ZeroShares: Solving the Zerocoin Problem with a Market for Public Secrets
Posted by: toast
This is a work in progress and will eventually become a paper properly describing the protocol. Best case scenario, people are interested and there is a funding round a la AngelShares; then I would work full-time on this during the summer and switch to part-time once it's off the ground. By that time, hopefully I3 will have made some parts of the DAC toolkit available to utilize, so this should be of interest to AGS/PTS holders as well.
Zerocoin is a proposed extension to bitcoin (and also an altcoin proposal) which allows for fully anonymous transactions by using zero-knowledge proofs to connect transaction outputs to transaction inputs.
http://spar.isi.jhu.edu/~mgreen/ZerocoinOakland.pdf
The short, inaccurate version is that it just extends bitcoin with two operations:
OP_MINT_ZEROCOIN which pins your bitcoin to a "bulletin board" along with a serial number, and gives you a secret serial number.
OP_UNMINT_ZEROCOIN which lets you prove that you pinned a bitcoin to the board in the past *without revealing which one it was*, and lets you unpin *any* bitcoin from the board.
The "Zerocoin Problem" is the fact that, using known crypto, you either have to use O(n^2) space with respect to the number of transactions (not scalable), or, quoting the Zerocoin paper:
"Our application requires specific properties from the accumulator. With no trusted parties, the accumulator and its associated witnesses must be publicly computable and verifiable (though we are willing to relax this requirement to include a single, trusted setup phase in which parameters are generated)."
That is, there must be some secret, but it can't be known by anyone. You have to trust someone to initialize the accumulator and then not save the starting secret. This kills any zerocoin implementation's network effect, because no single individual will be trusted by everyone.
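To make the trusted-setup problem concrete, here is an added toy model of the RSA accumulator Zerocoin builds on (this is illustrative code written for this post, not code from the Zerocoin paper or any ZeroShares implementation). The modulus, generator and coin values are constructed tiny numbers chosen for readability, and the function names are my own. Honest witnesses are computed from public data alone, and anyone can verify them; but whoever ran the setup and kept the factorization of N (here exposed as PHI) can produce a valid-looking witness for a coin that was never minted, which is exactly why the setup secret has to be destroyed and why a user must trust whoever generated it.

```python
"""Toy RSA accumulator illustrating the Zerocoin setup-secret problem.

Constructed example with tiny parameters for readability only.
"""
from math import gcd

# Constructed toy modulus. A real accumulator uses a large (2048-bit or more)
# N generated in a setup phase whose factorization must then be discarded.
P, Q = 10007, 10009
N = P * Q
PHI = (P - 1) * (Q - 1)   # the trapdoor: anyone holding this can forge witnesses
G = 4                     # accumulator generator; gcd(G, N) == 1
assert gcd(G, N) == 1


def accumulate(coins):
    """Public accumulator value for a set of coin commitments (distinct odd primes)."""
    acc = G
    for c in coins:
        acc = pow(acc, c, N)
    return acc


def witness(coins, coin):
    """Honest membership witness: accumulate every coin except `coin`.

    Needs only public data; this is what an unmint proof is built from.
    """
    if coin not in coins:
        raise ValueError("no honest witness exists for a coin that was never minted")
    return accumulate([c for c in coins if c != coin])


def verify(acc, coin, wit):
    """Anyone can check the witness: wit^coin must equal the accumulator mod N."""
    return pow(wit, coin, N) == acc


def forge_witness(acc, coin):
    """What the party that kept the setup secret can do: take the coin-th root of acc.

    Without PHI this is the strong RSA problem; with PHI it is one modular inverse.
    Raises ValueError if gcd(coin, PHI) != 1 (the toy parameters avoid that case).
    """
    d = pow(coin, -1, PHI)
    return pow(acc, d, N)


def demo():
    """Run the honest path and the trapdoor path; returns both verification results."""
    minted = [13, 17, 19, 23]          # constructed coin commitments (odd primes)
    acc = accumulate(minted)
    honest_ok = all(verify(acc, c, witness(minted, c)) for c in minted)
    never_minted = 29
    forged_ok = verify(acc, never_minted, forge_witness(acc, never_minted))
    return honest_ok, forged_ok


if __name__ == "__main__":
    honest, forged = demo()
    print("honest witnesses verify:", honest)
    print("forged witness for unminted coin verifies:", forged)
```

The second line of output is the point of the quoted paragraph: the public verification step cannot tell an honestly minted coin from one conjured by the setup party, so the only defence is that nobody holds PHI. ZeroShares, as described below, does not remove that requirement; it lets users choose which setup party they are willing to extend that trust to.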
The solution is ZeroShares: Crypto-equity in any and all future zerocoin "accumulators". Any individual can pay some ZRS to the network and embed an accumulator into the ZeroShares blockchain. Any individual who owns zeroshares can mint zerocoin at a fixed 1:1 using any accumulator. Thus, until someone who is trusted by all comes along, there will be some equilibrium between individuals moving to larger boards for the network effect and moving to smaller boards they can personally trust more.
Note that zerocoin is only fungible across different accumulators in the form of zeroshares, which does not happen using "disconnected" transactions. However, when individuals transfer zeroshares from one "secret bank" to another, they can make the transaction show that it is coming from the sending bank and going to the receiving bank. Zerocoin banks can set fees (entry, exit, per-transaction) when they are launched.
"Secret-keepers" want to use ZRS to launch good secrets with attractive parameters instead of launching a new alt, so that the mass of people holding zeroshares will use their secret and the secret-keeper can collect fees.
Zerocoin users want to only hold zerocoins inside a zeroshares accumulator so they have the freedom to move their zerocoins.
Ideally, there would be a way for the parent network to add new accumulator types. Perhaps someone would be willing to pay a premium for the truly anonymous but expensive one, or someone invents totally new crypto and launches a 0%-fee, provably secret bank.
I will be posting in this thread and revising the OP as I think of important details and as discussion evolves.