Topic: delete - page 14. (Read 165538 times)

At least you now have an appropriate sn

This is a very important point, that apparently only I can respond to adequately. So therefor I am forced to return momentarily.

True that everything sent to the internet might be recorded.

Even I can not accuse smooth of committing a category error when he equated the statistical probability of an anonymity set (mix) with encryption. Encryption is what can be cracked over time.

Anonymity set risk (i.e. the probability that you can be identified) is constant over time, or even if it declines due to non-encryption related circumstances identifying others in your anonymity set (e.g. people confess their identities), it doesn't decline due to cracking the encryption. However every known method of creating an anonymity set requires some encryption, e.g. onion routing encrypts onion layers. Thus if you crack the encryption used to create the off chain anonymity set, and you have saved all the traffic, you have cracked the anonymity.

Nevertheless the salient rebuttal to smooth's astute point is:

1. Cryptonote's (and Zerocash's) encryption is not based on known quantum proof algorithms. Moreover, if we consider the 2013 math breakthrough I quoted which cracked the discrete logarithm for small characteristics, we see that math direction has no applicability to McEliece quantum computing proof encryption. It is not an unreasonable assumption that the entropy of McEliece is exponentially higher, because the public keys are on the order of 65,535 bytes and the modeled security level (e.g. 128-bit) scales to key size much more exponentially than for discrete logarithm or elliptic curve based public key cryptography. Thus I am positing to you that in addition to the quantum proof attribute, the time horizon for cracking McEliece with math could reasonably be argued to likely be exponentially longer than for the encryption used in Cryptonote and all other feasible on chain anonymity.

Currently I know of no research for quantum proof one-time ring signatures (only regular ring signatures and nothing like the Zero Knowledge proof needed for making them one-time) and even if it is invented, the key sizes are apparently going to be 10 - 100X larger than the already bloated Cryptonote ring signatures. So even if we find clever ways to prune or compress the hypothetical quantum proof Cryptonote block chain, the insurmountable problem remains that the bandwidth requirements on the network will explode and you can just forget any hope of micro payments, i.e. social networking widescale adoption. That hope is already dubious with the existing bloat of non-quantum proof Cryptonote, and not just because of the bloated rings sent over the network, but also because lite clients break the unlinkability.

So whereas McEliece encryption can not be feasible with on chain anonymity, it is feasible for off chain because the large public keys don't need to be transmitted with every transaction (and mining share!) nor stored with the block chain. Thus an off chain anonymity system could use multiple types of encryption layered, so if all but one is broken the anonymity is not.


2. Whereas with Cryptonote (and Zerocash) what needs to be unencrypted is neatly compressed with complete organization on the block chain, off chain routing can create mazes of extreme complexity. In the asymptotic case, the authorities would need to cross correlate every encrypted packet ever sent on the internet. In other words, the computational requirements can be beyond any feasible computer projected many decades into the future, even if they crack the encryption. I am not saying all off chain systems mix this widely, but it is a conceptually valid distinction.


3. Cryptonote has no IP obfuscation built in (yet), thus unless you are using Tor with it, the on chain anonymity is already cracked. Which means even if you use Tor, if the others in your anonymity set ring didn't use Tor, then you are de-anonymized. And even when Cryptonote adds I2P or Tor support by default, it isn't planned to be supported for mining, and those low-latency mixnets are shown in research to be vulnerable to timing analysis. There are mathematically characterized better designs for IP obfuscation for crypto-currency than I2P and Tor.


4. Smooth will know what I am talking about when I say there is a tension in Cryptonote between the anonymity set group size and the efficiency of any future pruning feature. Off chain anonymity doesn't have this dilemma (inefficiency) which again is another contributing factor of probably restricting on chain anonymity to low adoption as a currency (no way you will do micro payments for social media). And as NewLiberty borrowed from my past points, if you don't have a widely adopted currency, then you don't have a large anonymity set. Also without a widely adopted anonymous currency, then you have to convert to a non-anonymous currency to pay for things (which blows up Smoothie's nonsense about all users must jump through hoops).


5. You won't get decentralized mining without off chain anonymity.


So again I reiterate, why risk it with on chain anonymity when there can be designs that are exponentially more secure with your anonymity into the future?


P.S. I agree with smooth and others that the anonymity model of DRK (and Neo and Cloak, etc) is not well defined. There is no scholarly whitepaper characterizing the math of their system. Thus in the current predicament, I can understand why scholarly people trust Cryptonote more. I certainly do too.


Edit:

6. The claim that Cryptonote has a larger anonymity set because it can mix from the entire history of the block chain, whereas CoinJoin has a simultaneity constraint, is not true because to be prunable the rings must be restricted to small groups, and as I showed in my bounty algorithm upthread, if you allow widely overlapping mixing then the rings can in theory be de-anonymized.

Sorry man, trolling at this level gets old so fast it's not even funny by the time I start.

My pathos is unbounded, weep for me.

shutup n00b i lavitate like chriss angle

stop n00bings its patethic

You're catching on.  Soon you may see the levity...

AM/TFM hates centralized everything. He'd rather if everything came from the bottom up. His bottom, supposedly.


lol lberty if u thnk u cn jst CLONE prefection leik dat u must b rly butthurt yo rofl if ure so smarrt how cum u cant fgure it out that

ZERO GRAVITAS MEANS ZERO "WEIGTH"

That's part of it too.  Also he reads judgmentally.  Its because he knows he is right, so until you can demonstrate that you understand that he is right, he doesn't listen to the part where you can show him that there is more to the picture.

There is an old saying.  "Those who know everything, can learn nothing."
Still, some of my favorite people are like this.

Two great posts from NewLiberty

Perfection needs competition.
So I'm forking this, changing all the buzzwords to be future-proof with our interplanetary character set  ISO/IEC 10646XXX, and basing launch on a d16 perpetual spin event in zero gravitas.

He appears to like to tell others what to do. As if we really need to listen to him. lol 

There is a corollary to this.  Adoption and usage is important for privacy.  What good are ring signatures if there are too few folks in the rings.  Tor had this issue, and it was one of the reasons cited for making it public rather than keeping it only US Navy.
...and so I would suggest that the fewer hoops the better.
Also each hoop is a potential tripping point where privacy can be lost.

TFM often expresses (expressed?) important points poorly.  I get the impression that he thinks much faster than he types and being frustrated by that, takes it out on us, lol.

In reply to a concerned citizen gentleman,

UBERcoin ANNouncement
Launching the latest and last cryptomoney

Total emission: 1337 coins.

Emmision schedule: 72 hours of UBERPoW special hashing function (using special FDIV instruction that makes it 100MHz proof). After that, switch to DERPoS, or Distributed Entropic Regenerative Proof of Stake, the final generation in PoS staking technology. Staking interest is pegged to a basket of ECB and BoJ refi rates, adjusting programmatically as a linear combination of the two.

Launch: to be decided by an hourly D20 roll, with LAUNCH if the dice never stops spinning on a corner.

Moar tech: state of the art ANONOSITY, ultrafast synking, fast blocks, BCI capable wallet "spend with the power of your mind", Web 9000.1 ready, smart contracts, smarter DAC management, super-Turing complete block chain.

JOIN THE REVOLUCION NAO!!

Yes really. For the reason I stated.

That many Bitcoin clones all do things more or less the same way is not an argument. They pretty much have because they never get into the underlying implementation and the developers have no real knowledge of cryptography, so they all have to attach various forms of mixing on top of blockchain. How you expect that to be more secure than building the anonymity into the actual cryptography is a mystery to me.

It's an interesting version of FUD you guys have come up with to attack Monero. I commend you for your creativity. "It's all public so it can't be anonymous!" "Someone will crack it!"

BTW, most or all internet traffic is probably being logged right now by the NSA and probably others. Almost certainly anything encrypted is. It is not a sound assumption to think that ANYTHING you send out to the internet won't exist forever and can't eventually be cracked. At least with a public ledger, many more people will be trying to crack it and one of them might tell you if he succeeds, at which point you can take remedial action. All that TLA stuff happens in secret -- it might be cracked and you continue to use for 30 years, although honestly I strongly believe that most of the amateur-hour efforts that pass for "anonymous coins" are likely cracked from the start by the NSA and others. There is at least SOME chance that some real crypto is not fully cracked.

I am asking the same thing? Why would you risk it. Cryptonote is a ticking timebomb.

"One of the advantages of a distributed ledger is that it is broadcast. Thus it is impossible to tell who is reading it. That adds a lot of anonymity right there"

Really smooth? No that is NOT adding anonymity to transactions.

Look how Jl777 approached it with BTCD, not on the chain.
Neos not on the chain. ETC ssd, ETC

It isn't a pathetic argument. One of the advantages of a distributed ledger is that it is broadcast. Thus it is impossible to tell who is reading it. That adds a lot of anonymity right there, compared to solutions that involve some sort of routing. Because any sort of routing is a big red arrow pointing right at you. A lot of the snake oil coins rely on randomizing a bunch of stuff ("pick random nodes!") and claim that works because it sounds secure to non-experts, but without carefully thinking about the range of possible attacks such as sybil attacks or economic attacks on the nodes.

A distributed ledger system by its effectively broadcast nature removes even the possibility of any or all of these "nodes" being compromised.

Why would you risk it?

You are saying that cryptonote technology is no different than using cypto in the first place, and that is absolutely ridiculous. What kind of an argument is that?

It's pretty easy to see the difference, as I am sure you do. So why the lame association?

I was not talking about cryptonote in particular, so it doesn't matter if you or I, we like it or not. There isn't anything cryptonote specific in my post.

You're saying offchain solutions fulfill our needs for anonymity, so we shouldn't seek for onchain ones. I call it absurd because onchain is the fundamental of crypto (that is why I say you can use fiat to avoid it), and offchain solutions are circumvoluted ways that assume some server, nodes, whatever, are honest or not compromised. It is fundamentally different from assuming math and crypto are not compromised.

That is a pathetic argument.

"If you don't like cryptonote coins then you should stick to credit cards", maybe Im going to scramble my password too

Im ready to blow my head off just thinking how to respond to such nonsense lol

Let me reformulate:

With your level of grasping things, you should stick to credit cards and fiat.

Having stuff on a public ledger is obviously a requirement for anything that is based on a decentralized consensus. Then the fact that those pieces of information publicly available on the public legder provide as little information as possible about you (what you do with your money) is an interesting challenge. Bitcoin has its own answer, cryptonote has its own answer. But saying "let's not put anything on the public ledger" is nonsense and is not an answer. Stick to your credit card or send cash by snailmail, it's offchain.