Topic: Zerocoin: Anonymous Distributed E-Cash from Bitcoin - page 3. (Read 37806 times)

I think we will waste a lot of time and resources by assuming the worst case and preparing for that. It does not seem like a rational strategy to me.

The rational strategy would be to weigh risks and benefits, and adopt the solution that best balances these two aspects.

In the case of Zerocoin we have both a lot of added risk (the protocol hasn't actually been deployed yet), and it increases the hardware requirements (CPU power, storage space, bandwidth) of running a full node.

Given that the benefit is, at best (ie. in case there are no vulnerabilities), full anonymization of all transactions, and given that this can already be achieved selectively by individuals who require this feature, I think Zerocoin should be implemented as a separate cryptocurrency, and tested out completely separate from the Bitcoin protocol.

I think a lot of people quickly forget just how unsafe Bitcoin was regarded as just two or three years ago. This would start all over again with a modification of the core protocol, and if you worry about a declining price of bitcoins, I believe modifying the existing core Bitcoin protocol would do much more harm than a separate Zerocoin taking off. At the bare minimum it will take as long as Bitcoin has existed for people to trust that protocol, and probably longer because introduces more complexity into the core protocol.

In other words, I don't think we are in a hurry. Zerocoin, as a separate cryptocurrency, will take a long time to gain confidence from users.

If you are afraid it will supercede Bitcoin then buy some "Zerocoins" for your bitcoins. It's as simple as that. Cryptocurrency-to-cryptocurrency exchanges are extremely efficient, and you could hedge your position as you see fit, instead of forcing every Bitcoin user to adapt to your worst case scenario.

If this separate Zerocoin becomes more popular than Bitcoin, I'd be very happy! It would mean that it has greater value than Bitcoin to the people using it. Bitcoin is already amazing, improving it can only be positive. If you worry you will lose out financially on this, then, again, buy some "Zerocoins" for your Bitcoins.

Except there is risk, if this alt coin takes off and zerocoin is seen as an attractive alternative it could supersede Bitcoin.

I understand that the Bitcoin developers could add zerocoin, but it would need to be tested and all the miners and nodes would have to agree, all this whilst the new alt starts to erode Bitcoin market share[1]. The worst case scenario is many Bitcoin whales see the writing on the wall (Bitcoins developers arguing, not reacting fast enough) and exchange significant parts of their holdings over to the new coin. If this happens we might witness a runaway effect that moves most commerce over to the new coin and anyone left with Bitcoin being a loud whining bagholder.

I think testnet Bitcoins should be used as a testbed, to limit the possibility of a competitor quickly rising.

Many of you will laugh me off as paranoid, I approach these issues as a "think of the worst case" situation and prepare for it.

[1] If you think this is stupid please consider how Litecoin has an estimated 5-10% of Bitcoin hashpower whilst offering nothing in terms of real advantages, A real competitor will also attract vast amounts of people who were not original early adopters and they will fight forever tooth and nail to make their investment worth more. This is going to be a can of worms. I can see a monster being born to destroy the creator.

I think a totally new alt coin should be created for zerocoin because that is lowest risk and barrier is lowest.

Maybe it could be implemented on the Bitcoin testnet at some point? (with the risk of breaking it as well)

Though as you said, finding a zero-cost solution will not be Zerocoin and Zerocoin as I see it may demand 10 times the resources of the current running implementation of Bitcoin.

What do you others think? Should Zerocoin be implemented in Bitcoin or should it be tried first on a new or existing cryptocurrency? There's a libzerocoin at github. The most recent commit was at 2013-07-12 02:04 titled

No, but they can use the key to create fake zerocoins. (basically they can fake the proof that they added a zerocoin to the accumulator)

If someone finds out the factorization, what are the implications? All the anonymous transactions become public?

You are welcome to vote for Zerocoin as Bitcoin Project of the Quarter:
https://bitcointalksearch.org/topic/bps-bitcoin-project-of-the-season-winter-2014-winner-bitwasp-251087

I really like Adam's very creative idea earlier in this thread to have a pure-zerocoin system:

https://bitcointalksearch.org/topic/m.2420768

The zerocoin paper proposed a hybrid bitcoin-zerocoin system. Bitcoins would be temporarily exchanged for zerocoins, and then exchanged back. Adam's idea was that zerocoins would be exchanged directly for zerocoins. Zerocoins could be mined directly, too. All this is a simple modification of the zerocoin protocol. In fact, it would be simpler in terms of code size, because you wouldn't have to support bitcoin transactions. No scripting language, no bitcoin validation rules. Just pure zerocoin spend transactions.

This would also free us from the forced assumption of bitcoin-zerocoin parity. The heavy resource requirements of zerocoin might naturally break that parity. (Admittedly, zerocoin would first be implemented as an extension to an alt, so the value in terms of bitcoins would float. But the simplification is still a win.)

There are various proposals to do P2P exchanges between altcoin chains. I don't know what the status is as far as Bitcoin support in the bitcoin-qt client. You'd have to have a new client to do the P2P protocol. But even if we had to rely on an exchange, it would be an interesting experiment.

The last problem for a zerocoin implementation is the generation of an RSA modulus for which no one knows the factorization. This is hard, and deserves more analysis.

+1

Sure, I am talking rules tightening only. Something like increasing block size must be a hardfork

While true, because miners control transaction selection, there are a great many rule changes that miners cannot make, no matter how much hash power they have.

Yeah, I agree with Adam, an alt coin with an integrated ZeroCoin would be a very interesting thing to play with. The chain-trade algorithm can be integrated to make trading bitcoins for altcoins easy and decentralised.

Anyway other than the question of whether soft forks make sense or not: what about making an all zerocoin based alt-coin (no bitcoins, nothing but zerocoins), that is either-or mined with bitcoin.  Then people can trade in and out of zerocoins by buying or selling them for bitcoin with an atomic transaction, probably p2p without some trusted exchange like mtgox.

Either-or mined (as distinct from merge-mined) I mean that each mined coin set is either a set of 25 bitcoins or a set of 25 zerocoins.  If its a zerocoin set its not a valid bitcoin set, and if its a bitcoin its not a valid zerocoin.  I'm not sure the zerocoins or bitcoins have to do much with mining events for the other network other than check they have the expected number of bits as they wont automatically know how to validate the other network.  Some miners may choose to validate both networks, but thats a choice for them.

In that way people can experiment with zerocoin, without bloating the block chain, complicating bitcoin, and without slowing validation on the bitcoin network.  And the two coins should have approximately the same cost (and maybe therefore value, though the price would be subject to demand/supply and any taint discount for bitcoins; zerocoins are taint free, or perfectly blended taint at least).

Adam

If the majority of miners decide to restrict block size to 100kbytes, what non-mining full node could do? They could either follow, or join a shorter fork with bigger block size (i.e. hardfork ). Non-mining nodes don't really have much choice

No, that's not true at all. The whole point of running a Bitcoin full node is that you do NOT blindly follow any rule changes miners agree on. That's fundamental. If you do blindly follow them then you're using simplified payment verification.

No soft-fork is possible without majority of miners agree. If they decide to tighten the rules, all users have no choice but to follow. This is a known feature (or vulnerability) of bitcoin from day one. Sometimes it is called a "soft-fork", while sometimes it is called a "51% attack". Anyway, it's the users' responsibility to keep their client up-to-date to adopt the tightened rules.

If Satoshi had never thought of possibility of soft-fork, I couldn't see why he included so many useless OP_NOP codes in the script.

The point of a soft fork is that the rules don't tighten - from the perspective of old clients, anyone can spend any zerocoin and you will happily accept blocks that contain bogus spends written by unauthorized users. This reduces your node to SPV level security (you blindly trust whichever chain the majority of mining is done on). Silently downgrading peoples security level is not only a nasty hack, it's untrustworthy behaviour which is why I objected to it for P2SH.

Bitcoin has never been designed to "soft fork". That's something other people came up with later. Everything in Bitcoins design is intended to trigger hard forks when the protocol changes.

Hard forks are not impossible or the end of the world, they just require co-ordination and communication. It is the right way to do things and I will continue to strongly object to "upgrades" that convert full nodes into SPV nodes.

Wow! Looks like the Bitcoin community never stops!

This is so cool!

BTW: Where can i donate to support the project?