RE: RE: Is Monero’s (or All) Anonymity Broken?

some monero guy in irc says this is literally written to address exactly the point you’re making: https://lab.getmonero.org/pubs/MRL-0001.pdf

Ah I remember reading that Monero Research Labs document a long time ago. I had forgotten about it.

That document admits that their model does not apply to my blog. I quote from the above linked document as follows:

…simplest strategy for Burns would be to just spam the network as fast as possible with his own transactions. But with fees, this isn’t free.

Note that, as time goes on, a UTXO is more likely to be chosen for mixins, but is also more likely to have been exposed from previous users revealing their transactions by spending them with 0 mixins, complicating the wisdom of choosing UTXOs for the ring signature from a uniform distribution.

My blog explains how the fees can be free (actually 2% of the block reward cost, offset by the income of the honeypot) for the perpetrating miner. So that debunks that research paper.

Additionally, the authors admit their model doesn’t factor in the fact that older UTXO have a higher probability of having been chosen than new UTXO. Their model is too simplistic and thus is not applicable to the interaction of the 3 vulnerabilities I presented.

Their model for example assumed that the perpetrator wasn’t able to continue adding “black balls” (which btw in my blog are the “white sheep”, colors are transposed in our notations):

…Burns doesn’t have to take a single action after his initial seed transactions are planted in the UTXO set. This fixed initial cost for the attacker leading to a never-ending stream of information in the form of traceable transactions from other users…

That assumption makes their model inapplicable to my blog, because I show two vulnerabilities (Divide and Conquer and Metadata Correlation) that continue to add “black balls” (aka “white sheep”) ongoing.

Additionally that document says nothing about my other points that make Zerocash superior, such as that the anonymity of Zerocash only breaks if SHA256 breaks, but anonymity of Monero breaks if ECC does. And that the user of Zerocash doesn’t have to be concerned about the carelessness of other users (that he is not transacting with) impacting his own anonymity set. And other points about the disadvantages of explicit anonymity subsets such as fungibility being superior on Zerocash.

More comments from Monero private chats are being forwarded to me:

Needmoney90, [01.08.17 22:00]
Like, that was the first paper released by the MRL, and it describes why the 'attack' in this article doesnt work

Yes, it was written because I communicated the possible attack to @smooth, who relayed it to their cryptographers. I caused that paper to be written. I explained that in my blog.

Needmoney90, [01.08.17 22:00]
Basic statistics

Needmoney90, [01.08.17 22:01]
Its not even an intermediate paper, if this guy had done any research at all, he would know his method didnt work :/

Needmoney90, [01.08.17 22:01]
He didnt even skim the first research paper published by us lol"

No you snobbish Monerotard. You asshurls never change. You didn’t read carefully the damn paper you’re citing and the model’s relationship to my blog.

"He claims miners can create outputs for free - MRL-001 established that it's pointless without owning like 80% of the outputs. We'd realize very quickly if a miner was creating 80% spurious outputs, because the tx growth would be insane, we'd outstrip Bitcoin."

No you would not realize an 80% increase if it was gradually raised or had been going on for a long time. You have no way to know whether the existing transaction volume already includes the 80%, i.e. if Monero has been a honeypot ongoing. Did you even read the Really? section of my blog wherein I made that point already! You Monerotards don’t even take the time to read carefully.

You can’t extrapolate that statistically derived 80% factor when the model they used doesn’t even apply as explained above. That chart they showed assumed that the perpetrator is not continuing to compromise more transactions ongoing, so it is inane to claim that it is pointless to do so, when the model doesn’t even factor in doing so. Once you factor in those things they didn’t model, the quantitative results of the model can change. The authors even admit that the dynamic factors would need further study:

Technically, for any sort of “critical mass” sort of problem, there’s going to be a steady state problem lurking under the surface, and we definitely have some dynamical systems stuff flying about in this problem. Maybe some ambitious undergraduate wants to pick up where we leave off and contribute to the cryptocurrency community by expanding on all of this.

EDIT: @tie-warutho flagged this post and is trying to hide it (and also thus trying to lower my 63 reputation score here).

Why would you flag this? If you have a rebuttal, then rebut with a reply. This comment post is not spam.
