Anonymity

[uvt9]

ring signatures used in coins like monero cause blockchain bloat making them unusable for mainstream adoption...so no...XC is what your looking for, read it and weep if your not invested already https://bitcointalk.org/index.php?topic=630547.0 

I think you need more professional promotion, simply saying "blah blah XXX is what you need blah blah ..." would sound stupid and make people stay away from what you're trying to promote.

I don't deny that Ring Signatures cause bigger blockchain, but consider it as a tradeoff to achieve superior privacy which is unmatched by any coin based on Bitcoin protocol (including XC).

About mass adoption, average users will end up using light weight clients on their phone/PC, leaving full nodes run on dedicated servers around the world.

[1713859075]

1713859075

[1713859075]

1713859075

[1713859075]

1713859075

[1713859075]

1713859075

[fluffypony]

ring signatures used in coins like monero cause blockchain bloat making them unusable for mainstream adoption...so no...XC is what your looking for, read it and weep if your not invested already https://bitcointalk.org/index.php?topic=630547.0 

Do you run a full Bitcoin node with the 20gb blockchain? Just checking.

[Coingrab]

What about Zerocash / coin anonymity These are supposed to be totally anonymous. wont they be untraceable when they go live?

If they go live anyway. I haven't heard anything for a while now.

Doesn't mean it's not coming though. Maybe they're just hard at work.

What I've read on it anyway was its real good but dog ass slow and so they need to speed it up somehow.

[MajidBC]

Thanks for the response. I just read about Bitcoin mixer. It's an easy idea, but I guess its implementation is complicated. How much is the fee for it?
...
Do you think governments will forbid anonymous transactions? For example, by forcing exchanges not to accept them.

Coinjoin is very weak.  Read about coinjoin sudoku.

Exchanges are nice but not necessary.  There will always be variation between jurisdictions anyhow, and crypto is global.

Yup, I just read the following paragraph from http://www.coinjoinsudoku.com/advisory/

Executive Summary:

The SharedCoin mixing service provided by Blockchain.info offers only limited privacy to users due to weaknesses in its design. Bitcoin users should carefully consider their privacy requirements and evaluate other mixing services if they require serious privacy guarantees. A tool for analyzing SharedCoin and other CoinJoin-based mixing protocols will be released approximately two weeks following this advisory to allow SharedCoin users adequate time to protect their privacy.

[MajidBC]

Basically, with ring signatures a transaction output is signed by you and by a group of random signatories (garnered from the utxoset, and the number of signatures is specified by you). Only one of these signatures is "true" (and that can be determined by the recipient), but to an outside observer they cannot determine which of the N signatures on an output is true, as they all appear to be valid.

Firstly, thanks for the comprehensive explanation. You said in the quoted paragraph "the number of signatures is specified by you". Of course, the bigger, the harder to find the sender, right? Is there any bound for it? And, where can I set that?

Well, remember that you first need to crack either end of a transaction before you even get to the ring signature stage. Pragmatically, then: let's say you've purchased "ileegil drukz" from Walter, a manufacturer. He gets busted by the DEA who beat him with a pipe wrench until he reveals his wallet password. Now they can see all of the incoming transfers. They pick one of them that has, say, a mixin of 5. They now have 5 seemingly valid signatures on each of the transaction outputs (but no direct way of knowing who those 5 signatories are, short of knowing the identity of every single wallet holder on the network). Quite literally the only way for them to prove a transaction happened is to have access to both the sender and the recipient's private keys.

There is no upper bound on mixin, but each signature increases the size of the transaction, so when we move to per-kb fees a higher mixin will cost more. Right now you're only bound by physical transaction size limits. Just to confirm that very high mixins work, I created a 1 XMR example transaction with a mixin of 100 no problem, and it was mined and confirmed with a minute.

That was clever. So both ends of transaction is needed.
And, per-kb fee is the limiting factor not to set the number of signatures so high, unless we want to transfer a high amount of money, or a very secret one (for instance to Walter White).

Who is the designer of this transaction method? Is this published in a scientific journal, for instance in a cryptography one?

[MajidBC]

Is anonymity very important? i think the important thing is benefit of mankind.

Without anonymity, the best working picture of the future is that of a boot endlessly stomping on a human face.
https://bitcointalk.org/index.php?topic=624223.msg7998097#msg7998097

Couldn't agree more. Anonymity (i.e. privacy) is human right regulated by UN Universal Declaration of Human Rights, if nowhere else in your country. One should learn from the history, not ignore it.

Additionally, i personally believe that privacy is one of few (if not the only efficient one) peaceful tools that ppl have to motivate their states to reorganize and optimize itself, if/when corruption gets out of control - i.e. when corruption is that large that fair elections are not possibility anymore, or when fair elections are possible but don't change anything. This second part may be hard to understand for someone that lives in well organized country, but there are really fu*ked up countries in the World.

@Christ-Clin
Have you read the book "1984" by George Orwell?

[MajidBC]

Is anonymity very important? i think the important thing is benefit of mankind.

Without anonymity, the best working picture of the future is that of a boot endlessly stomping on a human face.
https://bitcointalk.org/index.php?topic=624223.msg7998097#msg7998097

Couldn't agree more. Anonymity (i.e. privacy) is human right regulated by UN Universal Declaration of Human Rights, if nowhere else in your country. One should learn from the history, not ignore it.

Additionally, i personally believe that privacy is one of few (if not the only efficient one) peaceful tools that ppl have to motivate their states to reorganize and optimize itself, if/when corruption gets out of control - i.e. when corruption is that large that fair elections are not possibility anymore, or when fair elections are possible but don't change anything. This second part may be hard to understand for someone that lives in well organized country, but there are really fu*ked up countries in the World.

The NSA scandal was disappointing. Is the same thing true about other countries? For instance, Europeans, is your privacy violated by your governments, like the US?

[MajidBC]

One of the bitcointalk ads says:
"Even if you use Bitcoin through Tor, the way transactions are handled by the network makes anonymity difficult to achieve. Do not expect your transactions to be anonymous unless you really know what you're doing."

In your opinion, which coin really has anonymous transaction? Is total anonymity possible at all?

The ad talks about how your IP could be linked to your transaction.

Now if you use TOR but still didn't hide your traces before, than an ovserver could link your previous transactions to an IP because all Txs are linked.

So to achive anonymity with bitcoin you need to cut the link between your transactions and your IP and in addition to that you need to unlink your transactions from your personal details. Tumblers can help with that.

Thanks for the explanation. You explained it very simple.

[MajidBC]

ring signatures used in coins like monero cause blockchain bloat making them unusable for mainstream adoption...so no...XC is what your looking for, read it and weep if your not invested already https://bitcointalk.org/index.php?topic=630547.0 

Can you explain a little about mainstream adoption and its compatibility problem with the ring signatures?

[fluffypony]

That was clever. So both ends of transaction is needed.
And, per-kb fee is the limiting factor not to set the number of signatures so high, unless we want to transfer a high amount of money, or a very secret one (for instance to Walter White).

Who is the designer of this transaction method? Is this published in a scientific journal, for instance in a cryptography one?

At the moment we're on a flat per-tx fee, so it's still cheap either way, but yes - once we move to per-kb fees it'll be more expensive to use large signature groups (although not prohibitively so).

The original CryptoNote whitepaper is here: https://cryptonote.org/whitepaper.pdf

The CN whitepaper had not been peer reviewed, so we took that job on ourselves.

Our mathematicians and cryptographers raw (and sometimes snarky;) annotations are here: http://monero.cc/downloads/whitepaper_annotated.pdf
The review of the CN whitepaper as presented by one of our mathematicians is here: http://monero.cc/downloads/whitepaper_review.pdf

All worthy reads, and as you can see there's actual mathematics and cryptography and not just pretty pictures:-P

[fluffypony]

ring signatures used in coins like monero cause blockchain bloat making them unusable for mainstream adoption...so no...XC is what your looking for, read it and weep if your not invested already https://bitcointalk.org/index.php?topic=630547.0 

Can you explain a little about mainstream adoption and its compatibility problem with the ring signatures?

It's a very tired argument that gets pulled out and rebutted each time. The Monero blockchain is currently 5.5x the size of the Bitcoin one for comparable total transactions (so linearly larger than Bitcoin's). So when we've had 44 million transactions (as Bitcoin has over its 5.5 year existence) our blockchain will be about 110gb vs. Bitcoin's current 20gb blockchain. This is, in itself, not a problem, as by the time we get there in a few  years disk space will be appreciably larger, and we'll have the same full node problem Bitcoin has (who seriously keeps the full 20gb Bitcoin blockchain on their laptop, for instance) - the majority of our userbase will use lightweight wallets.

A lot of the people that state that Monero has a "blockchain bloat" problem are picking up snippets of conversation between quite intelligent people on the matter without actually understanding the issue. Monero has exactly the same "bloat" problem as XC, DarkCoin, and anything else that uses a form of mixing - you are going to incur additional entries in the blockchain for every mix (or in Monero's case for every additional signature in a ring), which means the blockchain for all of them is going to be linearly larger than Bitcoin's for the same number of transactions. It is a compromise you accept if you want transaction privacy: it uses more space in the blockchain. However, the advantage that a Bitcoin-derived altcoin has is that it can prune the bloated blockchain, whereas with Monero you can never tell if a utxo has actually been spent or just used in a ring signature, so pruning in the Bitcoin sense is not possible. THIS is what they're actually claiming - that all of the blockchains are going to bloat, but Monero's can't be pruned the way Bitcoin's can. It's very, very important to note alongside this that the Bitcoin blockchain has never been pruned, the code to operate off a pruned blockchain is simply not there (that notwithstanding, as of Bitcoin Core 0.9.0 it does have the ability to prune provably unspendable outputs, but that is not the same as the blockchain pruning we are referring to). Therefore, none of these Bitcoin-derived altcoins are actually able to prune their blockchain, despite their belief that they can flick a switch and voila, magically small blockchain. Not unless they have the ability to write code that the Bitcoin core developers and hundreds of contributors have yet to write.

[illodin]

One of the points that is often not mentioned with the Bitcoin-forked altcoins that claim anonymous transactions is that you have to give out your recipient address to receive coins. The process in-between may protect the sender, but if the receiver's address is found (eg. mentioned on a forum or on IRC once) the receiver is at-risk, since it can be seen that they received a transaction of a certain amount.

Isn't this what stealth addresses are for? And they can be implemented in any bitcoin based coin?

[kbm]

One of the points that is often not mentioned with the Bitcoin-forked altcoins that claim anonymous transactions is that you have to give out your recipient address to receive coins. The process in-between may protect the sender, but if the receiver's address is found (eg. mentioned on a forum or on IRC once) the receiver is at-risk, since it can be seen that they received a transaction of a certain amount.

Isn't this what stealth addresses are for? And they can be implemented in any bitcoin based coin?

My understanding is that the stealth addressing (coupled w/ RS) used in CN is there to provide a reasonable doubt when viewing only the blockchain tx's without a view key, but that doubt can still be removed by providing a view key from the specific person's wallet you'd be looking for information from any time in the future. Is there such a system in bitcoin where I can reveal my stealth address as being concretely owned by my own address in such a manner in bitcoin (that's native to the protocol)?

Short of giving someone total control of my wallet (which would allow sending money, not only viewing transactions), and the way listed below, can I prove that the stealth address was my own and that I sent a transaction to someone?

I think the only way to provide proof with the bitcoin stealth address is by:

you can put your stealth address as part of your OpenPGP key, and with the web-of-trust I can be be sure I'm paying the right person. Or do the same thing with a X.509 certificate.

Which would require trust and reputation. Not sure if I'm right here though, anyone know any better?

[fluffypony]

One of the points that is often not mentioned with the Bitcoin-forked altcoins that claim anonymous transactions is that you have to give out your recipient address to receive coins. The process in-between may protect the sender, but if the receiver's address is found (eg. mentioned on a forum or on IRC once) the receiver is at-risk, since it can be seen that they received a transaction of a certain amount.

Isn't this what stealth addresses are for? And they can be implemented in any bitcoin based coin?

Yes exactly:) The problem with any of the Bitcoin-based coins currently in existence is that they cannot/will not FORCE stealth addresses. In other words, if I've received 5 WhateverCoins from you to my stealth address, chances are when I go to spend them I'm going to send them to a non-stealth (regular) address, which thus reveals me to be the recipient of the output. Stealth addresses have to be the ONLY way to transact, and it has to be in from the genesis block on.

The other thing to consider is that stealth addresses *alone* do not protect you. If our aforementioned hypothetical drug manufacturer is busted and gives law enforcement access to his wallet, they correlate an output of a certain amount with that which was paid by you (and vice versa for a payer that is busted). Thus, the other thing that is required is to have a clever mix of outputs such that blockchain analysis can't find unique amounts. Take, for example, this Monero transaction. At first glance it appears to be for 93.487 XMR. But, as you can see, the outputs are 90, 3, 0.4, 0.08, and 0.007 XMR. Thus there's no way of telling the actual amount for this transaction. It could be 90 XMR (with the other outputs merely returning to the sender), or it could be 3.487, or 93, or 90.08, and so on. So now we're, cryptographically, creating transactions are very hard to trace by blockchain analysis alone, even if one party is fully pipe-wrench compromised.

The final step is, of course, plausible deniability. This is what ring signatures provide - the ability for each of those outputs of a transaction to be digitally signed by a group of seemingly valid signatures, such that it is impossible without fully owning the sender and recipient wallets to know if an output "belongs" to someone. And the ring group isn't as small as the mixin you set, the mixin is per output. Thus, on the transaction mentioned above which had 5 outputs: if the sender had sent that with a mixin of 50 that's 250 "people" signing that transaction, for which an observer is unsure which output is true by blockchain analysis alone, which does not even have a unique amount that can be traced.

[DannyElfman]

ring signatures used in coins like monero cause blockchain bloat making them unusable for mainstream adoption...so no...XC is what your looking for, read it and weep if your not invested already https://bitcointalk.org/index.php?topic=630547.0 

Can you explain a little about mainstream adoption and its compatibility problem with the ring signatures?

Imagine 2 blockchains processing the same amount of transcations. Now Chain 1 is running with ringsignatures and Chain 2 is not.

Now lets say that every year 500 GB of transaction data gets produced and no blockchain pruning and shrinking is available.
After 1/2/3/4/5 years
Chain 1: 750GB/1.5 TB/2.25TB/3TB/3.75TB
Chain 2: 500GB/1TB/1.5TB/2TB/2.5 TB

And this is under the best case scenario that ringsignatures only produce 50% bigger tx. This number can be higher!

[Este Nuno]

ring signatures used in coins like monero cause blockchain bloat making them unusable for mainstream adoption...so no...XC is what your looking for, read it and weep if your not invested already https://bitcointalk.org/index.php?topic=630547.0 

Can you explain a little about mainstream adoption and its compatibility problem with the ring signatures?

Imagine 2 blockchains processing the same amount of transcations. Now Chain 1 is running with ringsignatures and Chain 2 is not.

Now lets say that every year 500 GB of transaction data gets produced and no blockchain pruning and shrinking is available.
After 1/2/3/4/5 years
Chain 1: 750GB/1.5 TB/2.25TB/3TB/3.75TB
Chain 2: 500GB/1TB/1.5TB/2TB/2.5 TB

And this is under the best case scenario that ringsignatures only produce 50% bigger tx. This number can be higher!

I don't really find it that bad. People will still be able to run nodes no problem and regular people can use thin clients. Assuming that standard Bitcoin style thin clients work with ring sig tech. I assume it does but I don't know.

[fluffypony]

ring signatures used in coins like monero cause blockchain bloat making them unusable for mainstream adoption...so no...XC is what your looking for, read it and weep if your not invested already https://bitcointalk.org/index.php?topic=630547.0 

Can you explain a little about mainstream adoption and its compatibility problem with the ring signatures?

Imagine 2 blockchains processing the same amount of transcations. Now Chain 1 is running with ringsignatures and Chain 2 is not.

Now lets say that every year 500 GB of transaction data gets produced and no blockchain pruning and shrinking is available.
After 1/2/3/4/5 years
Chain 1: 750GB/1.5 TB/2.25TB/3TB/3.75TB
Chain 2: 500GB/1TB/1.5TB/2TB/2.5 TB

And this is under the best case scenario that ringsignatures only produce 50% bigger tx. This number can be higher!

Your figures are off, the actual figure for Monero is closer to around 5.5x linearly larger than Bitcoin for comparable transaction amounts. I've already gone over this tired and blatantly incorrect argument further up in this thread so I won't rehash things too much, but suffice it to say that your timeline misses some important details (I mean besides the fact that no cryptocurrency actually has working pruning, just the theoretical prospect of it).

The first is that you're missing time as a frame of reference. Those two chains don't exist at the same time, and by the time the ring signatures chain reaches the level of transactions chain 1 has the lay of the land will be different. In other words, Bitcoin's blockchain right now is 20gb as it processes 61 000 transactions a day with a huge market cap and massive amounts of global reach. If Monero, for instance, reached that level in 5 years time it would have a 110gb blockchain by the middle of 2019. I have a 1tb Kingston thumb drive in my pocket, WD just released the 6tb version of their Red NAS series of drives. With HGST pushing HAMR drives for next year, they expect that in the next 5 years there will be 40tb - 60tb drives that are as readily available and cheap as 4tb - 6tb drives today. Will a 110gb blockchain on full nodes really matter by 2019, when everyone is sporting 40tb drives? By direct comparison: Bitcoin's blockchain takes up 0.5% of today's 4tb drives, and comparably Monero would take up 0.275% of 2019's 40tb drives. In other words, disk space and Internet capacity is rapidly outstripping potential blockchain growth.

Ring signatures provide cryptographically untraceable and unlinkable transactions for a small sacrifice in blockchain storage in a world where disk space is not at a premium.

[Lauda]

Imagine 2 blockchains processing the same amount of transcations. Now Chain 1 is running with ringsignatures and Chain 2 is not.

Now lets say that every year 500 GB of transaction data gets produced and no blockchain pruning and shrinking is available.
After 1/2/3/4/5 years
Chain 1: 750GB/1.5 TB/2.25TB/3TB/3.75TB
Chain 2: 500GB/1TB/1.5TB/2TB/2.5 TB

And this is under the best case scenario that ringsignatures only produce 50% bigger tx. This number can be higher!

-snip-
Will a 110gb blockchain on full nodes really matter by 2019, when everyone is sporting 40tb drives? By direct comparison: Bitcoin's blockchain takes up 0.5% of today's 4tb drives, and comparably Monero would take up 0.275% of 2019's 40tb drives. In other words, disk space and Internet capacity is rapidly outstripping potential blockchain growth.

Ring signatures provide cryptographically untraceable and unlinkable transactions for a small sacrifice in blockchain storage in a world where disk space is not at a premium.

Sorry to spoil it for you, but most people do not have money to afford a 1TB thumb drive nor a 6TB HDD. In my country I rarely see people who have a 1TB HDD or higher (excluding myself). How do you plan to have a wider adoption? Although you never know, we might have 40TB drives we might still be stuck with the current limitations (look at batteries - minor/none improvement for years).
There are other ways to provide untraceable and unlinkable transactions. While ring signatures might bloat the blockchain a bit, they could do for now I guess.

[Este Nuno]

Imagine 2 blockchains processing the same amount of transcations. Now Chain 1 is running with ringsignatures and Chain 2 is not.

Now lets say that every year 500 GB of transaction data gets produced and no blockchain pruning and shrinking is available.
After 1/2/3/4/5 years
Chain 1: 750GB/1.5 TB/2.25TB/3TB/3.75TB
Chain 2: 500GB/1TB/1.5TB/2TB/2.5 TB

And this is under the best case scenario that ringsignatures only produce 50% bigger tx. This number can be higher!

-snip-
Will a 110gb blockchain on full nodes really matter by 2019, when everyone is sporting 40tb drives? By direct comparison: Bitcoin's blockchain takes up 0.5% of today's 4tb drives, and comparably Monero would take up 0.275% of 2019's 40tb drives. In other words, disk space and Internet capacity is rapidly outstripping potential blockchain growth.

Ring signatures provide cryptographically untraceable and unlinkable transactions for a small sacrifice in blockchain storage in a world where disk space is not at a premium.

Sorry to spoil it for you, but most people do not have money to afford a 1TB thumb drive nor a 6TB HDD. In my country I rarely see people who have a 1TB HDD or higher (excluding myself). How do you plan to have a wider adoption? Although you never know, we might have 40TB drives we might still be stuck with the current limitations (look at batteries - minor/none improvement for years).
There are other ways to provide untraceable and unlinkable transactions. While ring signatures might bloat the blockchain a bit, they could do for now I guess.

But they will be able to afford them in 2019. I think his point was that if he has these today then by then storage will easily cover the needs of the blockchain for many people.

[fluffypony]

Imagine 2 blockchains processing the same amount of transcations. Now Chain 1 is running with ringsignatures and Chain 2 is not.

Now lets say that every year 500 GB of transaction data gets produced and no blockchain pruning and shrinking is available.
After 1/2/3/4/5 years
Chain 1: 750GB/1.5 TB/2.25TB/3TB/3.75TB
Chain 2: 500GB/1TB/1.5TB/2TB/2.5 TB

And this is under the best case scenario that ringsignatures only produce 50% bigger tx. This number can be higher!

-snip-
Will a 110gb blockchain on full nodes really matter by 2019, when everyone is sporting 40tb drives? By direct comparison: Bitcoin's blockchain takes up 0.5% of today's 4tb drives, and comparably Monero would take up 0.275% of 2019's 40tb drives. In other words, disk space and Internet capacity is rapidly outstripping potential blockchain growth.

Ring signatures provide cryptographically untraceable and unlinkable transactions for a small sacrifice in blockchain storage in a world where disk space is not at a premium.

Sorry to spoil it for you, but most people do not have money to afford a 1TB thumb drive nor a 6TB HDD. In my country I rarely see people who have a 1TB HDD or higher (excluding myself). How do you plan to have a wider adoption? Although you never know, we might have 40TB drives we might still be stuck with the current limitations (look at batteries - minor/none improvement for years).
There are other ways to provide untraceable and unlinkable transactions. While ring signatures might bloat the blockchain a bit, they could do for now I guess.

Don't worry, you haven't spoiled anything. I live in South Africa, I know exactly what most people can afford more than most people here.

The "most people" you refer to will use a web wallet or an SPV-style wallet, regardless of the disk space they can afford. Full nodes for Bitcoin (and in future for Monero) are only run by crypto enthusiasts or companies who have a vested interest in doing so...and both groups of people can and do own sufficient storage space even at this very moment to soak up a 110gb blockchain.

To your last point, currently the only other way to provide cryptographically untraceable and unlinkable transactions is ZeroCash, which has been discussed at length and has drawbacks of its own (eg. the accumulator creation event trust issue). All the other methods that exist add layers of obfuscation, but do not provide cryptographically untraceable and unlinkable transactions.