While the CRS ZK-SNARK stuff used for ZeroCash is very exciting technology, the cryptographic assumptions are very new and kinda sketchy. The fact that there is a trusted initialization is unfortunate, especially since compromise of the initialization results in unbounded and undetectable inflation (well I suppose you can detect it once a single altruist ends up with more coins than ought to exist!). ... though it has implications which go far beyond transaction anonymity.
The Bytecoin approach is based on much simpler cryptography— a Schnorr ring signature in the curve25519 group. The anonymity it provides is theoretically more limited— sort of like a CoinJoin where even offline people or even already spent coins can be joined with you—, but because it doesn't require gigabytes of signing keys or tens of seconds of computation to sign it might be more anonymous in practice just due to being easier to use. (Oh yeah, and did I mention, it's already in use so at the moment it's infinitely more private! :) )
So far all of these anonymous systems have a number of interesting limitations in common. For example, none of them support any kind of pruning so a verifying node has state that grows forever— as compared to Bitcoin where if you're just verifying new blocks (as opposed to helping initialize new peers) you can forget the old state... e.g. right now a Bitcoin full verifier technically only needs about 300MBytes of storage. So this privacy stuff comes at a rather extreme cost. I've suggested some ways to improve this (basically expiring old coins), but they reduce the anonymity set and have some usability tradeoffs.
In any case, it's certainly better to see things like ZeroCash and Bytecoin being worked on... I'm really skeptical about the wisdom of splitting up the crypto-currency adoption network effect just to introduce some new transaction features. But certainly doing it with substantive new features is way better than just-another-worthless-clone. ... especially when there is running code and not merely a whitepaper. :)
>I'm really skeptical about the wisdom of splitting up the crypto-currency adoption network effect just to introduce some new transaction features.
As someone who's been working on cryptocurrencies, I think that most of the Internet of Tomorrow is going to be driven by a set of cryptocurrencies that all do different things, following some of the primary principles of Unix. Storage and computation, for example, are services that I think will eventually find homes in cryptocurrency. Already you see things like MaidSAFE and Ethereum attacking these problems. But you also have problems that need to be solved like DNS routing, public random numbers, and time synchronization, where the modern solution involves centralized services.
Right now, there's not much that allows cryptocurrencies to communicate, but that's quickly changing and should move forward much more in the next 5 years. Merge mining, colored coins, and decentralized inter-currency exchanges are just the beginning.
There are a lot of problems that cryptocurrency has the potential to solve, and I think it's foolish to hope that a single cryptocurrency will effectively solve all of them. But I also don't think that having 12 or 200 different cryptocurrencies means that any individual currency needs to be made weaker. Merge-mining is a good start, but I think that inter-currency cooperation and protection will continue to get better.
Can you really say that Zerocoin was the first of its kind when it still doesn't actually exist? There is a crypto library that implements the blind accumulator, but that's it. Not a usable system. Bytecoin and CoinJoins are things you can use today.
The anonymity offered by systems that exist is inherently better than that offered by ones that don't exist, I think. :) The Bytecoin anonymity is better than Zerocoin's too, even ignoring the whole existence part.
(FWIW, I (and others) were posting about CoinJoin a long time before Zerocoin was a twinkle in anyone's eye. But the sudden popularity of Zerocoin made me realize that I needed to attach a compact and snazzy _name_ to the idea if I wanted people to pick it up and run with it. Doing so appears to have been a pretty massive success. ... I worry a lot about people paying too much attention to someday-ware and as a result not going out and building things that we can use sooner than someday.)
> As someone who's been working on cryptocurrencies, I think that most of the Internet of Tomorrow is going to be driven by a set of cryptocurrencies that all do different things, following some of the primary principles of Unix
Well, what do I know. ::shrugs::
To me "driven by a set of cryptocurrencies that all do different things" doesn't sound like Unix; it sounds like saying that "in the future computer communications will be enabled by orthogonal networks that each do different things".
I think currencies, just like communications networks, benefit from Metcalfe's law... So it seems silly to me to artificially divide up the world into separate currencies just to get different transaction features. It's technically unnecessary. There is, I think, an argument for dividing things up for different economic approaches— e.g. Freicoin's inflationary currency— but for transactional purposes, it just isn't necessary. You can have one cryptocurrency being used on many different transaction networks (including decentralized ones). And I think that if in the future these things continue to be used at all, we'll find ways to not create artificial friction where it can be avoided.
Well, if you consider ntp to be one network, and the dns system to be a separate network, and the CA system to be a separate network, that statement seems to hold pretty well to today's internet. I'm not sure if you were disagreeing with my statement.
>So it seems silly to me to artificially divide up the world into separate currencies just to get different transaction features.
Just as you can have one cryptocurrency being used on many transaction networks, you can have one transaction network that uses many cryptocurrencies. Just like the ntp/dns analogy, just because Bitcoin and Ethereum are separate systems doesn't mean that I can't actively use each for what it's most useful for. Each can still benefit from the users of the other.
Do you realize you are talking to a Bitcoin core dev? lol...
"Least costly" here does factor in convenience.
You can have a case where there is no clear winner---e.g. one type of exchange is harder to use, BUT more private.
So in summary, there is likely to be one predominant cryptocurrency, and at best maybe one or two others that offer nice things (e.g. more privacy) but at an additional cost.
If one cryptocurrency can offer all commonly-wanted useful features, it will strictly dominate all the others and drive them out.
That said, there are many, many potential uses for _blockchain technology_, such as storage and computation.
Bytecoin is literally a direct copy of the Bitcoin code. Minus their recent change to the unproven (non peer-reviewed) curve25519 algorithm. It's basically a scrypt altcoin with an even lesser-tested algorithm at its base.
Zerocash/Zerocoin is far from that reality.
Bytecoin has done literally nothing besides change the hashing algorithm; Zerocash is an entirely new beast altogether.
See here for proof of calling out curve25519 vs scrypt http://www.google.com/trends/explore#q=curve25519%2C%20scryp... (when scrypt isn't even really an improvement upon Bitcoin).
Bytecoin is a ground-up rewrite (for better or worse) blockchain cryptocurrency which uses a pretty boring Schnorr-like ring signature in a _very_ clever way to achieve strong privacy. The ring signature it's using has been peer reviewed, though the partial uncloaking technique they use to prevent double spending is a novel application.
(And come on, I'm not usually one to lean on authority— but you ought to believe /me/ when I say it's not copying Bitcoin and that it's doing something very useful and interesting for cryptographic privacy)
The privacy achieved by Bytecoin is better than any existing-in-production privacy tools (e.g. CoinJoin) and also as good as or better than every theoretical system I've heard proposed except for Zerocash. Relative to ZeroCash, Bytecoin exists today and has simpler cryptographic assumptions, better performance for signers, and no requirement for trusted initialization. Because it doesn't mask values, its anonymity set is potentially smaller, though the implementation does some clever denomination tricks to reduce the harm of value transparency.
The reason I included a hyperlink instead of just speaking comparatively was so that you wouldn't have to suffer from any confusion on the matter. :)
Kinda sad that with all the worthless clonecoin and whitepapercoin pumping people are missing the few bits of real innovation that are getting created, enh? Don't you agree, sir_doge_alot? :P
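Added example (not code from this thread, from Bytecoin, or from CryptoNote): a linkable ring signature of the kind the comment above describes, in Python over the Ed25519 group as a stand-in for "the curve25519 group" mentioned earlier in the thread. It shows the two properties the Bytecoin/CoinJoin comparison turns on: any of the n listed public keys could have produced the signature and their owners never participate (the "offline people and already spent coins" point), yet the key image I = x*Hp(P) is fixed per secret key, so a second spend of the same output is detectable without revealing which ring member spent (the "partial uncloaking" that prevents double spending). The try-and-increment hash-to-point, the SHA-512 scalar hashing and the helper names are assumptions for this example, simplified relative to the real CryptoNote construction; the arithmetic is variable-time pure Python, for illustration only.

```python
import hashlib
import secrets

# Ed25519 parameters; a stand-in (assumption) for "the curve25519 group" in the thread.
P = 2**255 - 19                                        # field prime
L = 2**252 + 27742317777372353535851937790883648493    # order of the base point
D = -121665 * pow(121666, -1, P) % P                   # twisted Edwards constant
I = pow(2, (P - 1) // 4, P)                            # sqrt(-1) mod P
IDENT = (0, 1)                                         # neutral element

def _xrecover(y):
    """Even x with -x^2 + y^2 = 1 + D*x^2*y^2, or None if no such x exists."""
    xx = (y * y - 1) * pow(D * y * y + 1, -1, P) % P
    x = pow(xx, (P + 3) // 8, P)
    if (x * x - xx) % P:
        x = x * I % P
    if (x * x - xx) % P:
        return None
    return P - x if x & 1 else x

def _add(a, b):
    (x1, y1), (x2, y2) = a, b
    t = D * x1 * x2 * y1 * y2 % P
    return ((x1 * y2 + x2 * y1) * pow(1 + t, -1, P) % P,
            (y1 * y2 + x1 * x2) * pow(1 - t, -1, P) % P)

def _mul(k, pt):
    """Double-and-add scalar multiplication (variable time: illustration only)."""
    acc = IDENT
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt = _add(pt, pt)
        k >>= 1
    return acc

_BY = 4 * pow(5, -1, P) % P
G = (_xrecover(_BY), _BY)                              # standard base point

def _enc(pt):
    """Compressed 32-byte encoding: y with the parity of x in the top bit."""
    return (pt[1] | (pt[0] & 1) << 255).to_bytes(32, "little")

def _hash_scalar(*parts):
    return int.from_bytes(hashlib.sha512(b"".join(parts)).digest(), "little") % L

def _hash_point(pt):
    """Try-and-increment hash-to-curve (simplified vs. CryptoNote's): nobody
    knows log_G of the result, which is what keeps the key image unlinkable."""
    ctr = 0
    while True:
        h = hashlib.sha512(_enc(pt) + ctr.to_bytes(4, "little")).digest()
        y = int.from_bytes(h, "little") % P
        x = _xrecover(y)
        if x is not None:
            cand = _mul(8, (x, y))                     # clear the cofactor
            if cand != IDENT:
                return cand
        ctr += 1

def keygen():
    x = secrets.randbelow(L - 1) + 1
    return x, _mul(x, G)

def key_image(x, pub):
    """I = x*Hp(P): fixed per secret key, so two spends of one output share it."""
    return _mul(x, _hash_point(pub))

def sign(msg, ring, x, s):
    """Sign with secret x where ring[s] == x*G; the other members stay passive."""
    n = len(ring)
    img = key_image(x, ring[s])
    prefix = msg + _enc(img) + b"".join(_enc(p) for p in ring)
    c, r = [0] * n, [secrets.randbelow(L) for _ in range(n)]
    alpha = secrets.randbelow(L - 1) + 1
    # Open the ring at the signer's slot with a fresh nonce, ...
    c[(s + 1) % n] = _hash_scalar(prefix, _enc(_mul(alpha, G)),
                                  _enc(_mul(alpha, _hash_point(ring[s]))))
    for k in range(1, n):                              # ... simulate every other slot ...
        i = (s + k) % n
        Li = _add(_mul(r[i], G), _mul(c[i], ring[i]))
        Ri = _add(_mul(r[i], _hash_point(ring[i])), _mul(c[i], img))
        c[(i + 1) % n] = _hash_scalar(prefix, _enc(Li), _enc(Ri))
    r[s] = (alpha - c[s] * x) % L                      # ... and close it with the secret key.
    return img, c[0], r

def verify(msg, ring, sig):
    img, c0, r = sig
    if len(r) != len(ring) or _mul(L, img) != IDENT:   # reject small-subgroup key images
        return False
    prefix = msg + _enc(img) + b"".join(_enc(p) for p in ring)
    c = c0
    for i, pub in enumerate(ring):
        Li = _add(_mul(r[i], G), _mul(c, pub))
        Ri = _add(_mul(r[i], _hash_point(pub)), _mul(c, img))
        c = _hash_scalar(prefix, _enc(Li), _enc(Ri))
    return c == c0
```

A verifier reads the key image out of the signature and, in a real system, checks it against the set of images already seen on chain; two valid signatures from the same secret key produce the same image whatever the message or ring, while a signature from a different key (even in the same ring position) produces a different one. Note that this is exactly why the values stay visible: the ring hides the signer, not the amount.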
> See here for proof of calling out curve25519 vs scrypt http://www.google.com/trends/explore#q=curve25519%2C%20scryp.... (when scrypt isn't even really an improvement upon Bitcoin).
I have no idea why you're comparing an elliptic curve group with a crappy proof of work algorithm, so here is a bunny with a pancake on its head: http://www.upsidedownguild.com/wp-content/uploads/2013/12/pa...
I was assuming the entire time that "bytecoin" was referring to the group that literally copied the bitcoin sourcecode entirely, and left it at that.
What is "the new bytecoin" then that you are supposedly referring to?
It seems very naive of the "new bytecoin team" to adopt a name that has been associated with fraudulent activity in the past.
I still rest behind my case.
I have not invested a single penny in bytecoin and probably never will.
Do they have professional cryptographers working on and vouching for their source code like zerocash? Please, inform me.
I beg of you to tell me the next great crypto currency to invest in. But for now, I am investing most of my diversification fund into zerocoin.
Comparing cryptographic primitives by a Google publicity count is completely nonsensical. They serve disjoint applications: curve25519 is a mathematical group for protocols like Diffie-Hellman etc., while scrypt is a guaranteed-to-be-slow hash function.
> unproven (non peer-reviewed) curve25519 algorithm
curve25519 was published by the renowned cryptographer Dan Bernstein in "Lecture Notes in Computer Science" ( http://link.springer.com/chapter/10.1007/11745853_14 ) and according to Google Scholar it has 114 citations. On its Wikipedia page you could have found out that it is extensively used by Apple in iOS: https://www.apple.com/iphone/business/docs/iOS_Security_Feb1... . It's probably going to be one of the major groups used for ECDH (elliptic curve Diffie-Hellman - the stuff you need for fast perfect forward secrecy) in TLS 1.3, and some even argue to ditch all the NIST curves in its favor.
I'd appreciate if you would do a minimum amount of research before you dismiss widely accepted cryptographic primitives just because you haven't heard of them before.