[Cryptography] cryptography Digest, Vol 93, Issue 1

Lee Clagett forum at leeclagett.com
Sun Jan 3 20:33:26 EST 2021


‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Saturday, January 2, 2021 12:36 PM, John Tromp <john.tromp at gmail.com> wrote:

> > > Constants matter. A 4 day IBD (initial block download) is way worse
> > > than a 1 day IBD.
> > > If you prune away 7/8th of the data then you don't have that disadvantage any more.
>
> I don't follow. The IBD must comprise the entire Monero tx history.
> Only after downloading and verifying all of that, could a full node
> decide to prune what it stores on disk.
>
> > > Compared with Mimblewimble, a Monero tx is nearly 30x larger than a MW
> > > one with spent outputs.
> > > That may be, but MimbleWimble privacy is easily broken, and Monero's is not.
> > > The CipherTrace CEO says this pretty plainly.
> > > https://www.reddit.com/r/CryptoCurrency/comments/ijzj17/ciphertrace_develops_monerotracing_tool_to_aid_us/g3hg9eq/?utm_source=reddit&utm_medium=web2x&context=3
>
> All he says there is what we agree on already, namely that
> "MimbleWimble privacy is worse than Monero". He doesn't say it's
> easily broken.
> I could quote Ian Miers on slide 54 of
> https://slideslive.com/38911785/satoshi-has-no-clothes-failures-in-onchain-privacy
> saying that decoy systems are not private.
>
> But I think such pure binary qualifications are not that helpful. In
> the end, privacy is a spectrum, as shown in
> forum.grin.mw/t/scalability-vs-privacy-chart/
> To me, MW sits at a very advantageous starting point from which
> various avenues are open to reduce the remaining privacy leak of
> input-output linkability, thanks to the ease of aggregating
> transactions.


A spy can see the inputs<->outputs of a transaction if it is along
the Dandelion++ "stem path" in Grin. The Dandelion++ paper did sybil
analysis for a spy trying to identify the IP-origin. This case is
different - if a spy is any node along the path the entire input+output
information is leaked. I could not find any analysis for this variation.

The transaction also needs 1+ other transactions on the Dandelion++ path
within a 30s time period, otherwise the flooding phase leaks the
input+output information to every node on the network. Increasing the
node count actually hurts the privacy - a transaction is less likely to
be aggregated before the flood to all nodes. You'd need some node count
+ transaction volume balance (not sure if anyone has done this
analysis).


> And while both MW and RingCT lack support for Bitcoin script, MW makes
> up for that with scriptless scripts.
> These support an amazing range of functionality, including both
> absolute and relative time locks, from which one can build
> bi-directional payment channels.
>
> regards,
> -John
>

Lee
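A toy model of the aggregation-window argument above (a transaction that finds no other transaction on its stem path within the window is flooded unaggregated). This is an added example, not code from this thread or from Grin; it assumes a fixed stem length, uniformly random stem paths and Poisson transaction arrivals, and the node counts and rates used are constructed, not measured:

```python
import math
import random


def p_share_stem_node(n_nodes: int, stem_len: int) -> float:
    """Probability that two independent stem paths, each stem_len distinct
    nodes drawn uniformly from n_nodes, have at least one node in common."""
    disjoint = math.comb(n_nodes - stem_len, stem_len) / math.comb(n_nodes, stem_len)
    return 1.0 - disjoint


def p_aggregated(tx_rate: float, window_s: float, n_nodes: int, stem_len: int) -> float:
    """Closed form under the toy model: other transactions arrive as a Poisson
    process of rate tx_rate (tx/s) during the window; each shares a stem node
    with our transaction independently with probability p_share_stem_node, so
    the number of aggregation candidates is Poisson(tx_rate*window_s*p_share).
    Returns the probability that at least one candidate exists, i.e. that the
    transaction is aggregated before the flood phase leaks its inputs/outputs."""
    p_share = p_share_stem_node(n_nodes, stem_len)
    return 1.0 - math.exp(-tx_rate * window_s * p_share)


def simulate_aggregation(tx_rate: float, window_s: float, n_nodes: int,
                         stem_len: int, trials: int = 20000, seed: int = 7) -> float:
    """Monte Carlo check of the closed form: draw our stem path, then draw other
    transactions with exponential inter-arrival times until the window closes,
    and count the trials in which some other path touched one of our nodes."""
    rng = random.Random(seed)
    aggregated = 0
    for _ in range(trials):
        my_path = set(rng.sample(range(n_nodes), stem_len))
        t = rng.expovariate(tx_rate)  # arrival time of the next other transaction
        while t <= window_s:
            other_path = rng.sample(range(n_nodes), stem_len)
            if my_path.intersection(other_path):
                aggregated += 1
                break
            t += rng.expovariate(tx_rate)
    return aggregated / trials


if __name__ == "__main__":
    # Constructed parameters: 3 tx/min network-wide, 30 s window, 10-hop stems.
    for n in (100, 1000, 10000):
        print(n, "nodes: P(aggregated) =", round(p_aggregated(0.05, 30, n, 10), 3))
```

Holding the transaction rate fixed, the printed probability falls as the node count grows, which is the node-count versus transaction-volume trade-off the post describes.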


