Bitcoin Forum
Author Topic: Adapting to the release of Zerocoin  (Read 7057 times)
d'aniel (OP)
July 03, 2013, 04:13:39 AM
 #1

The Zerocoin people are going to release a library in a couple days that any Bitcoin protocol-based currency can implement.  The problem with Bitcoin implementing it directly is that it's very cumbersome - transactions are large and verifying them is CPU intensive.  The result would be that Bitcoin would have a much harder time staying decentralized while it scales up.  However, alt-coins will undoubtedly implement it, and compete with Bitcoin for market share.  In anticipation of this, I'd like to describe a way that a Zerocoin alt-chain could be implemented that would reinforce Bitcoin, rather than destabilize it, as well as the incentives that the existence of Zerocoin alt-chains creates for Bitcoin miners.

Symbiotic Zerocoin alt-chain:

Zerocoin could be implemented on an alt-chain that's merge-mined on the Bitcoin blockchain, where new currency units are allowed to be created (perhaps at a limited rate) by anyone who has provably destroyed an equivalent number of bitcoins (using OP_RETURN), and mining the Zerocoin chain is incentivized by transaction fees and the value that a strong symbiotic Zerocoin chain would add to Bitcoin.  The market would determine the amount of bitcoins that move over to the Zerocoin chain; if the value of a zerocoin rises much beyond that of a bitcoin, then people would tend to turn bitcoins into zerocoins and profit off of the difference.

By functioning symbiotically, the bitcoin unit of account would be reinforced instead of destabilized - the Zerocoin chain would act like "a rising tide that lifts all boats" instead of only its own at the expense of bitcoiners'.  Zerocoin mining revenues would go toward strengthening the combined mining network.  Users wouldn't have to speculate on how many of their bitcoins they need to trade for zerocoins, and at what price, in order to retain their purchasing power.  If Zerocoin turns out to have seriously damaging bugs or scalability issues, then conservative users that keep their long-term value parked on the Bitcoin chain won't have to worry about going down with the ship.  This would also set a nice precedent that new coins can be adopted without threatening the stability of their predecessors.

Incentives faced by Bitcoin miners:

If the demand for a Zerocoin chain is large, then Bitcoin miners collectively have an equally large incentive to provide one in order to avoid losing market share, and they are in a position to provide by far the most secure one.  They could mine an alt-chain that competes with Bitcoin, but I hope they see that the correct collective strategy (https://en.wikipedia.org/wiki/Nash_equilibrium) is to mine a symbiotic one like I described above, and only that one.  By mining a competing one, a miner might earn more immediate inflation revenues (though profitability will in any case be driven down to a minimum in the long run due to stiff mining competition), but they would do so by reducing the utility of Bitcoin as a store of value, and thus cryptocurrencies in general: if the flagship one can't preserve this functionality in the face of new innovations, then people will recognize that likely none of them will be able to.  In turn they would detract from the future value of their own hardware.

To get a sense of the incentive of a miner to preserve the store of value function, consider that a single person storing $100,000 in value for a year contributes to the overall valuation of the currency during that time as much as a thousand people that casually use it for transactions and only keep on average $100 stored in it at any given time.  It thus strikes me as potentially important enough of an issue in some cases for miners to actively discourage the merged-mining of alt-chains that detract from Bitcoin's store of value functionality, by refusing to build on blocks that do this, and by merged-mining symbiotic alternatives.
d'aniel (OP)
July 03, 2013, 04:55:07 AM
Last edit: July 03, 2013, 06:07:09 AM by d'aniel
 #2

As a side note: this idea could also be used for a symbiotic alt-chain with large blocks next to Bitcoin's relatively small ones in the event that scalability issues limit Bitcoin's block size.  Because as I mentioned above, the total valuation of a currency is mostly due to the contribution from long-term stored value, Bitcoin could scale up its transaction rate using a symbiotic alt-chain, while keeping the majority of its total valuation from being exposed to scaling risks, e.g. from increased centralization.  Unfortunately though, the transactional alt-coin would be potentially more volatile than Bitcoin, since the guaranteed conversion rate only goes one way.

Edit: Actually, the symbiotic Zerocoin alt-chain I proposed could double as a high transaction rate alt-chain as well, since it's already given up the principle of maximal decentralization, and cheaper to transact regular coins are also part of the Zerocoin protocol.
drawingthesun
July 03, 2013, 05:08:51 AM
 #3

I'm skeptical that the Bitcoin development team will incorporate Zerocoin. Adding something like this is going to be controversial, however I see no reason why an alternative coin will not adopt Zerocoin.

Perhaps when that "Zerocoin alt" becomes more valuable than Bitcoin then the developers might add it. :)

Someone very smart said that if an alt coin defeats bitcoin for market share without offering any real gains then this will doom all crypto currencies forever, why invest if another will just beat that one too for no reason?

I think Hal said that and it rings true, if an alt that has no advantage beats out Bitcoin, then this destroys all the credibility in the crypto coin ecosystem.

However, adding Zerocoin is a major change, a major addition. If Zerocoin works it would present a massive advance for these currencies and if Bitcoin did not adopt it and another did that other coin would be well within its sights to overtake Bitcoin.

Full anonymity is not a setting change or other meaningless change in the Bitcoin source. If Zerocoin works it will be the largest advance in crypto currencies since the creation of Bitcoin itself. I would advise the development team to keep a very close eye on this one.
btc4ever
July 03, 2013, 05:16:21 AM
 #4

Quote
I'm skeptical that the Bitcoin development team will incorporate Zerocoin. Adding something like this is going to be controversial, however I see no reason why an alternative coin will not adopt Zerocoin.

Does merge mining require anything from the Bitcoin dev team, or can it be accomplished without their consent and participation?

Quote
Full anonymity is not a setting change or other meaningless change in the Bitcoin source. If Zerocoin works it will be the largest advance in crypto currencies since the creation of Bitcoin itself. I would advise the development team to keep a very close eye on this one.

+1.

Tuck Fheman
July 03, 2013, 05:42:53 AM
 #5

One of the Feathercoin devs (zerodrama) has been looking into Zerocoin protocol since May. I'm hoping for an update from him soon (maybe he'll see this post).

Matthew Green has an excellent video (http://research.microsoft.com/apps/video/dl.aspx?id=192058) on Zerocoin.

d'aniel (OP)
July 03, 2013, 05:43:18 AM
 #6

Quote
I'm skeptical that the Bitcoin development team will incorporate Zerocoin. Adding something like this is going to be controversial, however I see no reason why an alternative coin will not adopt Zerocoin.

Perhaps when that "Zerocoin alt" becomes more valuable than Bitcoin then the developers might add it. :)

Someone very smart said that if an alt coin defeats bitcoin for market share without offering any real gains then this will doom all crypto currencies forever, why invest if another will just beat that one too for no reason?

I think Hal said that and it rings true, if an alt that has no advantage beats out Bitcoin, then this destroys all the credibility in the crypto coin ecosystem.

However, adding Zerocoin is a major change, a major addition. If Zerocoin works it would present a massive advance for these currencies and if Bitcoin did not adopt it and another did that other coin would be well within its sights to overtake Bitcoin.

Full anonymity is not a setting change or other meaningless change in the Bitcoin source. If Zerocoin works it will be the largest advance in crypto currencies since the creation of Bitcoin itself. I would advise the development team to keep a very close eye on this one.

Hal definitely said it first, and it should be carefully considered at this point due to the potential for disruption from a Zerocoin alt.  What's (rightfully) holding back Bitcoin devs from incorporating Zerocoin is the increased centralization of the network due to the significantly greater expense of running a node.  But users of an alt-coin won't necessarily care about that, and will adopt it anyway for its privacy.  That's why I proposed this way to "have our cake and eat it too".  Incidentally, the same factor is at play with the issue of scaling up transaction rates, but that's a separate topic.

Quote
I'm skeptical that the Bitcoin development team will incorporate Zerocoin. Adding something like this is going to be controversial, however I see no reason why an alternative coin will not adopt Zerocoin.

Does merge mining require anything from the Bitcoin dev team, or can it be accomplished without their consent and participation?

No, miners have full control over what they merged-mine.  That's why I went into so much detail about what the correct Zerocoin strategy is from their perspective.
marcus_of_augustus
July 03, 2013, 06:43:16 AM
 #7

Namecoin sounds like the best candidate in terms of similarity of code to bitcoin and is most widely merged-mined already. In fact, vinced, creator of namecoin, was the inventor of merged mining, so it would have some symmetry.

Just a bit of rebasing to bring code base up to bitcoin current state but that would be the quid pro quo for using the blockchain ... worth thinking about and there might be some unexpected synergies emerging from having strongly anonymous namespace ownership possibilities also.

d'aniel (OP)
July 03, 2013, 07:00:11 AM
 #8

Quote
Namecoin sounds like the best candidate in terms of similarity of code to bitcoin and is most widely merged-mined already. In fact, vinced, creator of namecoin, was the inventor of merged mining, so it would have some symmetry.

Just a bit of rebasing to bring code base up to bitcoin current state but that would be the quid pro quo for using the blockchain ... worth thinking about and there might be some unexpected synergies emerging from having strongly anonymous namespace ownership possibilities also.

Having new coins be created only when bitcoins are destroyed is also necessary - this is what preserves the store of value functionality of Bitcoin.  If miners could inflate the Zerocoin chain, then this would indirectly hurt this functionality.  So there's no need to incorporate it into an existing chain, as the initial distribution problem is already solved by creating new coins in this fashion.
amincd
July 03, 2013, 07:25:00 PM
 #9

This is a beautiful idea and worth doing for the blueprint it would provide to future altcoins alone.
amincd
July 04, 2013, 03:46:35 AM
 #10

So if I understand this correctly, no changes need to be made to Bitcoin for an altcoin like this to be created. If that's the case, we don't need to wait to get the agreement or cooperation of Bitcoin devs before we proceed to implement it, correct?
🏰 TradeFortress 🏰
July 04, 2013, 03:54:51 AM
 #11

Quote
So if I understand this correctly, no changes need to be made to Bitcoin for an altcoin like this to be created. If that's the case, we don't need to wait to get the agreement or cooperation of Bitcoin devs before we proceed to implement it, correct?

Yes, but you can't turn "Zerocoin Bitcoins" back into real Bitcoin unless you find someone willing to exchange them. It's a one way trip.
d'aniel (OP)
July 04, 2013, 05:20:01 AM
 #12

Quote
So if I understand this correctly, no changes need to be made to Bitcoin for an altcoin like this to be created. If that's the case, we don't need to wait to get the agreement or cooperation of Bitcoin devs before we proceed to implement it, correct?

Making OP_RETURN transactions standard would be helpful, otherwise you'd have to find a specific miner willing to mine them, and send your transactions to him directly.  These transactions are needed for creating new coins on the alt-chain.  It looks like the devs are already going to make this change for fidelity bonds in general.

Making the txs from https://en.bitcoin.it/wiki/Contracts#Example_5:_Trading_across_chains standard would also be helpful for low trust cross chain transactions, but there's no rush for this.

So no necessary changes, just some potentially helpful ones.
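
The burn-to-mint rule from posts #1 and #12 (new alt-chain units only for bitcoins provably destroyed with OP_RETURN), as an added Python example that is not from the thread or from the Zerocoin library. The `ZBRN` tag, the tag-plus-20-byte-recipient payload layout, the six-confirmation depth and all sample values are assumptions made for illustration.

```python
import struct

OP_RETURN = 0x6A
TAG = b"ZBRN"                  # hypothetical 4-byte marker, not a real protocol tag
PAYLOAD_LEN = len(TAG) + 20    # tag + 20-byte alt-chain recipient hash (assumed layout)
MIN_CONFIRMATIONS = 6          # assumed burial depth before a burn may be claimed


class BurnError(ValueError):
    """Raised when an output does not qualify as a claimable burn."""


def make_output(value: int, script: bytes) -> bytes:
    """Serialize a tx output (8-byte LE value, length byte, script); scripts < 253 bytes."""
    return struct.pack("<Q", value) + bytes([len(script)]) + script


def parse_burn_output(raw: bytes):
    """Return (satoshis, recipient) if raw is exactly OP_RETURN <TAG || recipient>."""
    if len(raw) < 9:
        raise BurnError("truncated output")
    (value,) = struct.unpack_from("<Q", raw, 0)
    script = raw[9:]
    # Burn scripts are 26 bytes, so the length varint is always a single byte here.
    if raw[8] != len(script) or len(script) != 2 + PAYLOAD_LEN:
        raise BurnError("unexpected script length")
    # OP_RETURN as the first opcode aborts script execution: no key can spend this.
    if script[0] != OP_RETURN:
        raise BurnError("output is spendable, nothing was destroyed")
    if script[1] != PAYLOAD_LEN:   # opcodes 0x01..0x4b push that many bytes
        raise BurnError("payload is not a single direct push")
    payload = script[2:]
    if payload[:len(TAG)] != TAG:
        raise BurnError("burn is not addressed to this chain")
    if value == 0:
        raise BurnError("zero-value output burns nothing")
    return value, payload[len(TAG):]


class MintLedger:
    """Alt-chain side: credit each Bitcoin burn outpoint at most once."""

    def __init__(self):
        self.claimed = set()
        self.balances = {}

    def credit(self, txid: bytes, vout: int, raw_output: bytes, confirmations: int) -> int:
        if confirmations < MIN_CONFIRMATIONS:
            raise BurnError("burn could still be reorganized away")
        if (txid, vout) in self.claimed:
            raise BurnError("burn already converted")
        value, recipient = parse_burn_output(raw_output)
        self.claimed.add((txid, vout))
        self.balances[recipient] = self.balances.get(recipient, 0) + value
        return value


if __name__ == "__main__":
    # Constructed sample: a 50,000-satoshi burn that someone tries to claim twice.
    recipient = bytes(range(20))
    burn = make_output(50_000, bytes([OP_RETURN, PAYLOAD_LEN]) + TAG + recipient)
    ledger = MintLedger()
    print("minted", ledger.credit(b"\x11" * 32, 0, burn, confirmations=6))
    try:
        ledger.credit(b"\x11" * 32, 0, burn, confirmations=6)
    except BurnError as exc:
        print("rejected:", exc)
```

The ledger keys on the Bitcoin outpoint, so the same burn cannot mint twice, and anything that is not byte-for-byte the expected OP_RETURN script is refused rather than interpreted leniently.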
Mike Hearn
July 05, 2013, 07:31:10 PM
 #13

ZeroCoin is not merge-able not because it would create a much harder time staying decentralised. It's unmerge-able because the performance is so poor it would break things completely.

It's worth reading the original paper very carefully before forming any opinions on ZeroCoin. When I read it I discovered a serious error in their analysis but it was too late for the paper to be fixed. Namely that they thought that because blocks are created every 10 minutes, if it takes 10 minutes to verify a block then that's ok. Not correct! You need to be able to verify a block within seconds, not minutes. Otherwise the whole consensus algorithm just fails.

The maths behind ZeroCoin is fascinating, but unless they made dramatic improvements we're getting way ahead of ourselves talking about alt coins and implementations. This isn't some kind of finely nuanced tradeoff on which reasonable people can disagree. ZeroCoin is just not usable in its current form in any coin, alt or no.

And that's ignoring the issue of how you initialise the system in a trustworthy manner, which is still an open research problem. If you don't solve that then you're back to having a central banker which rather defeats the point of crypto-currencies.

d'aniel (OP)
July 06, 2013, 12:22:37 AM
 #14

Quote
ZeroCoin is not merge-able not because it would create a much harder time staying decentralised. It's unmerge-able because the performance is so poor it would break things completely.

It's worth reading the original paper very carefully before forming any opinions on ZeroCoin. When I read it I discovered a serious error in their analysis but it was too late for the paper to be fixed. Namely that they thought that because blocks are created every 10 minutes, if it takes 10 minutes to verify a block then that's ok. Not correct! You need to be able to verify a block within seconds, not minutes. Otherwise the whole consensus algorithm just fails.

The maths behind ZeroCoin is fascinating, but unless they made dramatic improvements we're getting way ahead of ourselves talking about alt coins and implementations. This isn't some kind of finely nuanced tradeoff on which reasonable people can disagree. ZeroCoin is just not usable in its current form in any coin, alt or no.

And that's ignoring the issue of how you initialise the system in a trustworthy manner, which is still an open research problem. If you don't solve that then you're back to having a central banker which rather defeats the point of crypto-currencies.


Thanks Mike.  I figured we might get away with the large mining pools merge mining it just based on how keen they seem to get people to start experimenting with it, but I didn't realize it was that bad.  You can only raise the block period so much before the system becomes unusable...
biggie
July 06, 2013, 05:46:45 AM
 #15

I still have to read some more about zerocoin but if it's true from what it is designed to do and being a kind of extension to bitcoin for anonymity then by all means !
giszmo
July 06, 2013, 06:26:47 AM
 #16

Quote
ZeroCoin is not merge-able not because it would create a much harder time staying decentralised. It's unmerge-able because the performance is so poor it would break things completely.

It's worth reading the original paper very carefully before forming any opinions on ZeroCoin. When I read it I discovered a serious error in their analysis but it was too late for the paper to be fixed. Namely that they thought that because blocks are created every 10 minutes, if it takes 10 minutes to verify a block then that's ok. Not correct! You need to be able to verify a block within seconds, not minutes. Otherwise the whole consensus algorithm just fails.

The maths behind ZeroCoin is fascinating, but unless they made dramatic improvements we're getting way ahead of ourselves talking about alt coins and implementations. This isn't some kind of finely nuanced tradeoff on which reasonable people can disagree. ZeroCoin is just not usable in its current form in any coin, alt or no.

And that's ignoring the issue of how you initialise the system in a trustworthy manner, which is still an open research problem. If you don't solve that then you're back to having a central banker which rather defeats the point of crypto-currencies.

Mike thank you for this info. As you can see in my sig, I'm totally fascinated by ZeroCoin. The idea, not this concrete implementation. I'm sure we will find a way and I'm not too sad if it doesn't work yet tomorrow.

AMuppInTime
July 06, 2013, 07:33:54 AM
 #17

Few Qs from watching the presentation:
How important is the original trusted authority in the establishing of the accumulator? How bad would it be if it were corrupted/breached?
Tacking on Zerocoin on top of Bitcoin seems to add a layer which can be hacked: the coin itself appears no longer backed by the block chain but by the encryption chosen (RSA XYZ) while being carried on the chain. It seems to be adding a point of failure to me: am I getting it right?

I searched and could not find a Zerocoin thread on those forums, please let me know if I should be somewhere else with those questions.
marcus_of_augustus
July 06, 2013, 07:52:45 AM
 #18

Quote
Few Qs from watching the presentation:
How important is the original trusted authority in the establishing of the accumulator? How bad would it be if it were corrupted/breached?
Tacking on Zerocoin on top of Bitcoin seems to add a layer which can be hacked: the coin itself appears no longer backed by the block chain but by the encryption chosen (RSA XYZ) while being carried on the chain. It seems to be adding a point of failure to me: am I getting it right?

I searched and could not find a Zerocoin thread on those forums, please let me know if I should be somewhere else with those questions.


https://bitcointalk.org/index.php?topic=175156.0

MagicBit15
July 06, 2013, 01:11:31 PM
 #19

I don't think it will be that much of a threat similar to BTB. Also, shouldn't this be moved to alt-currencies?

becoin
July 06, 2013, 01:35:16 PM
 #20

Quote
Yes, but you can't turn "Zerocoin Bitcoins" back into real Bitcoin unless you find someone willing to exchange them.

I fail to see why anyone would be willing to do that. What's the idea behind turning real anonymous cash into a pseudo-anonymous one?