..."privacy" was never a monetary property in its own right...
Can you distinguish one ounce of gold from another? One stack of $100 bills from another? (Not really.) The point is that you can distinguish one bitcoin from another, as lots of folks that have been banned from Coinbase have found out, and that is a problem. With Monero this is much less of a problem, or not a problem at all.
That's fungibility.
Anonymity isn't the only way to achieve fungibility, but yeah, I agree with you.
Fungibility is important to any type of currency and a big problem in bitcoin (probably one of the main reasons against massive adoption).
With a block chain type of currency (aka a crypto currency), anonymity IS the only way to obtain fungibility.
In fact, both notions are about equivalent, even though they inspire different ideas. Anonymity comes down to "only A and B know about the transaction from A to B". Fungibility comes down to "when A pays B, B doesn't know where A got the money from". This is in fact almost the same notion.
The difference seems to reside in this:
With anonymity, nobody knows about A paying B, except A and B themselves. With fungibility, everybody may potentially know that A paid B, but shouldn't know where A's money came from. But one sees that this doesn't work. Because if everybody knows that A paid B, and everybody knows who paid A, then one DOES have knowledge where the money came from that A used to pay B, and fungibility is gone again.
So the only way to reach fungibility is anonymity. Hence both notions are equivalent.
Now, a block chain is all about being able to verify publicly that there is a conservation (or an accepted form of creation) of currency by having a list of publicly known transactions where that conservation is known to be valid (or that creation is known to be according to the accepted rules). The most obvious way is to see all transactions. Then you can verify obviously that conservation holds, and that every coin can be traced back to an agreed-upon way of creation.
As such, if in the block chain, it is possible for B to know where A got his money from, the currency of that chain is not fungible. But that seems to pose a problem. How can one have a "chain of transactions back to the moment of creation" (which is the verification mechanism of a block chain) and at the same time "not know where the money came from" (which is the concept of fungibility)? People like toknormal seem to think that this is fundamentally a contradiction. They think that a block chain implies automatically lack of fungibility and lack of anonymity. However, they miss that "tracing back a coin" is only ONE way to verify conservation of money in a transaction, and legit creation, which is the essential part of a monetary asset. Are there others?
Well, Monero and Zcash are two examples of how this can be achieved cryptographically with two different techniques: ring signatures versus zero knowledge proofs. The cryptography used allows both to verify the validity of transactions or of creation (which was the reason why the block chain was invented), and at the same time, to hide the origins of the funds to some extent.
DASH and mixers do it in a different way, by using the "partial fungibility" of a multiple-input multiple-output transaction.
In all these anonymisation techniques, the block chain still proves conservation of money in transactions, and legit creation, but doesn't do this by showing the explicit transactions, but simply by providing proofs of the check sums in different ways.
They reconcile, in different ways, the apparent contradiction between the concept of a block chain on one hand, and the monetary necessity of fungibility which comes down to anonymity.
In a mixer like with DASH, if A paid B, but mixes with C who paid D, E who paid F and so on, we end up only knowing that A, B and C paid someone, and that D, E and F got paid and that the balances check. This is what is needed for the monetary asset. However, privacy information is leaked, in that we know that D got paid by A, B or C, that E got paid by A, B or C, and that F got paid by A, B or C, and that A, B and C did spend their money.
With Monero, something similar happens. If A paid B, we know that A, D, E or F paid B. It could also be that A actually paid Q, or that D paid Z. However, we know cryptographically that if ever it was A that paid B, that A won't be able to spend that money again; that if ever it was D, he won't be able to spend it again, etc.... but if it wasn't A, A can still spend it, so maybe A didn't spend his coins after all. In other words, we know that the balances check. But we don't know which balances, and we don't know who did spend his coins and who didn't.
With ZCASH, we only know that, if B can pay you with a note, that he got that note from someone else, who can't spend it any more, but who got it himself from someone else etc.... until the conversion of a legit "open" coin into a note. (unless someone kept the golden key and can produce notes at will...)
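The mixer case described in the post above, worked through as an added example that is not part of the original thread: an observer of one multiple-input multiple-output transaction can confirm that the balances check, and can list which payers remain possible for each payee. The names, amounts and the one-payer-to-one-payee, no-fee model are assumptions constructed for illustration; the second sample shows how a distinctive amount shrinks the candidate set to one.

```python
from itertools import permutations


def conserved(inputs, outputs):
    """Public check: total paid in equals total paid out (no fee modelled)."""
    return sum(inputs.values()) == sum(outputs.values())


def consistent_mappings(inputs, outputs):
    """Every one-to-one payer -> payee assignment whose amounts match."""
    payers = list(inputs)
    found = []
    for payees in permutations(outputs):
        if all(inputs[p] == outputs[q] for p, q in zip(payers, payees)):
            found.append(dict(zip(payers, payees)))
    return found


def candidate_payers(inputs, outputs):
    """For each payee, the payers an observer cannot rule out."""
    candidates = {payee: set() for payee in outputs}
    for mapping in consistent_mappings(inputs, outputs):
        for payer, payee in mapping.items():
            candidates[payee].add(payer)
    return candidates


# Constructed sample data (hypothetical parties and amounts).
EQUAL_IN = {"A": 10, "B": 10, "C": 10}     # equal amounts: full ambiguity
EQUAL_OUT = {"D": 10, "E": 10, "F": 10}
UNEVEN_IN = {"A": 10, "B": 10, "C": 25}    # one distinctive amount
UNEVEN_OUT = {"D": 10, "E": 25, "F": 10}

if __name__ == "__main__":
    for label, ins, outs in (("equal", EQUAL_IN, EQUAL_OUT),
                             ("uneven", UNEVEN_IN, UNEVEN_OUT)):
        print(label, "balances check:", conserved(ins, outs))
        print("  possible mappings:", len(consistent_mappings(ins, outs)))
        for payee, payers in sorted(candidate_payers(ins, outs).items()):
            print(f"  {payee} was paid by one of {sorted(payers)}")
```

With equal amounts every payee keeps all three payers as candidates; with the uneven amounts E is tied to C, which is the kind of leak that makes mixed outputs distinguishable again.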