Gold collapsing. Bitcoin UP.

[smooth]

we do know satoshi left b/c he didn't want to get carted away.

We do, or you made that up?

As far as I know he simply said he was going to work on something else.

well, the ppl i define as normally social that leave to go work somewhere else stop in to say hi every once in a while.

Again, I ask, do you know why he left (and have any source whatsoever for that) or are you just making shit up?

iCEBREAKER would probably say to check twitter for satoshi stopping in to say hi.

[1714063603]

1714063603

[1714063603]

1714063603

[1714063603]

1714063603

[1714063603]

1714063603

[1714063603]

1714063603

[1714063603]

1714063603

[cypherdoc]

we do know satoshi left b/c he didn't want to get carted away.

We do, or you made that up?

As far as I know he simply said he was going to work on something else.

well, the ppl i define as normally social that leave to go work somewhere else stop in to say hi every once in a while.

Again, I ask, do you know why he left (and have any source whatsoever for that) or are you just making shit up?

iCEBREAKER would probably say to check twitter for satoshi stopping in to say hi.

I think maybe the point you are  trying to make here is that you as a core dev for  Monero don't have anything to worry about.

OK, I can accept that.

[TPTB_need_war]

I suppose Cypherdoc will hallucinate and postulate the possible possibilities (excluding the impossible impossibilities) that Martin Armstrong was in a thread discussion with Meni Rosenfeld and Adam Back in 2014. Or he will ululate that Armstrong using my name TPTB_need_war is claiming to be AnonyMint who was actually another person. Or any permutation thereof including but not limited to the introduction to the plot some Space Cowboys horseback on UFO pixie dust flying carpets dressed in dainty lace lingerie and rawhide boots singing "I'm Too Sexy, for this coin".

Thanks Meni for sharing that.

On the historical technical level (not applicable to be implemented in Bitcoin), Adam Back did not mention the double-spending solution where the person who double-spends would expose their identity.

Hal Finney summarized it.

The offline double-spend of Chaum reveals identity.  Brands also has a mechanism to do that (reveal private key and all attributes, one of which could be identity).

...

The main problem with doing that in bitcoin is if you accidentally send twice (because your client crashes) you lose money.  And people keep reusing addresses.  These extended addresses would "discourage" address reuse (which some would say is a good thing:)

Note Adam Back replied to me (AnonyMint). The bolded statement (my emphasis) is incorrect. Numerous copies of a signature can be sent without changing the signature. Instead, the reason that penalizing double-spending by revealing the private key won't work for crypto-currency is because we need an ordering of transactions so we know which of the double-spend(s) are invalid, so that the first person paid attains probablistic non-repudiation after waiting for sufficient confirmations. This attribute remains in my radical redesign of mining despite the fact that certain censorship critical attributes can't be 50% attacked as they can be in all existing PoW schemes that I am aware of. In other words, you could create an alternative chain with a 50% attack in my radical redesign of PoW, but if you tried to actually achieve anything with it, the undesired effects would be filtered out. This is what modular design achieves.

In any case, the concept is sort of inane. Who ever receives a payment can trace all the way back through the chain of payment history of obscured amounts. So afaics the anonymity breaks down over time to eventually 0. Please correct me if I am mistaken.

I think I conflated with the "respendable commited-tx". The homomorphic encryption was 5 slides above that. So perhaps the HE does not have the flaw I assumed. So it hides payment amounts but doesn't mix outputs from numerous entities. You'd still need CoinJoin for that, which is unscalable. And if you add on-chain ring sigs, then you don't need the HE. Also I don't understand how hiding the amount helps when the amount needs to be same for all those who are mixing in CoinJoin   (otherwise analysis of permutations between input and output amounts can decrease the anonymity set).

So far this looks like another one of those half-baked Gregory Maxwell ideas.   I await clarification.

Links:

https://bitcointalk.org/index.php?topic=509674.0
https://bitcointalk.org/index.php?topic=305791.0

I was pushing too hard for too many days (and too many calories feeding those bad bacteria which drive immunological inflammation), M.S. inflammation flaring-up due to it, thus the incorrect "analysis" above was the result of delirium:



I will be posting a new analysis next.

[smooth]

we do know satoshi left b/c he didn't want to get carted away.

We do, or you made that up?

As far as I know he simply said he was going to work on something else.

well, the ppl i define as normally social that leave to go work somewhere else stop in to say hi every once in a while.

Again, I ask, do you know why he left (and have any source whatsoever for that) or are you just making shit up?

iCEBREAKER would probably say to check twitter for satoshi stopping in to say hi.

I think maybe the point you are  trying to make here is that you as a core dev for  Monero don't have anything to worry about.

OK, I can accept that.

That's one of the most bizarre deliberate misreadings I've seen in a while.

No, the point I'm making is that you appear to be making shit up.

[cypherdoc]

we do know satoshi left b/c he didn't want to get carted away.

We do, or you made that up?

As far as I know he simply said he was going to work on something else.

well, the ppl i define as normally social that leave to go work somewhere else stop in to say hi every once in a while.

Again, I ask, do you know why he left (and have any source whatsoever for that) or are you just making shit up?

iCEBREAKER would probably say to check twitter for satoshi stopping in to say hi.

I think maybe the point you are  trying to make here is that you as a core dev for  Monero don't have anything to worry about.

OK, I can accept that.

That's one of the most bizarre deliberate misreadings I've seen in a while.

No, the point I'm making is that you appear to be making shit up.

you could've picked alot better topics to nitpick at since that seems to be your motive here.

ok, i admit it, i don't know that.  but i'd contend there are probably thousands of Bitcoiner's out there who would agree with me.  you can poll them if you want.  it's not the BIG DEAL you're trying to make of it.

[TPTB_need_war]

Cryptonote/Monero vs. Sumcoin/Blockstream's Confidential Transactions

In any case, the concept is sort of inane. Who ever receives a payment can trace all the way back through the chain of payment history of obscured amounts. So afaics the anonymity breaks down over time to eventually 0. Please correct me if I am mistaken.

Afaics, the anonymity does degenerate in a way that it doesn't in Cyptonote (Monero), which is conceptually relevant to my initial objection above regarding the fact that the recipients must be able to prove the amount they received (i.e. the Sumcoin viewkey).

Let's consider the more intelligible summary in the claimed Sumcoin improvement to Blockstream's Confidential Transactions as follows.

https://people.xiph.org/~greg/confidential_values.txt

I remember watching Adam Back's talk about this concept when he was in Israel at a meeting I think sponsored by Meni Rosenfeld.

Request for comments

http://voxelsoft.com/dev/sumcoin.pdf

you sure were very quick to include Blockstream's Elements and Confidential txs in your work.
(sorry no time to read the paper right now)

Let me quote from that Sumcoin white paper as follows.

5.2 Comparison to alternatives

...
A Sumcoin user needs not mix coins of relatedequal denominations, she can simply
spend to multiple addresses. A hidden satoshi will mix as well as a hidden [non-fraction of a] coin [e.g. 1 Bitcoin].

5.3 Social

Sumcoin is more like cash than Bitcoin. Users of cash, and Sumcoins, tend not
to discover the value of other user’s transactions. Bitcoin nodes see the value of
all unrelated transactions on the global network.

With cash transactions, if a party chooses to publicly disclose a transaction
amount, their claim would initially stand unproven. They would need additional
evidence, such as a confirmation from the counterparty (or intermediary)
to prove the claim. With Sumcoin, such disclosure is immediately and forever
provable on the blockchain. This permanent and undeniable record should discourage
the use of this technology for nerfarious purposes.

Properly kept, crypto-currencies such as Bitcoin are the least practical asset
class to take from an owner without consent. This process reduces to probabilistic
rubber hose cryptanalysis in extremis, which may only be feasible on a small
scale. Unfortunately, not all owners can be assumed to make sufficient effort to
protect their coins...

The author apparently thinks that users won't reveal their view keys in public. But the recipients viewkey can also be hacked or pressured with rubber hoses. The author doesn't state the holistic problem (conceptually analogous to holistic issue I had pointed out to the Monero devs during the BCX debacle), that as values are revealed where the coin histories are not untraceable and unlinkable, then solving for other unknown values in the system is a system of simultaneous equations (then there was the discussion about practical computability and complexity classes P and NP).

So mixing is still required.

Also compared to Cryptonote where the values (denominations) of mixes have been forced to be equal, unmasking some values will reduce (unmasking) the anonymity set of mixing that was done by any external protocol if unequal values were used for the inputs and outputs. If I am not mistaken, hacking the private key of the recipient in Cryptonote does not weaken the anonymity set of the ring of outputs serving as inputs to the transaction. In other words, in Monero the viewkey is controlled by the sender; whereas in these new homomorphic (not homocoin, lol) encryption schemes the recipient gets the viewkey.

However this new homomorphic encryption of sums does appear to add some value where it is not reasonable to mix with equal denominations, e.g. such as merging outputs of Cryptonote ring (i.e. might be useful to combine both types of onchain anonymity?). I find it very interesting and I am impressed with the work of the author of Sumcoin. Adam Back outlined how it might be feasible to simulate ring signatures by mixing zero and non-zero denominations as follows which I presume is an analogous special case of what Sumcoin mentioned about mixing unequal inputs and outputs in a transaction.

Lets call the homomorphic coin for short morphcoin (and not homocoin;)  Or ringcoin from the additional implication of the below extended protocol.

One more proof which allows a ringcoin (ring signature analog of Greg Maxwell's coinjoin) is to create a ring input R=g^v'*h^x' and change C' and then prove that with respect to someone else's coin where it can be publicly audited that C=R*C' (ie the coin adds up) and C' is the change left for the original owner.  The proof you need to make that an acceptable proposition for the original owner (subtracting random amounts from his coin!) is that either R=g^(v'=0)*h^x' OR  RP(C') and RP(R) such that C=R*C') where RP is the range proof construction from parent post.  

That proves either you have a coin with 0 value (so its safe to subtract it without someone else's permission or cooperation from their coin) OR that you know the coin private key, so you can subtract whatever you want because you're its owner.  The way the subtraction is proven not to underflow, is you split the coin into two or more outputs range proofs that add up to the original coin, proving you are the owner.  The coin private keys for C is x, for R is x' and C' is x" and x' is random and x"=x-x' mod n, so final validation is simply EC addition of the split proceeds (which could be spent to other person and change address eg.)

The OR construction is standard and the same technique as in parent post to allow to prove v_i=0 or v_i=1 (namely you intentionally allow a maximum of one forgery, by adding one degree of freedom to the choice of the challenge).

Now a ringcoin is like coinjoin, but more powerful because you dont need the cooperation of the other coins!  That makes sense because you are provably not removing any value from them (as you dont know their private keys).   The additional cost for the "v'=0 OR "clause should be small, about 3 or 4 values (96-128bytes) on top of the two range-proof encrypted values.

...

Again to summarize:

Ringcoin is like coinjoin except you the spender choose who to mix your inputs with, and you take 0 from each input, but because the value is homorphically encrypted no one but you can tell that, and you dont need to mix other people's outputs.

Ringcoin seems likely to outperform zerocoin in anonymity, certainly in performance (coins can have flexible value unlike zerocoin which is one denomination, or dilutes the anonymity set if you have multiple denominations and 2 output coins are 10x smaller and much CPU cheaper to create and verify).  You can mix with 10 ringcoin inputs per 40kB zerocoin proof, and you dont have the competing anonymity-set issues from having to balance number of denominations (for efficiency of payments eg $1000 coins = 1000x $1 coin payment) against anonymity set (introduce $1, $10, $100, $1000 coins and now you can infer possible sources from handling of coins of required value and so reduces the anonymity-set).  Unlike zerocoin there is no unwanted trapdoor (the n=p*q issue where p, q is a global trap door allowing coin forgery that you cant prove you destroyed).

5.1 Features

...

In addition to standing on its own, Sumcoin can be
implemented as a sidechain[42] or integrated into the Monero (or Bitcoin) protocol
as a hard fork with a new transaction version. Spent transaction pruning[43]
is possible in Sumcoin.

Everyone can stop caring about block chain size once my radical redesign of PoW is realized.

[OROBTC]

...

[cross-posted, but relevant here because of latest conversations]


Monero & Bitcoin (thx, rpietila and troller for inspiring this post)

I have been trying to get a handle on two issues re the two cryptos:

1)  BTC has rather good acceptance, that is, the products you can buy using BTC are rather wide.  This is good.  

What is available using Monero?  How easy/difficult is it to buy Monero?

2)  With a little work (and about 0.6% - 1.0%), you can hide your trail a little better by mixing BTC.  

IIUC, one of the main attractions of Monero is that the anonymity is/will be better than using BTC.  TPTB_need_war has stated that Monero is not yet secure, can anyone explain (in words that even my grandma could understand) Monero and anonymity?

*   *   *

An easy to use, widely accepted and anonymous crypto would be a great thing.

[TPTB_need_war]

1)  BTC has rather good acceptance, that is, the products you can buy using BTC are rather wide.  This is good.  

What is available using Monero?  How easy/difficult is it to buy Monero?

You can spend XMR any where BTC is accepted by employing XMR.to or ShapeShift.io. You don't even need a login account for ShapeShift.io.

I believe those are derivatives of the insight I (posting as AnonyMint) made in 2013 that unit-of-account is dying in relative importance because with crypto-currency all liquid units-of-account are convertible in real-time. Rpietila reiterated that point recently in the Economic Totalitarianism thread.

2)  With a little work (and about 0.6% - 1.0%), you can hide your trail a little better by mixing BTC.

No! Those are centralized servers and you have no way to know that they are not compromised. Also research has shown they can be unmasked with traffic analysis. Google afair "Coin fog".

IIUC, one of the main attractions of Monero is that the anonymity is/will be better than using BTC.  TPTB_need_war has stated that Monero is not yet secure, can anyone explain (in words that even my grandma could understand) Monero and anonymity?

Bottom line is that Monero has the only robust onchain anonymity that I am aware of thus far. Only onchain anonymity is really trustworthy and scalable (assuming you've obscured your IP address when sending the transaction to the network or used a pigeon).

I have stated that I am not 100% convinced that the anonymity sets can't be combinatorially unmasked because as far as I know Monero allows unlimited overlapping rings. That is for further study. Also I'd like to see quantum computing resistant ring sigs, because eventually elliptic curve stuff will be cracked by a quantum computer (IBM says maybe as soon as 15 years from and the block chain is a permanent record).

We've explained the nuances upthread and else where, but that is all you really need to know. Smooth might chime in as well.

My prior post compares Monero's onchain anonymity to the new onchain anonymity proposals from Sumcoin and Blockstream's Confidential Transactions (for their side chains).

An easy to use, widely accepted and anonymous crypto would be a great thing.

It is inevitable. And probably within this year. See all the innovation pushing this direction. Just hang on.

[TPTB_need_war]

you could've picked alot better topics to nitpick at since that seems to be your motive here.

You are always the victim. Freudian slips amass.

[OROBTC]

...

TPTB

Thanks for clarifying some info re Monero & BTC.

Ah, sorry for mis-characterizing your earlier comments on Monero, you already know that my understanding of cryptos is still at the beginner level.

*   *   *

Yes, I will hang on!  Innovation is indeed happening quickly.  I look forward to cryptos becoming easier to use.

This year would be great, but I have lots of time...  

[TPTB_need_war]

Ah, sorry for mis-characterizing your earlier comments on Monero, you already know that my understanding of cryptos is still at the beginner level.

Actually my mistake as I forget to address that aspect of your post. Please re-read my prior reply to you; I elaborated.

[TPTB_need_war]

Long term, it might be possible to auto-generate equivalent-difficulty hash functions. A new hash function for every block. That would fix things back down to FPGA technology level, and contribute better to generic hardware development.

I climbed down that theoretical physics rabbit hole and I am convinced there is nothing there. The entropy is limited by the number of opcodes in the hardware or software instruction set. It is not possible to spontaneously generate deterministic order of out disorder; and PoW requires a deterministic winner of each block. Order that arises from chaos was already there but under sampled (i.e. unobserved).

Will you comment on whether you are the author of the Sumcoin whitepaper?

[TPTB_need_war]

The main problem side chains has introduced for me, is they can steal my technology and put it in a side chain. So I will just have to put it in a side chain first and make sure I am siphoning value from BTC in a way that can't technologically be improved upon. I know how to do this because it was already necessary in my design.

So everything is falling right into place for me. Monero has eventually been co-opted by side chains (unfortunately).

The above is incorrect. On further thought, I have solved the economic threat of Blockstream's pegged side chains (it threatened to turn all innovation into Communism!). There is a win-win solution for side chains and altcoins to co-exist.  

Exciting times ahead...

On another topic, again I reiterate that Blockstream's pegged side chains will render MPEX's Bitcoin XT (aka "GavinCoin") short impotent, because Bitcoin XT can then be put into a pegged side chain, thus MPEX et al shorting the BTC value in one chain shorts the BTC value in all pegged chains including MPEX's Bitcoin Core chain. MPEX, iCEBREAKER, and other hard-Core supporters may think this is okay because they can retain their Core side chain, but I assert TPTB can then 50% the minority side chain driving it to extinction (the users will move their value to the non-attacked chain).

This is the reason that all side chains that wish to remain decentralized are coming to my redesign of PoW.

As I've stated, the redesign is agnostic to the type of onchain encryption and anonymity offered. Multiple offerings are possible.

Pegged side chains makes coin value orthogonal to block chain choice. My further modularization makes block chain consensus algorithm orthogonal to block chain transaction algorithms.

This is why money is interested to get in early on my technology, yet I have refused most because they don't wish or don't know how to invest anonymously. Yet Cypherdoc thinks I had trouble obtaining a measily $10,000. I'm contemplating selling the design and project to a team that is willing to be non-anonymous. I am also being realistic about what one (getting old) man with subdued but lingering Multiple Sclerosis can accomplish anonymously. Might be better to get something now and see the project move faster to fruition than fail and get nothing and the world not get the design timely.

I think I had already mentioned that the following article is interesting but I solve the problem non-heuristically.

https://blog.ethereum.org/2015/06/06/the-problem-of-censorship/

[TPTB_need_war]

I really think Bitcoin should stick to the business of money not the business of business. Blockstream is turning Bitcoin into a vehicle for speculation via SC's.

Its sad to see iCELatte and marcus et al cheering the above sidecoin as a competitor to Bitcoin. It just shows how much misunderstanding there is about Bitcoin as Money which is its original goal.

The properties of money are unit-of-account, store-of-value, and medium-of-exchange.

Pegged side chains do not adversely impact any of those attributes.

Pegged side chains is a more efficient and granular way of voting for technological progress than the all-or-nothing, high-drama politics of hard forks with MPEX GavinCoin WMD mutual annihilation.

It makes these votes more orthogonal to the three attributes of money! The "all-or-nothing, high-drama politics of hard forks with MPEX GavinCoin WMD mutual annihilation" can adversely impact the three attributes.

You don't have the logic skills of a programmer. Give up. Quit. Or. Learn. To. Be. More. Humble. About technical issues.

[TPTB_need_war]

the initial implementation merely runs off federated servers and doesn't require a source code change like Gavin's block size increase.

That may be the real motivation for minimizing the hard fork increase, so that when it needs to be done again later, hopefully by then the market will be clamoring to get rid of the federated servers. Maybe they see that as their best hope of getting the change into source code in the most timely way.

So maybe if there would be a compromise such as you proposed, that might grease the gears.

[TPTB_need_war]

Did you sleep well after getting spanked and pouting until downvoted?  

Lol, there he goes again a programming dunce making incorrect technical statements.

Cypherdoc what if the side chain uses a different hashing algorithm than Bitcoin? What if it doesn't use PoW? What if it is uses PoW in a clever way that resists 50+% attacks (e.g. my design)?

what do you expect being in a Blockstream thread with all it's supporters cheerleading?  

why don't you answer the questions i posed since no one else seems to be able to?

There you go being the victim again.

Done.

[TPTB_need_war]

iCELatte, have you dumped your XMR, btw?  the federated SC of Monero will make them worthless.

Incorrect. At least not if Monero is clever about what they do.  

[TPTB_need_war]

So what if you take that idea of DMMS and replace it with a static plain signature, and the result is a centralized system which is better than just trusting a single server. It's a system where you can have real-time auditing by most participants, and where dishonesty is machine detectable. Censorship is not machine-detectable in this system.

Now invert his (Jorge Timon's) insight and you have my design. That is the paradigm shift epiphany.

[TPTB_need_war]

...changing the protocol to allow SPV proofs is an abuse of centralized power.

No worries. Core is doomed. A pegged side-chain with SPV built-in will win. Then minority Core will be 50+% attacked into oblivion. MPEX's short will be nullified by the peg.

[TPTB_need_war]

I'm advocating the most valuable feature of Bitcoin is the size of the network, that's what makes it better money than alts.

To be entirely nullified by my radical redesign of PoW.