delete

[YouWillBeProvenWrong]

It isn't a pathetic argument. One of the advantages of a distributed ledger is that it is broadcast. Thus it is impossible to tell who is reading it. That adds a lot of anonymity right there, compared to solutions that involve some sort of routing. Because any sort of routing is a big red arrow pointing right at you. A lot of the snake oil coins rely on randomizing a bunch of stuff ("pick random nodes!") and claim that works because it sounds secure to non-experts, but without carefully thinking about the range of possible attacks such as sybil attacks or economic attacks on the nodes.

A distributed ledger system by its effectively broadcast nature removes even the possibility of any or all of these "nodes" being compromised.

Why would you risk it?

It's an interesting version of FUD you guys have come up with to attack Monero. I commend you for your creativity. "It's all public so it can't be anonymous!" "Someone will crack it!"

BTW, most or all internet traffic is probably being logged right now by the NSA and probably others. Almost certainly anything encrypted is. It is not a sound assumption to think that ANYTHING you send out to the internet won't exist forever and can't eventually be cracked. At least with a public ledger, many more people will be trying to crack it and one of them might tell you if he succeeds, at which point you can take remedial action. All that TLA stuff happens in secret -- it might be cracked and you continue to use for 30 years, although honestly I strongly believe that most of the amateur-hour efforts that pass for "anonymous coins" are likely cracked from the start by the NSA and others. There is at least SOME chance that some real crypto is not fully cracked.

This is a very important point, that apparently only I can respond to adequately. So therefor I am forced to return momentarily.

True that everything sent to the internet might be recorded.

Even I can not accuse smooth of committing a category error when he equated the statistical probability of an anonymity set (mix) with encryption. Encryption is what can be cracked over time.

Anonymity set risk (i.e. the probability that you can be identified) is constant over time, or even if it declines due to non-encryption related circumstances identifying others in your anonymity set (e.g. people confess their identities), it doesn't decline due to cracking the encryption. However every known method of creating an anonymity set requires some encryption, e.g. onion routing encrypts onion layers. Thus if you crack the encryption used to create the off chain anonymity set, and you have saved all the traffic, you have cracked the anonymity.

Nevertheless the salient rebuttal to smooth's astute point is:

1. Cryptonote's (and Zerocash's) encryption is not based on known quantum proof algorithms. Moreover, if we consider the 2013 math breakthrough I quoted which cracked the discrete logarithm for small characteristics, we see that math direction has no applicability to McEliece quantum computing proof encryption. It is not an unreasonable assumption that the entropy of McEliece is exponentially higher, because the public keys are on the order of 65,535 bytes and the modeled security level (e.g. 128-bit) scales to key size much more exponentially than for discrete logarithm or elliptic curve based public key cryptography. Thus I am positing to you that in addition to the quantum proof attribute, the time horizon for cracking McEliece with math could reasonably be argued to likely be exponentially longer than for the encryption used in Cryptonote and all other feasible on chain anonymity.

Currently I know of no research for quantum proof one-time ring signatures (only regular ring signatures and nothing like the Zero Knowledge proof needed for making them one-time) and even if it is invented, the key sizes are apparently going to be 10 - 100X larger than the already bloated Cryptonote ring signatures. So even if we find clever ways to prune or compress the hypothetical quantum proof Cryptonote block chain, the insurmountable problem remains that the bandwidth requirements on the network will explode and you can just forget any hope of micro payments, i.e. social networking widescale adoption. That hope is already dubious with the existing bloat of non-quantum proof Cryptonote, and not just because of the bloated rings sent over the network, but also because lite clients break the unlinkability.

So whereas McEliece encryption can not be feasible with on chain anonymity, it is feasible for off chain because the large public keys don't need to be transmitted with every transaction (and mining share!) nor stored with the block chain. Thus an off chain anonymity system could use multiple types of encryption layered, so if all but one is broken the anonymity is not.


2. Whereas with Cryptonote (and Zerocash) what needs to be unencrypted is neatly compressed with complete organization on the block chain, off chain routing can create mazes of extreme complexity. In the asymptotic case, the authorities would need to cross correlate every encrypted packet ever sent on the internet. In other words, the computational requirements can be beyond any feasible computer projected many decades into the future, even if they crack the encryption. I am not saying all off chain systems mix this widely, but it is a conceptually valid distinction.


3. Cryptonote has no IP obfuscation built in (yet), thus unless you are using Tor with it, the on chain anonymity is already cracked. Which means even if you use Tor, if the others in your anonymity set ring didn't use Tor, then you are de-anonymized. And even when Cryptonote adds I2P or Tor support by default, it isn't planned to be supported for mining, and those low-latency mixnets are shown in research to be vulnerable to timing analysis. There are mathematically characterized better designs for IP obfuscation for crypto-currency than I2P and Tor.


4. Smooth will know what I am talking about when I say there is a tension in Cryptonote between the anonymity set group size and the efficiency of any future pruning feature. Off chain anonymity doesn't have this dilemma (inefficiency) which again is another contributing factor of probably restricting on chain anonymity to low adoption as a currency (no way you will do micro payments for social media). And as NewLiberty borrowed from my past points, if you don't have a widely adopted currency, then you don't have a large anonymity set. Also without a widely adopted anonymous currency, then you have to convert to a non-anonymous currency to pay for things (which blows up Smoothie's nonsense about all users must jump through hoops).


5. You won't get decentralized mining without off chain anonymity.


So again I reiterate, why risk it with on chain anonymity when there can be designs that are exponentially more secure with your anonymity into the future?


P.S. I agree with smooth and others that the anonymity model of DRK (and Neo and Cloak, etc) is not well defined. There is no scholarly whitepaper characterizing the math of their system. Thus in the current predicament, I can understand why scholarly people trust Cryptonote more. I certainly do too.


Edit:

6. The claim that Cryptonote has a larger anonymity set because it can mix from the entire history of the block chain, whereas CoinJoin has a simultaneity constraint, is not true because to be prunable the rings must be restricted to small groups, and as I showed in my bounty algorithm upthread, if you allow widely overlapping mixing then the rings can in theory be de-anonymized.

[1714035869]

1714035869

[1714035869]

1714035869

[1714035869]

1714035869

[nioc]

apparently only I can respond to adequately

At least you now have an appropriate sn

[YouWillBeProvenWrong]

LOL I thought TFM had scrambled his password, I even said goodbye.

this forum is clown-town.

Thank you for saying good bye. I took all of those to heart and that I was sufficient for me (I didn't care about smoothie's taunts).

I really want to leave and I will. Smooth made a very strong point that needs an equally informed rebuttal.

Cryptonote is probably the best we've got for now of what exists for anonymity. DRK is not well specified mathematically.

I don't want to attack your investments. Please understand I want to attack the global 666 currency plan underway.

I'd also like to make some money, and I hope all of you can make some money too.

I don't think we are nemesis. All of us here in cryptoland want essentially the same idealism (well not all perhaps but many of us).

If we think of the larger pie out there, all of us can benefit more by working towards that, then tearing each other down and letting Suckerberg and Thail take all the large scale outcomes.

Peace.

(hell I don't know if I will ever get any coin released or not. Others read my posts and go work on things. For example, you can be sure the DRK folks are reading all my posts carefully and scheming. So please don't accuse me of being the only person capable of implementing CoinJoin convincingly with math proofs. I do wonder why no extremely capable developer has offered to work with me, because my designs and maths go far beyond what I've shared in public).

[YouWillBeProvenWrong]

A coin made by you would certainly be interesting.

Due to politics, I will never tell you if I am on a coin. You will have to deduce it (which might not be that difficult). I prefer plausible deniability. Look I am no where near releasing anything. Code has been written, but I have variable health over the past months. So don't hold your breath.

Thanks for the kind words.

Peace to all forum members.

[coinsolidation]

open hosts file

Code:

0.0.0.0 bitcointalk.org

[smooth]

2. Whereas with Cryptonote (and Zerocash) what needs to be unencrypted is neatly compressed with complete organization on the block chain, off chain routing can create mazes of extreme complexity. In the asymptotic case, the authorities would need to cross correlate every encrypted packet ever sent on the internet.

Only if things are implemented "properly" at every level. That is a huge assumption I'm not prepared to make with any of the current altcoin efforts. I'd rather rely on well-designed and well-vetted encryption. Implementations of large systems that require sending information around the internet to mixing nodes and such has a huge attack surface. Cryptography implementations are potentially orders of magnitude smaller (and Cryptonote really isn't that complex) so far, far easier to vet at a systemic level. Granted the issue of quantum computing vulnerability is valid, but it likely to be a acceptable risk to a great many users, but not to you. Fair enough. Build something better.

3. Cryptonote has no IP obfuscation built in (yet), thus unless you are using Tor with it, the on chain anonymity is already cracked. Which means even if you use Tor, if the others in your anonymity set ring didn't use Tor, then you are de-anonymized. And even when Cryptonote adds I2P or Tor support by default, it isn't planned to be supported for mining, and those low-latency mixnets are shown in research to be vulnerable to timing analysis. There are mathematically characterized better designs for IP obfuscation for crypto-currency than I2P and Tor.

Tor is already supported for mining. There is no reason why you can't connect to a pool using Tor. Most pools require no registration, so any coins that go back to you via pool payments can't be traced to you by any mechanism other than attacking Tor.

5. You won't get decentralized mining without off chain anonymity.

Not proven, nor proven that you can get decentralized mining with off chain anonymity.

So again I reiterate, why risk it with on chain anonymity when there can be designs that are exponentially more secure with your anonymity into the future?

Why risk off chain routing attacks when (some future non-existant) on-chain system can be made exponentially more secure, with greater scrutiny of the components parts (encryption) then some large and nearly impossible to analyze set of interconnected elements.

See, FUD works in either direction. Stop doing it, and start building. When we see how much better your system is, we will all be convinced! (The salesmen representing other coins, including other off-chain anonymity coins won't, but you can't ever convince them no matter what you say or do.)

6. The claim that Cryptonote has a larger anonymity set because it can mix from the entire history of the block chain, whereas CoinJoin has a simultaneity constraint, is not true because to be prunable the rings must be restricted to small groups, and as I showed in my bounty algorithm upthread, if you allow widely overlapping mixing then the rings can in theory be de-anonymized.

You didn't show anything at all about the scope and degree of unmixing, so we have nothing to say here, just more FUD.

In short, prove on-chain wrong by constructing something better. Until then you are behaving similarly to the shills you hate.

[YouWillBeProvenWrong]

open hosts file

Code:

0.0.0.0 bitcointalk.org

 

I learned that trick only a few years ago. Give me a bit more time to master it.

[coinsolidation]

open hosts file

Code:

0.0.0.0 bitcointalk.org

 

I learned that trick only a few years ago. Give me a bit more time to master it.

trouble is once you know how to do it, you can remove it! GL

[robinwilliams]

Why risk off chain routing attacks when (some future non-existant) on-chain system can be made exponentially more secure, with greater scrutiny of the components parts (encryption) then some large and nearly impossible to analyze set of interconnected elements.

+1. 

[YouWillBeProvenWrong]

Why risk off chain routing attacks when (some future non-existant) on-chain system can be made exponentially more secure, with greater scrutiny of the components parts (encryption) then some large and nearly impossible to analyze set of interconnected elements.

+1.  

That snippet from smooth was entirely FUD. He has a category error is misequating Tor or I2P with all possible formations of off chain mixing. There are forms which are mathematically modeled.

2. Whereas with Cryptonote (and Zerocash) what needs to be unencrypted is neatly compressed with complete organization on the block chain, off chain routing can create mazes of extreme complexity. In the asymptotic case, the authorities would need to cross correlate every encrypted packet ever sent on the internet.

Only if things are implemented "properly" at every level. That is a huge assumption I'm not prepared to make with any of the current altcoin efforts. I'd rather rely on well-designed and well-vetted encryption.

I made that same point myself. Note you did not refute #1.

Implementations of large systems that require sending information around the internet to mixing nodes and such has a huge attack surface. Cryptography implementations are potentially orders of magnitude smaller (and Cryptonote really isn't that complex) so far, far easier to vet at a systemic level.

FUD per the above reply to robinwilliams and #6 below.

Granted the issue of quantum computing vulnerability is valid, but it likely to be a acceptable risk to a great many users, but not to you. Fair enough. Build something better.

You CN people keep trying to pigeon-hole my #1 it as quantum computing only whereas I have shown you that small characteristic discrete logarithms were cracked in 2013 and they speculate about moving to higher characteristics. You ignore the fact that differential cryptanalysis breakthrough in the past broke almost all known encryption at the time (1970s), and nobody knew it had been cracked for many years. Heck discrete logarithm might be cracked now by the NSA and they are not telling us. Thus being able to use multiple layer encryption methods is essential to any level of great trust for anonymity, because unlike for spending, anonymity needs to remain uncracked for a long time into the future.

3. Cryptonote has no IP obfuscation built in (yet), thus unless you are using Tor with it, the on chain anonymity is already cracked. Which means even if you use Tor, if the others in your anonymity set ring didn't use Tor, then you are de-anonymized. And even when Cryptonote adds I2P or Tor support by default, it isn't planned to be supported for mining, and those low-latency mixnets are shown in research to be vulnerable to timing analysis. There are mathematically characterized better designs for IP obfuscation for crypto-currency than I2P and Tor.

Tor is already supported for mining. There is no reason why you can't connect to a pool using Tor. Most pools require no registration, so any coins that go back to you via pool payments can't be traced to you by any mechanism other than attacking Tor.

I said built-in so everyone uses it. Meaning dumb users click and go.

Also using Tor puts those miners at a disadvantage in speed compared to those who don't.

And Tor (and I2P) anonymity is not well characterized mathematically. Many argue they are not reliably anonymous. So if you argue against off chain mixing, you fail to note that your on chain depends on your off chain IP obfuscation, so your entire thesis of defense collapses in a house of cards.

Also note you did not refute #5 (well you can't because you don't know my designs).

5. You won't get decentralized mining without off chain anonymity.

Not proven, nor proven that you can get decentralized mining with off chain anonymity.

You haven't learned by now to respect my knowledge yet. But one day you will learn that when I make a statement like that, it has been vetted.

So again I reiterate, why risk it with on chain anonymity when there can be designs that are exponentially more secure with your anonymity into the future?

Why risk off chain routing attacks when (some future non-existant) on-chain system can be made exponentially more secure, with greater scrutiny of the components parts (encryption) then some large and nearly impossible to analyze set of interconnected elements.

See, FUD works in either direction. Stop doing it, and start building.

Did I ever disagree publicly with building?

Am I not doing a service to readers by sharing insights into the factors they must consider?

Have Cryptonote proven everything about its anonymity? (big fat no! see #6 below)

My post wasn't written in salesman tone. It was an intellectual exchange.

6. The claim that Cryptonote has a larger anonymity set because it can mix from the entire history of the block chain, whereas CoinJoin has a simultaneity constraint, is not true because to be prunable the rings must be restricted to small groups, and as I showed in my bounty algorithm upthread, if you allow widely overlapping mixing then the rings can in theory be de-anonymized.

You didn't show anything at all about the scope and degree of unmixing, so we have nothing to say here, just more FUD.

In short, prove on-chain wrong by constructing something better. Until then you are behaving similar to the shills you hate.

Until you run the bounty algorithm on your real block chain, you don't know either how much of Cryptonote anonymity is being de-anonymized by overly overlapped rings.

If on balance, you consider that Cryptonote can never scale to micro payments, it seems the ship is leaning to one side.

[smooth]

That snippet from smooth was entirely FUD.

Most of my message was intended as FUD, as a sort of example lesson to show how FUD begets FUD. It isn't helpful.

Build (or fully describe) something, then we can analyze it.

well you can't because you don't know my designs

Exactly!

you will learn that when I make a statement like that, it has been vetted.

Did you really just appeal to yourself as an authority?

Show your work.

[YouWillBeProvenWrong]

And Tor (and I2P) anonymity is not well characterized mathematically. Many argue they are not reliably anonymous. So if you argue against off chain mixing, you fail to note that your on chain depends on your off chain IP obfuscation, so your entire thesis of defense collapses in a house of cards.

You have made no point.

I made a very strong non-FUD point, which is off chain can layer multiple encryption. On chain just adds vulnerability and costs us a lot in terms of targeting mass adopted design factors.

[smooth]

So if you argue against off chain mixing, you fail to note that your on chain depends on your off chain IP obfuscation, so your entire thesis of defense collapses in a house of cards.

The two are complementary. Even Bitcoin can be used with Tor, etc. But even if Tor, etc. are assumed to be totally bulletproof, that does not provide any protection against blochchain analysis.

Cryptonote can be viewed as Bitcoin with defense to blockchain analysis added. Other existing solutions attempt to do that with masternodes, network peers, etc. I think our approach that relies on cryptography rather than shuffling data around the Internet between various nodes is easier to analyze and therefore more likely to actually deliver what it promises. (Though, as always, no 100% guarantees in life.)

Other approaches that are distinct from both Cryptonote and current off-chain mixers may also be useful, or even potentially (much) better, but Cryptonote is here now. That is worth a lot and even in its current rough (but rapidly improving) form, improves greatly on Bitcoin with respect to privacy.

On chain just adds vulnerability

Okay, now it is pretty clear that you are "selling" your approach. It may not be what you intend, but that's how it is coming off.

Go build it. A demo is worth 1000 posts.

[YouWillBeProvenWrong]

So if you argue against off chain mixing, you fail to note that your on chain depends on your off chain IP obfuscation, so your entire thesis of defense collapses in a house of cards.

The two are complementary.

Logic fail.

Long ago you and I discussed in public that linking together transactions if your IP conveys your identity thus breaks down the anonymity of rings. That was when you guys decided to add I2P because I informed you about that problem.

[YouWillBeProvenWrong]

So if you argue against off chain mixing, you fail to note that your on chain depends on your off chain IP obfuscation, so your entire thesis of defense collapses in a house of cards.

The two are complementary.

Logic fail.

That was when you guys decided to add I2P because I informed you about that problem.

Thats why anoncoin decided too? lol

Actually you will find I was the apparently the first to publicly raise their awareness of the timing analysis type weaknesses in Tor (and thus by implication I2P). Summer or Autumn of 2013.

[smooth]

Long ago you and I discussed in public that linking together transactions if your IP conveys your identity thus breaks down the anonymity of rings. That was when you guys decided to add I2P because I informed you about that problem.

1. Thank you for whatever constructive suggestions you make to improve the product. I'm not even sure whether your input was instrumental in starting the I2P effort -- that was something that fluffpony was behind -- not me. But if it was, then thank you. We welcome constructive input from anyone.

2. You're confusing linking and tracing. The purpose of ring signatures is to impede tracing. Linking can be avoided even in Bitcoin just by not reusing addresses (though is more convenient in Monero). Tracing can't be done at all via IP-level attacks, as far as I can tell, since the blockchain is effectively broadcast. No one can know from analyzing your network activity which transactions you are receiving, only which ones you send.

[YouWillBeProvenWrong]

Long ago you and I discussed in public that linking together transactions if your IP conveys your identity thus breaks down the anonymity of rings. That was when you guys decided to add I2P because I informed you about that problem.

...

2. You're confusing linking and tracing. The purpose of ring signatures is to impede tracing. Linking can be avoided even in Bitcoin just by not reusing addresses (though is more convenient in Monero). Tracing can't be done at all via IP-level attacks, as far as I can tell, since the blockchain is effectively broadcast. No one can know from analyzing your network activity which transactions you are receiving, only which ones you send.

We had this same exact discussion publicly long ago, but at that time I hadn't yet conceived the bounty algorithm.

You know who the spender is of the transaction, you break them. Even though you don't know which public key corresponds to which person's identity (but you know that too if users want to use lite clients!), by linking together multiple rings spent from the same person, you can break down the rings by cross-correlation. It is similar to the bounty algorithm concept, but will converge absolutelywith higher certainty if you know every IP address. Or if you only know some of them, it will aid my bounty algorithm as more information for de-anonymizing the rings.

On chain just adds vulnerability

Okay, now it is pretty clear that you are "selling" your approach.

No it was a factual statement, not even FUD.

It is not fair to criticize me for not rushing to release some anonymity design that is not well characterized, if you simultaneously criticize DRK for rushing and releasing anonymity design that is not well characterized.

Also you know I've asked for implementation help.

Edit: the point is you can't claim (you haven't proven) rings add anything over off chain. And they apparently can't efficiently layer multiple encryption.

I do find rings more well understood than DRK mysterious "masternodes". But that doesn't mean I am saying CN rings are extremely well characterized. Overlapping rings and IP tracing can de-anonymize the rings with cross-correlation. None of this is proven affirmatively or disproven.

[smooth]

You know who the spender is of the transaction, you break them.

IP tracing doesn't help you here. There is no way to know which of the one-time keys in a ring correspond to "you" (the IP user). You need to know the spender in terms of a one-time key pair (or identified transaction on the blockchain -- equivalent). So no IP tracing doesn't break rings.

[YouWillBeProvenWrong]

You know who the spender is of the transaction, you break them.

IP tracing doesn't help you here. There is no way to know which of the one-time keys in a ring correspond to "you" (the IP user).

Re-read my post. Apparently you didn't read it.

[YouWillBeProvenWrong]

Also here is some vaporware...

...there is some design with off chain, where the anonymity mix is never sent to the internet.

 

As for authority and believing each other's undocumented (secret) claims, remember you long ago assured me that is possible to prune CN rings with a certain design. I have since I think stumbled onto what that design would be. Conversely, you can choose to believe me or not.