delete

[TheFascistMind]

my recipient has lost his funds.

Yes this is what happens in a double spend scenario

What if I've died, moved on, lost my private key, etc.. I can't reissue the transaction.

Then you are a small edge case, especially for plausible fork lengths, and even more especially for plausible fork lengths given regular checkpoints (as in Bitcoin and every other reasonable coin). Given the possibility of forks (even normal ones transient ones) you always need to be prepared to reissue your transaction for some reasonable period of time.

The far more likely cases are that: 1) nothing happens, or 2) you simply see the coins back in your wallet and resend them.

Smooth I am sorry you didn't read yesterday's discussion I had with NewLiberty. I refuse to repeat the same discussion again.

Checkpoints are an illusion given a sustained attacker. Once the attackers' chain get mixed up with enough important transactions, you will have users screaming bloody murder if you try to unwind them.

You entirely dismiss the concept of time. Ding dong!

"Hey I sold out of XMR when I saw the attack underway and I got out before the stampede in the price, and I damn well don't agree to clawback of my fiat from Polonoxious to the current miniscule price".

Once consensus is sufficiently violated, it is possible you may never get it back again or at least it will be tough slog.

[1714180166]

1714180166

[smooth]

my recipient has lost his funds.

Yes this is what happens in a double spend scenario

What if I've died, moved on, lost my private key, etc.. I can't reissue the transaction.

Then you are a small edge case, especially for plausible fork lengths, and even more especially for plausible fork lengths given regular checkpoints (as in Bitcoin and every other reasonable coin). Given the possibility of forks (even normal ones transient ones) you always need to be prepared to reissue your transaction for some reasonable period of time.

The far more likely cases are that: 1) nothing happens, or 2) you simply see the coins back in your wallet and resend them.

Smooth I am sorry you didn't read yesterday's discussion I had with NewLiberty. I refuse to repeat the same discussion again.

Checkpoints are an illusion given a sustained attacker. Once the attackers' chain get mixed up with enough important transactions, you will have users screaming bloody murder if you try to unwind them.

You entirely dismiss the concept of time. Ding dong!

"Hey I sold out of XMR when I saw the attack underway and I got out before the stampede in the price, and I damn well don't agree to clawback of my fiat from Polonoxious to the current miniscule price".

As I said, one way or another, one chain (fork) will survive. Users on the other chain may scream bloody murder, but arguing with math will get you nowhere.

As for what happens with their fiat, that will be between them and their exchange. Exchanges deal with hacks, coin bugs, etc. Its part of the terrain. Some survive it, some don't.

[TheFascistMind]

As I said, one way or another, one chain (fork) will survive. Users on the other chain may scream bloody murder, but arguing with math will get you nowhere.

Yes and if sufficiently mixed, you can't try appease those who want the bad fork, because you can't extract their transactions from the bad fork and put into the good fork.

And this is the qualitative threat difference from block chains that don't mix transactions.

[smooth]

As I said, one way or another, one chain (fork) will survive. Users on the other chain may scream bloody murder, but arguing with math will get you nowhere.

Yes and if sufficiently mixed, you can't try appease those who want the bad fork, because you can't extract their transactions from the bad fork and put into the good fork.

And this is the qualitative threat difference from block chains that don't mix transactions.

Except that all chains have mechanisms of mixes, maybe not on chain, but good luck untangling any block chain after any significant period of time, once people have traded through exchanges (many that are effectively totally anonymous), used coin mixers, used coins to rent rigs and mine new coins, etc. You can probably do it for a small number of blocks, just as a fork of around 40 blocks caused no lasting trouble for Monero last month. But after hours or days, any chain is equally intractable to undo.

Furthermore I'm not convinced even if it could be done, that it would be helpful to users. Fungibility might very well be more valuable than the ability to pick winners and losers after an incident.

[Hueristic]

A minor price drop is nothing more than the weak hands pissing themselves and they will regret it soon enough and buy back in at a loss.

This thread has become a joke.

Unless ring signatures are qualitatively the wrong solution for anonymity. The jury is still out on this one. Needs more analysis.

One thing I don't like personally is IBM says we are 10-15 years from a quantum computer and all that anonymity history goes poof and then the government backtrack and go after all those assets that were hidden from the coming global implosion 2016 - 2032....

Do you mean "quantifying"? And there has been no proof of that being the case in any shape or form. Please if you have something other than postulations please enlighten us.

Quantum computing is in fact on the horizon. The measurement of states is now possible I.E. viewable (and patented). Yet when that can be system can be correlated into a viable catalyst of programmable hardware is anybody's guess. I believe D-state holds the current patent (on one verifiable form) and I don't know of any relation to IBM in that realm. Now don't forget that this is just being able to actually view the state (no mean feat in itself). Considering a Qbit is in both states at the same time (at least as far as we can measure) Is a serious roadblock that is by no means written in stone.

[TheFascistMind]

As I said, one way or another, one chain (fork) will survive. Users on the other chain may scream bloody murder, but arguing with math will get you nowhere.

Yes and if sufficiently mixed, you can't try appease those who want the bad fork, because you can't extract their transactions from the bad fork and put into the good fork.

And this is the qualitative threat difference from block chains that don't mix transactions.

Except that all chains have mechanisms of mixes, maybe not on chain, but good luck untangling any block chain after any significant period of time, once people have traded through exchanges (many that are effectively totally anonymous), used coin mixers, used coins to rent rigs and mine new coins, etc. You can probably do it for a small number of blocks, just as a fork of around 40 blocks caused no lasting trouble for Monero last month. But after hours or days, any chain is equally intractable to undo.

Furthermore I'm not convinced even if it could be done, that it would be helpful to users. Fungibility might very well be more valuable than the ability to pick winners and losers after an incident.

True that any coin mixing (i.e. not IP obfuscation mixing) is qualitatively equivalent, but coin mixing on chain could be explicitly denied by only allowing one input to a transaction (and dedicated means to merge balances would be needed) or the user could selectively agree not to use on chain mixing.

Non-decentralized mixers can mix coins with out multiple inputs per transaction, but these can't be trusted thus in my mind they are not anonymity any way.

Some transactions are unwound. Unwinding less transactions by being able to segregate transactions in the attacked fork and add to the non-attacked fork those which are not downstream from a double-spend or stolen coinbase afaics doesn't decrease fungibility? Rather it aids a potential political consensus to choose the non-attacked fork, i.e. afaics it adds fungibility.

[TheFascistMind]

A minor price drop is nothing more than the weak hands pissing themselves and they will regret it soon enough and buy back in at a loss.

This thread has become a joke.

Unless ring signatures are qualitatively the wrong solution for anonymity. The jury is still out on this one. Needs more analysis....

Do you mean "quantifying"? And there has been no proof of that being the case in any shape or form. Please if you have something other than postulations please enlighten us.

I mean qualitatively. To which of my concerns do you claim there is no proof in any form?

P.S. I defer to head of quantum computing research at IBM on the veracity of the 10-15 years prediction. He explained his reasons. Google is your friend.

[smooth]

Some transactions are unwound. Unwinding less transactions by being able to segregate transactions in the attacked fork and add to the non-attacked fork those which are not downstream from a double-spend or stolen coinbase afaics doesn't decrease fungibility? Rather it aids a potential political consensus to choose the non-attacked fork.

It does because you are imposing traceability, and with traceability comes the threat of blacklists or whitelists.

Also with the resolution of any double spend comes the judgement of which is the "correct" spend.

Monero coinbases can't be spent or used used as mixes until they are unlocked (rather short now IMO, but will probably change that) so unless the fork is prolonged, and you are on it for a prolonged period of time, none of your spends will be mixed with coinbases nor with anything downstream of coinbases. You also can't mix with an output you can't see, so the threat of chain replacement doesn't affect you as an innocent third party. Once the chain replacement is noticed, most likely exchanges (at least the well-run ones) go frozen rather quickly, and again few if any transactions will be affected.

With any coin you can certainly be downstream of a double spend with no real recourse. Lets say someone double spends to an exchange, and then you withdraw. You may very well get the double spent coins. What happens with a transparent or non-transaparent blockchain is that your withdraw from the exchange is unwound (when the other fork prevails) and the exchange is likely out a lot of coins and could go bankrupt. If not then they just reissue the withdraw transaction to you with some other coins.

[JorgeStolfi]

Did you miss the entire discussion about permutations of consecutive independent trials (i.e. not separated by 65 minutes each)?

If someone is causing the block rate to be higher than one per minute, that should be detected by counting blocks in some long interval (say, 10 hours) .

Afaics, that won't help you identify an intentional segregation of fast and slow blocks to manipulate the 80/20 discard window of the CN difficulty adjustment algorithm.

If the block rate is OK but the suspicion is that the timing of blocks is being manipulated, that should be detected by plotting a histogram of block-to-block gaps, or of number of blocks in successive 2 minute intervals, again over a long enough period.

I don't see how that will identify an intentional segregation since the 80/20 discard is relative to its own statistics? Do you mean comparing histogram histories?

Computing the probability of a certain complicated pattern occurring, after seeing it occur, is a tricky business.  The chance of my mother marrying my father was one in two billions or so; that does not mean that my mere existence is a sign that something fishy is going one with the universe...

You said you read the upthread discussion, yet you continue the strawman. My point was to refute the anti-FUD-campaign which was turning into a Monica Lewinsky or Steve Jobs denial, "no malfunction in our devices"[1].

[1] "don't touch it that way"

Sorry, I know practically nothing about the Monero protocol, so I cannot say anything useful about the "attack"  specifically.  (The continuous difficulty adjustment and the 20% outlier rejection filter seem to make it hard to model statistically.  If the difficulty gets adjusted diring the data collection interval, one cannot assume that block finding is a Poisson process; unless the event times are remapped to a suitable variable-rate clock.)

I was only commenting on the suggestion (perhaps not even by you, it is hard to keep track of the debate) that the occurence of a pattern that has very low probability of occurring is evidence of manipulation.  It may be evidence, if the probability analysis is properly done, but it is very easy to slip and see manipulation where there isn't.

The mistake is easy to make if one takes a complicated pattern that has occurred.  Others have pointed out that fallacy.  If the pattern covers a dozen consecutive events, its probability will be very low -- but some pattern must occur at every point,so nothing strange there.

[nioc]

You are correct that if our best known algorithms are impractical to implement with current resources, it doesn't mean there isn't any possible algorithm that will. But here I want to take you back to my discovery about the edge of the universe. I was toying around with the duality of the Bottom and Top type in the two difference classes of programming languages and it made me realize that time and the universe is co-inductive and thus the finality or edge is indeterminate, which is analogous to undecidable in the Halting problem.

I totally remember reading about that discovery in Nature or Science...oh wait, it was published on Google Groups. Such legit

The universe has no edge

[Hueristic]

A minor price drop is nothing more than the weak hands pissing themselves and they will regret it soon enough and buy back in at a loss.

This thread has become a joke.

Unless ring signatures are qualitatively the wrong solution for anonymity. The jury is still out on this one. Needs more analysis....

Do you mean "quantifying"? And there has been no proof of that being the case in any shape or form. Please if you have something other than postulations please enlighten us.

I mean qualitatively. To which of my concerns do you claim there is no proof in any form?

P.S. I defer to head of quantum computing research at IBM on the veracity of the 10-15 years prediction. He explained his reasons. Google is your friend.

I have bolded the "concern" which there is no proof of. You may study something forever but at some point it is assumed true until you can prove it false. And I would say the vetting has been more than adequate.

I hadn't seen the IBM announcement yet.

However, it is unclear when such a computer would be commercially available. Chuang said it is expected that between seven and 10 atoms will be used in tandem in more advanced quantum computers within the next two years.

Even if this is true It's a far cry from a system capable of changing the world. I think Chaung is trying to justify his 3 billion budget. And the Hard part about this system when it is a reality is in fact going to be qualitatively deciphering the resulting data. So much for boolean.

[nioc]

Summary ?

Scam coin.

move along.. nothing to see here.



- so there you have it.. my opinion (the correct one)

Jackpotcoin!!!!!!!!!!

[TheFascistMind]

Debates with smooth sometimes really help me clarify my own designs.  

Some transactions are unwound. Unwinding less transactions by being able to segregate transactions in the attacked fork and add to the non-attacked fork those which are not downstream from a double-spend or stolen coinbase afaics doesn't decrease fungibility? Rather it aids a potential political consensus to choose the non-attacked fork.

It does because you are imposing traceability, and with traceability comes the threat of blacklists or whitelists.

That is a risk but doesn't necessarily follow because afaics to absolutely enforce it you must be able to regulate or control the miners.

Also lack of traceability doesn't mean there can't be blacklists or whitelists. The crackdown could even cause people not to mix their coins since mixing with a delisted coin could delist the entire anonymity set.

Also perhaps you can imagine a coin design that was unlinkable because every transaction only had one input and one output. But it would have very high overhead. It would remain traceable.

The point I am making here is that anonymous coins need to be very resistant to fork attacks, because long duration forks are more intractable to recover from.

And my other salient point was that checkpoints can be an illusion.

Also with the resolution of any double spend comes the judgement of which is the "correct" spend.

Not at least for the coinbase double-spends.

For the other double-spends, I had proposed they both get trashed, because with a crack on private keys only the attacker can double-spend his coins. Of course everyone downstream is penalized, but stolen money is stolen money (the alternative might be to split the value between all recipients).

Monero coinbases can't be spent or used used as mixes until they are unlocked (rather short now IMO, but will probably change that) so unless the fork is prolonged, and you are on it for a prolonged period of time, none of your spends will be mixed with coinbases nor with anything downstream of coinbases.

Analogously to tx fees, I don't think penalizing users is beneficial if it can be designed another way.

You also can't mix with an output you can't see, so the threat of chain replacement doesn't affect you as an innocent third party.

I don't understand. I am super hungry.

Once the chain replacement is noticed, most likely exchanges (at least the well-run ones) go frozen rather quickly, and again few if any transactions will be affected.

I believe only in decentralized exchanges for the future.

Again penalizing many users is not a design option I prefer.

With any coin you can certainly be downstream of a double spend with no real recourse. Lets say someone double spends to an exchange, and then you withdraw.

Again I see a future only with decentralized exchanges and thus not mixed risk, except for on chain anonymity mixes.

But moreover, I think much more important for anonymous coins to very sure they can't be fork attacked with much less than 50% of the hashrate.

What happens with a transparent or non-transaparent blockchain is that your withdraw from the exchange is unwound (when the other fork prevails) and the exchange is likely out a lot of coins and could go bankrupt. If not then they just reissue the withdraw transaction to you with some other coins.

A distinction is that with on chain transparency (i.e. decentralized exchanges) then there is no collectivized bankruptcy (other than cascade into anonymity set mixes).

[TheFascistMind]

You are correct that if our best known algorithms are impractical to implement with current resources, it doesn't mean there isn't any possible algorithm that will. But here I want to take you back to my discovery about the edge of the universe. I was toying around with the duality of the Bottom and Top type in the two difference classes of programming languages and it made me realize that time and the universe is co-inductive and thus the finality or edge is indeterminate, which is analogous to undecidable in the Halting problem.

I totally remember reading about that discovery in Nature or Science...oh wait, it was published on Google Groups. Such legit

The universe has no edge

That is what I wrote too. And thus we can't be a non-relative observer, nothing is absolute, and the fundamental matter of the universe is cycles.

[smooth]

I see no new ground here except "decentralized exchanges are good" (and "forks are bad").

I agree except that doesn't really solve the problem, not even in the future, since exchanges are just one example of a good being delivered rapidly (other coins in this case). With any other commerce transaction where the goods or services have been delivered double spending leaves someone holding the bag with no recourse. It doesn't really matter if the blockchain is traceable or not.

Also, the blacklist issue is greatly reduced because a blacklist as you propose would only be effective if put into place before mixing occurs. Once the mixing occurs, you can't undo it, and you can't effectively blacklist the root coins because far enough back you are essentially blacklisting all coins. Not that far even, given the exponential spread of mixing.

EDIT: Also, there is still no credible basis for a private key attack due to either de-anonymizing (traceability) or double spending. It hasn't been be disproven (indeed most of practical crypto is strictly speaking unproven), but continuing to repeat it as pure "there might be a flaw" is just uncertainty and doubt with no analysis backing it up and is not credible.

[TheFascistMind]

A minor price drop is nothing more than the weak hands pissing themselves and they will regret it soon enough and buy back in at a loss.

This thread has become a joke.

Unless ring signatures are qualitatively the wrong solution for anonymity. The jury is still out on this one. Needs more analysis....

Do you mean "quantifying"? And there has been no proof of that being the case in any shape or form. Please if you have something other than postulations please enlighten us.

I mean qualitatively. To which of my concerns do you claim there is no proof in any form?

P.S. I defer to head of quantum computing research at IBM on the veracity of the 10-15 years prediction. He explained his reasons. Google is your friend.

I have bolded the "concern" which there is no proof of. You may study something forever but at some point it is assumed true until you can prove it false. And I would say the vetting has been more than adequate.

I've enumerated my concerns. You'd have to try to specifically show me convincingly that each of those concerns has been vetted. Your claim without specifics is not convincing to me.

I hadn't seen the IBM announcement yet.

However, it is unclear when such a computer would be commercially available. Chuang said it is expected that between seven and 10 atoms will be used in tandem in more advanced quantum computers within the next two years.

Even if this is true It's a far cry from a system capable of changing the world. I think Chaung is trying to justify his 3 billion budget. And the Hard part about this system when it is a reality is in fact going to be qualitatively deciphering the resulting data. So much for boolean.

Since you are claiming authority and not sufficient explanation of the science to convince me you actually know what you are talking about, what are your credentials relative to the head of research at IBM?

[JorgeStolfi]

The universe has no edge

Yes, it is a very dull place, mostly.

[TheFascistMind]

I see no new ground here except "decentralized exchanges are good" (and "forks are bad").

And checkpoints can't substitute for being resistant to forks in every case.

Any the increased use on chain mixing with large anonymity sets increases the risk of not being able to abandon a sustained bad fork, thus making the threat of forks that much more serious.

And centralized mining is very bad.

I agree except that doesn't really solve the problem, not even in the future, since exchanges are just one example of a good being delivered rapidly (other coins in this case). With any other commerce transaction where the goods or services have been delivered double spending leaves someone holding the bag with no recourse. It doesn't really matter if the blockchain is traceable or not.

Mixing whether it be done by centralized exchanges or by large anonymity sets increase the threat of domino cascade.

Also, the blacklist issue is greatly reduced because a blacklist as you propose would only be effective if put into place before mixing occurs. Once the mixing occurs, you can't undo it, and you can't effectively blacklist the root coins because far enough back you are essentially blacklisting all coins. Not that far even, given the exponential spread of mixing.

Disagree. Blacklisting entire anonymity sets is legally and politically plausible (but I don't know how realistic any delisting is, certainly if mining is centralized it is much more realistic), and the anonymity set can't increase once blacklisted without culpability on the part of the users. Well at least for ring signatures. Thanks for helping me (re-)discover a key qualitative distinction which is very negative on ring signatures.

EDIT: Also, there is still no credible basis for a private key attack due to either de-anonymizing (traceability) or double spending. It hasn't been be disproven (indeed most of practical crypto is strictly speaking unproven), but continuing to repeat it as pure "there might be a flaw" is just uncertainty and doubt with no analysis backing it up and is not credible.

Why are you bringing that up? I hadn't mentioned that in our recent exchange and when I did mention it, I said the same as what you just wrote above.

Edit: I guess you are responding to my list of concerns about ring signatures. Btw, I contemplating that certain hash functions (e.g. SHA256) are much more vetted with cryptanalysis than the simultaneous equations in different number fields that I showed.

[TheFascistMind]

The universe has no edge

Yes, it is a very dull place, mostly.

You don't mean of course unexciting.

[smooth]

Mixing whether it be done by centralized exchanges or by large anonymity sets increase the threat of domino cascade

Exchanges are just an example of a commerce transaction. You buy alpaca socks. The alpaca socks guy uses your coins and some coins from other socks buyers to buy wool, and then maybe the wool seller buys socks too. Lots of mixing going on there. If they are in-person transactions (or an online service instead of a delivered good) there is likely no trail of identity, or at best an incomplete one. Humpty Dumpty is not getting put back together, transparent or non-transaparent chain.

Blacklisting entire anonymity sets is legally and politically plausible

It is largely useless, since you are blacklisting coins that might well have already been spent. You also can't practically blacklist the downstream, as you can with Bitcoin (in fact some have argued some version of this is required by the law) because you would be blacklisting many and even most coins after some rounds of mixing.

There is a very narrow window of opportunity to actually know whether coins are unspent, before they are used by anyone in a mix. And once they are used, it is only a short time from there before exponential spreading means they are then mixed all over the place and downstream blacklisting is impractical.

However, if the original "Schrodenger coins" can be blacklisted, then perhaps this is arguably a good result. Law enforcement can (with proper due process, at least in theory) at least try to blacklist the original criminal's coins without affecting people who may receive (perhaps retroactively) blacklisted coins in trade.

EDIT: Also, there is still no credible basis for a private key attack due to either de-anonymizing (traceability) or double spending. It hasn't been be disproven (indeed most of practical crypto is strictly speaking unproven), but continuing to repeat it as pure "there might be a flaw" is just uncertainty and doubt with no analysis backing it up and is not credible.

Why are you bringing that up? I hadn't mentioned that in our recent exchange and when I did mention it, I said the same as what you just wrote above.

You did mention it.

because with a crack on private keys only the attacker can double-spend his coins

Or did you mean "without?"

That being the case, what you said is untrue. Anyone can double spend, simply by spending on whatever fork does not survive. You buy alpaca socks on the doomed fork, the socks are sent to you, and then the fork is abandoned. You have the socks and the coins. If you are honest you can certainly send the coins to the alpaca sock seller, but nothing forces that. But who knows, if you are on the fork long enough, maybe the coins you sent were also double spent to you and disappear as well. There is no solution to this that makes everyone whole. Transaction finality is a judgement call.