
Pandemonious conclusions hitherto absent from the blogosphere:

  • Hypothetically untraceability is unfixably broken in non-Z(ero)cash designs (e.g. Monero).
  • Mandatory untraceability and/or value hiding are unnecessary, thus unjustifiably too risky* (e.g. Z(ero)cash).
  • There is no foreseeable use case for an anonymity-only cryptocurrency.

* Unauditable obscurity of payer’s address1, transaction output’s address, or transferred value, plausibly enables an undisclosed cryptanalysis crack to undetectably create additional token supply. Plausibly applies even if transferred value is not hidden, e.g. Cryptonote even before Monero's value hiding RingCT; though extensive vetting of the ECDLP makes it perhaps less likely, yet as explained subsequently, Satoshi didn’t fully trust the (future) intractability of the ECDLP.

Not even as a side-chain because side-chains are irreparably insecure (specifically due to incentives incompatibility).

1 In the simplest non-multisig scripting case, an unspent transaction output (aka UTXO) designates a single payment address, which is a cryptographic hash of the public key whose private key is authorized to sign a transaction spending the output; the public key itself stays obscured until the output is spent, and only that one key matches the hash.

Anonymity vs. Privacy

Anonymity is the inability to link an identity to information, whether that information is transparent or encrypted (aka opaque); the notion does not apply to information that is inaccessible. Privacy obscures information by making it opaque or inaccessible.

Pseudonymity is the use of faux identities, but is only anonymous if the true identity can’t be linked to its pseudonyms.

Anonymity can exist without privacy, e.g. Stealth addresses delink the identity of the payee but do not obscure the value of the transaction output nor the address it pays to.

Privacy can exist without anonymity, e.g. a homomorphic system such as Z(ero)cash which obscures the payer’s address, transaction output’s address, and transferred value, can still leak the identity of the payer and/or payee via metadata or timing analysis without revealing the aforementioned private information.

Outside of cryptocurrency, we usually have a (hackable, tenuous) privacy of certain information (e.g. financial details such as a bank account balance) from the general public. Yet the information is neither opaque nor inaccessible to the centralized third parties trusted to guard it, nor to hackers and national security agencies*. Thus we rarely have anonymity outside of cryptocurrency, except perhaps when employing a disguise (i.e. a pseudonym) in a cash transaction or an inviolable trusted agent.

Civilization collapses into totalitarianism without anonymity and privacy; and they are also essential for the analogous reasons to enable functioning families and relationships.

* Which an inside source alleges are controlled by the Deep State … more details and corroboration.

Mixing Payers and Stealth Addresses

I first read the following definitions in the Cryptonote whitepaper in early 2014— the original anonymity* technology of Monero, Bytecoin, Boolberry, and some other cryptocurrencies.

Untraceability: for each incoming transaction all possible senders are equiprobable.

Unlinkability: for any two outgoing transactions it is impossible to prove they were sent to the same person.

Untraceability obscures which payer’s address1 paid; and unlinkability obscures the identity of who can sign for the transaction output’s address that receives the payment.

Untraceability is achieved by mixing potential (aka candidate, possibly but not provably already spent) transaction outputs (e.g. payer’s addresses1) such that it is intractable (at least for those who are not the payer and payee) to trace to descendant transactions. Ideally the anonymity set should be as large (i.e. include as many candidate outputs) as possible, in order to minimize the likelihood of tracing (antecedent transaction outputs to descendant transaction inputs) with Sybil attacks or timing, metadata, and/or combinatorial analysis. The algorithms, tradeoffs, and vulnerabilities of the various anonymity technologies are analyzed in the subsequent sections.

Unlinkability pays each transaction output to a unique address which isn’t the payee’s published payment address for the private key that can sign to spend each said transaction output. Thus, the payee’s incoming payments aren’t publicly (at least by those who are not the payers and payee) linked to each other nor to the payee’s published payment address. As explained in section 4.3 Unlinkable payments on page 6 of the Cryptonote whitepaper and in a Stackexchange Q&A, the payer designates the payment to the payee’s published payment address in such an (ideally cryptographic, e.g. employing a modified Diffie-Hellman exchange) protocol that a new “faux” address (i.e. functioning as an impenetrable veil for the published payment address) is created which only the payee can spend. It is intractable (at least by those who are not the payers and payee) to know which amongst all (current and future, shared only privately and publicly disclosed) published payment addresses corresponds to the private key that can sign to spend the transaction output that pays to a “faux” address. These Stealth Addresses are also an (ostensibly abandoned) Bitcoin Improvement Proposal #63 (aka BIP-63).

Unlinkability even without untraceability also achieves downstream payer’s anonymity (if not subverted by metadata correlation), because for all incoming payments to the same payee identity (i.e. the same published payment address associated with an identity), the transaction outputs are indistinguishable from different future payers.

Unlinkability is technologically uncomplicated and has less egregious tradeoffs compared to the untraceability that is provided by the various anonymity technologies.
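The derivation just described, written out as an added example (not code from the Cryptonote whitepaper or from any of the projects named here). To keep the algebra readable it uses a toy multiplicative group modulo the Mersenne prime 2^127 - 1 with generator 3 in place of Ed25519, so exponentiation plays the role of scalar multiplication and the one-time key reads P = g^{Hs(A^r, i)} * B; that group choice, SHA-256 as Hs, and all key values are assumptions of the example and are not secure parameters. The payee’s published address is the pair (A, B) = (g^a, g^b); the scan step needs only the tracking key (a, B), which is why it can be delegated to a node that cannot spend.

```python
import hashlib

# Toy group, assumed for readability only: the multiplicative group modulo the
# Mersenne prime 2**127 - 1 with generator 3. It is NOT a secure parameter
# choice; Cryptonote uses the Ed25519 curve, where these exponentiations are
# scalar multiplications.
PRIME = (1 << 127) - 1
G = 3
ORDER = PRIME - 1  # scalars (secret keys, hash outputs) are reduced mod the group order


def hash_to_scalar(shared_secret: int, output_index: int) -> int:
    """Hs(shared || index) from Cryptonote section 4.3, here SHA-256 mod ORDER."""
    data = shared_secret.to_bytes(16, "big") + output_index.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % ORDER


def public_key(secret: int) -> int:
    return pow(G, secret, PRIME)


def payer_build_output(view_pub: int, spend_pub: int, r: int, index: int):
    """Payer: from the payee's published address (A, B) and a fresh secret r,
    derive the one-time output key P = Hs(rA, i)G + B and the tx key R = rG.
    Only P and R go on chain; (A, B) never does."""
    tx_pub = public_key(r)                               # R
    shared = pow(view_pub, r, PRIME)                     # rA (Diffie-Hellman)
    h = hash_to_scalar(shared, index)
    one_time_pub = (public_key(h) * spend_pub) % PRIME   # Hs(rA)G + B
    return one_time_pub, tx_pub


def payee_scan(view_secret: int, spend_pub: int, one_time_pub: int,
               tx_pub: int, index: int) -> bool:
    """Scanner: recompute P from the tracking key (a, B) and the on-chain R.
    Needs no spend secret, so it can be delegated to a (possibly malicious)
    node that learns which outputs are yours but cannot spend them."""
    shared = pow(tx_pub, view_secret, PRIME)             # aR == rA
    h = hash_to_scalar(shared, index)
    return (public_key(h) * spend_pub) % PRIME == one_time_pub


def payee_spend_secret(view_secret: int, spend_secret: int, tx_pub: int, index: int) -> int:
    """Spender: x = Hs(aR, i) + b is the secret key for P, known only to the payee."""
    shared = pow(tx_pub, view_secret, PRIME)
    return (hash_to_scalar(shared, index) + spend_secret) % ORDER


if __name__ == "__main__":
    # Constructed example keys; real keys are random scalars.
    a, b = 0x1F2E3D4C5B6A79, 0x0A1B2C3D4E5F60         # payee's view and spend secrets
    A, B = public_key(a), public_key(b)                  # published payment address
    P1, R1 = payer_build_output(A, B, r=0x71, index=0)  # payment 1
    P2, R2 = payer_build_output(A, B, r=0x72, index=0)  # payment 2, same payee
    print("unlinkable on chain:", P1 != P2)
    print("scan finds payment 1:", payee_scan(a, B, P1, R1, 0))
    x = payee_spend_secret(a, b, R1, 0)
    print("payee holds the key for P1:", public_key(x) == P1)
```

Two payments to the same (A, B) yield unrelated P1 and P2 on chain, which is the unlinkability property; the scan function is exactly what a delegated node runs, and it only ever handles a, never b, which is the separation the tracking-key delegation relies on.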

* Cryptonote also includes a proof-of-work variant which does not pertain to analysis herein.


The claim is that untraceability is necessary to obscure the lineage of downstream UTXO, to prevent tainting by illegal or objectionable activity associated with upstream transactions. It is argued that without untraceability, innocent downstream payees could be held accountable by society and burdened with proving they are not complicit.

A counter argument is that untraceability by payer mixing taints all those UTXO in the lineage of the mixes; and otherwise that even without untraceability the lineage of normal transaction activity forks out to taint huge swaths of the UTXO. So with or without untraceability, the presumption of groupwise fungibility due to numerous tainting upstream rests on the belief that if a large proportion (or all) of the UTXO are tainted then the repercussions of tainting will be minimized. Thus it is argued untraceability is unnecessary for fungibility.

However, Monero supporters pointed out that (no mixing of payers or) mixing with CoinJoin and CoinShuffle (i.e. on “transparent blockchains” that do not offer cryptographic mixing on chain), although untraceable from payers to payees, would not prevent an objectionable UTXO from being individually tainted before it could be mixed. This generalizes to the statement that any limited tainted downstream lineage could suffer repercussions separately from the entire UTXO.

But the irony is that this individualized tainting problem applies to all anonymity technologies for mixing payers which have an explicit anonymity set (i.e. which explicitly list the candidate payers’ UTXO in each transaction), including Cryptonote derivative cryptocurrencies such as Monero and even Monero’s homomorphic RingCT upgrade. Z(ero)cash is currently the only known anonymity technology without an explicit anonymity set, thus the only one which does not have this individualized tainting problem. In Z(ero)cash, every UTXO is implicitly mixed with every (even already spent) UTXO that preceded it, because the payer’s UTXO is validated in a zero knowledge proof. But Z(ero)cash has some significant technical disadvantages and risks which will be detailed in a subsequent section.
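The fork-out and individualized-tainting claims above can be checked on a toy transaction graph. The following is an added example (not from the original post) that propagates taint forward from a single “objectionable” output through random two-input, two-output transactions under the two heuristics blockchain-forensics tools actually use: poison taint (any tainted input taints every output) and haircut taint (each output carries the tainted fraction of its input value). Everything here is constructed: the output count, the spend pattern in which every output is spent each round, and the 1% reporting threshold.

```python
import random


def apply_tx(utxos: dict, input_ids: list, n_outputs: int, next_id: int) -> int:
    """Spend the given inputs into n_outputs equal-value outputs, carrying taint
    forward under both heuristics. Returns the next unused output id."""
    total = sum(utxos[i]["value"] for i in input_ids)
    tainted_value = sum(utxos[i]["value"] * utxos[i]["haircut"] for i in input_ids)
    poison = any(utxos[i]["poison"] for i in input_ids)
    for i in input_ids:
        del utxos[i]
    for _ in range(n_outputs):
        utxos[next_id] = {
            "value": total / n_outputs,
            "poison": poison,                    # poison: any tainted input taints all outputs
            "haircut": tainted_value / total,    # haircut: tainted share of the input value
        }
        next_id += 1
    return next_id


def summarize(utxos: dict, threshold: float = 0.01) -> tuple:
    """(fraction of UTXO poison-tainted, count of UTXO with haircut taint >= threshold)."""
    n = len(utxos)
    poison_fraction = sum(1 for u in utxos.values() if u["poison"]) / n
    above_threshold = sum(1 for u in utxos.values() if u["haircut"] >= threshold)
    return poison_fraction, above_threshold


def simulate(n_outputs: int = 200, rounds: int = 15, seed: int = 7) -> list:
    """Constructed scenario: n_outputs unit-value outputs, one of them tainted.
    Every round pairs up all unspent outputs into 2-in/2-out transactions
    (a deliberately high velocity of money). Returns per-round summaries."""
    rng = random.Random(seed)
    utxos = {i: {"value": 1.0, "poison": False, "haircut": 0.0} for i in range(n_outputs)}
    utxos[0].update(poison=True, haircut=1.0)   # the single 'objectionable' output
    next_id = n_outputs
    history = []
    for _ in range(rounds):
        ids = list(utxos)
        rng.shuffle(ids)
        for j in range(0, len(ids) - 1, 2):
            next_id = apply_tx(utxos, ids[j:j + 2], 2, next_id)
        history.append(summarize(utxos))
    return history


if __name__ == "__main__":
    for r, (poison, haircut) in enumerate(simulate(), start=1):
        print(f"round {r:2d}: poison-tainted {poison:6.1%} of UTXO; "
              f"haircut >= 1%: {haircut:3d} outputs")
```

Under poison taint the tainted share of the UTXO set roughly doubles per round and approaches 100%, which is the “forks out to taint huge swaths” outcome; in the first few rounds it is a handful of outputs, which is the individualized-tainting window. Under haircut taint the number of outputs above a reporting threshold can never exceed 1/threshold (the tainted value is conserved), so which heuristic an investigator applies decides whether dilution by normal spending helps or hurts the payee.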

In a high velocity of money scenario such as microtransactions for smart contracts or in-app upsells, the individualized tainting is less likely to be a problem, because with only unlinkability and no untraceability, the tainting will probably fork out to taint large swaths of the UTXO before investigations of nefarious activity conclude. Mixing payers for untraceability, if compatible with the high velocity scenario, would presumably accelerate the growth of the lineal anonymity set, but perhaps unnecessarily so, because if tainting became a problem (even in a low velocity of money scenario) then presumably payees would spend their UTXO to themselves to split it into smaller, more numerous chunks, creating the appearance of larger swaths of UTXO lineage. Yet untraceability increases plausible deniability more than unlinkability, because the probability of spending to yourself is diluted by the count of candidate payers in the anonymity set. But the untraceability need only be employed as an optional mixer that longer-term hodlers (i.e. those not in a high velocity scenario and thus vulnerable to investigations that conclude in tainting) run their coins through to ensure fungibility. And the risks of Z(ero)cash, as further explained in a subsequent section, are significantly mitigated when Z(ero)cash is utilized only as an optional, ephemeral mixer for longer-term hodlers (ephemeral meaning coins are not held inside the mixer long-term). Yet the implication is that to avoid exchange rate delays and fluctuation risk when running coins through the optional mixer, the untraceability mixer should be denominated in the same token that the payee receives.
But since side-chains are insolubly flawed (even if not merged mined and using a different consensus algorithm), thus Z(ero)cash is probably more valuable as a consulting firm for their open source technology that can be adopted by each competing alternative cryptocurrency blockchain, than as a standalone token with no features other than an optional, ephemeral anonymity mixer for another token which becomes more used because of its more desirable features.

The fungibility selling point appears to be motivated at least partially to give justification for the existence of cryptocurrencies that add no capabilities other than anonymity and do not even have some of Bitcoin’s minimal features such as multisig contracts and scripting. Yet the untraceability of Z(ero)cash can be useless in some cases for fungibility in conjunction with for example smart contracts and other blockchain features, because of correlation of metadata on the blockchain (not IP address correlation metadata). Improving this will afaics require technological improvements to the Z(ero)cash technology in the area of zero knowledge proofs, commitments, and nullifiers.

Afair, Monero supporters perpetuated the groupthink mania about the importance of anonymity for fungibility. I suspect this was (perhaps unconsciously driven by vested confirmation bias) a Hegelian dialectic “invented strawman crisis requires a solution” tactic (aka “never waste a good crisis”) jumping on the convenient timing opportunity (contributing to the aghast demonizing overreaction) in the wake of Mike Hearn’s stillborn brainstorming about “redlisting”. Seems even Z(ero)cash’s Zooko Wilcox has also regurgitated the groupthink without analyzing and acknowledging the caveats above.

Mixing P(r)ayers

Let’s cut directly to the purulent realities.

If you are linked to transactions by metadata such as your IP address or your incidental web browsing activities and patterns (including browser fingerprints), no anonymity technology can maintain your anonymity against all adversaries.

Note that in 2016 I mistakenly thought that in Z(ero)cash, given malicious, colluding full nodes, a full node which scans for incoming payments on behalf of a payee (analogous to delegating a “tracking key” to the full node as explained on page 8 of section 4.3 Unlinkable payments of the Cryptonote whitepaper) somehow would not correlate the IP address of the payee (which requests scanning from a full node for the spendable public commitment) with the IP address used when the payee spends the public commitment, thus breaking untraceability to the new public output commitment(s) in the txₚₒᵤᵣ spend transaction. But Step #4 on page 8 of the Z(ero)cash whitepaper states that payees must scan pour transactions, thus, same as for Cryptonote cryptocurrencies such as Monero, payees which are not running a full node would have to delegate scanning for incoming payments to a potentially malicious full node.

Tangentially note that Z(ero)cash has a weakness (which Cryptonote also has) that could be rectified wherein the multiple output commitments (c.f. section Step 3: extending coins for direct anonymous payments) are correlated to each other because they are published at the same time with the single spend transaction. If the payer employed a different IP address for each publishing of data to a full node (or different full nodes ass-u-me-ing the full nodes are not colluding to share IP addresses of payers), the Z(ero)cash commitment scheme could be further improved with a hierarchy of nested commitments so that spend transactions could be split into multiple orthogonal spend transactions. However, the maximum number of downstream (when the payee spends the payment) spend transactions per output would have to be decided in advance. Note though that the weakness can be avoided more efficiently in both Z(ero)cash and Cryptonote by paying the other output(s) to self, then sending another payment for each to the intended payee(s).

I am not clear if Peter Todd already thought of this, but it should be possible to improve both Cryptonote and Z(ero)cash such that the payee provides an extra public key, so that payers can encrypt the payment output destination identifier (i.e. the one-time output address in Cryptonote and the public commitment in Z(ero)cash) and publish the data which the full node must scan for separately from the spend transaction, so that only the payee can decrypt the data which reveals which spend transaction is for the payee. This would prevent malicious, colluding full nodes from achieving the aforementioned correlation of the payee’s IP address if and only if the payer employs a different IP address when publishing the extra data than the IP address employed when publishing the spend transaction. So the improvement would avoid payee IP address correlation when either the payer or the payee employs a different IP address every time they interact with a full node. Note that merely obfuscating the IP address with a mixnet such as Tor or I2P is not sufficient, because the IP address the full node sees may not change!

Also Peter Todd proposed prefixes for Stealth Addresses, which when the payee wants to scan for incoming payments, would ask the full node to return a large quantity of potential candidate payments to the payee, thus creating an anonymity set on the correlation of IP addresses. But note due to reducing to an explicit anonymity set, given the payee also has to scan for incoming payments for Z(ero)cash, this would make Z(ero)cash also incentives incompatible with proof-of-work as explained in the subsequent section (but only in the cases where IP addresses are not obfuscated).

Some claim that absolute anonymity from national security agencies is not the most popular goal; rather that privacy from the general public is the more realistic goal. But your private data as seen by nodes on the network often has a market value to various data mining markets (when aggregated for many users). Economics should dictate that your IP address is not likely obscured from the data mining market even when using a VPN unless users are paying more to the VPN service to mix their IP addresses than that VPN (or a Sybil attacker combined with timing analysis on the low-latency of VPNs) can earn on the open market for revealing the data.

Except as a new insight of mine, that is unless we assume some are motivated to control mix-net nodes so they can provide for their own more highly valued anonymity by controlling that the anonymity set will not be revealed (although it is likely a botnet would be more cost effective although potentially more incriminating). Nevertheless, at least for powerful adversaries there are plausible attacks on low-latency mix-nets such as Tor and I2P. And the more popular low-latency mix-nets become, the more resources data mining markets can justify expending on attacks. And high-latency mix-nets are not likely to be used because of extreme, random delays and the hen-egg dilemma of small anonymity sets due to non-use.

Those who assign a very high value to their anonymity can likely successfully obscure their IP address and metadata. Heck, in the extreme, not only could they own a VPN and Tor node to route their transactions through, but could also (wearing a disguise of course 😉) access an unaccounted, public access WiFi hotspot, buy a botnet, or offer to pay a random person to allow sending transactions over that other person’s mobile phone. As @smooth once quipped, “even a pigeon” could carry your transaction to the blockchain.

However it is highly dubious whether the vast majority of the masses could benefit from untraceability, except for the arguably dubious fungibility blacklisting FUD (especially if someday a novel blockchain consensus algorithm is truly decentralized so that tainting can not plausibly blacklist spending), given that to the extent that they succeed in obscuring their metadata, then even without untraceability, the unlinkability of stealth addresses provides anonymity for those who obtained their spendable outputs (aka UTXO) as anonymous payments uncorrelated by metadata. Untraceability is most needed only for increasing anonymity (set size) and plausible deniability for fungibility of tainted UTXO or for UTXO whose ownership is known to the adversary or public. In other words, untraceability is not a feature that the masses could benefit from and thus for previously explained reasons is best offered as an optional, ephemeral mixer. This refutes the claim for the general necessity of the “three prongs of resistance” for anonymity.

Only Z(ero)cash Is Anonymous With Proof-of-Work

Let the pandemonium begin.

It was quite a shock to me when I recently realized that all anonymity technologies for untraceability (i.e. via mixing payers) which have an explicit anonymity set, including CoinJoin, CoinShuffle, and Cryptonote (even with Monero’s homomorphic RingCT upgrade), are incentives incompatible with proof-of-work, resulting in loss of anonymity due to a Sybil attack.

All currently known untraceability anonymity technologies other than Z(ero)cash are ultimately Sybil attackable (i.e. iatrogenic “cures”) when deployed on proof-of-work blockchains. Z(ero)cash is not susceptible to a Sybil attack in any case, because the anonymity set is always implicitly all of the UTXO (even those already spent), so spamming the UTXO gains the Sybil attacker no probabilistic advantage.

This is fundamental and cannot be “fixed”, because CoinJoin, CoinShuffle, and Cryptonote are only meaningful with an explicit anonymity set. Moving to an implicit anonymity set requires something like zk-SNARKs to lift the abelian group from low-level homomorphic properties, such as public key signatures and homomorphic value hiding, to proving general arithmetic circuits. Arithmetic circuits are required because cryptographic trapdoors are required for creating zero knowledge protocols, trapdoors require an abelian group, and trapdoors cannot be created directly on cryptographic hash functions given that hash functions are not an abelian group; yet cryptographic hash functions are required to create the commitments needed for implicit anonymity sets, and hash functions can be modeled as arithmetic circuits. So essentially nothing can be done to make Cryptonote not use explicit anonymity sets without turning it into Z(ero)cash.

On proof-of-stake blockchains (or any other consensus algorithm where transaction fees can be burned), the other untraceability anonymity technologies do not have this specific Sybil attack vulnerability.

This vulnerability arises because miners can hypothetically spam the UTXO set, and hence every explicit anonymity set drawn from it, at no cost by paying the transaction fees on their spam transactions to themselves, and thus mount unlimited Sybil attacks on the explicit anonymity sets of payer mixes. The non-colluding payers’ UTXO can be diluted to the point that it is intractably expensive, in transaction fees, for any user to gather enough non-colluding UTXO in a mix to overcome the de-anonymizing impact of the Sybil attack. In other words, the colluding Sybil-attacking miner(s) fill ≈99.99% of the UTXO set with outputs they created, so that when an honest user explicitly selects UTXO for an anonymity set, that set likely contains only the attacker’s UTXO besides the true input; the attacker knows which members are its own, so the remaining member must be the user’s UTXO, de-anonymizing the mix. This is not the case for Z(ero)cash, because every transaction (however small) implicitly employs the anonymity set of all historic UTXO. Note that this Sybil attack may well be effective at ratios significantly lower than ≈99.99% when combined with the other de-anonymizing analyses mentioned earlier: “timing, metadata, and/or combinatorial analysis”.
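To put a number on the dilution argument above, here is an added example (not the author’s code, nor Monero’s decoy-selection algorithm) that models an explicit anonymity set of ring size n whose decoys are drawn uniformly from a UTXO set in which a colluding miner owns a fraction f of the outputs. The attacker’s de-anonymization step is just set subtraction: strike every ring member it created itself, and if exactly one member remains, that is the real spend. Uniform decoy selection, the fixed ring size, and the sample sizes are assumptions of this example; Monero’s real selection is age-weighted and the arithmetic changes accordingly, but the shape of the result does not.

```python
import random


def prob_ring_fully_known(attacker_fraction: float, ring_size: int) -> float:
    """Closed form for the attack: with decoys drawn uniformly from a large
    UTXO set in which the attacker owns `attacker_fraction` of the outputs,
    the probability that all ring_size-1 decoys belong to the attacker, so the
    real spend is the only member the attacker did not create."""
    return attacker_fraction ** (ring_size - 1)


def expected_effective_ring(attacker_fraction: float, ring_size: int) -> float:
    """Expected number of ring members the attacker cannot strike out
    (the real spend plus the honest decoys). 1.0 means fully de-anonymized."""
    return 1 + (ring_size - 1) * (1 - attacker_fraction)


def build_ring(true_spend: int, utxo_ids: list, ring_size: int, rng: random.Random) -> list:
    """Honest wallet: pad the real input with ring_size-1 uniformly chosen
    decoys (a simplification assumed for this example) and shuffle."""
    candidates = rng.sample(utxo_ids, ring_size)  # one spare in case true_spend is drawn
    decoys = [u for u in candidates if u != true_spend][:ring_size - 1]
    ring = [true_spend] + decoys
    rng.shuffle(ring)
    return ring


def attacker_guess(ring: list, attacker_owned: set):
    """Colluding miner: remove every member it created itself. If a single
    member survives, that is the real spend; otherwise the mix still hides it."""
    unknown = [member for member in ring if member not in attacker_owned]
    return unknown[0] if len(unknown) == 1 else None


def simulate(n_honest: int, n_attacker: int, ring_size: int, n_rings: int, seed: int = 1) -> float:
    """Fraction of honest rings whose real spend the attacker identifies.
    Honest outputs get ids [0, n_honest); the attacker's self-paid spam outputs
    get the rest. All sizes are constructed, not measured from any chain."""
    rng = random.Random(seed)
    honest_ids = list(range(n_honest))
    attacker_owned = set(range(n_honest, n_honest + n_attacker))
    all_ids = honest_ids + sorted(attacker_owned)
    broken = 0
    for _ in range(n_rings):
        spend = rng.choice(honest_ids)
        ring = build_ring(spend, all_ids, ring_size, rng)
        if attacker_guess(ring, attacker_owned) == spend:
            broken += 1
    return broken / n_rings


if __name__ == "__main__":
    for f in (0.5, 0.9, 0.99, 0.9999):
        print(f"attacker owns {f:.2%}: P(ring fully known) = {prob_ring_fully_known(f, 11):.4f}, "
              f"effective ring = {expected_effective_ring(f, 11):.2f}")
    print("simulated, 99.99% spam:", simulate(10, 99_990, 11, 500))
    print("simulated, 50% spam:   ", simulate(50_000, 50_000, 11, 500))
```

With ring size 11 the attacker needs to own roughly 99.99% of the output set to break nearly every ring outright, but at 90% ownership the expected effective ring is already 2, i.e. one honest decoy on average, which is where the timing, metadata and combinatorial analyses mentioned above finish the job. Nothing in the attacker’s step depends on breaking any cryptography; it is bookkeeping over outputs the attacker already knows it created.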

When I originally brought up this attack to @smooth on BCT in February, he had retorted that such spam transactions would displace bona fide fee-paying transactions in a constrained block size scenario; and that miners who forsake the opportunity cost of the additional revenue would be less profitable, thus diminishing their proportion of the hashrate over time. At that time, I retorted that meant block size must be so constrained that it could not handle transient load spikes in transaction volume. Today @smooth elaborated on his perspective in a private communication:

“By design Monero can not and does not respond instantly to usage spikes. There will be a temporary backlog that users will have to negotiate via fee bidding. The back pressure on block size ensures that fake (miner stuffed) transactions are always bidding against real (paying customer) transactions at any point in time, therefore any attempt to sybil attack the output set has a quantifiable cost.”

That retort from @smooth will not prevent the Sybil attack when transaction volume is not constrained by block size for cryptocurrencies other than Monero (because Monero has a self-adjusting block size algorithm which always constrains block size to a recent moving average of transaction volume but it fails if miners have 51% control). Recently I realized the Sybil attack is also plausible for a stronger more fundamental reason, because proof-of-work trends towards a (likely surreptitious and undetectable) ≈100% winner-take-all oligarchy of mining hashrate which (even with only 51%) can censor from the longest-difficulty-chain all blocks of those who refuse to collude, thus dictating a fee market which can extract all the fee revenue the market can bear. The gracious (noting he is too busy and rushed) rebuttal from @smooth today was:

“Once we discard that claim we are left simply with your claim that PoW monopolizes. Possibly true but basically unprovable … Once censorship-resistance is lost, then any form of anonymity is pointless anyway, because miners can demand that users identify themselves (or be censored).”

Your last sentence is a somewhat incorrect or at least overreaching claim. Censoring transactions is a somewhat separate concern from whether anonymity was lost and is pointless. Z(ero)cash does not lose its anonymity set even if proof-of-work is 100% centralized, nor in the case that the “moon math” cryptography is cracked (however if cryptographic hash functions are cracked Z(ero)cash would lose its anonymity, but if hash functions fail then all cryptocurrency and blockchains are F.U.B.A.R.). What you mean is the miners can censor transactions which do not voluntarily de-anonymize themselves, but that does not destroy the historic anonymity, nor is it necessary for the mining oligarchy adversary to do that (at least if not Z(ero)cash) given they can instead “likely surreptitiously and undetectably” continue running a de-anonymizing honeypot for fools instead of burning the entire thing to the ground rendering it useless to them (and destroying their sunk costs if the proof-of-work is on non-repurposeable ASICs). Please think more realistically about this in the context of data mining markets as I had mentioned. I warned the Monero flocks more than a year ago that Z(ero)cash was far superior to rings mixing and that is why I had abandoned my Zero Knowledge Transactions (my summer 2015 attempt at a more efficient variant of what Monero’s RingCT upgrade achieves). An adversary silently de-anonymizing the minions does not disturb the profit applecart of mining and speculation, as evident from Dash’s ongoing existence in spite of the fact that no one who is not clueless about anonymity technology uses Dash for anonymity.

It is very important to note that the cryptographic anonymity algorithm (not to be conflated with validation of spends and total coin supply) of Z(ero)cash cannot be cracked unless hash functions can be cracked; whereas, Cryptonote’s anonymity will be cracked if elliptic curve cryptography is. Satoshi was so much more confident about the security of hash functions versus ECC w.r.t. cryptanalysis and future quantum computing, that he did a genius level design for Bitcoin emphasizing reliance on hash functions for security. Note for those who need a layman’s primer on ECC, I suggest chapter 7 The Cryptography Behind Bitcoin in the book Bitcoin for the Befuddled which can be previewed for free on Google Books.

On the centralization of proof-of-work, my stance after extensive study (and writing a yet unpublished 60 page white paper about it with 250+ cited references) is that it is absolutely provable that proof-of-work, due to economics and game theory, is an insoluble winner-take-all power vacuum that MUST centralize over time. I condense that “proof” below in the interests of concision. Bitcoin is proving correct the predictions of my analysis of the issue. The FBI has already written that Monero specifically (and we assume other anonymity cryptocurrencies) is on its radar of concern, so there are powerful adversaries that have an incentive to de-anonymize and control mining, especially if mining is the most profitable anyway for those with the most economies-of-scale. Note for example that Bitmain does not have to mine with all the ASICs it manufactures in order to extract the majority of all the profit that is produced by mining with the said ASICs. The economics and game theory trend to 51% control over mining is the norm, not a roll of the dice. A counter thought might be that if there are two or more competing factions in the mining, they would not get 51% agreement to Sybil attack spam the transaction volume, but in cooperative game theory, all factions are incentivized to cooperate on that which does not destroy the profit applecart if they all profit more by cooperating. So if one faction demands silently Sybil attacking (which looks good for the ecosystem, since transactions appear to be increasing, causing the market cap to rise), then all factions agree because together they are more profitable by being able to extract the maximum fees that the market will bear instead of a competitive fee market (and numerous other ways to profit surreptitiously with 51% collusion without upsetting the applecart). The factions may even pretend in public to be enemies to keep the public from sniffing out the collusion.

When it comes to ASICs, there are only two 14/16nm ASIC fabs in the world. As you well know as the lead @Aeon developer, economies-of-scale are in play in many facets of proof-of-work (not just ASICs) which apply also to Monero (some of which are mentioned below). Also as @tromp and I discussed in the past, it seems highly inconceivable that any design for a proof-of-work function could keep CPUs/GPUs within better than roughly two orders-of-magnitude of the efficiency of an ASIC. So if the market caps grow enough, CryptoNight (Monero) and Equihash (Zcash) could be implemented on an ASIC, but I speculate that the TPTB (who control the fabs) will not do it, for one reason because I presume they would logically prefer the honeypot (where fools think they are anonymous) to obscure that they are Sybil attacking it with their economies-of-scale oligarchy on mining (and also for the opportunity cost reason: given those fabs are oversubscribed, I presume economics would dictate dedicating resources to the proof-of-work functions that return the most efficiency advantages and profit/control opportunity).

What is the point of using an inferior anonymity technology that is less trustable than the competition? In my mind, this is the end of explicit rings mixing for those who are serious about the anonymity. Fuhgeddaboudit. Stick a fork in it, it’s done.

META: This is not speculation about what speculation markets will do (and I have no speculative nor investment holdings in anonymity cryptocurrencies at this time). Any impact of this epistle is likely to be over the longer-term, not immediate, as users of anonymity, investors, and implementers absorb and adjust to the excessively detailed information herein. Anyone day trading based on blogging commentary is likely to drive themselves nuts. This is written to be informational, not a speculators’ gambit. Cryptocurrencies are mostly about speculation about speculation rather than speculation about market adoption by non-speculators, but although markets can be irrational or short-term focused, ultimately decentralization trumps centralized pumps (as evident by Android taking 80+% market share from iPhone) because growth based only on speculation alone is a greater-fool Tulip bubble. Growth based on genuine benefits for most people has wider scope and does not stop growing until it is replaced by something genuinely better, e.g. the Internet is not going away any time soon, yet I’m reasonably convinced that Cryptonote and Dash will not be around in 10 years. Many speculators will remain focused on short-term ROI and prefer high volatility. Some long-term investors such as Warren Buffett prefer the long-term income generating businesses for consistent compounding because eventually every speculator loses everything.
Yet even though he enjoins the opinion of majority of the youth demanding social justice and willing to bankrupt themselves to get an omniscient, top-down control over the goal of non-existent perfection by aiding and abetting corruption via taxing the carbon that creates food and life, Warren is incorrect to claim the solution to the damage caused by socialism such as the socialistic educational system (and the winner-take-all corruption of governance it entails which ends in totalitarianism and self-imposed civil chaos) is to double-down on more socialism. The West simply must dis—integrate, there is no other market based solution because the damage can not be undone any other way. So those who are only focused on speculation and not on real solutions, will eventually of course lose everything. Those who focus on correct fundamentals may find a way through the coming mess. Everyone who thinks I am Chicken Little, may want to remember Warren’s vindication when they said that about him before the bubble burst, yet he laments missing out on Google and Amazon so my point remains those investors who focus on fundamental value in our sector will ultimately prevail. For example, most speculators would not even know if a Cryptonote cryptocurrency was under a 51% attack in the form of a Sybil attack. They would cheer the rise in transaction volume. Even Bitcoin is being 51% attacked now, but most speculators do not contemplate surreptitious effects because they are only focused on overt impacts such as a hard fork. Yet all those myopic who are not diversified with a mix of speculation and value investing end up losing everything when TSHTF as the surreptitious effect blows up or is doxxed, because they did not pay attention to the fundamental issues. A cryptocurrency could possibly have both long-term fundamental value and near-term speculative opportunity, and afaics that has been sales pitch narrative for example for Ethereum being the future ‘‘world computer”. 
Expert investors are able to distinguish fundamental value from BS.

I (as @the_end_is_near, @iamnotback, or various other usernames) have proven in extensive discussions at BitcoinTalk (aka BCT) about the Bitcoin Scalepocalypse that no possible formulation of proof-of-work can have a fee market in the absence of both a protocol-constrained block size and a 51% colluding hashrate oligarchy of miners to constrain it. Also, because transaction fees are incentive-incompatible with proof-of-work without a perpetual minted block reward, even with a protocol-constrained block size a 51% oligarchy of colluding miners must form in the absence of an inflationary perpetual minted block reward. And the cooperative game theory of proof-of-work is designed to create conflicting vested interests which, due to a crab-bucket Schelling point, prevent political consensus for periodic protocol block size increases*; thus proof-of-work cannot scale without an unlimited protocol block size and a 51% oligarchy of miners to constrain it (and, tangential to the point here, Bitcoin will never scale transaction volume, but it will scale economically as the reserve cryptocurrency, with whales in control of the ultimately winner-take-all power vacuum). The absence of a fee market would destroy scaling with transaction spam. Additionally, the absence of a fee market without perpetual minting of new tokens for block rewards would be a tragedy of the commons in that transaction fees, and thus security against double-spends, would both trend towards 0. Even a perpetual tail reward such as Monero’s cannot remove the opportunity cost (i.e. power vacuum) of not forming a mining oligarchy to extract more revenue with a fee market (as well as the incentive to enable the undetectable hypothetical Sybil attack on the anonymity sets posited by this section).
And thus Bitcoin’s insoluble-by-design protocol-constrained block size and Monero’s automatic block size scaling algorithm are impotent against the formation and control of a 51% oligarchy of miners, due both to this opportunity cost (power vacuum) and to the fact that proof-of-work naturally centralizes because of economies of scale in (finance and) mining that accrue disproportionately more profit to those with greater hashrate, for example less hashrate wasted on mining old blocks due to propagation delays. The full details were discussed between @dinofelis, (the now banned) @iamnotback (aka myself), and others at BCT. The likely surreptitious leap from 51% to ~100% is accelerated by the control attained with 51%, which starves the minority hashrate of income.

The issue is potentially further exacerbated for Monero (and probably all Cryptonote-based cryptocurrencies) because of the hypothetical combinatorial-analysis unmasking attack due to saturation of overlapping rings, which I had communicated to @smooth in 2014 during the @BitcoinEXpress threat to attack Monero, and reiterated to him and their cryptographer Shen Noether (aka @NobleSir) on Reddit during our RingCT discussions in 2015. They had mentioned this attack briefly in one of their subsequent Monero Research Lab reports, but until recently I couldn’t entirely understand (although I did envision issues, especially with denominations before the addition of homomorphic value hiding with the RingCT upgrade) why they did not eliminate the possibility of overlapping rings by enforcing deterministic payer-mixing anonymity sets, which would also have facilitated pruning entirely spent sets from the UTXO set. Now I realize they could not diminish the superset grab bag for selecting the anonymity set of payers (as admitted by Shen Noether in his point “[5]…although the zcash proponents note that a ring signature is a ‘smaller’ anonymity set…”) because of the Sybil attack problem; thus the two attacks compound each other in a contagion.
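To make the saturation problem concrete, here is an added toy analysis (my own example, not code from the page, from Monero, or from any Cryptonote implementation) that applies the elimination logic the Monero Research Lab describes for chain reactions to a constructed ledger. Output ids such as "o1" are made up. Each ring is the set of candidate outputs one transaction input could be spending; the ledger only guarantees that every ring spends exactly one candidate and that no output is spent twice (key images). When rings overlap heavily, those two facts alone let an observer strike candidates until most rings are unmasked; when the rings are disjoint, as the deterministic non-overlapping sets advocated above would make them, no candidate can be struck at all. The `max_group` parameter and the ValueError on an inconsistent ledger are my additions.

```python
"""Toy elimination over overlapping vs. disjoint ring-signature anonymity sets.

Added example with constructed data; not code from the page or from any
Cryptonote/Monero code base. Output ids are made up.
Facts the ledger enforces, and which drive every deduction below:
  (a) each ring spends exactly one of its listed candidates, and
  (b) no output is spent twice.
"""
from itertools import combinations
from typing import FrozenSet, List, Set, Tuple


def resolve(rings: List[FrozenSet[str]], max_group: int = 3) -> Tuple[Set[str], List[Set[str]]]:
    """Apply the closed-set rule until nothing changes.

    If k rings together have exactly k distinct remaining candidates, then by
    (a) and (b) that group spends all k of them, so they can be struck from
    every ring outside the group. k = 1 is the familiar "only one candidate
    left, so it is the real spend" case. Groups are searched up to size
    max_group, which is exponential in k: fine for a toy ledger, not a chain.

    Returns (outputs proven spent, remaining candidates per ring).
    """
    cands: List[Set[str]] = [set(r) for r in rings]
    spent: Set[str] = set()
    changed = True
    while changed:
        changed = False
        for k in range(1, min(max_group, len(cands)) + 1):
            for group in combinations(range(len(cands)), k):
                union: Set[str] = set().union(*(cands[i] for i in group))
                if len(union) < k:
                    # k rings cannot spend fewer than k distinct outputs.
                    raise ValueError(f"inconsistent ledger: rings {group} share only {sorted(union)}")
                if len(union) != k:
                    continue
                spent |= union
                for j in range(len(cands)):
                    if j in group or not (cands[j] & union):
                        continue
                    cands[j] -= union
                    changed = True
                    if not cands[j]:
                        raise ValueError(f"inconsistent ledger: ring {j} has no candidate left")
    return spent, cands


def effective_anonymity(rings: List[FrozenSet[str]]) -> List[int]:
    """Number of candidates left per ring after elimination (lower is worse)."""
    return [len(c) for c in resolve(rings)[1]]


# Constructed ledger where decoy selection let rings overlap heavily.
OVERLAPPING_RINGS: List[FrozenSet[str]] = [
    frozenset({"o1"}),                   # a ring of size 1 hides nothing
    frozenset({"o1", "o2"}),
    frozenset({"o2", "o3", "o4"}),
    frozenset({"o3", "o4", "o5"}),
    frozenset({"o1", "o2", "o3", "o4"}),
]

# Constructed ledger with disjoint (deterministic, non-overlapping) rings:
# no ring shares a candidate with any other, so nothing can be struck.
DISJOINT_RINGS: List[FrozenSet[str]] = [
    frozenset({"o1", "o2", "o3"}),
    frozenset({"o4", "o5", "o6"}),
    frozenset({"o7", "o8", "o9"}),
]

if __name__ == "__main__":
    for name, ledger in (("overlapping", OVERLAPPING_RINGS), ("disjoint", DISJOINT_RINGS)):
        spent, remaining = resolve(ledger)
        print(name, "spent:", sorted(spent), "remaining per ring:", [sorted(c) for c in remaining])
```

On the overlapping ledger every one of the five outputs is proven spent even though the third and fifth rings still cannot be told apart from each other; on the disjoint ledger the effective anonymity set of every ring stays at its full size. The point for a defender is that the anonymity a ring buys is a property of the whole ledger's ring graph, not of the ring size alone, which is why decoy selection rules and minimum ring sizes matter as much as the signature scheme.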

* The whales have every incentive to not defect to any individual whale group’s tragedy-of-the-commons attempt to take control over the commons. Thus whales (and even dolphins) should follow the literally million (sic) “buttcoins” leader MPeX in selling the hardfork. Afaics, the Bitmain conglomerate controls Litecoin as a plan B partially as an altcoin hedge in case MPeX is correct.

Dash (formerly DarkCoin aka DRK), CoinJoin, and CoinShuffle

Besides the telling fact that I found a high-school-level probability error in Dash’s security, others such as @smooth have explained in great detail the egregious flaws in Dash’s iatrogenic masternode “cure” for CoinJoin’s insoluble jamming problem, which apparently I had been the first to point out in 2014 to Gregory Maxwell (the Bitcoin/Blockstream Core developer who invented CoinJoin).

CoinShuffle improves on CoinJoin by providing a protocol for weeding out those participants who are jamming a single instance of the protocol (so that the insolubly flawed blacklisting required by CoinJoin isn’t necessary) and adds obfuscation of participants’ IP addresses, inherent in the onion-routing-like protocol for mixing the payers. However, CoinShuffle retains the simultaneity-requirement weakness of CoinJoin, and it is a very slow protocol that is not suitable for transactions that cannot tolerate up to roughly a minute of additional delay.


I wrote in a prior section:

It is very important to note that the cryptographic anonymity algorithm (not to be conflated with validation of spends and total coin supply) of Z(ero)cash cannot be cracked unless cryptographic hash functions can be cracked; whereas Cryptonote’s anonymity will be cracked if elliptic curve cryptography is. Satoshi was so much more confident about the security of hash functions versus ECC w.r.t. cryptanalysis and future quantum computing that he made a genius-level design choice for Bitcoin, emphasizing reliance on hash functions for security. Note for those who need a layman’s primer on ECC: I suggest chapter 7, “The Cryptography Behind Bitcoin”, in the book Bitcoin for the Befuddled, which can be previewed for free on Google Books.

Z(ero)cash does not lose its anonymity set even if … the “moon math” cryptography is cracked (however if cryptographic hash functions are cracked Z(ero)cash would lose its anonymity but if hash functions fail then all cryptocurrency and blockchains are F.U.B.A.R.).

Satoshi designed Bitcoin with an emphasis on protecting against the theft of coins due to future unknown cryptanalysis and in anticipation of quantum computing. He obviously thought cryptographic hash functions were much less likely to be cracked than number-theoretic security such as the intractability of “factoring” the elliptic curve discrete logarithm problem (aka ECDLP). TODO: but he was likely aware of the AsciiBoost vulnerability w.r.t. hash functions for hash-linked blockchains, as he designed it in.

Z(ero)cash employs cryptographic hash functions for commitments and …

  1. Satoshi allowed for AsciiBoost and quantum attack (Iota) on PoW.
  2. Grover's algorithm and Bernstein’s Post-Quantum Cryptography assessment

Explain how I analyzed that Satoshi designed Bitcoin to be super resistant to future cryptanalysis but Z(ero)cash has poor such design and thus is a liability on the system due to potential to create unlimited tokens if not employed only as an optional mixer which never allows more backing tokens to be withdrawn than were minted into mixer … which again basically kills the potential of Z(ero)cash as a standalone anonymity-only token …


For comic relief, remember that after I invented Zero Knowledge Transactions, I created the absolutely anonymous concept.

The web pages linked in this document have been archived to the Internet archive.


@ValentinJesse ValentinJesse commented Aug 11, 2017

You have 2 instances of "AsciiBoost" that need to be replaced with "AsicBoost". Otherwise an enjoyable read.
