Transparency in Bitcoin & Monero

by @barnaby in #crypto-news, 8 years ago (edited)

Bitcoin

Bitcoin is open and transparent. The protocol is open, the reference wallet is open-source and, most importantly, the blockchain is open. The transparency of the blockchain is key; it has been critical to the phenomenal success of Bitcoin.

The blockchain is the work of a genius, but it's really not that hard to understand. Any IT professional will already know the building blocks, such as public-key cryptography (key pairs and digital signatures) and hash functions, and the structure itself is straightforward and logical. There are tens of millions of people who could understand it with a day or two of study and then move on to analyzing the blockchain and verifying its integrity. And a lot of people have done this. There are large numbers of open-source tools available for dealing with Bitcoin, everything from independent implementations of the wallet in any programming language you can think of to analysis suites attempting to make some sense of the transactions taking place. The blockchain is constantly being examined by a large number of independent groups, and any abnormalities are identified very rapidly.

The transparency of the blockchain enables anybody to easily verify the following three characteristics:

  • no coins appear out of nowhere, except for those generated by mining - every input comes from an output
  • no coin is spent more than once - every output is used as an input once or not used at all
  • the total amount of coins that exist is equal to the total amount of coins that have been legitimately generated - the coins that exist are the sum of all the unspent outputs; the coins generated are the sum of the block subsidies, which is what the coinbase outputs add up to once you subtract the transaction fees they recycle (a coinbase may pay out at most the subsidy plus the fees of its block)

These three characteristics confirm that the Bitcoin system is working properly, that new coins are not being generated out of nowhere or disappearing into space. Critically, these characteristics can be confirmed completely independently of the Bitcoin protocol. There's no circular argument here, the ability to verify the correct functioning of the protocol does not depend on the protocol being correct.
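The three checks above, as an added example that is not part of the original post: a small Python audit that replays a constructed Bitcoin-style chain and verifies every input against the UTXO set, rejects double spends and inputs that do not exist, caps each coinbase at subsidy plus fees, and compares the surviving supply with the subsidies the consensus rules allowed. The block, transaction and output types, the amounts and the owner names are constructed for the example; it checks the ledger's accounting only, not scripts or signatures, which is exactly the part that needs nothing from the protocol software.

```python
"""Added example: independent audit of a Bitcoin-style UTXO chain.

Replays a constructed chain and checks the three properties from the text:
  1. every input refers to an existing, unspent output (nothing from nowhere),
  2. no output is spent twice,
  3. the coins that exist (sum of the UTXO set) never exceed the coins
     legitimately generated (sum of block subsidies).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class TxOut:
    value: int   # integer units, e.g. satoshis
    owner: str   # stands in for the real scriptPubKey


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: tuple   # outpoints (txid, index) being spent; () for a coinbase
    outputs: tuple  # TxOut values created


@dataclass(frozen=True)
class Block:
    subsidy: int    # block reward the consensus rules allow at this height
    txs: tuple      # txs[0] is the coinbase


def audit_chain(blocks):
    """Replay the chain from genesis; return (ok, report)."""
    utxo, spent, errors = {}, set(), []
    subsidy_total = coinbase_total = fees_total = 0
    for height, block in enumerate(blocks):
        coinbase, regular = block.txs[0], block.txs[1:]
        block_fees = 0
        for tx in regular:
            in_value = 0
            for outpoint in tx.inputs:
                if outpoint in spent:
                    errors.append(f"block {height} tx {tx.txid}: double spend of {outpoint}")
                elif outpoint not in utxo:
                    errors.append(f"block {height} tx {tx.txid}: input {outpoint} does not exist")
                else:
                    in_value += utxo.pop(outpoint).value
                    spent.add(outpoint)
            out_value = sum(o.value for o in tx.outputs)
            if out_value > in_value:
                errors.append(f"block {height} tx {tx.txid}: creates {out_value - in_value} from nowhere")
            else:
                block_fees += in_value - out_value   # the difference is the fee
            for i, o in enumerate(tx.outputs):
                utxo[(tx.txid, i)] = o
        if coinbase.inputs:
            errors.append(f"block {height}: coinbase {coinbase.txid} has inputs")
        cb_value = sum(o.value for o in coinbase.outputs)
        if cb_value > block.subsidy + block_fees:
            errors.append(f"block {height}: coinbase pays {cb_value}, allowed {block.subsidy + block_fees}")
        for i, o in enumerate(coinbase.outputs):
            utxo[(coinbase.txid, i)] = o
        subsidy_total += block.subsidy
        coinbase_total += cb_value
        fees_total += block_fees
    supply = sum(o.value for o in utxo.values())
    if supply > subsidy_total:   # fees are recycled, so only subsidies create coins
        errors.append(f"supply {supply} exceeds total subsidy {subsidy_total}")
    report = {"supply": supply, "subsidy_total": subsidy_total,
              "coinbase_total": coinbase_total, "fees_total": fees_total,
              "utxo_count": len(utxo), "errors": errors}
    return not errors, report


# Constructed sample chain (amounts and names are made up for the example).
CB0 = Tx("cb0", (), (TxOut(50, "alice"),))
T1 = Tx("t1", (("cb0", 0),), (TxOut(30, "bob"), TxOut(19, "alice")))   # fee 1
CB1 = Tx("cb1", (), (TxOut(51, "miner"),))                             # 50 subsidy + 1 fee
T2 = Tx("t2", (("t1", 0),), (TxOut(29, "carol"),))                     # fee 1
CB2 = Tx("cb2", (), (TxOut(26, "miner"),))                             # 25 subsidy + 1 fee
GOOD_CHAIN = (Block(50, (CB0,)), Block(50, (CB1, T1)), Block(25, (CB2, T2)))

# A bad block: spends (t1, 0) a second time and pays an inflated coinbase.
T3 = Tx("t3", (("t1", 0),), (TxOut(29, "mallory"),))
CB3 = Tx("cb3", (), (TxOut(100, "miner"),))
BAD_CHAIN = GOOD_CHAIN + (Block(25, (CB3, T3)),)

if __name__ == "__main__":
    for name, chain in (("good", GOOD_CHAIN), ("bad", BAD_CHAIN)):
        ok, rep = audit_chain(chain)
        print(name, "ok" if ok else "FAILED", rep)
```

On the good chain the audit reports a supply of 125, equal to the sum of subsidies (50 + 50 + 25) and to coinbase payouts minus recycled fees (127 - 2); on the bad chain it flags the double spend, the value created from nowhere, the over-paying coinbase and the resulting excess supply.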

Of course, the problem with this transparency is the lack of anonymity.

Monero

Monero is an alternative cryptocurrency built on the CryptoNote protocol. Unlike most alternative coins, CryptoNote is not an adjustment or evolution of the Bitcoin software but was designed and built from the ground up. It solves Bitcoin's anonymity problem, making all transactions anonymous, and includes some other great features such as one-time (stealth) destination addresses. It uses fascinating, complex math that has not seen widespread use.

And there's my first concern with Monero: the complexity. In my extensive experience as an engineer, complexity is a big cause of problems. Simple stuff works, complex stuff breaks. Whether you're talking about security, availability or performance, the simpler the better. It's a minor concern, but my spider-senses are tingling.

And then there's the math itself. In math, some stuff is provably true but a lot, particularly in the field of cryptography, is not. The history books are littered with "absolutely perfect" cryptosystems which, it turns out, were far from perfect. Some of the math is backed by some seriously respectable names in crypto mathematics, but this stuff definitely falls into the set of systems that cannot be proved to be correct. All that we can say is that no-one is known to have broken this math. Which is okay, but remember this because it comes up later.

And then there's the implementation: implementing complex systems is difficult. Just look at the number of IT security vulnerabilities that are constantly being found, and then imagine how many are not being found. Just because it looks like the math might be solid does not mean that it's been implemented correctly.

Let's look at the Monero blockchain. Now we have a problem: we can't trace coins through the blockchain. That is of course by design; it's how Monero achieves its anonymity.

For each input of a transaction, Monero spends one real output from a previous transaction and mixes it with several "fake" inputs. They aren't really fake: they're legitimate outputs selected from the blockchain, but the person who generated the transaction doesn't have the private keys to them, and they're only used to hide the real input. The set of inputs is signed using a "ring signature", a technique that proves the signer holds the private key of one of the inputs in the ring without revealing which one.

So, with transactions like that, we can't tell which input to the transaction has actually been spent. An output of a transaction may appear as an input to many transactions, but it is only really spent in one of them.

Given this type of blockchain, lets look at the characteristics listed above:

  • no coins appear out of nowhere, except those generated by mining - yes, this can be verified. Every input refers to a real output on the chain, and every output of a transaction comes from one of the inputs.
  • no coin is spent more than once - an output may appear as an input to several transactions, but we can't tell in which of them it is really spent, so from the inputs alone we can't tell whether the output has been spent or not. Monero's "key image" is what prevents double spending, and we can certainly verify that each key image has only been used once. But the question was whether we can verify that the coin has not been spent more than once. If we assume that the key image works as intended, then yes, we can say that a coin has not been spent twice, but that's a big assumption and that is not independent verification.
  • the total amount of coins that exist is equal to the total amount of coins that have been legitimately generated - we can count the coins generated by mining, but we can't tell which outputs have been spent and therefore we can't calculate the total amount of coins that exist. So no, we can't tell whether the total amount of coins that exist is equal to the total amount of coins that have been legitimately generated.
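To make the ring-signature and key-image discussion above concrete (the transaction description and the three checks applied to Monero), here is an added example that is neither Monero's code nor the post author's: a linkable ring signature in the LSAG style with a CryptoNote-style key image I = Hp(P)^x, implemented over a toy Schnorr group with a small safe prime so that it runs with the Python standard library alone. The group parameters, the hash-to-group construction and the `RingLedger` class are assumptions made for the example, and the parameters are far too small to be secure. What it shows is the situation the list describes: an auditor can check that every ring member is a real output, that the signature verifies and that no key image repeats, but the verifier never learns which ring member was spent, so a UTXO-style supply count is not available from the chain data.

```python
"""Added example: LSAG-style linkable ring signature with a CryptoNote-style
key image over a TOY Schnorr group.  Not Monero's code, not secure parameters."""
import hashlib
import secrets

# Toy group (assumption for the example): safe prime P = 2*Q + 1; G = 4 = 2^2
# generates the subgroup of prime order Q.  Real systems use ed25519.
P = 2579
Q = 1289
G = 4


def h_scalar(*parts):
    """Challenge hash: arbitrary parts -> scalar mod Q."""
    data = "|".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def h_point(pub):
    """Hash a public key to a non-identity element of the order-Q subgroup
    (CryptoNote's Hp).  Squaring mod a safe prime lands in that subgroup."""
    ctr = 0
    while True:
        x = int.from_bytes(hashlib.sha256(f"Hp|{pub}|{ctr}".encode()).digest(), "big") % P
        h = pow(x, 2, P)
        if h > 1:          # skip 0 and 1, which are useless as generators
            return h
        ctr += 1


def keygen():
    """Return (secret x, public key G^x)."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def key_image(x, pub):
    """I = Hp(pub)^x: fixed per key, so a second spend reuses the same I."""
    return pow(h_point(pub), x, P)


def ring_sign(msg, ring, j, x):
    """Sign msg as ring[j] with secret x.  Returns (c0, [s_i], I)."""
    n = len(ring)
    I = key_image(x, ring[j])
    c, s = [0] * n, [0] * n
    alpha = secrets.randbelow(Q - 1) + 1
    L = pow(G, alpha, P)
    R = pow(h_point(ring[j]), alpha, P)
    c[(j + 1) % n] = h_scalar(msg, L, R)
    for k in range(1, n):                    # walk from j+1 round the ring to j-1
        i = (j + k) % n
        s[i] = secrets.randbelow(Q)          # decoys get random responses
        L = pow(G, s[i], P) * pow(ring[i], c[i], P) % P
        R = pow(h_point(ring[i]), s[i], P) * pow(I, c[i], P) % P
        c[(i + 1) % n] = h_scalar(msg, L, R)
    s[j] = (alpha - c[j] * x) % Q            # only the real key can close the ring
    return c[0], s, I


def ring_verify(msg, ring, sig):
    """Recompute the chain of challenges; valid iff it closes on c0.
    Every ring member is treated identically: nothing reveals the signer."""
    c0, s, I = sig
    if len(s) != len(ring) or pow(I, Q, P) != 1:   # I must lie in the subgroup
        return False
    c = c0
    for pub, s_i in zip(ring, s):
        L = pow(G, s_i, P) * pow(pub, c, P) % P
        R = pow(h_point(pub), s_i, P) * pow(I, c, P) % P
        c = h_scalar(msg, L, R)
    return c == c0


class RingLedger:
    """What an outside auditor of a CryptoNote-style chain can check (assumed helper)."""

    def __init__(self, outputs):
        self.outputs = set(outputs)   # every output (public key) ever created
        self.key_images = set()       # every key image ever seen on the chain

    def accept(self, msg, ring, sig):
        if any(pub not in self.outputs for pub in ring):
            return "rejected: ring member is not a known output"
        if not ring_verify(msg, ring, sig):
            return "rejected: invalid ring signature"
        if sig[2] in self.key_images:
            return "rejected: key image already used (double spend)"
        self.key_images.add(sig[2])
        return "accepted"


def demo():
    """Spend one output, then try to spend it again behind a different ring."""
    keys = [keygen() for _ in range(4)]            # constructed outputs
    ring = [pub for _, pub in keys]
    x, _pub = keys[2]
    ledger = RingLedger(ring)
    first = ledger.accept("tx1", ring, ring_sign("tx1", ring, 2, x))
    second = ledger.accept("tx2", ring[1:], ring_sign("tx2", ring[1:], 1, x))
    return first, second, len(ledger.key_images)

if __name__ == "__main__":
    print(demo())
```

The ledger accepts the first spend and rejects the second purely because the key image repeats, even though the second transaction uses a different ring; but nothing in `ring_verify` tells the ledger which of the four outputs is now gone, which is why the supply check from the Bitcoin section has no counterpart here.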

Conclusion

We cannot independently verify that the Monero blockchain is correct. The currency depends on the complex math, which cannot be proven to be correct. How do we know that some genius somewhere has not figured out a way to bypass the "key image" that prevents double spending? With a transparent blockchain, we would know if someone was duplicating coins or generating coins out of thin air. With Monero, we won't ever know.

TL;DR: It is not possible to independently verify the Monero blockchain. In finance, that's a big fail.


Monero is quite the antithesis of complex. Yes, parts of the cryptography are more complex than Bitcoin's, but as a counterpoint Bitcoin's scripting system is orders of magnitude more complex than what Monero allows. This, too, is fraught with "complexity", "tingling spider senses", claims of new functions being "untested", and worries about "implementation issues".

In fact, the problems you raise with Monero's cryptography are far more trivially answered than problems arising from a custom, previously unknown and untested scripting language. That's because much of Monero's core cryptography is bog standard, and relies on a known-good implementation in SUPERCOP (from which libsodium / TweetNaCl et al. are derived).

As to the concerns about key images, they are neither complex nor are they unproven. The paper in which this scheme is described is the 2006 paper by Eiichiro Fujisaki and Koutarou Suzuki on Traceable Ring Signatures. It has a decade of review, and scores of citations in other papers, so unless you have some novel attack to demonstrate we can safely assume it presents no more risk than Bitcoin's use of SHA-256, which was introduced just a few years before.

More importantly, Fujisaki's traceable ring signatures were an extension of linkable ring signatures, which are established and improved in the following papers (links not provided, use Google) -

  • J. K. Liu, V. K. Wei, and D. S. Wong. Linkable spontaneous anonymous group signature for ad hoc groups (extended abstract). In ACISP 2004, volume 3108 of Lecture Notes in Computer Science, pages 325–335, 2004.

  • P. P. Tsang, V. K. Wei, T. K. Chan, M. H. Au, J. K. Liu, and D. S. Wong. Separable linkable threshold ring signatures. In INDOCRYPT 2004, volume 3348 of Lecture Notes in Computer Science, pages 389–398, 2004.

  • J. K. Liu and D. S. Wong. Linkable ring signatures: Security models and new schemes. In ICCSA 2005, volume 3481 of Lecture Notes in Computer Science, pages 614–623, 2005.

  • P. P. Tsang and V. K. Wei. Short linkable ring signatures for e-voting, e-cash and attestation. In ISPEC 2005, 2005.

  • M. H. Au, S. S. M. Chow, W. Susilo, and P. P. Tsang. Short linkable ring signatures revisited. In EUROPKI 2006, volume 4043 of Lecture Notes in Computer Science, pages 101–115, 2006.

If you want to learn more about how Monero's cryptography works, which I strongly advise before writing another article, then I'd recommend the Monero Research Lab primer, "Monero is Not That Mysterious".

tl;dr it is silly to claim that it's not possible to independently verify the Monero blockchain, that's like claiming it's impossible to verify the Bitcoin blockchain because anyone could have brute-forced a Bitcoin private key, or found a hash collision.

@fluffypony is the main developer of Monero and he just slapped you around like a red-head step child!
