Topic: Zerocoin: Anonymous Distributed E-Cash from Bitcoin - page 8. (Read 37718 times)

Yeah, this is definitely an important and interesting question. The not totally invincible nature of Bitcoin's privacy certainly makes conversations with LE a bit easier (I've had a couple of conversations with UK LE already and want to have more at the conference).

I think it's really important to understand that privacy and anonymity are not really the same thing. If I send money to or from Mt Gox, then I've probably had to go through KYC and I'm not anonymous to them (or you), but that transaction is still private - you can't find out I did it from the block chain. It might seem like an academic point but people have very different emotional reactions to privacy (good!) vs anonymity (scary!).

Bitcoin should seek to provide privacy. It's unacceptable that someone might earn their salary in Bitcoins and then have a colleague discover their income by analysing the block chain. That's actually the kind of privacy leak that tends to bother people most in their every day life, most people aren't trying to make an enemy of their own governments. But at the same time, we should make it easy for people to prove their identities to each other, mostly because this can help grease the wheels of trade. Zero trust protocols are great when you can make them work, but it's often quite tricky and taking personal legal responsibility for your actions is a model everyone is already familiar with.

The payment protocol takes us one step in that direction, it lets merchants identify themselves to customers if they want to and that's very useful for hardware wallets like Trezor that assume a compromised host. For person-to-person trades it's harder. Unfortunately governments have largely let us down here. Most governments don't issue convenient personal certificates/keypairs. Estonia being one country that's ahead of the curve. One of the things I want to explore is whether the RFID passports that have been issued over the last 10 years can be re-used outside of the border control system, I rather suspect the answer is no but it's worth checking out. I'd like to be able to sign my own payment requests with my identity so if the entity paying me has a malware infected host and a hardware wallet, they can still pay me successfully. I think this is a good point to bring up with governments - they insist on AML and strong ID verification but then insist on archaic standards like "scan of passport + utility bill", which is shoddy. If they're going to complain about Bitcoin then I think we have a right to complain about their lack of a real citizen PKI

Right now bitcoinj has woeful privacy, we've spent our time optimising performance and reliability of backups rather than that. But in future I'd hope we can make some of the improvements I listed above. It will help ordinary people a lot, and I don't think it'd make much difference to LE investigations. The thing that'd help them the most is people knowing who they're trading with, so they can try and "follow the money" by getting the relevant warrants for each step in the chain.

Bitcoin is only accountable because you typically have to put money into it to use it. Are the miners accountable? Could a miner be traced to his IP if he used his mined coin to commit a crime?

This has been asked before— and I think it's an important question. We shouldn't just assume that any feature is good.

After extensive consideration, I think I can answer this with an emphatic "Yes".  Without good anonymity the fungibility of Bitcoin can be substantially degraded.  The road to fungibility loss is paved with good intentions, but the end result makes Bitcoin less useful as money.   "We're really sure that _this_ bitcoin was stolen" ... "We're quite confident that this person is bad" ...  but if Bitcoin is to be trustworthy you must never have reason to feel that you'll wake up on the wrong side of a kafkaesq heuristic, or that you'll have to fight for what is rightfully yours even if there is due process, having to defend yourself means you already lost.

I believe that the ultimate social good that comes out of weaker anonymity for Bitcoin like activity is fairly limited: Bad-guys will generally figure out good ways around the lack of transaction anonymity, but still get caught based on their other activities even when transactions are strongly private. The harms from not having good anonymity— the losses of privacy, the danger to fungibility— hurt everyone.

Then there is the question of should it be in the system or outside of it.  If we ignore the implementation cost, I think here again the answer is emphatically that it should be inside the system:  Putting it outside greatly reduces its effectiveness.   But right now implementation costs are non-trivial and so I don't think there is much of a question of including it in the system—  and, if people build it outside of the system: we can't stop them even if we were to agree that it were a bad thing.
 

It wont be anonymous once you start pulling it out

Okay, first, some specific comments I would like to make about other people's comments:


If I understand correctly, trapdoor params during accumulator setup do not give you the ability to "denanonymize everyone forever" - it does, however, give you ability to forge as much zerocoins as you can care, which is bad.
However, the paper mentions something called RSA UFO (It's right over my head. Badum-tish) that allows the developer to set up the accumulator without learning the "sensitive numbers" and thus not gaining any kind of anonymity-destroying or coin-forging "superpowers"



Unless I greatly misunderstand, it is not accumulator per se that is infinitely bloatable, but the "mint" and "spend" records that can't be pruned.
Which kind of sucks, unless some way to prune them without enabling double-spends is found.

As to storage, the article, if I understand correctly, specifies that the z-coin transactions can be stored anywhere, from blockchain to DHT to unicorns.

A bit of speculative commentary (IANAP/IANAC):

The article mentions that Schnorr group parameters can expire, and will have to be reset/regenerated, but states that it's not a problem since "oldtimer" zerocoins can be transformed into fresh ones.

However, I wonder if one could modify the constructs used so that old zerocoins will not be "transformable" into "new" zerocoins upon Schnorr group parameter expiration, thus unspent "oldtimer" zerocoins becoming essentially lost.

It might reduce convenience / anonymity (since you would have a limited time to spend the zerocoins) but since zerocoin is very explicitly an anonymous transaction system and not a value store, and since the "parameter expiration" can be pretty long in terms of human time and might even be leveraged to actually improve plausible deniability (script to spend all my zerocoins into bitcoins when expiration is near, as part of mainline client), it might be acceptable if it allows for pruning the z-coin DB (and why not prune records that are explicitly and irrevocably expired? )

Now, on to a more general (and more controversial ) topic

At the risk of getting stoned (and not in a nice way), I would like to bring up a certain question:

Would it be wise to implement "stronger" anonymity in bitcoin ?

Bitcoin, as it stands, is strongly pseudonymous.

Under reasonably careful use, it has just enough anonymity to discourage causal peeping toms and minor LEA investigations.
Under very careful use, it can probably protect the user from a considerable investigative effort.
It is, obviously, not "absolute" though.

However, it not being "absolute" lends it properties that make it more backwards-compatible with existing monetary system, and more palatable to "average pointy-haired legislator" (and even despite not being all that untraceable, Bitcoin is catching some misguided flak as being a "criminal's currency")

Given that the seemingly apparent aspiration of the project (correct me if I am wrong) is to establish a widely accepted digital  "commodity money" that would be free from human monetary policy meddling and forced seizure (kind of like digital gold money), "hardcore no-holds-barred" anonymity might actually be counterproductive in the long term, since it would impede wide-scale merchant and institutional adoption (Many investors might choose to steer clear if you start signalling that you are, essentially, trading a "Los Zetas derivative" )

Current Bitcoin's condition of being "strongly pseudonymous" and "never forgetting" could be a sweet spot that gives average and above-average Joe just enough obfuscation to make invading their privacy too costly and time consuming while still being auditable enough to appeal to mainstream finance and large merchants.

Moving out of this sweet spot in any direction might be woeful.

Also, consider this - many investors who are currently "in BTC" (including people investing in expensive, complicated mining equipment like ASICs) have invested with their risk assessment being based upon understanding of bitcoin as "strong pseudonimity, moderate privacy" system.
By radically altering bitcoin's anonymity/privacy profile, one would be be voiding those people's assumptions regarding political, legal and regulatory risks and compromising their trust.


========

Disclosure:
I am actually a proponent of "absolutely anonymous" digital transaction mediums as a concept.

I am, however, dubious in regards to whether BTC should strive to become such a medium, given that it already has a notable investment, regulatory, and institutional infrastructure organized around a different set of privacy/anonymity assumptions.


========

Last part, ADHD version:

"Absolute" anonymity may have unforeseen regulatory, social, and financial consequences for "bitcoinomy".

Given that "bitcoinomy" is doing pretty fine with current level of "privacy/anonymity", it might be wise to avoid meddling with this property of Bitcoin.

You know ... the master plan

Just kidding. It's more like how I imagine things playing out combined with the existing work that we're doing. Here's what I sent to the ZeroCoin guys when I reviewed their paper:

Nice to hear some opinions on this. Doesn't look very promising based on looking at your feedback.

I agree that true anonymity is nice to have, but it must be able to accommodate the space limitations of the block chain. As far as I can see, the greatest concern is transction size. Going from 200 bytes to 50 kilobytes is simply not worth it.

What plan would that be?

I reviewed this paper back in early March. Matthew Greens blog post more or less echos the feedback I gave them back then (in particular, their understanding of the performance requirements of verification were badly incorrect). I also mentioned difficulty of implementing in SPV clients and the overall complexity of the scheme.

Overall, I think the plan we've been working towards for privacy will work better, or at least is more deployable. But it's great to see this kind of research - as Gregory says, these algorithms only ever get better.

My initial read of their paper was interesting, but it was two to three orders of magnitude more resource intensive than would be required to make it actually viable.  ... This is still impressive since 1000x too big/slow is still way better than infinite, which was the best alternative I had for something that was actually decentralized.

(The lay explanation of Bitcoin was _meh_ as it glosses over the blockchain which is the only really novel and somewhat non-obvious part of the system at large)

My greatest concerns were: 50Kbyte transactions with 0.5 second validation time, stored in a step-2-then-a-miracle-occurs (DHT, presumably an attack resistant one created by unicorns), with a cryptographic accumulator which grows without bound and can't be pruned like the block-chain or compactly zero trust queried like the UTXO can if we add a commuted UTXO tree.

Something like this could be used in an external system and tied in via N of M multisig, and the authors acknowledge that but if you're going to take accept a (distributed) point of trust for that, you can use a chaum token like service can be constructed less computationally and bandwidth intensive than this.

On the plus side— approaches can only get better.

Not sure how cryptocurrency is any less legitimate than actual cash, the only real difference is that it's not centralized and inflatable like a government made currency.

This already exists, it's reinventing the wheel.

Seems complicated, but also looks like serious work.  I will need some time to understand it.

It seems to me they overestimate the need for full anonymity, though.

Important work. Also if bitcoin does not adopt a robust privacy strategy it risks another alt-coin will gain a competitive first mover advantage for what I consider to be an extremely desirable (marketable) property for monetary instruments.

http://jheusser.github.io/2013/02/03/satcoin.html is also an interesting read, even though it might not help much with actual Bitcoin development.

I also lover this paper here though, great that people start thinking of new ways to make Bitcoin useful for some special purposes!

Sorry about the Off-topic: If someone out there wants to write/implement my proposal for an anonymity layer for Bitcoin, and has in depth knowledge of crypto and math, then I'd gladly co-author the paper on APPECoin...

My point is that it doesn't require a trusted third party.  Yes they seem horrible naive (academics usually are).  A privacy "coin" where the govt has the backdoor key has essentially no utility.  Bitcoin's pseudo-anonymous capabilities are more that sufficient for "casual anonymity" (not wanting your wife to know where you spend your money).  Anyone interested in something stronger isn't going to be ok with backdoors.

PAGE 3, first column:

" With no trusted parties, the accumulator and its associated witnesses must be publicly computable and
verifiable (though we are willing to relax this requirement to include a single, trusted setup phase in which parameters
are generated). "

PAGE 4, second column:

"We note that the Setup routine may be executed by a trusted party"

The point is that by choosing RSA as the crypto function, they require a TTP.

Maybe it could be adapted to other crypto function, but it will change all the procedures, since they use the internal mathematical properties of RSA.

Neat, so this is the replacement for mixers.

This is the first thing written about Bitcoin that's been worth reading in quite a while.

ByteCoin

The zerocoin paper doesn't indicate a trusted third party actually it indicates the exact opposite.