Bitcoin Forum
Author Topic: Zerocoin: Anonymous Distributed E-Cash from Bitcoin  (Read 37798 times)
runeks (OP)
April 12, 2013, 10:41:23 PM
#1

Let's discuss this paper: http://spar.isi.jhu.edu/~mgreen/ZerocoinOakland.pdf

What are your thoughts on this? I don't understand a lot of the technical stuff in the paper, so I'm interested in hearing your opinions.

Quote
Abstract—Bitcoin is the first e-cash system to see widespread
adoption. While Bitcoin offers the potential for new types of
financial interaction, it has significant limitations regarding
privacy. Specifically, because the Bitcoin transaction log is
completely public, users’ privacy is protected only through the
use of pseudonyms. In this paper we propose Zerocoin, a
cryptographic extension to Bitcoin that augments the protocol
to allow for fully anonymous currency transactions. Our system
uses standard cryptographic assumptions and does not introduce
new trusted parties or otherwise change the security model of
Bitcoin. We detail Zerocoin’s cryptographic construction, its
integration into Bitcoin, and examine its performance both in
terms of computation and impact on the Bitcoin protocol.

behindtext
April 12, 2013, 11:01:29 PM
#2

I gave the paper a read and it is indeed interesting.

The complexity of the scheme is high and it has large tx sizes. Feels a bit overkill.

Binford 6100
April 12, 2013, 11:23:14 PM
#3

Quote
the complexity of the scheme is high and has large tx sizes. feels a bit overkill

It is targeting a much smaller audience; the size is in this case not an issue.
The data of the zerocoin public dashboard do not have to be preserved the same way as the blockchain.

You can't build a reputation on what you are going to do.
Sergio_Demian_Lerner
April 12, 2013, 11:24:04 PM
#4

The most important reason why this will never be used over Bitcoin is that it requires a TRUSTED THIRD PARTY to create the initial parameters. This TTP could, in theory, trace any coin in circulation. So how will the Bitcoin community choose this TTP?

Why not let the FDIC be this TTP? Oh, yes... this is not the Bitcoin philosophy.

PS: I designed a protocol that does not have this problem (but has another, less important weakness), but well, it was never published, so Matthew Green deserves much credit. I hope I can publish it soon...

I will post more about Matt's protocol shortly, when I finish checking it...

Sergio.

DeathAndTaxes
April 12, 2013, 11:31:44 PM
#5

The zerocoin paper doesn't indicate a trusted third party; actually, it indicates the exact opposite.
ByteCoin
April 12, 2013, 11:33:30 PM
#6

This is the first thing written about Bitcoin that's been worth reading in quite a while.

ByteCoin
Stampbit
April 12, 2013, 11:41:59 PM
#7

Neat, so this is the replacement for mixers.
Sergio_Demian_Lerner
April 12, 2013, 11:43:01 PM
#8

Quote
The zerocoin paper doesn't indicate a trusted third party actually it indicates the exact opposite.

PAGE 3, first column:

"With no trusted parties, the accumulator and its associated witnesses must be publicly computable and verifiable (though we are willing to relax this requirement to include a single, trusted setup phase in which parameters are generated)."

PAGE 4, second column:

"We note that the Setup routine may be executed by a trusted party"

The point is that by choosing RSA as the crypto function, they require a TTP.

Maybe it could be adapted to another crypto function, but that would change all the procedures, since they use the internal mathematical properties of RSA.


DeathAndTaxes
April 12, 2013, 11:46:00 PM
#9

My point is that it doesn't require a trusted third party. Yes, they seem horribly naive (academics usually are). A privacy "coin" where the govt has the backdoor key has essentially no utility. Bitcoin's pseudo-anonymous capabilities are more than sufficient for "casual anonymity" (not wanting your wife to know where you spend your money). Anyone interested in something stronger isn't going to be OK with backdoors.
Sergio_Demian_Lerner
April 12, 2013, 11:49:20 PM
#10

Sorry about the Off-topic: If someone out there wants to write/implement my proposal for an anonymity layer for Bitcoin, and has in depth knowledge of crypto and math, then I'd gladly co-author the paper on APPECoin...
Sukrim
April 13, 2013, 12:29:14 AM
#11

Quote
This is the first thing written about Bitcoin that's been worth reading in quite a while.

ByteCoin
http://jheusser.github.io/2013/02/03/satcoin.html is also an interesting read, even though it might not help much with actual Bitcoin development.

I also love this paper here though; great that people start thinking of new ways to make Bitcoin useful for some special purposes!

https://www.coinlend.org <-- automated lending at various exchanges.
https://www.bitfinex.com <-- Trade BTC for other currencies and vice versa.
marcus_of_augustus
April 13, 2013, 12:42:00 AM
#12

Important work. Also, if bitcoin does not adopt a robust privacy strategy, it risks that another alt-coin will gain a competitive first-mover advantage for what I consider to be an extremely desirable (marketable) property for monetary instruments.

grondilu
April 13, 2013, 12:55:35 AM
#13

Seems complicated, but also looks like serious work.  I will need some time to understand it.

It seems to me they overestimate the need for full anonymity, though.

Luckybit
April 13, 2013, 02:17:55 AM
#14

Quote
Let's discuss this paper: http://spar.isi.jhu.edu/~mgreen/ZerocoinOakland.pdf

What are your thoughts on this? I don't understand a lot of the technical stuff in the paper, so I'm interested in hearing your opinions.

Quote
Abstract—Bitcoin is the first e-cash system to see widespread
adoption. While Bitcoin offers the potential for new types of
financial interaction, it has significant limitations regarding
privacy. Specifically, because the Bitcoin transaction log is
completely public, users’ privacy is protected only through the
use of pseudonyms. In this paper we propose Zerocoin, a
cryptographic extension to Bitcoin that augments the protocol
to allow for fully anonymous currency transactions. Our system
uses standard cryptographic assumptions and does not introduce
new trusted parties or otherwise change the security model of
Bitcoin. We detail Zerocoin’s cryptographic construction, its
integration into Bitcoin, and examine its performance both in
terms of computation and impact on the Bitcoin protocol.
This already exists, it's reinventing the wheel.
zakoliverz
April 13, 2013, 04:34:41 AM
#15

Not sure how cryptocurrency is any less legitimate than actual cash; the only real difference is that it's not centralized and inflatable like a government-made currency.
gmaxwell
April 13, 2013, 07:19:29 AM
#16

My initial read of their paper was interesting, but it was two to three orders of magnitude more resource intensive than would be required to make it actually viable.  ... This is still impressive since 1000x too big/slow is still way better than infinite, which was the best alternative I had for something that was actually decentralized.

(The lay explanation of Bitcoin was _meh_ as it glosses over the blockchain which is the only really novel and somewhat non-obvious part of the system at large)

My greatest concerns were: 50Kbyte transactions with 0.5 second validation time, stored in a step-2-then-a-miracle-occurs (DHT, presumably an attack resistant one created by unicorns), with a cryptographic accumulator which grows without bound and can't be pruned like the block-chain or compactly zero-trust queried like the UTXO can if we add a committed UTXO tree.

Something like this could be used in an external system and tied in via N of M multisig, and the authors acknowledge that, but if you're going to accept a (distributed) point of trust for that, a Chaum-token-like service can be constructed that is less computationally and bandwidth intensive than this.

On the plus side— approaches can only get better.
Mike Hearn
April 13, 2013, 02:56:08 PM
#17

I reviewed this paper back in early March. Matthew Green's blog post more or less echoes the feedback I gave them back then (in particular, their understanding of the performance requirements of verification was badly incorrect). I also mentioned the difficulty of implementing it in SPV clients and the overall complexity of the scheme.

Overall, I think the plan we've been working towards for privacy will work better, or at least is more deployable. But it's great to see this kind of research - as Gregory says, these algorithms only ever get better.
runeks (OP)
April 13, 2013, 03:13:09 PM
#18

Nice to hear some opinions on this. Doesn't look very promising based on looking at your feedback.

I agree that true anonymity is nice to have, but it must be able to accommodate the space limitations of the block chain. As far as I can see, the greatest concern is transaction size. Going from 200 bytes to 50 kilobytes is simply not worth it.

Quote
Overall, I think the plan we've been working towards for privacy will work better, or at least is more deployable. But it's great to see this kind of research - as Gregory says, these algorithms only ever get better.
What plan would that be?
Mike Hearn
April 13, 2013, 03:16:50 PM
#19

You know ... the master plan.

Just kidding. It's more like how I imagine things playing out combined with the existing work that we're doing. Here's what I sent to the ZeroCoin guys when I reviewed their paper:

Quote
Anyway, from our perspective all this leads to the following question - is there a way to resolve the privacy issues inherent in a public block chain without using any cryptographic constructs invented in the last ten years?

This is obviously a topic we've discussed a lot in the dev community. Right now, we're sort of slowly evolving towards a plan that looks like this:
  • Break the one payment == one transaction relationship by introducing a notion of a payment protocol, a layer above the P2P protocol for people to request payment to multiple sets of outputs (not just one as in a regular pay to address) and then the payer to upload more than one transaction direct to the receiver.
  • Teach wallet software how to avoid combining outputs together when possible - if you have three 5-coin outputs in three different transactions, and you want to pay someone 15 coins, you should be doing that with another three transactions rather than a single transaction that combines all three.
  • Make sure address re-use is rare and discouraged, e.g., possibly with a change to the default miner priority rules. Right now address re-use is more common than it should be for a bunch of reasons; deterministic wallets are our preferred solution to this.
  • Teach wallets to de/refragment outputs into coins of somewhat consistent sizes - you mention such a thing for ZeroCoins too, but if payments become multiple independent transactions that move coins of various denominations, the linkage issues become much less of an issue, especially if people can tolerate those transactions being spread out over several blocks.

Also, over time we might want to look at integrating p2p mixing protocols into the core p2p protocol, so if a bunch of users have their wallets open and online then they can rendezvous with each other and build a single transaction that has 10 inputs from the different wallets, and >10 outputs that redistribute that value back to the users, such that you don't know which inputs correspond to which outputs. If wallets are collectively trying to keep their output sizes somewhat round and there are enough users doing this, the mix transactions can add anonymity and it can be done in the background in a zero-trust way (no need to trust mixing services). But this is a long term project. There are much higher priorities right now.
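The second and third bullets of the quoted plan (fund each output from a single coin instead of merging unrelated inputs, and never reuse a change address) are easy to get wrong in a wallet's coin selection. The following is an added illustration in Python, not code from Bitcoin, bitcoinj or any wallet Mike Hearn describes; the fee constant, the `Utxo`/`Tx` containers and the `change-N` address placeholder are constructed for the example, and a real deterministic wallet would derive a fresh key where `fresh_change_address` returns a string.

```python
from dataclasses import dataclass
from itertools import count

COIN = 100_000_000           # satoshis per bitcoin
FEE = 10_000                 # constructed flat fee per transaction (illustration only)


@dataclass(frozen=True)
class Utxo:
    txid: str
    vout: int
    value: int               # satoshis


@dataclass
class Tx:
    inputs: list             # Utxo objects being spent
    outputs: list            # (address, value) pairs


_change_counter = count(1)


def fresh_change_address():
    """Placeholder for deriving the next unused key of a deterministic wallet."""
    return f"change-{next(_change_counter)}"


def plan_payment(utxos, requested, fee=FEE):
    """Turn a multi-output payment request into independent transactions.

    requested: list of (address, value) outputs the payee asked for, as a
    payment protocol would allow. Preference order for each output:
      1. the smallest single coin that covers value + fee, so inputs from
         unrelated transactions are never linked together;
      2. only if no single coin suffices, combine coins, largest first.
    Every transaction with change gets its own never-used change address.
    """
    available = sorted(utxos, key=lambda u: u.value)   # ascending copy; utxos untouched
    txs = []
    for addr, value in requested:
        need = value + fee
        single = next((u for u in available if u.value >= need), None)
        if single is not None:
            available.remove(single)
            inputs = [single]
        else:
            inputs, total = [], 0
            while total < need and available:
                u = available.pop()          # largest remaining coin
                inputs.append(u)
                total += u.value
            if total < need:
                raise ValueError("insufficient funds for output %r" % (addr,))
        total = sum(u.value for u in inputs)
        outputs = [(addr, value)]
        change = total - need
        if change > 0:
            outputs.append((fresh_change_address(), change))
        txs.append(Tx(inputs, outputs))
    return txs


def max_inputs_linked(txs):
    """Largest number of inputs any one transaction ties together (1 is ideal)."""
    return max(len(t.inputs) for t in txs)


if __name__ == "__main__":
    # Constructed wallet: three 5-coin outputs from three unrelated transactions.
    wallet = [Utxo("txa", 0, 5 * COIN), Utxo("txb", 0, 5 * COIN), Utxo("txc", 1, 5 * COIN)]
    # Mike's example: paying ~15 coins as three outputs becomes three separate transactions.
    for tx in plan_payment(wallet, [("payee", 49 * COIN // 10)] * 3):
        print([u.txid for u in tx.inputs], tx.outputs)
```

Running the block shows each of the three transactions spending exactly one coin with a distinct change address; an observer cannot use the common-input-ownership heuristic to tie `txa`, `txb` and `txc` to one wallet. Requesting a single 12-coin output instead forces the fallback path, which is exactly the linkage the plan tries to avoid and is why the fourth bullet (keeping coin sizes consistent) matters.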
passerby
April 13, 2013, 06:06:07 PM
#20

Okay, first, some specific comments I would like to make about other people's comments:

Quote
My point is that it doesn't require a trusted third party.  Yes they seem horrible naive (academics usually are).  A privacy "coin" where the govt has the backdoor key has essentially no utility.  Bitcoin's pseudo-anonymous capabilities are more that sufficient for "casual anonymity" (not wanting your wife to know where you spend your money).  Anyone interested in something stronger isn't going to be ok with backdoors.

If I understand correctly, trapdoor params during accumulator setup do not give you the ability to "deanonymize everyone forever"; they do, however, give you the ability to forge as many zerocoins as you care to, which is bad.
However, the paper mentions something called RSA UFO (it's right over my head. Badum-tish) that allows the developer to set up the accumulator without learning the "sensitive numbers" and thus not gaining any kind of anonymity-destroying or coin-forging "superpowers".


Quote
My greatest concerns were: 50Kbyte transactions with 0.5 second validation time, stored in a step-2-then-a-miracle-occurs (DHT, presumably an attack resistant one created by unicorns), with a cryptographic accumulator which grows without bound and can't be pruned like the block-chain or compactly zero trust queried like the UTXO can if we add a commuted UTXO tree.

Unless I greatly misunderstand, it is not the accumulator per se that is infinitely bloatable, but the "mint" and "spend" records that can't be pruned.
Which kind of sucks, unless some way to prune them without enabling double-spends is found.

As to storage, the article, if I understand correctly, specifies that the z-coin transactions can be stored anywhere, from blockchain to DHT to unicorns.

A bit of speculative commentary (IANAP/IANAC):

The article mentions that Schnorr group parameters can expire, and will have to be reset/regenerated, but states that it's not a problem since "oldtimer" zerocoins can be transformed into fresh ones.

However, I wonder if one could modify the constructs used so that old zerocoins will not be "transformable" into "new" zerocoins upon Schnorr group parameter expiration, thus unspent "oldtimer" zerocoins becoming essentially lost.

It might reduce convenience / anonymity (since you would have a limited time to spend the zerocoins) but since zerocoin is very explicitly an anonymous transaction system and not a value store, and since the "parameter expiration" can be pretty long in terms of human time and might even be leveraged to actually improve plausible deniability (script to spend all my zerocoins into bitcoins when expiration is near, as part of mainline client), it might be acceptable if it allows for pruning the z-coin DB (and why not prune records that are explicitly and irrevocably expired? )

Now, on to a more general (and more controversial) topic

At the risk of getting stoned (and not in a nice way), I would like to bring up a certain question:

Would it be wise to implement "stronger" anonymity in bitcoin ?

Bitcoin, as it stands, is strongly pseudonymous.

Under reasonably careful use, it has just enough anonymity to discourage casual peeping toms and minor LEA investigations.
Under very careful use, it can probably protect the user from a considerable investigative effort.
It is, obviously, not "absolute" though.

However, it not being "absolute" lends it properties that make it more backwards-compatible with existing monetary system, and more palatable to "average pointy-haired legislator" (and even despite not being all that untraceable, Bitcoin is catching some misguided flak as being a "criminal's currency")

Given that the seemingly apparent aspiration of the project (correct me if I am wrong) is to establish a widely accepted digital "commodity money" that would be free from human monetary policy meddling and forced seizure (kind of like digital gold money), "hardcore no-holds-barred" anonymity might actually be counterproductive in the long term, since it would impede wide-scale merchant and institutional adoption (many investors might choose to steer clear if you start signalling that you are, essentially, trading a "Los Zetas derivative").

Current Bitcoin's condition of being "strongly pseudonymous" and "never forgetting" could be a sweet spot that gives average and above-average Joe just enough obfuscation to make invading their privacy too costly and time consuming while still being auditable enough to appeal to mainstream finance and large merchants.

Moving out of this sweet spot in any direction might be woeful.

Also, consider this - many investors who are currently "in BTC" (including people investing in expensive, complicated mining equipment like ASICs) have invested with their risk assessment being based upon an understanding of bitcoin as a "strong pseudonymity, moderate privacy" system.
By radically altering bitcoin's anonymity/privacy profile, one would be voiding those people's assumptions regarding political, legal and regulatory risks and compromising their trust.


========

Disclosure:
I am actually a proponent of "absolutely anonymous" digital transaction mediums as a concept.

I am, however, dubious in regards to whether BTC should strive to become such a medium, given that it already has a notable investment, regulatory, and institutional infrastructure organized around a different set of privacy/anonymity assumptions.


========

Last part, ADHD version:

"Absolute" anonymity may have unforeseen regulatory, social, and financial consequences for "bitcoinomy".

Given that "bitcoinomy" is doing pretty fine with current level of "privacy/anonymity", it might be wise to avoid meddling with this property of Bitcoin.
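The disagreement between Sergio (#4, #8) and passerby (#20) about what the trusted setup party can actually do comes down to one property of the RSA accumulator the paper builds on: whoever knows the factorisation of the modulus can produce a valid membership witness for an element that was never accumulated, i.e. a "coin" that was never minted. The toy below is an added illustration in Python, not code from the Zerocoin paper or its authors; the primes, base and coin values are constructed and far too small for real use (a deployment needs a modulus of thousands of bits whose factorisation nobody knows, which is what the paper's RSA UFO suggestion is about), and `trapdoor_witness` is the check a reviewer would run to confirm the setup risk exists.

```python
# Toy RSA accumulator: parameters are constructed and deliberately tiny.
P, Q = 1009, 1013              # constructed toy primes known to whoever ran setup
N = P * Q                      # public accumulator modulus
PHI = (P - 1) * (Q - 1)        # the trapdoor: known only to the setup party
G = 3                          # public base, coprime to N


def accumulate(elements):
    """Accumulator value A = G^(e1*e2*...*ek) mod N over prime elements."""
    acc = G
    for e in elements:
        acc = pow(acc, e, N)
    return acc


def witness(elements, member):
    """Honest membership witness: G raised to the product of all *other* elements.
    Needs no secret, only the public list of accumulated elements."""
    w = G
    for e in elements:
        if e != member:
            w = pow(w, e, N)
    return w


def verify(acc, member, w):
    """A verifier accepts (member, w) iff w^member == acc (mod N)."""
    return pow(w, member, N) == acc


def trapdoor_witness(acc, member):
    """What the setup party can do: with PHI it takes a member-th root of the
    accumulator, which is a valid witness for an element never accumulated.
    Without PHI this is the strong RSA problem, which is what honest verifiers
    rely on. `member` must be coprime to PHI for the inverse to exist."""
    d = pow(member, -1, PHI)    # inverse of member modulo PHI
    return pow(acc, d, N)


def demo():
    """Returns (honest witness verifies, trapdoor-forged witness verifies)."""
    coins = [5, 13, 17, 19]             # constructed primes standing in for minted coins
    acc = accumulate(coins)
    honest_ok = verify(acc, 13, witness(coins, 13))
    forged_ok = verify(acc, 29, trapdoor_witness(acc, 29))   # 29 was never minted
    return honest_ok, forged_ok


if __name__ == "__main__":
    print(demo())   # (True, True): the trapdoor holder can prove membership of an unminted coin
```

The forged witness passes the same `verify` call an honest one does, so nothing on the verifier's side can detect it; this is why the threads' participants care whether the setup can be done without anyone learning the factorisation rather than merely trusting the setup party to forget it. Note that the code shows forgery only: as passerby says, the trapdoor gives no way to link a spend back to its mint, because that linkage is protected by the zero-knowledge proof, not by the accumulator.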