Although we recently learned that Zerocoin will not be implemented in Vertcoin, there are still a few other cryptocurrency developers out there who want to make their particular coins as anonymous as possible. One of the cryptocoins with the longest-standing traditions of protecting the privacy and anonymity of its users is Anoncoin. The cryptocurrency was made specifically for the dark web, which means allowing anonymous transactions is the most important feature for this coin. Many people have been trying to get the Bitcoin developers to look at the Zerocoin Project for quite some time now, but it seems that this experiment in anonymity will need to be tried out on an altcoin before it will be used on the most popular cryptocurrency in the world. I had a chance to ask Gnosis, one of the developers of Anoncoin, about what Zerocoin implementation means for Anoncoin and the cryptocurrency community as a whole:
Could you give us the simplest breakdown of how Zerocoin will enhance privacy for users of Anoncoin?
In crypto-currencies such as Anoncoin (and Bitcoin, Litecoin, etc.), there is a write-only ledger of transactions called a blockchain. The blockchain gets its name from the fact that it is a series of blocks of transactions which are linked together. Each transaction expresses information like “address A signs over 3 ANC (anoncoins) to address B”. By looking at this ledger, you can see which addresses receive money from certain addresses and when those funds were received. Even though there are no names attached to any of the addresses (this is called “pseudonymity” because the addresses act as pseudonyms), a powerful entity such as the NSA can leverage the information they know about some addresses to gain information about other addresses that have some relationship with them in the blockchain. It is extremely difficult to prevent these connections.
In other words, all your Bitcoins, Anoncoins, etc. have a history, and that history can be used to reveal your identity. Zerocoin allows you to erase that history.
In simplest terms: say you have 1 ANC whose history you want to erase. Using Zerocoin, you put that 1 ANC into a hat full of many other people’s 1 ANCs; at some later time, you can pull that 1 ANC out of the hat without its previous history (actually, you prove that you previously put in 1 ANC, and so you are allowed to pull out someone else’s 1 ANC). Someone who sees your new 1 ANC can only know that its previous history is one of perhaps millions of equally likely histories. If instead you had 12 ANC whose history you wanted to erase, you would have to put 10 ANC into the hat full of other people’s 10 ANC Zerocoins, and two 1 ANC coins into the hat full of other people’s 1 ANC coins. This means that Zerocoins are much more like actual coins than are Anoncoin, Bitcoin, etc. which are basically a collection of unnamed bank accounts.
See also: http://blog.cryptographyengineering.com/2013/04/zerocoin-making-bitcoin-anonymous.html
What made you want to implement Zerocoin instead of waiting for Zerocash?
The world needs a truly anonymous electronic currency sooner rather than later, and the more independent teams there are working on this, the sooner we can expect one to be finished and come online.
There is also the issue of parameter generation. Both Zerocoin and Zerocash require someone to first perform certain computations and throw away some of the intermediate results; if they hold onto the intermediate data, then the system is compromised. This obviously goes against the decentralized nature of crypto-currencies: how can we trust some random stranger to have faithfully destroyed these intermediate results, when there is a huge incentive to hold onto it?
By an incredible stroke of luck, Zerocoin has a work-around for this problem: RSA UFOs, which I am working on. It is very unlikely that a work-around exists for Zerocash.
How far away are you from implementing Zerocoin in Anoncoin?
I am reluctant to give estimates, but in about a month, I expect to have something early adopters can test. A lot of testing will be needed before we can trust that our implementation of Zerocoin will work correctly.
How does Anoncoin’s Zerocoin implementation compare with Darkcoin’s usage of CoinJoin?
After a brief exchange with one of the Darkcoin developers, I understand that Darkcoin plans to have the miners somehow take turns facilitating CoinJoin. The CoinJoin participants would have all their inputs mixed with each other into one large transaction; if done correctly, an outside party would only be able to see that the output came from one of potentially dozens of inputs. This is a more limited form of anonymity than Zerocoin provides. When the number of participants is low, the anonymity is low or nonexistent since each user’s money is not being mixed with many other users’ money. When the number of participants is high, a malicious participant can execute a denial of service attack by refusing to sign the transaction.
As I understand it, the developer is keeping this closed source for now, so I cannot speak with certainty as to how he will overcome the various problems with CoinJoin.
Do you think mixing will ever be implemented in Bitcoin at the protocol level?
Probably not for years, if ever. This is partly because the Bitcoin developers are reluctant to make large changes to Bitcoin (as are the miners to use those changes), and partly because they are trying to gain acceptance from governments, and making it more difficult for governments to trace the movement of money would make acceptance more difficult. It is worth pointing out, though, that appeasement strategies usually only embolden the enemy and lead to more concessions.
What do you think about Anoncoin’s decision to implement Zerocoin? Is anonymity important to you when it comes to cryptocurrencies? Let us know what you think in the comments below.