[im3w1l]

Sorry for being harsh on a newcomer, but this did not live up to my expectations based on the title. It seems to be strictly worse than bitcoin, let alone zerocoin.

It needs a central tracker, and it needs a secure offline channel to transmit keys. The reason zerocoin uses zero-knowledge proofs is to make it impossible to trace the history of a coin. This is another property that this project does not have.

[synapticrelease]

No reason to be sorry. well, the title was supposed to be longer :P. I was going to write the same as the github title but it didn't fit. It is clearly a toy---ahermmg---semi-serious theoretical exercise, and not a real competitor to bitcoin or zerocoin, you are right in that respect.

This (as far as I know) does make it impossible to trace the history of a coin, because there is no recorded transaction history, assuming you don't send the transaction details directly from your ip (and valid coin transfers are mathematically impossible to spoof from e.g. an exit node). You also don't need a centralized tracker, you just need a public record of all known coins which is kept in sync across several mirrors. I should clarify that in the readme; the only reason why I mention assuming a centralized tracker is for the performance estimate, because syncing trackers would induce overhead. Unless you see something I am missing...

The reason why this uses zero-knowledge proofs is twofold; first, to allow anonymization of individual transaction ids by ensuring it is impossible to spoof transactions without knowing the secret key of the corresponding coin, and second to avoid the use of a blockchain which further degrades anonymity. Again, it may be that you have discovered a reason why this does not hold, in which case I would be interested to hear it!

Regarding the matter of coin transfer, this was a design decision because of the project scope. I could have spent many days implementing a transaction system which did not depend on the secrecy of keys, but I have other commitments. That being said, there are a subset of transactions (involving money, but also authentication of physical goods in transit, for example) which can potentially be treated this way. For instance, I can use it to verify the user is in possession of a particular hardware (a physical "coin") which stores the secret key in encrypted form. Which could be useful in e.g. shipping applications, who knows.

[im3w1l]

You say that the trusted actor updates the public key of a coin. This means that it is known which former key corresponds to which following key. Thus the central actor can trace the history. If you have many trackers, then everyone can trace the history.

[synapticrelease]

Yes, but it only knows the public key. Which is not a number in any way associated publicly with the identity of the owner...it's essentially a (discrete exponent of a) random number that identifies the coin.

[lambda]

This comment does seem fairly harsh for something advertised as "a toy." Why would you expect a toy to be state of the art? When I see that phrase, I think of something that is a personal learning experience, might have an interesting idea or two but is not expected to replace anything that already exists.

[synapticrelease]

"Why would you expect a toy to be state of the art?"

http://www.8-bitcentral.com/images/nintendo/promo/virtualBoy...

Real 3d graphics, that's why!

[im3w1l]

I expect a toy example to be theoretically sound, but using shortcuts to get a practical realization.

For all the fancy cryptography this uses, I don't see how it provides any more security properties than a central actor having a databases of balances and requiring a cryptographic signature (like RSA, ECDSA etc) to authorize transactions. I don't see an extension path either.

Since the zero-knowledge proof is interactive, I am unsure how the central tracker could even be audited not to spoof transactions.

[synapticrelease]

Read the readme again. The interactive ZKP does not reveal classified information about the actual transaction to the tracker, which is required to authorize it.

In theory, yes, a tracker could be malicious. It could even simply delete its record of all the coins and then refuse all transactions. Or change every coin so it cannot be spent. Actually the one thing it couldn't do is spoof transactions, because it doesn't know the secret key of a single coin it tracks. So it would have to make up a new coin, which would be easily detectable by other trackers because there must be a public consensus on how new coins are created (i.e., their public keys must be prime). So you would, once again, have to compromise every single tracker to spoof a transaction. Then you are right that there is no way to audit, but then you have bigger problems anyway (like people stealing money from exchanges) even before you get there.

Which brings me to the /real/ problem with my implementation, the coins are not worth nearly as much as bitcoin or zerocoin yet :P.

[im3w1l]

Alice has a secret key. She wants to prove this to Tom the tracker. He issues her a number of challenges until he is convinced she has the key.

Suspicious Simon now wonders if Alice actually had they key. Maybe she didn't and Tom gave her easy challenges? How can Simon be sure Alice has the key?