delete

[TheFascistMind]

There are so many significant costs (if one realizes that without radically decentralized mining we are just wasting our time) that are paid for protecting that silly scenario.

market caps seem to agree with leaving the ring signatures in ... and i actually would prefer it as well.

it seems odd that anonymint who is the MOST CONSERVATIVE on EVERYTHING to do with anoniminity is siding on the side of possibly not being able to prove anoniminity of prev transactions.

Because that argument also implies we can't trust any form of off chain anonymity (i.e. where only the mixed inputs and outputs are retained) and we can't use a mini block chain.

And thus we will never get radically decentralized mining. And as I pointed out, it is a silly pedantic worry that doesn't justify the ramifications as I have stated in this post.

[1714930024]

1714930024

[1714930024]

1714930024

[1714930024]

1714930024

[smooth]

(if one realizes that without radically decentralized mining we are just wasting our time)

See my edit.

Then again, I am not sure if ring signatures are even congruent with radically decentralized mining...

I disagree that a constant factor reduction in chain size will reliably give you radical decentralized mining. The constant factor gets overwhelmed by whatever super-linear scaling occurs, over a relatively small range.

You seem to offer some support to my second sentence then...

Oh quite possible. I'm not sure that any particular thing (ring sigs or otherwise) is congruent with radically decentralized mining. Until someone demonstrates it, we won't know.

[iCEBREAKER]

Litecoin was never interesting. It was an undifferentiated clone of Bitcoin, with the exception of CPU and later GPU mining. People may have liked that because they felt Bitcoin was heading in a bad direction, but even that certainly didn't make it interesting. It was just a throwback to what had already been done by Bitcoin at each stage (and still). Been there done that is never interesting.

If anything Bitcoin moving forward to GPU and ASIC mining was more interesting. Maybe interesting in a bad way (opinions differ of course), but still interesting.

Wow, look who doesn't know the diff between a "clone" and a "fork" today.  Someone is being a bit of a Grumpy Gus...   

Litecoin was and is very interesting, because it has a known dev (with MIT/GOOG pedigrees) who tweaked BTC in ways he thought optimal, based on the experience of BTC.

The market says LTC is the most interesting crypto coin next to the original.  Sorry if that hurts your feels, but that's the reality.

Using your wet blanket logic, Monero is an uninteresting "clone" also, because Bytecoin... 

[smooth]

Using your wet blanket logic, Monero is an uninteresting "clone" also, because Bytecoin... 

Agree. We have always said that the cryptonote tech is interesting and the original reason for Monero was to take that interesting tech and exercise good custody and ongoing development of it in a non-scam way.

By a combination of your logic and mine, "interesting" is not required for a high market value, and "interesting" coins can still self destruct by being scams.

[xulescu]

If everyone is not storing, then those who store will have an information advantage.

In XMR's present case, full nodes store everything.
In XMR's future case, full nodes store everything and SPV-style nodes store just a cache of what they need.

In BBR's present case, "somebody" stores everything and full nodes do not store rings.
In BBR's future case, "somebody" stores everything, full nodes do not store rings and SPV-style nodes are still required.

Do you see where I'm going with this?

No. Could you be more explicit?

In BBR's solution, the linear advantage that full nodes get does not solve any scalability issue (especially so for thin nodes) and introduces the trust / security model problem that is in no way a trivial pedanticry. Commiting the ring signatures with an additional "full" hash for each block would alleviate that problem, but still trusts "anybody" stores the signatures.

And to add to all that, open source is not the holy grail in code vetting. I will name three issues from recent memory that had different direct causes, but the same primary cause:

1. Heartbleed
2. Shellshock
3. Block 202612

The primary cause is "just because anyone can do it doesn't mean anyone will do it", both in terms of open source vetting and in terms of storing the signatures. It is a tragedy of the commons.

[smooth]

drop the minigun smooth

Kill streak bro.

[TheFascistMind]

Hopefully now you better understand my reservations about declaring a winner too soon and my opinion that we could see more developments in this space than the ones already factored in. And why I think the market is not jumping bananas to buy up XMR.

I am also interested to see what comes out of the bounty algorithm if it is implemented and better understood.

I think we still need some other fundamental breakthroughs. Ring signatures are interesting, but not sure yet if they are the Holy Grail.

Note I apologize for any impact on investment decisions this post has. I understand it is difficult for me to make such a post without stepping on someone's toes. I will try to go quiet as that is the best way to not offend interests and the best way to actually get some work done (health willing).

[crypto_zoidberg]

Again, see edit above.

Imagine that a code bug exists where coins can be double spent in ring sigs, creating coins out of thin air. The developer realizes this, exploits it secretly, and then waits to see if anyone notices. He pushes out a checkpoint that throws away the old ring sigs and sometime later the bug is fixed.

Possibly it is discovered by someone who has an archived version of the chain, but even then, it can't even be independently verified that their claimed version of the chain is the correct one. Maybe someone else comes up with a different one. There are no hashes to refute this.

It is far better to retain the ability but not the requirement to independently verify the chain, and retain the chain somewhere in a trustless decentralized network.

Even committing a hash of the early chain (full hash including, not excluding, ring sigs) when you trim it would be somewhat better, but as far as I know is not being done.

The trust model of the BBR ring sig trimming -- within the chain itself and not relying on external sources -- is simply that everything is okay below the checkpoint because the developer said so and put a checkpoint there.

BTW, one last comment on this. I'm not even saying the BBR trimming is a bad idea. I see a lot of merit in it. I'm just saying that it involves changing the trust model, and is not unequivocally a good idea. It is a trade off. Nor do I agree that the only choice is between the current BBR implementation and the current Monero implementation.

Smooth, RS have absolutely no relation with double spending protection, so i have no idea why you wrote all that.
Double spend protection in CN implemented in different way, and this keep works without RS.  Want to argue with that ?  

[surfer43]

In BBR's solution, the linear advantage that full nodes get does not solve any scalability issue (especially so for thin nodes) and introduces the trust / security model problem that is in no way a trivial pedanticry. Commiting the ring signatures with an additional "full" hash for each block would alleviate that problem, but still trusts "anybody" stores the signatures.

And to add to all that, open source is not the holy grail in code vetting. I will name three issues from recent memory that had different direct causes, but the same primary cause:

1. Heartbleed
2. Shellshock
3. Block 202612

The primary cause is "just because anyone can do it doesn't mean anyone will do it", both in terms of open source vetting and in terms of storing the signatures. It is a tragedy of the commons.

Are you suggesting that there is a "solution" to the scalability issue? To this problem there are only improvements, not an end-all be-all solution.

[smooth]

Smooth, RS have absolutely no relation with double spending protection, so i have no idea why you wrote all that.
Double spend protection in CN implemented in different way, and this keep works without RS.  Want to argue with that ?  

Somewhat. You are referring to key images. But key images are only validated with respect to a ring signature. Otherwise, I can come up with whatever (unique) key image I want and how would you know it isn't valid?

[smooth]

Hopefully now you better understand my reservations about declaring a winner too soon and my opinion that we could see more developments in this space than the ones already factored in. And why I think the market is not jumping bananas to buy up XMR.

This is quite obviously true just from a casual glance at the tiny market cap of XMR (and the slightly less tiny, but still tiny, market cap of DRK).

The people who need to pay attention to this are the "life savings" folks. Even rpeitila, the oft proclaimed Monero hawker/hyper/promotor/shill, has said that low ratios of Monero are appropriate relative to BTC and fiat. (Maybe someone has the link?)

But I'm afraid that anyone foolish enough to be in the "life savings" camp (assuming this isn't actually a straw man) is likely beyond reaching.

I think we still need some other fundamental breakthroughs. Ring signatures are interesting, but not sure yet if they are the Holy Grail.

Definitely agree.

Note I apologize for any impact on investment decisions this post has. I understand it is difficult for me to make such a post without stepping on someone's toes. I will try to go quiet as that is the best way to not offend interests and the best way to actually get some work done (health willing).

I disagree with the need for this apology. Investors benefit from information. It is up to them to decide what information to use.

[TheFascistMind]

I already answered you with this post.

Note you've made a strong argument for very clean source code and simplified crypto. Validates everything I've been working on. Thanks!

[xulescu]

I already answered you with this post.

Note you've made a strong argument for very clean source code and simplified crypto. Validates everything I've been working on. Thanks!

And I've already answered you with this: (don't get circular on me here)

I wholly agree with very clean code and the simplest crypto that is sufficient. I doubt anyone would challenge that.

You cannot just say "trusting nobody doesn't work with minichains, and that is the only idea for decentralization, thus I'll pretend the trust issues are PEDANTIC TRIVIALITIES".

[iCEBREAKER]

By a combination of your logic and mine, "interesting" is not required for a high market value, and "interesting" coins can still self destruct by being scams.

The market demonstrates its "interest" in a coin by purchasing it.  Thus, the higher the market cap the more the market has found a coin "interesting."

Even speaking strictly to the technology, observing Litecoin as a variable to Bitcoin's control is also an interesting experiment.

Stop molesting my sound logic with your subjective definitions!   

[crypto_zoidberg]

Smooth, RS have absolutely no relation with double spending protection, so i have no idea why you wrote all that.
Double spend protection in CN implemented in different way, and this keep works without RS.  Want to argue with that ?  

Somewhat. You are referring to key images. But key images are only validated with respect to a ring signature. Otherwise, I can come up with whatever (unique) key image I want and how would you know it isn't valid?

Really ? And how could you change key image without changeing tx id ?
Because transactions are fixed in blockchain with every data in it, including keyimages, but except ring signatures. In BBR.

[smooth]

Smooth, RS have absolutely no relation with double spending protection, so i have no idea why you wrote all that.
Double spend protection in CN implemented in different way, and this keep works without RS.  Want to argue with that ?  

Somewhat. You are referring to key images. But key images are only validated with respect to a ring signature. Otherwise, I can come up with whatever (unique) key image I want and how would you know it isn't valid?

Really ? And how could you change key image without changeing tx id ?
Because transactions are fixed in blockchain with every data in it, including keyimages, but except ring signatures. In BBR.

I didn't say change a key image after the fact. I said that you can't independently verify that it is valid once the ring sigs are gone. You are trusting that at some time in the past a consistent ring sig and key image ever existed. After trimming you can only see the key image, not the rest. And without the rest you can't verify its validity, only its uniqueness (VER step vs. LNK step in the white paper).

[TheFascistMind]

I already answered you with this post.

Note you've made a strong argument for very clean source code and simplified crypto. Validates everything I've been working on. Thanks!

And I've already answered you with this: (don't get circular on me here)

Lol.  

I wholly agree with very clean code and the simplest crypto that is sufficient. I doubt anyone would challenge that.

You cannot just say "trusting nobody doesn't work with minichains, and that is the only idea for decentralization, thus I'll pretend the trust issues are PEDANTIC TRIVIALITIES".

Well implementation is better than ideas, so I can only speak to what I may think is implementable in terms of radical decentralization. Understandably from your perspective, my words are just the same as hollow non-specified ideas other than what you have already contemplated about designs that might be possible.

I understood your opinion that BBR doesn't significantly increase decentralization and thus in your opinion the tradeoff isn't a clear gain. That tradeoff is not a slamdunk either way, so it is subjective. Whereas, I think coinmarketcap.com will show clearly when someone has demontrated a convincing result and the analysis no longer subjective. In short, neither XMR nor BBR have yet solved the issues around threats from mining, thus many figure might as well stay with Bitcoin since it has a higher hashrate. What is the point of moving to anonymity if it can be destroyed reasonably easily (apologies that is FUDdy, I don't mean it is likely but rather the same risks for altcoins). And still there is the vetting of the de-anonymization, impacts scaling, etc.. There are so many variables...I'm glossing over specifics, e.g. XMR's pools are currently not overly concentrated, etc..

Any way, that is my 2 cents on why there hasn't been mad rush to buy anonymous coins. The market doesn't yet trust them, combined with there isn't an incredible incentive and not a slamdunk win on many facets. Also CN is still new, had a choppy beginning, and BTC has been down.

Edit: the environment will change on at least two fronts. 1) the governments will become more hostile to capital, 2) altcoin tech will continue to be improved, heck even XMR might have some tricks up their sleeve coming...

Probably also BTC will bottom (I think < $200) and begin a new bubble phase. LTC had its big move during the 2013 bubble. Risk-off phases means altcoins are ignored.

Also someone might introduce another unexpected paradigm shift DOGE-like curve ball.

[xulescu]

I mostly agree with what you said. After all, the consumer market for anonymity is not yet rattled by the actions of the TLAs. This is one reason why BBR's emission curve is better than XMR's. No argument here. At this point at least, also taking into account the limitations of existing cryptos in general and CN in particular, our target is anonymous sparse transactions (such as sophisticated investors/speculators and other money managers with a pretty aggressive risk profile for holding, and private commercial entities for transfers).

I understand this is not your vision of The Anonymous Crypto and frankly is it not ours either. But there are steps to ubiquity and many barriers that have not been acceptably analyzed, much less solved. So until we have the slightest clue how to put things together to make a crypto system that checks all requirements for TAC we've decided to take the most advanced partial solution and try to refine it conservatively. BBR has a more aggressive approach.

We believe pruning the ring signatures is not conservative enough. We believe changing the PoW hash is not conservative enough. Any of these beliefs can change in the future.

I hope this makes it more clear.

[TheFascistMind]

xulescu, I agree.

Note that CryptoNote ring signatures (and probably Zerocash and Zerocoin also) breaks the type of unwinding in my proposal because derivative transactions are unlinkable.

Edit: similar functionality can be obtained in the current implementation of the longest chain rule, by waiting for 100 or so confirmations before accepting a payment as final (to extend out the duration cost for the extended time attacker has to keep his chain secret so your payment isn't orphaned by the attacker's chain). Thus unlinkable coins could still defeat ephemeral 50+% double-spending attacks, but with very slow payments.

Note the above is FUD in sense that I have not really formalized and verified merging instead of forking the block chain. I might still discover that merging is infeasible. But this is something to keep on your distant radar.

That is the qualitative difference I was arguing with smooth upthread.

The point is that between 25% and 50% of the network hashrate, the attacker can in theory win with selfish mining (and probably ramp up to 50% with it) and this is due to the fact that the chain is forked and not merged (I have a formal math proof of this). Also above 50%, the attacker gets winner-takes-all with short-term rented hardware, because the chain is forked and not merged.

I don't think gmaxell really understood me, yet I am not sure if I really understood all the variables yet. So this is a work in progress subject to failure.

The following also applies:

https://blog.ethereum.org/2014/07/11/toward-a-12-second-block-time/

[Spoetnik]

Litecoin was never interesting. It was an undifferentiated clone of Bitcoin, with the exception of CPU and later GPU mining. People may have liked that because they felt Bitcoin was heading in a bad direction, but even that certainly didn't make it interesting. It was just a throwback to what had already been done by Bitcoin at each stage (and still). Been there done that is never interesting.

If anything Bitcoin moving forward to GPU and ASIC mining was more interesting. Maybe interesting in a bad way (opinions differ of course), but still interesting.

Wow, look who doesn't know the diff between a "clone" and a "fork" today.  Someone is being a bit of a Grumpy Gus...   

Litecoin was and is very interesting, because it has a known dev (with MIT/GOOG pedigrees) who tweaked BTC in ways he thought optimal, based on the experience of BTC.

The market says LTC is the most interesting crypto coin next to the original.  Sorry if that hurts your feels, but that's the reality.

Using your wet blanket logic, Monero is an uninteresting "clone" also, because Bytecoin... 

Well said and a display ignorance or naivety if you prefer lol