Zcash, an untraceable Bitcoin alternative, launches in alpha (wired.com)
205 points by rdl 516 days ago | 143 comments



Of course, once these techniques were in place, they conclusively destroyed the ability of governments to control the flow of electronic funds, anywhere, anytime, for any purpose. As it happened, this process had pretty much destroyed any human control at all over the modern electronic economy. By the time people figured out that raging nonlinear anarchy was not exactly to the advantage of anyone concerned, the process was simply too far gone to stop. All workable standards of wealth had vaporized, digitized, and vanished into a nonstop hurricane of electronic thin air. Even physically tearing up the fiber optics couldn't stop it; governments that tried to just found that the whole encryption mess oozed swiftly into voice mail and even fax machines.

...

Alex did not find it surprising that people like the Chinese Triads and the Corsican Black Hand were electronically minting their own cash. He simply accepted it: electronic, private cash, unbacked by any government, untraceable, completely anonymous, global in reach, lightninglike in speed, ubiquitous, fungible, and usually highly volatile. Of course, such funds didn't boldly say "Sicilian Mafia" right on the transaction screen; they usually had some stuffy official-sounding alias such as "Banco Ambrosiano ATM Euro-DigiLira," but the private currency speculators would usually have a pretty good guess as to the solvency of the issuers.

- Heavy Weather


Just like the rest of the cyberlibertarian blue-skying that went on back in the '90s, it was a nice dream, seriously! But in reality it turns out that governments can just send some armed men around to beat up the people with the encrypted faxes, email, and digital cash, and that'll largely put an end to it. The extent to which a government is helpless to stop that behavior is purely the extent to which it is reluctant to send, or incapable of sending, the armed men.



Except for the fact that this hasn't happened at all. Even with Bitcoin, which isn't as anonymous as zcash claims to be, people making illicit purchases have had very little difficulty evading police or government capture. There are a few notable cases of high-profile Bitcoin users (like DPR) being arrested, but I don't know of any cases where Bitcoin was at fault.


There are a lot of cases where Bitcoin transactions are traced back to some crime. The justice system does not make a big deal about this as educating criminals only makes their job harder.


Evidence? In which cases was tracing Bitcoin transactions used?


I'm not sure how much (if any) of the investigation into the Carl Force and Shaun Bridges cases used Bitcoin transaction data, but I suspect it played some role:

http://www.justice.gov/opa/pr/former-silk-road-task-force-ag...


It turns out that there's a pretty easy fix for this. People have to start caring how the money they're accepting has flowed through the economy. You don't need a government to sanction bad actors. The people can do it on their own.

Money is power. Anonymous money prevents you from choosing which power you'd like to submit to. Decentralized money prevents governments from restricting power. Let's keep the decentralization and remove the anonymity so you can reject power you find undesirable.

The first application of this mechanism will probably be restoring our democracies by rejecting the power of money to influence them. It won't be the last application—I think we'll use it to enforce any rule that has a broad consensus behind it. The boundaries of the enforcement will be the same as the boundaries of our economy: there aren't any. We'll have global governance without a global government.

This is merit capitalism. http://meritcapitalism.com/

Zcash is cool, but if you accept it as payment, you're making yourself powerless.


It turns out that there's a pretty easy fix for this. People have to start caring how the money they're accepting has flowed through the economy.

Perhaps I'm being cynical, but that doesn't sound like an easy fix.


I appreciate the cynicism. I've never been called a pessimist, so I might have a rosy view of things. I think it's not that hard, though. Technologically, it's very straightforward. Convincing people that they should sacrifice financial privacy is the hard part. That's why I've already started it.


What's the thing you've made called, and how does it ensure identity?


This is an interesting idea, and seems worth considering.

What would you think of a system that instead tracked materials and manufacturing process?

So, each step in the manufacturing process would use proofs received from previous steps that the amount they claim to have produced is not more than they could make with only the materials that previous steps have said they supplied?

So, e.g., if there is a place that makes good(?) grain, they would include some cryptographic signature that they provided the amount of grain, and then a baker receiving it would be able to produce a signed claim that they made so many breads with only grain from there, and they wouldn't be able to fake making more by adding grain from elsewhere, because the total of all their claims of how much of the grain is used in each bread could not total more than the grain which was signed as provided?

Or something like that.

I don't remember the specifics.

Would it be better to track who owned the money before you, or to track how the product was made? Or both?

I think there are probably some advantages of anonymous money, but I don't know that they outweigh the costs that you mention. (I suspect non-anonymous money makes auctions and things more difficult, and might reduce efficiency, but that might just be the acceptable cost of influencing the world against people doing harm)


> What would you think of a system that instead tracked materials and manufacturing process?

I think it's a great idea, and people are building it.

https://medium.com/@jutta_steiner/using-the-global-trust-mac...

The decentralization renaissance is hitting full steam. If you like thinking about this sort of thing, you should find a way to make it your day job.


This would also be an excellent way to trace recalls based on defective or otherwise harmful products; though the lot numbers involved would need to be in the transactions.


> It turns out that there's a pretty easy fix for this. People have to start caring how the money they're accepting has flowed through the economy.

I don't understand how this is "easy". Money doesn't become evil because of how it was earned, that's just an overly emotional way of looking at a system of transactions.

> Money is power. Anonymous money prevents you from choosing which power you'd like to submit to. Decentralized money prevents governments from restricting power. Let's keep the decentralization and remove the anonymity so you can reject power you find undesirable.

That's ridiculous FUD. Consider people donating to WikiLeaks or similar, where the sender might not want a record of where they sent their money. If the source of the money is anonymous, there's no "power" involved. Nobody can force you to do something under the pretext of "but that's what I paid you for".


Money's power relies on its transitivity. Bob accepts Alice's payment because he can use it to pay Charlie. Charlie's decision to accept that money is what gives Alice power. If Alice runs a violent cartel in Mexico, Charlie can reject Alice's power. If he uses anonymous money like dollars or Zcash, Charlie is forced to submit to Alice's power because her power is invisible.

There are many evil ways to acquire money, and anonymous money makes us all supporters of that evil. We should stop it.

> Consider people donating to WikiLeaks or similar, where the sender might not want a record of where they sent their money.

The government knows who's donating to WikiLeaks. To state actors, money is already identifiable. People like you and me are powerless when it comes to money, so we can't stop the people who have purchased our government. Let's fix that.


It works both ways, anonymous money prevents people from choosing not to accept your own money as much as it does the other way around. It makes the transaction purely about the money, I don't think that's powerless, just reduces people's ability to mind other people's business.


Didn't you read the dystopian prophecy above? It's caused by the inability of anyone to mind other people's business. Most people find that to be an undesirable world.

Today, your business is minded by the government and large corporations. As a result, the rules that they want enforced are the ones that actually get enforced. Anonymous money is why you have no ability to prevent people from buying your government: no one with the power to mind people's business actually wants to enforce such a rule. If you give everyone the power to mind people's business, then rules that the people want enforced can actually be enforced.

There is no way to regain the ability to sanction bad behavior unless you can mind other people's business. Financial privacy feels nice, but it gives the wealthy the ability to rule over us with little recourse. Are the benefits worth the cost?


Crimes with a victim often have a witness, and thus are easy to sanction. Only victimless crime needs financial privacy eliminated in order to sanction, since all parties to such crimes are mutually consenting and thus not likely to come forward.

The destruction of individual rights for the sake of preventing individual crime either ends in extreme centralisation of power, with the party given the exclusive privilege of surveiling the population gaining power over the masses through its informational superiority, which makes institutional abuse by the political elite and the organs of the state more likely, or a morass of gridlock where no one can act without the permission of everyone else in society.


The cartels in Mexico murder lots of people. They're so difficult to stop because they have money.

The solution to gridlock is to enforce fewer laws. I'm not out to increase the number of arbitrary laws. I'm out to eliminate the tyranny of the wealthy: they manipulate our politics and buy their way out of justice.


They're difficult to stop because they kill people who try to investigate and arrest their members. Creating a law requiring them to report their financial activity will not stop them. They sell tons of cocaine, despite cocaine being illegal. They will ignore financial disclosure laws just as they ignore laws prohibiting them from operating large scale drug and murder operations.

Anonymous digital currency like bitcoin could be used to reward informants without requiring them to physically meet anyone or reveal their identity, which is extremely valuable when cartels have countless people inside law enforcement agencies.

>I'm out to eliminate the tyranny of the wealthy: they manipulate our politics and buy their way out of justice.

Destroying money (money only works when it affords its user with privacy) to stop abuse by the economically powerful is cutting off your nose to spite your face. Money does far more good than bad. The solution to abuse by the wealthy is to fix the political system, so that money cannot buy political influence, not eliminate wealth and privacy.


> They will ignore financial disclosure laws just as they ignore laws prohibiting them from operating large scale drug and murder operations.

I am not suggesting financial disclosure laws. I'm suggesting that everyone stop accepting anonymous money, then stop accepting money that funded murders because doing so would empower the murderers.

> They're difficult to stop because they kill people who try to investigate and arrest their members.

The killers are paid to do the killing. If they could no longer buy things with the proceeds, they would stop killing.

> (money only works when it affords its user with privacy)

I disagree with this. Can you explain how money would stop working without privacy?

> The solution to abuse by the wealthy is to fix the political system, so that money cannot buy political influence, not eliminate wealth and privacy.

The political system cannot be fixed unless everyone becomes a single-issue voter on campaign finance. Otherwise, those votes will be purchased away, and we can't outspend the wealthy. We should try to fix the political system, but I expect those efforts to fail.

I have no desire to eliminate wealth. I do want to eliminate financial privacy because it seems clear that it hurts us more than it helps.


>I'm suggesting that everyone stop accepting anonymous money, then stop accepting money that funded murders because doing so would empower the murderers.

Not gonna happen and should not happen.

>The killers are paid to do the killing.

This is so ridiculous. Money is not the only way to compensate someone or otherwise move them to act. The cartels would still have plenty of soldiers without people voluntarily accepting cash-like (anonymous) money.

If money was not private, armed gangs would know everything about everyone, making everyone less safe. Private money is privacy. If you eliminate private money you eliminate privacy. If you eliminate privacy you reduce human autonomy and security, not just from the armed criminal, but also from the masses.

>Otherwise, those votes will be purchased away, and we can't outspend the wealthy.

The political system needs to be fixed so that money cannot buy votes. You're focusing on the ocean instead of the leaky boat.


I didn't see anything dystopian about it. Bad behaviour just like the rest of morality is relative if it exists at all. I certainly don't think the ability to sanction behaviour is a boon.


Why do you say it makes you "powerless"? If you can buy goods with it, that's power.


You can buy goods with it, but you've sacrificed liberty to do so. Governments derive their power from the consent of the governed. Since our society is governed by money, accepting anonymous money is consenting to everyone's power, which few people actually want to do. They do it today because it's the default.


> but the private currency speculators would usually have a pretty good guess as to the solvency of the issuers

With bitcoin and other Nakamoto-consensus based crypto-currencies, the "solvency of the issuer" is irrelevant, because these currencies aren't debt based.


Government-issued money being "debt based" is a fiction used to make the accounting equations look pretty. It has been since the gold/silver/whatever standard fell into disuse.

Or are you talking about fractional-reserve banking? If so, there's nothing that prevents implementing that on top of crypto-currencies any more than it can't be implemented on top of physical currency.


Obviously there is nothing technically stopping it, but setting up the rules for a fully distributed fractional reserve system would be non-trivial. For example, if anyone can create money by lending it, then they can set up 100 wallets and lend money from one to the next to the next, amplifying their debt each time. Then once you have enough money, you spend it and abandon those wallets.

The fractional reserve system works precisely because only a few well known actors are allowed to create money -- which is a bit of antithesis for this kind of crypto currency.

However, I have to say that one of the things that bothered me (economically) about bitcoin is the lack of debt. This limits the availability of currency to either mining (which requires a large investment of hardware) or buying the currency on a market (which requires using a different currency and essentially relying on the same banking industry that you were trying to avoid). I would be very interested in seeing someone attempt some kind of monetary creation through debt in a crypto-currency.


For example, if anyone can create money by lending it

That's... not quite how it works.

I can lend $20 or $2000 to a friend, and no money is created.

Money is created by aggregating a large number of relatively small accounts into a shared pot, and pretending that pot is larger than it really is (which you generally do by making loans out of that pot without telling any of the individual accounts that their available balance has gone down). Money is created by the possibility of bank runs.

If the borrowers all run off with the money, someone will be left holding the bag (or the empty pot). If you borrowed from yourself, that someone will be you.

.

Bitcoin allows for debt exactly as much as cash allows for debt. There has to be something to make sure the borrower will (usually) pay back what's owed -- some concept of personal honor, risk of damaged friendships, legal liability and positive real-world identification, whatever. That mechanism is distinct from the currency used. That mechanism also probably can't allow for anonymity.

.

setting up the rules for a fully distributed fractional reserve system would be non-trivial

There needs to be something at stake, which (1) the borrower can lose if they don't pay back the loan, and (2) is worth at least as much (to the borrower) as what was borrowed. There needs to be a reason to believe that a rational or mostly-rational borrower will pay back the loan.

There also needs to be some reason to believe that the borrower can pay back the loan.

Both of these are ties to external systems.

...getting back to the required shared pot, what does "distributed" mean here? Lack of central control over who can create the shared pots? A "marketplace" interface for finding shared pots to contribute to / borrow from? Automated selection of the "best" shared pot given your choice of criteria? A standard API for shared pots?


>The fractional reserve system works precisely because only a few well known actors are allowed to create money -- which is a bit of antithesis for this kind of crypto currency.

You know who owns the Fed? Do tell.


"Technically" there's nothing that would prevent it except the inability of a national central bank to control/dictate the interest rate on a global, gold-like currency.

Oh, and the actual inability of the said central bank to bail out commercial banks by printing bitcoins.

Oh, and also the inability of a global superpower to manage its tremendous debt by playing with interest rates.


It's not that clear-cut, perhaps the text is referring to the support of the currency, i.e. some measure of how likely other people will accept the currency, and how secure is its base (will the miners decide to issue new coins and fleece everyone). Both would impact its reliability as a store of value.


Tell me this Sterling guy got most other things wrong to even out being this spot on way back in 1994.


I was thinking to myself in the shower a few days ago, it must be incredibly boring to be Bruce Sterling. Where most of us can open HN and see something new and shiny and even sometimes unexpected, he saw it all clearly 20 years ago.


On the contrary, how can he be bored if he's constantly roaming his imagination 20yrs ahead of where we are now, just as vividly as he was in 1994 writing about cryptocurrency, laptops made from straw, and reconfigurable chairs governed by topological expressions.


Bruce Sterling has a whole bunch of futurist notes you can read: http://www.viridiandesign.org/NotesIndex.htm - some of it is spot on, some of it was obvious even at the time to clued in people, and some of it is way out there still.

Plus all his actual science fiction.


It's cute but it's speculative fiction that hasn't remotely come to pass. I don't get why anyone is saying this is spot on. People love good dystopian nonsense.


Paper cash is mostly untraceable, so we're not really changing that much.

BTC is much more traceable.


Which is why I made this comment on a thread about a new digital currency that according to the title is untraceable, and not a thread about BTC.


Don't rely on paper cash being around for that much longer either - http://www.zerohedge.com/news/2016-01-23/norways-biggest-ban...


I moved to Denmark a few months ago, and have been asking a few people whether they'd prefer cash.

Street food vendor: no, he preferred a card.

Taxi driver: no, but he didn't want to take a card either, only a bank transfer from my phone. My account isn't set up for that yet, so he took the cash, then didn't have the 5kr change.

Supermarket, exact change for a single item: I delayed people behind me, the machine used to count coins didn't accept mine.

Café, for a single soft drink with exact change: I didn't ask, but the man dropped the exact change into the empty coin tray.

So the result is I still have most of the coins which a foreign friend left behind after visiting in December.


You can't compare Paper Cash to Bitcoin or Crypto-Currencies.

You can't take $5million cash through Airport security. You can take $1bn bitcoin brainwallet through airport security, and nobody will ever notice.


I love the idea, but...

> Zcash is launching as a for-profit company.

That's their downfall right there. With someone visible to track they've given up the game before they started. Real people running real companies are really vulnerable. The real test of a security system is its weakest link. And that link is almost always a person. Right?

IMHO the subtle political reason Bitcoin has gotten as far as it has is because its creator has remained anonymous, and not tried to visibly profit from it.

Why do I think that? Because governments are very territorial about their money. Banks too. The regulations for banks are pretty tough, as you may know, Know-Your-Customer edicts and such.


> That's their downfall right there. With someone visible to track they've given up the game before they started. Real people running real companies are really vulnerable. The real test of a security system is its weakest link. And that link is almost always a person. Right?

The company that is launching this consists of a team of brilliant cryptographers and security engineers.

How does "their identity is known" translate into an attack?

How does "they're a for-profit company" weaken the security guarantees of a zero-knowledge proof?


Depends. Do they live or host in a country with, say, FBI-coerced "SIGINT-enabling" or something similar? And can they be held indefinitely without trial? And are the foreign nationals subject to rendition? Can their assets be frozen by tax authorities and their datacenter equipment seized like some colos? Are they creating something that's straight-up designed to piss those organizations off in many countries and/or aid their opponents?

Most proposals succeeding wouldn't bring this risk up: very specific to this project's goals given it ties in anonymity and money. We actually have no idea what they'll do outside some surveillance, court-ordered searches or seizures. Hopefully, it doesn't get popular among their targets. The closest thing is Tor but it's unusual: a tech used and funded by U.S. organizations including military, LEO's and propaganda teams (conflict of interest); anti-censorship getting it special treatment for exports; non-profit; extra smart and dedicated people. Quite a combo. The rest of the carriers and projects fell to FBI, NSA, or both when they became important enough to target with the big guns. If not immediately, then eventually. We know some were paid off but the coercive techniques are unknown.

So, yes, centralizing control of something for untraceable money into few, known hands is a huge risk depending where you're at. A risk of what I can't tell you as they won't tell me. ;) The other commenter wisely added the for-profit angle as another dimension of the risk. Most of those screw their users, get hacked, or fail for business reasons. So, that should probably be No 1.

EDIT: Conflict of interest on Tor is meant to indicate that, internal to U.S. government, there would be battling over doing something to weaken or end it. Not the Tor team or organization itself.


> How does "their identity is known" translate into an attack?

They can be coerced into actions based on threats to themselves or relatives.


Virtually everyone involved in Bitcoin's development is also well-known and presumably "coerceable." The company makes no difference as far as I can see.


When someone has a legitimate claim to be an owner, that person will have sway to do crazy things like make it closed-source or change the critical constants. Not saying it's a deal-breaker, but it's more risk than if no one can claim to own it (if bitcoiners are angry about the excessive power of the people with admin permissions to the github repo, just imagine how difficult it would be to wrench control from a company that invented the product and has copyright claims to it). I guess what I'm saying is you don't get much leverage if you convert a bitcoin dev but if you convert the owners of this company you'll get a lot of leverage.


They don't need to target Bitcoin developers to track use of Bitcoin or conversions. So, they don't. End of story?


The miners could always revert from a hard fork that was put out under coercion, right?


Good luck pulling that off.


I presume this is sarcasm, since governments have been pulling this off since time immemorial?


Couldn't reply to your child comment, so I'll put it here.

You don't seem to realize how easy it is to discredit someone that the general public doesn't recognize.

The cryptographers are one false planting of child porn away from no influential majority of people believing a word they say. You won't defend them, because you'll question the authenticity of the child porn claims and you'll have no evidence to the contrary.

Overnight these kinds of people can be taken down and made into nothing.


The problem isn't "how to coerce", it's "how to coerce without being detected".


Who is going to detect a government agency when they forcefully steal your hardware and claim it has child porn on it? They don't even have to put the child porn on the machine, nor do they need to get a conviction for child porn. It will be all over the media for as long as it needs to be in order to cause these people's ideas to fail.


And when that happens, I'll entertain your assertions. It hasn't yet, and I don't see any reason to believe it will soon.


The problem, as with many a government agency coercion, is that the evidence proving it happened doesn't come to light until decades later.

From the CIA selling drugs to arm the Hmong in the Vietnam war to the NSA in ATT's room 641A, there are enough examples to know that it's possible.


Obviously, I don't know which stories are bogus and which ones are real, but you can do a quick google search and find all kinds of cases of people claiming government cover up.

You obviously don't entertain the idea that those could be legitimate. What makes you think you'll entertain the idea if it were to happen to a lead cryptographer that you've never met before in your life?


>https://en.wikipedia.org/wiki/Principle_of_charity

>Not when proposed by apparently paranoid HN users, I don't.


And how are you determining what is probable? Just because you believe the government doesn't make last ditch efforts to cover up with lies, doesn't mean that is necessarily the truth. How many coups need to happen before you consider me a rather typical cynic rather than a paranoid extremist?

I very much agree with you that it's not worth focusing on, but you were acting like it was never a possibility simply because the people being attacked would be well educated.


> but you were acting like it was never a possibility simply because the people being attacked would be well educated.

https://en.wikipedia.org/wiki/Principle_of_charity


> You obviously don't entertain the idea that those could be legitimate.

Not when proposed by apparently paranoid HN users, I don't.

> What makes you think you'll entertain the idea if it were to happen to a lead cryptographer that you've never met before in your life?

I happen to be involved with cryptography. I'm very familiar with three of the people on the Zcash team, one of whom I call "friend".

Instead of worrying about stopping every logically possible attack, I find it more productive to focus on stopping the 99.9999% of plausible attacks. If the government manages to pull off something theoretically possible but unbelievably improbable, they simply deserve to win that round.


> I happen to be involved with cryptography. I'm very familiar with three of the people on the Zcash team, one of whom I call "friend".

Maybe this is where your potential bias stems from. I mean, what's the point of name dropping here if it's not stemming from a bit of ego, maybe strong enough ego to believe you're out of reach for a three letter agency? You know three of them, great, but you don't know all of them and you may not know the most major contributor and it's possible there exists a key member that has an already shady past.

The hypothetical in question isn't even intended for you. It's intended for the general public. Most of whom would gladly eat up whatever story they are sold.


> The hypothetical in question isn't even intended for you. It's intended for the general public. Most of whom would gladly eat up whatever story they are sold.

When you frame the conversation that way, it makes more sense.


Pulling off a massive, international, targeted attack on several individuals of varying degrees of stubbornness to coerce them to do something unspecified and malicious to the code base of an open source software project and not get detected isn't exactly a practical goal for even intelligence agencies.


How about they just ask three payment networks (VISA/MC/Paypal) to cut off their payments then watch them wither and die? That's how Wikileaks was destroyed by Bank of America and Co when they threatened to leak on the big banks. All that OPSEC can't help without money to support it. Worked like a charm and not a single shot fired.


The code base is not the only vulnerable part.


It's a risk, but I've known the people behind this for 20 years. They are more at risk of putting the technology/principles/etc. ahead of business than the other way around. Of the set of people I'd want building this, Zooko is in the top 3.

It's open source, so even if the company fails (likely -- it's a startup, after all, although if successful it will be huge), the project lives. But a company gives them the resources to work on this which wouldn't otherwise be available.


I don't understand this complaint. If the company that is launched fails or is attacked, the currency and the code can live on without it. Its development probably wouldn't be as well-financed but that's about it.


Technically yes, the code could live on, but the thing about currency/money is that people need to believe in it to be valuable when it's not backed by precious metals or coupons for wine or meals or drinks or violence. And people are skittish and emotional and paranoid. Sure, the project could live on, but it would be more of a toy for ivory tower CS gods (like us) than a tool for world wide remittance and purchasing power and a store of value for clever people with minimal understanding of the tool.

It's late and I fear my point may be muddled. But yea, the soft squidgy part of it would die and wither away.


To me the bigger draw back is how much they are going to tax mining:

> Wilcox says that he plans for 1 percent of Zcash’s currency to ultimately go towards that non-profit, and 10 percent to be paid to the for-profit startup.

11% is a lot when compared to credit card transaction rates.


I think they are counting on Open Source being the protection. Any changes to the code can be scrutinized, and the code can be forked (already has).


Also this could expose them to "they are profiting from crime" type of attacks from politicians and governments.


Oh, you mean like this giant bank which laundered money from the Mexican mafia?

http://www.theguardian.com/world/2011/apr/03/us-bank-mexico-...


For anyone interested in how Zcash (formerly Zerocoin) works and who understands German, I wrote my Bachelor's thesis on it in 2013: http://www.math.uni-bremen.de/~jhasse/Kryptografische%20Grun... (Part IV)


Hey!

Can you help me understand something about Zcash? Do buckets need to be decrypted for the network on spend? Or is there a way to append a zk-proof that the bucket contains enough to fund follow-on buckets?

I'm probably wasting your time a little by asking, but I don't want to rely on my own reading to get a solid understanding.


"Buckets" contain cryptographic trapdoors which are necessary to witness spendable value. The sender constructs them and encrypts them with an IND-CCA2-secure key and places it inside the transaction. Only the recipient should be able to decrypt it to obtain the trapdoors which it needs in order to spend it.


I understand that. Well, I don't know what IND-CCA2 is. And presumably, therefore, my question. Does the 'spend' reveal the equivalent of a Bitcoin address? Or does the 'spend' merely provide a zero knowledge proof that the funding was legitimate?


> Or does the 'spend' merely provide a zero knowledge proof that the funding was legitimate?

This. :) (Alongside a demonstration that it wasn't spent before.)


What exactly are buckets? I think they used some other terminology back in the Zerocoin days.


The GitHub explains that you create a transaction as follows:

1) You have 50 coins in a 'bucket' or address?
2) You send 18 to a friend.
3) You send 32 to yourself.

So you create two encrypted buckets, 18 in one, and 32 in the other. They seem to be the equivalent of UTXOs. I'm not clear if they need to be 'revealed' to be spent though.


IIRC: No, they aren't "revealed". The 32 newly created coins in your bucket will be made public with a "commitment". I think this was called forging a Zerocoin. When you use them later you're using a zero-knowledge proof, which means others can't link the coins you spend with the forged coins from earlier.


Buckets are basically Coins from the original paper. It was changed because a `Coin` implies things that it actually isn't, but bucket is an even worse name, so it'll probably either be called Coin again or perhaps "pour output" or something.


This issue is mentioned in a small sub-comment and has drawn no replies but it seems to me like the Heffalump In the Room:

"For its first four years online, a portion of every mined Zcash coin will go directly to Wilcox’s Zcash company and a smaller portion to a non-profit he’s creating to oversee the Zcash code and community longterm. Wilcox says that he plans for 1 percent of Zcash’s currency to ultimately go towards that non-profit, and 10 percent to be paid to the for-profit startup."

Who is going to want to engage in commerce in a system that creams off a 10 percent vigorish on every transaction? Credit card companies are hated by small merchants for taking a third that much.


10% of every mined coin, not transaction. Big difference.


Credit card companies take at least that much from the transaction. They charge both the supplier and the holder.


Credit cards are more expensive than most would like them to be. We don't need another expensive system.

Besides, credit cards offer protection in that they are able to give insurance on purchases by doing charge backs.


There's an interesting property of fully untraceable currency, and that's that it's possible to perform 'perfect crimes' [1]. Often the weakness in committing, say, a kidnapping or a drug sale is handling the associated money obtained with it which can be traced back to people due to circumstances. Fully untraceable currency by definition completely avoids these circumstances.

The inevitable question "should we want this?" is moot because evidently such systems are possible (iff they provide a practical currency for such transactions) and will inevitably be used for this. Furthermore, Bitcoin already achieves something close to it in practice. It's just worth pointing out that untraceability will have nasty consequences as well as good ones.

As an interesting aside, David Chaum, who has lately been infamous for advocating ways to backdoor encryption, may be considered the father of fully untraceable (but not decentralized) digital currencies. Ironically, after [1] was published, others in the cryptographic community spent a number of papers on building what they called 'fair' blind signatures, which consisted basically of varieties of Chaum's basic idea but where untraceability could be lifted by an "independent party possessing the right private key" (i.e. a public "police backdoor"). They were trying to backdoor Chaum's encryption...

[1]: http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.465...


Currency is merely one investigative method. There are plenty of others and like all crypto systems there will be cracks, people will make OPSEC mistakes, and ultimately law enforcement agencies have access to hacking/CNE.

Additionally, the money by itself may be anonymous, but that person will have to convert it to other currency or make purchases. Those purchases may be physical objects like cars, or rent, or any other large purchase which the person will have to demonstrate how they could afford to purchase it. The IRS would still be able to detect irregularities in consumption.

If anything it will be a boon for the information security industry; they will have to stop selling snake oil and start selling solutions that actually prevent people's money from being stolen.


>>[...] others in the cryptographic community [built] what they called 'fair' blind signatures [...] where untraceability could be lifted by an "independent party possessing the right private key" (i.e. a public "police backdoor"). They were trying to backdoor Chaum's encryption...

Chaum himself is advocating not just for any ol' backdoor, but for a flavour of "multi-sovereign-party public police backdoor" if you believe the Wired article that explained his proposal.[1]

[1] http://www.wired.com/2016/01/david-chaum-father-of-online-an...


Zerocash had a possible backdoor, which was its biggest drawback. I don't see it mentioned on the web page, which seems like they're hiding it (it's crucial to know who we need to trust with the setup part, and whether anybody has the right to take part in it).

"Security of Π relies on a trusted party running Setup to generate the public parameters (once and for all). This trust is needed for the transaction non-malleability and balance properties but not for ledger indistinguishability" - from the Zerocash paper


Zcash is planning to use a new multi-party trusted setup scheme that allows a group to securely compute the mathematical structures necessary to protect the zero-knowledge proof integrity.

(Secure Sampling of Public Parameters for Succinct Zero Knowledge Proofs, Ben-Sasson, E. ; Chiesa, A. ; Green, M. ; Tromer, E. et al.)

Only if every member of this group were compromised or dishonest will the setup fail. That is, only 1/N participants need to be honest.
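An added illustration (not the Ben-Sasson et al. protocol or Zcash's ceremony code) of why one honest participant suffices: each participant in turn raises the running public value to a secret exponent and publishes a Chaum-Pedersen proof that it used the same exponent it committed to, so the transcript is auditable by anyone while the combined secret is the product of every share. A Schnorr group modulo a 64-bit safe prime found at import time stands in for the pairing-friendly curve; all names and values are constructed.

```python
import hashlib
import secrets

_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)  # deterministic MR bases below 3.3e24

def is_probable_prime(n: int) -> bool:
    if n < 2:
        return False
    for p in _BASES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in _BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime_from(start: int) -> int:
    """Smallest p = 2q + 1 with both q and p prime, searching upward from start."""
    q = start | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1

P = safe_prime_from(1 << 62)  # 64-bit safe prime; stands in for a pairing-friendly curve
Q = (P - 1) // 2              # prime order of the subgroup of squares mod P
G = 4                         # a square, so it generates that order-Q subgroup

def challenge(*vals: int) -> int:
    data = b"|".join(str(v).encode() for v in vals)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def contribute(acc_in: int) -> tuple[int, dict]:
    """One participant: pick secret t, raise the running value to t, prove it was done honestly."""
    t = secrets.randbelow(Q - 1) + 1
    k = secrets.randbelow(Q - 1) + 1
    x, acc_out = pow(G, t, P), pow(acc_in, t, P)
    a, b = pow(G, k, P), pow(acc_in, k, P)
    # Chaum-Pedersen: proves log_G(x) == log_acc_in(acc_out) without revealing t
    c = challenge(G, acc_in, x, acc_out, a, b)
    s = (k + c * t) % Q
    return t, {"acc_in": acc_in, "x": x, "acc_out": acc_out, "a": a, "b": b, "s": s}

def verify_step(e: dict) -> bool:
    c = challenge(G, e["acc_in"], e["x"], e["acc_out"], e["a"], e["b"])
    return (pow(G, e["s"], P) == e["a"] * pow(e["x"], c, P) % P
            and pow(e["acc_in"], e["s"], P) == e["b"] * pow(e["acc_out"], c, P) % P)

def run_ceremony(n: int) -> tuple[list, list]:
    """Chain n participants; returns the public transcript and the private shares."""
    transcript, shares, acc = [], [], G
    for _ in range(n):
        t, entry = contribute(acc)
        transcript.append(entry)
        shares.append(t)
        acc = entry["acc_out"]
    return transcript, shares

def verify_transcript(transcript: list) -> bool:
    """Anyone can audit: each step must continue the chain and carry a valid proof."""
    acc = G
    for e in transcript:
        if e["acc_in"] != acc or not verify_step(e):
            return False
        acc = e["acc_out"]
    return True

def reconstruct_tau(shares: list) -> int:
    """tau = product of ALL shares mod Q; with any one share deleted the rest are useless."""
    tau = 1
    for t in shares:
        tau = tau * t % Q
    return tau
```

The final `acc_out` equals `G ** tau`; only the full list of shares reproduces it, so a single participant who destroys their `t` keeps tau secret no matter what the others retain.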


Would this new "multi-party trusted setup" happen to be based on a block chain of its own?

If so, then they've introduced a new sort of meta 51% attack potential in a system that gives no economic incentive to mine (i.e., a 51% attack is much easier when it's not "51% of everyone trying to earn coins", but instead is "51% of those donating computing to protect zero-knowledge proof"), right?

If not so, then how? (rewind to Jan 2, 2009...)


Most zk-SNARK constructions are in the "common reference string" model, which requires a one-time trusted setup of a random string accessible to all parties: https://en.wikipedia.org/wiki/Common_reference_string_model


I haven't read the paper, so correct me if I'm wrong: I think the "multi-party trusted setup" isn't about a blockchain or something complex. It's just an algorithm to set up some initial values.


Sounds cool, it would be good to make the paper free as well, if the code is open source. Actually it would be even better to update the Zerocash paper so that people can understand the current zcash implementation. The source code may be open, but the documentation seems far behind the source code. I'm sure that the protocol is sound, and you put lots of effort in it, but it's hard to understand for me, unlike the original Bitcoin. I loved reading the BitcoinJ source code, as it is well documented and it's an easy-to-understand way to see that at least the BitcoinJ based wallets really do the same thing as what was presented in the Bitcoin whitepaper. Still, I guess I'm in the minority, and many people will just trust the developers and use the system as long as it works. Anyways good luck, and I hope we will have fungibility in Bitcoin itself in the next few years.


> I don't see it mentioned on the web page, which seems like they're hiding it

https://github.com/Electric-Coin-Company/zcash

Not very well, if at all.


The actual setup of the parameters hasn't occurred and will use a much more secure construction which isn't complete yet. The software is still in alpha.


This could be done by multiple people. The "trusted party" doesn't need to be one person, it could just be the bitcoin miners of a given time frame (without them agreeing, just use their hash values).


Shouldn't those parameters then be well known to everybody? And subject to investigation?

Can you give more detail as to why this is a backdoor?


This will be massively labor-saving for a key cryptocurrency use-case: exchange operators who "get hacked" won't have to worry about whether they sufficiently hid the outbound funds... ;)


One of the most important properties of Zcash is "selective disclosure." Effectively, you can audit and perform proofs-of-solvency with the same security as in other cryptocurrencies.

But yes, if someone on the inside "steals" the money, nobody will figure out where it went.


Excellent point! :)


I'm still a believer in a universe of huge numbers of diverse Chaumian token issuers intermediated by markets, but Zcash is an amazing system.

Zooko, btw, used to work for DigiCash long ago. The world of anonymous ecash has been...without a lot of progress, overall. Hopefully Zcash changes this.


For anyone who wants to dive headfirst into the code:

https://github.com/Electric-Coin-Company/zcash


>Zcash isn’t intended to facilitate crime, but also notes that the company isn’t liable for any criminal applications for which Zcash is used. “The people who built the first cars weren’t held responsible for car accidents or bank robberies,”

Good luck with that, especially as a registered for-profit organization.

Car manufacturers are required to report VIN numbers and allow for license plates, on top of a number of other mandatory regulations. Road access is also a privilege, and automobiles not meeting certain standards are not allowed.


Car manufacturers can report VIN numbers without destroying their business. If zcash is compelled to, then their business will no longer exist, as the primary incentive to using it (privacy) is no longer there.

The question is whether a judge is willing to destroy a company in order to pursue law enforcement goals.

Regardless, this doesn't mean zcash will die necessarily. As it will be open-source and has the ability to continue functioning without a centralized organization.


Zcash can't get around financial institution regulations simply by disclaiming liability. If that worked, banks and other institutions would have done so by now.

But yes, a judge would be perfectly willing to destroy a company in violation of the law. See, e.g., Aereo and its ilk.


Indeed, but as consumers this doesn't affect us if an OSS version comes out as a result? Nor would it be an effective law enforcement tactic.


It would definitely affect user adoption with the majority of merchants.


I'm not really sure how Zcash's privacy features differentiate it from a Cryptonote protocol, like Monero.

Disclosure: I own Bitcoin, but do not currently own any Monero. I have no financial incentive to promote it, I'm just legitimately curious as to how Zcash is different.


Monero and other ring signature schemes can only feasibly "mix" your transactions with a small number of previous transaction outputs, opening the door to statistical attacks.

Zcash mixes your transaction with every previous transaction. In fact, it goes to great lengths to make transactions indistinguishable from each other.


Yep, also dash is privacy-oriented.


I applaud the cryptography work here, it seems like a damn cool application of ZKPs, but I think they're missing what made Bitcoin work. The tech people took to BTC because it was something that they could verify worked correctly, and had no centralized party who could change it on a whim. Once it had the backing of those tech people, then it spread to everyone else. These guys might be able to get a small portion of customers who don't care about a centralized party, but that just isn't going to be enough; those aren't the people who are going to evangelize it.


There's a customer-base problem here. Bitcoin's expansion is based on who is willing to consider something different. A new alt-coin promising to do the kinds of things Bitcoin does but better (not crack new customers) can only exist by taking Bitcoin's market-share (which is not big). Being honest with ourselves, this is likely to get lost in the noise until bitcoin is large enough and this weakness of it is exploited enough that a substantial amount of people look for an alternative.


The iPhone still exists despite Android coming out.

I see no need for a single currency at a time. There may be ultimately a winner, but there is no stopping each from finding their own niche. What if Bitcoin becomes the currency of Wall St - which is better served by pseudonymous currency - while ZCash fills the more privacy oriented niche for projects like Open Bazaar?


This literally has no use case other than illicit transactions - the one and only substantial Bitcoin use case in practice. They're even asked about this directly and can't come up with any!

So the question is: can Zcash compete with Bitcoin in the darknet markets? Is there any DNM that does any substantial business in a crypto other than Bitcoin?


> This literally has no use case other than illicit transactions

My thoughts exactly. But they must have made a good case that there were other uses to their investors, they netted some pretty high-profile names.

I would imagine Dash is getting traction on darknets, but I haven't seen anything on that one lately.


Various governments were not happy with BitCoins ... I'm sure this will drive them crazy x10 if it catches on.


It's kind of frustrating as a person wanting a decentralised payments system having to work with people who want the most anonymous payments system possible.

Enabling anonymous financial actions _is the very definition_ of money laundering. Though the protocol could be freely distributed, any form of business built on it will have a lot of trouble existing in any useful form. Starting from that point is going to make your life so much harder.

And of course, the irony in trying to use Bitcoin as a basis for anonymous transactions is solved with Zerocoin. But I don't know how a law-abiding business can have reasonable knowledge of the parties in the transactions (a requirement to not be money laundering) without meeting the wishes of the fanbase.


Actually, anonymous financial transactions are quite common. Every time you purchase something with cash, the seller receives payment with no knowledge of who you are or how you got the money.

And the definition of money laundering is hiding the source of illegally obtained money. An anonymous transaction isn't laundering if there's nothing dirty about the money in the first place.


Paying in cash involves turning up in person with cash. That's definitely not anonymous.


Can someone ELI5 how Zcash works?


Zero Knowledge proofs take the place of a digital signature proving ownership of an address in Bitcoin.

Well, that's "explain like you're a crypto undergrad". But, it's a start.

There's quite a lot of interesting cryptography and engineering involved in making this work; the last zerocash presentation I saw in 2014 mentioned they had been working on shrinking ZK proofs from 25k down to a manageable size for a blockchain.


I haven't read the Zcash paper, but my understanding of its predecessor could be simplified to:

* To "create" zcash, you put a random number into a box that can't be opened and a proof that you spent bitcoin to a special kind of bitcoin address.

* To "spend" zcash, you reveal the random number that you put in the box (to prevent double spending), and you prove that one of the boxes contains that number (without revealing which box it is). Then you can take the same amount of bitcoin from any of the special addresses above.
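The create/spend flow sketched in the comment above, together with the 50 into 18 + 32 split discussed earlier in the thread, as an added Python model that is not Zcash or Zerocoin code. Simplifications: the "box that can't be opened" is a SHA-256 commitment to (serial, value, blinding); the public set of boxes is a Merkle tree; and membership is shown with a plain Merkle path, which reveals which box is being spent, exactly what the real scheme's zero-knowledge proof hides. The Coin and Ledger types, the values and the scenario are all constructed.

```python
import hashlib
import secrets
from dataclasses import dataclass, field

def h(*parts: bytes) -> bytes:
    d = hashlib.sha256()
    for p in parts:            # length-prefix each part so different splits cannot collide
        d.update(len(p).to_bytes(2, "big") + p)
    return d.digest()

@dataclass(frozen=True)
class Coin:
    serial: bytes  # hidden random number, revealed only when the coin is spent
    value: int
    blind: bytes   # extra randomness so equal-valued coins are unlinkable

    def commitment(self) -> bytes:  # the sealed box: hides serial and value, binds them
        return h(self.serial, self.value.to_bytes(8, "big"), self.blind)

def mint(value: int) -> Coin:
    return Coin(secrets.token_bytes(32), value, secrets.token_bytes(32))

def _next_level(level: list[bytes]) -> list[bytes]:
    if len(level) % 2:
        level = level + [level[-1]]      # duplicate the last node on odd levels
    return [h(level[i], level[i + 1]) for i in range(0, len(level), 2)]

def merkle_root(leaves: list[bytes]) -> bytes:
    level = list(leaves)
    while len(level) > 1:
        level = _next_level(level)
    return level[0]

def merkle_path(leaves: list[bytes], index: int) -> list[tuple[bytes, bool]]:
    """Sibling hashes from leaf to root; the flag marks a sibling on the right."""
    path, level = [], list(leaves)
    while len(level) > 1:
        level = level + [level[-1]] if len(level) % 2 else level
        path.append((level[index ^ 1], (index ^ 1) > index))
        level, index = _next_level(level), index // 2
    return path

def verify_path(root: bytes, leaf: bytes, path: list[tuple[bytes, bool]]) -> bool:
    node = leaf
    for sib, sib_is_right in path:
        node = h(node, sib) if sib_is_right else h(sib, node)
    return node == root

@dataclass
class Ledger:
    commitments: list = field(default_factory=list)  # public list of sealed boxes
    spent_serials: set = field(default_factory=set)  # public list of revealed serials

    def add(self, coin: Coin) -> None:
        self.commitments.append(coin.commitment())

    def spend(self, coin: Coin, path: list, outputs: list[int]) -> list[Coin]:
        """Consume `coin` into coins worth `outputs`; raise if the ledger rejects it."""
        if coin.serial in self.spent_serials:          # 1. revealed serial must be fresh
            raise ValueError("double spend: serial already revealed")
        root = merkle_root(self.commitments)           # 2. box must be on the ledger
        if not verify_path(root, coin.commitment(), path):
            raise ValueError("commitment is not on the ledger")
        if not outputs or sum(outputs) != coin.value or min(outputs) <= 0:  # 3. balance
            raise ValueError("outputs do not balance the input")
        self.spent_serials.add(coin.serial)
        new_coins = [mint(v) for v in outputs]
        for c in new_coins:
            self.add(c)
        return new_coins

def demo() -> dict:
    """Constructed scenario from the thread: a 50-coin box split into 18 + 32, then replayed."""
    ledger = Ledger()
    mine, other = mint(50), mint(50)          # a second equal-valued box to hide among
    ledger.add(other)
    ledger.add(mine)
    path = merkle_path(ledger.commitments, 1)
    to_friend, change = ledger.spend(mine, path, [18, 32])
    try:
        ledger.spend(mine, merkle_path(ledger.commitments, 1), [50])  # replay the spent box
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    return {"friend": to_friend.value, "change": change.value,
            "boxes": len(ledger.commitments), "replay_rejected": replay_rejected}
```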


I commend fryguy for trying.

People with PhD's in computer science have trouble figuring out how Zcash works. It seems to require a very strong mathematics background and it's an order of magnitude more complicated than Bitcoin. I don't think that you're going to get a good ELI5 for it for a while.

Zcash is based on Zerocash. In case you ever want to feel like a simpleton: http://zerocash-project.org/media/pdf/zerocash-extended-2014...


Does anyone know how anonymous transactions remain if e.g. law enforcement take your (unprotected) laptop from you?

I've got to say, I don't have much confidence in the company itself, specifically:

>Wilcox maintains his stealthy digital cash startup isn’t intended to facilitate crime, but also notes that the company isn’t liable for any criminal applications for which Zcash is used.

It's almost like they've never heard of https://en.wikipedia.org/wiki/E-gold or its many, many variations.


> Does anyone know how anonymous transactions remain if e.g. law enforcement take your (unprotected) laptop from you?

This is why you should do full disk encryption, and travel without your hard drive. At the end of the day, there's probably forensic methods on your laptop that would be far more damaging than just deanonymising your past transactions.


>This is why you should do full disk encryption, and travel without your hard drive. At the end of the day, there's probably forensic methods on your laptop that would be far more damaging than just deanonymising your past transactions.

While that's all very good and all, it doesn't really answer my question :)


> >This is why you should do full disk encryption, and travel without your hard drive. At the end of the day, there's probably forensic methods on your laptop that would be far more damaging than just deanonymising your past transactions.

> While that's all very good and all, it doesn't really answer my question :)

I probably should've prefaced that with "I don't know, but".


Correct me if I am wrong, but to generate a Zcash coin you need to send a bitcoin to an escrow account, and to redeem it they will send a bitcoin from the escrow account to wherever you want?

I would be much more comfortable with generation being tied to destroying bitcoins or simply running yet another blockchain and letting the market deal with exchanges from BTC to Z.

Looks like they made some very cool progress though.


But does it have the same scalability issues as Bitcoin?

If yes, I don't give cryptocurrencies a single chance to replace the current currencies.


Bitcoin is already very untraceable. Yes, there's a public ledger of all transactions, but it has no identifying information. There are some public addresses whose owners are known, because they volunteered that information. Exchanges also know the owners of certain addresses. But that's about it.

Bitcoin's address space is huge, something like 10^48. I can make a thousand of them in a few seconds, along with the private keys. I can send the money to any of them, and you will never know who owns it. I can send my money between these 1000 addresses as much as I want, and all you will see in the ledger is money going from A to B to C, just like the rest of it.

The Bitcoin network doesn't know any difference between me buying something on Overstock, or me sending the money to my brother across the globe, or to myself.


This video should give you a better idea of how anonymous Bitcoin is.

https://www.youtube.com/watch?v=AypRF9q0llU

There are also several startups dedicated to performing Bitcoin blockchain analysis for this specific purpose.


Do you realize that this video doesn't contradict what I said? The hacker got caught, and (some of) the money got returned, and that's what they are showing in that video.

If the guy didn't get caught, they would have never found anything, unless the thief is dumb enough to send these coins to his exchange.

If it were me, I would randomly mix 40,000 coins between random addresses, random amounts, random times for like a year. Never using the same address again. I would mix them with other coins. You might end up with 10,000 addresses holding random amounts of coins, but that's not a big deal at all. You need some cash? LocalBitcoins in a neighboring town. Or create an online business and buy your own product from yourself. Or build a website, put ads on it, and buy quality traffic with bitcoin (arbitrage).


> Bitcoin is already very untraceable. Yes, there's a public ledger of all transactions, but it has no identifying information. There are some public addresses whose owners are known, because they volunteered that information. Exchanges also know the owners of certain addresses. But that's about it.

That isn't true. Bitcoin transactions can be traced like almost all other transaction types (even more so because it's a public ledger); the only difference is that the end points are pseudonymous (sure, they might not have your names, but they do have unique identifiers, like account numbers). It's a mistake to consider the above as being "untraceable" or anonymous.

> Bitcoin's address space is huge, something like 10^48. I can make a thousand of them in a few seconds, along with the private keys. I can send the money to any of them, and you will never know who owns it. I can send my money between these 1000 addresses as much as I want, and all you will see in the ledger is money going from A to B to C, just like the rest of it.

This principle is all about mixing to "clean" bitcoins, but it doesn't provide strong anonymity properties (if all of the addresses you use for mixing are only used for mixing your bitcoins, you haven't improved your anonymity).

> Bitcoin network doesn't know any difference between me buying something on Overstock, or me sending the money to my brother across the globe, or to myself.

Other than the globally unique addresses, which can be used to tie together groups of transactions or owners of accounts.


Oh good, Roger Ver is involved as an investor.

Steer clear, fellas. Steer clear.


Mind explaining who this is, and why this is an issue?

(I genuinely have no idea, and I figure you can probably explain better than a Google search could.)


His wikipedia page is a good place to start:

https://en.wikipedia.org/wiki/Roger_Ver

* He sold explosives on ebay back in the day, and went to prison for it.

* He renounced his US citizenship to avoid paying taxes...

* ...but was for some reason VERY annoyed when the US government wouldn't let him back in.

* Of course he funded Ross Ulbricht's defense in the Silkroad trial.

Mostly though, he is the subject of waaaay too many posts on /r/buttcoin. Who you take money from shows what kind of organization you want to build. ZCash is currently failing this test for me.


His mtgox video is emblematic[1]. Mtgox was at the time the largest bitcoin exchange in the world but it was insolvent due to stealing/misplacing customer funds. Roger made a video saying everything was fine and then mtgox went under a couple of months later. He then tried to spin that he was just talking about "liquidity" and not "solvency" but that's a really shitty excuse.

[1] https://www.youtube.com/watch?v=UP1YsMlrfF0


Rather than recreate, they should see what Dashcoin is doing. IMHO Dash is the most progressive altcoin working to fix major issues found with Bitcoin.


Can someone explain how these "Zero Knowledge Proofs" are "untraceable"?

