Sun Nov 22, 2015 11:49 am

1. Why use Monero instead of Bitcoin? Bitcoin is much more accepted and liquid.

2. Why use Monero instead of Dash or Zerocoin/Zerocash? Aren't they just as private?

3. When will my grandma be able to use Monero?

Why does it have to be one or the other? Services like ShapeShift and xmr.to already provide low-cost, low-slippage rails between the two, and sidechain-like pegs will allow for even more fluidity between cryptocurrencies. Bitcoin isn't going away, and neither is Monero, so it's important to figure out which is good for particular purposes.

Whilst not wanting to turn this into a this-currency-vs-that-currency debate, I will answer this, as I think it's important to understand the proverbial lay of the land.

Designing a cryptographically sound solution to a privacy problem is seriously difficult. As Greg Maxwell puts it, "information wants to be free", and the weakness will always be the human element. The more heavily reliant your scheme is on the opsec of participants, the more prone to leaks it will be. Coupled with this is the problem of "thinking adversarially", which is something that goes deeply against our human nature. To illustrate how flawed our human reasoning is when we try to think adversarially: if a Bitcoin node can only connect to 8 peers, how many of those have to be honest for the node to determine which ones are dishonest? As a human you might reason "well, if 4 are honest, and 4 are dishonest but telling the same lie, it can't tell which is honest, so the answer has to be 5". Or maybe you'd reason that dishonest peers will mostly be telling different lies, so if at least 2 agree then they must be the honest ones...right? The actual answer is 1. It only needs 1 honest peer to be able to determine that the rest are dishonest. This is because it follows the "longest chain with valid PoW" rule, and can rule out all other nodes as offering dishonest chains. Now knowing that most of us are so incapable of designing such an elegant solution, and our minds resort to broken and hacky things like "voting", we should immediately be suspicious of any and all new systems and schemes. This is especially true where they are promising something as sensitive as privacy, and where there is money to be made (pretty much unique to altcoins; no new open-source reverse proxy or database or other project has the potential to make money for its creator).

Dash fails because, as djb describes in this excellent recent article, they have an "attacker economist" approach. In other words, instead of purposely designing their systems to be cryptographically sound so that the "attacker will definitely fail" or the "attacker will probably fail", they instead (unwittingly?) design it so that "the attacker's expected cost of carrying out an attack exceeds the attacker's expected benefit from doing so." The unfortunate knock-on effect is that such an approach only works like that for a limited time...as the value of the cryptocurrency grows, so does the level of sophistication of the attackers that find it an interesting target. Trying to solve the privacy problems in a way that relies on the honesty and opsec of a small group of individuals is simply privacy theatre, no different from those that claim that Bitcoin is private as long as there's no address reuse.

On the other end of the scale is ZeroCoin, which is about as sophisticated as you can get, and in my opinion represents the future of cryptocurrency systems. In fact, its sophistication is also its largest problem: the cryptography behind it needs a significant amount of peer review, and the implementation needs a significant amount of vetting, else you may end up with an exploitable bug where someone can double spend, or create a large number of coins, and nobody will be able to see it. In my mind I would need to give it 20-30 years before I could trust it with my livelihood.

I'm intensely interested in the user experience, and in marrying something that is secure and cryptographically sound to an interface that is intuitive and rich. However, I also realise that this will likely require some security and privacy compromises. For example: when you use Monero you get a 25 word mnemonic that is your backup key for your wallet. Since 25 words might seem daunting for a "grandma-grade" product, a very simple Monero interface might eschew that for a shorter mnemonic, which is what MyMonero does. This is a compromise, as the shorter mnemonic is "less secure" (128-bit vs. the 256-bit entropy of the 25 word mnemonic), but that sort of compromise is just fine for 99% of the user base. As long as the remaining 1% can flip a switch and work with a longer mnemonic, or even work without a mnemonic at all (randomly generated private keys instead of deterministically generated), that is a compromise that can be made.

To get Monero to grandma levels of usability is going to take a monumental amount of effort, and it will have to be done in a way that doesn't alienate or preclude our power-users...but I believe it is doable, and I believe that Monero can only be of benefit if it becomes useful and used by as many people as possible, even if they're using it for other privacy-related means and not as a cryptocurrency.
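The "1 honest peer out of 8" argument in the post, as an added toy simulation (not Bitcoin's code, and not from the post's author): a node that verifies proof-of-work and follows the heaviest valid chain picks the lone honest peer over seven peers repeating the same forged, longer chain, while a "majority vote" rule believes the liars. The difficulty target, block format and peer names are constructed for this example.

```python
"""Verification beats voting: one honest peer suffices when the node checks PoW itself."""
import hashlib
from collections import Counter

DIFFICULTY = 2 ** 242  # constructed toy target: a hash is valid PoW when below this
GENESIS = "0" * 64

def block_hash(prev: str, payload: str, nonce: int) -> int:
    return int(hashlib.sha256(f"{prev}|{payload}|{nonce}".encode()).hexdigest(), 16)

def head(chain: list) -> str:
    """Hex hash of the chain tip, or the genesis marker for an empty chain."""
    if not chain:
        return GENESIS
    b = chain[-1]
    return format(block_hash(b["prev"], b["payload"], b["nonce"]), "064x")

def mine_block(prev: str, payload: str) -> dict:
    """Honest miner: grind nonces until the hash meets the target."""
    nonce = 0
    while block_hash(prev, payload, nonce) >= DIFFICULTY:
        nonce += 1
    return {"prev": prev, "payload": payload, "nonce": nonce}

def forge_block(prev: str, payload: str) -> dict:
    """Dishonest peer: asserts a block without doing the work. Modelled as the first
    nonce whose hash misses the target, so the forgery is never accidentally valid."""
    nonce = 0
    while block_hash(prev, payload, nonce) < DIFFICULTY:
        nonce += 1
    return {"prev": prev, "payload": payload, "nonce": nonce}

def build_chain(make_block, payloads: list) -> list:
    chain = []
    for p in payloads:
        chain.append(make_block(head(chain), p))  # links to the previous tip
    return chain

def valid_work(chain: list) -> int:
    """Count of correctly linked blocks with valid PoW; 0 as soon as any check fails."""
    prev = GENESIS
    for b in chain:
        h = block_hash(b["prev"], b["payload"], b["nonce"])
        if b["prev"] != prev or h >= DIFFICULTY:
            return 0
        prev = format(h, "064x")
    return len(chain)

def choose_by_work(offers: dict) -> str:
    """The post's rule: follow the peer whose chain carries the most verified work."""
    return max(offers, key=lambda peer: valid_work(offers[peer]))

def choose_by_vote(offers: dict) -> str:
    """The intuitive 'voting' rule the post warns against: believe the most-repeated tip."""
    return Counter(head(c) for c in offers.values()).most_common(1)[0][0]

def simulate(liars: int = 7) -> dict:
    honest = build_chain(mine_block, ["tx-a", "tx-b", "tx-c"])
    lie = build_chain(forge_block, ["tx-a", "double-spend", "x", "y"])  # longer, same lie from all liars
    offers = {"peer-0": honest, **{f"peer-{i}": lie for i in range(1, liars + 1)}}
    return {"work_winner": choose_by_work(offers), "vote_tip": choose_by_vote(offers),
            "honest_tip": head(honest), "lie_tip": head(lie)}
```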