insecure because operating systems and computers are never 100% secure.

I already proposed how to spread the risk out and make it non-systemic.

Note that Monero (Cryptonote one-time rings and every other kind of anonymity technology) also has systemic risk due to combinatorial analysis cascade as more and more users are unmasked with meta-data and overlapping mixes.

Proprietary software solutions have by their very nature a centralized systemic risk that Free Libre Open Source software solutions do not. The type of risks you describe in Monero are trivial compared to the risk of the DRM in the operating system used to generate master key in a centralized proprietary solution such as the one you propose. Furthermore I still do not have an answer to what is a straight forward yes or no question. 

[vokain]

...

No closed source. The key would be produced publicly at a ceremony.
...

Using what operating system and firmware?

Of course they will need to convince the public the master key is sound. Or use my idea above of having multiple mixers and timing them out. I believe there is a solution, yet I will agree the current organization of their plans seems legally and structurally flawed.

That is why I say we can transition and beat them. But the technology is real anonymity. If you want real anonymity, you have to find a way to use their technology. Period. (and I have been studying this for a long time)

This does not answer my question which is cut and dry and goes to the heart of the trust issue.

If you apply that line of thinking, then every anonymity is insecure because operating systems and computers are never 100% secure.

I already proposed how to spread the risk out and make it non-systemic.

Note that Monero (Cryptonote one-time rings and every other kind of anonymity technology) also has systemic risk due to combinatorial analysis cascade as more and more users are unmasked with meta-data and overlapping mixes.

Proprietary software solutions have by their very nature a centralized systemic risk that Free Libre Open Source software solutions do not. The type of risks you describe in Monero are trivial compared to the risk of the DRM in the operating system used to generate master key in a centralized proprietary solution such as the one you propose. Furthermore I still do not have an answer to what is a straight forward yes or no question.  

I am imagining that the type of people designing such a technology would do better than generate a masterkey on Windows et al. I'm actually imagining purpose-built, (encouragedly) auditable software and maybe even hardware.

[ArticMine]

...
I am imagining that the type of people designing such a technology would do better than generate a masterkey on Windows et al. I'm actually imagining purpose-built, auditable software and maybe even hardware.

Auditable by whom?

It comes down to Free Software vs Proprietary software. The same is true for the hardware. There is a reason why my question is being avoided here.

[vokain]

...
I am imagining that the type of people designing such a technology would do better than generate a masterkey on Windows et al. I'm actually imagining purpose-built, auditable software and maybe even hardware.

Auditable by whom?

It comes down to Free Software vs Proprietary software. The same is true for the hardware. There is a reason why my question is being avoided here.

By the attendees of said masterkey-generation ceremony.

[ArticMine]

...
I am imagining that the type of people designing such a technology would do better than generate a masterkey on Windows et al. I'm actually imagining purpose-built, auditable software and maybe even hardware.

Auditable by whom?

It comes down to Free Software vs Proprietary software. The same is true for the hardware. There is a reason why my question is being avoided here.

By the attendees of said masterkey-generation ceremony.

Actually by anyone who uses the currency. The role of the attendees is to verify that all the software has not changed between what was used and what is released to the public.

Edit: The minute one tries to protect "intellectual property" at any level the trust is gone.

[TPTB_need_war]

...

No closed source. The key would be produced publicly at a ceremony.
...

Using what operating system and firmware?

Of course they will need to convince the public the master key is sound. Or use my idea above of having multiple mixers and timing them out. I believe there is a solution, yet I will agree the current organization of their plans seems legally and structurally flawed.

That is why I say we can transition and beat them. But the technology is real anonymity. If you want real anonymity, you have to find a way to use their technology. Period. (and I have been studying this for a long time)

This does not answer my question which is cut and dry and goes to the heart of the trust issue.

If you apply that line of thinking, then every anonymity is insecure because operating systems and computers are never 100% secure.

I already proposed how to spread the risk out and make it non-systemic.

Note that Monero (Cryptonote one-time rings and every other kind of anonymity technology) also has systemic risk due to combinatorial analysis cascade as more and more users are unmasked with meta-data and overlapping mixes.

Proprietary software solutions have by their very nature a centralized systemic risk that Free Libre Open Source software solutions do not. The type of risks you describe in Monero are trivial compared to the risk of the DRM in the operating system used to generate master key in a centralized proprietary solution such as the one you propose. Furthermore I still do not have an answer to what is a straight forward yes or no question.  

The masterkey is generated once and only the public key is retained. As long as no one saw nor can recover the private key before it was discarded, then there is nothing proprietary remaining in the use of the Zerocash open source. The Zerocash open source code requires a public key to be pasted in. It is the public (ceremony) generation of that key, which determines whether anyone had access to the private key when the public key was created.

DRM has nothing to do with it all. Thus I assume you don't understand the issue.

The only issue is whether the public key can be computed at a public ceremony and the private key was securely discarded. So for example, they could use any computer, encase it in lead before running the computation, and no external connection to the computer other than the screen which reads out the public key.

Then slide the computer into a barrel of acid so that it is permanently destroyed. All done at a public ceremony so there can be no cheating.

Of course one could envision elaborate/exotic means of cheating, such as using radio waves to communicate the private key out to external actor, but again that is why I wrote encase it in lead. There is the issue of how to destroy it while not momentarily removing it from its communication barrier. But I am confident these physics issues can be worked out to a sufficient level of trust.

As for trust, not even the Elliptic Curve Cryptography and other math we use for crypto can be 100% trusted. So if you start arguing silly about 100% trust, then it is safe to ignore as loony.

[GingerAle]

damn. saw this thread bumped and got excited it was in response to my fusion block idea. Instead its this zeroknowledge vaporcoin stuff. You better bring it all back in somehow to MONERO improvement technical discussion lest I wield my moderation powers and shrinkify everything.

is monero implementing ZKP? Last I heard thats a big negative.

This one:

Note that Monero (Cryptonote one-time rings and every other kind of anonymity technology) also has systemic risk due to combinatorial analysis cascade as more and more users are unmasked with meta-data and overlapping mixes.

might have some legs. As you mentioned, I think the meta-data (what can be referred to as out-of band) can't really be addressed by any protocol. No computer code can stop you from posting on facebook the exact time that you purchased a drone on amazon. I think the general idea though is that with monero (and others) any analysis has a much more steep effort wall than bitcoin.

[TPTB_need_war]

...
FUD. The ceremony is only to computer a public key, nothing else. No other software has to be audited. Only need to confirm that the private key was not communicated from the computer to any one. Period.

How do you know that the public key you see on the screen is the one that was computed and not one that was pre computed before the computer was "placed in lead"?

Edit: DRM in the OS has everything to do with this since it is the perfect place to hide the private key. That is what DRM is designed to do hide private keys.

The hardware has to be audited. But we also have to audit our hardware that we use to run Cryptonote. If Intel is planting spies in the hardware, then we are screwed.

100% trust is impossible. And this is another reason I deprioritized anonymity. It is a clusterfuck.

Also I think perhaps Zerocash was working on a way to generate the public key decentralized, but I haven't kept up with progress on that.

Indeed Zerocash could end up being a Trojan Horse (a way to get fiat in the back door) and that is why I made my proposal to use them only as ephemeral mixes that die periodically, so then we will know if the key was compromised or not.

The result of my proposal is:

• Stolen coins isn't systemic to the overall coin (same as losing some coins to Mt. Gox and Cryptsy isn't), and at least participants get ongoing ceremonies to get better and better at auditing the hardware.
• No anonymity is ever lost.
• No NET coin supply is ever created out-of-thin-air (instead some people lose coins if they chose an insecure mixer that had a compromised key), which is also the case for both Zerocash and RIngCT where coin supply could be created out of thin air and we would never know it due to a bug in cryptography.

That will kick ass on Monero, because if I pass through the mixer, I know my anonymity is provable and I know I didn't lose my coins. It is only people who still sitting inside the mixer who risk losing coins. Everything has a risk. I would much rather the microscopic risk of a compromised key (causing me to lose some coins) to the sure risk of meta-data correlation in Monero which can send me to jail! Surely I would be judicious about not mixing all my coins at the same time and not all in the same mixer.

[GreekBitcoin]

But I am confident these physics issues can be worked out to a sufficient level of trust.

Only need to confirm that the private key was not communicated from the computer to any one.

I find this kinda weak against your general absolutism. "So Simple Yet So Complex".


After all, what stops all 3 letter agencies, who can own blockchains and can do analysis and attacks etc, to stage the whole thing? Will i be allowed to check that computer?

I mean, i have near to zero understanding of cryptography, but your search for the perfect/ideal solution looks like making you ready to take a huge and dangerous bet.  

[TPTB_need_war]

But I am confident these physics issues can be worked out to a sufficient level of trust.

Only need to confirm that the private key was not communicated from the computer to any one.

I find this kinda weak against your general absolutism. "So Simple Yet So Complex".


After all, what stops all 3 letter agencies, who can own blockchains and can do analysis and attacks etc, to stage the whole thing? Will i be allowed to check that computer?

I mean, i have near to zero understanding of cryptography, but your search for the perfect/ideal solution looks like making you ready to take a huge and dangerous bet.  

I proposed ephemeral mixers based on Zerocash technology. They will be ferreted out if they are doing this, because it will be known that the key was compromised when the mixer expires and everyone has to cash out of the mixer back into the public coin. The bastards can't keep doing it over and over again. The participants will get wise as to the methods the attackers are using.

I am not absolutist. Rather I think correctly and realistically when I weigh marketing, tradeoffs, and delusion as follows:

That will kick ass on Monero, because if I pass through the mixer, I know my anonymity is provable and I know I didn't lose my coins. It is only people who still sitting inside the mixer who risk losing coins. Everything has a risk. I would much rather the microscopic risk of a compromised key (causing me to lose some coins) to the sure risk of meta-data correlation in Monero which can send me to jail! Surely I would be judicious about not mixing all my coins at the same time and not all in the same mixer.

Marketing and design are holistically joined at the hip. Those fools who said the marketing can come later are clueless.

[TPTB_need_war]

One more point I considered in my holistic analysis is that for most transactions we can't be anonymous. Thus anonymity is more suited to those who want to receive some payment anonymously and hide the funds there and extract them only to public funds in small morsels or to spend in other rare anonymous transactions (e.g. buying some gold bars from someone you trust won't reveal your identity).

In that case one might think you can just use Stealth Addresses (unlinkability) and run a full node to confirm receipt of funds anonymously. No need for Cryptonote, RingCT, nor ZeroCash. But the problem is the payer can be identified and be pressured to reveal your identity.

So this is why we need Zerocash to make the untraceability impervious to meta-data correlation.

But the problem with my proposal for ephemeral Zerocash mixers is that when we take the coins out of the mixer they can now be correlated to our meta-data (e.g. IP address, etc). So thus it seems to hide large funds and only take out small portions publicly as needed, will incur risk of losing those coins in my proposal, but at least they will be provably anonymous.

Anonymity is a clusterfuck. If we can't make trusted hardware, then anonymity is unprovable. Period.

So just give up on anonymity, or get busy trying to make hardware we can trust?

(or if Zerocash has developed a provably secure way to generate a master public key, which I doubt)

[aminorex]

DRM has nothing to do with it all. Thus I assume you don't understand the issue.

You are not giving him due credit. (AM is not a typical BTCT slouch.)  It is an allusion to "reflections on trusting trust" https://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf

[smooth]

Chip fabs are a very high capital investment. Thus they can't run away from the directives of the national security agencies.

That is certainly true. Indeed I personally distrust current chips and horde some older platforms that were much less feasible to backdoor in a manner that would be useful today. When they break or wear out I will lose that option though. Still there is a diversity even of current chips and they may not all be backdoored in an equivalent manner or by cooperating parties, if they all are at all.

[smooth]

I would not entrust not receiving jail time on the assumption my meta-data can't be correlated, neither with Monero nor Bitcoin. The only anonymous things I would do would be legal things I want to hide from for example the public, but not from the NSA (and the employees of the NSA). In that case, I can do this reasonably well using Bitcoin.

I can't make the sources of my transaction untraceable with Bitcoin (unless I use some unreliable mixer, CoinJoin, or CoinShuffle), i.e. if someone wanted to premine and then make it impossible to connect them to the premined coins. So maybe we can argue that Cryptonote/Monero would help people who want to create scams. But decentralized exchanges might accomplish the same (not sure about that yet, still analyzing them).

Let's try to stop thinking like clueless anarchists and start to think like businessmen who want to market our products to real markets.

Would that be on topic here? I'm pretty sure the answer is no

This thread is about Monero technical ideas, discussion, ONLY. If you barge in here with something non-technical, I will delete it.

What's the deal with you and Monero anyway? You have  many of your own threads. Why not just discuss your broad ideas about marketing products to real markets there instead?

[TPTB_need_war]

Do you have specific technical proposals how to improve Monero?

I am thinking best to adopt zk-snarks because (in high level conceptual thinking which could possibly be missing some key detail) it is more general to any sort of block chain contract (script) a business might want to do, not just currency. As well, I argued in the prior post that businesses will not likely adopt a privacy solution for currency which forces them to trust Tor or I2P to obscure their IP address meta-data (and that isn't even the only meta-data that will need to be obscured and some other meta-data might even be impossible to obscure).

Thus I argue if corporations are going to adopt privacy on block chains, they will choose zk-snarks in spite of your arguments that the masterkey must be created in a secure way. Corporations trust the institutions of society, e.g. the police, the courts, the government, etc.. Also afaics corporations are sort of a hierarchical structure with smaller companies serving larger companies, and so they are likely to fall in line to what larger corporations demand for interoption. What I am saying is that the top-down structure of corporatism means accepting that someone at the very top gets to create the masterkey for Zerocash.

Of course I would prefer an anonymity solution that has no caveats. But after all my study (and even inventions of anonymity solutions) I have learned there can't exist anonymity systems w/o caveats.

Thus if we are choosing which set of caveats (tradeoffs) we prefer to develop around, I think we must incorporate the needs of markets into our thought process.

I simply don't see any markets for Cryptonote style anonymity. I wish I could think of a market, but I can't. Whereas, zk-snarks seems to potentially have real business applications.

And that is damn unbiased opinion, because I have nothing to gain from zk-snarks. I have no knowledge of how to code them nor do I yet completely understand them. It doesn't give me any advantage whatsoever to come to the conclusion they are superior to develop around. Hell, I even have Zero Knowledge Transactions which is superior to RingCT which I had to abandon because I came to this realization. I am a loser too.

I don't know why you guys are so unable to discuss issues without freaking out. Smooth if you are truly diversified, then why can't you act more calm. Did you promise all the speculators that you were surety? Remember Proverbs says, "Don't be surety for another".

Look way back in 2014 when you launched Monero, I told you smooth and fluffypony that IP address correlation was the weakness. Fluffypony proceeded to try to integrate I2P. I warned you all many times that was not an adequate direction. But you wouldn't listen.

And now you attack me and are angry at me for trying to help you not waste more of your time and effort.

I simply don't understand you guys. Why can't you be more open-minded and also more amicable to people who want to discuss matters?

Is it pride? Somebody shot your baby.