Some thoughts:

Why did you pick a modp group instead of an EC group?

Why doesn't Bob send y? Y is derivable from what Bob sends. (Your zero knowledge claim is at least a bit wrong, since Bob is sending correlated numbers and, in fact, y can be derived from them.)

Bob's sent values can be rewritten as y*2^b, y*2^c, and y^-1 * f_1 * f_2, which makes me wonder why f_3 is sent.

Why does Bob prove knowledge of x+b+c? Can you clarify the spoofing attack?

What prevents double spending if the tracker is malicious?
Hi,

I have no idea if I'm doing this right because I am new to HN. But here is a very early WIP of a zero-knowledge cryptocurrency. I try to keep code terse to avoid bugs. Have at it!
Sorry for being harsh on a newcomer, but this did not live up to my expectations based on the title. It seems to be strictly worse than bitcoin, let alone zerocoin.

It needs a central tracker, and it needs a secure offline channel to transmit keys. The reason zerocoin uses zero-knowledge proofs is to make it impossible to trace the history of a coin. This is another property that this project does not have.