Topic: Research into ZeroCoin ongoing, and a multiparty non-trusted setup proposed

hero member
Activity: 826
Merit: 500
This doesn't change my negative view of Zerocoin/Zerocash. Even if they have reduced the risk, the fact is that the opportunity for collusion still exists. It can never be eliminated nor detected if it did happen. Considering the enormous economic incentive associated with colluding, this is DOA. Might have applications somewhere, but not as an anonymous alternative to Bitcoin.
hero member
Activity: 672
Merit: 500
Quote
Of course, an unsolvable issue is when there's a bug that lets someone create a pile of coins that the creators didn't realize existed (as with Bitcoin), since no one can see how much money exists on the blockchain.

Well, that is again an issue and a much bigger one. As kazuki said, zerocoin is still untrustworthy and unusable.
legendary
Activity: 1484
Merit: 1005
ZRC is the "ultimate" case for privacy, in which all tx are totally obscured from the eyes of everyone else and it's impossible to tell how much money anyone else has (or even the system has). The only balances you can effectively know are your own. At the same time you can opt to use cryptography to prove ownership of funds, and where the funds are sent to.

The issue with ZRC was always that you needed a trusted party to set up the initial parameter set. If the trusted party doesn't destroy their keys after setup, then they can freely generate money out of the air and basically control the entire system.

The ZRC guys are now saying that they have found a solution and are implementing it:
Quote
However, I will address this caveat of the trusted setup. So what is this? Our zkSNARK trusted setup is for the initial public parameters of the system. It only happens at genesis time. After that, no trust is required in the system ever. However, if the trusted setup is compromised, then an attacker can fake new coins and could totally trash your economy. An attacker cannot break your anonymity or steal your coins. That said, we would like to get rid of the trusted setup.

There is a paper by some of us which will be appearing soon (BCGTV15) where we propose a multi-party protocol for sampling the parameters. It is an efficient MPC protocol. If just one participant is honest, then the parameters are going to be completely secure, meaning that an attacker needs to compromise every single one of the participants, presumably on different continents, to break the setup assumptions.
From the MIT Bitcoin expo:
http://diyhpl.us/wiki/transcripts/mit-bitcoin-expo-2015/zerocash-and-zero-knowledge-succint-arguments-of-knowledge-libsnark/

Of course, an unsolvable issue is when there's a bug that lets someone create a pile of coins that the creators didn't realize existed (as with Bitcoin), since no one can see how much money exists on the blockchain. If the same event happened with ZRC, that user would own 99% of the ZRC that would ever come into existence.
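The round-robin idea from the quoted transcript, as an added toy example that is not code from Zerocash, libsnark or the BCGTV15 paper: a tiny prime-order subgroup of Z_p^* stands in for the pairing groups a real zkSNARK uses, the "public parameters" are the encoded powers of a secret exponent tau (the toxic waste), and each participant in turn re-randomises the accumulator with a private multiplier, so tau ends up as the product of every participant's share without anyone ever holding it. The block shows the original single-dealer setup as the n = 1 case, that full collusion recovers tau and with it the ability to regenerate (here: "forge") every parameter, and that with even one honest participant the colluders' shares are consistent with every possible tau. The group constants, the parameter shape, the absence of per-round well-formedness proofs and the use of parameter regeneration as the stand-in for forging are all assumptions made for this illustration.

```python
"""Toy model of a multi-party zkSNARK parameter ceremony.

Added example for this thread; not code from Zerocash, libsnark or BCGTV15.
Assumptions made here:
  * Parameters are the encoded powers g^(tau^0), ..., g^(tau^d) in a
    prime-order subgroup of Z_p^*.  tau is the toxic waste: whoever
    knows it can regenerate (forge) the whole parameter set.
  * Participant j holds a private multiplier s_j and raises the i-th
    accumulator element to s_j^i, so after n rounds tau = s_1*...*s_n mod q.
  * Real ceremonies add per-round proofs of a well-formed update; omitted.
"""
from __future__ import annotations

import secrets
from math import prod

# Constructed toy group: safe prime p = 2q + 1; g = 4 generates the order-q subgroup.
P, Q, G = 1019, 509, 4


def apply_share(acc: list[int], share: int) -> list[int]:
    """One participant's round: g^(tau^i) -> g^((tau*share)^i), for every i.
    The participant never learns tau; it only touches group elements."""
    return [pow(elem, pow(share, i, Q), P) for i, elem in enumerate(acc)]


def run_ceremony(shares: list[int], d: int) -> tuple[list[int], list[list[int]]]:
    """Round-robin ceremony over degree-d parameters.
    Starts from the trivial tau = 1 (every element is g) and returns the final
    parameters plus the public transcript (accumulator after each round)."""
    acc = [G] * (d + 1)
    transcript = [acc]
    for s in shares:
        acc = apply_share(acc, s)
        transcript.append(acc)
    return acc, transcript


def toxic_waste(shares: list[int]) -> int:
    """What full collusion yields: tau itself, the product of all shares mod q."""
    return prod(shares) % Q


def forges(tau: int, params: list[int]) -> bool:
    """Stand-in for 'can forge proofs': with the right tau you can regenerate
    every parameter element from g alone, which is exactly the trusted
    dealer's power in a single-party setup."""
    return params == [pow(G, pow(tau, i, Q), P) for i in range(len(params))]


def candidate_taus(colluder_shares: list[int]) -> set[int]:
    """Colluders holding every share but one honest one: the missing share s
    is uniform over Z_q^*, so tau = s * (known product) ranges over all of
    Z_q^*.  Their own shares carry no information about tau."""
    known = prod(colluder_shares) % Q
    return {(s * known) % Q for s in range(1, Q)}


def random_share() -> int:
    """Uniform private multiplier in [1, q-1]."""
    return secrets.randbelow(Q - 1) + 1


if __name__ == "__main__":
    d = 4
    # Original single-dealer setup: n = 1, the dealer alone holds tau.
    dealer = [random_share()]
    params1, _ = run_ceremony(dealer, d)
    assert forges(toxic_waste(dealer), params1)

    # Five-party ceremony: compromising all five still recovers tau ...
    shares = [random_share() for _ in range(5)]
    params, transcript = run_ceremony(shares, d)
    assert len(transcript) == 6 and forges(toxic_waste(shares), params)
    # ... but four colluders plus one honest party see tau as uniform on Z_q^*.
    assert candidate_taus(shares[1:]) == set(range(1, Q))
    print("tau is recoverable only with every share; one honest share hides it")
```

Two caveats a practitioner should keep in mind. First, the toy group is small enough that a discrete logarithm on `params[1]` is brute-forceable, so the block only demonstrates the algebraic fact that the colluders' view is independent of tau, not the hardness assumption a real group supplies. Second, a real ceremony must also let anyone verify that each round raised every element by powers of a single consistent multiplier (done with pairing checks in the published protocols); without that, a malicious participant could publish a malformed accumulator, and this toy does not check for it.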