NxtCash is a proposal for an anonymity solution, implemented on top of NXT.
The main goal is to allow anonymous transactions, which would make it impossible to link recipient and sender.
The key features of such solution must be:
- anonymous - it must be impossible to link sender and receiver
- trustless - no need for a trusted party
- decentralized - no need for a single party, no single point of failure
- cryptographically secure - in providing both anonymity and protecting from malicious attackers, including double-spending attempts
- efficient - handle a large number of transactions with reasonable response time, don't put a significant burden on the existing NXT infrastructure and prevent unlimited growth of its own storage
1 Zero-Knowledge Proof
To fulfill the trustless requirement the system needs to use zero-knowledge proofs. All other scenarios require a central party to hold a secret, which is unacceptable in a decentralized, trustless system.
The basic idea behind zero-knowledge proof is simple - it's an interactive protocol:
- Verifier asks prover to calculate something from a randomized input in such a way that there are two things in it and both need to be revealed to know the secret.
- Then he asks randomly to reveal either of two things. He needs both to know the secret, but he only asks to reveal or prove one in each trial, so the secret is safe.
- Prover can cheat only if he can guess in advance what verifier will ask to reveal. He can't, so probability of him cheating quickly drops to zero as the number of trials increases.
The main requirements for our system are:
- coin holder must be able to prove that he knows the secret, without revealing it
- coin holder must reveal a part of the secret to prevent double-spending
The new system, besides being much more efficient (98% smaller proofs, for example), allows other interesting features, not possible with the old version:
- Coins can have arbitrary value.
- This value only needs to be revealed when spending the coin, not minting it.
- The coins can be split and merged.
- The coins can be transferred to another owner without spending and previous owner won't be able to spend them. This is probably as close to off-line digital cash as we will ever get (you still need a blockchain transaction, but you don't have to constantly spend/mint coins to allow circulation).
This solution seems to be superior to anything that was done before in this area, that's why we should try and implement it in NXT (reminder: explain why zerocash is so superior).
Mattew Green video: http://www.youtube.com/watch?v=Uh6erfE9HYE
They plan to release the code in May 2014 as an altcoin for testing purposes.
3 NXT Integration
For NXT integration we will probably need a special account, like the Genesis account.
Technically, we can do it without such account, but it will probably be easier and better to have an account, rather than just create/destroy money on every NxtCash transaction.
We will probably need a separate, off-chain storage structure, although we can utilize AM at the cost of some efficiency.
Zerocoins are stored in a Merkle tree of height 64. Each node is a SHA256 hash. Trees and relational databases are not particularly good friends, that's why a separate storage might be required.
We will also need several new transaction type, like "mint a coin", "spend a coin", "merge coins", etc.
Since current reference implementation is Java, we should write or port our solution to Java.
3.1 Time-to-Live (TTL)
To prevent unlimited growth of coin storage we probably need to introduce a mandatory coin TTL (time-to-live) with max limit of, say, 6 months or 1 year.
We can also tie min transaction fee for minting a coin to TTL, for example: 1 month = 1 NXT, 2 months = 2 NXT, etc.
Not sure yet how purging will work technically, but probably the block forger will be able to issue "cleanOldCoin" transactions and get an additional fee if there is a surplus in the main NxtCash account. For this it might be better to store coin timestamps as max blockchain height.