Zero Knowledge Transactions

[smooth]

My advice to you is to perhaps try less to narrow your views by thinking about block chains. I encourage you to think more about trees.

By placing that comment in this thread about anonymity, that exhibits to me you don't have a very good grasp of the technologies of crypto since block chain consensus algorithms are orthogonal to anonymity algorithms.

Trees and DAGs are not a solution for block chain consensus (and they have nothing to do with anonymity). They fork uncontrollably. This will all be explained. Just let Iota, Railblocks, etc. go forth, then at the appropriate time it will be explained they are technically flawed. We can't escape from proof-of-work (PoW) and maintain decentralized consensus. Period. Proof-of-stake is discussed else where and I don't to repeat what I have already written in my archives (someday I will summarize it all in a paper).

Then of course there is no reason for me to elaborate. You seem to have cured cancer here as well and think you have it all under control.

If i'm to be honest though. I don't think you have even brushed the surface of zk-snarks and its ability to do away with the blockchain. I don't think you understand how it even functions or can potentially function. I'm sure one day we can chat, when your head is not so far up your ass that all you can see is what you are digesting.

Please explain the relationship between zk-snarks and trees.

[1453335555]

1453335555

[1453335555]

1453335555

[1453335555]

1453335555

[1453335555]

1453335555

[1453335555]

1453335555

[1453335555]

1453335555

[TPTB_need_war]

I have continued this off-topic discussion about block chain consensus in a more appropriate thread. This thread has nothing to do with block chain consensus. LongAndShort, please when starting a new line of discussion, find an appropriate thread to introduce your thread jack.

Please explain the relationship between zk-snarks and trees.

If it pertains to block chain consensus, please in another thread. I have an idea what he is referring to. His SNARKy attitude will be dealt with in a humbling manner.

[TPTB_need_war]

He is making 100% offtopic accusations that are based on exactly nothing to back them up, nothing even slightly relevant.

He is also one of the most qualified people on this forum to review anonymity solutions, having written his own white paper on the subject, so even a cursory glance is valuable.

evidence: https://bitcointalk.org/index.php?topic=1284083.msg13211623#msg13211623

Let's hear why this solution is different to Dash's and then we'll take it from there.

Clarification. I didn't release the white paper. But since it is no longer of proprietary value to hide it since I am no longer going to implement Zero Knowledge Transactions, then I will endeavor to clean up the white paper and release it sometime this year. Hopefully I can find time within the next couple of months.

ZKT combines Cryptonote with Mixles' Compact Confidential Transactions. Shen-noether accomplished a similar design but combining with Blockstream's Confidential Transactions.

So these are End-to-End Principled anonymity that hide both sender and value. No simultaneity crap like Dash and this new crap from the infamous plagiarist John Conner.

The reason I am not implementing it because it requires obscuring your IP address and all other metadata, which is impractical. Apparently Monero is implementing it (at least they are toying with implementing it) and so no need for me to duplicate their effort.

Only Zerocash can give us reliable anonymity that is immune to metadata. So for now I put anonymity on the back burner and we will come back to Zerocash if we first solve the SUSTAINABLE, DECENTRALIZED, PERMISSIONLESS block chain issue, since that is more important. No design yet can truly claim those properties.

As for resource issues, reliable anonymity will not be cheap. Thus it probably can't be for every transaction. It will probably need to be an optional set of coins. In Zerocash they name the anonymous set of coins 'zerocoins' (not to be confused with Zerocoin).

My main grip with John Conner is he doesn't put all the technical details in a white paper, because he is apparently wants to avoid peer review. Smooth doesn't have time to reverse engineer his half-assed white papers either. So we can't entirely explain the flaws without wasting a lot of our valuable time. But I can already tell you this chainblender is flawed at least in that it has a simultaneity requirement which thus violates the End-to-End Principle. Looks like there are other flaws similar to the masternode concept of mixing (which Evan of Dash has apparently finally admitted).

[TPTB_need_war]

Both are fundamentally broken.

https://bitcointalk.org/index.php?topic=1323408.msg13518156#msg13518156 (Ethereum)
https://bitcointalk.org/index.php?topic=1319681.msg13569087#msg13569087 (Block chain scaling Tragedy of the Commons applies to Monero also)
https://bitcointalk.org/index.php?topic=1319681.msg13569178#msg13569178 (Monero's anonymity is unreliable/unprovable and thus useless for fungibility or other important use cases)

"Broken" and "Success" are relative terms.  Both are broken less than bitcoin and bring attributes to the table that fiat does not.  

If you have any suggestions that are less broken ... I'm all ears.

An absolutist uses words like broken.  A realist uses terms like "best alternative".  Opening myself up to all available options those are the two answering the big questions.  Privacy, programmable blockchain and both more scalable than bitcoin.

What alternatives are less broken than these two I mentioned?

Don't you understand that "fundamentally broken" means they don't work for the features they claim that are an improvement over Bitcoin.

The link I provided to you for Ethereum explains that afaik they never solved the primary economic issue facing scaling programmable block chains, which is that every full node has to verify the block chain, thus every full node has to run the programmable script. But the problem is who to pay the gas (ether) to so that all full nodes are paid for verification? This has DDoS implications as well. In short, they never solved the core economic problem and thus Ethereum is just a fucking toy that can't actually work.

Ditto Monero as explained below (the arguments were in the links I provided to you before but again I am always forced to repeat myself because readers are so clueless about technology that they can't even understand what I write).

I think Monero is the best money to stay anonymous. It uses the ring signature. The mixing is built into the protocol.

You are a n00b and you don't do enough research to know what you are writing about. Why should anyone believe you?

Monero is not anonymous when your metadata can be correlated. One example of metadata which unmasks your anonymity is your IP address. And no, Tor and I2P mixnets do not hide your IP address from the government, in fact they are thought to be Sybil attacked honeypots that not only tell the government your IP address but also alert the NSA et al that you should come under extra scrutiny.

And IP address is not the only metadata that can destroy your anonymity in ring signatures. Other examples can include cookies in your browser and other activity you did on the web. Other examples also include telephone calls and other activity you did around that time, which have statistical significance.

I wrote about that in the link in the post I made upthread which is quoted below.

None of them will surely keep you anonymous.

Zerocash is the only design which might be very reliable, but it does not exist in any altcoin yet.

Period.

Some elaboration is at the following post (and also in the archives of my posts):

https://bitcointalk.org/index.php?topic=1319681.msg13569178#msg13569178

Ring signatures do not obscure everything. Only Zerocash can obscure everything so that then metadata is no longer a problem. I see Vitalik @ Ethereum has been reading my Bitcointalk posts, because now he has written a blog post to copy most of the points I have been making for the past months.

Additionally I have been making the point since the BCX incident that ring signatures can theoretically be unmasked by combinatorial analysis of the block chain. In the recent debate I had with Monero's cryptographer Shen-noether at Reddit about his white papers, I pointed out that his proposed solution to combinatorial unmasking was flawed. He and smooth did the usual ad hominem attack on my person, and then I rebutted them with logical facts and they were forced to finally put their tail between their legs.

Bullshit. So much bullshit in these discussions of cryptocurrency technology. Especially coming from all the Monero pumpers who haven't done their homework, because they are retarded, closed-minded, and boastfully so.

TPTB_need_war, what about ShadowCash?

Just a (arguably plagiarized) copy of Cryptonote technology, so same conclusions as for Monero.

https://z.cash/ is the only potential solution for making metadata correlation irrelevant, but all I know about it is here:

http://zerocash-project.org/

Seems the project died or stalled? Afaik they've been quiet past months or most of 2015?

Also scaling issues will probably still apply thus it is possible that Zerocash doesn't scale to world wide use, or other problems such as DDoS. I won't know until I dig deeper into it. Perhaps they discovered such issues and stopped working on it.

Anonymity is very difficult to achieve. I would guess maybe impossible once all the technical factors are considered. But I am still willing to try. I personally will come back to Zerocash's technology later, after I finish fixing block chain scaling and decentralization (which is more important priority and more realistic).

[LongAndShort]

@TPTB_need_war who are you anyway? What have you created, let alone developed that works!?

Please take some sound advice. Lower your Bitcointalk lurking frequency, reduce your expectations on people who really don't believe you are capable of anything other then chasing your tail in circles.

Turn your screen off, go outside, get some gas and food for your family. Most importantly, go spend some time with them. This will never pay your bills, and at the rate you are going. I dare say you will be in a home before to long. Unable to wipe your own backside. Because until you can at least take responcibility for your duties in life, you will never make it at this table! So why bother.

[TPTB_need_war]

Not chess related but besides anonymity I think it is worth reminding people of another technical reason that makes CryptoNote coins much different than bitcoin.

CryptoNote uses the Schnorr signatures algorithm instead of Elliptic Curve Digital Signature Algorithm used by bitcoin

I think an elliptic curve discussion would be on topic if we have enough volunteers both willing and competent enough to discuss it.

https://en.wikipedia.org/wiki/Elliptic_curve_cryptography
https://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorithm
https://en.bitcoin.it/wiki/Secp256k1
https://en.wikipedia.org/wiki/Schnorr_signature
https://en.wikipedia.org/wiki/Curve25519

This site offers some interesting comparisons although some of the conclusions (such as those on Secp256k1) may be controversial:
http://safecurves.cr.yp.to/

This should make bitcoin users feel better:

I believe that the ECC/NSA thread you referenced did eventually nail down every parameter used to create secp256k1 and answers most if not all concerns.

Yes, There is a python script that produces every parameter for secp256k1 from first principles, except the generator— and both myself and D. J. Bernstein have given the proof that in-advance choice of the generator is harmless outside of restricted conditions that aren't relevant to normal Bitcoin usage.

I have been asked in a PM if I would like to comment on this. I am not an expert and have no formal training in algebraic abstract math. Everything I know about this particular field (and cryptography in general) is self-taught mostly in 2014 and 2015. And I have big gaps in my understanding which can only be resolved by teaching myself the higher math courses I didn't take at the university and I don't have time for attaining that base knowledge. Nevertheless I can comment conceptually and understand enough to have for example combined Cryptonote with Compact Confidential Transactions to form what I named Zero Knowledge Transactions. And I understand enough to have digested Shen-noether's Ring Confidential white paper over a period of a day or few days. And I was able to analyze the differences and similarities and ramifications of the high level differences in our approach. So with that in mind, I will comment on the above quoted issue.

Afaik, the main difference between the Secp256k1 type of ECC that Bitcoin uses and the Ed25519 Berstein version of the twisted Edwards curve that Cryptonote uses, is that Ed25519 has no branching in the code and thus has no timing attacks (although one might reason that timing attacks might be less useful in crypto currency, I am not sure if that is true in all scenarios). And (perhaps more importantly) Ed25519 does not require a new random number on each subsequent signature, thus is deemed to less vulnerable to a faulty random number generator (or injection of virus thereof in the operating system). Also Ed25519 is moderately faster and has a prime order which is deemed to more secure (I don't remember if Secp256k1 has a prime order or not).

http://ed25519.cr.yp.to/

So Secp256k1 is probably secure but Ed25519 is more secure.

Please feel free to quote me and claim it as an advantage for Cryptonote coins, but please acknowledge that I have also criticized Cryptonote for not solving the fundamental block chain Tragedy of the Commons economic issues and my opinion that metadata correlation makes their anonymity impractical for any (or most?) mainstream uses.

[TPTB_need_war]

zcash alpha has been launched

https://github.com/Electric-Coin-Company/zcash

http://www.wired.com/2016/01/zcash-an-untraceable-bitcoin-alternative-launches-in-alpha/

Okay so this is not http://z.cash (which is the inferior zerocoin) and apparently is the real Zerocash! Wow. I am happy to see this in open source. Real progress at last. Maybe this is the reason for the dump of Monero?

I am happy to see this because I want to use something like this and also because I do not expect them to get the details correct on mining (no one has yet!). So there will be an opportunity to integrate this open source into a better block chain.

Major opportunities right now in crypto. Pick who you want to work with and pick carefully. I am looking for a few good men.

Okay so this is not http://z.cash (which is the inferior zerocoin) and apparently is the real Zerocash!

They are the same

The Zerocash protocol is being developed into a full-fledged digital currency, Zcash.

I don't know what happened. Last time I thought I loaded that page, I was looking at two young developers one of which was Asian. I need to sort out my confusion. I am very perplexed as to what I accidentally loaded last time.

This is what I had seen before and I have no idea why the wires in my brain crossed and throught it was z.cash I had recently view before (perhaps I am just overloaded with so many technical issues in my mind at the moment and I just woke up). Apologies for the unnecessary noise due to my error.

Zerocoin implementation that is supposed to launch early this year:
http://moneta.cash/technology.html
https://github.com/MonetaOfficial/moneta

I think it is basically a rebranded version of Zerovert, which was a closed-source implementation released last year. One of the creators is one of Matthew Green's former students.

That is Zerocoin, not Zerocash. Zerocoin is a mixer only for sending coins to your self and delinking, thus it is subject to all metadata correlation breakage the same as for Monero (Cryptonote coins and ShadowCash and everything else!).

Only Zerocash hides everything and thus is immune to metadata correlation. Zerocash mints zerocoins (which are not the same as the coins in Zerocoin). Zerocoin was created by some of the same people who created Zerocash, but they are totally different technologies. Zerocash is much more powerful anonymity because all the coins and all the actions (e.g. transfer payment to another) are totally hidden in one big blob.

With that being said, it's still unproven technology, and I think there are some issues with launching the currency in a trustless manner, so for now Monero is probably most bestest.

It is not even clear if Zerocash will work in a real world implementation for scalability and DDoS reasons (and maybe other issues).

But none of that absolves the fact that Monero is fundamentally (mostly) useless for the reasons I stated upthread.

A for-profit coin company, i dont care what they make, iwill never trust them.

Agreed that is the opportunity to beat them by open sourcing their code. But you will also need my block chain technology to make the big win.

moreover RingCT will move Monero closer to Zcash

Sorry no. It is still not immune to meta-data and the theoretical combinatorial analysis. Not reliable. Not realistic.

We need to move forward. It is up to you, I know my thinking and priorities on this matter.

[TPTB_need_war]

A for-profit coin company, i dont care what they make, iwill never trust them.

Agreed that is the opportunity to beat them by open sourcing their code. But you will also need my block chain technology to make the big win.

moreover RingCT will move Monero closer to Zcash

Sorry no. It is still not immune to meta-data and the theoretical combinatorial analysis. Not reliable. Not realistic.

We need to move forward. It is up to you, I know my thinking and priorities on this matter.

A for profit company with closed source code controlling the initial key for a zerocash like currency is a regulatory nightmare.

No closed source. The key would be produced publicly at a ceremony.

Would this metadata and combinatorial analysis hold even if mixin 10 was a default on all tx's?

The meta-data (e.g. IP address, browser cookie, timing analysis and location of connection, what you said in facebook or on the phone, etc) correlation problem isn't likely impacted no matter how many times or inputs you ring mix. It is very difficult for mere mortals to cover their tracks on all the possible meta-data correlations. It is unfathomably difficult. Don't fool yourself into thinking it isn't.

The combinatorial analysis flaw (which I introduced to smooth during the BCX incident and hence followed up in debate with Shen-noether) is very theoretical and may or may not be plausible. In my thinking, it comes more into play if combined with meta-data breakdown of the anonymity systemically. Mixing more may help somewhat, but it can also make it worse because it is the excessive overlapping in mixes that causes the combinatorial unmasking.

In short, it is a clusterfuck (not a clean, clear, provable solution) and that is why I abandoned it.

...
All miners will have to register as money transmitters under FinCEN regulations, same as the issue for Dash masternodes. There has seriously bad implications in their investment strategy. But their code and developers are valuable. The investors can probably recover their money on the initial IPO. They should IPO the damn thing and do it legally and not mess with this "master of the universe" idea above.

I am contemplating contacting them, but I need to think through their economic options. It may be impossible to get them to do the right thing.

But they could definitely benefit from my endorsement in an IPO. A legal IPO! As well, they could benefit from my block chain tech.
...

Miners do not have to register as MSBs. Please read the guidance. https://www.fincen.gov/news_room/rp/rulings/html/FIN-2014-R001.html The jury is very much out on Dash masternodes. How will the investors recover the funds from an IPO? If it is by emission then the IPO company is an MSB in the United States.

My interpretation of FinCEN guidance is miners would have to register as MSBs if they are forced to transfer some of the coinbase to some other party. Just because it is enforced by the protocol, doesn't absolve the miner from (the legal culpability of) creating the block which created new supply and transferred it to a third party.

Disclaimer: IANAL.


I hate when n00bs make me repeat the same shit over and over and over again. Do you think my time is free?

The masterkey has to be produced in a way that no one knows it. The proposals had been to use a public ceremony and a computer examined by everyone attending, to be sure the masterkey is unknown to anyone.

Note if the masterkey is known, that person can create coins out-of-thin-air, but he can't unmask the anonymity. That is a crucial distinction.

This is why I proposed the idea of using Zerocash as a mixer that eventually times out, so that we can be sure the mixer hasn't created any new coins. Everyone going into the mixer takes the risk that they may not be able to come out of the mixer if the attacker has already created coins. Then we could have many of these mixers in a free market, and users would decide which mixers they trust. Again anonymity is never compromised and the run on the bank can only be a loss to participants, not to the entire ecosystem. I am pretty sure this solves the problem and this is why we can take their open source and beat them.

I am loaded with ideas and designs to solve real problems in crypto. Hopefully some smart devs are going to realize they are better off working with me.

I am aware of that. However, for an stand-alone altcoin creating coins out-of-thin-air is just as detrimental as unmasking the anonymity, because both will likely result in the coin dying.

I already proposed a solution in my prior reply to you that is using their technology in ephemeral mixers, which thus avoids systemic risk and reveals which mixers are compromised (which is likely to be quite rare because participants will learn to judge which masterkeys were generated correctly at ceremony).

Free markets always work best as long as systemic risk is avoided.

RingCT has the same problem. I explained in I believe both the chess thread and my Zero Knowledge Transactions thread. This is another reason I abandoned it (in addition to the inability to get reliable anonymity since it doesn't hide meta-data the way Zerocash/Zcash does).

No it doesn't, because coinbase transactions are mixin = 0 in Monero and therefore you can check if the total supply hasn't been tampered with.

Wrong! Wrong! Wrong! Exemplifies that you are a n00b who should STFU.

If there is a flaw in the cryptography for proving the homomorphic sums (and that is new cryptography), then indeed the attacker can create new value out-of-thin-air and not be detected. I am not going to explain the examples and math again. I already did in the past. Go ask Shen-noether.

You should have paid attention the last time I explained this! You always want to use me but then you don't respect me enough to reward me[1] and then you expect me to correct for your inability to study and remember my posts carefully.

I don't think you should bet against them, because Zerocash has anonymity and nothing else does! The community will make sure it is peer reviewed. We must. You had better start figuring out how to transition and pronto.

I don't say I do. eb3f stated on reddit the following: "Monero uses ring signatures, as you may know, which is battle-tested and well-understood in the cryptography world and in practice". Even with community review it will take a long time to get to this state. I also don't agree with bolded here, but I won't go on a back-and-forth discussion with you over that.

Again my point is that you could have the safest snot in the world, but if people can't use snot for anything, then they are going to put their energies into perfecting and peer reviewing what they need.

Seems you all often miss the points entirely. They fly right over your heads.

I do agree that the new cryptography for Zerocash and zk-snarks is more complex than the new cryptography for homomorphic proof-of-sums for RingCT (or my ZKT), but I don't think that helps given the meta-data problem for RingCT/ZKT/Cryptonote (and every anonymity technology other than Zerocash). What is the point of pursuing a direction which is known to be unreliable and fundamentally flawed (in a way that can never be fixed), when we can pursue a direction that fixes the meta-data problem and is a matter of convincing whether the technology is sound with much peer review. Certainly the peer review can be done over time, and probably incentivized if the technology has a popular application.

I'll let others which are more knowledgeable comment on the metadata.

Please don't tell me I will have to waste more of my time defending an obvious point (for anyone who has the slightest technological understanding).

I am frustrated how much fucking time we waste. You all have been convincing yourselves in your little delusions for years of what ever circle jerk bubbles you prefer to be in (which often include ridiculing/dismissing me).

Edit: correction:

[1] I was rewarded by smooth, jl777, and rpietila. Big thanks to them. Very much so. I am just frustrated because I need a viable financial direction and we need to work smart and find a way that we can make these matters work in our favor. And I am trying to find people who value me and find a way to get it done.

...

No closed source. The key would be produced publicly at a ceremony.
...

Using what operating system and firmware?

Of course they will need to convince the public the master key is sound. Or use my idea above of having multiple mixers and timing them out. I believe there is a solution, yet I will agree the current organization of their plans seems legally and structurally flawed.

That is why I say we can transition and beat them. But the technology is real anonymity. If you want real anonymity, you have to find a way to use their technology. Period. (and I have been studying this for a long time)

This does not answer my question which is cut and dry and goes to the heart of the trust issue.

If you apply that line of thinking, then every anonymity is insecure because operating systems and computers are never 100% secure.

I already proposed how to spread the risk out and make it non-systemic.

Note that Monero (Cryptonote one-time rings and every other kind of anonymity technology) also has systemic risk due to combinatorial analysis cascade as more and more users are unmasked with meta-data and overlapping mixes.

...

No closed source. The key would be produced publicly at a ceremony.
...

Using what operating system and firmware?

Of course they will need to convince the public the master key is sound. Or use my idea above of having multiple mixers and timing them out. I believe there is a solution, yet I will agree the current organization of their plans seems legally and structurally flawed.

That is why I say we can transition and beat them. But the technology is real anonymity. If you want real anonymity, you have to find a way to use their technology. Period. (and I have been studying this for a long time)

This does not answer my question which is cut and dry and goes to the heart of the trust issue.

If you apply that line of thinking, then every anonymity is insecure because operating systems and computers are never 100% secure.

I already proposed how to spread the risk out and make it non-systemic.

Note that Monero (Cryptonote one-time rings and every other kind of anonymity technology) also has systemic risk due to combinatorial analysis cascade as more and more users are unmasked with meta-data and overlapping mixes.

Proprietary software solutions have by their very nature a centralized systemic risk that Free Libre Open Source software solutions do not. The type of risks you describe in Monero are trivial compared to the risk of the DRM in the operating system used to generate master key in a centralized proprietary solution such as the one you propose. Furthermore I still do not have an answer to what is a straight forward yes or no question.  

The masterkey is generated once and only the public key is retained. As long as no one saw nor can recover the private key before it was discarded, then there is nothing proprietary remaining in the use of the Zerocash open source. The Zerocash open source code requires a public key to be pasted in. It is the public (ceremony) generation of that key, which determines whether anyone had access to the private key when the public key was created.

DRM has nothing to do with it all. Thus I assume you don't understand the issue.

The only issue is whether the public key can be computed at a public ceremony and the private key was securely discarded. So for example, they could use any computer, encase it in lead before running the computation, and no external connection to the computer other than the screen which reads out the public key.

Then slide the computer into a barrel of acid so that it is permanently destroyed. All done at a public ceremony so there can be no cheating.

Of course one could envision elaborate/exotic means of cheating, such as using radio waves to communicate the private key out to external actor, but again that is why I wrote encase it in lead. There is the issue of how to destroy it while not momentarily removing it from its communication barrier. But I am confident these physics issues can be worked out to a sufficient level of trust.

As for trust, not even the Elliptic Curve Cryptography and other math we use for crypto can be 100% trusted. So if you start arguing silly about 100% trust, then it is safe to ignore as loony.

...
I am imagining that the type of people designing such a technology would do better than generate a masterkey on Windows et al. I'm actually imagining purpose-built, auditable software and maybe even hardware.

Auditable by whom?

It comes down to Free Software vs Proprietary software. The same is true for the hardware. There is a reason why my question is being avoided here.

By the attendees of said masterkey-generation ceremony.

Actually by anyone who uses the currency. The role of the attendees is to verify that all the software has not changed between what was used and what is released to the public.

Edit: The minute one tries to protect "intellectual property" at any level the trust is gone.

FUD. The ceremony is only to computer a public key, nothing else. No other software has to be audited. Only need to confirm that the private key was not communicated from the computer to any one. Period.

...
FUD. The ceremony is only to computer a public key, nothing else. No other software has to be audited. Only need to confirm that the private key was not communicated from the computer to any one. Period.

How do you know that the public key you see on the screen is the one that was computed and not one that was pre computed before the computer was "placed in lead"?

Edit: DRM in the OS has everything to do with this since it is the perfect place to hide the private key. That is what DRM is designed to do hide private keys.

The hardware has to be audited. But we also have to audit our hardware that we use to run Cryptonote. If Intel is planting spies in the hardware, then we are screwed.

100% trust is impossible. And this is another reason I deprioritized anonymity. It is a clusterfuck.

Also I think perhaps Zerocash was working on a way to generate the public key decentralized, but I haven't kept up with progress on that.

Indeed Zerocash could end up being a Trojan Horse (a way to get fiat in the back door) and that is why I made my proposal to use them only as ephemeral mixes that die periodically, so then we will know if the key was compromised or not.

The result of my proposal is:

• Stolen coins isn't systemic to the overall coin (same as losing some coins to Mt. Gox and Cryptsy isn't), and at least participants get ongoing ceremonies to get better and better at auditing the hardware.
• No anonymity is ever lost.
• No NET coin supply is ever created out-of-thin-air (instead some people lose coins if they chose an insecure mixer that had a compromised key), which is also the case for both Zerocash and RIngCT where coin supply could be created out of thin air and we would never know it due to a bug in cryptography.

That will kick ass on Monero, because if I pass through the mixer, I know my anonymity is provable and I know I didn't lose my coins. It is only people who still sitting inside the mixer who risk losing coins. Everything has a risk. I would much rather the microscopic risk of a compromised key (causing me to lose some coins) to the sure risk of meta-data correlation in Monero which can send me to jail! Surely I would be judicious about not mixing all my coins at the same time and not all in the same mixer.

TPTB said that not even math can be trusted 100%, then how can we put 100% trust on any device for fair start of a trustless currency

If can't trust the math, throw Monero in the garbage can too.

My point is that nothing is 100%. We have to weigh the reasonable risks and benefits.

But I am confident these physics issues can be worked out to a sufficient level of trust.

Only need to confirm that the private key was not communicated from the computer to any one.

I find this kinda weak against your general absolutism. "So Simple Yet So Complex".


After all, what stops all 3 letter agencies, who can own blockchains and can do analysis and attacks etc, to stage the whole thing? Will i be allowed to check that computer?

I mean, i have near to zero understanding of cryptography, but your search for the perfect/ideal solution looks like making you ready to take a huge and dangerous bet.  

I proposed ephemeral mixers based on Zerocash technology. They will be ferreted out if they are doing this, because it will be known that the key was compromised when the mixer expires and everyone has to cash out of the mixer back into the public coin. The bastards can't keep doing it over and over again. The participants will get wise as to the methods the attackers are using.

I am not absolutist. Rather I think correctly and realistically when I weigh marketing, tradeoffs, and delusion as follows:

That will kick ass on Monero, because if I pass through the mixer, I know my anonymity is provable and I know I didn't lose my coins. It is only people who still sitting inside the mixer who risk losing coins. Everything has a risk. I would much rather the microscopic risk of a compromised key (causing me to lose some coins) to the sure risk of meta-data correlation in Monero which can send me to jail! Surely I would be judicious about not mixing all my coins at the same time and not all in the same mixer.

Marketing and design are holistically joined at the hip. Those fools who said the marketing can come later are clueless.

One more point I considered in my holistic analysis is that for most transactions we can't be anonymous. Thus anonymity is more suited to those who want to receive some payment anonymously and hide the funds there and extract them only to public funds in small morsels or to spend in other rare anonymous transactions (e.g. buying some gold bars from someone you trust won't reveal your identity).

In that case one might think you can just use Stealth Addresses (unlinkability) and run a full node to confirm receipt of funds anonymously. No need for Cryptonote, RingCT, nor ZeroCash. But the problem is the payer can be identified and be pressured to reveal your identity.

So this is why we need Zerocash to make the untraceability impervious to meta-data correlation.

But the problem with my proposal for ephemeral Zerocash mixers is that when we take the coins out of the mixer they can now be correlated to our meta-data (e.g. IP address, etc). So thus it seems to hide large funds and only take out small portions publicly as needed, will incur risk of losing those coins in my proposal, but at least they will be provably anonymous.

Anonymity is a clusterfuck. If we can't make trusted hardware, then anonymity is unprovable. Period.

So just give up on anonymity, or get busy trying to make hardware we can trust?

(or if Zerocash has developed a provably secure way to generate a master public key, which I doubt)