it isn't meaningful to compare the total hashes of different algos
if you want to compare I think the only sensible metric is the *amount of energy used* to generate the total hash for each network.
so
still a rounding error 😅
You catch Peter Todd’s recent monero post on Twitter?
No sir
Not trying to stir the pot, but it is interesting to think about. I don’t know how monero privacy works well enough to know how one would be able to hide an inflation bug, but had heard such things before, and trust he knows what he’s talking about.
Yea it’s an interesting point. Since there is a smaller pool of people in Monero and it is harder to verify because of privacy features, it is more believable that a bug like this could go undetected. Not saying that IS happening, but it seems plausible.
Assuming the premise is true, that it COULD be hidden (pretty sure retep is correct), it’s an argument for public ledger over monero, even if there’s a very slim chance given the code is open source
these are indeed the trade-offs.
gain default privacy,
lose "back of the envelope" supply guarantee.
posted this yesterday on the subject.
basically
mistrusting cryptography that proves supply is just a symptom of being Early Days
nostr:note190zr0vnkuq802f34llx0fclk5l4xdj7qzmyeuywc7a5lsmxpk04senlhlx
"if such a bug existed, your incentives (as an attacker) would be to slurp up all of the liquidity immediately before 1) someone else starts using the same exploit or 2) devs notice and patch/fork
pretty simple logic"
Not as strong of a guarantee as transparent verification of course, but makes strong enough sense to me incentives-wise
oh hey
miss that guy
but yeah
you'd be taking a huge gamble sitting on an exploit like that.
i can't imagine what would make an adversary so confident no one else would notice.
Decent heuristic, but it’s still possible one would milk it slowly if it were a sneaky enough bug, rather than make any obvious moves to draw suspicion. I get that it’s more FUD than anything, but can’t rule it out 100% from my understanding.
Still have yet to read resource from kanzan, but will get to it
it's impossible to prove a negative and there's always a nonzero chance of something somehow existing somewhere.
magical flying unicorns that poop strawberries.
prove they don't exist.
Bitcoin too.
everyone has to decide for themselves what *reasonable risk* looks like.
Well, it would worry me slightly, but I totally get where you’re coming from, and I’m sure this is among the most common FUD you encounter. Not trying to beat a dead horse, or score some token win
i get it 😀
it's just people are *already* trusting cryptography they don't understand on Bitcoin.
the only difference is they've already decided #Bitcoin is trustworthy.
then they hear about #monero and they get really uptight about "why should I trust THESE cryptographic primitives"
it's like nigga did you go into elliptic curves when you learned about Bitcoin?
not you or anyone in specific
just generally
the only difference is just they arbitrarily decided Bitcoin was trustworthy.
mostly because there were enough OTHER PEOPLE telling them it is trustworthy.
which is a reasonable metric, not saying i don't use it too.
but specifically in the supply verification discussion it's a weird intellectual idiosyncrasy that is under recognized.
why would someone decide specific cryptographic primitives they don't understand are ok to trust,
but OTHER cryptographic primitives they don't understand are NOT ok to trust?
¯\_(ツ)_/¯
Haha fair points. I do somewhat understand ECC fwiw. I take on faith that ecdlp holds, sure, that’s just kinda how cryptographic standards work (time tested and open).
Rather than write more, I’ll do a bit of homework and return sometime soonish to this topic. Thanks for entertaining me while I learn some things
lol
I'm probably about the same in "somewhat understanding ECC"
also "somewhat understanding" Pedersen commitments that guarantee supply.
sometimes it's good
sometimes a little knowledge is a terrible thing...
Mmm pedersen commitments, now we’re talking. That’s why I wanna get into the technicals a bit. Found my reading on confidential transactions intriguing
https://www.rareskills.io/post/pedersen-commitment
i can't find the latest thread on this stuff but here's one good one
Thanks. Read a couple papers on them recently. Maxwell’s and a couple more. Will bookmark this ty
people do have their reasons of course
like nostr:npub1xtscya34g58tk0z605fvr788k263gsu6cy9x0mhnm87echrgufzsevkk5s and nostr:npub1klkk3vrzme455yh9rl2jshq7rc8dpegj3ndf82c3ks2sk40dxt7qulx3vt think that the ledger has to be 100% surveilled to be trustworthy.
which is an opinion people can have.
I think it's pretty weird tbh.
much more likely that people's perception of cryptographically secure systems will change over time
and in the future it won't be so edgy to trust an obfuscated, but mathematically guaranteed supply.
like only a weird subset of people thought it was ok to trust elliptic curve cryptography ten years ago.
The more compelling argument is the cost of verification, onchain privacy techniques lead to expensive worst case verification of blocks, see the recent zcash spam attack that basically stalled the entire network. I'm not sure, but I'd guess Monero FMP has similar attack vectors.
undoubtedly verification is more expensive.
it's a different conversation and I'm not sure of the specific trade-offs either.
tagged you because you were referring to transparency as a cypherpunk ideal.
Acshooally... I did go into elliptic curve cryptography before I got any btc. Not that I can repeat any of that stuff now...
It's the tail emission, mostly. I think I can also criticize ring signatures, but there's no point when there's the tail emission. That existing is a bad faith move. It's an attitude problem.
lol
it's true some of us do/did.
but the vast majority didn't and won't.
i maintain that a hard cap is an unnecessary gamble and ultimately a design flaw.
"there will only be 21M" is a stupid meme.
ring signatures are obviously the weakest part of monero privacy, that's been understood for many years.
What’s weak with ring sigs? Just bullet points, if you don’t mind
what? you don't want another essay 😢
lol
basically
so we're hiding the true output with 15 other decoy outputs.
if The Adversary can get access to the wallet that sent a tx (perhaps an exchange colluding with LE), they know the true spend.
so if we use the compromised exchange to receive monero regularly
and then
consolidate some or all of those outputs into a single TX0, the common input heuristic is effective.
also
because we're dealing with decoys, there's the question of HOW decoys are selected.
although it's mostly standardized, it's not like it's a consensus rule and some wallets are different.
so if the sampling of decoys isn't truly random it's possible we could use the wallet "bias" to probabilistically eliminate decoys.
if the user is aware of these attacks they're easy to compensate for.
and if you're not concerned with targeted surveillance it doesn't matter anyway,
but there *are* attacks.
which is why Monero expects to fork out Ring sigs in favor of FCMP by the end of this year (Coming Soon™).
Then it will be a zcash-like "could be any output" situation.
it became an essay 🫣
I meant the bullet thing only to say like, don’t feel you have to go in depth, I just want to know which points to consider when I study them a bit more (too deep will be wasted effort at this time). I thought they were theoretically sound.
Interesting points. Thanks for summarizing them, will have to learn a bit more on the decoy thing but now I know to keep an eye out for it.
for keeping up on #monero stuff
i recommend Xenu (Antimoonboy) YT
https://www.youtube.com/watch?v=Ast80KcAaug
you can also listen to the Monero Talk pod.
but Doug kinda gets on my nerves personally.
I think the important distinction to make about the cryptography differences between Monero vs Bitcoin is that Bitcoin uses pretty old, standard, well established cryptography, whereas zero knowledge proofs are a relatively new field that is only recently seeing real world use cases.
Monero is on the cutting edge of cryptography. People are wary of new things until some time has passed, to be confident that most of the kinks have been worked out.
Correct me if I'm wrong but Pedersen Commitments are over 30 years old. Basically the same age as the cryptography used in Bitcoin. It doesn't really seem that cutting edge. Maybe you could say that about the ZKPs used in Zcash or other projects.
I'm not sure what Pedersen Commitments are (and my quick search results didn't seem relevant to this conversation). But although the cryptography might be somewhat old already, the cryptography is only recently (in Zcash and Monero) starting to get used outside of academia.
Sorry, I meant to say range proofs, and although they are pretty old, I see now that Monero's specific implementation is actually relatively new
Ah, was wondering as I was reading along what the chronology might be. That seems about right from what I remember
I think the specific implementation of Pedersen commitments has been live since RingCT was introduced in January 2017
Will take your word for it as that’s deep in the weeds for me. I realize now I don’t know the chronology of a lot of the pieces. CTs were invented in 2014, or was that just the optimization by Blockstream and they date back further? I could look this stuff up, but if you happen to know please share. Ring sigs, range proofs, (anything I’m missing?) created quite a bit earlier?
pretty sure the idea of RingCT predates Bitcoin
i think it was Nick Szabo...?
ring signatures too, i think the idea is from before bitcoin.
range proofs,
which are the foundational maths,
are ancient.
mostly developed in the cryptography boom of the 80s and 90s I think.
Sounds right. I might have to dig a little just to satisfy curiosity on all these things
nice basic explanation here
Looks worth reading. 📝
worth noting the difference between a theoretical issue and an implementation one.
this is an *implementation* concern.
i.e., the maths aren't suspect, the concern is around how it's applied.
as with Bitcoin, if you can't verify the implementation yourself,
what techniques can a person use to establish trust?
lol
no.
the drama between Peter and Amir goes waaay back.
and I trust Amir WAAAAY more than Peter Todd.
if you want to go into details about how inflation might be detected on monero
i suggest reading the methodology on this page:
Ah, thank you. This is the type of thing I was after. Not sure I’ll delve in just yet, but at some point.
Just so I’m clear, is Peter’s claim wrong in some semantic way (you do have a way of splitting hairs), or that it’s flat out impossible to sneak extra coins in given how monero works?
Peter is just throwing shade.
Amir comes out and says "monero should be valued much higher"
and Peter feels like he has to retort to Amir by saying "well maybe there's downward price pressure because it's compromised and someone is slowly dumping on the market"
he doesn't have any special insight into it.
Hmm, not like Peter to make technically wrong claims.
Anyway, thanks for the link, will harass you with questions about it down the line 😅
it's not a technical claim.
there's always a nonzero chance there's an inflation exploit.
there's a nonzero chance there's an undetected inflation bug on Bitcoin.
noise.
Yes to inflation bugs, but we would see it in btc right away on chain, and am assuming that’s not the case with monero (I am woefully clueless on any technicals of xmr, sorry).
Guess I’m still interested in knowing what controls are guaranteed by xmr (just from a theoretical understanding), so will look into what you sent.
in monero every tx has to prove that
the sum of the inputs equals the sum of the outputs
to be accepted as valid.
and i dunno, sometimes things are not obvious even when values are transparent.
bugs can be sneaky.
also
bitcoiners make a big noise about auditability
but when was the last time you summed up the utxo set to confirm the supply?
even if people do anything at all it's usually just run gettxoutsetinfo on their node. it's never that they build a little tool to do it themselves
point is,
bitcoiners are trusting others to confirm the supply for them too
it's not that different than monero.
Feelin like you pulled semantic jiujitsu on me, but I wasn’t gonna press you further as I don’t have time to get into it… will come back to this once I research a bit more though.
As for verifying supply, plenty of times, but yes always relying on the command
I welcome your criticism of my thought process 😉
Naw what he say?
Exactly
These arguments are not based in reality.
huh?
i don't think you understood what I said.
the OP isnt comparing sha256 hash to RandomX.
I know he isn’t; he is stating Monero is Secure and Bitcoin is NOT Secure, which is absurd. Monero could be attacked with magnitudes less hash and energy than Bitcoin.
You were saying energy usage is a better metric and I was responding by saying that the energy to generate those hashes for Monero is less than the energy needed to generate the hashes for bitcoin, therefore it would take less energy per hash to attack Monero. I didn’t articulate it very well.
I'm not sure how the joules/hash works out for the respective algos.
hard to come up with an average since there are so many different ASICs or CPUs used...
but yeah, basically you're right.
asic resistance is another trade-off.
we get good decentralization at the expense of warehouse hash machines.
I get that. But the greatest security risk is a 51% attack and that would be very easy to do on Monero in comparison to Bitcoin, therefore Bitcoin is secure in comparison to Monero, not the other way around. Having tail emissions doesn’t make up for the lack of hashes.
it's just a different vulnerability.
sure, Monero is more vulnerable to a hash attack.
otoh
Bitcoin is indeed gambling that there will be enough tx fees to incentivize miners in the future.
i think a tail emission is a no-brainer. more for game theory, free-rider reasons than "mining death spiral" reasons
and like, why not?
but here we are.
Realistically even less secure since CPU mining is less energy intensive than asics