Can someone with some developer brains compare the https://zcoin.io/get-zcoin/ implementation of zerocoin with the ANC (Anoncoin) zerocoin work? It looks like the zerocoin content could be downloaded from github.com and added to ANC to create a hardfork:
https://github.com/Anoncoin/anoncoin.
ANC has the added benefit of having an integrated i2p tunnel. With my limited coding knowledge I've just gone through a bit of code and it looks very similar to ANC. I can't be the only one to have seen this? I'll get on irc2p and talk over the code. If this is the case, there is no need to crowdfund the zerocoin elements, but rather to fund the integration of this existing zerocoin code into the ANC system. I'm struggling to see how it's much different from a cut and paste. Okay, that's a bit exaggerated, but surely there must be a developer able to do this?
The Zcoin implementation of zerocoin is done using a trusted source for the accumulator, namely RSA-2048. The RSA-2048 number was created by RSA Laboratories in March 1991 to encourage research into computational number theory and the practical difficulty of factoring large integers. It was thus created by a company incorporated in the USA, and this company is thus to be trusted not to have kept the original two prime factors. Because we cannot trust this company not to have kept the factors, it is to be assumed that this company or its employees can forge fake zcoins at will, which can be done easily when the factors are known. Furthermore, they badly coded their zerocoin implementation, with a typo that allowed spent zerocoins to be reused. In this way Zcoin suffered a heist in February of 370,000 zcoin, worth about $2,600,000 now.
The Anoncoin implementation of zerocoin aims to use RSA-UFOs as trustless accumulators. In contrast, RSA-2048 or a multiparty computation both involve different degrees of trust. In a similar way to what happened with Zcoin, if some entity knows the prime factors, they can then generate an infinite amount of zerocoin with fake zero-knowledge proofs.
Hopefully, Sander gave a way to generate semiprime numbers with a certain degree of certainty in a trustless way using an algorithm. Those numbers are called RSA-UFOs, for generalised RSA moduli of Unknown complete Factorisation. It is important to note that this work by Sander is superior to secure multiparty computation protocols. Indeed, if MPC is employed during system setup, colluding members could recover P and Q, and thus the problem of someone who knows the trapdoor also remains in the distributed setting. In contrast, nobody knows the complete factorisation of the RSA-UFO, thus the problem of the trapdoor is resolved with this setup for the accumulator.
Gnosis implemented a function so that on startup all Anoncoin wallet software deterministically generates the same 16 raw UFOs using SHA-256 hashing of the numbers 0-15. This being done, people from the Anoncoin community brute forced those numbers for 75 days using the Elliptic Curve Method of factorization to remove the small factors up to 165 bits. If the RSA-UFO bit length after division by small factors is lower than 3456, the RSA-UFO was unfit for the security level we wanted, because it would have been possible to use the General Number Field Sieve (GNFS) to factor it. It was shown by Monte-Carlo simulation that with this minimum number of 3456 bits the RSA-UFO was unfactorable with a certainty of 80%. By using 13 such RSA-UFOs, with only one of them needing to be secure, and the zerocoin having to be accumulated in all of them, the probability of all of them being insecure is 0.2^13 = 0.0000000008192, ~1 in 1 billion.
So the procedure to generate the complete RSA-UFOs is 1) create the 13 "raw" UFOs by hashing, and 2) divide out the small factors found in the UFO project. This is performed not only by the UFO clients and server, but will also be performed on startup by all Anoncoin wallet software. This is the trustless way to zerocoin we want to finalize in Anoncoin. In this way, the security will resist extremely powerful attackers able to remove factors by the Elliptic Curve Method (ECM) up to 768 bits and able to factor numbers up to 2048 bits using the General Number Field Sieve (GNFS). This is far beyond what anybody is likely to be able to do for many decades.
To summarize, the difference between zerocoin-in-Anoncoin and zerocoin-in-Zcoin is that the latter is using a trusted accumulator. For Zcoin and Zcash, even using MPC, no amount of studying the source code will tell you if the master key was destroyed as it's supposed to be. Nobody can be sure. In contrast, studying the source of Anoncoin (and the relevant papers on the crypto, and the RSA-UFO wiki page) enables people to verify that there are no backdoors. This is why Anoncoin aims to use such a trustless solution. This, combined with the only implementation of I2P-SAM in the wallet of any coin, development of the C++ i2p router i2pd with orignal, and cooperation with services such as exchanged.i2p, leads us to be the best trustless anonymous coin on the market.
CS
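The two points made in the post above, trapdoor forgery against a trusted-setup RSA accumulator and the hash-derived raw UFO with its small factors stripped, as a toy worked example. This is added code, not Anoncoin's or Zcoin's, and it assumes: toy-sized parameters (two Mersenne primes for the trusted setup, 256-bit raw UFOs), trial division in place of ECM, a 200-bit threshold in place of 3456 bits, and an illustrative SHA-256(index || counter) expansion, since the post does not say how each of the 16 raw UFOs is widened beyond a single 256-bit digest. All function and constant names are the example's own.

```python
# Added example, not Anoncoin or Zcoin code. Toy-scale; see the lead-in for assumptions.
import hashlib
import math

# ---------- Part 1: a trusted-setup RSA accumulator and its trapdoor ----------

# Stand-in for the "RSA Laboratories" role: N is public, phi(N) is the trapdoor.
# Two Mersenne primes (assumption: toy size) give a known-good modulus without a primality test.
P, Q = 2**61 - 1, 2**89 - 1
N, PHI = P * Q, (P - 1) * (Q - 1)
G = 3  # public generator

def accumulate(N, g, elements):
    """acc = g^(product of elements) mod N; elements are the primes encoding coins."""
    acc = g
    for e in elements:
        acc = pow(acc, e, N)
    return acc

def honest_witness(N, g, elements, target):
    """Anyone can build the witness for a member: g^(product of the other elements)."""
    w = g
    for e in elements:
        if e != target:
            w = pow(w, e, N)
    return w

def verify(N, acc, target, w):
    return pow(w, target, N) == acc

def forge_witness(N, phi, acc, target):
    """Trapdoor forgery: w = acc^(target^-1 mod phi), so w^target == acc for ANY
    target coprime to phi(N), whether or not it was ever accumulated."""
    if math.gcd(target, phi) != 1:
        raise ValueError("target must be coprime to phi(N)")
    return pow(acc, pow(target, -1, phi), N)

def demo_trapdoor():
    """Returns (honest_ok, forged_ok, forged_target)."""
    members = [5, 7, 11]
    acc = accumulate(N, G, members)
    honest_ok = verify(N, acc, 7, honest_witness(N, G, members, 7))
    # a prime that was never accumulated (must be coprime to phi for the inverse to exist)
    target = next(t for t in (13, 17, 19, 23, 29, 31, 37, 41, 43, 47)
                  if math.gcd(t, PHI) == 1)
    forged_ok = verify(N, acc, target, forge_witness(N, PHI, acc, target))
    return honest_ok, forged_ok, target

# ---------- Part 2: trustless "raw UFO" from public hashes ----------

def raw_ufo(index, bits=256):
    """Deterministic raw UFO: concatenate SHA-256(index || counter) digests until
    `bits` bits are filled. Assumption: the post only says the raw UFOs come from
    SHA-256 of 0-15; this expansion layout is illustrative, not the project's."""
    out = b""
    counter = 0
    while len(out) * 8 < bits:
        out += hashlib.sha256(index.to_bytes(4, "big") + counter.to_bytes(4, "big")).digest()
        counter += 1
    return int.from_bytes(out[: bits // 8], "big")

def strip_small_factors(n, bound):
    """Remove every prime factor below `bound` (trial division stands in for ECM).
    Returns (cofactor, removed factors); cofactor * prod(removed) == original n."""
    removed = []
    p = 2
    while p < bound and p * p <= n:
        while n % p == 0:
            n //= p
            removed.append(p)
        p += 1 if p == 2 else 2
    return n, removed

def usable_ufos(count=16, bits=256, small_bound=1 << 16, min_bits=200):
    """(index, cofactor) of raw UFOs whose cofactor still meets min_bits after
    stripping; toy analogue of the 3456-bit check described in the post."""
    good = []
    for i in range(count):
        cof, _ = strip_small_factors(raw_ufo(i, bits), small_bound)
        if cof.bit_length() >= min_bits:
            good.append((i, cof))
    return good

def prob_all_insecure(p_single, k):
    """Only one of k independent UFOs needs to be secure."""
    return p_single ** k

if __name__ == "__main__":
    print("honest witness / forged witness verify:", demo_trapdoor()[:2])
    print("usable toy UFOs:", [i for i, _ in usable_ufos()])
    print("P(all 13 insecure) =", prob_all_insecure(0.2, 13))
```

The forgery in Part 1 needs nothing but phi(N): that is exactly what a party who kept the factors of RSA-2048 holds, and it is why no audit of the wallet source can rule it out. In Part 2 nobody ever holds a factorisation; the only checks that matter are that everyone derives the same raw number from public inputs and that enough bits survive the small-factor stripping.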