
Topic: delete - page 43. (Read 165521 times)

legendary
Activity: 996
Merit: 1013
October 04, 2014, 03:28:53 AM
For those of you who would like to go to outer space, where do you think you are?  You will find neither a more hospitable place nor one with more wonder.

Save perhaps for inner space  Wink
legendary
Activity: 1624
Merit: 1008
October 04, 2014, 03:22:04 AM
The universe has no edge
Yes, it is a very dull place, mostly.

I understand the way you meant it yet I would like to make the following comment based/inspired in part on/by its literal meaning.

For those of you who would like to go to outer space, where do you think you are?  You will find neither a more hospitable place nor one with more wonder.
legendary
Activity: 2968
Merit: 1198
October 04, 2014, 03:15:23 AM
Mixing whether it be done by centralized exchanges or by large anonymity sets increases the threat of domino cascade

Exchanges are just an example of a commerce transaction. You buy alpaca socks. The alpaca socks guy uses your coins and some coins from other socks buyers to buy wool, and then maybe the wool seller buys socks too. Lots of mixing going on there. If they are in-person transactions (or an online service instead of a delivered good) there is likely no trail of identity, or at best an incomplete one. Humpty Dumpty is not getting put back together, transparent or non-transparent chain.

EDIT: Also, there is still no credible basis for a private key attack due to either de-anonymizing (traceability) or double spending. It hasn't been disproven (indeed most of practical crypto is strictly speaking unproven), but continuing to repeat it as pure "there might be a flaw" is just uncertainty and doubt with no analysis backing it up and is not credible.

Why are you bringing that up? I hadn't mentioned that in our recent exchange and when I did mention it, I said the same as what you just wrote above.

You did mention it.

Quote
because with a crack on private keys only the attacker can double-spend his coins

Or did you mean "without?"

That being the case, what you said is untrue. Anyone can double spend, simply by spending on whatever fork does not survive. You buy alpaca socks on the doomed fork, the socks are sent to you, and then the fork is abandoned. You have the socks and the coins. If you are honest you can certainly send the coins to the alpaca sock seller, but nothing forces that. But who knows, if you are on the fork long enough, maybe the coins you sent were also double spent to you and disappear as well. There is no solution to this that makes everyone whole. Transaction finality is a judgement call.


newbie
Activity: 42
Merit: 0
October 04, 2014, 02:54:54 AM
The universe has no edge
Yes, it is a very dull place, mostly.

You don't mean of course unexciting.
newbie
Activity: 42
Merit: 0
October 04, 2014, 02:48:28 AM

I see no new ground here except "decentralized exchanges are good" (and "forks are bad").

And checkpoints can't substitute for being resistant to forks in every case.

And the increased use of on-chain mixing with large anonymity sets increases the risk of not being able to abandon a sustained bad fork, thus making the threat of forks that much more serious.

And centralized mining is very bad.

I agree except that doesn't really solve the problem, not even in the future, since exchanges are just one example of a good being delivered rapidly (other coins in this case). With any other commerce transaction where the goods or services have been delivered double spending leaves someone holding the bag with no recourse. It doesn't really matter if the blockchain is traceable or not.

Mixing whether it be done by centralized exchanges or by large anonymity sets increases the threat of domino cascade.

Also, the blacklist issue is greatly reduced because a blacklist as you propose would only be effective if put into place before mixing occurs. Once the mixing occurs, you can't undo it, and you can't effectively blacklist the root coins because far enough back you are essentially blacklisting all coins. Not that far even, given the exponential spread of mixing.

Disagree. Blacklisting entire anonymity sets is legally and politically plausible (but I don't know how realistic any delisting is, certainly if mining is centralized it is much more realistic), and the anonymity set can't increase once blacklisted without culpability on the part of the users. Well at least for ring signatures. Thanks for helping me (re-)discover a key qualitative distinction which is very negative on ring signatures.

EDIT: Also, there is still no credible basis for a private key attack due to either de-anonymizing (traceability) or double spending. It hasn't been disproven (indeed most of practical crypto is strictly speaking unproven), but continuing to repeat it as pure "there might be a flaw" is just uncertainty and doubt with no analysis backing it up and is not credible.

Why are you bringing that up? I hadn't mentioned that in our recent exchange and when I did mention it, I said the same as what you just wrote above.

Edit: I guess you are responding to my list of concerns about ring signatures. Btw, I am contemplating that certain hash functions (e.g. SHA256) are much more vetted with cryptanalysis than the simultaneous equations in different number fields that I showed.
hero member
Activity: 910
Merit: 1003
October 04, 2014, 02:35:35 AM
The universe has no edge
Yes, it is a very dull place, mostly.
newbie
Activity: 42
Merit: 0
October 04, 2014, 02:32:31 AM
A minor price drop is nothing more than the weak hands pissing themselves and they will regret it soon enough and buy back in at a loss.

This thread has become a joke.

Unless ring signatures are qualitatively the wrong solution for anonymity. The jury is still out on this one. Needs more analysis....

Do you mean "quantifying"? And there has been no proof of that being the case in any shape or form. Please if you have something other than postulations please enlighten us.

I mean qualitatively. To which of my concerns do you claim there is no proof in any form?

P.S. I defer to the head of quantum computing research at IBM on the veracity of the 10-15 years prediction. He explained his reasons. Google is your friend.

I have bolded the "concern" which there is no proof of. You may study something forever but at some point it is assumed true until you can prove it false. And I would say the vetting has been more than adequate.

I've enumerated my concerns. You'd have to try to specifically show me convincingly that each of those concerns has been vetted. Your claim without specifics is not convincing to me.

I hadn't seen the IBM announcement yet.

Quote
However, it is unclear when such a computer would be commercially available. Chuang said it is expected that between seven and 10 atoms will be used in tandem in more advanced quantum computers within the next two years.

Even if this is true, it's a far cry from a system capable of changing the world. I think Chuang is trying to justify his 3 billion budget. And the hard part about this system when it is a reality is in fact going to be qualitatively deciphering the resulting data. So much for boolean.

Since you are claiming authority and not sufficient explanation of the science to convince me you actually know what you are talking about, what are your credentials relative to the head of research at IBM?
legendary
Activity: 2968
Merit: 1198
October 04, 2014, 02:30:59 AM

I see no new ground here except "decentralized exchanges are good" (and "forks are bad").

I agree except that doesn't really solve the problem, not even in the future, since exchanges are just one example of a good being delivered rapidly (other coins in this case). With any other commerce transaction where the goods or services have been delivered double spending leaves someone holding the bag with no recourse. It doesn't really matter if the blockchain is traceable or not.

Also, the blacklist issue is greatly reduced because a blacklist as you propose would only be effective if put into place before mixing occurs. Once the mixing occurs, you can't undo it, and you can't effectively blacklist the root coins because far enough back you are essentially blacklisting all coins. Not that far even, given the exponential spread of mixing.

EDIT: Also, there is still no credible basis for a private key attack due to either de-anonymizing (traceability) or double spending. It hasn't been disproven (indeed most of practical crypto is strictly speaking unproven), but continuing to repeat it as pure "there might be a flaw" is just uncertainty and doubt with no analysis backing it up and is not credible.
newbie
Activity: 42
Merit: 0
October 04, 2014, 02:27:17 AM
You are correct that if our best known algorithms are impractical to implement with current resources, it doesn't mean there isn't any possible algorithm that will. But here I want to take you back to my discovery about the edge of the universe. I was toying around with the duality of the Bottom and Top type in the two different classes of programming languages and it made me realize that time and the universe is co-inductive and thus the finality or edge is indeterminate, which is analogous to undecidable in the Halting problem.

I totally remember reading about that discovery in Nature or Science...oh wait, it was published on Google Groups. Such legit Tongue

The universe has no edge

That is what I wrote too. And thus we can't be a non-relative observer, nothing is absolute, and the fundamental matter of the universe is cycles.
newbie
Activity: 42
Merit: 0
October 04, 2014, 02:20:54 AM
Debates with smooth sometimes really help me clarify my own designs.  Smiley

Some transactions are unwound. Unwinding fewer transactions by being able to segregate transactions in the attacked fork and add to the non-attacked fork those which are not downstream from a double-spend or stolen coinbase afaics doesn't decrease fungibility? Rather it aids a potential political consensus to choose the non-attacked fork.

It does because you are imposing traceability, and with traceability comes the threat of blacklists or whitelists.

That is a risk but doesn't necessarily follow because afaics to absolutely enforce it you must be able to regulate or control the miners.

Also lack of traceability doesn't mean there can't be blacklists or whitelists. The crackdown could even cause people not to mix their coins since mixing with a delisted coin could delist the entire anonymity set.

Also perhaps you can imagine a coin design that was unlinkable because every transaction only had one input and one output. But it would have very high overhead. It would remain traceable.

The point I am making here is that anonymous coins need to be very resistant to fork attacks, because long duration forks are more intractable to recover from.

And my other salient point was that checkpoints can be an illusion.

Also with the resolution of any double spend comes the judgement of which is the "correct" spend.

Not at least for the coinbase double-spends.

For the other double-spends, I had proposed they both get trashed, because with a crack on private keys only the attacker can double-spend his coins. Of course everyone downstream is penalized, but stolen money is stolen money (the alternative might be to split the value between all recipients).

Monero coinbases can't be spent or used as mixes until they are unlocked (rather short now IMO, but will probably change that) so unless the fork is prolonged, and you are on it for a prolonged period of time, none of your spends will be mixed with coinbases nor with anything downstream of coinbases.

Analogously to tx fees, I don't think penalizing users is beneficial if it can be designed another way.

You also can't mix with an output you can't see, so the threat of chain replacement doesn't affect you as an innocent third party.

I don't understand. I am super hungry.

Once the chain replacement is noticed, most likely exchanges (at least the well-run ones) go frozen rather quickly, and again few if any transactions will be affected.

I believe only in decentralized exchanges for the future.

Again penalizing many users is not a design option I prefer.

With any coin you can certainly be downstream of a double spend with no real recourse. Let's say someone double spends to an exchange, and then you withdraw.

Again I see a future only with decentralized exchanges and thus not mixed risk, except for on chain anonymity mixes.

But moreover, I think it is much more important for anonymous coins to be very sure they can't be fork attacked with much less than 50% of the hashrate.

What happens with a transparent or non-transparent blockchain is that your withdraw from the exchange is unwound (when the other fork prevails) and the exchange is likely out a lot of coins and could go bankrupt. If not then they just reissue the withdraw transaction to you with some other coins.

A distinction is that with on chain transparency (i.e. decentralized exchanges) then there is no collectivized bankruptcy (other than cascade into anonymity set mixes).
legendary
Activity: 1624
Merit: 1008
October 04, 2014, 01:56:40 AM
Summary ?

Scam coin.

move along.. nothing to see here.

- so there you have it.. my opinion (the correct one)

Jackpotcoin!!!!!!!!!!
legendary
Activity: 3836
Merit: 4969
Doomed to see the future and unable to prevent it
October 04, 2014, 01:53:40 AM
A minor price drop is nothing more than the weak hands pissing themselves and they will regret it soon enough and buy back in at a loss.

This thread has become a joke.

Unless ring signatures are qualitatively the wrong solution for anonymity. The jury is still out on this one. Needs more analysis....

Do you mean "quantifying"? And there has been no proof of that being the case in any shape or form. Please if you have something other than postulations please enlighten us.

I mean qualitatively. To which of my concerns do you claim there is no proof in any form?

P.S. I defer to the head of quantum computing research at IBM on the veracity of the 10-15 years prediction. He explained his reasons. Google is your friend.

I have bolded the "concern" which there is no proof of. You may study something forever but at some point it is assumed true until you can prove it false. And I would say the vetting has been more than adequate.

I hadn't seen the IBM announcement yet.

Quote
However, it is unclear when such a computer would be commercially available. Chuang said it is expected that between seven and 10 atoms will be used in tandem in more advanced quantum computers within the next two years.

Even if this is true, it's a far cry from a system capable of changing the world. I think Chuang is trying to justify his 3 billion budget. And the hard part about this system when it is a reality is in fact going to be qualitatively deciphering the resulting data. So much for boolean.
legendary
Activity: 1624
Merit: 1008
October 04, 2014, 01:53:27 AM
You are correct that if our best known algorithms are impractical to implement with current resources, it doesn't mean there isn't any possible algorithm that will. But here I want to take you back to my discovery about the edge of the universe. I was toying around with the duality of the Bottom and Top type in the two different classes of programming languages and it made me realize that time and the universe is co-inductive and thus the finality or edge is indeterminate, which is analogous to undecidable in the Halting problem.

I totally remember reading about that discovery in Nature or Science...oh wait, it was published on Google Groups. Such legit Tongue

The universe has no edge
hero member
Activity: 910
Merit: 1003
October 04, 2014, 01:48:53 AM
Did you miss the entire discussion about permutations of consecutive independent trials (i.e. not separated by 65 minutes each)?

If someone is causing the block rate to be higher than one per minute, that should be detected by counting blocks in some long interval (say, 10 hours).

Afaics, that won't help you identify an intentional segregation of fast and slow blocks to manipulate the 80/20 discard window of the CN difficulty adjustment algorithm.

If the block rate is OK but the suspicion is that the timing of blocks is being manipulated, that should be detected by plotting a histogram of block-to-block gaps, or of number of blocks in successive 2 minute intervals, again over a long enough period.

I don't see how that will identify an intentional segregation since the 80/20 discard is relative to its own statistics? Do you mean comparing histogram histories?

Computing the probability of a certain complicated pattern occurring, after seeing it occur, is a tricky business.  The chance of my mother marrying my father was one in two billion or so; that does not mean that my mere existence is a sign that something fishy is going on with the universe...

You said you read the upthread discussion, yet you continue the strawman. My point was to refute the anti-FUD-campaign which was turning into a Monica Lewinsky or Steve Jobs denial, "no malfunction in our devices"[1].

[1] "don't touch it that way"

Sorry, I know practically nothing about the Monero protocol, so I cannot say anything useful about the "attack" specifically.  (The continuous difficulty adjustment and the 20% outlier rejection filter seem to make it hard to model statistically.  If the difficulty gets adjusted during the data collection interval, one cannot assume that block finding is a Poisson process; unless the event times are remapped to a suitable variable-rate clock.)

I was only commenting on the suggestion (perhaps not even by you, it is hard to keep track of the debate) that the occurrence of a pattern that has very low probability of occurring is evidence of manipulation.  It may be evidence, if the probability analysis is properly done, but it is very easy to slip and see manipulation where there isn't.

The mistake is easy to make if one takes a complicated pattern that has occurred.  Others have pointed out that fallacy.  If the pattern covers a dozen consecutive events, its probability will be very low -- but some pattern must occur at every point, so nothing strange there.
legendary
Activity: 2968
Merit: 1198
October 04, 2014, 01:33:03 AM
Some transactions are unwound. Unwinding fewer transactions by being able to segregate transactions in the attacked fork and add to the non-attacked fork those which are not downstream from a double-spend or stolen coinbase afaics doesn't decrease fungibility? Rather it aids a potential political consensus to choose the non-attacked fork.

It does because you are imposing traceability, and with traceability comes the threat of blacklists or whitelists.

Also with the resolution of any double spend comes the judgement of which is the "correct" spend.

Monero coinbases can't be spent or used as mixes until they are unlocked (rather short now IMO, but will probably change that) so unless the fork is prolonged, and you are on it for a prolonged period of time, none of your spends will be mixed with coinbases nor with anything downstream of coinbases. You also can't mix with an output you can't see, so the threat of chain replacement doesn't affect you as an innocent third party. Once the chain replacement is noticed, most likely exchanges (at least the well-run ones) go frozen rather quickly, and again few if any transactions will be affected.

With any coin you can certainly be downstream of a double spend with no real recourse. Let's say someone double spends to an exchange, and then you withdraw. You may very well get the double spent coins. What happens with a transparent or non-transparent blockchain is that your withdraw from the exchange is unwound (when the other fork prevails) and the exchange is likely out a lot of coins and could go bankrupt. If not then they just reissue the withdraw transaction to you with some other coins.



newbie
Activity: 42
Merit: 0
October 04, 2014, 01:31:58 AM
A minor price drop is nothing more than the weak hands pissing themselves and they will regret it soon enough and buy back in at a loss.

This thread has become a joke.

Unless ring signatures are qualitatively the wrong solution for anonymity. The jury is still out on this one. Needs more analysis....

Do you mean "quantifying"? And there has been no proof of that being the case in any shape or form. Please if you have something other than postulations please enlighten us.

I mean qualitatively. To which of my concerns do you claim there is no proof in any form?

P.S. I defer to the head of quantum computing research at IBM on the veracity of the 10-15 years prediction. He explained his reasons. Google is your friend.
newbie
Activity: 42
Merit: 0
October 04, 2014, 01:20:44 AM
As I said, one way or another, one chain (fork) will survive. Users on the other chain may scream bloody murder, but arguing with math will get you nowhere.

Yes and if sufficiently mixed, you can't try to appease those who want the bad fork, because you can't extract their transactions from the bad fork and put into the good fork.

And this is the qualitative threat difference from block chains that don't mix transactions.

Except that all chains have mechanisms of mixes, maybe not on chain, but good luck untangling any block chain after any significant period of time, once people have traded through exchanges (many that are effectively totally anonymous), used coin mixers, used coins to rent rigs and mine new coins, etc. You can probably do it for a small number of blocks, just as a fork of around 40 blocks caused no lasting trouble for Monero last month. But after hours or days, any chain is equally intractable to undo.

Furthermore I'm not convinced even if it could be done, that it would be helpful to users. Fungibility might very well be more valuable than the ability to pick winners and losers after an incident.

True that any coin mixing (i.e. not IP obfuscation mixing) is qualitatively equivalent, but coin mixing on chain could be explicitly denied by only allowing one input to a transaction (and dedicated means to merge balances would be needed) or the user could selectively agree not to use on chain mixing.

Non-decentralized mixers can mix coins without multiple inputs per transaction, but these can't be trusted thus in my mind they are not anonymity any way.

Some transactions are unwound. Unwinding fewer transactions by being able to segregate transactions in the attacked fork and add to the non-attacked fork those which are not downstream from a double-spend or stolen coinbase afaics doesn't decrease fungibility? Rather it aids a potential political consensus to choose the non-attacked fork, i.e. afaics it adds fungibility.
legendary
Activity: 3836
Merit: 4969
Doomed to see the future and unable to prevent it
October 04, 2014, 01:18:45 AM
A minor price drop is nothing more than the weak hands pissing themselves and they will regret it soon enough and buy back in at a loss.

This thread has become a joke.

Unless ring signatures are qualitatively the wrong solution for anonymity. The jury is still out on this one. Needs more analysis.

One thing I don't like personally is IBM says we are 10-15 years from a quantum computer and all that anonymity history goes poof and then the government backtracks and goes after all those assets that were hidden from the coming global implosion 2016 - 2032....

Do you mean "quantifying"? And there has been no proof of that being the case in any shape or form. Please if you have something other than postulations please enlighten us.

Quantum computing is in fact on the horizon. The measurement of states is now possible, i.e. viewable (and patented). Yet when that system can be correlated into a viable catalyst of programmable hardware is anybody's guess. I believe D-state holds the current patent (on one verifiable form) and I don't know of any relation to IBM in that realm. Now don't forget that this is just being able to actually view the state (no mean feat in itself). Considering a Qbit is in both states at the same time (at least as far as we can measure) is a serious roadblock that is by no means written in stone.
legendary
Activity: 2968
Merit: 1198
October 04, 2014, 12:58:33 AM
As I said, one way or another, one chain (fork) will survive. Users on the other chain may scream bloody murder, but arguing with math will get you nowhere.

Yes and if sufficiently mixed, you can't try to appease those who want the bad fork, because you can't extract their transactions from the bad fork and put into the good fork.

And this is the qualitative threat difference from block chains that don't mix transactions.

Except that all chains have mechanisms of mixes, maybe not on chain, but good luck untangling any block chain after any significant period of time, once people have traded through exchanges (many that are effectively totally anonymous), used coin mixers, used coins to rent rigs and mine new coins, etc. You can probably do it for a small number of blocks, just as a fork of around 40 blocks caused no lasting trouble for Monero last month. But after hours or days, any chain is equally intractable to undo.

Furthermore I'm not convinced even if it could be done, that it would be helpful to users. Fungibility might very well be more valuable than the ability to pick winners and losers after an incident.
newbie
Activity: 42
Merit: 0
October 04, 2014, 12:56:14 AM
As I said, one way or another, one chain (fork) will survive. Users on the other chain may scream bloody murder, but arguing with math will get you nowhere.

Yes and if sufficiently mixed, you can't try to appease those who want the bad fork, because you can't extract their transactions from the bad fork and put into the good fork.

And this is the qualitative threat difference from block chains that don't mix transactions.