pull down to refresh

Good analysis, and I mostly agree with the conclusion. Where I disagree is:
  • Coins that come from a CoinJoin also have a history. At the very least, they can be traced back to the CoinJoin from which they came. Depending on the characteristics of the coins or the mix it may be possible to trace the coins back further. For example, if most or all other mix participants in your anonset end up deanonymizing themselves somehow that leaves your coins sticking out like a sore thumb. This process can happen gradually over time as mixes "degrade" (people transfer/consolidate other coins from the mix, etc) so it might be months or years later that your coins are stripped naked of their privacy. Remixing guards against this degradation but also chews up mining fees... no easy answer here.
  • Monero coins also have a history. They can be harder to trace due to Monero's use of RingCT, but tracing is not completely infeasible, especially if you're the target of surveillance. This video gives a good high level overview of the fundamental attacks possible against RingCT. The gold standard in privacy nowadays is the Zerocash protocol, which fully end-to-end encrypts transaction metadata including the sender and recipient addresses and the asset and amount that was sent. This end-to-end encryption provides much stronger privacy (revealing much less metadata) than the "obfuscation" offered by RingCT. Zerocash was first implemented in Zcash but has also been implemented (or more or less the same zero knowledge crypto technique implemented) in Piratechain, Ycash, Aztec, and Railgun, with several more projects in testnet phase working on it (Penumbra, Anoma, Panther, et al). The developers of the Liquid bitcoin sidechain have also said they are working on extending their existing Confidential Transactions (hiding assets and amounts) implementation to support unlinkability (hiding sender and recipient addresses) as well. Long story short, if any alternative chain is used to supplement the privacy offered by CoinJoin I would recommend using a chain that supports Zerocash transactions, and only use the encrypted Zerocash transactions if the chain supports both encrypted and transparent transactions.
Great read, thanks 🙏
reply
2018
isn't this outdate with the recent upgrades since then, Bulletproofs+ ?
reply
Bulletproofs+ makes the RingCT proofs smaller, it doesn't change the fundamental flaws with decoy protocols as described in the talk
reply
by the way, are you the spacechains guy ?
reply
k thanks, watching it now.
reply
Senders are the only part of Monero that uses decoys. The only part that is obfuscation.
Amounts and recievers are completely hidden with zk and encryption and don't appear on chain at all. The transaction graph doesn't exist like it does with Bitcoin or Liquid.
Liquid: Alice sent $[?] to Bob
Monero: 6% chance Alice sent $[?] to [?]
And the upcoming Seraphis upgrade will replace sender privacy via ring sigs completely with full membership proofs.
DASH's coinjoin is stronger than any other privacy solution besides Zerocash, its cheaper and much easier to use, and because DASH has instant transactions, you get fast, cheap private coins all the time with no history and an anonymity set of over 43 million (Zerocash's is 4.3 billion, but there's little difference at that scale).
Monero's anonymity set size for comparison is only 16. So it's much weaker than DASH.