[Cryptography] cryptography Digest, Vol 93, Issue 1

Howard Chu hyc at symas.com
Sat Jan 2 01:07:17 EST 2021


John Tromp wrote:
>> Today Monero, which evolved from CryptoNote, uses RingCT to hide senders and transaction amounts.
> 
> Ring signatures take up more space, and worse, require full nodes to
> maintain some data of all past outputs, which negatively affects
> scalability.

A Monero transaction takes a lot less space than all of the coinjoins and other
nonsense that would be required to give even a fraction of privacy to a Bitcoin
user.

These days the average Monero transaction (2in/2out) is about 4x larger than
the average Bitcoin transaction. The total volume is nowhere near the
limits of current network bandwidth or storage capabilities, so the 4x
difference is moot. In Big-O terms, both chains are equal here.

The requirement to store all outputs has already been mitigated by the use
of pruning; individual nodes can get away with storing only 1/8th of the
total output set. As the chain grows in the future this fraction can be
reduced even further.

>> CT - Confidential Transactions - is one of many solutions created by Bitcoin developers, but
>> never deployed onto the Bitcoin network.
> 
> CT makes transactions take up a lot more space, and worse, (for
> Pedersen commitment based CT) prevents a fully transparent audit of
> current total supply.

Coinbase emissions are still transparent, so total supply is known.
Proof of correctness of a CT transaction (sum of inputs == sum of outputs) is
also a done deal. In practice, Monero has had no coin supply bugs, while Bitcoin
has had more than one, even with its full transparency. This point of auditability
keeps being brought up but it doesn't hold water. In either case it comes down
to getting the math right, not whether the inputs are transparent or not.

> Again, a trade-off.

>> This is why we continued to push for ASIC resistance in Monero. The RandomX PoW algorithm
>> will remain resistant without any algorithm tweaks for at least 3-5 years before we need
>> to look at re-tuning it.
> 
> Monero has a history of different PoWs that were each supposed to
> prevent ASICs for many years. Until they didn't.

This is a lie, and you know it because you were present during a lot of the PoW
design work, when we were looking for alternatives, evaluating and discarding your
Cuckoo Cycle.

The 3 tweaks to CryptoNight were intentionally minor in scope, intended only to break
the known ASICs at that point in time and buy time to finish development of the long
term solution - which was originally RandomJS and eventually became RandomX.
None of the CryptoNight tweaks were ever expected to last more than 6 months each.
It was known from the outset that they would be easy to adapt to, but the priority
was preserving functionality for all of the legitimate miners at the time.

> Some of which were
> actually mined by ASICs. Maybe RandomX will last a few years longer
> than those before it. But an increasing fraction of Monero developers
> is ready to throw in the towel when ASICs show up again, and switch to
> an ASIC friendly PoW.

> There is also a significant downside to these PoWs. First, they are
> very complex. With RandomX the biggest offender by far. Second, they
> are very costly to verify, requiring lots of memory and cycles,
> whereas a good PoW is very easy to verify.
> 
> So again this choice of ASIC resistance is a trade-off at best.

RandomX was tuned to take no longer to verify than CryptoNight, so you're way
off base here. Memory cost of verification is higher, yes, but 256MB vs 2MB is
still well within the capability of all common computing devices, including
smartphones.

>> Privacy and security are pretty much diametrically opposed to efficiency/scalability.
>> I don't see any way around that. I suppose we can accept different degrees of privacy.
> 
> On this chart [1] of chainsize growth rate vs privacy, Monero's RingCT
> occupies a rather suboptimal design point, while others improve on
> both privacy and scalability of bitcoin at the same time.
> 
> [1] forum.grin.mw/t/scalability-vs-privacy-chart/

Disinfo. MimbleWimble only delivers privacy if nobody chooses to operate an
archival node, but anyone can do so, and unwind all transaction history.

Speaking of tradeoffs - what good is a system that requires sender and
receiver to both be online simultaneously? You need only look at email to
understand the value of sender and recipient operating asynchronously.

-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
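The CT balance check referred to above (sum of inputs == sum of outputs, verified on Pedersen commitments without revealing any amount), as an added toy example that is not part of this thread or of Monero's code. It uses a constructed small prime-order group mod 2039 with generators 4 and 9 in place of Monero's ed25519 points, and names the amount base G and the blinding base H, the reverse of Monero's convention.

```python
"""Toy Pedersen-commitment balance check in the style of RingCT (constructed example)."""
import secrets

# Constructed toy group: P = 2*Q + 1 is a safe prime, so the squares mod P form
# a subgroup of prime order Q. Real systems use an elliptic curve (Monero: ed25519);
# the algebra below is identical, written multiplicatively instead of additively.
P = 2039
Q = 1019
G = 4   # 2^2: generator of the order-Q subgroup, used here for the amount
H = 9   # 3^2: second generator, used here for the blinding factor
# NOTE: roles of G/H are reversed from Monero's C = xG + aH, and in a real system
# log_G(H) must be unknown to everyone; at this toy size it obviously is not.

def commit(value: int, blind: int) -> int:
    """Pedersen commitment C = G^value * H^blind (mod P): hides value, binds to it."""
    assert 0 <= value < Q, "amount outside the toy group's range"
    return pow(G, value, P) * pow(H, blind, P) % P

def build_tx(in_values, out_values, fee):
    """Sender side: commit to inputs and outputs so the blinding factors cancel.
    All output blinds but the last are random; the last is chosen so that
    sum(in_blinds) == sum(out_blinds) (mod Q), which is what RingCT does."""
    assert sum(in_values) == sum(out_values) + fee, "honest wallet: amounts balance"
    in_blinds = [secrets.randbelow(Q) for _ in in_values]
    out_blinds = [secrets.randbelow(Q) for _ in out_values[:-1]]
    out_blinds.append((sum(in_blinds) - sum(out_blinds)) % Q)
    inputs = [commit(v, r) for v, r in zip(in_values, in_blinds)]
    outputs = [commit(v, r) for v, r in zip(out_values, out_blinds)]
    return inputs, outputs, fee

def verify_balance(inputs, outputs, fee) -> bool:
    """Verifier side: sees only the commitments and the plaintext fee.
    prod(inputs) == G^fee * prod(outputs) iff sum(in) == sum(out) + fee (mod Q),
    because the H exponents cancel by construction. A real system also needs a
    range proof per output so no amount wraps around the group order (omitted)."""
    lhs = 1
    for c in inputs:
        lhs = lhs * c % P
    rhs = pow(G, fee, P)
    for c in outputs:
        rhs = rhs * c % P
    return lhs == rhs

if __name__ == "__main__":
    tx = build_tx([10, 5], [12, 2], fee=1)
    print("honest tx balances:", verify_balance(*tx))
    ins, outs, fee = tx
    # inflating one output by a coin (multiplying its commitment by G) fails the check
    print("inflated tx balances:", verify_balance(ins, [outs[0] * G % P, outs[1]], fee))
```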

