Does the ZeroCoin protocol fulfill its promise of anonymity?

16

2

Zerocoin is a new cryptographic extension to Bitcoin that (if adopted) would bring true cryptographic anonymity to Bitcoin.

Has anyone seriously analyzed the protocol and verified it works as advertised?

ripper234

Posted 2013-04-13T16:44:15.707

Reputation: 25 192

Answers

6

I hope so. I'm going to look pretty stupid if it isn't actually anonymous. The paper contains a sketch of a proof that the system is in fact anonymous. That is verifiable. Indeed, to get published, other academics had to look at it. Now that the paper is public, even more will. If there is a problem with the proof, someone will point it out.

As others have said, the main question is efficiency and that is probably fixable with further research and engineering.

imichaelmiers

Posted 2013-04-13T16:44:15.707

Reputation: 266

2 You're one of the paper's authors, correct? Am I correct that there isn't a public release of source code? - Nick ODell 2013-04-14T16:42:22.860

2 Yes, I am. No, there is not yet. We have to clean up the prototype code we wrote before we release it. - imichaelmiers 2013-04-14T17:17:23.613

If this is true, and the implementation is "scalable enough", then this is great news for Bitcoin. Looking forward to seeing it adopted, and using it myself. - ripper234 2013-04-14T23:24:06.067

6

This is the zerocoin paper, but as far as I can tell, they haven't released source code yet, so all we can really do is speculate.

The single largest problem it has is that a zerocoin spend requires about 100x more disk space/bandwidth/CPU than a normal bitcoin transaction. However, the intended use case is that you use normal bitcoin transactions most of the time, then run through zerocoin when you want more anonymity.

Second, because all zerocoins are indistinguishable, they must either

  1. all be the same denomination, which sucks for people making very large transactions and for people making very small transactions, or
  2. have a handful of predefined denominations, like 1-zerocoins, 10-zerocoins, etc. The problem with this is that it reduces your anonymity set.

As far as security/anonymity goes, I believe that they have a workable system unless there's some problem with their zero-knowledge proof, which I've repeated below.

[Image: zerocoin proof]

Nick ODell

Posted 2013-04-13T16:44:15.707

Reputation: 26 536