Zero Knowledge Transactions

[TPTB_need_war]

Here is an excerpt from my fully completed white paper for my revolutionary anonymity invention.

I am proposing to release this white paper either publicly or for exclusive implementation in Monero or other coin, which ever the community prefers; and forsake my former plans to implement it first in my Ion project. The benefit is to get this anonymity breakthrough implemented sooner for those of us in the community who desire such a feature.

Other potential benefits include enabling me to demonstrate an example of my technical capabilities, demonstrate that I am for sharing/open source, and to rebuild to my entirely depleted savings so I could for example seek proper health care for my strange autoimmune-like chronic illness which includes relapsing chronic fatigue syndrome, peripheral neuropathy, gut pain, and strange head pain/sensations which potentially implicate Multiple Sclerosis (3+ years suffering). Also it would enable me to refund my Ion project angel investors, in case due to my health I am unable to complete Ion. Note I can still code features because I am not ill every moment, but the concern is whether I have enough good hours to complete and manage an entire crypto project. I may have found a breakthrough on my health to be explained soon, but I am hedging my opportunities just in case.

Forsaking the "first mover" advantage of implementing it first in Ion, I lose the strategy by which I intended to capture compensation for the following work I already completed. Thus I need to compensated via some other means, and a donation model has been suggested to me. I am interested to test a "Kickstarter" style funding threshold which is discussed below.

Zero Knowledge Transactions

Shelby Moore†

15 July 2015

Abstract: Our conditional security¹, autonomous transaction model conceals the origination, destination, and conveyed content from the view of third parties. For a monetary transaction, these obscured three are respectively the payer, payee, and transferred monetary value. The originator knows the destination; the payee and payer know the conveyed value, and the payer isn’t revealed to the payee.

We improve upon, unify, and generalize the concepts from Cryptonote^[Sab13] and Compact Confidential Transactions^[Luk15]. Security remains relatively simple math and conditional on the hardness of ECDLP and the cryptographic hash in the Random Oracle model— avoiding Zerocash’s^[SCG14] complex math, complex new cryptographic assumptions, inability to unwind orphaned transaction branches independently (because it conceals everything), and trusting trust setup process^[Wil15].

¹ Conditional security relies on unproven computational hardness assumptions— e.g. compared to computing each possible value, the cost of “factoring” the elliptic curve discrete logarithm problem (ECDLP)^[CPS11] is conjectured to increase exponentially with the bit width^[Cor15]. Even unconditional security’s reliance on proven assumptions of prohibitive cost is not equivalent to information-theoretic security— the inability to break security even with unlimited computing power, due to unavailable information.

I also excerpt the section names below, without revealing all the text and math which embodies the epiphany of the invention.

1   Anonymous transactions

1.1   Anonymous transaction properties

1.2   Non-autonomous strategies

1.3   Computer security

2   Hiding transaction values

Concealing the transferred values provides fungibility against discrimination by value and conceals private business data. Also the transaction values may be unequal in transactions that mix inputs and outputs from unrelated parties for the purpose of achieving an anonymity set. Zerocash^[SCG14] conceals transaction values but has the tradeoffs enumerated in the Abstract. Mixing technologies such as Zerocoin^[MGG13], Cryptonote^[Sab13], CoinJoin^[Max13], and CoinShuffle^[RMK14], all suffer from the requirement of equal input values. This places a simultaneity requirement on retaining system wide consistent denominations available in each wallet at all times, so that any transaction can be performed spontaneously without the latency to split values before mixing.

For example, the wallets for the Cryptonote clone Monero, typically maintain all balances in powers-of-ten denominations, which bloats the block chain and peer network. In theory, unlinkability is potentially lost in a cascade of correlations when numerous instances of transaction change are merged in a subsequent transaction that doesn’t employ an anonymity set because of the requirement for equal values. Although Cryptonote provides implicit value privacy as a side-effect of the untraceability of the payer and unlinkability of the payee, the transparent value data increases the entropy footprint for attackers to target with potentially sophisticated combinatorial and timing analysis algorithms. Concealing value data reduces the information available for analysis.

In a decentralized transaction confirmation scheme we will propose in a separate research paper, the requirement for equal values for transaction inputs would greatly complicate if not make impractical the requirement for mandatory mixing between transactions that is required to provably eliminate a combinatorial unmasking attack^[MNM15] against Cryptonote.

2.1   Committed value

Compact Confidential Transactions (CCT)^[Luk15] introduced the committed value, which is the concealed value x made more fuzzy with sufficient random bits and multiplied by the elliptic curve cryptography (ECC) base point G:

committedValue = V = x ⋅ G

A brute force attack must enumerate every possible x to find a match to the public committedValue and G. Given 64-bit values, a brute force attack must enumerate at most 2⁶⁴−1 values. Berstein estimated in 2006^[Ber06] that rho attacks^[Cor15] might be feasible against 160-bit ECC. The entropy of Bitcoin values typically use only a small portion of the 64-bit range.

Thus in a fuzzed x some random least significant bits are prepended to the concealed value to add more entropy to the committedValue. These fuzzbits are blinding sub-satoshis.

2.2   Homomorphic proof of sum

2.3   NIZKP of no overflow and positive value

A sum of concealed output values that exceeds the group order ℓ of the base point G would wrap around to G thus potentially satisfying the proof of sum for a sum of outputs that exceeds the sum of the inputs.

A negative concealed output value paid to the payer that would never be spent to a third party could satisfy the proof of sum combined with another concealed output value that exceeds the sum of the inputs.

In non-interactive zero knowledge it is proven (a.k.a. NIZKP) that each concealed output value 'x' is known, positive, and smaller than group order ℓ divided by the number of outputs. Zero knowledge means x is not revealed in the proof.

Our proof replaces CCT’s proof-of-square with a more efficient method so that a computationally expensive, unvetted 768-bit ECC is not required.

[The remainder of this section is omitted since it contains the invention described in the prior sentence that even Gmaxell and others from Blockstream did not solve.]

2.4   Parameter choices

3   Hiding payer and payee

3.1   Analysis of autonomous one-time ring signatures

3.2   Hiding payer, payee, and value

References

^[Luk15]   Denis Lukianov, Compact Confidential Transactions for Bitcoin, July 3 revision.

Please read the prior discussion about the above anonymity feature, including my recent peer review that identified/revealed the flaw in an attempt to create the same invention by someone who may be affiliated with Monero.

I have estimated that the work done would cost $112,000 at my highest-level of opportunity cost achieved in my career:

I had roughly 200 man hours (2+ weeks @ 14 hour days) in development time for that crypto breakthrough on anonymity, including the research, invention, and writing the white paper. I was able to work very intensely in some spurts during June & July and my gf can attest to that. It was August & September due to some egregious errors on diet and fasting that sent me into a tailspin on health (will be explaining this theory shortly).

My inflation-adjusted income earning capacity was $563 per hour. Thus fair value for that work just based on the hourly compensation is $112,600. I had to risk doing my work before compensation from the market for CoolPage. Ditto for this anonymity invention. So the risk weighted hourly rate is justified. If you get offered $100-$300 per hour for guaranteed compensation that is a different category. The very high rate is to compensate for the risk of not being ever compensated.

So now you can see why very highly paid developers do not work on crypto. They have the potential to earn much more money outside of crypto and crypto is too small to afford the best developers.

But there is no way I would set a crowdfunded donations threshold that high, because I doubt it could be reached (because it isn't a comparative equity offering) and even though it might be my opportunity cost from 2001 when I was at the top of my career, it isn't my recent opportunity cost. I am in strange situation because on the one hand if I finish a project like Ion, I could potentially earn more per hour (inflation-adjusted) than I did in 2001 but the risk of not completing such a project or the project not being successful for what ever reason is significant (how many altcoins have succeed versus how many have died even if considering what talent I bring to bear).

AltcoinUK, I am not going to set a threshold as high as $112,000 for the donation bounty on that one anonymity invention, even though I think it is a very significant feature. I am just stating what my earning opportunity cost had been inflation-adjusted from 2001. So hopefully the market will understand I am not going to give that feature away for $10,000.

Above I am referring to the work I already did, not any additional work to implement the anonymity design in a coin.

I am not against being paid to help implement this anonymity design, but I think it should be a separate funding because for one reason we don't know yet which coin wants to implement this anonymity design. As I said I will let the community decide if the crowdfunded donations will be for releasing the above design publicly or privately to one coin (such as Monero) for them to get a jumpstart on implementation before they announce and release publicly. I believe the best for the community is have the white paper released publicly so not only can it be peer reviewed by any one (not just a chosen few) and so that coins can compete to implement it first so we get this feature implemented asap. If there is another coin that wants to try to raise donations and have this design be exclusively for this coin, then make a serious post in this thread how you plan to achieve that.

So I propose to set a  minimum crowdfunding, donation threshold of $21,000 to release my white paper publicly. The terms I propose is that if the threshold is not reached (and I don't opt to accept the lower threshold reached) or if the white paper is broken such that it can't do what is claimed in the above excerpted Abstract and I can't fix it, then the donations are returned.

I'd really like to receive about $75,000 total for the work already done plus assisting on implementation. If I am not mistaken, the guy who was selected to optimize Monero's mining algorithm pocketed an alleged $150,000 worth of coins before releasing the optimization generally. I would be quite pleased (and motivated to work in crypto on the donations funding model) if the total donations for the work already done would exceed the threshold and reach roughly $35,000. Yet I propose to set the minimum threshold to $21,000 and we can see if donations exceed it. I am not even sure if we can reach the $21,000 level for this work I did?

Note the extra $1000 over $20,000 is to cover the 4 BTC we donated to Denis Lukianov after I completed my invention.

There appear to be different ways to collect the donations for a crowdfunded campaign. Kickstarter takes only fiat and about 8% fees total, but you get exposure to a wider audience of donators. Monero has some methodology for funding improvements but the entire process isn't described in full detail and do we want to make this exclusively for Monero? I didn't find any good crypto crowdfunding platforms. Mike Hearn's Lighthouse has some severe restrictions such as only 684 donators max and the exact donation amount has to be reached (can't be lower or higher). And Swarm seems to be socialist.

Thus the alternative to Kickstarter appears to be having all donations go to a Bitcoin address controlled by a trusted escrow person (or persons with multi-sig). The escrow would enforce the terms I have proposed. I would nominate smooth but I have not checked with him if he is willing to do this. I would propose to offer him 1% fee for his time and effort, unless he decides to implement this in Aeon in which case he should donate his fee to the implementer or to Denis Lukianov the author of the CCT white paper from which I gained much inspiration (and some discussion) to make this invention (but the invention came only from me). He could counter-propose if he is interested and thinks my proposed terms are not suitable. I would also like to hear from the community who they would nominate to do the escrow, and your general thoughts on how best to proceed.

I also hope that any coin that successfully implements this new anonymity invention, also makes some token donation to Denis Lukianov. My angel investors already donated 4 BTC to him thus far. We would probably donate more to him if ever Ion was successfully launched with this anonymity feature.

We could perhaps have both Kickstarter and Bitcoin escrow and sum the two to reach the threshold, but I don't know how we can integrate that with Kickstarter's policies so probably this is not possible.

We could perhaps have two donation addresses, one for those who want public release and another for those who want private release to Monero's chosen few reviewers. You could donate even to both and receive a refund for the losing option.

Note I also invented an improvement to the CCT algorithm (CCT is an alternative to Blockstream's CT) as noted in the excerpted quote from the white paper, but in the unlikely event this improvement is incorrect, my anonymity invention can still be used with the original CCT algorithm, so it would still satisfy the claims of the Abstract. It appears that my anonymity invention can also be alternatively integrated with Blockstream's CT instead of CCT, but that is not required to meet the claims of the Abstract.

[1714528447]

1714528447

[1714528447]

1714528447

[rangedriver]

What about if I cured your illness? Would you be willing to release your whitepaper for free?

[TPTB_need_war]

What about if I cured your illness? Would you be willing to release your whitepaper for free?

Comrade, may I ask why you propose for me to not receive donations and thus not pay you for helping to cure me?

Do you think it helps incentivize crypto development if the crypto market is unable to pay for fair value?

[smooth]

What about if I cured your illness? Would you be willing to release your whitepaper for free?

Comrade, may I ask why you propose for me to not receive donations and thus not pay you for helping to cure me?

Do you think it helps incentivize crypto development if the crypto market is unable to pay for fair value?

Who is to say that "fair value" isn't a trade of a cure for a whitepaper?

Nothing wrong with that if both parties are happy with the deal.

[rangedriver]

What about if I cured your illness? Would you be willing to release your whitepaper for free?

Comrade, may I ask why you propose for me to not receive donations and thus not pay you for helping to cure me?

Do you think it helps incentivize crypto development if the crypto market is unable to pay for fair value?

I haven't voted yet.

I have a marginal interest in the whitepaper, but to tell the truth I'm kinda more fascinated by your illness.

[TPTB_need_war]

What about if I cured your illness? Would you be willing to release your whitepaper for free?

Comrade, may I ask why you propose for me to not receive donations and thus not pay you for helping to cure me?

Do you think it helps incentivize crypto development if the crypto market is unable to pay for fair value?

Who is to say that "fair value" isn't a trade of a cure for a whitepaper?

Nothing wrong with that if both parties are happy with the deal.

First of all, it isn't fungible so it doesn't as an example of market-based compensation to incentivize other developers who are not ill. Kickstarter has a large economy-of-scale, because it is fungible (for both donators and creators). Remember one of your greatest arguments for the benefit of Monero's anonymity has been fungibility (against blacklisting, whitelisting, redlisting, etc) is a requirement for money.

Secondly, he could rather assign the value of his donation and we could agree on the value and I could continue to receive donations from others since not only did state I had numerous goals not just funding the potential diagnosis of my illness but also there is no non-Communist reason to limit the market expression of fair value. In short, he attempted to monopolize the market function and apply Communism. He tried to determine that everyone else should get it for free and unable to donate. His proposal bound everyone else, not just himself and myself.

I am for free markets. How about your smooth? You for Communism or free markets?

I have a marginal interest in the whitepaper, but to tell the truth I'm kinda more fascinated by your illness.

Thank you. I will have a post about new insight into my illness later. I'll probably link to it from here and/or the Ion project thread.



Edit: I had always felt donations was sort of Communistic, but at least only those who had a vested interested would donate, so I am not surprised that the votes are reflecting a private advantage for Monero to implement it first. I always felt "first mover" advantage is the only way to really extract the true value from the work in crypto.

[smooth]

What about if I cured your illness? Would you be willing to release your whitepaper for free?

Comrade, may I ask why you propose for me to not receive donations and thus not pay you for helping to cure me?

Do you think it helps incentivize crypto development if the crypto market is unable to pay for fair value?

Who is to say that "fair value" isn't a trade of a cure for a whitepaper?

Nothing wrong with that if both parties are happy with the deal.

First of all, it isn't fungible so it doesn't as an example of market-based compensation to incentivize other developers who are not ill. Kickstarter has a large economy-of-scale, because it is fungible (for both donators and creators). Remember one of your greatest arguments for the benefit of Monero's anonymity has been fungibility (against blacklisting, whitelisting, redlisting, etc) is a requirement for money.

Secondly, he could rather assign the value of his donation and we could agree on the value and I could continue to receive donations from others since not only did state I had numerous goals not just funding the potential diagnosis of my illness but also there is no non-Communist reason to limit the market expression of fair value. In short, he attempted to monopolize the market function and apply Communism. He tried to determine that everyone else should get it for free and unable to donate. His proposal bound everyone else, not just himself and myself.

I am for free markets. How about your smooth? You for Communism or free markets?

If you two agree, that's a free market. If one of you does not, then the deal doesn't happen (still a free market). There was nothing wrong with him offering it.

[rangedriver]

In short, he attempted to monopolize the market function and apply Communism. He tried to determine that everyone else should get it for free and unable to donate.

That's not really what I was advocating. I was talking about a private deal. Your health, in return for the whitepaper.

[TPTB_need_war]

In short, he attempted to monopolize the market function and apply Communism. He tried to determine that everyone else should get it for free and unable to donate.

That's not really what I was advocating. I was talking about a private deal. Your health, in return for the whitepaper.

Your use of the term "release" make this seem more unbelievable as that term is synonymous with public release in every normal use of English I have seen in this context. But okay thanks for the "clarification".

[TPTB_need_war]

If you two agree, that's a free market. If one of you does not, then the deal doesn't happen (still a free market). There was nothing wrong with him offering it.

It is not a free market to use political gimicks to try to make someone look like they are not sincere about wanting to cure their illness as a way to cut off the market function that the sincere person is trying to propose. It was basically saying to me "accept communism or show everyone you aren't really sick".

And you are also playing politics I think. Sad.

I am just trying to get something fair done here. Why is it always like pulling teeth to get anything done in crypto without underhanded attacks?

[smooth]

If you two agree, that's a free market. If one of you does not, then the deal doesn't happen (still a free market). There was nothing wrong with him offering it.

It is not a free market to use political gimicks to try to make someone look like they are not sincere about wanting to cure their illness as a way to cut off the market function that the sincere person is trying to propose. It was basically saying to me "accept communism or show everyone you aren't really sick".

And you are also playing politics I think. Sad.

I am just trying to get something fair done here. Why is it always like pulling teeth to get anything done in crypto without underhanded attacks?

I have no idea what's a gimmick. Maybe you are right. I'm certainly making no attack.

From what I see, someone has something he thinks you might want, and you seem to have something he might want. So there is the potential for a trade.

I fail to see how that wouldn't be more efficient, assuming there is room for a trade there, than a complicated and potentially expensive ordeal involving Kickstarter (who almost certainly takes fees, right?), escrows, etc.

But if it was indeed a gimmick then please disregard.

[illodin]

If there is another coin that wants to try to raise donations and have this design be exclusively for this coin, then make a serious post in this thread how you plan to achieve that.

Are there any specific requirements for a coin's protocol / blockchain etc in order for the feature to be feasibly implemented? Does it need to be a Cryptonote coin, or could it be implemented on DASH (former Darkcoin) for example?

[r0ach]

I've talked to Smooth a lot about anonymity telling him it's not useful unless you can fix scaling first.  If you only have enough TPS for a clearing mechanism between banks, on-chain anonymity doesn't do anything when most transactions will be done off-chain anyway.  Since you seem to have the exact same viewpoint, how exactly would this design even help Monero?  Does it at least reduce overhead to Bitcoin level?

My opinion is that collateral bid systems using PoS where the top 100/500/1000 wallet addresses that choose to lock stake and act as deterministic nodes is the easiest way to solve scalability at the moment.  Larimer thinks you can have anonymity in such a system already:

Confidential Transfers hide the amounts being transfered while still allowing those who validate the blockchain to verify that the balances transfered sum to 0 and are not negative. Stealth transfers are used to automatically generate a unique key for every transfer. The combination of these two features means that it becomes pratically impossible for a 3rd party to identify how much you have sent or received or who is sending money to whom.

Without achieving the scaling part first, won't this purchase be kind of useless when it will inevitably be overun by some kind of second tier anonymity system latched on top of a deterministic PoS network?

[TPTB_need_war]

If you two agree, that's a free market. If one of you does not, then the deal doesn't happen (still a free market). There was nothing wrong with him offering it.

It is not a free market to use political gimicks to try to make someone look like they are not sincere about wanting to cure their illness as a way to cut off the market function that the sincere person is trying to propose. It was basically saying to me "accept communism or show everyone you aren't really sick".

And you are also playing politics I think. Sad.

I am just trying to get something fair done here. Why is it always like pulling teeth to get anything done in crypto without underhanded attacks?

I have no idea what's a gimmick. Maybe you are right. I'm certainly making no attack.

From what I see, someone has something he thinks you might want, and you seem to have something he might want. So there is the potential for a trade.

I fail to see how that wouldn't be more efficient, assuming there is room for a trade there, than a complicated and potentially expensive ordeal involving Kickstarter (who almost certainly takes fees, right?), escrows, etc.

But if it was indeed a gimmick then please disregard.

Well the first mode of action I think would be to ask me if he and I could determine the value of what he can offer on my health. I do plan to give him a link to my recent findings. Most certainly I am willing to transfer resources from myself for a cure to my health. It is possible I may have found the vital information, but you know I've said that before, so I am being cautious about opinion of my recent discovery.

Okay I am sorry if you didn't see any potential gimmick and hadn't said yet that I was suspecting one. It could potentially just be a misunderstanding and his quick and not so careful way of phrasing his offer.

[rangedriver]

It is not a free market to use political gimicks to try to make someone look like they are not sincere about wanting to cure their illness as a way to cut off the market function that the sincere person is trying to propose. It was basically saying to me "accept communism or show everyone you aren't really sick".

That wasn't my intention at all.

I'm quite certain you are sick, and moreover, I think I know what's wrong with you. That was kinda my point. If you've definitely ruled out Lyme disease and haven't taken any cholesterol lowering medication within the past three years, then I think I can help.

In so far as the whitepaper is concerned, yeah, it has the intrigue of Tarantino's glowing suitcase, naturally. I'd concur that I'd do a trade for that. Of the oft times I've been ill over the past 38 years there have been many occasions I would glady sell my soul for the cure. So that was my perspective.

But I don't really see what difference it makes what I do with the whitepaper once traded. Whether I give it away on street corners, or keep it to myself.... who cares?

But like I said, I genuinely am more intrigued about the variables of your illness. I only have a marginal interest in the paper.

To be honest: If it was down to me I would simply join forces with smooth and adapt your technology for use with Aeon. Given current low prices you could get significant returns from your tech without giving away development control. To me that's a sensible solution which I think you'd be happy with.

Fuck it, if you did that I'd help you with your illness for free.

[Fuserleer]

I've talked to Smooth a lot about anonymity telling him it's not useful unless you can fix scaling first.  If you only have enough TPS for a clearing mechanism between banks, on-chain anonymity doesn't do anything when most transactions will be done off-chain anyway.  Since you seem to have the exact same viewpoint, how exactly would this design even help Monero?  Does it at least reduce overhead to Bitcoin level?

My opinion is that collateral bid systems using PoS where the top 100/500/1000 wallet addresses that choose to lock stake and act as deterministic nodes is the easiest way to solve scalability at the moment.  Larimer thinks you can have anonymity in such a system already:

Confidential Transfers hide the amounts being transfered while still allowing those who validate the blockchain to verify that the balances transfered sum to 0 and are not negative. Stealth transfers are used to automatically generate a unique key for every transfer. The combination of these two features means that it becomes pratically impossible for a 3rd party to identify how much you have sent or received or who is sending money to whom.

Without achieving the scaling part first, won't this purchase be kind of useless when it will inevitably be overun by some kind of second tier anonymity system latched on top of a deterministic PoS network?

For once I agree with you, if most transactions take place off chain/ledger/whatever then the majority of transactions are "anonymous" as they are not publicly recorded.

Its kind of a catch-22 though I feel, as high anon + scaling to high load is very difficult and I don't think concealing the value of a transaction is going to play nice with scalability.  

I'm betting on decoupling the sender from the receiver being the best workable solution to achieving high anon + high scalability, where the sender is unable to discover where exactly the payment ended up in the ledger nor discover any information about the receivers account (balance, historic transactions).

TPTB no disrespect to the work you are doing, its important nonetheless, just my thoughts.  Its good to see at least something tangible coming out from your end finally

I have a query though, in your abstract "...and the payer isn’t revealed to the payee"  Shouldn't the payee know who the payer is?  What if someone sends me a payment without me expecting it, how do I know who its from?  I don't see any real purpose for not revealing the payer to the payee :|

[TPTB_need_war]

If there is another coin that wants to try to raise donations and have this design be exclusively for this coin, then make a serious post in this thread how you plan to achieve that.

Are there any specific requirements for a coin's protocol / blockchain etc in order for the feature to be feasibly implemented? Does it need to be a Cryptonote coin, or could it be implemented on DASH (former Darkcoin) for example?

Afaics, the only requirement is to be able to refer to UXTO for the inputs to the rings, so a balances only design wouldn't work.

A huge advantage over Cryptonote rings, is you don't have to use equal denominations, thus you radically simplify wallets and reduce block chain bloat significantly. So this makes it much easier to integrate than Cryptonote because you don't have that complex simultaneity requirement on powers-of-ten UXTO.

I haven't studied Dash/DRK, but I assume it has a UXTO (unspent transactions outputs).

It might not even need to be a hard fork, depending on the block chain format's flexibility, but unlikely.

Hey if Dash wants to pay me more, then I will go to the highest bidder. That is the nature of a free market. I haven't earned an income for many years. I really need it. Even my 2003 model year SUV is starting to fall apart.


Edit: I am giving up one of my jewels because I am really in a bad financial situation. Not only health, but I have negative networth right now. I am living off cash my angel investors gave me. I want to create some buffer of savings if possible.

[TPTB_need_war]

I have a query though, in your abstract "...and the payer isn’t revealed to the payee"  Shouldn't the payee know who the payer is?  What if someone sends me a payment without me expecting it, how do I know who its from?  I don't see any real purpose for not revealing the payer to the payee :|

This is also the case for Cryptonote. No one but the payer knows which of the public addresses in the ring challenge was the signer of the transaction.

In theory one can add the feature that the payer can optionally feed his address through the non-interactive Diffie-Hellman exchange of private data in the unlinkability step of Cryptonote:

https://cryptonote.org/whitepaper.pdf#page=6

[othe]

Please read the prior discussion about the above anonymity feature, including my recent peer review that identified/revealed the flaw in an attempt to create the same invention by someone who may be affiliated with Monero.

First of all you revealed no flaw, as the linkability has been addressed in v0.3 in the so called WORK IN PROGRESS. As noted here: https://www.reddit.com/r/Monero/comments/3oi16k/ring_ct_for_monero_a_work_in_progress_comments/cw27qla

Second of all; this stuff has been discussed by gmaxwell, andytoshi and shen + others in june/july on #bitcoin-wizards and other channels and there are logs of it all over the place; so much for your "invention".

I'd really like to receive about $75,000 total for the work already done plus assisting on implementation. If I am not mistaken, the guy who was selected to optimize Monero's mining algorithm pocketed an alleged $150,000 worth of coins before releasing the optimization generally.

Only in your head bro, DGA just commented the cryptostuff later, NoodleDoodle did the optimizations in the daemon.

[smooth]

Larimer thinks you can have anonymity in such a system already:

Confidential Transfers hide the amounts being transfered while still allowing those who validate the blockchain to verify that the balances transfered sum to 0 and are not negative. Stealth transfers are used to automatically generate a unique key for every transfer. The combination of these two features means that it becomes pratically impossible for a 3rd party to identify how much you have sent or received or who is sending money to whom.

Maybe, but attacks on anonymity can be quite subtle, with various combinatorial, timing, and sybil type attacks, so I wouldn't be so confident. If you look at unlinkability, untraceability, and amount hiding as three prongs of resistance to blockchain analysis, then he's entirely missing one prong, which makes his argument quite weak. Blockstream has stated likewise about CT not hiding what they call transaction metadata, only content. Stealth is a nice convenience feature, but largely similar to just having good address reuse practices in Bitcoin (which can also be achieved via payment protocols and HD address chains). To do this well, you really need another piece, at least some sort of good coinjoin/coinshuffle type solution, and that is really hard to do well (potentially impossible) given sybil and timing attacks. At least Dash tries, but Larimer dismisses the problem too easily.

So I'd characterize Larimer's argument as largely wishful thinking and/or hype (i.e. this is what I have therefore this is what is needed, the marketers variation of the arguing from the conclusion fallacy).

But that's an entirely different argument from whether strong privacy/anonymity/fungibility (it is very hard to separate any of these from the others) is more important than scalability (or vice versa). I suppose you could also make that argument that without all of these things you don't really have a very strong solution overall and again are engaging in wishful thinking (which was in many ways the premise of TPTB's original Ion "Bitcoin killer" concept, before he neutered it).