
Zerocoin startup revives the dream of truly anonymous money - rdl
http://www.wired.com/2015/11/zerocoin-startup-revives-the-dream-of-truly-anonymous-money/
======
lisper
I really don't understand why anyone thinks that anonymous money is a good
idea. I'm as big a fan of freedom as the next person, but it seems to me that
the _primary_ purpose of anonymous money is to do an end-run around the law.

[UPDATE] Let me try to make this a little more precise: I don't understand the
appeal of anonymous _digital_ money. Physical cash is very useful, and I would
not want it to go away. But even physical cash is not completely anonymous
because you have to be physically present to exchange it, which entails a
certain amount of risk, and that puts some checks-and-balances on potential
abuses. Anonymous _digital_ money does away with those checks-and-balances and
makes a lot of activities with questionable societal value like crypto-
extortion much more lucrative than they were before. For example, malware that
encrypts your hard drive for ransom was unheard of before the advent of
Bitcoin.

~~~
nfoz
I typically agree with that sentiment..... but then I think about all the
information that Amazon has about me: e.g. political and religious views,
cosmetic and OTC pharmaceuticals....... I'd really rather I could buy things
anonymously online. I'm ok with the _government_ seeing these things with a
warrant; I just don't want the stores I'm interacting with to have such a
thorough profile.

~~~
vox_mollis
Strange, we have entirely opposite views on this.

One thing Jeff Bezos can't do is trump up "structuring" charges, arrest me,
prevent access to decent legal representation by freezing my assets, and then
use the threat of decades in prison to extort me into accepting a plea deal of
being locked in a cage with violent people for just a few years.

I'd be FAR more accepting of Amazon having full detailed knowledge of my
financial life than an entity with the real power to destroy my life on a
whim.

~~~
bko
Also it's easier to switch vendor than it is to switch governments

------
choffman
This technology already exists today in the form of the Cryptonote based coins
- of which Monero is the leading example.

Cryptonote, by default, is an opaque blockchain - your transactions are not
visible to the world. But, let's say you're a non-profit organization and you
_do_ wish for your donations to be public. Cryptonote allows for that using a
"view key".

In this way, you get the best of both worlds - privacy by default, and
openness when you need it.

The cryptonote wallets are still in their early stages, but the various coins
are available and trading on exchanges today. And you can even use them to pay
bitcoin based merchants using a service like ShapeShift or xmr.to.

~~~
ianmiers
All anonymity is not created equal: you're better off if we can only figure
out that one out of 6 billion people bought a Nickelback album, than if we
know it was either you or one guy in Tristan da Cunha. The size of your
anonymity set matters and Cryptonote provides a rather small one in comparison
to Zerocash. This is not to say Cryptonote is worthless, there are tradeoffs
between the two, but Zerocash has a distinct advantage in terms of anonymity
and I think it matters.

Cryptonote's ring signatures scale linearly in the number of people your
transactions are mixed with. As a result, you can't mix an individual
transaction with that many people without it getting too big and too
computationally costly (chaining transactions doesn't solve this). In contrast,
Zerocash mixes every transaction with every other transaction ever[1].

If you are worried about maintaining privacy given repeated interactions with
merchants or others who already have some partial information about you, the
size of the anonymity set matters considerably. Long-term intersection
attacks are a major problem with anonymity systems. The smaller the set you
mix with on any given transaction, the easier it is for some third party to
use outside information to eliminate everyone else in the mixing set (e.g.
because she knows no one else in the set was online at the time of the
transaction or was in your approximate geographic area), and determine the
true spender. One of the few effective defenses we have for this is to simply
include as many people as possible in the anonymity set. If you want to avoid
companies building financial profiles of users from the blockchain, this is
precisely the type of attack you need to thwart.

[1] Technically, up to 2^64 transactions and the network's ability to handle
the spent serial number list. So there is a limit, but it's rather large.

~~~
plasticmachine
The point you're actually trying to make is "every privacy scheme has
trade-offs".

Zerocoin's trade-offs are massive: untested / unreviewed cryptography, a
trusted initial accumulator that can ruin the anonymity for everyone forever,
a significantly larger transaction size, and a blockchain so opaque that
double-spends and false coin creation cannot be seen.

Those are the issues that matter, and Monero suffers from none of those
problems.

~~~
madars
> a trusted initial accumulator that can ruin the anonymity for everyone
> forever

This is false: even if somebody compromises the initial setup (which, if
implemented using the proposed MPC protocol, would require compromising every
single participant; compromising n-1 parties doesn't do anything), the system
continues to enjoy the same zero-knowledge guarantees. Compromised setup or
not, in Zerocash the anonymity set is all participants of the system.

~~~
plasticmachine
On further consideration I agree with you. Knowledge of the accumulator would
merely allow for the arbitrary creation of forged spends that appear valid,
but the rest of the system would still remain opaque (much to its detriment in
this instance).

Also there is nothing to suggest that a clever MPC will solve the collusion
problem. Of course the participants will make claims about their honesty, but
if ZeroCoin is worth massive amounts of money the temptation to seek collusion
will be there.

Of course, whilst it's true that some participants might stick to their
proverbial guns, what is going to prevent a motivated state-level attacker
from monitoring as many participants as they can during the computation? Then
they only need to compromise the handful that they couldn't monitor, and for
that they have rubberhose cryptanalysis.

~~~
ewillbefull
The way you phrase it makes it seem like the parties involved are perpetually
at risk of being compromised, as though they must retain and store the secrets
necessary for parameter generation forever. When in fact it will be done once,
and well in advance of any significant value in the currency which would
incentivize crazy government yatta yatta.

------
sarciszewski
I wonder how it will stack up against Bitcoin. Zero-knowledge proofs (zk-
SNARKs) should eliminate the need to store gigabytes of data on everyone's
computer that wishes to participate in the network, which is a win in and of
itself.

------
iamleppert
Sending money is a PITA because there's so much risk, because there's so much
incentive if you can game the system.

That said, I'm not sure how they will ever be able to scale their product and
comply with all the reporting requirements of the feds. Traditionally, the
primary users of anonymous money transfer systems have been those trying to
evade either the law man or the law (or both).

------
grubles
Relevant thread about Coinjoin, with a section comparing it to Zerocoin (I am
not sure how up-to-date the thread is, since it is from 2013):

[https://bitcointalk.org/index.php?topic=279249.0](https://bitcointalk.org/index.php?topic=279249.0)

