Cross-posting...

It isn't a pathetic argument. One of the advantages of a distributed ledger is that it is broadcast. Thus it is impossible to tell who is reading it. That adds a lot of anonymity right there, compared to solutions that involve some sort of routing. Because any sort of routing is a big red arrow pointing right at you. A lot of the snake oil coins rely on randomizing a bunch of stuff ("pick random nodes!") and claim that works because it sounds secure to non-experts, but without carefully thinking about the range of possible attacks such as sybil attacks or economic attacks on the nodes.

A distributed ledger system by its effectively broadcast nature removes even the possibility of any or all of these "nodes" being compromised.

Why would you risk it?

It's an interesting version of FUD you guys have come up with to attack Monero. I commend you for your creativity. "It's all public so it can't be anonymous!" "Someone will crack it!"

BTW, most or all internet traffic is probably being logged right now by the NSA and probably others. Almost certainly anything encrypted is. It is not a sound assumption to think that ANYTHING you send out to the internet won't exist forever and can't eventually be cracked. At least with a public ledger, many more people will be trying to crack it and one of them might tell you if he succeeds, at which point you can take remedial action. All that TLA stuff happens in secret -- it might be cracked and you continue to use it for 30 years, although honestly I strongly believe that most of the amateur-hour efforts that pass for "anonymous coins" are likely cracked from the start by the NSA and others. There is at least SOME chance that some real crypto is not fully cracked.

This is a very important point, that apparently only I can respond to adequately. So therefore I am forced to return momentarily.

True that everything sent to the internet might be recorded.

Even I cannot accuse smooth of committing a category error when he equated the statistical probability of an anonymity set (mix) with encryption. Encryption is what can be cracked over time.

Anonymity set risk (i.e. the probability that you can be identified) is constant over time, or even if it declines due to non-encryption related circumstances identifying others in your anonymity set (e.g. people confess their identities), it doesn't decline due to cracking the encryption. However every known method of creating an anonymity set requires some encryption, e.g. onion routing encrypts onion layers. Thus if you crack the encryption used to create the off chain anonymity set, and you have saved all the traffic, you have cracked the anonymity.

Nevertheless the salient rebuttal to smooth's astute point is:

1. Cryptonote's (and Zerocash's) encryption is not based on known quantum proof algorithms. Moreover, if we consider the 2013 math breakthrough I quoted which cracked the discrete logarithm for small characteristics, we see that math direction has no applicability to McEliece quantum computing proof encryption. It is not an unreasonable assumption that the entropy of McEliece is *exponentially* higher, because the public keys are on the order of 65,535 bytes and the modeled security level (e.g. 128-bit) scales to key size much more exponentially than for discrete logarithm or elliptic curve based public key cryptography. Thus I am positing to you that in addition to the quantum proof attribute, the **time horizon for cracking McEliece with math could reasonably be argued to likely be exponentially longer** than for the encryption used in Cryptonote and all other feasible on chain anonymity.

Currently I know of no research for quantum proof one-time ring signatures (only regular ring signatures and nothing like the Zero Knowledge proof needed for making them one-time) and even if it is invented, the key sizes are apparently going to be 10 - 100X larger than the already bloated Cryptonote ring signatures. So even if we find clever ways to prune or compress the hypothetical quantum proof Cryptonote block chain, the insurmountable problem remains that the bandwidth requirements on the network will explode and you can just forget any hope of micro payments, i.e. social networking widescale adoption. That hope is already dubious with the existing bloat of non-quantum proof Cryptonote, and not just because of the bloated rings sent over the network, but also because lite clients break the unlinkability.

So whereas McEliece encryption cannot be feasible with on chain anonymity, it is feasible for off chain because the large public keys don't need to be transmitted with every transaction (and mining share!) nor stored with the block chain.

**Thus an off chain anonymity system could use multiple types of encryption layered, so if all but one is broken the anonymity is not.**

2. Whereas with Cryptonote (and Zerocash) what needs to be unencrypted is neatly compressed with complete organization on the block chain, off chain routing can create mazes of extreme complexity. In the asymptotic case, the authorities would need to cross correlate every encrypted packet ever sent on the internet. In other words, the computational requirements can be beyond any feasible computer projected many decades into the future, even if they crack the encryption. I am not saying all off chain systems mix this widely, but it is a conceptually valid distinction.

3. Cryptonote has no IP obfuscation built in (yet), thus unless you are using Tor with it, the on chain anonymity is already cracked. Which means even if you use Tor, if the others in your anonymity set ring didn't use Tor, then you are de-anonymized. And even when Cryptonote adds I2P or Tor support by default, it isn't planned to be supported for mining, and those low-latency mixnets are shown in research to be vulnerable to timing analysis. There are mathematically characterized better designs for IP obfuscation for crypto-currency than I2P and Tor.

4. Smooth will know what I am talking about when I say there is a tension in Cryptonote between the anonymity set group size and the efficiency of any future pruning feature. Off chain anonymity doesn't have this dilemma (inefficiency) which again is another contributing factor of probably restricting on chain anonymity to low adoption as a currency (no way you will do micro payments for social media). And as NewLiberty borrowed from my past points, if you don't have a widely adopted currency, then you don't have a large anonymity set. Also without a widely adopted anonymous currency, then you have to convert to a non-anonymous currency to pay for things (which blows up Smoothie's nonsense about all users must jump through hoops).

5. You won't get decentralized mining without off chain anonymity.

So again I reiterate, why risk it with on chain anonymity when there can be designs that are exponentially more secure with your anonymity into the future?

P.S. I agree with smooth and others that the anonymity model of DRK (and Neo and Cloak, etc) is not well defined. There is no scholarly whitepaper characterizing the math of their system. Thus in the current predicament, I can understand why scholarly people trust Cryptonote more. I certainly do too.

Edit:

6. The claim that Cryptonote has a larger anonymity set because it can mix from the entire history of the block chain, whereas CoinJoin has a simultaneity constraint, is not true because to be prunable the rings must be restricted to small groups, and as I showed in my bounty algorithm upthread, if you allow widely overlapping mixing then the rings can in theory be de-anonymized.
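To make point 6 (and the ring-size/pruning tension of point 4) concrete, here is an added illustration that is not part of the original post, not the poster's bounty algorithm, and not Cryptonote or Monero code. It models each one-time ring signature as a set of candidate outputs of which exactly one is really spent, applies the one-spend rule (an output that is the sole candidate of some ring is known to be spent there, so it cannot be the real input of any other ring), and iterates that elimination until nothing changes. The ring and output identifiers are constructed sample data; the `effective_sizes` metric is the number a wallet or protocol designer would want to track, since it is the anonymity set that actually survives overlap, not the nominal ring size.

```python
"""
Added illustration of anonymity-set erosion from overlapping rings.
Model assumptions (not Cryptonote/Monero code):
  - a ring is a set of candidate output ids; exactly one is the real input
  - every output can be spent at most once (the key-image rule)
  - ring and output ids below are constructed sample data
"""
from typing import Dict, Set, Tuple

# Constructed sample: ring id -> candidate outputs. tx1 is a ring of size 1
# (a "zero mixin" spend), which is the seed that lets neighbours collapse.
RINGS: Dict[str, Set[str]] = {
    "tx1": {"o1"},                 # size 1: o1 is trivially known spent here
    "tx2": {"o1", "o2"},           # o1 already spent -> o2 must be the real input
    "tx3": {"o2", "o3", "o4"},     # o2 spent -> {o3, o4} remain
    "tx4": {"o3", "o5"},           # no member resolved -> stays at 2
    "tx5": {"o4", "o6", "o7"},     # stays at 3
    "tx6": {"o8", "o9", "o10"},    # disjoint from every known spend: stays at 3
}


def eliminate(rings: Dict[str, Set[str]]) -> Tuple[Dict[str, Set[str]], Dict[str, str]]:
    """Iterated elimination under the one-spend rule.

    Returns (remaining, resolved): remaining maps each ring to the candidate
    outputs that are still plausible real inputs; resolved maps each output
    whose spending ring became certain to that ring.  Terminates because an
    output is resolved at most once and is removed from a ring at most once.
    """
    remaining = {r: set(cands) for r, cands in rings.items()}
    resolved: Dict[str, str] = {}
    changed = True
    while changed:
        changed = False
        # Pass 1: any ring reduced to a single candidate reveals a spent output.
        for r, cands in remaining.items():
            if not cands:
                # Two rings cannot both have the same sole candidate; the
                # input data violates the one-spend assumption.
                raise ValueError(f"{r}: candidate set emptied, inputs inconsistent")
            if len(cands) == 1:
                (out,) = tuple(cands)
                if out not in resolved:
                    resolved[out] = r
                    changed = True
        # Pass 2: a known-spent output is not a plausible input anywhere else.
        for r, cands in remaining.items():
            for out, spent_in in resolved.items():
                if spent_in != r and out in cands:
                    cands.discard(out)
                    changed = True
    return remaining, resolved


def effective_sizes(rings: Dict[str, Set[str]]) -> Dict[str, int]:
    """Surviving anonymity-set size per ring after elimination."""
    remaining, _ = eliminate(rings)
    return {r: len(cands) for r, cands in remaining.items()}


if __name__ == "__main__":
    remaining, resolved = eliminate(RINGS)
    for r in RINGS:
        print(f"{r}: nominal {len(RINGS[r])} -> effective {len(remaining[r])}")
    print("known spends:", resolved)
```

Running it shows tx1 and tx2 fully resolved and tx3 cut from three candidates to two, while the disjoint ring tx6 keeps its full size. That is the trade-off behind points 4 and 6: small rings drawn from a bounded window are what make pruning tractable, but the more rings share members, the more a single degenerate ring propagates, so the nominal ring size overstates the anonymity actually delivered.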