
Zerocoin protocol

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by Cerevisae (talk | contribs) at 15:26, 6 August 2018 (History: added info). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

Zerocoin Project
Communication protocol
Purpose: To achieve true anonymity in Bitcoin transactions
Developer(s): Matthew D. Green
Introduction: May 19, 2013
Based on: Bitcoin network
Influenced: Zcoin, PIVX, Zcash
Website: zerocoin.org

Zerocoin is a cryptographic protocol proposed by Johns Hopkins University professor Matthew D. Green and his graduate students (Ian Miers and Christina Garman) in 2013 as an extension to the bitcoin protocol that would add true cryptographic anonymity to bitcoin transactions. The protocol was first integrated into a fully functional cryptocurrency as Zcoin in 2016.

Zerocoin provides anonymity by the introduction of a separate mixing service known as zerocoin that is stored in the bitcoin blockchain. Though originally proposed for use with the bitcoin network, zerocoin could be integrated into any cryptocurrency.

History

All bitcoin transactions are public; therefore they can be easily traced on the blockchain, which can compromise a user's privacy even though a pseudonym is used during the transactions. To address this problem, a third-party coin mixing service can be used to obscure the trail of bitcoin transactions. However, the reliability of such mixing depends on the trustworthiness of the mixing service operator. Therefore, Johns Hopkins University professor Matthew D. Green and his graduate students (Ian Miers and Christina Garman) proposed the zerocoin protocol in 2013, in which cryptocurrency transactions can be anonymised without going through a trusted third party.[1] Under this protocol, a coin is destroyed and then minted again to erase the coin's past history. When a coin is spent, no information is available that reveals exactly which coin is being spent.[2] Initially, the zerocoin protocol was planned to be integrated into the Bitcoin network.[3] However, the proposal to integrate the zerocoin protocol into Bitcoin failed, so the zerocoin developers decided to launch the protocol as an independent cryptocurrency.[4]

Zerocash protocol

The improved version of the protocol "that reduces proof sizes by 98% and allows for direct anonymous payments that hide payment amount" was announced on 16 November 2013.[5] The developers presented their technical paper[6] at the 2014 IEEE Security & Privacy Symposium[7] along with launching the site.[8]

Design

The zerocoin extension to bitcoin would have functioned like a money laundering pool, temporarily pooling bitcoins together in exchange for a temporary currency called zerocoins. While the laundering pool is an established concept already utilized by several currency laundering services, zerocoin would have implemented this at the protocol level, eliminating any reliance on trusted third parties. It anonymizes the exchanges to and from the pool using cryptographic principles, and as a proposed extension to the bitcoin protocol, it would have recorded the transactions within bitcoin's existing blockchain.

The anonymity afforded by zerocoin is the result of the cryptographic operations involved in two separate transaction types, zerocoin mint and zerocoin spend.[1] To mint a zerocoin, a person generates a random serial number S and commits to it (the page's original wording calls this "encrypting") using a second random number r, producing a coin C. In practice, C is a Pedersen commitment. The coin C is added to a cryptographic accumulator by miners, and at the same time an amount of bitcoin equal in value to the denomination of the zerocoin is added to a zerocoin escrow pool.

To redeem the zerocoin into bitcoin (preferably to a new public address), the owner of the coin needs to prove two things by way of a zero-knowledge proof. (A zero-knowledge proof is a method by which one party can prove to another that a given statement is true, without conveying any additional information apart from the fact that the statement is indeed true.) The first is that they know a coin C that belongs to the set of all minted zerocoins (C1, C2, ..., Cn), without revealing which coin it is. In practice, this is done efficiently by use of a one-way accumulator that does not reveal the members of the set. The second is that the person knows a number r that, along with the serial number S, corresponds to a zerocoin. The proof and the serial number S are posted as a zerocoin spend transaction, where miners verify the proof and check that the serial number S has not been spent previously. After verification, the transaction is posted to the blockchain, and the amount of bitcoin equal to the zerocoin denomination is transferred from the zerocoin escrow pool. Anonymity in the transaction is assured because the minted coin C is not linked to the serial number S used to redeem the coin.
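The mint and spend flow just described, as an added worked example in Python that is not code from the Zerocoin paper or from any project on this page: a Pedersen commitment C = g^S h^r, an RSA accumulator with a membership witness, a Fiat-Shamir Schnorr proof that the spender knows r for the revealed serial S, and a miner-side ledger that rejects a reused serial number, a coin that was never minted, or a proof made without r. The group modulus, generators, accumulator modulus, function names and the ledger structure are all assumptions chosen for this example and are far too small for real use; the toy also sends C and its witness in the clear, which the real protocol hides inside its zero-knowledge membership proof.

```python
import hashlib
import secrets

# Toy parameters, constructed for this example and far too small for real use.
# P = 2Q + 1 is a safe prime; G and H are quadratic residues, so both generate the
# order-Q subgroup. The discrete log of H with respect to G is assumed unknown.
P = 2039
Q = 1019
G = 4   # 2^2
H = 9   # 3^2

# Toy RSA accumulator modulus. In the protocol a trusted party generates N = p*q and
# must forget the factors; here the factors are two well-known Mersenne primes.
ACC_N = (2**31 - 1) * (2**61 - 1)
ACC_BASE = 3


def mint(serial=None, blinding=None):
    """Mint a coin: commit to serial S with blinding r as C = G^S * H^r mod P (Pedersen)."""
    s = secrets.randbelow(Q) if serial is None else serial
    r = secrets.randbelow(Q) if blinding is None else blinding
    c = (pow(G, s, P) * pow(H, r, P)) % P
    return {"S": s, "r": r, "C": c}


def accumulate(commitments):
    """RSA accumulator over all minted commitments (the real scheme requires them to be primes)."""
    exp = 1
    for c in commitments:
        exp *= c
    return pow(ACC_BASE, exp, ACC_N)


def membership_witness(commitments, c):
    """Witness for C: the accumulator built from every other commitment."""
    exp = 1
    for other in commitments:
        if other != c:
            exp *= other
    return pow(ACC_BASE, exp, ACC_N)


def _challenge(*parts):
    """Fiat-Shamir challenge derived from the transcript, reduced into Z_Q."""
    data = "|".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def prove_opening(coin):
    """Schnorr proof of knowledge of r such that C / G^S = H^r, without revealing r."""
    y = (coin["C"] * pow(pow(G, coin["S"], P), -1, P)) % P  # equals H^r
    k = secrets.randbelow(Q)
    t = pow(H, k, P)
    e = _challenge(y, t, coin["S"])
    z = (k + e * coin["r"]) % Q
    return {"t": t, "z": z}


def verify_opening(c, s, proof):
    """Check H^z == t * y^e with y = C / G^S; this holds iff the prover knew r."""
    y = (c * pow(pow(G, s, P), -1, P)) % P
    e = _challenge(y, proof["t"], s)
    return pow(H, proof["z"], P) == (proof["t"] * pow(y, e, P)) % P


class Ledger:
    """Miner-side state: accumulated commitments and the set of spent serial numbers."""

    def __init__(self):
        self.minted = []
        self.spent = set()

    def mint(self, coin):
        self.minted.append(coin["C"])

    def spend(self, tx):
        s, c = tx["S"], tx["C"]
        if s in self.spent:
            return "rejected: serial already spent"
        if pow(tx["witness"], c, ACC_N) != accumulate(self.minted):
            return "rejected: not in accumulator"
        if not verify_opening(c, s, tx["proof"]):
            return "rejected: bad opening proof"
        self.spent.add(s)
        return "accepted"


def make_spend(coin, ledger):
    """Spend transaction: reveal S, prove knowledge of r, show accumulator membership.
    Toy caveat: C and its witness are sent in the clear, which links spend to mint;
    the real protocol hides both inside a zero-knowledge membership proof."""
    return {
        "S": coin["S"],
        "C": coin["C"],
        "witness": membership_witness(ledger.minted, coin["C"]),
        "proof": prove_opening(coin),
    }


if __name__ == "__main__":
    ledger = Ledger()
    alice, bob = mint(), mint()
    ledger.mint(alice)
    ledger.mint(bob)
    tx = make_spend(alice, ledger)
    print(ledger.spend(tx))   # accepted
    print(ledger.spend(tx))   # rejected: serial already spent
```

The serial set is what prevents double spending: once S is recorded, a second spend of the same coin is refused before any proof is checked. The opening proof is the part that ties the revealed S to a real mint without exposing r, and the accumulator check is the part that, in the full protocol, is itself wrapped in a zero-knowledge proof so that the verifier never learns which C was spent.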

The accumulator used for the zero-knowledge proof would have to be re-computed every time a spend transaction is verified, and although this can be done incrementally if the accumulator checkpoint is carried over from earlier blocks to the new block, it would still add some overhead to the verification process. Additionally, both the accumulator checkpoint and all the zerocoin serial numbers would have to be added to every bitcoin block, thus increasing the block size (although not substantially).

Since the verification process for zerocoins is much more computationally heavy than for bitcoins, the verification time for a block would increase up to 6 times depending on the ratio between bitcoins and zerocoins. Preliminary tests done by the developers show that even with the increased verification time and blocks twice the size of current bitcoin blocks, the verification time for an entire block would not exceed five minutes, and since a new bitcoin block is currently created every ten minutes on average, the increased verification time should not be a problem.[1]

Zerocash protocol

The new protocol was called Zerocash. It is no longer an extension to bitcoin but an independent technology built on the same basic principles (a blockchain and transactions), which was planned to be implemented as an alt-coin.[9] Zerocash utilizes succinct non-interactive zero-knowledge arguments of knowledge (also known as zk-SNARKs), a special kind of zero-knowledge method for proving the integrity of computations.[10] Such proofs are less than 300 bytes long and can be verified in only a few milliseconds. However, zk-SNARKs require a large initial database for verification (about 1.2 GB) and a long time to produce a proof (spending the coin): 87 seconds to 178 seconds.[11]

Cryptocurrencies

Zcoin (XZC)


Zerocoin was first implemented in a fully functional cryptocurrency called Zcoin (XZC), a project that went live on September 28, 2016, 12AM UTC.[12] The project's testnet software was first released to the public on December 18, 2015 under the name Moneta (not Moneta Verde (MCN)) before it was renamed Zcoin.[13] Roger Ver was one of Zcoin's initial investors, as he was for Zcash.

In February 2017, a malicious coding attack on Zerocoin created 370,000 fake tokens, which the perpetrators sold for over 400 Bitcoins ($440,000). The Zerocoin team announced that a single-symbol error in a piece of code "allowed an attacker to create Zerocoin spend transactions without a corresponding mint". In an uncommon move, the developers opted not to destroy any coins or attempt to reverse what happened with the newly generated ones.[14]

Private Instant Verified Transaction (PIVX)

PIVX is the first Proof of Stake cryptocurrency to have implemented the Zerocoin protocol. Zerocoin went live on PIVX on October 16, 2017.[15] The Zerocoin PIVX tokens are known as zPIV, a combination of PIV, the standard unit of PIVX, and the z from Zerocoin.[15] As of May 8, 2018, PIVX became the first Proof of Stake cryptocurrency to allow private staking via zPoS (Zerocoin Proof of Stake).[16][17]

zPoS functions alongside PIVX's standard PoS system, with users free to choose between PIV or zPIV for their funds, although holding a combination of the two is also possible. Standard PIV within the PIVX Core wallet can be converted either automatically or manually to zPIV, which are stored in denominations of 1, 5, 10, 50, 100, 500, 1000, and 5000.[18] After a period of 200 confirmations, zPIV become eligible for zPoS staking, which rewards stakers 3 zPIV rather than the 2 PIV of regular PIV staking, an additional 50%.[16] This larger reward was implemented as an incentive for stakers to support the zPoS ecosystem, the privacy features of which scale with user participation as the accumulators expand.

Zoin (ZOI)


Zoin is a community-governed digital currency that has implemented the Zerocoin Protocol. Zoin was created in November 2016 from an early fork of Zcoin.

Zcash (ZEC)

Between 5 October 2015 and 11 January 2016, the Zerocash website started noting that "The Zerocash protocol is being developed into a full-fledged digital currency, Zcash."[19]

On April 28, 2017, Zcash surpassed $100m in market capitalization.[20]

CredaCash

A faster implementation of zero-knowledge proofs using zk-SNARKs was created for a new cryptocurrency called CredaCash. CredaCash requires only about 3 seconds and 85 KB of memory to create a transaction proof.[21] Similar to Zerocash, CredaCash is an alt-coin with its own blockchain and transaction protocol. The CredaCash developers hoped to offer CredaCash to the market in 2016.[22]

Reception

One criticism of zerocoin is the added computation time required by the process, which would need to have been performed primarily by bitcoin miners. If the proofs were posted to the blockchain, this would also dramatically increase the size of the blockchain. Nevertheless, as stated by the original author, the proofs could be stored outside of the blockchain.[23] To counter criticisms that the anonymity offered by zerocoin would facilitate illegal activity, it has been suggested that a backdoor, or other features, could be added to the zerocoin protocol to allow police to track money laundering, but this was not advocated in the original paper.[24]

Since a zerocoin will have the same denomination as the bitcoin used to mint it, anonymity would be compromised if no other zerocoins (or only a few) with the same denomination are currently minted but unspent. A potential solution to this problem would be to allow only zerocoins of a specific set of denominations; however, this would increase the needed computation time, since multiple zerocoins could be needed for one transaction.

Depending on the specific implementation, the zerocoin protocol would rely on one or more trusted parties to generate two large prime numbers, p and q, so that n = pq. Since n has to be hard to factor, p and q must remain unknown to normal users for zerocoin to be secure. The protocol could instead rely on RSA unfactorable objects (RSA UFOs) to avoid needing a trusted party for the setup process.[1] Such a setup, however, is not possible with the new Zerocash protocol.

References

  1. ^ a b c d Miers, Ian; Garman, Christina; Green, Matthew; Rubin, Aviel D. (May 2013). Zerocoin: Anonymous Distributed E-Cash from Bitcoin (PDF). 2013 IEEE Symposium on Security and Privacy. IEEE Computer Society Conference Publishing Services. pp. 397–411. doi:10.1109/SP.2013.34. ISSN 1081-6011.
  2. ^ Reuben, Yap. "Understanding how Zerocoin in Zcoin works and how it compares to other anonymity solutions Part 1". zcoin.io. Archived from the original on 29 December 2017. Retrieved 5 August 2018.
  3. ^ Andy, Greenberg (12 April 2013). "'Zerocoin' Add-on For Bitcoin Could Make It Truly Anonymous And Untraceable". Forbes. Archived from the original on 19 July 2018. Retrieved 6 August 2018.
  4. ^ Andrew, Marshall (17 January 2014). "Zerocoin Unable to Merge with Bitcoin Goes Independent". Cointelegraph. Archived from the original on 23 July 2018. Retrieved 6 August 2018.
  5. ^ Matthew D. Green [@matthew_d_green] (16 November 2013). "We designed a new version of Zerocoin that reduces proof sizes by 98% and allows for direct anonymous payments that hide payment amount" (Tweet). Retrieved 16 September 2015 – via Twitter.
  6. ^ "Zerocash: Decentralized Anonymous Payments from Bitcoin" (PDF). Zerocash-project.org. Retrieved 16 September 2017.
  7. ^ "IEEE Symposium on Security and Privacy 2014". Ieee-security.org. Retrieved 17 June 2016.
  8. ^ The Zerocash Team. "Zerocash - Zerocash". zerocash-project.org. Retrieved 16 September 2017.
  9. ^ Matthew Green [@matthew_d_green] (16 November 2013). "@NateA11 @koolfy We need a few months to clean up the code. We plan to release the client and an alt-chain" (Tweet) – via Twitter.
  10. ^ Ben-Sasson, Eli; Chiesa, Alessandro; Tromer, Eran; Virza, Madars (2014). "Succinct Non-Interactive Zero Knowledge for a von Neumann Architecture". USENIX Security.
  11. ^ "Untitled". Pastebin.com. 16 January 2014. Retrieved 16 September 2017.
  12. ^ "Zcoin - Private Financial Transactions enabled by the Zerocoin Protocol". Zcoin. Retrieved 16 September 2017.
  13. ^ http://moneta.cash
  14. ^ Suberg, William (21 February 2017). "Zerocoin Hacker "Creates" and Spends 370,000 Tokens Worth 410 BTC". Cointelegraph. Retrieved 6 May 2018.
  15. ^ a b "Zerocoin Protocol and POS (zPIV)". PIVX. 2 October 2017. Retrieved 10 May 2018.
  16. ^ a b "zPoS – Zerocoin Meets Proof of Stake". PIVX. 1 March 2018. Retrieved 10 May 2018.
  17. ^ "PIVX Becomes the World's First Anonymous Proof-of-Stake Cryptocurrency". NewsBTC. 8 May 2018. Retrieved 10 May 2018.
  18. ^ "PIVX Block Explorer Home". www.presstab.pw. Retrieved 10 May 2018.
  19. ^ "Mementos". Timetravel.mementoweb.org. Retrieved 16 September 2017.
  20. ^ Young, Joseph (3 May 2017). "Zcash 6-Month Anniversary Special: Milestones, $100 Mln Market Cap, Vision". Cointelegraph. Retrieved 6 May 2018.
  21. ^ "CredaCash™ – Powering the Digital Economy". credacash.com. Retrieved 16 September 2017.
  22. ^ "FAQ – CredaCash™". credacash.com. Retrieved 16 September 2017.
  23. ^ Peck, Morgan E. (24 October 2013). "Who's who in Bitcoin: Zerocoin hero Matthew Green". IEEE Spectrum. Institute of Electrical and Electronics Engineers. ISSN 0018-9235. Retrieved 31 January 2014.
  24. ^ Hodson, Hal (13 March 2013). "Bitcoin add-on makes your virtual purchases private". NewScientist. Reed Business Information Ltd. ISSN 0262-4079. Retrieved 8 February 2014.