
Zcash, an untraceable Bitcoin alternative, launches in alpha - rdl
http://www.wired.com/2016/01/zcash-an-untraceable-bitcoin-alternative-launches-in-alpha/
======
ctoth
Of course, once these techniques were in place, they conclusively destroyed
the ability of governments to control the flow of electronic funds, anywhere,
anytime, for any purpose. As it happened, this process had pretty much
destroyed any human control at all over the modern electronic economy. By the
time people figured out that raging nonlinear anarchy was not exactly to the
advantage of anyone concerned, the process was simply too far gone to stop.
All workable standards of wealth had vaporized, digitized, and vanished into a
nonstop hurricane of electronic thin air. Even physically tearing up the fiber
optics couldn't stop it; governments that tried to just found that the whole
encryption mess oozed swiftly into voice mail and even fax machines.

...

Alex did not find it surprising that people like the Chinese Triads and the
Corsican Black Hand were electronically minting their own cash. He simply
accepted it: electronic, private cash, unbacked by any government,
untraceable, completely anonymous, global in reach, lightninglike in speed,
ubiquitous, fungible, and usually highly volatile. Of course, such funds
didn't boldly say "Sicilian Mafia" right on the transaction screen; they
usually had some stuffy official-sounding alias such as "Banco Ambrosiano ATM
Euro-DigiLira," but the private currency speculators would usually have a
pretty good guess as to the solvency of the issuers.

- Heavy Weather

~~~
natrius
It turns out that there's a pretty easy fix for this. People have to start
caring how the money they're accepting has flowed through the economy. You
don't need a government to sanction bad actors. The people can do it on their
own.

Money is power. Anonymous money prevents you from choosing which power you'd
like to submit to. Decentralized money prevents governments from restricting
power. Let's keep the decentralization and remove the anonymity so you can
reject power you find undesirable.

The first application of this mechanism will probably be restoring our
democracies by rejecting the power of money to influence them. It won't be the
last application—I think we'll use it to enforce any rule that has a broad
consensus behind it. The boundaries of the enforcement will be the same as the
boundaries of our economy: there aren't any. We'll have global governance
without a global government.

This is merit capitalism.
[http://meritcapitalism.com/](http://meritcapitalism.com/)

Zcash is cool, but if you accept it as payment, you're making yourself
powerless.

~~~
drdeca
This is an interesting idea, and seems worth considering.

What would you think of a system that instead tracked materials and
manufacturing process?

So, each step in the manufacturing process would use proofs received from
previous steps that the amount they claim to have produced is not more than
they could make with only the materials that previous steps have said they
supplied?

So, e.g., if there is a place that makes good(?) grain, they would include
some cryptographic signature that they provided the amount of grain, and then
a baker receiving it would be able to produce a signed claim that they made so
many breads with only grain from there, and they wouldn't be able to fake
making more by adding grain from elsewhere, because the total of all their
claims of how much of the grain is used in each bread could not total more
than the grain which was signed as provided?

Or something like that.

I don't remember the specifics.

Would it be better to track who owned the money before you, or to track how
the product was made? Or both?

I think there are probably some advantages of anonymous money, but I don't
know that they outweigh the costs that you mention. (I suspect non-anonymous
money makes auctions and things more difficult, and might reduce efficiency,
but that might just be the acceptable cost of influencing the world against
people doing harm)
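
One way to implement the conservation check drdeca sketches above (an added example, not code from the thread or from any project named in it): each party signs its claims, and a verifier rejects any chain where a producer's declared inputs exceed what was signed over to it, or its declared output exceeds what those inputs allow. The HMAC keys, lot ids and grain-per-loaf ratio are constructed stand-ins; a real deployment would use public-key signatures so verifiers hold no secrets.

```python
import hashlib
import hmac
import json

# Constructed stand-in for each party's signing key (assumption: HMAC in place of
# public-key signatures, so the verifier here must hold the same keys).
KEYS = {"farm": b"farm-signing-key", "bakery": b"bakery-signing-key"}
GRAIN_KG_PER_LOAF = 0.5   # constructed bill of materials


def _body(payload: dict) -> bytes:
    return json.dumps(payload, sort_keys=True).encode()


def sign(party: str, payload: dict) -> dict:
    tag = hmac.new(KEYS[party], _body(payload), hashlib.sha256).hexdigest()
    return {"party": party, "payload": payload, "sig": tag}


def verify(claim: dict) -> bool:
    if claim["party"] not in KEYS:
        return False
    expected = hmac.new(KEYS[claim["party"]], _body(claim["payload"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, claim["sig"])


def check_chain(supply_claims: list, product_claims: list) -> bool:
    """True only if every claim verifies, every consumed lot was signed over to the
    consumer, no lot is over-consumed, and no batch claims more output than its input."""
    supplied = {}
    for c in supply_claims:
        if not verify(c):
            return False
        p = c["payload"]
        supplied[p["lot"]] = (p["grain_kg"], p["to"])
    used = {}
    for c in product_claims:
        if not verify(c):
            return False
        p = c["payload"]
        if p["lot"] not in supplied or supplied[p["lot"]][1] != c["party"]:
            return False        # consuming a lot never signed over to this party
        if p["loaves"] * GRAIN_KG_PER_LOAF > p["grain_kg"]:
            return False        # output exceeds what the declared input can make
        used[p["lot"]] = used.get(p["lot"], 0) + p["grain_kg"]
    # Total grain claimed against each lot may not exceed what the farm signed for.
    return all(used.get(lot, 0) <= qty for lot, (qty, _) in supplied.items())


def demo(inflate: bool = False) -> bool:
    """Farm signs a 100 kg grain lot over to the bakery; bakery signs batches against it."""
    supply = [sign("farm", {"lot": "L1", "grain_kg": 100, "to": "bakery"})]
    batches = [
        sign("bakery", {"lot": "L1", "grain_kg": 60, "loaves": 120}),
        sign("bakery", {"lot": "L1", "grain_kg": 40, "loaves": 80}),
    ]
    if inflate:   # a third batch would need grain the farm never signed over
        batches.append(sign("bakery", {"lot": "L1", "grain_kg": 10, "loaves": 20}))
    return check_chain(supply, batches)
```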

~~~
natrius
> What would you think of a system that instead tracked materials and
> manufacturing process?

I think it's a great idea, and people are building it.

[https://medium.com/@jutta_steiner/using-the-global-trust-machine-to-solve-transparency-in-supply-chains-c6bdc90c3f15](https://medium.com/@jutta_steiner/using-the-global-trust-machine-to-solve-transparency-in-supply-chains-c6bdc90c3f15)

The decentralization renaissance is hitting full steam. If you like thinking
about this sort of thing, you should find a way to make it your day job.

------
kleer001
I love the idea, but...

> Zcash is launching as a for-profit company.

That's their downfall right there. With someone visible to track they've given
up the game before they started. Real people running real companies are really
vulnerable. The real test of a security system is its weakest link. And that
link is almost always a person. Right?

IMHO the subtle political reason Bitcoin has gotten as far as it has is
because its creator has remained anonymous, and not tried to visibly profit
from it.

Why do I think that? Because governments are very territorial about their
money. Banks too. The regulations for banks are pretty tough, as you may know,
Know-Your-Customer edicts and such.

~~~
sarciszewski
> That's their downfall right there. With someone visible to track they've
> given up the game before they started. Real people running real companies
> are really vulnerable. The real test of a security system is its weakest
> link. And that link is almost always a person. Right?

The company that is launching this consists of a team of brilliant
cryptographers and security engineers.

How does "their identity is known" translate into an attack?

How does "they're a for-profit company" weaken the security guarantees of a
zero-knowledge proof?

~~~
rogerbinns
> How does "their identity is known" translate into an attack?

They can be coerced into actions based on threats to themselves or relatives.

~~~
ewillbefull
Virtually everyone involved in Bitcoin's development is also well-known and
presumably "coerceable." The company makes no difference as far as I can see.

~~~
DickingAround
When someone has a legitimate claim to be an owner, that person will have sway
to do crazy things like make it closed-source or change the critical
constants. Not saying it's a deal-breaker, but it's more risk than if no one
can claim to own it (if bitcoiners are angry about the excessive power of the
people with admin permissions to the github repo, just imagine how difficult
it would be to wrench control from a company that invented the product and has
copyright claims to it). I guess what I'm saying is you don't get much
leverage if you convert a bitcoin dev but if you convert the owners of this
company you'll get a lot of leverage.

------
jhasse
For anyone interested in how Zcash (formerly Zerocoin) works and who
understands German, I've written my Bachelor thesis about it in 2013:
[http://www.math.uni-bremen.de/~jhasse/Kryptografische%20Grundlagen%20von%20Bitcoin.pdf](http://www.math.uni-bremen.de/~jhasse/Kryptografische%20Grundlagen%20von%20Bitcoin.pdf) (Part IV)

~~~
vessenes
Hey!

Can you help me understand something about Zcash? Do buckets need to be
decrypted for the network on spend? Or is there a way to append a zk-proof
that the bucket contains enough to fund follow-on buckets?

I'm probably wasting your time a little by asking, but I don't want to rely on
my own reading to get a solid understanding.

~~~
jhasse
What exactly are buckets? I think they used some other terminology back in the
Zerocoin days.

~~~
vessenes
The github explains that you create a transaction as follows:

1) You have 50 coins in a 'bucket' or address?
2) You send 18 to a friend
3) You send 32 to yourself.

So you create two encrypted buckets, 18 in one, and 32 in the other. They seem
to be the equivalent of UTXOs. I'm not clear if they need to be 'revealed' to
be spent though.

~~~
jhasse
IIRC: No, they aren't "revealed". The 32 newly created coins in your bucket
will be made public with a "commitment". I think this was called forging a
Zerocoin. When you use them later you're using a zero-knowledge proof, which
means others can't link the coins you spend with the forged coins from
earlier.
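
A toy model of the commit-then-spend flow jhasse describes, run on vessenes' 50 = 18 + 32 case (an added example, not code from the thread or from Zcash). It follows the Zerocash paper's design of a coin commitment plus a PRF-derived serial number; the one assumption is `pour_statement`, which checks the value-preserving relation with the witness in the clear where Zerocash would verify a zk-SNARK and learn nothing but the public `Pour`.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


@dataclass(frozen=True)
class Note:
    """A 'bucket' of coins: value, owner address, per-note nonce, commitment randomness."""
    value: int
    pk: bytes
    rho: bytes
    r: bytes

    def commitment(self) -> bytes:
        # The only thing published when the note is created (the "commitment").
        return H(self.pk, self.value.to_bytes(8, "big"), self.rho, self.r)


def keygen() -> tuple:
    sk = os.urandom(32)
    return sk, H(b"addr", sk)


def new_note(value: int, pk: bytes) -> Note:
    return Note(value, pk, os.urandom(32), os.urandom(32))


def serial_number(sk: bytes, note: Note) -> bytes:
    # PRF of the note nonce under the spending key; published on spend. Without sk
    # and rho nobody can match it to the commitment that created the note.
    return hmac.new(sk, note.rho, hashlib.sha256).digest()


@dataclass(frozen=True)
class Pour:
    """What the network sees for a spend: consumed serial numbers, new commitments."""
    serials: tuple
    new_commitments: tuple


class Ledger:
    def __init__(self) -> None:
        self.commitments = set()
        self.spent_serials = set()

    def mint(self, note: Note) -> None:
        self.commitments.add(note.commitment())

    def pour_statement(self, sk: bytes, inputs: tuple, outputs: tuple, pour: Pour) -> bool:
        # The relation Zerocash proves in zero knowledge; here checked with the
        # witness (sk, notes) exposed. Assumption: stand-in for SNARK verification.
        pk = H(b"addr", sk)
        return (
            all(n.pk == pk and n.commitment() in self.commitments for n in inputs)
            and tuple(serial_number(sk, n) for n in inputs) == pour.serials
            and tuple(n.commitment() for n in outputs) == pour.new_commitments
            and sum(n.value for n in inputs) == sum(n.value for n in outputs)
        )

    def apply(self, pour: Pour, proof_ok: bool) -> bool:
        # Validators only see `pour`; the serial-number set is what stops double spends.
        if not proof_ok or any(sn in self.spent_serials for sn in pour.serials):
            return False
        self.spent_serials.update(pour.serials)
        self.commitments.update(pour.new_commitments)
        return True


def split_demo() -> dict:
    """Spend a 50-coin note as 18 to a friend and 32 back to yourself."""
    ledger = Ledger()
    sk, pk = keygen()
    _, friend_pk = keygen()
    old = new_note(50, pk)
    ledger.mint(old)
    outputs = (new_note(18, friend_pk), new_note(32, pk))
    pour = Pour((serial_number(sk, old),), tuple(n.commitment() for n in outputs))
    ok = ledger.pour_statement(sk, (old,), outputs, pour)
    bad = (new_note(18, friend_pk), new_note(33, pk))   # tries to create a coin
    bad_pour = Pour(pour.serials, tuple(n.commitment() for n in bad))
    return {
        "first": ledger.apply(pour, ok),
        "replay": ledger.apply(pour, ok),                # same serial again: rejected
        "unbalanced": ledger.pour_statement(sk, (old,), bad, bad_pour),
        "leaks_link": old.commitment() in pour.serials + pour.new_commitments,
    }
```

The public `Pour` carries neither the input commitment nor any value, which is the unlinkability jhasse refers to; the serial-number set is what makes a second spend of the same note fail.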

------
fernly
This issue is mentioned in a small sub-comment and has drawn no replies but it
seems to me like the Heffalump In the Room:

"For its first four years online, a portion of every mined Zcash coin will go
directly to Wilcox’s Zcash company and a smaller portion to a non-profit he’s
creating to oversee the Zcash code and community longterm. Wilcox says that he
plans for 1 percent of Zcash’s currency to ultimately go towards that non-
profit, and 10 percent to be paid to the for-profit startup."

Who is going to want to engage in commerce in a system that creams off a 10
percent vigorish on every transaction? Credit card companies are hated by
small merchants for taking a third that much.

~~~
x5n1
Credit card companies take at least that much from the transaction. They
charge both the supplier and the holder.

~~~
runholm
Credit cards are more expensive than most would like them to be. We don't need
another expensive system.

Besides, credit cards offer protection in that they are able to give insurance
on purchases by doing charge backs.

------
DCKing
There's an interesting property of fully untraceable currency, and that's that
it's possible to perform 'perfect crimes' [1]. Often the weakness in
committing, say, a kidnapping or a drug sale is handling the associated money
obtained with it which can be traced back to people due to circumstances.
Fully untraceable currency by definition completely avoids these
circumstances.

The inevitable question "should we want this?" is moot because evidently such
systems are possible (iff they provide a practical currency for such
transactions) and will inevitably be used for this. Furthermore, Bitcoin
already achieves something close to it in practice. It's just worth pointing
out that untraceability will have nasty consequences as well as good ones.

As an interesting aside, David Chaum, who has lately been infamous for
advocating ways to backdoor encryption, may be considered the father of fully
untraceable (but not decentralized) digital currencies. Ironically, after [1]
was published, others in the cryptographic community spent a number of papers
on building what they called 'fair' blind signatures, which basically consisted
of varieties of Chaum's basic idea but where untraceability could be
lifted by an "independent party possessing the right private key" (i.e. a
public "police backdoor"). They were trying to backdoor Chaum's encryption...

[1]:
[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.465...](http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.465.9796&rep=rep1&type=pdf)

~~~
dmix
Currency is merely one investigative method. There are plenty of others and
like all crypto systems there will be cracks, people will make OPSEC mistakes,
and ultimately law enforcement agencies have access to hacking/CNE.

Additionally, the money by itself may be anonymous, but that person will have
to convert it to other currency or make purchases. Those purchases may be
physical objects like cars, or rent, or any other large purchase which the
person will have to demonstrate how they could afford to purchase it. The IRS
would still be able to detect irregularities in consumption.

If anything it will be a boon for the information security industry; they
will have to stop selling snake oil and start selling solutions that actually
prevent people's money from being stolen.

------
xiphias
Zerocash had a possible backdoor, which was its biggest drawback. I don't see
it mentioned on the web page, which seems like they're hiding it (it's crucial
to know who we need to trust with the setup part, and whether anybody has the
right to take part in it).

"Security of Π relies on a trusted party running Setup to generate the public
parameters (once and for all). This trust is needed for the transaction
non-malleability and balance properties but not for ledger indistinguishability"

- from the zerocash paper

~~~
ewillbefull
Zcash is planning to use a new multi-party trusted setup scheme that allows a
group to securely compute the mathematical structures necessary to protect the
zero-knowledge proof integrity.

(Secure Sampling of Public Parameters for Succinct Zero Knowledge Proofs,
Ben-Sasson, E.; Chiesa, A.; Green, M.; Tromer, E. et al.)

Only if every member of this group were compromised or dishonest will the
setup fail. That is, only 1/N participants need to be honest.

~~~
mangeletti
Would this new "multi-party trusted setup" happen to be based on a block chain
of its own?

If so, then they've introduced a new sort of meta 51% attack potential in a
system that gives no economic incentive to mine (i.e., a 51% attack is much
easier when it's not "51% of everyone trying to earn coins", but instead is
"51% of those donating computing to protect zero-knowledge proofs"), right?

If not so, then how? (rewind to Jan 2, 2009...)

~~~
swordswinger12
Most zk-SNARK constructions are in the "common reference string" model, which
requires a one-time trusted setup of a random string accessible to all
parties:
[https://en.wikipedia.org/wiki/Common_reference_string_model](https://en.wikipedia.org/wiki/Common_reference_string_model)

------
al2o3cr
This will be massively labor-saving for a key cryptocurrency use-case:
exchange operators who "get hacked" won't have to worry about whether they
sufficiently hid the outbound funds... ;)

~~~
ewillbefull
One of the most important properties of Zcash is "selective disclosure."
Effectively, you can audit and perform proofs-of-solvency with the same
security as in other cryptocurrencies.

But yes, if someone on the inside "steals" the money, nobody will figure out
where it went.

------
rdl
I'm still a believer in a universe of huge numbers of diverse Chaumian token
issuers intermediated by markets, but Zcash is an amazing system.

Zooko, btw, used to work for DigiCash long ago. The world of anonymous ecash
has been...without a lot of progress, overall. Hopefully Zcash changes this.

------
sarciszewski
For anyone who wants to dive headfirst into the code:

[https://github.com/Electric-Coin-Company/zcash](https://github.com/Electric-Coin-Company/zcash)

------
bduerst
>Zcash isn’t intended to facilitate crime, but also notes that the company
isn’t liable for any criminal applications for which Zcash is used. “The
people who built the first cars weren’t held responsible for car accidents or
bank robberies,”

Good luck with that, especially as a registered for-profit organization.

Car manufacturers are required to report VIN numbers and allow for license
plates, on top of a number of other mandatory regulations. Road access is also
a privilege, and automobiles not meeting certain standards are not allowed.

~~~
dmix
Car manufacturers can report VIN numbers without destroying their business. If
zcash is compelled to, then their business will no longer exist, as the
primary incentive to using it (privacy) is no longer there.

The question is whether a judge is willing to destroy a company in order to
pursue law enforcement goals.

Regardless, this doesn't mean zcash will necessarily die, as it will be
open-source and has the ability to continue functioning without a centralized
organization.

~~~
gamblor956
Zcash can't get around financial institution regulations simply by disclaiming
liability. If that worked, banks and other institutions would have done so by
now.

But yes, a judge would be perfectly willing to destroy a company in violation
of the law. See, e.g., Aereo and its ilk.

~~~
dmix
Indeed, but as consumers this doesn't affect us if an OSS version comes out as
a result? Nor would it be an effective law enforcement tactic.

~~~
bduerst
It would definitely affect user adoption with the majority of merchants.

------
droffel
I'm not really sure how Zcash's privacy features differentiate it from a
Cryptonote protocol, like Monero.

Disclosure: I own Bitcoin, but do not currently own any Monero. I have no
financial incentive to promote it, I'm just legitimately curious as to how
Zcash is different.

~~~
ewillbefull
Monero and other ring signature schemes can only feasibly "mix" your
transactions with a small number of previous transaction outputs, opening the
door to statistical attacks.

Zcash mixes your transaction with every previous transaction. In fact, it goes
to great lengths to make transactions indistinguishable from each other.

------
kedean
I applaud the cryptography work here, it seems like a damn cool application of
ZKPs, but I think they're missing what made Bitcoin work. The tech people took
to BTC because it was something that they could verify worked correctly, and
had no centralized party who could change it on a whim. Once it had the
backing of those tech people, _then_ it spread to everyone else. These guys
might be able to get a small portion of customers who don't care about a
centralized party, but that just isn't going to be enough; those aren't the
people who are going to evangelize it.

------
DickingAround
There's a customer-base problem here. Bitcoin's expansion is based on who is
willing to consider something different. A new alt-coin promising to do the
kinds of things Bitcoin does but better (not crack new customers) can only
exist by taking Bitcoin's market-share (which is not big). Being honest with
ourselves, this is likely to get lost in the noise until bitcoin is large
enough and this weakness of it is exploited enough that a substantial amount
of people look for an alternative.

~~~
dmix
The iPhone still exists despite Android coming out.

I see no need for a single currency at a time. There may be ultimately a
winner, but there is no stopping each from finding their own niche. What if
Bitcoin becomes the currency of Wall St - which is better served by
pseudonymous currency - while ZCash fills the more privacy oriented niche for
projects like Open Bazaar?

------
davidgerard
This literally has no use case other than illicit transactions - the one and
only substantial Bitcoin use case in practice. They're even asked about this
directly and can't come up with any!

So the question is: can Zcash compete with Bitcoin in the darknet markets? Is
there any DNM that does _any_ substantial business in a crypto other than
Bitcoin?

~~~
ccarter84
> This literally has no use case other than illicit transactions

My thoughts exactly. But they must have made a good case that there were other
uses to their investors, they netted some pretty high-profile names.

I would imagine Dash is getting traction on darknets, but I haven't seen
anything on that one lately

------
ph33t
Various governments were not happy with BitCoins ... I'm sure this will drive
them crazy x10 if it catches on.

------
rtpg
It's kind of frustrating as a person wanting a decentralised payments system
having to work with people who want the most anonymous payments system
possible.

Enabling anonymous financial actions _is the very definition_ of money
laundering. Though the protocol could be freely distributed, any form of
business built on it will have a lot of trouble existing in any useful form.
Starting from that point is going to make your life so much harder.

And of course, the irony in trying to use Bitcoin as a basis for anonymous
transactions is solved with Zerocoin. But I don't know how a law-abiding
business can have reasonable knowledge of the parties in the transactions (a
requirement to not be money laundering) without meeting the wishes of the
fanbase.

~~~
gavazzy
Actually, anonymous financial transactions are quite common. Every time you
purchase something with cash, the seller receives payment with no knowledge of
who you are or how you got the money.

And the definition of money laundering is hiding the source of _illegally
obtained_ money. An anonymous transaction isn't laundering if there's nothing
dirty about the money in the first place.

~~~
XorNot
Paying in cash involves turning up in person with cash. That's definitely not
anonymous.

------
e40
Can someone ELI5 how Zcash works?

~~~
vessenes
Zero Knowledge proofs take the place of a digital signature proving ownership
of an address in Bitcoin.

Well, that's explain like you're a crypto undergrad. But, it's a start.

There's quite a lot of interesting cryptography and engineering involved in
making this work; the last zerocash presentation I saw in 2014 mentioned they
had been working on shrinking ZK proofs from 25k down to a manageable size for
a blockchain.

------
mootothemax
Does anyone know how anonymous transactions remain if e.g. law enforcement
take your (unprotected) laptop from you?

I've got to say, I don't have much confidence in the company itself,
specifically:

>Wilcox maintains his stealthy digital cash startup isn’t intended to
facilitate crime, but also notes that the company isn’t liable for any
criminal applications for which Zcash is used.

It's almost like they've never heard of
[https://en.wikipedia.org/wiki/E-gold](https://en.wikipedia.org/wiki/E-gold)
or its many, many variations.

~~~
cyphar
> Does anyone know how anonymous transactions remain if e.g. law enforcement
> take your (unprotected) laptop from you?

This is why you should do full disk encryption, and travel without your hard
drive. At the end of the day, there's probably forensic methods on your laptop
that would be far more damaging than just deanonymising your past
transactions.

~~~
mootothemax
>This is why you should do full disk encryption, and travel without your hard
drive. At the end of the day, there's probably forensic methods on your laptop
that would be far more damaging than just deanonymising your past
transactions.

While that's all very good and all, it doesn't really answer my question :)

~~~
cyphar
> >This is why you should do full disk encryption, and travel without your
> hard drive. At the end of the day, there's probably forensic methods on your
> laptop that would be far more damaging than just deanonymising your past
> transactions.

> While that's all very good and all, it doesn't really answer my question :)

I probably should've preceded that with "I don't know, _but_ ".

------
placeybordeaux
Correct me if I am wrong, but to generate a Zcash coin you need to send a
bitcoin to an escrow account, and to redeem it they will send a bitcoin from
the escrow account to wherever you want?

I would be much more comfortable with generation being tied to destroying
bitcoins or simply running yet another blockchain and letting the market deal
with exchanges from BTC to Z.

Looks like they made some very cool progress though.

------
eloy
But does it have the same scalability issues as Bitcoin?

If yes, I don't give cryptocurrencies a single chance to replace the current
currencies.

------
imaginenore
Bitcoin is already very untraceable. Yes, there's a public ledger of all
transactions, but it has no identifying information. There are some public
addresses whose owners are known, because they volunteered that information.
Exchanges also know the owners of certain addresses. But that's about it.

Bitcoin's address space is huge, something like 10^48. I can make a thousand
of them in a few seconds, along with the private keys. I can send the money to
any of them, and you will never know who owns it. I can send my money between
these 1000 addresses as much as I want, and all you will see in the ledger is
money going from A to B to C, just like the rest of it.

The Bitcoin network doesn't know any difference between me buying something on
Overstock, or me sending the money to my brother across the globe, or to
myself.

~~~
ewillbefull
This video should give you a better idea of how anonymous Bitcoin is.

[https://www.youtube.com/watch?v=AypRF9q0llU](https://www.youtube.com/watch?v=AypRF9q0llU)

There are also several startups dedicated to performing Bitcoin blockchain
analysis for this specific purpose.

~~~
imaginenore
Do you realize that this video doesn't contradict what I said? The hacker got
caught, and (some of) the money got returned, and that's what they are showing
in that video.

If the guy didn't get caught, they would have never found anything, unless the
thief is dumb enough to send these coins to his exchange.

If it were me, I would randomly mix 40,000 coins between random addresses,
random amounts, random times for like a year. Never using the same address
again. I would mix them with other coins. You might end up with 10,000
addresses holding random amounts of coins, but that's not a big deal at all.
You need some cash? LocalBitcoins in a neighboring town. Or create an online
business and buy your own product from yourself. Or build a website, put ads
on it, and buy quality traffic with bitcoin (arbitrage).

------
kchoudhu
Oh good, Roger Ver is involved as an investor.

Steer clear, fellas. Steer clear.

~~~
duskwuff
Mind explaining who this is, and why this is an issue?

(I genuinely have no idea, and I figure you can probably explain better than a
Google search could.)

~~~
kchoudhu
His wikipedia page is a good place to start:

[https://en.wikipedia.org/wiki/Roger_Ver](https://en.wikipedia.org/wiki/Roger_Ver)

* He sold explosives on ebay back in the day, and went to prison for it.

* He renounced his US citizenship to avoid paying taxes...

* ...but was for some reason VERY annoyed when the US government wouldn't let him back in.

* Of _course_ he funded Ross Ulbricht's defense in the Silkroad trial.

Mostly though, he is the subject of waaaay too many posts on /r/buttcoin. Who
you take money from shows what kind of organization you want to build. ZCash
is currently failing this test for me.

------
client4
Rather than recreate, they should see what Dashcoin is doing. IMHO Dash is the
most progressive altcoin working to fix major issues found with Bitcoin.

------
quantumpotato_
Can someone explain how these "Zero Knowledge Proofs" are "untraceable"?

