
Topic: Zerocoin: Anonymous Distributed E-Cash from Bitcoin - page 2. (Read 37796 times)

legendary
Activity: 1120
Merit: 1152
It sounds like ZeroCoin v2 eliminates one major criticism, that of bloat.

But engineering hurdles remain:
  • 1. Requires a hard fork
  • 2. Any requirement that all transactions participate in mixing is a non-starter.  Some payment schemes bootstrap trust by intentionally being non-private, showing their bitcoin holdings and bitcoin payments with provable digital signatures.

Any forced 100% privacy scheme that prevented opt-in auditing would make life difficult for some existing users, who place value in the transparency of the system.

I've probably thought about this issue more than almost anyone with my work on fidelity bonded banking, and even ZeroCoin can be made fully transparent if you choose to. The key thing is that a: zerocoin has a public list of all spent coins, which lets you know when a coin was spent, and b: it's still possible to prove you were the one that spent a coin. Auditing in that scenario comes down to you publishing proofs of what coins you have spent in a provable public manner, and transparency is achieved by the fact that in a well-designed system you can't get away with lying about your transactions. You can fail to publish your accounting logs, an act that is of course very suspicious, but that's actually no different from the scenario with pervasive coin mixing: either way where the money went is unknown.

When it comes to receiving money, no amount of auditing can prevent you from taking money in behind the scenes, but there is no way to do that and also hide the fact that you are doing that from your sender. In this case the solution is actually identical to the non-zerocoin solution: publish in advance what addresses you accept payment on, and anyone can scan the blockchain for payments to those addresses.

I would rather see automatic mixing and privacy built into every client.

Agree from an engineering point of view; ZeroCoin's requirement for a hard-fork and many lines of new code using complex crypto is a risk Bitcoin shouldn't take. Coin mixing done well has very close to as good privacy, and can be easily fixed if it doesn't work.
legendary
Activity: 1596
Merit: 1100
It sounds like ZeroCoin v2 eliminates one major criticism, that of bloat.

But engineering hurdles remain:
  • 1. Requires a hard fork
  • 2. Any requirement that all transactions participate in mixing is a non-starter.  Some payment schemes bootstrap trust by intentionally being non-private, showing their bitcoin holdings and bitcoin payments with provable digital signatures.

Any forced 100% privacy scheme that prevented opt-in auditing would make life difficult for some existing users, who place value in the transparency of the system.

I would rather see automatic mixing and privacy built into every client.


legendary
Activity: 1400
Merit: 1013
I think so, Matthew Green mentioned that he was planning to implement Zerocoin into its own cryptocurrency. This seems like a reasonable idea to me, it lets us test Zerocoin, and if it works well, we can merge it into Bitcoin (without the risk of damaging Bitcoin if something goes wrong).
That's a great idea from a purely technical perspective.

Realize that when money is at stake other factors will come into play.

Zerocoin is a highly desired feature. As soon as they release this coin, it's going to attract investment and its exchange rate will rise quickly. People are going to put a considerable amount of money into Zerocoin.

When Bitcoin implements these features, it will threaten the value of their investment. Do you think they are going to let that happen calmly? They will do everything they can to obstruct the change. They'll come over here and spread FUD, start arguments, and in general make life difficult for any developer seeking to push the change.

This happens already - If you go back to the beginning of this year and read through flamewars regarding scalability and the blocksize and pay attention to the people most fervently opposed to large transaction rates, with the most ridiculous and economically absurd arguments, and then check their posting history you'll find that in almost all cases they were heavily involved with altcoins.
legendary
Activity: 1106
Merit: 1004
well rather than the get rich quick (...) Now that's not as strong an incentive as make-money-fast pyramid speculation on frankly long-term hopeless me-too alts

Please don't replicate the same silly attacks people tend to use to discredit Bitcoin. The financial incentive behind the technology is what brings lots of the manpower, business and infrastructure it has today. Not to acknowledge that is to be willingly blind.

Quote
If there was a technical way to ensure people can get their beta coins converted back into stable coins at the same rate (i.e., pegging), then things could be different. But I don't see how could that be possible.

technically it could be done, (bitcoin could accept coin moving in the other direction) however it imports risk into bitcoin main as a security defect in betacoin that allowed theft or forgery of coins, could then be transferred into bitcoin.

If the defect was only on the betacoin, then the damages would be restrained to those who willingly converted stable coins into beta coins. That's not an issue to me. When you do so, you accept the risks.

Hey, this very feature (allowing the redemption of arbitrary betaCoins built on top of it) could actually be among the first betaCoins. If it works well, it will set up a great platform for experimentation!

Quote
Is there an easier explanation somewhere, that could help technical people without a background in cryptography research to grasp the concept?

see earlier in this thread:

https://bitcointalksearch.org/topic/m.2378622

and another few posts after it where I tried to explain it a bit.

Thank you. I've just watched this video following a recommendation of jron, and what I could get from it was the following:

Quote
So, let me see if I got the idea: it's possible to accumulate random numbers in such a way that:
  • Prevents observers from knowing which individual numbers were accumulated.
  • Allows the one who knows one particular number to prove he knows it without having to reveal the number itself. Or if you do have to reveal it, it's still impossible to know which particular addition to the accumulator had put that number there, thus creating no link between the addition and the revealing of the number.
Is that a reasonable and sound simplification of the magic behind Zerocoin?

Am I getting closer?
Your explanations kind of hinted me in that direction too.

Thank you!
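
The accumulator idea summarized in the post above, as an added example that is not part of the original thread or the Zerocoin code: a toy RSA accumulator showing how primes are folded into one value, how a witness proves membership, and how an old witness is updated when a new element arrives. The modulus, base `G`, sample `COINS` and all function names are assumptions for the demo; here the verifier sees the element, whereas Zerocoin wraps this check in a zero-knowledge proof, which is not implemented.

```python
# Toy RSA accumulator. Added illustration only: parameters are tiny and
# constructed for the demo, so this is NOT secure.
from math import prod

# Constructed modulus: product of two Mersenne primes. A real accumulator
# uses a much larger modulus whose factors nobody knows.
N = (2**31 - 1) * (2**61 - 1)
G = 3  # public base (assumed for the demo)

def is_prime(n):
    """Trial division; adequate for the small demo values."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True

def accumulate(elements, base=G):
    """Fold prime elements into one value: base^(product of elements) mod N."""
    for e in elements:
        if not is_prime(e):
            raise ValueError(f"{e} is not prime; only primes may be accumulated")
    return pow(base, prod(elements), N)

def witness(elements, x):
    """Witness for x: the accumulator of every element except x."""
    if x not in elements:
        raise ValueError("x was never accumulated")
    return accumulate([e for e in elements if e != x])

def update_witness(w, new_element):
    """Keep an old witness valid after new_element joins the accumulator."""
    return pow(w, new_element, N)

def verify(acc, x, w):
    """x is a member iff raising its witness to x reproduces the accumulator."""
    return is_prime(x) and pow(w, x, N) == acc

# Constructed sample "coins" (small primes standing in for coin commitments).
COINS = [10007, 10009, 10037, 10039]

if __name__ == "__main__":
    acc = accumulate(COINS)
    w = witness(COINS, 10009)
    print("member verifies:", verify(acc, 10009, w))
    print("non-member verifies:", verify(acc, 10061, w))
```

The accumulator value is the same whatever order the elements were added in, so the value alone does not record which addition contributed which element.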
hero member
Activity: 772
Merit: 501
I agree with adam3us, a betaCoin implementation of Zerocoin would be excellent. It would help Bitcoin, the preservation of the credibility of digital scarcity - particularly of Bitcoin-based cryptocurrency - and the adoption rate of Zerocoin by making its acquisition as easy as that of bitcoin (which can be purchased at a far greater number of places than an altcoin can ever hope to be in its first couple of years).

A person who wants to try Zerocoin would simply download the client, which stores both bitcoin and zerocoin, send some bitcoin to a bitcoin address linked to that client, enter how many bitcoins they want to convert to zerocoins, and then click a button that says 'convert bitcoin to X zerocoins', with X being a multiple of whatever conversion rate is decided between the two.

See for further discussion on the betaCoin concept:

https://bitcointalksearch.org/topic/adapting-to-the-release-of-zerocoin-248865

Quote from: caveden
The betaCoin model is interesting, but I'd just make one important remark though: in this model, there's no financial incentive for people to migrate from bitcoin stable to bitcoin beta, since stable coins will always be more valuable than beta coins.

The pricing of betaCoins would behave similarly to that of bonds, which are capped to the sum of the principal at maturation date and all future interest payments. There is still a market for bonds, and opportunity for their appreciation, despite their value being capped relative to the currency of payment, because the present value of their future payments fluctuates according to the perceived risk of the bond defaulting on its future payments, and the borrowing cost of money.
sr. member
Activity: 404
Merit: 362
in bitcoin we trust
[...] this beta risks being just a testnet++. Not many people will transfer their coins into it (it is not a reasonable investment strategy), and without much aggregated value, would it really have enough manpower behind it?

well rather than the get rich quick, get in early motivation for the me-too alts, the idea is that you get into it because you want the features it provides.  eg if zerocoin used the model.

Now that's not as strong an incentive as make-money-fast pyramid speculation on frankly long-term hopeless me-too alts.  But if the idea is that it is going to become the new bitcoin in say 1 year, once the features are well validated.  Then it would help reduce concern of being stuck.

The reverse swap depends on demand.  If people don't care about the new features they won't use it.

I would think something like maaku & jtimon's freimarkets would be a good candidate for doing this way.  Freimarket is not related to Freicoin - it's a native coloring and smart contract proposal.

Quote
If there was a technical way to ensure people can get their beta coins converted back into stable coins at the same rate (i.e., pegging), then things could be different. But I don't see how could that be possible.

technically it could be done, (bitcoin could accept coin moving in the other direction) however it imports risk into bitcoin main as a security defect in betacoin that allowed theft or forgery of coins, could then be transferred into bitcoin.

Once the beta is over, the remaining coins would be bulk moved in a hard fork and beta would become main, and a new beta started.  eg on a yearly cycle.  like fedora and redhat enterprise linux or linux kernel stable and latest etc.

Quote
Is there an easier explanation somewhere, that could help technical people without a background in cryptography research to grasp the concept?

see earlier in this thread:

https://bitcointalksearch.org/topic/m.2378622

and another few posts after it where I tried to explain it a bit.

Adam
legendary
Activity: 1106
Merit: 1004
The betaCoin model is interesting, but I'd just make one important remark though: in this model, there's no financial incentive for people to migrate from bitcoin stable to bitcoin beta, since stable coins will always be more valuable than beta coins. This means that, from a monetary point of view, this beta risks being just a testnet++. Not many people will transfer their coins into it (it is not a reasonable investment strategy), and without much aggregated value, would it really have enough manpower behind it? If Gavin and Garzik are being fully employed to work on Bitcoin right now, it's precisely because bitcoins are valuable to lots of people. If there was a technical way to ensure people can get their beta coins converted back into stable coins at the same rate (i.e., pegging), then things could be different. But I don't see how could that be possible.

Anyways, I came here for another reason. I'm really interested in Zerocoin and I'd like to understand how it works. I can understand the basics of public key cryptography, and blind signature - although the math behind these algorithms are things I simply "trust to be true". But Zerocoin... damn, is that complicated! I tried reading the paper once it got out, and I couldn't understand a thing.

Is there an easier explanation somewhere, that could help technical people without a background in cryptography research to grasp the concept?

Thanks
sr. member
Activity: 404
Merit: 362
in bitcoin we trust
https://twitter.com/matthew_d_green/status/401798811070107648

Quote
We designed a new version of Zerocoin that reduces proof sizes by 98% and allows for direct anonymous payments that hide payment amount.

Is a 98% reduction in proof size enough to overcome any existing valid reasons to not merge ZeroCoin functionality?

I think so, Matthew Green mentioned that he was planning to implement Zerocoin into its own cryptocurrency. This seems like a reasonable idea to me, it lets us test Zerocoin, and if it works well, we can merge it into Bitcoin (without the risk of damaging Bitcoin if something goes wrong).

btw see also "bitcoin staging" aka betaCoin. 

http://www.mail-archive.com/[email protected]/msg02944.html

It's a way to one-way peg an alt-coin to bitcoin, so there is no native mining, the way you create coins in the alt-coin is by moving bitcoins into it.  And the way to trade them back to bitcoin is to swap them with someone who would otherwise move one.  If a security problem develops in the betaCoin, people stop swapping betaCoin at par for bitcoin, or market freezes until the issue is fixed.  This is the minimum necessary feature to firewall bitcoin from betaCoin security issues while allowing bitcoins to move between betacoin and bitcoin in the normal case.

This is how I would go about doing an alt (otherwise the usual me-too coin is contingent on the hope of getting in early, or early mining and selling to next stage speculators before the pyramid collapses when it becomes obvious it has no chance of competing with bitcoin for acceptance.  As these coins have no acceptance, they have no transactional value, their own value is speculative, which I think must implode at some point.)  Also even in the hypothetical that a given coin did overtake bitcoin it could be a dangerous outcome as then what happens to the value of bitcoins?  Such an untidy unravelling of bitcoin value would hurt the overall concept of digital scarcity.  Say it was litecoin.  Then if litecoin got to like 90% to bitcoin's 10% BTC/LTC exchange would fall.  But then people will be looking nervously at the next runner up, and hedging in the main runner ups.  This is a net disservice to digital scarcity.  Digital scarcity is a new virtual asset class, and I think is the future of money and financial networks.  So we don't want to weaken the concept with me-too alts, even relatively well thought out ones because they define a new digital scarcity race.  I think there should only be one credible digital scarcity race or we may have a problem.  Digital scarcity becomes digital tulip, then who wants to invest in the next one.

betaCoin is also a way to do an alt that preserves the 21 million coin cap.  Fees would be paid in betacoins (or bitcoins).  Miners would mine both networks for profit maximization reasons.

Adam
newbie
Activity: 49
Merit: 0
https://twitter.com/matthew_d_green/status/401798811070107648

Quote
We designed a new version of Zerocoin that reduces proof sizes by 98% and allows for direct anonymous payments that hide payment amount.

Is a 98% reduction in proof size enough to overcome any existing valid reasons to not merge ZeroCoin functionality?

I think so, Matthew Green mentioned that he was planning to implement Zerocoin into its own cryptocurrency. This seems like a reasonable idea to me, it lets us test Zerocoin, and if it works well, we can merge it into Bitcoin (without the risk of damaging Bitcoin if something goes wrong).
legendary
Activity: 1400
Merit: 1013
https://twitter.com/matthew_d_green/status/401798811070107648

Quote
We designed a new version of Zerocoin that reduces proof sizes by 98% and allows for direct anonymous payments that hide payment amount.

Is a 98% reduction in proof size enough to overcome any existing valid reasons to not merge ZeroCoin functionality?
staff
Activity: 4256
Merit: 1208
I support freedom of choice
https://twitter.com/matthew_d_green/status/401797786347114496
Quote
We designed a new version of Zerocoin that reduces proof sizes by 98% and allows for direct anonymous payments that hide payment amount.
legendary
Activity: 3108
Merit: 1359
Did the author of that look at how script works at all?
Yep.

There shouldn't be additional script pushes for this. This should use the existing push opcodes and add new CHECKSIG operators. :-/
There is no plan to start anything like this in the main net, of course. That's an ugly hack for the testnet, and it will be replaced with an appropriate implementation later.
staff
Activity: 4242
Merit: 8672
uh wtf is with that novacoin page?  Did the author of that look at how script works at all?

There shouldn't be additional script pushes for this. This should use the existing push opcodes and add new CHECKSIG operators. :-/
legendary
Activity: 1176
Merit: 1015
I thought coinjoin was a better way to do this? As a natural mixer I really like the idea of coinjoin.
sr. member
Activity: 378
Merit: 250
Magic Staff
https://anoncoin.net/ mentions as of August 30, 2013 that they will begin implementing Zerocoin.
...if it works.

I guess it will make it first into some Anoncoin testnet, maybe a testnet specifically for zero-knowledge proofs. (learnt about this from the Zerocoin subreddit)
staff
Activity: 4242
Merit: 8672
or do you maybe trade Bitcoin testnet coins already?
People have, and we've had to reset the testnet multiple times and make some minor changes to undermine the security of it.

But even if you do this, someone will just copy the code into FooNinjaRealUltimateCoin... so you can't get what you want there.

This has resulted in several occasions of altcoins cropping up 'competing' with Bitcoin by copying code from the Bitcoin core team which was just not mature enough yet to deploy in Bitcoin... greenfields are much easier and faster to deploy into. It's like the Microsoft "Embrace, Extend, Extinguish" business model but supercharged since you can just extend by copying code written by your competition!

But hey, if something based on Bitcoin that has ZC is preferred over Bitcoin by the public— then perhaps that's what should happen.  The costs of ZC, especially without network-pseudo-interactive cut-and-choose to make the proofs smaller, make this seem unlikely to me.  Certainly introducing non-consensus features via an alternative coin is improved in terms of obtaining consent than just merging it in an existing coin.
sr. member
Activity: 378
Merit: 250
Magic Staff
Launch a Zerocoin testnet. A Zerocoin testnet would say "Here's how it works in practice" with 0 price.

...
or do you maybe trade Bitcoin testnet coins already?

...that's why I assume that Zerocoin testnet coins would never be traded but just show if it is stable or how much processing power it requires. (is it hackable? Maybe it is hackable? Great introducing new security to Bitcoin, NO THANK YOU! ...and then making us a point of ridicule among the worldwide community)

If we assume that enabling Zerocoin as an extension to Bitcoin causes a 200% slowdown. So that instead of taking 300 seconds to validate 80000 blocks, it now takes 900 seconds to validate them, on some specific hardware setup, then it would again be a "no, thanks".

The reason there is not even a testnet of Zerocoin as something to compare to I would say that Zerocoin is today 2013 in September 0% likely to get implemented in Bitcoin (not even close to the Bitcoin testnet), even my speculation says it is 0% likely.