Would like to get some closure on recent discussions.
To help rpietila with the periodic summaries he typically adds to the OPs of his moderated threads, I suggest we try to compile a summary of the significant pluses and minuses of top anonymous coin designs.
Could we agree on wording such as the following? Please let me know if I left anything out that we discussed upthread. The following doesn't attempt to qualify how likely or predominant relative weaknesses are, as this is too complex to summarize succinctly.
* represents a feature which is claimed to be an advantage but may or may not be a liability.
?? means I guessed and am not sure.
Monero (Cryptonote coins)
+ cryptographically unlinkable & untraceable
- tx sybil attack (mitigated with mandatory tx fees)
- I2P (anonymity or DoS) sybil or timing analysis attack
- unprunable -> mining centralization or less scalable
- public key cryptography not quantum nor number theoretic immune
- slow PoW hash
- mining is not anonymous
* unvetted asic-resistant PoW hash, demonstrated GPU parity
Boolberry (Cryptonote optimization)
+ discards ring signatures reducing block chain size by a constant factor
+ prevents mixing with those who don't mix so unlinkability & untraceability isn't trivially broken
+ cryptographically unlinkable & untraceable
- tx sybil attack (mitigated with mandatory tx fees)
- no I2P/Tor IP obfuscation
- unprunable -> mining centralization or less scalable
- public key cryptography not quantum nor number theoretic immune
- mining is not anonymous (??)
* unvetted asic-resistant PoW hash, demonstrated GPU parity (??)
DarkCoin (this is the best CloakCoin's anonymity could improve to as it is similar conceptually in design)
+ prunable (but unimplemented)
- unlinkability Sybil attack on masternodes
- tx sybil attack (mitigated with mandatory tx fees)
- Tor (anonymity or DoS) sybil or timing analysis attack
- simultaneity or premix tx bloat -> mining centralization or less scalable
- public key cryptography not quantum nor number theoretic immune
- mining is not anonymous (??)
Zerocash
+ all coins mixed all the time, so no tx Sybil attack incentive (may not need tx fees if they adopt my secret??)
+ don't need to obfuscate IP address (I2P/Tor) because...
+ ...everything is cryptographically hidden...
- ...even the money supply -> compromised master setup or cryptanalysis breakage could create unlimited undetected coins
- unprunable (??) -> mining centralization or less scalable
- public key cryptography not quantum nor number theoretic immune
- unvetted new complex crypto could break anonymity and coin value retroactively
- mining is not anonymous (??)
- not released