1. Mining pools must be hidden services in a high-latency improvement over Tor. The low-latency Tor is shown in recent events and research to not be anonymous (as I had warned for over a year and everyone thought I was crazy). This is the only way that mining is truly decentralized in the sense that the authorities would not be in top-down control over mining and thus transaction processing. But the economics of mining pools is such that they will always trend to centralization, even if they are anonymous. At least we could hope for the situation we have now in Bitcoin where the users migrate away from a pool when it approaches 50% of the network hashrate. Mining pools as high-latency hidden services would increase significantly the latency (i.e. propagation delay) on the block chain network, thus block times probably could never be fast[1]. The orphan rate issue can probably be solved[2] so that dependence on propagation latency would be eliminated, but Vitalik has pointed out some of the complex interplay between propagation delay and fast block times[1]. Also we have to consider if it is possible to decrease the verification delay for propagation.
2. IP anonymity would be provided by the high-latency improvement over Tor. Block chain unlinkability and untraceability anonymity would need to be provided by prunable Cryptonote one-time ring-signatures. Ring-signatures can be pruned if the inputs that are allowed to be mixed in each ring are limited to a defined set for all in that set. The pruning occurs when all in that set have been spent. This is also necessary to eliminate overlapping rings which could otherwise be used (along with Sybil attacks) to correlate and unmask the anonymity (which is the unmasking algorithm I was paid 5 BTC by jl777 and 2.5 BTC by Monero folks for finding). Afaik, no Cryptonote coin yet implements this improvement. Afaics, Zerocash fails to interact with my solution to the problem of selfish-mining and rented hardware attacks. Zerocoin (e.g. Anoncoin) has problems[3]. CoinJoin (e.g. Darkcoin) is jammable and the only "solution" is to trust masternodes to unmask the anonymity and not reveal it, but the masternodes can be Sybil attacked; it also suffers from a simultaneity requirement. All on-chain anonymity mixing strategies are vulnerable to Sybil attack where the adversary sends many transactions to reduce the anonymity set sizes. One mitigation is to employ tx fees. Tx fees place a cost on the adversary and all the users. This tx fee must be sent to the ether, else an adversary would have an incentive to invest in mining to recover the cost. If the adversary controls a significant portion of the coin's money supply, the cost is significantly offset by the resultant deflation, but not for the other users who do not control a significant portion (I will not write down the math, perhaps someone will in the discussion). Net costs on the adversary must be higher than the value to the adversary of unmasking the anonymity. If we are talking about governments and tax authority (especially a world government or G20 cooperation), that value is high.

   If txs were charged mining hashrate, the adversary would be limited to a Sybil attack proportional to the adversary's portion of the network hashrate, and users would be limited by their hashrate as to the volume of txs they can send. If the threshold was set so that users typically only send tx volume which is 10% of their threshold (so they don't typically have a problem sending a tx), then the adversary could send 10X more tx volume than the proportion of his portion of the hashrate, e.g. with 10% of the hashrate the adversary could own (1 x 10)/(9 + 1 x 10) = 53% of the txs and thus 53% of the anonymity sets. A solution is users could send for mixing continuously at their maximum mining hashrate threshold without impacting their threshold to send a non-mixed tx, but non-mixed outputs would need to be marked so they aren't included in ring sets so they don't reduce anonymity set size. This encourages a design where users are always mining and mixing.
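The Sybil-dilution arithmetic in point 2 generalises to any adversary hashrate share and any honest utilisation of the quota. The following is an added worked example, not code from the original post; it assumes a model in which each participant's tx quota is proportional to their hashrate share, honest users spend only a fraction of their quota while the adversary saturates theirs, and ring members are drawn uniformly from the transaction pool (the "expected effective anonymity" formula is an assumption of that uniform-draw model, not something the post states). It reproduces the post's 10%-hashrate / 10%-utilisation case and shows how continuous mixing at full quota pins the adversary's share back to his hashrate share.

```python
"""Sybil dilution of ring anonymity sets under a hashrate-proportional tx quota.

Assumed model (not from the original post):
  * every participant may send tx volume up to a quota proportional to their
    share of network hashrate;
  * honest users only use `honest_utilisation` of that quota, while the
    adversary uses `adversary_utilisation` (1.0 = saturated);
  * ring mixins are drawn uniformly from the pool of eligible outputs, so the
    adversary's share of tx volume is his share of each ring's decoys.
"""
from fractions import Fraction


def _frac(x):
    """Exact rational from int, Fraction or decimal string/float (floats via str to avoid binary noise)."""
    return Fraction(str(x)) if isinstance(x, float) else Fraction(x)


def adversary_tx_share(adversary_hashrate, honest_utilisation, adversary_utilisation=1):
    """Fraction of all tx volume (hence of uniformly drawn ring decoys) the adversary controls."""
    a = _frac(adversary_hashrate)
    hu = _frac(honest_utilisation)
    au = _frac(adversary_utilisation)
    adversary_volume = a * au            # adversary saturates his quota
    honest_volume = (1 - a) * hu         # honest users use only part of theirs
    return adversary_volume / (adversary_volume + honest_volume)


def expected_effective_anonymity(ring_size, adversary_share):
    """Expected number of ring members NOT controlled by the adversary.

    The real spender always counts; each of the (ring_size - 1) decoys is
    honest with probability (1 - adversary_share) under uniform selection.
    """
    s = _frac(adversary_share)
    return 1 + (ring_size - 1) * (1 - s)


def sybil_table(hashrate_shares, honest_utilisations, ring_size=5):
    """Sweep the model; returns rows of (hashrate, utilisation, adversary share, effective anonymity)."""
    rows = []
    for a in hashrate_shares:
        for hu in honest_utilisations:
            share = adversary_tx_share(a, hu)
            rows.append((a, hu, share, expected_effective_anonymity(ring_size, share)))
    return rows


if __name__ == "__main__":
    # Constructed sweep: 10% adversary with honest users at 10% vs 100% (continuous mixing) of quota.
    for a, hu, share, eff in sybil_table(["0.05", "0.1", "0.25"], ["0.1", "1"], ring_size=5):
        print(f"adv hashrate {float(a):>5.0%}  honest util {float(hu):>4.0%}  "
              f"adv share of rings {float(share):6.1%}  effective ring members {float(eff):.2f}/5")
```

With honest utilisation 10% and an adversary at 10% of hashrate the adversary's share is 10/19, i.e. the 53% in the post, and a 5-member ring degrades to roughly 2.9 honest members on average; with honest users mixing continuously at their full quota the same adversary holds only 10% of ring members.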
3. All anonymity strategies that rely on elliptic curves or other variants of factoring trapdoors are not secure against future quantum computing and potential advances in factoring[4]. This is important because everything can be saved and past anonymity can be broken in the future, which is important if we are talking about snubbing government regulation and confiscations (ahem "taxes"). McEliece public key cryptosystems are secure against these. There is no known, well-vetted quantum-proof Diffie-Hellman, which Cryptonote depends on. Also there is no McEliece-based one-time ring signature, although I have seen a research paper for a McEliece ring-signature and another paper for zero-knowledge proofs in McEliece, so it might be possible. Note I am not referring to using elliptic curves for signing the tx, which is not the same risk as using them for the anonymity encryption; but in Cryptonote ring-sigs, these can't be unconflated.
[1] https://blog.ethereum.org/2014/07/11/toward-a-12-second-block-time/
    http://www.tik.ee.ethz.ch/file/49318d3f56c1d525aabf7fda78b23fc0/P2P2013_041.pdf
    http://bitcoin.stackexchange.com/a/4958
    https://bitcointalk.org/index.php?topic=250735.msg2666847#msg2666847
    https://eprint.iacr.org/2013/881.pdf#page=11
[2] https://bitcointalk.org/index.php?topic=339902.msg3647346#msg3647346
    https://bitcointalk.org/index.php?topic=600436.msg9692846#msg9692846
[3]
[4] http://cacm.acm.org/news/170850-french-team-invents-faster-code-breaking-algorithm/fulltext