Author Topic: ZeroShares: Solving the Zerocoin Problem with a Market for Public Secrets  (Read 1290 times)

0 Members and 1 Guest are viewing this topic.

Offline toast

  • Hero Member
  • *****
  • Posts: 4001
    • View Profile
  • BitShares: nikolai
I just had a thought... what if you always put your coin into TWO accumulators and had to pull it out of TWO accumulators.   Now you are not trusting one person, but two people not to collude. 

I have some good plans for zero-coin tech for voting systems... I would strongly support development efforts in this direction.

The only thing you are trusting them (the zerocoin acc) with is not to leak the secret. The main network can enforce the rules that protect your ownership of ZRS no matter what happens to that particular ZRC accumulator. The failure mode for information leaking is like "or" - the NSA needs to crack the secret of one OR the other to know the transaction history of the zerocoins.
What information can you hide with your scheme?
Do not use this post as information for making any important decisions. The only agreements I ever make are informal and non-binding. Take the same precautions as when dealing with a compromised account, scammer, sockpuppet, etc.

Offline bytemaster

I just had a thought... what if you always put your coin into TWO accumulators and had to pull it out of TWO accumulators.   Now you are not trusting one person, but two people not to collude. 

I have some good plans for zero-coin tech for voting systems... I would strongly support development efforts in this direction.
For the latest updates checkout my blog: http://bytemaster.bitshares.org
Anything said on these forums does not constitute an intent to create a legal obligation or contract between myself and anyone else.   These are merely my opinions and I reserve the right to change them at any time.

Offline toast

  • Hero Member
  • *****
  • Posts: 4001
    • View Profile
  • BitShares: nikolai
ZeroShares: Solving the Zerocoin Problem with a Market for Public Secrets
toast


This is a work in a progress and will eventually become a paper properly describing the protocol. Best case scenario, people are interested and there is a funding round a la angelshares, then I would work full-time on this during the summer and switch to part time once it's off the ground. By that time hopefully I3 will have made some parts of the DAC toolkit available to utilize and so this should be of interest to AGS/PTS holders as well.



Zerocoin is a proposed extension to bitcoin (and also an altcoin proposal) which allows for fully anonymous transactions by using zero-knowledge proofs to connect transaction outputs to transaction inputs.

http://spar.isi.jhu.edu/~mgreen/ZerocoinOakland.pdf

The short, inaccurate version is that it just extends bitcoin with two operations:
OP_MINT_ZEROCOIN which pins your bitcoin to a "bulletin board" along with a serial number, and gives you a secret serial number.
OP_UNMINT_ZEROCOIN which lets you prove that you pinned a bitcoin to the board in the past *without revealing which one it was*, and lets you unpin *any* bitcoin from the board.


The "Zerocoin Problem" is the fact that, using known crypto, you either have to use O(n^2) space w.r.t. number of transactions (not scalable), or:

Quote
Our application requires specific properties from the
accumulator. With no trusted parties, the accumulator and
its associated witnesses must be publicly computable and
verifiable (though we are willing to relax this requirement
to include a single, trusted setup phase in which parameters
are generated).


That is, there must be some secret, but it can't be known by anyone. You have to trust someone initialize the accumulator and not save the starting secret. This kills any zerocoin implementation's network effect because no individual will be trusted by everyone.


The solution is ZeroShares: Crypto-equity in any and all future zerocoin "accumulators". Any individual can pay some ZRS to the network and embed an accumulator into the ZeroShares blockchain. Any individual who owns zeroshares can mint zerocoin at a fixed 1:1 using any accumulator. Thus, until someone who is trusted by all comes along, there will be some equilibrium between individuals moving to larger boards for the network effect and moving to smaller boards they can personally trust more.

Note that zerocoin is only fungible across different accumulators in the form of zeroshares, which does not happen using "disconnected" transactions. However, when individuals transfer zeroshares from one "secret bank" to another, they can make the transaction show that it is coming from the sending bank to the receiving bank. Zerocoin banks can fix fees like entry/exit/transaction when they are launched.

"Secret-keepers" want to use ZRS to launch good secrets with attractive parameters instead of launching a new alt so the masses of people with zeroshares will use this secret and the secret keeper can collect fees.
Zerocoin users want to only hold zerocoins inside a zeroshares accumulator so they have the freedom to move their zerocoins.

Ideally, there would be a way for the parent network to add new accumulator types - perhaps someone would be willing to pay a premium for the truly anonymous but expensive one, or someone invents totally new crypto and launches a 0% fee provably secret bank.


I will be posting in this thread and revising the OP as I think of important details and as discussion evolves.

Do not use this post as information for making any important decisions. The only agreements I ever make are informal and non-binding. Take the same precautions as when dealing with a compromised account, scammer, sockpuppet, etc.