The codebase was mostly fine (except for the crippled miner and the stripped comments) but the CryptoNote reference project itself was also launched by scammers

So I heard Mimblewimble attack deanonymized Grin 96% a couple years ago, but maybe this fixes it? forum.grin.mw/t/mimblewimble-coinswap-proposal/8322

Has anyone looked at viability of MimbleWimble for privacy and anonymity given these developments?

lumberjack: I'm not extremely confident it's useful. As I understand how that works, someone watching the blockchain like a hawk could still deanonymize a shit ton of stuff. (Maybe my understanding is flawed, though.)

apotheon: How would they deanonymize via blockchain analysis?

looks like it racks up a lot of txn fees to perform

Hyc: how would mining and block rewards work on a distant planet that was atomic swapping back to the Monero earth chain? Split the 0.6xmr block reward between the two chains or create additional supply?

so, in theory, you could take a wallet with seedphrase X, and use it. And then create a "new" wallet by restoring with seedphrase X and offset Y, and use it. And then create another "new" wallet with seedphrase X, and offset W....

selsta: no, CryptoNote itself was the scam, they launched Bytecoin and a number of other forks in an attempt to establish legitimacy. Probably worth reading the seminal topic on it: bitcointalk.org/index.php?topic=740112.0

fluffypony: yea I did read that some time ago

selsta: 100% - I do think the CN whitepaper is sound, and there are some aspects of the codebase that weren't horrible, but it's pretty egregious that they stripped out all the comments

2014 / 2015 was a rough time for us and the codebase 😆

does someone want to explain to me how i sign with z ? From the zero commitments ?

let the commitments to zero be done in the MLSAG, page 32. section 3.5 . I get that with alpha_j i am seeding the ring. And then i close the ring at that instance with r = alpha - (c_pi * k_pi,j).

i know z = (x_j - x'_j) . C_a - C'_a = zG .

c_(π+1) = H_n(m, [α_1 G], [α_1 H_p(K_π,1)], ? [z_1G] ?

is it ? [z_1G] ? but then how do i close it ?

lumberjack: I think I made a mistake in my take yesterday. It does seem like it could work -- as long as nobody cares about timely transactions, or is willing to accept absurdly high fees, or mines. I might easily still be misunderstanding something, but it looks like one of those three things has to (mostly) be true for it to work. I'm just not sure, though. That's my impression without

putting a lot more time into thinking about it, at least.

err, "as long as nobody cares about timely transactions, or *everyone* is willing to accept absurdly high fines, or *everyone* mines"

slight correction, there

garth: I think hyc's thesis on something like that would be "you need separate regional/planetary blockchains and a bridge between them for slower cross-chain transactions".

apotheon: Hmm is there an estimate transactions per second listed for the new scheme? What would fees be like?

lumberjack123: The proposed solution seems (to me) to be to either complete transactions very slowly (thus allowing time to resolve a lot of self-spends) or at great cost (by packing all this stuff into a very short time with extremely high block mining rates).

. . . or, possibly, just allowing people who pay extremely high fees to complete transactions sooner and others "some day".

That doesn’t answer my question