by the_stc 2999 days ago
On 2: Monero is almost the same. ShapeShift does 7-15% of all tx at least. How many transactions are actually private after you consider hacks or LE warrants? Those TX are what you depend on to get false spends.

On 3: How many people must agree in order to change something in Monero such as HF parameters like ringsize? There is not a single company but it looks [to an outsider like me] as a similar position.

I chose Monero too for similar reasons inc ZCash people openly saying they support backdoors for LE [but promising ZCash would never have them]. And taking 20% of block reward and not doing anything useful with it [for millions I expect really polished clients and some quick upgrades].

But the low ringsize is weak [hence going from 3 to 5 to now 7]. All ring members are not equal to n^k is very naive. Fee, ringsize, payment ID, in/out count are all metadata that distinguish on-blockchain. Let alone off-blockchain such as keys being hacked/warranted.

Given this and Monero's lack of disclaimer or warning at all about how to use it safely... a paranoid person might suspect ill-motives. [Consider: MyMonero, the Monero 'lead' Web Wallet, goes out of its way to suggest users use a few higher ringsizes to get better privacy, when we know this makes their TX stand out. This is something that presumably he could change with 1 or 2 lines of code but has not.]

1 comments

>On 2: ...How many transactions are actually private after you consider hacks or LE warrants?

That's actually a difficult question. I won't try to estimate here. But IIRC something like 95% of ZCash tx are non-private by user opt in, and the remaining 5% are also vulnerable to things like warrants at the exchange and timing attacks. So the bar is set really low for Monero to have the best anonymity set of all privacy tokens.

>On 3: How many people must agree in order to change something in Monero such as HF parameters like ringsize? There is not a single company but it looks [to an outsider like me] as a similar position.

I think Monero is in a similar-but-better position. True the core team can be compromised and true the core team is more powerful than others. But I view this as a necessary centralization to get the ball rolling. I want the Monero core team to eventually be more hands off. Spagni's "I'm not a CEO" statement inspires confidence.

>But the low ringsize is weak [hence going from 3 to 5 to now 7].

can't wait for bulletproofs!

>All ring members are not equal to n^k is very naive.

I was intentionally very cautious with my words here. What I actually said was "Over the course of k steps the possible transaction history might be in any of n^k states". I did not say that all n^k states are equally likely. The actual amount of entropy in the Monero blockchain is much harder to explain/estimate so I used n^k as an upper bound.
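An added example, not part of any commenter's post: it compares the n^k upper bound discussed above with the Shannon entropy of a k-hop history when ring members are not equally likely. The weights, the set of known decoys and the independence of hops are constructed assumptions for illustration, not measurements of the Monero blockchain.

```python
import math

def shannon_bits(weights):
    """Entropy (bits) of 'which ring member is the real spend' for one ring.
    weights are relative likelihoods; zero means the member is ruled out."""
    total = sum(weights)
    return -sum((w / total) * math.log2(w / total) for w in weights if w > 0)

def upper_bound_bits(n, k):
    """log2(n^k): the bound that holds only if all n members are equally likely."""
    return k * math.log2(n)

def path_bits(rings):
    """Entropy of a k-hop history, ASSUMING hops are independent (bits add up)."""
    return sum(shannon_bits(r) for r in rings)

def eliminate_known(weights, known_decoys):
    """Rule out members an observer already knows were spent elsewhere,
    e.g. outputs whose keys were disclosed. Indices are positions in the ring."""
    return [0.0 if i in known_decoys else w for i, w in enumerate(weights)]

def effective_states(bits):
    """Number of equally likely histories that would give the same entropy."""
    return 2 ** bits

# Constructed sample data: ring size n = 7, k = 3 hops.
N, K = 7, 3
UNIFORM = [1.0] * N              # idealised ring, every member equally likely
SKEWED = [8.0] + [1.0] * 6       # metadata makes one member 8x more likely (assumed)
KNOWN_DECOYS = {5, 6}            # two decoys known to be spent elsewhere (assumed)

def scenarios():
    """Return (label, bits, effective states) for each constructed scenario."""
    cases = [
        ("n^k upper bound", upper_bound_bits(N, K)),
        ("uniform rings", path_bits([UNIFORM] * K)),
        ("skewed rings", path_bits([SKEWED] * K)),
        ("skewed + known decoys", path_bits([eliminate_known(SKEWED, KNOWN_DECOYS)] * K)),
    ]
    return [(label, bits, effective_states(bits)) for label, bits in cases]

if __name__ == "__main__":
    for label, bits, states in scenarios():
        print(f"{label:24s} {bits:6.3f} bits  ~{states:7.1f} states")
```

With these constructed weights the effective number of histories falls from 343 to about 78, and to 27 once the two known decoys are ruled out.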

>and the remaining 5% are also vulnerable to things like warrants at the exchange and timing attacks

I was under the impression that no exchanges handle shielded transactions. What do you mean by timing? I would assume you go t-z-t and leave it quite a while as shielded.

>can't wait for bulletproofs!

Bulletproofs do not help verification time which is why we have low ring size. Going from 5 to 21 ringsize only increases size 8%. 15 is even less, a reasonable compromise on size. There is an unspecified perf target that must be met on verification.

>I would assume you go t-z-t and leave it quite a while as shielded.

Many people skip the "leave it a while" step.

Also you can look at things like x-amount left this exchange and y-amount entered this exchange.