Zerocoin proofs reduced by 98%, will be released as an alternative coin.

[wumpus]

Could a Bitcoin developer clarify whether these changes make Zerocoin appropriate for inclusion in Bitcoin or not? As far as I understand it the privacy provided by things like CoinJoin and CoinSwap aren't really comparable.

Until they release details (ie a paper or source code) on what they are actually going to do, that's impossible to do.

[anti-scam]

Could a Bitcoin developer clarify whether these changes make Zerocoin appropriate for inclusion in Bitcoin or not? As far as I understand it the privacy provided by things like CoinJoin and CoinSwap aren't really comparable.

Until they release details (ie a paper or source code) on what they are actually going to do, that's impossible to do.

My understanding was that the size of the proofs was the primary hurdle to implementation. Is that true?

[drawingthesun]

Could a Bitcoin developer clarify whether these changes make Zerocoin appropriate for inclusion in Bitcoin or not? As far as I understand it the privacy provided by things like CoinJoin and CoinSwap aren't really comparable.

Until they release details (ie a paper or source code) on what they are actually going to do, that's impossible to do.

My understanding was that the size of the proofs was the primary hurdle to implementation. Is that true?

Yes, when the original paper was released the main point to dismiss zerocoin was the size of the transactions and the strain that would cause on the blockchain.

[anti-scam]

Could a Bitcoin developer clarify whether these changes make Zerocoin appropriate for inclusion in Bitcoin or not? As far as I understand it the privacy provided by things like CoinJoin and CoinSwap aren't really comparable.

Until they release details (ie a paper or source code) on what they are actually going to do, that's impossible to do.

My understanding was that the size of the proofs was the primary hurdle to implementation. Is that true?

Yes, when the original paper was released the main point to dismiss zerocoin was the size of the transactions and the strain that would cause on the blockchain.

Then assuming they're not lying the prospects for implementation look good as long as certain political forces don't get involved.

[El Dude]

bitcoin and litecoin can just add the zerocoin protocol once its a altcoin .

[anti-scam]

bitcoin and litecoin can just add the zerocoin protocol once its a altcoin .

I don't know much about Litecoin's internal politics but with all of the forces surrounding Bitcoin these days it's not guaranteed that the developers would rush to implement Zerocoin. That's why it's important that the community stays on top of the situation.

[gmaxwell]

My understanding was that the size of the proofs was the primary hurdle to implementation. Is that true?

There were several other additional limitations:

* Very slow to validate (e.g. on the order of 1-2 tx per second)
* Required a trusted party to initiate the accumulator, and if they violate that trust they could steal coins
* Uses cryptography which is less well studied
* Only handled anonymized coins with one value, reducing the anonymity set size substantially
* Didn't conceal values
* Spent coins list is needed for validation and grows forever (e.g. no pruning of the critical validation state).

Of these only the first two and the last are probably real barriers, the others are more "doesn't work as well as some hypothetical future system might".

There was no way within their prior system to achieve size reductions to the currently mentioned, I'd speculated in some other threads on some technology that could make the proofs smaller and faster, but if they've gone that route there may be some other consequences. It's hard to say much of anything useful without more information being made public.

I would note that the prior ZC implementation has been made available for some time now, and no altcoin has picked it up.

[prospector1]

There are people very interested in ZC and who are watching closely. For various reasons they will not be appearing on BTCtalk

[LiteCoinGuy]

who are the Devs behind this idea?

[maaku]

* Spent coins list is needed for validation and grows forever (e.g. no pruning of the critical validation state).

I've found away around this limitation using a variant of the UTXO proof tree structure. A tree containing all spent tokens is constructible from the spend history visible in the chain history. Anyone holding an unspent token maintains an insertion-proof into this tree, which is included as part of the spend. Validating nodes need only keep the root hash for a given series, which is updated after validating each spend.

But the other two points remain as major obstacles...

[gmaxwell]

I've found away around this limitation using a variant of the UTXO proof tree structure. A tree containing all spent tokens is constructible from the spend history visible in the chain history. Anyone holding an unspent token maintains an insertion-proof into this tree, which is included as part of the spend. Validating nodes need only keep the root hash for a given series, which is updated after validating each spend.

Sounds a lot like the MMR stuff Peter Todd has been talking about, but I don't think it applies in the anonymous context.

In an anonymous system the unspent coins are blinded in some way or another and you use a proof to show that your spend is spending a coin from the set of unspent coins (without revealing which blind-unspent coin it was), and then that unblinded coin is put into a list to prevent spending it again.

Any way that avoids the storage problem by linking the spend to the particular unspent coin (e.g. removing it) isn't anonymous.

I know how to prevent it from growing forever though, but it trades off the anonymity set and the reliability of storage:. E.g. you have generations of unspent coins, and all unspent coins from a particular generation must be spent before a certain time. Once that time passes your spent list can also be purged.

At least in what Peter Todd's been thinking about there is an additional complication that when adjacent branches in this updating tree of unspent outputs you must update your proof... so it creates an interesting business opportunity for nodes that track the whole state in order to help offline spenders figure out the proof they need.

 

[maaku]

Yes, it's exactly MMR applied to the Chaum token double-spend db. This solves the problem of maintaining that ever-increasing list of unblinded, spent tokens by pushing the problem out of the validators and onto the people holding the coins. Proof size grows with log2 the number of spent tokens, but the proofs can be thrown away once validated (as they can be reconstructed from the block chain history).

It doesn't link the spend to the original coin however, as we're only dealing with revelation of the unblinded tokens. You still need some sort of ZKP that the unblinded token was out of the original set of blinded tokens.

[gmaxwell]

Got it, for some reason I was not seeing that the coin owner knows their (blinded) coin ID from the moment the coin is created, and thus can track the proof for where that coin belongs in the spent tree... or they could not do so and trust that they'll be able to find someone else who has when they need it. Makes sense.