[Cryptography] cryptography Digest, Vol 93, Issue 1

John Tromp john.tromp at gmail.com
Fri Jan 1 13:24:24 EST 2021


> Date: Thu, 31 Dec 2020 09:11:04 +0000
> From: Howard Chu <hyc at symas.com>
> To: "Kapilkov, Michael" <mkapilkov at pace.edu>, 'Ray Dillinger'
>         <bear at sonic.net>, 'cryptography' <cryptography at metzdowd.com>
> Subject: Re: [Cryptography] Bitcoin is a disaster.
> Message-ID: <749ca468-968d-f068-a29d-06affd3abf09 at symas.com>
> Content-Type: text/plain; charset=UTF-8

> Once again, Bitcoin isn't broken because nobody
> knew how to solve its issues - it's broken because people decided not to implement known fixes.

Lessening one problem by worsening another problem is not a fix. It is
a trade-off.

> Today Monero, which evolved from CryptoNote, uses RingCT to hide senders and transaction amounts.

Ring signatures take up more space, and worse, require full nodes to
maintain some data of all past outputs, which negatively affects
scalability.

> CT - Confidential Transactions - is one of many solutions created by Bitcoin developers, but
> never deployed onto the Bitcoin network.

CT makes transactions take up a lot more space and, worse (for
Pedersen-commitment-based CT), prevents a fully transparent audit of
current total supply.

Again, a trade-off.

> This is why we continued to push for ASIC resistance in Monero. The RandomX PoW algorithm
> will remain resistant without any algorithm tweaks for at least 3-5 years before we need
> to look at re-tuning it.

Monero has a history of different PoWs that were each supposed to
prevent ASICs for many years. Until they didn't; some of them were
actually mined by ASICs. Maybe RandomX will last a few years longer
than those before it. But an increasing fraction of Monero developers
is ready to throw in the towel when ASICs show up again, and switch to
an ASIC-friendly PoW.

There is also a significant downside to these PoWs. First, they are
very complex, with RandomX the biggest offender by far. Second, they
are very costly to verify, requiring lots of memory and cycles,
whereas a good PoW is very easy to verify.

So again this choice of ASIC resistance is a trade-off at best.

> Privacy and security are pretty much diametrically opposed to efficiency/scalability.
> I don't see any way around that. I suppose we can accept different degrees of privacy.

On this chart [1] of chainsize growth rate vs privacy, Monero's RingCT
occupies a rather suboptimal design point, while others improve on
both privacy and scalability of bitcoin at the same time.

[1] forum.grin.mw/t/scalability-vs-privacy-chart/

regards,
-John

