Topic: Re: [ANN][MRO] Monero - Anonymous Currency Based on Ring Signatures
Board: Announcements (Altcoins)
by David Latapie on 09/05/2014, 10:22:51 UTC

This coin sounds pretty cool.
Can someone explain ring signatures to me?

Thanks
eizh made quite an interesting answer on reddit:

http://www.reddit.com/r/Monero/comments/24u04w/how_does_this_compare_to_other_anonymous_and/

Quote
I wrote a bit about this in the main post on bitcointalk. Reproduced below. It's mildly technical. If you have questions just ask here and I'll answer.
Ring signatures originate from the work of Rivest et al. in 2001 and the implementation in CryptoNote relies in particular on Fujisaki and Suzuki's work on traceable ring signatures. There are two other anonymity implementations currently available or in development. One is ZeroCoin/ZeroCash's use of zero-knowledge proofs. The others are based on gmaxwell's CoinJoin idea (such as mixing services for Bitcoin or the altcoin DarkCoin).
You can read about zero-knowledge proofs here. This is research-level cryptography that hasn't been subjected to years of cryptanalysis, so exploits may emerge down the road. Other issues include the RSA private key used to initiate the accumulator, which must be trusted to be destroyed by the generating party. It also obscures the entire economy, not just sender/receiver identities. This can be problematic if there are bugs that lead to inflation or manipulation because the damage is hidden from everybody.
MRO is more qualitatively similar to mixing implementations like CoinJoin. The differences arise in the departure from the Bitcoin protocol, which allows MRO to use new cryptography to provide decentralized and trustless mixing. The critical problem with mixing services is the need to trust the operators. As an example, blockchain.info's mixer gives the following disclaimer: "However if the server was compromised or under subpoena it could be force to keep logs. If this were to happen although you haven't gained any privacy you haven't lost any either."
The CoinJoin-inspired DarkCoin performs mixing with selected "masternodes" since it still uses ordinary signatures that can be mapped one-to-one. This is an improvement over a more centralized mixing service since a randomly-selected node is less likely to exhibit bad faith (such as keeping logs). However, this approach still relies on the health and good behavior of the nodes, which MRO's more fundamental approach is not vulnerable to.
MRO's ring signatures are also vastly more secure and convenient than CoinJoin because they mix outputs not transactions. This means a transaction doesn't involve waiting around to mix with others. Nor is a user restricted to mixing only if others are spending exactly the same amount. Arbitrary amounts can be sent at any time without the participation of others. This feature makes a timing analysis of the blockchain useless for mapping identities. The degree of anonymity is also a choice rather than decided by the protocol: do you want to be hidden as one among five or one among fifty? The size of the signature grows linearly with the ambiguity so greater anonymity is paid for with higher fees to miners.

Also see the ANN
How does this compare to other anonymous solutions?

Ring signatures originate from the work of Rivest et al. in 2001 and the implementation in CryptoNote relies in particular on Fujisaki and Suzuki's work on traceable ring signatures. There are two other anonymity implementations currently available or in development. One is ZeroCoin/ZeroCash's use of zero-knowledge proofs. The others are based on gmaxwell's CoinJoin idea (such as mixing services for Bitcoin or the altcoin DarkCoin).

You can read about zero-knowledge proofs here. This is research-level cryptography that hasn't been subjected to years of cryptanalysis, so exploits may emerge down the road. Other issues include the RSA private key used to initiate the accumulator, which must be trusted to be destroyed by the generating party. It also obscures the entire economy, not just sender/receiver identities. This can be problematic if there are bugs or exploits that lead to inflation or manipulation because the damage is hidden from everybody.

MRO is more qualitatively similar to mixing implementations like CoinJoin. The differences arise in the departure from the Bitcoin protocol, which allows MRO to use new cryptography to provide decentralized and trustless mixing. The critical problem with mixing services is the need to trust the operators. As an example, blockchain.info's mixer gives the following disclaimer: "However if the server was compromised or under subpoena it could be force to keep logs. If this were to happen although you haven't gained any privacy you haven't lost any either."

The CoinJoin-inspired DarkCoin performs mixing with selected "masternodes" since it still uses ordinary signatures that can be mapped one-to-one. This is an improvement over a more centralized mixing service since a randomly-selected node is less likely to exhibit bad faith (such as keeping logs). However, this approach still relies on the health and good behavior of the nodes, which MRO's more fundamental approach is not vulnerable to.

MRO's ring signatures are also far more secure and convenient than CoinJoin because they mix outputs not transactions. This means a transaction doesn't involve waiting around for other senders to mix with. Nor is a user restricted to mixing only if others are sending the same amount. Arbitrary amounts can be sent at any time without anyone else's participation. This feature makes a timing analysis of the blockchain useless for mapping identities. The degree of anonymity is also a choice rather than decided by the protocol: do you want to be hidden as one among five or one among fifty? The size of the signature grows linearly as O(n+1) with the ambiguity so greater anonymity is paid for with higher fees to miners.
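
To make the "one among n" idea and the linear signature size concrete, here is an added example (not from the post, the ANN, or CryptoNote's code): a Schnorr-style ring signature in the manner of Abe, Ohkubo and Suzuki, which is simpler than the traceable scheme CryptoNote uses and has no key image for double-spend detection. The group parameters and all function names are assumptions chosen for illustration and are not secure.

```python
import hashlib
import secrets

# Toy parameters (assumption, NOT secure): integers modulo the prime 2^255 - 19.
P = 2**255 - 19
G = 2
N = P - 1  # exponents can be reduced mod P-1 (Fermat's little theorem)

def challenge(msg, ring, commitment):
    data = repr((msg, tuple(ring), commitment)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def keygen():
    x = secrets.randbelow(N - 1) + 1           # private key
    return x, pow(G, x, P)                     # (private, public)

def sign(msg, ring, idx, x):
    """Sign msg as ring[idx]; the other keys are decoys whose owners do nothing."""
    n = len(ring)
    c, s = [0] * n, [0] * n
    k = secrets.randbelow(N - 1) + 1
    i = (idx + 1) % n
    c[i] = challenge(msg, ring, pow(G, k, P))  # start the chain after the signer
    while i != idx:                            # simulate each decoy's step
        s[i] = secrets.randbelow(N)
        nxt = (i + 1) % n
        c[nxt] = challenge(msg, ring, pow(G, s[i], P) * pow(ring[i], c[i], P) % P)
        i = nxt
    s[idx] = (k - c[idx] * x) % N              # only the real key can close the ring
    return [c[0]] + s                          # n + 1 integers

def verify(msg, ring, sig):
    c0, s = sig[0], sig[1:]
    if len(s) != len(ring):
        return False
    c = c0
    for y, si in zip(ring, s):                 # same computation for every member
        c = challenge(msg, ring, pow(G, si, P) * pow(y, c, P) % P)
    return c == c0                             # chain must return to its start

if __name__ == "__main__":
    keys = [keygen() for _ in range(5)]
    ring = [pub for _, pub in keys]
    sig = sign("constructed sample message", ring, 2, keys[2][0])
    print(verify("constructed sample message", ring, sig), len(sig))
```

The verifier treats every ring position identically, so a valid signature shows only that one of the listed keys signed; a ring of 5 yields 6 integers and a ring of 50 yields 51.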