Silk Road forums
Discussion => Security => Topic started by: lukeuser on April 26, 2013, 10:59 pm
-
http://www.forbes.com/sites/andygreenberg/2013/04/12/zerocoin-add-on-for-bitcoin-could-make-it-truly-anonymous-and-untraceable/
Discuss
-
It has been discussed before. I can't find all the threads due to the broken search engine. I remember someone saying it sounds like a LE trying to catch people. I personally have no interest in buying another coin that is traded for bitcoin.
dkn255hz262ypmii.onion/index.php?topic=146828
-
It has been discussed before. I can't find all the threads due to the broken search engine. I remember someone saying it sounds like a LE trying to catch people. I personally have no interest in buying another coin that is traded for bitcoin.
dkn255hz262ypmii.onion/index.php?topic=146828
Thanks
-
It says this about it on the Bitcoin wiki
Zerocoin is a new cryptographic extension to Bitcoin that (if adopted) would bring true cryptographic anonymity to Bitcoin. It works at the protocol level and doesn't require new trusted parties or services. With some engineering, it might (someday) turn Bitcoin into a completely untraceable, anonymous electronic currency.
Surely all Silkroad users and anyone who uses Bitcoin for anonymity would welcome this standard with open arms. The code it perfectly public and open to inspection as far as I am aware.
Here's another article that explains it much better http://blog.cryptographyengineering.com/2013/04/zerocoin-making-bitcoin-anonymous.html from someone who has a lot of knowledge of how Bitcoin works. Zerocoin is like a single, perfect Bitcoin laundry service, which in addition removes any requirement of trust, as it is just as decentralized as Bitcoin itself.
-
It says this about it on the Bitcoin wiki
Zerocoin is a new cryptographic extension to Bitcoin that (if adopted) would bring true cryptographic anonymity to Bitcoin. It works at the protocol level and doesn't require new trusted parties or services. With some engineering, it might (someday) turn Bitcoin into a completely untraceable, anonymous electronic currency.
Surely all Silkroad users and anyone who uses Bitcoin for anonymity would welcome this standard with open arms. The code it perfectly public and open to inspection as far as I am aware.
Here's another article that explains it much better http://blog.cryptographyengineering.com/2013/04/zerocoin-making-bitcoin-anonymous.html from someone who has a lot of knowledge of how Bitcoin works. Zerocoin is like a single, perfect Bitcoin laundry service, which in addition removes any requirement of trust, as it is just as decentralized as Bitcoin itself.
The argument that was brought up before is this. What better way to catch people trying to do illegal activities or hide assets than to create a service catered to anonymity.
-
Zerocoin would give you this incredible privacy guarantee, then we could add on some features which let the police, for instance, to be able to track money laundering. A back door.
Sounds just like what Silk Road needs..... NOT!
-
It says this about it on the Bitcoin wiki
Zerocoin is a new cryptographic extension to Bitcoin that (if adopted) would bring true cryptographic anonymity to Bitcoin. It works at the protocol level and doesn't require new trusted parties or services. With some engineering, it might (someday) turn Bitcoin into a completely untraceable, anonymous electronic currency.
Surely all Silkroad users and anyone who uses Bitcoin for anonymity would welcome this standard with open arms. The code it perfectly public and open to inspection as far as I am aware.
Here's another article that explains it much better http://blog.cryptographyengineering.com/2013/04/zerocoin-making-bitcoin-anonymous.html from someone who has a lot of knowledge of how Bitcoin works. Zerocoin is like a single, perfect Bitcoin laundry service, which in addition removes any requirement of trust, as it is just as decentralized as Bitcoin itself.
The argument that was brought up before is this. What better way to catch people trying to do illegal activities or hide assets than to create a service catered to anonymity.
But it's *not* a service, it's a standard, a protocol, an extension of the Bitcoin code. And it is publicly available here http://spar.isi.jhu.edu/~mgreen/ZerocoinOakland.pdf. So that any Bitcoin/cryptography expert is able to inspect it to confirm it is completely what the creators say it is, just like anyone can inspect any open-source software or Bitcoin itself.
And it has been specifically designed by the academics who created it, to make it untraceable, so even if it were designed by the government, the reality of how it works makes any tracing/tracking impossible. To think this could possibly be a conspiracy by any government or security agency is simply to misunderstand what it is and how it works.
-
It says this about it on the Bitcoin wiki
Zerocoin is a new cryptographic extension to Bitcoin that (if adopted) would bring true cryptographic anonymity to Bitcoin. It works at the protocol level and doesn't require new trusted parties or services. With some engineering, it might (someday) turn Bitcoin into a completely untraceable, anonymous electronic currency.
Surely all Silkroad users and anyone who uses Bitcoin for anonymity would welcome this standard with open arms. The code it perfectly public and open to inspection as far as I am aware.
Here's another article that explains it much better http://blog.cryptographyengineering.com/2013/04/zerocoin-making-bitcoin-anonymous.html from someone who has a lot of knowledge of how Bitcoin works. Zerocoin is like a single, perfect Bitcoin laundry service, which in addition removes any requirement of trust, as it is just as decentralized as Bitcoin itself.
The argument that was brought up before is this. What better way to catch people trying to do illegal activities or hide assets than to create a service catered to anonymity.
But it's *not* a service, it's a standard, a protocol, an extension of the Bitcoin code. And it is publicly available here http://spar.isi.jhu.edu/~mgreen/ZerocoinOakland.pdf. So that any Bitcoin/cryptography expert is able to inspect it to confirm it is completely what the creators say it is, just like anyone can inspect any open-source software or Bitcoin itself.
And it has been specifically designed by the academics who created it, to make it untraceable, so even if it were designed by the government, the reality of how it works makes any tracing/tracking impossible. To think this could possibly be a conspiracy by any government or security agency is simply to misunderstand what it is and how it works.
Zerocoin would give you this incredible privacy guarantee, then we could add on some features which let the police, for instance, to be able to track money laundering. A back door.
Sounds just like what Silk Road needs..... NOT!
-
I do understand how it works. Everyone's coins are in a big pool and when someone needs coins they get them from that pool. I really don't like the fact that they state "we could add on some features which let the police, for instance, to be able to track money laundering. A back door."
-
Where did you read that?
-
Green says that he and his fellow researchers are not interested in facilitating criminal activity with Zerocoin. "Zerocoin would give you this incredible privacy guarantee, then we could add on some features which let the police, for instance, to be able to track money laundering. A back door." The paper is due to be presented at the IEEE Symposium on Security & Privacy in Oakland, California, in May.
http://www.newscientist.com/blogs/onepercent/2013/03/bitcoin-zerocoin.html
http://beforeitsnews.com/alternative/2013/03/bitcoin-privacy-extension-to-have-back-door-for-government-snooping-2602114.html
http://www.activistpost.com/2013/03/bitcoin-zerocoin-privacy-extension-to.html
-
I do understand how it works. Everyone's coins are in a big pool and when someone needs coins they get them from that pool. I really don't like the fact that they state "we could add on some features which let the police, for instance, to be able to track money laundering. A back door."
Then you don't understand what it is :P
Regarding what you quoted, it doesn't make sense, since all you need to do to guarantee against that is download your Zerocoin client source code, check the code for a back door, and then compile it and use.
UPDATE: Even if the creator said that, the above still applies.
UPDATE: Sorry if I'm sounding rude, I try not to but can get caught up in my point of view in an argument. I still think any 'back door' 'feature' is not something that could feasibly be put in without our knowledge, for the above reason that any Zerocoin client code could be inspected providing it is opensource (which it would be).
-
I'm too lazy to actually sift through this protocol change proposal... but I don't see how it's possible to do this. I mean possible at all: the whole idea behind Bitcoin is that the entire transaction history is available for public verification in the blockchain. Every transaction ever made. Remove that, and you're trusting a central authority to keep their records straight: that places all the power in their hands, and that's one of the things Bitcoin is specifically designed to avoid.
Again, I haven't looked at the specification or anything, but I don't see how it could possibly work.
-
The Green says that he and his fellow researchers are not interested in facilitating criminal activity with Zerocoin. "Zerocoin would give you this incredible privacy guarantee, then we could add on some features which let the police, for instance, to be able to track money laundering. A back door." The paper is due to be presented at the IEEE Symposium on Security & Privacy in Oakland, California, in May.
Thanks for the links by the way, very useful.
But Zerocoin is not a service, and is not in any way centralised. It seems ridiculous that you would add a backdoor to an anonymising protocol, but I guess he might have said because he was only creating Zerocoin as proof of concept and doesn't want to facilitate crime.
I'm too lazy to actually sift through this protocol change proposal... but I don't see how it's possible to do this. I mean possible at all: the whole idea behind Bitcoin is that the entire transaction history is available for public verification in the blockchain. Every transaction ever made. Remove that, and you're trusting a central authority to keep their records straight: that places all the power in their hands, and that's one of the things Bitcoin is specifically designed to avoid.
Again, I haven't looked at the specification or anything, but I don't see how it could possibly work.
Then look at the proposal. It is not centralised.
-
The 'too good to be true' attitude seems to be dominating here. Unfortunate ;)
In fact, one of the biggest barriers to adoption is human beings themselves. As complicated as Bitcoin is, you can explain the crypto even to non-experts. This makes people happy. Unfortunately Zerocoin is a different animal. It will take time to convince people that these new techniques are safe. We hope to be there when it happens.
-
I'm too lazy to actually sift through this protocol change proposal... but I don't see how it's possible to do this. I mean possible at all: the whole idea behind Bitcoin is that the entire transaction history is available for public verification in the blockchain. Every transaction ever made. Remove that, and you're trusting a central authority to keep their records straight: that places all the power in their hands, and that's one of the things Bitcoin is specifically designed to avoid.
Again, I haven't looked at the specification or anything, but I don't see how it could possibly work.
I also have not read the specification, but it is apparent that they have created a distributed blind mix, probably based on similar principles to Bitcoin itself. The technical details of how they managed to securely distribute the blind mixing will be very interesting as I do not believe anyone has ever made a distributed blind mix before. However it is certainly not that far fetched sounding. There are already algorithms for centralized semi-trusted blind mixes. The current systems allow for perfect unlinkability of coins (or any other currency token of any sort) passing through the blind mix, even the operator of the blind mix can not link people depositing coins into the mix to people withdrawing coins from it. Essentially Alice sends bitcoins to the blind mix and gets blinded cryptographic tokens, she can then send those blinded cryptographic tokens to Bob, who can send them to the blind mix and withdraw the coins Alice has deposited. There are at least a dozen cryptographically sound systems for doing this, and they have existed (mostly as mathematical formulas in theoretic whitepapers) for decades.
A traditional non-blind mix needs to be fully trusted because the coin value going into and out of the mix can be linked by the operator of the mix, but not by a passive observer (in this case someone looking at the block chain). Blind mixing only requires a semi-trusted mix operator because even the mix operator cannot link the coin value going into and out of a blind mix, nor can a passive adversary. However, traditionally the operator of the blind mix can still steal all of the coins they hold. I have not read the technical specification for Zerocoin yet, but they claim to have taken the concept of blind mixing a step further, creating a fully untrusted blind mixing *network*, that has the same unlinkability properties as a traditional centralized blind mix, in addition to protecting from the mix operator(s) stealing the coins they hold. It is a giant step forward for anonymous cryptocurrency if they have really managed to do it, on the same level of a technological achievement as Bitcoin itself imo. It will be interesting to see how they did it.
-
Actually this article deals with the back-door thing quite well http://beforeitsnews.com/alternative/2013/03/bitcoin-privacy-extension-to-have-back-door-for-government-snooping-2602114.html
The reality is a back door is entirely speculative, and impossible to add in with us knowing. I think he just said that because some of his team didn't feel comfortable with possibly facilitating crime (one of them apparently was hesitant about working on it, I read in one of the aforementioned articles).
-
Actually this article deals with the back-door thing quite well http://beforeitsnews.com/alternative/2013/03/bitcoin-privacy-extension-to-have-back-door-for-government-snooping-2602114.html
The reality is a back door is entirely speculative, and impossible to add in with us knowing. I think he just said that because some of his team didn't feel comfortable with possibly facilitating crime (one of them apparently was hesitant about working on it, I read in one of the aforementioned articles).
That is definitely the impression I get as well.
-
I'm too lazy to actually sift through this protocol change proposal... but I don't see how it's possible to do this. I mean possible at all: the whole idea behind Bitcoin is that the entire transaction history is available for public verification in the blockchain. Every transaction ever made. Remove that, and you're trusting a central authority to keep their records straight: that places all the power in their hands, and that's one of the things Bitcoin is specifically designed to avoid.
Again, I haven't looked at the specification or anything, but I don't see how it could possibly work.
I also have not read the specification, but it is apparent that they have created a distributed blind mix, probably based on similar principles to Bitcoin itself. The technical details of how they managed to securely distribute the blind mixing will be very interesting as I do not believe anyone has ever made a distributed blind mix before. However it is certainly not that far fetched sounding. There are already algorithms for centralized semi-trusted blind mixes. The current systems allow for perfect unlinkability of coins (or any other currency token of any sort) passing through the blind mix, even the operator of the blind mix can not link people depositing coins into the mix to people withdrawing coins from it. Essentially Alice sends bitcoins to the blind mix and gets blinded cryptographic tokens, she can then send those blinded cryptographic tokens to Bob, who can send them to the blind mix and withdraw the coins Alice has deposited. There are at least a dozen cryptographically sound systems for doing this, and they have existed (mostly as mathematical formulas in theoretic whitepapers) for decades.
A traditional non-blind mix needs to be fully trusted because the coin value going into and out of the mix can be linked by the operator of the mix, but not by a passive observer (in this case someone looking at the block chain). Blind mixing only requires a semi-trusted mix operator because even the mix operator cannot link the coin value going into and out of a blind mix, nor can a passive adversary. However, traditionally the operator of the blind mix can still steal all of the coins they hold. I have not read the technical specification for Zerocoin yet, but they claim to have taken the concept of blind mixing a step further, creating a fully untrusted blind mixing *network*, that has the same unlinkability properties as a traditional centralized blind mix, in addition to protecting from the mix operator(s) stealing the coins they hold. It is a giant step forward for anonymous cryptocurrency if they have really managed to do it, on the same level of a technological achievement as Bitcoin itself imo. It will be interesting to see how they did it.
Much of that goes over my head as I'm not an expert, but thank-you for taking it seriously! If it reaches a critical mass in interest, it can be a reality, just like Bitcoin itself.
-
Probably my last post on this tonight (it's 3 in the morning)
This link I found on the Bitcoin wiki http://bitcoin.stackexchange.com/questions/9716/does-the-zerocoin-protocol-fulfill-its-promise-of-anonymity
Not much new, but it features input from one of the authors.
And I've just realised that this article I've already mentioned is actually written by the creator himself (Matthew Green). He says his code and client will be released in May.
http://blog.cryptographyengineering.com/2013/04/zerocoin-making-bitcoin-anonymous.html
-
Traditional blind mixes are based off of blind cryptographic signatures. These algorithms allow someone to sign something that is blinded, and the person who receives the blind signed item to unblind it. The signer does not know what the thing they signed will look like when it is unblinded, but they can verify that they have signed it. This can be used in several different ways to create a blind mix.
https://en.wikipedia.org/wiki/Blind_signature
An often-used analogy to the cryptographic blind signature is the physical act of enclosing a ballot in a special carbon paper lined envelope. The ballot can be marked through the envelope by the carbon paper. It is then sealed by the voter and handed to an official which signs the envelope. Once signed, the package can be given back to the voter, who transfers the now signed ballot to a new unmarked normal envelope. Thus, the signer does not view the message content, but a third party can later verify the signature and know that the signature is valid within the limitations of the underlying signature scheme.
Blind signatures can also be used to provide unlinkability, which prevents the signer from linking the blinded message it signs to a later un-blinded version that it may be called upon to verify. In this case, the signer's response is first "un-blinded" prior to verification in such a way that the signature remains valid for the un-blinded message. This can be useful in schemes where anonymity is required.
This explains one implementation of blind mixing, although I think it is not a particularly interesting one. The most interesting implementations allow Alice to obtain blind tokens that can be used for paying anybody, without Bob first needing to get a 'deposit slip' to give to Alice. I don't know if this is what Zerocoin is based on, but blind signature schemes like this are what all of the traditional blind mixes are based on.
https://en.wikipedia.org/wiki/Anonymous_Internet_banking
Anonymous internet banking depends on the mathematics of public key cryptography and blind signature algorithms. In this simple example we have Alice and Bob and a banker. The banker generates an RSA public key with modulus n= P Q, where P and Q are large primes, making n a semiprime. As described in RSA operation, the bank also generates public key exponent e and private key exponent d.
Bob asks the banker for a $100 deposit slip in anticipation of Alice wanting to transfer money to him. To generate a deposit slip the bank selects a large, globally unique random number R and encrypts it using the bank's public key; this means that it can only be decrypted with the bank's secret key:
R' = R^e mod n
This encrypted value R' is sent to Bob with the promise to deposit $100 into his account when Bob sends the value R back to the bank. The bank is confident that Bob won't be able to break RSA to generate R from R' within the heat death of the universe without knowledge of d, so it does not worry about handing out the deposit slips without receiving anything from Bob.
When Alice wants to pay Bob $100 she asks for the deposit slip and Bob sends her R'. Alice selects a large random value w coprime with n (so as to have an inverse modulo n) and uses it to blind R''=w^e*R' and sends it to the bank to be blind signed. The Bank charges Alice $100 for this operation and returns the blind signed value R'''. Due to the symmetric properties of RSA, this provides her with R:
R''' = (w^e*R')^d mod n = (w^e*R^e)^d mod n = (w*R)^ed mod n = w * R mod n
Because of the blinding process, the Bank is not able to associate R'' or R''' with R' or R. The only possible way for the bank to do this is to trial divide R'' by all the values of R' that it gave out or R''' by all values of R. This means is unable to determine that Bob and Alice are doing business together, preserving the anonymity of the transaction. Alice unblinds R''' (by dividing it by w) to generate the original value R, which she sends to Bob. Bob verifies that R can be encrypted with the bank's public key by computing R' = R^e mod n, which means that Alice has deposited $100 into the bank. Bob then sends this value to the bank and the bank checks its records to be sure that R has not been already used. If it has not, it deposits $100 into his account and updates its database that the unique value R has been redeemed.
Different public keys can be used for different denominations of currency so this system doesn't take appreciably longer for large transactions.
Note that if neither Alice nor Bob wishes the bank to know that they performed a transaction with each other, then it is hard for the bank to find out. However, in order to ensure this is the case many people need to be making transactions at the same time. Otherwise the bank can figure it out by the timing of the transactions, using traffic analysis.
-
Zerocoin, assuming it is a cryptographically secure decentralized blind mix, would have really big implications if it is merged into Bitcoin. Even blind mixes are weak to traffic analysis attacks, but if ALL bitcoins are automatically mixed, the risk of traffic analysis being used to link users will be lower than for any other currency system out there. Volume of coins mixed and number of users is what protects a blind mix from traffic analysis, and you couldn't dream of a better crowd size than all of the bitcoin users and all of the bitcoins. The only blind mix I have heard of being implemented and used in the past was Ecache (I seem to recall it was blind) for Pecunix, which was centralized, weak to seizure, and had a tiny user base as well as fairly small amounts of currency going through it.
I have never really thought of Bitcoin as an anonymous currency, despite the way the media reported on it. Rather , I thought of it as being a currency resistant to censorship (because it is distributed and not owned by any single company), and resistant to seizure (because the keys that control it can be encrypted, and even stored entirely in a users memory with braincoin). I definitely see the potential for a system like zerocoin to add "actually extremely anonymous" to the list of characteristics of bitcoin.
-
Which is actually somewhat unfortunate for me because I had plans to implement a traditional centralized blind mix and charge a fee for its use :P. Way to advance the entire field out from under my feet , assholes ;).
-
I didn't mean to sound as though I'm not taking it seriously. That was the entire reason for stating twice in no uncertain terms that I've done no research whatsoever -- to illustrate clearly that I'm in a position that very easily could be wrong. As it seems, that's the case after all. If I didn't take it seriously, I wouldn't have bothered answering you. As it was, I found it interesting enough at the moment to contemplate and write a sentence or two about.
Later I'll find it interesting enough to read a white paper on. Just not right now... :)
-
I didn't mean to sound as though I'm not taking it seriously. That was the entire reason for stating twice in no uncertain terms that I've done no research whatsoever -- to illustrate clearly that I'm in a position that very easily could be wrong. As it seems, that's the case after all. If I didn't take it seriously, I wouldn't have bothered answering you. As it was, I found it interesting enough at the moment to contemplate and write a sentence or two about.
Later I'll find it interesting enough to read a white paper on. Just not right now... :)
Sorry about that! I thought you meant you had decided it wan't worth reading because you had already concluded it wasn't possible.
kmfkewm, maybe you could incorperate Zerocoins. The blog post I am just after mentioning by the author of the white paper says
Another problem with Zerocoin is the difficulty of incrementally deploying it. Supporting the new Mint and Spend functionality requires changes to every Bitcoin client. That's a big deal, and it's unlikely that the Bitcoin folks are going to accept a unilateral protocol change without some serious pushback. But even this isn't a dealbreaker: it should be possible to start Zerocoin off using some training wheels -- using a trusted central party to assist with the process, until enough Bitcoin clients trust it and are willing to support it natively.
You could be one of the trusted central parties involved in kickstarting it maybe?! You could possibly implement a way to ask for small fees from using your server, while it is still needed, leading eventually to purely decentralised zerocoins later on when the infrastructure is there. Just a hopeful suggestion from someone who doesn't really even understand Bitcoins, nevermind Zerocoins...
-
Green told the New Scientist, “Zerocoin would give you this incredible privacy guarantee, then we could add on some features which let the police, for instance, to be able to track money laundering. A back door.”
In an attempt to put the issue to rest, Green claimed that a backdoor was impossible, anyway; “If someone did try to build a back door for any reason, the open source Zerocoin would quickly become Zero-adoption.”
This is priceless. If we were Gotham City this guy could play the Joker.
https://errantsubjects.files.wordpress.com/2011/02/not_sure_if_serious.jpg
-
Green told the New Scientist, “Zerocoin would give you this incredible privacy guarantee, then we could add on some features which let the police, for instance, to be able to track money laundering. A back door.”
In an attempt to put the issue to rest, Green claimed that a backdoor was impossible, anyway; “If someone did try to build a back door for any reason, the open source Zerocoin would quickly become Zero-adoption.”
This is priceless. If we were Gotham City this guy could play the Joker.
notsureifserious.jpg
Hahahaha!
-
In all seriousness (haha), Zerocoin has the same problem as BitMessage. Sales! But it's selling an idea, not a product, which is more difficult since it's less tangible.
People only use things like Liberte and Tails and GPG and Tor and so on, because they assume that somebody else has done their homework. In reality, doing this kind of homework can often be an immensely specialized task and relatively few people do it in practice. Software in general is immensely complicated and invisible to boot. It's not that there isn't enough geeks, it's that its a division of labor thing, you need very specific geeks.
It's comparable to constructing a bridge.
You build the most awesome bridge. It is feather light but infinitely strong. But without it being signed off on by other bridge experts, you're stuck (unless you get a cult following, which sometimes happens but this is exceptional). Uninformed people will just grouch about it with vague and ill formed ideas and call it a Folly. It's not just in cryptography, lots of inventions have come close to failing because of this problem. Without a supportive community, you're lost. To get people to spend their cognition on something that is not of immediate use to them is a generally hard problem, ask the environmentalists, they practically gripe about nothing else, and this is a much worse special case of that problem.
So I am saying that Zerocoin could very easily just fall flat on its face, no matter how clever a cryptographic product it is, it needs users. If users see no reason to use it, it dies. PGP could very easily have suffered the same fate. If some guy not connected to the cipherpunks made PGP, it would have died on the vine. Political and social capital matter. So does business acumen.
The concept of public key cryptography was first developed by a guy who everybody has forgotten the name of working for British signals intelligence. He did that that, and it got nowhere. His people thought it was a waste of time, mere esoterica. The people associated with the development of public key cryptography are: RSA and Diffie-Hellman, who developed it years later, but with support from a small number of obsessives that eventually mutated into the cipherpunks. That is what really injected crypto onto Main Street, having that cipherpunk vanguard. It was a water cooler revolution, it definitely didn't come from managerial types. Without that, I am sure those algorithms would be obscure pieces of intellectual property in a handful of corporations and government departments, relegated to the same circle of hell as the One Time Pad. If you're away ahead of the curve and can't communicate the utility of your concepts to others then you get stuck in the Ivory tower and nobody will ever hear of you (like Tesla!). Ironically, being a bit dumber might be to your advantage sometimes.
It's funny in the non-funny way, because Green has effectively just completely blown the exact kind of credibility he needs to make this work. We are his stakeholders. In fact we're the perfect stakeholders. Since he's referred to LE agents, he's blown it. Sorry. You'll probably only get the one chance. It really puts a handful of nails on the road when you suck the dick of the exact people the stakeholders want to avoid by use of your tech. It's parallel to releasing a superior version of Bittorrent, and saying you can always install a backdoor for the RIAA. Suddenly filesharers everywhere, including those who aren't sharing illegal files are thinking: "Huh. How about no."
There is only one way to recover from this situation, and it's going to be difficult. My duck-bill intuition tells me that people reading this thread may be either associated with the article or the inventors of the Zerocoin protocol, so here goes:
You need people like Bruce Schneider and Roger Dingledine to review your code and design. A dozen PhD people are not going to help you, for all we know they are shills. You need people who are ideological about security, people with an actual spine, and that means hackers. That's it.
While we're on the subject, the Silk Road is actually a huge coup for the Tor Project, because it validates the use of Hidden Services as a real workable concept. Corporations and other organizations now trust hidden services largely because the Silk Road exists, reasoning that if it's anonymous enough for law breakers, then surely it's anonymous enough for them. Intelligence agents and others study the technical details of how LE agents find data evidence on child pornographers, in order that they may build better protocols for the anonymous exchange of information.
See, people can carp about how "privacy" isn't the same as "anonymity" as much as they like. The fact of the matter is that this is utter bullshit, because actually that sort of logic applies exclusively to the non-digital world. In the digital world privacy and anonymity are the same thing, the entire thing is a semantic argument. Nobody with two braincells to rub together deliberately chooses an inferior product so *some* higher-ups can break it! It's like a reverse version of Godwin's Law but for cryptography, good cryptography drives out the bad (albeit with the major caveat I mentioned about political/social capital and business sense).
Right now, if kmfkewm built his centralized bitcoin blind signature system, he would have more real users than any implementation of Zerocoin. That's because he has more credibility than Matthew Green right now by a very long fucking shot.
tldr; Pine is not a believer in technological determinism. People who think BTC can succeed without the black market are delusional. Bitcoin has no real advantage to the average consumer over a credit card or Paypal if it is regulated by the government. In the anonymity "market", people who suck the governments dick have their projects die. I just can't be more polite than that.
tldr2; *stab* *stab* *stab* *stab* *stab* *stab* *stab* *stab* *stab* *stab* *stab* *stab* *stab* *stab* *stab* *stab*
-
In all seriousness (haha), Zerocoin has the same problem as BitMessage. Sales! But it's selling an idea, not a product, which is more difficult since it's less tangible.
People only use things like Liberte and Tails and GPG and Tor and so on, because they assume that somebody else has done their homework. In reality, doing this kind of homework can often be an immensely specialized task and relatively few people do it in practice. Software in general is immensely complicated and invisible to boot. It's not that there isn't enough geeks, it's that its a division of labor thing, you need very specific geeks.
It's comparable to constructing a bridge.
You build the most awesome bridge. It is feather light but infinitely strong. But without it being signed off on by other bridge experts, you're stuck (unless you get a cult following, which sometimes happens but this is exceptional). Uninformed people will just grouch about it with vague and ill formed ideas and call it a Folly. It's not just in cryptography, lots of inventions have come close to failing because of this problem. Without a supportive community, you're lost. To get people to spend their cognition on something that is not of immediate use to them is a generally hard problem, ask the environmentalists, they practically gripe about nothing else, and this is a much worse special case of that problem.
So I am saying that Zerocoin could very easily just fall flat on its face, no matter how clever a cryptographic product it is, it needs users. If users see no reason to use it, it dies. PGP could very easily have suffered the same fate. If some guy not connected to the cipherpunks made PGP, it would have died on the vine. Political and social capital matter. So does business acumen.
The concept of public key cryptography was first developed by a guy who everybody has forgotten the name of working for British signals intelligence. He did that that, and it got nowhere. His people thought it was a waste of time, mere esoterica. The people associated with the development of public key cryptography are: RSA and Diffie-Hellman, who developed it years later, but with support from a small number of obsessives that eventually mutated into the cipherpunks. That is what really injected crypto onto Main Street, having that cipherpunk vanguard. It was a water cooler revolution, it definitely didn't come from managerial types. Without that, I am sure those algorithms would be obscure pieces of intellectual property in a handful of corporations and government departments, relegated to the same circle of hell as the One Time Pad. If you're away ahead of the curve and can't communicate the utility of your concepts to others then you get stuck in the Ivory tower and nobody will ever hear of you (like Tesla!). Ironically, being a bit dumber might be to your advantage sometimes.
It's funny in the non-funny way, because Green has effectively just completely blown the exact kind of credibility he needs to make this work. We are his stakeholders. In fact we're the perfect stakeholders. Since he's referred to LE agents, he's blown it. Sorry. You'll probably only get the one chance. It really puts a handful of nails on the road when you suck the dick of the exact people the stakeholders want to avoid by use of your tech. It's parallel to releasing a superior version of Bittorrent, and saying you can always install a backdoor for the RIAA. Suddenly filesharers everywhere, including those who aren't sharing illegal files are thinking: "Huh. How about no."
There is only one way to recover from this situation, and it's going to be difficult. My duck-bill intuition tells me that people reading this thread may be either associated with the article or the inventors of the Zerocoin protocol, so here goes:
You need people like Bruce Schneider and Roger Dingledine to review your code and design. A dozen PhD people are not going to help you, for all we know they are shills. You need people who are ideological about security, people with an actual spine, and that means hackers. That's it.
While we're on the subject, the Silk Road is actually a huge coup for the Tor Project, because it validates the use of Hidden Services as a real workable concept. Corporations and other organizations now trust hidden services largely because the Silk Road exists, reasoning that if it's anonymous enough for law breakers, then surely it's anonymous enough for them. Intelligence agents and others study the technical details of how LE agents find data evidence on child pornographers, in order that they may build better protocols for the anonymous exchange of information.
See, people can carp about how "privacy" isn't the same as "anonymity" as much as they like. The fact of the matter is that this is utter bullshit, because actually that sort of logic applies exclusively to the non-digital world. In the digital world privacy and anonymity are the same thing, the entire thing is a semantic argument. Nobody with two braincells to rub together deliberately chooses an inferior product so *some* higher-ups can break it! It's like a reverse version of Godwin's Law but for cryptography, good cryptography drives out the bad (albeit with the major caveat I mentioned about political/social capital and business sense).
Right now, if kmfkewm built his centralized bitcoin blind signature system, he would have more real users than any implementation of Zerocoin. That's because he has more credibility than Matthew Green right now by a very long fucking shot.
tldr; Pine is not a believer in technological determinism. People who think BTC can succeed without the black market are delusional. Bitcoin has no real advantage to the average consumer over a credit card or Paypal if it is regulated by the government. In the anonymity "market", people who suck the governments dick have their projects die. I just can't be more polite than that.
tldr2; *stab* *stab* *stab* *stab* *stab* *stab* *stab* *stab* *stab* *stab* *stab* *stab* *stab* *stab* *stab* *stab*
cool :)
Well the code I don't believe has even been released yet by Green, and we don't know what will happen once it is, I prefer to be hopeful.
And I think Green's statement was for more personal reasons than you suggest, as I've said. The wording itself, talking about a 'back door', wasn't exactly tactful if he was being serious.
Also, I don't think Zerocoin requires as big a leap in confidence as PGP, because Bitcoin is already a thing and anonymity is already a major driving force of it. It could only take a few prominent members of the Bitcoin community, who know what they are talking about, to trigger wide adoption of any Zerocoin standard, as I see it. But I understand your point of view.
In the meantime, I think I'm going to try to get my head around some of this stuff, I'd love to be able to look at it more objectively (when I've got time...).
-
It's funny in the non-funny way, because Green has effectively just completely blown the exact kind of credibility he needs to make this work. We are his stakeholders. In fact we're the perfect stakeholders. Since he's referred to LE agents, he's blown it. Sorry. You'll probably only get the one chance. It really puts a handful of nails on the road when you suck the dick of the exact people the stakeholders want to avoid by use of your tech. It's parallel to releasing a superior version of Bittorrent, and saying you can always install a backdoor for the RIAA. Suddenly filesharers everywhere, including those who aren't sharing illegal files are thinking: "Huh. How about no."
There is only one way to recover from this situation, and it's going to be difficult. My duck-bill intuition tells me that people reading this thread may be either associated with the article or the inventors of the Zerocoin protocol, so here goes:
You need people like Bruce Schneider and Roger Dingledine to review your code and design. A dozen PhD people are not going to help you, for all we know they are shills. You need people who are ideological about security, people with an actual spine, and that means hackers. That's it.
The thing you need to keep in mind is that people in these researchers positions need to keep up appearances. It is against their interests to say that their software should be used for circumventing law enforcement. He shouldn't need any credibility to make this work, because if the math and design are sound and the code is open source, then he can be a DEA agent himself for all it matters. Some academic researcher is not likely to come out and say that they have just invented the most secure money laundering system in the world. Bitcoin is a bit of an exception, it was designed by an anonymous person with strong ties to anarchist ideology. I2P is another exception for the same reason. Freenet was not made by a pseudonymous person, and Tor is primarily maintained by a group of academic researchers. The Tor and Freenet people stress that their software has uses for people in totalitarian countries, to bypass government censorship, etc. Look at the list of people who use Tor from the Tor project for Christs sake, Law Enforcement in sting operations, the military, etc. They sure don't say Tor is used by pedophiles and drug dealers! Freenet points out that it is used primarily by people trying to get around government censorship, whistleblowers etc. They don't say that it is the biggest cache of child pornography in the world. On the other hand I2P folks say that their network is for Anarchists and militants, and Bitcoin, especially before it started becoming mainstream, was openly discussed as an anarchist revolution against the state.
The Zerocoin researchers are obviously in a precarious situation. It is obvious that the main use of their system is for criminal financial activity. Freenet can say it is to avoid censorship, Tor can say it is to avoid censorship, hell even Bitcoin can say it is just an alternative currency. But a blind mixes sole purpose is criminal money transfer / money laundering. But I also agree with you that they should have handled it a bit better. They should have said it is a system to keep finances private etc etc, without mentioning the possibility of a backdoor for the police. However it also appears that they mentioned a backdoor will not be realistically possible in an open source project. Who wants to be the known university researcher who designed the biggest money laundering system in the world? Hell, for all they know they could be charged with conspiracy or something, so it is all about appearances. I guess I just can understand where they are coming from in trying to down play the threat of their system to the police and intelligence agencies.
PS: Dingledine has a Ph.D , not sure about Schneier but he probably does as well.
-
See, people can carp about how "privacy" isn't the same as "anonymity" as much as they like. The fact of the matter is that this is utter bullshit, because actually that sort of logic applies exclusively to the non-digital world. In the digital world privacy and anonymity are the same thing, the entire thing is a semantic argument. Nobody with two braincells to rub together deliberately chooses an inferior product so *some* higher-ups can break it! It's like a reverse version of Godwin's Law but for cryptography, good cryptography drives out the bad (albeit with the major caveat I mentioned about political/social capital and business sense).
Privacy protects the content of your communications, anonymity protects your identity. If you use Tor to clearnet you maintain your anonymity, but your privacy can be compromised by the exit node.
-
What they really should have said is that Zerocoin can be used by law enforcement and intelligence agents to pay for information from informants, and that they would never backdoor it because doing so could compromise the law enforcement users.
-
Also , if I did make a centralized blind mix (which I probably wont as I imagine Zerocoin will become a standard), I would certainly not do it as kmfkewm. Nobody wants their project to be linked to international drug smuggling, and nobody wants to advertise their project to criminals. There is a bit of a disconnect between the communities that are widely adopting these programs and technologies , and the communities that are developing them (with a few exceptions, I2P and Bitcoin being the first that I think of). If PGP was advertised as a way for drug smugglers to secure their communications, it would not be good. And if the creator of RSA said that an implementation of it could be bugged, and then released the mathematical formulas behind it, it would be a big mistake to avoid using those formulas simply because of the fact that they could be used in a bugged implementation. At the core of the matter, what the Zerocoin guy said really should be obvious to anybody. Of course they can put a backdoor in for law enforcement. The second half of what he said is equally as true: of course if they put a backdoor in an open source project, nobody is going to use it. If they release the specification and it is good, but the code they release is backdoored, somebody will make Blindcoin , something that is identical to Zerocoin but without the backdoor.
I really do hope that it is widely added to Bitcoin clients, of course providing that they have managed to create a cryptographically secure design. If their design is good and it is not integrated into all of the major Bitcoin clients, I will be really disappointed, and the Bitcoin developers community will have pissed away an opportunity to actually add strong anonymity to Bitcoin, something that it is currently lacking in and which needs to be glued onto it via third party services. Actually integrating that anonymity into the base protocol would be great for everybody, and a huge victory for us especially (although don't count on any of the people trying to get it implemented to mention this last point).
-
Thought I'd add a wee poll, folks. Please vote.
-
I don't know about zerocoin. It sounds too sketchy/fishy. I really am not interested in trading more coins. Thanks for showing us about zerocoin though.
-
I don't know about zerocoin. It sounds too sketchy/fishy. I really am not interested in trading more coins. Thanks for showing us about zerocoin though.
It's worth realising that the creator's remark regarding a back door wasn't ever feasible as discussed above.
Anyway, the way it would work is, as I understand it (please anyone correct me it wrong), everyone (in an ideal world) would update their open source Bitcoin client. It now has Zerocoin support. This has only required some new code to be added to the client, no centralised server or anything else. You have some BTC in your wallet, so you 'mint' a new 1BTC Zerocoin. This 1BTC disappears from your wallet. You are given a serial number, which is now your only claim to your Bitcoin (but to no *specific* Bitcoin anymore). So if you want to buy something now and it costs 1BTC, you give the vendor your serial number, he 'spends' the Zerocoin to get 1BTC in his wallet. There is no connection between your serial number and the original bitcoin used to mint it (it's impossible to link). So the transaction is untraceable. The only connection is that you minted a Zerocoin, and the vendor spent one, but provided you aren't the only Zerocoin user, there is no link.
The Zerocoins are literally more like coins, in that they would have to be single 1BTC denominations or something similar (possibly 0.25 or 0.1, these would all need to be implemented specifically). Although this appears to be something of a technical limitation, if a Zerocoin could be any size then it's size would be a huge identifier for authorities, so it's really a necessary feature.
-
Wait, wait! There's more!
Brainflash!
This is my new, improved way of understanding Zerocoins:
They *AREN'T A NEW COIN*! Zerocoin is a protocol which enables a new way of possessing Bitcoins. Instead of using the current 'address' system which is currently integral to the Bitcoin infrastructure, it uses serial numbers. Any serial number is used instead of an address to store Bitcoin value, but unlike an address, it cannot technically be traced to either any Bitcoin transaction (not even the one that created it), or any specific Bitcoin. It is only accociated with any transaction/address when it is eventually 'spent', i.e. converted into an address-stored Bitcoin.
8)
-
Wait, wait! There's more!
Brainflash!
This is my new, improved way of understanding Zerocoins:
They *AREN'T A NEW COIN*! Zerocoin is a protocol which enables a new way of possessing Bitcoins. Instead of using the current 'address' system which is currently integral to the Bitcoin infrastructure, it uses serial numbers. Any serial number is used instead of an address to store Bitcoin value, but unlike an address, it cannot technically be traced to either any Bitcoin transaction (not even the one that created it), or any specific Bitcoin. It is only accociated with any transaction/address when it is eventually 'spent', i.e. converted into an address-stored Bitcoin.
8)
Pardon me: I still haven't gotten to that white paper... and honestly I probably never will -- there's always something that comes first, ya know -- but what exactly is the difference between a serial number and an address?
To be clear, I'm asking for clarification, not hating on you or something: all I'm hearing is "the quantity 2 should be referred to as the binary representation 10, it's brilliant!" But you haven't changed anything? Or at least not enough to accomplish anything? Unless of course you mean instead of coins associated with addresses, you have serial numbers associated with... nothing. But then you have... a list of serial numbers. Which is useless: how do you recover the ownership and quantity of coins from that?
-
Wait, wait! There's more!
Brainflash!
This is my new, improved way of understanding Zerocoins:
They *AREN'T A NEW COIN*! Zerocoin is a protocol which enables a new way of possessing Bitcoins. Instead of using the current 'address' system which is currently integral to the Bitcoin infrastructure, it uses serial numbers. Any serial number is used instead of an address to store Bitcoin value, but unlike an address, it cannot technically be traced to either any Bitcoin transaction (not even the one that created it), or any specific Bitcoin. It is only accociated with any transaction/address when it is eventually 'spent', i.e. converted into an address-stored Bitcoin.
8)
This would require some type of central authority or blockchain to verify legitimacy of serial numbers and such correct?
-
Wait, wait! There's more!
Brainflash!
This is my new, improved way of understanding Zerocoins:
They *AREN'T A NEW COIN*! Zerocoin is a protocol which enables a new way of possessing Bitcoins. Instead of using the current 'address' system which is currently integral to the Bitcoin infrastructure, it uses serial numbers. Any serial number is used instead of an address to store Bitcoin value, but unlike an address, it cannot technically be traced to either any Bitcoin transaction (not even the one that created it), or any specific Bitcoin. It is only accociated with any transaction/address when it is eventually 'spent', i.e. converted into an address-stored Bitcoin.
8)
This would require some type of central authority or blockchain to verify legitimacy of serial numbers and such correct?
Well not necessarily: you could generate private keys and compute the corresponding public keys from the private one using a one-way hash function, and require that anyone wishing to spend the coins listed as "at that address" be able to prove they have the private key... the thing is, that's basically what Bitcoin does now.
That's what a bitcoin address is, the public key. The private key allows you to spend the coins at that address. A wallet is a collection of public and private keys. The blockchain is a record of who has what coins, and you can't spend the ones at an address without the private key -- otherwise nobody will pay any attention to you. That's my understanding of it, anyway.
They also *have* to be the same coins, just with a layer of obfuscation -- the details of which I can't picture, but at some level they must reduce to the current Bitcoin blockchain. Otherwise they'd be a competing crypto currency, not an extension of Bitcoin.
-
Wait, wait! There's more!
Brainflash!
This is my new, improved way of understanding Zerocoins:
They *AREN'T A NEW COIN*! Zerocoin is a protocol which enables a new way of possessing Bitcoins. Instead of using the current 'address' system which is currently integral to the Bitcoin infrastructure, it uses serial numbers. Any serial number is used instead of an address to store Bitcoin value, but unlike an address, it cannot technically be traced to either any Bitcoin transaction (not even the one that created it), or any specific Bitcoin. It is only accociated with any transaction/address when it is eventually 'spent', i.e. converted into an address-stored Bitcoin.
8)
This would require some type of central authority or blockchain to verify legitimacy of serial numbers and such correct?
Wait, first I'm going to say that what I was saying was based on how the author explained it on his blog, but that was his simplification of it, I've started to read the actual paper and I don't think it's the serial number you use to own the Zerocoin, though the principle is still the same. I think the actual information you keep does identify you, but when you go to 'cash out' you Zerocoin, that information is used to create a proof which is anonymous, and it is only the proof that is submitted to the network.
No central authority is required. It's called a zero-knowledge proof apparently (hence Zerocoin), meaning you can prove to the network that you have a Zerocoin, without telling them anything else such as any information about the original Bitcoin from which the Zercoin was created. It's the magic of cryptography!
I'd recommend reading the actual paper http://spar.isi.jhu.edu/~mgreen/ZerocoinOakland.pdf just skip over the really technical stuff like I am.
-
Wait, wait! There's more!
Brainflash!
This is my new, improved way of understanding Zerocoins:
They *AREN'T A NEW COIN*! Zerocoin is a protocol which enables a new way of possessing Bitcoins. Instead of using the current 'address' system which is currently integral to the Bitcoin infrastructure, it uses serial numbers. Any serial number is used instead of an address to store Bitcoin value, but unlike an address, it cannot technically be traced to either any Bitcoin transaction (not even the one that created it), or any specific Bitcoin. It is only accociated with any transaction/address when it is eventually 'spent', i.e. converted into an address-stored Bitcoin.
8)
Pardon me: I still haven't gotten to that white paper... and honestly I probably never will -- there's always something that comes first, ya know -- but what exactly is the difference between a serial number and an address?
To be clear, I'm asking for clarification, not hating on you or something: all I'm hearing is "the quantity 2 should be referred to as the binary representation 10, it's brilliant!" But you haven't changed anything? Or at least not enough to accomplish anything? Unless of course you mean instead of coins associated with addresses, you have serial numbers associated with... nothing. But then you have... a list of serial numbers. Which is useless: how do you recover the ownership and quantity of coins from that?
This was on over simplification, partly by me and partly by the author on his blog. I'm happy to address it, if you pardon the pun. The difference is, the serial number is a unique identifier of each Zerocoin, so that someone can't cash out the same Zerocoin twice. That is all it is.
Basically, when a new Zerocoin is minted, the Zerocoin is generated randomly with an encoded serial number, and the 'minter' know the encryption. At this point the coin isn't accociated with any actual Bitcoin, but a Bitcoin has been left without an address. Then, an algorithm uses the transaction data of said Bitcoin, and said random coin, to create a proof. The proof is the central tenet here (it's a zero-proof). the proof is then submitted to the Bitcoin network, which enables the network to agree that the Zerocoin is valid (i.e. has a real attatched Bitcoin), but the proof does not let the network know which Bitcoin that is. It is at this point that any available Bitcoin which has proviously been associated with a Zerocoin, to be given to the address of the former Zerocoin owner, the Zerocoin's serial number is also given by the Zerocoin owner to the network at this point.
Simples!
-
I don't intend to, have the knowledge to, or feel I need to, explain the mechanism of the zero-proof. But I *think* I gave you what you (quite rightly) asked for. Feel free to query that explanation, in fact, I welcome any queries. This is only based on a recent read of the paper from someone who almost certainly knows much less about cryptography then you.
-
Intriguing. In your opinion, would this be as easy as using bitcoins for a new user?
-
... I don't get it. LOL. That's okay, I'm not saying it's your explanation or something: my brain isn't exactly firing on all cylinders tonight, frankly. I am familiar with zero-knowledge proofs though; they don't actually prove anything 100%, they prove it to within a specified acceptable rate of certainty.
Like say you have a keycode, and you want to prove to somebody that you have this keycode -- but you don't want to have to show it to them, because then they would know the keycode too. You can have the person you want to prove this to keep asking you perform a task that requires you have the keycode. He can ask this of you as many times as he desires to achieve a given confidence (99% chance, 99.9% chance, whatever). If you ever screw up and get it wrong, it can be assumed all prior successes were just dumb luck.
I don't really understand how that applies here though... well, anyway, enough rambing.
Basically, when a new Zerocoin is minted, the Zerocoin is generated randomly with an encoded serial number, and the 'minter' know the encryption. At this point the coin isn't accociated with any actual Bitcoin, but a Bitcoin has been left without an address.
You've lost me here. A bitcoin is left without an address? Are we talking a standard Bitcoin address, or a Zerocoin address -- because really, coins don't exist at all. I mean there aren't any. They "exist" by virtue of being held by a given address, so... I have no idea what this means, to be honest.
Then, an algorithm uses the transaction data of said Bitcoin, and said random coin, to create a proof. The proof is the central tenet here (it's a zero-proof). the proof is then submitted to the Bitcoin network, which enables the network to agree that the Zerocoin is valid (i.e. has a real attatched Bitcoin), but the proof does not let the network know which Bitcoin that is.
I don't get it: how does this allow the network to validate anything at all? Where are they getting the information making this determination possible?
It is at this point that any available Bitcoin which has proviously been associated with a Zerocoin, to be given to the address of the former Zerocoin owner, the Zerocoin's serial number is also given by the Zerocoin owner to the network at this point.
So you can only ever spend a "zerocoin" once? Because otherwise, once you give the serial over... um... why can't anybody spend it?
Simples!
Sure. We can call this simple if you really want to :P
... damn you. You just posted saying you don't understand it fully either. Well, I just spent this bloody time typing this rubbish out... maybe you can answer some of it. If not, no harm done I guess.
-
edit: Well I finished reading the entire paper, and a lot of it is above my head. Regardless, I will share the thoughts and limited insights I have obtained from the paper. Chances are if I read it several dozen more times, in addition to the cited papers included in it, that I can come to a pretty good understanding of it. I have decoded and come to understand complex technical papers such as this in the past, but only with great effort and much time.
So I am reading through the Zerocoin spec after having skimmed it. I can tell you right now that a lot of the cryptography goes over my head, but I am familiar with a lot of the terms used, if not the details of the math behind them. I will post my thoughts in this message, which I am constructing as I read through the paper, in the hopes that I can shed some (likely limited) light on the details of zerocoin.
The first thing I will do is clarify some of the technical terminology that I see.
One thing I see is 'commitment'. An example of commitment in a cryptographic sense would be if you and I play a game of heads or tails. I flip the coin. First I take the string heads-ewijfifjw89hj83429f89342fuejgueju and hash it with sha256 to get the following hash value:
500ec7db996ec36ef30bb7b2881cd6c99f3347e3785edb3bce5cfb3a78977b6a
Now I send you that value, and in doing so I have committed to heads. I ask you to select heads or tails. After you make your selection, I show you the string that I used to generate the hash value, and you hash it to confirm if I have been honest. If I cannot show you a string starting with the correct answer that SHA256 hashes to what I showed you before you selected heads or tails, then you know I am cheating. So by sending you the hash value I did, I have cryptographically committed to heads.
Another terminology I see is zero knowledge proof of knowledge. These schemes are generally used for identity authentication, in a way that is more secure than passwords. With traditional password authentication, I register with a server and give the server my password, it hashes the password and stores it associated with my name. With zero knowledge proof of knowledge, I send the server a zero knowledge public key. The server can use the public key to craft challenge questions that can only be consistently correctly answered by someone with the corresponding private key, but the answers are easy to verify as true or false. The server then sends me a bunch of challenge questions crafted from the public key, I derive answers with the private key and send them to the server, and the server verifies that all of the answers are correct. It is called a zero knowledge proof of knowledge because unlike with passwords, where the server gets knowledge of my password in order for me to prove that I know the password, the server does NOT get knowledge of my private key to determine that I have my private key. A naive and insecure implementation, but one which is easy to explain, would be if I send the server my public RSA key, and to authenticate with the server it generates a random timestamped string, sends it to me, has me sign it with my RSA private key, and then verifies that the signature is valid after I send it back the signed timestamped string.
Another technical term I see is cryptographic accumulator. I have read about accumulators a little bit in the past, but I never really fully wrapped my head around them. I believe that bloom filters qualify as accumulators though, and I understand how bloom filters work. Bloom filters are used to check for the presence of an object in constant time, while taking up little storage space. Essentially a blank bloom filter consists of a ton of zero bits at various positions from 0 to whatever. When you add an item to a bloom filter, you hash it and use the hash to derive a series of numbers. The derived numbers then correlate with positions in the bloom filter, and you set all of the positions to 1 to add the item. When you check for the presence of the item, you hash it and derive bit positions as before, but now you check that all of the bit positions are set to 1. This is much faster than keeping a list of hashes of seen objects and going through the entire list looking for a match. If you have a database of ten thousand item hashes, you may need to search through all ten thousand of them before determining if the item has been seen before or not. With a bloom filter, you always only need to hash the item and check the bit values at each of the positions in the filter, so the time to check for the presence of the item is constant time and doesn't grow with the number of items added (although the accuracy of the bloom filter drops with the number of items added, and increases with the bit size of the filter).
Anyway, on to the paper.
One thing I note is that they are indeed making a new type of coin, so to speak. However, their goal is for its value to be inherently tied to the value of Bitcoin, and for it to piggy back on top of the current Bitcoin network. Whereas in the past blind mixes have been used to achieve what they are trying to achieve, the primary challenge they claim to have addressed is creating a blind mix that doesn't have a central authority for minting blind tokens. They claim to address this by letting any user mint their own blind token, but the challenge then is to make it so users can only mint valid blind tokens if they spend an equivalent amount of Bitcoins.
ntuition behind our construction. To understand the intuition
behind Zerocoin, consider the following “pencil and paper”
protocol example. Imagine that all users share access to
a physical bulletin board. To mint a zerocoin of fixed
denomination $1, a user Alice first generates a random coin
serial number S, then commits to S using a secure digital
commitment scheme. The resulting commitment is a coin,
denoted C, which can only be opened by a random number
r to reveal the serial number S. Alice pins C to the public
bulletin board, along with $1 of physical currency. All users
will accept C provided it is correctly structured and carries
the correct sum of currency.
To redeem her coin C, Alice first scans the bulletin board
to obtain the set of valid commitments (C1 , . . . , CN ) that
have thus far been posted by all users in the system. She next
produces a non-interactive zero-knowledge proof π for the
following two statements: (1) she knows a C ∈ (C1 , . . . , CN )
and (2) she knows a hidden value r such that the commitment
C opens to S. In full view of the others, Alice, using a
disguise to hide her identity,1 posts a “spend” transaction
containing (S, π). The remaining users verify the proof π
and check that S has not previously appeared in any other
spend transaction. If these conditions are met, the users allow
In this case we need a secret number R that unlocks the commitment C to obtain S.
The Zerocoin C = fc4b5fd6816f75a7c81fc8eaa9499d6a299bd803397166e8c4cf9280b801d62c
The Random Number R = 0283da60063abfb3a87f1aed845d17fe2d9ba8c780b478dc4ae048f5ee97a6d5
The coin serial number S = efdf88c3315309fa0d4245389d79e035cd761813b85a954f2b924f81ee6bb248
because sha256sum(C concatenated with R) == efdf88c3315309fa0d4245389d79e035cd761813b85a954f2b924f81ee6bb248 == S
We also need a zero knowledge proof π , demonstrating that she has the secret random number R, and that she knows a published C that is unlocked by R into S. I will need to keep reading to see how they achieve this, the basic sketch up on page 2 is interesting but it says the what without saying the how. Maybe they cannot even use the hashing commitment that I use in the above example, I will need to see...
Of course, even when integrated with the Bitcoin block
chain, the protocol above has another practical challenge.
Specifically, it is difficult to efficiently prove that a commit-
ment C is in the set (C1 , . . . , CN ). The naive solution is to
prove the disjunction (C = C1 ) ∨ (C = C2 ) ∨ . . . ∨ (C =
CN ). Unfortunately such “OR proofs” have size O(N ),
which renders them impractical for all but small values of
N.
The complicated seeming naive solution they posted simply means going through the entire list of commitments and seeing if there is a match, because bitwise OR gets stuck on 1 which is true. 1 is true, 0 is false.
(a = = b) OR (a == c)
is the same as saying 0 OR 0 which evaluates to 0.
(a == a) OR (a == b) OR (a == c)
evaluates to 1 OR 0 OR 0 which evaluates to 1 because anything OR 1 is 1.
This is a computationally expensive operation to carry out for large sets of N, because they would exhaustively search the entire list of commitments. One of the contributions they claim to have made is an accumulator that solves this problem.
Our second contribution is to solve this problem, producing
a new construction with proofs that do not grow linearly as
N increases. Rather than specifying an expensive OR proof,
we employ a “public” one-way accumulator to reduce the
size of this proof. One-way accumulators [10, 11, 12, 13, 14],
first proposed by Benaloh and de Mare [10], allow parties to
combine many elements into a constant-sized data structure,
while efficiently proving that one specific value is contained
within the set. In our construction, the Bitcoin network com-
putes an accumulator A over the commitments (C1 , . . . , CN ),
along with the appropriate membership witnesses for each
item in the set. The spender need only prove knowledge of
one such witness. In practice, this can reduce the cost of the
spender’s proof to O(log N ) or even constant size.
Although I don't know what their accumulator (A) is like, I am currently conceptualizing it as a bloom filter because that is the only sort of accumulator I know the technical details of. So rather than doing an exhaustive search for the Zerocoin C, they are creating something like a bloom filter and adding each of the values of C to it, I think that the hash value of C is a witness (what is used to determine the presence of C in the filter), however I am not totally clear on this terminology (despite seeing it in papers on cryptographic accumulators that I have skimmed yet failed to fully comprehend).
Our application requires specific properties from the
accumulator. With no trusted parties, the accumulator and
its associated witnesses must be publicly computable and
verifiable (though we are willing to relax this requirement
to include a single, trusted setup phase in which parameters
are generated). Moreover, the accumulator must bind even
the computing party to the values in the set. Lastly, the
accumulator must support an efficient non-interactive witness-
indistinguishable or zero-knowledge proof of set membership.
Fortunately such accumulators do exist. In our concrete
proposal of Section IV we use a construction based on the
Strong RSA accumulator of Camenisch and Lysyanskaya [12],
which is in turn based on an accumulator of Baric and
Pfitzmann [11] and Benaloh and de Mare [10].
Okay, bloom filters to the extent that I understand them are out. They meet the requirement of being publicly computable and verifiable, but I don't know of a way to query them with a zero knowledge proof. I assume this means that it must be possible for a user to prove knowledge of a member in the set without revealing the specific member in the set that they have knowledge of to the verifier. With a bloom filter you would need to reveal the value C, or the witness computed from it, to the verifier, in order for them to determine the presence of C in the filter.
One illustration of this is the existence of
laundries that (for a fee) will mix together different users’
funds in the hopes that shuffling makes them difficult to
trace [2, 6, 7]. Because such systems require the users to trust
the laundry to both (a) not record how the mixing is done
and (b) give the users back the money they put in to the pot,
use of these systems involves a fair amount of risk.
Although the current bitcoin "laundry" (mixing) services require the user to trust a and b, there are centralized blind mixing schemes that do not require the user to trust a. b is the problem that remained for blind mixing systems, and hopefully this is the issue that Zerocoin will have solved.
Additionally, they
describe an efficient zero-knowledge proof of knowledge that
a committed value is in an accumulator. We convert this into
a non-interactive proof using the Fiat-Shamir transform and
refer to the resulting proof using the following notation:
NIZKPoK{(v, ω) : AccVerify((N, u), A, v, ω) = 1}.
So essentially they are using a zero knowledge proof of knowledge to determine if something exists in the accumulator. This would be like a verifier determining if an element is in a bloom filter without being given the element they are checking for. I don't understand most of the math they have demonstrated up to this point, but I can understand the "what" and the "why" or their writings so far, just not the "how". Although it is not accurate, I am going to continue conceptualizing this as a bloom filter that can be queried with a blinded witness to determine the presence of an element. A non-interactive proof simply means that there does not need to be back and forth between the verifier and the client (ie: instead of the server generating a random timestamped string and sending it to the client to sign, the client simply signs anything with their key and sends it to the server to verify the signature of. Both of these examples are horrible authentication systems, but I just use them to try to demonstrate the difference between an interactive and a non-interactive zero knowledge proof of knowledge).
We now describe the algorithms:
λ
• Setup(1 ) → params. On input a security parameter,
run AccumSetup(1λ ) to obtain the values (N, u). Next
generate primes p, q such that p = 2w q + 1 for w ≥ 1.
Select random generators g, h such that G = g =
h and G is a subgroup of Z∗ . Output params =
q
(N, u, p, q, g, h).
∗
• Mint(params) → (c, skc). Select S, r ← Zq and
S r
compute c ← g h mod p such that {c prime | c ∈
[A , B ]}.11 Set skc = (S, r) and output (c, skc).
• Spend(params, c, skc, R, C) → (π, S). If c ∈ C
/
output ⊥. Compute A ← Accumulate((N, u), C) and
ω ← GenWitness((N, u), c, C). Output (π, S) where π
comprises the following signature of knowledge:12
π = ZKSoK[R]{(c, w, r) :
AccVerify((N, u), A, c, w) = 1 ∧ c = g S hr }
•
Verify(params, π, S, R, C) → {0, 1}. Given a proof π,
a serial number S, and a set of coins C, first compute
A ← Accumulate((N, u), C). Next verify that π is the
aforementioned signature of knowledge on R using the
known public values. If the proof verifies successfully,
output 1, otherwise output 0.
Sorry but I can not immediately make sense of this math. I am sure if I spent some time on it I could wrap my head around it much better, but I am not skilled enough to read this and immediately decode what is going on. I can see they are using RSA though :D.
We now consider the security of our construction.
Theorem 4.1: If the zero-knowledge signature of knowl-
edge is computationally zero-knowledge in the random oracle
model, then Π = (Setup, Mint, Spend, Verify) satisfies the
Anonymity property.
We provide a proof sketch for Theorem 4.1 in Appendix A.
Intuitively, the security of our construction stems from the fact
that the coin commitment C is a perfectly-hiding commitment
and the signature proof π is at least computationally zero-
knowledge. These two facts ensure that the adversary has at
most negligible advantage in guessing which coin was spent.
So the summary is that they have created a decentralized blind mix using zero knowledge proof of knowledge combined with a special cryptographic accumulator.
While the construction of the previous section gives an
overview of our approach, we have yet to describe how our
techniques integrate with Bitcoin. In this section we address
the specific challenges that come up when we combine a
decentralized e-cash scheme with the Bitcoin protocol.
The general overview of our approach is straightfor-
ward. To mint a zerocoin c of denomination d, Alice runs
Mint(params) → (c, skc) and stores skc securely.13 She
then embeds c in the output of a Bitcoin transaction that
spends d + fees classical bitcoins. Once a mint transaction
has been accepted into the block chain, c is included in the
global accumulator A, and the currency cannot be accessed
except through a Zerocoin spend, i.e., it is essentially placed
into escrow.
Whew hopefully away from the "Makes my head hurt" section of the paper now. As you can see from the above paragraph, Zerocoin is a separate currency system, but the value of a Zerocoin is inherently tied to the value of a Bitcoin, and it piggy backs on the network. In order to get a Zerocoin, Alice must spend a Bitcoin, apparently the Bitcoin does not go to anybodies actual wallet but rather is associated with the Zerocoin C that Alice has minted.
So in summary I do not fully understand the "how" of what is happening here, but I do have a pretty decent grasp on the "why" and the "what". Zerocoin is a decentralized blind mixing scheme that they propose be integrated with Bitcoin, although it can also run separately of it. It is the first decentralized blind mix in the literature, and is bleeding edge if it lives up to its claims (I certainly am not capable of verifying its security). It is based off of a special sort of cryptographic accumulator that is compatible with blinded witnesses, zero knowledge proofs of knowledge for computing blinded witnesses and cryptographic commitment schemes. It is a separate currency from Bitcoin, but they propose that it be merged into the Bitcoin network in such a way that the value of a Zerocoin is inherently linked to the value of Bitcoin it can be redeemed for. They want to piggy back on top of the established Bitcoin network for many of the components required for their system. In essence, their goal is to cryptographically obfuscate the transaction history of Bitcoin, which is currently public knowledge. They claim to have addressed several issues, primarily they remove the need to trust a traditional laundering service from linking input and output coins, and more importantly they give the security assurances of blind mixing while removing the ability of a centralized authority (the blind mix) to steal the bitcoins sent through them.
I can say that I am actually very excited about Zerocoin and that I think it will be a massive improvement for Bitcoin. People who can read that paper once and understand it fully will need to verify that the math and logic are sound though.
-
Wow. I wish I could understand and write things like that. Stuff like this makes me feel stupid...
-
I find that one of the biggest barriers to understanding papers like this is decoding their notation. Very frequently simple things are expressed in a way that looks really complex. For example, saying something like
(A == A1)|(A == A2)|(A == A3)|(A == A4) | ... | (A == An)
instead of "Searching through the entire set of objects looking to see if there are any matches"
Now I can appreciate that there are probably advantages to using such a mathematical notation to express this, but it really makes it hard for lay people and non-experts to understand what the fuck is being said in the paper. If they explained things in English, a lot of things wouldn't seem so advanced. Once you recognize the basic notations like this and can convert them into English quickly, these papers quickly become a lot less mystifying.
Another problem is that they tend to have fifty different variables that you essentially must commit to memory to read the paper. On the first twenty pages, dispersed through out the paragraphs and not in any key, they may describe a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p, q, r, s, t, u ,v, q, x, y, z, Alpha, Beta, Gamma, Pi, A, B and C. But after that point they will use the variable by itself in huge strings. When you get to page 30 and see that D = (a ^ b mod Gamma) - q * f, it looks like fucking alphabet soup. You need to keep going back to see what all the variables reference, until you commit all the variables to memory and can fluidly exchange them with the English concept that they represent. Again, I can understand the benefits of using such mathematical notation, but once again I find that it also makes it harder to quickly wrap your head around what is happening (it certainly does for me anyway, I do not think in symbols, I think in English, and I hate having to commit all of these symbols to English).
Another problem is that the notation tends to be very overloaded and contextual. Mathematical operators that you THOUGHT you knew may be used in completely different ways from how you have seen them used as a not-a-math-Ph.D , and the people writing papers like this are not going to take the time to explain the meaning of the operators in the context of their paper, because they assume that if you are reading their paper you already can infer the meaning of the operators based on the context of the sorts of things they are doing. This can be very confusing.
You also need to learn notations such as || which is frequently used to mean concatenation, and also pseudo-code is frequently mixed in as well (which is quickly understood if you are a programmer) , so they may say blind(a, b, pi) instead of "The blinding algorithm uses the parameters a b and pi.
Anyway to make a long story short, yes these papers deal with really complex math and fully understanding the how will require you to really know your shit regarding math, and having a firm understanding of the basic elements of cryptography and anonymity is certainly very helpful/required as well. But a LOT of understanding papers like this is simply being able to convert the complex seeming notations into English, understanding the operators they are using in the context of the paper, and committing the dozens of variables to memory. After you have done that, there are still things you will not understand without being really good at math / understanding the fundamentals of crypto-anonymity, but the paper will not seem quite so impossible anymore.
-
[The forum went down for me just before I tried posting this...]
I have a very...holistic understanding of things, you could say ;)
I read all you said, I will like to answer all your confusions if possible.
Subnote: A new analogy has fallen out of my brain: you know those cards you buy for money at shops, then use for other services online, it's a bit like that for Bitcoins, except more 'pure'. And obviously decentralised. In other words, completely different implementation, but similar effect.
Intriguing. In your opinion, would this be as easy as using bitcoins for a new user?
I think so, but I suppose that really depends on the code and modified client being released next month by the Prof. So maybe, you will click 'mint Zerocoin' on your traceable client cointaining traceable bitcoins, you will get (as explained sort of below) the Zerocoin c and skc, and then you could use Tor with another client, input these 2 pieces of info into it (probably by QR code if you wanted), to redeem you 1BTC, and then send that straight to wherever you want, the IP address of the redeeming and final transaction is the only thing needing masking. Or maybe sites like Silkroad could accept Zerocoin directly (so you give them your c and skc data, and they redeem it).
SS, when you say "Are we talking a standard Bitcoin address, or a Zerocoin address -- because really, coins don't exist at all" that is where my lack of Bitcoin knowledge kicks in. I think that I was wrong here anyway. After reading more, I see that what happens is that just after creating the random new Zerocoin, you do a transaction which sends the Bitcoin to the Zerocoin as such, so it seem to be acting like a traditional address to some extent. As explaiined below:
The general overview of our approach is straightforward. To mint a zerocoin c of denomination d, Alice runs Mint(params)->(c; skc) and stores skc securely. She then embeds c in the output of a Bitcoin transaction that spends d + fees classical bitcoins.
Then, when creating the proof, the only things that are needed are (along with a few other things not terribly important to understand right now), the Zerocoin and it's 'trapdoor', or skc, which I *think* is the encryption I mentioned (which would reveal the serial of the Zerocoin). So c, the Zerocoin 'address' as such, is public, but skc is like your private key. But creating the proof doesn't guarentee that the proof is valid- it is only valid if the Bitcoin was actually sent to the Zerocoin, and the network is able to check this when the proof is submitted to it to be validated, which is also when, as mentioned before, the 'spender' submits their address to send the Bitcoin to, and also the serial number of the Zerocoin. The mechanics of this proof is what I don't understand, but is based on the 'accummulator' as far as I understand, which I think basically keeps a reccord of all existing Zerocoins and Bitcoins sent to them, but that's an educated guess.
You talk about, can a Zerocoin can only be used once. Well, I was going from creation, 'minting', to what I would call melting, or 'spending'. I believe that if you intended to hold on to the Zerocin for a while, you would stop after having sent the Bitcoin to the Zerocoin. But yes, it's like a disposable voucher I think, or an anonymous bitcoin address. In fact it really sort of is an anonymous Bitcoin address, albeit with only specific and permanant value (1BTC at the minute). But Zerocoin sounds way better than 'anonymous and restrictive bitcoin address protocol'. On a side note, the paper also suggests trading could be made possible of Zerocoins, which would probably be more complicated that it sounds.
All this is how I understand it, sorry if I've made (another) mistake. Do you understand better now? :)
I've refered to how I don't understand the proof bit, I read a thing on wikipedia about it and understand it's a statistical thing, but I've yet to get though the harder stuff of this paper, so I'll get back to y'all if I get a better understanding of that specific element (abviously it's the most important and commendable part of the whole protocol).
Further detail from the paper explaining what happens when someone wants to cash out their Zerocoin. This is obiously referring to a more 'complete' implementation than above, but still follows all the same steps (S is the serial number)
To spend c with Bob, Alice first constructs a partial transaction ptx that references an unclaimed mint transaction as input and includes Bob’s public key as output. She then traverses all valid mint transactions in the block chain, assembles the set of minted coins C, and runs Spend(params; c; skc; hash(ptx);C)->(proof; S). Finally, she completes the transaction by embedding (proof; S) in the scriptSig of the input of ptx. The output of this transaction could also be a further Zerocoin mint transaction — a feature that may be useful to transfer value between multiple Zerocoin instances (i.e., of different denomination) running in the same block chain. When this transaction appears on the network, nodes check that Verify(params; proof; S; hash(ptx);C) = 1 and check that S does not appear in any previous transaction. If these condition hold and the referenced mint transaction is not claimed as an input into a different transaction, the network accepts the spend as valid and allows Alice to redeem d bitcoins.
-
Thanks kmfkewm I haven't read all that yet but will. Maybe you could comment on my last post, is what I've said right about the implementation?
-
While the construction of the previous section gives an
overview of our approach, we have yet to describe how our
techniques integrate with Bitcoin. In this section we address
the specific challenges that come up when we combine a
decentralized e-cash scheme with the Bitcoin protocol.
The general overview of our approach is straightfor-
ward. To mint a zerocoin c of denomination d, Alice runs
Mint(params) → (c, skc) and stores skc securely.13 She
then embeds c in the output of a Bitcoin transaction that
spends d + fees classical bitcoins. Once a mint transaction
has been accepted into the block chain, c is included in the
global accumulator A, and the currency cannot be accessed
except through a Zerocoin spend, i.e., it is essentially placed
into escrow.
Whew hopefully away from the "Makes my head hurt" section of the paper now. As you can see from the above paragraph, Zerocoin is a separate currency system, but the value of a Zerocoin is inherently tied to the value of a Bitcoin, and it piggy backs on the network. In order to get a Zerocoin, Alice must spend a Bitcoin, apparently the Bitcoin does not go to anybodies actual wallet but rather is associated with the Zerocoin C that Alice has minted.
So in summary I do not fully understand the "how" of what is happening here, but I do have a pretty decent grasp on the "why" and the "what". Zerocoin is a decentralized blind mixing scheme that they propose be integrated with Bitcoin, although it can also run separately of it. It is the first decentralized blind mix in the literature, and is bleeding edge if it lives up to its claims (I certainly am not capable of verifying its security). It is based off of a special sort of cryptographic accumulator that is compatible with blinded witnesses, zero knowledge proofs of knowledge for computing blinded witnesses and cryptographic commitment schemes. It is a separate currency from Bitcoin, but they propose that it be merged into the Bitcoin network in such a way that the value of a Zerocoin is inherently linked to the value of Bitcoin it can be redeemed for. They want to piggy back on top of the established Bitcoin network for many of the components required for their system. In essence, their goal is to cryptographically obfuscate the transaction history of Bitcoin, which is currently public knowledge. They claim to have addressed several issues, primarily they remove the need to trust a traditional laundering service from linking input and output coins, and more importantly they give the security assurances of blind mixing while removing the ability of a centralized authority (the blind mix) to steal the bitcoins sent through them.
I can say that I am actually very excited about Zerocoin and that I think it will be a massive improvement for Bitcoin. People who can read that paper once and understand it fully will need to verify that the math and logic are sound though.
I concur! That quote helps me as well, and sort of confirms my assumption that the accumulator is what stores the information of which Zerocoins have an associated Bitcoin, i.e. are valid.
-
One thing I note is that they are indeed making a new type of coin, so to speak. However, their goal is for its value to be inherently tied to the value of Bitcoin, and for it to piggy back on top of the current Bitcoin network. Whereas in the past blind mixes have been used to achieve what they are trying to achieve, the primary challenge they claim to have addressed is creating a blind mix that doesn't have a central authority for minting blind tokens. They claim to address this by letting any user mint their own blind token, but the challenge then is to make it so users can only mint valid blind tokens if they spend an equivalent amount of Bitcoins.
Well that's fair enough. But is it really any more a coin than say a Bitcoin address? The way in which knowledge of which address contains which Bitcoins is updated by the Bitcoin network works in a similar way to the way the accumulator does the corresponding task for Zerocoins, except in an anonymous way. But I think this is really something which could be argued either way, and I'm happy to accept it both is and isn't a coin. In my previous posts, I wasn't so much saying that it wasn't a coin, as saying that to think of it as a special type of address was possibly easier for some.
-
+1, excellent posts, kmf.
The biggest criticism I heard of Zerocoin is that the transactions are large (40 KB compared to normal transactions which are < 1 KB) and must be logged in the block chain. This greatly increases the computational power needed to confirm them. I believe the authors mentioned the sizes of the transactions could be reduced. Any idea by how much?
-
+1, excellent posts, kmf.
The biggest criticism I heard of Zerocoin is that the transactions are large (40 KB compared to normal transactions which are < 1 KB) and must be logged in the block chain. This greatly increases the computational power needed to confirm them. I believe the authors mentioned the sizes of the transactions could be reduced. Any idea by how much?
Yes well that does seem to be one of the main concerns. There's a whole section on the paper on performance and how this affects the Bitcoin network. Here's some of it.
How Zerocoin affects network transaction processing determines its practicality and scalability. Like all transactions,Zerocoin spends must be verified first by the miner to makesure he is not including invalid transactions in a block and then again by the network to make sure it is not including an invalid block in the block chain. In both cases, this entails checking that Verify(...) = 1 for each Zerocoin transaction and computing the accumulator checkpoint.We need to know the impact of this for two reasons. First, the Bitcoin protocol specifies that a new block should be created on average once every 10 minutes.20 If verification takes longer than 10 minutes for blocks with a reasonable number of zerocoins, then the network cannot function. Second, while the cost of generating these blocks and verifying their transactions can be offset by transaction fees and coin mining, the cost of verifying blocks prior to appending them to the block chain is only offset for mining nodes (who can view it as part of the cost of mining a new block). This leaves anyone else verifying the block chain with an uncompensated computational cost.
Experimental setup
To measure the effect of Zerocoin onblock verification time, we measure how long it takes our modified bitcoind client to verify externally loaded testblocks containing 200, 400, and 800 transactions where 0,10, 25, 75, or 100 percent of the transactions are Zerocoin transactions (half of which are mints and half are spends).We repeat this experiment for all three security parameters.Our test data consists of two blocks. The first contains z Zerocoin mints that must exist for any spends to occur. The second block is our actual test vector. It contains, in a randomorder, z Zerocoin spends of the coins in the previous block, z Zerocoin mints, and s standard Bitcoin sendToAddress transactions. We measure how long the processblock call of the bitcoind client takes to verify the second block containing the mix of Zerocoin and classical Bitcoin transactions. For accuracy, we repeat these measurements 100 times and average the results. The results are presented in Figure 3d.C.
Discussion
Our results show that Zerocoin scales beyond current Bitcoin transaction volumes. Though we require significant computational effort, verification does not fundamentally threaten the operation of the network: even with a blockcontaining 800 Zerocoin transactions — roughly double the average size of a Bitcoin block currently — verification takes less than five minutes. This is under the unreasonable assumption that all Bitcoin transactions are supplanted by Zerocoin transactions. In fact, we can scale well beyond Bitcoin’s current average of between 200 and 400 transactions per block if Zerocoin transactions are not the majority of transactions on the network. If, as the graph suggests, we assume that verification scales linearly, then we can support a 50% transaction mix out to 350 transactions per minute(3,500 transactions per block) and a 10% mixture out to 800 transactions per minute (8,000 per block).
This suggests it should be OK, though I think it is the storage that Green is worrying about most:
First of all, Zerocoin is not cheap. Our current zero-knowledge proof averages around 40KB, and take nearly two seconds to verify. By the standards of advanced crypto primitives this is fantastic. At the same time, it poses some pretty serious engineering challenges -- not least of which is: where do you store all these proofs?
This probably isn't the end of the world. For one thing, it seems likely that we'll be able to reduce the size and cost of verifying the proof, and we think that even the current proof could be made to work with some careful engineering. Still, Zerocoin as currently construed is probably not going to go online anytime soon. But some version of Zerocoin might be ready in the near future.
-
I genuinely think this is properly exciting, like, truly anonymous money. Admittedly, it's only achieving what cash can already do, but this has the advantage of being digital, which brings with it countless advantages. 8)
Actually, real cash can be traced if the resources are there...so it's better
-
Thank you for your time, kmfkewm. You as well lukeuser. I can't seem to figure out exactly what it is, but I've got a nagging feeling that there's something... that just doesn't work here... particularly with this spending of a bitcoin that's for all intents and purposes locked into escrow... I just can't quite -- well. This is going nowhere at the moment, no sense in rambling.
It wouldn't be the first time intuition failed a person, heh... at any rate, I wanted to say thank you for your time. I'm sure lots of people couldn't care less, but like astor, I certainly appreciate your efforts :)
-
I'm just trying to distract myself from the exam revision I should be doing haha... :(
Here's another super-simplified way of looking at it, now I have better knowledge of the accumulator:
1.When you create a Zerocoin, two randomly created private keys (call one of these the serial number) are combined to create a public identifier. You send your bitcoin to this identifier. When you do this, the identifier is added to the accumulator (a public, global object), which you can think of as keeping a record of the identifiers of all valid Zerocoins.
2.Then, at some later date, to redeem the coin, you do a special mathematical operation on the three components of your Zerocoin, creating another 'object', the proof. You then submit this object along with the serial number to the network. At the same time, you also submit a proposed transaction- you choose any Bitcoin which has been sent to a any Zerocoin in the past and hasn't yet left it, and have that sent to a Bitcoin address of your choice.
3.Since the serial number doesn't appear in any previous 'Zerocoin spend' transaction, the network knows that your Zerocoin has not been spent before. But they still need to decide if it is a valid Zerocoin, i.e. if it is in the accumulator. They use the proof and serial number you gave, and the public accumulator, and do a special mathematical operation on them. This results in them concluding that the serial number you gave is indeed of a Zerocoin whose identifier is in the accumulator, but without them being able to infer which identifier that is. Hence, your proposed transaction is allowed to go ahead.
......now, that revision........... :-\
-
Green says that he and his fellow researchers are not interested in facilitating criminal activity with Zerocoin. "Zerocoin would give you this incredible privacy guarantee, then we could add on some features which let the police, for instance, to be able to track money laundering. A back door." The paper is due to be presented at the IEEE Symposium on Security & Privacy in Oakland, California, in May.
http://www.newscientist.com/blogs/onepercent/2013/03/bitcoin-zerocoin.html
http://beforeitsnews.com/alternative/2013/03/bitcoin-privacy-extension-to-have-back-door-for-government-snooping-2602114.html
http://www.activistpost.com/2013/03/bitcoin-zerocoin-privacy-extension-to.html
I think this sums up the thread nicely. On the other hand if it's open source then adopters could choose to only use the version without the back door.
Anonymity is helpful for bitcoins to take over the world, but just like a greenback bill's serial number it's traceable but mostly anonymous already.
Modzi
-
edit: to the above poster, bitcoin is not mostly anonymous, in fact it is entirely non anonymous and totally public record.
I think it is going to be hard to really understand Zerocoin at a low level if you can't figure out what the set of formulas in appendix B means. It explains their zero knowledge proof of knowledge algorithm. I tried to paste it here, but it cannot be displayed correctly. Needless to say, it looks like it is pretty advanced.
[edit: removed formulas because pasting them fucked up all formatting and some characters cannot be displayed]
One of the reasons why it is hard to figure out what is going on in this paper is because it is actually discussing at least three different things: a system to prevent double spending, a system to allow for anonymous spending and a way to integrate all of this with the current Bitcoin network. Also they are describing the systems that they use briefly, to really have a good chance of understanding this you should also read the cited papers , for example there is an entire paper dedicated to the accumulator and blind witness technique that they are using, but they summarize it in a few paragraphs.
So, the user generates a zerocoin (C) which is a commitment to the coin serial number (S). C is unlocked with a random number (R) into S. At the risk of being repetitive, I will repost the example of such a mechanism that I showed previously:
The Commitment (coin) C = fc4b5fd6816f75a7c81fc8eaa9499d6a299bd803397166e8c4cf9280b801d62c
The Random Number R = 0283da60063abfb3a87f1aed845d17fe2d9ba8c780b478dc4ae048f5ee97a6d5
The coin serial number S = efdf88c3315309fa0d4245389d79e035cd761813b85a954f2b924f81ee6bb248
because SHA256(C || R) == S
Now the user needs to add the value C to a public accumulator. As I mentioned before, accumulators are constructs such as bloom filters, they are for checking for set membership of an object. It is probably even correct to consider a list of items as an accumulator, which can be checked to see if it contains element A with the algorithm (A == A1) OR (A == A2) OR ... OR (A == An). This OR based example is actually about the worst possible performing accumulator possible, but I just am trying to show that all an accumulator is , is something that can be queried with some data (a witness, the object itself in the previous example) to determine if the queried for item is present.
Now one of the most tricky things to wrap your head around is how the Zerocoin accumulator is queried for element C, and this is really the heart of Zerocoin. Now in the OR based example I just now wrote about, the verifier is given the actual item to check for its presence in the accumulator. In a bloom filter, they are given the item itself as well in some cases, or in others just the items hash. Regardless, the point is that in both of these examples the verifier can determine which element the client is checking for the presence of , if the verifier knows all the items that have been accumulated. The Zerocoin scheme allows for the client to prove to the verifier that it knows an element in the accumulator, without the verifier being able to determine anything about which of the elements in the accumulator the client is proving that it knows about. Put another way, the Zerocoin accumulator scheme allows the client to prove to the verifier that it has a Zerocoin in the accumulator, without revealing which of the Zerocoins it is (this mechanism is where the anonymity comes from). Even more impressively, it allows the client to prove that the element (C) which is present in the accumulator (ie: the Zerocoin the client has in the accumulator), opens up to serial number S (something that would only be known by the person who created the element C in the first place), without the verifier being able to determine which of the C's in the accumulator open up to S, and without the verifier learning the secret number R (this mechanism protects from double spending, and keeps the person who put the Zerocoin into the accumulator in charge of it)!
The anonymity of Zerocoin is derived from the fact that the verifier cannot determine which element C the client proves knowledge of (ie: the client can prove that it has a Zerocoin in the accumulator without revealing which of the Zerocoins it is). So Alice adds an element C to the accumulator (ie: Alice gets a Zerocoin). Of course, she also needs to be charged some bitcoins to add the element to the accumulator (ie: She needs to buy the Zerocoin from the Bitcoin network with Bitcoins), and I believe this is where the full Bitcoin integration request comes from. They want the current Bitcoin network to be modified so that Alice can essentially return X Bitcoins to the entire network, so that they are not under the control of anybody anymore, and in return for doing this Alice can add an element C worth that value of Bitcoins to the accumulator, which they also want to be run distributed over the Bitcoin network. After sending X Bitcoins back to the network and then adding element C to the accumulator, Alice can use the Zerocoin proof of knowledge formula to create what I will call a blinded witness (and what the paper calls a zero knowledge signature of knowledge). The blinded witness is the information that allows Alice to prove to the verifier that she knows of an element C in the accumulator (ie: it lets her prove that she has a Zerocoin in the accumulator), and to prove that the element C opens up to the never before used serial number S (ie: it lets her prove that she has not spent the Zerocoin before). I actually would prefer calling the (Blinded Witness, Serial Number) pair a Zerocoin, rather than the value C in the accumulator. However, in order to not go against the terminology defined in the paper, I will instead call the (Blinded Witness, Serial Number) pair a "Bitcoin Redemption Slip", or BRS for brevity. Alice could very well send her BRS to Bob, who she is doing business with. However, it makes a bit more sense for Alice to merely use her BRS to have coins sent to Bobs Bitcoin address. There are actually a lot of different ways in which it can be used. Assume that Alice actually does send her BRS to Bob.
Now after Bob obtains the BRS from Alice, he can send it to the Bitcoin network, where the blinded witness is used with the Zerocoin zero knowledge system to prove that:
A. Bob put a value C (aka: Zerocoin) into the accumulator (or, in this case, Bob was sent a BRS by somebody who did)
and
B. Bob knows a unique value S which C opens up to (which means that the BRS has never been used before)
Thanks to the cryptographic properties of the Zerocoin accumulator and zero knowledge proof of knowledge scheme (blinded witness) , the verifier cannot link Bob to any specific C in the accumulator, despite being able to tell that Bob (or somebody who did business with Bob) put a C into the accumulator. This means that the verifier cannot link Bob to Alice. Now that Bob has proven he has a Zerocoin in the accumulator, the Bitcoin network releases a Bitcoin to whatever Bitcoin address Bob tells it to, and it takes the released Bitcoin from the no mans land that Alice put them into, in order to put a C of equivalent value into the accumulator and get a BRS in the first place. Additionally, the network keeps track of serial number S, so that nobody can ever redeem the associated BRS for a Bitcoin again (ie: nobody can double spend).
Now a passive adversary who observes the blockchain can determine that Alice put some Bitcoins into no mans land, and that Bob took some Bitcoins out of no mans land, but that is all of the information that they can get. If enough people are using the Zerocoin system, and the C values are standardized denominations, then the sheer volume of traffic will prevent traffic analysis from being carried out to link Bob and Alice. Additionally, because of the Zerocoin accumulator and ZKPOK properties, even the Bitcoin network / verifier itself cannot link Alice to Bob.
If Alice redeems the BRS herself, in order to send Bitcoins to Bobs Bitcoin Address, rather than sending Bob the BRS for him to exchange for bitcoins himself, Alice will still learn one of Bobs bitcoin addresses. Since Bob doesn't trust Alice, he will be smart to then spend this Bitcoin on yet another BRS , and then redeem his new BRS for Bitcoins sent to another Bitcoin address that Alice is unaware of. By Bob taking this final step, Alice and Bob will not only be protected from being linked together by any third parties, but additionally Alice will be prevented from determining the Bitcoin address that Bob cashes out from.
-
great thread guys! thoroughly enjoying the discussion and trying to understand content a bit over my head. :)
-
Much appreciated further elaboration on the central 'crux' of the Zerocoin system from kmfkewm.
There's something I'm not quite sure of though, it's not really related to the zero knowledge proof, but I just thought it would be interesting to mention, maybe someone could clarify it for me. From the paper:
To spend c with Bob, Alice first constructs a partial transaction ptx that references an unclaimed mint transaction as input and includes Bob’s public key as output. She then traverses all valid mint transactions in the block chain, assembles the set of minted coins C, and runs Spend(params; c; skc; hash(ptx);C) -> (proof; S). Finally,she completes the transaction by embedding (proof; S) in the scriptSig of the input of ptx.
Now, the problem is relevant in this example, but also more significant due to this later suggestion. It is referring to the problem that the origin of a Zerocoin would be revealed if the owner's computer was assessed. An attacker could use the random number R, along with the serial S, which would both need to be stored, to find c, identifying the Bitcoin used to mint the Zerocoin.
One solution is to generate the spend transaction immediately (or shortly after) the coin is minted, possibly using an earlier checkpoint for calculating C. This greatly reduces the user’s anonymity by decreasing the number of coins in C and leaking some information about when the coin was minted. However, no attacker who compromises the wallet can link any zerocoins in it to their mint transactions.
So the Zerocoin owner could destroy the c value from their computer, and will only need the proof and serial number to redeem their Zerocoin at a later date (the BRS), neither of which identify the original Bitcoin.
My problem is that the first quote suggests that hash(ptx) is used to generate the proof, so that that proof can only be used with the transation ptx. This is verified here, where R is hash(ptx):
Spend(params; c; skc; R;C) ! (proof; S). If c =2 C output ?. Compute A Accumulate((N; u);C) and ! GenWitness((N; u); c;C). Output (proof; S) where proof comprises the following signature of knowledge:
proof = ZKSoK[R]{(c; w; r) : AccVerify((N; u); A; c; w)=1 ^ c=g^S*h^r}
ptx specifies which Bitcoin in the set C (pool of all 'escrowed' Bitcoins) is being transferred to the Zerocoin spender's address of choice. But if this is done first, then when the transaction ptx is submitted, that Bitcoin might have already left the pool, so can't be used. Hence the proof, or the BRS, can't be used. If the transaction was submitted very soon after the 'Spend' operation then this might not be a problem.
Maybe I'm misunderstanding what actually happens when the 'Spend' operation is carried out. Does it place some 'mark' of it's Bitcoin of choice?
On the other hand, if the hash wasn't included in the 'Spend' operation, i.e. R didn't include this information then it would have better anonymity- the BRS can be passed to a recipient without the creator needing to know the reciepient's address, for example. And it means that if the BRS was created as soon as the Zerocoin was minted, there wouldn't be any problem of this reducing the size of the pool as suggested in the above quote.
Again, maybe I'm misunderstanding the 'spend' operation. But from what I see, it isn't actually communicating with the network, so can't place any mark of it's 'Bitcoin of choice'. Maybe the ptx doesn't actually specify which Bitcoin it wants, though it certainly seems to, "...partial transaction ptx that references an unclaimed mint transaction...".
How does running 'Spend' immediately after 'Mint', "greatly reduces the user’s anonymity by decreasing the number of coins in C and leaking some information about when the coin was minted" if 'Spend' doesn't broadcast something to the network, and if it does, why is this not detailed in the paper?
-
Apologies for pulling this old thread out of the grave, but rather than start a new one, I figured I'd tack some news onto the best one related to Zerocoin.
I just checked their web site and it says that prototype software should be available in mid-to-late June: http://zerocoin.org/software
Pretty excited! I want to play with it.
Hopefully it will be in production use on the bitcoin network by the end of the year.
-
Apologies for pulling this old thread out of the grave, but rather than start a new one, I figured I'd tack some news onto the best one related to Zerocoin.
I just checked their web site and it says that prototype software should be available in mid-to-late June: http://zerocoin.org/software
Pretty excited! I want to play with it.
Hopefully it will be in production use on the bitcoin network by the end of the year.
VERY exciting! They better not have implemented that backdoor though! >:(
-
I must agree with the ones who thinks this sounds sketchy.
-
Zerocoin will be fucking amazing..
We study it since day 1
also have a look @ *CLEARNET WARNING* http://qixcoin.com/
we cant wait until they release the code ..
-
After actually reading through this thread and the articles about zerocoin I will revoke my previous statement, and replace sketchy with interesting!
-
How does running 'Spend' immediately after 'Mint', "greatly reduces the user’s anonymity by decreasing the number of coins in C and leaking some information about when the coin was minted" if 'Spend' doesn't broadcast something to the network, and if it does, why is this not detailed in the paper?
Even blind mixes are vulnerable to traffic analysis. If someone obtains 1000 zerocoins and immediately after that somebody gets 1000 bitcoins for zerocoins, there is a correlation there.
-
It's like any mixing service, put in more than you need and split it out, or submit it in smaller increments and take it out as one lump sum, or some combination of the two. You can do 3 in and 3 out, but make them different amounts coming out and don't send them to the same address.
I don't trust mixing services like blockchain.info, where they charge a flat fee of 0.5%. So you send them 1 BTC and a few minutes later there are (always) exactly two transactions to the same address that total 99.5% of the other one. Anyone looking at the block chain can figure that out, especially since the transactions are so close to each other.
-
A contact of ours said he knew a programer who could program it & customize it for 100BTC and he needs 2 months time ..
as soon as the whitepaper is released it could be started...
lets kickstart that for real !
--
will talk to my boss about this...maybe we will finance it ..
all we want is our nym in the credits and the help of you guys to perfect it and get the code checked by large audience .. 8)
-
A contact of ours said he knew a programer who could program it & customize it for 100BTC and he needs 2 months time ..
as soon as the whitepaper is released it could be started...
lets kickstart that for real !
--
will talk to my boss about this...maybe we will finance it ..
all we want is our nym in the credits and the help of you guys to perfect it and get the code checked by large audience .. 8)
1. The white paper has already been released
2. The people who released the whitepaper already implemented it
3. It is worthless unless it is integrated into a network like Bitcoin (or a separate network is made for it, a fork of the Bitcoin software would do)
-
4. Knowing how to program isn't going to be enough to implement Zerocoin anyway, you will most likely need to find somebody with education in cryptography. It is possible to implement some cryptographic systems with hard work, even if you lack formal education in the matter, but Zerocoin looks pretty advanced to me. It needs a specific sort of cryptographic accumulator and cryptographic zero knowledge proof of knowledge algorithm, in addition to some other things.
-
A contact of ours said he knew a programer who could program it & customize it for 100BTC and he needs 2 months time ..
as soon as the whitepaper is released it could be started...
lets kickstart that for real !
--
will talk to my boss about this...maybe we will finance it ..
all we want is our nym in the credits and the help of you guys to perfect it and get the code checked by large audience .. 8)
1. The white paper has already been released
2. The people who released the whitepaper already implemented it
3. It is worthless unless it is integrated into a network like Bitcoin (or a separate network is made for it, a fork of the Bitcoin software would do)
1. really ? link please :)
2. where?
3. yes we talk about a fork
4. He ( she) has an advanced education in cryptography..any way we as a community and other crypto experts ( how will analyse it simply because they love their job) none the less should be able to perfect it.
We personally of course would never be able to to this...
But we thought the price sounds good and why not try it 8)
-
I bet zerocoin is some scandal to track bitcoins more easily.
-
I bet zerocoin is some scandal to track bitcoins more easily.
I bet you didn't read the zerocoin specification. Or the Bitcoin specification, for that matter.
-
The specification is here, the link is on the first page of posts
http://spar.isi.jhu.edu/~mgreen/ZerocoinOakland.pdf
I don't think they released the code publicly yet but they already have it all implemented.
-
Apologies for pulling this old thread out of the grave, but rather than start a new one, I figured I'd tack some news onto the best one related to Zerocoin.
I just checked their web site and it says that prototype software should be available in mid-to-late June: http://zerocoin.org/software
Pretty excited! I want to play with it.
Hopefully it will be in production use on the bitcoin network by the end of the year.
VERY exciting! They better not have implemented that backdoor though! >:(
:)
-
Looks like an alpha client has been released. It's operating on testnet or their own testing network.
-
subbing for when I have the available attention to learn more about this.
-
Subbing.
Does anyone know if the code will include a backdoor? Or is it too early to tell? I'm getting bad vibes from Zerocoin; sounds like a trap for the government to monitor all BTC transactions.
-
Subbing.
Does anyone know if the code will include a backdoor? Or is it too early to tell? I'm getting bad vibes from Zerocoin; sounds like a trap for the government to monitor all BTC transactions.
The government already can monitor all BTC transactions, that is why we need Zerocoin.
-
I think he's referring to when one of the Zerocoin developers mentioned that a backdoor could be added for government surveillance (ie, they would know what your redemption code is or something like that). They probably said that so they wouldn't be arrested for violating AML laws. :)
Their FAQ says it's open source so nobody can add a backdoor without everyone noticing.
http://zerocoin.org/q_and_a#could-you-put-a-backdoor-in-it
Also, since it's open source, if they were forced to add a backdoor, others could fork libzerocoin and remove it.