Pages:
Author

Topic: Zerocoin: Anonymous Distributed E-Cash from Bitcoin - page 3. (Read 37806 times)

legendary
Activity: 1176
Merit: 1015
legendary
Activity: 980
Merit: 1008
I think a totally new alt coin should be created for zerocoin because that is lowest risk and barrier is lowest.
Many of you will laugh me off as paranoid, I approach these issues as a "think of the worst case" situation and prepare for it.
I think we will waste a lot of time and resources by assuming the worst case and preparing for that. It does not seem like a rational strategy to me.

The rational strategy would be to weigh risks and benefits, and adopt the solution that best balances these two aspects.

In the case of Zerocoin we have both a lot of added risk (the protocol hasn't actually been deployed yet), and it increases the hardware requirements (CPU power, storage space, bandwidth) of running a full node.

Given that the benefit is, at best (ie. in case there are no vulnerabilities), full anonymization of all transactions, and given that this can already be achieved selectively by individuals who require this feature, I think Zerocoin should be implemented as a separate cryptocurrency, and tested out completely separate from the Bitcoin protocol.

I think a lot of people quickly forget just how unsafe Bitcoin was regarded as just two or three years ago. This would start all over again with a modification of the core protocol, and if you worry about a declining price of bitcoins, I believe modifying the existing core Bitcoin protocol would do much more harm than a separate Zerocoin taking off. At the bare minimum it will take as long as Bitcoin has existed for people to trust that protocol, and probably longer because introduces more complexity into the core protocol.

In other words, I don't think we are in a hurry. Zerocoin, as a separate cryptocurrency, will take a long time to gain confidence from users.

If you are afraid it will supercede Bitcoin then buy some "Zerocoins" for your bitcoins. It's as simple as that. Cryptocurrency-to-cryptocurrency exchanges are extremely efficient, and you could hedge your position as you see fit, instead of forcing every Bitcoin user to adapt to your worst case scenario.

If this separate Zerocoin becomes more popular than Bitcoin, I'd be very happy! It would mean that it has greater value than Bitcoin to the people using it. Bitcoin is already amazing, improving it can only be positive. If you worry you will lose out financially on this, then, again, buy some "Zerocoins" for your Bitcoins.
legendary
Activity: 1176
Merit: 1015
I think a totally new alt coin should be created for zerocoin because that is lowest risk and barrier is lowest.

Except there is risk, if this alt coin takes off and zerocoin is seen as an attractive alternative it could supersede Bitcoin.

I understand that the Bitcoin developers could add zerocoin, but it would need to be tested and all the miners and nodes would have to agree, all this whilst the new alt starts to erode Bitcoin market share[1]. The worst case scenario is many Bitcoin whales see the writing on the wall (Bitcoins developers arguing, not reacting fast enough) and exchange significant parts of their holdings over to the new coin. If this happens we might witness a runaway effect that moves most commerce over to the new coin and anyone left with Bitcoin being a loud whining bagholder.

I think testnet Bitcoins should be used as a testbed, to limit the possibility of a competitor quickly rising.

Many of you will laugh me off as paranoid, I approach these issues as a "think of the worst case" situation and prepare for it.

[1] If you think this is stupid please consider how Litecoin has an estimated 5-10% of Bitcoin hashpower whilst offering nothing in terms of real advantages, A real competitor will also attract vast amounts of people who were not original early adopters and they will fight forever tooth and nail to make their investment worth more. This is going to be a can of worms. I can see a monster being born to destroy the creator.
full member
Activity: 186
Merit: 100
I think a totally new alt coin should be created for zerocoin because that is lowest risk and barrier is lowest.
sr. member
Activity: 378
Merit: 250
Magic Staff
But it feels to me like finding an essentially zero-cost way to increase transaction privacy that everybody uses by default is the best answer.
Maybe it could be implemented on the Bitcoin testnet at some point? (with the risk of breaking it as well)

Though as you said, finding a zero-cost solution will not be Zerocoin and Zerocoin as I see it may demand 10 times the resources of the current running implementation of Bitcoin.

What do you others think? Should Zerocoin be implemented in Bitcoin or should it be tried first on a new or existing cryptocurrency? There's a libzerocoin at github. The most recent commit was at 2013-07-12 02:04 titled
Quote
Merge pull request #4 from jhasse/mingw

Rename uint to uint32_t
legendary
Activity: 1120
Merit: 1152
The last problem for a zerocoin implementation is the generation of an RSA modulus for which no one knows the factorization. This is hard, and deserves more analysis.

If someone finds out the factorization, what are the implications? All the anonymous transactions become public?

No, but they can use the key to create fake zerocoins. (basically they can fake the proof that they added a zerocoin to the accumulator)
legendary
Activity: 1176
Merit: 1015
The last problem for a zerocoin implementation is the generation of an RSA modulus for which no one knows the factorization. This is hard, and deserves more analysis.

If someone finds out the factorization, what are the implications? All the anonymous transactions become public?
legendary
Activity: 1708
Merit: 1020
Hal
vip
Activity: 314
Merit: 4276
I really like Adam's very creative idea earlier in this thread to have a pure-zerocoin system:

https://bitcointalksearch.org/topic/m.2420768

The zerocoin paper proposed a hybrid bitcoin-zerocoin system. Bitcoins would be temporarily exchanged for zerocoins, and then exchanged back. Adam's idea was that zerocoins would be exchanged directly for zerocoins. Zerocoins could be mined directly, too. All this is a simple modification of the zerocoin protocol. In fact, it would be simpler in terms of code size, because you wouldn't have to support bitcoin transactions. No scripting language, no bitcoin validation rules. Just pure zerocoin spend transactions.

This would also free us from the forced assumption of bitcoin-zerocoin parity. The heavy resource requirements of zerocoin might naturally break that parity. (Admittedly, zerocoin would first be implemented as an extension to an alt, so the value in terms of bitcoins would float. But the simplification is still a win.)

There are various proposals to do P2P exchanges between altcoin chains. I don't know what the status is as far as Bitcoin support in the bitcoin-qt client. You'd have to have a new client to do the P2P protocol. But even if we had to rely on an exchange, it would be an interesting experiment.

The last problem for a zerocoin implementation is the generation of an RSA modulus for which no one knows the factorization. This is hard, and deserves more analysis.
legendary
Activity: 3920
Merit: 2349
Eadem mutata resurgo
Anyway other than the question of whether soft forks make sense or not: what about making an all zerocoin based alt-coin (no bitcoins, nothing but zerocoins), that is either-or mined with bitcoin.  Then people can trade in and out of zerocoins by buying or selling them for bitcoin with an atomic transaction, probably p2p without some trusted exchange like mtgox.

Either-or mined (as distinct from merge-mined) I mean that each mined coin set is either a set of 25 bitcoins or a set of 25 zerocoins.  If its a zerocoin set its not a valid bitcoin set, and if its a bitcoin its not a valid zerocoin.  I'm not sure the zerocoins or bitcoins have to do much with mining events for the other network other than check they have the expected number of bits as they wont automatically know how to validate the other network.  Some miners may choose to validate both networks, but thats a choice for them.

In that way people can experiment with zerocoin, without bloating the block chain, complicating bitcoin, and without slowing validation on the bitcoin network.  And the two coins should have approximately the same cost (and maybe therefore value, though the price would be subject to demand/supply and any taint discount for bitcoins; zerocoins are taint free, or perfectly blended taint at least).

Adam


+1
sr. member
Activity: 461
Merit: 251
legendary
Activity: 1792
Merit: 1111
No, that's not true at all. The whole point of running a Bitcoin full node is that you do NOT blindly follow any rule changes miners agree on. That's fundamental. If you do blindly follow them then you're using simplified payment verification.

If the majority of miners decide to restrict block size to 100kbytes, what non-mining full node could do? They could either follow, or join a shorter fork with bigger block size (i.e. hardfork ). Non-mining nodes don't really have much choice

While true, because miners control transaction selection, there are a great many rule changes that miners cannot make, no matter how much hash power they have.


Sure, I am talking rules tightening only. Something like increasing block size must be a hardfork
legendary
Activity: 1596
Merit: 1100
No, that's not true at all. The whole point of running a Bitcoin full node is that you do NOT blindly follow any rule changes miners agree on. That's fundamental. If you do blindly follow them then you're using simplified payment verification.

If the majority of miners decide to restrict block size to 100kbytes, what non-mining full node could do? They could either follow, or join a shorter fork with bigger block size (i.e. hardfork ). Non-mining nodes don't really have much choice

While true, because miners control transaction selection, there are a great many rule changes that miners cannot make, no matter how much hash power they have.



legendary
Activity: 1526
Merit: 1134
Yeah, I agree with Adam, an alt coin with an integrated ZeroCoin would be a very interesting thing to play with. The chain-trade algorithm can be integrated to make trading bitcoins for altcoins easy and decentralised.
sr. member
Activity: 404
Merit: 362
in bitcoin we trust
Anyway other than the question of whether soft forks make sense or not: what about making an all zerocoin based alt-coin (no bitcoins, nothing but zerocoins), that is either-or mined with bitcoin.  Then people can trade in and out of zerocoins by buying or selling them for bitcoin with an atomic transaction, probably p2p without some trusted exchange like mtgox.

Either-or mined (as distinct from merge-mined) I mean that each mined coin set is either a set of 25 bitcoins or a set of 25 zerocoins.  If its a zerocoin set its not a valid bitcoin set, and if its a bitcoin its not a valid zerocoin.  I'm not sure the zerocoins or bitcoins have to do much with mining events for the other network other than check they have the expected number of bits as they wont automatically know how to validate the other network.  Some miners may choose to validate both networks, but thats a choice for them.

In that way people can experiment with zerocoin, without bloating the block chain, complicating bitcoin, and without slowing validation on the bitcoin network.  And the two coins should have approximately the same cost (and maybe therefore value, though the price would be subject to demand/supply and any taint discount for bitcoins; zerocoins are taint free, or perfectly blended taint at least).

Adam
legendary
Activity: 1792
Merit: 1111
No, that's not true at all. The whole point of running a Bitcoin full node is that you do NOT blindly follow any rule changes miners agree on. That's fundamental. If you do blindly follow them then you're using simplified payment verification.

If the majority of miners decide to restrict block size to 100kbytes, what non-mining full node could do? They could either follow, or join a shorter fork with bigger block size (i.e. hardfork ). Non-mining nodes don't really have much choice
legendary
Activity: 1526
Merit: 1134
No, that's not true at all. The whole point of running a Bitcoin full node is that you do NOT blindly follow any rule changes miners agree on. That's fundamental. If you do blindly follow them then you're using simplified payment verification.
legendary
Activity: 1792
Merit: 1111
Rule changes could be backwards compatible, e.g. allowing homosexual marriage would not make any existing or future heterosexual marriage illegal. The opposite is true for bitcoin: tightening rules would not make existing clients obsolete

The point of a soft fork is that the rules don't tighten - from the perspective of old clients, anyone can spend any zerocoin and you will happily accept blocks that contain bogus spends written by unauthorized users. This reduces your node to SPV level security (you blindly trust whichever chain the majority of mining is done on). Silently downgrading peoples security level is not only a nasty hack, it's untrustworthy behaviour which is why I objected to it for P2SH.

Bitcoin has never been designed to "soft fork". That's something other people came up with later. Everything in Bitcoins design is intended to trigger hard forks when the protocol changes.

Hard forks are not impossible or the end of the world, they just require co-ordination and communication. It is the right way to do things and I will continue to strongly object to "upgrades" that convert full nodes into SPV nodes.

No soft-fork is possible without majority of miners agree. If they decide to tighten the rules, all users have no choice but to follow. This is a known feature (or vulnerability) of bitcoin from day one. Sometimes it is called a "soft-fork", while sometimes it is called a "51% attack". Anyway, it's the users' responsibility to keep their client up-to-date to adopt the tightened rules.

If Satoshi had never thought of possibility of soft-fork, I couldn't see why he included so many useless OP_NOP codes in the script.
legendary
Activity: 1526
Merit: 1134
Rule changes could be backwards compatible, e.g. allowing homosexual marriage would not make any existing or future heterosexual marriage illegal. The opposite is true for bitcoin: tightening rules would not make existing clients obsolete

The point of a soft fork is that the rules don't tighten - from the perspective of old clients, anyone can spend any zerocoin and you will happily accept blocks that contain bogus spends written by unauthorized users. This reduces your node to SPV level security (you blindly trust whichever chain the majority of mining is done on). Silently downgrading peoples security level is not only a nasty hack, it's untrustworthy behaviour which is why I objected to it for P2SH.

Bitcoin has never been designed to "soft fork". That's something other people came up with later. Everything in Bitcoins design is intended to trigger hard forks when the protocol changes.

Hard forks are not impossible or the end of the world, they just require co-ordination and communication. It is the right way to do things and I will continue to strongly object to "upgrades" that convert full nodes into SPV nodes.
donator
Activity: 674
Merit: 523
Wow! Looks like the Bitcoin community never stops!

This is so cool!

BTW: Where can i donate to support the project?
Pages:
Jump to: