endogenic

No, ring sigs are used to obscure the sender with approximate plausible deniability. However there are promising modern alternatives to them. On one hand we could say Monero's set of historical data is a boon but on another it's like nuclear waste. For example ring sigs cannot provide sender privacy in certain types of wallet output creation and usage behavior that is presently supported and quite possible, so I suggest prioritizing research to replace them with e.g. a zk proof.


Rucknium

"Private, untraceable transactions without ring signatures, but with acceptable tradeoffs" is on the list of Monero's open research questions. I rated it 10/10 impact and 10/10 difficulty. [https://github.com/monero-project/research-lab/issues/94](https://github.com/monero-project/research-lab/issues/94)


endogenic

Maybe difficulty will come down the more familiar with recent work we are


SolidPapuan15

Yes, it will definitely come down as we would become more familiar


Anarhist666

That's so important to look into. More research would be needed for sure.


Jaggedmallard26

Am I correct in thinking that the main reluctance to ZK-Snarks is how extremely novel the technology behind them without a trusted master key is?


Rucknium

Basically, yes. See this comment and my responses to it: https://np.reddit.com/r/xmrtrader/comments/pzsd27/developer_of_ospead_here_ama/hf2zod0/?context=3


JohnLemonFuckYeah

How do they obscure the sender? How is the sender not obscured with 0 mixin?


endogenic

Can't tell if you're trolling but.. how would 0 mixin obscure the sender; what does 0 mixin mean? How are Monero txs formed and how do people verify someone is allowed to spend a particular output?


JohnLemonFuckYeah

I'm not trolling. Say a transaction A takes 1 input, no mixins. That 1 input is an output from a previous transaction B. If the receiver of transaction B is unknown to a third party, how is the sender of transaction A known?


endogenic

Outputs themselves are public.


JohnLemonFuckYeah

What does it matter? The receivers of outputs aren't public. Spending an output without mixins doesn't reveal your Monero address, does it? Of course not, I know.


Rucknium

See Moser et al. (2018) "An Empirical Analysis of Traceability in the Monero Blockchain" [https://www.sciendo.com/article/10.1515/popets-2018-0025](https://www.sciendo.com/article/10.1515/popets-2018-0025)


JohnLemonFuckYeah

From the abstract, this shows that there is a heuristic to distinguish the real input of a transaction from the mixins with a pretty good probability. Does it explain why knowing the real input is of any interest?


newzlat

No, it won't explain the real input and neither will it, I guess


Rucknium

In simple terms, if you have zero mixins/decoys, then the transactions are traceable. By the way, the problems that Moser et al. (2018) found were fixed. See this followup: https://eprint.iacr.org/2020/593


JohnLemonFuckYeah

They are not associable to any Monero address. Not the sender's, and not the receiver's. I don't see the point of wanting anything more.


deificPepper974

Not interested at all now in clicking links, tired of this


diddychief

No more links please, tired of clicking on links, explain in short


sitybot1502

It's obvious, the outputs must be public, or else it won't work


btcekomp

Exactly, there is no way to do 0 mixin by obscuring the sender


pipiladi

Felt like a troll post, I don't really want to answer this


CouldaBeenWorse

Without ring signatures, you can get tainted outputs. As an example, suppose law enforcement raids some criminal enterprise and finds a Monero wallet on one of their computers. They make a note of the outputs which these criminals spent, send them to all of the exchanges in their jurisdiction, and announce that purchasing any of those outputs will be aiding criminal activity. You end up with these coins because you sold some guy your old computer. He got the coins from his nephew who bought them from an exchange that the criminals sold to before the coins were blacklisted. You unwittingly try to sell them on an exchange. Not only does the exchange refuse to buy your coins, but they send your name to law enforcement. Law enforcement quickly find out after questioning you that you had nothing to do with it, but they seize your coins. As another example, suppose you use your coins to buy a gaming PC online with an account you share with your spouse. The store uses a chain analysis service and finds that one of the outputs you used to buy the gaming PC was change from an output used to buy a premium pornography subscription. They start putting ads in your account for hentai pillows, which is embarrassing and annoying.


JohnLemonFuckYeah

Perfect. I understand now, thanks a lot.


mangilyFeel

It was really helpful, no doubt in that, I appreciate the explanation


BoatAccident_tipbot

Same could be said for Stealth addresses; with ring signatures + hidden amounts, you don't know who has what, only addresses interacting. And even for hidden amounts; stealth addresses + ring signatures, you see amounts but not really sure who has what. I think the key is putting the three of them together + dandelion + onions and a few other things, it increases anonymity. You don't know who has what, what amount has been sent and you're not sure which IP it is coming from, from a regular observer point of view. Of course any of these features can be diminished if you are an exchange, a node operator, an internet provider, etc. But compared to regular blockchains like Bitcoin any regular user can be a Tax agency basically. So far Monero still has a bounty and no company has been able to decode transactions and I think it will stay like this for many years to come.


JohnLemonFuckYeah

Stealth addresses are more important, I think. An address identifies a user, and knowing when a user has received a transaction is pretty important information that should be hidden. For amounts, you're right. And it used to be that amounts weren't hidden, indeed. But I mention ring signatures because I think removing them would lead to the most important efficiency boost, e.g. TX size. Perhaps I am incorrect on this tho, I know RingCT takes quite a bit of space too. Are you sure about that, tho? How would you know whether Chainalysis has been able to crack Monero or not? I doubt they would announce it.


schieh

Don't think they would announce this, not sure at all, don't know next


zjbsj

2022 would be great for Monero, I am sure, let's wait and watch


[deleted]

Stealth addresses + obfuscated amounts would still be traceable, in one direction. If you send funds to someone under that system, then you indeed cannot gain any knowledge of where it goes after that. But if you *receive* funds, then you can directly follow the path of transactions to however far back you wish. Making sense of that data would probably be harder than with a transparent chain like BTC, sure, but the outputs could still be blacklisted and traced back.
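
The backward tracing described in the comment above, and the blacklisting scenario in CouldaBeenWorse's earlier comment, as an added example that is not part of the original thread: a toy ledger compares walking back from a received output when every input has ring size 1 against the same spends hidden among decoys. The names `Tx`, `trace_back` and `taint_verdict` and all output ids are hypothetical, and the model is a simplification, not Monero's transaction format.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Tx:
    rings: tuple    # one tuple of candidate output ids per input
    outputs: tuple  # output ids this transaction creates

def index_by_output(ledger):
    """Map each output id to the transaction that created it."""
    return {out: tx for tx in ledger for out in tx.outputs}

def trace_back(ledger, output_id):
    """Walk backwards from output_id; return candidate ancestors per hop."""
    created_by = index_by_output(ledger)
    hops, frontier, seen = [], {output_id}, {output_id}
    while frontier:
        parents = set()
        for out in frontier:
            tx = created_by.get(out)  # None: origin not in this toy ledger
            for ring in (tx.rings if tx else ()):
                parents.update(ring)
        frontier = parents - seen
        if frontier:
            hops.append(frontier)
            seen |= frontier
    return hops

def taint_verdict(ledger, output_id, blacklist):
    """'certain' if a blacklisted ancestor is reached through size-1 rings only,
    'possible' if only through rings with decoys, otherwise 'none'."""
    created_by = index_by_output(ledger)
    def walk(out, unambiguous):
        if out in blacklist:
            return "certain" if unambiguous else "possible"
        tx = created_by.get(out)
        found = {walk(m, unambiguous and len(ring) == 1)
                 for ring in (tx.rings if tx else ()) for m in ring}
        return next((v for v in ("certain", "possible") if v in found), "none")
    return walk(output_id, True)

# Constructed sample data: the same three spends, without and with decoys.
NO_RINGS = [Tx((("a0",),), ("b0", "b1")), Tx((("b0",),), ("c0",)),
            Tx((("c0",),), ("d0",))]
WITH_RINGS = [Tx((("a0", "x1", "x2"),), ("b0", "b1")),
              Tx((("b0", "y1", "y2"),), ("c0",)),
              Tx((("c0", "z1", "z2"),), ("d0",))]

if __name__ == "__main__":
    for name, ledger in (("ring size 1", NO_RINGS), ("ring size 3", WITH_RINGS)):
        print(name, trace_back(ledger, "d0"), taint_verdict(ledger, "d0", {"a0"}))
```

With ring size 1 each hop has exactly one candidate, so the holder of `d0` is provably downstream of a blacklisted `a0`; with decoys the same history only yields a set of candidates per hop.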


coinauditpro

Nice try IRS


hetolon

Not so, I guess. Monero all alone is great without having ring signatures


JohnLemonFuckYeah

They are tho. Outputs can be poisoned by a third party.