Okay, first, some specific comments I would like to make about other people's comments:
My point is that it doesn't require a trusted third party. Yes, they seem horribly naive (academics usually are). A privacy "coin" where the govt has the backdoor key has essentially no utility. Bitcoin's pseudo-anonymous capabilities are more than sufficient for "casual anonymity" (not wanting your wife to know where you spend your money). Anyone interested in something stronger isn't going to be ok with backdoors.
If I understand correctly, trapdoor params during accumulator setup do not give you the ability to "deanonymize everyone forever" - it does, however, give you the ability to forge as many zerocoins as you care to, which is bad.
However, the paper mentions something called RSA UFO (it's right over my head. Badum-tish) that allows the developer to set up the accumulator without learning the "sensitive numbers" and thus not gaining any kind of anonymity-destroying or coin-forging "superpowers".
My greatest concerns were: 50Kbyte transactions with 0.5 second validation time, stored in a step-2-then-a-miracle-occurs (DHT, presumably an attack resistant one created by unicorns), with a cryptographic accumulator which grows without bound and can't be pruned like the block-chain or compactly zero-trust queried like the UTXO can if we add a committed UTXO tree.
Unless I greatly misunderstand, it is not the accumulator per se that is infinitely bloatable, but the "mint" and "spend" records that can't be pruned.
Which kind of sucks, unless some way to prune them without enabling double-spends is found.
As to storage, the article, if I understand correctly, specifies that the z-coin transactions can be stored anywhere, from blockchain to DHT to unicorns.
A bit of speculative commentary (IANAP/IANAC): The article mentions that Schnorr group parameters can expire, and will have to be reset/regenerated, but states that it's not a problem since "oldtimer" zerocoins can be transformed into fresh ones.
However, I wonder if one could modify the constructs used so that old zerocoins will not be "transformable" into "new" zerocoins upon Schnorr group parameter expiration, thus unspent "oldtimer" zerocoins becoming essentially lost.
It might reduce convenience / anonymity (since you would have a limited time to spend the zerocoins), but since zerocoin is very explicitly an anonymous transaction system and not a value store, and since the "parameter expiration" can be pretty long in terms of human time and might even be leveraged to actually improve plausible deniability (a script to spend all my zerocoins into bitcoins when expiration is near, as part of the mainline client), it might be acceptable if it allows for pruning the z-coin DB (and why not prune records that are explicitly and irrevocably expired?).
Now, on to a more general (and more controversial) topic.
At the risk of getting stoned (and not in a nice way), I would like to bring up a certain question:
Would it be wise to implement "stronger" anonymity in bitcoin?
Bitcoin, as it stands, is strongly pseudonymous.
Under reasonably careful use, it has just enough anonymity to discourage casual peeping toms and minor LEA investigations.
Under very careful use, it can probably protect the user from a considerable investigative effort.
It is, obviously, not "absolute" though.
However, it not being "absolute" lends it properties that make it more backwards-compatible with the existing monetary system, and more palatable to the "average pointy-haired legislator" (and even despite not being all that untraceable, Bitcoin is catching some misguided flak as being a "criminal's currency").
Given that the seemingly apparent aspiration of the project (correct me if I am wrong) is to establish a widely accepted digital "commodity money" that would be free from human monetary policy meddling and forced seizure (kind of like digital gold money), "hardcore no-holds-barred" anonymity might actually be counterproductive in the long term, since it would impede wide-scale merchant and institutional adoption (many investors might choose to steer clear if you start signalling that you are, essentially, trading a "Los Zetas derivative").
Bitcoin's current condition of being "strongly pseudonymous" and "never forgetting" could be a sweet spot that gives the average and above-average Joe just enough obfuscation to make invading their privacy too costly and time consuming, while still being auditable enough to appeal to mainstream finance and large merchants.
Moving out of this sweet spot in any direction might be woeful.
Also, consider this - many investors who are currently "in BTC" (including people investing in expensive, complicated mining equipment like ASICs) have invested with their risk assessment being based upon an understanding of bitcoin as a "strong pseudonymity, moderate privacy" system.
By radically altering bitcoin's anonymity/privacy profile, one would be voiding those people's assumptions regarding political, legal and regulatory risks and compromising their trust.
========
Disclosure:
I am actually a proponent of "absolutely anonymous" digital transaction mediums as a concept.
I am, however, dubious in regards to whether BTC should strive to become such a medium, given that it already has a notable investment, regulatory, and institutional infrastructure organized around a different set of privacy/anonymity assumptions.
========
Last part, ADHD version:
"Absolute" anonymity may have unforeseen regulatory, social, and financial consequences for "bitcoinomy".
Given that "bitcoinomy" is doing pretty fine with the current level of "privacy/anonymity", it might be wise to avoid meddling with this property of Bitcoin.
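The earlier point about trapdoor parameters at accumulator setup (knowing them lets the setup party forge coin witnesses, which is what the RSA UFO construction is meant to avoid) is easiest to see on a toy RSA accumulator. The following is an added illustration written for this page, not code from the thread or from the Zerocoin paper; the 16-bit modulus, the generator, the "coin" primes and the function names are all constructed for the demo, and only the accumulator membership check is modelled, not Zerocoin's zero-knowledge spend proof.

```python
# Toy RSA accumulator (added illustration; constructed parameters).
# Real deployments use a ~2048-bit modulus; the tiny one here is only so
# the arithmetic is easy to follow by hand.
from functools import reduce
from math import gcd

# Constructed trapdoor: whoever ran setup knows these primes. An honest
# setup (or an RSA-UFO style setup) never learns or discards them.
P, Q = 61, 53
N = P * Q          # public modulus, 3233
G = 2              # public generator, coprime to N


def product(xs):
    return reduce(lambda a, b: a * b, xs, 1)


def accumulate(elements):
    """Accumulator value A = G^(e1*e2*...*ek) mod N over prime elements."""
    return pow(G, product(elements), N)


def witness(elements, e):
    """Membership witness for e: G raised to the product of all *other*
    elements. Anyone holding the accumulated set can compute this; no
    secret is involved."""
    if e not in elements:
        raise ValueError("witnesses exist only for accumulated elements")
    return pow(G, product(x for x in elements if x != e), N)


def verify(acc, e, w):
    """Public membership check: w^e == A (mod N)."""
    return pow(w, e, N) == acc


def forge_witness(acc, x):
    """What the trapdoor buys the setup party: with phi(N) = (P-1)(Q-1)
    one can take an x-th root of the accumulator, producing a witness
    that verifies for an element x that was never accumulated.
    (x must be coprime to phi(N); real set elements are chosen so.)"""
    phi = (P - 1) * (Q - 1)
    if gcd(x, phi) != 1:
        raise ValueError("x must be coprime to phi(N)")
    d = pow(x, -1, phi)           # d = x^-1 mod phi(N)
    return pow(acc, d, N)         # (A^d)^x = A^(d*x) = A (mod N)


def demo():
    """Returns (honest witnesses verify, 19 is a member, forged witness
    for 19 verifies). A verifier without the trapdoor cannot tell the
    forged witness from an honest one."""
    members = [7, 11, 17]         # constructed "coins" (small primes)
    acc = accumulate(members)
    honest = all(verify(acc, e, witness(members, e)) for e in members)
    outsider = 19                 # never minted
    forged = forge_witness(acc, outsider)
    return honest, outsider in members, verify(acc, outsider, forged)


if __name__ == "__main__":
    honest, is_member, forged_ok = demo()
    print(f"honest witnesses verify: {honest}")
    print(f"19 is a member: {is_member}; forged witness verifies: {forged_ok}")
```

The verification step is exactly what every node runs, and it passes for the forged witness because the check only sees N, not its factorization. That is why the thread cares about who holds the factors: the defence is a setup in which nobody learns them (destroyed, or never known in the first place, as with the RSA UFO approach), not anything a verifier can check afterwards.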