
RE: Is Monero’s (or All) Anonymity Broken?

in #cryptocurrency · 7 years ago (edited)

I had written:

Monero and Zcash are real projects that exist now. I even admitted that with large enough mixins (or churn) Monero can be made probabilistically anonymous. I think Monero should first focus on redoing that Monero Research Labs paper from 2014, and model all the vulnerabilities I mentioned so that users can get some quantitative estimates of realistic level of mixing they need to be doing in order to be reasonably safe. Again I pointed out that increased mixing on Monero will be at least less efficient than Zerocash technology in the sort of design I contemplate (perhaps possibly so much so that it discourages usage or full node usage thus fighting against itself to some extent but we need a quantitative model to know more than just handwaving).

I elaborated on this near the bottom of a comment post.

Click that link above as it contains more details.

One emphatic summary point I want to reiterate is that:

There is nothing Monero developers and claimed experts can do with dismissive words that will make a $millionaire—who is relying on the anonymity of his money—trust the unreliability of Monero.

When your anonymity is lost, you can’t get it back. Monero could be a honeypot now enabling the Five Eyes, CIA, FBI, etc. to track down $millionaires who are trying to avoid being raped by the collapsing Western economic system, and we may never know that Monero was a honeypot aiding in that process.

The only thing that @smooth, @ArticMine, @fluffypony, etc. can do to restore confidence is to produce a research paper with correct math which takes into account all of the vulnerabilities that their MRL-0001 research paper admitted that it did not. Confidence can only be restored with math. The onus is on them, because I have already explained vulnerabilities which their research paper does not address. Dismissive words prove nothing. They can claim my words mean nothing, but until they show the math to prove it, then you the astute reader know they are unable to do so and thus you can’t be sure if your anonymity is safe enough on Monero. And you might prefer something more reliably anonymous, such as for the moment perhaps gold or a future cryptocurrency such as the one I am working on.

This has nothing to do with speculation. Speculators may not care at all about their anonymity. I dunno.

FYI, I have not had time to check the veracity of this revelation.

P.S. What irks me about some vocal members of Monero’s community is they are so snobbish/boastful (and derogatory towards others and their projects) about how they are the highly superior decentralized, open source, academic, best and most developers, etc. Yet when presented with new vulnerabilities that they had not modeled in their white papers, they resort to marketing spin and dismissiveness, instead of responding to the academic challenge with math. Hypocrites don’t impress me. I remember when I used to always tell them back in 2014 and 2015 that Tor and all onion routing is a honeypot. They were dismissive about that too. It has always been not about rationality and math, and afaics I conclude more about deception and lining their pockets with speculators’ money.


@anonymous wrote:

@anonymint wrote:

@smooth is saying that you can always mix enough times to subvert the attack.

If a percentage of nodes are malicious, wouldn't additional mixing decrease privacy as it would increase the chances that those nodes could uncover you over each iteration?

In one theory you only need to be anonymous at one point on the chain of transactions in order for the chain of them to be untraceable from start to end of the chain. So that is the theory @smooth is employing.

But there are at least several problems with that theory:

  1. It has to be mathematically modeled with all the vulnerabilities I enumerated, because there can be a non-linear combinatorial cascade, such that anonymity sets collapse in a domino effect.

  2. Identifying the person midway through a chain (series of transactions spending to yourself) of ring signature (Cryptonote or Monero’s RingCT) transactions is metadata which may enable you to break the chain from start to end. So yeah, more opportunities to deanonymize (what @smooth or @ArticMine referred to as “churn”) may in effect be worse than using larger ring sets with fewer transactions.

This shit gets very complex! Which is why it is very unwise to employ an anonymity technology such as Cryptonote/Monero ring signatures which has an explicit anonymity set and thus is inherently inferior as I explained in my blog and comments below the blog. The zkSNARKs are technologically superior when it comes to anonymity sets. Anyway, at the appropriate time (meaning when Bitnet is launched thus I have funding) I will hire mathematicians and cryptographers to develop thorough models to make this all irrefutable so we can put an end to their bluffing and dismissive game.

P.S. Responsible Disclosure in Cryptocurrencies


I wrote:

This is death to Bitcoin as a decentralized, fungible token system. Cryptonote/Monero anonymity could not help, because ring signatures only attempt to obscure potential sender identity, but do nothing to obscure the timing of UTXO formation. Whereas, the Zerocash zkSNARKs anonymity technology does obscure the timing of UTXO formation!
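The "domino effect" in point 1 of the comment above (one deanonymised input pruning a decoy out of other rings until those rings fall too) can be run as a small simulation. The following is an added example written for this page; it is not code from the comment author, from the Monero project, or from MRL-0001. Everything about the model is an assumption made for illustration: each ring contains exactly one real spend, every output is really spent at most once, decoys are drawn uniformly from all other outputs, and none of the timing or other metadata channels the comment mentions are modeled. The ring ids, output ids and the `EXAMPLE_RINGS` ledger are constructed for the demo.

```python
"""Chain-reaction collapse of ring-signature anonymity sets.

Added example (not code from the thread, from Monero, or from MRL-0001).
Model, all assumed for illustration:
  * each transaction input is a ring of output ids, exactly one of which is
    the real spend; every output is really spent at most once;
  * decoys are chosen uniformly from other outputs, ignoring age, amount,
    timing and every other metadata channel the comment above lists.
"""
from collections import defaultdict
import random


def chain_reaction(rings, known=None):
    """Iteratively resolve rings.

    rings: dict ring_id -> iterable of output ids (one of them the real spend).
    known: dict ring_id -> real output for inputs already deanonymised by
           some other means (optional).
    Rings with a single member (mixin 0) are the seeds. When a ring's real
    spend is known, that output is only a decoy everywhere else, so it is
    pruned from every other ring listing it; any ring left with one candidate
    is resolved in turn, which is the domino effect.
    Returns dict ring_id -> real output for every ring resolved.
    """
    candidates = {rid: set(m) for rid, m in rings.items()}
    by_output = defaultdict(set)          # output id -> rings that list it
    for rid, members in candidates.items():
        for out in members:
            by_output[out].add(rid)

    work = list((known or {}).items())
    work += [(rid, next(iter(c))) for rid, c in candidates.items() if len(c) == 1]
    resolved = {}
    while work:
        rid, real = work.pop()
        if rid in resolved:
            continue
        resolved[rid] = real
        for other in by_output[real]:
            if other == rid or other in resolved:
                continue
            candidates[other].discard(real)
            if len(candidates[other]) == 1:
                work.append((other, next(iter(candidates[other]))))
    return resolved


# Constructed toy ledger: one zero-mixin input (ring A) collapses all five.
EXAMPLE_RINGS = {
    "A": {"o1"},                     # mixin 0: real spend of o1 is public
    "B": {"o1", "o2"},               # o1 pruned -> o2
    "C": {"o2", "o3"},               # o2 pruned -> o3
    "D": {"o3", "o4", "o5"},         # -> {o4, o5}, still ambiguous ...
    "E": {"o1", "o2", "o3", "o4"},   # -> o4, which then finishes D -> o5
}


def simulate(n_outputs, ring_size, zero_mixin_fraction, seed=0):
    """Random ledger where every output is spent once; a given fraction of
    spends use mixin 0. Returns the fraction of inputs deanonymised directly
    (mixin 0) and in total (after the chain reaction)."""
    rng = random.Random(seed)
    outputs = list(range(n_outputs))
    rings, direct = {}, 0
    for real in outputs:
        if ring_size < 2 or rng.random() < zero_mixin_fraction:
            rings[f"tx{real}"] = {real}
            direct += 1
        else:
            decoys = rng.sample([o for o in outputs if o != real], ring_size - 1)
            rings[f"tx{real}"] = {real, *decoys}
    resolved = chain_reaction(rings)
    # under this model the cascade never mislabels a spend
    assert all(int(rid[2:]) == real for rid, real in resolved.items())
    return {"direct": direct / n_outputs, "total": len(resolved) / n_outputs}


if __name__ == "__main__":
    print(chain_reaction(EXAMPLE_RINGS))
    for k in (3, 5, 11):
        print(k, simulate(2000, k, 0.3, seed=1))
```

Running the `__main__` section shows the two things the argument above turns on: the toy ledger is fully resolved from a single mixin-0 input, and in the random ledger the gap between `direct` and `total` (the cascade) shrinks quickly as the ring size grows, because a ring only falls once every one of its decoys has been identified elsewhere. The simulation says nothing about the metadata attacks the comment raises; it only shows the combinatorial part of the problem.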
