Is there a difference between privacy use here vs zerocoin? Is this implementation better for exchange and market type transactions and zerocoin is better for uniform type currency transacting? I guess the root of my question is why are we going for this, rather than zerocoin?
Zerocoin hides sender/receiver but does not hide amounts. The ring signatures of CryptoNote also hide sender/receiver but not amounts. (Technically, when I say doesn't hide amounts, I mean that these work on fixed-denomination assets. You could have a collection of related assets of different denominations, e.g. a $1 bill, $5 bill, $10 bill, etc., and send an appropriate combination of them privately to the receiver to effectively hide the amount. There is then the added complication of converting one asset to a combination of other ones and vice versa to implement "getting change".)
The ring signatures of CryptoNote grow in size proportional to the number of balances the user wants to hide in. (Technically, Chandran signatures can be used to have the signature grow with the square root of the number of balances. However, their applicability for cryptocurrency has been
contested. And apparently they require a trusted setup, so that makes me immediately consider it a non-starter.) For that reason, users need to compromise privacy a little and choose a small set of balances to hide in for the sake of reducing transaction size. (This compromise is also beneficial in making it easier on lightweight clients. But they would still need to request from a full node the balances of a few candidate blocks, one of which holds the balance they want to spend, to then filter down to the handful of balances, one of which must include their spending balance, that they wish to generate the ring signature on.)
On the other hand, I believe Zerocoin's spend signatures (really just the serial number and the zero-knowledge proof) are fixed size regardless of the privacy level wanted. (Zerocoin uses a one-way accumulator that needs to be computed by all nodes in the network. This can be done incrementally by the nodes for each new stealth transfer transaction. However, to generate a signature, the spender needs access to the accumulator by the end of the block just prior to the block in which their spending balance exists and the commitments of all balances in blocks that come after the block just prior to the block containing the spending balance, which seems to me to be a major problem for lightweight clients.) Despite being fixed size, the zero-knowledge proofs of Zerocoin are pretty large and take a while to verify.
Besides not hiding the amounts, the CryptoNote and Zerocoin methods suffer from the fact that they make full blockchain pruning impossible. (Actually, I may be wrong about this. Blockchain pruning might be possible, I just haven't yet figured out the details of how it would work. In any case, I would imagine blockchain pruning would require some time limit for users to redeem/update their balances before they are lost forever.) The blockchain needs to store all serial numbers that have been used to redeem the tokens to prevent double-spends. So it grows in size without bound over time.
Zerocash hides both the sender/receiver and the amounts. It uses a special zero-knowledge proof called Succinct Non-interactive ARguments of Knowledge (zk-SNARK), which allows for a much smaller proof than Zerocoin. It would seem to be the ideal system, but the problem is that zk-SNARK are very new cryptography so there is some uncertainty regarding whether it is appropriate to trust it yet for this purpose, and more importantly it requires a trusted entity to setup the initial parameters needed to make the proofs work. If this entity cannot be trusted, they could produce free tokens out of thin air. I also don't know what limitations it poses on lightweight clients.
Confidential transactions allows the amount to be blinded but by itself not the sender/receiver. This blinding process is really efficient: it is easy to compute the blinded values and to verify that sums add up, and even the range proof construction/verification isn't too bad; since it doesn't hide metadata of sender and receiver, it is easy on the lightweight clients since they don't need any other information from the blockchain that isn't relevant to their balances/transactions; the cryptography is mostly straightforward and better understood than zk-SNARKs, and doesn't require any trusted setup; and even though the size of the range proofs are somewhat large, they aren't too bad (an order of magnitude better than size of Zerocoin's zero-knowledge proofs) and with this new
Compact Confidential Transactions, the size of the range proofs become very small (approximately the same size of zk-SNARKs of Zerocash and smaller than a CryptoNote ring signature that hides within at least 8 balances). Adding stealth transfers on top of blinded amounts allows both the amount and the recipient to be hidden from the public (although for the recipient to remain hidden they need to not do things with the received balance that links it to their real account). Tumblers and CoinJoin (which have augmented privacy because of blinded amounts) can then provide users with the added privacy they need to move tokens from one account to another without linking the together.
Finally, I should mention that all of these techniques are to provide privacy for simple transfer operations. Market operations and smart contracts (generally) require knowing the plain-text amounts.
Topic: Confidential / Stealth Transfer Support Implemented and Passing Tests (Read 15489 times)
