Topic: I have come to the conclusion that "on chain anon" defeats the purpose. (Read 2772 times)
sr. member
Activity: 448
Merit: 250
electroneum.com
By your logic "it's not secure, it will eventually be cracked" then private/public keys are in the same boat, no?  

Yes but not the same threat. Cracking ancient spent private keys harms no one, thus no problem with keeping transactions on the block chain. Cracking ancient anonymity potentially harms up to and including everyone, thus IMO an unacceptable risk of keeping the correlation of the outputs and inputs (the anonymity mix) of a mixing transaction on the block chain.

With enough time and resources anything can be cracked, including Bitcoin lol

Irrelevant, Bitcoin doesn't put anonymity on the block chain. Please re-read my quoted point above more carefully.

THIS^^^

AND THIS    V V V

sr. member
Activity: 448
Merit: 250
electroneum.com
Don't tell me that some of you cryptonote guys have pushed your argument to the point that barring quantum computers you are in the clear.

This is why I support Neos. I am really big on it. I have been trying to yell it from the damn rooftops if you haven't noticed me around.  Smiley

I have respect for what you are trying to do and all of your hard work. It is just dangerous. 
sr. member
Activity: 263
Merit: 250
I'm gonna go out on a limb and put practical quantum computers in the same box with practical cold fusion and room temperature superconductors. It's happening in the next 10-20 years for the last 50 years or so.
member
Activity: 112
Merit: 10
Quote
2. Next we have IBM's head of research for quantum computing (with a $3 billion budget) expecting that quantum computing will arrive in 10 - 15 years. All the crypto-currencies to date use crypto that can be cracked with a sufficiently powerful quantum computer. May not happen in 10 years, but eventually it will.

I do have a question about this (for some fun reason I was reading a drug-dealer black-market subreddit the other day about bitcoin being "anonymous enough"). Is it the kind of deal where one quantum computer spends one year and breaks 3 addresses' anonymity? Or one computer spends a year and breaks the entire chain's anonymity?

newbie
Activity: 42
Merit: 0
Cross-posting...

1. You can't increase the key size of the historic chain.
2. Cracking historically spent coins is not a threat. The threat is cracking anonymity history at any time in the future.
3. The crack threats are not just due to key length. Key length won't help you in some cases against math discoveries, and certainly won't help against quantum computers.
4. Your heirs won't be dead in 10 - 15 years (or less or slightly more).
5. Why risk it when there are possible designs where you don't have to.

And those aren't the only inefficiencies in Cryptonote that can be eliminated with other possible designs.

As I wrote upthread, I never understood why people were so quick to jump on Cryptonote as the Holy Grail of anonymity.

Math discoveries in SOME cases lol okay like?

Just because there is a way to somewhat shorten the amount of time it may take to crack a key or anonymity doesn't mean that it can't be mitigated in a simple way such as using a longer key length.

Perhaps you forgot about the discovery of differential cryptanalysis that rendered all 1970s and 1980s crypto cracked (and no one knew it!).

Can't you read?

http://cacm.acm.org/news/170850-french-team-invents-faster-code-breaking-algorithm/fulltext#body-3

Quote
The Future

Barbulescu says the research group has considered trying to push its ideas to medium- and large-characteristic systems, "but there is a huge difficulty porting this algorithm to these other cases," he says. "But if we were able to extend it to large characteristic, then it would be an earthquake in cryptography because every time there is an improvement in discrete logarithm, there is a corresponding improvement in factorization (RSA), because the problems are similar."

Meanwhile, though, existing RSA-based systems should be considered secure. "There are some buzz articles floating around on the Web saying that this is the endgame for RSA," Thomé says. "It is wrong to say that."

The University of Waterloo's Menezes says he is not aware of any cryptosystems in use today that are suddenly at risk because of the work by the French team. However, he warns, "There will be faster algorithms, better implementations of the existing algorithm perhaps through special-purpose hardware, and better analysis. Maybe the algorithms are faster than we think they are."

Why can't you understand that once it is broken, you can't go back and hide the history on the block chain?

Whatever you've already released to the block chain is never going to get more secure. It WILL BE CRACKED SOMEDAY.

That is why you do not put your anonymity on the block chain. Mix your inputs and outputs off chain, then put that in a transaction on the block chain (i.e. use CoinJoin).

Then the anonymity can never be cracked in the way it can be on chain with Cryptonote's ring signatures and Diffie-Hellman one-time private keys.

I hope I don't have to explain that again and again.

Just because someday it could be cracked doesn't mean it will be cracked. You make it seem as if everyone out there is gunning to destroy anonymity technology.

Sorry but if it takes 10 or 20 or 100 years to be cracked why would I really care? In that time I would likely have moved from one address to another and traded into and out of XMR or another CN coin or I would in the worst case be dead.

Anonymity has 0 value to me once I am dead and gone from this world.

With enough time and resources anything can be cracked.... No surprise there lol

Why risk it when you don't have to? There are designs that don't risk it.

You can't predict when the crack will occur. It could be within a year or 20 years. But 100 years is much less likely. Think about what technology was like 100 years ago.

BCX, he isn't the sharpest tool in the shed.

You underestimate the power of cross chain transactions that aren't linked to any exchange.

Especially if the deal is done while in person where the correspondence of the trade is not recorded anywhere on the internet.

You are only thinking of yourself. Most people don't jump through hoops. They use a product and expect it to deliver what it promised as its main feature.

If you can scare most of the people by attacking the low hanging fruit, society pisses on that coin forever after.

Edit: and as a developer, I don't want to be responsible for millions of people being subjected to State wrath some years from now.

You are asking me to be INTENTIONALLY cavalier, irresponsible and careless as a developer.
newbie
Activity: 42
Merit: 0
By your logic "it's not secure, it will eventually be cracked" then private/public keys are in the same boat, no?  

Yes but not the same threat. Cracking ancient spent private keys harms no one, thus no problem with keeping transactions on the block chain. Cracking ancient anonymity potentially harms up to and including everyone, thus IMO an unacceptable risk of keeping the correlation of the outputs and inputs (the anonymity mix) of a mixing transaction on the block chain.

With enough time and resources anything can be cracked, including Bitcoin lol

Irrelevant, Bitcoin doesn't put anonymity on the block chain. Please re-read my quoted point above more carefully.
legendary
Activity: 2492
Merit: 1491
LEALANA Bitcoin Grim Reaper
Think about it. The fact that we are relying on public information with a twist to be secure is not the answer.

Interesting that I was making the same point today in private communication before I had seen your thread.

1. All crypto will be cracked eventually, it is just a matter of time. First we have key length requirements increase over time:

http://www.keylength.com/en/compare/

2. Next we have IBM's head of research for quantum computing (with a $3 billion budget) expecting that quantum computing will arrive in 10 - 15 years. All the crypto-currencies to date use crypto that can be cracked with a sufficiently powerful quantum computer. May not happen in 10 years, but eventually it will.

3. There was a recent breakthrough in math for factoring which hints at the remote possibility in the future of a potential crack of the basic math used for all existing crypto-currencies (that use elliptic curve or RSA cryptography):

http://cacm.acm.org/news/170850-french-team-invents-faster-code-breaking-algorithm/fulltext#body-3

By your logic "it's not secure, it will eventually be cracked" then private/public keys are in the same boat, no?

Yes but not the same threat. Cracking ancient spent private keys harms no one, thus no problem with keeping transactions on the block chain. Cracking ancient anonymity potentially harms up to and including everyone, thus IMO an unacceptable risk of keeping the correlation of the outputs and inputs (the anonymity mix) of a mixing transaction on the block chain.

I don't see a future in ring signatures

Do investors realize that Cryptonote can't run lite clients without destroying their unlinkability, because you have to publish the "tracking key" to delegate the search for received payments if you did not download the full block chain?

But publishing that "tracking key" breaks the unlinkability:

https://cryptonote.org/whitepaper.pdf#page=8

"If Bob wants to have an audit compatible address where all incoming transaction are linkable, he can either publish his tracking key...In both cases every person is able to “recognize” all of Bob’s incoming transaction"

Edit: the "Trading off anonymity set size for decreased bandwidth/CPU" section in the following paper hints at a solution where only a portion of the block chain needs to be downloaded in exchange for reduced anonymity set size, but afaik this is not in Cryptonote and I did not analyze how or if it can be integrated (and off the top of my head, I think this might further reduce anonymity sets in intersection with a potential block chain pruning design for Cryptonote):

http://sourceforge.net/p/bitcoin/mailman/message/31813471/

With enough time and resources anything can be cracked, including Bitcoin lol
newbie
Activity: 42
Merit: 0

1. All crypto will be cracked eventually, it is just a matter of time. First we have key length requirements increase over time:

http://www.keylength.com/en/compare/

2. Next we have IBM's head of research for quantum computing (with a $3 billion budget) expecting that quantum computing will arrive in 10 - 15 years. All the crypto-currencies to date use crypto that can be cracked with a sufficiently powerful quantum computer. May not happen in 10 years, but eventually it will.


Maybe if there is a way to re-encrypt the whole blockchain with stronger encryption over time, past anonymity is not endangered by computational advances. Just an idea that flew into my mind.

It has already been seen; you can't increase the encryption strength. Somebody stored a copy.
hero member
Activity: 508
Merit: 500
Jahaha

1. All crypto will be cracked eventually, it is just a matter of time. First we have key length requirements increase over time:

http://www.keylength.com/en/compare/

2. Next we have IBM's head of research for quantum computing (with a $3 billion budget) expecting that quantum computing will arrive in 10 - 15 years. All the crypto-currencies to date use crypto that can be cracked with a sufficiently powerful quantum computer. May not happen in 10 years, but eventually it will.


Maybe if there is a way to re-encrypt the whole blockchain with stronger encryption over time, past anonymity is not endangered by computational advances. Just an idea that flew into my mind.
newbie
Activity: 42
Merit: 0
Think about it. The fact that we are relying on public information with a twist to be secure is not the answer.

Interesting that I was making the same point today in private communication before I had seen your thread.

1. All crypto will be cracked eventually, it is just a matter of time. First we have key length requirements increase over time:

http://www.keylength.com/en/compare/

2. Next we have IBM's head of research for quantum computing (with a $3 billion budget) expecting that quantum computing will arrive in 10 - 15 years. All the crypto-currencies to date use crypto that can be cracked with a sufficiently powerful quantum computer. May not happen in 10 years, but eventually it will.

3. There was a recent breakthrough in math for factoring which hints at the remote possibility in the future of a potential crack of the basic math used for all existing crypto-currencies (that use elliptic curve or RSA cryptography):

http://cacm.acm.org/news/170850-french-team-invents-faster-code-breaking-algorithm/fulltext#body-3

By your logic "it's not secure, it will eventually be cracked" then private/public keys are in the same boat, no?

Yes but not the same threat. Cracking ancient spent private keys harms no one, thus no problem with keeping transactions on the block chain. Cracking ancient anonymity potentially harms up to and including everyone, thus IMO an unacceptable risk of keeping the correlation of the outputs and inputs (the anonymity mix) of a mixing transaction on the block chain.

I don't see a future in ring signatures

Do investors realize that Cryptonote can't run lite clients without destroying their unlinkability, because you have to publish the "tracking key" to delegate the search for received payments if you did not download the full block chain?

But publishing that "tracking key" breaks the unlinkability:

https://cryptonote.org/whitepaper.pdf#page=8

"If Bob wants to have an audit compatible address where all incoming transaction are linkable, he can either publish his tracking key...In both cases every person is able to “recognize” all of Bob’s incoming transaction"

Edit: the "Trading off anonymity set size for decreased bandwidth/CPU" section in the following paper hints at a solution where only a portion of the block chain needs to be downloaded in exchange for reduced anonymity set size, but afaik this is not in Cryptonote and I did not analyze how or if it can be integrated (and off the top of my head, I think this might further reduce anonymity sets in intersection with a potential block chain pruning design for Cryptonote):

http://sourceforge.net/p/bitcoin/mailman/message/31813471/
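The tracking-key problem raised in this post (and in the reply that quotes it earlier in the thread), as an added example that is not code from the thread or from the CryptoNote project: a Python model of the whitepaper's one-time output keys P = H_s(rA)G + B, showing that the tracking key (a, B) on its own picks out every output paid to Bob while the spend key stays with the full wallet. It assumes a toy 64-bit Schnorr-style group in place of ed25519, and the wallets and the five-output chain are constructed for the demonstration.

```python
"""Toy model of CryptoNote one-time addresses and the "tracking key" discussed in the post above.
Added example, not the thread's or the CryptoNote project's code: the protocol shape follows the
whitepaper, but ed25519 is swapped for a 64-bit Schnorr-style group built at import time (toy)."""
import hashlib
import secrets

BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)   # Miller-Rabin bases, exact below 3.3e24


def is_prime(n):
    """Deterministic Miller-Rabin for odd n with 37 < n < 3.3e24."""
    s = ((n - 1) & -(n - 1)).bit_length() - 1     # n - 1 = 2^s * d with d odd
    d = (n - 1) >> s
    for b in BASES:
        x = pow(b, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime_group(start=1 << 63):
    """Smallest q >= start with q and p = 2q + 1 prime; 4 = 2^2 then generates the order-q subgroup."""
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4


P, Q, G = safe_prime_group()   # modulus, subgroup order, generator (toy sizes, not ed25519)


def mul_g(scalar):
    """Scalar multiplication xG, written multiplicatively as g^x mod p."""
    return pow(G, scalar % Q, P)


def hash_to_scalar(shared):
    """H_s: hash the Diffie-Hellman shared secret down to a scalar mod q."""
    return int.from_bytes(hashlib.sha256(str(shared).encode()).digest(), "big") % Q


def new_wallet():
    """Recipient keys: private (a, b), public address (A, B). The tracking key is (a, B)."""
    a, b = secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q - 1) + 1
    return {"a": a, "b": b, "A": mul_g(a), "B": mul_g(b)}


def send_to(A, B):
    """Sender: fresh r, transaction key R = rG, one-time output key P = H_s(rA)G + B."""
    r = secrets.randbelow(Q - 1) + 1
    return {"R": mul_g(r), "P": (mul_g(hash_to_scalar(pow(A, r, P))) * B) % P}


def belongs_to(tracking_key, out):
    """Scan with (a, B) only: aR == rA, so recompute H_s(aR)G + B and compare with P.
    Anyone holding the tracking key can run this over the whole chain and link every payment to Bob."""
    a, B = tracking_key
    return (mul_g(hash_to_scalar(pow(out["R"], a, P))) * B) % P == out["P"]


def spend_key(wallet, out):
    """Full wallet only: x = H_s(aR) + b is the private key behind P, i.e. xG == P."""
    return (hash_to_scalar(pow(out["R"], wallet["a"], P)) + wallet["b"]) % Q


def demo():
    """Constructed five-output chain paid to Bob, Carol, Bob, Carol, Bob (in that order)."""
    bob, carol = new_wallet(), new_wallet()
    chain = [send_to(w["A"], w["B"]) for w in (bob, carol, bob, carol, bob)]
    bobs = [i for i, out in enumerate(chain) if belongs_to((bob["a"], bob["B"]), out)]
    distinct = len({out["P"] for out in chain}) == len(chain)   # every P is fresh: unlinkable without (a, B)
    spendable = all(mul_g(spend_key(bob, chain[i])) == chain[i]["P"] for i in bobs)
    return bobs, distinct, spendable


if __name__ == "__main__":
    print(demo())   # ([0, 2, 4], True, True)
```

A lite-client server handed (a, B) gets exactly the `bobs` list for the whole chain, which is the linkage the whitepaper passage describes; the server still cannot produce `spend_key` without b.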
legendary
Activity: 2968
Merit: 1198

What I'm telling you is that the same broad categories of issues you mention (i.e. "There could be a flaw") are exactly applicable to off-chain methods as well as on-chain methods. None of these have been "proven secure" and likely never will. For example, are you aware that most of the basic cryptography primitives that underlie Bitcoin or other systems have not been "proven secure." They are used because they have been analyzed to death and no fatal flaws have yet been found. That's how these things work.

Specifically on the question of off-chain anon, mixers and relays can be compromised or impersonated or sybil attacked, or subjected to timing-based attack, and post-mixing, transactions can be unmixed by various forms of analysis. These are all known and demonstrated problems, plus there might well be other ones. Chain or no chain there are attack vectors and potential attack vectors. You're confused if you think one has been shown to be "more secure" (whatever that means) than the other at this juncture.

But hey, feel free to support your favorite projects, BTCD or whatever. Nothing wrong with that.

full member
Activity: 279
Merit: 100
You are far from someone who is unbiased, as you are one of the main people from Monero, aren't you?

How about addressing the substance of my comments instead of trying to dismiss them by way of association. I'm not trying to hide my affiliation with the Monero project (tacotime too above BTW), but it doesn't answer the question.

Smooth, I don't think you are going to give the idea of anonymous transactions ON THE CHAIN is something that people need to take a second look at.

I'm not sure I understood that. If you are asking whether it could be rethought, my answer would be absolutely.  

... and make baseless claims about "most respected and talented developers" without any kind of source for that statement, you are throwing FUD.

THIS below is what I'm talking about, I'm not making the stuff up, smooth

there is no math proof that there is no vulnerability here and your assessment that it is possible is good enough for me to be concerned.

Good point there is no proof yet that it isn't possible.

Note I have not assessed that cracking the private keys is possible. I just asked that we have to look for the literature on cracks where there are two simultaneous equations. I've seen nothing from smooth's mathematicians yet on this.

I have assessed that Sybil attacking the anonymity is likely amplified. And it appears smooth is leaning that way too, but no final conclusion yet.

Yes, smooth how did that turn out? It just doesn't seem as safe to me, I don't hear of anyone saying that, or devs admitting to the possibility that these issues exist in BTCD, Neos, etc.

if there is a non-zero chance of a fatal exploit, then better to be safe than sorry and pursue it to the best of our abilities

there is no math proof that there is no vulnerability here and your assessment that it is possible is good enough for me to be concerned.

My opinion is that there is no way to "come to the conclusion" without actually doing the work to build out systems and see if they hold up. That is what we are doing.

Ok, then.

hero member
Activity: 798
Merit: 1000
‘Try to be nice’
It's all academic, I explained this to the Monero guys.

But as it's "academic" it doesn't matter either way as long as it is "neutral".

So let me quantify that:

i.e. as long as the "on chain" aspect, if "cracked", does not give away more information than if it had not existed, i.e. a control system with no "Anon" features; if it does, then it is clearly flawed.

Most of the time on purpose {yawn} no one cares about this stuff.
legendary
Activity: 2968
Merit: 1198
You are far from someone who is unbiased, as you are one of the main people from Monero, aren't you?

How about addressing the substance of my comments instead of trying to dismiss them by way of association. I'm not trying to hide my affiliation with the Monero project (tacotime too above BTW), but it doesn't answer the question.

Quote
Smooth, I don't think you are going to give the idea of anonymous transactions ON THE CHAIN is something that people need to take a second look at.

I'm not sure I understood that. If you are asking whether it could be rethought, my answer would be absolutely.  

If you are saying that "I have come to the conclusion" and then later add "I could be wrong" and make baseless claims about "most respected and talented developers" without any kind of source for that statement, you are throwing FUD.

My opinion is that there is no way to "come to the conclusion" without actually doing the work to build out systems and see if they hold up. That is what we are doing.

full member
Activity: 279
Merit: 100
This is NOT fud.
And yes, I could be wrong.

It is precisely FUD. If you don't have actual hard facts and can specifically identify and explain an actual mechanism of failure, you are relying on Fear Uncertainty and Doubt. "yes, I could be wrong" = FUD.

Also your claim about "most anon technologies" and "most respected and talented developers" falls apart when looked at carefully. Your evidence is that you cherry picked some projects and personalities that support your premise. Even then the people you cite don't even agree, at least not unconditionally. For example, are you aware that jl777 is actively supporting BBR = on chain anonymity?


You are far from someone who is unbiased, as you are one of the main people from Monero arent you?

Smooth, I don't think you are going to give the idea of anonymous transactions ON THE CHAIN is something that people need to take a second look at.

I agree that some of the coins that are claiming anon off of the chain are nothing but mixers, but others such as BTCD, NEOS, will outlast high prices, hype, and clever marketing, and most importantly.... ATTACKS!

Oh yeah, and speaking of developers. Jl777. Yes, he does support BBR which uses on the chain anon. But he plays a much more active role in BTCD which uses off the chain anon.

Like you said, Jl777 supports BBR, so why hasn't he used CN tech on BTCD? Because it is not as safe for the end user is why.

This is what makes me think that I am not the only one that believes this.. when it comes to keeping yourself anonymous.

When you look out past what is a good speculation tool, and what is the new flashy tech of the day, and focus on what is really going to keep users' identities safe, it is your more decentralized off chain anon coins that will protect people long term.

legendary
Activity: 2968
Merit: 1198
This is NOT fud.
And yes, I could be wrong.

It is precisely FUD. If you don't have actual hard facts and can specifically identify and explain an actual mechanism of failure, you are relying on Fear Uncertainty and Doubt. "yes, I could be wrong" = FUD.

Also your claim about "most anon technologies" and "most respected and talented developers" falls apart when looked at carefully. Your evidence is that you cherry picked some projects and personalities that support your premise. Even then the people you cite don't even agree, at least not unconditionally. For example, are you aware that jl777 is actively supporting BBR = on chain anonymity?
hero member
Activity: 672
Merit: 500
You are very naive thinking something based on sound cryptography is intrinsically less secure than something based on obscurity. If the records are ... not there... I wonder if that's an acceptable solution.

I don't care if you think those members are "known and well respected". I don't believe anyone without doing my research first.
full member
Activity: 279
Merit: 100
It seems to me people here believe security through obfuscation is an acceptable solution. It has been demonstrated to be problematic in many, many cases.
Cryptography is not "just a twist". It is a sound concept; every time a hash is compromised it is considered a major achievement.
Quote
Why are most anon technologies not "on the chain"?
Because claiming security through obfuscation is way easier.
"I promise you I won't release your data". What technologies are you talking about?
Quote
Why are the most respected and talented developers not choosing to have the "on chain anon"?
Who are you talking about?


Who am I talking about? jl777, AM, ya might have heard of them lol

There is one of the most respected members of the community, and one of the most respected developers right there.

That's enough for me. They know the actual coding and technology much more than me. Enough for me to think that my take on the situation has merit. In my opinion you are completely naive to think the tech that is publicly available is more secure than tech that is not.

Let me say this again, you are completely naive to think that tech that is publicly on the public ledger to be exploited, is more secure than a technical solution that is off of the chain, and all of the records are, well NOT THERE!!

Think people, think!!! It just seems SO OBVIOUS to me. And the argument that, "well, then let's just say that Bitcoin is a danger because it's all on the chain".

That's all you CN people have? That's comparing apples to oranges, actually those are still fruit. It's like comparing apples to garbage bags.

To even suggest that ring signatures are as secure as Bitcoin's crypto security is an insult to everyone's intelligence here. That just proves my point that you are playing up, and pumping something, and like it was said "playing crypto musical chairs".

Well, the point still stands. Yes, you can make a lot of money off of Bytecoin clones/forks, but just make sure you are close to a chair/exit if you stand to lose your ass when it hits the floor.

Facts people, facts. There is some opinion here, like you are naive if you believe otherwise, idk, you could be crazy, or ignorant to the truth, or caught up in a wishful thinking maze of bitcoin in your eyes.

Watch out, who knows what day it will be, but one day the CryptoNote music will come to a dead silence.

Fact

hero member
Activity: 672
Merit: 500
It seems to me people here believe security through obfuscation is an acceptable solution. It has been demonstrated to be problematic in many, many cases.
Cryptography is not "just a twist". It is a sound concept; every time a hash is compromised it is considered a major achievement.
Quote
Why are most anon technologies not "on the chain"?
Because claiming security through obfuscation is way easier.
"I promise you I won't release your data". What technologies are you talking about?
Quote
Why are the most respected and talented developers not choosing to have the "on chain anon"?
Who are you talking about?