Anonymity

[Ayers]

Monero offers unparalleled priquidity.  I made that up.  I'm proud of it.  (privacy * liquidity) = priquidity.  I also haven't slept in too darn long.

is monero really anonymous? how can someone know if his coin are sent to someone else? the other can just cheat can't he?

[Este Nuno]

Monero offers unparalleled priquidity.  I made that up.  I'm proud of it.  (privacy * liquidity) = priquidity.  I also haven't slept in too darn long.

is monero really anonymous? how can someone know if his coin are sent to someone else? the other can just cheat can't he?

fluffypony is a Monero dev and has a few posts in this very thread explaining and answering questions related to that.

[Lauda]

Don't worry, you haven't spoiled anything. I live in South Africa, I know exactly what most people can afford more than most people here.

The "most people" you refer to will use a web wallet or an SPV-style wallet, regardless of the disk space they can afford. Full nodes for Bitcoin (and in future for Monero) are only run by crypto enthusiasts or companies who have a vested interest in doing so...and both groups of people can and do own sufficient storage space even at this very moment to soak up a 110gb blockchain.

To your last point, currently the only other way to provide cryptographically untraceable and unlinkable transactions is ZeroCash, which has been discussed at length and has drawbacks of its own (eg. the accumulator creation event trust issue). All the other methods that exist add layers of obfuscation, but do not provide cryptographically untraceable and unlinkable transactions.

Oh then you understand the issues in areas where people are poor. You must realize that not all of them are able to use web wallets (not enough knowledge related to technology overall. Would you be able to provide an objective opinion between Monero and Darksend+ (even though you're a developer there), if you have followed the development on this side too? (new update - Evan posted recently that the release is a few days away). Theoretically the transactions aren't untraceable and unlinkable, but they do add a lot more anonymity compared to the likes of Bitcoin.

[entertheabyss]

Anoncoin is working on ZeroTrust, a completely trustless implementation of ZeroCoin using RSA_UFOs

Source:
https://wiki.anoncoin.net/Zerocoin
https://wiki.anoncoin.net/RSA_UFO

[othe]

Imagine 2 blockchains processing the same amount of transcations. Now Chain 1 is running with ringsignatures and Chain 2 is not.

Now lets say that every year 500 GB of transaction data gets produced and no blockchain pruning and shrinking is available.
After 1/2/3/4/5 years
Chain 1: 750GB/1.5 TB/2.25TB/3TB/3.75TB
Chain 2: 500GB/1TB/1.5TB/2TB/2.5 TB

And this is under the best case scenario that ringsignatures only produce 50% bigger tx. This number can be higher!

-snip-
Will a 110gb blockchain on full nodes really matter by 2019, when everyone is sporting 40tb drives? By direct comparison: Bitcoin's blockchain takes up 0.5% of today's 4tb drives, and comparably Monero would take up 0.275% of 2019's 40tb drives. In other words, disk space and Internet capacity is rapidly outstripping potential blockchain growth.

Ring signatures provide cryptographically untraceable and unlinkable transactions for a small sacrifice in blockchain storage in a world where disk space is not at a premium.

Sorry to spoil it for you, but most people do not have money to afford a 1TB thumb drive nor a 6TB HDD. In my country I rarely see people who have a 1TB HDD or higher (excluding myself). How do you plan to have a wider adoption? Although you never know, we might have 40TB drives we might still be stuck with the current limitations (look at batteries - minor/none improvement for years).
There are other ways to provide untraceable and unlinkable transactions. While ring signatures might bloat the blockchain a bit, they could do for now I guess.

On the flipside, those people will never ever have the cash to run a DRK Masternode where u need 1000 coins, i consider that a real issue as you need them for mixing, wheres Monero runs totally passive.

Oh then you understand the issues in areas where people are poor. You must realize that not all of them are able to use web wallets (not enough knowledge related to technology overall.

I dont get your point, its no difference to use a Liteweight wallet or a Fullwallet - both can look and feel exactly the same. And without Internet connection you can´t use cryptocurrency anyway - or well you could make an offline Monero transaction and bring it to someone with internet i guess - but have fun doing that with an active mixer engine.

[fluffypony]

Don't worry, you haven't spoiled anything. I live in South Africa, I know exactly what most people can afford more than most people here.

The "most people" you refer to will use a web wallet or an SPV-style wallet, regardless of the disk space they can afford. Full nodes for Bitcoin (and in future for Monero) are only run by crypto enthusiasts or companies who have a vested interest in doing so...and both groups of people can and do own sufficient storage space even at this very moment to soak up a 110gb blockchain.

To your last point, currently the only other way to provide cryptographically untraceable and unlinkable transactions is ZeroCash, which has been discussed at length and has drawbacks of its own (eg. the accumulator creation event trust issue). All the other methods that exist add layers of obfuscation, but do not provide cryptographically untraceable and unlinkable transactions.

Oh then you understand the issues in areas where people are poor. You must realize that not all of them are able to use web wallets (not enough knowledge related to technology overall. Would you be able to provide an objective opinion between Monero and Darksend+ (even though you're a developer there), if you have followed the development on this side too? (new update - Evan posted recently that the release is a few days away). Theoretically the transactions aren't untraceable and unlinkable, but they do add a lot more anonymity compared to the likes of Bitcoin.

I follow a lot of developments in cryptography, so I have of course been watching Darkcoin's progress. It definitely does add a lot more anonymity than Bitcoin provides, and that's certainly something that is to be applauded. Speaking purely from a cryptography perspective (and please do not take this as any sort of "FUD attack" or me being "anti-competitive" - I believe every cryptocurrency must carve out its own niche over time) there are two things that concern me:

1. Outputs can still be linked to addresses. If you send 20 DRK and it sends all these other outputs along with it to obfuscate, the 20 DRK still ends up in someone's address. That this can be observed on the blockchain means that analysis is easy, and we all know how often people leak addresses associated with their wallet (eg. posting it up for giveaways etc. etc.) This is an immutable problem in any Bitcoin-forked cryptocurrency that exists, as the solution (stealth addresses computed w/random data) has to be enforced for every transaction from the genesis block. If you enforce it halfway through you're stuck with old outputs that don't use stealth addresses, which makes it exceedingly complex to ensure the anonymityset is not at-risk.

2. Masternodes are an Achilles' heel. Let us say that there are 10 000 masternodes on the network. Their IP addresses and the port they operate on is, by necessity, known to the network. Let's assume that an attacker controls 5 masternodes of the 10 000. Let's also assume that each of the masternodes on the network is on a dedicated server (none of them use a VPS, because a VPS could be trivially owned by the host operating system) and each of these servers is on a 1gbps unmetered, dedicated port (clearly not the case right now, but I'm talking about a future time). How hard would it be for an attacker to knock the other 9995 masternodes off the network, leaving theirs as the only accessible masternodes (and thus not only earning them all the fees, but giving them perfect insight into transactions moving within their controlled group)? Well, NTP amplification attacks have let attackers launch 400Gbps attacks against a single machine from a sole 2mbps connection. SNMP has a theoretical 650x amplification factor. All an attacker needs to do is max out the unmetered port in an obvious attack, and the datacenter will have to react. Even straight up LOIC-style / botnet SYN floods to the port that the masternode has open will lead to the DC null-routing traffic to that box, typically for 6 hours whilst they wait for the attack to stop. Mitigating this is an extremely difficult and expensive operation for each masternode to individually undertake, and not all DCs will even be able to provide DDoS mitigation at this level. An unsophisticated attacker using extremely traditional tools can knock all of the masternodes off the network except those they control. This is a threat to anonymity.

Incidentally, the other problem with masternodes that nobody seems to have thought of is that the limited number of them will mean they're in direct competition with each other. It is in a masternode operator's financial interests to make life difficult for the rest of them - DDoS attacks, reporting the box to the datacenter, anything that can knock a single competitor off the masternode network means more fees for the remaining masternodes. This is different to PoW mining where, for instance, knocking the pools offline doesn't mean you'll get more transaction fees, as miners always have backup pools. I'm not sure how sustainable this is as a system if it unmistakably pitches operators against each other to fight for fees. Given the cost and capital required to own a masternode, it's appreciable that this will happen as a natural result of wanting to maximise masternode profits.

[Lauda]

-snip-
Incidentally, the other problem with masternodes that nobody seems to have thought of is that the limited number of them will mean they're in direct competition with each other. It is in a masternode operator's financial interests to make life difficult for the rest of them - DDoS attacks, reporting the box to the datacenter, anything that can knock a single competitor off the masternode network means more fees for the remaining masternodes. This is different to PoW mining where, for instance, knocking the pools offline doesn't mean you'll get more transaction fees, as miners always have backup pools. I'm not sure how sustainable this is as a system if it unmistakably pitches operators against each other to fight for fees. Given the cost and capital required to own a masternode, it's appreciable that this will happen as a natural result of wanting to maximise masternode profits.

No, I'm definitely not considering this as an attack or something similar. At least you are not: a) ignoring my questions (for stupid reasons like blind followers tend to); b) do not spread FUD about competing coins. I've took some time re-reading this, and it's obviously that your knowledge exceeds mine (well you're a developer after all). I'll get some input elsewhere and respond afterwards (!) accordingly.
Well the issue is that the IP and port of the MNs are known to the network and thus making them vulnerable. Well I don't think that all MNs will be able to get knocked down by this, surely there will be a few individuals to host a few MNs with high security. Don't you think so?
Yeah I think it is limited to 2000(?). Well your concerns are based on the MNs not being good enough (either concept/current implementation).
I also did not know the extend of NTP nor SNMP application, this is knowledge that I will have to hold onto.

[fluffypony]

Well the issue is that the IP and port of the MNs are known to the network and thus making them vulnerable. Well I don't think that all MNs will be able to get knocked down by this, surely there will be a few individuals to host a few MNs with high security. Don't you think so?

Absolutely - but the cost of doing this is extremely high. During a DDoS a datacenter is having their bandwidth saturated, and it's affecting other customers in the datacenter, so they will typically get their upstream bandwidth provider to null-route all traffic bound for that IP address. The upstream bandwidth provider's equipment is all muscle, no brain, on massive amounts of bandwidth, so it can't route things based on the type of data, only on the destination. Typically this means that DDoS mitigation is done, for example, by having round-robin DNS that spreads the load out to different data centers, and when under attack the DNS records can be updated faster than an attacker can reroute his DDoS. If the attack is sufficiently clever and sufficiently large there will be downtime, but it'll be measured in minutes and not in hours.

The only way to mitigate this is to scrub the data at line rate, which means you need your own very powerful, very clever, very expensive routers collocated at the DC. You're also going to need to rent at least 20gbps of the DC's bandwidth, even if you're only using a tiny tiny fraction of that, as a DDoS attack will fill that pipe and your routers will need to scrub it and only let clean data through. It's definitely doable, but it'll cost you tens of thousands of Dollars a month.

[illodin]

If a method is implemented where the wallet can determine the number of running masternodes with a certain level of probability before anonymizing its non-anonymized coins, the incentive to dos the masternodes is taken away. You had some ideas here, but even a superpeer group keeping the count would go a long way imo while a totally trustless solution is found.

[fluffypony]

If a method is implemented where the wallet can determine the number of running masternodes with a certain level of probability before anonymizing its non-anonymized coins, the incentive to dos the masternodes is taken away. You had some ideas here, but even a superpeer group keeping the count would go a long way imo while a totally trustless solution is found.

That's true, although my idea was a little half-baked and not entirely thought through;) It still doesn't solve the problem of masternode operators being willing to attack each other to boost their own profits, though, and it doesn't give you any insight as to whether a masternode has been hacked and is being maliciously controlled. If they're hell-bent on using externally observable transaction mixing / coinjoin-style mixing, then the real solution is for every node to be involved in mixing (as with i2p or BitMessage, for instance), and for there to be no financial incentive to mix and no ability to disable it. That's the only way you avoid Sybil attacks and remove the risk of masternodes destroying each other. Then you'd need to add stealth addresses where output destinations are computed with random data, and hard fork so that any tx that has non-stealth outputs is rejected.

[Este Nuno]

Well the issue is that the IP and port of the MNs are known to the network and thus making them vulnerable. Well I don't think that all MNs will be able to get knocked down by this, surely there will be a few individuals to host a few MNs with high security. Don't you think so?

Absolutely - but the cost of doing this is extremely high. During a DDoS a datacenter is having their bandwidth saturated, and it's affecting other customers in the datacenter, so they will typically get their upstream bandwidth provider to null-route all traffic bound for that IP address. The upstream bandwidth provider's equipment is all muscle, no brain, on massive amounts of bandwidth, so it can't route things based on the type of data, only on the destination. Typically this means that DDoS mitigation is done, for example, by having round-robin DNS that spreads the load out to different data centers, and when under attack the DNS records can be updated faster than an attacker can reroute his DDoS. If the attack is sufficiently clever and sufficiently large there will be downtime, but it'll be measured in minutes and not in hours.

The only way to mitigate this is to scrub the data at line rate, which means you need your own very powerful, very clever, very expensive routers collocated at the DC. You're also going to need to rent at least 20gbps of the DC's bandwidth, even if you're only using a tiny tiny fraction of that, as a DDoS attack will fill that pipe and your routers will need to scrub it and only let clean data through. It's definitely doable, but it'll cost you tens of thousands of Dollars a month.

Problems like these make problems like Monero's blockchain bloat seem trivial in comparison.

This actually kind of sucks for me because I'm really hoping someone comes up with a solid anon solution that can be implemented in to Bitcoin style blockchain tech at some point.

I guess at this point the only hope is XC's closed source solution. But I'm not holding my breath tbh.

[Lauda]

@Fluffypony

Very good questions. I'm excited that we're starting to see some higher level questions again.

1.) Payee addresses are arguably the less important aspect of privacy. As the sender, it's more important to protect your identity. The other side can simply be addressed by generating a new change address per payment. Between the two of these the system would be completely anonymous. Also, after receiving payment, your client will prepare the funds again, increasing their anonymity.

2.) There's not a perfect solution to this yet, but Masternode operators have an interest in getting more darkcoin and keeping their existing inventment as valuable as possible. By attacking the network, they would cause harm to their investment. Also, the client is resistant to DDOS attack currently and masternode operators are instructed to close all other ports and have some kind of DDOS protection.

As a longer term solution, we could not broadcast the IPs of masternodes, but an identifier. Users could then say they want to broadcast to that masternode, but not actually connect to it. This would hide the identities and create a much more robust system.

Any other concerns? Looks like that he is interested in such discussions, which isn't surprising considering the amount of trolling in the coin thread.

[aminorex]

I'm really hoping someone comes up with a solid anon solution that can be implemented in to Bitcoin style blockchain tech at some point.

Why?

[sumantso]

BTSX with TITAN is a good candidate https://bitcointalk.org/index.php?topic=687251.0

Although I can't compare with other anonymous implementations as I know little of them.

[Este Nuno]

I'm really hoping someone comes up with a solid anon solution that can be implemented in to Bitcoin style blockchain tech at some point.

Why?

Because I'm involved with a project that is a new implementation of the latest version of Bitcoin and I'd like for it to be able to implement some level of anonymity at some point within the next year or two. The focus of the project isn't on anonymity at this point at all but personally I hope that eventually there will be solutions that won't require building everything from scratch like CryptoNote did.

Wishful thinking perhaps.

[DannyElfman]

I'm really hoping someone comes up with a solid anon solution that can be implemented in to Bitcoin style blockchain tech at some point.

Why?

Because I'm involved with a project that is a new implementation of the latest version of Bitcoin and I'd like for it to be able to implement some level of anonymity at some point within the next year or two. The focus of the project isn't on anonymity at this point at all but personally I hope that eventually there will be solutions that won't require building everything from scratch like CryptoNote did.

Wishful thinking perhaps.

There are ways to add anonymity to bitcoin without changing the code. It won't be on source level, but with service providers. You could do something like a DAC mixer.

[Este Nuno]

I'm really hoping someone comes up with a solid anon solution that can be implemented in to Bitcoin style blockchain tech at some point.

Why?

Because I'm involved with a project that is a new implementation of the latest version of Bitcoin and I'd like for it to be able to implement some level of anonymity at some point within the next year or two. The focus of the project isn't on anonymity at this point at all but personally I hope that eventually there will be solutions that won't require building everything from scratch like CryptoNote did.

Wishful thinking perhaps.

There are ways to add anonymity to bitcoin without changing the code. It won't be on source level, but with service providers. You could do something like a DAC mixer.

But even in this case don't you still have to trust the DAC's master or owner or whatever? Unless it was truly independent I guess.

[DannyElfman]

I'm really hoping someone comes up with a solid anon solution that can be implemented in to Bitcoin style blockchain tech at some point.

Why?

Because I'm involved with a project that is a new implementation of the latest version of Bitcoin and I'd like for it to be able to implement some level of anonymity at some point within the next year or two. The focus of the project isn't on anonymity at this point at all but personally I hope that eventually there will be solutions that won't require building everything from scratch like CryptoNote did.

Wishful thinking perhaps.

There are ways to add anonymity to bitcoin without changing the code. It won't be on source level, but with service providers. You could do something like a DAC mixer.

But even in this case don't you still have to trust the DAC's master or owner or whatever? Unless it was truly independent I guess.

The definition of DAC is that it is 100% autonomous. There are semi-smart contracts that are like those you were just thinking off.

[MajidBC]

That was clever. So both ends of transaction is needed.
And, per-kb fee is the limiting factor not to set the number of signatures so high, unless we want to transfer a high amount of money, or a very secret one (for instance to Walter White).

Who is the designer of this transaction method? Is this published in a scientific journal, for instance in a cryptography one?

At the moment we're on a flat per-tx fee, so it's still cheap either way, but yes - once we move to per-kb fees it'll be more expensive to use large signature groups (although not prohibitively so).

The original CryptoNote whitepaper is here: https://cryptonote.org/whitepaper.pdf

The CN whitepaper had not been peer reviewed, so we took that job on ourselves.

Our mathematicians and cryptographers raw (and sometimes snarky;) annotations are here: http://monero.cc/downloads/whitepaper_annotated.pdf
The review of the CN whitepaper as presented by one of our mathematicians is here: http://monero.cc/downloads/whitepaper_review.pdf

All worthy reads, and as you can see there's actual mathematics and cryptography and not just pretty pictures:-P

Thanks for the recommendations. I read some parts of the last one, I have M.Sc in Mathematics and it's good to see some mathematics in cryptocurrency. It looked interesting. I will study it completely later.

[MajidBC]

ring signatures used in coins like monero cause blockchain bloat making them unusable for mainstream adoption...so no...XC is what your looking for, read it and weep if your not invested already https://bitcointalk.org/index.php?topic=630547.0  

Can you explain a little about mainstream adoption and its compatibility problem with the ring signatures?

It's a very tired argument that gets pulled out and rebutted each time. The Monero blockchain is currently 5.5x the size of the Bitcoin one for comparable total transactions (so linearly larger than Bitcoin's). So when we've had 44 million transactions (as Bitcoin has over its 5.5 year existence) our blockchain will be about 110gb vs. Bitcoin's current 20gb blockchain. This is, in itself, not a problem, as by the time we get there in a few  years disk space will be appreciably larger, and we'll have the same full node problem Bitcoin has (who seriously keeps the full 20gb Bitcoin blockchain on their laptop, for instance) - the majority of our userbase will use lightweight wallets.

A lot of the people that state that Monero has a "blockchain bloat" problem are picking up snippets of conversation between quite intelligent people on the matter without actually understanding the issue. Monero has exactly the same "bloat" problem as XC, DarkCoin, and anything else that uses a form of mixing - you are going to incur additional entries in the blockchain for every mix (or in Monero's case for every additional signature in a ring), which means the blockchain for all of them is going to be linearly larger than Bitcoin's for the same number of transactions. It is a compromise you accept if you want transaction privacy: it uses more space in the blockchain. However, the advantage that a Bitcoin-derived altcoin has is that it can prune the bloated blockchain, whereas with Monero you can never tell if a utxo has actually been spent or just used in a ring signature, so pruning in the Bitcoin sense is not possible. THIS is what they're actually claiming - that all of the blockchains are going to bloat, but Monero's can't be pruned the way Bitcoin's can. It's very, very important to note alongside this that the Bitcoin blockchain has never been pruned, the code to operate off a pruned blockchain is simply not there (that notwithstanding, as of Bitcoin Core 0.9.0 it does have the ability to prune provably unspendable outputs, but that is not the same as the blockchain pruning we are referring to). Therefore, none of these Bitcoin-derived altcoins are actually able to prune their blockchain, despite their belief that they can flick a switch and voila, magically small blockchain. Not unless they have the ability to write code that the Bitcoin core developers and hundreds of contributors have yet to write.

I'm learning a lot from you. I think it's a good trade off, bigger hard disk space but un-linkable and untraceable transaction. I don't know anything about how blockchain works, but I'm thinking about a wallet which deletes the data which is, for example, a month old and can be used just for send/receive. Another wallet for the network. I haven't read the last posts here, and I guess I will find my answer there.