Bitcoin Forum
Author Topic: Zerocoin: Anonymous Distributed E-Cash from Bitcoin  (Read 37701 times)

Mike Hearn
July 04, 2013, 11:55:53 AM
#101

Rule changes are, by definition, not "backwards compatible". That is the whole point of Bitcoin. You are SUPPOSED to get hard forked off if the rules change and the fact that blocks stop being processed at that point is deliberate.

Yes, if you were to introduce something like ZeroCoin, ordinary users would expect it to be a hard fork. Soft forks are a nasty hack that violates people's expectations of how their nodes will behave in the face of rule changes.

jl2012
July 04, 2013, 05:11:05 PM
#102

Quote from: Mike Hearn
Rule changes are, by definition, not "backwards compatible". That is the whole point of Bitcoin. You are SUPPOSED to get hard forked off if the rules change and the fact that blocks stop being processed at that point is deliberate.

Yes, if you were to introduce something like ZeroCoin, ordinary users would expect it to be a hard fork. Soft forks are a nasty hack that violates people's expectations of how their nodes will behave in the face of rule changes.

Rule changes could be backwards compatible, e.g. allowing homosexual marriage would not make any existing or future heterosexual marriage illegal. The opposite is true for bitcoin: tightening rules would not make existing clients obsolete.

The ability to soft-fork is one of the most visionary designs in bitcoin.

dillpicklechips
July 05, 2013, 04:15:19 AM
#103

I saw this: https://github.com/Zerocoin/libzerocoin

klee
July 05, 2013, 06:39:31 AM
#104

It has begun!

minimalB
July 05, 2013, 08:06:18 AM
#105

Wow! Looks like the Bitcoin community never stops!

This is so cool!

BTW: Where can I donate to support the project?

Mike Hearn
July 05, 2013, 08:29:39 AM
#106

Quote from: jl2012
Rule changes could be backwards compatible, e.g. allowing homosexual marriage would not make any existing or future heterosexual marriage illegal. The opposite is true for bitcoin: tightening rules would not make existing clients obsolete.

The point of a soft fork is that the rules don't tighten - from the perspective of old clients, anyone can spend any zerocoin and you will happily accept blocks that contain bogus spends written by unauthorized users. This reduces your node to SPV level security (you blindly trust whichever chain the majority of mining is done on). Silently downgrading people's security level is not only a nasty hack, it's untrustworthy behaviour, which is why I objected to it for P2SH.

Bitcoin has never been designed to "soft fork". That's something other people came up with later. Everything in Bitcoin's design is intended to trigger hard forks when the protocol changes.

Hard forks are not impossible or the end of the world, they just require co-ordination and communication. It is the right way to do things and I will continue to strongly object to "upgrades" that convert full nodes into SPV nodes.

jl2012
July 05, 2013, 09:22:38 AM
#107

Quote from: Mike Hearn
Quote from: jl2012
Rule changes could be backwards compatible, e.g. allowing homosexual marriage would not make any existing or future heterosexual marriage illegal. The opposite is true for bitcoin: tightening rules would not make existing clients obsolete.

The point of a soft fork is that the rules don't tighten - from the perspective of old clients, anyone can spend any zerocoin and you will happily accept blocks that contain bogus spends written by unauthorized users. This reduces your node to SPV level security (you blindly trust whichever chain the majority of mining is done on). Silently downgrading people's security level is not only a nasty hack, it's untrustworthy behaviour, which is why I objected to it for P2SH.

Bitcoin has never been designed to "soft fork". That's something other people came up with later. Everything in Bitcoin's design is intended to trigger hard forks when the protocol changes.

Hard forks are not impossible or the end of the world, they just require co-ordination and communication. It is the right way to do things and I will continue to strongly object to "upgrades" that convert full nodes into SPV nodes.

No soft-fork is possible without a majority of miners agreeing. If they decide to tighten the rules, all users have no choice but to follow. This is a known feature (or vulnerability) of bitcoin from day one. Sometimes it is called a "soft-fork", while sometimes it is called a "51% attack". Anyway, it's the users' responsibility to keep their client up-to-date to adopt the tightened rules.

If Satoshi had never thought of the possibility of a soft-fork, I couldn't see why he included so many useless OP_NOP codes in the script.

Mike Hearn
July 05, 2013, 10:26:32 AM
#108

No, that's not true at all. The whole point of running a Bitcoin full node is that you do NOT blindly follow any rule changes miners agree on. That's fundamental. If you do blindly follow them then you're using simplified payment verification.

jl2012
July 05, 2013, 11:24:42 AM
#109

Quote from: Mike Hearn
No, that's not true at all. The whole point of running a Bitcoin full node is that you do NOT blindly follow any rule changes miners agree on. That's fundamental. If you do blindly follow them then you're using simplified payment verification.

If the majority of miners decide to restrict block size to 100kbytes, what could non-mining full nodes do? They could either follow, or join a shorter fork with bigger block size (i.e. hardfork). Non-mining nodes don't really have much choice.

adam3us
July 05, 2013, 12:54:57 PM
#110

Anyway, other than the question of whether soft forks make sense or not: what about making an all zerocoin based alt-coin (no bitcoins, nothing but zerocoins), that is either-or mined with bitcoin. Then people can trade in and out of zerocoins by buying or selling them for bitcoin with an atomic transaction, probably p2p without some trusted exchange like mtgox.

By either-or mined (as distinct from merge-mined) I mean that each mined coin set is either a set of 25 bitcoins or a set of 25 zerocoins. If it's a zerocoin set it's not a valid bitcoin set, and if it's a bitcoin set it's not a valid zerocoin set. I'm not sure the zerocoins or bitcoins have to do much with mining events for the other network other than check they have the expected number of bits, as they won't automatically know how to validate the other network. Some miners may choose to validate both networks, but that's a choice for them.

In that way people can experiment with zerocoin, without bloating the block chain, complicating bitcoin, and without slowing validation on the bitcoin network. And the two coins should have approximately the same cost (and maybe therefore value, though the price would be subject to demand/supply and any taint discount for bitcoins; zerocoins are taint free, or perfectly blended taint at least).

Adam

Mike Hearn
July 05, 2013, 01:02:17 PM
#111

Yeah, I agree with Adam, an alt coin with an integrated ZeroCoin would be a very interesting thing to play with. The chain-trade algorithm can be integrated to make trading bitcoins for altcoins easy and decentralised.

jgarzik
July 05, 2013, 02:13:03 PM
#112

Quote from: Mike Hearn
No, that's not true at all. The whole point of running a Bitcoin full node is that you do NOT blindly follow any rule changes miners agree on. That's fundamental. If you do blindly follow them then you're using simplified payment verification.

Quote from: jl2012
If the majority of miners decide to restrict block size to 100kbytes, what could non-mining full nodes do? They could either follow, or join a shorter fork with bigger block size (i.e. hardfork). Non-mining nodes don't really have much choice.

While true, because miners control transaction selection, there are a great many rule changes that miners cannot make, no matter how much hash power they have.

jl2012
July 05, 2013, 02:55:16 PM
#113

Quote from: jgarzik
Quote from: Mike Hearn
No, that's not true at all. The whole point of running a Bitcoin full node is that you do NOT blindly follow any rule changes miners agree on. That's fundamental. If you do blindly follow them then you're using simplified payment verification.

Quote from: jl2012
If the majority of miners decide to restrict block size to 100kbytes, what could non-mining full nodes do? They could either follow, or join a shorter fork with bigger block size (i.e. hardfork). Non-mining nodes don't really have much choice.

While true, because miners control transaction selection, there are a great many rule changes that miners cannot make, no matter how much hash power they have.

Sure, I am talking about rule tightening only. Something like increasing block size must be a hardfork.
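The soft-fork/hard-fork distinction the thread keeps circling (and the "anyone can spend" downgrade Mike Hearn describes) can be made concrete with a toy validator. This is an added illustration, not code from the thread or from Bitcoin Core; the block and rule model is a deliberately simplified assumption.

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class Spend:
    kind: str          # "p2pkh" (known to every node) or "zerocoin" (new script type)
    authorized: bool   # did the spender present a valid signature / accumulator proof?

@dataclass
class Block:
    size: int                                      # bytes
    spends: list[Spend] = field(default_factory=list)

@dataclass
class Rules:
    max_block: int = 1_000_000        # the original 1 MB limit
    validates_zerocoin: bool = False  # does this node understand the new script type?

ORIGINAL = Rules()                    # what a never-upgraded full node enforces

def valid(block: Block, rules: Rules) -> bool:
    """Full-node validation under one rule set. A node that does not know the
    zerocoin script type treats it as anyone-can-spend (the OP_NOP upgrade path),
    so it has no way to notice a bogus spend."""
    if block.size > rules.max_block:
        return False
    for s in block.spends:
        if s.kind == "zerocoin" and not rules.validates_zerocoin:
            continue                  # unknown script: accepted unconditionally
        if not s.authorized:
            return False
    return True

def classify(new: Rules, samples: list[Block]) -> str:
    """Soft fork: everything the new rules accept, old nodes accept too (rules only
    tightened). Hard fork: some block valid under the new rules is rejected by old nodes."""
    for b in samples:
        if valid(b, new) and not valid(b, ORIGINAL):
            return "hard fork"
    return "soft fork"

# Constructed sample blocks covering the cases discussed in the thread.
SAMPLES = [
    Block(size=100_000),                                   # ordinary small block
    Block(size=900_000),                                   # near the old limit
    Block(size=2_000_000),                                 # only valid if the limit is raised
    Block(size=50_000, spends=[Spend("zerocoin", True)]),  # legitimate zerocoin spend
    Block(size=50_000, spends=[Spend("zerocoin", False)]), # bogus spend, no valid proof
]

def zerocoin_soft_fork_downgrade() -> bool:
    """Mike Hearn's objection: an old node accepts a block containing a bogus zerocoin
    spend that an upgraded node rejects, so it is trusting miners, not validating."""
    bogus = SAMPLES[4]
    return valid(bogus, ORIGINAL) and not valid(bogus, Rules(validates_zerocoin=True))

if __name__ == "__main__":
    print("100 KB limit:", classify(Rules(max_block=100_000), SAMPLES))      # soft fork
    print("2 MB limit:  ", classify(Rules(max_block=2_000_000), SAMPLES))    # hard fork
    print("zerocoin:    ", classify(Rules(validates_zerocoin=True), SAMPLES)) # soft fork
    print("old node accepts bogus zerocoin spend:", zerocoin_soft_fork_downgrade())
```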

d'aniel
July 05, 2013, 07:20:24 PM
#114

Quote from: adam3us
Anyway, other than the question of whether soft forks make sense or not: what about making an all zerocoin based alt-coin (no bitcoins, nothing but zerocoins), that is either-or mined with bitcoin. Then people can trade in and out of zerocoins by buying or selling them for bitcoin with an atomic transaction, probably p2p without some trusted exchange like mtgox.

By either-or mined (as distinct from merge-mined) I mean that each mined coin set is either a set of 25 bitcoins or a set of 25 zerocoins. If it's a zerocoin set it's not a valid bitcoin set, and if it's a bitcoin set it's not a valid zerocoin set. I'm not sure the zerocoins or bitcoins have to do much with mining events for the other network other than check they have the expected number of bits, as they won't automatically know how to validate the other network. Some miners may choose to validate both networks, but that's a choice for them.

In that way people can experiment with zerocoin, without bloating the block chain, complicating bitcoin, and without slowing validation on the bitcoin network. And the two coins should have approximately the same cost (and maybe therefore value, though the price would be subject to demand/supply and any taint discount for bitcoins; zerocoins are taint free, or perfectly blended taint at least).

Adam


I posted a zerocoin based alt-coin strategy as well if you're interested:

The Zerocoin people are going to release a library in a couple days that any Bitcoin protocol-based currency can implement.  The problem with Bitcoin implementing it directly is that it's very cumbersome - transactions are large and verifying them is CPU intensive.  The result would be that Bitcoin would have a much harder time staying decentralized while it scales up.  However, alt-coins will undoubtedly implement it, and compete with Bitcoin for market share.  In anticipation of this, I'd like to describe a way that a Zerocoin alt-chain could be implemented that would reinforce Bitcoin, rather than destabilize it, as well as the incentives that the existence of Zerocoin alt-chains creates for Bitcoin miners.

Symbiotic Zerocoin alt-chain:

Zerocoin could be implemented on an alt-chain that's merge-mined on the Bitcoin blockchain, where new currency units are allowed to be created (perhaps at a limited rate) by anyone who has provably destroyed an equivalent number of bitcoins (using OP_RETURN), and mining the Zerocoin chain is incentivized by transaction fees and the value that a strong symbiotic Zerocoin chain would add to Bitcoin.  The market would determine the amount of bitcoins that move over to the Zerocoin chain; if the value of a zerocoin rises much beyond that of a bitcoin, then people would tend to turn bitcoins into zerocoins and profit off of the difference.

By functioning symbiotically, the bitcoin unit of account would be reinforced instead of destabilized - the Zerocoin chain would act like "a rising tide that lifts all boats" instead of only its own at the expense of bitcoiners'.  Zerocoin mining revenues would go toward strengthening the combined mining network.  Users wouldn't have to speculate on how many of their bitcoins they need to trade for zerocoins, and at what price, in order to retain their purchasing power.  If Zerocoin turns out to have seriously damaging bugs or scalability issues, then conservative users that keep their long-term value parked on the Bitcoin chain won't have to worry about going down with the ship.  This would also set a nice precedent that new coins can be adopted without threatening the stability of their predecessors.

Incentives faced by Bitcoin miners:

If the demand for a Zerocoin chain is large, then Bitcoin miners collectively have an equally large incentive to provide one in order to avoid losing market share, and they are in a position to provide by far the most secure one.  They could mine an alt-chain that competes with Bitcoin, but I hope they see that the correct collective strategy (https://en.wikipedia.org/wiki/Nash_equilibrium) is to mine a symbiotic one like I described above, and only that one.  By mining a competing one, a miner might earn more immediate inflation revenues (though profitability will in any case be driven down to a minimum in the long run due to stiff mining competition), but they would do so by reducing the utility of Bitcoin as a store of value, and thus cryptocurrencies in general: if the flagship one can't preserve this functionality in the face of new innovations, then people will recognize that likely none of them will be able to.  In turn they would detract from the future value of their own hardware.

To get a sense of the incentive of a miner to preserve the store of value function, consider that a single person storing $100,000 in value for a year contributes to the overall valuation of the currency during that time as much as a thousand people that casually use it for transactions and only keep on average $100 stored in it at any given time.  It thus strikes me as potentially important enough of an issue in some cases for miners to actively discourage the merged-mining of alt-chains that detract from Bitcoin's store of value functionality, by refusing to build on blocks that do this, and by merged-mining symbiotic alternatives.

marcus_of_augustus
July 05, 2013, 11:12:46 PM
#115

Quote from: adam3us
Anyway, other than the question of whether soft forks make sense or not: what about making an all zerocoin based alt-coin (no bitcoins, nothing but zerocoins), that is either-or mined with bitcoin. Then people can trade in and out of zerocoins by buying or selling them for bitcoin with an atomic transaction, probably p2p without some trusted exchange like mtgox.

By either-or mined (as distinct from merge-mined) I mean that each mined coin set is either a set of 25 bitcoins or a set of 25 zerocoins. If it's a zerocoin set it's not a valid bitcoin set, and if it's a bitcoin set it's not a valid zerocoin set. I'm not sure the zerocoins or bitcoins have to do much with mining events for the other network other than check they have the expected number of bits, as they won't automatically know how to validate the other network. Some miners may choose to validate both networks, but that's a choice for them.

In that way people can experiment with zerocoin, without bloating the block chain, complicating bitcoin, and without slowing validation on the bitcoin network. And the two coins should have approximately the same cost (and maybe therefore value, though the price would be subject to demand/supply and any taint discount for bitcoins; zerocoins are taint free, or perfectly blended taint at least).

Adam


+1


Hal
July 07, 2013, 11:01:32 PM
#116

I really like Adam's very creative idea earlier in this thread to have a pure-zerocoin system:

https://bitcointalk.org/index.php?topic=175156.msg2420768#msg2420768

The zerocoin paper proposed a hybrid bitcoin-zerocoin system. Bitcoins would be temporarily exchanged for zerocoins, and then exchanged back. Adam's idea was that zerocoins would be exchanged directly for zerocoins. Zerocoins could be mined directly, too. All this is a simple modification of the zerocoin protocol. In fact, it would be simpler in terms of code size, because you wouldn't have to support bitcoin transactions. No scripting language, no bitcoin validation rules. Just pure zerocoin spend transactions.

This would also free us from the forced assumption of bitcoin-zerocoin parity. The heavy resource requirements of zerocoin might naturally break that parity. (Admittedly, zerocoin would first be implemented as an extension to an alt, so the value in terms of bitcoins would float. But the simplification is still a win.)

There are various proposals to do P2P exchanges between altcoin chains. I don't know what the status is as far as Bitcoin support in the bitcoin-qt client. You'd have to have a new client to do the P2P protocol. But even if we had to rely on an exchange, it would be an interesting experiment.

The last problem for a zerocoin implementation is the generation of an RSA modulus for which no one knows the factorization. This is hard, and deserves more analysis.

Hal Finney

phelix
July 15, 2013, 02:56:33 PM
#117

You are welcome to vote for Zerocoin as Bitcoin Project of the Quarter:
https://bitcointalk.org/index.php?topic=251087.0

drawingthesun
July 16, 2013, 07:32:18 PM
#118

Quote from: Hal
The last problem for a zerocoin implementation is the generation of an RSA modulus for which no one knows the factorization. This is hard, and deserves more analysis.

If someone finds out the factorization, what are the implications? All the anonymous transactions become public?

Peter Todd
July 16, 2013, 07:48:02 PM
#119

Quote from: drawingthesun
Quote from: Hal
The last problem for a zerocoin implementation is the generation of an RSA modulus for which no one knows the factorization. This is hard, and deserves more analysis.

If someone finds out the factorization, what are the implications? All the anonymous transactions become public?

No, but they can use the key to create fake zerocoins (basically they can fake the proof that they added a zerocoin to the accumulator).
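
Why the factorization is a trapdoor, shown on a toy RSA accumulator: membership witnesses are x-th roots of the accumulator value, and whoever knows phi(N) can take such a root for a serial that was never accumulated. This is an added illustration with constructed, tiny parameters, not libzerocoin's code; the real scheme uses a large modulus and additional zero-knowledge machinery not modelled here.

```python
from math import gcd, prod

# Constructed toy parameters. A real deployment uses a modulus of thousands of bits
# whose factors the setup party must genuinely discard.
P, Q = 104729, 1299709           # the two factors nobody is supposed to know
N = P * Q
PHI = (P - 1) * (Q - 1)          # the trapdoor: computable only from P and Q
G = 65537                        # public base, coprime to N

def accumulate(serials):
    """Accumulator value A = G^(product of all accumulated serials) mod N.
    Serials are odd primes coprime to PHI (checked here for the toy parameters)."""
    assert all(gcd(s, PHI) == 1 for s in serials), "serial shares a factor with phi(N)"
    return pow(G, prod(serials), N)

def witness(serials, x):
    """Honest membership witness for x: G raised to the product of the other serials."""
    rest = [s for s in serials if s != x]
    return pow(G, prod(rest), N)

def verify(acc, w, x):
    """What a verifier checks: w^x == A mod N. Needs only N, never its factors."""
    return pow(w, x, N) == acc

def forge_witness(acc, x):
    """With the trapdoor PHI, compute an x-th root of A directly: a 'witness' for a
    serial x that was never added to the accumulator. This is what Peter Todd means
    by faking the proof of having added a zerocoin."""
    return pow(acc, pow(x, -1, PHI), N)

def demo():
    minted = [1009, 1013, 1019]              # constructed coin serials (primes)
    acc = accumulate(minted)
    honest = verify(acc, witness(minted, 1009), 1009)           # True
    wrong_serial = verify(acc, witness(minted, 1009), 1013)     # False
    never_minted = 1021
    forged = verify(acc, forge_witness(acc, never_minted), never_minted)  # True
    return {"honest": honest, "wrong_serial": wrong_serial, "forged": forged}

if __name__ == "__main__":
    print(demo())
```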


tjohej
August 05, 2013, 10:28:50 AM
#120

Quote
But it feels to me like finding an essentially zero-cost way to increase transaction privacy that everybody uses by default is the best answer.
Maybe it could be implemented on the Bitcoin testnet at some point? (with the risk of breaking it as well)

Though as you said, finding a zero-cost solution will not be Zerocoin and Zerocoin as I see it may demand 10 times the resources of the current running implementation of Bitcoin.

What do you others think? Should Zerocoin be implemented in Bitcoin or should it be tried first on a new or existing cryptocurrency? There's a libzerocoin at github. The most recent commit was at 2013-07-12 02:04 titled
Quote
Merge pull request #4 from jhasse/mingw

Rename uint to uint32_t

There may still be hope for the 1st decentralized cryptocurrency which is Bitcoin. How to approach different subjects is key to progress.