Zerocash: Decentralized anonymous payments from Bitcoin | the morning paper


The Bytecoin approach is based on much simpler cryptography— a Schnorr ring signature in the curve group. Oh btw, you're talking to Jesus.

Thread starter: evo. Start date: May 5th. Tags: bitcoin, decentralized anonymous payments, zerocash, electronic cash, whitepaper, zcash, zero knowledge.



There's the potential for coin validation in regular bitcoin, and once there's technical potential, it can become mandated.

I was assuming the entire time that "bytecoin" was referring to the group that literally copied the bitcoin sourcecode entirely, and left it at that.

CoinJoin and also as good as or better than every theoretical system I've heard proposed except for Zerocash.

I'm not sure if you were disagreeing with my statement.



Doing so appears to have been a pretty massive success.

So Ben-Sasson et al.


Zcash Whitepaper - Decentralized Anonymous Payments from Bitcoin | Cryptocurrency Forum

Zerocash: Decentralized Anonymous Payments from Bitcoin

Secondly, we get a 6-step gradual build-up (section 1). A DAP is built on top of an underlying append-only ledger-based currency such as Bitcoin; call it the Basecoin. The ledger includes Basecoin transactions, as well as two new types of transactions, mint transactions and pour transactions. Users of the scheme generate at least one address key pair, with a public key enabling others to direct payments to the user, and a secret key used to send payments.

Coins are of course just data objects. Coins may have other attributes, but these are implementation details of particular DAP instantiations. A mint transaction records that a coin with a given commitment and value has been minted.

More on these later. A DAP guarantees a number of security properties (see section 3). The succinct property means that proofs are short and easy to verify. We are interested in zk-SNARKs for arithmetic circuit satisfiability, and the most efficient ones for this language are based on quadratic arithmetic programs; such constructions provide a linear-time KeyGen, quasilinear-time Prove, and linear-time Verify.

This allows the DAP scheme implementation to be practical for deployment, as our experiments show. You can find the Zerocash project online at http: The protocol is now being developed into a full digital currency, called Zcash:

A decentralised anonymous payment (DAP) scheme

There are two nice constructions in the paper that help to tame some of the complexity.

A coin c has the following attributes:
- A coin commitment, which is a string that appears on the ledger once the coin is minted.
- A coin value, measured in basecoins. This is an integer between 0 and some system maximum.
- A coin serial number, a unique string associated with the coin, used to prevent double spending.
- A coin address, an address public key, representing the owner of c.

Coins may have other attributes, but these are implementation details of particular DAP instantiations.

Given this setup, a DAP scheme comprises 6 abstract operations:
- Setup is a one-time operation executed by a trusted party to initialise the system and publish its public parameters. After this setup no trusted party is needed and no global secrets or trapdoors are kept.
- CreateAddress generates a new address key pair.
- Mint generates a coin of a given value and a mint transaction.
- Pour transfers value from input coins to new output coins, marking the input coins as consumed.
- VerifyTransaction checks the validity of a transaction.
- Receive scans the ledger and retrieves unspent coins paid to a particular address.
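The Mint, Pour and VerifyTransaction operations above, as an added example in Python that is not code from the paper or from the Zcash project. Every name, the commitment layout (a hash of the address public key, the value, a secret rho and randomness r), the serial-number derivation (a hash of the address secret key and rho) and the Merkle tree padding rule are my assumptions. The zk-SNARK is replaced by a plain `witness` that the verifier inspects directly, so the block shows which relations a pour proof has to establish (membership of the spent commitment in the ledger's hash tree, ownership, correct serial number, value conservation, no reuse of a serial number), not how they are proved in zero knowledge; a real verifier never sees these secrets.

```python
import hashlib
import os
from dataclasses import dataclass

# Added toy model of the DAP operations (CreateAddress, Mint, Pour, VerifyTransaction).
# Commitment layout, serial-number derivation and all names are assumptions for
# illustration, not the paper's constructions. The "witness" carried in a pour stands
# in for the zk-SNARK: a real verifier sees a short proof, never these secrets.

def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"|".join(parts)).digest()

def create_address() -> tuple[bytes, bytes]:  # CreateAddress: (ask, apk); apk = H(ask) is an assumption
    ask = os.urandom(32)
    return ask, H(b"apk", ask)

@dataclass(frozen=True)
class Coin:
    apk: bytes   # owner's address public key
    v: int       # value in basecoins
    rho: bytes   # secret from which the serial number is derived
    r: bytes     # commitment randomness
    def cm(self) -> bytes:  # coin commitment: the only part of the coin published on the ledger
        return H(b"cm", self.apk, self.v.to_bytes(8, "big"), self.rho, self.r)

def serial_number(ask: bytes, rho: bytes) -> bytes:  # unique per coin, unlinkable to cm without rho
    return H(b"sn", ask, rho)

def merkle_path(leaves: list[bytes], idx: int) -> list[tuple[bytes, bool]]:
    """log2-sized fragment: sibling hashes from leaf to root; the flag marks a left sibling."""
    path, level = [], (list(leaves) or [H(b"empty")])
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])            # odd level: duplicate the last node
        path.append((level[idx ^ 1], (idx ^ 1) < idx))
        level, idx = [H(level[i], level[i + 1]) for i in range(0, len(level), 2)], idx // 2
    return path

def root_from(leaf: bytes, path: list[tuple[bytes, bool]]) -> bytes:
    for sib, sib_left in path:
        leaf = H(sib, leaf) if sib_left else H(leaf, sib)
    return leaf

def merkle_root(leaves: list[bytes]) -> bytes:
    leaves = list(leaves) or [H(b"empty")]
    return root_from(leaves[0], merkle_path(leaves, 0))

class Ledger:
    def __init__(self) -> None:
        self.cms: list[bytes] = []                  # commitments in order of appearance
        self.spent: set[bytes] = set()              # serial numbers revealed by pours
        self.roots: set[bytes] = {merkle_root([])}  # every root the ledger has had
    def append(self, cms: list[bytes]) -> None:
        self.cms.extend(cms)
        self.roots.add(merkle_root(self.cms))

def mint(ledger: Ledger, apk: bytes, v: int) -> Coin:  # Mint: the mint tx reveals v; pours do not
    coin = Coin(apk, v, os.urandom(32), os.urandom(32))
    ledger.append([coin.cm()])
    return coin

def pour(ledger: Ledger, ask: bytes, inputs: list[Coin], outputs: list[tuple[bytes, int]]) -> dict:
    """Pour: consume `inputs` (owned by ask), create fresh coins for the (apk, value) pairs."""
    new = [Coin(apk, v, os.urandom(32), os.urandom(32)) for apk, v in outputs]
    paths = [merkle_path(ledger.cms, ledger.cms.index(c.cm())) for c in inputs]
    return {"root": merkle_root(ledger.cms), "sns": [serial_number(ask, c.rho) for c in inputs],
            "new_cms": [c.cm() for c in new],
            "witness": {"ask": ask, "inputs": inputs, "paths": paths, "outputs": new}}

def verify_pour(ledger: Ledger, tx: dict) -> tuple[bool, str]:
    """VerifyTransaction: the relations the circuit enforces, plus the double-spend check."""
    w = tx["witness"]
    if tx["root"] not in ledger.roots:
        return False, "unknown ledger root"
    for coin, path, sn in zip(w["inputs"], w["paths"], tx["sns"]):
        if coin.apk != H(b"apk", w["ask"]):
            return False, "spender does not own the coin"
        if root_from(coin.cm(), path) != tx["root"]:
            return False, "commitment not in the ledger tree"
        if serial_number(w["ask"], coin.rho) != sn:
            return False, "serial number does not match the coin"
        if sn in ledger.spent:
            return False, "serial number already spent"
    if [c.cm() for c in w["outputs"]] != tx["new_cms"]:
        return False, "output commitment mismatch"
    if sum(c.v for c in w["inputs"]) != sum(c.v for c in w["outputs"]):
        return False, "values do not balance"
    return True, "ok"

def apply_pour(ledger: Ledger, tx: dict) -> tuple[bool, str]:
    ok, why = verify_pour(ledger, tx)
    if ok:
        ledger.spent.update(tx["sns"])   # the network remembers serial numbers, not which coin they came from
        ledger.append(tx["new_cms"])
    return ok, why

def demo() -> tuple:
    """Mint 7 to Alice, pour 4 to Bob and 3 back to Alice, then replay the same pour."""
    ledger = Ledger()
    alice_sk, alice_pk = create_address()
    _, bob_pk = create_address()
    coin = mint(ledger, alice_pk, 7)
    tx = pour(ledger, alice_sk, [coin], [(bob_pk, 4), (alice_pk, 3)])
    return apply_pour(ledger, tx), apply_pour(ledger, tx), len(ledger.cms)
```

`demo()` returns `(True, "ok")` for the first pour, `(False, "serial number already spent")` for the replay, and a ledger holding three commitments. The ledger keeps every historical root so that a pour prepared against an older tree still verifies, which is why the replay fails on the serial number rather than on the root.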

Building up an intuition (Section 1)

The simplest base system provides for user anonymity using fixed value e.

It's certainly not the first time that I've posted about something technical where some altcoin then popped up with it as a sales feature on its whitepaper without even bothering to implement it.

If you're going to do something incompatible at the protocol much better can be done— as shown in practice by Bytecoin, or in theory in ZeroCash and ZeroCoin. CoinJoin isn't the be all end all of transaction privacy, but at least you don't have to switch currencies or convince people to deploy improvements to Bitcoin in order to make use of it.

One of them is an academic paper and the other has a website that mostly consists of "coming soon" pages. Darkcoin has actually implemented a lot of new code. They have an advanced form of decentralized coinjoin called darksend mixed with a system of masternodes which share the block reward as a sort of proof of service.

Additionally coins in masternodes are removed from circulation, allowing a sort of positive feedback loop as far as price goes. Darkcoin V2 is also adding ring signatures mixed in with the masternode system so I'll see how that works when it gets released.

Can someone explain how this works to a non-mathematician?

Do you want to know what the results are, or how it works? The results are essentially that a central party can pool together an arbitrary number of bitcoins, then issue a derivative instrument against that pool.

Those derivative instruments can be constantly recreated, so they're not maintaining any history or linkability. Once you receive one, you can also redeem it, destroying it, and claim an equivalent value of bitcoin, which is removed from the pool. Except there is no "central party", except at the initiation of the system; you can build it so the central party creates parameters but doesn't save anything, so he's just a normal participant after that, and can disappear.

How it works is a bit more complex; it involves zero knowledge proofs about the derivative instruments. This is sufficiently advanced crypto that it will be a burden to anyone trying to understand it. The super-simplified explanation I would give is that it lets you encrypt the content of your transactions and prove just enough properties about the encrypted data so that the network can tell that the transactions are valid without actually revealing any of the private specifics.

The math and crypto are fairly straight-forward, dunno why you're telling people they can't understand it. I'm curious about implementation, though. Most derivatives have a cost of carry built-in and this doesn't. It also doesn't work unless you convert your bitcoin immediately; the blockchain doesn't forget.

Check out [1] for a better explanation. Specifically, page 2 has a nice description. It's been a while since I read about it, so the method may have changed (or I may be misremembering), but here is my understanding: Every zerocoin has a secret key associated with it that only the creator of said zerocoin knows.

Using a cryptographic primitive called a zero knowledge proof, it is possible for someone to prove that they know the secret without revealing the secret itself. There is another cryptographic primitive called an accumulator, which represents the set of all zerocoins that have been created.

It is possible to prove that you know the secret of some zerocoin within this set, without revealing which zerocoin it is. It is further possible to prove that the zerocoin you know is different from all of the other zerocoins which have been claimed in this manner. To 'transfer' a zerocoin from party A to B, party B generates a new zerocoin, and sends the public details to A, keeping the secret to itself.

Party A then uses the above mechanism to show that it has an unspent zerocoin, and spends that coin to insert B's coin into the accumulator. Similarly, A could spend a normal bitcoin to do so, or do anything else that would convince the network that A has the right to insert a zerocoin into the accumulator.
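The accumulator half of that explanation, as an added Python example that is not code from the Zerocoin project: an RSA-style one-way accumulator in which each coin is mapped to a prime, the accumulator is a fixed base raised to the product of all coin primes, and a membership witness for one coin is the base raised to the product of all the others. The modulus is a product of two known small primes so the script runs instantly, which makes it a toy: a real deployment needs a modulus whose factorisation nobody knows. Hash-to-prime and every name here are assumptions. The `verify` function shows the coin and witness in the clear; Zerocoin's contribution is to prove knowledge of such a (coin, witness) pair in zero knowledge, which this block does not attempt.

```python
import hashlib

# Added toy RSA accumulator in the style of Zerocoin's one-way accumulator.
# N is a product of two KNOWN primes, chosen so the demo runs instantly; that
# is insecure, since anyone who can factor N can forge witnesses. Hash-to-prime
# and the names below are assumptions, not Zerocoin's exact encoding.

N = 1000000007 * 998244353   # toy modulus (factorisation public, so NOT secure)
G = 3                        # accumulator base

def _is_prime(n: int) -> bool:
    if n < 2:
        return False
    return all(n % d for d in range(2, int(n ** 0.5) + 1))

def coin_to_prime(serial: bytes) -> int:
    """Map a coin's public serial to an odd prime so that accumulation is exponentiation."""
    x = int.from_bytes(hashlib.sha256(serial).digest()[:4], "big") | 1
    while not _is_prime(x):
        x += 2
    return x

def accumulate(coins: list[int]) -> int:
    """A = G^(product of all coin primes) mod N: one fixed-size value for the whole set."""
    acc = G
    for c in coins:
        acc = pow(acc, c, N)
    return acc

def witness(coins: list[int], mine: int) -> int:
    """Membership witness for `mine`: G raised to the product of every other coin."""
    return accumulate([c for c in coins if c != mine])

def verify(acc: int, w: int, c: int) -> bool:
    """w^c == A shows c is in the accumulated set without revealing the rest of the set."""
    return pow(w, c, N) == acc

def update_witness(w: int, newly_minted: int) -> int:
    """When another coin is minted, an old witness stays valid once raised to the new prime."""
    return pow(w, newly_minted, N)

def demo() -> dict:
    """Constructed sample: four minted coins, a fifth minted later, and one never-minted coin."""
    coins = [coin_to_prime(f"coin-{i}".encode()) for i in range(4)]
    acc = accumulate(coins)
    w1 = witness(coins, coins[1])
    fifth = coin_to_prime(b"coin-4")
    acc2 = accumulate(coins + [fifth])
    return {
        "member": verify(acc, w1, coins[1]),                          # True
        "wrong_coin": verify(acc, w1, coins[2]),                      # witness is for coin 1 only
        "outsider": verify(acc, w1, coin_to_prime(b"not-minted")),    # never accumulated
        "after_update": verify(acc2, update_witness(w1, fifth), coins[1]),
        "stale_witness": verify(acc2, w1, coins[1]),                  # old witness, new accumulator
    }
```

Two properties matter for the spend mechanism described above: the accumulator stays the same size however many coins go in, and a witness can be refreshed locally as new coins are minted (`update_witness`), so the network only has to publish the current accumulator value.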

You were doing so well until "crystallographic primitive"! The rest is a lot clearer.

Probably; that's the first result I got when googling "crystallographic primitive". My comment problem makes more sense reading it as "cryptographic primitive". Unfortunately, primitive cells seem mathy enough to be plausibly related to cryptography for that to be a confusing mistake, especially given the existence of lattice based cryptography.

I haven't thoroughly read the OP, but from the little bit I have read, it looks like they refer to the currency of Zerocash as zerocoins (the uppercase on Zerocash and lowercase on Zerocoin come from the paper), and the OP seems to be by the same authors. Did they just improve the underlying crypto, or is there a more high level change involved?

It's a radically different approach. Zerocoin basically implemented a decentralized 'mix' via a blind accumulator. Zerocash uses zero knowledge proofs of execution for general computation so that basically all properties of a coin can be completely blinded.

In ZeroCoin, coins— all of equal denomination— go into a bag (one bag per denomination), and coins come out of the bag and you can't tell which was which (except, of course, it can't come out until after it's gone in). In Zerocash it's more like everything is completely encrypted, even the values; the network knows that it's all valid due to zero knowledge proofs, but only the transaction participants know any of the details of the transactions at all.

That would be very difficult, and I'm sure will prove to be a major deterring factor in the early adoption of this new currency. Their old "zerocoin" project website had a neat infographic depicting its simplified usage:

Sure, if you're willing to let me blackbox away the worst of the complexity. There exists a special execution environment where you can run a program with some inputs known to the public and other inputs that are secret and only known to you.

As a result of the properties of this execution environment the output of the program comes along with a compact (constant size, regardless of the program!) proof. If you're willing to accept that much, the rest is simple. If not— well, the math to make those proofs efficient is really N levels deep of really gnarly abstract algebra and cryptographic assumptions. I've never seen a strong explanation which is adequate for an ordinary mathematician (as opposed to one who is expert in the relevant subfields), much less Joe-HNer.

If even the idea that someone can prove the validity of execution in zero knowledge seems incredible to you, before we start talking about small proofs, then maybe I can help there: I came up with a toy (not proven secure) example system for this that doesn't require more math than accepting that one way functions function, and some simple statistical reasoning, to follow: I created this not as something for people to use, but because if I want people to start engineering systems that make use of this technology I must first remove it from the realm of unbelievable magic.

In any case, given that we've got this magical proof producing execution environment the rest follows naturally: To make a transaction paying to an anonymous address, I take the recipient's one time public key, a random nonce, and the value of the amount that I'm paying and hash them: You can think of this as an 'encrypted' coin.

I then have a program that checks that OUT really is the hash of the recipient's pubkey and some nonce known only to me and the value that it's supposed to be.

I run the program (which just runs the hash and an equivalence test) in the magic ZK execution environment and it gives me a proof. I stick OUT and the proof in my transaction. After accepting my transaction the network appends OUT to a merkle hash tree over all previously created anonymous outputs. I tell the recipient the nonce and value, and he can see that the newly created coin has been added to the network's collection of coins. Later, when the recipient wants to spend that coin, he goes and extracts the log2 sized tree fragment (all the hashes along the path from the root to the coin) which can be used to prove that coin is in the network's current hashtree.

He has a program that takes this fragment and verifies that it's valid, his pubkey, and the nonce (it also takes a new anonymous output like my first program: a new pubkey, nonce and value), and verifies that the values add up. He runs this program in the ZK proof environment with the pubkey that it's spending and the new output as public inputs, and the hash tree fragment as a secret input. He sticks the proof in a transaction along with the new output, and signs it with the public key he just revealed.

The network can now be convinced that he's spending a coin that exists (though it doesn't know which), and that it's creating a new coin which it will add to the list with a permissible value (though it doesn't know the value). The network then remembers the public key used, and never permits another transaction that uses the same pubkey— this prevents him from spending the same coin over and over again.

No one observing can tell which coin was spent, because although they can now see the pubkey they still don't know the nonce and so they can't go testing against all the previously created coins. Of course, to make a real system out of this you need several different programs that you can run in the ZK environment: A program to create a new anonymous coin from non-anonymous sources with known values e.

Perhaps you might want some other variation— though in the ZKP system used for ZeroCash each distinct circuit (since they do not use a universal circuit, for efficiency reasons) requires the provers to have hundreds of megs of 'prover key' created by the trusted initialization process, so it's helpful to avoid having too many different programs. The security of all this depends on the integrity of the ZKP system.

If it's compromised, no privacy is lost (the succinct proofs aren't even big enough to leak the secret data). Hopefully this makes it a bit more accessible?

I have been thinking about fully anonymous currencies in the past, which, not a big surprise, led me to NIZK proofs.

I was stopped there by the lack of resources on the topic. Your simple explanation (the link above) was really helpful. Thanks for writing that down!

Which has, in turn, potential to drive the price of the currency towards zero.

Even worse, you don't know, at any given point, whether the system was already compromised or not. Thus, no emergency measures such as the one made when the bitcoin chain was forked can be applied. Any ideas how to fight the problem?

Use N distinct ZK proof systems in parallel. This requires having multiple distinct systems which are sufficiently efficient. Getting one is currently hard enough, but in the long run it might be a good way to achieve adequate security.

Matthew Green has carefully worded his presentation of this project in the past.

He has always claimed that such an implementation could be possible. Not that it was inherent to the coin itself. Let's hope that he gets it running sooner, rather than later. Before somebody has a chance to change his mind.

So is this something that can be added on top of Bitcoin or is it a separate coin with improvements? It isn't clear to me which it is from the abstract.

This is described in section 6: "Here, we briefly detail integration with the Bitcoin protocol.

There are at least two possible approaches to this integration. The first approach replaces all bitcoins with zerocoins, making all transactions anonymous at the cost of losing any additional Bitcoin functionality provided by, e.

The second approach maintains this functionality, adding a parallel Zerocash currency, zerocoin, which can be converted to and from bitcoin at a one-to-one rate."

It is going to be a separate coin once released. Their attempts to merge the original Zerocoin idea into the Bitcoin blockchain were met with contempt.

The ZeroCoin stuff was just not really technically viable as it was. Also as evidenced by the fact that no altcoins have picked it up. The trusted initialization requirement was also kinda lame. ZeroCash improves the performance from the network's perspective greatly (at the expense of client performance), so it might be easier to make work.

It also greatly improves the anonymity by hiding the values; at the same time it makes the trusted initialization worse. That said— I don't know about 'contempt', here was my response: On the plus side— approaches can only get better". I do hope that cryptographic privacy improvements are themselves not too controversial to deploy.

Bitcoin as it is, is basically a privacy disaster which is only mitigated by the fact that Bitcoin is a niche thing that no one is forced to use. If you felt compelled to use Bitcoin in your daily personal and business life the current state of privacy there would cause a lot of harm.

I cringe a bit at people trying to promote Bitcoin to 'authorities' with the "it's not private" argument, I think that stems from a misunderstanding of what authorities should want e.

Right now the proposed privacy technology has too little maturity and too many tradeoffs to consider it in Bitcoin, but when that isn't the case I hope we can adopt them; even without doing so, the privacy techniques that can already be used in Bitcoin and cannot be stopped (like CoinJoins and CoinSwaps) can help a lot if they become more widely used.

Compared to the crypto used in Zerocash, Zerocoin's internals are fairly elementary. Zerocoin used one-way accumulators and discrete log based ZKPs, which are fairly approachable to anyone who has taken an undergraduate course in cryptography. Zerocash, however, uses Ben-Sasson's highly efficient zk-SNARK construct [0], the details of which are probably fully understood by a handful of people in the world.

