[cryptography] an untraceability extension to Bitcoin using a combination of digital commitments, one-way accumulators and zero-knowledge proofs,

Adam Back adam at cypherspace.org
Sat Apr 13 07:01:19 EDT 2013

Also without having read the article, but having read the blog post by one of
the authors: as Ian G said, zerocoin appears to provide payment privacy and
public auditability while retaining the distributed setting.

However, publicly auditable payment privacy comes from a ZKP of non-set
membership (from the 1998 paper by Sander & Ta-Shma, which they also
reference), plus bitcoin's hashcash computational-consensus-enforced model of
distributed.  So far I don't see something new other than assembling the two
parts.  I commented on this list on this combined approach a few years back:


My other comment then, which I don't know if zerocoin incorporated, was that
as the ZK non-set-membership proof (in the set of spent coins) is itself
expensive, maybe that work should be incorporated into the computational work
of the bitcoins.  If one could successfully do that work incorporation, the
work would be less of an issue as the miners would do it, and the mining
network has more power than the top 100 supercomputers combined (or so I
read!).  However, it would be useful to have individuals easily have the power
to categorically verify from scratch that a given zerocoin is valid.  Public
audit speed does matter.

Maybe they have some ZKP set membership optimizations, and the concrete
protocol plus prototype implementation is the point.


On Sat, Apr 13, 2013 at 01:40:36AM +0300, ianG wrote:
>Steve Bellovin posted this on another list, hattip to him.
>For those following Bitcoin this is news.  Matthew Green writes:
>    For those who just want the TL;DR, here it is:
>    Zerocoin is a new cryptographic extension to Bitcoin that (if 
>adopted) would bring true cryptographic anonymity to Bitcoin. It 
>works at the protocol level and doesn't require new trusted parties 
>or services. With some engineering, it might (someday) turn Bitcoin 
>into a completely untraceable, anonymous electronic currency.
>(iang adds:)
>Bitcoin is pseudonymous but traceable, which is to say that all 
>transactions are traceable from identity to identity, but those 
>identities are pseudonyms, being (hashes of) public keys.  This is 
>pretty weak.  In contrast, Chaumian blinding was untraceable but 
>typically identified according to an issuer's regime.  Because 
>Chaumian mathematics required a mint, this devolved to 
>trusted/identified, so again not as strong as some hoped.
>Bitcoin fixed this 'flaw' by decorporating the mint into an 
>algorithm. This suggests a new axis of distributed.  But  Bitcoin 
>lost the untraceability in the process, thus rendering it a rather 
>ridiculous attempt at privacy, as the entire graph was on display.  
>Bitcoin is more or less worse at privacy than Chaumian cash ever was.
>The holy grail in Chaumian times was untraceable & unidentifiable, to 
>which Bitcoin added distributed.  This paper by Miers, Garman, Green 
>& Rubin suggests untraceable & pseudonymous & distributed is 
>(I haven't as yet read the paper so there may be killer details in there.)
>cryptography mailing list
>cryptography at randombit.net
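
A toy of the structure discussed in this thread, added here as an example and not taken from the zerocoin paper or from either post: coins are minted as prime commitments, collected in a one-way (RSA-style) accumulator, and spent by revealing the serial number plus an accumulator witness, with the set of revealed serials catching double spends. The modulus, base and hash-to-prime commitment are constructed for illustration; in the real protocol the opening and membership checks happen inside a zero-knowledge proof so the verifier never learns which commitment is being spent, whereas here they are in the clear and nothing is hidden.

```python
import hashlib

N, G = 1000000007 * 998244353, 3  # toy modulus and base (constructed; factors public, NOT secure)

def is_probable_prime(n):
    """Miller-Rabin with fixed bases (adequate for a toy hash-to-prime)."""
    if n < 2:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % a == 0:
            return n == a
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def mint(serial, r):
    """Coin commitment: a prime derived from H(serial || r); r hides the serial."""
    c = int.from_bytes(hashlib.sha256(serial + r).digest(), "big") | 1
    while not is_probable_prime(c):
        c += 2
    return c

def accumulate(coins):
    """One-way accumulator over every minted commitment: G^(c1*c2*...) mod N."""
    a = G
    for c in coins:
        a = pow(a, c, N)
    return a

def witness(coins, c):
    return accumulate([x for x in coins if x != c])  # G^(product of the others)

def spend(spent, coins, c, serial, r, w):
    # Public audit: commitment opens, c is in the accumulator, serial is fresh.
    # zerocoin does the first two checks in zero knowledge; here c and r are revealed.
    if mint(serial, r) != c or pow(w, c, N) != accumulate(coins):
        return False
    if serial in spent:  # serial already revealed: double spend
        return False
    spent.add(serial)
    return True
```

Anyone holding the public mint list can recompute the accumulator from scratch and check a witness, which is the "verify from scratch" audit Adam refers to; the cost of doing that in zero knowledge is what the thread is debating.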
