Topic: Zerocoin: Anonymous Distributed E-Cash from Bitcoin (Read 37806 times)

legendary
Activity: 1610
Merit: 1183
I wonder who would use a coin that depends on the good will of the developers to destroy a file that contains access to the supply and so on (the so-called master key).

I guess I should have bought some though, those things tend to pump so much. Now, who knows if the pump is over and it will instadump as soon as it gets on Poloniex.
member
Activity: 89
Merit: 10
Price so high; also added on the exchange C-cex: https://c-cex.com/?p=zcoin-btc
sr. member
Activity: 952
Merit: 308
sr. member
Activity: 278
Merit: 252
ABISprotocol on Gist
I really like Adam's very creative idea earlier in this thread to have a pure-zerocoin system:

https://bitcointalksearch.org/topic/m.2420768

The zerocoin paper proposed a hybrid bitcoin-zerocoin system. Bitcoins would be temporarily exchanged for zerocoins, and then exchanged back. Adam's idea was that zerocoins would be exchanged directly for zerocoins. Zerocoins could be mined directly, too. All this is a simple modification of the zerocoin protocol. In fact, it would be simpler in terms of code size, because you wouldn't have to support bitcoin transactions. No scripting language, no bitcoin validation rules. Just pure zerocoin spend transactions.

This would also free us from the forced assumption of bitcoin-zerocoin parity. The heavy resource requirements of zerocoin might naturally break that parity. (Admittedly, zerocoin would first be implemented as an extension to an alt, so the value in terms of bitcoins would float. But the simplification is still a win.)

There are various proposals to do P2P exchanges between altcoin chains. I don't know what the status is as far as Bitcoin support in the bitcoin-qt client. You'd have to have a new client to do the P2P protocol. But even if we had to rely on an exchange, it would be an interesting experiment.

The last problem for a zerocoin implementation is the generation of an RSA modulus for which no one knows the factorization. This is hard, and deserves more analysis.

I'm really very curious to see if these ideas could lead to integration of the zerocash project code down the road into bitcoin itself.  
I noticed the following remarks:

https://twitter.com/matthew_d_green/status/401798811070107648

Quote
We designed a new version of Zerocoin that reduces proof sizes by 98% and allows for direct anonymous payments that hide payment amount.

Is a 98% reduction in proof size enough to overcome any existing valid reasons to not merge ZeroCoin functionality?

And this:
It sounds like ZeroCoin v2 eliminates one major criticism, that of bloat.

But engineering hurdles remain:
  • 1. Requires a hard fork
  • 2. Any requirement that all transactions participate in mixing is a non-starter.  Some payment schemes bootstrap trust by intentionally being non-private, showing their bitcoin holdings and bitcoin payments with provable digital signatures.

Any forced 100% privacy scheme that prevented opt-in auditing would make life difficult for some existing users, who place value in the transparency of the system.

I would rather see automatic mixing and privacy built into every client.

But there is no question at this point that the bitcoin development process needs to work out an anonymity solution.  From my perspective, I don't think that it has to require that the users actually utilize it, in other words, why not go down the path of making it an option (supported in the protocol, not imposed, but showing up in Core as a transaction option that the user can select to apply to any particular transaction, or none at all).  Conceptually at least, this has been the approach of blockchain.info, which with its CoinJoin (SharedCoin) implementation, leaves it up to the user as to whether to use the CoinJoin process (by being able to select 'SharedCoin' as a transaction type, or not).  While this is a good privacy feature, it's been pointed out (in Coindesk and elsewhere) that SharedCoin users can be readily identified.  (Not to mention, it's a web wallet...)
My point in this little ramble-on is that I see reason in jgarzik's assertion that it would likely be best to not impose it universally.  In other words, if a user wants to participate in utilizing the Zerocash feature (assuming that this would be incorporated into and supported in the bitcoin protocol itself) then that should be an option that would be displayed in Bitcoin Core wallet.  Zerocash is a significantly different proposal than SharedCoin, but conceptually, the idea of having anonymous transactions as an option is appealing for a number of reasons.  For example, the concepts suggested in my project [[ http://abis.io ]] favor the idea of a 'giving system' being incorporated into decentralized virtual currency wallets, but every aspect of this would be under the control of the user and could be changed at any time, making it completely voluntary and allowing for the maximum choice possible.  [In addition, one of the possibilities that I envision from the eventual implementation of http://abis.io ~ for which I am reworking / working up a new specification ~ is that people could choose to make an obvious public record of what their donations are (or not! as it's a choice), and if they did, they could tally up their microdonations for deductions purposes at the end of the year (or not! if they chose anonymity in their transactions under ABIS).]  Choice and consent should also be an objective of any process which offers something better (like anonymity) to the user.  And I think also the Foundation Board, dues-paying members, developers, and everyone can help anonymity happen with bitcoin while preserving that choice.  

In another thread, I've asked the following questions:

(...)
As a member you're free to ask— though a better forum might be the foundation forum.  Since this isn't the foundation's current area of interest I'd expect you'd see more success elsewhere with less effort though.
I really don't see how the Foundation can just stare slack-jawed at the developments in NY (USA), not to mention China, the Russian Federation, and apart from that, the transnational effects of TISA, and do nothing in the way of funding anonymity in bitcoin development.

The Foundation forum, you say?  You have to be joking.  There is almost zero support in the Foundation forum for ideas related to anonymity.  There are a lot of reasons for that, but some of them have been discussed quite a bit in Issue #10 on the Bylaws repository ~ my initial remarks on it can be found here:
https://github.com/pmlaw/The-Bitcoin-Foundation-Legal-Repo/issues/10#issuecomment-45282288
I've opened a pull request which is being considered by the Board on that issue, #16 (and as I understand it, #17 will also be considered by the Board).

I do agree with you that there might be more success elsewhere with less effort.  But I haven't entirely given up on the idea of a Foundation that could be more responsive to user needs and concerns, including the obvious need for anonymity across the network.

Regarding your ideas that you linked to in your comment at
http://download.wpsoftware.net/bitcoin/wizardry/brs-arbitrary-output-sizes.txt
on "OUTPUT DISTRIBUTION OBFUSCATION"

I would greatly like to see this (or something like it) become part of people's everyday bitcoin transaction experience.  

You're right about Zerocash being untested (it's anticipated to have a release in November or December), although I'm confident that when it is released the issues you've discussed with it will at that point have been addressed more than satisfactorily by the developers.

You mentioned also that you "spent a bit of time making recommendations about how it could be integrated in Bitcoin with them in email and in person— but the people involved seem to be very interested in creating an altcoin specifically as an altcoin."  It's my understanding that they felt an altcoin path was more reasonable because it would be unlikely that the bitcoin development team would ever integrate their anonymity work (even if refined) into bitcoin itself, but perhaps I'm wrong, for as you say, you have e-mailed them and met with them in person about it.  So then, what is the obstacle to this happening?  I would love to be proved so completely wrong in my assumptions about this matter and have someone from the zerocash team show up on this thread and say in reply somewhere here, "Oh, hey ABISprotocol, you are wrong, we _were_ actually invited to gradually work zerocash into bitcoin, and we're actually confident that there's an opportunity for this to happen at some point down the development road!"  However, that's not the sense I get at this time, but it does prompt some questions:

1) If there is an avenue for zerocash developers to work more closely with bitcoin, what does that look like?  Does it mean that @imichaelmiers & @matthewdgreen (on github) could be invited to work directly on the bitcoin protocol, and have the ability to make commits along with yourself, Gavin, and others?

2) Because (as I mentioned in my issue in the Bylaws repository on this, issue #19), "basic development of the bitcoin protocol, so as to increase the number of persons who are paid to clear basic development backlog and maintenance, (should be) the highest priority," isn't there a way for teams (such as the bitcoin development team and the zerocash team) to join forces to help get funding for this to occur?  It seems like the development team has been very vocal about the fact that basic development and maintenance of bitcoin is not well supported or funded (at least not as much as it should be).

3) You suggested that there are other avenues for funding that involve less effort than trying to get the Foundation to change its Bylaws in a way that would enhance such funding.   What avenues do you have in mind?

Thanks in advance for your answers and for engaging this topic so thoughtfully.

I'd love to hear the Zerocash developers respond to this, obviously, and anyone else interested I would really appreciate your thoughts.
Some of my own ideas to support basic bitcoin development generally _and_ progress on the anonymity side are shown at:
https://github.com/pmlaw/The-Bitcoin-Foundation-Legal-Repo/issues/19

(brief edit:  I also feel that this is worthy of attention....
https://tahoe-lafs.org/pipermail/tahoe-dev/2014-May/009062.html (from zooko) and see also the following statements regarding multiparty computation setup in zerocash
https://twitter.com/matthew_d_green/status/472208415867928576 h/t zooko, matthewdgreen)


OK, so I feel like I've said more than enough on this....  I look forward to your thoughts, replies, ideas.


full member
Activity: 140
Merit: 107
From what I've read, the things that come out of traditional academia on the topic of bitcoin are absolutely worthless. There is something inherently wrong with this kind of reasoning, which seems to be obsessed with adding complexity to systems, instead of designing robust and simple systems. While studying the underlying concepts might be interesting, I'm pretty sure the effort is much better spent elsewhere. After all, code of trust protocols has to be audited, and if only 5 people understand the math, nobody is going to accept it.
newbie
Activity: 19
Merit: 0
what's going on about zerocoin?

I think still under development
good news coming probably
If you want innovation just see: Emunie (forum.emunie.com and for beta test the EMU go to beta.emunie.com) and Ethereum


The Ethereum forum has a huge head start and the people there seem to have high engagement.
sr. member
Activity: 360
Merit: 251
FYI there's a newer ZeroCash talk by Eli Ben-Sasson at:
https://www.youtube.com/watch?v=l7LSSE0bRRo
Note: I personally neither approve nor disapprove of anything said there.
member
Activity: 84
Merit: 10
what's going on about zerocoin?

I think still under development
good news coming probably
If you want innovation just see: Emunie (forum.emunie.com and for beta test the EMU go to beta.emunie.com) and Ethereum
hero member
Activity: 703
Merit: 500
what's going on about zerocoin?
hero member
Activity: 950
Merit: 1001
Zerocoin will challenge Litecoin if it has fast confirmations.

Are there any actual examples of double-spends happening to someone who accepts 0-confirmation transactions in the wild? I've always attributed Litecoin's success to being the first Scrypt coin with a fair launch, consistent rules, and good community support.
legendary
Activity: 1456
Merit: 1000
Zerocoin will challenge Litecoin if it has fast confirmations.
legendary
Activity: 2156
Merit: 1131
The betaCoin model is interesting, but I'd just make one important remark though: in this model, there's no financial incentive for people to migrate from bitcoin stable to bitcoin beta, since stable coins will always be more valuable than beta coins. This means that, from a monetary point of view, this beta risks being just a testnet++. Not many people will transfer their coins into it (it is not a reasonable investment strategy), and without much aggregated value, would it really have enough manpower behind it? If Gavin and Garzik are being fully employed to work on Bitcoin right now, it's precisely because bitcoins are valuable to lots of people. If there was a technical way to ensure people can get their beta coins converted back into stable coins at the same rate (i.e., pegging), then things could be different. But I don't see how that could be possible.
Thanks
I think the thing to do would be to define an exponentially declining incentive for early adoption into the inflation schedule. For instance, first 100k coins moved each get 1 bonus betacoin. Next 100k get 0.5 bonus, etc. Similar to how bitcoin halving works, except it's coin-based, not time-based. But ideally, you'd do it in a continuous way, rather than have steep halvings. Something like N(c) = 1 + exp(-c * ln(2) / 100000), where N(c) is the number of betacoins that the c'th bitcoin destroyed results in.

XCP did this: during the burn period, the later you burned, the less XCP you received per BTC.
bpd
member
Activity: 114
Merit: 10
The betaCoin model is interesting, but I'd just make one important remark though: in this model, there's no financial incentive for people to migrate from bitcoin stable to bitcoin beta, since stable coins will always be more valuable than beta coins. This means that, from a monetary point of view, this beta risks being just a testnet++. Not many people will transfer their coins into it (it is not a reasonable investment strategy), and without much aggregated value, would it really have enough manpower behind it? If Gavin and Garzik are being fully employed to work on Bitcoin right now, it's precisely because bitcoins are valuable to lots of people. If there was a technical way to ensure people can get their beta coins converted back into stable coins at the same rate (i.e., pegging), then things could be different. But I don't see how that could be possible.

Thanks

I think the thing to do would be to define an exponentially declining incentive for early adoption into the inflation schedule. For instance, first 100k coins moved each get 1 bonus betacoin. Next 100k get 0.5 bonus, etc. Similar to how bitcoin halving works, except it's coin-based, not time-based. But ideally, you'd do it in a continuous way, rather than have steep halvings. Something like N(c) = 1 + exp(-c * ln(2) / 100000), where N(c) is the number of betacoins that the c'th bitcoin destroyed results in.
hero member
Activity: 551
Merit: 500
I would not be surprised if it was released as a testnet.
legendary
Activity: 1022
Merit: 1000
Is there any info out yet regarding the initial distribution of Zerocoins? Will they be mined or created from destroyed Bitcoins or else?

Are there any plans to keep the new chain exclusively experimental, like a Testnet or are they intended to be full on usable from the beginning?

Will the new altchain be as decentralized as Bitcoin or semi- or completely centralized?
legendary
Activity: 1022
Merit: 1000
https://twitter.com/matthew_d_green/status/401798811070107648

Quote
We designed a new version of Zerocoin that reduces proof sizes by 98% and allows for direct anonymous payments that hide payment amount.

Is a 98% reduction in proof size enough to overcome any existing valid reasons to not merge ZeroCoin functionality?

I think so, Matthew Green mentioned that he was planning to implement Zerocoin into its own cryptocurrency. This seems like a reasonable idea to me, it lets us test Zerocoin, and if it works well, we can merge it into Bitcoin (without the risk of damaging Bitcoin if something goes wrong).

btw see also "bitcoin staging" aka betaCoin. 

http://www.mail-archive.com/[email protected]/msg02944.html

It's a way to one-way peg an alt-coin to bitcoin, so there is no native mining; the way you create coins in the alt-coin is by moving bitcoins into it.  And the way to trade them back to bitcoin is to swap them with someone who would otherwise move one.  If a security problem develops in the betaCoin, people stop swapping betaCoin at par for bitcoin, or the market freezes until the issue is fixed.  This is the minimum necessary feature to firewall bitcoin from betaCoin security issues while allowing bitcoins to move between betacoin and bitcoin in the normal case.

This is how I would go about doing an alt (otherwise the usual me-too coin is contingent on the hope of getting in early, or early mining and selling to next stage speculators before the pyramid collapses when it becomes obvious it has no chance of competing with bitcoin for acceptance.  As these coins have no acceptance, they have no transactional value; their own value is speculative, which I think must implode at some point.)  Also even in the hypothetical that a given coin did overtake bitcoin it could be a dangerous outcome as then what happens to the value of bitcoins?  Such an untidy unravelling of bitcoin value would hurt the overall concept of digital scarcity.  Say it was litecoin.  Then if litecoin got to like 90% to bitcoin's 10%, BTC/LTC exchange would fall.  But then people will be looking nervously at the next runner up, and hedging in the main runner ups.  This is a net disservice to digital scarcity.  Digital scarcity is a new virtual asset class, and I think is the future of money and financial networks.  So we don't want to weaken the concept with me-too alts, even relatively well thought out ones, because they define a new digital scarcity race.  I think there should only be one credible digital scarcity race or we may have a problem.  Digital scarcity becomes digital tulip, then who wants to invest in the next one.

betaCoin is also a way to do an alt that preserves the 21 million coin cap.  Fees would be paid in betacoins (or bitcoins).  Miners would mine both networks for profit maximization reasons.

Adam


The answer to what happens if 0-Coin takes off as an independent altchain is quite simple. People will invest their money in it, in order to profit from the appreciation against Bitcoin. Would that lead to a collapse of Bitcoin's value? I don't think it would in the short-medium term as, like you have rightly stated, many risks are associated with a new protocol such as Zerocoin. Some more risk prone investors will put some percentage of their holdings into this new currency, while others will stick with their proven and so far secure Bitcoin investments. As the risks over time fade away and Zerocoin's advantages outweigh its risks over the Bitcoin alternative we could see Zerocoin emerging as the more valuable and/or more used alternative of the two. In any way it will be a gradual process where the market balances the value transfer, processing all available information to agree on a price.

Concerning "digital scarcity": If I understand your concept of digital scarcity in this context correctly, you are afraid that the value of all finite Bitcoins+Namecoins+Litecoins+etc. will be eroded away by every new altcoin that springs up. Well, I can't see how this is not already happening and how an independent Zerocoin altchain would change that development. I think I can console your mind because not every new altchain with its added monetary base has the same effect. When a new run of the mill alt chain comes around people are reluctant to convert their assets into that coin, thus keeping the newest addition to that perceived "digital scarcity" almost meaningless. The best example is Ripple, whose 100 billion premined XRP were added to that pool of digital currency units that make up the total supply of the digital scarcity. Did the advent of Ripple devalue all Bitcoins in existence instantly?

TLDR:

I think one should not worry about a sudden devaluation of Bitcoin because a new competitor comes around the corner. This market mechanic of investing your money into promising projects can be a valuable incentive for development of innovation and improvement of new ideas in the crypto zoo. And like someone else said: If you are afraid of devaluation of your Bitcoin stash, just put some into the new alt and you are good.
legendary
Activity: 2856
Merit: 1520
Bitcoin Legal Tender Countries: 2 of 206
plugged in with listen mode.
sr. member
Activity: 404
Merit: 362
in bitcoin we trust
I would rather see automatic mixing and privacy built into every client.

You know that is a good idea, practical, can be done now, no experimental crypto risk.  Greatly reduces fungibility risks and might buy a few years.  Let's do it!

Zerocoin or equivalent can catch up when it does.

Adam
sr. member
Activity: 404
Merit: 362
in bitcoin we trust
So, let me see if I got the idea: it's possible to accumulate random numbers in such a way that:
  • Prevents observers from knowing which individual numbers were accumulated.
  • Allows the one who knows one particular number to prove he knows it without having to reveal the number itself. Or if you do have to reveal it, it's still impossible to know which particular addition to the accumulator had put that number there, thus creating no link between the addition and the revealing of the number.
Is that a reasonable and sound simplification of the magic behind Zerocoin?

Am I getting closer?

Yes, that's pretty much it.  Technically the coin is c = g^s * h^r and c is seen by everyone when it is added to the accumulator (though s and r are not seen by anyone).  But when it is spent, s (the coin serial number) becomes disclosed and is stored in the double-spend db; c is hidden because of the ZKP and r is still not revealed.

Adam
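Adam's sketch above (coin c = g^s * h^r, coins collected in an accumulator, serial number s stored in a double-spend db at spend time) as an added, runnable example; this is not code from the thread or from the Zerocoin project. Everything numeric is constructed: the commitment group, the RSA modulus (whose factors are visible here, which is exactly the "modulus nobody knows the factorization of" problem raised earlier in the thread) and the coin sizes are far too small to be secure. The spend's zero-knowledge proof is replaced by simply opening the commitment, so the example exercises the verifier's bookkeeping (commitment binds to s, accumulator membership, serial seen once) rather than the anonymity: it reveals c at spend time, which the real protocol hides.

```python
import secrets

# --- Toy parameters (constructed; far too small to be secure) ---
P = 1019                # safe prime, P = 2*Q + 1
Q = 509                 # order of the subgroup the commitment lives in
G = pow(2, 2, P)        # squares mod P generate the order-Q subgroup
H = pow(3, 2, P)
# Toy RSA modulus for the accumulator. In a real deployment nobody may know
# these factors; here they are in plain sight (the trusted-setup problem).
N = 1000003 * 1000033
U = 3                   # accumulator base


def is_prime(n):
    """Trial division; adequate only because coins here are < P."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def mint():
    """Pick a secret serial s and blinding r until c = g^s h^r mod P is prime.
    Zerocoin needs c to be prime so it can be added to the RSA accumulator."""
    while True:
        s = secrets.randbelow(Q - 1) + 1
        r = secrets.randbelow(Q - 1) + 1
        c = (pow(G, s, P) * pow(H, r, P)) % P
        if is_prime(c):
            return {"s": s, "r": r, "c": c}


class Ledger:
    def __init__(self):
        self.coins = []      # public commitments, everyone sees these
        self.spent = set()   # serial numbers revealed by spends (double-spend db)

    def accumulate(self, c):
        self.coins.append(c)

    def accumulator(self):
        """A = u^(c1 * c2 * ... * cn) mod N, built from the public coin list."""
        a = U
        for c in self.coins:
            a = pow(a, c, N)
        return a

    def witness(self, c):
        """w = u^(product of all coins except c) mod N, so that w^c = A.
        Anyone can compute it from public data; the prover keeps it private."""
        w = U
        for other in self.coins:
            if other != c:
                w = pow(w, other, N)
        return w

    def spend(self, s, c, r, w):
        """Verifier-side checks for a spend of serial s.
        Real Zerocoin receives s plus a ZK proof that some accumulated c opens
        to (s, r); this toy receives the opening itself (hypothetical stand-in)."""
        if s in self.spent:
            return False                      # serial already seen: double spend
        if (pow(G, s, P) * pow(H, r, P)) % P != c:
            return False                      # commitment does not open to s
        if pow(w, c, N) != self.accumulator():
            return False                      # c was never accumulated
        self.spent.add(s)
        return True


if __name__ == "__main__":
    ledger = Ledger()
    coin = mint()
    ledger.accumulate(coin["c"])
    w = ledger.witness(coin["c"])
    print("first spend:", ledger.spend(coin["s"], coin["c"], coin["r"], w))
    print("second spend:", ledger.spend(coin["s"], coin["c"], coin["r"], w))
```

Note that `witness` has to be recomputed (or updated by exponentiating with each newly added coin) whenever the accumulator grows, which is the bookkeeping cost of this design; the membership check itself is a single modular exponentiation regardless of how many coins have been accumulated.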
sr. member
Activity: 404
Merit: 362
in bitcoin we trust
It sounds like ZeroCoin v2 eliminates one major criticism, that of bloat.

I guess we have to see it first.  I hope they are going to publish the crypto before the alt, presumably because the zerocoin v1 paper came out long before the library.

Quote
But engineering hurdles remain:
  • 1. Requires a hard fork
  • 2. Any requirement that all transactions participate in mixing is a non-starter.  Some payment schemes bootstrap trust by intentionally being non-private, showing their bitcoin holdings and bitcoin payments with provable digital signatures.

Any forced 100% privacy scheme that prevented opt-in auditing would make life difficult for some existing users, who place value in the transparency of the system.

I think fungibility guarantee via coin anonymity is the right thing to do, as the strongest form of fungibility is cryptographically enforced fungibility.   

But I think user privacy is orthogonal to coin fungibility.  I can prove my identity while sending an anonymous fungible coin or not as I choose; if the coin is cryptographically fungible I have a choice.  As it is with bitcoin I have limited choice because the coin leaks linkages.

Usually if you have anonymity as a building block users can opt to disclose and prove because the anonymity will also have keys and the user can publish their keys.  So I think it likely that opt-in public association of an identity with specific coins, or maybe with unlinkable but validatable amount of coins would be technically available, and I can see it's a useful feature, so should be made an option for users.  (E.g. to prove they have the bitcoins they claim to be holding for users, or disclose the amount of donations received).

About privacy, in my view bitcoin is a bit too open, which I think is not so much by design, but because it's difficult to have privacy and the auditability SPV operation needs, because miners need to validate, and to validate they need to see amounts and transfer histories.   (Hence the interest in zerocoin and zerocoin2.)  Without needing to support SPV clients one could do committed-tx and it would be a step forward.

I think ideally transacting parties should be able to choose the level of privacy from each other and from the public.  E.g. pseudonymous to each other but private to the public.  Or identified seller (because it's a regulated business) and identified business (because the user needs to validate the reputation of the seller), but private from the public.  In event of need to reveal more detail to selected other parties, or to the public to prove good faith, they should also be able to do that, e.g. by publishing some keys.

In this way policing can be done by asking for information from transacting parties.  And demonstrating openness (eg for donations, charities, public companies) can be done by publishing keys.  And financial auditing can be done by a charity or company giving their accountant or auditor keys to view their transactions (but not necessarily the sender identity).

There are also privacy preserving forms of auditing.  E.g. homomorphic values can still allow auditing that values add up by anyone and yet hide amounts and/or payer pseudonym is unknown (close to single use addresses but slightly stronger privacy).

So I think if we can get a cryptographically private, efficient, distributed coin with conservative security for the coin anonymity/fungibility layer then we are golden.  We can engineer/architect the selective disclosure, selective identity and different privacy concepts to dovetail with transacting party wishes.  I would say bitcoin should not make any global rule about maximum allowed privacy, because rules are different in different countries.  Rather payments should be private between the transacting parties, and it is up to the transacting parties to keep records and answer requests for information disclosure, and to provide identity to regulated businesses in their respective jurisdictions.

But it's hard to get the efficient, distributed and private ecash; that's so far proving to be another triangle thing like pick 2: efficient, distributed, private.

So let's have a look at what we have:

- bitcoin (efficient, distributed, but taintable privacy)
- chaum or brands ecash are (efficient, cryptographic privacy, but centralized)
- coinjoin (efficient, distributed, smudged taint privacy)
- opentransactions (efficient, cryptographically private, limited redundancy)
- committed-tx (efficient, private except parties see payment history, decentralized but no SPV)
- zerocoin v1 (private, decentralized, but inefficient)
- holygrail (efficient, distributed, cryptographic privacy)

we have to see how zerocoin v2 stacks up.  Another risk point can be bleeding edge crypto that hasn't seen 10yrs of review.  Things with security proofs have been broken before.  Hardness assumptions for new things sometimes erode or slip.

Adam
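Two points in Adam's post above, opt-in disclosure by handing an auditor keys and homomorphic values that "add up" for anyone without revealing amounts, as one added example; this is not code from the thread or from any of the projects it lists. It uses Pedersen commitments in the same toy group as the coin commitment c = g^s * h^r discussed earlier (constructed parameters, not secure): the public can check that a transaction's inputs and outputs balance by multiplying commitments, while only someone holding the openings (the hypothetical "audit keys") can see the amounts. The last assertion in the usage shows why such a scheme also needs range proofs, which this example deliberately omits.

```python
import secrets

# Toy commitment group (constructed; far too small to be secure).
P = 1019                 # safe prime, P = 2*Q + 1
Q = 509                  # subgroup order; exponents wrap mod Q
G = pow(2, 2, P)         # squares mod P generate the order-Q subgroup
H = pow(3, 2, P)


def commit(value, blind):
    """Pedersen commitment C(v, r) = g^v * h^r mod P: hides v, binds to it."""
    return (pow(G, value, P) * pow(H, blind, P)) % P


def build_tx(in_values, out_values):
    """Commit to every amount. The last output's blinding factor is chosen so
    the blinds balance; that is what lets the public check below pass."""
    in_blinds = [secrets.randbelow(Q) for _ in in_values]
    out_blinds = [secrets.randbelow(Q) for _ in out_values[:-1]]
    out_blinds.append((sum(in_blinds) - sum(out_blinds)) % Q)
    return {
        "inputs": [commit(v, r) for v, r in zip(in_values, in_blinds)],
        "outputs": [commit(v, r) for v, r in zip(out_values, out_blinds)],
        # The openings stay with the transacting parties. Handing them to an
        # accountant is the "give the auditor keys" form of selective disclosure.
        "openings": {"in": list(zip(in_values, in_blinds)),
                     "out": list(zip(out_values, out_blinds))},
    }


def product(commits):
    acc = 1
    for c in commits:
        acc = acc * c % P
    return acc


def publicly_balanced(tx):
    """Anyone can check inputs == outputs without learning a single amount:
    the product of commitments is g^(sum v) * h^(sum r), so with balanced
    blinds the products agree exactly when the value sums agree (mod Q)."""
    return product(tx["inputs"]) == product(tx["outputs"])


def audit(tx):
    """An auditor holding the openings re-derives each commitment, then checks
    the amounts themselves. Anything the auditor was not given stays hidden."""
    commits = tx["inputs"] + tx["outputs"]
    openings = tx["openings"]["in"] + tx["openings"]["out"]
    for c, (v, r) in zip(commits, openings):
        if commit(v, r) != c:
            return False
    return (sum(v for v, _ in tx["openings"]["in"])
            == sum(v for v, _ in tx["openings"]["out"]))


if __name__ == "__main__":
    good = build_tx([30, 12], [25, 17])
    print("public balance check:", publicly_balanced(good), "audit:", audit(good))
    bad = build_tx([30, 12], [25, 18])
    print("tampered balance check:", publicly_balanced(bad))
    # Exponents wrap mod Q, so an output of Q - 10 behaves like -10 and the
    # public check still passes: a real system needs range proofs on outputs.
    print("wrap-around passes without range proofs:",
          publicly_balanced(build_tx([10], [20, Q - 10])))
```

The public check is what a miner or any observer can run; the `audit` function is what a charity's accountant runs after being given the openings, which matches the split Adam describes between public validation and disclosure to a chosen party. The wrap-around case is the reason schemes built on this idea pair every committed output with a proof that its value lies in a small range.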