Does anyone know the Zerocash proposal (see YouTube link below) well enough to know how easy this sub-currency would be to implement, or even if it is possible? Would it be easy to implement the zkSNARKs that Matthew Green describes? Is Zerocash more efficiently done as an independent currency, or is it so easy to do that it could easily go into Ethereum?
It seems like anonymity is a very useful tool, and would be useful to have in Ethereum right from the start.
Comments
As for implementing it as an independent currency, Matthew touches on this in his talk: this is very new and advanced crypto, and it's probably better to have it field-tested in an alternative chain or testnet before implementing it in a currency with sizable investments. Also, current implementations of zkSNARKs need an initial computation by a trusted party; it's still unclear whether people will put their trust in a currency which requires this.
Disclaimer: I'm one of the developers on the SCIPR team.
The first two minutes of this talk indicate that the entire blockchain is not required for a node to have full blockchain functionality if SCIP is used. The speaker (Ben-Sasson) talks about signatures of size 1 MB or 10 kB, depending on the application. Do you have any update on this? How are these related to the 288-byte proofs that are discussed in this SCIPR paper?
You talked about this being very new and advanced; is it so advanced and new that it would not be appropriate as a candidate for the Ethereum mining alg?
When I have some more time I'll look into how one could build a "zerocoin contract" on Ethereum. I'm sure this can be achieved theoretically, but the real question is how long the computation would be (or, in other words, how much we would pay in fees for the computation of this contract).
Regarding the Ben-Sasson talk and the paper you referenced: the paper is later work, and the proof (signature) size has been reduced. In prior works the proof size was highly dependent (multiplicatively) on the length of the program code being executed (and proven). In the later work cited in the paper, SCIP has advanced to use a von Neumann architecture in which the program being proven is a hardcoded universal program that fetches and executes code from memory, so the size is additively dependent on code length.
Regarding mining, it is premature to consider any of this for mining on Ethereum; maybe in future currencies. Mining as it is used today has very simple requirements (hard to produce, easy to verify, hard to optimize in hardware), and using universal verifiable computation for this seems a bit of an overshoot when current memory-intensive hashing algorithms get the job done.
The contract code would be open-source and readable by anyone: nobody would need to be trusted, as in the current case of Bitcoin Fog. More interestingly, as it is an autonomous contract doing the work, who could be held accountable for its "actions" (e.g. laundering)?
CoinSwap can do anonymous transactions too. There is probably some way to do it automatically, but I don't see it yet, and it would probably require an anonymous encrypted network alongside the client to find other people.
https://github.com/scipr-lab/libsnark
Haven't dug in yet, but I'm excited to investigate.