Hello, it's me again. Upon re-reading the Zerocoin paper ( http://spar.isi.jhu.edu/~mgreen/ZerocoinOakland.pdf ), I've noticed the following:

When I mint a Zerocoin, I add my 'c' to the accumulator. Accumulator state gets "checkpointed" at discrete intervals - possibly every block, or so.

Now, let's say I've minted a zerocoin at blockheight N, and an accumulator state that includes my 'c' has been checkpointed at blockheight N+1.

Now, I wait for 100 blocks and spend my zerocoin, providing relevant proofs P and adding the relevant serial number to the list of numbers spent. This happens at blockheight N+101.

For ease of experiment, I was the only person to mint at blockheight N+1, and the only one to spend at blockheight N+101 (there were some other mints at N+4 though).

Question: Am I correct in thinking that an attacker can *NOT* gain information regarding the blockheight at which my coin was minted by repeatedly trying my (π,S) with different accumulator state checkpoints (which come conveniently arranged in chronological order ;-) )?

Something like:

1) test this fine proof and this fine S against accumulator states and mint set assembled from blocks from N-100 to N-50...
2) then try the same against N-100 to N...
3) then, finally, try the same against N-100 to N+1

Would the last step yield anything informative?

Hope this makes sense and please pardon my ignorance...

Best wishes,
Jane

_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
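The checkpoint scenario in the message above, as an added example that is not part of the original post or the Zerocoin code: a toy RSA accumulator showing which per-block checkpoints a plain membership witness verifies against. It does not model the zero-knowledge proof π; the modulus, base, coin primes and N = 1000 are constructed values, and the function names are hypothetical.

```python
# Toy RSA accumulator with one checkpoint per block. All values are constructed
# for illustration; a real modulus is thousands of bits with unknown factors.
MODULUS = 1000003 * 1000033
BASE = 3

def checkpoints(mints, first, last):
    """Map each block height to the accumulator value after that block's mints."""
    acc, out = BASE, {}
    for height in range(first, last + 1):
        for coin in mints.get(height, []):
            acc = pow(acc, coin, MODULUS)      # A' = A^c mod n
        out[height] = acc
    return out

def witness(mints, my_coin, upto):
    """Plain membership witness: BASE raised to every *other* coin accumulated by `upto`."""
    w = BASE
    for height in sorted(h for h in mints if h <= upto):
        for coin in mints[height]:
            if coin != my_coin:
                w = pow(w, coin, MODULUS)
    return w

def matching_heights(w, my_coin, cps):
    """Heights whose checkpoint satisfies w^c == A, i.e. where the witness verifies."""
    target = pow(w, my_coin, MODULUS)
    return [h for h, acc in cps.items() if acc == target]

# Scenario from the message with N = 1000 (constructed): one earlier coin, the
# poster's coin first present in the N+1 checkpoint, other mints at N+4.
# Keys are the heights at which a coin first appears in a checkpoint.
N = 1000
MINTS = {N - 2: [10007], N + 1: [10009], N + 4: [10037, 10039]}
MY_COIN = 10009
CPS = checkpoints(MINTS, N - 5, N + 101)

if __name__ == "__main__":
    fresh = matching_heights(witness(MINTS, MY_COIN, N + 101), MY_COIN, CPS)
    stale = matching_heights(witness(MINTS, MY_COIN, N + 1), MY_COIN, CPS)
    print("witness built at spend time verifies at:", fresh[0], "..", fresh[-1])
    print("witness built against N+1 verifies at:", stale)
```

In this toy model the witness computed at spend time fails against every checkpoint older than the last mint (N+4), so replaying it against earlier checkpoints does not single out N+1. A witness computed against the N+1 checkpoint verifies only at N+1 through N+3, which bounds the coin to those accumulated by N+1.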