Bitcoin Forum

Alternate cryptocurrencies => Altcoin Discussion => Topic started by: moni3z on May 19, 2014, 05:05:19 AM



Title: Zerocash paper released
Post by: moni3z on May 19, 2014, 05:05:19 AM
http://zerocash-project.org/
Presented today at IEEE Security & Privacy conference.

tl;dr

Essentially you can encrypt transactions using zero knowledge proofs so the system can verify they are valid without knowing any details about them. It's an add-on to existing cryptocurrencies to create a cash-like function to thwart metadata/tracking.

Also "We plan to release an altcoin that uses the Zerocash protocol." so you can mine this new coin to try the cash feature, or devs can drop it in an existing altcoin to get an anonymous cash feature. No idea if Bitcoin devs will include it but I imagine most altcoins will from now on once they release their client.

Trusted crypto engineers developed it, like Matthew Green http://zerocash-project.org/about_us
He has more info on his site http://blog.cryptographyengineering.com/

Edit: remember Zerocash != Zerocoin



Title: Re: Zerocoin (Zerocash) paper released
Post by: stealth923 on May 19, 2014, 05:45:23 AM
http://zerocash-project.org/q_and_a
"Zerocash requires a trusted entity to conduct a one-time setup of the parameters of the system. During the setup procedure, secret random bits are drawn and used to compute the public parameters; the random bits are then destroyed, and the parameters are broadcast. "

http://zerocash-project.org/media/pdf/zerocash-oakland2014.pdf
"This work was supported by: ; the U.S. Defense Advanced Research Projects Agency (DARPA) and the Air Force Research Laboratory (AFRL) under contract FA8750-11-2-0211;"

If you held the key to something which could be worth a lot of money or sell later on - would you destroy it.....Would you trust that process or if the key is sold to the highest bidder/NSA, unmasking the entire block chain only for them...

Not to mention massive single point of failure! - Crack the "random bits" used during setup...the entire currency becomes worthless...


No Thanks....


Title: Re: Zerocash paper released
Post by: shekelsteingoyberg2 on May 19, 2014, 06:23:33 AM
https://forum.cryptonote.org/viewtopic.php?f=2&t=18

"Another important note is about trusted setup in Zerocoin. In easy words the whole system is based on some secret values nobody should know (for example, this secret allows to make a double spend). How to acquire these values? ZC devs says: we can generate them and then "forget" OR we can implement the special algorithm to do in a distributed way at the system start (everybody know only his own part of the secret). The second option, of course, is preferable, but the problem of trust still remains: there is no way for new users to be sure they are not fooled by the early adopters, who has generated the secret values. As you guess, our system has no such trapdoors: every parameter is public, as in original Bitcoin. We consider this as a major advantage over ZC."

Essentially this means Israel/USA may control Zerocash completely. I'm tempted to say screw Zerocash.

Why should we entrust Zerocash?
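
The distributed option mentioned in the quoted CryptoNote note above (each participant knows only his own part of the secret) can be sketched as follows. This is an added toy example, not code from the Zerocash or CryptoNote projects and not Zerocash's actual parameter generation; the small group and the names `contribute`, `verify_transcript` and `combined_trapdoor` are assumptions made for illustration.

```python
import hashlib
import math
import secrets

# Toy Schnorr group (illustrative size only): subgroup of prime order Q in Z_p*.
Q = 2**61 - 1  # a Mersenne prime, used as the subgroup order


def find_group():
    """Find a prime p = k*Q + 1 and a generator g of the order-Q subgroup.

    Primality of p is proven with Pocklington's criterion (base 2), which
    applies because the known prime factor Q of p-1 exceeds sqrt(p).
    """
    k = 2
    while True:
        p = k * Q + 1
        g = pow(2, k, p)  # 2^((p-1)/Q)
        if pow(2, p - 1, p) == 1 and math.gcd(g - 1, p) == 1:
            return p, g  # g != 1 and g^Q == 1, so g has order exactly Q
        k += 2


P, G = find_group()


def challenge(*values):
    """Fiat-Shamir challenge: hash of the public values, reduced mod Q."""
    data = b"|".join(str(v).encode() for v in values)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def contribute(prev, share):
    """One participant raises the running parameter to a private share and
    attaches a Chaum-Pedersen proof that pub = G^share and new = prev^share
    use the same exponent, without revealing the share."""
    pub, new = pow(G, share, P), pow(prev, share, P)
    k = secrets.randbelow(Q - 1) + 1          # one-time nonce
    t1, t2 = pow(G, k, P), pow(prev, k, P)
    c = challenge(prev, pub, new, t1, t2)
    z = (k + c * share) % Q
    return {"prev": prev, "pub": pub, "new": new, "t1": t1, "t2": t2, "z": z}


def verify_step(step):
    """Public check of one contribution; needs no secret input."""
    new = step["new"]
    if not (1 < new < P) or pow(new, Q, P) != 1:  # must stay in the subgroup
        return False
    c = challenge(step["prev"], step["pub"], new, step["t1"], step["t2"])
    ok1 = pow(G, step["z"], P) == step["t1"] * pow(step["pub"], c, P) % P
    ok2 = pow(step["prev"], step["z"], P) == step["t2"] * pow(new, c, P) % P
    return ok1 and ok2


def run_ceremony(shares):
    """Chain the contributions; returns (final public parameter, transcript)."""
    acc, transcript = G, []
    for share in shares:
        step = contribute(acc, share)
        transcript.append(step)
        acc = step["new"]
    return acc, transcript


def verify_transcript(transcript, final):
    """Anyone can replay the chain and check every proof."""
    acc = G
    for step in transcript:
        if step["prev"] != acc or not verify_step(step):
            return False
        acc = step["new"]
    return acc == final


def combined_trapdoor(shares):
    """The secret behind the final parameter: the product of ALL shares.
    Computing it requires every participant's share, so a single
    participant who really deletes their share keeps it unknown."""
    t = 1
    for share in shares:
        t = t * share % Q
    return t


if __name__ == "__main__":
    # Constructed sample shares; a real participant would draw them at
    # random and delete them after contributing.
    shares = [secrets.randbelow(Q - 1) + 1 for _ in range(3)]
    final, transcript = run_ceremony(shares)
    print("transcript verifies:", verify_transcript(transcript, final))
    print("final == G^(s1*s2*s3):",
          pow(G, combined_trapdoor(shares), P) == final)
```

The proofs let a latecomer check that each step was formed correctly, but they cannot show that any participant actually deleted their share, which is the remaining trust assumption the quoted note points at.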


Title: Re: Zerocoin (Zerocash) paper released
Post by: moni3z on May 19, 2014, 06:40:35 AM
http://zerocash-project.org/q_and_a
"Zerocash requires a trusted entity to conduct a one-time setup of the parameters of the system. During the setup procedure, secret random bits are drawn and used to compute the public parameters; the random bits are then destroyed, and the parameters are broadcast. "

http://zerocash-project.org/media/pdf/zerocash-oakland2014.pdf
"This work was supported by: ; the U.S. Defense Advanced Research Projects Agency (DARPA) and the Air Force Research Laboratory (AFRL) under contract FA8750-11-2-0211;"

If you held the key to something which could be worth a lot of money or sell later on - would you destroy it.....Would you trust that process or if the key is sold to the highest bidder/NSA, unmasking the entire block chain only for them...

Not to mention massive single point of failure! - Crack the private key...the entire currency becomes worthless...


No Thanks....

There is no private key. There is a one-time setup where random bits are pulled, and you have to trust that entity isn't storing them just like you have to trust your CPU manufacturer hasn't left in backdoors to remotely flip your CPU to Ring 0, that Gavin won't sell the alert key to the highest bidder to spam the system, that whatever altcoin you're using isn't built with backdoored curves, that all miners won't conspire for an attack on the system etc. etc.

This uses zero knowledge proofs which allows the system to do valid transactions without knowing the details of who transferred to who. You integrate it with an existing cryptocurrency, Litecoin or anybody else could add Zerocash as a feature.


Title: Re: Zerocoin (Zerocash) paper released
Post by: stealth923 on May 19, 2014, 06:55:54 AM
http://zerocash-project.org/q_and_a
"Zerocash requires a trusted entity to conduct a one-time setup of the parameters of the system. During the setup procedure, secret random bits are drawn and used to compute the public parameters; the random bits are then destroyed, and the parameters are broadcast. "

http://zerocash-project.org/media/pdf/zerocash-oakland2014.pdf
"This work was supported by: ; the U.S. Defense Advanced Research Projects Agency (DARPA) and the Air Force Research Laboratory (AFRL) under contract FA8750-11-2-0211;"

If you held the key to something which could be worth a lot of money or sell later on - would you destroy it.....Would you trust that process or if the key is sold to the highest bidder/NSA, unmasking the entire block chain only for them...

Not to mention massive single point of failure! - Crack the private key...the entire currency becomes worthless...


No Thanks....

There is no private key. There is a one-time setup where random bits are pulled, and you have to trust that entity isn't storing them just like you have to trust your CPU manufacturer hasn't left in backdoors to remotely flip your CPU to Ring 0, that Gavin won't sell the alert key to the highest bidder to spam the system, that whatever altcoin you're using isn't built with backdoored curves, that all miners won't conspire for an attack on the system etc. etc.

This uses zero knowledge proofs which allows the system to do valid transactions without knowing the details of who transferred to who. You integrate it with an existing cryptocurrency, Litecoin or anybody else could add Zerocash as a feature.

Apologies - I meant if someone cracks the "random bits" that are used as part of the initial setup...then it's worthless.....updated my original post.


Title: Re: Zerocoin (Zerocash) paper released
Post by: moni3z on May 19, 2014, 07:00:51 AM
http://zerocash-project.org/q_and_a
"Zerocash requires a trusted entity to conduct a one-time setup of the parameters of the system. During the setup procedure, secret random bits are drawn and used to compute the public parameters; the random bits are then destroyed, and the parameters are broadcast. "

http://zerocash-project.org/media/pdf/zerocash-oakland2014.pdf
"This work was supported by: ; the U.S. Defense Advanced Research Projects Agency (DARPA) and the Air Force Research Laboratory (AFRL) under contract FA8750-11-2-0211;"

If you held the key to something which could be worth a lot of money or sell later on - would you destroy it.....Would you trust that process or if the key is sold to the highest bidder/NSA, unmasking the entire block chain only for them...

Not to mention massive single point of failure! - Crack the private key...the entire currency becomes worthless...


No Thanks....

There is no private key. There is a one-time setup where random bits are pulled, and you have to trust that entity isn't storing them just like you have to trust your CPU manufacturer hasn't left in backdoors to remotely flip your CPU to Ring 0, that Gavin won't sell the alert key to the highest bidder to spam the system, that whatever altcoin you're using isn't built with backdoored curves, that all miners won't conspire for an attack on the system etc. etc.

This uses zero knowledge proofs which allows the system to do valid transactions without knowing the details of who transferred to who. You integrate it with an existing cryptocurrency, Litecoin or anybody else could add Zerocash as a feature.

Apologies - I meant if someone cracks the "random bits" that are used as part of the initial setup...then it's worthless.....updated my original post.

The coin is still worth whatever its value, all Zerocash does is add a feature where you can now trade coins like cash with no trace on the blockchain. So if Zerocash fails then people can read the blockchain like normal and see transactions going to various addresses, which they can already see now. It's unlikely the developers of say, Litecoin would copy /dev/urandom during setup so you can likely trust them. Or trust yourself, if you decided to release your own altcoin and add this feature in.


Title: Re: Zerocoin (Zerocash) paper released
Post by: stealth923 on May 19, 2014, 07:14:23 AM
http://zerocash-project.org/q_and_a
"Zerocash requires a trusted entity to conduct a one-time setup of the parameters of the system. During the setup procedure, secret random bits are drawn and used to compute the public parameters; the random bits are then destroyed, and the parameters are broadcast. "

http://zerocash-project.org/media/pdf/zerocash-oakland2014.pdf
"This work was supported by: ; the U.S. Defense Advanced Research Projects Agency (DARPA) and the Air Force Research Laboratory (AFRL) under contract FA8750-11-2-0211;"

If you held the key to something which could be worth a lot of money or sell later on - would you destroy it.....Would you trust that process or if the key is sold to the highest bidder/NSA, unmasking the entire block chain only for them...

Not to mention massive single point of failure! - Crack the private key...the entire currency becomes worthless...


No Thanks....

There is no private key. There is a one-time setup where random bits are pulled, and you have to trust that entity isn't storing them just like you have to trust your CPU manufacturer hasn't left in backdoors to remotely flip your CPU to Ring 0, that Gavin won't sell the alert key to the highest bidder to spam the system, that whatever altcoin you're using isn't built with backdoored curves, that all miners won't conspire for an attack on the system etc. etc.

This uses zero knowledge proofs which allows the system to do valid transactions without knowing the details of who transferred to who. You integrate it with an existing cryptocurrency, Litecoin or anybody else could add Zerocash as a feature.

Apologies - I meant if someone cracks the "random bits" that are used as part of the initial setup...then it's worthless.....updated my original post.

The coin is still worth whatever its value, all Zerocash does is add a feature where you can now trade coins like cash with no trace on the blockchain. So if Zerocash fails then people can read the blockchain like normal and see transactions going to various addresses, which they can already see now. It's unlikely the developers of say, Litecoin would copy /dev/urandom during setup so you can likely trust them. Or trust yourself, if you decided to release your own altcoin and add this feature in.


I can see the value proposition of adding on top of the coin but imagine if LiteCoin implemented ZeroCash, its value went up as people used it more....The coin dev secretly kept the setup key or someone cracked it...everyone's hidden transactions were broadcast.

I don't think people would a) want to use the currency anymore b) sell off as fast as possible....worthless...


Title: Re: Zerocoin (Zerocash) paper released
Post by: shekelsteingoyberg2 on May 19, 2014, 07:34:08 AM
I can see the value proposition of adding on top of the coin but imagine if LiteCoin implemented ZeroCash, its value went up as people used it more....The coin dev secretly kept the setup key or someone cracked it...everyone's hidden transactions were broadcast.

I don't think people would a) want to use the currency anymore b) sell off as fast as possible....worthless...

Exactly, it sounds like an NSA/GCHQ/Israeli backdoor or a disaster waiting to happen.
Darkcoin will be implementing Cryptonote ring signatures in version 2, so Zerocash is practically pointless as long as the Darkcoin team keeps working.


Title: Re: Zerocash paper released
Post by: calvinstm on May 19, 2014, 10:07:04 AM
Does anyone know what happened to the zerocoin project? Where can I purchase it?

Thankx!  :)


Title: Re: Zerocoin (Zerocash) paper released
Post by: gmaxwell on May 19, 2014, 10:08:54 AM
Darkcoin will be implementing Cryptonote ring signatures in version 2, so Zerocash is practically pointless as long as the Darkcoin team keeps working.
Why wait for darkcoin v2? I mean if it's just copying stuff in bytecoin then you can already use that.


Title: Re: Zerocash paper released
Post by: gmaxwell on May 19, 2014, 10:11:41 AM
I made a number of technical comments on it on Hacker news, along with some comparisons with some of the alternatives, https://news.ycombinator.com/item?id=7765455


Title: Re: Zerocash paper released
Post by: Vertcoin on May 19, 2014, 12:39:35 PM
I made a number of technical comments on it on Hacker news, along with some comparisons with some of the alternatives, https://news.ycombinator.com/item?id=7765455

What is your username in Hacker news, so I can read it correctly.


Title: Re: Zerocoin (Zerocash) paper released
Post by: drawingthesun on May 19, 2014, 01:07:43 PM
Darkcoin will be implementing Cryptonote ring signatures in version 2, so Zerocash is practically pointless as long as the Darkcoin team keeps working.
Why wait for darkcoin v2? I mean if it's just copying stuff in bytecoin then you can already use that.

Or use Monero.


Title: Re: Zerocoin (Zerocash) paper released
Post by: Brilliantrocket on May 19, 2014, 02:23:06 PM
Darkcoin will be implementing Cryptonote ring signatures in version 2, so Zerocash is practically pointless as long as the Darkcoin team keeps working.
Why wait for darkcoin v2? I mean if it's just copying stuff in bytecoin then you can already use that.
Because it wasn't 80% premined on the dark web?


Title: Re: Zerocash paper released
Post by: Brilliantrocket on May 19, 2014, 02:24:21 PM
You'd have to be an idiot to use Zerocash, considering who funded the research.


Title: Re: Zerocash paper released
Post by: gmaxwell on May 19, 2014, 05:55:29 PM
What is your username in Hacker news, so I can read it correctly.
NullC.


Title: Re: Zerocash paper released
Post by: dewdeded on May 19, 2014, 05:58:46 PM
Why wait for darkcoin v2? I mean if it's just copying stuff in bytecoin then you can already use that.
Gregory, can you please give your full opinion or even better an analysis of ZeroCash and the new ZeroCash paper?
Many people would be interested in reading this, because they trust you very much.


Title: Re: Zerocash paper released
Post by: moni3z on May 19, 2014, 06:11:19 PM
Why wait for darkcoin v2? I mean if it's just copying stuff in bytecoin then you can already use that.
Gregory, can you please give your full opinion or even better an analysis of ZeroCash and the new ZeroCash paper?
Many people would be interested in reading this, because they trust you very much.

He did on HN
https://news.ycombinator.com/threads?id=nullc


Title: Re: Zerocash paper released
Post by: dewdeded on May 19, 2014, 06:16:45 PM
Thank you.


Title: Re: Zerocash paper released
Post by: Joshuar on May 19, 2014, 06:19:24 PM
You'd have to be an idiot to use Zerocash, considering who funded the research.

This^^, Zerocash has too many flaws. Rather use Darkcoin.


Title: Re: Zerocash paper released
Post by: IloveAnonCoin on May 19, 2014, 06:21:09 PM
You'd have to be an idiot to use Zerocash, considering who funded the research.

This^^, Zerocash has too many flaws. Rather use Darkcoin.

Have you read the paper ?


Title: Re: Zerocash paper released
Post by: drawingthesun on May 19, 2014, 06:21:55 PM
You'd have to be an idiot to use Zerocash, considering who funded the research.

This^^, Zerocash has too many flaws. Rather use Darkcoin.

Zerocoin and Darkcoin have flaws.

Monero on the other hand...


Title: Re: Zerocash paper released
Post by: drawingthesun on May 19, 2014, 06:22:28 PM
You'd have to be an idiot to use Zerocash, considering who funded the research.

This^^, Zerocash has too many flaws. Rather use Darkcoin.

Have you read the paper ?

The accumulator creation event is the flaw.

It can never be trusted.


Title: Re: Zerocash paper released
Post by: Joshuar on May 19, 2014, 06:23:54 PM
You'd have to be an idiot to use Zerocash, considering who funded the research.

This^^, Zerocash has too many flaws. Rather use Darkcoin.

Zerocoin and Darkcoin have flaws.

Monero on the other hand...

Darkcoin will be implementing Ring Signatures and I2P, plus its existing masternodes which is better anonymity than Monero/Bytecoin I'm sorry to say, we also don't know that much about the CryptoNote protocol.



Title: Re: Zerocash paper released
Post by: Joshuar on May 19, 2014, 06:24:58 PM
You'd have to be an idiot to use Zerocash, considering who funded the research.

This^^, Zerocash has too many flaws. Rather use Darkcoin.

Have you read the paper ?

The accumulator creation event is the flaw.

It can never be trusted.

This^^^^^
Zerocash requires a level of trust that Darkcoin doesn't need, and that level of trust is its biggest failure..


Title: Re: Zerocash paper released
Post by: giveBTCpls on May 19, 2014, 06:34:54 PM
You'd have to be an idiot to use Zerocash, considering who funded the research.

This^^, Zerocash has too many flaws. Rather use Darkcoin.

Zerocoin and Darkcoin have flaws.

Monero on the other hand...

Darkcoin will be implementing Ring Signatures and I2P, plus its existing masternodes which is better anonymity than Monero/Bytecoin I'm sorry to say, we also don't know that much about the CryptoNote protocol.



Masternodes can be traced and DDoS'd, Monero's technology is safer. By the time Darkcoin adds Ring Signatures, Monero will take the lead as the to-go anon route of the crypto world.


Title: Re: Zerocash paper released
Post by: Joshuar on May 19, 2014, 06:36:33 PM
You'd have to be an idiot to use Zerocash, considering who funded the research.

This^^, Zerocash has too many flaws. Rather use Darkcoin.

Zerocoin and Darkcoin have flaws.

Monero on the other hand...

Darkcoin will be implementing Ring Signatures and I2P, plus its existing masternodes which is better anonymity than Monero/Bytecoin I'm sorry to say, we also don't know that much about the CryptoNote protocol.



Masternodes can be traced and DDoS'd, Monero's technology is safer. By the time Darkcoin adds Ring Signatures, Monero will take the lead as the to-go anon route of the crypto world.

Darkcoin isn't just implementing Ring Signatures, but I2P as well...those two combined with Masternodes gives a much superior anonymity than just Ring Signatures alone like in Monero....


Title: Re: Zerocash paper released
Post by: fluffypony on May 19, 2014, 06:39:02 PM
Darkcoin will be implementing Ring Signatures and I2P, plus its existing masternodes which is better anonymity than Monero/Bytecoin I'm sorry to say, we also don't know that much about the CryptoNote protocol.

"will be implementing" vs. "already in use"

Yeah, I think I'll stick to what works.

I2P is far from the holy grail for anonymity.

Also please don't talk about masternodes like they're a good thing, it's trivially easy to take out a significant portion (if not all) masternodes through a simple DDoS and keep a set of malicious masternodes online, giving someone like the NSA effective control of the path the coins take. So not only does it not provide "better anonymity" in actuality, but it provides an attacker with a neat way of controlling the flow of currency whilst still retaining the veil of anonymity.


Title: Re: Zerocash paper released
Post by: fluffypony on May 19, 2014, 06:43:57 PM
I made a number of technical comments on it on Hacker news, along with some comparisons with some of the alternatives, https://news.ycombinator.com/item?id=7765455

I just info-dumped to you on IRC, I'll repeat here:

[20:29:58]  fluffypony:    just fyi in case you weren't aware
[20:30:04]  fluffypony:    we forked Bytecoin to Monero nearly a month ago
[20:30:07]  fluffypony:    and gave it a fair launch
[20:30:19]  fluffypony:    because there is much fishiness about the "2 years in hiding on the darkweb"
[20:30:38]  fluffypony:    they also released a purposely crippled miner, with crazy amounts of obfuscation
[20:30:54]  fluffypony:    took very little unravelling to get it performing at 12x the levels it shipped at
[20:32:05]  fluffypony:    lastly, even if it genuinely has been around for 2 years "in sekrit on the darkwebz" and that isn't just a massive excuse for a premine over a few months with falsified blockchain dates and then a release of a crippled miner to inflate the timescale, how on earth did it exist for 2 years and the RPC API is thoroughly broken?
[20:32:34]  fluffypony:    we've had to do so much fixing, and the documentation on their wiki is wrong (eg. a trailing slash on the JSON RPC API URL when there is none, the slash causes a 404)
[20:33:18]  fluffypony:    I can't possibly imagine that developers of a cryptocurrency in use and development for 2 years can't be bothered to make sure the transfer method of the API works


Let's sing the technical praises for what Bytecoin has brought to the table, but let's use the variant without the 80% premine k?


Title: Re: Zerocash paper released
Post by: drawingthesun on May 19, 2014, 06:46:30 PM
Let's sing the technical praises for what Bytecoin has brought to the table, but let's use the variant without the 80% premine k?

Bytecoin's chain is already 1.8 years old. How crazy, I thought it was only released 9 weeks ago!


Title: Re: Zerocash paper released
Post by: moni3z on May 19, 2014, 06:54:02 PM
Lol 2yr premine. I also don't like the one time 'trusted entity' part about ZeroCash though I'm still going to mine their altcoin to check it out. Regardless you can just launder/tumble coins after using Zerocash if whatever you were doing required complete transaction history obfuscation


Title: Re: Zerocash paper released
Post by: TTM on May 19, 2014, 06:59:27 PM
Zerocash: made by serious scientists, strongest privacy but totally new, untested technology. It might have exploits we don't know yet. Even Matthew Green himself advised people not to invest too much hope and money into his design.

Monero: less privacy than Zerocash but appears to be 'more safe' because it utilizes an existing technology.

Darkcoin: worst privacy because of inferior CoinJoin technique, instamined coin. Its anonymity is centralized on a small group of 'masternodes', which is not good for 'decentralized currency'.


Title: Re: Zerocash paper released
Post by: drawingthesun on May 19, 2014, 07:04:18 PM
Zerocash: made by serious scientists, strongest privacy but totally new, untested technology. It might have exploits we don't know yet. Even Matthew Green himself advised people not to invest too much hope and money into his design.

Monero: less privacy than Zerocash but appears to be 'more safe' because it utilizes an existing technology.

Darkcoin: worst privacy because of inferior CoinJoin technique, instamined coin. Its anonymity is centralized on a small group of 'masternodes', which is not good for 'decentralized currency'.

Well Zerocash is forever trusted, that might be an issue especially for people looking for private trustless transactions.



Title: Re: Zerocash paper released
Post by: Brilliantrocket on May 19, 2014, 07:04:57 PM
You'd have to be an idiot to use Zerocash, considering who funded the research.

This^^, Zerocash has too many flaws. Rather use Darkcoin.

Zerocoin and Darkcoin have flaws.

Monero on the other hand...
Don't act like Monero doesn't have flaws. Refer to Anonymint's posts in the Monero thread.


Title: Re: Zerocash paper released
Post by: drawingthesun on May 19, 2014, 07:06:29 PM
You'd have to be an idiot to use Zerocash, considering who funded the research.

This^^, Zerocash has too many flaws. Rather use Darkcoin.

Zerocoin and Darkcoin have flaws.

Monero on the other hand...
Don't act like Monero doesn't have flaws. Refer to Anonymint's posts in the Monero thread.

Interesting, I haven't read the entire thread, can you link me please. :)


Title: Re: Zerocash paper released
Post by: TTM on May 19, 2014, 07:10:09 PM
You'd have to be an idiot to use Zerocash, considering who funded the research.

This^^, Zerocash has too many flaws. Rather use Darkcoin.

Zerocoin and Darkcoin have flaws.

Monero on the other hand...
Don't act like Monero doesn't have flaws. Refer to Anonymint's posts in the Monero thread.

lol AnonyMint again, he even said Bitcoin is flawed many times. Should we listen to him, abandon all crypto and back to use fiat ?

But somehow he's right, all crypto coins are not perfect at the moment. Bitcoin once had a deadly loophole that could be exploited to create an infinite amount of coins.


Title: Re: Zerocash paper released
Post by: Brilliantrocket on May 19, 2014, 07:10:28 PM
You'd have to be an idiot to use Zerocash, considering who funded the research.

This^^, Zerocash has too many flaws. Rather use Darkcoin.

Zerocoin and Darkcoin have flaws.

Monero on the other hand...
Don't act like Monero doesn't have flaws. Refer to Anonymint's posts in the Monero thread.

Interesting, I haven't read the entire thread, can you link me please. :)

https://bitcointalk.org/index.php?topic=583449.1340

"So we can see as it is currently structured, CryptoNote doesn't really support anonymity much.

Sorry to blow holes in your enthusiasm. Reality sucks if you haven't taken the time to do some serious work before launching."



Title: Re: Zerocash paper released
Post by: Brilliantrocket on May 19, 2014, 07:11:59 PM
You'd have to be an idiot to use Zerocash, considering who funded the research.

This^^, Zerocash has too many flaws. Rather use Darkcoin.

Zerocoin and Darkcoin have flaws.

Monero on the other hand...
Don't act like Monero doesn't have flaws. Refer to Anonymint's posts in the Monero thread.

lol AnonyMint again, he even said Bitcoin is flawed many times. Should we listen to him, abandon all crypto and back to use fiat ?
Bitcoin will become susceptible to attack if a quantum computer is ever invented.


Title: Re: Zerocash paper released
Post by: TTM on May 19, 2014, 07:19:26 PM
You'd have to be an idiot to use Zerocash, considering who funded the research.

This^^, Zerocash has too many flaws. Rather use Darkcoin.

Zerocoin and Darkcoin have flaws.

Monero on the other hand...
Don't act like Monero doesn't have flaws. Refer to Anonymint's posts in the Monero thread.

lol AnonyMint again, he even said Bitcoin is flawed many times. Should we listen to him, abandon all crypto and back to use fiat ?

Bitcoin will become susceptible to attack if a quantum computer is ever invented.

Every coin is vulnerable to quantum computers.


Title: Re: Zerocash paper released
Post by: Brilliantrocket on May 19, 2014, 07:21:39 PM
You'd have to be an idiot to use Zerocash, considering who funded the research.

This^^, Zerocash has too many flaws. Rather use Darkcoin.

Zerocoin and Darkcoin have flaws.

Monero on the other hand...
Don't act like Monero doesn't have flaws. Refer to Anonymint's posts in the Monero thread.

lol AnonyMint again, he even said Bitcoin is flawed many times. Should we listen to him, abandon all crypto and back to use fiat ?

Bitcoin will become susceptible to attack if a quantum computer is ever invented.

Every coin is vulnerable to quantum computers.
Right. That doesn't mean we shouldn't use them, but it is something to be aware of.


Title: Re: Zerocash paper released
Post by: drawingthesun on May 19, 2014, 07:24:44 PM
https://bitcointalk.org/index.php?topic=583449.1340

"So we can see as it is currently structured, CryptoNote doesn't really support anonymity much.

Sorry to blow holes in your enthusiasm. Reality sucks if you haven't taken the time to do some serious work before launching."

Thanks Brilliant.

His main point seems to be IP address tracking and blockchain pruning.

I think that both Zerocash/coin and Monero have the pruning issue, however how can they not? It's a part of the design and perhaps some super genius can one day work it out.

The negatives are not too bad. Monero is meant to be splitting payments into different amounts already.

Zerocash is still trusted and therefore unacceptable and AnonyMint also said that CoinJoin/DarkCoin is so far removed from the capabilities of Zero and Monero that it's not even in the same ball park.

So we are left with two current contenders, Monero and Zero.

Zero is somewhat trusted, so that is out.

All that is left is Monero.

Monero is broken if the NSA can crack the cryptography, the same cryptography that protects every bitcoin address.



Title: Re: Zerocash paper released
Post by: fluffypony on May 19, 2014, 07:28:36 PM
https://bitcointalk.org/index.php?topic=583449.1340

"So we can see as it is currently structured, CryptoNote doesn't really support anonymity much.

Sorry to blow holes in your enthusiasm. Reality sucks if you haven't taken the time to do some serious work before launching."

LOL. That text contains gems such as:

coupled with constant use of elliptical curve cryptography which is known to be broken under quantum computing, as well is suspect to broken by the NSA[1] or could be broken since it is number theoretic public key cryptography.

I am struggling not to laugh while typing this, but it's too hysterical. If quantum computing exists in any usable form (it doesn't) or if elliptic curve crypto is broken by the NSA (unlikely) we are in WAY bigger trouble than "oh noez, can't spend magical Internet moneyz". Seriously. It's the equivalent of saying "it is suspected that the NSA can screendump every monitor in real time and capture mouse and keyboard movements, so the best thing to do is move to your own hardware you've built from scratch and your own operating system you've written from scratch." It's such an extreme case that it either doesn't exist, or if it does we've got bigger problems.

And the use of one-time ring signatures mucks up the pruning of the block chain of spent addresses. There is a tweak to improve this over the current CryptoNote (one of the tweaks I alluded to upthread).

Which makes SPV and thin clients difficult, but certainly does not affect anonymity on any level.

Bottom line is most of your anonymity will come from obfuscating your IP address with something more reliable than Tor and I2P, not from the block chain mixing of CryptoNote or Zerocash/coin, i.e. if your IP is correlated to your identity, then the one-time ring signature doesn't obscure your identity when you spend.

Monero and other CryptoNote coins can already use Tor.

The case where the one-time ring signature is really useful is a transaction with multiple inputs wherein the spender is merging his coins, thus enabling tracing of those coins to the same entity (the current spender). And it is very unfortunate the one-time ring signature is optional in this case, because it is the identity of the upchain spenders who suffer from this action by the current spender, thus the motivation is not there.

Those upchain spenders are the ones that either need to flush their inputs using a high mixin count, or they need to insist those sending funds to them do. This is not a technical issue, and is the equivalent of "I use WhateverAnonymousCoin but someone forgot to send coins anonymously to me".

So we can see as it is currently structured, CryptoNote doesn't really support anonymity much.

Agree to disagree.

Sorry to blow holes in your enthusiasm. Reality sucks if you haven't taken the time to do some serious work before launching.

Just to be clear: Monero supports all this joyful anonymity from today, not from "V2 guize!!!1111". Any problems, holes, and bugs will be ironed out over time. Any coin implementing ring signatures later will have the added disadvantage of still running into issues later on. For me, personally, I'll stick to the software that will reach ring signature maturity faster.

Note that the use of a separate payee address for each transaction is a very useful strategy. This is a positive aspect of CryptoNote that adds anonymity, but again it is not so effective without reliable IP obfuscation, as the payee will reveal himself on spending.

Hence: Tor.
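
The merging case argued over in the post above, shown as an added example that is not part of the original thread or of any coin's code. It assumes a simplified model in which each input is the set of outputs it could be spending; all names and sample transactions are constructed.

```python
from collections import defaultdict

# Constructed sample data: each transaction is a list of inputs, and each
# input is the set of outputs it could be spending (1 member = no mixin).
TRANSPARENT = [[{"A"}, {"B"}, {"C"}], [{"C"}, {"D"}]]
RINGED = [[{"A", "m1", "m2"}, {"B", "m3", "m4"}, {"C", "m5", "m6"}],
          [{"C", "m7", "m8"}, {"D", "m9", "m10"}]]
# Ring signatures optional: the spender skipped mixins on two of three inputs.
PARTIAL = [[{"A"}, {"B"}, {"C", "m1", "m2"}]]


class DisjointSet:
    """Union-find over output identifiers."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_by_merged_inputs(transactions):
    """Group outputs that an observer can tie to one spender.

    Only inputs with a single candidate are linked; an input hidden in a
    ring of several candidates gives no certain link in this model.
    """
    ds = DisjointSet()
    for inputs in transactions:
        for ring in inputs:
            for member in ring:
                ds.find(member)  # register every output, linked or not
        certain = [next(iter(ring)) for ring in inputs if len(ring) == 1]
        for other in certain[1:]:
            ds.union(certain[0], other)
    groups = defaultdict(set)
    for member in list(ds.parent):
        groups[ds.find(member)].add(member)
    return sorted((sorted(g) for g in groups.values()),
                  key=lambda g: (-len(g), g))


if __name__ == "__main__":
    for name, txs in [("transparent", TRANSPARENT), ("ringed", RINGED),
                      ("partial", PARTIAL)]:
        print(name, cluster_by_merged_inputs(txs)[0])
```

In the `PARTIAL` case the two inputs spent without mixins are still tied together, which is the cost of leaving the ring signature optional.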


Title: Re: Zerocash paper released
Post by: TTM on May 19, 2014, 07:30:41 PM
No matter what is better, Monero or Zerocash, just don't think they will be something very big like 'the next Bitcoin'.

The real demand for privacy and anonymity is actually small. For many people, Bitcoin's privacy is enough.


Title: Re: Zerocash paper released
Post by: drawingthesun on May 19, 2014, 07:40:14 PM
No matter what is better, Monero or Zerocash, just don't think they will be something very big like 'the next Bitcoin'.

The actual demand for privacy and anonymity is actually small. For many people, Bitcoin's privacy is enough.

I talked to the son of a billionaire about using Bitcoin personally and for the business he is in (Oil).

He is smart and young and did his own research and in the end had to advise his father's company against it and also decided it's not good for personal use. I asked him to explain. He said that he can't see any real business accepting the system because it's far too transparent.

Imagine we are in a Bitcoin centric world. You can easily get bitcoin into a company or to a friend (buying or gifting) and then you can watch their wallets. Bitcoin gives real time information into things like what investments you're buying, when and where you bought your local coffee and so much more.

The transparency provided by Bitcoin is creepy and invasive. I remember explaining this reality to my Dad when I was getting him into Bitcoin just a few weeks ago, he was amazed it had grown this much with such a massive hole.

Bitcoin is less private than using PayPal, VISA, MasterCard or your bank, because in those situations a trusted third party knows your business but the world at large doesn't.

My friend said his company can never use it, the competitive advantage it would give to other companies would be too much, they would be able to tell how much cash flow they had, where they send their money, what contractors they were using.

I personally have always been a little bit into the "we must have privacy! Bitcoin isn't enough!" line, but since talking with real world people it became obvious how bad it really is.

I doubt you are right.

How many bitcoin millionaires think twice before sending $10 for a pizza from their wallet, so much of this can be traced and it'll get worse in the future. Companies are popping up to put as many company and individual names to addresses as possible.

This technology is needed.


Title: Re: Zerocash paper released
Post by: Conurtrol on May 19, 2014, 07:53:06 PM
No matter what is better, Monero or Zerocash, just don't think they will be something very big like 'the next Bitcoin'.

The actual demand for privacy and anonymity is actually small. For many people, Bitcoin's privacy is enough.

I talked to the son of a billionaire about using Bitcoin personally and for the business he is in (Oil).

He is smart and young and did his own research and in the end had to advise his father's company against it and also decided it's not good for personal use. I asked him to explain. He said that he can't see any real business accepting the system because it's far too transparent.

Imagine we are in a Bitcoin centric world. You can easily get bitcoin into a company or to a friend (buying or gifting) and then you can watch their wallets. Bitcoin gives real time information into things like what investments you're buying, when and where you bought your local coffee and so much more.

The transparency provided by Bitcoin is creepy and invasive. I remember explaining this reality to my Dad when I was getting him into Bitcoin just a few weeks ago, he was amazed it had grown this much with such a massive hole.

Bitcoin is less private than using PayPal, VISA, MasterCard or your bank, because in those situations a trusted third party knows your business but the world at large doesn't.

My friend said his company can never use it, the competitive advantage it would give to other companies would be too much, they would be able to tell how much cash flow they had, where they send their money, what contractors they were using.

I personally have always been a little bit into the "we must have privacy! Bitcoin isn't enough!" line, but since talking with real world people it became obvious how bad it really is.

I doubt you are right.

How many bitcoin millionaires think twice before sending $10 for a pizza from their wallet, so much of this can be traced and it'll get worse in the future. Companies are popping up to put as many company and individual names to addresses as possible.

This technology is needed.



I posted this in the Nxt.org forum privacy discussion and user Eadeqa replies that a person could use a third party like bitpay or coinbase to maintain anonymity. https://nxtforum.org/general-discussion/%28poll-by-post%29-does-nxt-need-anonymity/msg24596/?topicseen#msg24596


Title: Re: Zerocash paper released
Post by: drawingthesun on May 19, 2014, 07:58:23 PM
I posted this in the Nxt.org forum privacy discussion and user Eadeqa replies that a person could use a third party like bitpay or coinbase to maintain anonymity. https://nxtforum.org/general-discussion/%28poll-by-post%29-does-nxt-need-anonymity/msg24596/?topicseen#msg24596

The way I see it is, Monero is just a prototype; eventually, give it a year or two, this tech is going to mature and become the norm. I would like to see Crypto move towards a more cash like system, no trace back. I would not prefer to see it go to a more bank like system.

Anyway, it'll happen and Cryptos will have to be developed to adapt. (including both Bitcoin and Monero, because better things will come)

Will these coins sit on the sidelines and say "use coinbase" or instead embrace this tech?

This is why sidechains could be perfect for bitcoin, allowing this additional ability.

:)


Title: Re: Zerocash paper released
Post by: Conurtrol on May 19, 2014, 08:15:14 PM
I posted this in the Nxt.org forum privacy discussion and user Eadeqa replies that a person could use a third party like bitpay or coinbase to maintain anonymity. https://nxtforum.org/general-discussion/%28poll-by-post%29-does-nxt-need-anonymity/msg24596/?topicseen#msg24596

The way I see it is, Monero is just a prototype; eventually, give it a year or two, this tech is going to mature and become the norm. I would like to see Crypto move towards a more cash like system, no trace back. I would not prefer to see it go to a more bank like system.

Anyway, it'll happen and Cryptos will have to be developed to adapt. (including both Bitcoin and Monero, because better things will come)

Will these coins sit on the sidelines and say "use coinbase" or instead embrace this tech?

This is why sidechains could be perfect for bitcoin, allowing this additional ability.

:)


Thank you for the response.


Title: Re: Zerocash paper released
Post by: shekelsteingoyberg2 on May 19, 2014, 09:27:02 PM
Zerocash has a GCHQ/Israel/NSA backdoor.
Anoncoin devs consist of one fat neckbeard trying to do all the work (or claiming to, the commits I've seen consist of "changed namespace name")
Darkcoin is rumored to have a 5% pre-mine http://www.devtome.com/doku.php?id=a_massive_investigation_of_instamines_and_fastmines_for_the_top_alt_coins#darkcoin
Bytecoin has bad software that is undocumented with no GUI wallet, and the devs aren't transparent enough to say "we're working on it goys!"
Bitmonero is a shitty clonecoin made by a brazilian/paki/indian who claimed to be Ukrainian, just a source copy of Bytecoin with no real dev team or plans to actually make the software more usable.
Bytecoin also has an 80% premine.
Bitmonero probably won't have a GUI wallet until the Bytecoin devs make them one.

I'm not too interested in Zerocash at the moment, the developers would really have to go out of their way to practically livestream them starting the network and "forgetting" the master key.
Darksend will hopefully be finalized soon and on the way to decent ring sig software.

Bytecoin devs could improve too, Bitmonero devs (what devs?) could put forth more effort than changing a few variables and releasing a clone-coin, Anoncoin could implement the same Zerocash as the Israeli researchers and "destroy" the master key...  Darkcoin devs could address the "premine" allegations again.

Still a gamble.

Edit: it is documented, and there is a 3rd party GUI wallet now


Title: Re: Zerocash paper released
Post by: fluffypony on May 19, 2014, 10:33:10 PM
Bitmonero is a shitty clonecoin made by a brazilian/paki/indian who claimed to be Ukrainian, just a source copy of Bytecoin with no real dev team or plans to actually make the software more usable.
Bitmonero probably won't have a GUI wallet until the Bytecoin devs make them one.

I don't know a single Brazilian, Pakistani, Indian, or Ukrainian involved, and who cares even if there is?

I also contend your claim that there is "no real dev team" - are you in #monero-dev on Freenode? There is a very solid, concrete dev team that consists of developers from multiple continents including a handful who choose to remain anonymous.

"Plans to make the software more usable" is also nonsense - thus far we have not only found massive issues in the RPC API and either patched them or provided more correct documentation to those using Monero, but we have made our short-term and long-term plans clear. More specifically, you realise and understand that Bytecoin is so fundamentally flawed that their JSON RPC API documentation (such as it is) claims that the URL to use ends in a trailing slash, but this results in a 404 from the RPC API daemons? I mean, such a fundamental error for a coin that is apparently in existence for two years...

Finally, thus far we have improved the miner to 12x its original efficiency. To thank us for our hard work the Bytecoin devs merged our changes.

In other words, thus far only the Monero dev team have made any strides in improving and advancing the coin, and the others are merely inheriting the work we're doing.

Please glance at the github repos and merges / commits before making yourself look completely daft.


Title: Re: Zerocash paper released
Post by: gmaxwell on May 19, 2014, 10:37:14 PM
I know how to fix the no pruning problem but it comes with (your choice of) costs. PeterTodd does too— as we'd talked about it before, so it's possible ZeroCash will implement one of those solutions. (Either you make old coins unspendable or expensive (very large) to spend (and then perhaps economically unspendable).. in both cases your anonymity set is somewhat reduced. Then you can have some form of pruning.).


Title: Re: Zerocash paper released
Post by: TTM on May 19, 2014, 10:48:06 PM
Zerocash has a GCHQ/Israel/NSA backdoor.

It's not true. Zerocash will be an open-source project, which means everyone can analyze its source code. No backdoor can be hidden.

Also Zerocash dev team appear to be "anti-NSA" people on their twitter.


Title: Re: Zerocash paper released
Post by: shekelsteingoyberg2 on May 19, 2014, 10:58:56 PM
Zerocash has a GCHQ/Israel/NSA backdoor.

It's not true. Zerocash will be an open-source project, which means everyone can analyze its source code. No backdoor can be hidden.

Also Zerocash dev team appear to be "anti-NSA" people on their twitter.

They intend to keep it closed source according to twitter.


Title: Re: Zerocash paper released
Post by: TTM on May 19, 2014, 11:01:19 PM
Zerocash has a GCHQ/Israel/NSA backdoor.

It's not true. Zerocash will be an open-source project, which means everyone can analyze its source code. No backdoor can be hidden.

Also Zerocash dev team appear to be "anti-NSA" people on their twitter.

They intend to keep it closed source according to twitter.

I would suggest you learn more about a coin before bashing it. This page says different:
http://zerocash-project.org/q_and_a

Quote
To facilitate this, Zerocash will be released as open-source software.

Prior to Zerocash, their Zerocoin project is already an open-source project.


Title: Re: Zerocash paper released
Post by: dewdeded on May 19, 2014, 11:02:05 PM
It's not true. Zerocash will be an open-source project, which means everyone can analyze its source code. No backdoor can be hidden.
Yeah, lol. Like in OpenSSL or twenty year old window manager code.


Title: Re: Zerocash paper released
Post by: stealth923 on May 19, 2014, 11:45:50 PM
It's not true. Zerocash will be an open-source project, which means everyone can analyze its source code. No backdoor can be hidden.
Yeah, lol. Like in OpenSSL or twenty year old window manager code.

Code and mathematics that the NSA / Dept Defence has most likely had input into... If they find a back door, they won't announce it.

Add on the secret key that needs to be properly "destroyed" in order for this to work... I don't see this as a viable anonymity solution.


Title: Re: Zerocash paper released
Post by: shekelsteingoyberg2 on May 20, 2014, 12:26:54 AM
or if elliptic curve crypto is broken by the NSA (unlikely)

I believe the NSA had built insecurity into major implementations of elliptic curve crypto software, which may be the cause of their confusion.


Title: Re: Zerocash paper released
Post by: Joshuar on May 20, 2014, 12:33:28 AM
It's not true. Zerocash will be an open-source project, which means everyone can analyze its source code. No backdoor can be hidden.
Yeah, lol. Like in OpenSSL or twenty year old window manager code.

Code and mathematics that the NSA / Dept Defence has most likely had input into... If they find a back door, they won't announce it.

Add on the secret key that needs to be properly "destroyed" in order for this to work... I don't see this as a viable anonymity solution.

+1, neither do I.


Title: Re: Zerocash paper released
Post by: David Latapie on May 20, 2014, 05:08:49 PM
Hence: Tor.
Isn't TOR cracked? I think I heard something about it (maybe Dawden, maybe not)?


Title: Re: Zerocash paper released
Post by: dewdeded on May 20, 2014, 05:19:41 PM
TOR isn't cracked, don't spread bullshit.


Title: Re: Zerocash paper released
Post by: David Latapie on May 20, 2014, 05:25:36 PM
TOR isn't cracked, don't spread bullshit.
I was just asking. Glad I was wrong. Case closed.


Title: Re: Zerocash paper released
Post by: drawingthesun on May 20, 2014, 05:38:01 PM
Hence: Tor.
Isn't TOR cracked? I think I heard something about it (maybe Dawden, maybe not)?

You did hear something about it, apparently it's mostly FUD from the FBI and NSA.


Title: Re: Zerocash paper released
Post by: Kergekoin on May 20, 2014, 08:20:17 PM
From twitter:

Quote from: Ian Miers ‏@secparam
We will be releasing Zerocoin/cash in 3 to 6 months. Why so long?  Due diligence (and arranging trust set up) takes time. Move fast & break things is a bad strategy w/ cutting edge crypto. If Zerocoin/cash did that, what we'd break would be your money & privacy.


Title: Re: Zerocash paper released
Post by: JohnD on September 05, 2014, 02:49:03 PM
Anything new about zerocash?


Title: Re: Zerocash paper released
Post by: BlackShibe1 on September 06, 2014, 12:37:17 AM
zeronews


Title: Re: Zerocash paper released
Post by: flug on February 14, 2015, 01:33:50 PM
Any news yet? Has the project died?


Title: Re: Zerocash paper released
Post by: illodin on February 14, 2015, 03:45:27 PM
Where do I put the .conf?