The key difference is verifiability: Bitcoin’s supply and transactions are fully transparent and trivially auditable by anyone, while Monero deliberately sacrifices global auditability to achieve strong on-chain privacy, requiring users to trust cryptographic assumptions rather than simple inspection. As a result, Bitcoin is generally considered superior as base-layer money, while Monero excels as private transactional cash.
It is simply an unavoidable trade-off between supply auditability and on-chain privacy.
Today we're going to talk a little bit about cryptography.
This applies to Monero but also to Zcash, although in a slightly different way, but I'll stick to Monero.
I am not saying that Monero is not private; in fact, it is very private. I am not going to deny the obvious, but I am going to explain why, in my opinion, Monero is not a good place to keep your savings for decades.
I will try not to get too technical so that it is easy to understand.
In Monero, two different things must be separated when auditing its supply:
1- Auditing how much XMR has been issued through mining (coinbase):
This can be verified with a node (and is reproducible), because the protocol defines how much each block can pay, and the node can add up the coinbase rewards. This gives you a verifiable number of emissions per block.
Adding up coinbase rewards is useful for mining issuance, but on its own it does not prove that coins were never created through a flaw in private transactions.
2- Auditing that there was never hidden inflation in transactions:
Here, the honest answer is that it cannot be done with absolute certainty, in the sense of being 100% mathematically provable by treating the chain as public accounting, because Monero hides the amounts.
In Monero's official post on supply auditability, they say it as it is: in opaque assets such as Monero or Zcash shielded, it is not possible to simply count the available supply, and therefore there is a risk of implementation flaws leading to inflation that simple public accounting cannot detect.
They even conclude with the key idea: if you need absolute assurance of supply, that pushes you towards a transparent asset; if you hide amounts, you are shifting the assurance to the correctness of the proof/signature system.
So how does Monero prevent inflation on a day-to-day basis?
The nodes do verify that each transaction adds up, but they do so with cryptography:
- In RingCT, the consensus verifies a balance equation in commitments (Pedersen commitments).
- And it also uses range proofs (today Bulletproofs/Bulletproofs+) to ensure that the committed amounts are positive/in range and that you cannot sneak in negative or out-of-range values to fabricate money.
In other words, if we assume that these proofs are correct and that the cryptographic assumptions hold, you should not be able to inflate the supply without the nodes rejecting it.
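As an added illustration (not Monero's code or its parameters), here is a toy version of the RingCT balance check from the two bullets above, in a small constructed multiplicative group instead of Monero's Ed25519 curve. It shows that the commitment equation alone also passes for a transaction whose hidden output is negative, which is exactly the money fabrication the range proof (here a stand-in `in_range` check) has to block; the generator derivation and amounts are constructed for the example.

```python
import hashlib
import secrets

# Constructed toy parameters: P is a safe prime, Q = (P-1)/2 is the prime order
# of the quadratic-residue subgroup of Z_P^*. Monero uses Ed25519 instead.
P, Q = 1019, 509
G = 4  # a square, so it generates the order-Q subgroup

def _hash_to_group(label: bytes) -> int:
    """Second generator H with no *known* log w.r.t. G (hash, then square).
    At this toy size the log is trivially brute-forceable; real parameters are not."""
    for ctr in range(256):
        x = int.from_bytes(hashlib.sha256(label + bytes([ctr])).digest(), "big") % P
        h = pow(x, 2, P)
        if h not in (0, 1):
            return h
    raise RuntimeError("could not derive H")

H = _hash_to_group(b"pedersen-H")

def commit(value: int, blind: int) -> int:
    """Pedersen commitment C = G^value * H^blind (mod P): hides value, binds it mod Q."""
    return pow(G, value % Q, P) * pow(H, blind % Q, P) % P

def balance_holds(inputs: list[int], outputs: list[int], fee: int) -> bool:
    """What the node checks: prod(inputs) == prod(outputs) * G^fee, i.e.
    sum(in values) == sum(out values) + fee (mod Q), without seeing any value."""
    lhs, rhs = 1, pow(G, fee % Q, P)
    for c in inputs:
        lhs = lhs * c % P
    for c in outputs:
        rhs = rhs * c % P
    return lhs == rhs

def build_tx(in_amounts: list[int], out_amounts: list[int]) -> tuple[list[int], list[int]]:
    """Prover side (honest or not): commit to amounts, choosing the last output
    blind so the blinding factors cancel and only the values decide balance."""
    in_blinds = [secrets.randbelow(Q) for _ in in_amounts]
    out_blinds = [secrets.randbelow(Q) for _ in out_amounts[:-1]]
    out_blinds.append((sum(in_blinds) - sum(out_blinds)) % Q)
    ins = [commit(v, r) for v, r in zip(in_amounts, in_blinds)]
    outs = [commit(v, r) for v, r in zip(out_amounts, out_blinds)]
    return ins, outs

def in_range(amount: int, bits: int = 6) -> bool:
    """Stand-in for what a range proof attests about a hidden output:
    0 <= amount < 2**bits, with bits small enough that output sums cannot wrap mod Q."""
    return 0 <= amount < 2**bits

def node_accepts(ins, outs, fee, range_proofs_ok) -> bool:
    """Consensus accepts only if the balance equation AND every range proof hold."""
    return balance_holds(ins, outs, fee) and all(range_proofs_ok)
```

If `balance_holds` alone were the rule, an output committing to -5 (or to 10 + Q) would be accepted and the extra coins would never show up in any public count; that is the failure mode a soundness bug in the range proof would reintroduce.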
Why is it still not absolute certainty?
Because, as in Zcash Sprout, the hard problem is that if there were a soundness flaw or an implementation bug that allowed invalid but accepted proofs to be generated, the inflation could be undetectable to an outside observer who is just trying to add up coins, precisely because the amounts are hidden.
So if there really was undetected inflation, then it is plausible that the cryptographic checks as implemented at the time would not have detected it either. And, depending on the type of flaw, there is no guarantee that you can detect it retroactively today either.
For this reason, Bitcoin did not and will not adopt these privacy methods because they would destroy one of its main features, the 100% verifiable supply.