All these problems, like hiding the transfer amount , and anonymization, etc were solved (*) by my Appecoin protocol. Appecoin proofs are relatively small, and fast to verify.
The fact that I didn't publish it (for a year) is that I still have moral doubts of enabling a completely anonymous payment system. Somebody has to proof that the benefit of such system outweigh the costs of its illegal use.
I hope Adam you're sure that you solved that dilemma when you finally build your own protocol.
(*) This is not completely true, since my paper has received little peer review, it might contain mistakes.
I think eg if you read the original zercoin paper and I said similar things on bitcointalk that anonymity is the ideal building block. What you can build with it is many permutations of desired and useful privacy levels. It doesnt have to be full payee & payer anonymous just because the building block supports that. And there are many reasons in the real world that you dont get that privacy in practice. IP logging, IP geolocation, physical shipping address, knowledge of you by the person you are paying/receiving from, privacy mistakes etc.
Now in an ideal world how it is supposed to work is the fungibility/anonymity is secure like zerocoin. And identity is managed between people sending and receiving bitcoin. Many variants are possible:
1. public (everyone can see amount, and sender/recipient addresses - current bitcoin)
2. private (encrypted so only recipients see value and address information)
3. private but identified (encrypted between recipients, but recipient and/or sender is identified)
I prefer user choice of 2 or 3. We use SSL for web commerce for a reason, confidentiality of the transaction, and bitcoin does not encrypt transactions. It means only parties to the communication see the value and decide what level of identification they want if any. This supports buying ebooks without a dossier of what books you read. Its no ones business. And it supports AML/KYC for large for regulated businesses. And identifying the customer account so the business can account eg with repeat customers. And it supports criminal investigation also. The police go subpoena information from businesses the criminal interacted with to track him down. Same as in real life.
Usually if you have anonymity as a building block users can opt to disclose and prove because the anonymity will also have keys and the user can publish their keys. So I think it likely that opt-in public association of an identity with specific coins, or maybe with unlinkable but validatable amount of coins would be technically available, and I can see its a useful feature, so should be made an option for users. (Eg to prove they have the bitcoins they claim to be holding for users, or disclose the amount of donations received).
About privacy in my view bitcoin is a bit too open which I think is not so much by design, but because its difficult to have privacy and the auditability SPV operation needs, because miners need to validate, and to validate they need to see amounts and transfer histories. (Hence the interest in zerocoin and zerocoin2.) Without needing to support SPV clients one could do committed-tx and it would be a step forward.
I think Ideally transacting parties should be able to choose the level of privacy from each other and from the public. eg pseudonymous to each other but private to the public. Or identified seller (because its a regulated business) and identified business (because the user need to validate the reputation of the seller), but private from the public. In event of need to reveal more detail to selected other parties, or to the public to prove good faith, they should also be able to do that eg by publishing some keys.
In this way policing can be done by asking for information from transacting parties. And demonstrating openness (eg for donations, charities, public companies) can be done by publishing keys. And financial auditing can be done by a charity or company giving their accountant or auditor keys to view their transactions (but not necessarily the sender identity).
There are also privacy preserving forms of auditing. Eg homomorphic values can still allow auditing that values add up by anyone and yet hide amounts and/or payer psueodnym is unknown (close to single use addresses but slightly stronger privacy).
So I think if we can get a cryptographic private, efficient, distributed coin with conservative security for the coin anonymity/fungibility layer then we are golden. We can engineer/architect the selective disclosure, selective identity and different privacy concepts to dove tail with transacting party wishes. I would say bitcoin should not make any global rule about maximum allowed privacy, because rules are different in different countries. Rather payments should be private between the transacting parties, and it is up to the transacting parties to keep records and answer requests for information disclosure, and to provide identity to regulated businesses in their respective jurisdictions,
But its hard to do get the efficient, distributed and private ecash, thats so far proving to be another triangle thing like pick 2: efficient, distributed, private.
So lets have a look at what we have:
- bitcoin (efficient, distributed, but taintable privacy)
- chaum or brands ecash are (efficient, cryptographic privacy, but centralized)
- coinjoin (efficient, distributed, smudged taint privacy)
- opentransactions (efficient, cryptographic private, limited redundancy)
- committed-tx (efficient, private except parties see payment history, decentralized but no SPV)
- zerocoin v1 (private, decentralized, but inefficient)
- holygrail (efficient, distributed, cryptographic privacy)
we have to see how zerocoin v2 stacks up. Another risk point can be bleeding edge crypto that hasnt seen 10yrs of review. Things with security proofs have been broken before. Hardness assumptions for new things sometimes erode or slip.
Kind of odd if you are sitting on the holygrail crypto and not publishing for some kind of ethical considerations? Really? Technology is neutral and this technology can add many useful permutations of privacy to bitcoin. I'd sure publish it immediately if I had figured it out and feel I did a good thing for society.
Maybe you want also to read this post by Greg Maxwell explaining why privacy is important for society and commerce.
https://bitcointalk.org/index.php?topic=334316.msg3588908#msg3588908I think you get that also because as I understood it you explored anonymity because of your interest in card gaming to prevent collusion being used to cheat.
ps Personally I think gambling has far more ethical worries than users being able to transact privately with something approaching the analogous already existing levels of privacy in other systems. For some people gambling becomes a near ruining addiction.
Adam
