[Poll] What anonymous coin will succed?

[DonQuijote]

Only a POS coin will be succed, multipools are pow killer

[Brilliantrocket]

"In reality, humans display a systematic bias towards cooperative behavior in this and similar games, much more so than predicted by simple models of "rational" self-interested action."

That doesn't apply in non-cooperative games (which is what masternodes create).

If you're really interested in the game theory that shows why this is a bad idea, you can start here: http://www.ewp.rpi.edu/hartford/~stoddj/BE/IntroGameT.htm

What you really want is Nash equilibrium, but that's when a system comes to rest, not before. In the case of masternodes, those with the fastest access to resources and the most devious minds would initiate a systemic collapse. This could occur after quite a period of equilibrium, as the bad actors wait for price appreciation in order to ensure the barrier to entry for competitors is obliterated. They would launch an attack on masternode after masternode, obliterating them from the network. Those good actors with fast access to resources will also react, but it would only take a short time before they reason that one or more of the remaining masternodes must be operating in bad faith, and the best way to deal with this is to launch an attack of their own. Once sufficient numbers of masternodes have shut down and dumped their coins due to the cost prohibitive nature of defending against these attacks, a very small group (I'd hazard less than 10) will be left with a Nash equilibrium, knowing that they survived each other's onslaughts and were unable to take each other down permanently.

That sort of attack makes utterly no sense in the context of Darkcoin. Daily emission is 2880 coins, 20% of which goes to masternodes. At most an attacker could stand to gain 576 coins per day. If such an attack occurred, the Darkcoin price would tank quickly. So for the sake of a small number of soon to be devalued coins an attacker would compromise the value of their much larger investment (coins held in masternode)? Not to mention there's a high temporal and monetary cost for such an attack! While theoretically possible, similar to the sybil attack on MNs, such a move would be counter to the interest of the attacker. Keep grasping at straws, it's fun to watch.

[Brilliantrocket]

LOL - please do - how on earth would you Sybil attack Monero??

As to the rest of your points, I can do nothing but chuckle at your naiveté.

Would like to get some closure on recent discussions.

To help rpietila with the periodic summaries he typically adds to the OPs of his moderated threads, I suggest we try to compile a summary of the significant pluses and minuses of top anonymous coin designs.

Could we agree on wording such as the following? Please let me know if I left anything out that we discussed upthread. The following doesn't attempt to qualify how likely or predominant relative weaknesses are, as this is too complex to summarize succinctly.

* represents a feature which is claimed to be an advantage but may or may not be a liability.
?? means I guessed and am not sure.

Monero (Cryptonote coins)

+ cryptographically unlinkable & untraceable
- tx sybil attack (mitigated with mandatory tx fees)
- I2P (anonymity or DoS) sybil or timing analysis attack
- unprunable -> mining centralization or less scalable
- public key cryptography not quantum nor number theoretic immune
- slow PoW hash
- mining is not anonymous
* unvetted asic-resistant PoW hash, demonstrated GPU parity

Boolberry (Cryptonote optimization)

+ discards ring signatures reducing block chain size by a constant factor
+ prevents mixing with those who don't mix so unlinkability & untraceability isn't trivially broken
+ cryptographically unlinkable & untraceable
- tx sybil attack (mitigated with mandatory tx fees)
- no I2P/Tor IP obfuscation
- unprunable -> mining centralization or less scalable
- public key cryptography not quantum nor number theoretic immune
- mining is not anonymous (??)
* unvetted asic-resistant PoW hash, demonstrated GPU parity (??)

DarkCoin (this is the best CloakCoin's anonymity could improve to as it is similar conceptually in design)

+ prunable (but unimplemented)
- unlinkability Sybil attack on masternodes
- tx sybil attack (mitigated with mandatory tx fees)
- Tor (anonymity or DoS) sybil or timing analysis attack
- simultaneity or premix tx bloat -> mining centralization or less scalable
- public key cryptography not quantum nor number theoretic immune
- mining is not anonymous (??)

Zerocash

+ all coins mixed all the time, so no tx Sybil attack incentive (may not need tx fees if they adopt my secret??)
+ don't need to obfuscate IP address (I2P/Tor) because...
+ ...everything is cryptographically hidden...
- ...even the money supply -> compromised master setup or cryptanalysis breakage could create unlimited undetected coins
- unprunable (??) -> mining centralization or less scalable
- public key cryptography not quantum nor number theoretic immune
- unvetted new complex crypto could break anonymity and coin value retroactively
- mining is not anonymous (??)
- not released

It is I who chuckles at you. You do all that work, for the sake of making me rich. If you do it well, that is. If not, then your failure will amuse me greatly. Now back to work.

[othe]

Man you can´t even read, i quote it again.

- tx sybil attack (mitigated with mandatory tx fees)
- I2P (anonymity or DoS) sybil or timing analysis attack

And I2P, its not even implemented yet, sybil attacks there have nothing todo with what happens to monero.
Clearly having ip obfuscation inbuilt is better than not having it. Sybil attacks he mention are about ip-deobfuscation, nothing todo with the currency itself. They also exist in TOR, just for your info.

i marked the BOLD parts. BOLD means important.
i repeat it for you, READ THE BOLD PART.


Fun question for your:

I hope you remember when CCEX was hacked.
I hope you remember how many DRK were stolen then.
Also when Mintpal was hacked (Vericoin), DRK was withdrawn.

Count those 2 together, calculate how many Masternodes you can run with those coins. Tell us the percentage of Masternodes you own if you use those coins for Masternode setups.

Now imagine another big exchange gets hacked, lets say Mintpal and well Cryptsy too.

Stealing DRK is as dangerous as stealing pur PoS coins, if you have stolen enough you rule the whole network.


Now your anonymity is prolly completly broken and you are fucked.
Or, imagine the FBI goes there and confiscates the DRK, or they confiscated them somewhere else, lets say when the hypothetical SR3 gets raided.

Thats how govt can easily destroy DRK without even wasting money.

PS: Don´t believe everything a single person tells you.

It is I who chuckles at you. You do all that work, for the sake of making me rich. If you do it well, that is. If not, then your failure will amuse me greatly. Now back to work.

Some people have broader interest than money. One day you will grow up and notice that the life isn't about $.

[Brilliantrocket]

Man you can´t even read, i quote it again.

- tx sybil attack (mitigated with mandatory tx fees)
- I2P (anonymity or DoS) sybil or timing analysis attack

And I2P, its not even implemented yet, sybil attacks there have nothing todo with what happens to monero.
Clearly having ip obfuscation inbuilt is better than not having it. Sybil attacks he mention are about ip-deobfuscation, nothing todo with the currency itself. They also exist in TOR, just for your info.

i marked the BOLD parts. BOLD means important.
i repeat it for you, READ THE BOLD PART.


Fun question for your:

I hope you remember when CCEX was hacked.
I hope you remember how many DRK were stolen then.
Also when Mintpal was hacked (Vericoin), DRK was withdrawn.

Count those 2 together, calculate how many Masternodes you can run with those coins. Tell us the percentage of Masternodes you own if you use those coins for Masternode setups.

Now imagine another big exchange gets hacked, lets say Mintpal and well Cryptsy too.

Stealing DRK is as dangerous as stealing pur PoS coins, if you have stolen enough you rule the whole network.


PS: Don´t believe everything a single person tells you.

Now your anonymity is prolly completly broken and you are fucked.
Or, imagine the FBI goes there and confiscates the DRK, or they confiscated them somewhere else, lets say when the hypothetical SR3 gets raided.

Thats how govt can easily destroy DRK without even wasting money.

Is I2P no longer a planned part of Monero? Still planned? Then the criticism is relevant.

As to the stolen DRK, I did a calculation for owning 50% of the masternodes, how likely would it be to unmask transactions. The answer is that it wouldn't serve much good. Can't remember the % figure off the top of my head, but if even a single MN from the chain used to mix is honest, you're golden. .5^N, where N is the number of rounds used to mix. If N=8, you'd have less than half a percent chance to unmask a transaction.

The number of mix rounds can also be increased in the future, if necessary. Additionally, once the technology is open source, tens of coins will use it. An adversary would need to own a majority of the masternodes for all of them. Does that sound practical to you? Further, in the future there may be an option to use a set of "trusted" nodes. A sort of private network that you can choose, or setup for yourself.

[othe]

I2P is of course planned.
But I2P theoretical sybil attacks have nothing todo with Monero as a currency, nor will they hinder how it works.

Get a prepaid umts stick, run it inside Whonix (which additionally routes through tor) and you have a damn good IP Obfuscation, the best you can have nowadays.

Now if you come and mention the "DRK IP Obfuscation" then i will just laugh at you.

As to the stolen DRK, I did a calculation for owning 50% of the masternodes, how likely would it be to unmask transactions. The answer is that it wouldn't serve much good. Can't remember the % figure off the top of my head, but if even a single MN from the chain used to mix is honest, you're golden. .5^N, where N is the number of rounds used to mix. If N=8, you'd have less than half a percent chance to unmask a transaction.

The number of mix rounds can also be increased in the future, if necessary. Additionally, once the technology is open source, tens of coins will use it. An adversary would need to own a majority of the masternodes for all of them. Does that sound practical to you? Further, in the future there may be an option to use a set of "trusted" nodes. A sort of private network that you can choose, or setup for yourself.

If i own half of the masternodes, i would attack the others of course too. Then your math falls completly appart.
I guess i would try to patch the masternodes to communicate with my own masternodes as a priority, but impossible to say how with closed source binaries - well not impossible, but not worth my time.

Also if you get 50% of the MN, you get 10% of the mined coins and can setup further masternodes and get even more, sounds awesome.
I am also sure if its known that half of the masternodes are malicous, most MN users would sell and then i own even more nodes, even more awesome.

[Brilliantrocket]

I2P is of course planned.
But I2P theoretical sybil attacks have nothing todo with Monero as a currency, nor will they hinder how it works.

Get a prepaid umts stick, run it inside Whonix (which additionally routes through tor) and you have a damn good IP Obfuscation, the best you can have nowadays.

Now if you come and mention the "DRK IP Obfuscation" then i will just laugh at you.

What would you be laughing at? Something has been proposed, but that doesn't mean it's finalized. If the community decides that there's a better option, I'm sure Evan will be more than happy to pursue a different path.

[Brilliantrocket]

Some people have broader interest than money. One day you will grow up and notice that the life isn't about $.

Until I had financial security, that was all that really mattered. Hard to enjoy life when your conditions are less than optimal. Certainly some find ways. The reality is that very few people actually live, the vast majority just exist.

[drawingthemoon]

Monero can be sybil attacked by something Monero fears the most - Boolberry (soon to be renamed from the gist of things).

Keep working on keeping BBR down lads. I implore Darkcoiners to make it their second coin of choice. It is at a great price point, is far superior to Monero who have nothing but gangstas posing for them and shilling non stop.

Spread the word.

[Brilliantrocket]

Also if you get 50% of the MN, you get 10% of the mined coins and can setup further masternodes and get even more, sounds awesome.
I am also sure if its known that half of the masternodes are malicous, most MN users would sell and then i own even more nodes, even more awesome.

The tech is going to be open source. That alone makes any manipulations involving masternodes an exercise in futility.

[MystPhysX]

It's either going to be a cryptonote coin or Cloak. I wish TiPS was still going strong though.

[fluffypony]

That sort of attack makes utterly no sense in the context of Darkcoin. Daily emission is 2880 coins, 20% of which goes to masternodes. At most an attacker could stand to gain 576 coins per day. If such an attack occurred, the Darkcoin price would tank quickly. So for the sake of a small number of soon to be devalued coins an attacker would compromise the value of their much larger investment (coins held in masternode)? Not to mention there's a high temporal and monetary cost for such an attack! While theoretically possible, similar to the sybil attack on MNs, such a move would be counter to the interest of the attacker. Keep grasping at straws, it's fun to watch.

It wouldn't be done all at once, the nature of a system seeking Nash equilibrium is that it has to slowly unwind - devolve, if you will - towards chaos, before pulling back right at the end. The example closest to our frame of reference is Litecoin - with that much money invested in Litecoin, you'd expect companies profiting off peripheral Litecoin services and large Litecoin holders to spend whatever money they can to advance Litecoin and protect their investment. And yet they aren't and they don't, and Litecoin is dying because of it.

It is I who chuckles at you. You do all that work, for the sake of making me rich. If you do it well, that is. If not, then your failure will amuse me greatly. Now back to work.

As he says - we mitigate it with mandatory tx fees. AnonyMint thinks that the perfect hypothetical cryptocurrency must have zero tx fees, which is why he marks that same point as a "con" for all of the cryptocurrencies, including Darkcoin.

[negafen]

The anon coin boom is over. People are investing in the "asset" back coin like Ethereum and NXT.

Stellar also eating into anon coin market pie.

[illodin]

"In reality, humans display a systematic bias towards cooperative behavior in this and similar games, much more so than predicted by simple models of "rational" self-interested action."

That doesn't apply in non-cooperative games (which is what masternodes create).

Then why did you bring it up in the first place if it doesn't apply?

[177sis]

Absolutly DRK,the first and the best!

[fluffypony]

"In reality, humans display a systematic bias towards cooperative behavior in this and similar games, much more so than predicted by simple models of "rational" self-interested action."

That doesn't apply in non-cooperative games (which is what masternodes create).

Then why did you bring it up in the first place if it doesn't apply?

You misunderstand. The Prisoner's Dilemma DOES apply in both cooperative and non-cooperative games, the bias towards cooperative behaviour DOES NOT and cannot apply in non-cooperative games.

In other words: the Bitcoin protocol is a cooperative game. If every node tried to cheat there'd be chaos. Everyone on the network runs by the same rules, for fear of being rejected by the network if they do not.

However, Bitcoin mining is a non-cooperative game. Mining pools can and do DDoS each other in order to get more miners mining on their pool. We know this happens, and in the altcoin world small pools shut down regularly because they can't afford the upkeep when they are regularly DDoS'd. The two things that prevent this system from imploding are: 1. the community freaks out whenever a pool is above 30%, and so a pool that is a bad actor is forced to setup or buy out other pools to mask their behaviour; 2. pool fees are so tiny (some of them have no fee) that it's not that financially beneficial.

For another example of mining being a non-cooperative game prone to cheating, see Errata Security's post that applies another aspect of game theory to show how miners can cheat, or see Ittay Eyal and Emin Sirer's paper on Selfish Mining.

Also, to demonstrate I'm not proposing a merely theoretical attack (and this applies to Darkcoin's masternodes too, despite Brilliantrocket thinking that DDoS attacks are "March's problem"), I'll quote from that ErrataSec blog post:

The operators of one pool might try to DDoS the URLs of other pools. This would prevent those pools from sending out work to their members, lowering their hash rate, and making it more likely that non-DDoSed pools would win the lottery. People do this, and this has lead to arms races among pools. They are under frequent DDoS attacks, and are frequently having to upgrade their server infrastructure to cope with the attacks. Overall, it’s been a nuisance and hasn’t dramatically enabled anybody to significantly win at the mining game.

In Darkcoin - and again, this is a general criticism of the broken architecture and not FUD or a slight against anyone - masternodes are in a non-cooperative game. They have no obligation to cooperate with anyone, as long as they are publicly perceived to be following the mathematical constraints in the protocol. The huge reward they are paid on a daily basis (Brilliantrocket states it as 576 coins per day for all masternodes) makes attacking the competitors feasible and desirable.

Practically speaking, then, the question is: is there sufficient reason for a masternode to cheat in this manner? Well, let us say that Kim owns 3 masternodes, and is thus stuck wanting to reclaim 30 000 Darkcoin. Network is operating efficiently, Darkcoin is popular, and there are 2 000 masternodes (this was mentioned to me as the proposed maximum, I stand to be corrected). Let us assume (as it appears to be right now) that the block reward is based on minsubsidy and not on any sort of declining emission, and thus for the purposes of our example 576 Darkcoins a day is the total masternode reward for the period. Thus, Kim receives 0.15% of that reward, a total of 0.864 Darkcoins a day. For him to recoup his 3000 Darkcoin it will take him 3472 days, or about 9.5 years. I'm aware that he still has the original 3000, but that's a sunk cost - untouchable - and he thus needs to recoup it in order to operate as a profitable business. That it's an asset that doesn't in and of itself depreciate is not a reflection on profitability.

Now I know that the knee-jerk reaction is "but those 3000 Darkcoin only cost him $9000 at the time, he's recouped that already!" Of course, this is irrelevant, as Kim would have been better off just holding his 3000 Darkcoins instead of throwing them at a masternode and hoping to recoup it. Thus, Kim is motivated - eminently so - to destroy the other masternodes. If he attacks a single masternode long enough for them to give up and dump their coins, the price will merely take a small hit and recover, but he will increase his daily reward.

The reason this system (as defined in the example) will approach Nash equilibrium is because all of the masternode operators know that they have to keep the number of masternodes under 100 to have any profitability (because they will then be able to roll-over their 1k investment every 6 months), and thus there is motivation to be a bad actor. More importantly, if you get on the forums and claim that you are also being DDoS'd (maybe turn your masternode off for a few hours every week) you can play the victim, and nobody will know that you're a bad actor. A handful of these bad actors is enough to destroy the system from within.

Edit: was off by a factor of 10, as I thought it required 10k DRK not 1k DRK

[adhitthana]

Here is a question: If one had 1000 Bitcoins, today, and you wanted to hide any connection to yourself, using an altcoin how would one do it? Not that I only have 1000 BTC

[adhitthana]

[ Thus, Kim is motivated - eminently so - to destroy the other masternodes.

Are you saying you would be motivated to destroy other masternodes if you were in that position?
My own view is that when we assume (or maybe project) the worst in others there is little or no evidence to suggest this approach works in reality.
Using the ideas of a paranoid schizophrenic in their foreign policy seems to have been a failure for the US. Why would anyone assume it has merit?

What was not known at the time was that Nash was suffering from paranoid schizophrenia and, as a result, was deeply suspicious of everyone around him—including his colleagues—and was convinced that many were involved in conspiracies against him. It was this mistaken belief that led to his view of people as a whole that formed the basis for his theories. Footage of an older and wiser Nash was shown in which he acknowledges that his paranoid views of other people at the time were false.

Curtis examines how game theory was used to create the USA's nuclear strategy during the Cold War. Because no nuclear war occurred, it was believed that game theory had been correct in dictating the creation and maintenance of a massive American nuclear arsenal—because the Soviet Union had not attacked America with its nuclear weapons, the supposed deterrent must have worked. Game theory during the Cold War is a subject Curtis examined in more detail in the To The Brink of Eternity part of his first series, Pandora's Box, and he reuses much of the same archive material in doing so.

http://en.wikipedia.org/wiki/The_Trap_(TV_series)
Just asking.

[fluffypony]

Here is a question: If one had 1000 Bitcoins, today, and you wanted to hide any connection to yourself, using an altcoin how would one do it? Not that I only have 1000 BTC

You could launder it through Monero, but the slippage would be big or you'd have to take a little time. You'd have to have two disconnected profiles - you, and your mule. You would deposit the 1000 BTC on Poloniex and withdraw it to Monero (this withdrawal is cryptographically unlinkable and untraceable). In batches you'd trickle-deposit (these are also unlinkable and untraceable) into your mule's Poloniex account, selling and withdrawing the BTC. In terms of slippage, in the current market you'd buy 167 737 XMR at an average buy-in of 0.0059617 BTC. I'm terrible at TA, but you'd presumably want to wait and only sell above that price (it's traded above that at 3 points over the past 3 months, but past performance is not an indication of future results) to reduce your slippage. All in, to minimise slippage, you're probably looking at a 3 month exercise to wash the 1k BTC.

To any external observer, even one able to subpoena Poloniex, it would look like you deposited BTC and withdrew XMR. The XMR blockchain will reveal nothing about the movements of those funds thereafter, and I find it unlikely that any inference can be made (especially if you spread the return of funds over a few exchanges). Your mule account will appear to be an ordinary trader who occasionally dumps XMR and withdraws BTC.

[adhitthana]

Here is a question: If one had 1000 Bitcoins, today, and you wanted to hide any connection to yourself, using an altcoin how would one do it? Not that I only have 1000 BTC

You could launder it through Monero,

I see so much derision for Cloak that I had wondered if it was the best option presently, for that.  in view of it's popularity, but I guess the same would apply to it.