Zerocoin (ZC) requires a trusted party to generate the parameters, thus it is the antithesis of decentralized, so you have a logical error above.
ZC initialized with an RSA UFO has no trusted initialization, in fact they make the updates much larger but that's harmless for data not going in the blockchain. Additionally if you do use the efficient trusted initialization the ZC accumulator approach still has perfect zero knowledge. Compromise of the state allows someone to make false proofs (DoS attacks in this context). Though these points are not terribly relevant because I wasn't talking about the ZC approach.
I was aware of the RFC UFO claim from the ZC research paper, but Adam Back's comments seem to imply (?) it isn't a realistic option (so to save time I trusted what I interpreted to be his expert opinion). I just now skimmed this research paper:
http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.28.4015&rep=rep1&type=pdf
Efficient Accumulators Without Trapdoor Extended Abstract
Tomas Sander
There are some assumptions made which I would need to think more deeply about.
Apparently there is some reason ZC did not adopt the UFO approach by default. I suppose those assumptions have not been sufficiently attacked by cryptanalysis yet.
Compromise of the trusted PQ in ZC allows the trusted party to double-spend coins. Thus I assume for the CoinJoin case, it would cause the number of outputs to not match inputs, so thus a form of DOS.
I'm glad you've admitted that your proposal for CoinJoin employing ZC doesn't work decentralized, unless UFOs are a valid solution (are they and why?).
On further reading, apparently UFOs are impractical because there isn't an entropy source that can be trusted to be random over such large domains. Please feel free to correct me if I am mistaken about the requirement.
We shift our unreliability of trust from unknowing if someone intercepted the computation of N = PQ to the unreliability of unknowing whether our input entropy could be attacked at any time in the future.
The research paper suggests in "2.1 On the generation of public random strings" to use stock market data, but there is hidden periodicity in the stock market data:
Just in case you believe that guy's model is nonsense, then you can try to explain how his cyclic model has predicted (in advance, this isn't just a model that fits what happened) everything accurately: