Oddbean
 I'm not sure what you mean by "there is no proof". Proving you own the private key that can spend a UTXO without revealing that private key (asymmetric cryptography) is also complex math, but pretty much everyone is trusting this math and has likely never tried to do it by hand. That's also a mathematical proof, although the assumptions being made that it cannot be faked are vastly different.

Maybe I should have mentioned that "bulletproof" is a proving scheme that comes from academic cryptographers, just like the SHA256, ECDSA and Schnorr signatures used by Bitcoin. It's not a Monero-specific protocol, although Monero is likely its biggest user. It gets the same scrutiny from bright and smart people.

At best we could argue that zero knowledge proofs are younger than the other cryptographic primitives I mentioned, and we might want to wait to see if new schemes can offer different speed or proof size. But I believe the fear of them is largely unfounded now.

Anyway, as I said, I'm not a zero-knowledge maximalist. They are a means to an end, and the end is large anonymity sets, making multiple users indistinguishable from one another. Maybe we could manage to reach that end differently. But in our search for solutions, it would be a shame not to take into consideration the track record that some of them already have.
 You pretty much get it. It's the fact that zero knowledge proofs are younger.

I also do think a lot about how a privacy token could work while having verifiable supply. The best option I've thought of so far would work like this:

There are no UTXOs, every unit of the currency has a keypair.

Every time there's a new block, every keypair changes based on seeds.

To send a transaction, you say to a network node "here's an encrypted message with moneys in it for a certain pubkey"

To confirm a transaction, the recipient says to the network "here are some moneys and their old keys and some new keys for them to change to" 

To retain anonymity, the sender and recipient can also listen for other network nodes sending the same kind of messages, and they can all mix in fake spam messages without blocking each other for it, within reason. You can also just pay a transaction fee to manually cycle your seeds now and then, or to cycle additional seeds other than the ones you're sending or receiving every time you send or receive any.

I'm kinda retarded and sometimes miss obvious flaws in my ideas but I'm pretty sure this would work or is close to something that would 
 I should clarify: this should result in the network easily knowing what units of currency there are, with chainalysis being much more difficult to perform / easier to evade compared to Bitcoin - anonymity still wouldn't be a blanket guarantee, if I'm wrapping my head around my own idea correctly  
 This is also my first time writing it all down so I might be missing parts of my thoughts. Like I just realized I'm pretty sure the point of having keypairs cycle based on seeds was to let partial chunks of the network operate in isolation e.g. your home server saying "leave verifying these keys up to me and those I transact with" and then staying connected to the network constantly cycling all its seeds without transaction fees and without the network knowing which ones are for new transactions and which ones aren't. 
 Also to be clear this wouldn't be a free lunch, the constant connection to the network would be used for the network's functionality instead of paying fees. 
 It is not plausible to suggest zero knowledge proofs are unreliable because "they are younger".
They've been around since the 80s and are well understood.

People have been talking about adding them to bitcoin since forever. I'm not aware of *anyone* who is opposed because they're skeptical of their mathematical properties.

Here is Hal discussing them back in the day.
https://cointelegraph.com/news/bitcoin-pioneer-hal-finney-talks-zero-knowledge-proofs-newly-surfaced-video 
 Zero knowledge proofs in the context of cryptocurrency have been much less tested than the cryptographic signatures and other complex components of Bitcoin. I don't know why I keep having to explain this in different words here. Both Bitcoin and Monero have complex components that most users can't be expected to understand directly, but with Bitcoin those components were broken and fixed in World War 2 and with Monero those components are being tested for the first time.
 By the way, I think most users can and should read about the basic premises of public-key cryptography and zero-knowledge proofs. But most users might not ever have any idea how to sign a Bitcoin transaction or verify a Monero wallet amount by hand without having software handle it for them. 
 This is just incorrect.
ECDSA was not standardized until 2005.

Relying on ECDSA without question but being suspicious of Pedersen commitments is weird and arbitrary.
 I have zero logical room for doubt that if the cryptography in Bitcoin can be broken by human efforts, it will be. I'd bet the network could survive by freezing and reverting to a previous block and continuing under an updated version of the protocol with different cryptographic standards.

In the meantime, Bitcoin supply is verifiable. A layman can access overwhelming proof that Bitcoin's available on-chain supply is what it's supposed to be, instead of relying on blind hope that the experts know what they're doing.

I don't know why you're refusing to recognize this.

If Monero's supply is perfectly verifiable to the experts out there, I am still waiting for an understandable explanation of how, and so are many other Monero users. 
 Their own website says that they can’t guarantee supply soundness so https://image.nostr.build/02a38bdb827adaa58098d3b48f9b5d3087cf5725be91be02028c249effc61e4b.jpg  
 Adding this to my wiki page on Monero 🤙 
 You can't revert without screwing over all the users who just gave away products/services for fake Bitcoin that would go poof. That happens to your blockchain even if it's transparent anyway. 

Bitcoin is verifiable with "napkin math", but we both know you are never going to do that for billions of transactions.
You simply run a node like any Monero user would (if you are in the tiny fraction that even runs a node) and "blindly trust".

For that "advantage" that almost no one takes advantage of (no pun intended) you lose fungibility, privacy, targeted-censorship resistance, etc. Cool.

Here you go. Should take all of five minutes for you to understand what Pedersen commitments are and the math behind them. Can't dumb it down more than this, and we're not going to spoonfeed you just because you're too lazy to learn high school level math.

https://docs.grin.mw/wiki/miscellaneous/switch-commitments/ 
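An added worked example, written for this page and not code from any participant in the thread, from Grin or from Monero: Pedersen commitments on secp256k1 with a Mimblewimble-style balance check, which is the mechanism the post above points the reader to. The commitment convention C = value*H + blind*G follows Grin's wiki; the second generator H, the label used to derive it, the kernel message and the sample amounts are assumptions of this example. Hiding comes from the random blinding factor; binding, and therefore supply soundness, rests on nobody knowing the discrete log of H with respect to G.

```python
"""Pedersen commitments and a Mimblewimble-style balance check on secp256k1 (pure Python 3.8+)."""
import hashlib
import secrets

# secp256k1 domain parameters (the curve Bitcoin itself uses).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity (group identity)

def add(a, b):
    """Affine point addition; covers doubling, inverses and the identity."""
    if a is INF:
        return b
    if b is INF:
        return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return INF
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication (scalars live mod N)."""
    k %= N
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def neg(pt):
    return INF if pt is INF else (pt[0], (-pt[1]) % P)

def nums_point(label):
    """Second generator with unknown discrete log w.r.t. G: hash to an x-coordinate
    and lift it (P % 4 == 3). Label and method are this example's assumption."""
    x = int.from_bytes(hashlib.sha256(label).digest(), "big") % P
    while True:
        rhs = (pow(x, 3, P) + 7) % P
        y = pow(rhs, (P + 1) // 4, P)
        if y * y % P == rhs:
            return (x, y)
        x = (x + 1) % P

H = nums_point(b"pedersen-example-H")

def commit(value, blind):
    """Pedersen commitment C = value*H + blind*G (Grin/Mimblewimble convention)."""
    return add(mul(value, H), mul(blind, G))

def challenge(R, pub, msg):
    enc = lambda p: p[0].to_bytes(32, "big") + p[1].to_bytes(32, "big")
    return int.from_bytes(hashlib.sha256(enc(R) + enc(pub) + msg).digest(), "big") % N

def sign_excess(excess_blind, msg):
    """Schnorr proof that the prover knows the G-discrete-log of the kernel excess."""
    k = secrets.randbelow(N - 1) + 1
    R = mul(k, G)
    e = challenge(R, mul(excess_blind, G), msg)
    return (R, (k + e * excess_blind) % N)

def verify_excess(excess, sig, msg):
    R, s = sig
    if excess is INF or R is INF:
        return False
    return mul(s, G) == add(R, mul(challenge(R, excess, msg), excess))

def build_tx(in_values, out_values, fee, msg=b"constructed kernel"):
    """Prover side: commit to each input/output, then sign the kernel excess."""
    ins = [(v, secrets.randbelow(N)) for v in in_values]
    outs = [(v, secrets.randbelow(N)) for v in out_values]
    excess_blind = (sum(r for _, r in ins) - sum(r for _, r in outs)) % N
    return {"inputs": [commit(v, r) for v, r in ins],
            "outputs": [commit(v, r) for v, r in outs],
            "fee": fee, "kernel": sign_excess(excess_blind, msg), "msg": msg}

def verify_tx(tx):
    """Verifier side: sees commitments only. sum(in) - sum(out) - fee*H must be a
    pure multiple of G (proved by the kernel signature); a hidden value imbalance
    leaves an H component and the signature fails."""
    total = INF
    for c in tx["inputs"]:
        total = add(total, c)
    for c in tx["outputs"]:
        total = add(total, neg(c))
    total = add(total, neg(mul(tx["fee"], H)))
    return verify_excess(total, tx["kernel"], tx["msg"])

if __name__ == "__main__":
    print("balanced:", verify_tx(build_tx([10, 5], [12], fee=3)))  # True
    print("inflated:", verify_tx(build_tx([10], [12], fee=0)))     # False
```

Running it, the transaction spending 15 into 12 plus a fee of 3 verifies, while the one paying out 12 from an input of 10 does not, and the verifier learned none of the amounts. One thing the balance check alone does not cover: values are scalars mod N, so an output of N - 1 behaves like -1 and a transaction paying 11 and N - 1 out of 10 still balances. That gap is exactly what range proofs such as the Bulletproofs mentioned earlier in the thread close, which is why supply soundness in a commitment-based coin depends on both the balance check and the range proof.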
 Got better things to do than expect that link to have useful information, sorry. If you have an explanation, you're free to explain it. 
 And if you can't explain it, I won't believe you're lying, I will just continue to operate on the assumption that you could be. If that upsets you, you basically just need to chill. 
 You got better things to do...that's why you're replying to anons on Nostr for the past few days but can't skim a brief introduction on commitments for a couple minutes. Suuuuure lol.

No one is upset. You didn't address anything else I said because you can't.

If you can't click a link that's your own willful ignorance. I really don't care if you do or don't. 
 You just got very confused very quickly. Sorry about your brain issues, good luck.