Zerocoin vs bitcoin value
Are there measures to avoid correlations between the amounts minted and spent? So they're all the same or there are a small number of denominations, say powers of 2 or 10, and within a denomination they're all the same.
This means there's no way to correlate Bitcoin value from Mint to Spend, because all transactions have the same value. Of course, if I see you Mint a certain number of zerocoins, then spend them all at the same time… that would be a giveaway.
It's possible to create zerocoins with variable denominations, but there are privacy risks as you point out. Does this solution rely on scanning the entire block chain to prevent a double spend? Have you considered how much load this would introduce if deployed widely? This design would work on a Bitcoin clone just as well.
Why not deploy it on one of the smaller cryptocurrencies Litecoin or Bitcoin testnet or create a new one for the purpose? You'd get to demonstrate whether it works without risk to Bitcoin. You mint zerocoins in fixed denominations.
So everyone agrees that we have a 1btc zerocoin, a. The exact denominations don't matter so much and will most definitely include fractional sizes. The important thing is that everyone agrees which sizes are valid.
This is a serious flaw. All past transactions can be revealed with knowledge of p,q. How can I trust the developers to destroy the p,q? I looked at the paper and noticed: How exactly can it be implemented in a p2p network like bitcoin? I registered the domain zeroco. Was planning to develop a lightweight bitcoin client. Oh well, back to finding a name for my project. Maybe you said it, do the 40 kB relate to the mint or the spend, and if it is on the spend side, do the 40 kB really need to be stored in the block chain or can it purge after a safe number of blocks?
The accumulator does not have access to the per-coin trapdoor skc necessary to spend an arbitrary zerocoin. If the ledger is accurate, then it doesn't matter. The accumulator is a once-in-a-while bookkeeping exercise made to turn O(N) into amortized O(1) when spending zerocoins. Fortunately, these don't appear to be fatal flaws, since the action of the accumulator can be verified. I'm a little confused about the scalability of the spending side. The paper says that spending must:
Even though accumulators can be updated incrementally, the updates for the full accumulator A and an arbitrary witness will be different, so the accumulator-checkpointers can't precompute anything of use for public use.
For an attacker able to inject a high volume but otherwise fully legitimate set of zerocoin transactions into the blockchain at arbitrary intervals, this could lead to a couple of attacks against zerocoin users:
After further reading, you're not entirely off the mark. This would then allow for forged spends, since it would be further possible to make a validly-checking spend proof based on a coin that doesn't exist.
While this would break zerocoin, I still am not convinced that it de-anonymizes previous spends. I think you have to beat the zero-knowledge proof to do that. Okay, each bitcoin is worth a fair amount. But, bitcoin is easily divisible to 8 places. For zerocoin, it can't be divisible. So, we need to fix it to a lower number. Also, it is bad to have multiple zerocoin chains. This gives you less security as a whole for each one; more usage, more anonymity.
For Zerocoin, it can't be too small also. Transactions will still cost transaction fees. So, the denomination can't be too small.
Also, lots of work, time, and space is needed to verify transactions. This will not be a microtx currency and it can't be too small. This will be for when you spend the zerocoin. They don't disappear from the ledger.
Zerocoins are random claims on bitcoins that break the transaction chain, thereby making them untraceable. That's not a great idea either. In a situation like this, some people will have processing bottlenecks, some people will have networking bottlenecks. There isn't really a correct tradeoff here. It doesn't help your cause when one of the zerocoin developers goes on record as saying that a backdoor could be added to assist governments in tracking where coins are sent.
Knowing the factorization of N does allow you to spend every minted zerocoin; you could spend even more, but you'd exhaust the pool of escrowed bitcoins. There are techniques for creating accumulators that don't let anyone actually know N. Even if the factorization of N is known, the zero knowledge proof output by Spend … is still a zero knowledge proof that only reveals the serial number. You are still anonymous. Why do you need to use the complex double exponentiation in your ZKP?
I thought maybe you wanted to show some structure in S, but it's just a random value. Pedersen commitments can be proven very simply, without cut and choose. The witness can be updated incrementally, as long as the zerocoin user sees all the transactions.
He would have to keep a running update of each of all of his outstanding zerocoin transaction's witnesses. This would require one exponentiation for each outstanding zerocoin transaction, whenever a new zerocoin transaction came in.
As long as he is running a full node, in Bitcoin parlance, he sees every transaction. Are we sure additional privacy is desirable? It makes it easier to commit crimes using bitcoin… think child porn, human trafficking, contract killing, terrorism, illegal arms sales.
There are crypto schemes by which a P2P network can generate an RSA modulus such that they all would have to collude to know the factorization. If there is at least one honest participant, the secret is safe.
They aren't especially efficient, but it would only have to be run once. Of course, future generations would have to trust that their ancestors were honest. As far as the Sander paper, trust can be minimized by seeding a random number generator from a public headline. The real problem with this approach is that it generates ridiculously large RSA moduli. One example they give in their paper is 40, bits! We could do a simple proof for the spend if we could safely reveal the raw coin which is just a Pedersen commitment.
But since that's the same coin we minted, doing so would make spend trivially linkable to the mint. Instead, we prove that a commitment to a coin was accumulated. Then we have to prove we know the serial number of the committed coin. This requires the double discrete exponentiation ZKP.
Believe me, we wish it didn't. We have some ideas for more efficient techniques, but as of right now it's the best we've got. When you make a zerocoin, there is a trace of what btc went into it. When you spend a zerocoin, we only know that such a zerocoin existed, and that it hasn't been spent before, and so we don't know which zerocoin was just spent, even if there is a trace of the btc that comes out of the spending transaction.
If it works that way, this is pretty good. It's nice to know that btc came from zerocoin because it gives you deniability if the source is persecutable, and then implicates you for aiding and abetting that source. Can you transfer a zerocoin… that is, can you verify that an unspent zerocoin exists without spending it?
Hey guys, if you are in the UK and want a cheap and efficient way of transferring money to trade on the bitcoin exchanges, I made this guide. I'd be interested in a compare-and-contrast with Stefan Brands' system. It would be interesting to see how the blockchain would deal with such an increase in size. But the concept of true anonymity is very worthwhile and would add a lot of value to bitcoin by removing the need to trust individuals who run mixers.
An 'honest', open source protocol like you're proposing that does this would be great! How does this protect from checking the zerocoin withdrawals against the entire zerocoin spend history to see when it becomes valid? If zerocoin spends can't be withdrawn if the blockchain is reversed back to a previous point, before the zerocoin was spent, then doesn't that mean you can link the withdrawal to the spend?
Am I missing something important here? Haven't read the PDF yet, but I will soon. If it's discussed there, then I'm mostly wondering why this hasn't been mentioned already here as well. After a second look, it seems like the published zero-knowledge proof specifically refers to a group of zerocoins, and only can be verified against that group as specified.
There's some points that aren't covered, but as for the technical information I think this may be some of the most accurate information I've read. I may use some of your information on my own blog, http: Nice article, this looks like some pretty clever work, but I'd love to know more about how the zero-proofs are performed.
The trick of it I'm missing is that she can't reveal which coin she's identifying, or the anonymity breaks down as Ian Miers posted. The commit value has to be published with my transaction so that there will be a unique coin only I can spend. Since we assume the network is mistrusted, the transaction and the commit value are tied together forever. Other people make coins. Some magic happens here where I prove I have the key without giving away my commit value or encryption key.
If I give either one away, I can be identified. The SN will be recorded for all time in the Spend transaction block chain. So in the end, the network will never know which coin I was spending. They'll always know how many are still valid, but not which ones to remove from the valid group to simplify future validations. It might be better to build a scrypt based altcoin based on the premise of total anonymity, rather than attempting to get people to accept a modified version of one they're already running.
Bitcoin transaction chain — protect value and it becomes value. You can have different addresses in order to receive payments. Why does this have to be incorporated into all bitcoin clients? Why can't it be an addon? Just create your own ledger which only refers to certain hashes in the bitcoin chain… Actually I was going to say everyone could indeed only use Zerocoins, but now I've realised that's probably not true.
Surely if your claim to any specific Zerocoin is your knowledge of a serial number, then it would be impossible to safely sell a Zerocoin, since the buying party couldn't force you to forget the serial number. I was going to say there would be practical, technical performance reasons to only use Zerocoins when anonymity was required.
And Squeakneb is surely right! Bitcoin is also still up for manipulation like a junior penny stock. People that attack exchanges can sell their holdings only to buy them up when their attack is finished. Have just encountered your page and I guess you should be complimented for this piece. More power to you! A lot of people here are living in fantasy land. No, it will be crushed by the players or regulated out of existence by gov'ts. Anyone with enough computing power to do any serious amount of data mining can essentially read your bank statements.
Or, on a less personal level, there's plenty of humanitarian operations that can't operate publicly in this or that dictatorship — Bitcoin can no longer be used to support them because if they ever spend it their government will be able to figure out who was doing the spending. This isn't sci-fi; the tech exists to do it already. If you're okay with these consequences, then Zerocoin-style anonymity is obviously not desirable.
If you're not okay with them, though… well, then either the trust-free blockchain is an unsuitable dream and the sooner we stop bothering with it the better, or the trust-free blockchain needs to have some ability to anonymize which, like any tool, will then be available to both the just and the unjust.

The coin C is added to a cryptographic accumulator by miners, and at the same time, the amount of bitcoin equal in value to the denomination of the zerocoin is added to a zerocoin escrow pool.
To redeem the zerocoin into bitcoin, preferably to a new public address, the owner of the coin needs to prove two things by way of a zero-knowledge proof.
A zero-knowledge proof is a method by which one party can prove to another that a given statement is true, without conveying any additional information apart from the fact that the statement is indeed true. The first is that they know a coin C that belongs to the set of all other minted zerocoins C1, C2, ..., Cn, without revealing which coin it is.
In practice, this is done quickly by use of a one-way accumulator that does not reveal the members of the set. The second is that the person knows a number r , that along with the serial number S corresponds to a zerocoin. The proof and serial number S are posted as a zerocoin spend transaction, where miners verify the proof and that the serial number S has not been spent previously. After verification, the transaction is posted to the blockchain, and the amount of bitcoin equal to the zerocoin denomination is transferred from the zerocoin escrow pool.
Anonymity in the transaction is assured because the minted coin C is not linked to the serial number S used to redeem the coin. The accumulator used for the zero-knowledge proof would have to be re-computed every time a spend transaction is verified, and although this can be done incrementally if the accumulator checkpoint is carried on from earlier blocks to the new block, it would still add some overhead to the verification process.
Additionally, both the accumulator checkpoint and all the zerocoin serial numbers would have to be added to every bitcoin block, thus increasing the size although not substantially. Since the verification process for zerocoins is much more computationally heavy than for bitcoins, the verification time for a block would increase up to 6 times depending on the ratio between bitcoins and zerocoins.
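The mint, accumulate and spend steps described above, as an added toy example that is not part of the article or of the Zerocoin project's own code. It uses a constructed, insecure modulus and shows the coin C and randomness r in the clear at spend time, where the real protocol would publish only a zero-knowledge proof and the serial number S; the incremental witness update is the one-exponentiation-per-outstanding-coin cost discussed in the thread.

```python
from dataclasses import dataclass, field

# Constructed toy parameters (illustration only; a real deployment uses large
# primes and an RSA modulus whose factorisation nobody knows).
TOY_P, TOY_G, TOY_H = 7919, 2, 3      # group for the Pedersen-style commitment
TOY_N, TOY_BASE = 1009 * 1013, 5      # RSA-style accumulator modulus and base


def mint_coin(serial: int, r: int) -> int:
    """Coin C = G^S * H^r mod P: a commitment to serial S under randomness r."""
    return (pow(TOY_G, serial, TOY_P) * pow(TOY_H, r, TOY_P)) % TOY_P


@dataclass
class ToyLedger:
    """Accumulator A = BASE^(C1*C2*...*Cn) mod N plus the spent-serial list."""
    acc: int = TOY_BASE
    witnesses: dict = field(default_factory=dict)   # coin -> w with w^C == A
    spent_serials: set = field(default_factory=set)

    def accumulate(self, coin: int) -> None:
        # Every outstanding witness costs one exponentiation per new coin;
        # this is the incremental update the thread discusses.
        for c in list(self.witnesses):
            self.witnesses[c] = pow(self.witnesses[c], coin, TOY_N)
        self.witnesses[coin] = self.acc        # witness = accumulator before C
        self.acc = pow(self.acc, coin, TOY_N)

    def is_member(self, coin: int, witness: int) -> bool:
        return pow(witness, coin, TOY_N) == self.acc

    def spend(self, coin: int, witness: int, serial: int, r: int) -> bool:
        # Toy: C and r are shown in the clear. Real Zerocoin proves these two
        # facts in zero knowledge and publishes only the proof and S.
        if serial in self.spent_serials:
            return False                           # serial already used
        if not self.is_member(coin, witness):
            return False                           # never minted
        if mint_coin(serial, r) != coin:
            return False                           # S, r do not open this coin
        self.spent_serials.add(serial)
        return True
```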
Preliminary tests done by the developers show that even with the increased verification time and blocks twice the size of current bitcoin blocks, the verification time for an entire block would not exceed five minutes, and since a new bitcoin block is currently created every ten minutes on average, the increased verification time should not be a problem. Roger Ver was one of Zcoin's initial investors, as he was for Zcash.
Zoin is a community governed digital currency that has implemented the Zerocoin Protocol. Zoin was created in November from an early fork of Zcoin. The new protocol was called Zerocash. It is now not an extension to bitcoin, but rather an independent technology with the same basic principles as blockchain and transactions, which was planned to be implemented in an altcoin.
Between 5 October and 11 January, the Zerocash website started noting that "The Zerocash protocol is being developed into a full-fledged digital currency, Zcash." One criticism of zerocoin is the added computation time required by the process, which would need to have been performed primarily by bitcoin miners. If the proofs were posted to the blockchain, this would also dramatically increase the size of the blockchain. Nevertheless, as stated by the original author, the proofs could be stored outside of the blockchain.
Since a zerocoin will have the same denomination as the bitcoin used to mint the zerocoin, anonymity would be compromised if no other zerocoins or few zerocoins with the same denomination are currently minted but unspent. A potential solution to this problem would be to only allow zerocoins of specific set denominations, however, this would increase the needed computation time since multiple zerocoins could be needed for one transaction.
Since n has to be hard to factor, p and q must be unknown to normal users for zerocoin to be secure. The protocol could rely on RSA unfactorable objects to avoid having to have a trusted party for the setup process.
The Zerocoin team announced that a single-symbol error in a piece of code "allowed an attacker to create Zerocoin spend transactions without a corresponding mint". In an uncommon move, developers have opted not to destroy any coins or attempt to reverse what happened with the newly generated ones.
From Wikipedia, the free encyclopedia.