>From what I have read, and as far as I have understood it, your zero-knowledge proofs are linked to a specific "state" of your choice. In other words, you prove that your Zerocoin mint was one of a certain set of Zerocoin mints. One can ONLY test the zero-knowledge proof against that set (since you generated the zero-knowledge proof with a specific accumulator in the blockchain). So one can't test it against each individual Zerocoin mint.
This might be incorrect, but I *think* it's how it works. 2013/5/15 Jane <th...@angels.la> > Hello, it's me again. > > Upon re-reading Zerocoin paper ( > http://spar.isi.jhu.edu/~mgreen/ZerocoinOakland.pdf ), I've noticed > the following: > > When I mint a Zerocoin, I add my 'c' to the accumulator. > Accumulator state gets "checkpointed" at discrete intervals - possibly > every block, or so. > > Now, let's say I've minted a zerocoin at blockheight N, and an > accumulator state that includes my 'c' has been checkpointed at > blockheight N+1 > > Now, I wait for 100 blocks and spend my zerocoin, providing relevant > proofs P and adding relevant serial number to the list of numbers > spent. This happens at blockheight N+101 > > For ease of experiment, I was the only person to mint at blockheight > N+1, and the only one to spend at blockheight N+101, (there were > some other mints at N+4 though) > > Question: > Am I correct in thinking that attacker can *NOT* gain information > regarding the blockheight at which my coin was minted by repeatedly > trying my (π,S) with different accumulator state checkpoints (which > come conveniently arranged in chronological order ;-) ) ? > > Something like > "1) test this fine proof and this fine S against accumulator states > and mint set assembled from blocks from N-100 to N-50... > 2) then try same against N-100 to N... > 3) then, finally, try same against N-100 to N+1" > > Would the last step yield anything informative ? > > Hope this makes sense and please pardon my ignorance... > > Best wishes, > Jane > _______________________________________________ > cryptography mailing list > cryptography@randombit.net > http://lists.randombit.net/mailman/listinfo/cryptography >
_______________________________________________ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography