Switch Bitcoin and Monero #256
Comments
If any coin deserves to be first, it's either Bitcoin (usability) or Zcash (technical superiority). I have been fascinated by ring signatures and RingCT (albeit for the wrong reasons, the small anonymity subset per transaction makes for interesting attacks) and I'll honestly admit: it's theoretically inferior to the anonymity provided by zk-SNARKs. I'm by no means saying RingCT is bad or doesn't work, but on an individual basis, a transaction by Monero is less anonymous than a Zcash transaction. We already had a lengthy discussion about this in 207. I know we'll see a small flood of people supporting Monero making baseless claims, but the opinion of the biased masses doesn't automagically make it the truth.
Zcash is not private by default. It is this way for solid technical reasons - constructing a shielded txn takes several GB of RAM and multiple minutes of CPU time. Quit pushing for the "theoretically superior" solution when it's known not to actually work in the real world. The fact is that 100% of Monero transactions are more private than 90% of Zcash transactions, because 90% of Zcash users don't use the privacy feature. Some of these take the default out of ignorance, some take it because they have no choice - e.g. busy crypto exchanges. Whatever the reason doesn't change the fact.
Monero first. Zcrash is shit.
@BitOfWisdon Your "link"s are not linked ;)
Monero should be listed first. It is private by default. The other coins are not private by default. Monero transactions are almost instantaneously constructed, vs. an impractical amount of time required to construct a private Zcash transaction. Zcash's CEO has stated that their private transactions can be made too traceable. Peter Todd, a BTC developer and cryptographer who participated in the Zcash Trusted Setup, has called it a back door. Gregory Maxwell, another BTC developer and cryptographer, has said that Zcash is not unconditionally sound and that its Trusted Setup is a vulnerability. Bitcoin is not anonymous. Mixers only make it more difficult to trace BTC transactions, and that degree of difficulty is getting easier as technology progresses. This is to be expected of a public, non-private blockchain.
I'm not qualified to comment about privacy in regard to Monero vs Zcash; however, as a currency, Zcash has an additional cause for concern that Monero and Bitcoin don't. Zcash required a trusted setup while Monero and Bitcoin did not. If Zcash was compromised in the process, there is a potential that someone could create an infinite amount of Zcash. Whether or not users' privacy was compromised is less significant, as Zcash ceases being a currency and looks more like Monopoly money. While Privacytools is focused on privacy, I think it's fair to weigh the potential that users lose substantial amounts of money in this equation. Bitcoin and Monero are truly decentralized while Zcash is not.
Monero processed 3500 confidential transactions in the last 24hrs, Zcash did 631. Sources: http://moneroblocks.info/stats/transaction-stats and https://explorer.zcha.in/statistics/usage The fact alone that Monero is used 5.5x as much as Zcash for privacy critical transactions should give it priority. Monero can be converted directly for fiat more widely at exchanges. The cryptographic techniques behind Zcash are also newer and have been subjected to far less scrutiny than Monero's elliptic curve discrete logarithm primitives that have been proven secure over several decades.
To expound upon the point of Peter Todd's involvement in the Zcash 'trusted setup' ceremony: that he took it so seriously (read up on all the measures he took to mitigate leaking of his portion of the setup process) should underscore the fact that Zcash's privacy as a whole is wholly compromisable. If the trusted setup process were sound, he would not have had to go to such great lengths as he did in order to secure his portion of the setup. Because it requires any trust whatsoever, the entire process is suspect. If we are to operate upon Occam's Razor alone, we must conclude the simpler option of either A) all participants used perfect operational and informational security and in concert with one another acted in good faith to erase all remnants of the trusted setup parameters and its output, or B) at least one participant either made a mistake or was a bad actor.
It would be great to hear arguments from Zcash proponents why they feel Zcash is technically superior.
Zcash's reddit is a ghost town. Posted this three hours ago and all I got was a comment from a Monero fan on why Zcash would be considered more private than Monero.
As you can see by my username I am a Zcash proponent, but not an expert. I just saw this posted on Reddit and honestly have never heard of the site your issue is about until today. I just wanted to point out that the concerns about Zcash regarding the trusted setup should be confined to possible arguments about unbounded inflation, but not compromises in privacy. This is due to the fact that if the trusted setup were somehow compromised the attacker would theoretically be able to forge coins but the privacy of all Zcash users' transactions would still remain intact. https://z.cash/blog/the-design-of-the-ceremony.html I will say that both Zcash's and Monero's approaches to privacy have benefits and drawbacks so neither is perfect, but I do feel that the greater anonymity set provided by Zcash's method is a better approach overall. Also I think the fact that Zcash has chosen to make private transactions optional (for now, which will likely change in the future), which has resulted in the majority of the transactions on the chain being transparent, is more indicative of the lack of real-world use cases for all anonymous currencies (including Monero), which has resulted in most of the daily transactions being conducted by day-traders on exchanges, mining pool payouts and individual miners. Lastly, I would suggest that whoever is deciding on this particular issue should decide what the specific privacy metrics are before making a decision on which is "better". Is it the actual technical side of the coin? Or is it the politics surrounding the coin that matter most? Thank you- Gibson
Defaults don't matter. ZCash is more secure. People that can't choose "Private Address" when doing private transactions shouldn't be using cryptocurrency in the first place
@DiMiTri101 Don't include the original message when replying via e-mail.
Could you back that statement?
Yea sorry this site sucks
…On Jul 11, 2017 12:59 PM, "Samuel Shifterovich" ***@***.***> wrote:
@DiMiTri101 <https://github.com/dimitri101> Don't include the original
message when replying via e-mail. It's ugly, but more importantly *an
adversary could mute this thread for you, since you included the
unsubscribe link.*
Considering ZEC wallets have been frozen on at least 2 of the top exchanges due to rumors, I think that offering statistics on how many private transactions have been completed in the last 72 hours+ is a completely useless statistic. I wonder how many of the posters here are involved in these rumors. This is just unregulated FUD at its very best.
@WalterMagnum Since no exchange supports z-addresses I think the fact that ZEC exchange wallets have been frozen is irrelevant to the question of how many private transactions have been completed. But it still highlights the fact that the raw usability of ZEC private transactions is still vastly inferior to the majority of cryptocoins, private or otherwise.
@DiMiTri101 Zcash is not meant for speed. It is meant for privacy. A simple google search will tell you this. That is some well crafted FUD though. Well done. Someone who has no clue what they are looking at will read your post and take it to heart.
@DiMiTri101 No one has given any reasons why Monero is superior in privacy to Zcash other than the fact that you must indicate whether you want your ZCash transaction to be transparent or private. This doesn't even seem like a drawback. All I see here is FUD and misinformation. Monero holders preying on the uneducated/misinformed.
@DiMiTri101 Personal attacks will not prove your point to anyone who is rational. You simply discredit yourself.
@DiMiTri101 Here is an explanation of ZEC SNARKS. https://z.cash/blog/snark-explain.html It isn't very hard to follow. It is mostly high school or undergrad level mathematics.
@DiMiTri101 Are you even reading their site? You are using "toxic waste" and counterfeiting so out of context. Here is a page explaining it quite simply. https://z.cash/blog/the-design-of-the-ceremony.html
Also, here is the Zcash github. Development is not closed source and is not private. https://github.com/zcash/zcash
@DiMiTri101 Yes, that is more copy/paste out of context. Please read that page. It is clear that you just used Ctrl + F, and copy/pasted the first line you came across that fit your purposes. I really hope folks are willing to actually read this stuff and not form their opinions on 1 line of text.
@DiMiTri101 So you would prefer them to lie to you? All cryptos have their pros and cons. There is no perfect currency. I am done being trolled.
To try and bring some substance back into this conversation, I will stick to the facts: Yes, Zcash could THEORETICALLY hide the sender in a transaction better than Monero can. However, this isn't the only part of the story. Monero's transactions are:
One important factor in privacy is implementation, and I believe that Monero's privacy features are implemented better.
@SamsungGalaxyPlayer If you are looking to make private transactions, why would you use an exchange? Wouldn't using an exchange defeat the purpose entirely? You would be relying on the exchange you use to protect your privacy as well as the crypto you are exchanging. The most upvoted post here promoting Monero is made by @hyc who has his own Monero github forks. Check his repos.
@WalterMagnum even if you never use an exchange, any transaction that includes a t-address on any side sacrifices privacy. Since no merchant, wallet, or anything else supports z-addresses, it largely limits private use to a store of value in the official wallet. The second you spend it, you are no longer private. With Monero, you can use your Monero without losing your privacy.
I'm aware of a potential conflict of interests as @kewde works for ShadowCash (now Particl). I'm not sure about a conflict of interests regarding Zcash.
There seems to be some confusion about what an "anonymity set" is. It's not the number of places your coins could have gone, but the number of places your coins could have come from. The anonymity set of a transaction is fixed for all eternity. Nothing can retroactively change the possible origins of your coins. The claim that Monero's anonymity sets are "multiplicative" is brought up repeatedly in this Github issue. As an example: @hyc says:
This is incorrect. Zcash's shielded transactions "spend from" the set of every previous shielded output ever made. This set is fixed when the transaction is created. Monero's transactions "spend from" a small set of previous outputs. This set is also fixed when the transaction is created. It doesn't matter that future Monero transactions "could have spent" from those same inputs, and even if it did matter, the same thing happens in Zcash, because all of our future transactions also spend from all previous transactions. Monero's anonymity sets being small is a serious threat to user privacy. Imagine sending an adversary two payments with Monero. The two payments are likely to be close in the transaction graph, especially if you need change from the first payment. Even if the coins are somewhat distant in the transaction graph, the adversary will be able to associate the transactions together with high probability. This is just part of an entire category of statistical attacks Monero users are susceptible to. Zcash's shielded transactions have much larger anonymity sets despite not being as popular as transparent transactions, and so they can fundamentally resist transaction graph analysis. Hopefully someday we'll have "mandatory privacy" as well, but Monero needs it a lot more than we do.
@ebfull when talking about the "anonymity set," it is important to note that Monero uses a multilayered approach to privacy. Ring Signatures, RingCT (which is currently used in 99%+ of all new transactions), Stealth Addresses, and soon Kovri all play an important role in anonymizing transactions and should be considered as a whole when assessing the overall level of privacy. Even if a particular output can be guessed by an adversary to be the "real" output used in a transaction, this is not enough information to definitively state that "Alice sent x amount to Bob in this particular transaction" given the other features of Monero that hide the transaction amounts and the recipient's public address from the blockchain. Moreover, there is an issue of what standard of proof should be met. From a legal perspective, generally, in criminal cases, the standard is "beyond a reasonable doubt" and in civil cases, "more likely than not." With 2 to 4 mixins, there is a probability of between 41% and 23%; if this is the only information an adversary is able to deduce, it is not enough proof to establish guilt or liability for a given transaction. Users would have plausible deniability.
@kewde your position is that "Monero is less anonymous than a Zcash transaction" because of the "small anonymity subset" per transaction; how do you respond to the two counterpoints above that undermine that assertion?
@alvinjoelsantos says:
The transaction graph analysis attacks that I mentioned in my previous comment work even if the transaction contents are completely opaque. Value and recipient privacy cannot increase the anonymity set. Further, Zcash has all of those privacy guarantees as well.
@ebfull I didn't claim the lack of value and recipient privacy increases the anonymity set, I am asserting that guessing the correct output is a fact of little consequence when this is the only information that can be deduced. Transaction graph analysis can help an adversary guess the "real" output of a transaction, but this information alone is insufficient to deanonymize users and guessing the correct output holds no evidential value in a court of law.
This isn't true. From the perspective of a recipient trying to find out where the coins they received came from, being able to statistically link transactions together is of enormous consequence. There are plenty of situations where there is more context available to your adversary, and your adversary only needs to analyze a limited set of possibilities. My theory is that you're thinking about anonymity with only half the picture. In order to be anonymous, you need:
I think you brought up value privacy and stealth addresses and said "guess the "real" output of a transaction" because you're thinking about (2), whereas I'm thinking about (1). (2) is relatively easy to solve, and both of our systems accomplish it. (I think Zcash does so more thoroughly, but let's ignore that for the sake of conversation.) It is (1) where Monero is deficient. Ring signatures inherently cannot scale to large anonymity set sizes, and so if your adversary is the recipient of some funds, the transaction graph is a treasure-trove of information that allows them to partition the anonymity set especially given additional context. Again, in this situation it is hardly relevant that there is value or recipient privacy: those things only reduce the number of ways the anonymity set can be further partitioned. It is bad enough that just a couple payments can statistically eliminate every other participant of your anonymity set. It is even worse when you start to imagine things like adversarially controlled mixins, or when your adversary is both your sender and recipient. We cannot artificially limit the perspective of anonymity in a privacy-preserving system. We have to imagine every possible adversary.
For argument's sake, let's assume that in situation (1) the recipient is able to guess correctly that an output in a transaction is the real one in a ring signature. For an example, in this transaction, Now, you point out that there could be "more context available" to the adversary (e.g. other information besides knowing the real output) Then the argument shifts and it has to do more with maintaining proper OPSEC to prevent leakage of other information than outputs itself deanonymizing users.
@alvinjoelsantos
You're raising a good point, it is true what you are saying, I doubt any democratic court on this planet can convict someone on the basis of a statistical correlation, something I think we can be very happy about. However the adversary has narrowed down his set of suspects, and there will most likely be more evidence to prove his guilt. A transaction, in itself, is almost never illegal. The adversary can be anyone, they aren't specifically governments either. The juridical process doesn't apply for a lunatic with a shotgun.
Also true, but the person that sent you the money knows with 100% certainty that that specific output is linked to a stealth address, and in the case of an exchange, they often know the exact identity of the person. As ebfull has suggested, there are real case scenarios of potential "adversarially controlled mixins" - exchanges for example control a relatively large portion of outputs to pick from as mixins. Let's assume that exchanges control X% of transaction outputs. The average transaction has two mixins, causing the following probabilities to emerge: Zcash gets a lot of "crap" because a lot of services prefer using t-addresses, but it's also a benefit, the centralized exchanges for example aren't creating toxic waste in the anonymity set.
I'm not saying RingCT is horrible or bad, it does its job in most scenarios quite nicely - I'm saying that Zcash (in terms of privacy) is basically Monero but with a much larger anonymity set per transaction. Giving it the ability to resist against edge case scenarios (such as centralized entities poisoning the anonymity set to pick mixins from) more than RingCT. @Shifterovich
Let's revisit my previous example:
Your adversary can know with high probability that two or more payments originated from the same entity. That's... well, deanonymization. One example that Richard Stallman likes to use is paying a publisher when you view articles on their website, in lieu of advertising. You just can't do this in a truly anonymous way with Monero.
I don't agree with this. Depending on what you're transacting or how you're transacting, you unavoidably leak information to your adversary, like when you make multiple payments to them. There are no OPSEC cop-outs here. Due to Monero's small anonymity sets, that adversary is very capable of deanonymizing you in Monero, but would otherwise not be able to with Zcash's shielded transactions. This is even despite the fact our shielded transactions are relatively less popular.
Since stealth addresses are one-time-use, knowing that a specific output is linked to one stealth address tells you nothing about any other transaction. This is totally irrelevant. On the other hand, a person sending you money obviously knows your public wallet address, and probably knows a lot more about you because otherwise they'd have no reason to be sending you money in the first place.
The average exchange- and pool-generated transactions have two decoys, but the average user-generated transaction has four, because users don't use custom client software and don't tend to change client defaults.
Our terminology doesn't match up here I believe: stealth addresses can be reused, the one-time addresses are derived from the stealth address? It doesn't matter really, when you go to spend the output that they sent you, they know the real identity behind it. I only make this argument because I want to point out that privacy is a matter of perspective: exchanges can link outputs to real identities and that's why small anonymity sets per transaction aren't great in those scenarios.
lol wut, that's nice information to have actually, it allows you to estimate how many transactions belong to centralized entities (exchanges and pools). I thought there was no way to distinguish between what transactions are initiated by exchanges vs initiated by users. http://moneroblocks.info/stats/ring-size These high numbers are worrying, I didn't take into account the coinbase tx's but if the government changes their KYC/AML rules for cryptocurrencies to accommodate deanonymization programs then they can link 70% of outputs to real identities. They would know ALL the real identities of the potential spenders for 17% of all transactions :| (= 0.7^5). Note that as the anonymity set grows to larger portions, this number becomes near zero. We can use the number of transactions initiated by exchanges to roughly estimate how many outputs they own. The "adversarially controlled mixins" scenario could be an interesting area of research, given that you can estimate the amount of outputs owned by the adversary (exchanges).
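The "adversarially controlled mixins" scenario discussed in the last few comments (an entity such as an exchange owning X% of outputs, rings of a few decoys) can be put into numbers. The Python below is an added example written for this thread; it is not code from any participant nor from the Monero or Zcash projects. It assumes a deliberately simplified model: decoys are drawn uniformly from the output pool (Monero's real decoy selection is not uniform), the adversary's share of outputs is a fixed fraction, and the adversary recognizes its own outputs, so a ring whose decoys are all its own has only one candidate left for the real spend. The names `poison_probability`, `poisoning_table` and `simulate_poisoning` are chosen here. With a 0.7 share and five decoys it reproduces the 0.7^5 ≈ 17% figure quoted above, and the table shows how quickly that figure collapses as the ring grows, which is the point both sides are arguing about.

```python
import random


def poison_probability(adversary_share: float, decoys: int) -> float:
    """Analytic chance that every decoy in one ring is adversary-owned.

    Model (a simplifying assumption made here, not Monero's real decoy
    selector): each decoy is an independent uniform draw from the output
    pool, of which the adversary owns the fraction `adversary_share`.
    When all decoys are the adversary's own outputs it can strike them
    out, and the one ring member left is the real spend.
    """
    if not 0.0 <= adversary_share <= 1.0:
        raise ValueError("adversary_share must lie in [0, 1]")
    if decoys < 0:
        raise ValueError("decoys must be non-negative")
    return adversary_share ** decoys


def poisoning_table(adversary_share: float, decoy_counts) -> dict:
    """Fraction of rings the adversary fully resolves, per decoy count."""
    return {k: poison_probability(adversary_share, k) for k in decoy_counts}


def simulate_poisoning(adversary_share: float, decoys: int,
                       trials: int = 20_000, pool_size: int = 10_000,
                       seed: int = 1) -> float:
    """Monte Carlo check of the analytic figure on a constructed output pool.

    Constructed data: output i is adversary-owned iff i < share * pool_size.
    The real spend always belongs to an honest user; decoys are drawn
    uniformly without replacement from the rest of the pool (an assumption).
    """
    if decoys >= pool_size:
        raise ValueError("not enough outputs in the pool to fill the ring")
    rng = random.Random(seed)
    owned_count = int(adversary_share * pool_size)
    adversary_owns = [i < owned_count for i in range(pool_size)]
    honest_outputs = list(range(owned_count, pool_size))
    if not honest_outputs:
        raise ValueError("pool has no honest outputs to spend from")

    resolved = 0
    for _ in range(trials):
        real = rng.choice(honest_outputs)
        decoy_set = set()
        while len(decoy_set) < decoys:
            candidate = rng.randrange(pool_size)
            if candidate != real:
                decoy_set.add(candidate)
        # The ring is resolved when every decoy is one of the adversary's outputs.
        if all(adversary_owns[d] for d in decoy_set):
            resolved += 1
    return resolved / trials


if __name__ == "__main__":
    share = 0.70  # the 70% figure from the discussion, used as a constructed input
    for k, p in poisoning_table(share, [2, 4, 5, 10, 15, 25]).items():
        print(f"{k:2d} decoys: {p:8.4%} of rings fully resolved by the adversary")
    print(f"simulated, 5 decoys: {simulate_poisoning(share, 5):.4%}")
```

The analytic function is what you would plug estimated exchange/pool output counts into; the simulation only exists to confirm the closed form on a pool you can inspect. Because the probability is a power of the adversary's share, doubling the decoy count squares the figure, which is why the comment above notes it goes to near zero for large anonymity sets and why the same model gives no such comfort for two-decoy rings.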
Wow, we're still debating whether Monero is a better choice than zCash? The level of incompetence here is staggering if not worrying.
They couldn't even agree that Bitcoin shouldn't be listed first since it offers no privacy. Sad.
The AlphaBay investigation shows clearly which is the best private coin https://assets.documentcloud.org/documents/3898109/AlphaBay-Cazes-Forfeiture-Complaint.pdf http://i.imgur.com/SietBhv.png
https://steemit.com/cryptocurrency/@anonymint/is-monero-s-or-all-anonymity-broken An interesting article about miner centralization and how they can poison the anonymity set.
Interesting, but incorrect. https://www.reddit.com/r/Monero/comments/6r2xsm/is_moneros_anonymity_broken/dl2hn3e/?context=3
Since you seem to have made another appearance here @kewde I'll repost my appeal/question from three weeks ago in #269 which has gone unanswered by both you and @privacytoolsIO as to why #270 was not discussed despite claims of 'exploring every option': I was out for a couple days, but hopefully I can appeal to the people (largely @kewde given they committed and made the issue) who think that the best resolution is to simply remove the CC section and let users fall for scams. I'm going to operate off two points/assumptions:
Zcash will most likely get used less (and be more susceptible to timing attacks, have less liquidity making it less usable, etc) if there's no CC section as users will turn to the prism-break website where Zcash isn't featured (but Monero is) or they'll simply use a search engine of choice and potentially determine some other coin (e.g. Dash or whatever the integrated Tor + Bitcoin fork of the day ends up being) is 'good enough'. Therefore removing the CC section would run counter to whoever has the values I've presumed above. Having made a simple appeal, I'm then also curious as to why there was no constructive criticism/commentary for #270 by @kewde or @privacytoolsIO given:
Instead what happened was no constructive conversation or commentary of #270 before the merge. I get that for Zcash proponents being listed third is not ideal (I myself am really not a big fan of Bitcoin being first/listed at all given increasing deanonymity/analysis trends), but it is much better than Zcash not being listed at all as I highlighted above. It being listed third can be mitigated in part in addition to the description text highlighting technical merits by having header sub-text or something similar saying 'Sorted alpha desc' just to make it explicitly clear that Zcash isn't listed last (and Bitcoin first) because of technical merits. In attempting to avoid conflict regarding the listing order there will now be conflict about why CC isn't listed period (and no guarantee the conversations won't continue as is evident) and there is a chance people will either start deferring to the prism-break website or else use inferior privacy oriented coins which to the best of my knowledge, no one here wants.
This should get resolved. With the amount of bad "privacy" coins, we should be recommending good cryptocurrencies. I think Monero - Zcash - Bitcoin is the best way to sort them. Bitcoin provides no privacy, and Monero/Zcash sorted alphabetically (and by popularity). If we can't have Monero first, putting Monero and Zcash in one box, explaining that it's arguable which currency provides better privacy works too. If we can't have that either, Zcash - Monero - Bitcoin is better than not recommending anything. I'd close the Monero/Zcash debate with "it's very arguable". They're two main privacy coins, both better than any of the other coins people can be easily misled into using. Whatever the order, recommending the right cryptocurrencies is more important than recommending email clients. We should focus on this issue. @kewde @beardog108
So, looks like I'm late to this party ... and yet, 5 months and a full-blown cryptocurrency explosion later, you (we?) still haven't actually posted any cryptocurrency recommendations? My dos centavos ... Monero - Zcash - Dash, with Bitcoin stuck into an "honorable mention" slot below, purely due to its status, but with a clear warning that it is not actually private. Monero and Zcash should definitely get the first two slots ... argue about which one deserves the #1 slot after the update is posted to the site -- they're both worthy. My main concern with the long-running debate above, is that Bitcoin is still in the top 3. Dash and at least a half-dozen other currencies are more deserving. Also ... the site managers/owners should be prepared to accept donations in all 3 of the top-recommended currencies ... eat your dogfood.
Do we actually recommend any cryptocurrencies at the moment? I don't think this issue applies to the current version of the site. If we want to consider re-including a crypto page please create a new issue with discussions/recommendations!
See the #247 comment thread
@hyc: