Shadowcash vs. Monero, an unbiased debate.

[TPTB_need_war]

Either a coin is capable of zk-anon or it is not.

Cryptonote ring sigs are not fully zero knowledge. The values of the transactions forces some correlations that wouldn't be there if the values were hidden. For one thing values requires smaller anonymity sets as for example noted in section 3.3.3 of the ShadowCash white paper (and similarly for Monero/Cryptonote):

http://shadow.cash/downloads/shadowcash-anon.pdf

3.3.3. To increase the pool of outputs available for ring signatures, the SDC value is
broken up into separate Shadow tokens for each decimal place of the total value.
The tokens are further broken up to values of 1, 3, 4 and 5. For example 1.7 sdc
would become 3 tokens of values 1.0, 0.3 and 0.4.

Smooth and I recently discussed this issue when I pointed out that Blockstream's Confidential Transactions hide values (but they don't provide untraceability).

Additionally we can't predict the types of sophisticated combinatorial analysis research that could come out against the data provided by revealing the values. As I said to smooth in that recent discussion:

You could hide value with CN. Split your value into small morsels, mix, then recombine through mixes. So then no one knows who owns that large balance.

Or simply use Monero as it is with balances split into powers-of-10 and thus (in theory) no one knows which sets of transactions are really the same transaction. Thus I agree with smooth's statement.

However, I have my doubts as to whether those powers-of-10 balances are not correlated via timing analysis. I don't have a specific algorithm nor research paper to cite, but rather just that we are dropping patterns all over the place. In an ideal anonymity set, everything should look the same, so there is no entropy to analyze.

So thus hiding value has the advantage of removing information that can be used to aid in combinatorial and timing analysis (combined).

Also it has another advantage which I won't mention yet...

In any case, I want to acceded that CN does in theory effectively add value privacy. I am just not confident that Monero is sufficient against the 5 Eyes and powerful analysis research that might be forthcoming if ever these CN coins become popular.

P.S. How does ShadowCash justify trying to obscure that it copied Cryptonote and doesn't even cite Cryptonote in its white paper? It looks to me they were trying to fool n00bs into thinking they had created something different or superior to the pre-existing Cryptonote?

[1714886325]

1714886325

[1714886325]

1714886325

[1714886325]

1714886325

[1714886325]

1714886325

[1714886325]

1714886325

[smooth]

copied ... doesn't even cite

There seems to be a lot of that going around.

They did include Cryptonote in their list of references BTW, but they never mentioned it anywhere in the paper.

[TPTB_need_war]

copied ... doesn't even cite

There seems to be a lot of that going around.

They did include Cryptonote in their list of references BTW, but they never mentioned it anywhere in the paper.

My white paper conspicuously cites Cryptonote

Apologies I did miss the entry at the end. They did put it in the References section.

[Wheatclove]

I2P traffic and IP addresses are encrypted 4? times. How exactly is it unsecure?

Sorry I am not going to be able to teach you the exhaustive reasons in a forum thread. This issue will be explained more in depth in a future white paper.

I understand it is very difficult for n00bs to understand.

If you can't back up an argument with evidence, don't make it?

[TPTB_need_war]

I2P traffic and IP addresses are encrypted 4? times. How exactly is it unsecure?

Sorry I am not going to be able to teach you the exhaustive reasons in a forum thread. This issue will be explained more in depth in a future white paper.

I understand it is very difficult for n00bs to understand.

If you can't back up an argument with evidence, don't make it?

It is not a simple argument to support. I have already supported in a document I have not yet published. I am not ready to publish it yet. But if you go to I2P's website, they readily admit what I've stated.

I2P was not designed to be robust against three letter agencies. It was designed to provide some privacy against normal adversaries.

I explained this is more detail in the "Economic Totalitarianism" thread. I'll try to dig up a link for you...wait...

[fluffypony]

Not my misunderstanding at all.

It would be better to say curve 25519 than Curve25519, because afaik the latter refers to a white paper for a ECC Diffie-Helman key exchange, which is a different purpose and more optimized than EdDSA which is for public/private key signing. Much more than a minor distinction (thanks to DJB for such premature optimization on the naming and confusion):

Fair enough, noted for next time.

[Wheatclove]

I2P traffic and IP addresses are encrypted 4? times. How exactly is it unsecure?

Sorry I am not going to be able to teach you the exhaustive reasons in a forum thread. This issue will be explained more in depth in a future white paper.

I understand it is very difficult for n00bs to understand.

If you can't back up an argument with evidence, don't make it?

It is not a simple argument to support. I have already supported in a document I have not yet published. I am not ready to publish it yet. But if you go to I2P's website, they readily admit what I've stated.

I2P was not designed to be robust against three letter agencies. It was designed to provide some privacy against normal adversaries.

I explained this is more detail in the "Economic Totalitarianism" thread. I'll try to dig up a link for you...wait...

Yeah, not asking you to pull out all the stops in regards to supporting your arguments, but directing curious minds to the proper resources to do their own research is helpful.

Thanks

[TPTB_need_war]

I started discussing I2P on page 21 and the discussion continued until at least page 24 of the thread:

https://bitcointalk.org/index.php?topic=1049048.msg11842826#msg11842826


Also I don't know where to find a technical description of ShadowCash's private messaging anonymity algorithm?? You can see my analysis of similar attempts on the prior linked and following linked post, and I very much doubt that ShadowCash is doing it correctly:

https://bitcointalk.org/index.php?topic=1049048.msg11844778#msg11844778

I am nearly certain that ShadowCash will have a flaw in it and that is probably why they are not detailing it in a white paper. They are hiding details.

Edit: Okay I found the ShadowChat white paper. I didn't know what to google for until just recently.

http://www.shadow.cash/downloads/shadowcoin-p2p-em.pdf

Section 3.3 Message Propagation makes it clear that is a Bitmessage-like clone. They are sending every encrypted message to every peer on the network, except grouped by 1 hour channels. So that means they send out a list of all messages to all peers, then peers only request an hourly channel which contains a message intended for them.

That is indeed Information Theoretic Security anonymity.

So thus I will give ShadowChat a thumbs up. This is the first proposal I've seen which is a potential alternative to Bitmessage.

From that description it may be feature incomplete from my perspective of what is really needed out by the market. And I will not detail now the other features I would like to see. They probably have many plans for the ShadowChat which I am not aware of.

However, I don't know if it can scale. That is one of the problems with Bitmessage. Imagine you have 1 million peers and you have to send a message digest to all of them. You can of course shrink the anonymity sets to the desired sizes by decreasing the channel width in time, but the digests still need to be sent to every peer. There are alternative ways to design the channels so digests are not sent to all peers. Appears they haven't done that yet.

Also there is no discussion of the spam resistance.

Again I am giving ShadowMarket a thumbs down.

[smooth]

Section 3.3 Message Propagation makes it clear that is a Bitmessage clone.

Curious that the white paper makes no mention of how their system is similar to and/or different from bitmessage.

But then, they did include bitmesssage in the list of references.

[TPTB_need_war]

Section 3.3 Message Propagation makes it clear that is a Bitmessage clone.

Curious that the white paper makes no mention of how their system is similar to and/or different from bitmessage.

But then, they did include bitmesssage in the list of references.

It is not scholarly to not discuss prior art and explain the differences. Which is typical of altcoins isn't it.

Also note I edited my post, to point out no discussions of spam resistance and scaling.

[Wheatclove]

I started discussing I2P on page 21 and the discussion continued until at least page 24 of the thread:

https://bitcointalk.org/index.php?topic=1049048.msg11842826#msg11842826


Also I don't know where to find a technical description of ShadowCash's private messaging anonymity algorithm?? You can see my analysis of similar attempts on the prior linked and following linked post, and I very much doubt that ShadowCash is doing it correctly:

https://bitcointalk.org/index.php?topic=1049048.msg11844778#msg11844778

I am nearly certain that ShadowCash will have a flaw in it and that is probably why they are not detailing it in a white paper. They are hiding details.

Edit: Okay I found the ShadowChat white paper. I didn't know what to google for until just recently.

http://www.shadow.cash/downloads/shadowcoin-p2p-em.pdf

Section 3.3 Message Propagation makes it clear that is a Bitmessage-like clone. They are sending every encrypted message to every peer on the network, except grouped by 1 hour channels. So that means they send out a list of all messages to all peers, then peers only request an hourly channel which contains a message intended for them.

That is indeed Information Theoretic Security anonymity.

So thus I will give ShadowChat a thumbs up. This is the first proposal I've seen which is a potential alternative to Bitmessage.

From that description it may be feature incomplete from my perspective of what is really needed out by the market. And I will not detail now the other features I would like to see. They probably have many plans for the ShadowChat which I am not aware of.

However, I don't know if it can scale. That is one of the problems with Bitmessage. Imagine you have 1 million peers and you have to send a message digest to all of them. You can of course shrink the anonymity sets to the desired sizes by decreasing the channel width in time, but the digests still need to be sent to every peer. There are alternative ways to design the channels so digests are not sent to all peers. Appears they haven't done that yet.

Also there is no discussion of the spam resistance.

Again I am giving ShadowMarket a thumbs down.

Thanks, I'll be taking a look at all of this when I can. Gives me some direction for my personal research

[TPTB_need_war]

So POS is a sham? it's as clear cut as that?

...

... and do, make subtle changes to their systems when presented with flaws, or order to "fix" the flaws. In formal and security analysis, any change, however subtle, means the analysis needs to be completely redone. Obviously you can see how this might make it infeasible to keep up with every new variation and show how each and every one of them are broken in specific detail.

Nevertheless it is possible to analyze these systems in broad terms and reach conclusions in terms of general principles, such as needing to consume some external resource (i.e. proof of "work", broadly) in order to reach a decentralized consensusmaintain unbounded entropy...

But anyway, what of Paul Stzorc's response to Vitalik? Riskless counter-contracts. In general with PoS it seems to me that Vitalik and the other PoS people are falling into the "make the security model confusing enough that even really smart people can't understand it = good security" error. Sure, PoS doesn't seem confusing, but with things like stake-grinding plus an endless parade of more unfamiliar-to-security-researchers workarounds it optimizes for a security model that's difficult to poke holes in during debate, but that a motivated attacker could eventually figure out how to attack precisely because it's too opaque to know that what the attack vectors are so that they can be defended against.

I maintained since 2013 that PoS can't pull from a large enough pool of entropy. The randomization of order can be gamed. Note a natural source of external entropy can't be employed (as this would require centralization).

The excessive use of resources in PoW can be easily solved by lowering the debasement rate (and transaction fees), but before you do this you have to remove the 50+% attack...

Proof-of-Work vs. Proof-of-Stake

Extending from my prior post, the bolded portion is an unnecessary assumption (i.e. a weaker assumption is also valid):

https://download.wpsoftware.net/bitcoin/pos.pdf#page=7

We further claim that a majority of the network is working on producing a DMMS which extends
the true history. An elegant reason that this is true is given by Vitalik Buterin in [But15]: since the
reward transaction is only recognized if its block occurs in the true history, a Nash equilibrium for
each miner is to go along with the majority⁶.

The arguments made against Bitcoin succumbing to malfeasance is that the participants are self-interested in the value of the network and this interest in the public good is not undersupplied (because total or massive losses in value are possible). If that assumption is true, the participants would also align with the longest chain even if they weren't paid (note I make no claim about whether participants would mine for free, which can be considered orthogonally to my point), because the alternative is no consensus and loss of network value. Moreover, the latter assumption claim is more easily supported than the former, because it is always an immediate causal event whereas the former could be an obscured causality.

Thus in the prior post I quoted from where Vitalik has refuted Andrew's arguments, and yet Andrew (and apparently Gregory Maxwell as well) still didn't get it. So you still think Maxwell is the supreme expert? He makes mistakes too. He is not omniscient.

⁶In that same blog post, Buterin says “if you are tired of opponents of proof of stake pointing you to this article[Poe14b]
by Andrew Poelstra, feel free to link them here in response”. It is not clear what he means by this; he did not, there or
anywhere, refute that paper’s claim that you cannot produce consensus except by consuming an external resource.

What part of "subjective condition" did Andrew (and Maxwell) not understand? Vitalik demonstrated an example whereby PoW suffers an analogous requirement for assumptions of mutual incentive for optimization of the public good as PoS does. Andrew is trying to argue that PoS is self-referential thus can never be absolute proof. But Vitalik shows by example that PoW is conditioned on subjectivity also.

The subjectivity claim against PoW may be weaker than against some variants of PoS (e.g. one-time spend addresses with check points), but the devil is in the details. PoW requires checkpoints to guard against 50+% attacks too. Checkpoints are a form of social trust (aka "assumptions of mutual incentive for optimization of the public good"), subjective (SPV-like) trust model which Maxwell alluded to.

Objective: a new node coming onto the network with no knowledge except (i) the protocol definition and (ii) the set of all blocks and other “important” messages that have been published can independently come to the exact same conclusion as the rest of the network on the current state.

Weakly subjective: a new node coming onto the network with no knowledge except (i) the protocol definition, (ii) the set of all blocks and other “important” messages that have been published and (iii) a state from less than N blocks ago that is known to be valid can independently come to the exact same conclusion as the rest of the network on the current state, unless there is an attacker that permanently has more than X percent control over the consensus set.

The main argument I had against Proof-of-Stake since my 2013 debates with Etlase2 was the entropy of the randomization function. I still have to look at how that is done in variants and see if my former criticism still applies.

P.S. Andrew's paper and Vitalik's blog are both excellent for raising clarity on the issue and much appreciated.

Edit: Ah I see my long-standing reservation against PoS has remained true thus far:

https://blog.ethereum.org/2014/11/25/proof-stake-learned-love-weak-subjectivity/#comment-1730404390

Random contract execution and random hash functions every x nonces both proved flawed after some research. The plan is to use a variant of Hashimoto for v1.

[TPTB_need_war]

There is no proof that POW is superior to POS. If there was then people wouldnt use adjectives like "I think" and "probably". Hybrid POW launch and POS to sustain the network for the fucking win.

There is one thing that PoW can do which PoS can't. Distribute coins to new users who own no coins. PoW fails at this in practice because Bitcoin is dominated by ASICs. I think I may have an economic solution that destroys ASICs.

What happens to PoW-based coins that one day reach a point where it is no longer profitable for miners to continue to mine due to the required resources? Could very well be the case with LTC at some point for example (unless I am mistaken).

Also, you have some groups like 21e6 who are pushing the limits of computing for mining purposes (the ASIC manufacturer deal), just a handful of these types and you would have 3-4 individual "groups" that control 90% of the mining power of the market -- How is that good for a system that is intended for and relies on decentralization?

Just curious.

You raise real questions and indeed PoW may fail. That doesn't make PoS a success, it just makes it the other fail.

I think I may have a solution to this and solved the 51% attack also. Await white paper.

[tyz]

Both are good. Each has it's strenghs and weaknesses. It is more a religious question in my opinion, which of both is better.

[TPTB_need_war]

What happens to PoW-based coins that one day reach a point where it is no longer profitable for miners to continue to mine due to the required resources? Could very well be the case with LTC at some point for example (unless I am mistaken).

Monero counters this by having a minimum block reward (ie. it is permanently disinflationary), so there will be no reliance on fees. I would imagine that, in the face of global adoption, the hashrate will tend towards some technological ceiling (let's call that supply) with the equlibrium being curbed by "mining profit" incentives (let's call that demand). General mining decline is staved off by Monero's Smart Mining system, whereby users (including those using lightweight wallets) mine in the background to a threshold when not on battery power and when the system is idle (enabled-by-default-but-optional).

How does a declining block reward to some trickle constitute protection against a 51% attack?

Also, you have some groups like 21e6 who are pushing the limits of computing for mining purposes (the ASIC manufacturer deal), just a handful of these types and you would have 3-4 individual "groups" that control 90% of the mining power of the market -- How is that good for a system that is intended for and relies on decentralization?

Just curious.

Monero's PoW closes the performance gap between CPUs, GPUs, and ASICs, so whilst this is entirely possible it still means that (in the far future) CPU miners could be a measurable part of the hashrate. Couple this with Smart Mining, and for-profit mining farms, and it seems unlikely that a small number will be able to exercise control over a significant portion of the hashrate.

Mining centralization is also due to the rising transaction rate per second (see the current GavinCoin chaos for Bitcoin now) causing the increasing block size to not propagate without some centralization amongst a fewer number of high bandwidth nodes. Solutions such as IBLT are really just obfuscation of mining centralization.

This is a complex discussion from another thread that I am not going to repeat here.

Also afaik, ASICs haven't yet been designed for CryptoNite hash so I don't think you can reliably make that claim.

[TPTB_need_war]

Both are good. Each has it's strenghs and weaknesses. It is more a religious question in my opinion, which of both is better.

No there are distinct advantages for PoW:

• You can prove PoW's security. We know the failure points are 51% attack, 25 - 33% for selfish mining attack. Each PoS is adhoc, and can't prove generally/reliably the security nor characterize the entropy of the system. With PoS, generally you have no idea if you are secure or not. which is the antithesis of security.
• PoW can distribute coins, even widely to home users if you realize they will not count the cost of their electricity, but PoS can not distribute.

Whether someone can prove security math for a specific flavor of PoS, is something I am unaware of. Has anyone done it?

[kazuki49]

I would take TPTB_need_war/Anonymint words over the ones of the most people on this thread, he posted clues about who he is in other threads, Monero Research Labs delivered several worthy academic papers but he is an independent expert.

[TPTB_need_war]

PoS is nowhere close to PoW in terms of research. At this point the economic incentives to attack most PoS coins have not been high enough to prove worthwhile.
I am not saying that PoS has no chance to succeed or that PoW is perfect. I am saying that at this point the chances of an existential threat to PoS are far greater than to PoW.

Well of-course it is not .. ~90% of the crypto market cap is held by a PoW coin ...
The chaps over at NeuCoin have done extensive research on it .. you should read it : http://www.neucoin.org/en/whitepaper/

I read the summary. Will probably read the white paper in detail in the future.

They claim to prove sufficient security for some cases where the entropy of PoS has been attacked, but afaics they haven't proved every genre of attack, because afaics the entropy of PoS can't be characterized so we can't know what all the attacks might be. For example, let's say we took entropy for the modifier from a hash of the transactions for each block. But this hash can be gamed by the participants in the mining.

Their points against PoW I think can be eliminated, but again I will have to say await a white paper.

The basic problem with PoW now is we burden it with too much responsibility. Satoshi forgot to follow the Principle of Least Power and separation-of-concerns. I believe it possible to unburden PoW so that it is not longer an expensive appendage, but rather just a voting mechanism as it was originally intended to be, essentially one vote one computer because PoW won't have the power that it does not. Specifically I think it is possible to entirely filter the 51% attack. But I need to work through all the details formally before I can be sure of this.

[TPTB_need_war]

I would take TPTB_need_war/Anonymint words over the ones of the most people on this thread, he posted clues about who he is in other threads, Monero Research Labs delivered several worthy academic papers but he is an independent expert.

I would caution I make mistakes sometimes. I do try to correct and admit when I find an error in my work.

[TPTB_need_war]

This is a serious advantage for Shadow.

Why having two types of tx instead of one ?
Look at monero blockchain size. The private tx are way bigger than the public one

By keeping the two types of tx, you can avoid to surcharge the blockchain with private ones when they are not needed.
You can also imagine a lot of applications using that possibility of having both private and public tx.

Monero blockchain size might become a huge problem if it become really successful

Block chain scaling is a problem even for Bitcoin with no private transactions.

All cryptocoins have scalability problems.

I intend to attempt to solve this.

Public and private coin spaces are a problem, because they can weaken the anonymity for the private coin space. Think about it. If you allow people to spend off to non-anonymous space, then spend back into the anonymous space then anonymity sets break down.

The CN viewkey is superior in that you can give to a trusted party without giving it to the public. Public coin spaces of SDC give the anonymity breakage to everyone.

Logic on this stuff isn't always as obvious as n00bs think it is.