Why wouldn't you just delete the line "when clearly there is no more NIZKP in the source than exists in Monero's keyimage system." instead of striking through since it is obvious fud? Advertising, that's why.
Because anyone that gets email notifications has the full text of what I said anyway. If you'd prefer, I'll gladly remove the strikethrough, since the point is valid. Also, if there's a miraculous advancement in
NIZKP implementation in the source please do point it out to me and I will absolutely publicly admit my gross inability to notice it.
Hi Fluffy,
I just spoke with SDCDev regarding the comment above:
"it's in 'generate signature' (
https://github.com/SDCDev/shadowcoin/commit/317b9b1f5121ecde162fd8d37fbd587182c45fef), it's just the hash commitment from the signature... we don't have snarks or full zero knowledge, just a zero knowledge proof. The keyimage is the tag.. the zkp is the whole construction of the tag... the algorithm in the paper pretty much translates directly to the code" - SDCDev
WP:
http://shadow.cash/downloads/shadowcash-anon.pdf
Note: SDCDev has stated he will be responding himself with a clearer explanation.
Rynomster or anyone else: Feel free to correct me wherever I'm wrong as this is also a learning process for me.
AFAIK Cryptonote doesn't destroy or mint coin during its process. If I'm correct, then this is the biggest difference between the two schemes.
My understanding of Shadowcash:
Shadowcash is similar to Zerocoin in the sense that it uses an anonymous token system to destroy SDC then mint new Shadow (SDC-to-Shadow); however, unlike Zerocoin, it doesn't require a trusted setup to convert Bitcoin into newly minted Zerocoin.
Below is an image of the Zerocoin minting process:
The Shadowcash network destroys the SDC and mints Shadow in its place (SDC-to-Shadow) via smaller denominations of Shadow Tokens (Shadow) equal to that of the destroyed SDC. These Shadow Tokens (SDT) make up the members of the ring signature. The newly minted Shadow tokens have no link to the destroyed Shadowcoin, because they are sent to a dual-key stealth address. Non-interactive zero knowledge proofs (NIZKPs) are used when sending Shadow-to-Shadow between Stealth Addresses, further removing linkability between parties. The only way to redeem Shadow is to prove ownership of the tokens through ownership of the address via a traceable ring signature. Thus, if you don't own the address containing the Shadow then the network won't allow you to mint (redeem) new Shadowcoin (Shadow-to-SDC).
How can anyone be sure that there are no "phantom tokens"? Who is going to control the creation of these tokens? Is it all based on trust, are you serious? wtf
They can only be created by sending SDC -> Shadow; there are APIs:
>shadowcoind help anon
anoninfo [recalculate]
anonoutputs [systemTotals] [show_immature_outputs]
estimateanonfee
[narration]
reloadanondata
sendanontoanon [narration] [comment] [comment-to]
sendanontosdc [narration] [comment] [comment-to]
sendsdctoanon [narration] [comment] [comment-to]
and in the wallet there is a chain data page, which shows all the anonymous outputs in the system.
Shadowcash doesn't seem similar to cryptonote other than the use of ring signatures. IMO, ShadowCash seems more advanced in its implementation vs Cryptonote because Shadowcash destroys the inputs (SDC) and creates anonymous outputs (Shadow).
From the Monero thread regarding I/Os:
So the miner (or anybody) knows the sum of all spent inputs and outputs?
The ins and outs each have amounts, so you can add that up.
Am I right?
Transaction
input(a1=5 XMR, random=6 XMR) output( g1=3 XMR, a3=1 XMR, keyImage_a1 )
ringSig(pub a1, pub random and private a1)
Using VER and LNK everybody can verify that a1 holds 5 XMR, so I'm able to spend 4 XMR and the miner can take a 1 XMR fee?
implies a1 was used (because I can't spend random)
implies a1_priv * H_p(A1_pub) = keyImage_a1
Am I missing something?
I'm not sure of your notation here. Is 'random' a foreign output used for a ring sig? In that case, that's not how it works. Each input uses a separate ring sig, with other outputs of the same size.
And what does g1 (or a3 for that matter) denote on your output?
Yes, I want to use a "foreign output used for a ring sig" to obscure the transaction. I'll pull it from the block chain.
g1 (I pay for goods) and a3 (my new address) do not matter.
Okay, well, like I said, each input will have its own set of foreign outputs used for mixing. Such outputs will all be of the same size, so this doesn't change the amount of the transaction, just its possible funding sources. Perhaps you want to revise your example?
Please can you make example:
1) I have unspent output 5 XMR, I want to pay 3 XMR for goods and 1 XMR transaction fee.
2) I want to obscure my payment with 1 foreign input that holds 6 XMR.
You can't do #2 with the way the protocol works today. There is a modification from gmaxwell that allows using foreign outputs of different sizes but it isn't implemented anywhere AFAIK.
Your foreign outputs need to be of the same size.
So we would have (borrowing some of your notation)
tx(input(ring(a1(5 XMR),f1(5 XMR),f2(5 XMR),f3(5 XMR)) -> output(r1(3 XMR),c1(1 XMR)))
a1 = our own unspent output
f1..f3 = foreign outputs of size equal to a1
r1 = output owned by recipient
c1 = change output owned by us
We could also include additional inputs (and generate more change) if we wanted to further obscure the amount of the transaction.
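The transaction shape sketched in this post, as an added toy validator that is not code from the thread or from Monero: amounts are plain integers, and the key image is a simplified stand-in (a hash of the real input's secret) for the curve operation a_priv * H_p(A_pub) mentioned earlier, so no real ring-signature cryptography is performed. It checks the three rules the post states: every ring member has the same denomination, inputs equal outputs plus fee, and a key image cannot be reused.

```python
import hashlib

def key_image(secret_key: str) -> str:
    """Toy key image: one deterministic tag per spent output (stand-in, not the EC version)."""
    return hashlib.sha256(b"keyimage:" + secret_key.encode()).hexdigest()

def validate_tx(tx: dict, spent_images: set) -> list:
    """Return a list of validation errors; an empty list means the tx is well-formed."""
    errors = []
    total_in = 0
    seen = set()
    for inp in tx["inputs"]:
        ring = inp["ring"]                      # list of (output_name, amount)
        amounts = {amt for _, amt in ring}
        if len(amounts) != 1:                   # all ring members must share one denomination
            errors.append(f"ring {[n for n, _ in ring]} mixes denominations {sorted(amounts)}")
            continue
        total_in += amounts.pop()               # equal sizes => the spent amount is public
        ki = inp["key_image"]
        if ki in spent_images or ki in seen:    # same key image twice = double spend
            errors.append(f"key image {ki[:8]} already spent (double spend)")
        seen.add(ki)
    total_out = sum(amt for _, amt in tx["outputs"])
    if total_in != total_out + tx["fee"]:       # miner can only take the stated fee
        errors.append(f"amounts do not balance: in={total_in} out={total_out} fee={tx['fee']}")
    return errors

# Constructed sample matching the post: a1 (5 XMR) mixed with f1..f3 (5 XMR each),
# paying r1 = 3 XMR, change c1 = 1 XMR, fee = 1 XMR.
GOOD_TX = {
    "inputs": [{"ring": [("a1", 5), ("f1", 5), ("f2", 5), ("f3", 5)],
                "key_image": key_image("a1_secret")}],
    "outputs": [("r1", 3), ("c1", 1)],
    "fee": 1,
}
# The earlier, rejected shape: a 6 XMR foreign output mixed into a 5 XMR ring.
BAD_RING_TX = {
    "inputs": [{"ring": [("a1", 5), ("random", 6)], "key_image": key_image("a1_secret")}],
    "outputs": [("g1", 3), ("a3", 1)],
    "fee": 1,
}
```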
Did you forget to add the keyImage for a1? Or how can this transaction be verified?
Like I said before, understanding this scheme has been a learning process for me. If I'm incorrect in any of information, Ryno or anyone else please feel free to correct me.
I spent the better part of the day preparing a guide/explanation slide presentation (draft) that goes over the flow from start to finish. The information in the presentation comes from the WP and IRC, so I'm sure it's 100%. Ryno still needs to verify everything though.
I think the visualization of the process will help people understand the groundbreaking innovation made here and more importantly - how to use it. It's truly a unique system.
(1st Draft and will edit accordingly)
https://docs.google.com/presentation/d/1yX2jN618Rnzs4g2ri_utdKdHbny6-xnRcPhOuhLNGB0/edit#slide=id.g577a31a2a_086
I'm working with crz to create a proper technical infographic that shows the process similar to the zerocoin and cryptonote images above. Not sure when those will be released but feel free to donate to crz!
http://shadowtalk.org/topic/74/new-branding-wallet-logo-icons-visuals-infographics-media/12
Thanks!
Excellent post CST. Worth restating is the fact that cryptonote simply obfuscates the outputs, whereas Shadow destroys them... a huge difference.