We should be delighted there is so much competition going on in the nascent anonymity coin arena. It can only help us attain the best possible solutions.
AnonyMint, what is your opinion on Darkcoin? Does it fulfill many / any of the true requirements of an anonymous coin? It seems to be getting a lot of attention at the moment. I would search the thread, but there doesn't seem to be a thread search facility on here...
The following statements on Darkcoin were accurate to the best of my knowledge as of about 5 days ago. Any significant changes to the design since then are not considered.
Darkcoin obscures linkability between payer and payee to the degree that the master nodes are not Sybil attacked. There is some economic mechanism to try to achieve Sybil resistance, but there is some uncertainty about that. Also the collateral payment is used to overcome an inherent weakness in CoinJoin (which I was first to articulate), and there is some uncertainty about whether these could be stolen. I would characterize that uncertainty as moderate to very mild (meaning no one is saying, "this sucks", rather just analyzing). I personally did not attempt to dig deeper into the analysis of that uncertainty (I don't have time).
I have provided a suggestion to the developer to investigate traceable ring signatures as a potential solution to eliminate both master node's need to see both payer and payee and to eliminate the collateral payment. I don't know if or when that suggestion might be fruitful for Darkcoin.
Darkcoin does not protect the anonymity of the master node.
Darkcoin does not address traceability of the IP address to the transaction. It, like all other coins except anoncoin, thus far assumes the user uses Tor or a VPN to obscure their IP address. I have pointed out with citations that many question whether Tor, VPNs, and I2P (anoncoin's mixnet choice) are honey pots. I said some might assume they are anonymous 80 - 95% of the time, and others might pull 50% out of their arse because no one really knows (except maybe the NSA). Do you want 5 - 50% of your transactions to lose anonymity?
You can run your coins through Darksends numerous times to raise the odds of being anonymous. I posted some sample calculations in the Darkcoin thread.
So I consider it to be a legitimate effort that avoids the criticisms I made against ZeroCash. I am not making a recommendation.
Note I think ZeroCash is an astonishing technological achievement, and very noteworthy. It probably has applications in side-economies where absolute lack of knowledge is desired. But it doesn't seem to be the right choice for the global economy for the very serious reasons I stated upthread. Perhaps they should make a variant that simply fixes ZeroCoin's weaknesses and doesn't go for the hiding of all coins, the money supply, and all activity entirely. However, some people might decide they don't care if the money supply isn't ever knowable ("to the moon" inflation is an acceptable risk to them) and they might choose to trust a public ceremony setup and they may ignore the fact that the cryptography is very new, very complex, and insufficiently vetted (this takes years in cryptanalysis land). I think that would be unwise. They would also be ignoring the likely centralization of mining that would be required to support micro payments with ZeroCash's slow 115 transaction verifications per i7 cpu core. Also I forgot to state upthread that ZeroCash adds an additional 3 minute delay to transactions. Also I forgot to mention upthread that one benefit of ZeroCash is the transaction amounts don't have to be all the same when mixing spends with the other coins in order to obscure payee and payer, because the amounts are hidden as well.
I already have an idea how to fix the issue of not having reliability with Tor, VPN, or I2P. And I have seen cryptography for the block chain which does payer and payee mixing without the caveats I just stated about Darkcoin.
So I think Darkcoin is a legitimate effort and may even improve over time. I also think a superior altcoin may possibly come soon (and I may not even be involved since I tell you that some of the technology I am writing about was not coming from me). Please make sure you check the facts for yourself at the time such facts are well elucidated.
This post is a quick summary of my thoughts on this matter. I don't want to write an essay now.
I am trying to answer questions while I also prefer such very technical questions to be properly answered in whitepapers. It is difficult for me to give the best in depth technical answers in a forum post. Especially when you consider that I am working and trying to prove out things right now, so it is difficult to speak before it is the proper time to do so.
My prior summary:
The summary thus far of my analysis of Darksend is that Evan has put into place adequate mechanisms to disincentivize theft of the collateral payments and to disincentivize Sybil attacking the inputs to a Darksend with legitimate Darksends.
The weaknesses (w.r.t. anonymity) are that Masternodes can be purchased and if the adversary has too many of them, they can reduce your probability of anonymity unless you send your funds through dozens of Darksends between each receipt or spend transaction. If the adversary controlled 90% of the Masternodes, it would be nearly impossible to be anonymous more than say 99% of the time, i.e. 1 in 100 of your spends would lose anonymity. Evan argues that attaining a lot of Masternodes is too expensive. Well probably so for the common criminal, but I am not convinced that is so for the NSA.
1 in 100 may not sound bad, but remember that loss of anonymity tends to domino cascade (for the holistic reasons I pointed out in my reply to LimLims on this page). And that is for the person who is extremely diligent to do dozens of Darksends between each spend. Most users are not so perfectionist. So for them anonymity could drop significantly if the adversary has such huge resources.
The other weakness is that it is not yet mandatory to use an IP mixer such as Tor with Darksend, and if not all of the participants to the Darksend are obfuscating their IP, then the anonymity probability declines. Note that even if Darksend makes Tor mandatory, Tor is not the best we can do for an IP mixer. It is unknown how effective Tor is. Some might estimate 80 - 95%. Others might pull 50% out of their arse. I really don't know, but I don't trust Tor entirely. This combined with say 20% of the Masternodes compromised (and a little bit of normal human error on your part such as forgetting to send dozens of Darksends for each coin you receive) can also make it unrealistic to repeatedly sustain very military grade strength of anonymity. (But who said you wanted military grade assurance? Some do, some may not require it.)
Darksend has anonymity. Darkcoin is an anonymity coin. The strength of the anonymity depends on the resources and resolve of the adversary versus the Darkcoin user.
I am still trying to think of suggestions to improve it.
I hope readers find my posts helpful?
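A toy independence model of the trace-probability reasoning in the post above (added here as an illustration; it is not the poster's own calculation and not code from the Darkcoin project). It assumes each Darksend independently passes through an adversary-controlled masternode with probability equal to the compromised fraction, that a spend is traced only if every round did, and that IP-level obfuscation (Tor/VPN) is a separate independent factor with an assumed effectiveness rate.

```python
from math import ceil, log


def trace_probability(compromised_fraction, rounds):
    """P(spend traced) under the independence assumption: the adversary
    links payer to payee only if every one of `rounds` Darksends passed
    through a masternode it controls."""
    return compromised_fraction ** rounds


def rounds_for_anonymity(compromised_fraction, target):
    """Smallest number of Darksends that keeps P(traced) at or below
    1 - target, e.g. target=0.99 means at most 1 spend in 100 traced.
    Returns None when the adversary controls every masternode (no
    number of rounds helps)."""
    if compromised_fraction <= 0.0:
        return 1
    if compromised_fraction >= 1.0:
        return None
    return ceil(log(1.0 - target) / log(compromised_fraction))


def anonymity_with_ip_layer(compromised_fraction, rounds, ip_obfuscation_rate):
    """Probability a spend stays anonymous when masternode mixing and
    IP-level obfuscation are treated as independent and both must hold.
    ip_obfuscation_rate is an assumed effectiveness (constructed value),
    e.g. 0.8 for the '80%' guess in the post."""
    mixing_holds = 1.0 - trace_probability(compromised_fraction, rounds)
    return mixing_holds * ip_obfuscation_rate


if __name__ == "__main__":
    # Adversary with 90% of masternodes: how many Darksends for 99%?
    print("rounds needed at 90% compromised:", rounds_for_anonymity(0.9, 0.99))
    # Careless user doing a single Darksend under the 20% / Tor-80% scenario.
    print("one Darksend, 20% compromised, Tor 80%:",
          round(anonymity_with_ip_layer(0.2, 1, 0.8), 3))
    print("three Darksends, same scenario:",
          round(anonymity_with_ip_layer(0.2, 3, 0.8), 3))
```

Under these assumptions the 90% case needs 44 rounds to reach the 1-in-100 level, which is the "dozens of Darksends" in the post, while the 20% case needs only 3.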
ZeroCash is going public in a few months time ~20 May. Regardless of whether they have anything tangible or just a published paper, I don't think they will have beta-test level code then.
This is about not being drowned out and then being considered a clone.
No way Darkcoin can be considered a clone, as Zerocash completely hides the payer, payee, and the amount of transactions. The block chain is a complete fog. Zerocoin doesn't do this.
Zerocash will have some positive spin. They will talk about e-cash and anonymity.
They will make the point I just wrote above.
What they won't talk about are the problems with the project.
The main weakness of Zerocash is it adds an additional 3 minutes between check out and completion of payment. (Add that on top of Bitcoin's 10 - 60 minutes, or Litecoin's 2.5 - 15 minutes). Zerocoin doesn't have this problem.
The main weakness of Zerocash and Zerocoin is that they depend on new crypto which hasn't been subjected to years of cryptanalysis, and if you put it on the block chain and it is later cracked, the entire coin is potentially F.U.B.A.R.
Whereas Darksends are offchain! Even if you crack the crypto of Darksend (which uses very old well vetted crypto), the block chain remains uncracked!
The other weakness of Zerocash and Zerocoin is they depend on a trusted party to create the master parameters. If anyone retains that information (even if they snooped it using the NSA's air gap detection mechanisms), in the case of Zerocash they can create unlimited coins and nobody will even know it! In other words, the coin supply becomes unknowable!! I am not exaggerating!!
Another counter point may be that each Zerocash transaction takes 9ms to verify (500ms for Zerocoin). Thus they can only put 115 transactions in a block per second per core of the CPU on the miner. Visa does 2,000 - 4,000 transactions per second, so for Zerocash to scale to global transactions needs 40 CPU cores per miner (e.g. 10 Core i7 CPUs), not including denial-of-service transaction spam. Transaction spam could be really bad if they don't have a transaction fee or other means to control it. Anyway, 40 CPU cores is not really a big problem if mining will be done only in pools.
But crypto-currencies are hoping to enable microtransactions, thus the transactions per second would explode by orders-of-magnitude.
Thus it appears to me Zerocash is incompatible with microtransactions unless mining becomes very centralized among a few powerful pools.
Centralization of mining is a severe problem with Bitcoin having one, two or three pools with 51% of the hash power now.