Zerocoin is a cryptocurrency proposed by Johns Hopkins University professor Matthew D. Green and graduate students Ian Miers and Christina Garman as an extension to the bitcoin protocol that would add true cryptographic anonymity to bitcoin transactions. Zerocoin was first implemented in a fully functional cryptocurrency, Zcoin, released to the public by Poramin Insom. Zerocoin provides anonymity through a separate mixing service, also called zerocoin, whose state is stored in the bitcoin blockchain. Though originally proposed for use with the bitcoin network, zerocoin could be integrated into any cryptocurrency.
Bitcoin transactions are all stored, by design, in a public ledger (the blockchain) that is accessible to everyone. These transactions provide privacy through pseudonymity: while each transaction is associated with the public addresses of the sender and receiver, the names of the owners of these addresses are at no time made known to the bitcoin network. To increase privacy, each person can create as many public addresses as they like, making it difficult to link transactions to the same person. If additional privacy is required, bitcoin can be laundered through a trusted third party, where the input coins are mixed in a large pool and output to a new address.
Regardless of the best precautions, data mining of the blockchain makes it possible in certain cases to link a set of public addresses to a specific (unnamed) individual. For example, this could be done by analysing spending habits, or by observing the change from a transaction being sent from one public address to another. Furthermore, by using information external to the blockchain, such as public bitcoin addresses posted on a web site, or the postal address used with a bitcoin purchase, it may be possible to determine every single bitcoin transaction of a given person.
Zerocoins are purchased with bitcoin in fixed denominations by a zerocoin mint transaction. Later, these zerocoins can be redeemed for bitcoin to a different bitcoin address by a zerocoin spend transaction. Through the use of cryptographic accumulators and digital commitments with zero-knowledge proofs, it is not possible to link the bitcoin address that was used to mint the original zerocoin to the bitcoin address used to redeem the zerocoin.
The zerocoin extension to bitcoin would have functioned like a money laundering pool, temporarily pooling bitcoins together in exchange for a temporary currency called zerocoins. While the laundering pool is an established concept already utilized by several currency laundering services, zerocoin would have implemented this at the protocol level, eliminating any reliance on trusted third parties. It anonymizes the exchanges to and from the pool using cryptographic principles, and as a proposed extension to the bitcoin protocol, it would have recorded the transactions within bitcoin's existing blockchain.
The anonymity afforded by zerocoin is the result of cryptographic operations involved in separate zerocoin mint and spend transactions. To mint a zerocoin, a person generates a random serial number S and commits to it, producing a coin C, using a second random number r. In practice, C is a Pedersen commitment. The coin C is added to a cryptographic accumulator by miners, and at the same time an amount of bitcoin equal in value to the denomination of the zerocoin is added to a zerocoin escrow pool.
To redeem the zerocoin for bitcoin (preferably to a new public address), the owner of the coin needs to prove two things by way of a zero-knowledge proof. (A zero-knowledge proof is a method by which one party can prove to another that a given statement is true, without conveying any additional information apart from the fact that the statement is indeed true.) The first is that they know a coin C that belongs to the set of all minted zerocoins (C1, C2, ..., Cn), without revealing which coin it is. In practice, this is done quickly by use of a one-way accumulator that does not reveal the members of the set. The second is that the person knows a number r that, together with the serial number S, opens the coin C. The proof and the serial number S are posted as a zerocoin spend transaction, where miners verify the proof and check that the serial number S has not been spent previously. After verification, the transaction is posted to the blockchain, and the amount of bitcoin equal to the zerocoin denomination is transferred out of the zerocoin escrow pool. Anonymity in the transaction is assured because the minted coin C is not linked to the serial number S used to redeem the coin.
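As an added illustration (not code from the Zerocoin paper or from any implementation), the following Python models the mint and spend bookkeeping just described: a Pedersen commitment to the serial number, an RSA accumulator over the minted coins, and the spent-serial check. The group parameters are constructed and far too small for real use, and the zero-knowledge proof is replaced by a direct check that reveals r, C and the accumulator witness, so the reader can see exactly what the real proof must hide.

```python
import secrets
# Constructed toy parameters, far too small for real use. p, g, h form the Pedersen
# commitment group (g and h are assumed to have an unknown mutual discrete log); N is
# an RSA modulus for the accumulator whose factors are assumed discarded after setup.
P_GROUP, G, H = 1_000_003, 2, 3
N_ACC = 2_147_483_647 * 4_294_967_291
ACC_BASE = 4  # quadratic residue mod N_ACC; value of the empty accumulator

def is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def commit(serial, r):
    """Pedersen commitment C = g^S * h^r mod p: hides S and binds the minter to it."""
    return (pow(G, serial, P_GROUP) * pow(H, r, P_GROUP)) % P_GROUP

def mint():
    """Pick S, then resample r until C is prime, since the accumulator only takes primes."""
    serial = secrets.randbelow(P_GROUP - 1) + 1
    while True:
        r = secrets.randbelow(P_GROUP - 1) + 1
        coin = commit(serial, r)
        if is_prime(coin):
            return serial, r, coin

class Ledger:
    """State miners carry from block to block: accumulator, coins, spent serials."""
    def __init__(self):
        self.acc, self.coins, self.spent = ACC_BASE, [], set()

    def add_coin(self, coin):
        self.acc = pow(self.acc, coin, N_ACC)  # incremental: Acc <- Acc^C mod N
        self.coins.append(coin)

    def witness(self, coin):
        """w = g^(product of all other coins); w^C == Acc exactly when C is a member."""
        w = ACC_BASE
        for c in self.coins:
            w = pow(w, c, N_ACC) if c != coin else w
        return w

    def spend(self, serial, r, coin, w):
        """Toy verifier. Zerocoin proves the last two checks in zero knowledge so that
        r, C and w stay hidden; revealing them as done here would link spend to mint."""
        if serial in self.spent or commit(serial, r) != coin:
            return False  # serial already spent, or (S, r) does not open C
        if pow(w, coin, N_ACC) != self.acc:
            return False  # C was never accumulated
        self.spent.add(serial)
        return True
```

The `add_coin` step is the incremental accumulator update discussed below, and the discarded factors of N are the trusted-setup assumption raised under the criticisms.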
The accumulator used for the zero-knowledge proof would have to be recomputed every time a spend transaction is verified. Although this can be done incrementally if the accumulator checkpoint is carried forward from earlier blocks to the new block, it would still add some overhead to the verification process. Additionally, both the accumulator checkpoint and all the zerocoin serial numbers would have to be added to every bitcoin block, increasing block size (although not substantially).
Since the verification process for zerocoins is much more computationally heavy than for bitcoins, the verification time for a block would increase up to 6 times depending on the ratio between bitcoins and zerocoins. Preliminary tests done by the developers show that even with the increased verification time and blocks twice the size of current bitcoin blocks, the verification time for an entire block would not exceed five minutes, and since a new bitcoin block is currently created every ten minutes on average, the increased verification time should not be a problem.
Zerocoin was first implemented in a fully functional cryptocurrency called Zcoin (XZC), a project that went live on September 28, 2016, 12AM UTC. The project's testnet software was first released to the public on December 18, 2015 under the name Moneta (not Moneta Verde (MCN)) before it was renamed Zcoin. Roger Ver was one of Zcoin's initial investors, as he was for Zcash.
Private Instant Verified Transaction (PIVX)
PIVX is the first Proof of Stake cryptocurrency to have implemented the Zerocoin protocol. Zerocoin went live on PIVX on October 16, 2017. The Zerocoin PIVX tokens are known as zPIV, from PIV, the standard unit of PIVX, and the z of Zerocoin. On May 8, 2018, PIVX became the first Proof of Stake cryptocurrency to allow private staking via zPoS (Zerocoin Proof of Stake).
zPoS functions alongside PIVX's standard PoS system, with users free to choose between PIV and zPIV for their funds, or to hold a combination of the two. Standard PIV within the PIVX Core wallet can be either automatically or manually converted to zPIV, which are stored in denominations of 1, 5, 10, 50, 100, 500, 1000, and 5000. After 200 confirmations, zPIV become eligible for zPoS staking, which pays stakers 3 zPIV per block compared with 2 PIV for regular PIV staking, a 50% larger reward. This larger reward was implemented as an incentive for stakers to support the zPoS ecosystem, whose privacy features scale with user participation as the accumulators expand.
Zoin is a community governed digital currency that has implemented the Zerocoin Protocol. Zoin was created in November 2016 from an early fork of Zcoin.
The improved version of the protocol "that reduces proof sizes by 98% and allows for direct anonymous payments that hide payment amount" was announced on 16 November 2013. The developers presented their technical paper at the 2014 IEEE Security & Privacy Symposium along with launching the site.
The new protocol was called Zerocash. It is no longer an extension to bitcoin but an independent technology built on the same basic principles (a blockchain and transactions), which was planned to be implemented as an alt-coin. Zerocash utilizes succinct non-interactive zero-knowledge arguments of knowledge (also known as zk-SNARKs), a special kind of zero-knowledge method for proving the integrity of computations. Such proofs are less than 300 bytes long and can be verified in only a few milliseconds. However, zk-SNARKs require a large initial database for verifying (about 1.2 GB) and a long time to produce a proof (that is, to spend a coin): 87 to 178 seconds.
One criticism of zerocoin is the added computation time required by the process, which would need to have been performed primarily by bitcoin miners. If the proofs were posted to the blockchain, this would also dramatically increase the size of the blockchain. Nevertheless, as stated by the original author, the proofs could be stored outside of the blockchain. To counter criticisms that the anonymity offered by zerocoin would facilitate illegal activity, it has been suggested that a backdoor, or other features, could be added to the zerocoin protocol to allow police to track money laundering, but this was not advocated in the original paper.
Since a zerocoin has the same denomination as the bitcoin used to mint it, anonymity would be compromised if no other zerocoins (or only a few) of the same denomination were currently minted but unspent. A potential solution to this problem would be to allow only zerocoins of a fixed set of denominations; however, this would increase the needed computation time, since multiple zerocoins could be needed for one transaction.
Depending on the specific implementation, the zerocoin protocol would rely on one or more trusted parties to generate two large prime numbers, p and q, so that n = pq. Since n has to be hard to factor, p and q must remain unknown to ordinary users for zerocoin to be secure. The protocol could instead rely on RSA UFOs (unfactorable objects) to avoid needing a trusted party for the setup process. Such a setup, however, is not possible with the newer Zerocash protocol.
In February 2017, a malicious coding attack on Zerocoin created 370,000 fake tokens, which the perpetrators sold for over 400 Bitcoins ($440,000). The Zerocoin team announced that a single-symbol error in a piece of code "allowed an attacker to create Zerocoin spend transactions without a corresponding mint". In an uncommon move, the developers opted not to destroy any coins or attempt to reverse what happened with the newly generated ones.
On April 28, 2017, Zcash surpassed $100m in market capitalization.
- "Zcoin (XZC) Private financial transactions enabled by the Zerocoin Protocol - Zcoin". Zcoin. Retrieved 2017-03-16.
- Bradbury, Danny (7 June 2013). "How anonymous is Bitcoin?". CoinDesk. CoinDesk Ltd. Retrieved 8 February 2014.
- Miers, Ian; Garman, Christina; Green, Matthew; Rubin, Aviel D. (May 2013). Zerocoin: Anonymous Distributed E-Cash from Bitcoin (PDF). 2013 IEEE Symposium on Security and Privacy. IEEE Computer Society Conference Publishing Services. pp. 397–411. doi:10.1109/SP.2013.34. ISSN 1081-6011.
- "Zcoin - Private Financial Transactions enabled by the Zerocoin Protocol". Zcoin. Retrieved 16 September 2017.
- "Zerocoin Protocol and POS (zPIV)". PIVX. 2017-10-02. Retrieved 2018-05-10.
- "zPoS – Zerocoin Meets Proof of Stake". PIVX. 2018-03-01. Retrieved 2018-05-10.
- "PIVX Becomes the World's First Anonymous Proof-of-Stake Cryptocurrency". NewsBTC. 2018-05-08. Retrieved 2018-05-10.
- "PIVX Block Explorer Home". www.presstab.pw. Retrieved 2018-05-10.
- Matthew D. Green [@matthew_d_green] (November 16, 2013). "We designed a new version of Zerocoin that reduces proof sizes by 98% and allows for direct anonymous payments that hide payment amount" (Tweet). Retrieved September 16, 2015 – via Twitter.
- "Zerocash: Decentralized Anonymous Payments from Bitcoin" (PDF). Zerocash-project.org. Retrieved 2017-09-16.
- "IEEE Symposium on Security and Privacy 2014". Ieee-security.org. Retrieved 2016-06-17.
- The Zerocash Team. "Zerocash". zerocash-project.org. Retrieved 16 September 2017.
- Matthew Green [@matthew_d_green] (16 November 2013). "@NateA11 @koolfy We need a few months to clean up the code. We plan to release the client and an alt-chain" (Tweet) – via Twitter.
- Ben-Sasson, Eli; Chiesa, Alessandro; Tromer, Eran; Virza, Madars (2014). "Succinct Non-Interactive Zero Knowledge for a von Neumann Architecture". USENIX Security.
- "Untitled". Pastebin.com. 16 January 2014. Retrieved 16 September 2017.
- "Mementos". Timetravel.mementoweb.org. Retrieved 16 September 2017.
- Peck, Morgan E. (24 October 2013). "Who's who in Bitcoin: Zerocoin hero Matthew Green". IEEE Spectrum. Institute of Electrical and Electronics Engineers. ISSN 0018-9235. Retrieved 31 January 2014.
- Hodson, Hal (13 March 2013). "Bitcoin add-on makes your virtual purchases private". NewScientist. Reed Business Information Ltd. ISSN 0262-4079. Retrieved 8 February 2014.
- Suberg, William (February 21, 2017). "Zerocoin Hacker "Creates" and Spends 370,000 Tokens Worth 410 BTC". Cointelegraph. Retrieved May 6, 2018.
- Young, Joseph (May 3, 2017). "Zcash 6-Month Anniversary Special: Milestones, $100 Mln Market Cap, Vision". Cointelegraph. Retrieved May 6, 2018.