Show HN: Logcoin – Toy crypto-currency based on a zero-knowledge protocol (opens in new tab)

(github.com)

25 pointssynapticrelease10y ago15 comments

15 comments

Some thoughts:

Why did you pick a modp group instead of an EC group?

Why doesn't Bob send y? Y is derivable from what Bob sends. (Your zero knowledge claim is at least a bit wrong, since Bob is sending correlated numbers and, in fact, y can be derived from them.)

Bob's sent values can be rewritten as y2^b, y2^c, and y^-1 * f_1 * f_2, which makes me wonder why f_3 is sent.

Why does Bob prove knowledge of x+b+c? Can you clarify the spoofing attack?

What prevents double spending if the tracker is malicious?

synapticreleaseOP10y ago

So, what I mean by zero knowledge is that there is zero knowledge of the secret key x, the discrete log of y. Y itself is supposed to be derived, that's part of the protocol. But when Bob randomly offsets the x-value before sending it, he is committing to a value of x, c, and b which he must then verify. It will be impossible for him to verify the c and b if he doesn't know x, which is important (see below).

modp groups are easier to implement, I was look into EC but I may come back to it later.

Bob doesn't want to send y directly because then another man in the middle could, before the transaction times out, forward y, spoof his own b and c, forward the verification of x and then verify his own b and c. Then he cannot spend the coin but he can make it unspendable.

If one tracker is malicious, he'll be out of sync with all the other trackers to which the transaction is also broadcast to. Every single known tracker would need to be compromised (they are all public).

synapticreleaseOP10y ago

I should also mention that the protocol to verify x is separate and is a valid ZKP.

synapticreleaseOP10y ago

Hi,

I have no idea if I'm doing this right because I am new to HN. But here is a very early WIP of a zero-knowledge cryptocurrency. I try to keep code terse to avoid bugs. Have at it!

drdeca10y ago

This looks cool!

However, if the tracker is centralized, doesn't protection against double spends basically come for free?

Or, maybe not because of the other things?

Oh, wait, ok so in this situation does the tracker have any privileged information?

It doesn't look like it, So, another party could take the place of the tracker if the tracker went down?

I don't understand the proof of stake bit in the readme. I don't see anything about staking the coin, and I generally don't understand how proof of stake applies to something like this?

synapticreleaseOP10y ago

the tracker is public and mirrored, and the idea is to reinforce your claim of ownership you send it to as many known trackers as you can within reason.

The proof of stake is essentially for free; as described above, by verifying you know the current secret key of the coin, you verify you own that coin. There is no transaction history; the coin is secret and updated randomly on every transaction.

im3w1l10y ago

Sorry for being harsh on a newcomer, but this did not live up to my expectations based on the title. It seems to be strictly worse than bitcoin, let alone zerocoin.

It needs a central tracker, and it needs a secure offline channel to transmit keys. The reason zerocoin uses zero-knowledge proofs is to make it impossible to trace the history of a coin. This is another property that this project does not have.

synapticreleaseOP10y ago

No reason to be sorry. well, the title was supposed to be longer :P. I was going to write the same as the github title but it didn't fit. It is clearly a toy---ahermmg---semi-serious theoretical exercise, and not a real competitor to bitcoin or zerocoin, you are right in that respect.

This (as far as I know) does make it impossible to trace the history of a coin, because there is no recorded transaction history, assuming you don't send the transaction details directly from your ip (and valid coin transfers are mathematically impossible to spoof from e.g. an exit node). You also don't need a centralized tracker, you just need a public record of all known coins which is kept in sync across several mirrors. I should clarify that in the readme; the only reason why I mention assuming a centralized tracker is for the performance estimate, because syncing trackers would induce overhead. Unless you see something I am missing...

The reason why this uses zero-knowledge proofs is twofold; first, to allow anonymization of individual transaction ids by ensuring it is impossible to spoof transactions without knowing the secret key of the corresponding coin, and second to avoid the use of a blockchain which further degrades anonymity. Again, it may be that you have discovered a reason why this does not hold, in which case I would be interested to hear it!

Regarding the matter of coin transfer, this was a design decision because of the project scope. I could have spent many days implementing a transaction system which did not depend on the secrecy of keys, but I have other commitments. That being said, there are a subset of transactions (involving money, but also authentication of physical goods in transit, for example) which can potentially be treated this way. For instance, I can use it to verify the user is in possession of a particular hardware (a physical "coin") which stores the secret key in encrypted form. Which could be useful in e.g. shipping applications, who knows.

im3w1l10y ago

You say that the trusted actor updates the public key of a coin. This means that it is known which former key corresponds to which following key. Thus the central actor can trace the history. If you have many trackers, then everyone can trace the history.

1 more reply

lambda10y ago

This comment does seem fairly harsh for something advertised as "a toy." Why would you expect a toy to be state of the art? When I see that phrase, I think of something that is a personal learning experience, might have an interesting idea or two but is not expected to replace anything that already exists.

synapticreleaseOP10y ago

"Why would you expect a toy to be state of the art?"

http://www.8-bitcentral.com/images/nintendo/promo/virtualBoy...

Real 3d graphics, that's why!

im3w1l10y ago

I expect a toy example to be theoretically sound, but using shortcuts to get a practical realization.

For all the fancy cryptography this uses, I don't see how it provides any more security properties than a central actor having a databases of balances and requiring a cryptographic signature (like RSA, ECDSA etc) to authorize transactions. I don't see an extension path either.

Since the zero-knowledge proof is interactive, I am unsure how the central tracker could even be audited not to spoof transactions.

1 more reply

j / k navigate · click thread line to collapse

15 comments

amluto10y ago

Some thoughts:

Why did you pick a modp group instead of an EC group?

Why doesn't Bob send y? Y is derivable from what Bob sends. (Your zero knowledge claim is at least a bit wrong, since Bob is sending correlated numbers and, in fact, y can be derived from them.)

Bob's sent values can be rewritten as y2^b, y2^c, and y^-1 * f_1 * f_2, which makes me wonder why f_3 is sent.

Why does Bob prove knowledge of x+b+c? Can you clarify the spoofing attack?

What prevents double spending if the tracker is malicious?

synapticreleaseOP10y ago

modp groups are easier to implement, I was look into EC but I may come back to it later.

synapticreleaseOP10y ago

I should also mention that the protocol to verify x is separate and is a valid ZKP.

synapticreleaseOP10y ago

Hi,

I have no idea if I'm doing this right because I am new to HN. But here is a very early WIP of a zero-knowledge cryptocurrency. I try to keep code terse to avoid bugs. Have at it!

drdeca10y ago

This looks cool!

However, if the tracker is centralized, doesn't protection against double spends basically come for free?

Or, maybe not because of the other things?

Oh, wait, ok so in this situation does the tracker have any privileged information?

It doesn't look like it, So, another party could take the place of the tracker if the tracker went down?

I don't understand the proof of stake bit in the readme. I don't see anything about staking the coin, and I generally don't understand how proof of stake applies to something like this?

synapticreleaseOP10y ago

the tracker is public and mirrored, and the idea is to reinforce your claim of ownership you send it to as many known trackers as you can within reason.

im3w1l10y ago

Sorry for being harsh on a newcomer, but this did not live up to my expectations based on the title. It seems to be strictly worse than bitcoin, let alone zerocoin.

synapticreleaseOP10y ago

im3w1l10y ago

1 more reply

lambda10y ago

synapticreleaseOP10y ago

"Why would you expect a toy to be state of the art?"

http://www.8-bitcentral.com/images/nintendo/promo/virtualBoy...

Real 3d graphics, that's why!

im3w1l10y ago

I expect a toy example to be theoretically sound, but using shortcuts to get a practical realization.

Since the zero-knowledge proof is interactive, I am unsure how the central tracker could even be audited not to spoof transactions.

1 more reply

j / k navigate · click thread line to collapse