Topic: Zerocoin proofs reduced by 98%, will be released as an alternative coin. (Read 8024 times)

staff
Activity: 4284
Merit: 8808
Got it, for some reason I was not seeing that the coin owner knows their (blinded) coin ID from the moment the coin is created, and thus can track the proof for where that coin belongs in the spent tree... or they could not do so and trust that they'll be able to find someone else who has when they need it. Makes sense.
legendary
Activity: 905
Merit: 1012
Yes, it's exactly MMR applied to the Chaum token double-spend db. This solves the problem of maintaining that ever-increasing list of unblinded, spent tokens by pushing the problem out of the validators and onto the people holding the coins. Proof size grows with log2 the number of spent tokens, but the proofs can be thrown away once validated (as they can be reconstructed from the block chain history).

It doesn't link the spend to the original coin however, as we're only dealing with revelation of the unblinded tokens. You still need some sort of ZKP that the unblinded token was out of the original set of blinded tokens.
staff
Activity: 4284
Merit: 8808
I've found a way around this limitation using a variant of the UTXO proof tree structure. A tree containing all spent tokens is constructible from the spend history visible in the chain history. Anyone holding an unspent token maintains an insertion-proof into this tree, which is included as part of the spend. Validating nodes need only keep the root hash for a given series, which is updated after validating each spend.
Sounds a lot like the MMR stuff Peter Todd has been talking about, but I don't think it applies in the anonymous context.

In an anonymous system the unspent coins are blinded in some way or another and you use a proof to show that your spend is spending a coin from the set of unspent coins (without revealing which blind-unspent coin it was), and then that unblinded coin is put into a list to prevent spending it again.

Any way that avoids the storage problem by linking the spend to the particular unspent coin (e.g. removing it) isn't anonymous.

I know how to prevent it from growing forever though, but it trades off the anonymity set and the reliability of storage. E.g. you have generations of unspent coins, and all unspent coins from a particular generation must be spent before a certain time. Once that time passes your spent list can also be purged.

At least in what Peter Todd's been thinking about there is an additional complication that when adjacent branches in this updating tree of unspent outputs change you must update your proof... so it creates an interesting business opportunity for nodes that track the whole state in order to help offline spenders figure out the proof they need.


legendary
Activity: 905
Merit: 1012
* Spent coins list is needed for validation and grows forever (e.g. no pruning of the critical validation state).

I've found a way around this limitation using a variant of the UTXO proof tree structure. A tree containing all spent tokens is constructible from the spend history visible in the chain history. Anyone holding an unspent token maintains an insertion-proof into this tree, which is included as part of the spend. Validating nodes need only keep the root hash for a given series, which is updated after validating each spend.

But the other two points remain as major obstacles...
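The mechanism discussed in this exchange (a tree of spent tokens that anyone can rebuild from chain history, an "insertion proof" carried in each spend, validators keeping only the root, and proofs going stale when a neighbouring branch changes) can be illustrated with a sparse Merkle tree. The code below is an added example, not maaku's or Peter Todd's construction and not code from any Zerocoin implementation: it assumes a 256-bit key space indexed by the hash of the unblinded serial number, so every proof here has a fixed 256 siblings (the log2-of-spent-tokens proof size mentioned above corresponds to the compressed form, which this example does not implement). The serial numbers are constructed for the demo.

```python
import hashlib

DEPTH = 256  # one tree level per bit of the hashed serial number (assumption for this demo)


def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


# EMPTY[h] is the root of an empty subtree of height h; EMPTY[0] is an empty leaf.
EMPTY = [b"\x00" * 32]
for _ in range(DEPTH):
    EMPTY.append(H(EMPTY[-1], EMPTY[-1]))

PRESENT = H(b"spent")  # leaf value marking a slot whose serial has been spent


def key_of(serial: bytes) -> int:
    """Position of a serial number in the tree: its hash, read as a 256-bit integer."""
    return int.from_bytes(hashlib.sha256(b"leaf:" + serial).digest(), "big")


def root_of(keys: list, height: int = DEPTH) -> bytes:
    """Root of the tree holding exactly `keys`; rebuildable by anyone from the public spend history."""
    if not keys:
        return EMPTY[height]
    if height == 0:
        return PRESENT
    mask = 1 << (height - 1)  # bit that decides left (0) or right (1) at this level
    left = [k for k in keys if not k & mask]
    right = [k for k in keys if k & mask]
    return H(root_of(left, height - 1), root_of(right, height - 1))


def prove(keys: list, key: int) -> list:
    """Sibling hashes along the path to `key`, leaf level first. Works as a proof of
    absence (leaf EMPTY[0]) or presence (leaf PRESENT) depending on the leaf supplied."""
    siblings, subset = [], keys
    for height in range(DEPTH, 0, -1):
        mask = 1 << (height - 1)
        left = [k for k in subset if not k & mask]
        right = [k for k in subset if k & mask]
        if key & mask:
            siblings.append(root_of(left, height - 1))
            subset = right
        else:
            siblings.append(root_of(right, height - 1))
            subset = left
    siblings.reverse()
    return siblings


def root_from_proof(key: int, leaf: bytes, siblings: list) -> bytes:
    """Recompute the root implied by a leaf value and its sibling path."""
    node = leaf
    for height, sib in enumerate(siblings):
        node = H(sib, node) if key & (1 << height) else H(node, sib)
    return node


class Validator:
    """Keeps nothing but the current root of the spent-token tree."""

    def __init__(self):
        self.root = EMPTY[DEPTH]

    def validate_spend(self, serial: bytes, proof: list) -> bool:
        key = key_of(serial)
        # The spend must prove the slot is still empty against the root we hold.
        # A double spend (slot already PRESENT) or a stale proof both fail here.
        if root_from_proof(key, EMPTY[0], proof) != self.root:
            return False
        # Same path, leaf flipped to PRESENT: the new root needs no other state.
        self.root = root_from_proof(key, PRESENT, proof)
        return True


def demo() -> dict:
    validator = Validator()
    chain_history = []  # public list of spent serials, from which anyone can rebuild the tree
    alice, bob = b"serial-alice", b"serial-bob"  # constructed serials for the demo

    alice_proof = prove([], key_of(alice))
    bob_proof = prove([], key_of(bob))  # Bob builds his proof while the tree is still empty

    first = validator.validate_spend(alice, alice_proof)
    chain_history.append(alice)
    double = validator.validate_spend(alice, alice_proof)  # slot now PRESENT: rejected
    stale = validator.validate_spend(bob, bob_proof)  # Alice's spend changed a shared ancestor

    # Bob refreshes his proof from the public history and succeeds.
    bob_proof = prove([key_of(s) for s in chain_history], key_of(bob))
    refreshed = validator.validate_spend(bob, bob_proof)
    chain_history.append(bob)

    return {
        "first_spend": first,
        "double_spend": double,
        "stale_proof": stale,
        "refreshed_proof": refreshed,
        "root_matches_history": validator.root == root_of([key_of(s) for s in chain_history]),
        "proof_len": len(bob_proof),
    }


if __name__ == "__main__":
    print(demo())
```

The validator's state is one 32-byte root regardless of how many tokens have been spent; the spent list itself lives only in the public history, and the burden of keeping a current proof falls on the coin holder (or a service that tracks the tree for them), which is exactly the trade-off described above.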
legendary
Activity: 1148
Merit: 1014
In Satoshi I Trust
who are the Devs behind this idea?
newbie
Activity: 34
Merit: 0
There are people very interested in ZC and who are watching closely. For various reasons they will not be appearing on BTCtalk Smiley
staff
Activity: 4284
Merit: 8808
My understanding was that the size of the proofs was the primary hurdle to implementation. Is that true?
There were several other additional limitations:

* Very slow to validate (e.g. on the order of 1-2 tx per second)
* Required a trusted party to initiate the accumulator, and if they violate that trust they could steal coins
* Uses cryptography which is less well studied
* Only handled anonymized coins with one value, reducing the anonymity set size substantially
* Didn't conceal values
* Spent coins list is needed for validation and grows forever (e.g. no pruning of the critical validation state).

Of these only the first two and the last are probably real barriers, the others are more "doesn't work as well as some hypothetical future system might".

There was no way within their prior system to achieve size reductions to the currently mentioned. I'd speculated in some other threads on some technology that could make the proofs smaller and faster, but if they've gone that route there may be some other consequences. It's hard to say much of anything useful without more information being made public.

I would note that the prior ZC implementation has been made available for some time now, and no altcoin has picked it up.
sr. member
Activity: 476
Merit: 251
COINECT
bitcoin and litecoin can just add the zerocoin protocol once it's an altcoin.

I don't know much about Litecoin's internal politics but with all of the forces surrounding Bitcoin these days it's not guaranteed that the developers would rush to implement Zerocoin. That's why it's important that the community stays on top of the situation.
hero member
Activity: 770
Merit: 500
bitcoin and litecoin can just add the zerocoin protocol once it's an altcoin.
sr. member
Activity: 476
Merit: 251
COINECT
Could a Bitcoin developer clarify whether these changes make Zerocoin appropriate for inclusion in Bitcoin or not? As far as I understand it the privacy provided by things like CoinJoin and CoinSwap aren't really comparable.
Until they release details (ie a paper or source code) on what they are actually going to do, that's impossible to do.

My understanding was that the size of the proofs was the primary hurdle to implementation. Is that true?

Yes, when the original paper was released the main point to dismiss zerocoin was the size of the transactions and the strain that would cause on the blockchain.

Then assuming they're not lying the prospects for implementation look good as long as certain political forces don't get involved.
legendary
Activity: 1176
Merit: 1015
Could a Bitcoin developer clarify whether these changes make Zerocoin appropriate for inclusion in Bitcoin or not? As far as I understand it the privacy provided by things like CoinJoin and CoinSwap aren't really comparable.
Until they release details (ie a paper or source code) on what they are actually going to do, that's impossible to do.

My understanding was that the size of the proofs was the primary hurdle to implementation. Is that true?

Yes, when the original paper was released the main point to dismiss zerocoin was the size of the transactions and the strain that would cause on the blockchain.
sr. member
Activity: 476
Merit: 251
COINECT
Could a Bitcoin developer clarify whether these changes make Zerocoin appropriate for inclusion in Bitcoin or not? As far as I understand it the privacy provided by things like CoinJoin and CoinSwap aren't really comparable.
Until they release details (ie a paper or source code) on what they are actually going to do, that's impossible to do.

My understanding was that the size of the proofs was the primary hurdle to implementation. Is that true?
hero member
Activity: 812
Merit: 1022
No Maps for These Territories
Could a Bitcoin developer clarify whether these changes make Zerocoin appropriate for inclusion in Bitcoin or not? As far as I understand it the privacy provided by things like CoinJoin and CoinSwap aren't really comparable.
Until they release details (ie a paper or source code) on what they are actually going to do, that's impossible to do.
sr. member
Activity: 476
Merit: 251
COINECT
Could a Bitcoin developer clarify whether these changes make Zerocoin appropriate for inclusion in Bitcoin or not? As far as I understand it the privacy provided by things like CoinJoin and CoinSwap aren't really comparable.
full member
Activity: 238
Merit: 100

however an early developer of Bitcoin once said that if an alternative coin overtakes Bitcoin for no reason, it will destroy all confidence in crypto-currencies


I would not buy that argument just yet. If bitcoin dies, sure, but there is no reason why several alternative coins can't be in flux at the same time.
full member
Activity: 121
Merit: 103
As others have said, it looks like CoinJoin etc which already function through the blockchain work and are available to use now rather than later.

It just looks like the end user at this point doesn't have a lot of interest in it.

suffice it to say that I'm rather familiar with the fact that users rarely seek out security.

if mixing and privacy protection is a bolt-on service for BTC, you are right to call out that few people will opt in. having a coin that is private by default would be a big win imo.
legendary
Activity: 1484
Merit: 1005
As others have said, it looks like CoinJoin etc which already function through the blockchain work and are available to use now rather than later.

It just looks like the end user at this point doesn't have a lot of interest in it.
member
Activity: 98
Merit: 10
nearly dead
That certifications link missed by a long shot the certifications I'm referring to, I'm talking about people (core developers) mixing open source with certifications based on features (HINT: it is even more recent than mike's thing).

Ha, the Dark Wallet Certification thing? You are so incredibly wrong:

I see you like Mike as all your links are from him, so here is another one: http://www.reddit.com/r/Bitcoin/comments/1qmbtu/mike_hearn_chair_of_the_bitcoin_foundations_law/cdeicu0. You have to weigh in the company funding Mike's development, you can't ignore that and you also can't completely blame Mike for his actions, or attempts, after knowing that.

For the sake of argument, let's assume Mike is an android built by the NSA to infiltrate us all.


I stopped here, but I tried very hard to not stop earlier. Your guidelines thing is exactly what I mentioned in a thread where another developer is wishing for certifications, several of them.

I have no idea why you put NSA there, I'm talking about Google.
legendary
Activity: 1120
Merit: 1164
That certifications link missed by a long shot the certifications I'm referring to, I'm talking about people (core developers) mixing open source with certifications based on features (HINT: it is even more recent than mike's thing).

Ha, the Dark Wallet Certification thing? You are so incredibly wrong:

I see you like Mike as all your links are from him, so here is another one: http://www.reddit.com/r/Bitcoin/comments/1qmbtu/mike_hearn_chair_of_the_bitcoin_foundations_law/cdeicu0. You have to weigh in the company funding Mike's development, you can't ignore that and you also can't completely blame Mike for his actions, or attempts, after knowing that.

For the sake of argument, let's assume Mike is an android built by the NSA to infiltrate us all.

Do you think you're going to do a better job of stopping said Bitcoin-development subverting android by a: complaining, or b: getting shit done.

I'll give you a hint: someone else already did the job of complaining much better than you're doing. Let's count that: four tightly written paragraphs, one verbatim quote, cross-posted on two forums, and results? Over three main threads we've got 32k hits and 811 replies on this forum alone, including responses by people worth listening to like Adam Back and Gregory Maxwell, an article on CoinDesk, CoinJoin bounty is up +8 BTC and the Dark Wallet campaign is nearly fully funded - that's some effective complaining. Not so effective computer security, but yeah... I'm pissed off about that.

You on the other hand, you're just annoying people like myself who are actually flying halfway across the world in two weeks to go make CoinJoin happen and make Mike's misguided ideas about blacklists irrelevant. So I dunno, unless you want to surprise me by showing me that you're good at getting shit done, go away. Delete your trolling posts while you're at it.

And you know, if you want to get better at it, you can start by saying things that actually make sense.
hero member
Activity: 772
Merit: 501
If you'd back up your claims about certifications with a link I could actually check it. I'm not going to just take your word for it.

As for Hearn's comment, there's nothing there that hasn't been addressed.
