Is Monero’s (or All) Anonymity Broken?steemCreated with Sketch.

in #cryptocurrency4 years ago (edited)

Cryptonote anonymity algorithm cryptocurrencies such as Monero are designed to be honeypots.

I discovered that hypothetically every anonymity technology (except Zerocash*) has a pathological, irreparable design flaw outlined below, which renders the anonymity undependable. Worse yet, there might be no way for users to know their anonymity has been compromised because the perpetrator would want to maintain the deceit of the valuable honeypot; which by the way, is also the case with Tor.

A honeypot is a Trojan horse subterfuge disguised as something (i.e. the “honey”) that is needed to achieve a goal (e.g. anonymity) which defeats the goal that was sought.

“Beware of Geeks bearing gifts”

* This blog discusses Zerocash (not zerocoin!), which is the original name of the technology employed in Zcash and its clones. This blog compares the technology of Zerocash to the Cryptonote/RingCT technologies in Monero and clones. This blog is not claiming that the Zcash token or any particular clone is superior to Monero as an investment. See the discussion in the comments for more details.

List of low-latency mixnet (i.e. Tor or I2P) vulnerabilities include: this, this, this, this, this, this and this.

Divide and Conquer

The flaw is that the set of transactions mixed together that provides the anonymity set, is never all of the unspent transactions (UTXO) on the blockchain.

Thus, the miners can Sybil attack by creating transactions that spend to self, filling up the anonymity sets with as many of their own (i.e. “white sheep”) transactions as is necessary to deanonymize each honest (i.e. “black sheep”) payer.

These filler transactions cost the miner nothing because the perpetrating miner surreptitiously pays the outputs and the transaction fees to self.

It is unknowable which transactions were created by the miner, because there is no linkage (not even in proof-of-stake) between UTXO and the identify of the entity (“miner”) that appends a block of transactions to the blockchain. Thus the undetectable perpetrating miner can even recoup the transaction fees of sending transactions to blocks created by non-complicit miners, by including offsetting non-complicit transactions in the perpetrating miner’s blocks. Thus, users can’t defeat this vulnerability by limiting their mixes to transactions of blocks from miners they trust, because they are unable to distinguish the complicit transactions from the non-complicit ones—i.e. the complicity (identity) of the transactions can be Sybil attacked because that is the definition of anonymity.

Thus the perpetrator will own X% of the transactions in every anonymity set, where X is the perpetrator’s percentage of the network hashrate. And I will explain further how this vulnerability combined with two other vulnerabilities can enable the perpetrator to deanonymize (i.e. unmask the anonymity of) the users.

When I had discussed this vulnerability with @smooth earlier this year, he claimed complicit miners would deprive themselves of income if the block size is limited and blocks are full, because perpetrating miners would displace transaction fee income with their own transactions. At the time, I responded that a perpetrator with 51% of the hashrate could make sure only his blocks were allowed on the blockchain. But I henceforth realized that both of our superficial analyses were incorrect. I was incorrect because orphaning of 49% of the blocks would be an unambiguously detectable attack due to the long-term sustained sky high orphan rate (which normally is roughly < 1%). And @smooth was incorrect because:

Thus perpetrating miners wouldn’t care about displacing 2% of their total rewards, when by doing so they can gain access to a very valuable honeypot.

And also to correct an ostensibly implicit misunderstanding that both @smooth and I had concerning whether Monero’s dynamically-adjusting block size algorithm has any impact on this vulnerability. Note that whether the block size is limited or not has nothing to do with the vulnerability, because if the perpetrator attempted to create for free more than X% of the transactions, the excess must go in the perpetrator’s blocks (else the transaction fees cost will not be offset) and thus users could choose to not mix with transactions from larger blocks.


Some people are inclined to emphasize that the number of Monero transactions are too small; and the perpetrator wouldn’t have been around during the first three years of blockchain history. But it is the value of transactions and the value of any “illicit” activity being enabled by them that drives the economic value of the honeypot, such as to law enforcement and draconian capital controls frenzy descending on the world. The FBI has mentioned Monero is on its radar. And ratio between the complicit and non-complicit transactions in the recent UTXO (which isn’t knowable) is what matters, not the number of transactions. The older UTXO are harmful for mixing in recent transactions as explained in the subsequent Overlapping Mix Sets section.

For analyzing how large X% may be, proof-of-work mining always becomes concentrated by those who have the most economies-of-scale. For example, Bitmain does not have to mine with all the ASICs it manufacturers in order to extract the majority of all the profit that is produced by mining with the said ASICs. The economics and game theory trend to oligarchy control over mining is the norm—not a roll of the dice. And for Cryptonote/Monero, the perpetrator has the added advantage of gaining additional value from this vulnerability that the non-complicit miner doesn’t. Economics rules outcomes. Selling access to the honeypot is irrefutably more profitable than not doing so, unless offsetting costs of doing so are too great. That applies even with Monero’s current CPU/GPU mining; and note that every proof-of-work algorithm can given sufficient capital investment be ASIC mined with orders-of-magnitude more efficiency (even @tromp agrees there are no possible exceptions!). Due to the natural phenomenon of economies-of-scale concentration, there are only two semiconductor chip fabs in the world which make all 14/16nm ASICs.

Additionally, per the research mentioned in the prior section, Monero’s perpetual (“tail”) block reward will not prevent its proof-of-work from becoming dysfunctional in the future, in the absence of an oligarchy of miners. But an oligarchy of miners would have an economic incentive to sell access to the deanonymization honeypot, because absent a whistle-blower like Edward Snowden, no one will know (or at least be able to prove) that such access and honeypot is deployed.

Dash, CoinJoin, and Masternodes

Silently deanonymizing the minions does not disturb the profit applecart of mining and speculation, as evident by Dash’s (not Dashcoin) speculation market success even though no one—who properly understands anonymity technology—uses Dash’s masternode scam honeypot which is analogous to the lack of robust anonymity provided by a VPN.

I wrote:

As I had been the first to point out in 2014 that CoinJoin can always be jammed, and thus masternodes were required in order to make CoinJoin functional. And as you explain, masternodes compromise the anonymity.

I also found a high school level probability math error in Dash’s security.

Combinatorial Blockchain Analysis Deanonymization

With the vulnerability of the Divide and Conquer section, the perpetrator owns (i.e. knows the identify of) X% “white sheep” transactions in every anonymity set mix. But with that information alone, it is unknown which of the remaining (100 − x)% “black sheep” is the payer—i.e. all the remaining “black sheep” UTXO in the anonymity set mix are equiprobable to be the payer.

However, the perpetrator has at least two additional vulnerabilities which can be exploited together to form a combinatorial analysis which further narrows the unknowns in the anonymity set mixes to potentially a single “black sheep” payee.

Metadata Correlation

Firstly, although any given payee might be diligent about always employing a different IP address for every spend transaction, in general not all payees will, because as of now it is inconvenient, many users are ambivalent/unaware, and for the medium-term future probably eventually implausible for most users as governments clamp down on for example WiFi hotspots that do not adhere to increasingly draconian user tracking regulations. And even if users do employ a different IP address for every spend transaction, many of them due to their ignorance of the technical issues will still be correlated by other metadata such as browser fingerprints, web browsing activity, viruses on their device, etc..*

Such metadata correlation enables a linkage between spend transaction in any case, and possibly even identifying the person signing them (if the metadata can be linked to a real identity). But that doesn’t identify which UTXO “black sheep” in anonymity sets is the payer. To correlate to the UTXO, the payer would have not been running a full node when the UTXO was received as a payee. Because the payee would have linked his IP address (or potentially other metadata) to the UTXO when requesting that a full node scan for incoming payments.

Thus for the Cryptonote ring signatures (including Monero’s RingCT upgrade), the perpetrator is able to identify which of the “black sheep” in anonymity sets is the payer when correlating the same IP address (or other meta data) between ring signature mix transactions because for example users don’t run a full node or otherwise leak metadata correlations.

     .     .     .

* I’m referring here to a perpetrator which has the resources of the national security agencies or is otherwise earning enough from having the profit advantage in mining provided by the honeypot, to hire an army of hackers, payoff insiders at ISPs, etc..

Some claim that absolute anonymity from national security agencies is not the most popular goal; rather that privacy from the general public is the more realistic goal. But such a distinction may not actually exist especially for businesses and high net worth individuals (i.e. the market that actually needs privacy), because private data as seen by nodes on the network often has a market value to various data mining markets (when aggregated for many users). For example, economics should dictate that metadata such as IP address is not likely obscured from the data mining market even when using a VPN unless users are paying more to the VPN service to obscure identity than that VPN (or a Sybil attacker combined with timing analysis on the low-latency of VPNs) can earn on the open market for revealing the data. Hackers already routinely hack secret data then auction it off on the Internet. “Elementary [economics] my dear Watson”.

Overlapping Mix Sets

Every payee must mix his transaction with other UTXO to form an anonymity set mix (which obviously is a subset of all the transaction outputs), but it is unknowable which of those UXTO (of those which aren’t owned by the perpetrator, which is also publicly unknowable) are compromised as explained in the prior section. Although that doesn’t directly identify the remaining payees who were diligent not to use the same IP address for each spend transaction, it does convert those identified careless “black sheep” into “white sheep” thus further decreasing size of the set of "black sheep" in anonymity sets which are equiprobable to be the remaining diligent payees. In other words, the carelessness of other users reduces the effective anonymity set size of the diligent users, in addition to the reduced anonymity set size due to the vulnerability of the Divide and Conquer section. And note that increasing the size of the anonymity set mixes (or equivalently mixing over and over again), doesn’t improve matters because the two vulnerabilities mentioned thus far scale proportionally to the anonymity set mix size—i.e. the number of bad apples is a proportion.

Secondly, the perpetrator has another vulnerability to exploit to further narrow the remaining diligent “black sheep” to one per anonymity set.

Ring signature transaction enable the payer to select which UTXO to mix into the anonymity set of his spend transaction (obviously in order to obscure which of the UTXO is the payee, the deanonymization of which is what we are discussing). Thus there is no restriction to prevent different spend transactions from having overlapping sets of UTXO. If these instances of overlap exceed the number of equiprobable unknown “black sheep”, then through a process of elimination it is mathematically possible to identify the payer of each spend transaction. Note that there is nothing any payer can do to prevent this because other payers are free to mix any payee’s UTXO. And the (risk of) instances of overlap for any UTXO increase indefinitely because no UTXO can ever be marked as spent, because it is supposed to be unknowable which of the UTXO was spent in each ring signature anonymity set. In other words, the probability of being deanonymized by overlapping mixes, increases the longer that a spend transaction has been on the blockchain.

A simplified example can demonstrate this. Each line is a ring signature where each number represents a UTXO address:

[1, 2, 3]
[2, 3, 4]
[3, 4, 1]
[4, 2, 1]

Note that each UTXO is equiprobable to be the payer of each of the above four transactions. However if the perpetrator issued the first transaction spending UTXO numbered 1 and has identified the second transaction as spending UTXO numbered 2 due to metadata correlation, then the perpetrator knows that 3 and 4 are the payers of the third and fourth transaction respectively.

But only the perpetrator knows this, and so if another ring signature transaction includes any of those UTXO which the perpetrator has already identified as spent, e.g. [3, 4, 9] so then the perpetrator knows that 9 is the payer and so on indefinitely.

     .     .     .

I had communicated (archived here) this vulnerability to @smooth in 2014 because I was trying to help determine if there were any technological vulnerabilities in Monero that BitcoinEXpress could exploit in his threat to attack Monero at that time.*

I reiterated and further explained (archived here) the vulnerability and my proposed solution to Monero’s cryptographer Shen Noether (aka @NobleSir) on Reddit during our discussions in 2015 (archived here) about the RingCT homomorphic encryption upgrade he invented to add the hiding of monetary values to Cryptonote’s ring signatures, because I had been simultaneously inventing a similar integration of Cryptonote ring signatures with Confidential Compact Transactions (CCT) which I named Zero Knowledge Transactions.

I had proposed as an improvement to Monero the grouping of UTXO into sets to restrict ring signatures to mixing UTXO within its explicit grouping. This would have provided the benefit that it would be possible to know when all UTXO in a grouping were spent when the count of spends was equal to the number of UTXO in the grouping, so that the grouping could be marked as spent and purged from the UTXO (my use of the term “pruned”).

In hindsight, my aforementioned improvement is also vulnerable and thus untenable because it limits the payer to an anonymity set which is temporally local to the UTXO received as a payee; thus enabling a complicit miner to target specific UTXO for deanonymization by temporal positioning of the perpetrating miner’s transactions in the explicit grouping. Now I realize Monero couldn’t accept my proposed improvement to diminish the superset grab bag for selecting the anonymity set of payers, because of the Sybil attack problem I explained in the Divide and Conquer section; thus the vulnerabilities I have enumerated compound each other in an irreparable contagion.

For comic relief, remember that after I invented Zero Knowledge Transactions, I coined the absolutely anonymous concept.

     .     .     .

* At that time, I received gracious donations of 2.5 ₿ from @rpietila, 2.5 ₿ from @smooth, and 5 ₿ from @jl777 for my assistance when ₿ was roughly $300, which was very much appreciated as I had no other income at that time and my savings were nearly depleted due to my 5+ year struggle with a mystery illness which ended up being diagnosed as “gut TB” and treated in 2017.

as admitted by Shen Noether (archived here) in his point “[5]…although the zcash proponents note that a ring signature is a ‘smaller’ anonymity set…”.


I’ll probably write another blog, Zerocash’s Technology Explained for Dummies, since afaik no one has written that yet. Herein I will only summarize the facets of Zerocash (not zerocoin!) that make its anonymity more dependable.

The anonymity set mix in Zerocash is always the entire set of transactions past and future—there are no definable subsets. Thus the exploits in the sections Divide and Conquer and Overlapping Mix Sets aren’t possible. Although it is possible for users to deanonymize themselves by not being diligent as explained in the Metadata Correlation section, unlike in non-Zerocash anonymity technologies, the carelessness of some users doesn’t diminish the anonymity of the diligent users, because there are no subsets of anonymity which can be narrowed. Zooko Wilcox-O'Hearn wrote in 2015:

A usability difference might be that in a [non-Zerocash] system, a recipient may need to distinguish “how much privacy” comes with the sender's amount, whereas in Zerocash there is a known “standard amount of privacy”.

As alluded to in the Metadata Correlation section and thus same as for Cryptonote/Monero, the diligent user must run a full node so that his IP address is not correlated when filtering the entire set of new transactions for incoming payments. And the user should never submit new transactions to the network from the IP address of his full node, nor communicate with the same IP address (or other correlated metadata) to his full node. Or don’t communicate with the full node over the Internet.

Although both Monero’s RingCT upgrade and Zerocash could have an undetected increase in the money supply if elliptic curve cryptography (ECC)* is cracked (also for Zerocash in the case that the systemic private key setup is compromised by human trust), it is very important to note that the cryptographic anonymity algorithm (not to be conflated with validation of total coin supply) of Zerocash can’t be cracked unless SHA256 is cracked; whereas, Monero/Cryptonote’s anonymity algorithm will be cracked if ECC is.

I would much rather my anonymity can only break if hash functions break which is the case for Zerocash but not Monero, RingCT, or Cryptonote, because if hash functions fail then all cryptocurrency and blockchains are F.U.B.A.R..

Whereas, if only ECC fails, in carefully designed cryptocurrencies such as Bitcoin remain secure (and Zerocash remains anonymous), but unfortunately Cryptonote/Monero will not remain secure nor anonymous because explicit mixing of ring signatures doesn’t allow the public key addresses to remain protected as hashed until spent!

Satoshi was so much more confident about the robustness of the security of hash functions (such as SHA256) versus ECC w.r.t. to future cryptanalysis, quantum computing, and potential for planted back doors, that he did a genius level design for Bitcoin emphasizing reliance on hash functions for security.

All currently known non-centralized anonymity set mixing technologies other than Zerocash—including Cryptonote, CoinJoin/Dash, and Shadowcash—are vulnerable to the Sybil attack explained in the Divide and Conquer section because they require explicit anonymity mix subsets. Zerocash is not susceptible because the anonymity set is always implicitly all of the UTXO (even those already spent), so spamming the UTXO gains the Sybil attacker no probabilistic advantage.

This is fundamental and the explicit anonymity set technologies can not be “fixed”, because moving to an implicit anonymity set requires something like zk-SNARKS to lift the abelian group from low-level homomorphic properties such as public key signatures and homomorphic value hiding, to proving general arithmetic circuits. Arithmetic circuits are required because cryptographic trapdoors are required for creating zero knowledge protocols, trapdoors require an abelian group, and trapdoors can not be created directly on cryptographic hash functions given that hash functions are not an abelian group, yet cryptographic hash functions are required to create the commitments needed for implicit anonymity sets and hash functions can be modeled as arithmetic circuits. Thus, Cryptonote can’t be improved to use implicit anonymity sets and have its anonymity algorithm rely on the conditional security of hash functions instead of that of the presumed math theoretic intractability of “factoring” the elliptic curve discrete logarithm problem (ECDLP)1.

     .     .     .

* Note for those who need a layman’s primer on ECC, I suggest chapter 7 The Cryptography Behind Bitcoin in the book Bitcoin for the Befuddled which can be previewed for free on Google Books.

Which is conjectured to increase exponentially with the bit width.2 Even unconditional security’s reliance on proven assumptions of prohibitive cost is not equivalent to information-theoretic security—the inability to break security even with unlimited computing power, due to unavailable information.

Civilization Requires Anonymity and Privacy

Civilization collapses into totalitarianism without anonymity and privacy; and they are also essential for the analogous reasons to enable functioning families and relationships.

Privacy is the hiding of data or actions. Anonymity is privacy of the associated identities. And pseudonymity is the use of a faux identity.

For example, an IP address can be a pseudonym of the human utilizing a WiFi hotspot that’s not logging user identities. An example of anonymity is cryptographically mixing known identities (in an anonymity set) such that all are equiprobable. With Stealth address, all payees are mathematically equiprobable. Hiding the transferred token amount in Zerocash or RingCT’s transactions is an example of cryptographic privacy. Analogs in the non-computerized world are trusted agents and locks—i.e. without cryptography anonymity can’t be independently verified and relies on trust.

Fungibility and Conclusions

In a prior very rough draft of this blog, I explained in more detail that even without the anonymity set mixing (e.g. the ring signatures aspect of Cryptonote), the separate unlinkability technology of Cryptonote (aka BIP-63 Stealth addresses) provides the downstream anonymity that is required for those who are diligent at obscuring their metadata (such as IP address, which includes the necessity to run a full node).

The untraceability of anonymity set mixing is only needed for obscuring UTXO that is not already anonymous with the use of Stealth addresses for unlinkable payments.

Other than that need, the argument for needing untraceability on every transaction is to prevent tainting of UTXO with a claim that this is necessary to maintain fungibility. I thoroughly debunked that argument in my prior rough draft. The irony I pointed out is that the explicit anonymity mix subsets of Cryptonote/Monero are inferior for resisting deleterious implications of taint than Zerocash’s superior untraceability with no explicit anonymity subsets. And (especially in a cryptocurrency with very high velocity of money transaction volume) the natural downstream mixing of transactions will spread the taint out analogous to the employment of explicit anonymity sets (and possibility faster, presuming that Cryptonote can never realistically be a blockchain design that supports real-time confirmations and noting 0-confirmations is incentives incompatible as transaction fee revenues increase).

The bottom line is that the most popular medium-of-exchange unit will require high, real-time transaction volume and be incompatible with users running full nodes and using powerful untraceability. Zerocash is the superior untraceability mixer but anonymity set mixers will be relegated to a special case optional mixer not employed on most transactions. And as an optional mixer then the threat of creating undetected money supply is mitigated by the fact that the amount of tokens that can be spent out of the mixer must can't be greater than the tokens that were spent into it.

Yet the implication is that to avoid exchange rate delays and fluctuation risk when running coins through the optional mixer, the untraceability mixer should be denominated in the same token units as the popular medium-of-exchange. Thus dedicated anonymity cryptocurrencies have no future—not even as side-chains, because side-chains are irreparably flawed (even if not merged mined and using a different consensus algorithm).

So my (not near-term, but over medium-term) conclusion is goodbye Monero and Dash. Eventually perhaps goodbye Zerocash as a dedicated anonymity token, but being the best technology by far eventually as an optional mixer on a popular medium-of-exchange cryptocurrency* that can handle high, real-time transaction volume.

     .     .     .

* Such as my coming Bitnet altcoin.


1 I. Chatzigiannakis, A. Pyrgelis, P. Spirakis, Y. Stamatiou, Elliptic Curve Based Zero Knowledge Proofs and Their Applicability on Resource Constrained Devices, §3. Zero Knowledge Protocols Based on the ECDLP, 8 July 2011.

2 Andrea Corbellini, Elliptic Curve Cryptography: breaking security and a comparison with RSA, 8 June 2014.


More research coming out on the vulnerabilities of anonymity with explicit anonymity mix sets:

New research vindicates my analysis of the vulnerabilities of Monero

Research has proven my blog to be correct. Page 11 even mentions “chain reactions on the CryptoNote protocol [8]”, where [8] is the MRL-0001 (Monero Research Labs first report), which was created because of what I explained to @smooth in 2014. See above in my blog the relevant sections Combinatorial Blockchain Analysis Deanonymization and Overlapping Mix Sets . I also previously wrote some additional comments on this blog about that.

Note the research is not even using the ability of miners to pay themselves the transaction fees as posited in my blog above, which would amplify the results in the research.

Monero’s Secret ASICs

So the following combined with the post I’m replying to, the recent vindication about my prior warnings to Monero not being able to attain ASIC resistance, I’m now entirely 100% vindicated.

I read today:

A few months ago, it was publicly exposed that ASICs had been developed in secret to mine Monero. My sources say that they had been mining on these secret ASICs since early 2017, and got almost a full year of secret mining in before discovery. The ROI on those secret ASICs was massive, and gave the group more than enough money to try again with other ASIC resistant coins.

It’s estimated that Monero’s secret ASICs made up more than 50% of the hashrate for almost a full year before discovery, and during that time, nobody noticed. During that time, a huge fraction of the Monero issuance was centralizing into the hands of a small group, and a 51% attack could have been executed at any time.

So this probably means 100% of Monero’s anonymity mix sets were probably entirely compromised.

I have always said Monero is a honeypot. Lots of people are going to prison because they thought they were anonymous.

P.S. Privacy and anonymity are very difficult in this modern, highly statist era:

random_walker Arvind Narayanan tweeted @ 17 Aug 2017 - 12:58 UTC

When the cookie meets the blockchain: Privacy risks of web payments via cryptocurrencies……

Disclaimer: I am just a bot trying to be helpful.

very detailed post. The anonymity of coins has blown wide open recently and the battle continues . I believe cloakcoin came out with something cool recently

CloakCoin and Verge are just using onion routing for anonymity (i.e. same as using Tor or I2P), which is known to be a honeypot as I explained in my blog:

Worse yet, there might be no way for users to know their anonymity has been compromised because the perpetrator would want to maintain the deceit of the valuable honeypot; which by the way, is also the case with Tor.

List of low-latency mixnet (i.e. Tor or I2P) vulnerabilities include: this, this, this, this, this, this and this.

n00bs are so easily fooled by technobabble lies and deception.

Thanks for your comment thus giving me the opportunity to respond to misunderstandings that other readers may share with you. It helps.

Hmmm is this enough confirmation that Tor is a honey pot as you mentioned. The Tor Project Defends the Human Rights Racists Oppose

Well technically no, although I provided sufficient technical justification in my prior comment post above.

But yes in the sense that Tor is being presented to the public as an enabler of the enemy of the politically correct Social Justice Workers (SJWs)—the enemy of a “good” and “fair” society—when in fact it is controlled by the DEEP STATE which also controls Wikileaks. Wikileaks is another example of presented to the public as being an antagonist to the corrupt status quo, but is apparently controlled by Rothschild and was used to purposefully put Trump into the presidency (which btw I predicted) in order to foment the upcoming civil war, to instigate upcoming wars with China, Russia, Middle East, and so it can all be blamed on Trump and the “neo-Nazis”. Bitcoin appears to me to be another plan of the DEEP STATE.

Yep, TOR: Pro-free speech, but that speech has limits... racist content. lmfao. You couldn't make this shit up. That's why I think it's a good tell that they are as you say, controlled by the deep state.

torproject The Tor Project tweeted @ 17 Aug 2017 - 18:52 UTC

We heard Daily Stormer moved to a Tor onion service. We're here to defend the human rights these racists oppose.……

Disclaimer: I am just a bot trying to be helpful.

How do you think anonymity would be implemented in a coin? Are there any which you think are doing it better?

I outlined the design I am contemplating in the blog and in the comments which ensued at Reddit which I copied into comments here.

Concisely, Stealth addresses for the high volume, real-time transactions and an optional Zerocash technology mixer denominated in the same token units, i.e. you can transfer you tokens into the mixer without any exchange risk, then transfer them back out to transact with the Stealth addresses. You could review my replies to @smooth, @JollyMort, and @jonas_h on Reddit for more details wherein I covered the issues about the trusted setup, slow speed of creating Zerocash transactions, etc..

Also another factor is that my Bitnet altcoin will not use proof-of-stake nor proof-of-work and it will burn the transaction fees (new blog is coming about this), so I claim this would make any sustained Sybil attack much more costly (and besides the Zerocash technology mixer is less susceptible to Sybil attack for the reasons I explained in the blog).

You are an absolute mad man! I'm going to have to finish this later, but it looks absolutely pressing. Thanks! Looks like great food for thought.

I must be mad, because I battle censorship everywhere I try to relay the truth to readers, thus Steem being the one community on the Internet that I can’t be censored unless the blockchain is!…

…yet Mircea Popescu thinks Steem has no value

(what is the point of posting my material only to my own private echo chamber blog) and limiting my interaction to obedient sycophants. Yet this guy claims to super smart. Duh)

The Monero Stackexchange has deleted my answer that linked to this blog, removed some of my comments from that Q&A page that had refuted errors in other comments and answers, and closed the Q&A page to further answers from me to prevent me from telling the truth. So they are censoring the truth from their FAQs:



Thanks for writing this. I think it is an important point that the safety of "mixing" schemes (including ringsigs) depends on the nature of the "decoy" inputs. I'd like to see a more rigorous analysis of what exactly the requirements are for safety of schemes like the one Monero currently uses, under adversarial conditions.

If someone wanted to gain more ability to break the privacy of future Monero transactions, the way to do it would be to generate lots of dummy transactions between now and then so that the future Monero transactions would accidentally choose your transactions as decoys, thinking that they were getting privacy that way, but actually since those are your transactions, it doesn't provide any privacy from you. Right?

Hello Zooko-Wilcox. Yw. Thx for reading. I had a thread on your Zcash forum bookmarked and was intending to alert you there, but I’ve been so busy past days.

Btw, I’m going to want to talk to y’all about implementing your technology on my upcoming Hypermesh. I will contact you as my project nears the juncture where I want to implement the anonymity technology. I need a cryptographer. I am not.

I'd like to see a more rigorous analysis of what exactly the requirements are for safety of schemes like the one Monero currently uses, under adversarial conditions.

I would also.

Monero transactions would accidentally choose your transactions as decoys, thinking that they were getting privacy that way, but actually since those are your transactions, it doesn't provide any privacy from you. Right?

That is the gist of it, and the prior Monero Research Labs report (MNL-001) only considered the case where the decoys were not being continuously populated. I discussed that in more detail in the comments section of this blog.

P.S. there was some discussion (also archived here) of this comment.

good stuff. i need to sit down for this.

Very Insightful Post @anonymint - Thank You

Great post thanks. Wish I understood it! :)

I’d like to be able to explain it more slowly with more examples and diagrams, but:

  1. I do not have enough time to create all that. I need to be coding on my altcoin project.
  2. It would not fit in a blog.

I do appreciate those who upvote your comment indicating to me how many people do not totally understand what I wrote.

Please feel free to ask me some questions (there are no dumb questions, just ask), or just point to the first thing that was confusing and I will try to elaborate. I enjoy jamming with my readers.

I’m very sleepy. After I sleep, I will re-read my blog again and see if I can improve clarity without adding too many words. I do realize there were probably gears turning in my head while writing that do not convey through the words written. That usually happens with a detailed technical document on first drafts; and can often be detected by an astute author on careful reading when rested.

It's going to take me some time to read the article and get some way close to getting my head around it, but worth the effort I'm sure. Appreciate the more layman approach. BTW, I linked to your article from this one You might be aware that the Keiser Report is one of the few financial shows that pushes awareness of crypto, though usually concentrating on BTC, so rather unconsciously ironic with timing to highlight Monero yesterday!
THX again ;-)

As a prerequisite for understanding, my blog was lacking a layman’s introduction on Cryptonote’s ring signatures:

I will expound a little bit on the linked introduction above.

Cryptonote’s “one-time” ring signatures enable the signer of a transaction to group his public key with his choice of the public keys of other UTXO (unspent transaction outputs) on the blockchain.

(Tangentially note all transaction outputs are forever “unspent” because it is anonymous as to when they were spent, unless anonymity is unmasked as this blog posits; thus there is a claim that we should not name these UTXO and instead name them TXO)

The number of public keys grouped is called the “number of mixins” or “mixin level”.

The signature is constructed in a mathematical way such that it proves the signer (his public key) is always associated with a certain generated “id” number I which is named the “key image” (no matter which public keys other than his own he chooses for the grouping), but this generated number does not enable anyone to know which of the public keys in the grouping is the signer. When they say the ring signature is “traceable” or “one-time” , they mean this generated “id” number, not the actual correlation of which signer.

Thus the validator of the blockchain can prevent the each signer of a transaction output from double-spending, because the blockchain stores the generated numbers and so if the signer attempts to spend again, there will be duplicate generated number already on the blockchain. In that way, the actual signer of each transaction is obscured in a grouping, yet the double-spend prevention feature of blockchains is maintained. This was quite genius and exciting when it was first released, but my blog posits how it can be deanonymized.

Note the generated number is derived from the public key of the signer in such a way that it is not tractable to reverse the derivation and determine who was the signer. This however only holds true if ECC (elliptic curve cryptography) and cryptographic properties of the chosen hash function remain intractable to crack.

I will not attempt to explain the math here. Someday perhaps I or someone will write a Cryptonote for Dummies blog on the math. It is actually quite interesting and if you understood math in high school then this can be explained to you at least a high level overview of the algebra.

Edit: the reason the image near the top has values of 1 on the coins is because Cryptonote required equal denominations for all UTXO in the ring mix set because the token values were not obscured. Monero’s RingCT upgrades Cryptonote adding homomorphic encryption of values.

Thanks for the clarification - the mists are clearing a little for me!

seems promising

I read the whole article and I am interested in your bitnet altcoin. Coworkers and I are trying to make a silly eth-token but we are also trying to create a truly untraceable currency.
Please reach out to me if you need a team (security engineers, graphic artist, developers)

I’m hesitant to give out my email address here. Please either add me on LinkedIn (see my introductory blog for the link), or send me username ecash a buddy request on . So we can trade contact information.

I have a different economic onboarding and ecosystem monetization business model plan than Steem(it). So there will be opportunity there for independent developers in the ecosystem that side-steps needing to make an ICO and incur that increasingly risky regulatory environment.

My next blog is to be a bombshell with a much wider scope in its crosshairs.

What I've read has Zcash too its weaknesses.

Yes, but my blog is not about Zcash. It is about the Zerocash technology (employed in Zcash and clones) which I propose to use in a different design that I claim mitigates those disadvantages and allows the advantages to shine. Details were discussed with jonas_h, discussed with JollyMort, discussed with @smooth, and I referred others to these discussions.

Thanks for pointing this out, so I could provide clarification.

Thank you for reply. Your post is very interesting. Honestly speaking I understand maybe 10-20%.
Monero and Zcash have their strengths and weaknesses. Is it possible to improve these currencies with updates or maybe you could gather a community and create your own cryptocurrency?


Thanks for posting this!

So, which coin do you recommend the most for anonymity ?

I don’t have any recommendations at this time. I’m claiming we developers have work to do.

Yep this was a great read and eye opener

I have a question about the Dash part... What are this two Dash you are talking? I know only Dash the coin... and I hear about this Dash ICO who got hacked....You are talking about the last one?

The “not Dashcoin” link I provided covers all that in great detail. Is something confusing in the linked document? Dashcoin was a Cryptonote cryptocurrency that Evan of Darkcoin tried to claim his purchased by purchasing only the Github account of the main developer. So Darkcoin became Dash. Perhaps you just wanted me to add this short summary to the Steem blockcain for safe keeping.

this is the most interesting article i've read in weeks. I want in on this new coin when its ready. It will be a zk snark class coin right?

If you are referring to the self-promotion of my “Bitnet” altcoin project plans (which is all vaporware currently), I’m proposing in the blog that ideally a high transaction volume altcoin* would employ unlinkable Stealth addresses normally for most transactions and have the zk-snarks Zcash-clone mixer for optional usage (and I explained the reasoning for that in the blog) with both sharing the same token unit and token supply, i.e. Zcash-like clone but with Stealth addresses for the tokens outside the mixer. Another difference would be my altcoin design isn‘t proof-of-work nor proof-of-stake. It requires something totally different to solve the problem of centralization. I’ve pointed out the research which shows that proof-of-work is incentives incompatible when the block reward diminishes and revenue is significantly from transaction fees (thus requiring a mining oligarchy to maintain functional order). Proof-of-stake has the analogous issue. Steem is controlled by an oligarchy of whales. We can’t base the future of the Internet on oligarchies, because that is just more of the same Iron Law of Political Economics clusterfuck that we are already in.

* such as nanotransactions analogous to those Steem requires every time you do any action that must be recorded on the blockchain.

I dont know what to say, im doing a paper report has my final university project about cybersecurity in the blockchain. This post has allready alot of analisys and research. Thanks alot for the content, im gonna study it!

Somebody please boost that ! Subscribed for life !

Pay-to-end-point or P2EP aka PayJoin is a CoinJoin-like protocol which can anonymize the receiver and allows for unequal spend amounts.

Hi! I just upvoted you!

I found similar article on Monero that covers the everything from why it matters to how to buy and store it:

Bytecoin is the only CryptoNote based cryptocurrency that is not scam. Monero is scam

Good job! It is always pleasure to read detailed posts like this.


Someone asked me about Wasabi Privacy Wallet, but I don’t have time to focus on it at this very moment.

Something about SNARKs and STARKs that I forgot I wrote.

This blog of mine is vindicated!

Also another summary of why Monero could be a honeypot.

Nice detailed review. What about XVG Verge?

very interesting read! thanks !!
On a side note, can you take a look at VIVO coin, its a Dash fork apparently (..) but on Neoscrypt algo.

the site is :
Would be great to hear your thoughts!

Thank you!