Monero is not what I thought. I've changed my mind \ stacker news ~bitcoin

Monero is not what I thought. I've changed my mind

2919 sats \ 20 comments \ @VEINTIUNO 8 Aug 2023 bitcoin

You, as a decentralized person, have probably heard me say that monero is the best privacy tool, not only natively but also one of the best to give privacy to your satoshis (BTC).

Well, today I think differently to some extent. While I still consider monero to be the best privacy project, I can no longer say the same about the effect it has on satoshis as it is technically null.

Let me explain:

Previously I used to share that a private satoshi is one that is not tied to your identity, thus going through monero resulted in a good option. Now from a stricter perspective I consider private a satoshi whose record on the blockchain is not only not sociable to an identity, but also has a hidden past.

The nature of bitcoin is to be transaparent, its blockchain reflects every move made and its past and future can be traced.

When exchanging bitcoin for monero we make a sale. The satoshis you send to the buyer carry your history, this history may or may not be related to your identity, but they carry your addresses, your signature, and everything you have related them to.

The person who receives your satoshis, receives them with your history. It is true that it is not linked to the identity of the person who receives them, but we cannot call them private either, because the blockchain reflects all the past of those satoshis.

If you do the movement the other way around, i.e. you sell monero and receive satoshis, it is the same. You will receive satoshis with a verifiable past in the blockchain, a past not associated with your identity, but that does not comply with being a private satoshi.

So.

Monero is an excellent privacy tool, but its attributes are not transferable, they only apply within its own network. When you make a swap, what you do is an exchange with a random person, which serves perfectly well to dissociate identity, but it does not offer total privacy, but you absorb the history of those satoshis. This history can be from a random user with KYC, to satoshis listed in the blacklist of centralized services.

What can I do to give privacy to my satoshis?

A coinjoin - this is the real privacy tool designed for bitcoin. A coinjoin mixes the unspent outflows (UTXO) of a group of people, and distributes them equally among the participants.

Since the bitcoin blockchain is transparent, the coinjoin will be reflected in it as shown in the following image.

https://imgprxy.stacker.news/x4y5HUon_l-4hZjeWIX6utF5b_z3H9vcotu2LwfNr5w/rs:fit:600:500:0/g:no/aHR0cHM6Ly9zdWJzdGFja2Nkbi5jb20vaW1hZ2UvZmV0Y2gvd18xNDU2LGNfbGltaXQsZl93ZWJwLHFfYXV0bzpnb29kLGZsX3Byb2dyZXNzaXZlOnN0ZWVwL2h0dHBzJTNBJTJGJTJGc3Vic3RhY2stcG9zdC1tZWRpYS5zMy5hbWF6b25hd3MuY29tJTJGcHVibGljJTJGaW1hZ2VzJTJGN2FjZWU5OGEtMDk1Yi00NzllLTlhOTQtNzJkMTFmYzVhN2ZlXzEwMjR4NDI0LnBuZw

On the left side of the image is the outgoing transaction, on the right side is the transaction that returns the satoshis to your wallet but already mixed. You can see that all the amounts on the right side are the same, that is what makes it a private transaction, because it is not possible to deduce from which of the addresses on the left side each balance comes from.

In case the balance on the left has an associated identity, this is the last point of traceability, because at the output each address is a match possibility.

Is it a foolproof method?

No, there are cases like wasabi wallet, where an internal wallet error caused the transaction to lose privacy, by sending the transaction change mixed with a previously used address. The user could do nothing about it, as this process is automatic.

It is also possible (although exponentially more complicated) that if the coinjoin shows for example 10 exits, someone will follow up on those 10. That is why it is recommended that when doing the coinjoin process you leave it doing several mixes, so the obfuscation becomes exponentially more complicated and it doesn't cost you more.

Finally, the weak point of coinjoin is the user. Any minimal future mistake made with these satoshis, diminishes or completely eliminates the privacy achieved.

Conclusion

Going through monero and returning to bitcoin achieves that the satoshis are not associated with your identity, but you absorb the history of those satoshis.

Doing a coinjoin, obfuscates the traceability of the satoshis by cutting off the history as well as any associated identity.

Both methods need to be complemented with good privacy practices in the management of your satoshis such as:

Coin control
PayNyms
Payment codes
Navigate through tor
VPN
Using self-custody wallets
Connecting your wallet to your bitcoin node
Checking the block explorer from your bitcoin node

This article was originally published by BITCOIN EN ESPAÑOL

view all related items

566 sats \ 6 replies \ @siggy47 8 Aug 2023

I heard a very clear explanation of why monero's base chain privacy is its biggest problem by Tuur Demeester on Marty Bent's TFTC podcast. Check it out:https://fountain.fm/episode/EP5FUbCTYPr2e7FGBF8F Bitcoin’s chain is verifiable. Monero's is not. An inflation bug, for instance, can go undetected In monero, and it's possible that's already happened.

304 sats \ 0 replies \ @orthzar 8 Aug 2023

An inflation bug, for instance, can go undetected In monero, and it's possible that's already happened.

It's more than possible; it's very likely. Imagine spending a month of full-time work to find an inflation bug, but the bounty is not worth it. You'd be tempted to quietly inflate the supply of Monero in order to compensate yourself for the time you spent working. And then you'd disclose the bug to prevent someone else from finding it and making Monero worthless, which would prevent you from exploiting future inflation bugs. So there is a very clear risk/reward ratio for finding and subtly exploiting inflation bugs in Monero.

What's more, Monero developers, notably FluffyPony, say that you shouldn't hold XMR -- that you should only hold it long enough to buy something. This is the opposite of what most other cryptocurrency developers say, which is to buy and hold. I have to wonder if some of the Monero developers are subtly trying to keep people from getting wrecked in the event that some random person finds an inflation bug and dumps on all the exchanges.

745 sats \ 1 reply \ @deleted231216 8 Aug 2023

A lot of useful info in the sidebar: https://www.moneroinflation.com/ "We are 9y 114d 11h 20m 29s without an inflation bug" (i.e. since the launch of Monero in 2014) and here: https://sethforprivacy.com/posts/dispelling-monero-fud/#you-cant-audit-the-monero-supply

Block rewards are transparent and can be seen in any block explorer such as https://xmrchain.net

Nodes verify the supply via cryptographic range-proofs, meaning that it can be mathematically proven for every transaction that inputs - outputs = 0, without publicly revealing the exact amounts (only the sender and recipient can decrypt the encrypted amounts).

10 sats \ 0 replies \ @Craze 9 Aug 2023

exactly, the range proofs and the key frames verification makes a good cryptographic combination for verifications and legitimacy of transactions.

0 sats \ 0 replies \ @Muuny 8 Aug 2023

exactly!

0 sats \ 0 replies \ @yo2xncv0 18 Aug 2023 freebie

Sure, verifiability is a whole other argument, but what does that have do with the topic at hand: privacy?

There was a hidden inflation bug in Bitcoin only one anonymous user knew. They couldve easily exploited it, but very luckily they were an honest actor who secretly let the devs know (who couldve also decided to exploit it).

An exploited inflation bug would be catastrophic once it happened to either Bitcoin or Monero. Attackers have the advantage. There is no good solution to fix an exploited inflation bug without hurting honest users on either Bitcoin or Monero.

If they had exploited it, or it happens again in the future, how would detectable inflation help after the fact? It wouldnt.

https://bitcoincore.org/en/2018/09/20/notice/

www.coindesk.com/markets/2018/09/21/the-latest-bitcoin-bug-was-so-bad-developers-kept-its-full-details-a-secret

0 sats \ 0 replies \ @sapphirespire 9 Aug 2023 freebie

https://www.moneroinflation.com/

132 sats \ 9 replies \ @lightcoin_ 8 Aug 2023

Good analysis, and I mostly agree with the conclusion. Where I disagree is:

Coins that come from a CoinJoin also have a history. At the very least, they can be traced back to the CoinJoin from which they came. Depending on the characteristics of the coins or the mix it may be possible to trace the coins back further. For example, if most or all other mix participants in your anonset end up deanonymizing themselves somehow that leaves your coins sticking out like a sore thumb. This process can happen gradually over time as mixes "degrade" (people transfer/consolidate other coins from the mix, etc) so it might be months or years later that your coins are stripped naked of their privacy. Remixing guards against this degradation but also chews up mining fees... no easy answer here.
Monero coins also have a history. They can be harder to trace due to Monero's use of RingCT, but tracing is not completely infeasible, especially if you're the target of surveillance. This video gives a good high level overview of the fundamental attacks possible against RingCT. The gold standard in privacy nowadays is the Zerocash protocol, which fully end-to-end encrypts transaction metadata including the sender and recipient addresses and the asset and amount that was sent. This end-to-end encryption provides much stronger privacy (revealing much less metadata) than the "obfuscation" offered by RingCT. Zerocash was first implemented in Zcash but has also been implemented (or more or less the same zero knowledge crypto technique implemented) in Piratechain, Ycash, Aztec, and Railgun, with several more projects in testnet phase working on it (Penumbra, Anoma, Panther, et al). The developers of the Liquid bitcoin sidechain have also said they are working on extending their existing Confidential Transactions (hiding assets and amounts) implementation to support unlinkability (hiding sender and recipient addresses) as well. Long story short, if any alternative chain is used to supplement the privacy offered by CoinJoin I would recommend using a chain that supports Zerocash transactions, and only use the encrypted Zerocash transactions if the chain supports both encrypted and transparent transactions.

69 sats \ 0 replies \ @iguano 9 Aug 2023

Great read, thanks 🙏

0 sats \ 5 replies \ @llamabyte 11 Aug 2023

2018

isn't this outdate with the recent upgrades since then, Bulletproofs+ ?

0 sats \ 4 replies \ @lightcoin_ 11 Aug 2023

Bulletproofs+ makes the RingCT proofs smaller, it doesn't change the fundamental flaws with decoy protocols as described in the talk

0 sats \ 1 reply \ @llamabyte 11 Aug 2023

by the way, are you the spacechains guy ?

0 sats \ 0 replies \ @lightcoin_ 11 Aug 2023

0 sats \ 0 replies \ @llamabyte 11 Aug 2023

k thanks, watching it now.

0 sats \ 0 replies \ @yo2xncv0 18 Aug 2023 freebie

Senders are the only part of Monero that uses decoys. The only part that is obfuscation.

Amounts and recievers are completely hidden with zk and encryption and don't appear on chain at all. The transaction graph doesn't exist like it does with Bitcoin or Liquid.

Liquid: Alice sent $[?] to Bob

Monero: 6% chance Alice sent $[?] to [?]

And the upcoming Seraphis upgrade will replace sender privacy via ring sigs completely with full membership proofs.

0 sats \ 1 reply \ @Mailmanmail 9 Aug 2023 freebie

DASH's coinjoin is stronger than any other privacy solution besides Zerocash, its cheaper and much easier to use, and because DASH has instant transactions, you get fast, cheap private coins all the time with no history and an anonymity set of over 43 million (Zerocash's is 4.3 billion, but there's little difference at that scale).

Monero's anonymity set size for comparison is only 16. So it's much weaker than DASH.

11 sats \ 0 replies \ @Muuny 8 Aug 2023

This was great, a little long but I get it.

0 sats \ 0 replies \ @Mailmanmail 9 Aug 2023 freebie

The thing is, its even worse than this article implies: Monero's privacy doesn't even work in a Monero-only context either. There have been many researches done since 2018 that prove conclusively that it has always been easy/trivial to track Monero with just the info in the block chain.

For example, Monero used to make private transactions optional (ring size zero transactions). Due to the unique way in which Monero is constructed, having these zero ring transactions deanonymized the 5-7 ring ones as well. Then Monero had to make all transactions private by default to compensate. That bug was active for years though. Wired did an article about Monero exposing quite a lot about its privacy flaws:

Monero Privacy Protections Aren't as Strong as They Seem | WIRED https://www.wired.com/story/monero-privacy/

Aside from the bug I just mentioned, timing analyses allowed researchers to pinpoint the original spend coin with 90% accuracy, just using the blockchain. That was eventually patched, but as fluffypony says in the article, its never really going away. They raised the ring size in response, now its 16, but this still has like a 5% chance of working. Not to mention the newly released OSPEAD attack, which has worked since Monero began.

The guy who wrote about it said that it completely breaks user privacy and Monero's privacy would need to be redone. Its a form of statistical attack which completely unmasks users with just info from the blockchain. Its pretty wild. But the point is, don't have false hope, even in a Monero to Monero context, you don't gain any actual privacy. Coinjoin is always better because BTC doesn't have the same design flaws that Monero does.

Not to mention that Monero has an infinitely increasing supply with no cap, unlike BTC which is capped at 21 million. And hidden inflation bugs. Oh and did I mention that fluffypony was arrested for stealing $100k from his former employer 10 years ago in an office-space like invoice scam? Yeah, one of the founding members of the coin is a scammer...

0 sats \ 0 replies \ @llamabyte 11 Aug 2023

deleted by author