by choffman 3883 days ago
This technology already exists today in the form of the Cryptonote based coins - of which Monero is the leading example.

Cryptonote, by default, is an opaque blockchain - your transactions are not visible to the world. But, let's say you're a non-profit organization and you do wish for your donations to be public. Cryptonote allows for that using a "view key".

In this way, you get the best of both worlds - privacy by default, and openness when you need it.

The cryptonote wallets are still in their early stages, but the various coins are available and trading on exchanges today. And you can even use them to pay bitcoin based merchants using a service like ShapeShift or xmr.to.


All anonymity is not created equal: you're better off if we can only figure out that one out of 6 billion people bought a Nickelback album, than if we know it was either you or one guy in Tristan da Cunha. The size of your anonymity set matters and Cryptonote provides a rather small one in comparison to Zerocash. This is not to say Cryptonote is worthless, there are tradeoffs between the two, but Zerocash has a distinct advantage in terms of anonymity and I think it matters.

Cryptonote's ring signatures scale linearly in the number of people your transactions are mixed with. As a result, you can't mix an individual transaction with that many people without it getting too big and too computationally costly (chaining transactions doesn't solve this). In contrast, Zerocash mixes every transaction with every other transaction ever[1].

If you are worried about maintaining privacy given repeated interactions with merchants or others who already have some partial information about you, the size of the anonymity set matters considerably. Long-term intersectional attacks are a major problem with anonymity systems. The smaller the set you mix with on any given transaction, the easier it is for some third party to use outside information to eliminate everyone else in the mixing set (e.g. because she knows no one else in the set was online at the time of the transaction or was in your approximate geographic area), and determine the true spender. One of the few effective defenses we have for this is to simply include as many people as possible in the anonymity set. If you want to avoid companies building financial profiles of users from the blockchain, this is precisely the type of attack you need to thwart.

[1] Technically, up to 2^64 transactions and the network's ability to handle the spent serial number list. So there is a limit, but it's rather large.
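The intersection argument in the comment above can be made concrete with a small model. The following is an added example, not code from the thread or from any Cryptonote or Zerocash project: it assumes a simplified world of `n_users` where each transaction hides the true spender among `ring_size - 1` decoys chosen uniformly and independently (real Monero decoy selection is not uniform; the uniform model is an assumption used only to show the scaling). An observer who can link a series of transactions to the same spender (for example a merchant seeing repeat purchases) intersects the rings; the surviving candidate set is the effective anonymity set. With `ring_size == n_users`, which is the "mix with everyone" situation the comment attributes to Zerocash, the intersection never shrinks.

```python
import random


def expected_survivors(n_users, ring_size, rounds):
    """Expected anonymity-set size after `rounds` linked transactions.

    Under the (assumed) uniform decoy model, a given non-spender appears in one
    ring with probability (ring_size - 1) / (n_users - 1) and survives the
    observer's intersection only if it appears in every round. The spender
    always survives, so the expectation is 1 + (n - 1) * p ** rounds.
    """
    if ring_size == n_users:
        return float(n_users)          # everyone is in every ring: no shrinkage
    p = (ring_size - 1) / (n_users - 1)
    return 1 + (n_users - 1) * p ** rounds


def simulate_intersection(n_users, ring_size, rounds, seed=0):
    """Simulate an observer intersecting the rings of `rounds` linked transactions.

    Returns the candidate-set size after each round. Seeded so the run is
    reproducible; user ids are constructed integers, spender is id 0.
    """
    rng = random.Random(seed)
    spender = 0
    others = list(range(1, n_users))
    candidates = set(range(n_users))   # observer starts with no information
    history = []
    for _ in range(rounds):
        decoys = rng.sample(others, ring_size - 1)
        ring = {spender} | set(decoys)
        candidates &= ring             # only members of every ring survive
        history.append(len(candidates))
    return history


if __name__ == "__main__":
    n = 1000
    for k in (5, 50, n):
        print(f"ring size {k:>4}: simulated {simulate_intersection(n, k, 6)}, "
              f"expected after 6 rounds {expected_survivors(n, k, 6):.3f}")
```

The output makes the comment's point: with a ring of 5 the observer is usually down to the lone spender after two or three linked transactions, a ring of 50 delays this by only a round or two, and only the full-population case keeps the anonymity set at 1000 indefinitely. The defensive takeaway is the one the comment draws: the size of the set you mix with on every transaction, not just on the first one, bounds how long linkable activity stays private.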

The point you're actually trying to make is "every privacy scheme has trade-offs".

Zerocoin's trade-offs are massive: untested / unreviewed cryptography, a trusted initial accumulator that can ruin the anonymity for everyone forever, a significantly larger transaction size, and a blockchain so opaque that double-spends and false coin creation cannot be seen.

Those are the issues that matter, and Monero suffers from none of those problems.

> a trusted initial accumulator that can ruin the anonymity for everyone forever

This is false: even if somebody compromises the initial setup (which, if implemented using the proposed MPC protocol, would require compromising every single participant; compromising n-1 parties doesn't do anything), the system continues to enjoy the same zero-knowledge guarantees. Compromised setup or not, in Zerocash the anonymity set is all participants of the system.
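To illustrate the "compromising n-1 parties doesn't do anything" property claimed above, here is an added toy model that is not code from the thread or from the Zerocash project and greatly simplifies the real ceremony. It assumes a sequential-powering MPC over a constructed toy group (prime 23, generator 2 of order 11): each party raises the running public value to its own private random share and forwards it, so the public parameter is g to the product of all shares while nobody ever holds the product itself. The check `candidate_secrets` brute-forces which combined secrets are consistent with a subset of leaked shares; because multiplication by an unknown unit is a bijection mod a prime, any missing share leaves every value of the secret equally possible.

```python
from functools import reduce
import random

# Constructed toy parameters (assumption: real ceremonies use ~256-bit groups,
# where the discrete log of the public value is infeasible; here it is not).
P_MOD = 23   # prime modulus of the ambient group
Q_ORD = 11   # order of the subgroup generated by G: pow(2, 11, 23) == 1
G = 2


def sequential_powering(shares):
    """Run the toy MPC: each party in turn raises the running value to its share.

    Returns the public parameter G^(s_1 * s_2 * ... * s_n mod Q_ORD). The
    intermediate values are what an observer of the ceremony sees; no single
    party ever computes the product of the shares.
    """
    acc = G
    for s in shares:
        acc = pow(acc, s, P_MOD)
    return acc


def combined_secret(shares):
    """The 'toxic waste': product of all shares mod Q_ORD. Never computed in a
    real ceremony; used here only to reason about what a leak would reveal."""
    return reduce(lambda a, b: a * b % Q_ORD, shares, 1)


def candidate_secrets(known_shares, n_parties):
    """Combined secrets consistent with the shares an attacker has obtained.

    If all shares are known the secret is determined. If even one share is
    unknown, it is uniform in Z_Q^*, so the product ranges over all of Z_Q^*.
    """
    known = combined_secret(known_shares)
    if len(known_shares) == n_parties:
        return {known}
    return {known * x % Q_ORD for x in range(1, Q_ORD)}


def run_ceremony(n_parties, seed=0):
    """Generate constructed per-party shares and the resulting public value."""
    rng = random.Random(seed)
    shares = [rng.randrange(1, Q_ORD) for _ in range(n_parties)]
    return shares, sequential_powering(shares)


if __name__ == "__main__":
    shares, public = run_ceremony(3)
    print("shares (private to each party):", shares)
    print("public parameter:", public)
    print("secrets consistent with 2 of 3 shares:",
          sorted(candidate_secrets(shares[:2], 3)))
    print("secrets consistent with all 3 shares:",
          candidate_secrets(shares, 3))
```

With two of three shares leaked the candidate set is all ten non-zero residues, exactly as large as with no shares at all; only the full set of shares pins the secret down. The caveats the thread itself raises still apply: the model says nothing about participants who keep their shares instead of destroying them, or about an adversary who observes every party during the computation.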

On further consideration I agree with you. Knowledge of the accumulator would merely allow for the arbitrary creation of forged spends that appear valid, but the rest of the system would still remain opaque (much to its detriment in this instance).

Also there is nothing to suggest that a clever MPC will solve the collusion problem. Of course the participants will make claims about their honesty, but if ZeroCoin is worth massive amounts of money the temptation to seek collusion will be there.

Of course, whilst it's true that some participants might stick to their proverbial guns, what is going to prevent a motivated state-level attacker from monitoring as many participants as they can during the computation? Then they only need to compromise the handful that they couldn't monitor, and for that they have rubberhose cryptanalysis.

The way you phrase it makes it seem like the parties involved are perpetually at risk of being compromised, as though they must retain and store the secrets necessary for parameter generation forever. When in fact it will be done once, and well in advance of any significant value in the currency which would incentivize crazy government yatta yatta.

What would happen to transactions on Monero in a post-quantum world? Would all of the transactions become transparent to the 3/4 letter agencies?

Does the 'mixing' of coins happen on a server (so you trust the server not to log anything) or does it happen p2p so said agencies can analyze the network?

I'm not sure that anyone can speak to what happens to crypto in a post quantum world.

Mixing does not happen on a server - that would be an atrocious violation of privacy. Monero (and other cryptonote coins) use ring signatures - https://lab.getmonero.org/pubs/MRL-0004.pdf

There is also work being done to employ gmaxwell's Confidential Transactions: https://github.com/ShenNoether/MiniNero/blob/master/RingCT0....