Yea it’s an interesting point. Since there is a smaller pool of people in Monero and it is harder to verify because of privacy features, it is more believable that a bug like this could go undetected. Not saying that IS happening but seems plausible.


Discussion

Assuming the premise is true, that it COULD be hidden (pretty sure retep is correct), it’s an argument for public ledger over monero, even if very slim chance given the code is open source

these are indeed the trade-offs.

gain default privacy,

lose "back of the envelope" supply guarantee.

posted this yesterday on the subject.

basically

mistrusting cryptography that proves supply just a symptom of being Early Days

nostr:note190zr0vnkuq802f34llx0fclk5l4xdj7qzmyeuywc7a5lsmxpk04senlhlx

Almost missed this due to dropped tags. Primal user?

me? hell no.

posting with Yakihonne

lol, it did seem out of character so had to ask

"if such a bug existed, your incentives (as an attacker) would be to slurp up all of the liquidity immediately before 1) someone else starts using the same exploit or 2) devs notice and patch/fork

pretty simple logic"

Not as strong of a guarantee as transparent verification of course, but makes strong enough sense to me incentives wise

https://xcancel.com/tallhatdoug/status/1896776706972934358

oh hey

miss that guy

but yeah

you'd be taking a huge gamble sitting on an exploit like that.

i cant imagine what would make an adversary so confident no one else would notice.

Decent heuristic, but it’s still possible one would milk it slowly if it were a sneaky enough bug, rather than make any obvious moves to draw suspicion. I get that it’s more FUD than anything, but can’t rule it out 100% from my understanding.

Still have yet to read resource from kanzan, but will get to it

its impossible to prove a negative and there's always a nonzero chance of something somehow existing somewhere.

magical flying unicorns that poop strawberries.

prove they dont exist.

Bitcoin too.

everyone has to decide for themselves what *reasonable risk* looks like.

Well, it would worry me slightly, but I totally get where you’re coming from, and I’m sure this is among the most common FUD you encounter. Not trying to beat a dead horse, or score some token win

i get it 😀

its just people are *already* trusting cryptography they dont understand on Bitcoin.

the only difference is they've already decided #Bitcoin is trustworthy.

then they hear about #monero and they get really uptight about "why should I trust THESE cryptographic primitives"

its like nigga did you go into elliptic curves when you learned about Bitcoin?

not you or anyone in specific

just generally

the only difference is just they arbitrarily decided Bitcoin was trustworthy.

mostly because there were enough OTHER PEOPLE telling them it is trustworthy.

which is a reasonable metric, not saying i dont use it too.

but specifically in the supply verification discussion its a weird intellectual idiosyncrasy that is under recognized.

why would someone decide specific cryptographic primitives they dont understand are ok to trust,

but OTHER cryptographic primitives they don't understand are NOT ok to trust?

¯⁠\⁠_⁠(⁠ツ⁠)⁠_⁠/⁠¯

Haha fair points. I do somewhat understand ECC fwiw. I take on faith that ecdlp holds, sure, that’s just kinda how cryptographic standards work (time tested and open).

Rather than write more, I’ll do a bit of homework and return sometime soonish to this topic. Thanks for entertaining me while I learn some things

lol

I'm probably about the same in "somewhat understanding ECC"

also "somewhat understanding" Pedersen commitments that guarantee supply.

sometimes its good

sometimes a little knowledge is a terrible thing...

Mmm pedersen commitments, now we’re talking. That’s why I wanna get into the technicals a bit. Found my reading on confidential transactions intriguing

https://www.rareskills.io/post/pedersen-commitment

i cant find the latest thread on this stuff but heres one good one
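As an added illustration of what "Pedersen commitments that guarantee supply" means (example code written for this thread, not code from anyone posting here and not Monero's implementation): the toy below commits to amounts in a small prime-order group, shows the verifier's balance check that only needs the commitments, and shows why that check alone is not enough. The 63-bit safe prime, the generator labels `pedersen-G`/`pedersen-H`, the 32-bit `MAX_AMOUNT` and the plaintext `in_range` stand-in for a range proof are all assumptions of the example; real deployments use a group of order near 2^252, 64-bit amounts and a zero-knowledge range proof such as Bulletproofs.

```python
"""Toy Pedersen commitments over the prime-order subgroup of Z_p^* (p a safe prime).
Added example, not from any project; sizes are toy-scale for readability."""
import hashlib
import random

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]

def is_probable_prime(n: int) -> bool:
    """Miller-Rabin; this fixed base set is deterministic for n < 3.3e24."""
    if n < 2:
        return False
    for s in SMALL_PRIMES:
        if n % s == 0:
            return n == s
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def find_safe_prime(start: int) -> int:
    """Smallest safe prime p = 2q + 1 with q prime and q >= start (toy size)."""
    q = start | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1

P = find_safe_prime(1 << 62)   # assumed toy 63-bit modulus
Q = (P - 1) // 2               # prime order of the subgroup we commit in

def hash_to_subgroup(label: bytes) -> int:
    """Derive a generator with no known discrete log: squaring lands in the order-q subgroup."""
    x = int.from_bytes(hashlib.sha256(label).digest(), "big") % P
    g = pow(x, 2, P)
    assert g not in (0, 1)
    return g

G = hash_to_subgroup(b"pedersen-G")   # assumed labels
H = hash_to_subgroup(b"pedersen-H")   # log_G(H) unknown: this is what makes commitments binding

def commit(amount: int, blinding: int) -> int:
    """C = G^amount * H^blinding mod P. Note that a negative amount silently wraps mod Q."""
    return pow(G, amount % Q, P) * pow(H, blinding % Q, P) % P

def balance_holds(in_commits, out_commits) -> bool:
    """Verifier's supply check using commitments only: product(in) == product(out),
    which holds iff the amount sums and the blinding sums both agree mod Q."""
    lhs = rhs = 1
    for c in in_commits:
        lhs = lhs * c % P
    for c in out_commits:
        rhs = rhs * c % P
    return lhs == rhs

MAX_AMOUNT = 1 << 32   # assumed toy range; a real range proof covers 64-bit amounts

def in_range(amount: int) -> bool:
    """The statement a range proof attests in zero knowledge; here checked in plaintext."""
    return 0 <= amount < MAX_AMOUNT

def build_tx(in_amounts, out_amounts, seed=1):
    """Sender side: pick blindings so that they cancel across inputs and outputs, then commit."""
    rng = random.Random(seed)   # fixed seed so the example is reproducible
    in_blind = [rng.randrange(1, Q) for _ in in_amounts]
    out_blind = [rng.randrange(1, Q) for _ in out_amounts[:-1]]
    out_blind.append((sum(in_blind) - sum(out_blind)) % Q)
    ins = [commit(a, r) for a, r in zip(in_amounts, in_blind)]
    outs = [commit(a, r) for a, r in zip(out_amounts, out_blind)]
    return ins, outs

def honest_tx():
    """7 + 3 in, 6 + 4 out: balance holds and every amount is in range."""
    ins, outs = build_tx([7, 3], [6, 4])
    return balance_holds(ins, outs), all(in_range(a) for a in [6, 4])

def tampered_tx():
    """7 + 3 in, 6 + 5 out: the verifier rejects without ever seeing the amounts."""
    ins, outs = build_tx([7, 3], [6, 5])
    return balance_holds(ins, outs)

def inflation_tx():
    """Why range proofs exist: 11 + (-1) == 10 mod Q, so the balance check passes,
    yet one output carries a wrapped amount and 11 spendable coins came from 10."""
    ins, outs = build_tx([7, 3], [11, -1])
    return balance_holds(ins, outs), all(in_range(a) for a in [11, -1])
```

The point for the supply discussion: the verifier never learns the amounts, and `balance_holds` alone would accept `inflation_tx`. Supply is guaranteed only by the balance check plus a correct range proof for every output, which is why a bug in the range-proof verifier is the kind of implementation flaw the thread is worrying about.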

Thanks. Read a couple papers on them recently. Maxwell’s and a couple more. Will bookmark this ty

people do have their reasons of course

like nostr:npub1xtscya34g58tk0z605fvr788k263gsu6cy9x0mhnm87echrgufzsevkk5s and nostr:npub1klkk3vrzme455yh9rl2jshq7rc8dpegj3ndf82c3ks2sk40dxt7qulx3vt think that the ledger has to be 100% surveilled to be trustworthy.

which is a opinion people can have.

I think its pretty weird tbh.

much more likely that people's perception of cryptographically secure systems will change over time

and in the future it won't be so edgy to trust an obfuscated, but mathematically guaranteed supply.

like only a weird subset of people though it was ok to trust elliptic curve cryptography ten years ago.

i still have/seek On t *Y*

The more compelling argument is the cost of verification, onchain privacy techniques lead to expensive worst case verification of blocks, see the recent zcash spam attack that basically stalled the entire network. I'm not sure, but I'd guess Monero FMP has similar attack vectors.

undoubtedly verification is more expensive.

its a different conversation and I'm not sure of the specific trade-offs either.

tagged you because you were referring to transparency as a cypherpunk ideal.

Acshooally... I did go into elliptic curve cryptography before I got any btc. Not that I can repeat any of that stuff now...

Its the tail emission, mostly. I think I can also criticize ring signatures, but there's no point when there's the tail emission. That existing is a bad faith move. Its an attitude problem.

lol

its true some of us do/did.

but the vast majority didn't and wont.

i maintain that a hard cap is an unnecessary gamble and ultimately a design flaw.

"there will only be 21M" is a stupid meme.

ring signatures are obviously the weakest part of monero privacy, thats been understood for many years.

What’s weak with ring sigs? Just bullet points, if you don’t mind

what? you dont want another essay 😢

lol

basically

so we're hiding the true output with 15 other decoy outputs.

if The Adversary can get access to the wallet that sent a tx (perhaps an exchange colluding with LE), they know the true spend.

so if we use the compromised exchange to receive monero regularly

and then

consolidate some or all of those outputs into a single TX0, the common input heuristic is effective.

also

because we're dealing with decoys, theres the question of HOW decoys are selected.

although its mostly standardized, its not like its a consensus rule and some wallets are different.

so if the sampling of decoys isn't truly random its possible we could use the wallet "bias" to probabilistically eliminate decoys.

if the user is aware of these attacks they're easy to compensate for.

and if you're not concerned with targeted surveillance it doesnt matter anyway,

but there *are* attacks.

which is why Monero expects to fork out Ring sigs in favor of FCMP by the end of this year (Coming Soon™).

Then it will be a zcash-like "could be any output" situation.

it became an essay 🫣

I meant the bullet thing only to say like, don’t feel you have to go in depth, I just want to know which points to consider when I study them a bit more (too deep will be wasted effort at this time). I thought they were theoretically sound.

Interesting points. Thanks for summarizing them, will have to learn a bit more on the decoy thing but now I know to keep an eye out for it.

Oh, and from what you pointed out, seems they are theoretically sound, and it’s more pragmatic vulnerabilities, as is always the case I suppose

AzIZ

Oz

always 👍

the vulnerability is usually in the intersection of theory and actual usage

or in implementation

for keeping up on #monero stuff

i recommend Xenu (Antimoonboy) YT

https://www.youtube.com/watch?v=Ast80KcAaug

you can also listen to the Monero Talk pod.

but Doug kinda gets on my nerves personally.

I think the important distinction to make about the cryptography differences between Monero vs Bitcoin is that Bitcoin uses pretty old, standard, well established cryptography, whereas zero knowledge proofs are a relatively new field that is only recently seeing real world use cases.

Monero is on the cutting edge of cryptography. People are wary of new things until some time has passed, to be confident that most of the kinks have been worked out.

Correct me if I'm wrong but Pedersen Commitments are over 30 years old. Basically the same age as the cryptography used in Bitcoin. It doesn't really seem that cutting edge. Maybe you could say that about the ZKPs used in Zcash or other projects.

I'm not sure what Pedersen Commitments are (and my quick search results didn't seem relevant to this conversation). But although the cryptography might be somewhat old already, the cryptography is only recently (in ZCash and Monero) starting to get used outside of academia.

Sorry, I meant to say range proofs, and although they are pretty old, I see now that Monero's specific implementation is actually relatively new

Ah, was wondering as I was reading along what the chronology might be. That seems about right from what I remember

I think the specific implementation of Pedersen commitments is live since RingCT was introduced in January 2017

Will take your word for it as that’s deep in the weeds for me. I realize now I don’t know the chronology of a lot of the pieces. CTs were invented in 2014, or was that just the optimization by Blockstream and they date back further? I could look this stuff up, but if you happen to know please share. Ring sigs, range proofs, (anything I’m missing?) created quite a bit earlier?

pretty sure the idea of RingCT predates Bitcoin

i think it was Nick Szabo...?

ring signatures too, i think the idea is from before bitcoin.

range proofs,

which are the foundational maths,

are ancient.

mostly developed in the cryptography boom of the 80s and 90s I think.

Sounds right. I might have to dig a little just to satisfy curiosity on all these things

nice basic explanation here

https://unblock.net/ringct-vs-zk-snark/

Looks worth reading. 📝

worth noting the difference between a theoretical issue and an implementation one.

this is an *implementation* concern.

ie, the maths aren't suspect, the concern is around how its applied.

as with Bitcoin, if you cant verify the implementation yourself,

what techniques can a person use to establish trust?

i look @ IT like existing systems already here, people invested & maintaining will protect*/fort IT/just me cuz i don't have the time or inclination 4All/but trying to wrap my head a O sum