On Sun, Jul 14, 2013 at 07:22:10PM +0000, John Dillon wrote:
> Peter: I'm a bit confused by this concept of "bi-directional sacrifice" though,
> I assume there exists only a sacrifice in one direction right? Wouldn't selling
> a zerocoin be just a matter of giving zerocoin a rule so that the zerocoin tx
> moving it to the new owner only happens if a specific form of bitcoin tx
> happens too?

Exactly.

Basically you have one way of creating a Zerocoin: prove you sacrificed
a Bitcoin in a specific way. (spend to unspendable, or spend to mining
fees far into the future)

Now when you sell a Zerocoin what you do is create a Zerocoin
transaction with a txout that can only be spent if you can prove that a
Bitcoin transaction exists with specific conditions with sufficient
confirmations. The specific condition would most likely be it has a
txout of a specific value and scriptPubKey. Basically you'd have a
two-part scriptPubKey:

if <check bitcoin txout existance proof> <check zerocoin buyers signature
is correct> else <check zerocoin sellers signature is correct> <check n
blocks have passed>

Note how if the buyer screws up there is a fallback so the seller can
retrieve their funds after some reasonable amount of time.

Of course if the Bitcoin chain is re-orged Bad Things Happen(TM), but
just set the required number of confirms to something reasonable and
you're good to go. It does mean Zerocoin needs to have consensus on the
Bitcoin blockchain, but that's required to verify sacrifice proofs
anyway.

Economically the idea works because Zerocoins are gradually consumed by
the proof-of-sacrifice required to make Zerocoin transactions. If the
process by which Bitcoins are sacrificed is to fees, rather than
permanently, the overall affect is just a minor decrease in the Bitcoin
money supply. If they are sacrificed permanently, it'll result in
long-term Bitcoin deflation - potentially an issue as the blockreward
decreases.

-- 
'peter'[:-1]@petertodd.org