
On Fungibility, Bitcoin, Monero and why ZCash is a bad idea - Expez
http://weuse.cash/2016/06/09/btc-xmr-zcash/
======
ikken
This is a very one-sided discussion which makes it seem like it was written by
a person who wants Monero's value to rise. It doesn't mention any drawbacks of
Monero - like poor scalability - that blocks its wide adoption. There's also
a good deal of FUD around Dash and Zcash, which has been quickly refuted on
reddit [1].

Apart from that I liked this post and it shone some light on issues I wasn't
aware of.

[1]
[https://www.reddit.com/r/btc/comments/4nai1r/on_fungibility_...](https://www.reddit.com/r/btc/comments/4nai1r/on_fungibility_bitcoin_monero_and_why_zcash_is_a/)

~~~
petertodd
Note that Monero's scalability problem also exists in Zcash - an indefinitely
growing list of spent tokens; if scalability is a drawback of Monero it's a
drawback for Zcash.

~~~
ianmiers
An indefinitely growing list of spent transactions is the least of Monero's
scaling issues. Monero doesn't scale to large anonymity sets.

Monero uses CryptoNote's ring signature approach, which scales linearly with
the number of coins you want to mix with. Want to fully mix 1,000 coins
together? You need a 30kb transaction[0]. You chunk those coins into smaller
mixing sets, but then they aren't fully mixed. In anything using this
approach, your anonymity set is limited by what you can transmit across the
network in any given transaction or a small set of transactions. I've never
seen an exact proposal for mixing tx size and I'd be very interested to see
one, but if it was more than 100 coins per tx I'd be surprised.

In ZCash, transactions are constant size and are fully mixed with every other
coin in the current anonymity set.

Both approaches do have the indefinitely growing list of spent tokens issue.
Which in practice means you need to move coins into a new anonymity set after
e.g. 2^32 serial numbers and throw away the old coins and spent serial number
list[1]. So there is an inherent limit on the maximal anonymity set you get
out of any anonymous ecash scheme. Zerocash hits that limit. Due to its per
transaction scaling issues, CryptoNote simply can't.

As a result, in ZCash, your coin is hidden amongst all the coins in the
maximal anonymity set. In Cryptonote/Monero, it's hidden amongst a far smaller
fraction of that set. In Monero, you are far less anonymous. All things being
equal, you want to be more anonymous.

Of course, all other things are not equal. There are merits to both Zerocash
and CryptoNote on a technical level, but scalability isn't where CryptoNote
shines.

[0] Assume one group element per signature in the ring at 32 bytes per
element. The real scheme is likely worse.

[1] There are more sophisticated approaches that can be used.

~~~
droffel
> which scales linearly with the number of coins you want to mix with. Want to
> fully mix 1,000 coins together? You need a 30kb transaction

Actually, it does not scale linearly, it scales logarithmically in the worst
case.

If you create a transaction to send 1543XMR, it splits it into 4 pieces: 1000,
500, 40, and 3, respectively. Each of these transactions is put into a ring
signature, where the other transactions in the ring are selected from the pool
of all other transactions of the same size, since the creation of the network.
I'm not sure why you think that it scales linearly on the amount of coins
sent.

Edit: Unless you mean, "to achieve perfect anonymity, you need to mix your
coins with every other transaction of the same size, which scales linearly
with the total number of transactions performed since the start of the
network", in which case, yes. It is linear. But that's serious overkill, there's
no reason to have a ring size that large.

~~~
ianmiers
Yes, I meant perfect anonymity.

If we consider imperfect anonymity, we need to consider more than the size of
the anonymity set, we need to consider how likely it is a given coin in the
anonymity set is the actual one we are hiding. This is a Bayesian thing that
depends on that attacker's prior knowledge. For many coins it may be
vanishingly close to zero. Which means they don't really contribute to the
anonymity set. Which means you can end up with a large looking anonymity set
that is equivalent to a perfect anonymity set of say 5 coins.

How big is the anonymity set for a given CryptoNote transaction? You might
think it 1) clearly is at least the size of all the coins in the tx and 2)
actually it's the union of those coins' anonymity sets. But what are the
probabilities? I don't know. But consider a few possible issues.

If you sample the coins in the mixing set for your tx uniformly from the whole
blockchain, then many of them will be very old, but the actual coin you are
spending is likely new. This also applies to the sets you are taking the union
of. Couple this with other issues such as long term intersection attacks, and
it gets very hard to say how much anonymity you really have. Especially
because we don't know what techniques the companies that are doing coin
tracing have and more significantly, what third party data they are
correlating with beyond just the blockchain. Perfect anonymity and very large
anonymity sets is the best defense we have against this stuff.
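As an added illustration of the two points above (the linear ring-size scaling from ianmiers's earlier comment and the Bayesian "effective anonymity set" argument here); this is not code from the article or from any commenter. The 32-byte-per-member figure follows footnote [0]; the age-decay prior, the half-life, and the evenly spaced decoy ages are constructed assumptions standing in for an attacker's actual prior and for uniform decoy sampling:

```python
import math

# Assumed lower bound from footnote [0]: one 32-byte group element per ring
# member. Real CryptoNote signatures carry more data per member than this.
GROUP_ELEMENT_BYTES = 32


def ring_signature_bytes(ring_size, element_bytes=GROUP_ELEMENT_BYTES):
    """Lower-bound ring-signature size; it grows linearly with the ring size."""
    return ring_size * element_bytes


def effective_anonymity_set(posterior):
    """Effective anonymity set under an attacker's posterior: 2 ** H(posterior).

    With a uniform posterior over n ring members this is exactly n. Members the
    attacker considers near-impossible contribute almost nothing, so a ring of
    1000 can be worth far fewer than 1000 "real" candidates.
    """
    entropy = -sum(p * math.log2(p) for p in posterior if p > 0.0)
    return 2.0 ** entropy


def age_weighted_posterior(ages_in_days, half_life_days):
    """Constructed attacker prior (an assumption, not from the page): the real
    spend is more likely to be a young output, with the likelihood of each
    member halving every `half_life_days`. Normalised over the ring."""
    weights = [0.5 ** (age / half_life_days) for age in ages_in_days]
    total = sum(weights)
    return [w / total for w in weights]


def compare_ring(ring_size=1000, chain_age_days=730.0, half_life_days=30.0):
    """Worked comparison for one ring: decoys spread evenly over the chain's
    history (a deterministic stand-in for uniform sampling) plus one day-old
    real spend. Returns the signature size, the nominal set size (uniform
    posterior) and the effective set size under the age-weighted prior."""
    decoy_ages = [i * chain_age_days / (ring_size - 1) for i in range(ring_size - 1)]
    ages = [1.0] + decoy_ages  # index 0 is the constructed real spend
    uniform = [1.0 / ring_size] * ring_size
    return {
        "signature_bytes": ring_signature_bytes(ring_size),
        "nominal_set": effective_anonymity_set(uniform),
        "effective_set": effective_anonymity_set(
            age_weighted_posterior(ages, half_life_days)
        ),
    }


if __name__ == "__main__":
    result = compare_ring()
    print("ring signature lower bound: %d bytes" % result["signature_bytes"])
    print("nominal anonymity set:      %.1f" % result["nominal_set"])
    print("effective anonymity set:    %.1f" % result["effective_set"])
```

The `effective_set` value is what the Bayesian argument is about: the ring still costs 32,000 bytes to transmit (the roughly 30 kB figure for 1,000 members), but once an attacker discounts old outputs the same ring hides the spend among only a couple of hundred plausible candidates. Changing `half_life_days` shows how sensitive that number is to the attacker's prior, which is why the comment stresses that the true figure is unknown.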

~~~
plasticmachine
Unsurprisingly, there exists research by the Monero Research Lab highlighting
temporal association attacks and other possibilities.

[https://lab.getmonero.org/pubs/MRL-0001.pdf](https://lab.getmonero.org/pubs/MRL-0001.pdf)
[https://lab.getmonero.org/pubs/MRL-0004.pdf](https://lab.getmonero.org/pubs/MRL-0004.pdf)

As to your last statement: even if the supposition is that the true signer is
the most recent output on the blockchain, that is nothing but an unprovable
supposition, which means that Monero enables plausible deniability at the very
least.

Since transactions are both unlinkable (for any two outgoing transactions it
is impossible to prove they were sent to the same person) and untraceable (for
each incoming transaction all possible senders are equiprobable) the
anonymity set continues to grow, which makes the privacy risk cryptographically
negligible.

------
Olscore
In practice, many of the gatekeepers to the layman using Bitcoin require so
much documentation that anonymity should not be a major selling point. Perhaps
you can acquire a few thousand USD worth that is anonymous, but trying to
scale that anonymity doesn't go easily. Ironically, the needlessly growing
inquisition into how I was using Bitcoin is what forced me to close my
Coinbase account. They pretty much require the same information as a bank
does, including photocopies of your state ID, even tax documents.

Having used a handful of the exchanges and other more casual wallets like
Circle, it's obvious that the trend is towards more "security" and legitimacy
by vetting users and knowing their real world identities, etc. Which can
include a Skype interview, scanning personal bills to prove addresses and so
forth.

~~~
PeterisP
This is not really specific to Bitcoin, but to any player/system that is going
to become popular and thus used/supported by companies and/or integrated with
the rest of global infrastructure.

The laws almost everywhere (except niche jurisdictions that treat holding
offshore accounts as their main industry) pretty much require you to know your
customer and not be an enabler of any anonymous transfers of money - or
alternatively, be treated as responsible for any "bad" money passing through
you.

Any institution that would enable you to trade a scalable amount of USD for
Monero or some new cryptopayment solution would also have to require the same
information to know your real world identity.

Any institution that would enable you to trade a significant amount of such
new cryptocurrency for USD would be required (perhaps not immediately, but
definitely if/when it becomes sufficiently popular) to report that to IRS, who
would then request documentation about the transactions and originators where
you obtained that amount (which you surely reported when filing your taxes,
didn't you?), and it doesn't really matter that much that the blockchain is
anonymous since essentially you'll give them the transaction details anyway or
go to jail.

If no institutions enable that, then the cryptocurrency cannot be liquid
enough for everyday use, as it's not easy to trade it with other liquid
currencies.

~~~
mindslight
A major feature of untraceability is that exchanges can know your identity in
this way, yet your transactions still remain confidential.

------
grondilu
I'm always surprised how people seem to focus on bitcoin's alleged anonymity.
It was quite clear from the beginning that bitcoin is not completely
anonymous, or rather that it is not more anonymous than internet itself is.
Just as you don't have to give your name or a photocopy of your passport to
register to a website, you don't have to do that either to use bitcoin. So to
a degree it is anonymous, but only when compared to other payments systems
like Paypal for instance.

This relative anonymity is not what attracted the vast majority of bitcoin
users anyway. It was more the idea of a public, decentralized ledger.

~~~
ChemicalWarfare
>> it is not more anonymous than internet itself is

It's less anonymous than that. Not a 100% accurate analogy but this would be
similar to having your browsing history stored in a public location mapped to
your IPs.

~~~
grondilu
There are no IPs in the blockchain, are there?

~~~
ChemicalWarfare
There are BTC addresses tied to your wallet (in my analogy this would be an IP
address) mapped to transactions with a major kicker being that the coin
involved in these transactions is traceable back to where you acquired it and
then back to where it was mined in the first place.

So my analogy is actually less 'severe' than the reality of the bitcoin setup.

------
ChemicalWarfare
Good read till the "Enter Monero" line :)

I'd also mention that bitcoin had a BIP at some point to add stealth address
support to the core (BIP63) with a couple of wallets providing support for
those.

~~~
plasticmachine
Stealth addresses aren't nearly enough. It needs to be mandatory stealth
addresses + some sort of mandatory passive mixing that can't be Sybil attacked
+ Confidential Transactions. At a minimum.

~~~
petertodd
Yup, Stealth Addresses are just a small fix to one usecase, not a general
solution. And I say this as the guy who came up with the name and played a
part in developing the exact protocol Dark Wallet implemented (many others
deserve credit, including for the underlying math).

~~~
ChemicalWarfare
Just mentioned those since the OP's article is talking about monero using
stealth addresses but doesn't mention these when talking about bitcoin.

SX and DarkWallet were what kind of pulled me personally into the bitcoin
"ecosystem", very entertaining read trying to understand all of that :)

------
SakiWatanabe
Sounds like a Monero pump to me

~~~
plasticmachine
This is an utterly stupid comment. If you read an article that slammed
MongoDB's eventual consistency and encouraged people to use mysql instead
would you call it a "mysql pump"?

This is also not the first time someone has smacked down ZCash for being ill-conceived and dangerous: [https://blog.okturtles.com/2016/03/the-zcash-catch/](https://blog.okturtles.com/2016/03/the-zcash-catch/)

~~~
dang
Your comments in this thread are unfortunately breaking the HN guidelines, by
calling names and generally being uncivil. Please don't present your argument
that way. It poisons the atmosphere and makes your argument less credible.
Instead, please refresh your memory about what HN is looking for by reading
the following, and then post civilly and substantively (or not at all) in the
future.

[https://news.ycombinator.com/newsguidelines.html](https://news.ycombinator.com/newsguidelines.html)

[https://news.ycombinator.com/newswelcome.html](https://news.ycombinator.com/newswelcome.html)

~~~
plasticmachine
That's fair enough, but consider that SakiWatanabe's comment is equally
uncivil and insulting to an open-source project and the contributors that have
built it. Why is that allowed, but when I call that person out I get SJW safe-space thrown at me? Don't you think that is hypocritical as a moderation
strategy?

~~~
dang
I didn't notice that comment. It's bad because it's a shallow dismissal, but
yours were worse because you called names and conducted yourself flamewar-style, and you did it repeatedly in the thread.

I don't think it's hypocritical, for a couple reasons: (1) it's impossible for
us to read all the comments, and (2) one bad comment doesn't justify another.

HN is not a good place to "call that person out"—that just causes threads to
degenerate nastily. On HN, an appropriate way to respond to such a comment
might be to remind the commenter that unsubstantive dismissals aren't helpful,
and then point out some relevant good things about the article.

~~~
plasticmachine
Fair enough, I retract my name-calling.

------
CiPHPerCoder
> Another problem with ZCash is the fact that it’s brand new cryptography.

It's using libsodium. This is an alarmist and false statement.

> Nobody can really guarantee that there aren’t some bugs in the system that
> will make it possible to deanonymize transactions or create coins out of
> thin air.

Sure, that's technically true of all crypto-currencies.

~~~
plasticmachine
You can't be serious. It's using libsodium in one part of the code, so
therefore ALL cryptography uses libsodium? You do know that Bitcoin has
already switched most of the secp256k1 stuff away from OpenSSL and to
libsecp256k1, and ZCash will follow suit?

But more importantly than that it uses libsnark for the actual clever bits,
which has already been critically broken[1] precisely because it is so new and
poorly tested.

Even the cryptography in ZeroCash/ZeroCoin is too new to be trusted with a
financial system. That is not alarmist, that is practical. Relying on old,
established cryptography is precisely why Bitcoin hasn't been trivially
broken, and the zk-snarks cryptography will need to go through the same peer-review and refinement process over the next decade or two.

[1]
[https://leastauthority.com/blog/a_bug_in_libsnark.html](https://leastauthority.com/blog/a_bug_in_libsnark.html)

------
VMG
The navigation header effect is infuriating.

