# Pastebin NGTQdhT4

---
layout: post
title: About Monero's supply auditability
summary: Information on supply auditing and how it relates to computational hardness assumptions and tradeoffs
tags: [announcements]
author: ...
---

We often hear questions and concerns about the topic of supply auditing, and how it applies to different projects. This post is intended to briefly and informally discuss the practical tradeoffs that projects make in their designs as they apply to the soundness of supply. It intentionally glosses over some technical details that, while important and subtle, may serve to muddy the waters for many readers.

Let's define what we might mean by supply auditing and soundness. When the term is used, it is often left undefined in a way that doesn't help the discussion. For some people, it might mean that in any particular transaction, you can see the amounts being used and do simple arithmetic to convince yourself that no new assets were created in an attempt to game the supply. Transparent assets like Bitcoin or Ethereum do this; look at any transaction in a block explorer, and you'll see the amounts consumed and generated.

This approach is a design choice, and it has tradeoffs. As has been debated endlessly in blog posts, academic papers, and conferences, you might not want the amounts involved in your transactions to be visible to the entire world. This could lead to personal risk, but it also reduces the fungibility of the asset and can enable all sorts of adversarial heuristics. Transparent amounts, even when denominated, can be detrimental to privacy.

Other projects make different design choices intentionally. In assets that focus more heavily on fungibility, amounts are not presented in the clear. Take popular projects like Monero or (shielded) Zcash, for example. In these projects, amounts are hidden using cryptographic structures called Pedersen commitments.
To show that a transaction balances, the sender generates a signature or proof that uses clever (but well-understood) arithmetic on these hidden amounts to demonstrate to the network that no new assets were created. The benefit is indistinguishability, which helps fungibility, security, and privacy.

So where's the tradeoff? The sender's signature or proof shows that it can reconstruct the hidden amounts, which should only be mathematically possible if they properly balance. However, Pedersen commitments are only computationally binding; this means that, given effectively infinite computing power, an all-powerful adversary could attempt to find a way to represent a different amount in a transaction that appears the same once it's hidden. If this were possible, a transaction would appear to balance but use unexpected amounts that the network can't see.

Is this a practical risk? To put it very bluntly, no. The computational complexity required to pull off such a stunt (barring an arguably far-off breakthrough that would break the entire internet's security) is absurdly high, on the time scale of the universe. And such an all-powerful adversary could just as easily break other computational hardness problems, like reconstructing private keys in assets like Bitcoin. There are many, many cryptographic constructions with similar computational hardness requirements that are guaranteed with _extremely_ high probability. Pedersen commitments are not unique in this regard.

It's far more likely that a consensus or implementation bug would plague a project than that an adversary with world-ending computational power would break a hardness assumption. These bugs are real concerns and have happened before in Monero, Zcash, Bitcoin, and other assets. Transparent coins are still susceptible to implementation bugs.
Audits and peer review are extremely important to help reduce the chance of these, but these implementation risks are greater than the risk of someone breaking soundness.

https://i.imgur.com/G1Sz9T1.png

There are tradeoffs inherent in supply-audit design choices. You can choose to represent amounts in the clear, like Bitcoin does: you can be sure that the supply is what you expect it to be, but you sacrifice fungibility and could expose users to personal risk. Or you can choose to hide amounts like (shielded) Zcash or Monero do: you improve privacy and fungibility, but at the negligible risk of offloading supply guarantees to well-understood cryptographic hardness assumptions.

If your personal use case requires an absolute, 100%, no-holds-barred guarantee of supply, and you understand the risks inherent in this, then you need a transparent asset. But if you want to mitigate the risks associated with visible amounts, and are willing to accept cryptographic hardness assumptions that will hold much longer than you and your descendants will be around, then choose an asset focused on privacy and fungibility.
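As an added illustration (not code from the original post or from Monero), here is a toy Pedersen commitment over a small prime-order subgroup showing the balance check the network performs and why "computationally binding" matters: the tiny group, the hash-derived second generator, and the revealed blinding difference are assumptions for illustration only, since Monero uses elliptic-curve points and proves the difference with a signature instead of revealing it.

```python
import hashlib
import secrets
# Toy Schnorr-style group: P = 2*Q + 1 with both prime, so the squares mod P form
# a subgroup of prime order Q. Constants are tiny (assumption for illustration
# only); real systems use an elliptic curve such as ed25519.
P, Q = 2039, 1019
G = 4  # 2^2 is a square, hence has order Q

def hash_to_group(label: bytes) -> int:
    """Second generator H derived by hashing so nobody knows log_G(H)."""
    ctr = 0
    while True:
        d = hashlib.sha256(label + ctr.to_bytes(4, "big")).digest()
        h = pow(int.from_bytes(d, "big") % P, 2, P)  # square into the subgroup
        if h > 1:
            return h
        ctr += 1

H = hash_to_group(b"pedersen-second-generator")

def commit(value: int, blinding: int, h: int = H) -> int:
    """Pedersen commitment C = G^value * h^blinding (mod P); hides value."""
    return pow(G, value, P) * pow(h, blinding, P) % P

def balances(ins, outs, blinding_delta, h=H) -> bool:
    """Verifier: prod(inputs) / prod(outputs) must be a commitment to zero.
    Only blinding_delta = sum(r_in) - sum(r_out) is revealed, never the amounts."""
    acc = 1
    for c in ins:
        acc = acc * c % P
    for c in outs:
        acc = acc * pow(c, -1, P) % P
    return acc == pow(h, blinding_delta % Q, P)

def honest_check(out_a: int, out_b: int) -> bool:
    """Spend a hidden 70 into two hidden outputs; True only if they sum to 70."""
    r = [secrets.randbelow(Q) for _ in range(3)]
    ins = [commit(70, r[0])]
    outs = [commit(out_a, r[1]), commit(out_b, r[2])]
    return balances(ins, outs, r[0] - r[1] - r[2])

def trapdoor_breaks_binding(x: int = 123) -> bool:
    """Binding is only computational: if H = G^x and x is known, one commitment
    opens to two values, so 70 in / 1000 out passes. Hash-derived H needs log_G(H)."""
    h_bad = pow(G, x, P)
    c = commit(70, 5, h_bad)
    r_fake = ((70 - 1000) * pow(x, -1, Q) + 5) % Q   # solve 70 + 5x = 1000 + x*r'
    c2 = commit(1000, r_fake, h_bad)
    return c2 == c and balances([c], [c2], 0, h_bad)
```

With the hash-derived H, the only route to a bogus opening is the discrete log of H, which is the hardness assumption the post describes.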