Board: Altcoin Discussion
Re: Honestly, which is better? Monero or Dash?
by TPTB_need_war on 17/12/2015, 08:52:42 UTC
Why use this complex mixnet stuff (that won't really work well) when Zerocash elegantly solves the problem and is entirely autonomous. To quote smooth (he was referring to Cryptonote but he should have been referring to Zerocash), "a pigeon could carry your transaction to the block chain and it wouldn't matter". Let me rephrase that, "a truck with your name painted on the side could carry your transaction to the block chain and it wouldn't matter". With Zerocash, everything is hidden so even if you put your name in the transaction packets, it wouldn't affect your anonymity because no one can see any of the details of the transaction. All they will see is you put your name on this encrypted blob of data. So you are worried about the compromised key of Zerocash leading to a hidden inflation of the money supply (I was too), but it doesn't affect the anonymity in any case. Well even that has solutions, e.g. make multiple sets of keys and sign all transactions with more than one signature so you have more assurance that all of the keys weren't fraudulently generated. Or run Zerocash only as a mixer and net out all the coins in/out periodically to be sure it is not creating coins out-of-thin-air.

Well I don't agree with the bolded, and therefore I don't agree with your conclusions about zerocash. Conceding your IP traffic opens you up to a lot of timing and correlation attacks independent of the blockchain. The problem with blockchain analysis is that it can disclose a lot about you even if your net traffic is private. I contend you need both.

I also contend that the point of the pigeon example is that there will always be ways to make your net traffic private (at least what minimal net traffic is needed to send transactions), and even if regular users can't be relied upon to use great opsec, reasonably good opsec and network-level privacy can be automated and hidden where users don't need to know about it, just as end-to-end encryption in messaging apps now makes using encryption easy even though using encryption directly (and correctly) can be hard.

Anyway, all that really matters is that people make serious and competent efforts to solve these problems. Even if one project doesn't get everything right immediately, lessons can be learned and applied by others.

EDIT: The above was a bit too extreme. I do somewhat agree with the bold in that identifying one transaction doesn't support blockchain analysis to unravel a large part of the rest, which means the blockchain can't become an amplification of existing surveillance techniques. After all we don't expect that having a private blockchain by itself suddenly blocks all surveillance. I also agree (of course) that Zerocash is more effective in theory at protecting privacy than the techniques currently used in Monero. But then, comparing some future solution and assuming no undiscovered issues against something that exists now and is almost two years mature is always pretty one-sided. Likely that will apply to what we are now calling Zerocash at some time in the future as well.

Taking your edit into consideration, I don't have any disagreement. I also quoted AnonyMint (myself) yesterday in my thread:

Theoretically all the other anonymity paradigms can be unmasked by correlating IP addresses. That doesn't mean the others are useless, just not as 100% certain as Zerocash.

I want to emphasize the point in your edit that for most of us to maintain perfection on obfuscation of our IP address is really implausible. For example, some of us probably think we can just hop down to our local library or retail outlet and use the unregistered WiFi to escape correlation. But assuming you are hiding from the government and thus the NSA (e.g. taxation or being the developer of an unregistered investment security altcoin) the problem is, you may be the only person in your geographical area doing that, given how small the usage of, for example, XMR is. And by the time some CN coin is widely used, the governments will have outlawed anonymous WiFi.

If you really have a reason to be anonymous, then the threat level of losing your anonymity is typically measured in jail time. There simply isn't anything you can do to 100% assure your IP address is obfuscated. And the data is likely being saved forever so our future risk is never ameliorated (in spite of recent news that the NSA would delete archives of telephone conversations). Whereas, with Zerocash, up to the limitation of the failure of number theory, you are 100% protected from your IP address being correlated with your block chain activity. That is not a gradation of difference, rather it is a paradigmatic difference:

[...8<...]

Well that is the sort of statistical pattern that I think it implausible to hide if the person who needs to know thus can afford the resources to know.

I don't think that in this Technocracy age of Big Data one can hope to obscure patterns on large data sets. The generative essence of the implausibility is that the statistical patterns hidden at one layer leak into the next layer, so it becomes a requirement for a globally leak-proof synergy of activity in cyberspace. It seems futile from that high-level perspective. And I stubbornly didn't want to accept that, but having really looked deeply at the technical issues, I now lean to that being the hard reality.

That is why I posit that the paradigm of wealth stored in forms that others can easily emulate, tax, and expropriate is dying.

[...8<...]

---8<---

...but then the problem is the anonymity leaks as these anonymous mixes are then traded for coins in a system that is used in everyday commerce (e.g. microtransactions).

Granted maybe you can think of scenarios where privacy from other peeping Toms is the only goal and in that case Cryptonote alone (never mind Tor or I2P) is probably sufficient in most cases. But your threat level going forward is likely not just an individual, but rather the big data collection of corporations such as Facebook and Google which track every damn thing we do via cookies, etc. And the likelihood these behemoths will be forced to cooperate with the NSA in the coming 666 world order that is developing. Have you all not seen the proclamations of the G20 to cooperate on sharing information about tax evaders? Have you all not seen that China has 10 cameras on every rooftop and London apparently the same. And even if one argues these behemoths won't target you as a nobody, don't forget their employees or hackers could obtain the data and blackmail you or whatever.

Zerocash could possibly ameliorate that horrible future (because all incriminating data is entirely encrypted into a featureless blob before it leaves your computer). So I say paradigmatic distinction.

Smooth, you and I (and others) are leaders helping to ensure privacy of crypto (not just currency but also smart contracts). Let's get this right.

Zerocash can, I think, be altered to encrypt the smart contract data as well. Also it has a paradigmatic advantage over Ethereum in that the contract doesn't have to be rerun on every verification node, as I wrote in 2014:

Yes, Ethereum is one of the possible serious challengers to Bitcoin, and I've been aware of it for months behind the scenes. I am doubting the economics of how they tied their scripting into the mining. I fear it may be a fundamental flaw that could cause it to fail over time. Other than that, I think contracts change everything in the crypto-currency paradigm.

Also IMHO Ethereum's planned IPO model for starting a currency is flawed.

The second link above leads to a post which links to:

Charles & Vitalik,

I agree with the premise of decentralized database of contracts that eliminates centralized trust, but getting there requires we also pay attention to some realities.

As I explained to Charles on the phone last year, there is a fundamental flaw in your design which as far as I can see makes it untenable.

A Turing complete scripting layer run by the full clients (mining nodes) is subject to the Halting problem. You are begging for Murphy's Law due to centralizing chaos. When we run JavaScript in our Chrome browser, we are not requiring Google's servers to run the scripts. I see your mitigation is to charge the contract per line of code executed (beyond 16) for each transaction on the contract. However the cost of execution is "not one size fits all", thus you prevent innovation and bind together that which should be decentralized freedom.

Perhaps the tenable solution will be something along the lines of CoinWitness, where the script is run externally and only the proof is run by the mining nodes. On your blog you mention this technology but not for the purpose of fixing the problem I am claiming.

As I explained to Charles on the phone, I don't think your proof-of-work will remain consumer PC cpu-only.

Also you admit on your blog that you don't address the centralizing of mining.

Interested to see the progress you all make.

Note the technology in CoinWitness is essentially the zk-SNARKs employed in Zerocash.
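The quoted letter argues that a Turing-complete script run by every verifying node runs into the halting problem, and that the mitigation is to charge per instruction executed. The following is an added example, not code from the original post or from any of the projects discussed: a toy stack machine with an execution budget, showing that the verifier never has to decide whether a script halts, only whether its budget ran out. The instruction set, the per-operation cost table and the two sample programs are constructed for this example.

```python
# Added example (not from the original post): a toy metered stack machine.
# Every verifying node re-runs the script, so a script that never halts is
# stopped by its execution budget, not by deciding the halting problem.
# Hypothetical per-operation costs; deliberately not uniform, to show that
# "per line of code" pricing is a policy choice, not a property of the VM.
COST = {"push": 1, "add": 1, "dup": 1, "jmpnz": 2, "halt": 0}

def run(program, budget):
    """Execute `program`, a list of (op, arg) tuples, on a stack machine.

    Returns (status, stack, gas_used): status is "halted" when the program
    finished or fell off the end, and "out_of_gas" when the next instruction
    would exceed `budget`. The machine never charges more than `budget`."""
    stack, pc, used = [], 0, 0
    while pc < len(program):
        op, arg = program[pc]
        cost = COST[op]
        if used + cost > budget:          # check the budget before executing
            return ("out_of_gas", stack, used)
        used += cost
        if op == "push":
            stack.append(arg)
        elif op == "add":
            b, a = stack.pop(), stack.pop()
            stack.append(a + b)
        elif op == "dup":
            stack.append(stack[-1])
        elif op == "jmpnz":               # pop; jump to `arg` if non-zero
            if stack.pop() != 0:
                pc = arg
                continue
        elif op == "halt":
            break
        pc += 1
    return ("halted", stack, used)

# Constructed program: counts 3 down to 0, then halts (a terminating loop).
COUNTDOWN = [("push", 3), ("push", -1), ("add", None),
             ("dup", None), ("jmpnz", 1), ("halt", None)]

# Constructed program: the top of the stack is always 1, so the jump is
# always taken and the script never halts on its own.
INFINITE_LOOP = [("push", 1), ("dup", None), ("jmpnz", 1)]

if __name__ == "__main__":
    print(run(COUNTDOWN, 100))        # ('halted', [0], 16)
    print(run(INFINITE_LOOP, 20))     # ('out_of_gas', [1, 1], 20)
```

The budget bounds the work a verifier does per script regardless of what the script contains, which is the whole point of metering; whether the price per instruction is fair to every kind of contract is the separate economic objection the letter raises.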