Also without having read the article, but having read the blog post by one of
the authors: as Ian G said, zerocoin appears to provide payment privacy and
public auditability while retaining the distributed setting.
However, publicly auditable payment privacy comes from the ZKP of non-set
membership (from the 1998 paper by Sander & Ta-Shma, which they reference
as well), plus bitcoin's hashcash computational-consensus-enforced distributed
model. So far I don't see something new other than assembling the two
parts. I commented on this list on this combined approach a few years back:
http://www.mail-archive.com/[email protected]/msg00781.html
My other comment then, which I don't know if zerocoin incorporated, was that
as the ZK non-set-membership proof (in the set of spent coins) is itself
expensive, maybe that work should be incorporated into the computational work
of the bitcoins. If one could successfully incorporate that work, the
work would be less of an issue as the miners would do it, and the mining
network has more power than the top 100 supercomputers combined (or so I
read!). However, it would be useful for individuals to easily have the power
to categorically verify from scratch that a given zerocoin is valid. Public
audit speed does matter.
Maybe they have some ZKP set-membership optimizations, and a concrete protocol
plus prototype implementation is the point.
Adam
On Sat, Apr 13, 2013 at 01:40:36AM +0300, ianG wrote:
Steve Bellovin posted this on another list, hattip to him.
http://www.forbes.com/sites/andygreenberg/2013/04/12/zerocoin-add-on-for-bitcoin-could-make-it-truly-anonymous-and-untraceable/
For those following Bitcoin this is news. Matthew Green writes:
For those who just want the TL;DR, here it is:
Zerocoin is a new cryptographic extension to Bitcoin that (if
adopted) would bring true cryptographic anonymity to Bitcoin. It
works at the protocol level and doesn't require new trusted parties
or services. With some engineering, it might (someday) turn Bitcoin
into a completely untraceable, anonymous electronic currency.
http://blog.cryptographyengineering.com/2013/04/zerocoin-making-bitcoin-anonymous.html
(iang adds:)
Bitcoin is pseudonymous but traceable, which is to say that all
transactions are traceable from identity to identity, but those
identities are pseudonyms, being (hashes of) public keys. This is
pretty weak. In contrast, Chaumian blinding was untraceable but
typically identified according to an issuer's regime. Because
Chaumian mathematics required a mint, this devolved to
trusted/identified, so again not as strong as some hoped.
Bitcoin fixed this 'flaw' by decorporating the mint into an
algorithm. This suggests a new axis of distributed. But Bitcoin
lost the untraceability in the process, thus rendering it a rather
ridiculous attempt at privacy, as the entire graph was on display.
Bitcoin is more or less worse at privacy than Chaumian cash ever was.
The holy grail in Chaumian times was untraceable & unidentifiable, to
which Bitcoin added distributed. This paper by Miers, Garman, Green
& Rubin suggests untraceable & pseudonymous & distributed is
possible:
http://spar.isi.jhu.edu/~mgreen/ZerocoinOakland.pdf
(I haven't as yet read the paper so there may be killer details in there.)
iang
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
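Added example, not part of the thread and not zerocoin's code: a toy RSA-accumulator ledger in Python showing the two checks a zerocoin-style spend must pass, membership of the coin in the accumulated set and absence of its serial number from the spent list. It deliberately omits the zero-knowledge layer that the paper and Adam's message are about, so here the spender reveals the coin commitment and the spend is linkable to the mint; the point is to show what the ZK proof has to establish, and why a witness computed at mint time must be updated as later coins are accumulated. The modulus (product of two well-known primes), the base G, the hash-based commitment and all serials and randomness are assumptions constructed for the example; a real accumulator needs an RSA modulus of unknown factorisation and accumulates primes.

```python
"""Toy accumulator-based coin ledger (constructed example, no zero-knowledge).

Assumptions made for this illustration:
  * N is the product of two publicly known primes.  A real RSA accumulator
    needs a modulus whose factorisation nobody knows (the trusted-setup issue).
  * Coins are hashed into odd integers.  Zerocoin commits with a Pedersen
    commitment and accumulates primes; hashing keeps this example short.
  * The spender reveals (serial, r), so this ledger is NOT private.  The ZK
    proof in zerocoin replaces exactly the reveal done in Ledger.spend().
"""
import hashlib

P = 1_000_000_007          # assumed prime
Q = 998_244_353            # assumed prime
N = P * Q                  # toy accumulator modulus
G = 3                      # accumulator base


def commit(serial: int, r: int) -> int:
    """Toy coin commitment: SHA-256 of (serial, randomness), forced odd."""
    h = hashlib.sha256(f"{serial}:{r}".encode()).digest()
    return int.from_bytes(h, "big") | 1


class Ledger:
    """Public state every verifier holds: accumulator, coin list, spent serials."""

    def __init__(self) -> None:
        self.acc = G
        self.coins: list[int] = []
        self.spent: set[int] = set()

    def mint(self, c: int) -> None:
        # acc = G ** (product of all minted coins) mod N, built incrementally
        self.acc = pow(self.acc, c, N)
        self.coins.append(c)

    def witness(self, c: int) -> int:
        """Membership witness for coin c: G raised to the product of all OTHER
        coins.  Anyone can compute it from the public coin list."""
        w = G
        for other in self.coins:
            if other != c:
                w = pow(w, other, N)
        return w

    def spend(self, serial: int, r: int, w: int) -> str:
        """The two checks a spend must pass.  In zerocoin the first check is
        done in zero knowledge so that c itself is never revealed."""
        c = commit(serial, r)
        if pow(w, c, N) != self.acc:
            return "rejected: not in accumulator"
        if serial in self.spent:
            return "rejected: serial already spent"
        self.spent.add(serial)
        return "accepted"


def update_witness(w: int, new_coin: int) -> int:
    """A witness computed earlier goes stale when a new coin is accumulated;
    it is refreshed by raising it to the new coin, exactly as acc was."""
    return pow(w, new_coin, N)


def demo() -> list[str]:
    ledger = Ledger()
    s1, r1 = 1001, 424242          # constructed serial and randomness
    s2, r2 = 1002, 717171
    c1, c2 = commit(s1, r1), commit(s2, r2)

    ledger.mint(c1)
    w1_stale = ledger.witness(c1)  # computed before c2 exists
    ledger.mint(c2)
    w1 = update_witness(w1_stale, c2)
    assert w1 == ledger.witness(c1)

    results = [
        ledger.spend(s1, r1, w1),          # valid coin, fresh witness
        ledger.spend(s1, r1, w1),          # same serial again: double spend
        ledger.spend(s2, r2, w1_stale),    # wrong/stale witness for c2
    ]
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Note that `witness()` walks the whole public coin list, and a verifier who wants to check a spend "from scratch" must at least recompute `acc` the same way; that linear cost is the audit-speed concern raised above, and the ZK proof that replaces the plaintext reveal in `spend()` is the expensive part Adam suggests pushing onto miners.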