Thanks Mr. Big. And to the other posters. I know very little about Bitcoin but I am learning day to day. One thing that I learned just now: bigger brains than I have thought long and hard about the anonymity problem, and have come to the same conclusion as some of the other posters in this thread and that is: (1) you cannot trust (or rather you have to trust, which is the problem) a central banker or central depository, and, (2) "washing works".
Re (1) a central banker: the thinking is that you have to trust a person to try to preserve your identity if you go to an exchange like LBC or Coinbase, or use an escrow middleman, like the guys who offer to accept cash and give you bitcoin (some of the escrow middlemen claim they don't keep logs of transactions for very long, but you have to take their word for it). In fact, you have to trust somebody for any transaction short of mining bitcoin yourself or finding a stranger who happens to want to trade their bitcoins for cash and manually transferring your bitcoin (all the while using Tor while you email the stranger, and wearing dark sunglasses and a fake wig at the cafe); you have to disclose your real identity in most places. Even if you don't disclose your identity, your internet address can be found and correlated to your purchase of bitcoin, which can be used to track you down (unless you are using a public internet access point, or Tor, or your friend's ISP), unless you break the link (wash coins). Hence, re (2), "washing works", as in the Zerocoin proposal, excerpted below, and many of the anonymity schemes for new cryptocoins take this approach.
So to take my original example that started this thread: suppose I set up an account with Coinbase, which insists on knowing my real identity. I buy bitcoin. I then go to some web host provider that accepts bitcoin, let's say it's GoDaddy just for argument's sake, and I buy a WordPress-ready website in bitcoin using a fake name. The very next day after I set up my website, PapuaNew_GuineaCorruption.com, I get sued for defamation by a plaintiff from PNG. The plaintiff would find out from GoDaddy that I paid in bitcoin, and, if the transaction is logged, which it surely is by GoDaddy, they would find out it came from Coinbase, and then Coinbase would tell the plaintiff my identity when served with either a court order, or, if they're really lame, a threatening letter from the plaintiff's lawyer. But to prevent this, if I can wash the coins from Coinbase, I am immune from a lawsuit. So I have to find a mixer, call it Blockchain.info, that I will park my bitcoins into between Coinbase and GoDaddy. But even the mixer could in theory be forced to disclose my identity, since I bet most mixers have a "Know Your Customer" policy like Coinbase does. So what prevents a lawsuit? Simply the passage of time, it seems to me, given the nature of bitcoin and the 'permanent block chain recording of public transactions'.
More on this: if enough time passes at the mixing service Blockchain.info, then when they get a subpoena from the plaintiff, they can truthfully say that they don't know what my Coinbase bitcoin got turned into (that is, what bitcoin I got back for the bitcoin I turned into at Blockchain.info, that I later used to set up the website at GoDaddy), so the link between GoDaddy and Coinbase is broken. Put another way: if there's no log at Blockchain.info, the bitcoin used to set up the GoDaddy website in fact came from not me but some random person that also subscribes to Blockchain.info, and if the plaintiff tries to pursue them, they will be chasing a red herring and a dead end.
So what's the necessary passage of time needed for anonymity at Blockchain.info? Googling this, it turns out to be eight hours (but you have to trust that Blockchain.info follows their stated business practices, and deletes their logs every eight hours on a rotating basis, which seems reasonable but just saying). Further of interest, note the Forbes article passage below that quotes a lawyer saying that technically joining LocalBitcoins is a money laundering offense, though it also seems like FUD by the lawyer.
TonyT
(http://www.forbes.com/sites/jonmatonis/2013/06/05/the-politics-of-bitcoin-mixing-services/ ("The largest such service operating today is the Blockchain.info mixing service which has a maximum transaction size of 250 bitcoins and a 0.5% transaction fee. Transaction logs are removed after eight hours and customers can use the taint analysis tool to verify that coins were properly mixed. ... Also, in-person exchange LocalBitcoins.com could act as a pure person-to-person mixing service for bitcoin users that meet in designated places like cafés. Personal mixing has the additional benefit of introducing plausible deniability into the entire bitcoin ecosystem because the coins cease becoming provably yours at that point. After seeing the LocalBitcoins selling-for-cash section in the U.S., Carol Van Cleef, a partner in Patton Boggs’ banking practice and adviser on anti-money laundering policies, ominously warned, “You better get yourself registered, or you better get your name off the list real fast.”)
from a bitcointalk thread...
(text below copied from http://pastebin.com/Dd60ZaT7)
Summary transcript of Matthew Green's talk about Zerocoin/Zerocash at the Real World Crypto 2014 from Soundcloud:
https://soundcloud.com/rdlmitedu/140113_0001-wav
* Bitcoin may not be particularly anonymous
* Zero-coin / Zero-cash to anonymize the bitcoin currency
* transactions recorded in public ledger; nothing sophisticated done with the ledger; people can identify and map your identity; if you're very paranoid you can prevent (maybe), but in the general case hard to use bitcoin for privacy;
* this should matter to all of us; the technology behind bitcoin may be with us for a very long time; countermeasures are weak even in the face of unsophisticated attacks
* if we make bitcoin private, can possibly find applications beyond currency
* two approaches for anonymous version of bitcoin
* zerocoin - technique to implement electronic cash in bitcoin protocol
* zerocash - way to make zerocoin practical and deployable and usable as ecash currency
* zerocoin - joint work with students and colleagues at Johns Hopkins (JH)
* bitcoin doesn't give us much privacy despite academic thinking from 1980s (esp. David Chong [David Chaum]) to build untraceable ecash
* ecash tried to tackle one problem without thinking of all other practical concerns; nobody in the history of academic ecash managed to set up a working, centralized bank; Chaum's bank attempt failed
* bitcoin solved this problem of a currency take-off and early adoption; but we need a different technique to get rid of a centralized bank
* zerocoin is a new approach for ecash to get rid of centralized bank; basic idea is public ledger (constructed by bitcoin) blockchain; use this to wash bitcoins that does not require us to trust a centralized party; key ingredient (blockchain) is given for free by the bulletin board;
* zerocoin high-level intuition of original protocol: layer on top of bitcoin; i have some bitcoin; i want to break the link between my current address and a future address; take my bitcoin and turn into zerocoin; they get mixed up; all people making zerocoins will shuffle them together so no linkage with creation and redemption; at some future point, can redeem zerocoins into bitcoins ideally unrelated; breaks graph analysis; when disappearing into the zerocoin network minimizes/removes leakage;
* zerocoins are numbers; digital commitments to a large serial number; viewing the commitment, you should not be able to tell the serial number; once these commitments are minted (easy to create), you put them on the bitcoin blockchain; new instruction in the bitcoin system to produce a transaction that spends a bitcoin for a zerocoin; anybody that sees this transaction sees that this valid zerocoin is worth some money;
* at some point in the future, you redeem; you first reveal the secret serial number used to make the first zerocoin and put it into a transaction; prove that the serial number corresponds to a zerocoin; then prove that the zerocoin is one of the set placed on the blockchain (which somebody paid money for);
* zero-knowledge proof; prove statements without using any information other than the fact that the statement is true; "there exists some zerocoin in the set of zerocoins placed on the blockchain & the serial number we're revealing is the actual serial number in the coin";
* if the proof is valid, then double-spend is impossible since serial number would have to be revealed again;
* efficiency is important here! the approach used is the accumulator; collect all the zerocoins into the accumulator, then prove that the zerocoin you're trying to spend is contained in the accumulator; proof of knowledge is 4KB; the entire thing is 25KB after optimization; for crypto this is awesome!; but developers hated adding this much to the blockchain; so unlikely to happen in real world
* summary: zerocoin good first approach, libzerocoin; but the problem is that the proofs are just too big; and coins all have the same value; but this means that if you want to spend fractional amounts of bitcoin, then it won't work (have to translate back to bitcoin)
* new solution: zerocash
* presented in May and at the Bitcoin conference in San Jose; in both conferences with teams working on small zero knowledge proofs aka SNARKs; other cryptographers already had them ready;
* SNARK - Succinct Non-interactive Arguments of Knowledge; Bryan Parno (MS Research); basic idea is that you can prove arbitrarily complex statements in 288 bytes; in addition to having these efficient proofs, there are compilers that have proofs that the program executed correctly; we should simply take existing libzerocoin code and run through the compiler to produce these proofs; but these compilers produce large circuits; the time to make a small proof takes hours or days;
* co-authors have spent a lot of time optimizing these proofs; the right way is NOT to take existing libzerocoin, but throw away RSA and other cryptographic techniques and replace with components that are easier to prove such as hash functions like SHA256 and Merkle trees; easy to prove hash with small circuits e.g. sha256 in 30K gates
* each coin is really the hash of some randomness and the serial number = commitment. once we have these coins we put them in the hash tree; 64-depth key (2^64); when want to redeem; reveal the serial number, and can reveal 64 hashes before in the tree;
* if these proofs are powerful and efficient, why need bitcoin? why not put entire system into zerocoin and make everything anonymous through generation, use, redemption of coins? the only information that makes it into the blockchain is the fact that a transaction occurred. just show that two new coins whose value totals the bitcoin that you're splitting; when we merge we spend two coins we prove that the two = same value of the new coin; transfers can be done completely anonymously without knowing who and how much.
* can encrypt transactions and hash the values
* transaction fees have to be public, but everything else can be anonymous
* name for this process; generic transaction is called "pouring coins"
* is this efficient? one detail - the problem with zerocoin 1.0 was that the proofs were huge and took 0.33s; these results mixed; to merge/make takes 87s-108s on a single core; but on the bright side bitcoin takes up to an hour for each transaction; verification time is in ms; comparable to bitcoin; verification is in the network; the catch is that to verify the proofs you need a large set of public parameters; 1.2GB in size
* best part of this is that you already need 16GB to store the blockchain, so to add this is around 7% increase in storage
* somebody needs to generate these parameters; trusted party; possible to find a dozen people that people trust to set up the parameters;
* system that is efficient; will be separate system released in May; real-world crypto; want to get people to use;
* release an altchain; client that implements all these things; put it out there; hope that nobody puts a lot of money in this because these are new techniques and might break down; idea is to test this in an environment separate from bitcoin so we don't break anything else while trying to make this work
* should we even be doing this research? lots of people criticizing us. this is important research not just because people want to commit crimes, but because when you spend money your transactions are hidden from neighbours, but with bitcoin people can see your transactions; important to get it out there.
Thanks.
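The coin-as-commitment, hash-tree accumulator and serial-number reveal that the transcript describes, as an added toy example in Python (not code from the talk, libzerocoin or Zerocash): coins are commitments H(r || serial), all minted coins sit in a Merkle tree, and a redeem reveals the serial plus an authentication path, with a repeated serial rejected as a double spend. The zero-knowledge proof is left out, so r and the path are sent in the clear; the example shows the structure the proof is built on, not the anonymity it provides.

```python
import hashlib

def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

def mint(serial: bytes, r: bytes) -> bytes:
    """A coin is a hiding commitment to its serial number: H(r || serial)."""
    return H(r, serial)

def _pad(level):
    # Duplicate the last node so that a level with odd length can be paired up.
    return level + [level[-1]] if len(level) % 2 else level

def merkle_root(leaves):
    """Root of the hash tree over all minted coins (the accumulator)."""
    level = list(leaves)
    while len(level) > 1:
        level = _pad(level)
        level = [H(level[i], level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]

def merkle_path(leaves, index):
    """Authentication path for leaf `index`: (sibling, leaf_is_right_child) pairs."""
    path, level = [], list(leaves)
    while len(level) > 1:
        level = _pad(level)
        path.append((level[index ^ 1], bool(index & 1)))
        index //= 2
        level = [H(level[i], level[i + 1]) for i in range(0, len(level), 2)]
    return path

def verify_path(leaf, path, root):
    # Recompute the root from the leaf and its path; True iff the leaf is in the tree.
    node = leaf
    for sibling, is_right in path:
        node = H(sibling, node) if is_right else H(node, sibling)
    return node == root

class Ledger:
    # Public ledger: Merkle root of all minted coins plus the set of revealed serials.
    def __init__(self, coins):
        self.root, self.spent = merkle_root(coins), set()
    def redeem(self, serial, r, path):
        # Zerocash proves both facts below in zero knowledge; here r and the path are
        # sent in the clear, so this toy has the protocol's structure but no anonymity.
        if serial in self.spent:
            return False  # double spend: this serial number was already revealed
        if not verify_path(mint(serial, r), path, self.root):
            return False  # commitment is not among the coins someone paid for
        self.spent.add(serial)
        return True
```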