Thanks for writing this. I think it is an important point that the safety of "mixing" schemes (including ringsigs) depends on the nature of the "decoy" inputs. I'd like to see a more rigorous analysis of what exactly the requirements are for safety of schemes like the one Monero currently uses, under adversarial conditions.
If someone wanted to gain more ability to break the privacy of future Monero transactions, the way to do it would be to generate lots of dummy transactions between now and then so that the future Monero transactions would accidentally choose your transactions as decoys, thinking that they were getting privacy that way, but actually since those are your transactions, it doesn't provide any privacy from you. Right?
Hello Zooko-Wilcox. You're welcome. Thanks for reading. I had a thread on your Zcash forum bookmarked and was intending to alert you there, but I've been so busy the past few days.
Btw, I'm going to want to talk to y'all about implementing your technology on my upcoming Hypermesh. I will contact you as my project nears the juncture where I want to implement the anonymity technology. I need a cryptographer. I am not one.
I would also.
That is the gist of it, and the prior Monero Research Labs report (MNL-001) only considered the case where the decoys were not being continuously populated. I discussed that in more detail in the comments section of this blog.
P.S. There was some discussion (also archived here) of this comment.
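As an added illustration of the two points above (not code from either commenter, nor from Monero or MRL-001), here is a toy simulation of Zooko's decoy-poisoning scenario combined with the "chain reaction" elimination the reply refers to. The model is an assumption for illustration: decoys are picked uniformly from the whole output set, each ring spends exactly one real output, and any output can be spent only once (as key images enforce in CryptoNote). The attacker strikes its own outputs out of every honest ring, resolves any ring left with a single candidate, and then strikes the revealed spend out of every other ring, repeating until nothing changes. Function names (`direct_break_probability`, `simulate`) and parameters are invented for this example.

```python
import random


def direct_break_probability(attacker_fraction, ring_size):
    """Probability that every decoy in one ring is attacker-owned when decoys
    are drawn uniformly from a pool in which the attacker owns
    `attacker_fraction` of all outputs (assumed model, not Monero's actual
    selection algorithm). Such a ring has exactly one non-attacker member,
    which must be the real spend, so the attacker breaks it outright."""
    return attacker_fraction ** (ring_size - 1)


def simulate(n_outputs, attacker_fraction, ring_size, n_spends, seed=0):
    """Build `n_spends` honest rings over a pool of `n_outputs` outputs and
    return how many the attacker can resolve, first directly and then after
    the chain reaction. All inputs are constructed; `seed` makes runs
    reproducible."""
    if ring_size > n_outputs:
        raise ValueError("ring size cannot exceed the output pool")
    rng = random.Random(seed)
    n_attacker = int(n_outputs * attacker_fraction)
    attacker_owned = set(rng.sample(range(n_outputs), n_attacker))
    honest = [o for o in range(n_outputs) if o not in attacker_owned]
    if n_spends > len(honest):
        raise ValueError("not enough honest outputs to spend")
    real_spends = rng.sample(honest, n_spends)  # distinct: each spent once

    # Each ring: the real spend plus ring_size-1 uniformly chosen decoys.
    rings = []
    for real in real_spends:
        decoys = set()
        while len(decoys) < ring_size - 1:
            d = rng.randrange(n_outputs)
            if d != real:
                decoys.add(d)
        rings.append((decoys | {real}, real))

    # Attacker's view: it knows it never spent its own outputs in an honest
    # ring, so they can be struck from every ring's candidate set.
    candidates = [set(members) - attacker_owned for members, _ in rings]
    direct = sum(1 for c in candidates if len(c) == 1)

    # Chain reaction: a resolved ring reveals which output was really spent;
    # since an output can be spent only once, it is struck from every other
    # ring, which may collapse those rings to a single candidate as well.
    resolved = {}
    changed = True
    while changed:
        changed = False
        for i, cands in enumerate(candidates):
            if i in resolved or len(cands) != 1:
                continue
            (spent,) = cands
            resolved[i] = spent
            changed = True
            for j, other in enumerate(candidates):
                if j != i:
                    other.discard(spent)

    # Sanity check: under these assumptions every resolution is correct,
    # because the real spend is never attacker-owned and never struck out.
    all_correct = all(rings[i][1] == spent for i, spent in resolved.items())
    return {
        "direct": direct,
        "total": len(resolved),
        "all_correct": all_correct,
        "expected_direct_rate": direct_break_probability(attacker_fraction, ring_size),
    }


if __name__ == "__main__":
    for frac in (0.1, 0.3, 0.5, 0.7, 0.9):
        r = simulate(5000, frac, 5, 400, seed=7)
        print(f"attacker owns {frac:.0%}: direct={r['direct']:3d} "
              f"after chain reaction={r['total']:3d} of 400 "
              f"(p^(n-1)={r['expected_direct_rate']:.3f})")
```

The `direct` column tracks p^(n-1): at ring size 5 an attacker owning half the pool breaks about 6% of rings outright, but the chain reaction pushes `total` well above that, which is the effect MRL-001 analyses and which gets worse when the attacker keeps adding outputs over time. In Monero terms the counter is a decoy-selection rule that does not sample uniformly from whatever happens to be in the pool; this toy does not model any such rule.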