Fundamental challenges?


I am Shelby Moore III, also known as "AnonyMint" at the (BCT) forum where I was an early proponent of anonymity in 2013. My analysis is watched by many 100s if not 1000s of readers at the BCT forum. My current username there is "TPTB_need_war". I have invented some zero knowledge cryptography (combining Cryptonote one-time ring signatures with the Compact Confidential Transactions for homomorphic value hiding). Roughly a couple of months ago, I abandoned that invention and proclaimed that all anonymity designs were futile except for Zerocash, because the meta-data correlation problem was insoluble (impractical for mere mortals to work around on a regular basis).

However, I still see fundamental problems in the Zerocash direction and I am proposing at least one solution. I would urge the developers to read the following threads (especially from the linked posts forward) and please respond here or there to the major issues discussed.

I presume you know how to click the quotes in posts to venture off to the source threads from whence they originated in order to find all the discussion that has transpired today.

Note there are even legal criticims of the conjectured ROI model of Zerocash ( Hopefully you can address those as well.

Be forewarned you are will descend into a hornet's nest of ad hominem and speculator turf battles noise interleaved with attempts to stay on technical focus.


I'm curious what specific issues you identify in Zcash? That thread is hard to follow.


Technical debates are hard to follow, yet they reward the reader with valuable insight and information. Asking me to retype everything here is I think disrespecful of my time. There are serious issues discussed there. Ignore them at your own peril. Please don't ask me to do the work for the reader.


could you summarize for us a little bit ? im sure many will venture into the thread, but an executive summary provided by yourself could prove useful as a tldr :wink:



First you all banned me, deleted many of my posts, block me from posting links, and deleted my thread, then restore the thread without informing me (but not my deleted post). And then the usual idiots come in and try to attack someone's reputation. So unprofessional these crypto currency communities. Any way, if you want to get back on topic:

(sorry I was blocked from posting the links to which you need to refer because you are still blocking me from posting links. What kind of forum is this???!)

#7 (read entire thread) (read entire thread)

Censor my posts again and I will never come back.

Zcash VS Bytecoin

You are a trouble maker. Elbows and acrimony trying to sow discord instead of understanding and appreciation. And you will bring nothing but trouble where ever you go. Stay on point. And you will eat your passive aggressive attack on my reputation when I release my Zero Knowledge Transactions white paper and show that I did indeed remove the need to prove the square in Compact Confidential Transactions and I did combine it with Cryptonote.

The toxic environment people like you create is destroying the well from which we all drink.

Funding: The Founders Reward


Your posts were not being deliberately hidden. Posting too many links after initially signing up triggers Discourse anti-spam features. I unhid your posts and marked them as not spam last week. Are there any posts still being hidden?


Posts are gone. And initially my posts appeared after you accepted them. Then after some hours or so, they were all recensored again, as if someone was complaining to you or as if you were offended by my reply. I am not accusing you, but it just seemed very odd.

Any way, all that ends well is okay for me. So let's forget it ever happened. Cheers.


I looked into this, and it seems like your posts initially got automatically hidden by the forum software (which is named "Discourse"), which was triggered by how many links you had posted to other sites. Sean (ebfull) noticed and un-hid all your posts, except maybe he missed one or something, but now they are all un-hidden. Nobody complained to anyone, to my knowledge, and none of your posts were deliberately hidden by anyone.


Thank you and apology for my paranoia. Zooko, if you have time, please review the logic I presented in the links especially my latest post in this Fundamental challenges thread. I am actually arguing that Zcash and zk-snarks are the way forward and present my logic as to why RingCT is not comparable, but I also think you should be more focused on the corporate market. Perhaps I have an error in my understanding of Zcash, so I'd appreciate if someone of your knowledge set reviews my logic. I am also concerned about your 11% royalty plan, as it seems to violate FinCEN regulations which would thus require all miners to register as MSBs. Additionally it seems to motivate a fork. You have a very high reputation (even I have admired the Blake2 work!), and I am thinking you'd be much better off with a legal ICO (no unregistered illegal securities please per the Howey test or refuse to market it to USA investors). I hope someone like you can raise the quality of the appreciation and teamwork in the crypto block chain scene. I am also very concerned that we are increasingly viewed by serious businesses and even mainstream masses as being a hornet's nest of bad attributes, such as theft, gambling, untrustworthy, deceitful, renegade uncooperative, unrealistic, non-pragmatic, etc.. Although it may seem like I am confrontational, this is evolved from a lot of egotistical crap endured over 3 years at Bitcointalk. I actually would love to see our community work as a team, be inclusive, and appreciative. Not every person is as knowledgeable about the higher maths involved, but that doesn't they won't bring insights. Cheers. And apologies for the noise level.

Sean my apology to you then. It was perplexing and I have been apt to jump to a negative conclusion, given the level of discord and time wasting fighting over at Bitcointalk.

Add: I think it is important to have your marketing strategy well formulated so that you don't depend on Bitcointalk because this seems to end up in endless turf battles as different altcoins vy for reputation amongst the gullible speculators (who do not understand well all the technical issues and are apt to flock to half-truths and slogans).


A public block chain with provable privacy is superior for interoperability, network effects, availability, and trustless commerce for corporations than a private intranet (as Stuxnet showed this doesn't mean a firewall is secure).

See slide # 86. I don't think that should be either/or. I think zk-snarks can possibly combine the two needs:

See also slide #87 that there is transition from currency only block chain tech to mixed application tech.

And slide #96 for those who say smart contracts have no practical economic application.


I would like to find out more about the 11%, is that on mining or transactions?


@Jason-1978 there's a blog post that went up today that might help give you some more info:


Will check it out thank you


Hi shelby3, rest assured we're not ignoring your ideas and criticisms! (We're just very busy.)

Anywho, I want to talk a little bit about your idea here:

The zerocoin mixer can be periodically reset, forcing all anonymous
zerocoins to cash out periodically to basecoins which can be re-minted
into the next instance of the zerocoin mixer. In this way, it can be
proven that no zerocoins were created out-of-thin-air. All the anonymous
mixing that occurs in the zerocoins can remain fully masked because the
zerocoins balance can be merged before un-minting back to a basecoin.

This is a neat idea. Let's explore this by understanding the impact it may have on the anonymity set.

Here's how I imagine your proposal playing out: At pre-determined times, or at particular thresholds, a new accumulator is started and users are either invited or mandated to publicly move their coins between the accumulators. At a certain point, the mandate is enforced.

I see this as having some negative consequences for the anonymity set. If there is a "grace period" to seed the anonymity set of the new accumulator, what immediate incentives would users have to switch until the anonymity set grows large enough? How large of an anonymity set is large enough?

Also, point-of-sale transactions will be at risk of leaking (due to timing attacks) the value of your coins, as you would have transferred them in another transaction to avoid indistinguishability issues. This routine maintenance of your coins also would come at a cost for the users.


I agree there are impacts, including the risk that if the masterkey was compromised then users can fear to lose their coins (versus the undetectable debasement in the non-ephemeral case). But in that case, the issuers of the masterkey (even if multi-party) are no longer trusted.

I haven't thought this through deeply. Perhaps corporations can join together to produce a Zcash block chain in which all of them participated in the multi-party setup/computation of the masterkey, so this could be a non-emphemeral mixer because if ALL of the corporations collude to cheat (or they are ALL served with a national security gag order), they cheat themselves (although persumably customers would also use this currency so I guess the corporations could form an oligarchy to steal via inflation from the masses).

Would it be possible for thousands of anonymous individuals to participate in the multi-party key setup? My assumption is that if even one person doesn't reveal their private key, then no one can cheat. So there is no reason to prevent a Sybil attack on the setup. So why not let everyone join in? (note I haven't studied the white paper for the multi-party setup)

Otherwise, for the Zcash for the masses (and again I think there will need to be some viewkey added else anonymity seems destined to be banned by the State but that is an orthogonal discussion), perhaps the ephemeral mixer might alleviate the concerns some have about the masterkey setup. However it seems it would only be effective in a free market of many such mixers, so that dishonest parties could be identified by the market via a plurality of experiments. So perhaps you'd want a master block chain with unbounded number of distinct mixers but only one basecoin.

The implications on the anonymity set have to be studied. I haven't done that.

P.S. yeah I know. I am very busy too (probably heading into combining social networking with crypto currency). Such is our exciting juncture in history. Cheers.


Apparently my statements at the AMA on the issue of the viewkey were not entirely clear. It is not clear to me whether Zcash's decryption key is sufficient or correct.


If you cannot provide a succinct synopsis for your argument, how valid is it? That thread has so much noise and extraneous text that it is hard to follow the road... I'm sure the revelations hidden therein must be grand...