On Fungibility, Bitcoin, Monero and why ZCash is a bad idea (weuse.cash)
78 points by Expez on June 9, 2016 | hide | past | favorite | 42 comments



This is a very one-sided discussion which makes it seem like it was written by a person who wants Monero's value to rise. It doesn't mention any drawbacks of Monero - like poor scalability - that block its wide adoption. There's also a good deal of FUD around Dash and Zcash, which has been quickly refuted on reddit [1].

Apart from that I liked this post and it shone some light on issues I wasn't aware of.

[1] https://www.reddit.com/r/btc/comments/4nai1r/on_fungibility_...


Note that Monero's scalability problem also exists in Zcash - an indefinitely growing list of spent tokens; if scalability is a drawback of Monero it's a drawback for Zcash.


An indefinitely growing list of spent transactions is the least of Monero's scaling issues. Monero doesn't scale to large anonymity sets.

Monero uses CryptoNote's ring signature approach, which scales linearly with the number of coins you want to mix with. Want to fully mix 1,000 coins together? You need a 30kb transaction[0]. You chunk those coins into smaller mixing sets, but then they aren't fully mixed. In anything using this approach, your anonymity set is limited by what you can transmit across the network in any given transaction or a small set of transactions. I've never seen an exact proposal for mixing tx size and I'd be very interested to see one, but if it was more than 100 coins per tx I'd be surprised.

In ZCash, transactions are constant size and are fully mixed with every other coin in the current anonymity set.

Both approaches do have the indefinitely growing list of spent tokens issue. Which in practice means you need to move coins into a new anonymity set after e.g. 2^32 serial numbers and throw away the old coins and spent serial number list[1]. So there is an inherent limit on the maximal anonymity set you get out of any anonymous ecash scheme. Zerocash hits that limit. Due to its per transaction scaling issues, CryptoNote simply can't.

As a result, in ZCash, your coin is hidden amongst all the coins in the maximal anonymity set. In Cryptonote/Monero, it's hidden amongst a far smaller fraction of that set. In Monero, you are far less anonymous. All things being equal, you want to be more anonymous.

Of course, all other things are not equal. There are merits to both Zerocash and CryptoNote on a technical level, but scalability isn't where CryptoNote shines.

[0] Assume one group element per signature in the ring at 32 bytes per element. The real scheme is likely worse.

[1] There are more sophisticated approaches that can be used.


> In Cryptonote/Monero, it's hidden amongst a far smaller fraction of that set.

Just wanted to point out that it's not that simple - what you are referring to is more like coinjoin level of anonymity. In Monero / Cryptonote, since one-time keys are used for each transaction, when you receive coins, they are in fact hidden among the entire set (which is the same anonymity level as Zerocash). The received coins can then be used as non-signers in "many" ring sigs, and so they have been possibly spent at any time for the remainder of the blockchain - the anonymity set for when a coin is spent is therefore "all" the ring sigs it is a member of, and since they remain on the blockchain indefinitely, this can therefore grow infinitely large.

Edit: I mean, it's fine to downvote, but at least providing a comment is helpful if you disagree.


That is a good point; I should have clarified I was talking about transaction scalability in general, not _anonymous_ transaction scalability.

In any case, hopefully ZK-SNARKS continue to be optimized sufficiently that there's no question about which approach is better; I know you guys have done tremendous work on achieving that goal. Thank you!


> which scales linearly with the number of coins you want to mix with. Want to fully mix 1,000 coins together? You need a 30kb transaction

Actually, it does not scale linearly, it scales logarithmically in the worst case.

If you create a transaction to send 1543 XMR, it splits it into 4 pieces: 1000, 500, 40, and 3, respectively. Each of these transactions is put into a ring signature, where the other transactions in the ring are selected from the pool of all other transactions of the same size, since the creation of the network. I'm not sure why you think that it scales linearly on the amount of coins sent.

Edit: Unless you mean, "to achieve perfect anonymity, you need to mix your coins with every other transaction of the same size, which scales linearly with the total number of transactions performed since the start of the network", in which case, yes. It is linear. But that's serious overkill, there's no reason to have a ring size that large.
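The two size arguments above (the 1,000 coins at roughly 32 bytes per ring member from the earlier comment and its footnote, and the 1543 XMR split into 1000 + 500 + 40 + 3 from this one) can be put side by side. The following is an added example, not code from the thread or from the Monero project: it implements the digit-wise denomination split the comment describes, then charges each output's ring at the footnote's 32 bytes per member. The ring size per output and the "coins per denomination" count are constructed parameters, not Monero's real values.

```python
"""Added example: CryptoNote-style denomination splitting and the ring-signature
byte cost that follows from it. Not the thread's or Monero's code.

Assumptions (constructed for illustration):
  * amounts split into single-digit multiples of powers of ten, as the comment
    describes (1543 -> 1000, 500, 40, 3);
  * one ring signature per output piece;
  * 32 bytes per ring member, the footnote's estimate (the real scheme is larger).
"""

BYTES_PER_RING_MEMBER = 32  # assumption taken from the thread's footnote [0]


def decompose(amount: int) -> list[int]:
    """Split a non-negative integer amount into pieces d * 10**k, largest first.

    decompose(1543) -> [1000, 500, 40, 3]
    The number of pieces is at most the number of decimal digits, which is why
    the per-transaction cost at a fixed ring size grows only with log10(amount).
    """
    if amount < 0:
        raise ValueError("amount must be non-negative")
    pieces = []
    place = 1
    while amount:
        digit = amount % 10
        if digit:
            pieces.append(digit * place)
        amount //= 10
        place *= 10
    return pieces[::-1]


def max_pieces(amount: int) -> int:
    """Upper bound on decompose(amount): one piece per decimal digit."""
    return len(str(amount)) if amount > 0 else 0


def ring_signature_bytes(amount: int, ring_size: int) -> int:
    """Approximate signature bytes for a transaction spending `amount` when each
    output piece is hidden in a ring of `ring_size` members (constructed model)."""
    if ring_size < 1:
        raise ValueError("ring size must be at least 1")
    return len(decompose(amount)) * ring_size * BYTES_PER_RING_MEMBER


def full_mix_bytes(coins_per_denomination: int) -> int:
    """Bytes for one output whose ring contains every other output of the same
    denomination: linear in that count, the 1,000 coins -> ~32 kB figure."""
    return coins_per_denomination * BYTES_PER_RING_MEMBER


if __name__ == "__main__":
    print("pieces for 1543:", decompose(1543))
    for amt in (3, 1543, 987654, 10_000_000):
        print(f"{amt:>10} XMR, ring size 5: {ring_signature_bytes(amt, 5):>6} bytes "
              f"({len(decompose(amt))} of at most {max_pieces(amt)} pieces)")
    print("full mix against 1,000 same-denomination outputs:",
          full_mix_bytes(1000), "bytes")
```

Running it shows both claims at once: at a fixed ring size the byte cost grows with the digit count of the amount (bounded by `max_pieces`), while hiding one piece among every same-denomination output on the chain grows linearly with that output count, which is the "perfect anonymity" case the reply concedes.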


Yes, I meant perfect anonymity.

If we consider imperfect anonymity, we need to consider more than the size of the anonymity set, we need to consider how likely it is a given coin in the anonymity set is the actual one we are hiding. This is a Bayesian thing that depends on the attacker's prior knowledge. For many coins it may be vanishingly close to zero. Which means they don't really contribute to the anonymity set. Which means you can end up with a large looking anonymity set that is equivalent to a perfect anonymity set of say 5 coins.

How big is the anonymity set for a given CryptoNote transaction? You might think it 1) clearly is at least the size of all the coins in the tx and 2) actually it's the union of those coins' anonymity sets. But what are the probabilities? I don't know. But consider a few possible issues.

If you sample the coins in the mixing set for your tx uniformly from the whole blockchain, then many of them will be very old, but the actual coin you are spending is likely new. This also applies to the sets you are taking the union of. Couple this with other issues such as long term intersection attacks, and it gets very hard to say how much anonymity you really have. Especially because we don't know what techniques the companies that are doing coin tracing have and more significantly, what third party data they are correlating with beyond just the blockchain. Perfect anonymity and very large anonymity sets are the best defense we have against this stuff.
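The "large looking anonymity set that is equivalent to a perfect anonymity set of say 5 coins" idea has a standard way to be made concrete: take the attacker's posterior over which ring member is the real spend and report 2 to the power of its Shannon entropy, the effective anonymity set size. The following is an added example, not code from the thread or from either project; the age-based prior in it is a constructed illustration of the "decoys are old, the real spend is new" observation, with a made-up half-life, not a measured model of any chain.

```python
"""Added example: effective anonymity set size of a ring under an attacker's
posterior. Not the thread's or any project's code.

effective_anonymity_set(posterior) = 2 ** H(posterior), where H is the Shannon
entropy in bits. A uniform posterior over n members gives n; a posterior that
puts all mass on k members gives k; a posterior skewed by side information gives
something in between, however large the ring looks.
"""
import math


def effective_anonymity_set(posterior):
    """Return 2**H for a non-negative weight vector (normalised internally).

    Members with zero probability contribute nothing, which is exactly the
    comment's point: a 1,000-member ring can be worth 5 members.
    """
    weights = list(posterior)
    if any(w < 0 for w in weights):
        raise ValueError("probabilities must be non-negative")
    total = sum(weights)
    if total <= 0:
        raise ValueError("posterior must have positive mass")
    entropy_bits = 0.0
    for w in weights:
        p = w / total
        if p > 0:
            entropy_bits -= p * math.log2(p)
    return 2 ** entropy_bits


def age_prior(ages_in_blocks, half_life_blocks):
    """Constructed prior: an attacker who believes the real spend is recent and
    halves the weight of a member every `half_life_blocks` of age."""
    if half_life_blocks <= 0:
        raise ValueError("half-life must be positive")
    weights = [0.5 ** (age / half_life_blocks) for age in ages_in_blocks]
    total = sum(weights)
    return [w / total for w in weights]


def demo_skewed_ring(ring_size=1000, chain_length=1_000_000, half_life=10_000):
    """Ring members sampled evenly across the chain's history, scored by age_prior.
    Returns (nominal size, effective size) so the gap can be inspected."""
    ages = [i * (chain_length // ring_size) for i in range(ring_size)]
    return ring_size, effective_anonymity_set(age_prior(ages, half_life))


if __name__ == "__main__":
    print("uniform over 1000:", round(effective_anonymity_set([1.0] * 1000), 3))
    print("5 plausible of 1000:",
          round(effective_anonymity_set([0.2] * 5 + [0.0] * 995), 3))
    nominal, effective = demo_skewed_ring()
    print(f"age-skewed prior: nominal {nominal}, effective {effective:.1f}")
```

With the constructed age prior the 1,000-member ring collapses to a few dozen effective members; which number you get depends entirely on the prior you assume for the attacker, which is why the comment's "I don't know" about the real probabilities is the honest answer, and why a uniform posterior (perfect mixing) is the only case where the nominal and effective sizes agree.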


Unsurprisingly, there exists research by the Monero Research Lab highlighting temporal association attacks and other possibilities.

https://lab.getmonero.org/pubs/MRL-0001.pdf

https://lab.getmonero.org/pubs/MRL-0004.pdf

As to your last statement: even if the supposition is that the true signer is the most recent output on the blockchain, that is nothing but an unprovable supposition, which means that Monero enables plausible deniability at the very least.

Since transactions are both unlinkable (for any two outgoing transactions it is impossible to prove they were sent to the same person) and untraceable (for each incoming transaction all possible senders are equiprobable) the anonymity set continues to grow, which makes the privacy risk cryptographically negligible.


I don't understand your terminology. What do you mean "mix 1000 coins together", and what is the use-case there?


So how do you advocate for a cryptocurrency that you truly believe in without being called a shill...or a pumper?

Monero/CryptoNote based coins offer better privacy than any other competitor. And we live in an age where that's becoming increasingly important.


Create a cryptocurrency that isn't designed to provide massive increases in wealth for early adopters?


If you're referring to Monero, can you explain how it's "designed" to provide massive increases in wealth for early adopters? Is it the volunteer contributions? Lack of ICO? Perhaps it's the fact that the current market price is lower than when the coin was released two years ago. That surely gives the early adopters an advantage....


There are plenty of early adopters who purchased Monero for several dollars each. And it languished at 30-50 cents for well over a year. And is now only ~$1.

So there's been plenty of time for anyone to be an early adopter....continuing through today and easily for months to come.

Or skip Monero altogether. Aeon, a related project, is available right now for less than 1 penny. And has been for quite some time.

So, as to your question, Done. You can be an "early adopter" right now.


Then almost by definition such a cryptocurrency is doomed to failure.


In practice, many of the gatekeepers to the layman using Bitcoin require so much documentation that anonymity should not be a major selling point. Perhaps you can acquire a few thousand USD worth that is anonymous, but trying to scale that anonymity doesn't go easily. Ironically, the needlessly growing inquisition into how I was using Bitcoin is what forced me to close my Coinbase account. They pretty much require the same information as a bank does, including photocopies of your state ID, even tax documents.

Having used a handful of the exchanges and other more casual wallets like Circle, it's obvious that the trend is towards more "security" and legitimacy by vetting users and knowing their real world identities, etc. Which can include Skype interview, scanning personal bills to prove addresses and so forth.


This is not really specific to Bitcoin, but to any player/system that is going to become popular and thus used/supported by companies and/or integrated with the rest of global infrastructure.

The laws almost everywhere (except niche jurisdictions that treat holding offshore accounts as their main industry) pretty much require you to know your customer and not be an enabler of any anonymous transfers of money - or alternatively, be treated as responsible for any "bad" money passing through you.

Any institution that would enable you to trade a scalable amount of USD for Monero or some new cryptopayment solution would also have to require the same information to know your real world identity.

Any institution that would enable you to trade a significant amount of such new cryptocurrency for USD would be required (perhaps not immediately, but definitely if/when it becomes sufficiently popular) to report that to IRS, who would then request documentation about the transactions and originators where you obtained that amount (which you surely reported when filing your taxes, didn't you?), and it doesn't really matter that much that the blockchain is anonymous since essentially you'll give them the transaction details anyway or go to jail.

If no institutions enable that, then the cryptocurrency cannot be liquid enough for everyday use, as it's not easy to trade it with other liquid currencies.


A major feature of untraceability is that exchanges can know your identity in this way, yet your transactions still remain confidential.


I'm always surprised how people seem to focus on bitcoin's alleged anonymity. It was quite clear from the beginning that bitcoin is not completely anonymous, or rather that it is not more anonymous than the internet itself is. Just as you don't have to give your name or a photocopy of your passport to register to a website, you don't have to do that either to use bitcoin. So to a degree it is anonymous, but only when compared to other payment systems like Paypal for instance.

This relative anonymity is not what attracted the vast majority of bitcoin users anyway. It was more the idea of a public, decentralized ledger.


>> it is not more anonymous than internet itself is

It's less anonymous than that. Not a 100% accurate analogy but this would be similar to having your browsing history stored in a public location mapped to your IPs.


>> your browsing history stored in a public location mapped to your IPs.

It's more anonymous than that. Most people can't change their IP, let alone generate a new IP address for every single page load.


Like I said, not the best analogy, but.... you can go through a proxy or reboot your cable modem for example and because your web site hits are not linked (contrary to blockchain txs linked back all the way to where you acquired the coins) - I'd argue that this would be more anonymous than BTC.


There are no IPs in the blockchain, are there?


There are BTC addresses tied to your wallet (in my analogy this would be an IP address) mapped to transactions with a major kicker being that the coin involved in these transactions is traceable back to where you acquired it and then back to where it was mined in the first place.

So my analogy is actually less 'severe' than the reality of the bitcoin setup.


No, but there are third-party databases that try to track the first IP seen for each transaction.


Well you could do that with any packet on the network, couldn't you? It's not specific to bitcoin. The transaction itself has no IP either.


P2P protocols like BitTorrent and Bitcoin are less private than client-server protocols. A random grad student in the Netherlands could track nearly every Bitcoin peer if they wanted to, but they can't track people posting to HN.


Good read till the "Enter Monero" line :)

I'd also mention that bitcoin had a BIP at some point to add stealth address support to the core (BIP63) with a couple of wallets providing support for those.


I typically start talking about the CryptoNote protocol as a solution and then mention Monero as the primary implementation.

Monero has existed for the entire two years that Zerocash has been whitepaper vaporware, and it works really well.


Stealth addresses aren't nearly enough. It needs to be mandatory stealth addresses + some sort of mandatory passive mixing that can't be Sybil attacked + Confidential Transactions. At a minimum.


Yup, Stealth Addresses are just a small fix to one use case, not a general solution. And I say this as the guy who came up with the name and played a part in developing the exact protocol Dark Wallet implemented (many others deserve credit, including for the underlying math).


Just mentioned those since the OP's article is talking about monero using stealth addresses but doesn't mention these when talking about bitcoin.

SX and DarkWallet were what kind of pulled me personally into the bitcoin "ecosystem", very entertaining read trying to understand all of that :)


Sounds like a Monero pump to me


This is an utterly stupid comment. If you read an article that slammed MongoDB's eventual consistency and encouraged people to use mysql instead would you call it a "mysql pump"?

This is also not the first time someone has smacked down ZCash for being ill-conceived and dangerous: https://blog.okturtles.com/2016/03/the-zcash-catch/


Your comments in this thread are unfortunately breaking the HN guidelines, by calling names and generally being uncivil. Please don't present your argument that way. It poisons the atmosphere and makes your argument less credible. Instead, please refresh your memory about what HN is looking for by reading the following, and then post civilly and substantively (or not at all) in the future.

https://news.ycombinator.com/newsguidelines.html

https://news.ycombinator.com/newswelcome.html


That's fair enough, but consider that SakiWatanabe's comment is equally uncivil and insulting to an open-source project and the contributors that have built it. Why is that allowed, but when I call that person out I get SJW safe-space thrown at me? Don't you think that is hypocritical as a moderation strategy?


I didn't notice that comment. It's bad because it's a shallow dismissal, but yours were worse because you called names and conducted yourself flamewar-style, and you did it repeatedly in the thread.

I don't think it's hypocritical, for a couple reasons: (1) it's impossible for us to read all the comments, and (2) one bad comment doesn't justify another.

HN is not a good place to "call that person out"—that just causes threads to degenerate nastily. On HN, an appropriate way to respond to such a comment might be to remind the commenter that unsubstantive dismissals aren't helpful, and then point out some relevant good things about the article.


Fair enough, I retract my name-calling.


> Another problem with ZCash is the fact that it’s brand new cryptography.

It's using libsodium. This is an alarmist and false statement.

> Nobody can really guarantee that there aren’t some bugs in the system that will make it possible to deanonymize transactions or create coins out of thin air.

Sure, that's technically true of all crypto-currencies.


You can't be serious. It's using libsodium in one part of the code, so therefore ALL cryptography uses libsodium? You do know that Bitcoin has already switched most of the secp256k1 stuff away from OpenSSL and to libsecp256k1, and ZCash will follow suit?

But more importantly than that it uses libsnark for the actual clever bits, which has already been critically broken[1] precisely because it is so new and poorly tested.

Even the cryptography in ZeroCash/ZeroCoin is too new to be trusted with a financial system. That is not alarmist, that is practical. Relying on old, established cryptography is precisely why Bitcoin hasn't been trivially broken, and the zk-snarks cryptography will need to go through the same peer-review and refinement process over the next decade or two.

[1] https://leastauthority.com/blog/a_bug_in_libsnark.html


> It's using libsodium. This is an alarmist and false statement.

Really? Does libsodium support pairing-based cryptography?

https://github.com/zcash/zcash/issues/714#issuecomment-21691...


Not to pile on (the other response is dead on), but you also seem to be assuming that libsodium is magic crypto dust, offering strong security anywhere you sprinkle it. It isn't.

To be sure, libsodium is shiny and nifty and wonderful, but the root cause of a large number of crypto insecurities is in key management. A bunch of others can be regarded as subtle mistakes in using an otherwise solid algorithm.

Assuming that using a trusted implementation of a trusted algorithm means your crypto is solid is roughly like saying, "my car has airbags, so it is safe."


The navigation header effect is infuriating.



