Topic: Zerocoin: Anonymous Distributed E-Cash from Bitcoin (Read 37707 times)

I wonder who would use a coin that depends on the good will of the developers to destroy a file that contains access to the supply and so on (the so called masterkey).

I guess I should have bought some tho, those things tend to pump so much. Now, who knows if the pump is over and it will instadump as soon as it gets on Poloniex.

price so high added in exchenge C-cex also https://c-cex.com/?p=zcoin-btc

https://bittrex.com/Market/Index?MarketName=BTC-XZC
congrats

I'm really very curious to see if these ideas could lead to integration of the zerocash project code down the road into bitcoin itself.  
I noticed the following remarks:


And this:

But there is no question at this point that the bitcoin development process needs to work out an anonymity solution.  From my perspective, I don't think that it has to require that the users actually utilize it, in other words, why not go down the path of making it an option (supported in the protocol, not imposed, but showing up in Core as a transaction option that the user can select to apply to any particular transaction, or none at all).  Conceptually at least, this has been the approach of blockchain.info, which with its CoinJoin (SharedCoin) implementation, leaves it up to the user as to whether to use the CoinJoin process (by being able to select 'SharedCoin' as a transaction type, or not).  While this is a good privacy feature, it's been pointed out (in Coindesk and elsewhere) that SharedCoin users can be readily identified.  (Not to mention, it's a web wallet...)
My point in this little ramble-on is that I see reason in jgarzik's assertion that it would likely be best to not impose it universally.  In other words, if a user wants to participate in utilizing the Zerocash feature (assuming that this would be incorporated into and supported in the bitcoin protocol itself) then that should be an option that would be displayed in Bitcoin Core wallet.  Zerocash is a significantly different proposal than SharedCoin, but conceptually, the idea of having anonymous transactions as an option is appealing for a number of reasons.  For example, the concepts suggested in my project [[ http://abis.io ]] favor the idea of a 'giving system' being incorporated into decentralized virtual currency wallets, but every aspect of this would be under the control of the user and could be changed at any time, making it completely voluntary and allowing for the maximum choice possible.  [In addition, one of the possibilities that I envision from the eventual implementation of http://abis.io ~ for which I am reworking / working up a new specification ~ is that people could choose to make an obvious public record of what their donations are (or not! as it's a choice), and if they did, they could tally up their microdonations for deductions purposes at the end of the year (or not! if they chose anonymity in their transactions under ABIS).]  Choice and consent should also be an objective of any process which offers something better (like anonymity) to the user.  And I think also the Foundation Board, dues-paying members, developers, and everyone can help anonymity happen with bitcoin while preserving that choice.  

In another thread, I've asked the following questions:


I'd love to hear the Zerocash developers respond to this, obviously, and anyone else interested I would really appreciate your thoughts.
Some of my own ideas to support basic bitcoin development generally _and_ progress on the anonymity side are shown at:
https://github.com/pmlaw/The-Bitcoin-Foundation-Legal-Repo/issues/19

(brief edit:  I also feel that this is worthy of attention....
https://tahoe-lafs.org/pipermail/tahoe-dev/2014-May/009062.html (from zooko) and see also the following statements regarding multiparty computation setup in zerocash
https://twitter.com/matthew_d_green/status/472208415867928576 h/t zooko, matthewdgreen)

OK, so I feel like I've said more than enough on this....  I look forward to your thoughts, replies, ideas.

from what I've read from the things that comes out of traditional academia on the topic of bitcoin is absolutely worthless. there is something inherently wrong with this kind of reasoning, which seems to be obsessed with adding complexity to systems, instead of designing robust and simple systems. while studying the underlying concepts might be interesting, I'm pretty sure the effort is much better spend elsewhere. after all, code of trust protocols has to be audited, and if only 5 people understand the math, nobody is going to accept it.

The Etherum forum has a huge head start and the people there seem to have high engagement.

FYI there's a newer ZeroCash talk by Eli Ben-Sasson at:
https://www.youtube.com/watch?v=l7LSSE0bRRo
Note: I personally neither approve nor disapprove of anything said there.

i think still under developement
good news coming probably
If you want innovation just see: Emunie( forum.emunie.com and for beta test the EMU go to beta.emunie.com) and Ethereum 

what's going on about zerocoin?

Are there any actual examples of double-spends happening to someone who accepts 0-confirmation transactions in the wild? I've always attributed Litecoin's success to being the first Scrypt coin with a fair launch, consistent rules, and good community support.

Zerocoin will challenge Litecoin if it has fast confirmations.

XCP did this : during the burn period, the later you burned, the less XCP you received per BTC.

I think the thing to do would be to define an exponentially declining incentive for early adoption into the inflation schedule. For instance, first 100k coins moved each get 1 bonus betacoin. Next 100k get 0.5 bonus, etc. Similar to how bitcoin halving works, except it's coin-based, not time-based. But ideally, you'd do it in a continuous way, rather than have steep halvings. Something like N(c) = 1 + exp(-c * ln(2) / 100000), where N(c) is the number of betacoins that the c'th bitcoin destroyed results in.

I would not be surprised if it was released as a testnet.

Are there any infos out yet regarding the initial distribution of Zerocoins? Will they be mined or created from destroyed Bitcoins o else?

Are there any plans to keep the new chain exclusively experimental, like a Testnet or are they intended to be full on usable from the beginning?

Will the new altchain be as decentralized as Bitcoin or semi-or completely centralized?

The answer to what happens if 0-Coin takes off as an independent altchain is quite simple. People will invest their money in it, in order to profit from the appreciation against Bitcoin. Would that lead to a collapse of Bitcoin's value? I dont think it would in the short-medium term as like you have rightly stated many risks are associated with a new protocol such as Zerocoin. Some more risk prone investors will put some percentage of their holdings into this new currency, while others will stick with their proven and so far secure Bitoin investments. As the risks over time fade away and Zerocoin's advantages outweigh it's risks over the Bitcoin alternative we could see Zerocoin emerging as the more valuable and/or more used alternative of the two. In any way it will be a gradual process where the market balances the value transfer, processing all available information to agree on a price.

Concerning "digital scarcity": If I understand your concept of digital scarcity in this context correctly, you are afraid that the value of all finite Bitcoins+Namecoins+Litecoins+etc. will be eroded away by every new altcoin that springs up. Well, I cant see how this is not already happening and how an independant Zerocoin altchain would change that development. I think I can console your mind because not every new altchain with its added monetary base has the same effect. When a new run off the mill alt chain comes around people are reluctant to convert their assests into that coin, thus keeping the newest addition to that percived "digital scarcity" almost meaningless. The best example is Ripple with their 100 Billion XRP premined was added to that pool of digital currency units that make up the total supply of the digital scarcity. Did the advent of Ripple devalue all Bitcoins in existance instantly?

TLDR:

I think one should not worry about a sudden devaluation of Bitcoin because a new competitor comes around the corner. This market mechanic of investing your money into promising projects can be a valuable incentive for development of innovation and improvement of new ideas in the crypto zoo. And like someone else said: If you are afraid of devaluation of your Bitcoin stash, just put some into the new alt and you are good

plugged in with listen mode.

You know that is a good idea, practical, can be done now, no experimental crypto risk.  Greatly reduces fungibility risks and might buy a few years.  Lets do it!

Zerocoin or equivalent can catchup when it does.

Adam

Yes thats pretty much it.  Technically the coin is c=g^s*h^r and c is seen by everyone when it is added to the accumulator (though s and r are not seen by anyone).  But when it is spent s the coin serial number becomes disclosed and is stored in the doble spend db, c is hidden because of the ZKP and r is still not revealed).

Adam

I guess we have to see it first.  I hope they are going to publish the crypto before the alt, presumably because the zerocoin v1 paper came out long before the library.


I think fungibility guarantee via coin anonymity is the right thing to do, as the strongest form of fungibility is cryptographically enforced fungibility.   

But I think user privacy is orthogonal to coin fungibility.  I can prove my identity while sending an anonymous fungible coin or not as I choose, if the coin is cryptographically fungible I have a choice.  As is with bitcoin I have limited choice because the coin leaks linkages.

Usually if you have anonymity as a building block users can opt to disclose and prove because the anonymity will also have keys and the user can publish their keys.  So I think it likely that opt-in public association of an identity with specific coins, or maybe with unlinkable but validatable amount of coins would be technically available, and I can see its a useful feature, so should be made an option for users.  (Eg to prove they have the bitcoins they claim to be holding for users, or disclose the amount of donations received).

About privacy in my view bitcoin is a bit too open which I think is not so much by design, but because its difficult to have privacy and the auditability SPV operation needs, because miners need to validate, and to validate they need to see amounts and transfer histories.   (Hence the interest in zerocoin and zerocoin2.)  Without needing to support SPV clients one could do committed-tx and it would be a step forward.

I think Ideally transacting parties should be able to choose the level of privacy from each other and from the public.  eg pseudonymous to each other but private to the public.  Or identified seller (because its a regulated business) and identified business (because the user need to validate the reputation of the seller), but private from the public.  In event of need to reveal more detail to selected other parties, or to the public to prove good faith, they should also be able to do that eg by publishing some keys.

In this way policing can be done by asking for information from transacting parties.  And demonstrating openness (eg for donations, charities, public companies) can be done by publishing keys.  And financial auditing can be done by a charity or company giving their accountant or auditor keys to view their transactions (but not necessarily the sender identity).

There are also privacy preserving forms of auditing.  Eg homomorphic values can still allow auditing that values add up by anyone and yet hide amounts and/or payer psueodnym is unknown (close to single use addresses but slightly stronger privacy).

So I think if we can get a cryptographic private, efficient, distributed coin with conservative security for the coin anonymity/fungibility layer then we are golden.  We can engineer/architect the selective disclosure, selective identity and different privacy concepts to dove tail with transacting party wishes.  I would say bitcoin should not make any global rule about maximum allowed privacy, because rules are different in different countries.  Rather payments should be private between the transacting parties, and it is up to the transacting parties to keep records and answer requests for information disclosure, and to provide identity to regulated businesses in their respective jurisdictions,

But its hard to do get the efficient, distributed and private ecash, thats so far proving to be another triangle thing like pick 2: efficient, distributed, private. 

So lets have a look at what we have:

- bitcoin (efficient, distributed, but taintable privacy)
- chaum or brands ecash are (efficient, cryptographic privacy, but centralized)
- coinjoin (efficient, distributed, smudged taint privacy)
- opentransactions (efficient, cryptographic private, limited redundancy)
- committed-tx (efficient, private except parties see payment history, decentralized but no SPV)
- zerocoin v1 (private, decentralized, but inefficient)
- holygrail (efficient, distributed, cryptographic privacy)

we have to see how zerocoin v2 stacks up.  Another risk point can be bleeding edge crypto that hasnt seen 10yrs of review.  Things with security proofs have been broken before.  Hardness assumptions for new things sometimes erode or slip.

Adam