Bitcoin Forum
Author Topic: I have come to the conclusion that "on chain anon" defeats the purpose.  (Read 2764 times)
#21 ed_teech (Hero Member), October 08, 2014, 10:41:20 AM


> 1. All crypto will be cracked eventually, it is just a matter of time. First we have key length requirements increase over time:
>
> http://www.keylength.com/en/compare/
>
> 2. Next we have IBM's head of research for quantum computing (with a $3 billion budget) expecting that quantum computing will arrive in 10 - 15 years. All the crypto-currencies to date use crypto that can be cracked with a sufficiently powerful quantum computer. May not happen in 10 years, but eventually it will.

Maybe if there is a way to re-encrypt the whole blockchain with stronger encryption over time, past anonymity is not endangered by computational advances. Just an idea that flew through my mind.
#22 TheFascistMind (Newbie), October 08, 2014, 11:04:53 AM


>> 1. All crypto will be cracked eventually, it is just a matter of time. First we have key length requirements increase over time:
>>
>> http://www.keylength.com/en/compare/
>>
>> 2. Next we have IBM's head of research for quantum computing (with a $3 billion budget) expecting that quantum computing will arrive in 10 - 15 years. All the crypto-currencies to date use crypto that can be cracked with a sufficiently powerful quantum computer. May not happen in 10 years, but eventually it will.
>
> Maybe if there is a way to re-encrypt the whole blockchain with stronger encryption over time, past anonymity is not endangered by computational advances. Just an idea that flew through my mind.

It has already been seen that you can't increase the encryption strength: somebody stored a copy.
#23 smoothie (Legendary), October 08, 2014, 12:23:23 PM

>> Think about it. The fact that we are relying on public information with a twist to be secure is not the answer.
>
> Interesting that I was making the same point today in private communication before I had seen your thread.
>
> 1. All crypto will be cracked eventually, it is just a matter of time. First we have key length requirements increase over time:
>
> http://www.keylength.com/en/compare/
>
> 2. Next we have IBM's head of research for quantum computing (with a $3 billion budget) expecting that quantum computing will arrive in 10 - 15 years. All the crypto-currencies to date use crypto that can be cracked with a sufficiently powerful quantum computer. May not happen in 10 years, but eventually it will.
>
> 3. There was a recent breakthrough in math for factoring which hints at the remote possibility in the future of a potential crack of the basic math used for all existing crypto-currencies (that use elliptic curve or RSA cryptography):
>
> http://cacm.acm.org/news/170850-french-team-invents-faster-code-breaking-algorithm/fulltext#body-3

>> By your logic "it's not secure, it will eventually be cracked" then private/public keys are in the same boat, no?
>
> Yes but not the same threat. Cracking ancient spent private keys harms no one, thus no problem with keeping transactions on the block chain. Cracking ancient anonymity potentially harms up to and including everyone, thus IMO an unacceptable risk of keeping the correlation of the outputs and inputs (the anonymity mix) of a mixing transaction on the block chain.

>> I don't see a future in ring signatures
>
> Do investors realize that Cryptonote can't run lite clients without destroying their unlinkability, because you have to publish the "tracking key" to delegate the search for received payments if you did not download the full block chain.
>
> But publishing that "tracking key" breaks the unlinkability:
>
> https://cryptonote.org/whitepaper.pdf#page=8
>
> "If Bob wants to have an audit compatible address where all incoming transaction are linkable, he can either publish his tracking key...In both cases every person is able to “recognize” all of Bob’s incoming transaction"
>
> Edit: the "Trading off anonymity set size for decreased bandwidth/CPU" section in the following paper hints at a solution where only a portion of the block chain needs to be downloaded in exchange for reduced anonymity set size, but afaik this is not in Cryptonote and I did not analyze how or if it can be integrated (and off the top of my head, I think this might further reduce anonymity sets in intersection with a potential block chain pruning design for Cryptonote):
>
> http://sourceforge.net/p/bitcoin/mailman/message/31813471/

With enough time and resources anything can be cracked, including Bitcoin lol

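The tracking-key point quoted in the post above, worked through as an added example; this is not code from the CryptoNote project or from anyone in this thread. It re-implements the one-time address construction from the whitepaper (P = Hs(rA)G + B, where (a, A) is the view/tracking pair and (b, B) the spend pair) on secp256k1 with textbook affine point arithmetic and SHA-256 as the hash-to-scalar. CryptoNote itself uses ed25519 and Keccak, so the curve, the hash and every key and function name here are assumptions made for the demonstration. What it shows is that whoever holds the tracking key (a, B) recognises every output paid to Bob, which is exactly the linkage a lite-client server acquires, while the spend key b is still needed to produce a private key for the output.

```python
"""Stealth-address scan with a published tracking (view) key.

Added example, not code from the CryptoNote project or from this thread.
Assumptions: secp256k1 instead of ed25519, SHA-256 instead of Keccak for the
hash-to-scalar Hs(), and the key/function names below.
"""
import hashlib
import secrets

# secp256k1 domain parameters
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p1, p2):
    """Affine point addition; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                       # p1 == -p2
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, P - 2, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, P - 2, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, point):
    """Double-and-add scalar multiplication (not constant time; demo only)."""
    result, addend = None, point
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def hash_to_scalar(point):
    """Hs(): hash a curve point to a scalar modulo the group order."""
    data = point[0].to_bytes(32, "big") + point[1].to_bytes(32, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def keygen():
    """(a, A) is the tracking/view pair, (b, B) the spend pair."""
    a = secrets.randbelow(N - 1) + 1
    b = secrets.randbelow(N - 1) + 1
    return {"a": a, "b": b, "A": ec_mul(a, G), "B": ec_mul(b, G)}


def send(recipient_pub):
    """Sender: one-time output key P = Hs(rA)G + B; (R, P) go on chain."""
    A, B = recipient_pub
    r = secrets.randbelow(N - 1) + 1
    R = ec_mul(r, G)
    derivation = hash_to_scalar(ec_mul(r, A))
    return R, ec_add(ec_mul(derivation, G), B)


def scan(tracking_key, output):
    """Whoever holds the tracking key (a, B) can tell if an output is Bob's.

    aR == arG == rA, so the scanner recomputes the sender's derivation scalar.
    This is the delegation a lite client performs, and it links every payment.
    """
    a, B = tracking_key
    R, P_out = output
    derivation = hash_to_scalar(ec_mul(a, R))
    return ec_add(ec_mul(derivation, G), B) == P_out


def one_time_private_key(a, b, R):
    """Spending needs the spend key too: x = Hs(aR) + b, so that xG == P."""
    return (hash_to_scalar(ec_mul(a, R)) + b) % N


def demo():
    """Returns (Bob's tracking key recognises it, Carol's does, Bob can spend)."""
    bob, carol = keygen(), keygen()
    R, P_out = send((bob["A"], bob["B"]))
    seen_by_bob_server = scan((bob["a"], bob["B"]), (R, P_out))
    seen_by_carol_server = scan((carol["a"], carol["B"]), (R, P_out))
    x = one_time_private_key(bob["a"], bob["b"], R)
    return seen_by_bob_server, seen_by_carol_server, ec_mul(x, G) == P_out
```

scan() is what a lite-client server runs on Bob's behalf once he hands it (a, B); that it answers True for Bob's outputs and False for Carol's is the linkability the whitepaper passage describes. one_time_private_key() is the step the server cannot perform, because it needs b.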
 
#24 TheFascistMind (Newbie), October 08, 2014, 12:30:01 PM

>>> By your logic "it's not secure, it will eventually be cracked" then private/public keys are in the same boat, no?
>>
>> Yes but not the same threat. Cracking ancient spent private keys harms no one, thus no problem with keeping transactions on the block chain. Cracking ancient anonymity potentially harms up to and including everyone, thus IMO an unacceptable risk of keeping the correlation of the outputs and inputs (the anonymity mix) of a mixing transaction on the block chain.
>
> With enough time and resources anything can be cracked, including Bitcoin lol

Irrelevant, Bitcoin doesn't put anonymity on the block chain. Please re-read my quoted point above more carefully.
#25 TheFascistMind (Newbie), October 08, 2014, 12:41:14 PM (last edit: October 08, 2014, 01:23:03 PM by TheFascistMind)

Cross-posting...

>> 1. You can't increase the key size of the historic chain.
>> 2. Cracking historically spent coins is not a threat. The threat is cracking anonymity history at any time in the future.
>> 3. The crack threats are not just due to key length. Key length won't help you in some cases against math discoveries, and certainly won't help against quantum computers.
>> 4. Your heirs won't be dead in 10 - 15 years (or less or slightly more).
>> 5. Why risk it when there are possible designs where you don't have to.
>>
>> And those aren't the only inefficiencies in Cryptonote that can be eliminated with other possible designs.
>>
>> As I wrote upthread, I never understood why people were so quick to jump on Cryptonote as the Holy Grail of anonymity.
>
> Math discoveries in SOME cases, lol, okay, like what?
>
> Just because there is a way to somewhat shorten the amount of time it may take to crack a key or anonymity doesn't mean that it can't be mitigated in a simple way such as using a longer key length.

Perhaps you forgot about the discovery of differential cryptanalysis that rendered all 1970s and 1980s crypto cracked (and no one knew it!).

Can't you read?

http://cacm.acm.org/news/170850-french-team-invents-faster-code-breaking-algorithm/fulltext#body-3

> The Future
>
> Barbulescu says the research group has considered trying to push its ideas to medium- and large-characteristic systems, "but there is a huge difficulty porting this algorithm to these other cases," he says. "But if we were able to extend it to large characteristic, then it would be an earthquake in cryptography because every time there is an improvement in discrete logarithm, there is a corresponding improvement in factorization (RSA), because the problems are similar."
>
> Meanwhile, though, existing RSA-based systems should be considered secure. "There are some buzz articles floating around on the Web saying that this is the endgame for RSA," Thomé says. "It is wrong to say that."
>
> The University of Waterloo's Menezes says he is not aware of any cryptosystems in use today that are suddenly at risk because of the work by the French team. However, he warns, "There will be faster algorithms, better implementations of the existing algorithm perhaps through special-purpose hardware, and better analysis. Maybe the algorithms are faster than we think they are."

Why can't you understand that once it is broken, you can't go back and hide the history on the block chain?

Whatever you've already released to the block chain is never going to get more secure. It WILL BE CRACKED SOMEDAY.

That is why you do not put your anonymity on the block chain. Mix your inputs and outputs off chain, then put that in a transaction on the block chain (i.e. use CoinJoin).

Then the anonymity can never be cracked in the way it can be on chain with Cryptonote's ring signatures and Diffie-Hellman one-time private keys.

I hope I don't have to explain that again and again.

> Just because someday it could be cracked doesn't mean it will be cracked; you act as if everyone out there is gunning to destroy anonymity technology.
>
> Sorry, but if it takes 10 or 20 or 100 years to be cracked, why would I really care? In that time I would likely have moved from one address to another and traded into and out of XMR or another CN coin, or I would in the worst case be dead.
>
> Anonymity has 0 value to me once I am dead and gone from this world.
>
> With enough time and resources anything can be cracked.... No surprise there lol

Why risk it when you don't have to? There are designs that don't risk it.

You can't predict when the crack will occur. It could be within a year or 20 years. But 100 years is much less likely. Think about what technology was like 100 years ago.

> BCX, he isn't the sharpest tool in the shed.
>
> You underestimate the power of cross chain transactions that aren't linked to any exchange.
>
> Especially if the deal is done while in person where the correspondence of the trade is not recorded anywhere on the internet.

You are only thinking of yourself. Most people don't jump through hoops. They use a product and expect it to deliver what it promised as its main feature.

If you can scare most of the people by attacking the low hanging fruit, society pisses on that coin forever after.

Edit: and as a developer, I don't want to be responsible for millions of people being subjected to State wrath some years from now.

You are asking me to be INTENTIONALLY cavalier, irresponsible and careless as a developer.
#26 robinwilliams (Member), October 08, 2014, 02:18:31 PM

> 2. Next we have IBM's head of research for quantum computing (with a $3 billion budget) expecting that quantum computing will arrive in 10 - 15 years. All the crypto-currencies to date use crypto that can be cracked with a sufficiently powerful quantum computer. May not happen in 10 years, but eventually it will.

I do have a question about this (for some fun reason I was reading a drug dealer black market subreddit the other day about bitcoin being "anonymous enough"). Is it the kind of deal where one quantum computer spends one year and breaks three addresses' anonymity? Or one computer spends a year and breaks the entire chain's anonymity?

#27 xulescu (Sr. Member), October 08, 2014, 05:08:28 PM

I'm gonna go out on a limb and put practical quantum computers in the same box with practical cold fusion and room temperature superconductors. It's happening in the next 10-20 years for the last 50 years or so.
#28 Chris001 (Sr. Member), October 08, 2014, 05:33:52 PM

Don't tell me that some of you cryptonote guys have pushed your argument to the point that barring quantum computers you are in the clear.

This is why I support Neos. I am really big on it. I have been trying to yell it from the damn rooftops if you haven't noticed me around.

I have respect for what you are trying to do and all of your hard work. It is just dangerous. 

#29 Chris001 (Sr. Member), October 08, 2014, 05:35:38 PM

>>>> By your logic "it's not secure, it will eventually be cracked" then private/public keys are in the same boat, no?
>>>
>>> Yes but not the same threat. Cracking ancient spent private keys harms no one, thus no problem with keeping transactions on the block chain. Cracking ancient anonymity potentially harms up to and including everyone, thus IMO an unacceptable risk of keeping the correlation of the outputs and inputs (the anonymity mix) of a mixing transaction on the block chain.
>>
>> With enough time and resources anything can be cracked, including Bitcoin lol
>
> Irrelevant, Bitcoin doesn't put anonymity on the block chain. Please re-read my quoted point above more carefully.

THIS^^^

AND THIS    V V V


#30 YouWillBeProvenWrong (Newbie), October 08, 2014, 11:49:51 PM (last edit: October 09, 2014, 12:11:56 AM by YouWillBeProvenWrong)

Cross-posting...

> It isn't a pathetic argument. One of the advantages of a distributed ledger is that it is broadcast. Thus it is impossible to tell who is reading it. That adds a lot of anonymity right there, compared to solutions that involve some sort of routing. Because any sort of routing is a big red arrow pointing right at you. A lot of the snake oil coins rely on randomizing a bunch of stuff ("pick random nodes!") and claim that works because it sounds secure to non-experts, but without carefully thinking about the range of possible attacks such as Sybil attacks or economic attacks on the nodes.
>
> A distributed ledger system by its effectively broadcast nature removes even the possibility of any or all of these "nodes" being compromised.
>
>> Why would you risk it?
>
> It's an interesting version of FUD you guys have come up with to attack Monero. I commend you for your creativity. "It's all public so it can't be anonymous!" "Someone will crack it!"
>
> BTW, most or all internet traffic is probably being logged right now by the NSA and probably others. Almost certainly anything encrypted is. It is not a sound assumption to think that ANYTHING you send out to the internet won't exist forever and can't eventually be cracked. At least with a public ledger, many more people will be trying to crack it and one of them might tell you if he succeeds, at which point you can take remedial action. All that TLA stuff happens in secret -- it might be cracked and you continue to use it for 30 years, although honestly I strongly believe that most of the amateur-hour efforts that pass for "anonymous coins" are likely cracked from the start by the NSA and others. There is at least SOME chance that some real crypto is not fully cracked.

This is a very important point, that apparently only I can respond to adequately. So therefore I am forced to return momentarily.

True that everything sent to the internet might be recorded.

Even I can not accuse smooth of committing a category error when he equated the statistical probability of an anonymity set (mix) with encryption. Encryption is what can be cracked over time.

Anonymity set risk (i.e. the probability that you can be identified) is constant over time, or even if it declines due to non-encryption related circumstances identifying others in your anonymity set (e.g. people confess their identities), it doesn't decline due to cracking the encryption. However every known method of creating an anonymity set requires some encryption, e.g. onion routing encrypts onion layers. Thus if you crack the encryption used to create the off chain anonymity set, and you have saved all the traffic, you have cracked the anonymity.

Nevertheless the salient rebuttal to smooth's astute point is:

1. Cryptonote's (and Zerocash's) encryption is not based on known quantum proof algorithms. Moreover, if we consider the 2013 math breakthrough I quoted which cracked the discrete logarithm for small characteristics, we see that math direction has no applicability to McEliece quantum computing proof encryption. It is not an unreasonable assumption that the entropy of McEliece is exponentially higher, because the public keys are on the order of 65,535 bytes and the modeled security level (e.g. 128-bit) scales to key size much more exponentially than for discrete logarithm or elliptic curve based public key cryptography. Thus I am positing to you that in addition to the quantum proof attribute, the time horizon for cracking McEliece with math could reasonably be argued to likely be exponentially longer than for the encryption used in Cryptonote and all other feasible on chain anonymity.

Currently I know of no research for quantum proof one-time ring signatures (only regular ring signatures and nothing like the Zero Knowledge proof needed for making them one-time) and even if it is invented, the key sizes are apparently going to be 10 - 100X larger than the already bloated Cryptonote ring signatures. So even if we find clever ways to prune or compress the hypothetical quantum proof Cryptonote block chain, the insurmountable problem remains that the bandwidth requirements on the network will explode and you can just forget any hope of micro payments, i.e. social networking widescale adoption. That hope is already dubious with the existing bloat of non-quantum proof Cryptonote, and not just because of the bloated rings sent over the network, but also because lite clients break the unlinkability.

So whereas McEliece encryption can not be feasible with on chain anonymity, it is feasible for off chain because the large public keys don't need to be transmitted with every transaction (and mining share!) nor stored with the block chain. Thus an off chain anonymity system could use multiple types of encryption layered, so if all but one is broken the anonymity is not.


2. Whereas with Cryptonote (and Zerocash) what needs to be unencrypted is neatly compressed with complete organization on the block chain, off chain routing can create mazes of extreme complexity. In the asymptotic case, the authorities would need to cross correlate every encrypted packet ever sent on the internet. In other words, the computational requirements can be beyond any feasible computer projected many decades into the future, even if they crack the encryption. I am not saying all off chain systems mix this widely, but it is a conceptually valid distinction.


3. Cryptonote has no IP obfuscation built in (yet), thus unless you are using Tor with it, the on chain anonymity is already cracked. Which means even if you use Tor, if the others in your anonymity set ring didn't use Tor, then you are de-anonymized. And even when Cryptonote adds I2P or Tor support by default, it isn't planned to be supported for mining, and those low-latency mixnets are shown in research to be vulnerable to timing analysis. There are mathematically characterized better designs for IP obfuscation for crypto-currency than I2P and Tor.


4. Smooth will know what I am talking about when I say there is a tension in Cryptonote between the anonymity set group size and the efficiency of any future pruning feature. Off chain anonymity doesn't have this dilemma (inefficiency) which again is another contributing factor of probably restricting on chain anonymity to low adoption as a currency (no way you will do micro payments for social media). And as NewLiberty borrowed from my past points, if you don't have a widely adopted currency, then you don't have a large anonymity set. Also without a widely adopted anonymous currency, then you have to convert to a non-anonymous currency to pay for things (which blows up Smoothie's nonsense about all users must jump through hoops).


5. You won't get decentralized mining without off chain anonymity.


So again I reiterate, why risk it with on chain anonymity when there can be designs that are exponentially more secure with your anonymity into the future?


P.S. I agree with smooth and others that the anonymity model of DRK (and Neo and Cloak, etc) is not well defined. There is no scholarly whitepaper characterizing the math of their system. Thus in the current predicament, I can understand why scholarly people trust Cryptonote more. I certainly do too.


Edit:

6. The claim that Cryptonote has a larger anonymity set because it can mix from the entire history of the block chain, whereas CoinJoin has a simultaneity constraint, is not true because to be prunable the rings must be restricted to small groups, and as I showed in my bounty algorithm upthread, if you allow widely overlapping mixing then the rings can in theory be de-anonymized.
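Point 6 above, that widely overlapping rings can be de-anonymised, as an added example. This is not the bounty algorithm the post refers to (that algorithm is not reproduced on this page) and not CryptoNote or Monero code; it implements the plain intersection argument on constructed ring data, and the function names, ring ids and output ids are made up for the demonstration. A ring whose only not-yet-spent member is one output must really spend that output, that output can then be struck from every other ring that used it as a decoy, and the elimination repeats until nothing more collapses. A second, pigeonhole check marks outputs as spent even where the spending ring stays ambiguous.

```python
"""Chain-reaction elimination over overlapping ring signatures.

Added example, not the bounty algorithm the post refers to and not CryptoNote
or Monero code. It implements the plain intersection argument on constructed
ring data. Function and sample names are made up for this demo.
"""


def deanonymise_rings(rings):
    """rings: dict ring_id -> set of referenced output ids.

    Returns (resolved, unresolved): resolved maps ring_id -> the output
    identified as its real input; unresolved lists rings still ambiguous.
    Raises ValueError if a ring is left with no candidate, which cannot
    happen on a valid chain (every ring spends exactly one of its members).
    """
    spent = set()
    resolved = {}
    changed = True
    while changed:                       # repeat until no ring collapses
        changed = False
        for ring_id, members in rings.items():
            if ring_id in resolved:
                continue
            candidates = members - spent
            if not candidates:
                raise ValueError(f"ring {ring_id} has no unspent member")
            if len(candidates) == 1:
                (real,) = candidates
                resolved[ring_id] = real
                spent.add(real)          # strike it from every other ring
                changed = True
    unresolved = sorted(r for r in rings if r not in resolved)
    return resolved, unresolved


def certainly_spent(rings):
    """Outputs known to be spent even where the spending ring stays ambiguous.

    If k distinct rings all draw their members from the same k-element set,
    then by pigeonhole every output in that set has been spent, whichever
    ring spent which. Only sets equal to some ring's member set are checked,
    so this is a partial test that complements deanonymise_rings().
    """
    spent = set()
    for members in rings.values():
        inside = sum(1 for other in rings.values() if other <= members)
        if inside >= len(members):
            spent |= members
    return spent


# Constructed sample: heavily overlapping decoy choices, the situation the
# post warns about. tx1 uses no decoys at all and starts the chain reaction.
OVERLAPPING = {
    "tx1": {"out_a"},
    "tx2": {"out_a", "out_b"},
    "tx3": {"out_a", "out_b", "out_c"},
    "tx4": {"out_b", "out_c", "out_d"},
}

# Constructed sample: two rings over the same two outputs. Both outputs are
# certainly spent, but neither ring can be attributed to one of them.
SYMMETRIC = {
    "tx5": {"out_x", "out_y"},
    "tx6": {"out_x", "out_y"},
}

if __name__ == "__main__":
    print(deanonymise_rings(OVERLAPPING))
    print(deanonymise_rings(SYMMETRIC), certainly_spent(SYMMETRIC))
```

On the OVERLAPPING sample every ring resolves, because each ring's decoys were all already identified as other rings' real spends. On the SYMMETRIC sample neither ring resolves, but certainly_spent() still shows both outputs are gone, which is the kind of partial leak that an anonymity set size alone does not capture.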