Topic: Zerocoin: Anonymous Distributed E-Cash from Bitcoin - page 7. (Read 37718 times)

legendary
Activity: 2324
Merit: 1125
I've watched the presentation of the paper http://research.microsoft.com/apps/video/dl.aspx?id=192058 and I have one important question. First off, I'm actually an academic in computer science, but the zero-proof subject matter is all rather new to me.

So the question:

If I make a zerocoin and later want to redeem the zerocoin back to a bitcoin, what is the reason this cannot be traced back to the specific zerocoin I'm converting back to Bitcoin (and in effect my previous Bitcoin transactions)? In the talk Matthew Green mentions that a proof is required to show you own the zerocoin. Why doesn't this imply this whole system isn't anonymous at all?

If anyone can explain this, thanks a lot.

PS: As the first half hour was really slow and simple to follow for the uneducated, I hoped he would continue with this when he reached the difficult cryptographic portion of the talk, but then he went into overdrive, not even introducing the concept of an accumulator. He could have skipped the first half hour for me and taken twice as long for the second part, but it must have been at a cryptography conference or something.
legendary
Activity: 1526
Merit: 1129
You don't have any idea how Google works, do you?

Firstly, Eric Schmidt isn't my boss and hasn't been for years. The CEO is Larry Page these days. But even if he was, a throwaway "prediction" intended to provoke discussion from 3 years ago is not very compelling evidence for your point of view.

Secondly, my job for the past few years has been anti spam and nothing to do with Bitcoin. I've been allowed to work on it under the 20% time policy which is very hands-off. My management have never told me what to do or what positions to take on anything with respect to Bitcoin. My compensation isn't affected by anything I do here.

Thirdly, I don't have a "vested interest in convincing people they don't need anonymity". Why would I spend so much time working on a project created by an anonymous founder if I had a problem with anonymity? But I'm also a realist. Go talk to people in the world outside this forum echo chamber for a while. There are a LOT of people, especially older people, who are immediately very suspicious of anyone who is anonymous or uses a pseudonym. You can see similar concerns come up in the media coverage - trusting mathematics instead of people is just a totally alien way of thinking for most people. Whenever I've explained Bitcoin to my parents the thing they fixate on is "Why is the guy who made this anonymous? Why do you trust this thing he made?". They eventually came to understand that it didn't matter who he was, but even after I explained that for the Nth time, they still have an allergic reaction to it. Why? Because the most common reason for people to hide their identity is to avoid the justice system.

Anyway, you haven't got my point at all - privacy and anonymity are linked but are not the same. Satoshi's paper says as much:

Quote
The traditional banking model achieves a level of privacy by limiting access to information to the parties involved and the trusted third party. The necessity to announce all transactions publicly precludes this method, but privacy can still be maintained by breaking the flow of information in another place: by keeping public keys anonymous.

Neither banking nor Bitcoin provides perfect privacy or anonymity. Banks give users privacy from each other but obviously the banks and governments still know what you're doing. Bitcoin users have no authority that knows everything but routinely leak private data to each other by misusing the block chain (re-using keys, etc).
full member
Activity: 129
Merit: 100
Privacy and anonymity are absolutely different things. It is possible to be anonymous and yet lack privacy. For example, if Satoshi cashed out all at once, we'd know this immediately even though we do not know anything about him.

Your boss doesn't seem to think so. He keeps telling people that if they don't like it they can just change their name, which is basically saying that anonymity (or pseudonymity) is the only route to privacy.

So maybe this is why you have a vested interest in convincing people they don't need anonymity or pseudonymity? I mean, obviously if you said people don't need privacy nobody would take you seriously. But it's a lot easier to tell people that privacy is okay as long as they don't have the means to establish it.
full member
Activity: 129
Merit: 100
Could you guys stop bringing Google up?

As soon as you stop accepting money from them, sure.

Nothing wrong with that, by the way.

But there is something wrong with trying to claim that you aren't influenced by your source of income. Gavin and most of The Bitcoin Foundation explicitly disagree with that, citing it as one of the major reasons why TBF needs to exist -- to provide Gavin with an income source that isn't controlled by the profit motives of a single organization.

Look, I don't think you're going to get very far with "employers don't influence people's views" around here. Try something else.
jml
full member
Activity: 238
Merit: 100
This is the first thing written about Bitcoin that's been worth reading in quite a while.

ByteCoin

I actually did find the Bitcoin summary (Section 2) easier to understand than the original bitcoin paper by Nakamoto.
jml
full member
Activity: 238
Merit: 100
I have read the papers on Satoshi (Bitcoin) and Miers (Zerocoin) but they don't seem to be published in any reputable conference. Is there any reason why or is it that there are no conferences for this type of research?
legendary
Activity: 3920
Merit: 2349
Eadem mutata resurgo
Quote
In any system where anonymity is achieved along the lines of
[classic BTC-style TX -> classic BTC-style TX -> "weird" high-anonTX -> Lips sealed -> Huh -> classic BTC-style TX]

fungibility may start failing the same way it could start failing in BTC now.

Merchfolk could begin refusing to accept coins which appear directly related to the "weird high-anonTX"

Yep this is correct.

It is not an easy problem ... excellent material for JH in other words.
member
Activity: 112
Merit: 10
Why not? Bitcoin is cryptographically interesting, and so is the challenge of "distributed anonymity" - I say prime JH material.
legendary
Activity: 1680
Merit: 1035
So, when should we start to prepare for another hard-fork? (please please please make something like this happen?)

I'm actually surprised that something as prestigious as Johns Hopkins would even consider Bitcoin as an interesting idea, let alone have a research project to actively try to improve it. (they're a direct rival to my alma mater, too)
member
Activity: 112
Merit: 10
Quote
2) If your concern is fungibility, then Zerocoin-like systems - not just this particular implementation with massive proofs and pruning issues, but basically any system that requires formation of "fixed-denomination" non-fungible "tokens" with fixed BTC value - would not appear to be acceptable solutions.
Since they outright break fungibility

I think you are confusing fungibility with divisibility.

gmaxwell's points about enhanced fungibility due to strong anonymity are correct ... and are not widely appreciated.

You are correct that fixed-denomination tokens are not as divisible, but this is a simple technical matter of choosing the smallest denomination that makes sense in terms of value. E.g. if we had a system that dealt with strongly anonymous satoshis as the fundamental unit, it would be functionally equivalent as a money to bitcoin as it is now.

Ah indeed, my bad - that's what I get for posting w/o caffeine.

However, I do believe that part of my point still stands.

In any system where anonymity is achieved along the lines of
[classic BTC-style TX -> classic BTC-style TX -> "weird" high-anonTX -> Lips sealed -> Huh -> classic BTC-style TX]

fungibility may start failing the same way it could start failing in BTC now.

Merchfolk could begin refusing to accept coins which appear directly related to the "weird high-anonTX"
sr. member
Activity: 280
Merit: 252
http://www.reddit.com/r/ZeroCoin is up and running for any interested redditors.

Are you involved with ZeroCoin directly?

Just to be clear, ZeroCoin is not going to be implemented in Bitcoin in its current form - it's just too inefficient right now. Don't get me wrong, it's a great idea and some great crypto, but it's a proof-of-concept and they still have a lot more work to do in making it efficient enough to be practical. It could easily be years before it can become a part of Bitcoin proper, if ever.

Creating a sub-reddit now is premature and just makes ZeroCoin look like vaporware to the general public.

It's never too early to start a conversation.
legendary
Activity: 3920
Merit: 2349
Eadem mutata resurgo
My point is that it doesn't require a trusted third party. Yes, they seem horribly naive (academics usually are). A privacy "coin" where the govt has the backdoor key has essentially no utility. Bitcoin's pseudo-anonymous capabilities are more than sufficient for "casual anonymity" (not wanting your wife to know where you spend your money). Anyone interested in something stronger isn't going to be ok with backdoors.

You guys need to read between the lines.  The authors are in the awkward position of explaining a way to make Bitcoin anonymous. They need a way to say, "see this could be set up so that the government could audit it" because this provides the "moral cover" to prepare the research in the first place.

But if you read between the lines, they've released the method for making this without such a backdoor, and that's all that matters.

That's what it looked like to me also. It is a sad state of affairs when researchers cannot investigate new ways of doing things without the chilling effect of "what will the fed/govt think?" It seems even freedom of thought is under threat.
legendary
Activity: 1008
Merit: 1021
Democracy is the original 51% attack
My point is that it doesn't require a trusted third party. Yes, they seem horribly naive (academics usually are). A privacy "coin" where the govt has the backdoor key has essentially no utility. Bitcoin's pseudo-anonymous capabilities are more than sufficient for "casual anonymity" (not wanting your wife to know where you spend your money). Anyone interested in something stronger isn't going to be ok with backdoors.

You guys need to read between the lines.  The authors are in the awkward position of explaining a way to make Bitcoin anonymous. They need a way to say, "see this could be set up so that the government could audit it" because this provides the "moral cover" to prepare the research in the first place.

But if you read between the lines, they've released the method for making this without such a backdoor, and that's all that matters.
legendary
Activity: 1120
Merit: 1150
http://www.reddit.com/r/ZeroCoin is up and running for any interested redditors.

Are you involved with ZeroCoin directly?

Just to be clear, ZeroCoin is not going to be implemented in Bitcoin in its current form - it's just too inefficient right now. Don't get me wrong, it's a great idea and some great crypto, but it's a proof-of-concept and they still have a lot more work to do in making it efficient enough to be practical. It could easily be years before it can become a part of Bitcoin proper, if ever.

Creating a sub-reddit now is premature and just makes ZeroCoin look like vaporware to the general public.
sr. member
Activity: 280
Merit: 252
http://www.reddit.com/r/ZeroCoin is up and running for any interested redditors.
legendary
Activity: 3920
Merit: 2349
Eadem mutata resurgo
Quote
2) If your concern is fungibility, then Zerocoin-like systems - not just this particular implementation with massive proofs and pruning issues, but basically any system that requires formation of "fixed-denomination" non-fungible "tokens" with fixed BTC value - would not appear to be acceptable solutions.
Since they outright break fungibility

I think you are confusing fungibility with divisibility.

gmaxwell's points about enhanced fungibility due to strong anonymity are correct ... and are not widely appreciated.

You are correct that fixed-denomination tokens are not as divisible, but this is a simple technical matter of choosing the smallest denomination that makes sense in terms of value. E.g. if we had a system that dealt with strongly anonymous satoshis as the fundamental unit, it would be functionally equivalent as a money to bitcoin as it is now.
legendary
Activity: 1526
Merit: 1129
Could you guys stop bringing Google up? It's both irrelevant and offensive - as if I don't have or don't speak my own mind.

Privacy and anonymity are absolutely different things. It is possible to be anonymous and yet lack privacy. For example, if Satoshi cashed out all at once, we'd know this immediately even though we do not know anything about him.
member
Activity: 112
Merit: 10
Would it be wise to implement "stronger" anonymity in bitcoin ?
This has been asked before— and I think it's an important question. We shouldn't just assume that any feature is good.

After extensive consideration, I think I can answer this with an emphatic "Yes". Without good anonymity the fungibility of Bitcoin can be substantially degraded. The road to fungibility loss is paved with good intentions, but the end result makes Bitcoin less useful as money. "We're really sure that _this_ bitcoin was stolen" ... "We're quite confident that this person is bad" ... but if Bitcoin is to be trustworthy you must never have reason to feel that you'll wake up on the wrong side of a kafkaesque heuristic, or that you'll have to fight for what is rightfully yours; even if there is due process, having to defend yourself means you already lost.

I believe that the ultimate social good that comes out of weaker anonymity for Bitcoin like activity is fairly limited: Bad-guys will generally figure out good ways around the lack of transaction anonymity, but still get caught based on their other activities even when transactions are strongly private. The harms from not having good anonymity— the losses of privacy, the danger to fungibility— hurt everyone.

Then there is the question of should it be in the system or outside of it.  If we ignore the implementation cost, I think here again the answer is emphatically that it should be inside the system:  Putting it outside greatly reduces its effectiveness.   But right now implementation costs are non-trivial and so I don't think there is much of a question of including it in the system—  and, if people build it outside of the system: we can't stop them even if we were to agree that it were a bad thing.
 

1) I think that the in vivo experiment known as the Silk Road demonstrates, convincingly, that "properly used Bitcoin" has very strong anonymity.

Yes, it is not perfect, but so far, a motivated and resourceful attacker appears to be unable to "dox" a major, publicly known pseudonymous player.

2) If your concern is fungibility, then Zerocoin-like systems - not just this particular implementation with massive proofs and pruning issues, but basically any system that requires formation of "fixed-denomination" non-fungible "tokens" with fixed BTC value - would not appear to be acceptable solutions.
Since they outright break fungibility

Besides, any system that involves special "anonymize me this 1.00 BTC" transaction types could hurt fungibility along the same lines as you describe (a cautious vendor might not accept a coin that is less than N transactions away from an obvious "anonymizing event")

Me?
I think that the problem of "banned coins" is more of a legal and social issue rather than a technological one.
And so far, the bitcoin "ecosystem" has been handling this problem rather well, so perhaps it would be wise to refrain from fixing something that is, from available evidence, not broken.

So far, bitcoin has been choosing its fights fairly well, and gained a modicum of mainstream acceptance, including acceptance by regulatory authorities.

I am not convinced a "100% hardcore anon-coin" could enjoy such (even cash is relatively traceable, one doesn't even have to be a government to track a paper note)

Also, there is the issue of current investors and supporters (miners, merchants, service providers) - many of them may suffer various degrees of inconvenience if bitcoin announces a "full anonymity protocol extension" since that might prompt their local authorities to take a much closer look at their business, which is something they might not entirely appreciate.

I am all for the world having a "full-anon decentralized cryptographic payment system".
But since I think such a system would have a harder time gaining mainstream acceptance, I am not convinced that bitcoin should be this system.
Perhaps bitcoin should stay strongly pseudonymous, to facilitate... how to put it... backwards compatibility with various regulatory bodies?

legendary
Activity: 1120
Merit: 1150
people have very different emotional reactions to privacy (good!) vs anonymity (scary!).
You're confusing your employer with humankind in general.

There isn't really a difference between privacy and anonymity. Rather the difference is between the weaker privacy from individuals spying on you, and stronger privacy from corporations and governments spying on you. Google's services tend to provide the former, but almost never provide the latter, and if anything usually make obtaining the latter much more difficult than it could be.

tl;dr: Anonymity is simply the strongest form of privacy.
full member
Activity: 129
Merit: 100
people have very different emotional reactions to privacy (good!) vs anonymity (scary!).

You're confusing your employer with humankind in general.