
Zerocash: Decentralized Anonymous Payments from Bitcoin [pdf] - rdl
http://zerocash-project.org/media/pdf/zerocash-extended-20140518.pdf
======
nullc
It's a little disappointing to see how much ZeroCash is hyped compared to
Bytecoin ([https://bytecoin.org/](https://bytecoin.org/)), since the former is
still vaporware while the latter is something real that you can go use right
now.

While the CRS ZK-SNARK stuff used for ZeroCash is very exciting technology,
the cryptographic assumptions are very new and kinda sketchy. The fact that
there is a trusted initialization is unfortunate, especially since compromise
of the initialization results in unbounded and undetectable inflation (well I
suppose you can detect it once a single altruist ends up with more coins than
ought to exist!). ... though it has implications which go far beyond
transaction anonymity.

The Bytecoin approach is based on much simpler cryptography— a Schnorr ring
signature in the curve25519 group. The anonymity it provides is theoretically
more limited— sort of like a CoinJoin where even offline people or even already
spent coins can be joined with you—, but because it doesn't require gigabytes
of signing keys or tens of seconds of computation to sign it might be more
anonymous in practice just due to being easier to use. (Oh yeah, and did I
mention, it's already in use so at the moment it's infinitely more private! :)
)

So far all of these anonymous systems have a number of interesting limitations
in common. For example, none of them support any kind of pruning so a
verifying node has state that grows forever— as compared to Bitcoin where if
you're just verifying new blocks (as opposed to helping initialize new peers)
you can forget the old state... e.g. right now a Bitcoin full verifier
technically only needs about 300MBytes of storage. So this privacy stuff comes
at a rather extreme cost. I've suggested some ways to improve this (basically
expiring old coins), but they reduce the anonymity set and have some usability
tradeoffs.

In any case, it's certainly better to see things like ZeroCash and Bytecoin
being worked on... I'm really skeptical about the wisdom of splitting up the
crypto-currency adoption network effect just to introduce some new transaction
features. But certainly doing it with substantive new features is way better
than just-another-worthless-clone. ... especially when there is running code
and not merely a whitepaper. :)

~~~
Taek
Zerocoin was really the first of its kind, that's where all of the hype comes
from. The promise that Zerocoin offered initially was a lot stronger than
anything around, and many people heard about Zerocoin long before they heard
about CoinSwap or CoinJoin (and subsequently Bytecoin).

> I'm really skeptical about the wisdom of splitting up the crypto-currency
> adoption network effect just to introduce some new transaction features.

As someone who's been working on cryptocurrencies, I think that most of the
Internet of Tomorrow is going to be driven by a set of cryptocurrencies that
all do different things, following some of the primary principles of Unix.
Storage and computation, for example, are services that I think will
eventually find homes in cryptocurrency. Already you see things like MaidSAFE
and Ethereum attacking these problems. But you also have problems that need to
be solved like DNS routing, public random numbers, time synchronization where
the modern solution involves centralized services.

Right now, there's not much that allows cryptocurrencies to communicate, but
that's quickly changing and should move forward much more in the next 5 years.
Merge mining, colored coins, and decentralized inter-currency exchanges are
just the beginning.

There are a lot of problems that cryptocurrency has the potential to solve,
and I think it's foolish to hope that a single cryptocurrency will
effectively solve all of them. But I also don't think that having 12 or 200
different cryptocurrencies means that any individual currency needs to be made
weaker. Merge-mining is a good start, but I think that inter-currency
cooperation and protection will continue to get better.

~~~
nullc
> Zerocoin was really the first of it's kind, that's where all of the hype
> comes from. The promise that Zerocoin offered initially was a lot stronger
> than anything around

Can you really say that Zerocoin was the first of its kind when it still
doesn't actually exist? There is a crypto library that implements the blind
accumulator but that's it. Not a usable system. Bytecoin and CoinJoins are
things you can use today.

The anonymity offered by systems that exist is inherently better than that
offered by ones that don't exist, I think. :) The Bytecoin anonymity is better
than Zerocoin's too, even ignoring the whole existence part.

(FWIW, I (and others) were posting about CoinJoin a long time before Zerocoin
was a twinkle in anyone's eye. But the sudden popularity of Zerocoin made me
realize that I needed to attach a compact and snazzy _name_ to the idea if I
wanted people to pick it up and run with it. Doing so appears to have been a
pretty massive success. ... I worry a lot about people paying too much
attention to someday-ware and as a result not going out and building things
that we can use sooner than someday.)

> As someone who's been working on cryptocurrencies, I think that most of the
> Internet of Tomorrow is going to be driven by a set of cryptocurrencies that
> all do different things, following some of the primary principles of Unix

Well, what do I know. ::shrugs::

To me "driven by a set of cryptocurrencies that all do different things"
doesn't sound like unix it sounds like saying that "in the future computer
communications will be enabled by orthogonal networks that each do different
things".

I think currencies, just like communications networks, benefit from Metcalfe's
law... So it seems silly to me to artificially divide up the world into
separate currencies just to get different transaction features. It's
technically unnecessary. There is, I think, an argument for dividing things up
for different economic approaches— e.g. freicoin's inflationary currency— but
for transactional purposes, it just isn't necessary. You can have one
cryptocurrency being used on many different transaction networks (including
decentralized ones). And I think that if in the future these things continue
to be used at all, we'll find ways to not create artificial friction where it
can be avoided.

~~~
Taek
> sounds like saying that "in the future computer communications will be
> enabled by orthogonal networks that each do different things".

Well, if you consider ntp to be one network, and the dns system to be a
separate network, and the CA system to be a separate network, that statement
seems to hold pretty well to today's internet. I'm not sure if you were
disagreeing with my statement.

> So it seems silly to me to artificially divide up the world into separate
> currencies just to get different transaction features.

Just as you can have one cryptocurrency being used on many transaction
networks, you can have one transaction network that uses many
cryptocurrencies. Just like the ntp/dns analogy, just because Bitcoin and
Ethereum are separate systems doesn't mean that I can't actively use each for
what it's most useful for. Each can still benefit from the users of the other.

------
rdl
This is, for me, the single most interesting thing in the Bitcoin/Blockchain
world.

I love the idea of Cryptocurrencies in general (and got interested in
computers, cryptography, security, and cypherpunks around the same time in
~1992), but without something which makes every transaction unlinkable, and
thus preserves fungibility of the currency, I find things like Bitcoin a step
back from Chaumian blinded tokens. There's the potential for coin validation
in regular bitcoin, and once there's technical potential, it can become
mandated. Once that happens, even if it starts for something "nice" like
preventing large thefts, it can turn into censorship.

_With_ zerocash, I could see blockchain-based anonymous systems coexisting
for low-throughput, high-persistence systems mainly going to blockchain tech,
and high-throughput, non-inherent-decentralized systems doing their own
Chaumian blinded token currencies. And "currencies" not just being used for
human payments, but lots of forms of resource allocation.

~~~
sirdogealot
Blockchain technology would certainly make title searches on real property
easier.

Right now I have to physically drive to a land records office, pay the people
behind the desk to look through some old photocopied records; which they can't
even fully guarantee the accuracy of.

~~~
rdl
There are two main systems of managing real property -- the decentralized
common law system, and the land registry system. I think for each just regular
signatures work -- the hard part is associating a key to each property owner,
but a central timestamping service helps there.

Most of the automated systems for land title seem to be the civil law
approach, and for that a central registrar doesn't really map well to the
blockchain. There's also no real anonymity -- at best, pseudonymity for keys,
but the hard part is binding keys to legal owners.

~~~
sirdogealot
On one hand, I am glad that the transfer of property is not always 100%
absolute.

Can you imagine what might happen if the land of the U.S. federal reserve
building was somehow transferred to a random individual?

I used to get "free money" in my bank account all the time. Some banker would
make an error, depositing a check from a member of a separate branch into my
account with the same account number. The mistake was usually noticed during
an audit and the money would magically be removed from my account.

Reversible transactions do have their place, I suppose.

~~~
rdl
I think with real property (and probably with "major" capital goods),
enforcement and registry are pretty intimately connected. If there's a
specific organization I'd call to get a non-owner removed from my property,
I'd probably just let that organization maintain a database of the property,
especially if it's using some cryptographic technique to prevent forgery
(through time, if nothing else), and some replication strategy.

Where it gets really interesting is with things like cars (and eventually
cellphones and other similarly priced goods); putting effectively activation
locks and DRM into the equipment. IFF you could trust the whole system, it
would make theft much less of a concern, which is great.

~~~
darkmighty
There's nothing technical impeding having a database linking each phone to a
UID-individual that could be disabled for carriers worldwide through some DRM
scheme (iirc, law enforcement demanded it several times). What's lacking is
will/coordination from carriers and device makers. They don't see it as a
competitive advantage, apparently.

It could make phone theft a lot harder depending on the hardness of the DRM.

------
rgbrgb
Could anyone better versed in cryptocoinage tell me how this differs from
darkcoin[1]? DRK is another cryptocurrency created for anonymous transactions.

[1] [http://www.darkcoin.io/](http://www.darkcoin.io/)

~~~
wmf
One of them is an academic paper and the other has a website that mostly
consists of "coming soon" pages. But seriously, DarkCoin appears to use
CoinJoin[1] which has a smaller anonymity set than SNARKy systems.

[1] [https://bitcointalk.org/index.php?topic=279249.0](https://bitcointalk.org/index.php?topic=279249.0)

~~~
aaxx1503
Darkcoin has actually implemented a lot of new code. They have an advanced
form of decentralized coinjoin called darksend mixed with a system of
masternodes which share the block reward as a sort of proof of service. The
masternodes require 1000 DRK ($6600+ as of right now) to limit network chatter
and make it increasingly expensive for people to take control of a lot of
masternodes. Additionally coins in masternodes are removed from circulation,
allowing a sort of positive feedback loop as far as price goes.

Darkcoin V2 is also adding ring signatures mixed in with the masternode
system so I'll see how that works when it gets released.

[http://www.darkcoin.io/downloads/DarkcoinWhitepaper.pdf](http://www.darkcoin.io/downloads/DarkcoinWhitepaper.pdf)

------
rrggrr
Can someone explain how this works to a non-mathematician?

~~~
rdl
Do you want to know what the results are, or how it works?

The results are essentially that a central party can pool together an
arbitrary number of bitcoins, then issue a derivative instrument against that
pool. Those derivative instruments can be constantly recreated, so they're not
maintaining any history or linkability. Once you receive one, you can also
redeem it, destroying it, and claim an equivalent value of bitcoin, which is
removed from the pool.

Except there is no "central party", except at the initiation of the system;
you can build it so the central party creates parameters but doesn't save
anything, so he's just a normal participant after that, and can disappear. So
it's almost as decentralized as Bitcoin/Satoshi.

How it works is a bit more complex; it involves zero knowledge proofs about
the derivative instruments. This is sufficiently advanced crypto that it will
be a burden to anyone trying to understand it.

~~~
jacobwcarlson
The math and crypto are fairly straight-forward, dunno why you're telling
people they can't understand it.

I'm curious about implementation, though. Most derivatives have a cost of
carry built-in and this doesn't. It also doesn't work unless you convert your
bitcoin immediately; the blockchain doesn't forget.

~~~
nullc
> The math and crypto are fairly straight-forward

Would you mind explaining the q-power knowledge of exponent assumption and how
someone verifying the recursively constructed proof can be confident that the
prover actually knows a _specific_ satisfaction of the circuit themselves,
given that the proof is much smaller than the possible state of different inputs? :P

------
fhinson
"The Zerocash protocol extends Bitcoin and enables users to pay one another
directly, via payment transactions that reveal neither the origin,
destination, or amount of the payment."

I can't see many governments being happy with a service like this.

~~~
sirdogealot
My thoughts exactly.

Matthew Green has carefully worded his presentation of this project in the
past.

He has always claimed that such an implementation _could be_ possible. Not
that it was inherent to the coin itself.

Let's hope that he gets it running sooner, rather than later. Before somebody
has a chance to change his mind.

------
pmorici
So is this something that can be added on top of Bitcoin or is it a separate
coin with improvements? It isn't clear to me which it is from the abstract.

~~~
sirdogealot
It is going to be a separate coin once released.

Their attempts to merge the original Zerocoin idea into the Bitcoin blockchain
were met with contempt.

~~~
kzrdude
oh. contempt from whom, and why?

~~~
rdl
The major objections are to the inherent complexity of Zerocoin (it uses
actual bleeding edge crypto); the performance/size issues (it used to be hours
per transaction, I think it's down to minutes now); and the potential for
regulatory backlash at a time where Bitcoin people were in appeasement mode,
to some extent.

~~~
hendzen
Compared to the crypto used in Zerocash, Zerocoin's internals are fairly
elementary.

Zerocoin used one-way accumulators and discrete log based ZKPs, which are
fairly approachable to anyone who has taken an undergraduate course in
cryptography. Zerocash, however, uses Ben-Sasson's highly efficient zk-SNARK
construct [0], the details of which are probably fully understood by a handful
of people in the world. There's a reason the people who geek out over this
kind of thing (#bitcoin-wizards) call it 'Moon math'.

[0] [https://eprint.iacr.org/2013/507.pdf](https://eprint.iacr.org/2013/507.pdf)

~~~
rdl
Sorry, I confused Zerocoin and Zerocash (which even some of the paper's
authors did when I talked to them at RWC).

~~~
sirdogealot
It's easy to do so, considering that the new zerocash protocol's whitepaper
references zerocoin and claims that its new coins will still be called
zerocoins once implemented.

------
lifeisstillgood
isn't there a legal issue here - in any contract there is _consideration_ -
but if consideration is anonymous who can enforce a contract?

~~~
oleganza
To enforce contract you do not always need identity. Identity is needed when
enforcement is through violence. But you can use economic incentives to make
people prefer following the contract.

[http://blog.oleganza.com/post/71410377996/real-crypto-anarchy-without-anonymity](http://blog.oleganza.com/post/71410377996/real-crypto-anarchy-without-anonymity)

[http://blog.oleganza.com/post/58240549599/contracts-without-trust-or-third-parties](http://blog.oleganza.com/post/58240549599/contracts-without-trust-or-third-parties)

------
nullz
a source of some confusion: zerocoin !== zerocash

