Firo (formerly Zcoin) Comparison - Reading Assignment

Read this terrific (if slightly biased) piece on how Zcoin fits into the Privacy Coin ecosystem. There are some great insights here, and not just about Zcoin! Answer the questions and post your answers below:

https://web.archive.org/web/20191106135348/https://zcoin.io/zcoins-privacy-technology-compares-competition/

Questions:

  1. What two primary weaknesses of Monero are discussed?
  2. One listed weakness of the Sigma protocol is susceptibility to “timing attacks”. Based on your read of the article and your understanding of Zerocoin’s Mint/Spend functions, how are ‘timing attacks’ performed, which information is vulnerable, and how can they be prevented?
  3. What is Lelantus and how does it improve on Sigma?
  4. Read the section on Zerocash and Zcash. When compared to Monero, what is the most important ‘pro’ of Zcash, and what is the most important ‘con’? Explain your choice.
  5. OPINION: Look at the ‘Comparison Chart’ at the end, and ‘Anonymity Set Size’ in particular. Based on your understanding of Monero, Zerocoin and Sigma, is this a fair comparison?
4 Likes
  1. The first is the anonymity is not entirely granted, because using Cryptonote it is not possible to erase the link between transactions (as it only uses decoys to do so) meaning that it would be possible to make some odds-calculations about information related to the transaction. The other weakness is related to supply auditability, which makes it impossible in Monero’s case to monitor the amount of “real” coins.
  2. They are performed by analyzing the timing between ZCoin Mint and ZCoin Spend transactions in order to try to identify which ones are connected. The valuable information at that point would be related to sending and receiving addresses, as it would be possible to identify relations between different addresses. A way to prevent such type of attack is to keep some minted coins in store to spend them when needed, avoiding to spend freshly minted coins right after the process.
  3. Lelantus is Aram Jivanyan’s creation, to work on improving Sigma protocol by removing the requirement for fixed denominations and allowing for direct anonymous hidden payments. It all impacts on privacy levels improving them and making the process safer and better designed.
  4. Comparing the two I would say the best “pro” is the fact that the proof size is lower and they are fastly verified, leading to simpler and wider scalability of ZCash project, whereas the worst “con” would probably be the fact that the cryptographic techniques used in such project are quite new and they have not been tested enough, therefore they are less safe and more at risk of bugs and other issues.
  5. It shows the number of decoys that can be included in a transaction using ring signatures on Monero. However, both by considering it alone or when comparing it to other privacy coins, that is an incredibly low anonymity set size, meaning that even if transactions are not transparent it would be possible to analyze them and try to “see through” the number of decoys. Nevertheless, Monero’s system is still useful since its anonymity level increases as the number of transactions increase.
2 Likes

1. Ring signatures as currently implemented in CryptoNote currencies also have limitations concerning practical ring size (the number of other outputs you are taking) as the size of a transaction grows linearly as the ring size increases. This is why Monero has a relatively small ring size of 11. This means on a per transaction basis, the anonymity is limited by the number of participants in the ring. Blockchain analysts, although they might not be able to prove transactions are linked, can calculate the odds that they are. The primary drawback of Cryptonote is that it doesn’t break the links between transactions but merely obscures it with decoy inputs and outputs.

Another criticism of CryptoNote is that if there’s a weakness in its ring signature implementation or a reasonably powerful quantum computer becomes feasible, the entire blockchain history is deanonymized and retroactively exposed.

2. A minted zerocoin is represented by a public bitstring, which is a commitment to the serial number but hides the serial number at the time of minting. Users are supposed to choose a random serial number to ensure that it is unique (with very high probability). However, an attacker can, instead of taking a new random serial number, freely choose the serial number when he mints a zerocoin.

This leads to the following attack: An honest user tries to spend her (honestly generated) zerocoin and sends the spend transaction (including the serial number) to the network. An attacker, which is assumed to have control over the victim’s network, now blocks that message such that it never reaches the nodes of the cryptocurrency. Then the attacker mints a new malicious zerocoin with the exact same serial number. The attacker can now spend this malicious zerocoin, revealing the serial number.

Some care is required when doing Sigma mints and spends. Users have to keep coins minted before they intend to spend to prevent timing attacks

3. Lelantus is a creation of Zcoin’s cryptographer Aram Jivanyan. Lelantus extends the original Zerocoin functionality to support confidential transactions while also significantly improving on the protocol performance. Lelantus further expands on Sigma by removing the requirement for fixed denominations and also allowing for direct anonymous payments that do not reveal amounts.

4. Pro. Very high anonymity in the many thousands (if not more) with a single mint and spend transaction and completely breaks transaction links between addresses.

Con. Incorrect implementation or leakage of trusted setup parameters can lead to forgery of coins.

5. It is the number of how many decoys that can be included in a transaction using ring signatures on Monero. It can be possible to analyze since but 11 is a low anonymity set but the anonymity level increases with the number of transactions.

1 Like
  1. What two primary weaknesses of Monero are discussed?

• Does not break transaction links, merely obscures them, hence a ‘decoy’ model

• Risks of blockchain being deanonymized in the future or through incorrect implementations

  2. One listed weakness of the Sigma protocol is susceptibility to “timing attacks”. Based on your read of the article and your understanding of Zerocoin’s Mint/Spend functions, how are ‘timing attacks’ performed, which information is vulnerable, and how can they be prevented?

Still uses fixed denominations. It’ll be easier to discern patterns of mints and spends if one is not careful and anonymity sets are limited to practically around 100,000 before performance degrades. It is recommended that users mint coins in reserve before they even want to spend.

  3. What is Lelantus and how does it improve on Sigma?

Lelantus further expands on Sigma by removing the requirement for fixed denominations and also allowing for direct anonymous payments that do not reveal amounts. Lelantus is a creation of Zcoin’s cryptographer Aram Jivanyan as part of our efforts to continuously improve our privacy protocol and its full paper is available to read here.

Lelantus retains all the benefits of Sigma of not requiring trusted setup, but removes the remaining weakness of requiring fixed denominations by utilizing double-blinded commitments and a modification of bullet-proofs to hide transaction amounts. Users can burn arbitrary amounts and redeem arbitrary amounts as well making it much harder to tie spends to mints.

  4. Read the section on Zerocash and Zcash. When compared to Monero, what is the most important ‘pro’ of Zcash, and what is the most important ‘con’? Explain your choice.

Potentially the best anonymity set encompassing all coins minted and breaks transaction links between addresses.

  5. Read the table at the end of the article (‘Summary’). The Anonymity Set Size for Monero is ‘11’. Based on your knowledge of the different technologies that go into Monero, what does this number actually represent, and what does it not take into account?

That is the number of decoy signatures appended to a transaction.

  1. After that change to how Monero chooses its mixins, that trick now can spot the real coin just 45 percent of the time—but still narrows down the real coin to about two possibilities, far fewer than most Monero users would like.

Another criticism of CryptoNote is that if there’s a weakness in its ring signature implementation or a reasonably powerful quantum computer becomes feasible, the entire blockchain history is deanonymized and retroactively exposed.

2. Users have to keep coins minted before they intend to spend to prevent timing attacks
3. Lelantus is a creation of Zcoin’s cryptographer Aram Jivanyan as part of their efforts to continuously improve the privacy protocol. Lelantus expands on Sigma by removing the requirement for fixed denominations and also allowing for direct anonymous payments that do not reveal amounts.
4. Potentially the best anonymity set encompassing all coins minted and breaks transaction links between addresses.
Con: Supply cannot be audited therefore if coins are forged and come out from thin air, they cannot be detected. Bugs of this nature were both found [before launch]. I find this the biggest problem. If there is no supply audit, the system is prone to be abused sooner or later.
5. 11 means how many decoys can be included in a XMR transaction. It seems that the anonymity of XMR transactions increases with their number.

1 Like
  1. What two primary weaknesses of Monero are discussed?
    Ring size is 11, anonymity set is only limited to the ring size which is small. Also from the timing of the real transaction and decoys, the real transaction is deducible because the UTXO used should be recent.

  2. One listed weakness of the Sigma protocol is susceptibility to “timing attacks”. Based on your read of the article and your understanding of Zerocoin’s Mint/Spend functions, how are ‘timing attacks’ performed, which information is vulnerable, and how can they be prevented?
    When the user mints and spends at the same time with a small delay, then sender and receiver are linkable. Creating a delay between minting and spending helps to unlink sender and receiver.

  3. What is Lelantus and how does it improve on Sigma?
    Lelantus is an upgrade to Sigma, it doesn’t require a trusted setup, doesn’t require fixed denominations and allows direct payment from sender to receiver without converting between zerocoins and basecoins.

  4. Read the section on Zerocash and Zcash. When compared to Monero, what is the most important ‘pro’ of Zcash, and what is the most important ‘con’? Explain your choice.

  • Most important pro: Much higher anonymity set. Research has shown that Monero is still traceable in practice because of the low anonymity set of the ring size and quality of decoys is not always good.

  • Most important con: Trusted setup. The whole point of crypto and the original problem crypto should solve is to minimize trust, but the trusted setup defeats the original purpose of crypto. Although the privacy solution might be the greatest, the original problem we want to solve with blockchains is trust.

  5. Read the table at the end of the article (‘Summary’). The Anonymity Set Size for Monero is ‘11’. Based on your knowledge of the different technologies that go into Monero, what does this number actually represent, and what does it not take into account?
    It is a comparison between apples and oranges. In Monero, the anonymity size reflects the number of potential UTXOs while for the others, it reflects the number of possible receivers and senders.
1 Like
  1. What two primary weaknesses of Monero are discussed?

    • Because links between transactions are not broken but merely obscured with decoy inputs and outputs, odds can be calculated that they are linked even though they can’t be proven directly.
    • Due to the element of transaction timing it can be guessed which transaction is the real one as in any mix of one real coin and a set of fake coins bundled up in a transaction, the real one is very likely to have been the most recent coin to have moved prior to that transaction.
  2. One listed weakness of the Sigma protocol is susceptibility to “timing attacks”. Based on your read of the article and your understanding of Zerocoin’s Mint/Spend functions, how are ‘timing attacks’ performed, which information is vulnerable, and how can they be prevented?

    • If minting and spending of a coin are timed closely behind each other, it is probable that these two are linked, thereby the sender and receiver addresses and the transaction amount would be deanonymized. To prevent this one would have to keep coins minted for a longer period of time.
  3. What is Lelantus and how does it improve on Sigma?

    • Lelantus retains all the benefits of Sigma of not requiring trusted setup, but removes the remaining weakness of requiring fixed denominations by utilizing double-blinded commitments and a modification of bullet-proofs to hide transaction amounts. Users can burn arbitrary amounts and redeem arbitrary amounts as well making it much harder to tie spends to mints.
  4. Read the section on Zerocash and Zcash. When compared to Monero, what is the most important ‘pro’ of Zcash, and what is the most important ‘con’? Explain your choice.

    • Links between sender and receiver are completely severed. No link guessing possible. I think this is more important than speed (being also a positive).
    • Difficult and dangerous to use as an incorrect implementation or leakage of trusted setup parameters can lead to forgery of coins.
  5. Read the table at the end of the article (‘Summary’). The Anonymity Set Size for Monero is ‘11’. Based on your knowledge of the different technologies that go into Monero, what does this number actually represent, and what does it not take into account?

    • This is the minimum fixed ringCT size.
2 Likes

1- Does not break transaction links, merely obscures them, hence a ‘decoy’ model.
Scalability issues because of large transaction sizes and a non prunable blockchain

2- Some care is required when doing Sigma mints and spends. Users have to keep coins minted before they intend to spend to prevent timing attacks

3- It improves on sigma by removing the requirement for fixed denominations and also allowing for direct anonymous payments that do not reveal amounts.

4- The most important pro when compared to Monero is the anonymity set encompassing all coins minted and breaks transaction links between addresses. In Monero the Ring size is practically limited.
The main ‘con’ is that it uses relatively new cryptography and based on cryptographic assumptions (KEA) that have been criticized. On the other hand Monero, is a well researched cryptography.

5- 11 is the number of decoys that can be included in a transaction, this is the number of UTXOs that can be included in a transaction. Also the anonymity increases as time passes as outputs become the new inputs of new mixes.

2 Likes
  1. “Does not break transaction links, merely obscures them, hence a ‘decoy’ model”, and “large transaction sizes and a non prunable blockchain”

  2. “doing mints and spends immediately or using the same IP address for a mint and spend can possibly compromise anonymity thus some care is required. It is recommended that users mint coins in reserve before they even want to spend. The longer the coin stays in a minted form, the better the anonymity.”

  3. “removing the requirement for fixed denominations and also allowing for direct anonymous payments that do not reveal amounts.”

  4. 'pro’s of Zcash unlinking to addresses and verification speeds and size of proofs , ‘con’ the dangers of ‘security through obscurity‘ because it can have huge amounts of bugs that only a couple of worldwide genius could figure it out.

  5. It represents the current transactions default RingCT ‘decoy’ array size, it does not take into account ‘stealth address’ to destination Bob and the values hiding with RingCT and bulletproofs.

1 Like
  1. What two primary weaknesses of Monero are discussed?
    Ring size is limited (to 11), as the size of transactions grows linearly with it and doesn’t break the links between transactions, but obscures them, and with timing analysis is possible to make assumptions in order to identify the real transaction.
    Ring Confidential Transactions, which hides transaction amounts, sacrifices supply auditability.

  2. One listed weakness of the Sigma protocol is susceptibility to “timing attacks”. Based on your read of the article and your understanding of Zerocoin’s Mint/Spend functions, how are ‘timing attacks’ performed, which information is vulnerable, and how can they be prevented?
    Minting and spending at regular intervals, doing mints and spends immediately or using the same IP address for a mint and spend can compromise anonymity.
    It is recommended to mint coins in reserve before spending, the longer the coin stays in a minted form, the better the anonymity, use different time zones and use different connections to the internet or Tor / VPN.

  3. What is Lelantus and how does it improve on Sigma?
    Lelantus is the next set of privacy implementations for Zcoin; it expands on Sigma by removing the requirement for fixed denominations and also allowing for direct anonymous payments that do not reveal amount (can do direct anonymous payments without having to convert to base coin).

  4. Read the section on Zerocash and Zcash. When compared to Monero, what is the most important ‘pro’ of Zcash, and what is the most important ‘con’? Explain your choice.
    Pro: best anonymity set, which means highest privacy that is the meaning of existence for these coins.
    Con: Relatively new cryptography, which means foundation layers could be removed in the future.

  5. Read the table at the end of the article (‘Summary’). The Anonymity Set Size for Monero is ‘11’. Based on your knowledge of the different technologies that go into Monero, what does this number actually represent, and what does it not take into account?
    It is the size of “ring signature”, the number of past output transactions that you include in the transaction to obscure yours.
    It does not take into account that each next transaction obscures it more and the next coming improvements like Bulletproof.

1 Like
  1. Anonymity set is only limited to the ring size which is small.

  2. They are performed by analyzing the timing between ZCoin Mint and ZCoin Spend transactions. To prevent such type of attack is to keep some minted coins in store to spend them when needed, avoiding to spend freshly minted coins right after the process.

  3. Lelantus is a creation of Zcoin’s cryptographer Aram Jivanyan. It improves Sigma by removing the requirement for fixed denominations and also allowing for direct anonymous payments that do not reveal amounts.

  4. Zcash vs monero: Higher anonymity set making it less traceable than Monero.
    Zcash vs monero: Trustless is not achieved. How can it be trusted when Roger Ver invested in it? :wink:

  5. It’s the minimum fixed ringCT size.

1 Like
  1. weakness of monero. the size of the ring of transactions grows linearly as the ring size increases. does not break transaction link, it simply adds decoys. finally sometime in the future a quantum computer might break them
  2. sigma still uses fixed denominations. it will be easy to discern patterns of mints and spends if one is not careful. It is recommended that users mint coins in reserve before they want to spend them
  3. lelantus improves on sigma by removing the requirement of fixed denominations and allowing for direct anonymous hidden payments
  4. con; Incorrect implementation or leakage of trusted setup parameters can lead to forgery of coins.
    pro. very high anonymity set and completely breaks links between addresses
  5. this means the anonymity set is 11. that is your own signature and 10 other signatures acting as decoys
1 Like
What two primary weaknesses of Monero are discussed?
  • The number signatures which can be included in the ring is small, limiting the anonymity set. Statistics and timing can be used to guess the real signature. The links are “masked” not “broken”.
  • RingCT hiding the transaction amounts counteracts the ability to audit the coin supply to determine how many coins exist or if coins have been falsely created.
How are ‘timing attacks’ performed, which information is vulnerable, and how can they be prevented?

Timing attacks look for patterns in mints and spends. A timing attack could link sender and receiver by looking for a mint and spend that happened close together for the same amounts. Or mint/spends that happen at consistent intervals.

Timing attacks are possible mainly because the protocol does not attempt to mask the correlation between when mints and spends happen. It’s up to the users to be smart about when and how they mint and spend their zerocoins.

It is recommended for users to maintain a certain percentage of their coins as minted so they always have minted coins ready to spend long in advance. Use of a VPN or Tor is also required to prevent linking transactions by IP logging.

What is Lelantus and how does it improve on Sigma?

An extension of Sigma that:

  • Removes fixed denominations (double blind commitments)
  • Direct anonymous transactions that do not reveal amount (modified bullet proofs)
When compared to Monero, what is the most important ‘pro’ of Zcash, and what is the most important ‘con’?
  • Pro: Zcash provides a much larger anonymity set as it breaks the link between senders and receivers (where Monero only “masks” it)
  • Con: zkSNARKs are new research and are so complex very few people are capable of understanding them so the risk of bugs in the code is much higher. Monero is built using more battle tested and simple cryptography that is easier to code and maintain.
Read the table at the end of the article (‘Summary’). The Anonymity Set Size for Monero is ‘11’. Based on your knowledge of the different technologies that go into Monero, what does this number actually represent, and what does it not take into account?

11 is the min RingCT signature size not the max size.
I feel there’s something else I’m missing, but can’t put my finger on it at the moment.

1 Like
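The "mint in reserve, spend later" advice that several answers give, written as a wallet-side check. This is an added example, not part of any post in this thread and not Zcoin/Firo wallet code; the `Mint` record, the two thresholds and the sample chain are hypothetical, constructed values.

```python
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical wallet policy (assumed values, not taken from Zcoin/Firo).
MIN_AGE_BLOCKS = 144    # how long a coin must have sat in minted form
MIN_COVER_MINTS = 50    # other users' same-denomination mints confirmed after ours


@dataclass(frozen=True)
class Mint:
    height: int          # block height at which the mint confirmed
    denomination: int    # fixed denomination in whole coins (constructed values)
    ours: bool = False   # True when the mint belongs to the local wallet


def cover_after(coin: Mint, chain: List[Mint], tip: int) -> int:
    """Count other users' mints of the same denomination confirmed after `coin`.

    Each one is a mint more recent than ours, so the guess "the newest mint
    is the one being spent" no longer points at our coin.
    """
    return sum(
        1 for m in chain
        if not m.ours
        and m.denomination == coin.denomination
        and coin.height < m.height <= tip
    )


def assess(coin: Mint, chain: List[Mint], tip: int) -> dict:
    """Report a coin's age, its cover, and why it should not be spent yet."""
    age = tip - coin.height
    cover = cover_after(coin, chain, tip)
    reasons = []
    if age < MIN_AGE_BLOCKS:
        reasons.append(f"minted only {age} blocks ago")
    if cover < MIN_COVER_MINTS:
        reasons.append(f"only {cover} later mints of this denomination")
    return {"age": age, "cover": cover, "ok": not reasons, "reasons": reasons}


def select_coin(chain: List[Mint], denomination: int, tip: int) -> Optional[Mint]:
    """Pick the wallet coin with the most cover; None means wait, do not spend."""
    passing = []
    for m in chain:
        if m.ours and m.denomination == denomination:
            report = assess(m, chain, tip)
            if report["ok"]:
                passing.append((report["cover"], m))
    if not passing:
        return None
    return max(passing, key=lambda pair: pair[0])[1]


# Constructed sample data: three wallet coins plus other users' mints.
TIP = 1300
OLD_COIN = Mint(1010, 1, ours=True)      # minted long ago, busy denomination
FRESH_COIN = Mint(1295, 1, ours=True)    # minted five blocks before the tip
SPARSE_COIN = Mint(1020, 10, ours=True)  # old, but its denomination is rarely minted


def sample_chain() -> List[Mint]:
    busy = [Mint(h, 1) for h in range(1000, 1301, 3)]     # 101 mints of denomination 1
    quiet = [Mint(h, 10) for h in range(1000, 1301, 50)]  # 7 mints of denomination 10
    return busy + quiet + [OLD_COIN, FRESH_COIN, SPARSE_COIN]


if __name__ == "__main__":
    chain = sample_chain()
    for coin in (OLD_COIN, FRESH_COIN, SPARSE_COIN):
        print(coin, assess(coin, chain, TIP))
    print("spend denomination 1 with:", select_coin(chain, 1, TIP))
    print("spend denomination 10 with:", select_coin(chain, 10, TIP))
```

The check covers on-chain timing only; the same-IP linkage mentioned in the answers has to be handled at the network layer (Tor or a VPN, as the posts suggest).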
  1. Relatively small ring size since the transaction size grows linearly as the ring size increases which reduces the anonymity set. It is also susceptible to timing analysis of the transactions which can narrow the possibility of determining which coin is real in a ring set. If there is a weakness in the ring signature implementation or quantum computers evolve, it may someday allow to retroactively expose the entire blockchain history, as well as enable forging coins. Supply auditability is also sacrificed.

  2. Timing attacks can be used to determine which transactions in a ring signature are real based on how recently the coin was minted which can expose the input addresses of the transaction. This can be limited by “preminting” coins to spend later.

  3. Lelantus doesn’t require fixed denominations, and allows for direct anonymous payments that do not reveal amounts and makes it harder to tie spends to mints.

  4. Pro: Breaks transaction links between addresses and has small proof sizes.

Con: Private transactions are computationally intensive and it requires a complicated trusted setup.

  5. Monero’s anonymity set is 11 which is the amount of participants in the ring. This only limits the anonymity for a single transaction, so anonymity increases with the number of transactions.
1 Like

Your intuition is right! It’s accurate in some cases, but it’s not black-and-white. So Alice sends Monero to Bob…

If an attacker can identify the ring signature where Alice is the true signer, he’s connected Alice’s ‘address’ to the tx. Bob is still protected by a one-time-use stealth address. Alice’s address which was linked to the tx is too.

We know that the weakness of stealth addresses is linking or dusting attacks. So let’s say Carol and Alice both send Monero to Bob, and he uses both UTXOs together as transaction inputs to Dave. Alice wants to link Carol to Bob.

She can assume that:

  1. If Bob’s UTXO from her was sent with another UTXO, that other UTXO was probably Bob as well.
  2. The sender was 1 of 11 signatures on that other transaction. If 1 of those is Carol, then a connection has been found and Bob only has ‘plausible deniability’, not true privacy.

But how will Alice know that some signature was Carol’s? Carol’s UTXO was from a stealth address as well, so Alice would need to dust/link her in order to dust/link Bob.

This is possible, but it’s very difficult. It highlights the difference between ‘theoretical’ and ‘actual’ anonymity set. Similarly, Zcoin can claim anonymity set of 2^16, but as we saw the actual number of ‘decoys’ is nowhere near that big.

  • What two primary weaknesses of Monero are discussed?
    Monero has a relatively small ring size of 11.
    In Monero’s implementation of RingCT, someone who breaks the discrete logarithm that underpins RingCT can forge coins without anyone knowing it.

  • One listed weakness of the Sigma protocol is susceptibility to “timing attacks”. Based on your read of the article and your understanding of Zerocoin’s Mint/Spend functions, how are ‘timing attacks’ performed, which information is vulnerable, and how can they be prevented?
    When the user mints and spends at the same time with a small delay, then sender and receiver are linkable. Users have to keep coins minted before they intend to spend to prevent timing attacks.

  • What is Lelantus and how does it improve on Sigma?
    Lelantus further expands on Sigma by removing the requirement for fixed denominations and also allowing for direct anonymous payments that do not reveal amounts.

  • Read the section on Zerocash and Zcash. When compared to Monero, what is the most important ‘pro’ of Zcash, and what is the most important ‘con’? Explain your choice.
    most important pro-Potentially the best anonymity set encompassing all coins minted and breaks transaction links between addresses-anonymity is a key factor in the space.
    most important con- Complicated construction and difficult to understand in full meaning that only a handful of people can grasp the cryptography and code and may be prone to errors- a great tech that no one will implement is useless.

  • Read the table at the end of the article (‘Summary’). The Anonymity Set Size for Monero is ‘11’. Based on your knowledge of the different technologies that go into Monero, what does this number actually represent, and what does it not take into account?
    It represents the current transactions default RingCT ‘decoy’ array size, it does not take into account ‘stealth address’ to destination

1 Like

1. What two primary weaknesses of Monero are discussed?
Two primary weaknesses of Monero discussed in the article include the lack of auditability and the limitations of ring signatures in regard to anonymity set.

2. One listed weakness of the Sigma protocol is susceptibility to “timing attacks”. Based on your read of the article and your understanding of Zerocoin’s Mint/Spend functions, how are ‘timing attacks’ performed, which information is vulnerable, and how can they be prevented?
Timing attacks are performed by the attacker making assumptions regarding how long an encryption operation takes. Users who mint/spend coins as they are needed leave themselves vulnerable to deanonymization, as anyone actively watching the blockchain can potentially find spending patterns. Vulnerable information includes input and output denominations regarding minting and spending. One surefire way to prevent exploits in this vulnerability is to mint coins ahead of time.

3. What is Lelantus and how does it improve on Sigma?
Lelantus was created by Zcoin’s cryptographer Aram Jivanyan and is an effort to further improve upon Sigma. Lelantus improves upon Sigma by removing the requirement for fixed denominations while utilizing a modified version of bulletproofs to obfuscate transaction amounts.

4. Read the section on Zerocash and Zcash. When compared to Monero, what is the most important ‘pro’ of Zcash, and what is the most important ‘con’? Explain your choice.
Compared to Monero, the most important ‘pro’ of Zcash is the complete decoupling of sender and receiver; whereas, Monero uses decoys to obfuscate transactions. Zcash’s anonymity set is gigantic with its ability to transfer ‘Zerocoins’ without needing to convert back to a base coin. Monero’s decoy tactic doesn’t entirely separate the sender from the receiver; further, Zcoin claims that observers can detect the correct transaction 45% of the time in Monero.
Zcash’s most important ‘con’ is the novel zkSNARKs. Most describe zkSNARKs as a new technology that only a handful of people understand. This proves to be a potentially catastrophic issue when cryptographers, scientists, auditors, and engineering teams constantly vetted the code but failed to discover Zcash’s counterfeiting bug over the course of years. That’s not to say that zkSNARKs should not be used ever; however, users take an inherent risk that most likely won’t diminish for some time. One undisputable constant with respect to code: bugs.

5. Read the table at the end of the article (‘Summary’). The Anonymity Set Size for Monero is ‘11’. Based on your knowledge of the different technologies that go into Monero, what does this number actually represent, and what does it not take into account?
According to Zcoin’s article, Monero’s anonymity set is 11 which is like saying a billionaire’s net worth is $11 million because that’s how much his house is worth. The claimed anonymity set of ring signatures in Monero is but one of the many technologies that make up Monero. The author failed to include ringCT, bulletproofs, and stealth addresses in his anonymity set assessment.

1 Like
  1. What two primary weaknesses of Monero are discussed?
    Limitations in the ring signatures (researchers have found ways to identify which is the real transaction, with quite high probability). Auditability “sacrifice” due to transaction amounts being hidden by RingCT.

  2. One listed weakness of the Sigma protocol is susceptibility to “timing attacks”. Based on your read of the article and your understanding of Zerocoin’s Mint/Spend functions, how are ‘timing attacks’ performed, which information is vulnerable, and how can they be prevented?
    Timing attacks are performed by trying to correlate spend and mint events. Doing mints and spends immediately or using the same IP address for a mint and spend can possibly compromise anonymity. It is recommended that users mint coins in reserve before they even want to spend. The longer the coin stays in a minted form, the better the anonymity.

  3. What is Lelantus and how does it improve on Sigma?
    A new privacy protocol that improves Sigma by removing the requirement for fixed denominations and also allowing for direct anonymous payments that do not reveal amounts…

  4. Read the section on Zerocash and Zcash. When compared to Monero, what is the most important ‘pro’ of Zcash, and what is the most important ‘con’? Explain your choice.
    Most important pro: the best anonymity set. I think that this is one of the key features/points of a good privacy coin.
    Most important con: Complicated construction and difficult to understand. I think that this can slow the development of the project and makes it more prone to errors/bugs.

  5. Read the table at the end of the article (‘Summary’). The Anonymity Set Size for Monero is ‘11’. Based on your knowledge of the different technologies that go into Monero, what does this number actually represent, and what does it not take into account?
    11 would be the minimum decoys in a single transaction (performed using RingCT). But the table does not take into account that the addresses involved in the transaction are one-time-use stealth addresses.

1 Like

Q1: Two of the mentioned weaknesses are that XMR does not break TX links it just hides them with decoys and the other was the audit-ability for XMR was non existent meaning hidden inflation could go undetected.

Q2: From what I’ve read so far a timing attack works like this; an attacker can see when someone is minting/spending on regular intervals like every Friday at midnight, or the attacker can see someone just minted a coin and spent it instantly and track their IP address.

Q3: Lelantus is an improvement to Sigma. It retains all the benefits Sigma has and adds on to them by removing the need for fixed denominations and also hides TX amounts.

Q4: The best pro I would choose personally is the higher anonymity set bc that is in essence the whole idea behind the crypto movement. However its greatest con is also its greatest weakness bc while it does provide the highest anonymity we have to rely and put trust in a small group of people to set it up and for them to also not turn around and forge their own coins later on at their discretion.

Q5: It does not account for future transactions obscuring it more and more as new TXs increase the anonymity set.

1 Like
  1. doesn’t break the links between transactions but merely obscures it with decoy inputs and outputs and limited anonymity set.
    if there’s a weakness in its ring signature implementation or a reasonably powerful quantum computer becomes feasible, the entire blockchain history is deanonymized and retroactively exposed.
  2. If a coin is minted and spent in too short of a time, they will be easier to be linked by observers; amount spent (same denomination), sender and receiver. Prevention by keeping minted coins in reserve, and only spend coins directly from the mint reserve.
  3. Further expansion on Sigma; no more fixed denominations and possibility of direct spending
  4. Pro: breaking of connection between transactions (no chainanalysis will link transactions now and in the future). Con: zkSNARKs very unproven, untested, not well understood immature tech, compared to Monero’s cryptography which is better understood and battle tested.
  5. It represents UTXO’s in one transaction, but in Monero the overall anonymity increases with the number of transactions.
1 Like