Topic: Zero Knowledge Transactions (Read 18668 times)

sr. member
Activity: 336
Merit: 265
March 02, 2017, 10:54:17 PM
Another issue with Monero's anonymity occurred to me tonight when I was at the grocery store and I was thinking about how can we have anonymity yet also comply with the need to report our earnings and expenditures for government tax compliance. If everyone is reporting, then the anonymity sets collapse and so does the anonymity for everyone (even those who didn't report).

So I got to thinking (yeah all inside the grocery store) that from my work in designing Zero Knowledge Transactions (my unvetted design which competes with and predates Monero's RingCT and which is based on Compact Confidential Transactions which in theory are more efficient than Blockstream's CT which RingCT is based on), that I am pretty sure we can do a NIZKP (zero knowledge proof) of a total of all payments sent and received using CCT (not sure if it can also be done with CT). Thus we could prove to the government how much we expended and earned without giving the government the detailed amounts for each transaction, thus not breaking the anonymity sets.

But then I realized this won't work with ring signatures, because ring signatures require that the sender isn't known publicly. Thus there is no way to prove the sum without revealing which ring signatures are yours, thus unmasking your anonymity.

So I realized that instead we need offline anonymity mixing like CoinJoin. Then I remembered that last year in my discussions with @jl777, I had revealed my invention for how to remove the jamming problem from CoinJoin and make them scale and work properly. I specifically figured out how to let the signers sign independently of each other!

So I am thinking I might have the best anonymity solution after all! But I will need to think out the details more later. How ironic would that be if I win in the end against @Shen-noether. Oh how sweet it would be after how he was so condescending to me when I did peer review with him on Reddit. I had pretty much put anonymity on the low priority queue because it seemed like Monero and Zcash had it all wrapped up (and it seemed to me that anonymity wasn't the huge market to drive millions into crypto, yet here in this thread I can see it is important to some investors). But hmmm, maybe they don't! My only interest in anonymity lately (in 2016) was to contemplate how to make it lightweight and compatible with microtransactions. Hence the invention I had sort of explained to @jl777 (but he decided to clone Zcash instead).

Any way, I'd like to get some feedback on the issue I've raised?

P.S. I am going to try to ask someone to vet my ZKT soon, so I will know if my method of removing the onerous "proof of the square" was valid or not. Removing that proof, which was added when Andrew Poelstra found a flaw in CCT (not my work), was what caused CCT to be less efficient and less viable because it then required huge elliptic curves 768-bit or larger.


MimbleWimble provides the mechanism for non-interactive CoinJoin which is essentially the same idea I expressed last year as well to @jl777 (I think perhaps before MimbleWimble was published but I'd need to dig into my archives to remember when I did what given the delirium I was experiencing it is all a blur now), so by watching this you'll better understand:

https://www.youtube.com/watch?v=aHTRlbCaUyM

Note I am not interested in MW's blockchain compression feature for the project I am working on, because it carries with it too many drawbacks and afaics it is unnecessary in my framework for a blockchain.

If my fix removing the inefficient proof-of-square for CCT is correct (and it probably isn't, probably has a math error), then it would be more efficient than Blockstream's CT that MW is employing.

Note Monero/Cryptonote's RingCT has the same problem as MW in that:

though it is unclear how to design a safe peer-to-peer network capable of exploiting this ability

In other words, Tor and I2P aren't guaranteed to be anonymous (many think they are just honeypots). So might as well integrate mixnet into the P2P network.
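The homomorphic "proof of the total" this post describes, as an added example (constructed for this thread, not code from ZKT, CT, CCT or Monero; the seeded 64-bit toy group, the hash-derived second generator and the sample amounts are assumptions): a wallet opens only the sum of its Pedersen commitments to an auditor, and the same homomorphism is the inputs-equals-outputs check that CT-style validators run.

```python
"""Homomorphic 'proof of sum' over Pedersen commitments (constructed demo).

Wallet: fold the (value, blinding) pairs of every confidential output into one
opening (total, r_total).  Auditor: check that opening against the product of
the public commitments; no individual amount is revealed.  Validator: the same
homomorphism checks that inputs and outputs balance.  Omitted: range proofs,
which real CT/CCT need so that a value cannot wrap around modulo q.
"""
import hashlib
import random

_MR_BASES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; exact for every n below 3.3e24."""
    if n < 2:
        return False
    for b in _MR_BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def make_group(bits: int = 64, seed: int = 2017):
    """Toy group: safe prime p = 2q+1 plus generators g, h of the order-q subgroup.

    Seeded for reproducibility (an assumption of this demo); a real system uses
    fixed published parameters or an elliptic curve, not a searched 64-bit prime.
    """
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            break
    p = 2 * q + 1
    g = 4  # a quadratic residue, so it has order q in Z_p^*
    # Nothing-up-my-sleeve second generator: nobody knows log_g(h), which is
    # what makes a commitment binding (it cannot be opened to another value).
    h = pow(int.from_bytes(hashlib.sha256(b"pedersen-h").digest(), "big") % p, 2, p)
    assert h not in (0, 1)
    return p, q, g, h


P, Q, G, H = make_group()


def commit(value: int, blinding: int) -> int:
    """Pedersen commitment C = g^v * h^r mod p: hiding (random r) and binding."""
    return pow(G, value, P) * pow(H, blinding % Q, P) % P


def sample_wallet(seed: int = 1):
    """Constructed sample: four confidential outputs owned by one wallet."""
    rng = random.Random(seed)
    return [(v, rng.randrange(1, Q)) for v in (120, 35, 9000, 7)]


def aggregate_opening(outputs):
    """Wallet side: only (total, r_total) leaves; each v_i and r_i stays private."""
    total = sum(v for v, _ in outputs)
    r_total = sum(r for _, r in outputs) % Q
    return total, r_total


def verify_total(commitments, claimed_total: int, r_total: int) -> bool:
    """Auditor side: prod(C_i) == g^total * h^r_total iff the claimed total is right."""
    acc = 1
    for c in commitments:
        acc = acc * c % P
    return acc == commit(claimed_total, r_total)


def verify_balance(in_commits, out_commits, excess_blinding: int) -> bool:
    """Validator side (CT/MimbleWimble style): values in == values out.

    prod(C_in) / prod(C_out) equals h^(sum r_in - sum r_out) exactly when the
    values cancel; the prover reveals (or signs with) that blinding difference.
    A flaw in this check is the 'out of thin air' inflation risk.
    """
    num = den = 1
    for c in in_commits:
        num = num * c % P
    for c in out_commits:
        den = den * c % P
    return num * pow(den, -1, P) % P == pow(H, excess_blinding % Q, P)
```

The auditor learns 9162 for the sample wallet and nothing about the four individual amounts; changing the claimed total or the aggregate blinding by one makes the check fail.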
sr. member
Activity: 336
Merit: 265
February 25, 2017, 09:38:42 AM
Did you ever test your MBTI? You sound like an ENTP/J.

You were nearly spot on:

https://bitcointalksearch.org/topic/m.6247919
legendary
Activity: 2464
Merit: 1145
February 25, 2017, 09:06:54 AM
EDIT: I just realized I misunderstood your point.

Well you understood part of it. I agree that we can't have others in the anonymity set unmasking their own transactions, because then it aids in unmasking the others as well.

Apologies I am not always writing clearly. Combination of:

  • Being only high 80s to low 90s percentile in writing skills, spelling, and vocabulary, but I am 99th percentile in reading comprehension and my conceptual "visual abstract mathematics" skill is lower level genius perhaps (at least in the 130 - 140 IQ range, perhaps higher). I've wondered if I am mildly Asperger's (the speech and language aspects only) but not sure, probably not. I also seem to have a mild dyslexia (so often order gets transposed or entire portions get dropped). And given my active abstract mind, this communication capability that others might see as above average, is from my vantage point a major disability, sort of like being inside a jail and unable to communicate, but rather than shutting down introvert I am extrovert. Btw, I think this is probably why I love programming because the vocabulary is small but the abstract domain is large.
  • Still suffering frequent (but not continuous) delirium of chronic fatigue due to my TB meds
  • Was very sleepy when I wrote that

Here is a new summary:

https://bitcointalksearch.org/topic/m.17968724

Edit:

Btw, I think this is probably why I love programming because the vocabulary is small but the abstract domain is large.

It's curious that I think the same about myself being an introvert ))

I don't know why it went the opposite direction for me. Maybe it is my high level of skill in athletics and thus I was able to relate socially on aspects other than my intellectual interests. I had also seen those as two distinct sides of myself. But I would also go introvert at times, wanting to get away from boring social interaction and get back on my computer and intellectual pursuits. Maybe you can relate?

My father and mother are both very skilled in vocabulary and writing, yet my father is an introvert by nature and very good faked extrovert. My mother is an extrovert.

The more I think about it, I was an extrovert since early childhood or even as an infant. I remember when I was 5, I would walk up to a group of adult strangers in the park and entertain them in conversation. I remember at a very early age, I became very interested in the philosophical conversations my 160 IQ step-father was having and I realized I could follow all the logic easily.

Did you ever test your MBTI? You sound like an ENTP/J.
It helped me to find out my strengths and weaknesses and focus on areas which I needed to improve.
newbie
Activity: 55
Merit: 0
February 25, 2017, 02:56:49 AM
If you can, I hope you can join us with your revolutionary Zero Knowledge Transactions: [email protected]
sr. member
Activity: 336
Merit: 265
February 24, 2017, 08:15:08 PM
EDIT: I just realized I misunderstood your point.

Well you understood part of it. I agree that we can't have others in the anonymity set unmasking their own transactions, because then it aids in unmasking the others as well.

Apologies I am not always writing clearly. Combination of:

  • Being only high 80s to low 90s percentile in writing skills, spelling, and vocabulary, but I am 99th percentile in reading comprehension and my conceptual "visual abstract mathematics" skill is lower level genius perhaps (at least in the 130 - 140 IQ range, perhaps higher). I've wondered if I am mildly Asperger's (the speech and language aspects only) but not sure, probably not. I also seem to have a mild dyslexia (so often order gets transposed or entire portions get dropped). And given my active abstract mind, this communication capability that others might see as above average, is from my vantage point a major disability, sort of like being inside a jail and unable to communicate, but rather than shutting down introvert I am extrovert. Btw, I think this is probably why I love programming because the vocabulary is small but the abstract domain is large.
  • Still suffering frequent (but not continuous) delirium of chronic fatigue due to my TB meds
  • Was very sleepy when I wrote that

Here is a new summary:

https://bitcointalksearch.org/topic/m.17968724

Edit:

Btw, I think this is probably why I love programming because the vocabulary is small but the abstract domain is large.

It's curious that I think the same about myself being an introvert ))

I don't know why it went the opposite direction for me. Maybe it is my high level of skill in athletics and thus I was able to relate socially on aspects other than my intellectual interests. I had also seen those as two distinct sides of myself. But I would also go introvert at times, wanting to get away from boring social interaction and get back on my computer and intellectual pursuits. Maybe you can relate?

My father and mother are both very skilled in vocabulary and writing, yet my father is an introvert by nature and very good faked extrovert. My mother is an extrovert.

The more I think about it, I was an extrovert since early childhood or even as an infant. I remember when I was 5, I would walk up to a group of adult strangers in the park and entertain them in conversation. I remember at a very early age, I became very interested in the philosophical conversations my 160 IQ step-father was having and I realized I could follow all the logic easily.
hero member
Activity: 770
Merit: 629
February 24, 2017, 09:38:41 AM
Another issue with Monero's anonymity occurred to me tonight when I was at the grocery store and I was thinking about how can we have anonymity yet also comply with the need to report our earnings and expenditures for government tax compliance. If everyone is reporting, then the anonymity sets collapse and so does the anonymity for everyone (even those who didn't report).

I think that problem is unsolvable.  You cannot be anonymous if nobody else is.  If all transactions of all other actors are known, I don't think there is the slightest mechanism for your transaction not to be known.  If your partners in transactions have reported all the transactions with you (whether receiving or sending), then you don't even have to report anything: it is already reported.

There's no point in mixing, using ZKproofs, or whatever, if you are the only person not reporting, because all your counter parties have already reported everything, and the checksum on everyone's havings reveals exactly your balance.  

Just as you cannot be anonymous if you are alone on an island, you cannot be anonymous if everyone else is reporting everything.


EDIT: I just realized I misunderstood your point.
sr. member
Activity: 336
Merit: 265
February 24, 2017, 09:21:44 AM
Another issue with Monero's anonymity occurred to me tonight when I was at the grocery store and I was thinking about how can we have anonymity yet also comply with the need to report our earnings and expenditures for government tax compliance. If everyone is reporting, then the anonymity sets collapse and so does the anonymity for everyone (even those who didn't report).

So I got to thinking (yeah all inside the grocery store) that from my work in designing Zero Knowledge Transactions (my unvetted design which competes with and predates Monero's RingCT and which is based on Compact Confidential Transactions which in theory are more efficient than Blockstream's CT which RingCT is based on), that I am pretty sure we can do a NIZKP (zero knowledge proof) of a total of all payments sent and received using CCT (not sure if it can also be done with CT). Thus we could prove to the government how much we expended and earned without giving the government the detailed amounts for each transaction, thus not breaking the anonymity sets.

But then I realized this won't work with ring signatures, because ring signatures require that the sender isn't known publicly. Thus there is no way to prove the sum without revealing which ring signatures are yours, thus unmasking your anonymity.

So I realized that instead we need offline anonymity mixing like CoinJoin. Then I remembered that last year in my discussions with @jl777, I had revealed my invention for how to remove the jamming problem from CoinJoin and make them scale and work properly. I specifically figured out how to let the signers sign independently of each other!

So I am thinking I might have the best anonymity solution after all! But I will need to think out the details more later. How ironic would that be if I win in the end against @Shen-noether. Oh how sweet it would be after how he was so condescending to me when I did peer review with him on Reddit. I had pretty much put anonymity on the low priority queue because it seemed like Monero and Zcash had it all wrapped up (and it seemed to me that anonymity wasn't the huge market to drive millions into crypto, yet here in this thread I can see it is important to some investors). But hmmm, maybe they don't! My only interest in anonymity lately (in 2016) was to contemplate how to make it lightweight and compatible with microtransactions. Hence the invention I had sort of explained to @jl777 (but he decided to clone Zcash instead).

Any way, I'd like to get some feedback on the issue I've raised?

P.S. I am going to try to ask someone to vet my ZKT soon, so I will know if my method of removing the onerous "proof of the square" was valid or not. Removing that proof, which was added when Andrew Poelstra found a flaw in CCT (not my work), was what caused CCT to be less efficient and less viable because it then required huge elliptic curves 768-bit or larger.
sr. member
Activity: 336
Merit: 265
September 10, 2016, 08:26:47 AM
I believe perhaps this latest idea may be the most practical for privacy system that can scale to the masses and fits their meager expectations for privacy.

I would think that MimbleWimble holds the most promise for a scalable anonymous design...

First time I heard of that (my head has been buried on Steem and curing my illness, not anonymity tech lately) and I am reading now, and already it helped me:

I had requested that @smooth provide me a link to a "knapsack" algorithm that Monero was originally contemplating (which may have been similar in some facets), but I never received a reply to that request.

So here I found the knapsack paper (see link I inserted into the quote):

OWAS had the good idea to combine the transactions in blocks.

Edit: I will not go off on the MimbleWimble (and OWAS) tangent right now to compare to my idea. I will do so when I have the incentive to do so. Right now my priorities are on other work.
legendary
Activity: 990
Merit: 1108
September 10, 2016, 08:17:13 AM
I believe perhaps this latest idea may be the most practical for privacy system that can scale to the masses and fits their meager expectations for privacy.

I would think that MimbleWimble holds the most promise for a scalable anonymous design...
sr. member
Activity: 336
Merit: 265
September 10, 2016, 07:46:46 AM
I am surprised that no one has pointed out that hiding values, e.g. Blockstream's Confidential Transactions, is immune to IP address meta-data correlation, because hiding value doesn't require hiding identity.

Thus RingCT is retrogressive (and even bloats the block chain).

Now if we talk about the most optimized implementation of homomorphic data hiding, then I fixed and improved Compact Confidential Transactions as part of my work on my Zero Knowledge Transactions.

So if that will be the new area of provable privacy, then I can still kick ass on Monero/Aeon.

Hmmm. I didn't realize I was still holding a superior asset. This gives another thing to add to my coin to kick ass on you fuckers. Right on!
newbie
Activity: 14
Merit: 0
May 17, 2016, 06:31:28 PM
Can you expressly define "superior anonymity"?  Anonymint has claimed anonymity is an impossibility and a degree of privacy is what we can expect, all things considered.

Don't fret, because as the angel investor of the banned AnonyMint, I am in possession of a copy of his unpublished Zero Knowledge Transactions research.

http://oi65.tinypic.com/6oml3n.jpg
sr. member
Activity: 420
Merit: 262
January 22, 2016, 08:47:01 PM
I am surprised that no one has pointed out that hiding values, e.g. Blockstream's Confidential Transactions, is immune to IP address meta-data correlation, because hiding value doesn't require hiding identity.

Thus RingCT is retrogressive (and even bloats the block chain).

Now if we talk about the most optimized implementation of homomorphic data hiding, then I fixed and improved Compact Confidential Transactions as part of my work on my Zero Knowledge Transactions.

So if that will be the new area of provable privacy, then I can still kick ass on Monero/Aeon.

Hmmm. I didn't realize I was still holding a superior asset. This gives another thing to add to my coin to kick ass on you fuckers. Right on!
sr. member
Activity: 420
Merit: 262
January 20, 2016, 07:38:19 PM
Other than the prior post, the Zerocash forum has begun removing and censoring my posts. So yet another attempt to pull the wool over speculator eyes and not open source on factual discussion.

So many deluded folks in crypto who get offended when they realize they aren't even close to understanding all the issues I understand about crypto currency, and the ramifications that their projects are ill-focused and not ready for prime time.
sr. member
Activity: 420
Merit: 262
January 20, 2016, 03:16:34 PM
A for-profit coin company, I don't care what they make, I will never trust them.

Agreed that is the opportunity to beat them by open sourcing their code. But you will also need my block chain technology to make the big win.

moreover RingCT will move Monero closer to Zcash

Sorry no. It is still not immune to meta-data and the theoretical combinatorial analysis. Not reliable. Not realistic.

We need to move forward. It is up to you, I know my thinking and priorities on this matter.


A for profit company with closed source code controlling the initial key for a zerocash like currency is a regulatory nightmare.

No closed source. The key would be produced publicly at a ceremony.



Would this metadata and combinatorial analysis hold even if mixin 10 was a default on all tx's?

The meta-data (e.g. IP address, browser cookie, timing analysis and location of connection, what you said in facebook or on the phone, etc) correlation problem isn't likely impacted no matter how many times or inputs you ring mix. It is very difficult for mere mortals to cover their tracks on all the possible meta-data correlations. It is unfathomably difficult. Don't fool yourself into thinking it isn't.

The combinatorial analysis flaw (which I introduced to smooth during the BCX incident and hence followed up in debate with Shen-noether) is very theoretical and may or may not be plausible. In my thinking, it comes more into play if combined with meta-data breakdown of the anonymity systemically. Mixing more may help somewhat, but it can also make it worse because it is the excessive overlapping in mixes that causes the combinatorial unmasking.

In short, it is a clusterfuck (not a clean, clear, provable solution) and that is why I abandoned it.



...
All miners will have to register as money transmitters under FinCEN regulations, same as the issue for Dash masternodes. There are seriously bad implications in their investment strategy. But their code and developers are valuable. The investors can probably recover their money on the initial IPO. They should IPO the damn thing and do it legally and not mess with this "master of the universe" idea above.

I am contemplating contacting them, but I need to think through their economic options. It may be impossible to get them to do the right thing.

But they could definitely benefit from my endorsement in an IPO. A legal IPO! As well, they could benefit from my block chain tech.
...

Miners do not have to register as MSBs. Please read the guidance. https://www.fincen.gov/news_room/rp/rulings/html/FIN-2014-R001.html The jury is very much out on Dash masternodes. How will the investors recover the funds from an IPO? If it is by emission then the IPO company is an MSB in the United States.

My interpretation of FinCEN guidance is miners would have to register as MSBs if they are forced to transfer some of the coinbase to some other party. Just because it is enforced by the protocol, doesn't absolve the miner from (the legal culpability of) creating the block which created new supply and transferred it to a third party.

Disclaimer: IANAL.



I hate when n00bs make me repeat the same shit over and over and over again. Do you think my time is free?

The masterkey has to be produced in a way that no one knows it. The proposals had been to use a public ceremony and a computer examined by everyone attending, to be sure the masterkey is unknown to anyone.

Note if the masterkey is known, that person can create coins out-of-thin-air, but he can't unmask the anonymity. That is a crucial distinction.

This is why I proposed the idea of using Zerocash as a mixer that eventually times out, so that we can be sure the mixer hasn't created any new coins. Everyone going into the mixer takes the risk that they may not be able to come out of the mixer if the attacker has already created coins. Then we could have many of these mixers in a free market, and users would decide which mixers they trust. Again anonymity is never compromised and the run on the bank can only be a loss to participants, not to the entire ecosystem. I am pretty sure this solves the problem and this is why we can take their open source and beat them.

I am loaded with ideas and designs to solve real problems in crypto. Hopefully some smart devs are going to realize they are better off working with me.

I am aware of that. However, for a stand-alone altcoin creating coins out-of-thin-air is just as detrimental as unmasking the anonymity, because both will likely result in the coin dying.

I already proposed a solution in my prior reply to you that is using their technology in ephemeral mixers, which thus avoids systemic risk and reveals which mixers are compromised (which is likely to be quite rare because participants will learn to judge which masterkeys were generated correctly at ceremony).

Free markets always work best as long as systemic risk is avoided.


RingCT has the same problem. I explained in I believe both the chess thread and my Zero Knowledge Transactions thread. This is another reason I abandoned it (in addition to the inability to get reliable anonymity since it doesn't hide meta-data the way Zerocash/Zcash does).


No it doesn't, because coinbase transactions are mixin = 0 in Monero and therefore you can check if the total supply hasn't been tampered with.

Wrong! Wrong! Wrong! Exemplifies that you are a n00b who should STFU.

If there is a flaw in the cryptography for proving the homomorphic sums (and that is new cryptography), then indeed the attacker can create new value out-of-thin-air and not be detected. I am not going to explain the examples and math again. I already did in the past. Go ask Shen-noether.

You should have paid attention the last time I explained this! You always want to use me but then you don't respect me enough to reward me[1] and then you expect me to correct for your inability to study and remember my posts carefully.

I don't think you should bet against them, because Zerocash has anonymity and nothing else does! The community will make sure it is peer reviewed. We must. You had better start figuring out how to transition and pronto.

I don't say I do. eb3f stated on reddit the following: "Monero uses ring signatures, as you may know, which is battle-tested and well-understood in the cryptography world and in practice". Even with community review it will take a long time to get to this state. I also don't agree with bolded here, but I won't go on a back-and-forth discussion with you over that.

Again my point is that you could have the safest snot in the world, but if people can't use snot for anything, then they are going to put their energies into perfecting and peer reviewing what they need.

Seems you all often miss the points entirely. They fly right over your heads.

I do agree that the new cryptography for Zerocash and zk-snarks is more complex than the new cryptography for homomorphic proof-of-sums for RingCT (or my ZKT), but I don't think that helps given the meta-data problem for RingCT/ZKT/Cryptonote (and every anonymity technology other than Zerocash). What is the point of pursuing a direction which is known to be unreliable and fundamentally flawed (in a way that can never be fixed), when we can pursue a direction that fixes the meta-data problem and is a matter of convincing whether the technology is sound with much peer review. Certainly the peer review can be done over time, and probably incentivized if the technology has a popular application.

I'll let others who are more knowledgeable comment on the metadata.

Please don't tell me I will have to waste more of my time defending an obvious point (for anyone who has the slightest technological understanding).

I am frustrated how much fucking time we waste. You all have been convincing yourselves in your little delusions for years of what ever circle jerk bubbles you prefer to be in (which often include ridiculing/dismissing me).

Edit: correction:

[1] I was rewarded by smooth, jl777, and rpietila. Big thanks to them. Very much so. I am just frustrated because I need a viable financial direction and we need to work smart and find a way that we can make these matters work in our favor. And I am trying to find people who value me and find a way to get it done.



...

No closed source. The key would be produced publicly at a ceremony.
...

Using what operating system and firmware?

Of course they will need to convince the public the master key is sound. Or use my idea above of having multiple mixers and timing them out. I believe there is a solution, yet I will agree the current organization of their plans seems legally and structurally flawed.

That is why I say we can transition and beat them. But the technology is real anonymity. If you want real anonymity, you have to find a way to use their technology. Period. (and I have been studying this for a long time)

This does not answer my question which is cut and dry and goes to the heart of the trust issue.

If you apply that line of thinking, then every anonymity is insecure because operating systems and computers are never 100% secure.

I already proposed how to spread the risk out and make it non-systemic.

Note that Monero (Cryptonote one-time rings and every other kind of anonymity technology) also has systemic risk due to combinatorial analysis cascade as more and more users are unmasked with meta-data and overlapping mixes.



Proprietary software solutions have by their very nature a centralized systemic risk that Free Libre Open Source software solutions do not. The type of risks you describe in Monero are trivial compared to the risk of the DRM in the operating system used to generate the master key in a centralized proprietary solution such as the one you propose. Furthermore I still do not have an answer to what is a straightforward yes or no question.

The masterkey is generated once and only the public key is retained. As long as no one saw nor can recover the private key before it was discarded, then there is nothing proprietary remaining in the use of the Zerocash open source. The Zerocash open source code requires a public key to be pasted in. It is the public (ceremony) generation of that key, which determines whether anyone had access to the private key when the public key was created.

DRM has nothing to do with it all. Thus I assume you don't understand the issue.

The only issue is whether the public key can be computed at a public ceremony and the private key was securely discarded. So for example, they could use any computer, encase it in lead before running the computation, and no external connection to the computer other than the screen which reads out the public key.

Then slide the computer into a barrel of acid so that it is permanently destroyed. All done at a public ceremony so there can be no cheating.

Of course one could envision elaborate/exotic means of cheating, such as using radio waves to communicate the private key out to an external actor, but again that is why I wrote encase it in lead. There is the issue of how to destroy it while not momentarily removing it from its communication barrier. But I am confident these physics issues can be worked out to a sufficient level of trust.

As for trust, not even the Elliptic Curve Cryptography and other math we use for crypto can be 100% trusted. So if you start arguing silly about 100% trust, then it is safe to ignore as loony.

...
I am imagining that the type of people designing such a technology would do better than generate a masterkey on Windows et al. I'm actually imagining purpose-built, auditable software and maybe even hardware.

Auditable by whom?

It comes down to Free Software vs Proprietary software. The same is true for the hardware. There is a reason why my question is being avoided here.

By the attendees of said masterkey-generation ceremony.

Actually by anyone who uses the currency. The role of the attendees is to verify that all the software has not changed between what was used and what is released to the public.

Edit: The minute one tries to protect "intellectual property" at any level the trust is gone.

FUD. The ceremony is only to compute a public key, nothing else. No other software has to be audited. Only need to confirm that the private key was not communicated from the computer to anyone. Period.



...
FUD. The ceremony is only to compute a public key, nothing else. No other software has to be audited. Only need to confirm that the private key was not communicated from the computer to anyone. Period.

How do you know that the public key you see on the screen is the one that was computed and not one that was precomputed before the computer was "placed in lead"?

Edit: DRM in the OS has everything to do with this since it is the perfect place to hide the private key. That is what DRM is designed to do: hide private keys.

The hardware has to be audited. But we also have to audit our hardware that we use to run Cryptonote. If Intel is planting spies in the hardware, then we are screwed.

100% trust is impossible. And this is another reason I deprioritized anonymity. It is a clusterfuck.

Also I think perhaps Zerocash was working on a way to generate the public key decentralized, but I haven't kept up with progress on that.

Indeed Zerocash could end up being a Trojan Horse (a way to get fiat in the back door) and that is why I made my proposal to use them only as ephemeral mixes that die periodically, so then we will know if the key was compromised or not.

The result of my proposal is:

  • Stolen coins aren't systemic to the overall coin (same as losing some coins to Mt. Gox and Cryptsy isn't), and at least participants get ongoing ceremonies to get better and better at auditing the hardware.
  • No anonymity is ever lost.
  • No NET coin supply is ever created out-of-thin-air (instead some people lose coins if they chose an insecure mixer that had a compromised key), which is also the case for both Zerocash and RingCT where coin supply could be created out of thin air and we would never know it due to a bug in cryptography.

That will kick ass on Monero, because if I pass through the mixer, I know my anonymity is provable and I know I didn't lose my coins. It is only people who are still sitting inside the mixer who risk losing coins. Everything has a risk. I would much rather the microscopic risk of a compromised key (causing me to lose some coins) to the sure risk of meta-data correlation in Monero which can send me to jail! Surely I would be judicious about not mixing all my coins at the same time and not all in the same mixer.



TPTB said that not even math can be trusted 100%, then how can we put 100% trust on any device for fair start of a trustless currency

If can't trust the math, throw Monero in the garbage can too.

My point is that nothing is 100%. We have to weigh the reasonable risks and benefits.



Quote
But I am confident these physics issues can be worked out to a sufficient level of trust.

Only need to confirm that the private key was not communicated from the computer to any one.

I find this kinda weak against your general absolutism. "So Simple Yet So Complex".


After all, what stops all 3 letter agencies, who can own blockchains and can do analysis and attacks etc, to stage the whole thing? Will I be allowed to check that computer?

I mean, I have near to zero understanding of cryptography, but your search for the perfect/ideal solution looks like making you ready to take a huge and dangerous bet.

I proposed ephemeral mixers based on Zerocash technology. They will be ferreted out if they are doing this, because it will be known that the key was compromised when the mixer expires and everyone has to cash out of the mixer back into the public coin. The bastards can't keep doing it over and over again. The participants will get wise as to the methods the attackers are using.

I am not absolutist. Rather I think correctly and realistically when I weigh marketing, tradeoffs, and delusion as follows:

That will kick ass on Monero, because if I pass through the mixer, I know my anonymity is provable and I know I didn't lose my coins. It is only people who are still sitting inside the mixer who risk losing coins. Everything has a risk. I would much rather the microscopic risk of a compromised key (causing me to lose some coins) to the sure risk of meta-data correlation in Monero which can send me to jail! Surely I would be judicious about not mixing all my coins at the same time and not all in the same mixer.

Marketing and design are holistically joined at the hip. Those fools who said the marketing can come later are clueless.



One more point I considered in my holistic analysis is that for most transactions we can't be anonymous. Thus anonymity is more suited to those who want to receive some payment anonymously and hide the funds there and extract them only to public funds in small morsels or to spend in other rare anonymous transactions (e.g. buying some gold bars from someone you trust won't reveal your identity).

In that case one might think you can just use Stealth Addresses (unlinkability) and run a full node to confirm receipt of funds anonymously. No need for Cryptonote, RingCT, nor ZeroCash. But the problem is the payer can be identified and be pressured to reveal your identity.

So this is why we need Zerocash to make the untraceability impervious to meta-data correlation.

But the problem with my proposal for ephemeral Zerocash mixers is that when we take the coins out of the mixer they can now be correlated to our meta-data (e.g. IP address, etc). So it seems that hiding large funds and only taking out small portions publicly as needed will incur the risk of losing those coins in my proposal, but at least they will be provably anonymous.

Anonymity is a clusterfuck. If we can't make trusted hardware, then anonymity is unprovable. Period.

So just give up on anonymity, or get busy trying to make hardware we can trust?

(or if Zerocash has developed a provably secure way to generate a master public key, which I doubt)



DRM has nothing to do with it all. Thus I assume you don't understand the issue.

You are not giving him due credit. (AM is not a typical BTCT slouch.)  It is an allusion to "reflections on trusting trust" https://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf

I think I did correct my myopia in the subsequent reply to him. And I think the points reached sort of a stalemate. I don't dismiss his point, but if that white paper above is our concern, then none of the software we use is trustworthy. Okay I understand the point that doing something once and we all have to rely on that, is different than we all each download our software and run diverse hardware. But is it? Seems we all are running the hardware made by Intel and all the download links run through routers controlled by TPTB.

So all-in-all, I accepted his point. I think anonymity is a clusterfuck. Given the way Zerocash's forum treated me (they removed all my posts after they realized I was explaining serious flaws and challenges), I don't expect any success from them either.

I'd like to move on away from anonymity. Maybe one day in the future we could make some mixers based on Zerocash (long after their effort has faded into the dust) and maybe use it for some few esoteric uses for anonymity. But reliable anonymity on a widescale is unfortunately a delusion that even I had to finally come to grips with. Sad to say.

As for unreliable anonymity, I can do that now with Bitcoin. I just go use an unregistered wireless network connection. Eventually that will be impossible, but for now it is available in some jurisdictions.

If someone could identify a use for ring mixing that applied to businesses who don't mind if the NSA is tracking their privacy, then perhaps I could be convinced there is a market. But as I wrote before, the NSA has employees and those employees can't be trusted to not sell your privacy to your competitors. Corruption is the rule, not the exception. A mouse will always eat the cheese.

I start to comprehend now how it might be true when Martin Armstrong says we might descend into a Dark Age.

The only way I can think to fight back now is go for popularity and control in the hands of the people. Win the political war.



Is there a better alternative for anonymous transactions currently working and available?

There is nothing available for reliable anonymous transactions. For unreliable anonymity, I might as well just use Bitcoin and jump over to my local McDonalds on the unregistered WiFi connection. So yes there is a better alternative, Bitcoin. And it is more widely accepted.

I would not entrust not receiving jail time on the assumption my meta-data can't be correlated, neither with Monero nor Bitcoin. The only anonymous things I would do would be legal things I want to hide from for example the public, but not from the NSA (and the employees of the NSA). In that case, I can do this reasonably well using Bitcoin.

I can't make the sources of my transaction untraceable with Bitcoin (unless I use some unreliable mixer, CoinJoin, or CoinShuffle), i.e. if someone wanted to premine and then make it impossible to connect them to the premined coins. So maybe we can argue that Cryptonote/Monero would help people who want to create scams. But decentralized exchanges might accomplish the same (not sure about that yet, still analyzing them).

In short, I just can't see what is the large market for this unreliable anonymity in Cryptonote as compared to the unreliable anonymity in Bitcoin?

Hey I am not happy it worked out that way. As much as I don't like the boastfulness of some Monero's community (not all the devs), I still would prefer if anonymity was realistic. I am saddened. And especially pissed off to have expended so much effort on anonymity and not have realized sooner.

Actually the market for Monero might be criminals. They may have the incentive to study how to guard their meta-data and be willing to take the risk on the combinatorial unmasking (since a criminal mind seems to ignore the prospect of jail time). But they need to be mixed with regular users, otherwise their anonymity sets may not be large enough. I don't want to be in a project whose sole main use case is criminals.

Please confine yourself to that question.

Hitler claiming to support Libertarian principles (e.g. anonymity).

Have you ever heard of the concept of respecting the freedom of others? I am flabbergasted that you think you can tell me what I can write about. Do I tell you what you can write about?
sr. member
Activity: 420
Merit: 262
January 20, 2016, 01:31:33 PM

Okay so this is not http://z.cash (which is the inferior zerocoin) and apparently is the real Zerocash! Wow. I am happy to see this in open source. Real progress at last. Maybe this is the reason for the dump of Monero?

I am happy to see this because I want to use something like this and also because I do not expect them to get the details correct on mining (no one has yet!). So there will be an opportunity to integrate this open source into a better block chain.

Major opportunities right now in crypto. Pick who you want to work with and pick carefully. I am looking for a few good men.

Okay so this is not http://z.cash (which is the inferior zerocoin) and apparently is the real Zerocash!

They are the same

Quote
The Zerocash protocol is being developed into a full-fledged digital currency, Zcash.

I don't know what happened. Last time I thought I loaded that page, I was looking at two young developers one of which was Asian. I need to sort out my confusion. I am very perplexed as to what I accidentally loaded last time.




This is what I had seen before and I have no idea why the wires in my brain crossed and thought it was z.cash I had recently viewed before (perhaps I am just overloaded with so many technical issues in my mind at the moment and I just woke up). Apologies for the unnecessary noise due to my error.

Zerocoin implementation that is supposed to launch early this year:
http://moneta.cash/technology.html
https://github.com/MonetaOfficial/moneta

I think it is basically a rebranded version of Zerovert, which was a closed-source implementation released last year. One of the creators is one of Matthew Green's former students.

That is Zerocoin, not Zerocash. Zerocoin is a mixer only for sending coins to yourself and delinking, thus it is subject to all the metadata correlation breakage the same as for Monero (Cryptonote coins and ShadowCash and everything else!).

Only Zerocash hides everything and thus is immune to metadata correlation. Zerocash mints zerocoins (which are not the same as the coins in Zerocoin). Zerocoin was created by some of the same people who created Zerocash, but they are totally different technologies. Zerocash is much more powerful anonymity because all the coins and all the actions (e.g. transfer payment to another) are totally hidden in one big blob.

With that being said, it's still unproven technology, and I think there are some issues with launching the currency in a trustless manner, so for now Monero is probably most bestest.

It is not even clear if Zerocash will work in a real world implementation for scalability and DDoS reasons (and maybe other issues).

But none of that absolves the fact that Monero is fundamentally (mostly) useless for the reasons I stated upthread.



A for-profit coin company, I don't care what they make, I will never trust them.

Agreed that is the opportunity to beat them by open sourcing their code. But you will also need my block chain technology to make the big win.

moreover RingCT will move Monero closer to Zcash

Sorry no. It is still not immune to meta-data and the theoretical combinatorial analysis. Not reliable. Not realistic.

We need to move forward. It is up to you, I know my thinking and priorities on this matter.
sr. member
Activity: 420
Merit: 262
January 18, 2016, 11:34:44 AM
Not chess related but besides anonymity I think it is worth reminding people of another technical reason that makes CryptoNote coins much different than bitcoin.

CryptoNote uses the Schnorr signature algorithm instead of the Elliptic Curve Digital Signature Algorithm used by bitcoin

I think an elliptic curve discussion would be on topic if we have enough volunteers both willing and competent enough to discuss it.

https://en.wikipedia.org/wiki/Elliptic_curve_cryptography
https://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorithm
https://en.bitcoin.it/wiki/Secp256k1
https://en.wikipedia.org/wiki/Schnorr_signature
https://en.wikipedia.org/wiki/Curve25519

This site offers some interesting comparisons although some of the conclusions (such as those on Secp256k1) may be controversial:
http://safecurves.cr.yp.to/

This should make bitcoin users feel better:

I believe that the ECC/NSA thread you referenced did eventually nail down every parameter used to create secp256k1 and answers most if not all concerns.
Yes, There is a python script that produces every parameter for secp256k1 from first principles, except the generator— and both myself and D. J. Bernstein have given the proof that in-advance choice of the generator is harmless outside of restricted conditions that aren't relevant to normal Bitcoin usage.

I have been asked in a PM if I would like to comment on this. I am not an expert and have no formal training in algebraic abstract math. Everything I know about this particular field (and cryptography in general) is self-taught mostly in 2014 and 2015. And I have big gaps in my understanding which can only be resolved by teaching myself the higher math courses I didn't take at the university and I don't have time for attaining that base knowledge. Nevertheless I can comment conceptually and understand enough to have for example combined Cryptonote with Compact Confidential Transactions to form what I named Zero Knowledge Transactions. And I understand enough to have digested Shen-noether's Ring Confidential white paper over a period of a day or few days. And I was able to analyze the differences and similarities and ramifications of the high level differences in our approach. So with that in mind, I will comment on the above quoted issue.

Afaik, the main difference between the Secp256k1 type of ECC that Bitcoin uses and the Ed25519 Bernstein version of the twisted Edwards curve that Cryptonote uses, is that Ed25519 has no branching in the code and thus has no timing attacks (although one might reason that timing attacks might be less useful in crypto currency, I am not sure if that is true in all scenarios). And (perhaps more importantly) Ed25519 does not require a new random number on each subsequent signature, thus is deemed to be less vulnerable to a faulty random number generator (or injection of a virus thereof in the operating system). Also Ed25519 is moderately faster and has a prime order which is deemed to be more secure (I don't remember if Secp256k1 has a prime order or not).

http://ed25519.cr.yp.to/

So Secp256k1 is probably secure but Ed25519 is more secure.

Please feel free to quote me and claim it as an advantage for Cryptonote coins, but please acknowledge that I have also criticized Cryptonote for not solving the fundamental block chain Tragedy of the Commons economic issues and my opinion that metadata correlation makes their anonymity impractical for any (or most?) mainstream uses.
legendary
Activity: 1078
Merit: 1050
January 16, 2016, 06:24:44 PM
@TPTB_need_war who are you anyway? What have you created, let alone developed that works!?

Please take some sound advice. Lower your Bitcointalk lurking frequency, reduce your expectations on people who really don't believe you are capable of anything other than chasing your tail in circles.

Turn your screen off, go outside, get some gas and food for your family. Most importantly, go spend some time with them. This will never pay your bills, and at the rate you are going, I dare say you will be in a home before too long, unable to wipe your own backside. Because until you can at least take responsibility for your duties in life, you will never make it at this table! So why bother.
sr. member
Activity: 420
Merit: 262
January 16, 2016, 01:04:28 PM
Quote
Both are fundamentally broken.

https://bitcointalksearch.org/topic/m.13518156 (Ethereum)
https://bitcointalksearch.org/topic/m.13569087 (Block chain scaling Tragedy of the Commons applies to Monero also)
https://bitcointalksearch.org/topic/m.13569178 (Monero's anonymity is unreliable/unprovable and thus useless for fungibility or other important use cases)


"Broken" and "Success" are relative terms.  Both are broken less than bitcoin and bring attributes to the table that fiat does not.  

If you have any suggestions that are less broken ... I'm all ears.

An absolutist uses words like broken.  A realist uses terms like "best alternative".  Opening myself up to all available options those are the two answering the big questions.  Privacy, programmable blockchain and both more scalable than bitcoin.

What alternatives are less broken than these two I mentioned?

Don't you understand that "fundamentally broken" means they don't work for the features they claim that are an improvement over Bitcoin?

The link I provided to you for Ethereum explains that afaik they never solved the primary economic issue facing scaling programmable block chains, which is that every full node has to verify the block chain, thus every full node has to run the programmable script. But the problem is who to pay the gas (ether) to so that all full nodes are paid for verification? This has DDoS implications as well. In short, they never solved the core economic problem and thus Ethereum is just a fucking toy that can't actually work.

Ditto Monero as explained below (the arguments were in the links I provided to you before but again I am always forced to repeat myself because readers are so clueless about technology that they can't even understand what I write).

I think Monero is the best money to stay anonymous. It uses the ring signature. The mixing is built into the protocol.

You are a n00b and you don't do enough research to know what you are writing about. Why should anyone believe you?

Monero is not anonymous when your metadata can be correlated. One example of metadata which unmasks your anonymity is your IP address. And no, Tor and I2P mixnets do not hide your IP address from the government, in fact they are thought to be Sybil attacked honeypots that not only tell the government your IP address but also alert the NSA et al that you should come under extra scrutiny.

And IP address is not the only metadata that can destroy your anonymity in ring signatures. Other examples can include cookies in your browser and other activity you did on the web. Other examples also include telephone calls and other activity you did around that time, which have statistical significance.

I wrote about that in the link in the post I made upthread which is quoted below.

None of them will surely keep you anonymous.

Zerocash is the only design which might be very reliable, but it does not exist in any altcoin yet.

Period.

Some elaboration is at the following post (and also in the archives of my posts):

https://bitcointalksearch.org/topic/m.13569178

Ring signatures do not obscure everything. Only Zerocash can obscure everything so that then metadata is no longer a problem. I see Vitalik @ Ethereum has been reading my Bitcointalk posts, because now he has written a blog post to copy most of the points I have been making for the past months.

Additionally I have been making the point since the BCX incident that ring signatures can theoretically be unmasked by combinatorial analysis of the block chain. In the recent debate I had with Monero's cryptographer Shen-noether at Reddit about his white papers, I pointed out that his proposed solution to combinatorial unmasking was flawed. He and smooth did the usual ad hominem attack on my person, and then I rebutted them with logical facts and they were forced to finally put their tail between their legs.

Bullshit. So much bullshit in these discussions of cryptocurrency technology. Especially coming from all the Monero pumpers who haven't done their homework, because they are retarded, closed-minded, and boastfully so.

TPTB_need_war, what about ShadowCash?

Just a (arguably plagiarized) copy of Cryptonote technology, so same conclusions as for Monero.

https://z.cash/ is the only potential solution for making metadata correlation irrelevant, but all I know about it is here:

http://zerocash-project.org/

Seems the project died or stalled? Afaik they've been quiet past months or most of 2015?

Also scaling issues will probably still apply thus it is possible that Zerocash doesn't scale to world wide use, or other problems such as DDoS. I won't know until I dig deeper into it. Perhaps they discovered such issues and stopped working on it.

Anonymity is very difficult to achieve. I would guess maybe impossible once all the technical factors are considered. But I am still willing to try. I personally will come back to Zerocash's technology later, after I finish fixing block chain scaling and decentralization (which is more important priority and more realistic).
sr. member
Activity: 420
Merit: 262
January 11, 2016, 05:59:42 AM
He is making 100% offtopic accusations that are based on exactly nothing to back them up, nothing even slightly relevant.

He is also one of the most qualified people on this forum to review anonymity solutions, having written his own white paper on the subject, so even a cursory glance is valuable.

evidence: https://bitcointalksearch.org/topic/m.13211623

Let's hear why this solution is different to Dash's and then we'll take it from there.

Clarification. I didn't release the white paper. But since it is no longer of proprietary value to hide it since I am no longer going to implement Zero Knowledge Transactions, then I will endeavor to clean up the white paper and release it sometime this year. Hopefully I can find time within the next couple of months.

ZKT combines Cryptonote with Mixles' Compact Confidential Transactions. Shen-noether accomplished a similar design but combining with Blockstream's Confidential Transactions.

So these are End-to-End Principled anonymity that hide both sender and value. No simultaneity crap like Dash and this new crap from the infamous plagiarist John Conner.

The reason I am not implementing it is because it requires obscuring your IP address and all other metadata, which is impractical. Apparently Monero is implementing it (at least they are toying with implementing it) and so no need for me to duplicate their effort.

Only Zerocash can give us reliable anonymity that is immune to metadata. So for now I put anonymity on the back burner and we will come back to Zerocash if we first solve the SUSTAINABLE, DECENTRALIZED, PERMISSIONLESS block chain issue, since that is more important. No design yet can truly claim those properties.

As for resource issues, reliable anonymity will not be cheap. Thus it probably can't be for every transaction. It will probably need to be an optional set of coins. In Zerocash they name the anonymous set of coins 'zerocoins' (not to be confused with Zerocoin).

My main gripe with John Conner is he doesn't put all the technical details in a white paper, because he apparently wants to avoid peer review. Smooth doesn't have time to reverse engineer his half-assed white papers either. So we can't entirely explain the flaws without wasting a lot of our valuable time. But I can already tell you this chainblender is flawed at least in that it has a simultaneity requirement which thus violates the End-to-End Principle. Looks like there are other flaws similar to the masternode concept of mixing (which Evan of Dash has apparently finally admitted).
sr. member
Activity: 420
Merit: 262
December 17, 2015, 08:31:56 AM
I have continued this off-topic discussion about block chain consensus in a more appropriate thread. This thread has nothing to do with block chain consensus. LongAndShort, please when starting a new line of discussion, find an appropriate thread to introduce your thread jack.

Please explain the relationship between zk-snarks and trees.

If it pertains to block chain consensus, please in another thread. I have an idea what he is referring to. His SNARKy attitude will be dealt with in a humbling manner.