Cross-posting...
https://bitcointalk.org/index.php?topic=362468.msg7513111#msg7513111
Hi friends, I don't really get this, please can anyone answer for once:
What is the difference between Zerocoin and Zerocash?
What is more anonymous, Darkcoin, Zerocoin, or Zerocash, or Bytenote and its forks? What about Darkwallet?
If you were like, I don't know... Julian Assange or someone like that and you had to send some money and your life depended on it, and the only way was via a cryptocurrency... what crypto would you use? That's the question. Whatever brings more anonymity wins big time in the long run!
Here is the short answer (to the best of my knowledge):
Zerocoin (original paper): User 1 "buys" zerocoins, and this transaction can be seen by everyone, including the amount. When user 1 spends the zerocoins to user 2, the amount can be seen by everyone, but it is cryptographically impossible to link user 1 and 2.
Zerocash (new paper): In addition to breaking the link between user 1 and 2, as in the original zerocoin paper, this also hides the amount of money being transferred. This protocol also allows transferring a zerocash coin directly to the second user without having to redeem it in the base currency, as well as splitting and merging zerocash coins. What is bound to cause confusion is that the authors are calling the coins in zerocash "zerocoins", just like in the original paper, even though they are not the same thing.
Darkcoin: They use a modification of CoinJoin, which they call "darksend". This is a simple coin mixing service. However, given the limited number of coins that are mixed, as well as other problems, such as with change and trust, it is possible to de-anonymize at least some transactions if you really tried to.
CryptoNote coins: User 1 sends user 2 money, but the transaction is signed by X users in a ring signature. User 2 receives money, which is visible on the blockchain with the amount, but all that can be said is that it came from one of the X members that participated in the "ring signature". The amount of anonymity increases as the number of members in the ring signature increases. For low values of X, it is possible to de-anonymize some types of transactions by a block chain analysis.
Darkwallets: Not sure. I think that this is just CoinJoin for Bitcoin. These exist only because Bitcoin refuses to implement suitable privacy measures.
So, if you had to rank them: Zerocash is the most anonymous, Zerocoin (original) is next, Cryptonote is close behind, and Darkcoin and Darkwallets are poor-man alternatives. All are better than nothing.
Nevertheless, you need to put this in perspective and consider some practical aspects: Darkcoin is working, CryptoNote coins are working but with no graphical interface, Zerocoin (original) does not exist now and will likely be implemented in Anoncoin in about 1 month, and the authors of Zerocash claim that it will be released in 3-6 months. It is possible that another existing coin will implement zerocash first (such as Anoncoin, after they release their implementation of Zerocoin). In terms of practicalities, Darkcoin is easy to use, whereas for the others, you either need to set up some parameters (such as the number of signatures in a ring signature), or make an intermediate step by buying zerocoins.
I should note that another aspect of anonymity is hiding the physical location (i.e., IP number) of where the transactions took place. Anoncoin allows users to send their transactions via i2p, which effectively hides your IP number, and it is the only coin that supports i2p to my knowledge. I think that most coins allow you to send transactions via TOR (which would achieve the same thing), but this is not set up by default, and I couldn't get this to work on my computer after 30 minutes, so I gave up.
There are potential problems with zerocash (the paper was just published): you need to trust someone to set up the initial, one-time, secret parameters and then forget them (there is a trick to fix this in zerocoin); you also can not count the number of zerocash coins as the amount is hidden. There is thus a scary possibility that someone could break the code (or learn the secret parameters), that would allow them to mint coins without anyone ever finding out. This would have the effect of inflation.
Finally, people tend to forget that it is extremely difficult to achieve anonymity when you convert any cryptocurrency for fiat: Banks and exchanges will always be the weakest link as long as fiat is the "default" currency.
If I made any mistakes, please correct me.
I have written some detailed information at the following linked thread, some of which is missing from your above summary:
https://bitcointalk.org/index.php?topic=557732.msg6662978#msg6662978
Let us attempt the simplest summary, and readers who want to dig deeper can click the link above.
The resource requirements of the full client for Zerocoin are impractical, unless you want to centralize mining. Also all transaction amounts have to be the same, so you would run into the same issue as CryptoNote has (see below).
Zerocash hides the money supply (i.e. it is unknown), it is unvetted extremely complex new crypto (vetting takes years or a decade), and the setup parameters can not EVER be proven to not be backdoored, thus there will be no way to know if some entity (has cracked the crypto or intercepted the setup parameters and) is creating coins for free. Sorry but aren't we trying to get away from fiat central banking money where a centralized entity can print money at-will?
Many ways the NSA can get those setup parameters:
http://www.infowars.com/intel-ceo-refuses-to-answer-questions-on-whether-nsa-can-access-processors/
http://www.forbes.com/sites/steveblank/2013/07/15/your-computer-may-already-be-hacked-nsa-inside/
http://www.eweek.com/security/nsa-can-hack-you-even-if-you-arent-connected-to-the-internet.html
http://www.gizmag.com/malware-jump-air-gap/30056/
Include also if the people doing the setup have been served a national security letter gag order which compels them to do the setup and give the parameters to the NSA and not tell anyone.
The anonymity of CryptoNote (i.e. ByteCoin, Monero, and clones) requires that all transaction amounts be broken into separate transactions for standardized fragments which causes massive blockchain bloat (for any reasonable level of anonymity) and the blockchain can never be pruned. There is already a problem with Bitcoin's blockchain being too large and it doesn't have this massive bloat. In short, CryptoNote (and Zerocoin) can't scale.
Neither of the two do anything to obscure your IP address, and Tor/I2P are thought to be honey pots for national security agencies (Wikipedia says "who has the incentive to provide all this server bandwidth for free").
The need to obscure your IP address is less of an issue for Zerocash since it hides even the amount of the transaction, but this causes the money supply to be hidden as well which seems like an unacceptable tradeoff. Nevertheless, the authorities can see you are transacting to the Zerocash network even if they can't see the details, in theory the berserk hunt for money during the coming sovereign debt collapse post-2016 will use the law to compel you to reveal secrets or face jail:
http://www.nestmann.com/could-the-government-force-you-to-tell-your-deepest-darkest-secrets
CryptoNote doesn't hide the amount and the payer is mixed with a limited number of numerous other potential payers, so the IP correlation can be used to narrow the possibilities statistically and home in on identity, by observing patterns across all users. Thus the lack of IP address obfuscation in CryptoNote (assuming Tor is really a honeypot, and or most users fail to employ Tor) reduces the anonymity.
CoinJoin's algorithm suffers from not being atomic and thus it can be repeatedly jammed by an adversary, i.e. denial-of-service. This is because first the inputs have to be collected, then the outputs have to be blind signed with a group signature, and then finally all inputs have to be signed. If any one of the participant senders fails to complete all the steps, the transaction is jammed and the process must start again. All proposals for throttling or blacklisting adversaries were argued to be ineffective and intractable. Darkcoin innovated CoinJoin by adding a collateral payment which is forfeited by participants who fail to complete all steps. This requires a random master node to break the unlinkability as it knows the matching output of each input. It is assumed that not all master nodes will be adversaries and thus sending multiple times through different master nodes will provide a probabilistic level of unlinkability. The master nodes are purchased and it isn't clear that a sufficiently powerful adversary couldn't sufficiently Sybil attack by acquiring a larger percentage of the master nodes. There is also concern this might enable the adversary to steal collateral payments. Also the master nodes aren't untraceable and thus could perhaps be held liable by governments for breaking AML and KYC laws. CoinJoin and Darkcoin suffer from the simultaneity timing problem that other spenders need to send spends of the same amount simultaneously.
None of these coins do anything to solve the centralization of mining, wherein one or two pools now control more than 50% of the Bitcoin mining hash rate.
Also many of these coins run into chaotic problems with their organization, e.g. apparently someone created a private GPU miner for Monero and is mining 50% of the coins for himself. Apparently there is no funding means or organization to rectify this.
"We're building a system that will not have a back door"... Well there's no way of knowing that the security parameters do not contain a back door, so we have to trust the people who generate them. Hopefully someone will figure out a way to generate them in a provably trustworthy fashion. I don't know if that's possible.
In fact, it is possible to generate the security parameters in a completely trustless manner for the original Zerocoin protocol of Miers et al. (Zerocoin: Anonymous Distributed E-Cash from Bitcoin). All you need to do is generate a number that contains two large prime numbers, and whose factorization is unknown. Amazingly, you can generate such numbers using RSA UFOs, and this is the approach that Anoncoin has chosen for their implementation of Zerocoin.
I read the research paper for UFOs. It is based on number theoretic assumptions and I am unaware whether these assumptions have been sufficiently vetted.
Realize the NSA may have as much as the $3 trillion missing black budget at their disposal (the money former Secretary of Defense Donald Rumsfeld announced was missing the day before 9/11 and then all the records were destroyed at the Pentagon by the attack the next day).
http://www.wired.com/2013/09/black-budget-what-exactly-are-the-nsas-cryptanalytic-capabilities/
Unfortunately, you can not do the same thing with the newer Zerocash protocol of Ben-Sasson (Zerocash: Decentralized Anonymous Payments from Bitcoin).
Correct.
Lastly remember all the coins are currently based on asymmetric public key cryptography, which can be cracked with a quantum computer if the NSA ever is able to create one. As well the NSA might have cracked some of the number theoretic factoring assumptions or backdoored the constants.
http://beta.slashdot.org/story/191445
https://www.schneier.com/crypto-gram-9911.html#EllipticCurvePublic-KeyCryptography
http://crypto.stackexchange.com/questions/10263/should-we-trust-the-nist-recommended-ecc-parameters
If you really want to be sure, you need to move to Lamport signatures which are not based on number theoretic assumptions.
Tor is a very secure system...
I don't think so...
http://en.wikipedia.org/w/index.php?title=Onion_routing&oldid=592703635#Weaknesses
https://tails.boum.org/doc/about/warning/index.en.html#index4h1
https://tails.boum.org/doc/about/warning/index.en.html#index7h1
http://en.wikipedia.org/wiki/Tor_%28anonymity_network%29#Exit_node_eavesdropping
"If you actually look into where these Tor nodes are hosted and how big they are, some of these nodes cost thousands of dollars each month just to host because they're using lots of bandwidth, they're heavy-duty servers and so on. Who would pay for this and be anonymous?"
https://www.schneier.com/essays/archives/2013/10/attacking_tor_how_th.html
http://armstrongeconomics.com/2014/06/22/nsa-gathers-all-communications-everywhere/