Alex did not find it surprising that people like the Chinese Triads and the Corsican Black Hand were electronically minting their own cash. He simply accepted it: electronic, private cash, unbacked by any government, untraceable, completely anonymous, global in reach, lightninglike in speed, ubiquitous, fungible, and usually highly volatile. Of course, such funds didn't boldly say "Sicilian Mafia" right on the transaction screen; they usually had some stuffy official-sounding alias such as "Banco Ambrosiano ATM Euro-DigiLira," but the private currency speculators would usually have a pretty good guess as to the solvency of the issuers.
- Heavy Weather
Money is power. Anonymous money prevents you from choosing which power you'd like to submit to. Decentralized money prevents governments from restricting power. Let's keep the decentralization and remove the anonymity so you can reject power you find undesirable.
The first application of this mechanism will probably be restoring our democracies by rejecting the power of money to influence them. It won't be the last application—I think we'll use it to enforce any rule that has a broad consensus behind it. The boundaries of the enforcement will be the same as the boundaries of our economy: there aren't any. We'll have global governance without a global government.
This is merit capitalism. http://meritcapitalism.com/
Zcash is cool, but if you accept it as payment, you're making yourself powerless.
Perhaps I'm being cynical, but that doesn't sound like an easy fix.
What would you think of a system that instead tracked materials and manufacturing process?
So, each step in the manufacturing process would use proofs received from previous steps that the amount they claim to have produced is not more than they could make with only the materials that previous steps have said they supplied?
So, e.g., if there is a place that makes good(?) grain, they would include some cryptographic signature that they provided the amount of grain, and then a baker receiving it would be able to produce a signed claim that they made so many breads with only grain from there, and they wouldn't be able to fake making more by adding grain from elsewhere, because the total of all their claims of how much of the grain is used in each bread could not total more than the grain which was signed as provided?
Or something like that.
I don't remember the specifics.
Would it be better to track who owned the money before you, or to track how the product was made? Or both?
I think there are probably some advantages of anonymous money, but I don't know that they outweigh the costs that you mention. (I suspect non-anonymous money makes auctions and things more difficult, and might reduce efficiency, but that might just be the acceptable cost of influencing the world against people doing harm)
I think it's a great idea, and people are building it.
The decentralization renaissance is hitting full steam. If you like thinking about this sort of thing, you should find a way to make it your day job.
I don't understand how this is "easy". Money doesn't become evil because of how it was earned, that's just an overly emotional way of looking at a system of transactions.
> Money is power. Anonymous money prevents you from choosing which power you'd like to submit to. Decentralized money prevents governments from restricting power. Let's keep the decentralization and remove the anonymity so you can reject power you find undesirable.
That's ridiculous FUD. Consider people donating to WikiLeaks or similar, where the sender might not want a record of where they sent their money. If the source of the money is anonymous, there's no "power" involved. Nobody can force you to do something under the pretext of "but that's what I paid you for".
There are many evil ways to acquire money, and anonymous money makes us all supporters of that evil. We should stop it.
> Consider people donating to WikiLeaks or similar, where the sender might not want a record of where they sent their money.
The government knows who's donating to WikiLeaks. To state actors, money is already identifiable. People like you and me are powerless when it comes to money, so we can't stop the people who have purchased our government. Let's fix that.
Today, your business is minded by the government and large corporations. As a result, the rules that they want enforced are the ones that actually get enforced. Anonymous money is why you have no ability to prevent people from buying your government: no one with the power to mind people's business actually wants to enforce such a rule. If you give everyone the power to mind people's business, then rules that the people want enforced can actually be enforced.
There is no way to regain the ability to sanction bad behavior unless you can mind other people's business. Financial privacy feels nice, but it gives the wealthy the ability to rule over us with little recourse. Are the benefits worth the cost?
The destruction of individual rights for the sake of preventing individual crime either ends in extreme centralisation of power, with the party given the exclusive privilege of surveiling the population gaining power over the masses through its informational superiority, which makes institutional abuse by the political elite and the organs of the state more likely, or a morass of gridlock where no one can act without the permission of everyone else in society.
The solution to gridlock is to enforce fewer laws. I'm not out to increase the number of arbitrary laws. I'm out to eliminate the tyranny of the wealthy: they manipulate our politics and buy their way out of justice.
Anonymous digital currency like bitcoin could be used to reward informants without requiring them to physically meet anyone or reveal their identity, which is extremely valuable when cartels have countless people inside law enforcement agencies.
>I'm out to eliminate the tyranny of the wealthy: they manipulate our politics and buy their way out of justice.
Destroying money (money only works when it affords its user with privacy) to stop abuse by the economically powerful is cutting off your nose to spite your face. Money does far more good than bad. The solution to abuse by the wealthy is to fix the political system, so that money cannot buy political influence, not eliminate wealth and privacy.
I am not suggesting financial disclosure laws. I'm suggesting that everyone stop accepting anonymous money, then stop accepting money that funded murders because doing so would empower the murderers.
> They're difficult to stop because they kill people who try to investigate and arrest their members.
The killers are paid to do the killing. If they could no longer buy things with the proceeds, they would stop killing.
> (money only works when it affords its user with privacy)
I disagree with this. Can you explain how money would stop working without privacy?
> The solution to abuse by the wealthy is to fix the political system, so that money cannot buy political influence, not eliminate wealth and privacy.
The political system cannot be fixed unless everyone becomes a single-issue voter on campaign finance. Otherwise, those votes will be purchased away, and we can't outspend the wealthy. We should try to fix the political system, but I expect those efforts to fail.
I have no desire to eliminate wealth. I do want to eliminate financial privacy because it seems clear that it hurts us more than it helps.
Not gonna happen and should not happen.
>The killers are paid to do the killing.
This is so ridiculous. Money is not the only way to compensate someone or otherwise move them to act. The cartels would still have plenty of soldiers without people voluntarily accepting cash-like (anonymous) money.
If money was not private, armed gangs would know everything about everyone, making everyone less safe. Private money is privacy. If you eliminate private money you eliminate privacy. If you eliminate privacy you reduce human autonomy and security, not just from the armed criminal, but also from the masses.
>Otherwise, those votes will be purchased away, and we can't outspend the wealthy.
The political system needs to be fixed so that money cannot buy votes. You're focusing on the ocean instead of the leaky boat.
With bitcoin and other Nakamoto-consensus based crypto-currencies, the "solvency of the issuer" is irrelevant, because these currencies aren't debt based.
Or are you talking about fractional-reserve banking? If so, there's nothing that prevents implementing that on top of crypto-currencies any more than on top of physical currency.
The fractional reserve system works precisely because only a few well-known actors are allowed to create money -- which is a bit of an antithesis for this kind of crypto currency.
However, I have to say that one of the things that bothered me (economically) about bitcoin is the lack of debt. This limits the availability of currency to either mining (which requires a large investment of hardware) or buying the currency on a market (which requires using a different currency and essentially relying on the same banking industry that you were trying to avoid). I would be very interested in seeing someone attempt some kind of monetary creation through debt in a crypto-currency.
That's... not quite how it works.
I can lend $20 or $2000 to a friend, and no money is created.
Money is created by aggregating a large number of relatively small accounts into a shared pot, and pretending that pot is larger than it really is (which you generally do by making loans out of that pot without telling any of the individual accounts that their available balance has gone down). Money is created by the possibility of bank runs.
If the borrowers all run off with the money, someone will be left holding the bag (or the empty pot). If you borrowed from yourself, that someone will be you.
Bitcoin allows for debt exactly as much as cash allows for debt. There has to be something to make sure the borrower will (usually) pay back what's owed -- some concept of personal honor, risk of damaged friendships, legal liability and positive real-world identification, whatever. That mechanism is distinct from the currency used. That mechanism also probably can't allow for anonymity.
setting up the rules for a fully distributed fractional reserve system would be non-trivial
There needs to be something at stake, which (1) the borrower can lose if they don't pay back the loan, and (2) is worth at least as much (to the borrower) as what was borrowed. There needs to be a reason to believe that a rational or mostly-rational borrower will pay back the loan.
There also needs to be some reason to believe that the borrower can pay back the loan.
Both of these are ties to external systems.
...getting back to the required shared pot, what does "distributed" mean here? Lack of central control over who can create the shared pots? A "marketplace" interface for finding shared pots to contribute to / borrow from? Automated selection of the "best" shared pot given your choice of criteria? A standard API for shared pots?
You know who owns the Fed? Do tell.
Oh, and the actual inability of the said central bank to bail out comercial banks by printing bitcoins.
Oh, and also the inability of a global superpower to manage its tremendous debt by playing with interest rates.
Plus all his actual science fiction.
BTC is much more traceable.
Street food vendor: no, he preferred a card.
Taxi driver: no, but he didn't want to take a card either, only a bank transfer from my phone. My account isn't set up for that yet, so he took the cash, then didn't have the 5kr change.
Supermarket, exact change for a single item: I delayed people behind me, the machine used to count coins didn't accept mine.
Café, for a single soft drink with exact change: I didn't ask, but the man dropped the exact change into the empty coin tray.
So the result is I still have most of the coins which a foreign friend left behind after visiting in December.
You can't take $5million cash through Airport security. You can take $1bn bitcoin brainwallet through airport security, and nobody will ever notice.
> Zcash is launching as a for-profit company.
That's their downfall right there. With someone visible to track they've given up the game before they started. Real people running real companies are really vulnerable. The real test of a security system is its weakest link. And that link is almost always a person. Right?
IMHO the subtle political reason Bitcoin has gotten as far as it has is because its creator has remained anonymous, and not tried to visibly profit from it.
Why do I think that? Because governments are very territorial about their money. Banks too. The regulations for banks are pretty tough, as you may know, Know-Your-Customer edicts and such.
The company that is launching this consists of a team of brilliant cryptographers and security engineers.
How does "their identity is known" translate into an attack?
How does "they're a for-profit company" weaken the security guarantees of a zero-knowledge proof?
Most proposals succeeding wouldn't bring this risk up: very specific to this project's goals given it ties in anonymity and money. We actually have no idea what they'll do outside some surveillance, court-ordered searches or seizures. Hopefully, it doesn't get popular among their targets. The closest thing is Tor but it's unusual: a tech used and funded by U.S. organizations including military, LEO's and propaganda teams (conflict of interest); anti-censorship getting it special treatment for exports; non-profit; extra smart and dedicated people. Quite a combo. The rest of the carriers and projects fell to FBI, NSA, or both when they became important enough to target with the big guns. If not immediately, then eventually. We know some were paid off but the coercive techniques are unknown.
So, yes, centralizing control of something for untraceable money into few, known hands is a huge risk depending where you're at. A risk of what I can't tell you as they won't tell me. ;) The other commenter wisely added the for-profit angle as another dimension of the risk. Most of those screw their users, get hacked, or fail for business reasons. So, that should probably be No 1.
EDIT: Conflict of interest on Tor is meant to indicate that, internal to U.S. government, there would be battling over doing something to weaken or end it. Not the Tor team or organization itself.
They can be coerced into actions based on threats to themselves or relatives.
You don't seem to realize how easy it is to discredit someone that the general public doesn't recognize.
The cryptographers are one false planting of child porn away from no influential majority of people believing a word they say. You won't defend them, because you'll question the authenticity of the child porn claims and you'll have no evidence to the contrary.
Overnight these kinds of people can be taken down and made into nothing.
From the CIA selling drugs to arm the Hmong in the Vietnam war to the NSA in ATT's room 641A, there are enough examples to know that it's possible.
You obviously don't entertain the idea that those could be legitimate. What makes you think you'll entertain the idea if it were to happen to a lead cryptographer that you've never met before in your life?
>Not when proposed by apparently paranoid HN users, I don't.
I very much agree with you that it's not worth focusing on, but you were acting like it was never a possibility simply because the people being attacked would be well educated.
Not when proposed by apparently paranoid HN users, I don't.
> What makes you think you'll entertain the idea if it were to happen to a lead cryptographer that you've never met before in your life?
I happen to be involved with cryptography. I'm very familiar with three of the people on the Zcash team, one of whom I call "friend".
Instead of worrying about stopping every logically possible attack, I find it more productive to focus on stopping the 99.9999% of plausible attacks. If the government manages to pull off something theoretically possible but unbelievably improbable, they simply deserve to win that round.
Maybe this is where your potential bias stems from. I mean, what's the point of name dropping here if it's not stemming from a bit of ego, maybe strong enough ego to believe you're out of reach for a three letter agency? You know three of them, great, but you don't know all of them and you may not know the most major contributor and it's possible there exists a key member that has an already shady past.
The hypothetical in question isn't even intended for you. It's intended for the general public. Most of whom would gladly eat up whatever story they are sold.
When you frame the conversation that way, it makes more sense.
It's open source, so even if the company fails (likely -- it's a startup, after all, although if successful it will be huge), the project lives. But a company gives them the resources to work on this which wouldn't otherwise be available.
It's late and I fear my point may be muddled. But yea, the soft squidgy part of it would die and wither away.
> Wilcox says that he plans for 1 percent of Zcash’s currency to ultimately go towards that non-profit, and 10 percent to be paid to the for-profit startup.
11% is a lot when compared to credit card transaction rates.
Can you help me understand something about Zcash? Do buckets need to be decrypted for the network on spend? Or is there a way to append a zk-proof that the bucket contains enough to fund follow-on buckets?
I'm probably wasting your time a little by asking, but I don't want to rely on my own reading to get a solid understanding.
This. :) (Alongside a demonstration that it wasn't spent before.)
1) You have 50 coins in a 'bucket' or address?
2) You send 18 to a friend
3) You send 32 to yourself.
So you create two encrypted buckets, 18 in one, and 32 in the other. They seem to be the equivalent of UTXOs. I'm not clear if they need to be 'revealed' to be spent though.
"For its first four years online, a portion of every mined Zcash coin will go directly to Wilcox’s Zcash company and a smaller portion to a non-profit he’s creating to oversee the Zcash code and community longterm. Wilcox says that he plans for 1 percent of Zcash’s currency to ultimately go towards that non-profit, and 10 percent to be paid to the for-profit startup."
Who is going to want to engage in commerce in a system that creams off a 10 percent vigorish on every transaction? Credit card companies are hated by small merchants for taking a third that much.
Besides, credit cards offer protection in that they are able to give insurance on purchases by doing charge backs.
The inevitable question "should we want this?" is moot because evidently such systems are possible (iff they provide a practical currency for such transactions) and will inevitably be used for this. Furthermore, Bitcoin already achieves something close to it in practice. It's just worth pointing out that untraceability will have nasty consequences as well as good ones.
As an interesting aside, David Chaum, who has lately been infamous for advocating ways to backdoor encryption, may be considered the father of fully untraceable (but not decentralized) digital currencies. Ironically, after  was published others in the cryptographic community spent a number of papers on building what they called 'fair' blind signatures, which consisted basically of varieties of Chaum's basic idea but where untraceability could be lifted by an "independent party possessing the right private key" (i.e. a public "police backdoor"). They were trying to backdoor Chaum's encryption...
Additionally, the money by itself may be anonymous, but that person will have to convert it to other currency or make purchases. Those purchases may be physical objects like cars, or rent, or any other large purchase which the person will have to demonstrate how they could afford to purchase it. The IRS would still be able to detect irregularities in consumption.
If anything it will be a boon for the information security industry, they will have to stop selling snakeoil and start selling solutions that actually prevent people's money from being stolen.
Chaum himself is advocating not just for any ol' backdoor, but for a flavour of "multi-sovereign-party public police backdoor" if you believe the Wired article that explained his proposal.
"Security of Π relies on a trusted party running Setup to generate the public parameters (once and for all). This trust is needed for the transaction non-malleability and balance properties but not for ledger indistinguishability" - from the zerocash paper
(Secure Sampling of Public Parameters for Succinct Zero Knowledge Proofs, Ben-Sasson, E. ; Chiesa, A. ; Green, M. ; Tromer, E. et al.)
Only if every member of this group were compromised or dishonest will the setup fail. That is, only 1/N participants need to be honest.
If so, then they've introduced a new sort of meta 51% attack potential in a system that gives no economic incentive to mine (i.e., 51% attack is much easier when it's not "51% of everyone trying to earn coins", but instead is "51% of those donating computing to protect zero-knowledge proof"), right?
If not so, then how? (rewind to Jan 2, 2009...)
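The "only one of N participants needs to be honest" property, made concrete as an added example (toy code written for this thread, not the Zcash ceremony software). The real parameters live in a pairing-friendly group; here a plain modular group with a constructed prime P and base G stands in for it, so nothing about SNARK soundness is modelled, only the claim in question: the secret behind the final parameter is the product of every participant's contribution, so reproducing it needs every contribution, and any single participant destroying theirs is enough to keep it from everyone. The participant secrets in the demo are constructed values.

```python
# Toy sequential setup ceremony (constructed values; not a real parameter set).
P = 2**61 - 1   # prime modulus of the toy group (assumption: stands in for a pairing group)
G = 3           # fixed base element

def ceremony(secrets):
    """Each participant in turn raises the running element to its own secret and
    publishes the result; the returned transcript is everything the public sees."""
    transcript = [G]
    for s in secrets:
        transcript.append(pow(transcript[-1], s, P))
    return transcript

def combined_secret(secrets):
    """The 'toxic waste': the product of all contributions, reduced mod the group order."""
    t = 1
    for s in secrets:
        t = (t * s) % (P - 1)
    return t

def can_recover(known_secrets, final_parameter):
    """Could someone holding only `known_secrets` reproduce the final parameter?
    Equivalent to asking whether they know the full toxic waste."""
    return pow(G, combined_secret(known_secrets), P) == final_parameter

def demo(secrets):
    """Compare an all-parties collusion against one participant destroying its share."""
    final = ceremony(secrets)[-1]
    return {
        "all_colluding": can_recover(secrets, final),        # every secret leaked
        "last_destroyed": can_recover(secrets[:-1], final),  # last participant deleted theirs
        "first_destroyed": can_recover(secrets[1:], final),  # first participant deleted theirs
    }

if __name__ == "__main__":
    print(demo([1000000007, 998244353, 1000000009]))
```

The point the comment makes follows directly: the attacker's position is the same whether one or N-1 participants are dishonest, so the honest minority is what matters, which is unlike a 51% majority argument. What this toy does not show is how observers verify that each step was computed correctly from the previous one; that needs the pairing structure of the real group.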
Not very well, if at all.
Can you give more detail as to why this is a backdoor?
But yes, if someone on the inside "steals" the money, nobody will figure out where it went.
Zooko, btw, used to work for DigiCash long ago. The world of anonymous ecash has been...without a lot of progress, overall. Hopefully Zcash changes this.
Good luck with that, especially as a registered for-profit organization.
Car manufacturers are required to report VIN numbers and allow for license plates, on top of a number of other mandatory regulations. Road access is also a privilege, and automobiles not meeting certain standards are not allowed.
The question is whether a judge is willing to destroy a company in order to pursue law enforcement goals.
Regardless, this doesn't mean zcash will die necessarily. As it will be open-source and has the ability to continue functioning without a centralized organization.
But yes, a judge would be perfectly willing to destroy a company in violation of the law. See, e.g., Aereo and its ilk.
Disclosure: I own Bitcoin, but do not currently own any Monero. I have no financial incentive to promote it, I'm just legitimately curious as to how Zcash is different.
Zcash mixes your transaction with every previous transaction. In fact, it goes to great lengths to make transactions indistinguishable from each other.
I see no need for a single currency at a time. There may be ultimately a winner, but there is no stopping each from finding their own niche. What if Bitcoin becomes the currency of Wall St - which is better served by pseudonymous currency - while ZCash fills the more privacy oriented niche for projects like Open Bazaar?
So the question is: can Zcash compete with Bitcoin in the darknet markets? Is there any DNM that does any substantial business in a crypto other than Bitcoin?
My thoughts exactly. But they must have made a good case that there were other uses to their investors, they netted some pretty high-profile names.
I would imagine Dash is getting traction on darknets, but I haven't seen anything on that one lately
Enabling anonymous financial actions _is the very definition_ of money laundering. Though the protocol could be freely distributed, any form of business built on it will have a lot of trouble existing in any useful form. Starting from that point is going to make your life so much harder.
And of course, the irony in trying to use Bitcoin as a basis for anonymous transactions is solved with Zerocoin. But I don't know how a law-abiding business can have reasonable knowledge of the parties in the transactions (a requirement to not be money laundering) without meeting the wishes of the fanbase.
And the definition of money laundering is hiding the source of illegally obtained money. An anonymous transaction isn't laundering if there's nothing dirty about the money in the first place.
Well, that's explain like you're a crypto undergrad. But, it's a start.
There's quite a lot of interesting cryptography and engineering involved in making this work; the last zerocash presentation I saw in 2014 mentioned they had been working on shrinking ZK proofs from 25k down to a manageable size for a blockchain.
* To "create" zcash, you put a random number into a box that can't be opened and a proof that you spent bitcoin to a special kind of bitcoin address.
* To "spend" zcash, you reveal the random number that you put in the box (to prevent double spending), and you prove that one of the boxes contains that number (without revealing which box it is). Then you can take the same amount of bitcoin from any of the special addresses above.
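The create/spend description above, together with the earlier 50-coin bucket split (18 to a friend, 32 back to yourself), reduced to the parts a ledger actually checks, as an added example (toy code written for this thread, not Zcash's or Zerocash's implementation). It keeps the two public structures the comment describes: the list of commitments (the "boxes") and the set of revealed serial numbers, with a Merkle tree standing in for "one of the boxes". The one thing it leaves out is the zero-knowledge part: here the spender hands over the serial, the blinding value and the Merkle path, so the ledger recomputes the commitment and the spend reveals which box was opened; Zerocash replaces that disclosure with a zk-SNARK so that only the serial number and the tree root become public. The Coin and Ledger classes and the hash layout are assumptions of this toy.

```python
import hashlib
import os

def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

def merkle_root(leaves):
    """Binary hash tree over the commitment list; an odd level duplicates its last node."""
    level = list(leaves) or [H(b"empty")]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [H(level[i], level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]

def merkle_path(leaves, index):
    """Sibling hashes from leaf `index` up to the root, each tagged with its side."""
    path, level = [], list(leaves)
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        sibling = index ^ 1
        path.append((level[sibling], sibling < index))  # (hash, sibling_is_left)
        level = [H(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        index //= 2
    return path

def verify_path(leaf, path, root):
    node = leaf
    for sibling, sibling_is_left in path:
        node = H(sibling, node) if sibling_is_left else H(node, sibling)
    return node == root

class Coin:
    """A minted coin (toy layout): the serial is revealed on spend, r never is."""
    def __init__(self, value):
        self.value = value
        self.serial = os.urandom(32)   # the random number put in the box
        self.r = os.urandom(32)        # blinding so the box cannot be opened by guessing

    def commitment(self):
        return H(self.serial, self.r, self.value.to_bytes(8, "big"))

class Ledger:
    def __init__(self):
        self.commitments = []       # public list of boxes; nothing inside is visible
        self.spent_serials = set()  # public set of serial numbers already revealed

    def mint(self, coin):
        self.commitments.append(coin.commitment())
        return len(self.commitments) - 1

    def spend(self, serial, r, value, path):
        # 1. double-spend check: each serial number may be revealed exactly once
        if serial in self.spent_serials:
            return False
        # 2. membership check: the opened box must be one of the committed ones
        #    (toy: the ledger recomputes the commitment from the revealed values;
        #    the real scheme checks this inside a zero-knowledge proof instead)
        leaf = H(serial, r, value.to_bytes(8, "big"))
        if not verify_path(leaf, path, merkle_root(self.commitments)):
            return False
        self.spent_serials.add(serial)
        return True

def demo():
    ledger = Ledger()
    alice, bob = Coin(18), Coin(32)
    ia = ledger.mint(alice)
    ledger.mint(bob)
    path_a = merkle_path(ledger.commitments, ia)
    first = ledger.spend(alice.serial, alice.r, alice.value, path_a)   # valid spend
    again = ledger.spend(alice.serial, alice.r, alice.value, path_a)   # same serial twice
    forged = Coin(1000)                                                # never minted
    fake = ledger.spend(forged.serial, forged.r, forged.value, path_a)
    return first, again, fake

if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

Two things carry over to the real design unchanged: the serial number set only ever grows, so a node validating a spend needs the whole history of revealed serials, and the commitment tree only ever grows, so "one of the boxes" gets cheaper to hide among over time. What changes is that the membership check happens inside the proof, which is why the proof size the next comment mentions matters for putting this on a blockchain.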
People with PhDs in computer science have trouble figuring out how Zcash works. It seems to require a very strong mathematics background and it's an order of magnitude more complicated than Bitcoin. I don't think that you're going to get a good ELI5 for it for a while.
Zcash is based on Zerocash. In case you ever want to feel like a simpleton:
I've got to say, I don't have much confidence in the company itself, specifically:
>Wilcox maintains his stealthy digital cash startup isn’t intended to facilitate crime, but also notes that the company isn’t liable for any criminal applications for which Zcash is used.
It's almost like they've never heard of https://en.wikipedia.org/wiki/E-gold or its many, many variations.
This is why you should do full disk encryption, and travel without your hard drive. At the end of the day, there's probably forensic methods on your laptop that would be far more damaging than just deanonymising your past transactions.
While that's all very good and all, it doesn't really answer my question :)
> While that's all very good and all, it doesn't really answer my question :)
I probably should've prefaced that with "I don't know, but".
I would be much more comfortable with generation being tied to destroying bitcoins or simply running yet another blockchain and letting the market deal with exchanges from BTC to Z.
Looks like they made some very cool progress though.
If yes, I don't give cryptocurrencies a single chance to replace the current currencies.
Bitcoin's address space is huge, something like 10^48. I can make a thousand of them in a few seconds, along with the private keys. I can send the money to any of them, and you will never know who owns it. I can send my money between these 1000 addresses as much as I want, and all you will see in the ledger is money going from A to B to C, just like the rest of it.
Bitcoin network doesn't know any difference between me buying something on Overstock, or me sending the money to my brother across the globe, or to myself.
There are also several startups dedicated to performing Bitcoin blockchain analysis for this specific purpose.
If the guy didn't get caught, they would have never found anything, unless the thief is dumb enough to send these coins to his exchange.
If it were me, I would randomly mix 40,000 coins between random addresses, random amounts, random times for like a year. Never using the same address again. I would mix them with other coins. You might end up with 10,000 addresses holding random amounts of coins, but that's not a big deal at all. You need some cash? LocalBitcoins in a neighboring town. Or create an online business and buy your own product from yourself. Or build a website, put ads on it, and buy quality traffic with bitcoin (arbitrage).
That isn't true. Bitcoin transactions can be traced like almost all other transaction types (even more so because it's a public ledger), the only difference is that the end points are pseudonymous (sure, they might not have your names, but they do have unique identifiers, like account numbers). It's a mistake to consider the above as being "untraceable" or anonymous.
> Bitcoin's address space is huge, something like 10^48. I can make a thousand of them in a few seconds, along with the private keys. I can send the money to any of them, and you will never know who owns it. I can send my money between these 1000 addresses as much as I want, and all you will see in the ledger is money going from A to B to C, just like the rest of it.
This principle is all about mixing to "clean" bitcoins, but it doesn't provide strong anonymity properties (if all of the addresses you use for mixing are only used for mixing your bitcoins, you haven't improved your anonymity).
> Bitcoin network doesn't know any difference between me buying something on Overstock, or me sending the money to my brother across the globe, or to myself.
Other than the globally unique addresses, which can be used to tie together groups of transactions or owners of accounts.
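What "they do have unique identifiers" buys an analyst in practice, as an added example (written for this thread; not the code of any of the analysis startups mentioned above). The transactions are constructed, and the two techniques are the standard ones: addresses whose outputs are spent together as inputs of one transaction are assumed to belong to one wallet (the common-input-ownership heuristic), and coins are followed forward through outputs (taint tracing). Shuffling coins among a thousand of your own addresses does nothing against this if any two of them are ever co-spent, and one deposit to an identified address labels everything upstream of it.

```python
from collections import defaultdict, deque

# Constructed sample ledger: (inputs, outputs) per transaction, addresses as labels.
# A* is one user shuffling between fresh addresses; B* is an unrelated user.
SAMPLE_TXS = [
    (["A1"], ["A2", "A3"]),                # split into two fresh addresses
    (["A2", "A3"], ["A4"]),                # ...then co-spent: links A2 and A3
    (["A4"], ["A5", "A6"]),
    (["A5", "A6"], ["EXCHANGE_DEPOSIT"]),  # cash-out to an address with a known owner
    (["B1"], ["B2"]),                      # unrelated activity
]

class UnionFind:
    """Disjoint-set structure over address labels."""
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra

def cluster_by_cospend(txs):
    """Common-input-ownership heuristic: all inputs of one tx share an owner."""
    uf = UnionFind()
    for inputs, _ in txs:
        for addr in inputs:
            uf.union(inputs[0], addr)
    clusters = defaultdict(set)
    for inputs, outputs in txs:
        for addr in inputs + outputs:
            clusters[uf.find(addr)].add(addr)
    return [frozenset(c) for c in clusters.values()]

def cluster_of(txs, addr):
    """The co-spend cluster an address belongs to (a singleton if never co-spent)."""
    for c in cluster_by_cospend(txs):
        if addr in c:
            return c
    return frozenset({addr})

def trace_forward(txs, start):
    """Follow coins from `start` through every output they ever reach (taint tracing)."""
    spends = defaultdict(list)
    for inputs, outputs in txs:
        for addr in inputs:
            spends[addr].extend(outputs)
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in spends[queue.popleft()]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def linked_to_known(txs, start, known_addresses):
    """Which known-owner addresses the coins from `start` eventually land in."""
    return trace_forward(txs, start) & set(known_addresses)

if __name__ == "__main__":
    print(cluster_of(SAMPLE_TXS, "A2"))                     # {A2, A3}
    print(linked_to_known(SAMPLE_TXS, "A1", ["EXCHANGE_DEPOSIT"]))
```

Both techniques are heuristics with known failure modes. Co-spend clustering is exactly what CoinJoin-style mixing attacks, by building transactions whose inputs deliberately belong to different people; forward tracing overcounts, since it also follows coins to payees, so real tools weight by amount and prune. Change-output heuristics (which output of a split is the change) add more links on top of this and are omitted here.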
Steer clear, fellas. Steer clear.
(I genuinely have no idea, and I figure you can probably explain better than a Google search could.)
* He sold explosives on ebay back in the day, and went to prison for it.
* He renounced his US citizenship to avoid paying taxes...
* ...but was for some reason VERY annoyed when the US government wouldn't let him back in.
* Of course he funded Ross Ulbricht's defense in the Silkroad trial.
Mostly though, he is the subject of waaaay too many posts on /r/buttcoin. Who you take money from shows what kind of organization you want to build. ZCash is currently failing this test for me.