It sounds like ZeroCoin v2 eliminates one major criticism, that of bloat.
I guess we have to see it first. I hope they are going to publish the crypto before the alt, presumably because the zerocoin v1 paper came out long before the library.
But engineering hurdles remain:
1. Requires a hard fork
2. Any requirement that all transactions participate in mixing is a non-starter. Some payment schemes bootstrap trust by intentionally being non-private, showing their bitcoin holdings and bitcoin payments with provable digital signatures.
Any forced 100% privacy scheme that prevented opt-in auditing would make life difficult for some existing users, who place value in the transparency of the system.
I think fungibility guarantee via coin anonymity is the right thing to do, as the strongest form of fungibility is cryptographically enforced fungibility.
But I think user privacy is orthogonal to coin fungibility. I can prove my identity while sending an anonymous fungible coin, or not, as I choose; if the coin is cryptographically fungible I have a choice. As it is with bitcoin I have limited choice because the coin leaks linkages.
Usually if you have anonymity as a building block users can opt to disclose and prove, because the anonymity will also have keys and the user can publish their keys. So I think it likely that opt-in public association of an identity with specific coins, or maybe with an unlinkable but validatable amount of coins, would be technically available, and I can see it's a useful feature, so it should be made an option for users. (E.g. to prove they have the bitcoins they claim to be holding for users, or to disclose the amount of donations received.)
About privacy, in my view bitcoin is a bit too open, which I think is not so much by design, but because it's difficult to have privacy and the auditability SPV operation needs, because miners need to validate, and to validate they need to see amounts and transfer histories. (Hence the interest in zerocoin and zerocoin2.) Without needing to support SPV clients one could do committed-tx and it would be a step forward.
I think ideally transacting parties should be able to choose the level of privacy from each other and from the public. E.g. pseudonymous to each other but private to the public. Or identified seller (because it's a regulated business) and identified business (because the user needs to validate the reputation of the seller), but private from the public. In the event of a need to reveal more detail to selected other parties, or to the public to prove good faith, they should also be able to do that, e.g. by publishing some keys.
In this way policing can be done by asking for information from transacting parties. And demonstrating openness (e.g. for donations, charities, public companies) can be done by publishing keys. And financial auditing can be done by a charity or company giving their accountant or auditor keys to view their transactions (but not necessarily the sender identity).
There are also privacy preserving forms of auditing. E.g. homomorphic values can still allow anyone to audit that values add up, and yet hide amounts and/or keep the payer pseudonym unknown (close to single use addresses but slightly stronger privacy).
So I think if we can get a cryptographically private, efficient, distributed coin with conservative security for the coin anonymity/fungibility layer then we are golden. We can engineer/architect the selective disclosure, selective identity and different privacy concepts to dovetail with transacting party wishes. I would say bitcoin should not make any global rule about maximum allowed privacy, because rules are different in different countries. Rather payments should be private between the transacting parties, and it is up to the transacting parties to keep records and answer requests for information disclosure, and to provide identity to regulated businesses in their respective jurisdictions.
But it's hard to get the efficient, distributed and private ecash; that's so far proving to be another triangle thing, like pick 2: efficient, distributed, private.
So let's have a look at what we have:
- bitcoin (efficient, distributed, but taintable privacy)
- Chaum or Brands ecash (efficient, cryptographic privacy, but centralized)
- coinjoin (efficient, distributed, smudged taint privacy)
- opentransactions (efficient, cryptographic private, limited redundancy)
- committed-tx (efficient, private except parties see payment history, decentralized but no SPV)
- zerocoin v1 (private, decentralized, but inefficient)
- holygrail (efficient, distributed, cryptographic privacy)
We have to see how zerocoin v2 stacks up. Another risk point can be bleeding edge crypto that hasn't seen 10 years of review. Things with security proofs have been broken before. Hardness assumptions for new things sometimes erode or slip.
Adam
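The homomorphic auditing sketched in the message above (anyone can check that committed values add up while the amounts stay hidden, and an auditor who is handed the blinding keys can open specific commitments) as an added example that is not part of the original thread or of any project named in it: Pedersen commitments in the order-Q subgroup of Z_P^* for a safe prime P. The group size, generators, amounts and blinding keys are all constructed for the demo.

```python
import hashlib
import random
from math import prod

def is_probable_prime(n):
    """Miller-Rabin with fixed bases, so the group setup below is deterministic."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def find_safe_prime(start):
    """Smallest safe prime P = 2Q + 1 with Q >= start; squares mod P form a group of order Q."""
    q = start | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q

P, Q = find_safe_prime(1 << 127)  # demo-sized group; a deployment would use a standard group
G = 4  # 2^2 is a square mod P, so it generates the order-Q subgroup
# Second generator from a hash (nothing up my sleeve): nobody knows log_G(H), so commitments bind
H = pow(int.from_bytes(hashlib.sha256(b"pedersen-H").digest(), "big") % P, 2, P)

def commit(amount, blind):
    """Pedersen commitment C = G^amount * H^blind mod P: hides amount, binds to it."""
    return pow(G, amount, P) * pow(H, blind, P) % P

def balances(input_commits, output_commits):
    """Public check: products agree iff the amounts (and blinds) sum equally, amounts unseen."""
    return prod(input_commits) % P == prod(output_commits) % P

def demo_transaction():
    rng = random.Random(7)  # fixed seed only so the demo is reproducible
    ins = [(50, rng.randrange(Q)), (30, rng.randrange(Q))]  # (amount, blinding key)
    r0 = rng.randrange(Q)
    outs = [(65, r0), (15, (ins[0][1] + ins[1][1] - r0) % Q)]  # last blind makes blinds balance
    in_c, out_c = [commit(a, r) for a, r in ins], [commit(a, r) for a, r in outs]
    audit_ok = all(commit(a, r) == c for c, (a, r) in zip(out_c, outs))  # auditor given keys
    inflated = [commit(66, r0), out_c[1]]  # 81 out vs 80 in: product no longer matches
    return balances(in_c, out_c), audit_ok, balances(in_c, inflated)
```

A deployed scheme also needs range proofs so that a hidden amount cannot be negative modulo Q, which this demo leaves out.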