Bitcoin Forum
Author Topic: Zerocoin: Anonymous Distributed E-Cash from Bitcoin  (Read 37795 times)
Stampbit
April 13, 2013, 09:25:25 PM
 #21

It won't be anonymous once you start pulling it out.
gmaxwell
April 13, 2013, 11:37:12 PM
 #22

Quote
Would it be wise to implement "stronger" anonymity in bitcoin?

This has been asked before— and I think it's an important question. We shouldn't just assume that any feature is good.

After extensive consideration, I think I can answer this with an emphatic "Yes". Without good anonymity the fungibility of Bitcoin can be substantially degraded. The road to fungibility loss is paved with good intentions, but the end result makes Bitcoin less useful as money. "We're really sure that _this_ bitcoin was stolen" ... "We're quite confident that this person is bad" ... but if Bitcoin is to be trustworthy you must never have reason to feel that you'll wake up on the wrong side of a Kafkaesque heuristic, or that you'll have to fight for what is rightfully yours even if there is due process, having to defend yourself means you already lost.

I believe that the ultimate social good that comes out of weaker anonymity for Bitcoin-like activity is fairly limited: Bad guys will generally figure out good ways around the lack of transaction anonymity, but still get caught based on their other activities even when transactions are strongly private. The harms from not having good anonymity— the losses of privacy, the danger to fungibility— hurt everyone.

Then there is the question of should it be in the system or outside of it. If we ignore the implementation cost, I think here again the answer is emphatically that it should be inside the system: Putting it outside greatly reduces its effectiveness. But right now implementation costs are non-trivial and so I don't think there is much of a question of including it in the system— and, if people build it outside of the system: we can't stop them even if we were to agree that it were a bad thing.
 
Stampbit
April 13, 2013, 11:57:00 PM
Last edit: April 14, 2013, 12:26:52 AM by Stampbit
 #23

Bitcoin is only accountable because you typically have to put money into it to use it. Are the miners accountable? Could a miner be traced to his IP if he used his mined coin to commit a crime?
Mike Hearn
April 14, 2013, 08:43:29 PM
 #24

Yeah, this is definitely an important and interesting question. The not totally invincible nature of Bitcoin's privacy certainly makes conversations with LE a bit easier (I've had a couple of conversations with UK LE already and want to have more at the conference).

I think it's really important to understand that privacy and anonymity are not really the same thing. If I send money to or from Mt Gox, then I've probably had to go through KYC and I'm not anonymous to them (or you), but that transaction is still private - you can't find out I did it from the block chain. It might seem like an academic point but people have very different emotional reactions to privacy (good!) vs anonymity (scary!).

Bitcoin should seek to provide privacy. It's unacceptable that someone might earn their salary in Bitcoins and then have a colleague discover their income by analysing the block chain. That's actually the kind of privacy leak that tends to bother people most in their everyday life; most people aren't trying to make an enemy of their own governments. But at the same time, we should make it easy for people to prove their identities to each other, mostly because this can help grease the wheels of trade. Zero trust protocols are great when you can make them work, but it's often quite tricky and taking personal legal responsibility for your actions is a model everyone is already familiar with.

The payment protocol takes us one step in that direction: it lets merchants identify themselves to customers if they want to, and that's very useful for hardware wallets like Trezor that assume a compromised host. For person-to-person trades it's harder. Unfortunately governments have largely let us down here. Most governments don't issue convenient personal certificates/keypairs, Estonia being one country that's ahead of the curve. One of the things I want to explore is whether the RFID passports that have been issued over the last 10 years can be re-used outside of the border control system; I rather suspect the answer is no but it's worth checking out. I'd like to be able to sign my own payment requests with my identity so if the entity paying me has a malware-infected host and a hardware wallet, they can still pay me successfully. I think this is a good point to bring up with governments - they insist on AML and strong ID verification but then insist on archaic standards like "scan of passport + utility bill", which is shoddy. If they're going to complain about Bitcoin then I think we have a right to complain about their lack of a real citizen PKI :)

Right now bitcoinj has woeful privacy, we've spent our time optimising performance and reliability of backups rather than that. But in future I'd hope we can make some of the improvements I listed above. It will help ordinary people a lot, and I don't think it'd make much difference to LE investigations. The thing that'd help them the most is people knowing who they're trading with, so they can try and "follow the money" by getting the relevant warrants for each step in the chain.
mjosephs
April 15, 2013, 12:24:35 PM
 #25

Quote
people have very different emotional reactions to privacy (good!) vs anonymity (scary!).

You're confusing your employer with humankind in general.

Peter Todd
April 15, 2013, 01:06:04 PM
 #26

Quote
people have very different emotional reactions to privacy (good!) vs anonymity (scary!).
You're confusing your employer with humankind in general.

There isn't really a difference between privacy and anonymity. Rather the difference is between the weaker privacy from individuals spying on you, and stronger privacy from corporations and governments spying on you. Google's services tend to provide the former, but almost never provide the latter, and if anything usually make obtaining the latter much more difficult than it could be.

tl;dr: Anonymity is simply the strongest form of privacy.

passerby
April 15, 2013, 04:45:19 PM
 #27

Quote
Would it be wise to implement "stronger" anonymity in bitcoin?
This has been asked before— and I think it's an important question. We shouldn't just assume that any feature is good.

After extensive consideration, I think I can answer this with an emphatic "Yes". Without good anonymity the fungibility of Bitcoin can be substantially degraded. The road to fungibility loss is paved with good intentions, but the end result makes Bitcoin less useful as money. "We're really sure that _this_ bitcoin was stolen" ... "We're quite confident that this person is bad" ... but if Bitcoin is to be trustworthy you must never have reason to feel that you'll wake up on the wrong side of a Kafkaesque heuristic, or that you'll have to fight for what is rightfully yours even if there is due process, having to defend yourself means you already lost.

I believe that the ultimate social good that comes out of weaker anonymity for Bitcoin-like activity is fairly limited: Bad guys will generally figure out good ways around the lack of transaction anonymity, but still get caught based on their other activities even when transactions are strongly private. The harms from not having good anonymity— the losses of privacy, the danger to fungibility— hurt everyone.

Then there is the question of should it be in the system or outside of it. If we ignore the implementation cost, I think here again the answer is emphatically that it should be inside the system: Putting it outside greatly reduces its effectiveness. But right now implementation costs are non-trivial and so I don't think there is much of a question of including it in the system— and, if people build it outside of the system: we can't stop them even if we were to agree that it were a bad thing.
 

1) I think that the in vivo experiment known as the Silk Road demonstrates, convincingly, that "properly used Bitcoin" has very strong anonymity.

Yes, it is not perfect, but so far, a motivated and resourceful attacker appears to be unable to "dox" a major, publicly known pseudonymous player.

2) If your concern is fungibility, then Zerocoin-like systems - not just this particular implementation with massive proofs and pruning issues, but basically any system that requires formation of "fixed-denomination" non-fungible "tokens" with fixed BTC value - would not appear to be acceptable solutions.
Since they outright break fungibility.

Besides, any system that involves special "anonymize me this 1.00 BTC" transaction types could hurt fungibility along the same lines as you describe (a cautious vendor might not accept a coin that is less than N transactions away from an obvious "anonymizing event").

Me?
I think that the problem of "banned coins" is more of a legal and social issue rather than a technological one.
And so far, the bitcoin "ecosystem" has been handling this problem rather well, so perhaps it would be wise to refrain from fixing something that is, from available evidence, not broken.

So far, bitcoin has been choosing its fights fairly well, and gained a modicum of mainstream acceptance, including acceptance by regulatory authorities.

I am not convinced a "100% hardcore anon-coin" could enjoy such (even cash is relatively traceable, one doesn't even have to be a government to track a paper note).

Also, there is the issue of current investors and supporters (miners, merchants, service providers) - many of them may suffer various degrees of inconvenience if bitcoin announces a "full anonymity protocol extension" since that might prompt their local authorities to take a much closer look at their business, which is something they might not entirely appreciate.

I am all for the world having a "full-anon decentralized cryptographic payment system".
But since I think such a system would have a harder time gaining mainstream acceptance, I am not convinced that bitcoin should be this system.
Perhaps bitcoin should stay strongly pseudonymous, to facilitate... how to put it... backwards compatibility with various regulatory bodies? :)

Mike Hearn
April 15, 2013, 05:02:02 PM
 #28

Could you guys stop bringing Google up? It's both irrelevant and offensive - as if I don't have or don't speak my own mind.

Privacy and anonymity are absolutely different things. It is possible to be anonymous and yet lack privacy. For example, if Satoshi cashed out all at once, we'd know this immediately even though we do not know anything about him.
marcus_of_augustus
April 15, 2013, 10:33:53 PM
 #29

Quote
2) If your concern is fungibility, then Zerocoin-like systems - not just this particular implementation with massive proofs and pruning issues, but basically any system that requires formation of "fixed-denomination" non-fungible "tokens" with fixed BTC value - would not appear to be acceptable solutions.
Since they outright break fungibility

I think you are confusing fungibility with divisibility.

gmaxwell's points about enhanced fungibility due to strong anonymity are correct ... and are not widely appreciated.

You are correct that fixed-denomination tokens are not as divisible, but this is a simple technical matter of choosing the smallest denomination that makes sense in terms of value. E.g. if we had a system that dealt with strongly anonymous satoshis as the fundamental unit it would be functionally equivalent as a money to bitcoin as it is now.

gigabytecoin
April 15, 2013, 10:40:57 PM
 #30

http://www.reddit.com/r/ZeroCoin is up and running for any interested redditors.
Peter Todd
April 15, 2013, 11:08:56 PM
 #31

Quote
http://www.reddit.com/r/ZeroCoin is up and running for any interested redditors.

Are you involved with ZeroCoin directly?

Just to be clear, ZeroCoin is not going to be implemented in Bitcoin in its current form - it's just too inefficient right now. Don't get me wrong, it's a great idea and some great crypto, but it's a proof-of-concept and they still have a lot more work to do in making it efficient enough to be practical. It could easily be years before it can become a part of Bitcoin proper, if ever.

Creating a sub-reddit now is premature and just makes ZeroCoin look like vaporware to the general public.

evoorhees
April 16, 2013, 12:05:06 AM
 #32

Quote
My point is that it doesn't require a trusted third party. Yes they seem horribly naive (academics usually are). A privacy "coin" where the govt has the backdoor key has essentially no utility. Bitcoin's pseudo-anonymous capabilities are more than sufficient for "casual anonymity" (not wanting your wife to know where you spend your money). Anyone interested in something stronger isn't going to be ok with backdoors.

You guys need to read between the lines.  The authors are in the awkward position of explaining a way to make Bitcoin anonymous. They need a way to say, "see this could be set up so that the government could audit it" because this provides the "moral cover" to prepare the research in the first place.

But if you read between the lines, they've released the method for making this without such a backdoor, and that's all that matters.
marcus_of_augustus
April 16, 2013, 12:42:24 AM
 #33

Quote
My point is that it doesn't require a trusted third party. Yes they seem horribly naive (academics usually are). A privacy "coin" where the govt has the backdoor key has essentially no utility. Bitcoin's pseudo-anonymous capabilities are more than sufficient for "casual anonymity" (not wanting your wife to know where you spend your money). Anyone interested in something stronger isn't going to be ok with backdoors.

You guys need to read between the lines.  The authors are in the awkward position of explaining a way to make Bitcoin anonymous. They need a way to say, "see this could be set up so that the government could audit it" because this provides the "moral cover" to prepare the research in the first place.

But if you read between the lines, they've released the method for making this without such a backdoor, and that's all that matters.

That's what it looked like to me also. It is a sad state of affairs when researchers cannot investigate new ways of doing things without the chilling effect of "what will the fed/govt think?" It seems even freedom of thought is under threat.

gigabytecoin
April 16, 2013, 03:33:38 PM
 #34

Quote
http://www.reddit.com/r/ZeroCoin is up and running for any interested redditors.

Are you involved with ZeroCoin directly?

Just to be clear, ZeroCoin is not going to be implemented in Bitcoin in its current form - it's just too inefficient right now. Don't get me wrong, it's a great idea and some great crypto, but it's a proof-of-concept and they still have a lot more work to do in making it efficient enough to be practical. It could easily be years before it can become a part of Bitcoin proper, if ever.

Creating a sub-reddit now is premature and just makes ZeroCoin look like vaporware to the general public.

It's never too early to start a conversation.
passerby
April 16, 2013, 07:39:43 PM
 #35

Quote
2) If your concern is fungibility, then Zerocoin-like systems - not just this particular implementation with massive proofs and pruning issues, but basically any system that requires formation of "fixed-denomination" non-fungible "tokens" with fixed BTC value - would not appear to be acceptable solutions.
Since they outright break fungibility

I think you are confusing fungibility with divisibility.

gmaxwell's points about enhanced fungibility due to strong anonymity are correct ... and are not widely appreciated.

You are correct that fixed-denomination tokens are not as divisible, but this is a simple technical matter of choosing the smallest denomination that makes sense in terms of value. E.g. if we had a system that dealt with strongly anonymous satoshis as the fundamental unit it would be functionally equivalent as a money to bitcoin as it is now.

Ah indeed, my bad - that's what I get for posting w/o caffeine ;D

However, I do believe that part of my point still stands.

In any system where anonymity is achieved along the lines of
[classic BTC-style TX -> classic BTC-style TX -> "weird" high-anonTX -> :-X -> ??? -> classic BTC-style TX]

fungibility may start failing the same way it could start failing in BTC now.

Merchfolk could begin refusing to accept coins which appear directly related to the "weird high-anonTX"
Rassah
April 16, 2013, 08:22:10 PM
 #36

So, when should we start to prepare for another hard-fork? (please please please make something like this happen?)

I'm actually surprised that something as prestigious as Johns Hopkins would even consider Bitcoin as an interesting idea, let alone have a research project to actively try to improve it. (they're a direct rival to my alma mater, too)
passerby
April 16, 2013, 08:52:24 PM
 #37

Why not? Bitcoin is cryptographically interesting, and so is the challenge of "distributed anonymity" - I say prime JH material.
marcus_of_augustus
April 16, 2013, 10:29:13 PM
 #38

Quote
In any system where anonymity is achieved along the lines of
[classic BTC-style TX -> classic BTC-style TX -> "weird" high-anonTX -> :-X -> ??? -> classic BTC-style TX]

fungibility may start failing the same way it could start failing in BTC now.

Merchfolk could begin refusing to accept coins which appear directly related to the "weird high-anonTX"

Yep this is correct.

It is not an easy problem ... excellent material for JH in other words.

jml
April 16, 2013, 11:26:33 PM
 #39

I have read the papers on Satoshi (Bitcoin) and Miers (Zerocoin) but they don't seem to be published in any reputable conference. Is there any reason why or is it that there are no conferences for this type of research?

"Everything is a matter of degree"
jml
April 16, 2013, 11:49:18 PM
 #40

Quote
This is the first thing written about Bitcoin that's been worth reading in quite a while.

ByteCoin

I actually did find the Bitcoin summary (Section 2) easier to understand than the original bitcoin paper by Nakamoto.

"Everything is a matter of degree"