Cryptonote/Monero vs. Sumcoin/Blockstream's Confidential Transactions

In any case, the concept is sort of inane. Whoever receives a payment can trace all the way back through the chain of payment history of obscured amounts. So afaics the anonymity breaks down over time to eventually 0. Please correct me if I am mistaken.
Afaics, the anonymity does degenerate in a way that it doesn't in Cryptonote (Monero), which is conceptually relevant to my initial objection above regarding the fact that the recipients must be able to prove the amount they received (i.e. the Sumcoin viewkey).
Let's consider the more intelligible summary in the claimed Sumcoin improvement to Blockstream's Confidential Transactions as follows.
I remember watching Adam Back's talk about this concept when he was in Israel at a meeting I think sponsored by Meni Rosenfeld.
Request for comments
http://voxelsoft.com/dev/sumcoin.pdf

You sure were very quick to include Blockstream's Elements and Confidential txs in your work.
(sorry, no time to read the paper right now)
Let me quote from that Sumcoin white paper as follows.
5.2 Comparison to alternatives
...
A Sumcoin user need not mix coins of related, equal denominations; she can simply
spend to multiple addresses. A hidden satoshi will mix as well as a hidden [non-fraction of a] coin [e.g. 1 Bitcoin].
5.3 Social
Sumcoin is more like cash than Bitcoin. Users of cash, and Sumcoins, tend not
to discover the value of other users transactions. Bitcoin nodes see the value of
all unrelated transactions on the global network.
With cash transactions, if a party chooses to publicly disclose a transaction
amount, their claim would initially stand unproven. They would need additional
evidence, such as a confirmation from the counterparty (or intermediary)
to prove the claim. With Sumcoin, such disclosure is immediately and forever
provable on the blockchain. This permanent and undeniable record should discourage
the use of this technology for nefarious purposes.
Properly kept, crypto-currencies such as Bitcoin are the least practical asset
class to take from an owner without consent. This process reduces to probabilistic
rubber hose cryptanalysis in extremis, which may only be feasible on a small
scale. Unfortunately, not all owners can be assumed to make sufficient effort to
protect their coins...
The author apparently thinks that users won't reveal their view keys in public. But the recipient's viewkey can also be hacked or pressured with rubber hoses. The author doesn't state the holistic problem (conceptually analogous to the holistic issue I had pointed out to the Monero devs during the BCX debacle) that, as values are revealed where the coin histories are not untraceable and unlinkable, solving for the other unknown values in the system becomes a system of simultaneous equations (then there was the discussion about practical computability and complexity classes P and NP).
So mixing is still required.
Also compared to Cryptonote where the values (denominations) of mixes have been forced to be equal, unmasking some values will reduce (unmasking) the anonymity set of mixing that was done by any external protocol if unequal values were used for the inputs and outputs. If I am not mistaken, hacking the private key of the recipient in Cryptonote does not weaken the anonymity set of the ring of outputs serving as inputs to the transaction. In other words, in Monero the viewkey is controlled by the sender; whereas in these new homomorphic (not homocoin, lol) encryption schemes the recipient gets the viewkey.
However, this new homomorphic encryption of sums does appear to add some value where it is not reasonable to mix with equal denominations, e.g. merging outputs of a Cryptonote ring (i.e. it might be useful to combine both types of on-chain anonymity?). I find it very interesting and I am impressed with the work of the author of Sumcoin. Adam Back outlined how it might be feasible to simulate ring signatures by mixing zero and non-zero denominations as follows, which I presume is an analogous special case of what Sumcoin mentioned about mixing unequal inputs and outputs in a transaction.
Let's call the homomorphic coin for short morphcoin (and not homocoin;) Or ringcoin from the additional implication of the below extended protocol.
One more proof which allows a ringcoin (ring signature analog of Greg Maxwell's coinjoin) is to create a ring input R=g^v'*h^x' and change C' and then prove that with respect to someone else's coin where it can be publicly audited that C=R*C' (i.e. the coin adds up) and C' is the change left for the original owner. The proof you need to make that an acceptable proposition for the original owner (subtracting random amounts from his coin!) is that either R=g^(v'=0)*h^x' OR RP(C') and RP(R) such that C=R*C', where RP is the range proof construction from the parent post.
That proves either you have a coin with 0 value (so it's safe to subtract it without someone else's permission or cooperation from their coin) OR that you know the coin private key, so you can subtract whatever you want because you're its owner. The way the subtraction is proven not to underflow is you split the coin into two or more outputs with range proofs that add up to the original coin, proving you are the owner. The coin private key for C is x, for R is x' and for C' is x"; x' is random and x"=x-x' mod n, so final validation is simply EC addition of the split proceeds (which could be spent to another person and a change address, e.g.).
The OR construction is standard and the same technique as in the parent post to allow one to prove v_i=0 or v_i=1 (namely you intentionally allow a maximum of one forgery, by adding one degree of freedom to the choice of the challenge).
Now a ringcoin is like coinjoin, but more powerful because you don't need the cooperation of the other coins! That makes sense because you are provably not removing any value from them (as you don't know their private keys). The additional cost for the "v'=0 OR" clause should be small, about 3 or 4 values (96-128 bytes) on top of the two range-proof encrypted values.
...
Again to summarize:
Ringcoin is like coinjoin except you, the spender, choose who to mix your inputs with, and you take 0 from each input, but because the value is homomorphically encrypted no one but you can tell that, and you don't need to mix other people's outputs.
Ringcoin seems likely to outperform zerocoin in anonymity, certainly in performance (coins can have flexible value unlike zerocoin, which is one denomination, or dilutes the anonymity set if you have multiple denominations; and 2 output coins are 10x smaller and much CPU cheaper to create and verify). You can mix with 10 ringcoin inputs per 40kB zerocoin proof, and you don't have the competing anonymity-set issues from having to balance the number of denominations (for efficiency of payments, e.g. $1000 coins = 1000x $1 coin payment) against anonymity set (introduce $1, $10, $100, $1000 coins and now you can infer possible sources from handling of coins of the required value, and so reduce the anonymity set). Unlike zerocoin there is no unwanted trapdoor (the n=p*q issue where p, q is a global trapdoor allowing coin forgery that you can't prove you destroyed).
5.1 Features
...
In addition to standing on its own, Sumcoin can be
implemented as a sidechain[42] or integrated into the Monero (or Bitcoin) protocol
as a hard fork with a new transaction version. Spent transaction pruning[43]
is possible in Sumcoin.
Everyone can stop caring about block chain size once my radical redesign of PoW is realized.
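Added worked example, not part of the thread and not Sumcoin's, Blockstream's or Adam Back's code: a Python model of the commitment arithmetic in Adam Back's ringcoin quote (C = R*C' with a zero-valued R = g^0*h^x') and of the simultaneous-equations unmasking argued above. Assumptions of the example: a seeded 64-bit safe-prime Schnorr group (toy size, chosen for readability), a hash-derived second generator h, range proofs omitted (only the balance rule and the v'=0 Schnorr branch of the OR clause are modelled), and the names commit, ring_split, owner_split, prove_zero, verify_zero and recover_missing are the example's own.

```python
"""Pedersen-commitment model of the homomorphic sums quoted above. Constructed
example, not Sumcoin, Elements or Monero code. A coin is C = g^v * h^x (mod p),
v the hidden value, x the blinding factor that doubles as the coin's private key.
Range proofs are left out; only the additive balance rule and the v'=0 Schnorr
branch of the OR clause are modelled. Group: a seeded 64-bit safe-prime Schnorr
group, an assumption made for readability (real systems use ~256-bit groups)."""
import hashlib
import math
import random

def is_probable_prime(n):
    """Miller-Rabin with fixed small bases: adequate for this demo, not keygen."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime(bits, seed=7):
    """First safe prime p = 2q + 1 at or above a seeded starting point."""
    q = random.Random(seed).getrandbits(bits) | (1 << (bits - 1)) | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q

P, Q = safe_prime(64)
G = 4  # a square, so it lies in the order-q subgroup of quadratic residues
H = pow(int.from_bytes(hashlib.sha256(b"demo-h").digest(), "big") % P, 2, P)
assert H not in (0, 1) and pow(G, Q, P) == 1 and pow(H, Q, P) == 1

def commit(v, x):
    """C = g^v * h^x mod p; commit(a, x) * commit(b, y) == commit(a + b, x + y)."""
    return pow(G, v, P) * pow(H, x, P) % P

def balances(inputs, outputs):
    """Public validation rule: the input coins multiply to the output coins."""
    return math.prod(inputs) % P == math.prod(outputs) % P

def owner_split(v, x, v_out, x_out):
    """Owner branch: split C = commit(v, x) into R = commit(v', x') and change
    C' = commit(v - v', x - x'), i.e. Back's x'' = x - x' mod n."""
    return commit(v_out, x_out), commit((v - v_out) % Q, (x - x_out) % Q)

def ring_split(c_other, rng):
    """Ring branch: subtract v' = 0 from someone ELSE's coin without their keys.
    R = g^0 * h^x' for random x'; C' = C / R is their change; C == R * C'."""
    x_prime = rng.randrange(1, Q)
    r = commit(0, x_prime)
    return r, c_other * pow(r, -1, P) % P, x_prime

def _challenge(*parts):
    data = b"".join(p.to_bytes(32, "big") for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def prove_zero(x_prime, rng):
    """Fiat-Shamir Schnorr proof of knowing x' with R = h^x' (the v' = 0 case)."""
    k = rng.randrange(1, Q)
    r, t = commit(0, x_prime), pow(H, k, P)
    return r, t, (k + _challenge(H, r, t) * x_prime) % Q

def verify_zero(r, t, s):
    return pow(H, s, P) == t * pow(r, _challenge(H, r, t), P) % P

def recover_missing(known_in, known_out, c_missing):
    """Simultaneous-equations unmasking: with every other (v, x) opening in a
    transaction revealed (viewkeys leaked, keys hacked or rubber-hosed), the
    last coin's value AND private key fall out of the balance equation."""
    v = (sum(v for v, _ in known_in) - sum(v for v, _ in known_out)) % Q
    x = (sum(x for _, x in known_in) - sum(x for _, x in known_out)) % Q
    return (v, x) if commit(v, x) == c_missing else None

def demo():
    rng = random.Random(2024)
    ax, bx = rng.randrange(1, Q), rng.randrange(1, Q)
    alice, bob = commit(50, ax), commit(30, bx)  # constructed coins
    r, bob_change, xp = ring_split(bob, rng)     # Alice takes 0 from Bob's coin
    x_pay = rng.randrange(1, Q)                  # Alice spends 50 + 0, key ax + x'
    pay, alice_change = owner_split(50, (ax + xp) % Q, 20, x_pay)
    _, t, s = prove_zero(xp, rng)
    leaked = recover_missing([(50, ax), (30, bx)],
                             [(20, x_pay), (30, (ax + xp - x_pay) % Q)], bob_change)
    return {
        "balances": balances([alice, bob], [pay, alice_change, bob_change]),
        "zero_proof": verify_zero(r, t, s),
        "forged_proof_rejected": not verify_zero(commit(1, xp), t, s),
        "bob_change_opening": leaked,            # (30, bx - x' mod q)
    }
```

demo() shows the two faces of the construction: the validator's check passes and the Schnorr branch proves R carries no value (a non-zero R fails it), yet once the openings of Alice's coin, the payee's output and Bob's original coin are known, Bob's change commitment is no longer hidden: its value and its blinding key are recovered from the balance rule alone.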