Hello, it's me again.

Upon re-reading the Zerocoin paper
(http://spar.isi.jhu.edu/~mgreen/ZerocoinOakland.pdf), I've noticed
the following:

When I mint a Zerocoin, I add my 'c' to the accumulator.
Accumulator state gets "checkpointed" at discrete intervals - possibly
every block, or so.

Now, let's say I've minted a zerocoin at blockheight N, and an
accumulator state that includes my 'c' has been checkpointed at
blockheight N+1.

Now, I wait for 100 blocks and spend my zerocoin, providing the relevant
proofs P and adding the relevant serial number to the list of numbers
spent. This happens at blockheight N+101.

For ease of experiment, I was the only person to mint at blockheight
N+1, and the only one to spend at blockheight N+101 (there were
some other mints at N+4 though).

Question:
Am I correct in thinking that an attacker can *NOT* gain information
regarding the blockheight at which my coin was minted by repeatedly
trying my (π,S) with different accumulator state checkpoints (which
come conveniently arranged in chronological order ;-) )?

Something like
"1) test this fine proof and this fine S against accumulator states
and mint set assembled from blocks from N-100 to N-50...
2) then try same against N-100 to N...
3) then, finally, try same against N-100 to N+1"

Would the last step yield anything informative?

Hope this makes sense and please pardon my ignorance...

Best wishes,
     Jane
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
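
The replay described in the question, as an added Python example that is not part of the original post or of the Zerocoin paper. It models only the RSA accumulator layer with a bare membership witness and a revealed coin value, not the zero-knowledge proof π; the modulus, base, coin primes and timeline (heights relative to N) are constructed for illustration.

```python
# Toy RSA accumulator (constructed parameters, far too small for real use).
MODULUS = 1019 * 1187      # product of two small safe primes
BASE = 4                   # a quadratic residue mod MODULUS

# Constructed timeline, heights relative to N: my coin enters at N+1,
# two unrelated coins at N+4; coins are represented by small primes.
MY_COIN = 101
MINTS = {1: [MY_COIN], 4: [103, 107]}
SPEND_HEIGHT = 101

def checkpoints(mints, last_height):
    """Accumulator value after each block: BASE^(product of coins so far)."""
    acc, out = BASE, {}
    for h in range(last_height + 1):
        for c in mints.get(h, []):
            acc = pow(acc, c, MODULUS)
        out[h] = acc
    return out

def witness(coin, mints, height):
    """BASE raised to every coin minted up to `height` except `coin`."""
    w = BASE
    for h in sorted(mints):
        if h <= height:
            for c in mints[h]:
                if c != coin:
                    w = pow(w, c, MODULUS)
    return w

def verifies(w, coin, acc):
    """Membership check: witness^coin must equal the accumulator value."""
    return pow(w, coin, MODULUS) == acc

def accepting_heights(w, coin, cps):
    """Replay one witness against every checkpoint in chronological order."""
    return [h for h, acc in cps.items() if verifies(w, coin, acc)]

CPS = checkpoints(MINTS, SPEND_HEIGHT)
W_SPEND = witness(MY_COIN, MINTS, SPEND_HEIGHT)  # computed for the N+101 state
W_EARLY = witness(MY_COIN, MINTS, 1)             # computed for the N+1 state

if __name__ == "__main__":
    spend_hits = accepting_heights(W_SPEND, MY_COIN, CPS)
    print("spend-time witness accepted at N+%d..N+%d" % (spend_hits[0], spend_hits[-1]))
    print("early witness accepted at", accepting_heights(W_EARLY, MY_COIN, CPS))
```

In this toy model a witness is accepted only by checkpoints whose value equals the one it was computed for, so the replay result tracks the checkpoint the witness was built against.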
