Looking for thought on Zerocoin

Tuck Fheman

[quote name=“Kevlar” post=“29402” timestamp=“1380317462”]
I’d be surprised if it was Zerocoin, but anything is possible. Much more likely is that it’s a built in coin mixer, since that’s pretty trivial to implement (see my github page, the BitMixr project) compared to Zerocoin.
[/quote]

I’m feeling lazy lately so I haven’t even read up on his coins that much, but I do enjoy trading them during the hyper-pumps on his exchange. I think he would be bragging about implementing zc (since he apparently likes to advertise) and since he’s not (from what I can tell), I’m going to have to agree with you.

If anyone knows what he’s using for “anonymity” please speak up. It could be he’s just using the word and doing nothing, since most assume you’re anonymous when using cryptocoins (as I did previously) not many would question his use of the word.

If I can drag myself away from trading tonight I’m going to try to find some more info.

Edit : Doh, thought this was in another thread. I did not mean to hijack this into a sc anon discussion. But, it is sort of relevant … so, yeah.

[b]So Kevlar, is the mixing solution just as good/better/worse than going with zerocoin?[/b]

Kevlar

[quote name=“Tuck Fheman” post=“29407” timestamp=“1380321480”]
[b]So Kevlar, is the mixing solution just as good/better/worse than going with zerocoin?[/b]
[/quote]

It depends on your goal, and what you’re trying to achieve. Mixing introduces reasonable doubt and makes forensic analysis extremely difficult. It’s better than Zerocoin because it doesn’t require a protocol change, and a hard fork. It’s worse, because it doesn’t actually ELIMINATE taint and make forensic analysis impossible like Zerocoin does. If the mixer service gets hacked/compromised/raided, it’s still theoretically possible that some taint could be reconstructed. ‘Extremely difficult forensic analysis’ and ‘greatly diluted taint’ can be sufficient for anonymity, but it’s not the holy grail of perfect anonymity that Zerocoin is.

Kevlar

[quote name=“unkunku” post=“29414” timestamp=“1380325044”]
I don’t mean to fish for information, but just recently noticed the fine pumps in solidcoin.

Would you maybe be willing to share some information regarding the price-movements? A simple comment as to where you feel a “cheap” price-tag of solidcoin would be greatly appreciated :)
[/quote]

Can we take this to another thread please? This is supposed to be about Zerocoin.

Tuck Fheman

[quote name=“Kevlar” post=“29415” timestamp=“1380325535”]
It depends on your goal, and what you’re trying to achieve.
[/quote]

World domination of course.

[quote author=Kevlar link=topic=3136.msg29415#msg29415 date=1380325535]
‘Extremely difficult forensic analysis’ and ‘greatly diluted taint’ can be sufficient for anonymity, but it’s not the holy grail of perfect anonymity that Zerocoin is.
[/quote]

It’s never easy. :-\

Tuck Fheman

[img]http://b-i.forbesimg.com/andygreenberg/files/2013/04/Screen-Shot-2013-04-12-at-2.16.44-AM.png[/img]

Old article to re-bring up some points on ZC …

[quote]“You can feel like you’re private using Bitcoin, but there are going to be companies like Google and Facebook and [Google-owned ad firm] DoubleClick looking at the data and pulling personal information out of it. There may be already,” says Green. “It’s not wrong to be paranoid about privacy when it comes to Bitcoin.”[/quote]
[quote]Zerocoin is designed to offer the same privacy and untraceability properties as one of those laundry services, but without the need to trust any potentially shady entity; As with Bitcoin, the user would only have to trust the currency system itself.[/quote]
[quote]In fact, you can think of Zerocoin like the world’s biggest laundry â€" one that can handle millions of users, has no trusted party, and can’t be compromised,”
[/quote]
[quote]But until it’s integrated into the Bitcoin protocol, Zerocoin would require third-party services to act as issuers of its anonymizing tokens, introducing some of the same trust problems that currently exist with laundry services.[/quote]
^ Can anyone elaborate? (or if you have previously, please link me to the post).

[quote]If Zerocoin is implemented, it could lead to questions about the ethical and societal implications of truly untraceable digital payments. Anarchists and libertarians have long dreamed of perfect payment privacy as a means to avoid taxes, thwart laws and even destroy the government.[/quote]

[quote]“But privacy is important. And people have a right to it.”[/quote]

[url=http://www.forbes.com/sites/andygreenberg/2013/04/12/zerocoin-add-on-for-bitcoin-could-make-it-truly-anonymous-and-untraceable/]http://www.forbes.com/sites/andygreenberg/2013/04/12/zerocoin-add-on-for-bitcoin-could-make-it-truly-anonymous-and-untraceable/[/url]

Kevlar

[quote name=“Tuck Fheman” post=“29420” timestamp=“1380330099”]
[quote]But until it’s integrated into the Bitcoin protocol, Zerocoin would require third-party services to act as issuers of its anonymizing tokens, introducing some of the same trust problems that currently exist with laundry services.[/quote]
^ Can anyone elaborate? (or if you have previously, please link me to the post).
[/quote]

Because an in-blockchain implementation would require a hard fork, one proposed solution is to run a mixing service that issues Zerocoin claim checks, thus allowing for anonymization when using the service, so if the mixing service got hacked/raided by the police/compromised, they still couldn’t tie anything back to it’s users.

This is just an upgraded mixing service, and still suffers from the same problem as all other mixing services as I mentioned before including centralization, but it does so while guarantee anonymity for it’s customers, which is at least a step in the right direction.

Tuck Fheman

Sorry if this has been brought up previously and I missed it. I just came across this on the ANC thread since Kevlar mentioned them awhile back.

[quote]Zerocoin as currently implemented requires configuration with a trusted non-secret integer of 1,026 bits in length generated by multiplying together two factors p and q. That means you need a “trusted party” to configure Zerocoin; more importantly, if this trusted party decides to hold on to the p and q factors they used (rather than destroying them) or shares them with anybody, then they will be able to double spend any zerocoins. This is a fatal flaw if we wish Zerocoin to operate in a zero-trust manner.[/quote]

[url=https://bitcointalk.org/index.php?topic=227287.msg3194770#msg3194770]https://bitcointalk.org/index.php?topic=227287.msg3194770#msg3194770[/url]

So, it’s going to be awhile I assume before this issue is solved and until then there’s no point moving forward with zerocoin outside of research(?).

Kevlar

[quote name=“Tuck Fheman” post=“29569” timestamp=“1380420857”]
Sorry if this has been brought up previously and I missed it. I just came across this on the ANC thread since Kevlar mentioned them awhile back.

[quote]Zerocoin as currently implemented requires configuration with a trusted non-secret integer of 1,026 bits in length generated by multiplying together two factors p and q. That means you need a “trusted party” to configure Zerocoin; more importantly, if this trusted party decides to hold on to the p and q factors they used (rather than destroying them) or shares them with anybody, then they will be able to double spend any zerocoins. This is a fatal flaw if we wish Zerocoin to operate in a zero-trust manner.[/quote]

[url=https://bitcointalk.org/index.php?topic=227287.msg3194770#msg3194770]https://bitcointalk.org/index.php?topic=227287.msg3194770#msg3194770[/url]

So, it’s going to be awhile I assume before this issue is solved and until then there’s no point moving forward with zerocoin outside of research(?).
[/quote]

No, there’s solutions in existence for this now. You can do a secure multi-party computation to set this up correctly and prove that it was done so using a deterministic computation proof. The much more troubling part is the size of the ZKP since it goes in the blockchain, and the time it takes to compute it (hint: it’s not trivial). We’re still working on that one.

Tuck Fheman

[quote name=“Kevlar” post=“29574” timestamp=“1380426315”]
and the time it takes to compute it (hint: it’s not trivial).
[/quote]

How long does it take currently?

Kevlar

[quote name=“Tuck Fheman” post=“29731” timestamp=“1380482222”]
[quote author=Kevlar link=topic=3136.msg29574#msg29574 date=1380426315]
and the time it takes to compute it (hint: it’s not trivial).
[/quote]

How long does it take currently?
[/quote]

On my pathetic i5? About 10 seconds. Per proof. This is compared to the milliseconds it takes to verify a block in the blockchain. This isn’t so bad when I just want to verify my own coins, but when it’s everyone elses too… this doesn’t scale at all.

ghostlander

[quote name=“coblee” post=“30475” timestamp=“1381035043”]
[quote author=ghostlander link=topic=3136.msg29002#msg29002 date=1380002553]
By the way, the tool Coblee uses for sending network alerts seems proprietary. I don’t see you very upset about that.
[/quote]

Here’s the tool if you are interested: https://gist.github.com/gavinandresen/1481736
Some modification was need for 0.8. Let me know if anyone needs help with it.
[/quote]

Thanks. We have merged Sunny’s code as it’s more flexible.

[url=https://github.com/FeatherCoin/FeatherCoin/commit/249d5b765bf9a2b560beadf884482c634dff13b2]sendalert command added[/url]
[url=https://github.com/FeatherCoin/FeatherCoin/commit/2e89b327a4518e2fd32ca80cc444fb3747f9c6e4]Updated Sendalert - Kudos to Sunny King[/url]