AppeCoin Anonymous Cryptocurrency Draft

MixNetTwo years ago I posted  about a proposal of to create an anonymous cryptocurrency. This was much time before the ZeroCoin and ZeroCash protocols were proposed. I had moral concerns regarding the idea of an anonymous payment protocol: why such protocol would be needed and who would benefit from the protocol. Adam Back and Gregory Maxwell convinced me that the benefits of financial privacy outperform the problems of money laundering and terrorism financing. My current understanding is that it could be possible to modify the protocol to add ways for law enforcement to track money for certain parties requesting key shares from different independent government departments, but I can’t think of how an open source global cryptocurrency can bootstrap with tracking built-in.  Other researchers may solve those technical problems better that I can do. I suspect that Know-Your-Customer laws for exchangers are the best and only defense one can get for the first years. But if an anonymous cryptocurrency succeeds and it’s widely accepted, then why should people need to exchange their digital assets into fiat currency anyway?

Key Differences between AppeCoin, ZeroCoin, ZeroCash

I cannot talk much about Appecoin as described in the draft. AppeCoin draft was not audited by any crypto expert, nor it’s complete, nor it’s fully formalized. So my draft may contain omissions and mistakes. I can talk about the AppeCoin idea (and hope that the idea survives even if a problem is found in the paper).

AppeCoin is based on simple cryptography: the Decisional Diffie-Helman in the polynomial samples setting, which was shown to be equivalent to the Decisional Diffie–Hellman (DDH) assumption, and also the Representation problem. So it should be easier to verify and trust the (finished) design and implementation of AppeCoin than of ZeroCoin or ZeroHash.

Normally AppeCoin achieves full anonymmization of a certain transaction gradually: each new confirmation block increases the output coins anonymity set size. Each miner shuffles the new coins with some coins of the block-chain, building a sequential Mixnet, and all the mixed coins are returned to the block-chain. When you pay with an unspent coin of the block-chain, the the last shuffle operation it underwent is revealed. In contrast, in ZeroCoin/ZeroCash the anonymity set is maximal immediately: a new coin looks exactly equal to any one in the block-chain when you try to pay with it. This is a trade-off AppeCoin does: it reduces the computational burden of transmitting a coin (and proving ownership of that coin) by increasing the cost of block verification. Nevertheless AppeCoin still allows you to get a user-selectable anonymity set by performing an anonymization operation yourself.

ZeroCoin has the big problem that it requires a trusted phase for bootstrapping which I think you will prevent the coin get widespread adoption. AppeCoin and ZeroCash do not have this problem.

Both AppeCoin and ZeroCash can hide the payed amounts. AppeCoin uses proofs of combinability and divisibility to combine/divide coins without revealing the amounts. ZeroCoin requires denominations, so amounts are not easily protected. It’s also trivially possible to implement AppeCoin with denominations and leave out the combination/division protocols: this reduces the protocol features but at the same time reduces considerably the complexity. As far as I know, ZeroCash can hide any computational property in a coin, which is something very powerful.

I really like the ZeroCash idea, and I hope their coin succeeds. Nevertheless I have doubts about the use of Succinct Non-interactive ARguments of Knowledge (SNARKs) as the security guarantee of the currency, because is SNARKs are too new to have withstood enough cryptography community analysis.

To summarize the key contributions of AppeCoin are:

  • Uses deterministic Universal-encryption to encrypt coins.
  • Uses both public and private shuffles of coins.
  • Uses combinability and divisibility protocols to prepare exact payment amounts without disclosing the amounts.
  • It uses a special cut-and-choose proofs of shuffles where the number of modular exponentiations is independent of the number of coins shuffled (using the Random Subset Test for each round)
  •  Does not require a trusted setup phase.

The paper draft (revision 0.28) can be downloaded here: AppeCoin28

One of the things that could be greatly improved in AppeCoin are the proofs of combinability and divisibility. The main reason I’m releasing the half-finished draft is that I really don’t have time to complete it. I you think you can make a real academic paper out of this draft, and you have the knowledge to do so, write me and I’d gladly co-author it with you.

 

 

 

 

Advertisements

, ,

  1. #1 by cryptoslave on May 1, 2014 - 5:53 pm

    “ZeroCoin has the big problem that it requires a trusted phase for bootstrapping which I think you will prevent the coin get widespread adoption. AppeCoin and ZeroCash do not have this problem.”

    This is not correct AFAIK

    Zerocoin-in-Anoncoin does not have this problem as gnos1s is working on using UFO-RSA without trusted party requirement. http://www.reddit.com/r/Anoncoin/comments/21i1b4/zerocash_does_this_undermine_anoncoins_perks/

    Hence zerocoin using UFOs does not have the problem while zerocash using a secure multiparty computation for the setup has it.

  2. #2 by Adam Back (@adam3us) on February 28, 2015 - 8:47 am

    “Adam Back and Gregory Maxwell convinced me that the benefits of financial privacy outperform the problems of money laundering and terrorism financing.”

    That doesnt really capture what I said. The point is fungibility & privacy are orthogonal properties: you can have either or both properties. Privacy is also known as commercial confidentiality, and businesses will see lack of confidentiality as a barrier to adoption. You can also support investigations at the same time via subpoenas for transacting parties records or keys.

    But as a pre-requisite you need a cryptographic building block that provides unlinkability. Its typically easy to add selective or conditional disclosure.

    I talk about this common misunderstanding in this presentation:

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: