Topic: Zerocoin: Anonymous Distributed E-Cash from Bitcoin - page 8. (Read 37835 times)

legendary
Activity: 1526
Merit: 1134
Yeah, this is definitely an important and interesting question. The not totally invincible nature of Bitcoin's privacy certainly makes conversations with LE a bit easier (I've had a couple of conversations with UK LE already and want to have more at the conference).

I think it's really important to understand that privacy and anonymity are not really the same thing. If I send money to or from Mt Gox, then I've probably had to go through KYC and I'm not anonymous to them (or you), but that transaction is still private - you can't find out I did it from the block chain. It might seem like an academic point but people have very different emotional reactions to privacy (good!) vs anonymity (scary!).

Bitcoin should seek to provide privacy. It's unacceptable that someone might earn their salary in Bitcoins and then have a colleague discover their income by analysing the block chain. That's actually the kind of privacy leak that tends to bother people most in their everyday life; most people aren't trying to make an enemy of their own governments. But at the same time, we should make it easy for people to prove their identities to each other, mostly because this can help grease the wheels of trade. Zero trust protocols are great when you can make them work, but it's often quite tricky, and taking personal legal responsibility for your actions is a model everyone is already familiar with.

The payment protocol takes us one step in that direction, it lets merchants identify themselves to customers if they want to and that's very useful for hardware wallets like Trezor that assume a compromised host. For person-to-person trades it's harder. Unfortunately governments have largely let us down here. Most governments don't issue convenient personal certificates/keypairs. Estonia being one country that's ahead of the curve. One of the things I want to explore is whether the RFID passports that have been issued over the last 10 years can be re-used outside of the border control system, I rather suspect the answer is no but it's worth checking out. I'd like to be able to sign my own payment requests with my identity so if the entity paying me has a malware infected host and a hardware wallet, they can still pay me successfully. I think this is a good point to bring up with governments - they insist on AML and strong ID verification but then insist on archaic standards like "scan of passport + utility bill", which is shoddy. If they're going to complain about Bitcoin then I think we have a right to complain about their lack of a real citizen PKI Smiley

Right now bitcoinj has woeful privacy, we've spent our time optimising performance and reliability of backups rather than that. But in future I'd hope we can make some of the improvements I listed above. It will help ordinary people a lot, and I don't think it'd make much difference to LE investigations. The thing that'd help them the most is people knowing who they're trading with, so they can try and "follow the money" by getting the relevant warrants for each step in the chain.
full member
Activity: 182
Merit: 100
Bitcoin is only accountable because you typically have to put money into it to use it. Are the miners accountable? Could a miner be traced to his IP if he used his mined coin to commit a crime?
staff
Activity: 4284
Merit: 8808
Would it be wise to implement "stronger" anonymity in bitcoin ?
This has been asked before— and I think it's an important question. We shouldn't just assume that any feature is good.

After extensive consideration, I think I can answer this with an emphatic "Yes".  Without good anonymity the fungibility of Bitcoin can be substantially degraded.  The road to fungibility loss is paved with good intentions, but the end result makes Bitcoin less useful as money.   "We're really sure that _this_ bitcoin was stolen" ... "We're quite confident that this person is bad" ...  but if Bitcoin is to be trustworthy you must never have reason to feel that you'll wake up on the wrong side of a Kafkaesque heuristic, or that you'll have to fight for what is rightfully yours: even if there is due process, having to defend yourself means you already lost.

I believe that the ultimate social good that comes out of weaker anonymity for Bitcoin like activity is fairly limited: Bad-guys will generally figure out good ways around the lack of transaction anonymity, but still get caught based on their other activities even when transactions are strongly private. The harms from not having good anonymity— the losses of privacy, the danger to fungibility— hurt everyone.

Then there is the question of should it be in the system or outside of it.  If we ignore the implementation cost, I think here again the answer is emphatically that it should be inside the system:  Putting it outside greatly reduces its effectiveness.   But right now implementation costs are non-trivial and so I don't think there is much of a question of including it in the system—  and, if people build it outside of the system: we can't stop them even if we were to agree that it were a bad thing.
 
full member
Activity: 182
Merit: 100
It won't be anonymous once you start pulling it out
member
Activity: 112
Merit: 11
Okay, first, some specific comments I would like to make about other people's comments:

My point is that it doesn't require a trusted third party.  Yes they seem horribly naive (academics usually are).  A privacy "coin" where the govt has the backdoor key has essentially no utility.  Bitcoin's pseudo-anonymous capabilities are more than sufficient for "casual anonymity" (not wanting your wife to know where you spend your money).  Anyone interested in something stronger isn't going to be ok with backdoors.

If I understand correctly, trapdoor params during accumulator setup do not give you the ability to "deanonymize everyone forever"; they do, however, give you the ability to forge as many zerocoins as you care to, which is bad.
However, the paper mentions something called RSA UFO (it's right over my head. Badum-tish) that allows the developer to set up the accumulator without learning the "sensitive numbers" and thus without gaining any kind of anonymity-destroying or coin-forging "superpowers".


My greatest concerns were: 50 Kbyte transactions with 0.5 second validation time, stored in a step-2-then-a-miracle-occurs (DHT, presumably an attack-resistant one created by unicorns), with a cryptographic accumulator which grows without bound and can't be pruned like the block-chain or compactly zero trust queried like the UTXO can if we add a committed UTXO tree.

Unless I greatly misunderstand, it is not the accumulator per se that is infinitely bloatable, but the "mint" and "spend" records that can't be pruned.
Which kind of sucks, unless some way to prune them without enabling double-spends is found.

As to storage, the article, if I understand correctly, specifies that the z-coin transactions can be stored anywhere, from blockchain to DHT to unicorns.

A bit of speculative commentary (IANAP/IANAC):

The article mentions that Schnorr group parameters can expire, and will have to be reset/regenerated, but states that it's not a problem since "oldtimer" zerocoins can be transformed into fresh ones.

However, I wonder if one could modify the constructs used so that old zerocoins will not be "transformable" into "new" zerocoins upon Schnorr group parameter expiration, thus unspent "oldtimer" zerocoins becoming essentially lost.

It might reduce convenience / anonymity (since you would have a limited time to spend the zerocoins) but since zerocoin is very explicitly an anonymous transaction system and not a value store, and since the "parameter expiration" can be pretty long in terms of human time and might even be leveraged to actually improve plausible deniability (script to spend all my zerocoins into bitcoins when expiration is near, as part of mainline client), it might be acceptable if it allows for pruning the z-coin DB (and why not prune records that are explicitly and irrevocably expired? )

Now, on to a more general (and more controversial Grin ) topic

At the risk of getting stoned (and not in a nice way), I would like to bring up a certain question:

Would it be wise to implement "stronger" anonymity in bitcoin ?

Bitcoin, as it stands, is strongly pseudonymous.

Under reasonably careful use, it has just enough anonymity to discourage casual peeping toms and minor LEA investigations.
Under very careful use, it can probably protect the user from a considerable investigative effort.
It is, obviously, not "absolute" though.

However, it not being "absolute" lends it properties that make it more backwards-compatible with the existing monetary system, and more palatable to the "average pointy-haired legislator" (and even despite not being all that untraceable, Bitcoin is catching some misguided flak as being a "criminal's currency").

Given that the seemingly apparent aspiration of the project (correct me if I am wrong) is to establish a widely accepted digital "commodity money" that would be free from human monetary policy meddling and forced seizure (kind of like digital gold money), "hardcore no-holds-barred" anonymity might actually be counterproductive in the long term, since it would impede wide-scale merchant and institutional adoption (many investors might choose to steer clear if you start signalling that you are, essentially, trading a "Los Zetas derivative" Smiley ).

Current Bitcoin's condition of being "strongly pseudonymous" and "never forgetting" could be a sweet spot that gives average and above-average Joe just enough obfuscation to make invading their privacy too costly and time consuming while still being auditable enough to appeal to mainstream finance and large merchants.

Moving out of this sweet spot in any direction might be woeful.

Also, consider this: many investors who are currently "in BTC" (including people investing in expensive, complicated mining equipment like ASICs) have invested with their risk assessment being based upon an understanding of bitcoin as a "strong pseudonymity, moderate privacy" system.
By radically altering bitcoin's anonymity/privacy profile, one would be voiding those people's assumptions regarding political, legal and regulatory risks and compromising their trust.


========

Disclosure:
I am actually a proponent of "absolutely anonymous" digital transaction mediums as a concept.

I am, however, dubious in regards to whether BTC should strive to become such a medium, given that it already has a notable investment, regulatory, and institutional infrastructure organized around a different set of privacy/anonymity assumptions.


========

Last part, ADHD version:

"Absolute" anonymity may have unforeseen regulatory, social, and financial consequences for "bitcoinomy".

Given that "bitcoinomy" is doing pretty fine with current level of "privacy/anonymity", it might be wise to avoid meddling with this property of Bitcoin.
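The trapdoor question raised earlier in this post (whether setup parameters let someone forge coins) is easy to see on a toy RSA accumulator. The following is an added example, not code from the Zerocoin paper or any implementation; it uses tiny constructed primes that are nowhere near secure, and the element values stand in for the prime coin commitments the paper accumulates. It shows that an honest witness only verifies for a member, and that whoever keeps phi(N) from setup can compute a verifying witness for a value that was never accumulated, which is exactly why the setup phase has to be trusted or replaced with a construction like RSA UFOs.

```python
# Toy RSA accumulator: constructed parameters for illustration only (far too small to be secure).
P, Q = 10007, 10009            # toy primes; a real RSA modulus would be 2048+ bits
N = P * Q
PHI = (P - 1) * (Q - 1)        # the trapdoor: a trusted setup must generate N and then discard this
G = pow(7, 2, N)               # quadratic residue used as the accumulator base

# Constructed "coin commitments": the real scheme accumulates large primes, these are toy stand-ins.
SET = (101, 103, 107)


def accumulate(elements):
    """Accumulator value for the set: G raised to the product of all elements, mod N."""
    acc = G
    for x in elements:
        acc = pow(acc, x, N)
    return acc


def witness(elements, x):
    """Honest membership witness for x: G raised to the product of the *other* elements."""
    w = G
    for y in elements:
        if y != x:
            w = pow(w, y, N)
    return w


def verify(acc, x, w):
    """Membership check: w^x == acc (mod N)."""
    return pow(w, x, N) == acc


def forge_witness_with_trapdoor(acc, x, phi):
    """What the setup party can do if it kept phi(N): take an x-th root of acc.

    w = acc^(x^-1 mod phi), so w^x == acc^(1 + k*phi) == acc by Euler's theorem,
    although x was never accumulated. Without phi(N) this root is infeasible to compute.
    """
    inv = pow(x, -1, phi)      # raises ValueError if gcd(x, phi) != 1
    return pow(acc, inv, N)


ACC = accumulate(SET)

if __name__ == "__main__":
    print("member 103 verifies:        ", verify(ACC, 103, witness(SET, 103)))
    print("non-member 131 verifies:    ", verify(ACC, 131, witness(SET, 131)))
    forged = forge_witness_with_trapdoor(ACC, 131, PHI)
    print("131 with trapdoor witness:  ", verify(ACC, 131, forged))
```

The forged witness is indistinguishable to a verifier from an honest one, so in a Zerocoin-style deployment the holder of the trapdoor could "spend" coins that were never minted; the accumulator value itself stays unchanged, which is why this is a forgery problem rather than a deanonymization problem.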
legendary
Activity: 1526
Merit: 1134
You know ... the master plan Wink

Just kidding. It's more like how I imagine things playing out combined with the existing work that we're doing. Here's what I sent to the ZeroCoin guys when I reviewed their paper:

Quote
Anyway, from our perspective all this leads to the following question - is there a way to resolve the privacy issues inherent in a public block chain without using any cryptographic constructs invented in the last ten years?

This is obviously a topic we've discussed a lot in the dev community. Right now, we're sort of slowly evolving towards a plan that looks like this:
  • Break the one payment == one transaction relationship by introducing a notion of a payment protocol, a layer above the P2P protocol for people to request payment to multiple sets of outputs (not just one as in a regular pay to address) and then the payer to upload more than one transaction direct to the receiver.
  • Teach wallet software how to avoid combining outputs together when possible - if you have three 5-coin outputs in three different transactions, and you want to pay someone 15 coins, you should be doing that with another three transactions rather than a single transaction that combines all three.
  • Make sure address re-use is rare and discouraged, eg, possibly with a change to the default miner priority rules. Right now address re-use is more common than it should be for a bunch of reasons, deterministic wallets is our preferred solution to this.
  • Teach wallets to de/refragment outputs into coins of somewhat consistent sizes - you mention such a thing for ZeroCoins too, but if payments become multiple independent transactions that move coins of various denominations, the linkage issues become much less of an issue, especially if people can tolerate those transactions being spread out over several blocks.

Also, over time we might want to look at integrating p2p mixing protocols into the core p2p protocol, so if a bunch of users have their wallets open and online then they can rendezvous with each other and build a single transaction that has 10 inputs from the different wallets, and >10 outputs that redistribute that value back to the users, such that you don't know which inputs correspond to which outputs. If wallets are collectively trying to keep their output sizes somewhat round and there are enough users doing this, the mix transactions can add anonymity and it can be done in the background in a zero-trust way (no need to trust mixing services). But this is a long term project. There are much higher priorities right now.
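The second bullet of the quoted plan (pay 15 coins from three 5-coin outputs with three transactions rather than one that merges them) can be expressed as a coin-selection policy. The following is an added example, not bitcoinj code or anything from the post; the wallet contents are constructed, the amounts are plain integers, and the transaction objects only record which input pays which amount. It contrasts the classic "one transaction, gather inputs until covered" selection, which links every input together on the block chain, with a selection that never spends more than one input per transaction, relying on a payment protocol that accepts several transactions for one payment.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Utxo:
    txid: str      # constructed identifier for illustration
    value: int     # integer units (e.g. satoshis); constructed


@dataclass
class Tx:
    inputs: list   # Utxos spent by this transaction
    pay: int       # amount sent to the payee in this transaction
    change: int    # amount returned to the payer's own wallet


def plan_single_tx(utxos, amount):
    """Classic behaviour: one transaction, largest-first inputs until the amount is covered.

    Every input ends up in the same transaction, so an observer learns they share an owner.
    """
    chosen, total = [], 0
    for u in sorted(utxos, key=lambda u: u.value, reverse=True):
        if total >= amount:
            break
        chosen.append(u)
        total += u.value
    if total < amount:
        raise ValueError("insufficient funds")
    return [Tx(chosen, amount, total - amount)]


def plan_unlinked(utxos, amount):
    """Pay `amount` using exactly one input per transaction.

    While something is still owed: if a single output can cover the remainder, spend the
    smallest such output (with change); otherwise spend the largest output in full and
    continue. Inputs are therefore never combined, at the cost of several transactions.
    """
    remaining = amount
    available = sorted(utxos, key=lambda u: u.value)   # ascending
    plan = []
    while remaining > 0:
        if not available:
            raise ValueError("insufficient funds")
        covering = next((u for u in available if u.value >= remaining), None)
        if covering is not None:
            available.remove(covering)
            plan.append(Tx([covering], remaining, covering.value - remaining))
            remaining = 0
        else:
            biggest = available.pop()                  # largest remaining output
            plan.append(Tx([biggest], biggest.value, 0))
            remaining -= biggest.value
    return plan


def max_inputs_per_tx(plan):
    """Linkage measure: how many inputs an observer sees tied together in one transaction."""
    return max(len(t.inputs) for t in plan)


def total_paid(plan):
    return sum(t.pay for t in plan)


# Constructed wallet matching the post: three separate 5-coin outputs.
WALLET = [Utxo("tx-a", 5), Utxo("tx-b", 5), Utxo("tx-c", 5)]

if __name__ == "__main__":
    for name, plan in (("single", plan_single_tx(WALLET, 15)),
                       ("unlinked", plan_unlinked(WALLET, 15))):
        print(name, "txs:", len(plan), "max inputs/tx:", max_inputs_per_tx(plan),
              "paid:", total_paid(plan))
```

The unlinked plan pays the same total while keeping every transaction to a single input; when outputs do not divide the amount evenly (for example outputs of 8, 5 and 3 paying 10) it spends the 8 in full and then the 3 with 1 unit of change, still without merging inputs.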
legendary
Activity: 980
Merit: 1008
Nice to hear some opinions on this. Doesn't look very promising based on looking at your feedback.

I agree that true anonymity is nice to have, but it must be able to accommodate the space limitations of the block chain. As far as I can see, the greatest concern is transaction size. Going from 200 bytes to 50 kilobytes is simply not worth it.

Overall, I think the plan we've been working towards for privacy will work better, or at least is more deployable. But it's great to see this kind of research - as Gregory says, these algorithms only ever get better.
What plan would that be?
legendary
Activity: 1526
Merit: 1134
I reviewed this paper back in early March. Matthew Green's blog post more or less echoes the feedback I gave them back then (in particular, their understanding of the performance requirements of verification was badly incorrect). I also mentioned the difficulty of implementing it in SPV clients and the overall complexity of the scheme.

Overall, I think the plan we've been working towards for privacy will work better, or at least is more deployable. But it's great to see this kind of research - as Gregory says, these algorithms only ever get better.
staff
Activity: 4284
Merit: 8808
My initial read of their paper was interesting, but it was two to three orders of magnitude more resource intensive than would be required to make it actually viable.  ... This is still impressive since 1000x too big/slow is still way better than infinite, which was the best alternative I had for something that was actually decentralized.

(The lay explanation of Bitcoin was _meh_ as it glosses over the blockchain which is the only really novel and somewhat non-obvious part of the system at large)

My greatest concerns were: 50 Kbyte transactions with 0.5 second validation time, stored in a step-2-then-a-miracle-occurs (DHT, presumably an attack-resistant one created by unicorns), with a cryptographic accumulator which grows without bound and can't be pruned like the block-chain or compactly zero trust queried like the UTXO can if we add a committed UTXO tree.

Something like this could be used in an external system and tied in via N of M multisig, and the authors acknowledge that, but if you're going to accept a (distributed) point of trust for that, a Chaum-token-like service can be constructed that is less computationally and bandwidth intensive than this.

On the plus side— approaches can only get better.
hero member
Activity: 536
Merit: 500
Not sure how cryptocurrency is any less legitimate than actual cash, the only real difference is that it's not centralized and inflatable like a government made currency.
hero member
Activity: 714
Merit: 510
Let's discuss this paper: http://spar.isi.jhu.edu/~mgreen/ZerocoinOakland.pdf

What are your thoughts on this? I don't understand a lot of the technical stuff in the paper, so I'm interested in hearing your opinions.

Quote
Abstract—Bitcoin is the first e-cash system to see widespread adoption. While Bitcoin offers the potential for new types of financial interaction, it has significant limitations regarding privacy. Specifically, because the Bitcoin transaction log is completely public, users' privacy is protected only through the use of pseudonyms. In this paper we propose Zerocoin, a cryptographic extension to Bitcoin that augments the protocol to allow for fully anonymous currency transactions. Our system uses standard cryptographic assumptions and does not introduce new trusted parties or otherwise change the security model of Bitcoin. We detail Zerocoin's cryptographic construction, its integration into Bitcoin, and examine its performance both in terms of computation and impact on the Bitcoin protocol.

This already exists, it's reinventing the wheel.
legendary
Activity: 1288
Merit: 1080
Seems complicated, but also looks like serious work.  I will need some time to understand it.

It seems to me they overestimate the need for full anonymity, though.
legendary
Activity: 3920
Merit: 2349
Eadem mutata resurgo
Important work. Also if bitcoin does not adopt a robust privacy strategy it risks another alt-coin will gain a competitive first mover advantage for what I consider to be an extremely desirable (marketable) property for monetary instruments.
legendary
Activity: 2618
Merit: 1007
This is the first thing written about Bitcoin that's been worth reading in quite a while.

ByteCoin
http://jheusser.github.io/2013/02/03/satcoin.html is also an interesting read, even though it might not help much with actual Bitcoin development.

I also love this paper here though; great that people start thinking of new ways to make Bitcoin useful for some special purposes!
hero member
Activity: 555
Merit: 654
Sorry about the Off-topic: If someone out there wants to write/implement my proposal for an anonymity layer for Bitcoin, and has in depth knowledge of crypto and math, then I'd gladly co-author the paper on APPECoin...
donator
Activity: 1218
Merit: 1079
Gerald Davis
My point is that it doesn't require a trusted third party.  Yes they seem horribly naive (academics usually are).  A privacy "coin" where the govt has the backdoor key has essentially no utility.  Bitcoin's pseudo-anonymous capabilities are more than sufficient for "casual anonymity" (not wanting your wife to know where you spend your money).  Anyone interested in something stronger isn't going to be ok with backdoors.
hero member
Activity: 555
Merit: 654
The zerocoin paper doesn't indicate a trusted third party; actually, it indicates the exact opposite.

PAGE 3, first column:

"With no trusted parties, the accumulator and its associated witnesses must be publicly computable and verifiable (though we are willing to relax this requirement to include a single, trusted setup phase in which parameters are generated)."

PAGE 4, second column:

"We note that the Setup routine may be executed by a trusted party"

The point is that by choosing RSA as the crypto function, they require a TTP.

Maybe it could be adapted to another crypto function, but it would change all the procedures, since they use the internal mathematical properties of RSA.


full member
Activity: 182
Merit: 100
Neat, so this is the replacement for mixers.
sr. member
Activity: 416
Merit: 277
This is the first thing written about Bitcoin that's been worth reading in quite a while.

ByteCoin
donator
Activity: 1218
Merit: 1079
Gerald Davis
The zerocoin paper doesn't indicate a trusted third party; actually, it indicates the exact opposite.