Bitcoin Forum
Author Topic: Zerocoin: Anonymous Distributed E-Cash from Bitcoin  (Read 37701 times)
caveden
November 17, 2013, 05:43:09 PM
 #141

well rather than the get rich quick (...) Now that's not as strong an incentive as make-money-fast pyramid speculation on frankly long-term hopeless me-too alts

Please don't replicate the same silly attacks people tend to use to discredit Bitcoin. The financial incentive behind the technology is what brings lots of the manpower, business and infrastructure it has today. Not to acknowledge that is to be willingly blind.

Quote
If there was a technical way to ensure people can get their beta coins converted back into stable coins at the same rate (i.e., pegging), then things could be different. But I don't see how could that be possible.

technically it could be done, (bitcoin could accept coin moving in the other direction) however it imports risk into bitcoin main as a security defect in betacoin that allowed theft or forgery of coins, could then be transferred into bitcoin.

If the defect was only on the betacoin, then the damages would be restrained to those who willingly converted stable coins into beta coins. That's not an issue to me. When you do so, you accept the risks.

Hey, this very feature (allowing the redemption of arbitrary betaCoins built on top of it) could actually be among the first betaCoins. ;) If it works well, it will set up a great platform for experimentation!

Quote
Is there an easier explanation somewhere, that could help technical people without a background in cryptography research to grasp the concept?

see earlier in this thread:

https://bitcointalk.org/index.php?topic=175156.msg2378622#msg2378622

and another few posts after it where I tried to explain it a bit.

Thank you. I've just watched this video following a recommendation of jron, and what I could get from it was the following:

Quote
So, let me see if I got the idea: it's possible to accumulate random numbers in such a way that:
  • Prevents observers from knowing which individual numbers were accumulated.
  • Allows the one who knows one particular number to prove he knows it without having to reveal the number itself. Or if you do have to reveal it, it's still impossible to know which particular addition to the accumulator had put that number there, thus creating no link between the addition and the revealing of the number.
Is that a reasonable and sound simplification of the magic behind Zerocoin?

Am I getting closer?
Your explanations kind of hinted me in that direction too.

Thank you!
justusranvier
November 17, 2013, 05:51:11 PM
Last edit: November 17, 2013, 06:26:39 PM by justusranvier
 #142

I think so, Matthew Green mentioned that he was planning to implement Zerocoin into its own cryptocurrency. This seems like a reasonable idea to me, it lets us test Zerocoin, and if it works well, we can merge it into Bitcoin (without the risk of damaging Bitcoin if something goes wrong).
That's a great idea from a purely technical perspective.

Realize that when money is at stake other factors will come into play.

Zerocoin is a highly desired feature. As soon as they release this coin, it's going to attract investment and its exchange rate will rise quickly. People are going to put a considerable amount of money into Zerocoin.

When Bitcoin implements these features, it will threaten the value of their investment. Do you think they are going to let that happen calmly? They will do everything they can to obstruct the change. They'll come over here and spread FUD, start arguments, and in general make life difficult for any developer seeking to push the change.

This happens already - If you go back to the beginning of this year and read through flamewars regarding scalability and the blocksize and pay attention to the people most fervently opposed to large transaction rates, with the most ridiculous and economically absurd arguments, and then check their posting history you'll find that in almost all cases they were heavily involved with altcoins.
jgarzik
November 17, 2013, 06:43:23 PM
 #143

It sounds like ZeroCoin v2 eliminates one major criticism, that of bloat.

But engineering hurdles remain:
  • 1. Requires a hard fork
  • 2. Any requirement that all transactions participate in mixing is a non-starter.  Some payment schemes bootstrap trust by intentionally being non-private, showing their bitcoin holdings and bitcoin payments with provable digital signatures.

Any forced 100% privacy scheme that prevented opt-in auditing would make life difficult for some existing users, who place value in the transparency of the system.

I would rather see automatic mixing and privacy built into every client.



Jeff Garzik, Bloq CEO, former bitcoin core dev team; opinions are my own.
Visit bloq.com / metronome.io
Donations / tip jar: 1BrufViLKnSWtuWGkryPsKsxonV2NQ7Tcj
Peter Todd
November 17, 2013, 07:20:53 PM
 #144

It sounds like ZeroCoin v2 eliminates one major criticism, that of bloat.

But engineering hurdles remain:
  • 1. Requires a hard fork
  • 2. Any requirement that all transactions participate in mixing is a non-starter.  Some payment schemes bootstrap trust by intentionally being non-private, showing their bitcoin holdings and bitcoin payments with provable digital signatures.

Any forced 100% privacy scheme that prevented opt-in auditing would make life difficult for some existing users, who place value in the transparency of the system.

I've probably thought about this issue more than almost anyone with my work on fidelity bonded banking, and even ZeroCoin can be made fully transparent if you choose to. The key thing is that a: zerocoin has a public list of all spent coins, which lets you know when a coin was spent, and b: it's still possible to prove you were the one that spent a coin. Auditing in that scenario comes down to you publishing proofs of what coins you have spent in a provable public manner, and transparency is achieved by the fact that in a well-designed system you can't get away with lying about your transactions. You can fail to publish your accounting logs, an act that is of course very suspicious, but that's actually no different from the scenario with pervasive coin mixing: either way where the money went is unknown.

When it comes to receiving money, no amount of auditing can prevent you from taking money in behind the scenes, but there is no way to do that and also hide the fact that you are doing that from your sender. In this case the solution is actually identical to the non-zerocoin solution: publish in advance what addresses you accept payment on, and anyone can scan the blockchain for payments to those addresses.

I would rather see automatic mixing and privacy built into every client.

Agree from an engineering point of view; ZeroCoin's requirement for a hard-fork and many lines of new code using complex crypto is a risk Bitcoin shouldn't take. Coin mixing done well has very close to as good privacy, and can be easily fixed if it doesn't work.

adam3us
November 17, 2013, 10:06:33 PM
 #145

It sounds like ZeroCoin v2 eliminates one major criticism, that of bloat.

I guess we have to see it first.  I hope they are going to publish the crypto before the alt, presumably because the zerocoin v1 paper came out long before the library.

Quote
But engineering hurdles remain:
  • 1. Requires a hard fork
  • 2. Any requirement that all transactions participate in mixing is a non-starter.  Some payment schemes bootstrap trust by intentionally being non-private, showing their bitcoin holdings and bitcoin payments with provable digital signatures.

Any forced 100% privacy scheme that prevented opt-in auditing would make life difficult for some existing users, who place value in the transparency of the system.

I think fungibility guarantee via coin anonymity is the right thing to do, as the strongest form of fungibility is cryptographically enforced fungibility.   

But I think user privacy is orthogonal to coin fungibility.  I can prove my identity while sending an anonymous fungible coin or not as I choose, if the coin is cryptographically fungible I have a choice.  As is with bitcoin I have limited choice because the coin leaks linkages.

Usually if you have anonymity as a building block users can opt to disclose and prove because the anonymity will also have keys and the user can publish their keys.  So I think it likely that opt-in public association of an identity with specific coins, or maybe with unlinkable but validatable amount of coins would be technically available, and I can see it's a useful feature, so should be made an option for users.  (Eg to prove they have the bitcoins they claim to be holding for users, or disclose the amount of donations received).

About privacy in my view bitcoin is a bit too open which I think is not so much by design, but because it's difficult to have privacy and the auditability SPV operation needs, because miners need to validate, and to validate they need to see amounts and transfer histories.   (Hence the interest in zerocoin and zerocoin2.)  Without needing to support SPV clients one could do committed-tx and it would be a step forward.

I think ideally transacting parties should be able to choose the level of privacy from each other and from the public.  eg pseudonymous to each other but private to the public.  Or identified seller (because it's a regulated business) and identified business (because the user needs to validate the reputation of the seller), but private from the public.  In event of need to reveal more detail to selected other parties, or to the public to prove good faith, they should also be able to do that eg by publishing some keys.

In this way policing can be done by asking for information from transacting parties.  And demonstrating openness (eg for donations, charities, public companies) can be done by publishing keys.  And financial auditing can be done by a charity or company giving their accountant or auditor keys to view their transactions (but not necessarily the sender identity).

There are also privacy preserving forms of auditing.  Eg homomorphic values can still allow auditing that values add up by anyone and yet hide amounts and/or payer pseudonym is unknown (close to single use addresses but slightly stronger privacy).

So I think if we can get a cryptographic private, efficient, distributed coin with conservative security for the coin anonymity/fungibility layer then we are golden.  We can engineer/architect the selective disclosure, selective identity and different privacy concepts to dovetail with transacting party wishes.  I would say bitcoin should not make any global rule about maximum allowed privacy, because rules are different in different countries.  Rather payments should be private between the transacting parties, and it is up to the transacting parties to keep records and answer requests for information disclosure, and to provide identity to regulated businesses in their respective jurisdictions.

But it's hard to get the efficient, distributed and private ecash, that's so far proving to be another triangle thing like pick 2: efficient, distributed, private.

So let's have a look at what we have:

- bitcoin (efficient, distributed, but taintable privacy)
- chaum or brands ecash are (efficient, cryptographic privacy, but centralized)
- coinjoin (efficient, distributed, smudged taint privacy)
- opentransactions (efficient, cryptographic private, limited redundancy)
- committed-tx (efficient, private except parties see payment history, decentralized but no SPV)
- zerocoin v1 (private, decentralized, but inefficient)
- holygrail (efficient, distributed, cryptographic privacy)

we have to see how zerocoin v2 stacks up.  Another risk point can be bleeding edge crypto that hasn't seen 10yrs of review.  Things with security proofs have been broken before.  Hardness assumptions for new things sometimes erode or slip.

Adam

hashcash, committed transactions, homomorphic values, blind kdf; researching decentralization, scalability and fungibility/anonymity
adam3us
November 17, 2013, 10:30:07 PM
Last edit: November 18, 2013, 10:51:47 AM by adam3us
 #146

So, let me see if I got the idea: it's possible to accumulate random numbers in such a way that:
  • Prevents observers from knowing which individual numbers were accumulated.
  • Allows the one who knows one particular number to prove he knows it without having to reveal the number itself. Or if you do have to reveal it, it's still impossible to know which particular addition to the accumulator had put that number there, thus creating no link between the addition and the revealing of the number.
Is that a reasonable and sound simplification of the magic behind Zerocoin?

Am I getting closer?

Yes that's pretty much it.  Technically the coin is c=g^s*h^r and c is seen by everyone when it is added to the accumulator (though s and r are not seen by anyone).  But when it is spent, s, the coin serial number, becomes disclosed and is stored in the double spend db (c is hidden because of the ZKP and r is still not revealed).

Adam

hashcash, committed transactions, homomorphic values, blind kdf; researching decentralization, scalability and fungibility/anonymity
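
The mint/spend flow described in the post above, as an added Python example that is not code from the thread or from the Zerocoin authors: a plain list of coins and a one-of-many Schnorr OR-proof stand in for the accumulator and its zero-knowledge proof, so the proof here grows with the number of coins. The demo-sized group, the generators g = 4 and h = 9, and all function names are assumptions made for the illustration.

```python
import hashlib
import secrets

def _is_prime(n):
    """Deterministic Miller-Rabin; these 12 bases are exact for n < 2**64."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def _safe_prime(q):
    """First p = 2q + 1 with p and q both prime, searching upward from q."""
    q |= 1
    while not (_is_prime(q) and _is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q

# Demo-sized group (assumption): far too small for real use. g and h are squares,
# so both generate the order-q subgroup; a real h must have an unknown log base g.
P, Q = _safe_prime(1 << 61)
G, H = 4, 9

def inv(x):
    return pow(x, P - 2, P)

def mint():
    """Coin c = g^s * h^r is published; serial s and blinding r stay private."""
    s, r = secrets.randbelow(Q), secrets.randbelow(Q)
    return pow(G, s, P) * pow(H, r, P) % P, (s, r)

def _challenge(s, coins, ts):
    digest = hashlib.sha256(repr((s, coins, ts)).encode()).digest()
    return int.from_bytes(digest, "big") % Q

def _strip_serial(coins, s):
    """y_i = c_i / g^s, which equals h^r only for the coin that commits to s."""
    g_s_inv = inv(pow(G, s, P))
    return [c * g_s_inv % P for c in coins]

def spend(coins, j, secret):
    """Reveal s and prove some y_i is h^r for a known r, without revealing i or r."""
    s, r = secret
    ys = _strip_serial(coins, s)
    es = [secrets.randbelow(Q) for _ in coins]   # simulated challenges
    zs = [secrets.randbelow(Q) for _ in coins]   # simulated responses
    ts = [pow(H, z, P) * inv(pow(y, e, P)) % P for y, e, z in zip(ys, es, zs)]
    k = secrets.randbelow(Q)
    ts[j] = pow(H, k, P)                         # the one real commitment
    es[j] = (_challenge(s, coins, ts) - sum(es[:j] + es[j + 1:])) % Q
    zs[j] = (k + es[j] * r) % Q
    return s, es, zs

def verify(coins, spent, s, es, zs):
    """Accept once per serial: check the double-spend set, then the OR-proof."""
    if s in spent or not (len(es) == len(zs) == len(coins)):
        return False
    ys = _strip_serial(coins, s)
    ts = [pow(H, z, P) * inv(pow(y, e, P)) % P for y, e, z in zip(ys, es, zs)]
    if sum(es) % Q != _challenge(s, coins, ts):
        return False
    spent.add(s)
    return True
```
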
adam3us
November 18, 2013, 12:38:15 AM
 #147

I would rather see automatic mixing and privacy built into every client.

You know that is a good idea, practical, can be done now, no experimental crypto risk.  Greatly reduces fungibility risks and might buy a few years.  Let's do it!

Zerocoin or equivalent can catch up when it does.

Adam

hashcash, committed transactions, homomorphic values, blind kdf; researching decentralization, scalability and fungibility/anonymity
Gyrsur
November 24, 2013, 07:12:21 PM
 #148

plugged in with listen mode.

Spekulatius
November 25, 2013, 05:46:05 AM
 #149

https://twitter.com/matthew_d_green/status/401798811070107648

Quote
We designed a new version of Zerocoin that reduces proof sizes by 98% and allows for direct anonymous payments that hide payment amount.

Is a 98% reduction in proof size enough to overcome any existing valid reasons to not merge ZeroCoin functionality?

I think so, Matthew Green mentioned that he was planning to implement Zerocoin into its own cryptocurrency. This seems like a reasonable idea to me, it lets us test Zerocoin, and if it works well, we can merge it into Bitcoin (without the risk of damaging Bitcoin if something goes wrong).

btw see also "bitcoin staging" aka betaCoin. 

http://www.mail-archive.com/bitcoin-development@lists.sourceforge.net/msg02944.html

It's a way to one-way peg an alt-coin to bitcoin, so there is no native mining, the way you create coins in the alt-coin is by moving bitcoins into it.  And the way to trade them back to bitcoin is to swap them with someone who would otherwise move one.  If a security problem develops in the betaCoin, people stop swapping betaCoin at par for bitcoin, or market freezes until the issue is fixed.  This is the minimum necessary feature to firewall bitcoin from betaCoin security issues while allowing bitcoins to move between betacoin and bitcoin in the normal case.

This is how I would go about doing an alt (otherwise the usual me-too coin is contingent on the hope of getting in early, or early mining and selling to next stage speculators before the pyramid collapses when it becomes obvious it has no chance of competing with bitcoin for acceptance.  As these coins have no acceptance, they have no transactional value, their own value is speculative, which I think must implode at some point.)  Also even in the hypothetical that a given coin did overtake bitcoin it could be a dangerous outcome as then what happens to the value of bitcoins?  Such an untidy unravelling of bitcoin value would hurt the overall concept of digital scarcity.  Say it was litecoin.  Then if litecoin got to like 90% to bitcoin's 10% BTC/LTC exchange would fall.  But then people will be looking nervously at the next runner up, and hedging in the main runner ups.  This is a net disservice to digital scarcity.  Digital scarcity is a new virtual asset class, and I think is the future of money and financial networks.  So we don't want to weaken the concept with me-too alts, even relatively well thought out ones because they define a new digital scarcity race.  I think there should only be one credible digital scarcity race or we may have a problem.  Digital scarcity becomes digital tulip, then who wants to invest in the next one.

betaCoin is also a way to do an alt that preserves the 21 million coin cap.  Fees would be paid in betacoins (or bitcoins).  Miners would mine both networks for profit maximization reasons.

Adam


The answer to what happens if 0-Coin takes off as an independent altchain is quite simple. People will invest their money in it, in order to profit from the appreciation against Bitcoin. Would that lead to a collapse of Bitcoin's value? I don't think it would in the short-medium term as like you have rightly stated many risks are associated with a new protocol such as Zerocoin. Some more risk prone investors will put some percentage of their holdings into this new currency, while others will stick with their proven and so far secure Bitcoin investments. As the risks over time fade away and Zerocoin's advantages outweigh its risks over the Bitcoin alternative we could see Zerocoin emerging as the more valuable and/or more used alternative of the two. In any way it will be a gradual process where the market balances the value transfer, processing all available information to agree on a price.

Concerning "digital scarcity": If I understand your concept of digital scarcity in this context correctly, you are afraid that the value of all finite Bitcoins+Namecoins+Litecoins+etc. will be eroded away by every new altcoin that springs up. Well, I can't see how this is not already happening and how an independent Zerocoin altchain would change that development. I think I can console your mind because not every new altchain with its added monetary base has the same effect. When a new run-of-the-mill alt chain comes around people are reluctant to convert their assets into that coin, thus keeping the newest addition to that perceived "digital scarcity" almost meaningless. The best example is Ripple with their 100 Billion XRP premined was added to that pool of digital currency units that make up the total supply of the digital scarcity. Did the advent of Ripple devalue all Bitcoins in existence instantly?

TLDR:

I think one should not worry about a sudden devaluation of Bitcoin because a new competitor comes around the corner. This market mechanic of investing your money into promising projects can be a valuable incentive for development of innovation and improvement of new ideas in the crypto zoo. And like someone else said: If you are afraid of devaluation of your Bitcoin stash, just put some into the new alt and you are good :)
Spekulatius
November 25, 2013, 05:50:46 AM
 #150

Is there any info out yet regarding the initial distribution of Zerocoins? Will they be mined or created from destroyed Bitcoins or else?

Are there any plans to keep the new chain exclusively experimental, like a Testnet or are they intended to be full on usable from the beginning?

Will the new altchain be as decentralized as Bitcoin or semi-or completely centralized?
AtlasONo
January 19, 2014, 04:47:08 PM
 #151

I would not be surprised if it was released as a testnet.
bpd
January 19, 2014, 06:50:29 PM
 #152

The betaCoin model is interesting, but I'd just make one important remark though: in this model, there's no financial incentive for people to migrate from bitcoin stable to bitcoin beta, since stable coins will always be more valuable than beta coins. This means that, from a monetary point of view, this beta risks being just a testnet++. Not many people will transfer their coins into it (it is not a reasonable investment strategy), and without much aggregated value, would it really have enough manpower behind it? If Gavin and Garzik are being fully employed to work on Bitcoin right now, it's precisely because bitcoins are valuable to lots of people. If there was a technical way to ensure people can get their beta coins converted back into stable coins at the same rate (i.e., pegging), then things could be different. But I don't see how could that be possible.

Thanks

I think the thing to do would be to define an exponentially declining incentive for early adoption into the inflation schedule. For instance, first 100k coins moved each get 1 bonus betacoin. Next 100k get 0.5 bonus, etc. Similar to how bitcoin halving works, except it's coin-based, not time-based. But ideally, you'd do it in a continuous way, rather than have steep halvings. Something like N(c) = 1 + exp(-c * ln(2) / 100000), where N(c) is the number of betacoins that the c'th bitcoin destroyed results in.
superresistant
February 24, 2014, 08:56:34 AM
 #153

The betaCoin model is interesting, but I'd just make one important remark though: in this model, there's no financial incentive for people to migrate from bitcoin stable to bitcoin beta, since stable coins will always be more valuable than beta coins. This means that, from a monetary point of view, this beta risks being just a testnet++. Not many people will transfer their coins into it (it is not a reasonable investment strategy), and without much aggregated value, would it really have enough manpower behind it? If Gavin and Garzik are being fully employed to work on Bitcoin right now, it's precisely because bitcoins are valuable to lots of people. If there was a technical way to ensure people can get their beta coins converted back into stable coins at the same rate (i.e., pegging), then things could be different. But I don't see how could that be possible.
Thanks
I think the thing to do would be to define an exponentially declining incentive for early adoption into the inflation schedule. For instance, first 100k coins moved each get 1 bonus betacoin. Next 100k get 0.5 bonus, etc. Similar to how bitcoin halving works, except it's coin-based, not time-based. But ideally, you'd do it in a continuous way, rather than have steep halvings. Something like N(c) = 1 + exp(-c * ln(2) / 100000), where N(c) is the number of betacoins that the c'th bitcoin destroyed results in.

XCP did this: during the burn period, the later you burned, the less XCP you received per BTC.
coins101
February 24, 2014, 01:32:37 PM
 #154

Zerocoin will challenge Litecoin if it has fast confirmations.
Explodicle
February 25, 2014, 03:54:39 PM
 #155

Zerocoin will challenge Litecoin if it has fast confirmations.

Are there any actual examples of double-spends happening to someone who accepts 0-confirmation transactions in the wild? I've always attributed Litecoin's success to being the first Scrypt coin with a fair launch, consistent rules, and good community support.
nonlinearboy
March 16, 2014, 03:10:47 AM
 #156

what's going on about zerocoin?
garcias
March 16, 2014, 11:42:40 PM
 #157

what's going on about zerocoin?

I think still under development
good news coming probably
If you want innovation just see: Emunie (forum.emunie.com and for beta test the EMU go to beta.emunie.com) and Ethereum :D

Support DigiByte Smiley
DGB:DLLC7PPEZ7zxnB1RJd9hsvwr1HdJxFfGcb

this is a scam:
69.5 BTC

iddo
March 26, 2014, 12:57:46 PM
 #158

FYI there's a newer ZeroCash talk by Eli Ben-Sasson at:
https://www.youtube.com/watch?v=l7LSSE0bRRo
Note: I personally neither approve nor disapprove of anything said there.
softtissue
March 27, 2014, 07:19:45 AM
 #159

what's going on about zerocoin?

I think still under development
good news coming probably
If you want innovation just see: Emunie (forum.emunie.com and for beta test the EMU go to beta.emunie.com) and Ethereum :D


The Ethereum forum has a huge head start and the people there seem to have high engagement.
benjyz
April 03, 2014, 08:32:19 PM
 #160

from what I've read, the things that come out of traditional academia on the topic of bitcoin are absolutely worthless. there is something inherently wrong with this kind of reasoning, which seems to be obsessed with adding complexity to systems, instead of designing robust and simple systems. while studying the underlying concepts might be interesting, I'm pretty sure the effort is much better spent elsewhere. after all, code of trust protocols has to be audited, and if only 5 people understand the math, nobody is going to accept it.