Hacker News
by FiloSottile 3445 days ago
And as others said before, Monero does some sketchy weak mixing of something like 100 tx, which is really not enough for long term anonymity (think what happens when the other 99 outputs are spent). EDIT: there are a couple of papers linked in a child comment that seem to analyze this which I haven't read entirely yet; the following two points still stand.

You don't need an exchange to use z-addresses, just receive into a one-use t, and then make it disappear into your main z-address yourself.

Finally, you have to trust that AT LEAST ONE won't collude, because you need all pieces to fake Zcash, which is very different.

Enough with this FUD. It's innovative tech, I expected HN to appreciate it more than the usual cryptocurrency circles.


Hello Mr. Cloudflare, your whole understanding of how XMR works seems to be wrong; there's no concept of spent outputs at all. To deanonymize a tx with a certain certainty one would have to own around 83% of the network's outputs.

There's a good academic read about this here: https://lab.getmonero.org/pubs/MRL-0001.pdf and here: https://lab.getmonero.org/pubs/MRL-0004.pdf

There's also a privacy improvement which goes into effect in about 25 hours or so with the next hard fork, called RingCT, which has been peer reviewed by the Ledger journal: http://www.ledgerjournal.org/ojs/index.php/ledger/article/do...

Optional privacy a la Zcash is broken by design and cannot work: you are still able to have tainted coins and do blacklisting etc., so it's effectively useless. It also opens up a whole world of other attack vectors, like this one: https://github.com/zcash/zcash/issues/1360#issuecomment-2461...

A good read for everyone unbiased, though a bit old, is here (it explains the inner workings): https://lab.getmonero.org/pubs/MRL-0003.pdf

There are a whole bunch of other downsides to Zcash too:

- multisig with z-addresses seems not to be possible.

- Using z-addresses on a smartphone or HW device like Trezor is too resource intensive.

Looks like a privacy disaster to me, as no one will be using it.

20% of the mining goes to the controlling corporation. This is not decentralization; it's a blatant grab at your wallet.
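As an added illustration of the point argued above (the "think what happens when the other 99 outputs are spent" remark and the MRL-0001 paper linked in the reply), here is an editorial toy model of the chain-reaction analysis that paper describes. It is not code from either commenter, from Monero or from Zcash. Each ring-signature input is modelled simply as a set of candidate output ids (the real spend plus decoys); the output ids and ring contents are constructed sample data. The one rule used is that an output can be the real spend of at most one input, so once an output is known to be spent it can be struck from every other ring in which it appears as a decoy, and that can shrink other people's rings to a single candidate in turn.

```python
from typing import Dict, Set, Tuple

# Constructed sample data (not from any real chain): each input maps to the
# set of output ids it could be spending. One of them is the real spend, the
# rest are decoys ("mixins").
SAMPLE_RINGS: Dict[str, Set[str]] = {
    "in1": {"o1"},               # 0-mixin input: trivially a known spend of o1
    "in2": {"o1", "o2"},         # o1 is already spent, so in2 must spend o2
    "in3": {"o2", "o3", "o4"},   # after striking o2 this is still ambiguous
    "in4": {"o3"},               # another 0-mixin input: o3 is spent
    "in5": {"o5", "o6", "o7"},   # shares nothing with the others: stays ambiguous
}


def chain_reaction(rings: Dict[str, Set[str]]) -> Tuple[Dict[str, str], Dict[str, Set[str]]]:
    """Iteratively shrink rings by removing outputs already known to be spent.

    Returns (resolved, remaining): resolved maps an input to the single output
    it must be spending; remaining maps every still-ambiguous input to its
    surviving candidate set. The caller's dict is not modified.
    """
    remaining = {name: set(cands) for name, cands in rings.items()}
    resolved: Dict[str, str] = {}
    spent: Set[str] = set()

    changed = True
    while changed:
        changed = False
        for name, cands in list(remaining.items()):
            # An output can be the real spend of only one input, so every
            # known-spent output is a decoy wherever else it appears.
            cands -= spent
            if len(cands) == 1:
                (real,) = cands
                resolved[name] = real
                spent.add(real)
                del remaining[name]
                changed = True
            elif not cands:
                raise ValueError(f"{name}: all candidates already spent; inconsistent data")
    return resolved, remaining


def effective_ring_sizes(rings: Dict[str, Set[str]]) -> Dict[str, int]:
    """Ring size each input is left with after the chain reaction (1 = deanonymized)."""
    resolved, remaining = chain_reaction(rings)
    sizes = {name: 1 for name in resolved}
    sizes.update({name: len(cands) for name, cands in remaining.items()})
    return sizes


if __name__ == "__main__":
    resolved, remaining = chain_reaction(SAMPLE_RINGS)
    for name in SAMPLE_RINGS:
        before = len(SAMPLE_RINGS[name])
        if name in resolved:
            print(f"{name}: ring size {before} -> 1, real spend is {resolved[name]}")
        else:
            print(f"{name}: ring size {before} -> {len(remaining[name])}, candidates {sorted(remaining[name])}")
```

Note that in3 started with three candidates and chose honestly, yet it ends up fully resolved purely because of what in1, in2 and in4 did; that dependence on other users' rings is the long-term concern, and the linked MRL papers quantify it for the real chain rather than for this constructed example.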
I hope there is no need to spell out that my understanding of the Monero technology is not an official position of my employer, is there?
No, I just called you that way as I saw your talk at 33c3 about TLS :)
Your lack of understanding of how Monero works is embarrassing. Please educate yourself before commenting!

As to the trusted setup, there are a few salient points:

- you don't have to "just trust one participant": what if 3 of them collude and 3 were compromised?

- every participant booted off the same ISO, which was provided by a single person. The claim is that the ISO can be built deterministically, but that still does not prevent it being compromised in subtle ways, and it seems that hardly anyone has bothered to try to verify the ISO build process even subsequent to the ceremony.

- even when there was clear evidence that someone's phone was compromised, the ceremony went ahead. This is a huge red flag - why not just stop the ceremony and rethink it, given the fact that there was obvious infiltration?

- why only 6 participants? Why were they chosen by Zooko? Why was there no open application process where applicants could be considered by the community? Why were no members of academic institutions involved as participants?

The way the trusted setup was conducted is shocking; this is privacy theatre at best.

On your closing remark about it being innovative: nobody doubts that the ZeroCash white paper is innovative, but it is also too new for us to be trusting it. Would you advocate for TLS 1.3 to default to only use some encryption method that was in a very recent, largely unreviewed whitepaper, especially when that whitepaper contains math that is particularly hard to grok (Greg Maxwell calls it "moon math")? Why do we hold all of our cryptography to such high standards, distrusting everything that is new and unproven, but we're expected to give a financial system a pass? Would you feel the same if all of your net worth was held in that financial system?