ChristianPeel Member Posts: 26
edited January 2014 in Watercooler
Anyone know the Zerocash proposal (see youtube link below) enough to know how easy this sub-currency would be to implement or even if it is possible? Would it be easy to implement the zkSNARKs that Matthew Green describes? Is Zerocash more efficiently done as an independent currency, or is it so easy to do that it can easily go in Ethereum?

It seems like anonymity is a very useful tool, and would be useful to have in Ethereum right from the start.


  • skfir Member Posts: 2

    Would it be easy to implement the zkSNARKs that Matthew Green describes? Is Zerocash more efficiently done as an independent currency, or is it so easy to do that it can easily go in Ethereum?
    'Easy' isn't the word I'd use, but the zkSNARK part is already implemented. See SNARKs for C: Verifying Program Executions Succinctly and in Zero Knowledge for the most recent paper on the zkSNARK (by the same team Matthew talked about); future publications on SNARK implementation by the same team will be posted at
    As for implementing as an independent currency, Matthew touches on this in his talk: this is very new and advanced crypto, and it's probably better having it field tested in an alternative chain or testnet before implementing it in a currency with sizable investments. Also, current implementations of zkSNARKs need an initial computation by a trusted party; it's as yet unclear whether people will put their trust in a currency which requires this.

    Disclaimer: I'm one of the developers on the SCIPR team.
  • ChristianPeel Member Posts: 26
    edited January 2014
    skfir, thanks for the information. My main question above is whether an anonymous currency using (e.g.) zkSNARKs can be implemented on top of Ethereum using its current cryptographic tools. My impression from your answer and elsewhere is no, it cannot. I'd love to learn more about SCIP; I'll start with the paper you cite above unless you have another suggestion.

    The first two minutes of this talk indicate that the entire blockchain is not required for a node to have full blockchain functionality if SCIP is used. The speaker (Ben-Sasson) talks about signatures of sizes 1MB or 10kb, depending on the application. Do you have any update on this? How are these related to the 288-byte proofs that are discussed in this SCIPR paper?

    You talked about this being very new and advanced; is it so advanced and new that it would not be appropriate as a candidate for the Ethereum mining alg?
  • skfir Member Posts: 2
    I haven't looked too deep into the Ethereum protocol, but it would seem it can definitely be implemented. From a theoretical standpoint, as Ethereum computation is Turing complete, it should be able to run any computation, including any needed for zkSNARKs.

    When I have some more time I'll look into how one could build a "zerocoin contract" on Ethereum. I'm sure this can be achieved theoretically, but the real question is how long the computation would be (or, in other words, how much in fees we would pay for the computation of this contract).

    Regarding the Ben-Sasson talk and the paper you referenced, the paper is later work and the proof (signature) size has been reduced. In prior works the proof size was highly dependent (multiplicatively) on the length of the program code being executed (and proven). In the later work cited in the paper, SCIP has advanced to use a von Neumann architecture in which the program being proven is a hardcoded universal program which fetches and executes code from memory, and so the size is additively dependent on code length.

    Regarding mining, it is premature to consider any of this for mining on Ethereum, maybe in future currencies. Mining as it is used today has very simple requirements (hard to produce, easy to verify, hard to hardware optimize) and using universal verifiable computation for this seems a bit of an overshoot when current memory intensive hashing algorithms get the job done.
  • sneurlax Member Posts: 17
    My preliminary stance is that it's definitely possible. Just author a contract that accepts ether inputs and holds them for a certain period -- if, during that period, other people send enough ether to mix the coins satisfactorily, then that process is carried out; if not, the ether is simply returned.

    The contract would be open-source and readable by anyone: nobody would need to be trusted, as in the current case of Bitcoin Fog. More interesting, as it is an autonomous contract doing the work, who could be held accountable for its "actions" (e.g. laundering)?
  • ChristianPeel Member Posts: 26
    sneurlax, I like this idea; is this mixing? I'm curious to know if one puts in 10 ether and takes out 10 ether, will that be known to others? One of the advantages of the technology mentioned above (SCIP, zkSNARKs) as I understand it is that the transaction sender, recipient, and transaction value are all anonymous. I think this is fundamentally different than a mixing pool; please educate me if I'm wrong.
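    As an added example that is not part of this thread, a small Python model of the pool sneurlax describes and of the question ChristianPeel raises just above: the contract refunds if the window closes under-subscribed, and an observer who sees only the public amounts can link any payout whose amount is unique among the deposits. The participants, amounts and the min_participants rule are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data (hypothetical): who deposited how much ether into the
# pool during its collection window, and the payouts later sent to fresh
# addresses. An outside observer of the chain sees only the amounts.
DEPOSITS = [("alice", 10), ("bob", 10), ("carol", 7), ("dave", 10)]
PAYOUTS = [("addr1", 10), ("addr2", 7), ("addr3", 10), ("addr4", 10)]


def pool_round(deposits, min_participants, payouts):
    """Model the contract's rule: pay out only if enough participants joined
    during the window; otherwise refund every deposit untouched (no mixing)."""
    if len(deposits) < min_participants:
        return {"mixed": False, "refunds": dict(deposits)}
    # Conservation check: the pool cannot pay out more than it holds.
    if sum(a for _, a in payouts) != sum(a for _, a in deposits):
        raise ValueError("payouts do not match deposits")
    return {"mixed": True, "payouts": dict(payouts)}


def anonymity_sets(deposits, payouts):
    """What the public ledger reveals: a payout of amount X can only have been
    funded by a depositor of amount X, so each payout's candidate set is the
    depositors sharing its amount. A set of size 1 is a fully linked payout."""
    by_amount = defaultdict(set)
    for who, amount in deposits:
        by_amount[amount].add(who)
    return {addr: frozenset(by_amount[amount]) for addr, amount in payouts}


def linked_payouts(deposits, payouts):
    """Payout addresses whose depositor is uniquely identified by amount alone."""
    sets = anonymity_sets(deposits, payouts)
    return sorted(addr for addr, cands in sets.items() if len(cands) == 1)


if __name__ == "__main__":
    print(pool_round(DEPOSITS, 5, PAYOUTS)["mixed"])  # False: too few joined
    for addr, cands in anonymity_sets(DEPOSITS, PAYOUTS).items():
        print(addr, sorted(cands))
    print("linked:", linked_payouts(DEPOSITS, PAYOUTS))  # ['addr2']
```

    The three 10-ether deposits share one candidate set while the lone 7-ether deposit is linked outright, which is why a pool of this kind needs fixed denominations, whereas the SCIP/zkSNARK designs discussed above hide the value itself.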
  • SirAlan Member Posts: 7
    Where can I buy zerocoin, any idea?
  • ChristianPeel Member Posts: 26
    It's not released.
  • cobra Member Posts: 18
    edited January 2014
    Do you have any idea of their timing to start?
  • ChristianPeel Member Posts: 26
    edited January 2014
    I don't know. I recall something like summer or fall 2014.
  • Hammer Member Posts: 20
    It was supposed to be Q1, but then it got delayed towards summer to end of 2014. I think it might be some time till we see zerocoin. Meanwhile AnonCoin is back in development and it will have a lot of the features zerocoin proposes.
  • earonesty Member Posts: 8
    You could probably develop an anonymous coin in Ethereum by coding the anonymity into your contract code.
  • cobra Member Posts: 18
    hmm, I'm no coder; so difficult, more interesting, wow
  • hill Member Posts: 3
    zerocoin is cool?
  • Jasper Eindhoven, the Netherlands Member Posts: 514 ✭✭✭
    Cool to see developers from SCIPR.. Cool technology btw.. I currently have nearly only a 'black box' understanding of crypto... At best SCIPR goes way over my head for the foreseeable future.

    Coinswap can do transactions anonymously too. Probably some way to do it automatically, but I don't see it yet, and it would probably require an anonymous encrypted network alongside the client to find other people.
  • patcon Member Posts: 16
    For anyone interested, SCIPR released their C++ zkSNARK implementation:

    Haven't dug in yet, but excited to investigate :)