Here is an excerpt from my fully completed white paper for my revolutionary anonymity invention.
I am proposing to release this white paper either publicly or for exclusive implementation in Monero or another coin, whichever the community prefers, and forsake my former plans to implement it first in my Ion project. The benefit is to get this anonymity breakthrough implemented sooner for those of us in the community who desire such a feature.
Other potential benefits include enabling me to demonstrate an example of my technical capabilities, demonstrate that I am for sharing/open source, and to rebuild my entirely depleted savings so I could for example seek proper health care for my strange autoimmune-like chronic illness, which includes relapsing chronic fatigue syndrome, peripheral neuropathy, gut pain, and strange head pain/sensations which potentially implicate Multiple Sclerosis (3+ years suffering). Also it would enable me to refund my Ion project angel investors, in case due to my health I am unable to complete Ion. Note I can still code features because I am not ill every moment, but the concern is whether I have enough good hours to complete and manage an entire crypto project. I may have found a breakthrough on my health to be explained soon, but I am hedging my opportunities just in case.

Forsaking the "first mover" advantage of implementing it first in Ion, I lose the strategy by which I intended to capture compensation for the following work I already completed. Thus I need to be compensated via some other means, and a donation model has been suggested to me. I am interested to test a "Kickstarter" style funding threshold, which is discussed below.
Zero Knowledge Transactions
Shelby Moore
15 July 2015
Abstract: Our conditional-security[1], autonomous transaction model conceals the origination, destination, and conveyed content from the view of third parties. For a monetary transaction, these obscured three are respectively the payer, payee, and transferred monetary value. The originator knows the destination; the payee and payer know the conveyed value; and the payer isn't revealed to the payee.
We improve upon, unify, and generalize the concepts from Cryptonote[Sab13] and Compact Confidential Transactions[Luk15]. Security remains relatively simple math, conditional on the hardness of ECDLP and of the cryptographic hash in the random oracle model, avoiding Zerocash's[SCG14] complex math, complex new cryptographic assumptions, inability to unwind orphaned transaction branches independently (because it conceals everything), and trusted setup process[Wil15].
[1] Conditional security relies on unproven computational hardness assumptions, e.g. compared to enumerating each possible value, the cost of solving the elliptic curve discrete logarithm problem (ECDLP)[CPS11] is conjectured to increase exponentially with the bit width[Cor15]. Even unconditional security's reliance on proven assumptions of prohibitive cost is not equivalent to information-theoretic security, the inability to break security even with unlimited computing power due to unavailable information.

I also excerpt the section names below, without revealing all the text and math which embodies the epiphany of the invention.
1 Anonymous transactions
1.1 Anonymous transaction properties
1.2 Non-autonomous strategies
1.3 Computer security
2 Hiding transaction values
Concealing the transferred values provides fungibility against discrimination by value and conceals private business data. Also the transaction values may be unequal in transactions that mix inputs and outputs from unrelated parties for the purpose of achieving an anonymity set. Zerocash[SCG14] conceals transaction values but has the tradeoffs enumerated in the Abstract. Mixing technologies such as Zerocoin[MGG13], Cryptonote[Sab13], CoinJoin[Max13], and CoinShuffle[RMK14] all suffer from the requirement of equal input values. This places a simultaneity requirement on retaining system-wide consistent denominations available in each wallet at all times, so that any transaction can be performed spontaneously without the latency to split values before mixing.
For example, the wallets for the Cryptonote clone Monero typically maintain all balances in powers-of-ten denominations, which bloats the block chain and peer network. In theory, unlinkability is potentially lost in a cascade of correlations when numerous instances of transaction change are merged in a subsequent transaction that doesn't employ an anonymity set because of the requirement for equal values. Although Cryptonote provides implicit value privacy as a side-effect of the untraceability of the payer and unlinkability of the payee, the transparent value data increases the entropy footprint for attackers to target with potentially sophisticated combinatorial and timing analysis algorithms. Concealing value data reduces the information available for analysis.
In a decentralized transaction confirmation scheme we will propose in a separate research paper, the requirement for equal values for transaction inputs would greatly complicate, if not make impractical, the mandatory mixing between transactions that is required to provably eliminate a combinatorial unmasking attack[MNM15] against Cryptonote.
2.1 Committed value
Compact Confidential Transactions (CCT)[Luk15] introduced the committed value, which is the concealed value x made more fuzzy with sufficient random bits and multiplied by the elliptic curve cryptography (ECC) base point G:
committedValue = V = x ⋅ G
A brute force attack must enumerate every possible x to find a match to the public committedValue and G. Given 64-bit values, a brute force attack must enumerate at most 2^64 − 1 values. Bernstein estimated in 2006[Ber06] that rho attacks[Cor15] might be feasible against 160-bit ECC. The entropy of Bitcoin values typically uses only a small portion of the 64-bit range.
Thus in a fuzzed x some random least significant bits are prepended to the concealed value to add more entropy to the committedValue. These fuzz bits are blinding sub-satoshis.
2.2 Homomorphic proof of sum
2.3 NIZKP of no overflow and positive value
A sum of concealed output values that exceeds the group order ℓ of the base point G would wrap around modulo ℓ, thus potentially satisfying the proof of sum for a sum of outputs that exceeds the sum of the inputs.
A negative concealed output value paid to the payer that would never be spent to a third party could satisfy the proof of sum combined with another concealed output value that exceeds the sum of the inputs.
In non-interactive zero knowledge it is proven (a.k.a. NIZKP) that each concealed output value 'x' is known, positive, and smaller than group order ℓ divided by the number of outputs. Zero knowledge means x is not revealed in the proof.
Our proof replaces CCT's proof-of-square with a more efficient method, so that a computationally expensive, unvetted 768-bit ECC is not required.
[The remainder of this section is omitted since it contains the invention described in the prior sentence that even Gmaxell and others from Blockstream did not solve.]
2.4 Parameter choices
3 Hiding payer and payee
3.1 Analysis of autonomous one-time ring signatures
3.2 Hiding payer, payee, and value
References
[Luk15] Denis Lukianov, Compact Confidential Transactions for Bitcoin, July 3 revision.

Please read the prior discussion about the above anonymity feature, including my recent peer review that identified/revealed the flaw in an attempt to create the same invention by someone who may be affiliated with Monero.
I have estimated that the work done would cost $112,000 at my highest-level of opportunity cost achieved in my career:
I had roughly 200 man hours (2+ weeks @ 14 hour days) in development time for that crypto breakthrough on anonymity, including the research, invention, and writing the white paper. I was able to work very intensely in some spurts during June & July and my gf can attest to that. It was in August & September that some egregious errors on diet and fasting sent me into a tailspin on health (will be explaining this theory shortly).
My inflation-adjusted income earning capacity was $563 per hour. Thus fair value for that work just based on the hourly compensation is $112,600. I had to risk doing my work before compensation from the market for CoolPage. Ditto for this anonymity invention. So the risk-weighted hourly rate is justified. If you get offered $100-$300 per hour for guaranteed compensation, that is a different category. The very high rate is to compensate for the risk of never being compensated.
So now you can see why very highly paid developers do not work on crypto. They have the potential to earn much more money outside of crypto and crypto is too small to afford the best developers.
But there is no way I would set a crowdfunded donations threshold that high, because I doubt it could be reached (because it isn't a comparative equity offering) and even though it might be my opportunity cost from 2001 when I was at the top of my career, it isn't my recent opportunity cost. I am in a strange situation because on the one hand if I finish a project like Ion, I could potentially earn more per hour (inflation-adjusted) than I did in 2001, but the risk of not completing such a project or the project not being successful for whatever reason is significant (how many altcoins have succeeded versus how many have died, even considering what talent I bring to bear).
AltcoinUK, I am not going to set a threshold as high as $112,000 for the donation bounty on that one anonymity invention, even though I think it is a very significant feature. I am just stating what my earning opportunity cost had been inflation-adjusted from 2001. So hopefully the market will understand I am not going to give that feature away for $10,000.
Above I am referring to the work I already did, not any additional work to implement the anonymity design in a coin.
I am not against being paid to help implement this anonymity design, but I think it should be a separate funding because for one reason we don't know yet which coin wants to implement this anonymity design. As I said I will let the community decide if the crowdfunded donations will be for releasing the above design publicly or privately to one coin (such as Monero) for them to get a jumpstart on implementation before they announce and release publicly. I believe the best for the community is to have the white paper released publicly, so that not only can it be peer reviewed by anyone (not just a chosen few) but also coins can compete to implement it first so we get this feature implemented asap. If there is another coin that wants to try to raise donations and have this design be exclusively for this coin, then make a serious post in this thread on how you plan to achieve that.
So I propose to set a minimum crowdfunding donation threshold of $21,000 to release my white paper publicly. The terms I propose are that if the threshold is not reached (and I don't opt to accept the lower threshold reached), or if the white paper is broken such that it can't do what is claimed in the above excerpted Abstract and I can't fix it, then the donations are returned.
I'd really like to receive about $75,000 total for the work already done plus assisting on implementation.
If I am not mistaken, the guy who was selected to optimize Monero's mining algorithm pocketed an alleged $150,000 worth of coins before releasing the optimization generally. I would be quite pleased (and motivated to work in crypto on the donations funding model) if the total donations for the work already done would exceed the threshold and reach roughly $35,000. Yet I propose to set the minimum threshold to $21,000 and we can see if donations exceed it. I am not even sure if we can reach the $21,000 level for this work I did?
Note the extra $1000 over $20,000 is to cover the 4 BTC we donated to Denis Lukianov after I completed my invention.
There appear to be different ways to collect the donations for a crowdfunded campaign. Kickstarter takes only fiat and about 8% fees total, but you get exposure to a wider audience of donators. Monero has some methodology for funding improvements, but the entire process isn't described in full detail, and do we want to make this exclusively for Monero? I didn't find any good crypto crowdfunding platforms. Mike Hearn's Lighthouse has some severe restrictions, such as only 684 donators max and the exact donation amount has to be reached (can't be lower or higher). And Swarm seems to be socialist.
Thus the alternative to Kickstarter appears to be having all donations go to a Bitcoin address controlled by a trusted escrow person (or persons with multi-sig). The escrow would enforce the terms I have proposed. I would nominate smooth but I have not checked with him if he is willing to do this. I would propose to offer him 1% fee for his time and effort, unless he decides to implement this in Aeon in which case he should donate his fee to the implementer or to Denis Lukianov the author of the CCT white paper from which I gained much inspiration (and some discussion) to make this invention (but the invention came only from me). He could counter-propose if he is interested and thinks my proposed terms are not suitable. I would also like to hear from the community who they would nominate to do the escrow, and your general thoughts on how best to proceed.
I also hope that any coin that successfully implements this new anonymity invention also makes some token donation to Denis Lukianov. My angel investors already donated 4 BTC to him thus far. We would probably donate more to him if ever Ion was successfully launched with this anonymity feature.
We could perhaps have both Kickstarter and Bitcoin escrow and sum the two to reach the threshold, but I don't know how we can integrate that with Kickstarter's policies so probably this is not possible.
We could perhaps have two donation addresses, one for those who want public release and another for those who want private release to Monero's chosen few reviewers. You could donate even to both and receive a refund for the losing option.
Note I also invented an improvement to the CCT algorithm (CCT is an alternative to Blockstream's CT) as noted in the excerpted quote from the white paper, but in the unlikely event this improvement is incorrect, my anonymity invention can still be used with the original CCT algorithm, so it would still satisfy the claims of the Abstract.
It appears that my anonymity invention can also be alternatively integrated with Blockstream's CT instead of CCT, but that is not required to meet the claims of the Abstract.
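As an added worked example (my own illustration, not code from the white paper excerpt or from Ion, Monero or CCT), the following Python models sections 2.1 to 2.3 of the excerpt: a committed value V = x·G with fuzz bits below the value, the verifier's homomorphic proof-of-sum check done purely over public points, and the wraparound/negative-value forgery that the NIZKP of section 2.3 exists to exclude. Assumptions: secp256k1 as the curve (the excerpt only says "the ECC base point G"), a 16-bit fuzz width, and the sample amounts. The range proof itself is omitted from the excerpt, so in_range() here is a plaintext stand-in for the property that proof would attest without revealing x; it is not the paper's method.

```python
"""Added worked example, not from the white paper or its author: committed values
V = x*G, the homomorphic proof of sum, and the wraparound / negative-value forgery
that section 2.3 says a range proof must exclude."""

# secp256k1 domain parameters (standard constants). Using this particular curve
# is an assumption of the example; the excerpt only refers to "the base point G".
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order l of G
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity, the group identity
assert (G[1] * G[1] - G[0] ** 3 - 7) % P == 0  # sanity check: G lies on y^2 = x^3 + 7


def ec_add(a, b):
    """Affine point addition on y^2 = x^3 + 7 over F_P (textbook formulas)."""
    if a is INF:
        return b
    if b is INF:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return INF  # a == -b
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P  # tangent slope (doubling)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P  # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, pt=G):
    """Double-and-add scalar multiplication; k is reduced mod N because N*G = INF."""
    k %= N
    acc = INF
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


FUZZ_BITS = 16  # assumed width of the random low-order "sub-satoshi" bits (section 2.1)


def fuzzed(value, fuzz):
    """Section 2.1: the concealed value with random least-significant bits below it."""
    assert 0 <= fuzz < (1 << FUZZ_BITS)
    return (value << FUZZ_BITS) | fuzz


def commit(fuzzed_x):
    """committedValue = V = x*G; this scheme has no separate blinding factor."""
    return ec_mul(fuzzed_x)


def point_sum(points):
    acc = INF
    for p in points:
        acc = ec_add(acc, p)
    return acc


def proof_of_sum_ok(input_commits, output_commits):
    """Section 2.2: the verifier sees only points and checks sum(V_in) == sum(V_out)."""
    return point_sum(input_commits) == point_sum(output_commits)


def in_range(fuzzed_x, n_outputs):
    """Plaintext stand-in for what the section 2.3 NIZKP attests about each output:
    x is a known positive integer below l / (number of outputs). The real proof
    establishes this without revealing x; here x is visible purely to illustrate."""
    return 0 < fuzzed_x < N // n_outputs


def verify(x_ins, x_outs, with_range_proof):
    """Verifier logic; x values are passed only so in_range() can stand in for the NIZKP."""
    vin = [commit(x) for x in x_ins]
    vout = [commit(x) for x in x_outs]
    if not proof_of_sum_ok(vin, vout):
        return False
    if with_range_proof:
        return all(in_range(x, len(x_outs)) for x in x_outs)
    return True


def honest_tx():
    """Sample amounts (assumed): one 100-satoshi input split into 60 + 40; the payer
    picks the change output's fuzz bits so the fuzzed scalars sum exactly."""
    x_in = fuzzed(100, 0xABCD)
    x_out1 = fuzzed(60, 0x1234)
    x_out2 = x_in - x_out1  # == fuzzed(40, 0xABCD - 0x1234)
    return [x_in], [x_out1, x_out2]


def wraparound_tx():
    """Forgery from section 2.3: spend 100 satoshis as 1,000,000 plus an output whose
    scalar is l - (1,000,000 - 100) fuzzed, i.e. a negative value mod l paid back to
    the payer. The output scalars sum to x_in + l, so the point sum still matches."""
    x_in = fuzzed(100, 0xABCD)
    x_big = fuzzed(1_000_000, 0)
    x_neg = (x_in - x_big) % N
    return [x_in], [x_big, x_neg]


if __name__ == "__main__":
    print("honest, sum only   :", verify(*honest_tx(), with_range_proof=False))
    print("honest, with range :", verify(*honest_tx(), with_range_proof=True))
    print("forged, sum only   :", verify(*wraparound_tx(), with_range_proof=False))
    print("forged, with range :", verify(*wraparound_tx(), with_range_proof=True))
```

The honest split passes both checks. The forged split passes the proof of sum alone because the two output scalars sum to x_in + ℓ and ℓ·G is the point at infinity, so a verifier who only sees points cannot distinguish it from an honest transaction; the same output is also the "negative value paid to the payer" case of section 2.3, since ℓ − k acts as −k. Bounding each of n outputs below ℓ/n is exactly what prevents their sum from reaching ℓ, which is why the excerpt states the bound per output as ℓ divided by the number of outputs rather than as a single 64-bit check.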