Zero Knowledge Transactions

[TPTB_need_war]

Sir
You can hold a crowdfunding of your coin, it's very easy to raise 1000 BTC, there is a shitcoin named "小蚁“ in China, they got 2100 BTC easily from crowdfunding recently.

I am no longer seeking to raise money to implement or release my white paper. I am not just commenting in this thread about the technology in that white paper.

Thus the poll is already irrelevant at this point, except to be a record of an expression of the value voters assigned to my research.

It is possible my technology might be implemented in another Cryptonote or other coin (although this seemed to not have progressed beyond an initial coordination so far), and at this point it appears the mostly likely coin where it will first appear will be my own coin. But anonymity is somewhat of a lower priority for me at the moment, although I continue to make sure that my designs are compatible with the Zero Knowledge Transactions (for future integration with it).

I am not closely tracking what Monero and Æon are implementing. Appears at least Monero may be fast tracking on Shen-Noether's design, but I haven't verified that.

[1715628383]

1715628383

[1715628383]

1715628383

[1715628383]

1715628383

[TPTB_need_war]

I've been busy doing 1) math; and 2) designing how micro-transactions scale and the impacts of value hiding of (Compact or just) Confidential Transactions (which also pertains to my derivative Zero Knowledge Transactions):

1. https://bitcointalk.org/index.php?topic=1085436.msg12964946#msg12964946

2. https://bitcointalk.org/index.php?topic=1249015.0

[TPTB_need_war]

Critically important discovery regarding anonymity for crypto-currency, which renders my Zero Knowledge Transactions white paper (and as well Shen-Noether's both) worthless:

...

Thus this requirement for anti-DDoS would introduce a form of simultaneity requirement on CN one-time rings that could be jammed (spammed) as is the case for CoinJoin (and even the CoinShuffle improvement). As I had argued to gmaxwell in his CoinJoin thread in 2013, that blacklisting offenders is unworkable if there is no reference point, because precisely the point of adding anonymity is to destroy any reference point (other than an orthogonal one such as IP addresses, which as I have explained in this thread is also untenable at scale).

Thus I worried that anonymity might be untenable.

...

The only solution I have been able to conjure is to use CoinShuffle to produce a group of hashes where every public key participating corresponds to some UTXO that can be confiscated.

So while I believe I have refuted my worry that anonymity is entirely untenable, I now believe that purely on chain anonymity is untenable. Which I think was also obvious from that fact that CN one-time rings can be unmasked if an adversary can correlate IP addresses to persistent identities. So if we have to do the CoinShuffle any way (which also mixes the spenders' IP addresses so we don't have to rely on the unreliable anonymity offered by Tor of I2P), then there is no reason to do the CN one-time ring signtures. Just use CoinShuffle with either CT or CCT.

Thus note that Zerocash will always be (and Monero is until they replace CN with CoinShuffle) untenable.

[bitsire]

Critically important discovery regarding anonymity for crypto-currency, which renders my Zero Knowledge Transactions white paper (and as well Shen-Noether's both) worthless

[TPTB_need_war]

Critically important discovery regarding anonymity for crypto-currency, which renders my Zero Knowledge Transactions white paper (and as well Shen-Noether's both) worthless

The details on this are a bit mind-twisting, so I did find an error in my prior post as follows. And it means we apparently do still need Ring Confidential Transactions and/or my Zero Knowledge Transactions:

[...]The only solution I have been able to conjure is to use CoinShuffle to produce a group of hashes where every public key participating corresponds to some UTXO that can be confiscated.

[...]

So if we have to do the CoinShuffle any way (which also mixes the spenders' IP addresses so we don't have to rely on the unreliable anonymity offered by Tor of I2P), then there is no reason to do the CN one-time ring signtures. Just use CoinShuffle with either CT or CCT.[...]

So we need a non-autonomous mixnet such as CoinShuffle to create an uncorrelated (to the input participants) set of hashes that can't be jammed or spammed (as I had previously explained these hashes being the anti-DDoS keys in the UTXO due to the orders-of-magnitude faster speed of verifying a Lamport/Merkel cryptographic hash signature than elliptic curve ECDSA or EdDSA and especially compared to the slow speed of confirming Confidential Transactions) as well as the additional benefit of obfuscating the correlation of IP addresses of the input participants to the outputs datums of the protocol, and the CoinShuffle can associate each transaction output with a specific hash in the grouping since it is passed along as another record in each output datum in the protocol, but although CoinShuffle can unmask the input public keys (associated with a UTXO resource that can be banned if DoS) which jam or corrupt the protocol, it can't insure the homomorphic sum of the outputs equals the sum of the inputs. I am not sure if it is possible to construct a homomorphic groupwise sum of inputs and outputs without jamming (DoS). I remember seeing some vague (not fully thought out w.r.t. to jamming?) discussion of this in the Confidential Transactions thread, but at least in the case of Compact Confidential Transactions, it doesn't seem as it would be possible because each the inputs' and outputs' fuzz has to coordinated for the entire transaction by someone who knows all the private values.

Thus it seems that we will still need Shen-Noether's Ring Confidential Transactions (or my claimed yet not yet published Zero Knowledge Transactions which integrates one-time rings with Compact Confidential Transactions). So Merkel tree (not Lamport because you may need to sign again else where if instance of protocol fails) sign the hash(es) for your transaction input(s) to enter the CoinShuffle protocol, then release your Ring Confidential Transactions (or Zero Knowledge Transactions) transaction (along with a new output hash) uncorrelated to IP addresses and transaction inputs via the CoinShuffle protocol. In the case where all the inputs and outputs are the same (which may often be the case with micro-transactions), then no need to use homomorphic sums and one-time ring signatures, and just release the uncommitted (not hidden values) outputs uncorrelated to the hash signature via the CoinShuffle (or any mixnet which defines an input set and can identify those who jam it) protocol.

So to correct my prior post, I still assert that "purely on chain anonymity is untenable" w.r.t. potential scenarios for DDoS at micro-transactions scale, i.e. neither Ring Confidential Transactions nor Zero Knowledge Transactions can scale to micro-transactions and remain entirely autonomous, as they will require some integration with a non-autonomous mixnet such as CoinShuffle. I reiterate the implied point from the upthread, that afaics it is not possible to mix hashes autonomously.

Edit: note the one-time rings must mix the transaction inputs of the participants of the CoinShuffle protocol (and not a systemic mixnet such as Tor or I2P which doesn't define an input set). Thus it enforces the rule that a group of UTXO must always mix with each other. That rule should normally be enforced so that rings can't be combinatorially unmasked, which is something I explained in detail in my Reddit discussion with Shen-Noether. Also since all the inputs can be thus marked as spent, they can be pruned from UTXO and thus enforced not be mixable again, and thus the combinatorial unmasking is prevented.

Edit#2: a flawed design which has better separation-of-concerns (could be used with any IP obfuscation mixnet such as Tor or I2P) is in round 1 for all participants to sign the hash(es) for their input(s) to the set of ECC public keys of the participants. Those who don't sign won't be included in the next round and if not enough sign, then round 1 is restarted with additional participants replacing those who failed to sign. Then in round 2 all participants who signed release their Ring Confidential Transactions or Zero Knowledge Transactions. The flaw is that round 2 can be spammed, because there is no correlation between those who participate in round 2 with those who signed in round 1.

I have been trying to think of some way to avoid CoinShuffle for micro-transaction anonymity because it is so slow due to multiple rounds of network communication. The only other solution I've thought of is to use the CoinShuffle method above to anonymously break your outputs into small morsels, then spend these morsels without homomorphic value hiding and via an IP obfuscation mixnet such as Tor or I2P. The untraceability and unlinkability is mostly retained as the CoinShuffle method will be employed to merge balances again (and then again to redistribute to anonymous output morsels).

I could explain the math for Shen's Ring Confidential Transactions in layman's terms (it really isn't that difficult at all once you think about it in terms of the properties of a modulo operation in math), but I don't have time right now to organize the prose.

Edit: after writing the following it caused me to realize I had overlooked (or conflated) a detail which changed the conclusion of my analysis as follows. Thus I will eventually be explaining the math in layman's terms for (Compact or just) Confidential Transactions and how to combine them with one-time rings of Cryptonote.

Also this is a lower priority right now for me, I now think (recently discovered) that one-time ring signatures are not tenable (against DDoS) for micro-transactions scaling level (regardless whether alone as for Cryptonote, combined with Blockstream's Confidential Transactions as Shen has published, or combined with an improved version of Denis's Compact Confidential Transactions as I claimed to have accomplished but haven't yet published).

Also one-time ring signatures do not obfuscate IP address which means correlation by IP can unmask the rings, so I now view them as a waste of time, because to obfuscate the IP addresses requires a non-autonomous form of mixing (e.g. CoinShuffle) which also provides the same function as a ringa ring function but apparently not in the presence of homomorphic sums.

[TPTB_need_war]

The inability to verify the number of coins in circulation with ZeroCoin scares me.  At least if something goes wrong with the money supply system with RingCT we would be able to tell.

Ring Confidential Transactions built on top of Blockstream's Confidential Transactions (or my roughly equivalent but apparently more efficient Zero Knowledge Transactions built on top of Denis' Compact Confidential Transactions) does not absolutely prevent undetectable abuse of the money supply.

The relevant (to your stated concern) distinction from Zerocash (and a friendly reminder to not conflate Zerocoin with Zerocash because the former requires equal revealed values and doesn't integrate with hiding values) is that there isn't a global trusted master key (generated once at setup of the sytem) to be potentially abused (if the trusted setup was gamed some how). Yet in both systems, if you can muster enough computing resources even just once (and/or break/weaken the number-theoretic cryptographic assumptions security), you can create unlimited money out-of-thin-air and this can't be detected (unless detection means everyone has the same level of breakage capability and all values can be globally unmasked rendering value hiding useless).

Homomorphic values and ring signatures come with potentially huge anti-DDoS costs as I have been explaining in a thread I started in the Bitcoin Discussion forum. In that thread, I have alluded to we might be better off to just eliminate homomorphic (hiding) values and also eliminate Cryptonote's one-time ring signatures and move to something like CoinShuffle, because we are going to need to do a CoinShuffle any way. The details on this tradeoff need to be further mulled over and elucidated.

So in summary, it is possible that Monero and Cryptonote (including Confident Transactions and the attempts to combine them with one-time rings) is one grand waste of time and effort, but that determination is not yet entirely clear to me. I need to spend some time writing down all the details so I can convince myself what are key determinants on this issue. It is possible that the conclusion may be a multifurcation.

Anonymity is very difficult to accomplish holistically especially at-scale (Monero is no where near accomplishing that at-scale) and it doesn't come for free.

[TPTB_need_war]

If peer review supports the soundness of RingCT cryptography interest could expand exponentially. There are more potential uses than I can count and this is the most promising privacy technology I have seen so far. The inability to verify the number of coins in circulation with ZeroCoin scares me.  At least if something goes wrong with the money supply system with RingCT we would be able to tell.

I am quite confident that blockchain privacy is not a huge topic anymore. Of course RingCT may draw some extra attention to Monero. However, in my opinion that still would not be relevant.

The fintech is finally converging on the markets and real business issues. However, real business that has money doesn't care about privacy, it's simply of out scope. There is no huge ass real world problem in it that could be backed by corporate money that will stimulate adoption and attention.

This still maybe a great update and it serves privacy goals well. However, privacy protection issue is still a small niche, not a mass phenomenon.

Disagree. Real business and corporate money will struggle greatly with transparent blockchains. They don't have the same exact privacy goals as individuals and freedom advocates, but they have their own. In particular, not wanting to be spied on by competitors nor front run in markets. That's why, for example, CT is critically important even in Blockstream's closed blockchain Liquid.

Privacy from the NSA, when the NSA means the largest globalist corporations (politically connected with the global police state) have asymmetric access to secrets?

Making anonymity that is immune to the global police state is an immense challenge especially for businesses, because they can't just go hop on another anonymous WiFi connection every time they want to interact with the block chain (and that won't even help you individually with a low scale coin like Monero, because you are the only person hopping on anonymous WiFi in your geographical area so your transactions can still be correlated!). Making an IP address mixnet that is immune to a party which can see all traffic over the internet is an extremely challenging if not implausible statistically. I have been thinking deeply for a long time about the sort of attacks that are possible on mixnets and nothing (that I've analyzed) seems to entirely immune.

A generative essence realization is there is no possible way to obfuscate your IP address with an autonomous cryptographic protocol (such as RIngCT or Cryptonote). The only way to obfuscate IP addresses is with an interactive mixnet, which then either incurs a simultaneity requirement or the mixnet must generalize to many forms of internet traffic so a sufficient mix set always available. But especially generalized mixnets suffer from Sybil attacks because of the cost of scaling relaying nodes scales with traffic and DDoS. As smooth knows from our past private discussions (afair last year), my only idea on how to attack the Sybil problem of Tor and I2P is to pay the nodes you are want to relay through for an onion routing. But this comes with another set of holistic issues. So far, I haven't been able to design the system that is immune to the NSA. I am still working on this problem, but have deprioritized it, because to my consternation it is such an intractable quagmire (a.k.a. clusterfuck).

So let's say we only want privacy against other smaller corporations that don't have special access to NSA analysis. Yet now we must assume the NSA can't be hacked or individual employees bribed. And the NSA is not the only national security agency doing this. We have at least the 5 Eyes nations plus Russia and China with sophisticated, well funded national security agencies.

Can you know understand better why Martin Armstrong (and I reguritated) that a Dark Age is possible?

The world is in a pickle. I am doing my best to try to find a way out. I am now thinking perhaps anonymity is not the ticket (yet continuing to develop and consider it, as an option) and instead massive volume of micro-transactions might be more liberating. In short, to pursue my Knowledge Age theory of breaking the Theory of the Firm down to individualized production. In short, death the corporation as being too slow to even effectively use the data it is accumulating. If you read my 2010 thesis linked from the OP of the Economic Devastation thread (in the Economics forum), you can gain insight into what I am referring to where I explained that top-down access to information is not knowledge creation. Knowledge creation is accretive, spontaneous, and highly individualized.

Paradigm shift. I am apparently good at creating those, not so much at the intricate patterns of chess (too many intricacies are burdensome to the degrees-of-freedom to see over the forest). In short, I prefer deforestation paradigms.

If peer review supports the soundness of RingCT cryptography interest could expand exponentially. There are more potential uses than I can count and this is the most promising privacy technology I have seen so far. The inability to verify the number of coins in circulation with ZeroCoin scares me.  At least if something goes wrong with the money supply system with RingCT we would be able to tell.

I am quite confident that blockchain privacy is not a huge topic anymore. Of course RingCT may draw some extra attention to Monero. However, in my opinion that still would not be relevant.

The fintech is finally converging on the markets and real business issues. However, real business that has money doesn't care about privacy, it's simply of out scope. There is no huge ass real world problem in it that could be backed by corporate money that will stimulate adoption and attention.

This still maybe a great update and it serves privacy goals well. However, privacy protection issue is still a small niche, not a mass phenomenon.

Disagree. Real business and corporate money will struggle greatly with transparent blockchains. They don't have the same exact privacy goals as individuals and freedom advocates, but they have their own. In particular, not wanting to be spied on by competitors nor front run in markets. That's why, for example, CT is critically important even in Blockstream's closed blockchain Liquid.

Privacy from the NSA, when the NSA means the largest globalist corporations (politically connected with the global police state) have asymmetric access to secrets?

Making anonymity that is immune to the global police state is an immense challenge especially for businesses, because they can't just go hop on another anonymous WiFi connection every time they want to interact with the block chain (and that won't even help you individually with a low scale coin like Monero, because you are the only person hopping on anonymous WiFi in your geographical area so your transactions can still be correlated!). Making an IP address mixnet that is immune to a party which can see all traffic over the internet is an extremely challenging if not implausible statistically. I have been thinking deeply for a long time about the sort of attacks that are possible on mixnets and nothing (that I've analyzed) seems to entirely immune.

A generative essence realization is there is no possible way to obfuscate your IP address with an autonomous cryptographic protocol (such as RIngCT or Cryptonote). The only way to obfuscate IP addresses is with an interactive mixnet, which then either incurs a simultaneity requirement or the mixnet must generalize to many forms of internet traffic so a sufficient mix set always available. But especially generalized mixnets suffer from Sybil attacks because of the cost of scaling relaying nodes scales with traffic and DDoS. As smooth knows from our past private discussions (afair last year), my only idea on how to attack the Sybil problem of Tor and I2P is to pay the nodes you are want to relay through for an onion routing. But this comes with another set of holistic issues. So far, I haven't been able to design the system that is immune to the NSA. I am still working on this problem, but have deprioritized it, because to my consternation it is such an intractable quagmire (a.k.a. clusterfuck).

So let's say we only want privacy against other smaller corporations that don't have special access to NSA analysis. Yet now we must assume the NSA can't be hacked or individual employees bribed. And the NSA is not the only national security agency doing this. We have at least the 5 Eyes nations plus Russia and China with sophisticated, well funded national security agencies.

Can you know understand better why Martin Armstrong (and I reguritated) that a Dark Age is possible?

The world is in a pickle. I am doing my best to try to find a way out. I am now thinking perhaps anonymity is not the ticket (yet continuing to develop and consider it, as an option) and instead massive volume of micro-transactions might be more liberating. In short, to pursue my Knowledge Age theory of breaking the Theory of the Firm down to individualized production. In short, death the corporation as being too slow to even effectively use the data it is accumulating. If you read my 2010 thesis linked from the OP of the Economic Devastation thread (in the Economics forum), you can gain insight into what I am referring to where I explained that top-down access to information is not knowledge creation. Knowledge creation is accretive, spontaneous, and highly individualized.

Paradigm shift. I am apparently good at creating those, not so much at the intricate patterns of chess (too many intricacies are burdensome to the degrees-of-freedom to see over the forest). In short, I prefer deforestation paradigms.

Privacy from the NSA, when the NSA means the largest globalist corporations (politically connected with the global police state) have asymmetric access to secrets?

No, privacy from every idiot who wants to front-run you, or play amateur detective and figure out a lot of private things about your business or personal affairs and publish them. I've seen both happen on this forum.

Most businesses and people are just too obscure and unimportant to warrant much interest from the NSA or from the largest globalist corporations. But they all have nosy neighbors, with varying degrees of sophistication.

Though if the global police state does evolve to the point where everyone is a person-of-interest, then indeed it will be a dark age, and it isn't clear whether cryptography and cryptocurrencies can help with that at all. Maybe.

Don't know if you read the edit I did on my prior post.

Problem is that if anyone is collecting that data (even if the NSA has no desire to analyze it or retain it forever), they can be potentially hacked or individual employees bribed. The prize is so valuable, it nearly insures another Edward Snowden will surface yet with a profit motive to exploit that dataset. The problem is that even to collect that data means they have peeping routers all over the major backbones and these are thus vulnerable to hacking and bribes, etc..

When we live in a world where it is possible to collect all data, then the defense against bad outcomes with your data (and the greater threat than the NSA w.r.t. to data aggregation may be Google, Ad Sense, and Facebook Likes) is perhaps not to depend on the implausibility of statistical correlation (which may not be so implausible as the naive assumption, e.g. per my examples above and in the general paradigmatic category), rather perhaps to depend on keeping your assets stored in micro-granular Knowledge Creation paradigms instead of stored monetary calls on labor (which I claim is a dying paradigm). The data aggregator can't do anything with aggregated data against a micro-granular asset with attributes perhaps orthogonal to the flows of popularity. I mean everyone can see which ventures are popular and trending by numerous means such as Google metrics. Transparency aids competition which accelerates knowledge creation. The government can't tax to death a populous activity without declaring a global Dark Age (which has never occurred, i.e. even during the Dark Age in Western Europe the prosperity trended up else where).

As for being vulnerable to haters, I am surely vulnerable by posting on this forum and not being anonymous. This seems to go along with any action on the internet. I read where some teenager in the Philippines shot another teenager because of some insulting remark about a girl friend on Facebook. I am not so sure that anonymity can be holistically ubiquitous to protect me from all the potential ways the internet spreads the opportunities to be hated and not anonymous. It seems anonymity for money is mostly focused on the concept of obscuring large monetary wealth, but I am arguing that perhaps that paradigm is dying and instead store wealth in knowledge creation ventures (ongoing and active wealth). Other than the risk of large wealth (and the obvious issues that raises) and being outspoken on the internet (and the conflicts that raises), my personal life story is a prime example of how risk to life and limb comes from chaotic, unexpected directions, so I don't know if focused on the very difficult issue of anonymous money transfer stands out as the greatest risk in most people's lives.

Any way I am not sure. So as I wrote, I am hedging my bets by still pursuing anonymity, but I have deprioritized it somewhat (not entirely) to focus more on micro-transactions.

Edit: I am contemplating whether it is possible that fungibility could be orthogonal to anonymity. Fungibility could first be defined as the ability to get your transactions into the majority consensus of the block chain, instead of a stricter definition that would require that anyone who accepts such a transaction can't be coerced nor hassled by the government nor whom ever. As long as you can get your transactions on the block chain, then if you spend them to parties that careless about coercion (e.g. in small morsels in social interactions where the government can't possibly go after every person who received a microtransaction). So instead of just anonymity designs, I have also been thinking a lot about how to insure block chain inclusion remains permissionless.

[TPTB_need_war]

The inability to verify the number of coins in circulation with ZeroCoin scares me.  At least if something goes wrong with the money supply system with RingCT we would be able to tell.

[...8<...]

The relevant (to your stated concern) distinction from Zerocash (and a friendly reminder to not conflate Zerocoin with Zerocash because the former requires equal revealed values and doesn't integrate with hiding values) is that there isn't a global trusted master key (generated once at setup of the sytem) to be potentially abused (if the trusted setup was gamed some how). Yet in both systems, if you can muster enough computing resources even just once (and/or break/weaken the number-theoretic cryptographic assumptions security), you can create unlimited money out-of-thin-air and this can't be detected (unless detection means everyone has the same level of breakage capability and all values can be globally unmasked rendering value hiding useless).

Homomorphic values and ring signatures come with potentially huge anti-DDoS costs as I have been explaining in a thread I started in the Bitcoin Discussion forum. In that thread, I have alluded to we might be better off to just eliminate homomorphic (hiding) values and also eliminate Cryptonote's one-time ring signatures and move to something like CoinShuffle, because we are going to need to do a CoinShuffle any way. The details on this tradeoff need to be further mulled over and elucidated.

[...8<...]

Anonymity is very difficult to accomplish holistically especially at-scale (Monero is no where near accomplishing that at-scale) and it doesn't come for free.

[...8<...]

A generative essence realization is there is no possible way to obfuscate your IP address with an autonomous cryptographic protocol (such as RIngCT or Cryptonote). The only way to obfuscate IP addresses is with an interactive mixnet, which then either incurs a simultaneity requirement or the mixnet must generalize to many forms of internet traffic so a sufficient mix set always available. But especially generalized mixnets suffer from Sybil attacks because of the cost of scaling relaying nodes scales with traffic and DDoS. As smooth knows from our past private discussions (afair last year), my only idea on how to attack the Sybil problem of Tor and I2P is to pay the nodes you are want to relay through for an onion routing. But this comes with another set of holistic issues. So far, I haven't been able to design the system that is immune to the NSA. I am still working on this problem, but have deprioritized it, because to my consternation it is such an intractable quagmire (a.k.a. clusterfuck).

[...8<...]

[...8<...]

Well that is the sort of statistical pattern that I think it implausible to hide if the person who needs to know thus can afford the resources to know.

I don't think in this Technocracy age of Big Data, one can't hope to obscure patterns on large data sets. The generative essence of the implausibility is that the statistical patterns hidden at one layer, leak into the next layer, so it becomes a requirement for a globally leak-proof synergy of activity in cyberspace. It seems futile from that high-level perspective. And I stubbornly didn't want to accept that, but having really looked deeply at the technical issues, I now lean to that being the hard reality.

That is why I posit that the paradigm of wealth stored in forms that others can easily emulate, tax, and expropriate is dying.

[...8<...]

Zerocash does hide your identity on the block chain even if your IP address is correlated across multiple transactions that you send to the block chain, because in Zerocash the payer(s) and payee(s) are obscured and proven in a non-interactive zero knowledge proof (NIZKP). This is accomplished by proving that the machine ran a certain program (and no other program) on the inputs and that result was "true" (i.e. verified), rather than proving something algebraically about the variables to the program. This computational witness requires the global master key setup.

Whereas, Cryptonote one-time rings mix the payer amongst a group of payers with the requirement that it is publicly verifiable that each payer can only be spent one-time. The one-time key is manufactured by the Diffie-Hellman (ECDH) like exchange that creates a new stealth payee address on each spend and that stealth address can only be spent once. So the problem is that if your IP address is correlated across spends, it becomes possible to link stealth addresses together as the same payee and then start to unmask the anonymity set of the payer rings.

So it would seem that Zerocash is the solution, except read my discussion at the quoted link about anti-DDoS protection. The problem is the huge verification cost for each Zerocash transaction and thus giving the attacker a huge asymmetric advantage when sending invalid transactions, i.e. unprotected Zerocash can be DDoS'ed to death.

And if using my suggested technique to create a hash-based signature as a first line of verification of incoming transactions sent to the block chain, then you've got to incorporate a simultaneity mixnet such as CoinShuffle to detach these hash signatures (and the payee's IP address) from the Zerocash transaction being submitted to the block chain. But then your anonymity is reduced back to the mixnet again so you've lost the benefits Zerocash provides. Perhaps Zerocash could devise a quick check on invalid signatures. I don't enough about the "moon math" in the white paper to deduce whether that is possible, but I 95% doubt it based on my understanding that such NIZKPs are a holistic math affair.

Perhaps instead of my hash suggestion (and as suggested by Gregory Maxwell at the aforementioned linked thread), each Zerocash (or RingCT) could require some PoW be attached to every transaction to rate limit spam, but the problem is the attacker has an asymmetric advantage by being able to place his hashing resources in venues with the cheapest electricity (e.g. 3 - 4 cents per kWh in WA State or China near hydropower) and leverage the latest ASIC efficiencies whereas the legitimate payer is running on retail electricity that costs 4 times more and non-optimum hardware that is at at least an order-of-magnitude disadvantage in power and speed. So the delay (or the transaction fees if the full nodes speed more on hardware to increase their spam bandwidth) will increase for legitimate payers asymmetrically to the attacker's costs. And that asymmetry will be amplified by the systemic ratio of the resources of the legitimate payers to the attacker's resources, thus if the anonymous system is only used infrequently then the cost of using it will be radically amplified (perhaps too high to be of practical use, although I haven't done some sample calculations yet). And for the system to be widely used (e.g. for microtransactions) the extra costs imposed by the attacker disincentivize its use when the legitimate participants don't value anonymity as a concern. Also the PoW required could vary per full node and vary in time (even in real time!) depending which nodes are receiving the most incoming DDoS spam, which complicates the determination where to submit a transaction and how much PoW is required to be submitted with it. So then it appears any any such Zerocash + PoW anti-DDoS system is going to be used only for anonymous mixing and not all transactions, but then the problem is the anonymity leaks as these anonymous mixes are then traded for coins in a system that is used in everyday commerce (e.g. microtransactions).

Even though I haven't thoroughly understood every technical aspect of it, the other problem with Zerocash appears to be that it can't merge the entirely opaque block chains, e.g. if there are two major chains fork due to a network split. Transparent block chains can be re-merged to the extent that double-spends are not intertwined. The major fault for Zerocash (that is not present for transparent block chains) being that I believe it is not possible to prove which coins were double-spent on both of the block chains. Normally this isn't a problem for an orphaned chain because you just throw away the orphans, but this is perhaps a problem in a major network split.

[TPTB_need_war]

Disagree. Real business and corporate money will struggle greatly with transparent blockchains. They don't have the same exact privacy goals as individuals and freedom advocates, but they have their own. In particular, not wanting to be spied on by competitors nor front run in markets. That's why, for example, CT is critically important even in Blockstream's closed blockchain Liquid.

I believe you're saying that under an assumption that corporations will adopt a form of blockchain that is already available on the market. I'm not so sure. Banks and certain IT companies do express their interest in blockchain, but judging from what I've heard them talk, it's more about permissioned blockchains.

It is a entirely different paradigm of privacy. You still have blockchain, which is easily auditable and verifiable for any party that might have such rights, but a competitor would not be able to even connect to the blockchain.

I assume this may prove to be more efficient for corporate goals than using permissionless anonymous blockchains, or even permissioned anonymous blockchains. I don't see big urge for the companies to be adopting open blockchains or particular cryptocurrencies, at least for now. There are of course certain cases when that can still be beneficial (e.g. on-chain bonds for smaller companies).

To say it in another way, the technology has converged on the market, but its tested application seems to be diverging from the original libertarian/anarchistic/openness ideas proposed by free-thinkers. Well, the time will say.

However, a real huge problem is parallel to what we might be discussing here. I bet nobody can point to a company or a particular painful use case that CryptoNote or Monero can be serving. The real market I mean, not our dreams of such. We've all been involved in creating a new better economy, while the course of history shows that we rather need the traditional economy upgraded instead.

I am not trying to say that privacy is an irrelevant issue. It surely is. I'd agree with TPTB_need_war. The big data and surveillance may actually drag us into techodark ages. However, I don't see how private cryptocurrencies can be incorporated into real markets. There's no decabillion market value here. And unfortunately, I would remain pessimistic on the perspectives: I doubt that there will ever be such a market.

Your point about private block chains (which I don't think will work well for similar concerns that corporations are learning not to depend on closed source), ties back into another distinction I want to make about public block chains.

Hide Data, Not IP

If we accept my studied intuition (which I detailed over my past few posts in this thread) that anonymity is untenable (because leakage is catastrophic to the point of doing anonymity, i.e. anonymity assumes 100% perfection otherwise don't bother with the flimsy/undetectable assurance of it), this doesn't mean that for example Confidential Transactions (CT) hiding of value is untenable.

So in general the privacy we want, may be to hide the data and not who is doing it. This data can also leak into layers where it is not hidden, but that would be the same as what we have now in the current world.

So I have been thinking to give up on anonymity of IP addresses (and thus Cryptonote, RingCT, and the ring aspect of my Zero Knowledge Transactions are not needed), but retain end-to-end encryption of the data. CT enables hiding of the values that are being traded.

So the government can still identify who is making those transactions and compel you to reveal your private keys or face the gulag, but in the normal use of the public block chain privacy is retained (to the extent it doesn't leak into non-hidden layers but that is the current world situation any way, so no worse).

Governments and police agencies will feel less threatened, yet some of the NSA-gone-amok indiscriminate big data collection will be foiled (which is a good thing since that crap has been argued to be entirely ineffective and puts the data at-risk of abuse ... remember the stories of TSA agents masturbating to nude airport scanner images and also I believe I read about GHCQ collecting Yahoo Messenger videochats and perhaps some agents were growing hair on their palms as well).

I believe this epiphany (separation-of-concerns) is foundational and very important.

So next we try to find ways to hide the data of smart contracts on the block chain. Actually my Zero Knowledge Transactions white paper also has innovations on hiding value that are not present in CT nor CCT, so if those are correct, I am already making progress on this paradigm.

Mix Data, Not Identity

Perhaps if it is possible to somehow mix currency data with smart contract data, it would make each more fungible in the sense that one can't construct a blacklist based on IP address of who is sending to the block chain if they don't even know which class of data they are black listing.

Also in general, I explained in the thread I linked to (and my coming research writeup will explain in more detail) why blacklisting by IP address in untenable any way. Thus I think the argument that anonymity of IP is essential for fungibility is being vacated.

I need to write up all this in a more technically detailed exposition so I can see how it all fits together in detail. I may have holes in this high-level overview. For example, need to work through the details of how identity of payer and payee on a block chain differs from the notion of IP address identity.

[TPTB_need_war]

A ha! End-to-end identity anonymity is possible!

The reason identity anonymity can't be done end-to-end principle (Zerocash almost does it, but as I pointed out there is a DDoS weakness incurred), is because our IP address is an identity that we can't easily detach from ourselves. For all other forms of data privacy, the IP address problem is irrelevant.

So it would seem that Zerocash is the solution, except read my discussion at the quoted link about anti-DDoS protection. The problem is the huge verification cost for each Zerocash transaction and thus giving the attacker a huge asymmetric advantage when sending invalid transactions, i.e. unprotected Zerocash can be DDoS'ed to death.

And if using my suggested technique to create a hash-based signature as a first line of verification of incoming transactions sent to the block chain, then you've got to incorporate a simultaneity mixnet such as CoinShuffle to detach these hash signatures (and the payee's IP address) from the Zerocash transaction being submitted to the block chain. But then your anonymity is reduced back to the mixnet again so you've lost the benefits Zerocash provides. Perhaps Zerocash could devise a quick check on invalid signatures. I don't enough about the "moon math" in the white paper to deduce whether that is possible, but I 95% doubt it based on my understanding that such NIZKPs are a holistic math affair.

There is a simple solution for DDoS with Zerocash. Use my hash-based signature suggestion on a non-anonymous basecoin, when sending the anonymous zerocash (the Zerocash paper names these zerocoins, not to be confused with Zerocoin) transaction. Since on a spend transaction (aka pour) the anonymous coins are entirely mixed with all anonymous coins, then your IP address and your non-anonymous transactions do nothing to help anyone trace the anonymous coins. And putting the non-anonymous funds at-risk with the fast to verify hash-based signature (3 million verifications per second on an 8 core CPU!), solves the DDoS attack issue.

Alternatively it may be possible to mint the hash signatures in such a way that the anonymous coins are forfeited when doing a DDoS attack, but are still not non-anonymously linked to the hash based public key, instead of needing to use a separate non-anonymous basecoin. This would be preferred for permissionless commerce.

So thus unlike RingCT, no CoinShuffle (mixnet) would be needed. Unlike Cryptonote (and RingCT), Zerocash hides everything because the inputs to the NIZKP are never revealed! This is the advantage zk-SNARKs because it proves that a program compared the inputs in the desired way, without revealing what the inputs were. Whereas in CN and RingCT, we all see the input public key addresses and the proof of which public address is spending is obscured by the mix, but correlating the IP address across mixes can correlate which of those addresses were in both mixes. For CN and RingCT to be as anonymous as Zerocash would require they mix with all known (and future!) public key addresses.

Note that zk-SNARKs are very slow to verify (roughly 300ms for a Zerocash transaction) and consume more bandwidth so this can't be used for all transactions. It would be a mixer that you mint non-anonymous coins into when the slow verification and its higher fees are justified.

Even though I haven't thoroughly understood every technical aspect of it, the other problem with Zerocash appears to be that it can't merge the entirely opaque block chains, e.g. if there are two major chains fork due to a network split. Transparent block chains can be re-merged to the extent that double-spends are not intertwined. The major fault for Zerocash (that is not present for transparent block chains) being that I believe it is not possible to prove which coins were double-spent on both of the block chains. Normally this isn't a problem for an orphaned chain because you just throw away the orphans, but this is perhaps a problem in a major network split.

Apparently I am mistaken. Zerocash coins have serial numbers, so it should be possible to know which serial numbers have been double spent on both forks.

[TPTB_need_war]

As for a potential solution to the IP address obfuscation issue, there is a white paper that I was first introduced to by jl777 this year and now someone else has asked me about it in a PM:

http://dedis.cs.yale.edu/dissent/

http://bford.info/pub/net/panopticon-cacm.pdf

Section 3 explains very well some of the major attacks against the onion routing (OR) in Tor and I2P.

The problems with this Dissent protocol some of which they admit in the section "5. Challenges and Future Work":

• It requires N² communication for N participants. If the entire network isn't included in one grouping, then next problem results. They offer a federated server "solution" but this I believe puts jamming (and anonymity?) at risk of collusion of the servers?
• Same as for any mixnet (incluring OR and Cryptonote), if there are multiple groupings (or rings) then users can be unmasked by (a form of an intersection attack whereby) correlating which groups they participated in. This same problem results from one grouping and the fact that different users are participating at different times. This is a fundamental problem for mixnets  (including on chain mixes such as Cryptonote) that caused me to realize the problem was unsolvable.
• Anti-jamming is based on an identity. Per the criticism I made against CoinJoin in 2013, we are creating anonymity so identity can't be insured. Perhaps we could tie identities to specific UTXO and confiscate those who jam. I would need to look into the details of that change to their design, as to whether this would violate the anonymity (and I assume yes it would until shown otherwise because of what I've learned over the past 2 years).
• It has a simultaneity requirement (similar to Dash's mixing), more so than Tor or I2P.

Why use this complex mixnet stuff (that won't really work well) when Zerocash elegantly solves the problem and is entirely autononomous. To quote smooth (he was referring to Cryptonote but he should have been referring to Zerocash), "a pidgeon could carry your transaction to the block chain and it wouldn't matter". Let me rephrase that, "a truck with your name painted on the side could carry your transaction to the block chain and it wouldn't matter". With Zerocash, everything is hidden so even if you put your name in the transaction packets, it wouldn't affect your anonymity because no one can see any of the details of the transaction. All they will see is you put your name on this encrypted blob of data. So you are worried about the compromised key of Zerocash leading to a hidden inflation of the money supply (I was too), but it doesn't affect the anonymity in any case. Well even that has solutions, e.g. make multiple sets of keys and sign all transactions with more than one signature so you have more assurance that all of the keys weren't fraudulently generated. Or run Zerocash only as a mixer and net out all the coins in/out periodically to be sure it is not creating coins out-of-thin-air.

[LongAndShort]

My advice to you is to perhaps try less to narrow your views by thinking about block chains. I encourage you to think more about trees.

[TPTB_need_war]

My advice to you is to perhaps try less to narrow your views by thinking about block chains. I encourage you to think more about trees.

By placing that comment in this thread about anonymity, that exhibits to me you don't have a very good grasp of the technologies of crypto since block chain consensus algorithms are orthogonal to anonymity algorithms.

Trees and DAGs are not a solution for block chain consensus (and they have nothing to do with anonymity). They fork uncontrollably. This will all be explained. Just let Iota, Railblocks, etc. go forth, then at the appropriate time it will be explained they are technically flawed. We can't escape from proof-of-work (PoW) and maintain decentralized consensus. Period. Proof-of-stake is discussed else where and I don't to repeat what I have already written in my archives (someday I will summarize it all in a paper).

[smooth]

We can't escape from proof-of-work (PoW) and maintain decentralized consensus. Period.

I'd love to see a proof of that. Not meant as a challenge and I don't necessarily disagree at this point. It just seems hard to say that because we don't know of a way there can't be a way, and such a proof would be interesting.

In fact I have a vague notion of idea that may be possible, but I haven't reduced it to a usable form. (Not at all related to PoS or other such techniques, and my idea may too devolve to PoW in some unseen way.)

[TPTB_need_war]

We can't escape from proof-of-work (PoW) and maintain decentralized consensus. Period.

I'd love to see a proof of that. Not meant as a challenge and I don't necessarily disagree at this point. It just seems hard to say that because we don't know of a way there can't be a way, and such a proof would be interesting.

In fact I have a vague notion of idea that may be possible, but I haven't reduced it to a usable form. (Not at all related to PoS or other such techniques, and my idea may too devolve to PoW in some unseen way.)

Let's start with the refutations I did in the past couple of months to some old quotes from jl777 about the ability to game stake and shorting together. I think the insight was there. I need to get back to that when attempting to prove it and write a paper. I didn't want to dig right now as it is a lower priority tangent for me at the moment. Hey that is no attack on jl777 as he has said he is agnostic to the choice of PoW or PoS, so he will adjust as to what is proved. To prove that assertion will be more difficult than just having a single insight, similar to proving P ≠ NP.

[smooth]

My comment may have been unclear. I have a vague notion of a (maybe) non-PoW method that might actually work.

I have no idea whether it is possible to prove that no non-PoW method is possible. I don't think showing that PoS is impossible (not sure if we are even there yet, but as you say, refutations of claimed PoS methods always seem reasonably easy, if tedious) is sufficient.

[monsterer]

I'd love to see a proof of that. Not meant as a challenge and I don't necessarily disagree at this point. It just seems hard to say that because we don't know of a way there can't be a way, and such a proof would be interesting.

This is no proof, but you can say for certain that the cost of executing a double spend in any POS system is a simple constant proportional to the amount of stake you control. In POW, the cost is super linear in the number of blocks, which is far better security.

[LongAndShort]

My advice to you is to perhaps try less to narrow your views by thinking about block chains. I encourage you to think more about trees.

By placing that comment in this thread about anonymity, that exhibits to me you don't have a very good grasp of the technologies of crypto since block chain consensus algorithms are orthogonal to anonymity algorithms.

Trees and DAGs are not a solution for block chain consensus (and they have nothing to do with anonymity). They fork uncontrollably. This will all be explained. Just let Iota, Railblocks, etc. go forth, then at the appropriate time it will be explained they are technically flawed. We can't escape from proof-of-work (PoW) and maintain decentralized consensus. Period. Proof-of-stake is discussed else where and I don't to repeat what I have already written in my archives (someday I will summarize it all in a paper).

Then of course there is no reason for me to elaborate. You seem to have cured cancer here as well and think you have it all under control.

If i'm to be honest though. I don't think you have even brushed the surface of zk-snarks and its ability to do away with the blockchain. I don't think you understand how it even functions or can potentially function. I'm sure one day we can chat, when your head is not so far up your ass that all you can see is what you are digesting.

[smooth]

My advice to you is to perhaps try less to narrow your views by thinking about block chains. I encourage you to think more about trees.

By placing that comment in this thread about anonymity, that exhibits to me you don't have a very good grasp of the technologies of crypto since block chain consensus algorithms are orthogonal to anonymity algorithms.

Trees and DAGs are not a solution for block chain consensus (and they have nothing to do with anonymity). They fork uncontrollably. This will all be explained. Just let Iota, Railblocks, etc. go forth, then at the appropriate time it will be explained they are technically flawed. We can't escape from proof-of-work (PoW) and maintain decentralized consensus. Period. Proof-of-stake is discussed else where and I don't to repeat what I have already written in my archives (someday I will summarize it all in a paper).

Then of course there is no reason for me to elaborate. You seem to have cured cancer here as well and think you have it all under control.

If i'm to be honest though. I don't think you have even brushed the surface of zk-snarks and its ability to do away with the blockchain. I don't think you understand how it even functions or can potentially function. I'm sure one day we can chat, when your head is not so far up your ass that all you can see is what you are digesting.

Please explain the relationship between zk-snarks and trees.

[TPTB_need_war]

I have continued this off-topic discussion about block chain consensus in a more appropriate thread. This thread has nothing to do with block chain consensus. LongAndShort, please when starting a new line of discussion, find an appropriate thread to introduce your thread jack.

Please explain the relationship between zk-snarks and trees.

If it pertains to block chain consensus, please in another thread. I have an idea what he is referring to. His SNARKy attitude will be dealt with in a humbling manner.