[ANN] Firo (FIRO) - Implementing ZKP privacy without trusted setup

[bit815792215]

I hate to be "that guy" - but a birdie told me Zerocoin is working on setting up a trust-less setup (possibly slated for this fall).  Can anyone confirm this?

I like ZCash except for this part.  I'm interested in the first coin to implement the Zerocoin technology that comes up with a way to do it without the trusted setup.

Also on a different note (did some digging and couldn't find the answer).  Is the current trusted setup for Zerocoin able to de-anonymize transactions or just create arbitrary inflation (like ZCash)?

Also - it looks like ZCash and ZCoin were both released in October.  And from what I understand both have bitcoins inflation schedule.  Can someone explain to me why ZCoin has 2,500,000 coins vs ZCash's 1,600,000?  30 days between releases should only result in 144,000ish coins shouldn't it?  (50 coins X 4 per hour (every 15) X 24 hours per day X 30 days = 144,000)

bitcoin block time is 10 minutes

[vsyc]

And I apologised for mentioning you by name in my Reddit post about the Zcoin hack, I didn't "take it back". I also didn't delete your post, I deleted my post which mentioned you by name, which I thought was unfair hence why I removed it. I certainly think it's probable that the hack was an inside job by one or more devs, I just think I was utterly wrong to mention your name, because I just think it was one or more Zcoin devs, no idea who. https://www.reddit.com/r/CryptoCurrency/comments/6379u9/zcoin_bug_a_deliberate_inside_job/?utm_content=title&utm_medium=user&utm_source=reddit&utm_name=frontpage

Developers are the team, I will not go what does it mean, I only say that person, who wants  "defect" to be personalise/finger-pointed is very pathetic and miserable. Period.

[zcoinofficial]

I hate to be "that guy" - but a birdie told me Zerocoin is working on setting up a trust-less setup (possibly slated for this fall).  Can anyone confirm this?

I like ZCash except for this part.  I'm interested in the first coin to implement the Zerocoin technology that comes up with a way to do it without the trusted setup.

Also on a different note (did some digging and couldn't find the answer).  Is the current trusted setup for Zerocoin able to de-anonymize transactions or just create arbitrary inflation (like ZCash)?

Also - it looks like ZCash and ZCoin were both released in October.  And from what I understand both have bitcoins inflation schedule.  Can someone explain to me why ZCoin has 2,500,000 coins vs ZCash's 1,600,000?  30 days between releases should only result in 144,000ish coins shouldn't it?  (50 coins X 4 per hour (every 15) X 24 hours per day X 30 days = 144,000).

(Edit:  10 min block times as poster below pointed out.  So 50 X 6 X 24 X 30 = 216,000 minted in a month.  Still seems like we have almost a 1,000,000 coin difference when there should only be 216,000 difference.  Even with the bug that released 200K extra coins - that's still 900,000 discrepancy when there should only be a 400,000ish supply discrepancy.)

And one more question.  I was around back when ZeroVert came out with ZeroCoin never being implemented and devs faded into the background.  It looks like Poramin was the dev of that supposed "first implementation of Zerocoin" years ago.  Until it turned out to be a scam (I think?).  Coin wasn't even around for a few months.

Can someone confirm that Poramin Insom was or was not the dev of that coin?  I'm not trying to FUD here or detract from others who are fine with the ZeroVert incident.  I would just like an explanation if there is one.  And if Paramin started it and abandoned it even with the 168K premine due to lack of funding or whatever.  I understand many will be ok with this.  I'd just like to gather more information for myself.

Hey no problems pretty good questions but dang all the most controversial ones

The Cointelegraph article is actually not correct that we would do it by the end of the year. Likely to spill over into 2018. You can read more about this here: https://zcoin.io/zcoin-moving-beyond-trusted-setup-in-zerocoin/. https://eprint.iacr.org/2014/764.pdf Roadmap is here: https://imgur.com/Vad2DG7

The current trusted setup for Zerocoin if broken, transactions are NOT de-anonymized. The privacy is guaranteed through the zero-knowledge proofs as the accumulator is not involved in the privacy part. The only security we need from the accumulator is that you can't claim that you have a coin in the accumulator which is actually not there. So that's just orthogonal to privacy. So yes arbitrary inflation is the issue though note that it would still be a serious issue but it will be detected in Zcoin at least.

ZCash had a slow release schedule if I'm not mistaken during its initial mining period. We also had a bug that allowed coins to be generated which was subsequently fixed. Not our finest moment for sure but you can read about it here. We also released in September 28.

Poramin Insom indeed was the dev of ZeroVert and was with the previous founder Gary (who is no longer with the project). You can read about our explanation on that incident here and you will notice that the premine was untouched.

[rdnkjdi]

I hate to be "that guy" - but a birdie told me Zerocoin is working on setting up a trust-less setup (possibly slated for this fall).  Can anyone confirm this?

I like ZCash except for this part.  I'm interested in the first coin to implement the Zerocoin technology that comes up with a way to do it without the trusted setup.

Also on a different note (did some digging and couldn't find the answer).  Is the current trusted setup for Zerocoin able to de-anonymize transactions or just create arbitrary inflation (like ZCash)?

Also - it looks like ZCash and ZCoin were both released in October.  And from what I understand both have bitcoins inflation schedule.  Can someone explain to me why ZCoin has 2,500,000 coins vs ZCash's 1,600,000?  30 days between releases should only result in 144,000ish coins shouldn't it?  (50 coins X 4 per hour (every 15) X 24 hours per day X 30 days = 144,000).

(Edit:  10 min block times as poster below pointed out.  So 50 X 6 X 24 X 30 = 216,000 minted in a month.  Still seems like we have almost a 1,000,000 coin difference when there should only be 216,000 difference.  Even with the bug that released 200K extra coins - that's still 900,000 discrepancy when there should only be a 400,000ish supply discrepancy.)

And one more question.  I was around back when ZeroVert came out with ZeroCoin never being implemented and devs faded into the background.  It looks like Poramin was the dev of that supposed "first implementation of Zerocoin" years ago.  Until it turned out to be a scam (I think?).  Coin wasn't even around for a few months.

Can someone confirm that Poramin Insom was or was not the dev of that coin?  I'm not trying to FUD here or detract from others who are fine with the ZeroVert incident.  I would just like an explanation if there is one.  And if Paramin started it and abandoned it even with the 168K premine due to lack of funding or whatever.  I understand many will be ok with this.  I'd just like to gather more information for myself.

Hey no problems pretty good questions but dang all the most controversial ones

The Cointelegraph article is actually not correct that we would do it by the end of the year. Likely to spill over into 2018. You can read more about this here: https://zcoin.io/zcoin-moving-beyond-trusted-setup-in-zerocoin/. https://eprint.iacr.org/2014/764.pdf Roadmap is here: https://imgur.com/Vad2DG7

The current trusted setup for Zerocoin if broken, transactions are NOT de-anonymized. The privacy is guaranteed through the zero-knowledge proofs as the accumulator is not involved in the privacy part. The only security we need from the accumulator is that you can't claim that you have a coin in the accumulator which is actually not there. So that's just orthogonal to privacy. So yes arbitrary inflation is the issue though note that it would still be a serious issue but it will be detected in Zcoin at least.

ZCash had a slow release schedule if I'm not mistaken during its initial mining period. We also had a bug that allowed coins to be generated which was subsequently fixed. Not our finest moment for sure but you can read about it here. We also released in September 28.

Poramin Insom indeed was the dev of ZeroVert and was with the previous founder Gary (who is no longer with the project). You can read about our explanation on that incident here and you will notice that the premine was untouched.

Awesome!  This is just what I needed - thank you for the info

[Prima Primat]

I hate to be "that guy" - but a birdie told me Zerocoin is working on setting up a trust-less setup (possibly slated for this fall).  Can anyone confirm this?

According to this, yes, that's the plan: https://zcoin.io/zcoin-moving-beyond-trusted-setup-in-zerocoin/
Arbitrary inflation, if you mean invisible arbitrary inflation, is impossible in Zcoin. That's one of the major advantages compared to Zcash.

And in addition to what zcoinofficial said, I think the multiple POW algo switches had a noticeable impact on the coin emission graph, as each time the difficulty had to be adjusted from zero.

And yeah, Zcash is basically missing another half a month worth of coins because they started out like this:

[rdnkjdi]

ah that's right - the slow mining start.  That's what I was missing.

[zcoinofficial]

MTP Open-source Miner Bounty Challenge

We are sponsoring a prize fund of USD 21,000 for the development of open source miners for the upcoming MTP protocol as implemented in Zcoin. There are three categories for the miner bounty: CPU miner, AMD GPU miner, and nVidia GPU miner.

The prizes shall be paid in Bitcoin equivalent (Bitstamp pricing) or Zcoin equivalent (Bittrex pricing) at the respective winner’s choice. The price will be determined on the time and date the winners are announced.

Eligibility
Anyone who can speak English and has reached the age of majority in their country of residence. Teams can be formed however one person shall be designated as the contact person and shall be the sole recipient of any prize money. All contestants must have a Github account.

Deadline: 9 August 2017 6.00PM GMT+8

For requirements, criteria and technical details, visit the bounty challenge blog post.

[rowenta01]

https://zcoin.io/mtp-open-source-miner-bounty-challenge/

[vsyc]

I can't spend my whole day here arguing. I'm just expressing my genuine belief. I am not even saying that Zcoin has no future, I'm saying that this news on MTP is massive, will massively weigh on prices, and is a very big setback and adds to reputational concerns around Zcoin.

It will not, you just need to read what is written, as you the only one who keeps pushing its own truth create in parallel reality.

[traspy]

also zcoin lose value on this couple of days bleeding from altcoins

[zcoinofficial]

Interview with Tadhg Riordan on Zcoin's Ethereum Mixer.

We have added two new interview videos to the playlist. You can follow the link above or view them individually here:

Zcoin's ZEth: Implementing Zerocoin on Eth
https://youtu.be/nS1A3VdJFmM

Zcoin's ZEth: Optimizing Zerocoin further for ZEth
https://youtu.be/8eVk7QKxtLg

[esprit577]

When will the MTP algorithm start testing?How big is the equilibrium difference between CPU and GPU?Now the mining industry uses too much power, hoping the algorithm will reduce the power consumption, so that the more stable mining.

[minersuperfish]

When will the MTP algorithm start testing?How big is the equilibrium difference between CPU and GPU?Now the mining industry uses too much power, hoping the algorithm will reduce the power consumption, so that the more stable mining.

MTP is already available in the test network.
At the moment there is a tender for miners and it's too early to talk about the ratio. But there is a miner at djm34 which gives a ratio of 1: 3

[talikila]

When will the MTP algorithm start testing?How big is the equilibrium difference between CPU and GPU?Now the mining industry uses too much power, hoping the algorithm will reduce the power consumption, so that the more stable mining.

MTP is already available in the test network.
At the moment there is a tender for miners and it's too early to talk about the ratio. But there is a miner at djm34 which gives a ratio of 1: 3

yes, I'm waiting for this MTP algo officially released and I want to see this MTP will be launched at the end of this month or early August.
I think Zcoin will have  outstanding actions to come over the heavy competitors such ZEC or Dash in the future .

[playingpoodles]

Excitement about "MTP" which has been promised for months, and was promised to make GPU/CPU competitive - see https://zcoin.io/what-is-mtp-merkle-tree-proof-and-why-it-is-important-to-zcoin/ (they're not, GPU is 3x) - might be wearing a bit thin.

A few pages back on this thread you'll see MTP was exposed as fundamentally not memory hard by disgruntled a miner developer who complained of inexplicable code changes, and Zcoin then said, 'oh yeah we changed it because it had a bug and wasn't memory hard'.

Zcoin's history unfortunately is littered with great promises, but then when the Christmas pudding is finally put on the table, it's small, burned, and strange tasting. Devs are good guys trying to make it work, but marketing gimmicks to paper over a lack of working product won't cut it, and I think there's a lack of trust in Zcoin in the investor community.

(Zcoin underperformed the altcoin market before and during the recent crash. Substantially.)

I can't spend my whole day here arguing. I'm just expressing my genuine belief. I am not even saying that Zcoin has no future, I'm saying that this news on MTP is massive, will massively weigh on prices, and is a very big setback and adds to reputational concerns around Zcoin.

It will not, you just need to read what is written, as you the only one who keeps pushing its own truth create in parallel reality.

[mjosephs]

(they're not, GPU is 3x)

Try more like 11x, dollar for dollar.  R7 370 should be above 300khash/sec.

you'll see MTP was exposed as fundamentally not memory hard by disgruntled a miner developer who complained of inexplicable code changes,

I think you're referring to me; I definitely didn't expose it -- Itai Dinur and Niv Nadler did that and they deserve 100% of the credit for their excellent paper.

I do have very serious concerns with the band-aid cooked up in response to Dinur+Nadler's paper.

[bur825143]

July 9 is not already released mtp algorithm? Why in discussing the impact on mining

[ansach]

I get what you are saying and I agree with you that there is a disconnect between expectations and progress.  Most alt coin projects are work in progress including xzc and the recent bull market has increased the expectations on everyone to perform and deliver. 

That said, the MTP is a huge undertaking and probably the most difficult project detailed on the roadmap.  It is probably compounded by the presence of sync issues which is just as important to fix and previously, our development team was perhaps over-stretched.

I think what matters over the past couple of months is honest communication from marketing and on the development side, the zcoin team has expanded the developer team and added a cryptographer to increase our capacity to deliver - you should be able to see our increasing level of activity here.

We have an ongoing miner competition and other initiatives to encourage the participation of the developer community to make sure our implementation is water-tight.

Our marketing activities revolves around getting the importance and significance of our project out to the public and we are very careful that it does not cause over expectation which ultimately leads to disappointment - this is why we have kept everyone in the loop on what's happening.

We thank you and the community for your support and we understand we can do better.  The Zcoin project remains an important project for bitcoin anonymity and decentralisation - and we are fully committed to deliver according to the roadmap.

Excitement about "MTP" which has been promised for months, and was promised to make GPU/CPU competitive - see https://zcoin.io/what-is-mtp-merkle-tree-proof-and-why-it-is-important-to-zcoin/ (they're not, GPU is 3x) - might be wearing a bit thin.

A few pages back on this thread you'll see MTP was exposed as fundamentally not memory hard by disgruntled a miner developer who complained of inexplicable code changes, and Zcoin then said, 'oh yeah we changed it because it had a bug and wasn't memory hard'.

Zcoin's history unfortunately is littered with great promises, but then when the Christmas pudding is finally put on the table, it's small, burned, and strange tasting. Devs are good guys trying to make it work, but marketing gimmicks to paper over a lack of working product won't cut it, and I think there's a lack of trust in Zcoin in the investor community.

(Zcoin underperformed the altcoin market before and during the recent crash. Substantially.)

I can't spend my whole day here arguing. I'm just expressing my genuine belief. I am not even saying that Zcoin has no future, I'm saying that this news on MTP is massive, will massively weigh on prices, and is a very big setback and adds to reputational concerns around Zcoin.

It will not, you just need to read what is written, as you the only one who keeps pushing its own truth create in parallel reality.

[Prima Primat]

Excitement about "MTP" which has been promised for months, and was promised to make GPU/CPU competitive - see https://zcoin.io/what-is-mtp-merkle-tree-proof-and-why-it-is-important-to-zcoin/ (they're not, GPU is 3x) - might be wearing a bit thin.

You misunderstood something then. The goal was never to make a single CPU and a single (similarly priced) GPU exactly equal. In fact, if I recall correctly from the Zcoin Slack, they actually aimed for a 1:3 ratio. The reason for this is that there are ways to achieve vast amounts of CPU hashpower (AWS, botnets, etc.) that don't exist for GPUs, so GPUs should always have an advantage. Just not an orders-of-magnitude advantage.

A few pages back on this thread you'll see MTP was exposed as fundamentally not memory hard by disgruntled a miner developer who complained of inexplicable code changes, and Zcoin then said, 'oh yeah we changed it because it had a bug and wasn't memory hard'.

I think you misunderstood something there, too. mjosephs was frustrated about the existence of the time-memory-tradeoff attack vector in the first place, and about the code change that was implemented in response, and uttered a suspicion that this fix is only a 'band-aid'. That's speculation though. There is no published research that indicates this. Reuben responded very fairly and admitted that, since MTP is still an extremely new development, it's possible that new weaknesses will be found that allow for new TMT attacks, but the Zcoin devs haven't remotely exhausted their options in this regard, so basically there's no need to worry.

Also, perhaps I should point out to you that literally nothing you do in computing is 'fundamentally memory hard'. You can always exchange memory usage for CPU time (because whatever you save in memory, you could also just re-calculate whenever you need it again). That's one of the basics of computer science.
So the question isn't whether an algorithm is 'fundamentally' memory-hard (a concept that doesn't exist), but whether it is memory-hard in practice, i.e. whether there is a practical method to use much less memory while using not much more CPU time. That's why it can be sufficient to remove such a practical method with a minor fix. And that's why, once such a method is fixed, we are back to square one and there is no way of reducing the memory consumption of the MTP algorithm without blowing up computation time by an unreasonable factor – too large to make ASICs feasible.

[mjosephs]

A few pages back on this thread you'll see MTP was exposed as fundamentally not memory hard by disgruntled a miner developer who complained of inexplicable code changes

I think you misunderstood something there, too. mjosephs was frustrated about the existence of the time-memory-tradeoff attack vector in the first place,

I think you misunderstood something there.  The existence of the time-memory tradeoff attack in no way frustrates me; as a matter of fact reading the Dinur+Nadler paper was quite an enjoyable experience.

I should point out to you that literally nothing you do in computing is 'fundamentally memory hard'. You can always exchange memory usage for CPU time (because whatever you save in memory, you could also just re-calculate whenever you need it again). That's one of the basics of computer science.

This is incorrect; you are confused about what "memory-hard" means.  The definition is given on page 3 of  Stronger Key Derivation Via Sequential Memory-Hard Functions by Colin Percival:

Definition 1. A memory-hard algorithm on a Random Access Machine is an algorithm which uses S(n) space and T(n) operations, where S(n) ∈  Ω(T(n)^1−𝜀).

There are plenty of functions in this class.  The fact that you can "exchange memory usage for CPU time" does not mean a function is not memory-hard.