Oddbean new post about | logout
 Relying on Pedersen Commitments and Range Proofs to audit your network is not a real audit.  Any cryptographic flaw or exploit in them could and probably would go unnoticed.  That's the point.  You can't just add up all the coins.  Instead you have to use cryptographic proofs to even know how much monero there is. 
 In that case passively running a node is not a real audit either. Did go through a billion+ transactions and make sure every input/output canceled out? Or are you just trusting your node software to do it correctly for you? If so, what is the difference in practice? 
 In Bitcoin, every node independently verifies every transaction against a fully transparent ledger. The amounts, addresses, and transaction history are all visible and can be checked manually if desired. You don’t just trust the software; you can verify the entire ledger yourself.

In Monero, you can't manually verify individual amounts or trace transactions due to the privacy features like Pedersen commitments and range proofs. You have to trust that these cryptographic methods are flawless and implemented correctly.

So, the key difference in practice is that Bitcoin’s auditability is direct and transparent, while Monero’s is indirect and relies heavily on cryptographic assurances.

Hopefully this quite important difference is clear now. 
 You *can* verify the entire ledger yourself, but *do* you? 

Your argument is akin to saying "I'm not fat because I *can* lift weights (but don't)"

Being able to do something, but never doing it, is functionally indistinguishable. Otherwise you're just trusting others.

The few that do actually audit are able to truly say that, but passive Bitcoin node runners have no/much weaker arguments against Monero. Most Bitcoiners don't even run a node let alone manually verify. 
 Your analogy of lifting weights to auditing the Bitcoin ledger misses a critical distinction: the default state of a Bitcoin node.

When running a Bitcoin node, the software inherently audits the entire ledger, validating every block, every transaction, every input and output. This process is automated but fully transparent and open to verification at any point. Even if node operators don't manually check each transaction, the protocol ensures that every node is in agreement, validating the integrity of the entire blockchain continuously.

Contrast this with Monero: While it’s true that Monero’s cryptographic methods verify transactions under the hood, the privacy mechanisms mean you cannot independently verify the actual amounts or track the flow of funds. If there were a flaw in the cryptographic assumptions or an undetected bug, inflation could happen unnoticed. The auditability here is limited to what cryptography allows, not to the same degree of direct transparency Bitcoin offers.

Yes, most Bitcoin users might not manually audit every transaction, but they don’t need to. Bitcoin's transparency means anyone can verify and the collective effort of thousands of nodes ensures that fraudulent transactions are spotted and rejected. With Monero, that level of transparency isn't an option due to its privacy focus. The two systems operate under fundamentally different trust models: one based on open transparency and collective verification, and the other on private cryptography. It’s not about what you can do in theory but what the system allows you to verify independently at any time 
 In other words you're trusting proper software implementation and other Bitcoiners to verify for you. Double spend bugs have already happened in the past that passive node runners didn't detect on Bitcoin and can happen again. Only "manual verifiers" are relevant and unique in this regard and have a real argument. If you don't do this you are not much different from any Monero node runner.

The last part is basically: "Yea I'm strong because my friend lifts weights" 

To keep to the analogy, while your one friend can help you lift something heavy once in awhile, that doesn't make *you* strong, and you're still trusting/relying on him to lift heavy things for you (relying on a few other Bitcoiners to verify for you AKA trusting) 
 In Bitcoin, every node does more than just 'rely on others'—it independently validates all transactions and blocks against the full ledger. This isn't the same as saying 'my friend lifts weights for me.' It's more like being part of a gym where everyone lifts weights regularly. Each node in the Bitcoin network continuously checks for double spends, invalid blocks, or any deviations from the protocol, and nodes would reject such anomalies automatically. Yes, this process is automated, but it is still a form of active verification. Passive node runners are still contributing to the security and decentralization of the network by running this software.

Yes, there have been bugs and issues in Bitcoin's history, but the key difference is transparency. When a bug or double spend occurs, it's visible on the public ledger, and anyone can examine the blockchain to understand what happened. This isn't true for Monero due to its obfuscated transaction data. If a flaw exists in Monero's cryptographic assumptions, detecting it without transparency would be far more challenging, especially for passive users who can only rely on cryptographic proofs, not visible transactions.

Your argument suggests that because most Bitcoiners don’t manually audit transactions, they’re akin to Monero node runners. However, Monero node runners can't manually verify the total supply or audit individual transactions because the protocol doesn't allow it. The difference isn't about whether or not individual users actively engage in auditing; it’s about the system's openness and the ability for anyone, at any time, to verify the entire ledger if they choose.

So, while some Bitcoin users might rely on the broader network to audit the blockchain, they still could audit independently if they wished. This inherent capability provides a level of assurance and trust that isn’t dependent solely on cryptographic methods, unlike Monero. The option to verify independently or trust the network is a choice Bitcoin offers, while Monero, due to its privacy focus, inherently restricts this transparency."

 
 What you say is we need an independent script that verifies the Monero supply. It's actually a great idea as this has been the most prominent critique from maxis.

Pedersen commitments are well understood. 
 It's trivial to do this, learn to code 
 from monero.backends.jsonrpc import JSONRPCDaemon
from monero.transaction import Transaction

# Connect to your Monero node's JSON-RPC server
daemon_rpc_host = "127.0.0.1"
daemon_rpc_port = "18081"
rpc_user = "your_rpc_username"
rpc_password = "your_rpc_password"

daemon = JSONRPCDaemon(host=daemon_rpc_host, port=daemon_rpc_port, user=rpc_user, password=rpc_password)

def verify_monero_supply():
    try:
        # Step 1: Verify total mined supply based on the emission schedule
        total_mined = 0.0
        last_block_height = daemon.info().height - 1

        for block_height in range(1, last_block_height + 1):
            block = daemon.get_block_by_height(block_height)
            # Verify block reward aligns with the expected reward
            total_mined += block.reward

        # Step 2: Verify cryptographic proofs in each transaction
        for block_height in range(1, last_block_height + 1):
            block = daemon.get_block_by_height(block_height)
            for txid in block.tx_hashes:
                tx = daemon.get_transaction(txid)
                transaction = Transaction(tx)
                # Verify Pedersen Commitments
                if not transaction.verify_pedersen_commitments():
                    print(f"Failed Pedersen commitment verification in transaction {txid}")
                    return
                # Verify Bulletproofs (range proofs)
                if not transaction.verify_bulletproofs():
                    print(f"Failed Bulletproof verification in transaction {txid}")
                    return
                # Verify Ring Signatures
                if not transaction.verify_ring_signatures():
                    print(f"Failed Ring Signature verification in transaction {txid}")
                    return

        print(f"Total Monero Mined: {total_mined:.12f} XMR")
        print("All cryptographic proofs verified successfully. No inflation detected.")

    except Exception as e:
        print(f"An error occurred during verification: {e}")

if __name__ == "__main__":
    verify_monero_supply()



There you go.  The problem is it relies on complex cryptography to accomplish this, which is one of the criticisms of Monero.  For more details study the library's implementation of 
verify_pedersen_commitments
verify_bulletproofs
verify_ring_signatures

As far as pedersen being well understood... by whom, by you?  I don't think so. 
 "On the other hand, we need computers, and the method will convince only those that trust both math and the computer they use."


https://crypto.stackexchange.com/questions/64437/what-is-a-pedersen-commitment#64443


Not a cryptographer, but the math behind is not so difficult. But as the commentor of the link wrote. There is trust involved in math and in the machine you use.

I'd suggest you to talk ti some of the cryptographers you'll find in the Monero community.

For some use cases it is not acceptable to trust, in that cases Bitcoin is preferable over Monero. For other use cases the trust is acceptable.

Most Monero supporters also have been early Bitcoiners. Therefore hold huge bags of both coins. Would I ever consider to spend Bitcoin without going through Monero first? No, because I don't know the future and how the future dictators will treat my financial past. Do I treat Bitcoin as a store of value. Yes.

By the way. Monero is a rather stable coin, like you'd expect from a currency.


 
 Your argument seems to focus around what _I_ do.. It's not about me.  The point is ANYONE can audit it.  In Monero, no one can.

If you still don't understand the difference between active auditing and an inability to audit the total supply then I am not sure how much more I can help you understand. 
 I'm pointing out that if this is your argument against Monero there is little difference between that and the vast majority of Bitcoiners in practice.

How many Bitcoiners run nodes? 
How many of those node runners are actively verifying it's transparent input/outputs- 0.001%?
Far fewer than you make it seem.

An advantage that one never takes advantage of...is not an advantage 
 I'm not arguing "against Monero" I'm simply helping you understand the differences between an open public ledger that can easily be audited with someone with basic python skills and a protocol that requires complex cryptographic proofs just to ask it how many coins there are. 
 Now you too can manually audit the bitccoin without employing and cryptographic proofs:

def audit_bitcoin_supply():
	block_count = rpc_connection.getblockcount()
	total_supply = 0.0
	total_utxo_amount = 0.0
	for block_number in range(0, block_count + 1):
		block_hash = rpc_connection.getblockhash(block_number)
		block = rpc_connection.getblock(block_hash)
		coinbase_txid = block['tx'][0]  # Coinbase transaction is always the first transaction
		coinbase_tx = rpc_connection.getrawtransaction(coinbase_txid, True)
		block_reward = sum(vout['value'] for vout in coinbase_tx['vout'])
		total_supply += block_reward
	unspent_txos = rpc_connection.listunspent(0)
	total_utxo_amount = sum(utxo['amount'] for utxo in unspent_txos)
	print(f"Total Bitcoin Supply (based on block rewards): {total_supply:.8f} BTC")
	print(f"Total Bitcoin in UTXOs: {total_utxo_amount:.8f} BTC")
	print(f"Difference: {total_supply - total_utxo_amount:.8f} BTC") 
 You can't audit fractional reserves in CEX. Not for Bitcoin and not for Monero. 
 People who fractionally reserve bitcoin go bankrupt.  See FTX for details.

Rehypothecating the most bullish asset in human history in it's infancy when volatility is incredibly high is not something experienced asset managers would even consider.  It takes a fool like SBF to have the hubris to even attempt it.  And you see where that ended him up, in a prison cell. 
 Those who don't know how to operate proper fractional reserves go bankrupt.

Binance for example managed quite well so far.

Coinbase and BlackRock will only go bankrupt when USD hyperinflates as they can print as many USD for cash settled ETFs as they need to not default on bad trades thanks to the BlackRock-FED connection. 
 And what proof do you have that binance fractionally reserves things?  You have none this is just speculation and conjecture. 
 Well, as you are not new you seem to have ignored the discussions around it for at least 3 to 4 years. What does that tell me about you?

It at least tells me that most Bitcoiners so far did not learn anything from Monero's past which to me signals that Bitcoin is not fit to challenge the state apparatus. You either do have exceptional observation, adversarial thinking and executing strategies (like early Btcoiners from 2009-2012) or you will get played by forces that do.

 
 For a starter try to use a search engine and put in Binance + fractional reserves then read up on a ton of observations, test runs, withdrawal issues,... 
 Yes but I don't care in the least.  I give exactly 0.00000000 fucks about Binance or if/when/where/why they are defrauding people. 
 There are very real threats to bitcoin, Binance is not one of them. 
 I don't care if Binance is rehypothecating bitcoin.  It matters nothing to me, nor to bitcoin.  Anyone stupid enough to do that will be exposed in the end.

Binance is no threat to bitcoin. 
 do you see how easy that was?  Simple arithmetic.  Now compare that to the logic required to attempt to verify Monero:

transaction.verify_pedersen_commitments():
transaction.verify_bulletproofs():
transaction.verify_ring_signatures():

have a look in the Monero python cryptography libraries for those functions.  So much for simple arithmetic.  They are vastly complex, certainly beyond my ability to understand.  Maybe you're a better software engineer and cryptographer than me.

So your argument that "Monero can be audited too" is just simply invalid.  It's not the same, apples and oranges.
 
 But what if you're the vast majority of Bitcoiners that never do that "simple arithmetic"

You just keep bragging to us that you can (but don't ever do it) 
 I just fucking did it for you, lol.  Run that script and see for yourself. 
 I know and I see that. But it still doesn't avoid that the vast majority of Bitcoiners don't do this. They don't even run a node.

For those that do (and do so often) I already agreed they have a reasonable argument against Monero if they want the best possible verifiability/auditability 
 In short.  To remain thin ANYONE can lift weights.  It's possible to make others thin if enough people lift weights.  Unlike Monero where you rely on cryptographic proof to lose weight.

I hope you now understand this fundamental difference. 
 I think we're talking past each other and arguing different points  
 yes that's entirely possible and would explain why we keep repeating ourselves.

The reason I brought up Monero at all in this conversation was that I was suggesting Bitcoin is feature complete, and that adding new opcodes, while they could potentially add some marginal improvement, are incredibly risky and irresponsible.  

Someone suggested that bitcoin should have privacy and I was attempting to explain why that can't really happen and some of the tradeoffs associated with it. 
 A #Bitcoin node audits the entirety of the history from the beginning and at all times. It’s all open and I’m sure you know this.

But your argument is essentially the equivalent of saying that nobody has any idea if they ever did their accounting properly because they’re just trusting their calculator… I’m sorry, but that’s a very poor argument that has no value in the real world, only in some silly hypothetical. (I.e. in practice it actually just works very easily)

It would be extremely obvious if a node software didn’t do the simple job of auditing the open #Bitcoin timechain history. You can just look to see if something’s wrong.

Funny that you use that example actually, because something like Monero doesn’t get that benefit. If the BTC audit was messed up you *could* check it very easy on pen and paper. If there’s something wrong with bulletproof or ring signature implementation/value outputs, how long before somebody figures it out? Literally nothing would stand out as obviously incorrect or flawed. 🤔

In addition, all cryptography has a shelf life. If your amounts are separate from the signatures, you can update the cryptography to fix a vulnerable system. Bitcoin can continue to work indefinitely, even if/when quantum computers start to threaten its ownership assurances. Something that uses cryptography to obscure the amounts, however, doesn’t get that benefit. You’d have to disallow any and all use of the old system, essentially a reset, because broken cryptography means you now have no clue how many coins there are. Even allowing 1 old signature becomes a risk to the entire thing. The supply matters first and foremost above everything. Without it being immutable, the “money” doesn’t even exist. This is why, despite all the reasons we’ve wanted privacy in the foundation of Bitcoin, nothing has persisted and the trade off on the long term is too much. It just makes more sense to build it into higher layers, than at the base, unless we can find some way to obscure the ownership of many different amounts within a UTXO that doesn’t threaten the full audit in any way.

(Also I don’t see what note you are responding to, so I might have missed some context) 
 Yes he's exactly right. 
 "I’m sorry, but that’s a very poor argument that has no value in the real world, only in some silly hypothetical. (I.e. in practice it actually just works very easily)"
Let's say I'm wrong and put aside the "passive" noderunners thing for the moment for the sake of argument, what I also said is that the vast majority of Bitcoin users don't run a node so are simply trusting others . And in those cases they are in a similar situation, if not worse, than Monero noderunners. Maybe you didn't see it, but like I told BitcoinStu, I don't disagree with anything you're saying about Bitcoin noderunnners.

"It would be extremely obvious if a node software didn’t do the simple job of auditing"
It's not so obvious to me. We have several examples in Bitcoins history where it wasn't necessarily so obvious to everyone running a node. This one required some random anon to even point it out to devs before anyone realized what was going on.
bitcoincore.org/en/2018/09/20/notice

"Funny that you use that example actually, because something like Monero doesn’t get that benefit. If the BTC audit was messed up you *could* check it very easy on pen and paper"
I never claimed that it did. And I agree you *could* with Bitcoin but who *does* in the real world, honestly? If a couple users do this, and do so often, how does it change the fact that 99.9% aren't verifying themselves? They can't claim the benefits of a transparent chain as you are saying because they never take advantage of those properties. I can shout until I'm blue in the face that I *can* do something, but I never actually did it until I *do* it.

"You’d have to disallow any and all use of the old system, essentially a reset, because broken cryptography means you now have no clue how many coins there are"
Pretty sure Zcash kept their supply sound and got around this scenario by using turnstiles, but not an ideal solution for sure (exploiters can leave legit user SooL)

I think we can agree that each method isn't perfect and has it's own downsides (basechain privacy vs basechain auditability)
Each project has different priorities and I think they should follow them to their conclusions
At least that will show us what works in practice (maybe they'll each succeed in a different way)

If I can ultimately transact with strong privacy, on Monero or some layer of Bitcoin, without any severe trade-offs to self-custody or permissionlessness, it's a win/win for me.