
Zerocoin: making Bitcoin anonymous - anologwintermut
http://blog.cryptographyengineering.com/2013/04/zerocoin-making-bitcoin-anonymous.html
======
A1kmm
<http://spar.isi.jhu.edu/~mgreen/ZerocoinOakland.pdf>, which is the
fundamental piece of new cryptography which enables it to work, doesn't make
any sense to me.

At the very least, the authors have made the formulation so unclear that you
could start to suspect the authors were deliberately trying to obfuscate it.
They define a function ZKSoK(c, w, r), and it would make sense not to use c,
w, and r to mean anything else in the short definition of the construction.
However, the authors chose to also use c for the hash used to make it non-
interactive, and r_i for a series of random numbers. Using the same variable
name for two different things makes it hard to work out what they mean, but as
far as I can tell, the c that is the function parameter is public knowledge, w
can be computed from public information, and ZKSoK does actually depend on the
r that is the function parameter, and the validation of the proof does not
actually check that S is correct (c is computed as c <- g^S * h^r mod p, but
it is useless if you can spend a zerocoin using any arbitrary S that doesn't
actually correspond to any real c) as it claims.

In the 15 page version, they claim that the proof of the soundness of the
ZKSoK proof can be found in "the full version of this paper" - perhaps that
text makes things clearer, but they don't seem to provide a reference to it.

------
vessenes
I like seeing proposals like this that use Bitcoin as essentially a protocol
layer (and in this case value store).

40KB anything is not going anywhere near the blockchain soon; this is going to
be a no-go for the dev team and miners.

There are also a bunch of ancillary questions, like can these zero knowledge
proofs (presumably non-interactive ones) be combined up with the rest of the
blockchain to be Turing-complete? Also a no-go.

Anyway, this is cool. Given current Bitcoin decision making processes, I would
expect it would need a solid year of great adoption in some sort of side-car
process before it had a shot at main blockchain integration, and even then, it
would have to get drilled down to 1 or 2k of data max.

~~~
brianberns
I know what Turing-complete means, but can you explain how the blockchain
could become Turing-complete, and why that would be a bad thing?

~~~
jlgreco
I'm not sure how it would happen, but if you could get miners to perform
arbitrary computation for you, as a consequence of processing zerocoin
transactions, then people might decide to abuse that and generate tons of
otherwise unnecessary transactions.

~~~
nanofortnight
The transaction verification language[1] is not Turing complete, and only
provides one bit of information (accept/reject transaction).

Currently almost all transactions scripts just do public-key verification.

[1]: <https://en.bitcoin.it/wiki/Script>

------
ezyang
Here is a puzzle for HNers. Suppose that I am a user who wants to anonymize
some Bitcoins, and I am willing to wait expected time N before redeeming my
Zerocoins. What is the correct probability distribution for me to pick my wait
time from?

~~~
lmgftp
U[0,∞]

~~~
jerf
No such thing: <http://math.stackexchange.com/questions/14777/why-isnt-there-a-uniform-probability-distribution-over-the-positive-real-number>

Get far enough into Reflection on Relativity and the author makes some
interesting observations based on this tidbit:
<http://www.mathpages.com/rr/rrtoc.htm> (But it is quite a ways in there.)

~~~
anonymoushn
Could you point out the problem with such a distribution? It isn't immediately
obvious that I cannot satisfy both axioms.

Edit: The helpful explanation linked in a comment on the question you linked
is defective because it applies to all continuous probability distributions.

~~~
jerf
The key is the restriction that in the uniform distribution the probability
density must be the same at all points, and if it covers infinity, it can be
neither 0 nor anything greater than 0 if it's going to sum to 1. It's
perfectly legal to have a probability distribution across all the reals. In
fact most if not all of the well-known ones are; the Gaussian/normal
distribution is defined on all reals, for instance. But it varies, and the
integration from negative infinity to positive infinity sums to 1.

In fact everything that we refer to as "normal" distributions in the real
world technically aren't, as the finite nature of the universe means the
probability of the extremes is simply zero (give or take being totally wrong
about the nature of the universe in which case all bets are off anyhow) rather
than very, very small, and in many cases there's a sharp cutoff at 0, or some
other arbitrary boundary, which a true normal distribution doesn't have. But
it's often still the best mathematical approximation, with negligible error.
(... until it isn't.... _caveat emptor_.)

~~~
waps
Why isn't the answer P = { Inf -> 1, otherwise 0 } ?

Axiom 1: P(E) elem N => P(E) >= 0, for all E

Trivially satisfied

Axiom 2: P(Omega) = 1

Satisfied: Omega = N { Inf } elem N

Axiom 3: Sigma additivity. Trivially satisfied since it either includes { Inf
} or it doesn't, making the outcome 0 or 1.

Where is the problem ?

I think it's pretty clear that this is the only possible solution, because
since N is not closed, there is no way to keep a uniform density other than 0.

This does not seem like it's a very useful solution, but it does seem to
satisfy the axioms.

~~~
anonymoushn
Infinity isn't a positive real :(

~~~
waps
In most definitions I've seen of it, it is. In fact, it's a natural number.

------
tptacek
Projects like this are the one hard-to-deny good thing about Bitcoin: it's a
very cool toy to play with.

------
speeder
I think that politically this is an awful time for that.

Bitcoin is still largely unregulated, and this allows for all sorts of
innovation, yet the media is already scaremongering around because it is
"anonymous" and used for laundering and drug dealing.

If Zerocoin attracts true media attention, then you will get a political
firestorm of people claiming that someone is making Bitcoin even worse for
nefarious purposes. And of course, the paper's mention of drug deals does not
help with that.

~~~
dmix
Cryptography driven anonymity or subversion is not in need of PR sensitivity
or timing. It is a technological progression that has been happening for
decades and will continue at its own rapid pace.

In this context of Zerocoin, they released a technology research paper. It
should be treated as such. Not a company PR dept.

~~~
corin_
Agree or disagree with people's reactions, agree or disagree with the idea that
research papers should be delayed for these reasons, but don't just pretend
like research, press and progress are unrelated.

------
emin_gun_sirer
Technically, this is very cool work. But one thing the paper overlooks is
divisibility. How does one make change with zerocoin? It appears that the
trapdoors allow only a whole coin to be spent, with no recourse for spending a
partial coin. Needless to say, non-divisibility will make a practical
deployment difficult.

~~~
deepblueocean
Why? Why not simply set a minimum quantum for transactions in Zerocoin, like
the penny or the satoshi? Or why not redeem the Zerocoin for a Bitcoin, which
is divisible and which would be free of (traceable) history.

~~~
emin_gun_sirer
Because each coin transaction entails a 40KB zero knowledge proof. So a
Satoshi will require 40*10^8 KB transferred for a 1BTC transaction.

------
dragontamer
Since BTC is expected to be regulated like a currency, wouldn't participating
in Zerocoin be basically money laundering?

If that is the case, participating in the Zerocoin network itself would be a
crime. I don't think this is going to go anywhere. And if it does, then hope
that the Secret Service doesn't catch you even touching this stuff...

~~~
jasonlingx
> Since BTC is expected to be regulated like a currency

Huh? I thought it's the opposite?

~~~
dragontamer
If you live in America, you are subject to American law, regardless of the
technicalities of the technologies you employ. You are expected to follow the
law and the spirit of the law.

------
joelrunyon
Link to the article (not the comments section) -
<http://blog.cryptographyengineering.com/2013/04/zerocoin-making-bitcoin-anonymous.html>

------
jasonlingx
Can't we just open a mtgox account, deposit and then withdraw?

~~~
gojomo
MtGox knows who you are, and is not a secret underground operation thumbing
its nose at The Man. Over the long run, you should consider them as
transparent as any major, bailed-out bank.

~~~
jevinskie
Correct. Zerocoin is a way to make it _mathematically_ difficult (read: likely
infeasible in practice) to de-anonymize instead of trusting a central party.
Cool stuff!

~~~
gizmo686
Mathematically difficult does not mean infeasible in practice. Not even
mathematically impossible means infeasible in practice. Having a solid theory
is a good start, but a minor oversight in the implementation could doom the
system.

------
rb2k_
Another option would be to just use an existing mixing service:
<https://en.bitcoin.it/wiki/Mixing_service>

Those services always reminded me of David Chaum's Mix Networks:
<http://en.wikipedia.org/wiki/Mix_network>

~~~
TazeTSchnitzel
They're the same as the "laundering" services the article mentions.

------
stephan83
Total coincidence: I registered zeroco.in last week. I was planning to use it
for a lightweight bitcoin client I'm developing. What should I do?

------
felipelalli
I did not like it.

------
DannoHung
The only reason that you need anonymous financial transactions is because you
believe that money is free speech.

I disagree.

~~~
cheez
Absolutely not. I don't want my future employees knowing how much money I
spend down at the strip club, for example.

~~~
DannoHung
I'd like to see you tip a stripper with bitcoins.

~~~
cheez
Maybe only a matter of time.

------
drakaal
In order for this scheme to work ZeroCoins would have to have the same
computational creation requirements as a bit coin. This would mean that there
would always be fewer zero coins than bit coins and those coins would have to
be mined.

If the zero coins were not the same difficulty to create then you could just
create zero coins and trade them for bit coins anytime you wanted.

This seems like a huge flaw in the system.

~~~
gizmo686
No, ZeroCoins are computationally easy to create. The concept is that you
easily create a zerocoin, and then 'buy' it using bitcoins. When you buy the
zerocoin, you create a bitcoin transaction, so you have to spend the
corresponding amount of bitcoins. When you want to redeem a zerocoin, you have
to prove that you bought one. In this way, zerocoins are a lot like gold
notes. They are cheap to create, but have value because they can be exchanged
with gold/bitcoins, which have value and are hard to create. Unlike gold notes
however, zerocoins should be impossible to forge.
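The mint/buy/redeem flow gizmo686 describes, together with the point A1kmm raises higher up in the thread (a spend must actually prove that the revealed serial S opens a minted c = g^S * h^r mod p), as one added Python example. This is illustrative code written for this page, not the paper's construction or any Zerocoin implementation: it replaces the RSA accumulator membership proof with a lookup in the set of minted coins (so, unlike the real scheme, it does not hide which coin is being spent), uses a 64-bit safe-prime subgroup found at import time, and models bitcoin balances as a dict. The names mint_coin, prove_spend, verify_spend, Ledger and demo are its own, and the balances in demo() are constructed.

```python
# Added example, not code from the Zerocoin paper: a toy mint/spend ledger.
# Coin = Pedersen commitment c = g^S * h^r mod p to serial S; minting costs one
# bitcoin unit; spending reveals S and proves knowledge of r for a minted c.
# ASSUMPTIONS (not Zerocoin): set lookup instead of the accumulator proof (so
# which c is spent is NOT hidden), a 64-bit safe-prime group, dict balances.
import hashlib
import random
rng = random.SystemRandom()

def is_probable_prime(n, rounds=32):               # assumes n > 37
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):                        # Miller-Rabin, random bases
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def find_safe_prime(start):                        # returns (p, q), p = 2q + 1
    q = start | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q

# Public parameters: squaring mod p lands in the order-q subgroup; h is derived
# from a hash so nobody knows log_g(h), which is what makes c binding to S.
P, Q = find_safe_prime(1 << 63)
G = pow(2, 2, P)
H = pow(int.from_bytes(hashlib.sha256(b"toy-zerocoin-h").digest(), "big") % P, 2, P)

def _challenge(*parts):
    """Fiat-Shamir challenge over every public value of the proof."""
    data = b"|".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def mint_coin():
    """Pick serial S and blinding r; the coin is c = g^S * h^r mod p."""
    S, r = rng.randrange(1, Q), rng.randrange(1, Q)
    return (pow(G, S, P) * pow(H, r, P)) % P, S, r

def prove_spend(c, S, r):
    """Schnorr proof of knowledge of r with c * g^-S = h^r, bound to c and S."""
    k = rng.randrange(1, Q)
    t = pow(H, k, P)
    e = _challenge(G, H, c, S, t)
    return t, (k + e * r) % Q

def verify_spend(c, S, proof):
    """Does the revealed S really open c?  (The check A1kmm asks about.)"""
    t, z = proof
    e = _challenge(G, H, c, S, t)
    y = (c * pow(pow(G, S, P), P - 2, P)) % P      # c * g^-S via Fermat inverse
    return pow(H, z, P) == (t * pow(y, e, P)) % P

class Ledger:
    def __init__(self):
        self.minted = set()          # stand-in for the accumulator
        self.spent_serials = set()   # serials already redeemed
        self.balance = {}            # constructed bitcoin balances

    def mint(self, owner, c):
        """Buying a zerocoin consumes one bitcoin unit, or it is worthless."""
        if self.balance.get(owner, 0) < 1:
            return False
        self.balance[owner] -= 1
        self.minted.add(c)
        return True

    def spend(self, c, S, proof, payee):
        """Redeem only a minted coin, with an unused serial and a valid proof."""
        if c not in self.minted or S in self.spent_serials:
            return False
        if not verify_spend(c, S, proof):
            return False
        self.spent_serials.add(S)
        self.balance[payee] = self.balance.get(payee, 0) + 1
        return True

def demo():                 # honest spend, replay, wrong serial, unpaid-for coin
    ledger = Ledger()
    ledger.balance["alice"] = 2
    c, S, r = mint_coin()
    ok_mint = ledger.mint("alice", c)
    ok_spend = ledger.spend(c, S, prove_spend(c, S, r), "bob")
    replay = ledger.spend(c, S, prove_spend(c, S, r), "bob")
    bad_S = (S + 1) % Q
    wrong_serial = ledger.spend(c, bad_S, prove_spend(c, bad_S, r), "bob")
    c2, S2, r2 = mint_coin()                      # never bought with bitcoin
    forged = ledger.spend(c2, S2, prove_spend(c2, S2, r2), "bob")
    return {"ok_mint": ok_mint, "ok_spend": ok_spend, "replay": replay,
            "wrong_serial": wrong_serial, "forged": forged,
            "alice": ledger.balance["alice"], "bob": ledger.balance["bob"]}
```

demo() returns a dict in which only the honest spend succeeds: the replay of the same serial, the spend with a wrong serial (a proof built for S+1 does not verify because c does not open to it), and the spend of a coin that was never paid for are all rejected. In this toy, the cheap-to-create coin that drakaal worries about is just a number nobody will accept until a bitcoin input has paid for it; what the real scheme adds on top is the accumulator proof that lets the spender show "c is in the minted set" without saying which c.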

~~~
drakaal
So you counterfeit the Zero Coin and trade them for Bit Coins and the system
breaks.

I am not buying that they are impossible to forge. Especially if they are
computationally easy to create.

~~~
judofyr
On what basis are you claiming that they are not impossible to forge? You can
check the crypto yourself:

<http://spar.isi.jhu.edu/~mgreen/ZerocoinOakland.pdf>

~~~
drakaal
Things which are computationally easy to create are possible to brute force.
Bit Coin only works because it is computationally hard to create them. At some
point (50 years from now) Bit coins will not be as impossible to compute as
they are now, but the exponential increase in difficulty to compute new ones
will limit the likelihood that the advances in technology will catch the
computational requirement.

