undefined | Better HN

0 pointsim3w1l10y ago0 comments

I expect a toy example to be theoretically sound, but using shortcuts to get a practical realization.

For all the fancy cryptography this uses, I don't see how it provides any more security properties than a central actor having a databases of balances and requiring a cryptographic signature (like RSA, ECDSA etc) to authorize transactions. I don't see an extension path either.

Since the zero-knowledge proof is interactive, I am unsure how the central tracker could even be audited not to spoof transactions.

0 comments

synapticrelease10y ago

Read the readme again. The interactive ZKP does not reveal classified information about the actual transaction to the tracker, which is required to authorize it.

In theory, yes, a tracker could be malicious. It could even simply delete its record of all the coins and then refuse all transactions. Or change every coin so it cannot be spent. Actually the one thing it couldn't do is spoof transactions, because it doesn't know the secret key of a single coin it tracks. So it would have to make up a new coin, which would be easily detectable by other trackers because there must be a public consensus on how new coins are created (i.e., their public keys must be prime). So you would, once again, have to compromise every single tracker to spoof a transaction. Then you are right that there is no way to audit, but then you have bigger problems anyway (like people stealing money from exchanges) even before you get there.

Which brings me to the /real/ problem with my implementation, the coins are not worth nearly as much as bitcoin or zerocoin yet :P.

im3w1lOP10y ago

Alice has a secret key. She wants to prove this to Tom the tracker. He issues her a number of challenges until he is convinced she has the key.

Suspicious Simon now wonders if Alice actually had they key. Maybe she didn't and Tom gave her easy challenges? How can Simon be sure Alice has the key?

j / k navigate · click thread line to collapse