Two years ago I posted about a proposal of to create an anonymous cryptocurrency. This was much time before the ZeroCoin and ZeroCash protocols were proposed. I had moral concerns regarding the idea of an anonymous payment protocol: why such protocol would be needed and who would benefit from the protocol. Adam Back and Gregory Maxwell convinced me that the benefits of financial privacy outperform the problems of money laundering and terrorism financing. My current understanding is that it could be possible to modify the protocol to add ways for law enforcement to track money for certain parties requesting key shares from different independent government departments, but I can’t think of how an open source global cryptocurrency can bootstrap with tracking built-in. Other researchers may solve those technical problems better that I can do. I suspect that Know-Your-Customer laws for exchangers are the best and only defense one can get for the first years. But if an anonymous cryptocurrency succeeds and it’s widely accepted, then why should people need to exchange their digital assets into fiat currency anyway?
Key Differences between AppeCoin, ZeroCoin, ZeroCash
I cannot talk much about Appecoin as described in the draft. AppeCoin draft was not audited by any crypto expert, nor it’s complete, nor it’s fully formalized. So my draft may contain omissions and mistakes. I can talk about the AppeCoin idea (and hope that the idea survives even if a problem is found in the paper).
AppeCoin is based on simple cryptography: the Decisional Diffie-Helman in the polynomial samples setting, which was shown to be equivalent to the Decisional Diffie–Hellman (DDH) assumption, and also the Representation problem. So it should be easier to verify and trust the (finished) design and implementation of AppeCoin than of ZeroCoin or ZeroHash.
Normally AppeCoin achieves full anonymmization of a certain transaction gradually: each new confirmation block increases the output coins anonymity set size. Each miner shuffles the new coins with some coins of the block-chain, building a sequential Mixnet, and all the mixed coins are returned to the block-chain. When you pay with an unspent coin of the block-chain, the the last shuffle operation it underwent is revealed. In contrast, in ZeroCoin/ZeroCash the anonymity set is maximal immediately: a new coin looks exactly equal to any one in the block-chain when you try to pay with it. This is a trade-off AppeCoin does: it reduces the computational burden of transmitting a coin (and proving ownership of that coin) by increasing the cost of block verification. Nevertheless AppeCoin still allows you to get a user-selectable anonymity set by performing an anonymization operation yourself.
ZeroCoin has the big problem that it requires a trusted phase for bootstrapping which I think you will prevent the coin get widespread adoption. AppeCoin and ZeroCash do not have this problem.
Both AppeCoin and ZeroCash can hide the payed amounts. AppeCoin uses proofs of combinability and divisibility to combine/divide coins without revealing the amounts. ZeroCoin requires denominations, so amounts are not easily protected. It’s also trivially possible to implement AppeCoin with denominations and leave out the combination/division protocols: this reduces the protocol features but at the same time reduces considerably the complexity. As far as I know, ZeroCash can hide any computational property in a coin, which is something very powerful.
I really like the ZeroCash idea, and I hope their coin succeeds. Nevertheless I have doubts about the use of Succinct Non-interactive ARguments of Knowledge (SNARKs) as the security guarantee of the currency, because is SNARKs are too new to have withstood enough cryptography community analysis.
To summarize the key contributions of AppeCoin are:
- Uses deterministic Universal-encryption to encrypt coins.
- Uses both public and private shuffles of coins.
- Uses combinability and divisibility protocols to prepare exact payment amounts without disclosing the amounts.
- It uses a special cut-and-choose proofs of shuffles where the number of modular exponentiations is independent of the number of coins shuffled (using the Random Subset Test for each round)
- Does not require a trusted setup phase.
The paper draft (revision 0.28) can be downloaded here: AppeCoin28
One of the things that could be greatly improved in AppeCoin are the proofs of combinability and divisibility. The main reason I’m releasing the half-finished draft is that I really don’t have time to complete it. I you think you can make a real academic paper out of this draft, and you have the knowledge to do so, write me and I’d gladly co-author it with you.