1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
|
Received: from sog-mx-2.v43.ch3.sourceforge.com ([172.29.43.192]
helo=mx.sourceforge.net)
by sfs-ml-3.v29.ch3.sourceforge.com with esmtp (Exim 4.76)
(envelope-from <peter@coinlab.com>) id 1Uy5bn-0003oI-G8
for bitcoin-development@lists.sourceforge.net;
Sat, 13 Jul 2013 19:35:55 +0000
Received-SPF: pass (sog-mx-2.v43.ch3.sourceforge.com: domain of coinlab.com
designates 209.85.220.174 as permitted sender)
client-ip=209.85.220.174; envelope-from=peter@coinlab.com;
helo=mail-vc0-f174.google.com;
Received: from mail-vc0-f174.google.com ([209.85.220.174])
by sog-mx-2.v43.ch3.sourceforge.com with esmtps (TLSv1:RC4-SHA:128)
(Exim 4.76) id 1Uy5bl-0002gu-Cd
for bitcoin-development@lists.sourceforge.net;
Sat, 13 Jul 2013 19:35:55 +0000
Received: by mail-vc0-f174.google.com with SMTP id kw10so8488306vcb.19
for <bitcoin-development@lists.sourceforge.net>;
Sat, 13 Jul 2013 12:35:47 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=google.com; s=20120113;
h=mime-version:in-reply-to:references:from:date:message-id:subject:to
:cc:content-type:x-gm-message-state;
bh=aiXnuSund+JmXqdSdpD1ce25U0q+ufCCky7HiFFj/kc=;
b=RLkuIW9GqZUZ7bwF5YS3Sy4XkIVkeJ0prk4FrPWFXnfIEQATIb1oJRBLURwmuUVggo
yThvysD81zC5a6YeyBHWG7498JYLty++b0KjTl4hKZM2Hn4Qehc68+yD6goiJE6+4kCt
CQ2yrGmd1zphJxuVBke6Y0s3TztiXg+FDTTcuMHduWpwAJ/HqM3NuJKWwL5m/vTKZTvi
LsikFypp+QVrmI7jihF7yCYw/vv5+yVOoUtsPtGZUnjJWLVJP55IMJF8Ve0fKb6pnZXP
OtD8BU1okqQ0Yb3tMZeG5lfDzc1CmV7g9wCYRDgGy4hMDadlQfd5g2zQJcDEw+WCKF/v
ncOA==
X-Received: by 10.220.88.68 with SMTP id z4mr26666583vcl.10.1373740379662;
Sat, 13 Jul 2013 11:32:59 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.220.166.20 with HTTP; Sat, 13 Jul 2013 11:32:39 -0700 (PDT)
In-Reply-To: <CAC1+kJN9G_OcX8+Vr6gLgM+KRNDzYtijjWxwmcA=yrKhU_fWkQ@mail.gmail.com>
References: <20130705140140.GA23949@netbook.cypherspace.org>
<20130712131815.GA18716@petertodd.org>
<CAC1+kJOerE75+rtMHiy27aDLwWC9juAYva4u_iMVihnePTOYig@mail.gmail.com>
<CAC1+kJN9G_OcX8+Vr6gLgM+KRNDzYtijjWxwmcA=yrKhU_fWkQ@mail.gmail.com>
From: Peter Vessenes <peter@coinlab.com>
Date: Sat, 13 Jul 2013 11:32:39 -0700
Message-ID: <CAMGNxUtnYy0qtdRw3Pz2xV9xztEg317MRs0_mNMEWGE5oAxnig@mail.gmail.com>
To: =?ISO-8859-1?Q?Jorge_Tim=F3n?= <jtimon@monetize.io>
Content-Type: multipart/alternative; boundary=047d7b3a89c658005b04e168dbb0
X-Gm-Message-State: ALoCoQkdMhwOftNUpKQs5fnVl1r3TcdLkNy659Z5R72cOjw/77i6FP3/V316lQR4jPR9QZxiXVen
X-Spam-Score: -0.5 (/)
X-Spam-Report: Spam Filtering performed by mx.sourceforge.net.
See http://spamassassin.org/tag/ for more details.
-1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for
sender-domain
-0.0 SPF_PASS SPF: sender matches SPF record
1.0 HTML_MESSAGE BODY: HTML included in message
X-Headers-End: 1Uy5bl-0002gu-Cd
Cc: Bitcoin-Dev <bitcoin-development@lists.sourceforge.net>
Subject: Re: [Bitcoin-development] libzerocoin released,
what about a zerocoin-only alt-coin with either-or mining
X-BeenThere: bitcoin-development@lists.sourceforge.net
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: <bitcoin-development.lists.sourceforge.net>
List-Unsubscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>,
<mailto:bitcoin-development-request@lists.sourceforge.net?subject=unsubscribe>
List-Archive: <http://sourceforge.net/mailarchive/forum.php?forum_name=bitcoin-development>
List-Post: <mailto:bitcoin-development@lists.sourceforge.net>
List-Help: <mailto:bitcoin-development-request@lists.sourceforge.net?subject=help>
List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>,
<mailto:bitcoin-development-request@lists.sourceforge.net?subject=subscribe>
X-List-Received-Date: Sat, 13 Jul 2013 19:35:55 -0000
--047d7b3a89c658005b04e168dbb0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
One very real issue for alt-currencies that don't peg to Bitcoin is that
market liquidity is a bitch. By almost all standards current global Bitcoin
liquidity is already very, very low. Too low for many transactions that
come across my desk at least.
There are a lot of reasons for that low liquidity, but to try and float a
new pair for which the likely initial counter-asset is going to be Bitcoin
means minuscule liquidity.
Peter
On Sat, Jul 13, 2013 at 2:53 AM, Jorge Tim=F3n <jtimon@monetize.io> wrote:
> Sorry about that.
> Maybe more important, what's wrong with bitcoin and zerocoin being
> different currencies with an exchange rate completely decided by the
> market instead of trying to force 1:1 ???
>
>
> On 7/13/13, Jorge Tim=F3n <jtimon@monetize.io> wrote:
> > I'm not sure I understand the whole proposal, but it seems to me that
> > having different characteristics, bitcoins and zerocoins would be
> > different currencies.
> > I don't see the need to peg zerocoins to bitcoins.
> > It is great to have an anonymous p2p currency, maybe some bitcoin
> > users that use bitcoin because of the transparency they allow (public
> > funds expenditures could be more transparent than they have ever been)
> > don't like this hard-fork. Well, maybe this is not the main reason,
> > but I think this could be highly controversial.
> > Maybe everybody likes it, but can you expand more on the
> > justifications to peg the two currencies?
> > If you're requiring one chain look at the othe for validations (miners
> > will have to validate both to mine btc) you don't need the cross-chain
> > contract, you can do it better.
> >
> > Instead of doing this:
> >
> > https://en.bitcoin.it/wiki/Contracts#Example_5:_Trading_across_chains
> >
> > You could do something like this:
> >
> > https://bitcointalk.org/index.php?topic=3D31643.0
> >
> > This very idea has been proposed recently by othe people, but I can't
> > find where.
> >
> > The problem with this is of course scalabilty. Once you do it for what
> > chain, why not the others?
> > You can't validate 100 chains to mine bitcoin even if they're all
> > merged mined: that's asking miners too much.
> > If zerocoin enjoys this privilege why not, for example?
> >
> > As some of you may know, Mark Friedenbach and I are working on a
> > protocol modification to support issuance of arbitrary assets. Would
> > be something like colored coins but better, we're calling it
> > FreiMarkets. Of course these assets are not p2p like bitcoin or
> > freicoin themselves: they have a centralized issuer.
> > But if you allowed to sacrifice real bitcoins (as opposed to IOUs
> > denominated in BTC like you have, for example, in ripple) so they
> > appear in Freicoin's chain and turn them back, you could have p2p
> > bitcoins inside Freicoin's chain.
> > Maybe ripplers want that too. If FreiMarkets prove to work well on
> > freicoin and be scalable enough, maybe a lot of scamcoins apply the
> > hardfork too and they want to have p2p btc in their chain as well.
> >
> > Maybe I could have explained this without even mentioning FreiMarkets,
> > but my point is that you're asking for a lot like it was nothing.
> > Zerocoin-bitcoin fungibility hardfork is opening a little pandora's
> > box. Are we ready?
> >
> > I was waiting for others to comment and I'm surprised that no one else
> > has made any objection yet. But if no one's going to point out the
> > controvery that is so obvious to me, I feel almost like a
> > responsability to act like a Devil's advocate here.
> > So if you make bitcoin and zerocoin fungible, I want bitcoins to be
> > transferrable to freicoin's chain. And I warn you there will be many
> > more people asking for the same thing on other chains. What criteria
> > will we have to say yes or no?
> > More
> >
> >
> >
> > On 7/12/13, Peter Todd <pete@petertodd.org> wrote:
> >> On Fri, Jul 05, 2013 at 04:01:40PM +0200, Adam Back wrote:
> >>> Do people think that should work? It seems to me it should with
> >>> minimal,
> >>> bitcoin changes. I think the rule for either-or mining should be as
> >>> simple
> >>> as skipping the value / double-spend validation of the blocks that ar=
e
> >>> zerocoin mining blocks. Obviously zerocoin blocks can themselves end
> up
> >>> on
> >>> forks, that get resolved, but that fork resolution can perhaps be
> >>> shared?
> >>>
> >>> (Because the fork resolution is simply to accept the longest fork).
> >>
> >> Yeah, there's been a lot of doom and gloom about zerocoin that is
> >> frankly unwarrented. For instance people seem to think it's impossible
> >> to make a blockchain with zerocoin due to the long time it takes to
> >> verify transactions, about 1.5 seconds, and never realize that
> >> verification can be parallelized.
> >>
> >> Anyway the way to do it is to get out of the model of large blocks and
> >> think about individual transactions. Make each transaction into its ow=
n
> >> block, and have each transaction refer to the previous one in history.
> >> (zerocoin is inherently linear due to the anonymity)
> >>
> >> Verification does *not* need to be done by every node on every
> >> transaction. Make the act of creating a transaction cost something and
> >> include the previous state of the accumulator as part of a transaction=
.
> >> Participants verify some subset of all transactions, and should they
> >> find fraud they broadcast a proof. Optionally, but highly recomended,
> >> make it profitable to find fraud, being careful to ensure that it's
> >> never profitable to create fraud then find it yourself.
> >>
> >> Anyway Bitcoin is limited to 7tx/s average so even without probabalist=
ic
> >> verification it'd be perfectly acceptable to just limit transactions t=
o
> >> one every few seconds provided you keep your "blocksize" down to one
> >> transaction so the rate isn't bursty. You're going to want to be
> >> cautious about bandwidth requirements anyway to make sure participants
> >> can stay anonymous.
> >>
> >> As you suggest creating zerocoins from provably sacrificing bitcoins i=
s
> >> the correct approach. The consensus algorithm should be that you
> >> sacrifice zerocoins (specifically fractions there-of - note how I'm
> >> assuming support for non-single-zerocoin amounts) and whatever chain h=
as
> >> the highest total sacrifice wins. One way to think about
> >> proof-of-sacrifice is it's really proof-of-work, transferred. It also
> >> has the *big* advantage that to double-spend, or for that matter 51% t=
he
> >> chain, you have to outspend everyone with a stake in the viability of
> >> the blockchain: they can sacrifice their zerocoins to combat you. In t=
he
> >> case of a double-spend to rip off an online merchant the total amount
> >> you could profit is the same as the total amount they would rationally
> >> spend to stop you, and soon there will be collateral damage too
> >> increasing the amount third-parties are willing to sacrifice to stop
> >> you. You can't win.
> >>
> >> Of course, this does mean that even unsuccesful sacrifices need to be
> >> costly. You can make this acceptable to users by allowing a sacrifice =
to
> >> be reused, but only for the exact same transaction it was originally
> >> committed to.
> >>
> >> Sacrifices in this manner are *not* proof of stake. You really are
> >> giving up something by publishing the information that proves you made
> >> the sacrifice as that information can always be included in the
> >> consensus thereby taking away a limited resource. (your zerocoins) It'=
s
> >> more heavily dependent on jam-free networks, and doesn't play nice wit=
h
> >> SPV, but zero-knowledge proofs will may help the latter. (you've got
> >> Bitcoin itself to act as a random beacon remember)
> >>
> >> Speaking of, another similar approach is to take advantage of how a
> >> Bitcoin sacrifice can be made publicly visible. Create a txout of some
> >> value like the following:
> >>
> >> OP_RETURN <prev-ztc-blockhash> <blockhash> <ztc-created>
> >>
> >> Now even if you fail to publish your blocks, at least the whole world
> >> knows how much they need to outspend to be sure you can't 51% attack t=
he
> >> network. This approach and not-btc sacrifices can go hand in hand too,
> >> especially if nodes follow rules where they consider btc txout
> >> sacrifices as "fixed" and only subject to change by the bitcoin
> >> blockchain re-organizing. Advantages and disadvantages to both
> >> approaches. (remember that visible tx's can be censored by miners)
> >>
> >> Sacrifice to mining fees may be acceptable in the future too, but only
> >> if OP_DEPTH is implemented so as to not give Bitcoin miners bad
> >> incentives. (the sacrificed coins should go to fees *months* or even
> >> *years* after they have been sacrificed)
> >>
> >> Turning zerocoins back into Bitcoins is just supply and demand: sell
> >> them. You'll always lose a bit given by definition the maximum exchang=
e
> >> rate is 1:1, but anonymity may be worth it. Others have written about
> >> cross-chain trading protocols, and I'll point out they are easier to
> >> implement if one chain has full visibility into what's happening on th=
e
> >> other; zerocoin is most likely to be implemented as an extension to th=
e
> >> bitcoin client itself.
> >>
> >> Finally if the transaction rate is too slow there's nothing wrong with
> >> running multiple parallel zerocoin blockchains, although given the
> >> usecase of moving your funds through zerocoin for anonymity, and using
> >> the clean coins that come out the other side, there's no reason to thi=
nk
> >> the zerocoin chain transaction rate needs to be especially high anyway=
.
> >>
> >> --
> >> 'peter'[:-1]@petertodd.org
> >> 0000000000000013b2f7ee77027f583b765ad9811dfe3d0adc801e295fd9acdf
> >>
> >
> >
> > --
> > Jorge Tim=F3n
> >
> > http://freico.in/
> >
>
>
> --
> Jorge Tim=F3n
>
> http://freico.in/
>
>
> -------------------------------------------------------------------------=
-----
> See everything from the browser to the database with AppDynamics
> Get end-to-end visibility with application monitoring from AppDynamics
> Isolate bottlenecks and diagnose root cause in seconds.
> Start your free trial of AppDynamics Pro today!
> http://pubads.g.doubleclick.net/gampad/clk?id=3D48808831&iu=3D/4140/ostg.=
clktrk
> _______________________________________________
> Bitcoin-development mailing list
> Bitcoin-development@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/bitcoin-development
>
--=20
------------------------------
[image: CoinLab Logo]PETER VESSENES
CEO
*peter@coinlab.com * / 206.486.6856 / SKYPE: vessenes
900 Winslow Way East / SUITE 100 / Bainbridge Island, WA 98110
--047d7b3a89c658005b04e168dbb0
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
<div dir=3D"ltr">One very real issue for alt-currencies that don't peg =
to Bitcoin is that market liquidity is a bitch. By almost all standards cur=
rent global Bitcoin liquidity is already very, very low. Too low for many t=
ransactions that come across my desk at least.<div>
<br></div><div>There are a lot of reasons for that low liquidity, but to tr=
y and float a new pair for which the likely initial counter-asset is going =
to be Bitcoin means minuscule liquidity.=A0</div><div><br></div><div>Peter<=
/div>
<div><br></div></div><div class=3D"gmail_extra"><br><br><div class=3D"gmail=
_quote">On Sat, Jul 13, 2013 at 2:53 AM, Jorge Tim=F3n <span dir=3D"ltr">&l=
t;<a href=3D"mailto:jtimon@monetize.io" target=3D"_blank">jtimon@monetize.i=
o</a>></span> wrote:<br>
<blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1p=
x #ccc solid;padding-left:1ex">Sorry about that.<br>
Maybe more important, what's wrong with bitcoin and zerocoin being<br>
different currencies with an exchange rate completely decided by the<br>
market instead of trying to force 1:1 ???<br>
<div class=3D"HOEnZb"><div class=3D"h5"><br>
<br>
On 7/13/13, Jorge Tim=F3n <<a href=3D"mailto:jtimon@monetize.io">jtimon@=
monetize.io</a>> wrote:<br>
> I'm not sure I understand the whole proposal, but it seems to me t=
hat<br>
> having different characteristics, bitcoins and zerocoins would be<br>
> different currencies.<br>
> I don't see the need to peg zerocoins to bitcoins.<br>
> It is great to have an anonymous p2p currency, maybe some bitcoin<br>
> users that use bitcoin because of the transparency they allow (public<=
br>
> funds expenditures could be more transparent than they have ever been)=
<br>
> don't like this hard-fork. Well, maybe this is not the main reason=
,<br>
> but I think this could be highly controversial.<br>
> Maybe everybody likes it, but can you expand more on the<br>
> justifications to peg the two currencies?<br>
> If you're requiring one chain look at the othe for validations (mi=
ners<br>
> will have to validate both to mine btc) you don't need the cross-c=
hain<br>
> contract, you can do it better.<br>
><br>
> Instead of doing this:<br>
><br>
> <a href=3D"https://en.bitcoin.it/wiki/Contracts#Example_5:_Trading_acr=
oss_chains" target=3D"_blank">https://en.bitcoin.it/wiki/Contracts#Example_=
5:_Trading_across_chains</a><br>
><br>
> You could do something like this:<br>
><br>
> <a href=3D"https://bitcointalk.org/index.php?topic=3D31643.0" target=
=3D"_blank">https://bitcointalk.org/index.php?topic=3D31643.0</a><br>
><br>
> This very idea has been proposed recently by othe people, but I can=
9;t<br>
> find where.<br>
><br>
> The problem with this is of course scalabilty. Once you do it for what=
<br>
> chain, why not the others?<br>
> You can't validate 100 chains to mine bitcoin even if they're =
all<br>
> merged mined: that's asking miners too much.<br>
> If zerocoin enjoys this privilege why not, for example?<br>
><br>
> As some of you may know, Mark Friedenbach and I are working on a<br>
> protocol modification to support issuance of arbitrary assets. Would<b=
r>
> be something like colored coins but better, we're calling it<br>
> FreiMarkets. Of course these assets are not p2p like bitcoin or<br>
> freicoin themselves: they have a centralized issuer.<br>
> But if you allowed to sacrifice real bitcoins (as opposed to IOUs<br>
> denominated in BTC like you have, for example, in ripple) so they<br>
> appear in Freicoin's chain and turn them back, you could have p2p<=
br>
> bitcoins inside Freicoin's chain.<br>
> Maybe ripplers want that too. If FreiMarkets prove to work well on<br>
> freicoin and be scalable enough, maybe a lot of scamcoins apply the<br=
>
> hardfork too and they want to have p2p btc in their chain as well.<br>
><br>
> Maybe I could have explained this without even mentioning FreiMarkets,=
<br>
> but my point is that you're asking for a lot like it was nothing.<=
br>
> Zerocoin-bitcoin fungibility hardfork is opening a little pandora'=
s<br>
> box. Are we ready?<br>
><br>
> I was waiting for others to comment and I'm surprised that no one =
else<br>
> has made any objection yet. But if no one's going to point out the=
<br>
> controvery that is so obvious to me, I feel almost like a<br>
> responsability to act like a Devil's advocate here.<br>
> So if you make bitcoin and zerocoin fungible, I want bitcoins to be<br=
>
> transferrable to freicoin's chain. And I warn you there will be ma=
ny<br>
> more people asking for the same thing on other chains. What criteria<b=
r>
> will we have to say yes or no?<br>
> More<br>
><br>
><br>
><br>
> On 7/12/13, Peter Todd <<a href=3D"mailto:pete@petertodd.org">pete@=
petertodd.org</a>> wrote:<br>
>> On Fri, Jul 05, 2013 at 04:01:40PM +0200, Adam Back wrote:<br>
>>> Do people think that should work? =A0It seems to me it should =
with<br>
>>> minimal,<br>
>>> bitcoin changes. =A0I think the rule for either-or mining shou=
ld be as<br>
>>> simple<br>
>>> as skipping the value / double-spend validation of the blocks =
that are<br>
>>> zerocoin mining blocks. =A0Obviously zerocoin blocks can thems=
elves end up<br>
>>> on<br>
>>> forks, that get resolved, but that fork resolution can perhaps=
be<br>
>>> shared?<br>
>>><br>
>>> (Because the fork resolution is simply to accept the longest f=
ork).<br>
>><br>
>> Yeah, there's been a lot of doom and gloom about zerocoin that=
is<br>
>> frankly unwarrented. For instance people seem to think it's im=
possible<br>
>> to make a blockchain with zerocoin due to the long time it takes t=
o<br>
>> verify transactions, about 1.5 seconds, and never realize that<br>
>> verification can be parallelized.<br>
>><br>
>> Anyway the way to do it is to get out of the model of large blocks=
and<br>
>> think about individual transactions. Make each transaction into it=
s own<br>
>> block, and have each transaction refer to the previous one in hist=
ory.<br>
>> (zerocoin is inherently linear due to the anonymity)<br>
>><br>
>> Verification does *not* need to be done by every node on every<br>
>> transaction. Make the act of creating a transaction cost something=
and<br>
>> include the previous state of the accumulator as part of a transac=
tion.<br>
>> Participants verify some subset of all transactions, and should th=
ey<br>
>> find fraud they broadcast a proof. Optionally, but highly recomend=
ed,<br>
>> make it profitable to find fraud, being careful to ensure that it&=
#39;s<br>
>> never profitable to create fraud then find it yourself.<br>
>><br>
>> Anyway Bitcoin is limited to 7tx/s average so even without probaba=
listic<br>
>> verification it'd be perfectly acceptable to just limit transa=
ctions to<br>
>> one every few seconds provided you keep your "blocksize"=
down to one<br>
>> transaction so the rate isn't bursty. You're going to want=
to be<br>
>> cautious about bandwidth requirements anyway to make sure particip=
ants<br>
>> can stay anonymous.<br>
>><br>
>> As you suggest creating zerocoins from provably sacrificing bitcoi=
ns is<br>
>> the correct approach. The consensus algorithm should be that you<b=
r>
>> sacrifice zerocoins (specifically fractions there-of - note how I&=
#39;m<br>
>> assuming support for non-single-zerocoin amounts) and whatever cha=
in has<br>
>> the highest total sacrifice wins. One way to think about<br>
>> proof-of-sacrifice is it's really proof-of-work, transferred. =
It also<br>
>> has the *big* advantage that to double-spend, or for that matter 5=
1% the<br>
>> chain, you have to outspend everyone with a stake in the viability=
of<br>
>> the blockchain: they can sacrifice their zerocoins to combat you. =
In the<br>
>> case of a double-spend to rip off an online merchant the total amo=
unt<br>
>> you could profit is the same as the total amount they would ration=
ally<br>
>> spend to stop you, and soon there will be collateral damage too<br=
>
>> increasing the amount third-parties are willing to sacrifice to st=
op<br>
>> you. You can't win.<br>
>><br>
>> Of course, this does mean that even unsuccesful sacrifices need to=
be<br>
>> costly. You can make this acceptable to users by allowing a sacrif=
ice to<br>
>> be reused, but only for the exact same transaction it was original=
ly<br>
>> committed to.<br>
>><br>
>> Sacrifices in this manner are *not* proof of stake. You really are=
<br>
>> giving up something by publishing the information that proves you =
made<br>
>> the sacrifice as that information can always be included in the<br=
>
>> consensus thereby taking away a limited resource. (your zerocoins)=
It's<br>
>> more heavily dependent on jam-free networks, and doesn't play =
nice with<br>
>> SPV, but zero-knowledge proofs will may help the latter. (you'=
ve got<br>
>> Bitcoin itself to act as a random beacon remember)<br>
>><br>
>> Speaking of, another similar approach is to take advantage of how =
a<br>
>> Bitcoin sacrifice can be made publicly visible. Create a txout of =
some<br>
>> value like the following:<br>
>><br>
>> =A0 =A0 OP_RETURN <prev-ztc-blockhash> <blockhash> <=
;ztc-created><br>
>><br>
>> Now even if you fail to publish your blocks, at least the whole wo=
rld<br>
>> knows how much they need to outspend to be sure you can't 51% =
attack the<br>
>> network. This approach and not-btc sacrifices can go hand in hand =
too,<br>
>> especially if nodes follow rules where they consider btc txout<br>
>> sacrifices as "fixed" and only subject to change by the =
bitcoin<br>
>> blockchain re-organizing. Advantages and disadvantages to both<br>
>> approaches. (remember that visible tx's can be censored by min=
ers)<br>
>><br>
>> Sacrifice to mining fees may be acceptable in the future too, but =
only<br>
>> if OP_DEPTH is implemented so as to not give Bitcoin miners bad<br=
>
>> incentives. (the sacrificed coins should go to fees *months* or ev=
en<br>
>> *years* after they have been sacrificed)<br>
>><br>
>> Turning zerocoins back into Bitcoins is just supply and demand: se=
ll<br>
>> them. You'll always lose a bit given by definition the maximum=
exchange<br>
>> rate is 1:1, but anonymity may be worth it. Others have written ab=
out<br>
>> cross-chain trading protocols, and I'll point out they are eas=
ier to<br>
>> implement if one chain has full visibility into what's happeni=
ng on the<br>
>> other; zerocoin is most likely to be implemented as an extension t=
o the<br>
>> bitcoin client itself.<br>
>><br>
>> Finally if the transaction rate is too slow there's nothing wr=
ong with<br>
>> running multiple parallel zerocoin blockchains, although given the=
<br>
>> usecase of moving your funds through zerocoin for anonymity, and u=
sing<br>
>> the clean coins that come out the other side, there's no reaso=
n to think<br>
>> the zerocoin chain transaction rate needs to be especially high an=
yway.<br>
>><br>
>> --<br>
>> 'peter'[:-1]@<a href=3D"http://petertodd.org" target=3D"_b=
lank">petertodd.org</a><br>
>> 0000000000000013b2f7ee77027f583b765ad9811dfe3d0adc801e295fd9acdf<b=
r>
>><br>
><br>
><br>
> --<br>
> Jorge Tim=F3n<br>
><br>
> <a href=3D"http://freico.in/" target=3D"_blank">http://freico.in/</a><=
br>
><br>
<br>
<br>
--<br>
Jorge Tim=F3n<br>
<br>
<a href=3D"http://freico.in/" target=3D"_blank">http://freico.in/</a><br>
<br>
---------------------------------------------------------------------------=
---<br>
See everything from the browser to the database with AppDynamics<br>
Get end-to-end visibility with application monitoring from AppDynamics<br>
Isolate bottlenecks and diagnose root cause in seconds.<br>
Start your free trial of AppDynamics Pro today!<br>
<a href=3D"http://pubads.g.doubleclick.net/gampad/clk?id=3D48808831&iu=
=3D/4140/ostg.clktrk" target=3D"_blank">http://pubads.g.doubleclick.net/gam=
pad/clk?id=3D48808831&iu=3D/4140/ostg.clktrk</a><br>
_______________________________________________<br>
Bitcoin-development mailing list<br>
<a href=3D"mailto:Bitcoin-development@lists.sourceforge.net">Bitcoin-develo=
pment@lists.sourceforge.net</a><br>
<a href=3D"https://lists.sourceforge.net/lists/listinfo/bitcoin-development=
" target=3D"_blank">https://lists.sourceforge.net/lists/listinfo/bitcoin-de=
velopment</a><br>
</div></div></blockquote></div><br><br clear=3D"all"><div><br></div>-- <br>=
<div dir=3D"ltr"><br><hr style=3D"font-family:Times;font-size:medium;border=
-right-width:0px;border-bottom-width:0px;border-left-width:0px;border-top-s=
tyle:solid;border-top-color:rgb(204,204,204);margin:10px 0px">
<p style=3D"font-size:medium;font-family:Helvetica,sans-serif;line-height:1=
em"><span style=3D"color:rgb(50,90,135);text-transform:uppercase"><img src=
=3D"http://coinlab.com/static/images/email_logo.jpg" align=3D"right" alt=3D=
"CoinLab Logo" width=3D"130">PETER=A0<span style=3D"font-weight:bold">VESSE=
NES=A0</span><br>
<span style=3D"color:rgb(96,58,23);font-size:0.8em">CEO</span></span></p><p=
style=3D"font-size:medium;font-family:Helvetica,sans-serif;line-height:1em=
"><span style=3D"color:rgb(96,58,23);font-size:0.9em"><strong><a href=3D"ma=
ilto:peter@coinlab.com" style=3D"text-decoration:none;color:rgb(96,58,23)" =
target=3D"_blank">peter@coinlab.com</a>=A0</strong>=A0/=A0=A0206.486.6856 =
=A0/=A0<span style=3D"font-size:0.7em;text-transform:uppercase">SKYPE:</spa=
n>=A0vessenes=A0</span><br>
<span style=3D"color:rgb(96,58,23);font-size:0.7em;text-transform:uppercase=
">900 Winslow Way East / SUITE 100 =A0/ =A0Bainbridge Island, WA 98110</spa=
n></p></div>
</div>
--047d7b3a89c658005b04e168dbb0--
|