Zerocash Website and Paper Published

biolizard89
Posts: 2001
Joined: Tue Jun 05, 2012 6:25 am
os: linux

Zerocash Website and Paper Published

Post by biolizard89 »

http://zerocash-project.org/

I find their proposed solutions for mitigating illegitimate money laundering and tax evasion quite interesting. These would probably make it much safer to implement in Namecoin, given that we don't want grumpy government agents accusing us of facilitating money laundering / tax evasion. Is it possible that's a reason why they got DARPA funding? I will run this by my lawyer friend next time I have a chance.

Zerocash has hired Peter Todd (inventor of Stealth Addresses), and will be releasing an altcoin (with full source code, based on Bitcoin 0.9.1) in (est.) a few months.

They haven't talked much about the counterfeiting backdoor... that's the one thing I'm still a bit concerned about.

Overall I'm really excited about this.

Thoughts?
Jeremy Rand, Lead Namecoin Application Engineer
NameID: id/jeremy
DyName: Dynamic DNS update client for .bit domains.

Donations: BTC 1EcUWRa9H6ZuWPkF3BDj6k4k1vCgv41ab8 ; NMC NFqbaS7ReiQ9MBmsowwcDSmp4iDznjmEh5

phelix
Posts: 1634
Joined: Thu Aug 18, 2011 6:59 am

Re: Zerocash Website and Paper Published

Post by phelix »

Let's see how that goes...
nx.bit - some namecoin stats
nf.bit - shortcut to this forum

virtual_master
Posts: 541
Joined: Mon May 20, 2013 12:03 pm
Contact:

Re: Zerocash Website and Paper Published

Post by virtual_master »

biolizard89 wrote:http://zerocash-project.org/

I find their proposed solutions for mitigating illegitimate money laundering and tax evasion quite interesting. These would probably make it much safer to implement in Namecoin, given that we don't want grumpy government agents accusing us of facilitating money laundering / tax evasion. Is it possible that's a reason why they got DARPA funding? I will run this by my lawyer friend next time I have a chance.

Zerocash has hired Peter Todd (inventor of Stealth Addresses), and will be releasing an altcoin (with full source code, based on Bitcoin 0.9.1) in (est.) a few months.

They haven't talked much about the counterfeiting backdoor... that's the one thing I'm still a bit concerned about.

Overall I'm really excited about this.

Thoughts?
AML is not an issue at all for transactions inside of the blockchain as it is no money involved.(cryptocurrency is not a money)
Even by exchanges where fiat money is involved they are juristic interpretations in the USA that cannot occur money laundering by buying or selling cryptocurrencies against fiat as cannot occur by USD-oil trades.
http://namecoinia.org/
Calendars for free to print: 2014 Calendar in JPG | 2014 Calendar in PDF Protect the Environment with Namecoin: 2014 Calendar in JPG | 2014 Calendar in PDF
BTC: 15KXVQv7UGtUoTe5VNWXT1bMz46MXuePba | NMC: NABFA31b3x7CvhKMxcipUqA3TnKsNfCC7S

biolizard89
Posts: 2001
Joined: Tue Jun 05, 2012 6:25 am
os: linux

Re: Zerocash Website and Paper Published

Post by biolizard89 »

The Zerocash team is working on a secure multiparty computation system for generating the public parameters, which mostly mitigates the trust issue.

So, question regarding Zerocash support in Namecoin... would it be a problem if name transactions had to be done via BaseNMC (address of owner is public), given that the BaseNMC that create a name can in turn be funded by ZeroNMC (address of owner not public)? The only problem I can see here is that if a name is atomically traded for NMC, the fact that a trade occurred would be public knowledge. I *think* the amount of the trade could be in ZeroNMC (but I'm not certain, since the protocol isn't public yet). If that's the case, then the default client could automatically generate an atomic trade transaction for all name_update transactions, so that would fix the issue as far as I can tell.

Thoughts?
Jeremy Rand, Lead Namecoin Application Engineer
NameID: id/jeremy
DyName: Dynamic DNS update client for .bit domains.

Donations: BTC 1EcUWRa9H6ZuWPkF3BDj6k4k1vCgv41ab8 ; NMC NFqbaS7ReiQ9MBmsowwcDSmp4iDznjmEh5

domob
Posts: 1129
Joined: Mon Jun 24, 2013 11:27 am
Contact:

Re: Zerocash Website and Paper Published

Post by domob »

IMHO, it would be fine to have name transactions rely on BaseNMC. As you state, you can still be anonymous by funding the transaction with zerocash transactions.
BTC: 1domobKsPZ5cWk2kXssD8p8ES1qffGUCm | NMC: NCdomobcmcmVdxC5yxMitojQ4tvAtv99pY
BM-GtQnWM3vcdorfqpKXsmfHQ4rVYPG5pKS
Use your Namecoin identity as OpenID: https://nameid.org/

biolizard89
Posts: 2001
Joined: Tue Jun 05, 2012 6:25 am
os: linux

Re: Zerocash Website and Paper Published

Post by biolizard89 »

biolizard89 wrote:The Zerocash team is working on a secure multiparty computation system for generating the public parameters, which mostly mitigates the trust issue.

So, question regarding Zerocash support in Namecoin... would it be a problem if name transactions had to be done via BaseNMC (address of owner is public), given that the BaseNMC that create a name can in turn be funded by ZeroNMC (address of owner not public)? The only problem I can see here is that if a name is atomically traded for NMC, the fact that a trade occurred would be public knowledge. I *think* the amount of the trade could be in ZeroNMC (but I'm not certain, since the protocol isn't public yet). If that's the case, then the default client could automatically generate an atomic trade transaction for all name_update transactions, so that would fix the issue as far as I can tell.

Thoughts?
So, I finally had a chance to fully read the Zerocash paper. Here's a snippet on how it's being integrated with an existing basecoin:
B. Integration by hybrid currency
A different approach is to extend Bitcoin with a parallel,
anonymized currency of “zerocoins,” existing alongside bit-
coins, using the same ledger, and with the ability to convert
freely between the two. The behavior and functionality of
regular bitcoins is unaltered; in particular, they may support
functionality such as scripting.
In this approach, the Bitcoin ledger consists of Bitcoin-style
transactions, containing inputs and outputs [20]. Each input is
either a pointer to an output of a previous transaction (as in plain
Bitcoin), or a Zerocash pour transaction (which contributes its
public value, v pub, of bitcoins to this transaction). Outputs
are either an amount and destination public address/script
(as in plain Bitcoin), or a Zerocash mint transaction (which
consumes the input bitcoins to produce zerocoins). The usual
invariant over bitcoins is maintained and checked in plain
view: the sum of bitcoin inputs (including pours’ v pub) must
be at least the sum of bitcoin outputs (including mints’ v),
and any difference is offered as a transaction fee. However,
the accounting for zerocoins consumed and produced is done
separately and implicitly by the DAP scheme.
So yeah, we don't even need to convert zerocoins into basecoins before creating a name transaction; the zerocoin pour operation acts as a standard transaction input, with the output being a basecoin name script.

For privacy purposes, all name_update transactions generated by the reference client should have 2 inputs: a basecoin input which corresponds to the name, and a zerocoin pour input which corresponds to an atomic payment. This makes it impossible to determine whether a name_update transaction is selling the name to a new owner (in exchange for zerocoins), or simply sending to the same owner (in which case the zerocoins are being sent to a change zerocoin address, minus the tx fee).

Also, there's an interesting section of the paper about scalability of the UTXO set:
Step 2: compressing the list of coin commitments.
In the above NP statement, CMList is specified explicitly as a list of
coin commitments. This naive representation severely limits
scalability because the time and space complexity of most
protocol algorithms (e.g., the proof verification algorithm)
grows linearly with CMList . Moreover, coin commitments
corresponding to already spent coins cannot be dropped from
CMList to reduce costs, since they cannot be identified (due to
the same zero-knowledge property that provides anonymity).
As in [3], we rely on a collision-resistant hash function CRH
to avoid an explicit representation of CMList. We maintain
an efficiently updatable append-only CRH -based Merkle tree
Tree (CMList) over the (growing) list CMList. Letting rt denote
the root of Tree (CMList), it is well-known that updating rt to
account for insertion of new leaves can be done with time and
space proportional to the tree depth. Hence, the time and space
complexity is reduced from linear in the size of CMList to
logarithmic. With this in mind, we modify the NP statement to
the following one: “I know r such that COMM r (sn) appears as
a leaf in a CRH-based Merkle tree whose root is rt”. Compared
with the naive data structure for CMList, this modification
increases exponentially the size of CMList which a given zk-SNARK
implementation can support (concretely, using trees of depth
64, Zerocash supports 2^64 coins).
So, unspent zerocoins aren't pruned by being spent, but instead the storage cost of the unspents set grows logarithmically (instead of linearly) with the number of unspents. I'm not sure how this compares to basecoins in practical terms, but it's a pretty cool setup.

As I read the Zerocash paper from beginning to end, I grew more and more impressed. These guys are awesome, they've thought of pretty much all the concerns I had.

@domob, what do you think about the above?

PS: As a sidenote, the paper is surprisingly readable. I skipped over the advanced math, but they have clear English descriptions of everything that they do, which are reasonably understandable for anyone with cursory knowledge in the subject. I would encourage everyone to read their paper, it's very cool stuff.
Jeremy Rand, Lead Namecoin Application Engineer
NameID: id/jeremy
DyName: Dynamic DNS update client for .bit domains.

Donations: BTC 1EcUWRa9H6ZuWPkF3BDj6k4k1vCgv41ab8 ; NMC NFqbaS7ReiQ9MBmsowwcDSmp4iDznjmEh5

domob
Posts: 1129
Joined: Mon Jun 24, 2013 11:27 am
Contact:

Re: Zerocash Website and Paper Published

Post by domob »

biolizard89 wrote:@domob, what do you think about the above?
I haven't read the paper, either, but I think the general approach is really cool. I knew already about how the integration with a base coin works (from some Bitcointalk threads, I guess), but I didn't know about the logarithmic UTXO-set complexity. This sounds interesting, but I haven't yet thought it through fully. In any case, I think that Zerocoin will be a very valuable addition to Bitcoin and Namecoin, if everything works out and the performance is acceptable. Not sure when this will really happen, though. Are you aware of "concrete" talks about adding Zerocoin to Bitcoin proper (possibly as a sidechain)?
BTC: 1domobKsPZ5cWk2kXssD8p8ES1qffGUCm | NMC: NCdomobcmcmVdxC5yxMitojQ4tvAtv99pY
BM-GtQnWM3vcdorfqpKXsmfHQ4rVYPG5pKS
Use your Namecoin identity as OpenID: https://nameid.org/

biolizard89
Posts: 2001
Joined: Tue Jun 05, 2012 6:25 am
os: linux

Re: Zerocash Website and Paper Published

Post by biolizard89 »

domob wrote:
biolizard89 wrote:@domob, what do you think about the above?
I haven't read the paper, either, but I think the general approach is really cool. I knew already about how the integration with a base coin works (from some Bitcointalk threads, I guess), but I didn't know about the logarithmic UTXO-set complexity. This sounds interesting, but I haven't yet thought it through fully. In any case, I think that Zerocoin will be a very valuable addition to Bitcoin and Namecoin, if everything works out and the performance is acceptable. Not sure when this will really happen, though. Are you aware of "concrete" talks about adding Zerocoin to Bitcoin proper (possibly as a sidechain)?
I don't know anything about Bitcoin supporting Zerocash. I recall Gavin Andreson saying he was "excited" about Zerocoin (back in 2013), but I haven't heard anything since then. Peter Todd is working with the Zerocash team; last I heard Luke-Jr wasn't happy about the public parameters trust situation (although I think that was before the MPC was announced; I don't know what his current stance is). I wouldn't be surprised if the Bitcoin Foundation is trying to avoid Zerocash due to lobbying interests (then again, the ability to prove tax compliance sounds like it would be viewed favorably by regulators). Have you heard anything more recently about this?
Jeremy Rand, Lead Namecoin Application Engineer
NameID: id/jeremy
DyName: Dynamic DNS update client for .bit domains.

Donations: BTC 1EcUWRa9H6ZuWPkF3BDj6k4k1vCgv41ab8 ; NMC NFqbaS7ReiQ9MBmsowwcDSmp4iDznjmEh5

domob
Posts: 1129
Joined: Mon Jun 24, 2013 11:27 am
Contact:

Re: Zerocash Website and Paper Published

Post by domob »

biolizard89 wrote:
domob wrote:
biolizard89 wrote:@domob, what do you think about the above?
I haven't read the paper, either, but I think the general approach is really cool. I knew already about how the integration with a base coin works (from some Bitcointalk threads, I guess), but I didn't know about the logarithmic UTXO-set complexity. This sounds interesting, but I haven't yet thought it through fully. In any case, I think that Zerocoin will be a very valuable addition to Bitcoin and Namecoin, if everything works out and the performance is acceptable. Not sure when this will really happen, though. Are you aware of "concrete" talks about adding Zerocoin to Bitcoin proper (possibly as a sidechain)?
I don't know anything about Bitcoin supporting Zerocash. I recall Gavin Andreson saying he was "excited" about Zerocoin (back in 2013), but I haven't heard anything since then. Peter Todd is working with the Zerocash team; last I heard Luke-Jr wasn't happy about the public parameters trust situation (although I think that was before the MPC was announced; I don't know what his current stance is). I wouldn't be surprised if the Bitcoin Foundation is trying to avoid Zerocash due to lobbying interests (then again, the ability to prove tax compliance sounds like it would be viewed favorably by regulators). Have you heard anything more recently about this?
No, I haven't either. (Except the discussions about sidechains in general - it seems to me that sidechains are somewhat a "generalisation" of the integration idea that popped up initially with Zerocash alone.)
BTC: 1domobKsPZ5cWk2kXssD8p8ES1qffGUCm | NMC: NCdomobcmcmVdxC5yxMitojQ4tvAtv99pY
BM-GtQnWM3vcdorfqpKXsmfHQ4rVYPG5pKS
Use your Namecoin identity as OpenID: https://nameid.org/

indolering
Posts: 801
Joined: Sun Aug 18, 2013 8:26 pm
os: mac

Re: Zerocash Website and Paper Published

Post by indolering »

FWIW I ran the proposal past an operator of an exchange and they did not have any concerns with it. Still, I don't want to give government actors an excuse to go after us.

I haven't read the paper and I won't have time for a few weeks so I guess that I will just ask: is it possible to build the anti-money laundering controls relative to name purchases?
DNS is much more than a key->value datastore.

Post Reply