The Zerocoin logo
Zerocoin is a cryptocurrency proposed by Matthew Green, a Johns Hopkins University Professor, and graduate students Ian Miers and Christina Garman, as an extension to the Bitcoin protocol that would add true cryptographic anonymity to bitcoin transactions. Zerocoin provides anonymity by the introduction of a separate zerocoin cryptocurrency that is stored in the Bitcoin block chain. Though originally proposed for use with the Bitcoin network, zerocoin could be integrated into any cryptocurrency.
Bitcoin transactions are all stored, by design, in a public ledger (the block chain) that is accessible to everyone. These transactions provide privacy through pseudonymity, in that while each transaction is associated with the public address of the sender and receiver, the names of the owners of these addresses are at no time made known to the Bitcoin network. To increase privacy, each person could create as many public addresses as they like, making it difficult to link transactions to the same person. If additional privacy were required, it is possible to launder bitcoin through a trusted third party, where the input coins are mixed in a large pool and output to a new address.
Regardless of the best precautions, by data mining of the block chain, it becomes possible in certain cases to link a set of public addresses to a specific (unnamed) individual. For example, this could be done by the analysis of spending habits, or by having the change of a transaction from one public address being sent to another. Furthermore, by utilizing information external to the block chain, such as public bitcoin addresses posted on a web site, or the postal address used with a bitcoin purchase, the possibility exists that every single bitcoin transaction of a given person could be determined.
Zerocoins are purchased with bitcoin in fixed denominations by a zerocoin mint transaction. Later, these zerocoins can be redeemed for bitcoin to a different bitcoin address by a zerocoin spend transaction. Through the use of cryptographic accumulators and digital commitments with zero-knowledge proofs, it is not possible to link the bitcoin address that was used to mint the original zerocoin to the bitcoin address used to redeem the zerocoin.
The zerocoin extension to bitcoin would have functioned like a money laundering pool, temporarily pooling bitcoins together in exchange for a temporary currency called zerocoins. While the laundering pool is an established concept already utilized by several currency laundering services, zerocoin would have implemented this at the protocol level, eliminating any reliance on trusted third parties. It anonymizes the exchanges to and from the pool using cryptographic principles, and as a proposed extension to the Bitcoin protocol, it would have recorded the transactions within Bitcoin's existing block chain.
The anonymity afforded by zerocoin is the result of cryptographic operations involved with separate zerocoin mint and spend transactions. To mint a zerocoin, a person generates a random serial number S, and encrypts (that is commits) this into a coin C by use of second random number r. In practice, C is a Pedersen Commitment. The coin C is added to a cryptographic accumulator by miners, and at the same time, the amount of bitcoin equal in value to the denomination of the zerocoin is added to a zerocoin escrow pool.
To redeem the zerocoin into bitcoin (preferably to a new public address) the owner of the coin needs to prove two things by way of a zero-knowledge proof. (A zero-knowledge proof is a method by which one party can prove to another that a given statement is true, without conveying any additional information apart from the fact that the statement is indeed true.) The first is that they know a coin C that belongs to the set of all other minted zerocoins (C1, C2,... Cn), without revealing which coin it is. In practice, this is done quickly by use of a one-way accumulator that does not reveal the members of the set. The second is that the person knows a number r, that along with the serial number S corresponds to a zerocoin. The proof and serial number S are posted as a zerocoin spend transaction, where miners verify the proof and that the serial number S has not been spent previously. After verification, the transaction is posted to the blockchain, and the amount of bitcoin equal to the zerocoin denomination is transferred from the zerocoin escrow pool. Anonymity in the transaction is assured because the minted coin C is not linked to the serial number S used to redeem the coin.
The accumulator used for the zero-knowledge proof would have to be re-computed every time a spend transaction is verified, and although this can be done incrementally if the accumulator checkpoint is carried on from earlier blocks to the new block, it would still add some overhead to the verification-process. Additionally, both the accumulator checkpoint and all the zerocoin serial numbers would have to be added to every bitcoin block, thus increasing the size (although not substantially).
Since the verification process for zerocoins is much more computationally heavy than for bitcoins, the verification time for a block would increase up to 6 times depending on the ratio between bitcoins and zerocoins. Preliminary tests done by the developers show that even with the increased verification time and blocks twice the size of current bitcoin blocks, the verification time for an entire block would not exceed five minutes, and since a new bitcoin block is currently created every ten minutes on average, the increased verification time should not be a problem.
Recognizing that Bitcoin was unlikely to implement zerocoin, the authors of zerocoin expressed hope that other cryptocurrencies would incorporate zerocoin anonymity features.
One criticism of zerocoin is the added computation time required by the process, which would need to have been performed primarily by bitcoin miners. If the proofs were posted to the block chain, this would also dramatically increase the size of the block chain. Nevertheless, as stated by the original author, the proofs could be stored outside of the blockchain. To counter criticisms that the anonymity offered by zerocoin would facilitate illegal activity, it has been suggested that a backdoor, or other features, could be added to the zerocoin protocol to allow police to track money laundering, but this was not advocated in the original paper.
Since a zerocoin will have the same denomination as the bitcoin used to mint the zerocoin, anonymity would be compromised if no other zerocoins (or few zerocoins) with the same denomination are currently minted but unspent. A potential solution to this problem would be to only allow zerocoins of specific set denominations, however this would increase the needed computation time since multiple zerocoins could be needed for one transaction.
Depending on the specific implementation, the zerocoin protocol would rely on one or more trusted parties to generate two large prime numbers, p and q, so n = p q. Since n has to be hard to factor, p and q must be unknown to normal users for zerocoin to be secure. The protocol could rely on RSA unfactorable objects to avoid having to have a trusted party for the setup process. Such a setup, however, is not possible with the new Zerocash protocol.
The improved version of the protocol "...that reduces proof sizes by 98% and allows for direct anonymous payments that hide payment amount" was announced on 16 November 2013. The developers presented their technical paper at the 2014 IEEE Security & Privacy Symposium along with launching the site.
The new protocol was called Zerocash. It is now not an extension to the Bitcoin, but rather an independent technology with the same basic principles as blockchain and transactions, which was planned to implement in alt-coin. Zerocash utilizes a special kind of zero-knowledge proof: Succinct Non-interactive ARguments of Knowledge (zk-SNARK) systems, which is in fact a cryptographic method for proving the integrity of computations. Such proofs are less than 300 bytes long and can be verified in only a few milliseconds. The drawbacks of zk-SNARK are: large initial database for verifying (about 1.2 GB) and long time for producing a proof (spending the coin): 87 seconds to 178 seconds.
- Bradbury, Danny (7 June 2013). "How anonymous is Bitcoin?". CoinDesk (CoinDesk Ltd.). Retrieved 8 February 2014.
- Miers, Ian; Garman, Christina; Green, Matthew; Rubin, Aviel D. (May 2013). Zerocoin: Anonymous Distributed E-Cash from Bitcoin (PDF). 2013 IEEE Symposium on Security and Privacy. IEEE Computer Society Conference Publishing Services. pp. 397â€“411. doi:10.1109/SP.2013.34. ISSN 1081-6011.
- Peck, Morgan E. (24 October 2013). "Whoâ€™s who in Bitcoin: Zerocoin hero Matthew Green". IEEE Spectrum (Institute of Electrical and Electronics Engineers). ISSN 0018-9235. Retrieved 31 January 2014.
- Hodson, Hal (13 March 2013). "Bitcoin add-on makes your virtual purchases private". NewScientist (Reed Business Information Ltd.). ISSN 0262-4079. Retrieved 8 February 2014.
- "Matthew Green's twitter".
- "Zerocash Main Page".
- "Matthew Green's twitter".
- Ben-Sasson, Eli; Chiesa, Alessandro; Tromer, Eran; Virza, Madars (2014). "Succinct Non-Interactive Zero Knowledge for a von Neumann Architecture". USENIX Security.
- "The verbatim record of M.Green's talk at Real World Cryptography Workshop".