 A #Bitcoin node audits the entirety of the history from the beginning and at all times. It’s all open and I’m sure you know this.

But your argument is essentially the equivalent of saying that nobody has any idea if they ever did their accounting properly because they’re just trusting their calculator… I’m sorry, but that’s a very poor argument that has no value in the real world, only in some silly hypothetical. (I.e. in practice it actually just works very easily)

It would be extremely obvious if a node software didn’t do the simple job of auditing the open #Bitcoin timechain history. You can just look to see if something’s wrong.

Funny that you use that example actually, because something like Monero doesn’t get that benefit. If the BTC audit was messed up you *could* check it very easy on pen and paper. If there’s something wrong with bulletproof or ring signature implementation/value outputs, how long before somebody figures it out? Literally nothing would stand out as obviously incorrect or flawed. 🤔

In addition, all cryptography has a shelf life. If your amounts are separate from the signatures, you can update the cryptography to fix a vulnerable system. Bitcoin can continue to work indefinitely, even if/when quantum computers start to threaten its ownership assurances. Something that uses cryptography to obscure the amounts, however, doesn’t get that benefit. You’d have to disallow any and all use of the old system, essentially a reset, because broken cryptography means you now have no clue how many coins there are. Even allowing 1 old signature becomes a risk to the entire thing. The supply matters first and foremost above everything. Without it being immutable, the “money” doesn’t even exist. This is why, despite all the reasons we’ve wanted privacy in the foundation of Bitcoin, nothing has persisted and the trade off on the long term is too much. It just makes more sense to build it into higher layers, than at the base, unless we can find some way to obscure the ownership of many different amounts within a UTXO that doesn’t threaten the full audit in any way.

(Also I don’t see what note you are responding to, so I might have missed some context) 
 Yes he's exactly right. 
 "I’m sorry, but that’s a very poor argument that has no value in the real world, only in some silly hypothetical. (I.e. in practice it actually just works very easily)"
Let's say I'm wrong and put aside the "passive" noderunners thing for the moment for the sake of argument, what I also said is that the vast majority of Bitcoin users don't run a node so are simply trusting others. And in those cases they are in a similar situation, if not worse, than Monero noderunners. Maybe you didn't see it, but like I told BitcoinStu, I don't disagree with anything you're saying about Bitcoin noderunners.

"It would be extremely obvious if a node software didn’t do the simple job of auditing"
It's not so obvious to me. We have several examples in Bitcoin's history where it wasn't necessarily so obvious to everyone running a node. This one required some random anon to even point it out to devs before anyone realized what was going on.
bitcoincore.org/en/2018/09/20/notice

"Funny that you use that example actually, because something like Monero doesn’t get that benefit. If the BTC audit was messed up you *could* check it very easy on pen and paper"
I never claimed that it did. And I agree you *could* with Bitcoin but who *does* in the real world, honestly? If a couple users do this, and do so often, how does it change the fact that 99.9% aren't verifying themselves? They can't claim the benefits of a transparent chain as you are saying because they never take advantage of those properties. I can shout until I'm blue in the face that I *can* do something, but I never actually did it until I *do* it.

"You’d have to disallow any and all use of the old system, essentially a reset, because broken cryptography means you now have no clue how many coins there are"
Pretty sure Zcash kept their supply sound and got around this scenario by using turnstiles, but not an ideal solution for sure (exploiters can leave legit user SooL)

I think we can agree that each method isn't perfect and has its own downsides (basechain privacy vs basechain auditability)
Each project has different priorities and I think they should follow them to their conclusions
At least that will show us what works in practice (maybe they'll each succeed in a different way)

If I can ultimately transact with strong privacy, on Monero or some layer of Bitcoin, without any severe trade-offs to self-custody or permissionlessness, it's a win/win for me.
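The first post says the supply audit a transparent chain allows is simple enough to check by hand, and the reply points to the 2018 Bitcoin Core notice as a case where node software failed that audit without anyone noticing for a while. The toy auditor below is an added example written for this thread, not code from either poster or from Bitcoin Core. It walks a constructed list of blocks, tracks the UTXO set, rejects a transaction that lists the same input twice or spends an output that no longer exists, rejects a coinbase that claims more than subsidy plus fees, and finally confirms that the coins in the UTXO set equal the coins minted. It uses the real subsidy parameters (50 BTC, halving every 210,000 blocks, zero after 64 halvings) but skips everything else a real node does (scripts, signatures, coinbase maturity, proof of work); the block and transaction ids are made up.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

COIN = 100_000_000            # satoshis per bitcoin
INITIAL_SUBSIDY = 50 * COIN   # real Bitcoin parameters (assumed known)
HALVING_INTERVAL = 210_000

Outpoint = Tuple[str, int]    # (txid, output index)


def subsidy(height: int) -> int:
    """Block reward allowed at this height under the halving schedule."""
    halvings = height // HALVING_INTERVAL
    return 0 if halvings >= 64 else INITIAL_SUBSIDY >> halvings


def max_minted_by(height: int) -> int:
    """Upper bound on coins that can exist after block `height` is applied."""
    return sum(subsidy(h) for h in range(height + 1))


@dataclass
class Tx:
    txid: str
    inputs: List[Outpoint]   # empty for a coinbase
    outputs: List[int]       # amounts in satoshis


@dataclass
class Block:
    height: int
    txs: List[Tx]            # txs[0] must be the coinbase


class AuditError(Exception):
    """Raised the moment the chain violates an accounting rule."""


def audit_chain(blocks: List[Block]) -> Dict[str, int]:
    """Replay every block; return the audited totals or raise AuditError."""
    utxo: Dict[Outpoint, int] = {}
    minted = 0
    for block in blocks:
        coinbase, body = block.txs[0], block.txs[1:]
        if coinbase.inputs:
            raise AuditError(f"block {block.height}: coinbase must not spend inputs")
        fees = 0
        for tx in body:
            # Duplicate outpoint inside one transaction: caught before any lookup,
            # so a later removal from `utxo` cannot hide the second copy.
            if len(set(tx.inputs)) != len(tx.inputs):
                raise AuditError(f"block {block.height}: {tx.txid} has duplicate inputs")
            in_sum = 0
            for op in tx.inputs:
                if op not in utxo:   # already spent, or never existed
                    raise AuditError(f"block {block.height}: {tx.txid} spends unknown {op}")
                in_sum += utxo[op]
            out_sum = sum(tx.outputs)
            if out_sum > in_sum:
                raise AuditError(f"block {block.height}: {tx.txid} creates coins")
            fees += in_sum - out_sum
            for op in tx.inputs:
                del utxo[op]
            for i, amt in enumerate(tx.outputs):
                utxo[(tx.txid, i)] = amt
        claimed = sum(coinbase.outputs)
        if claimed > subsidy(block.height) + fees:
            raise AuditError(f"block {block.height}: coinbase claims {claimed} > allowed")
        for i, amt in enumerate(coinbase.outputs):
            utxo[(coinbase.txid, i)] = amt
        minted += claimed - fees   # fees are recycled, only the subsidy is new money
    circulating = sum(utxo.values())
    if circulating != minted:
        raise AuditError("UTXO total does not match minted coins")
    return {"minted": minted, "circulating": circulating, "utxos": len(utxo)}


def constructed_chain(coinbase2_amount: int, dup_input: bool = False) -> List[Block]:
    """Three constructed blocks; block 2 spends block 0's coinbase with a 0.1 BTC fee."""
    spend_inputs = [("cb0", 0), ("cb0", 0)] if dup_input else [("cb0", 0)]
    return [
        Block(0, [Tx("cb0", [], [50 * COIN])]),
        Block(1, [Tx("cb1", [], [50 * COIN])]),
        Block(2, [Tx("cb2", [], [coinbase2_amount]),
                  Tx("t1", spend_inputs, [4_990_000_000])]),
    ]


def audit_or_reason(blocks: List[Block]) -> str:
    """Helper for the demo: the audit result or the reason it failed."""
    try:
        return f"ok {audit_chain(blocks)}"
    except AuditError as e:
        return f"REJECTED: {e}"


if __name__ == "__main__":
    print(audit_or_reason(constructed_chain(50 * COIN + 10_000_000)))   # honest
    print(audit_or_reason(constructed_chain(50 * COIN + 20_000_000)))   # inflation
    print(audit_or_reason(constructed_chain(50 * COIN + 10_000_000, dup_input=True)))
```

The honest chain audits to 150 BTC minted and 150 BTC circulating; the other two are rejected at block 2. The point the example makes is the one in the thread: with transparent amounts, every rule here is plain integer arithmetic over public data, so an independent implementation written in an afternoon can disagree with the reference node and expose a bug of the 2018 kind. With hidden amounts the same disagreement can only be expressed through the proof system itself.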