Zerocoin protocol

From Wikipedia, the free encyclopedia
(Redirected from Zerocoin)

Zerocoin is a privacy protocol proposed in 2013 by Johns Hopkins University professor Matthew D. Green and his graduate students, Ian Miers and Christina Garman. It was designed as an extension to the Bitcoin protocol that would improve Bitcoin transactions' anonymity by having coin-mixing capabilities natively built into the protocol.[citation needed] Zerocoin is not currently compatible with Bitcoin.


Due to the public nature of the blockchain, users may have their privacy compromised while interacting with the network. To address this problem, third-party coin mixing service can be used to obscure the trail of cryptocurrency transactions. In May 2013, Matthew D. Green and his graduate students (Ian Miers and Christina Garman) proposed the Zerocoin protocol where cryptocurrency transactions can be anonymized without going through a trusted third-party, by which a coin is destroyed then minted again to erase its history.[1]

While a coin is spent, there is no information available which reveal exactly which coin is being spent.[2] Initially, the Zerocoin protocol was planned to be integrated into the Bitcoin network.[3] However, the proposal was not accepted by the Bitcoin community. Thus, the Zerocoin developers decided to launch the protocol into an independent cryptocurrency.[4] The project to create a standalone cryptocurrency implementing the Zerocoin protocol was named "Moneta".[5] In September 2016, Zcoin (XZC), the first cryptocurrency to implement the zerocoin protocol, was launched by Poramin Insom and team.[6] In January 2018, an academic paper partially funded by Zcoin was published on replacing Proof-of-work system with memory intensive Merkle tree proof algorithm in ensuring more equitable mining among ordinary users.[7] In April 2018, a cryptographic flaw was found in the Zerocoin protocol which allows an attacker to destroy the coins owned by honest users, create coins out of thin air, and steal users' coins.[8] The Zcoin cryptocurrency team while acknowledging the flaw, stated the high difficulty in performing such attacks and the low probability of giving economic benefit to the attacker.[9] In December 2018, Zcoin released an academic paper proposing the Lelantus protocol that removes the need for a trusted setup and hides the origin and the amount of coins in a transaction when using the Zerocoin protocol.[10][11]


Transactions which use the Zerocoin feature are drawn from an escrow pool, where each coin's transaction history is erased when it emerges.[12] Transactions are verified by zero-knowledge proofs, a mathematical way to prove a statement is true without revealing any other details about the question.[13]


On 16 November 2013, Matthew D. Green announced the Zerocash protocol, which provides additional anonymity by shielding the amount transacted.[14] Zerocash reduces transaction sizes by 98%, however was significantly more computationally expensive, taking up to 3.2 GB of memory to generate.[15][16] More recent developments into the protocol have reduced this to 40 MB.

Zerocash utilizes succinct non-interactive zero-knowledge arguments of knowledge (also known as zk-SNARKs), a special kind of zero-knowledge method for proving the integrity of computations.[17] Such proofs are less than 300 bytes long and can be verified in only a few milliseconds, and contain the additional advantage of hiding the amount transacted as well. However, unlike Zerocoin, Zerocash requires an initial set up by a trusted entity.[18]

Developed by Matthew D. Green, the assistant professor behind the Zerocoin protocol, Zcash was the first Zerocash based cryptocurrency which began development in 2013.[19]


Zcoin (XZC)[edit]

In the late 2014, Poramin Insom, a student in Masters in Security Informatics from Johns Hopkins University wrote a paper on implementing the zerocoin protocol into a cryptocurrency with Matthew Green as faculty member.[20][21] Roger Ver[6] and Tim Lee were Zcoin's initial investors.[22] Poramin also set up an exchanged named "Satang" that can convert Thai Baht to Zcoin directly.[21]

On 20 February 2017, a malicious coding attack on Zerocoin protocol created 370,000 fake tokens which perpetrators sold for over 400 Bitcoins ($440,000). Zcoin team announced that a single-symbol error in a piece of code "allowed an attacker to create Zerocoin spend transactions without a corresponding mint".[23] Unlike Ethereum during the DAO event, developers have opted not to destroy any coins or attempt to reverse what happened with the newly generated ones.[24]

In September 2018, Zcoin introduced the Dandelion protocol that hides the origin IP address of a sender without using a The Onion Router (Tor) or Virtual Private Network (VPN).[25][26] In November 2018, Zcoin conducted the world's first large-scale party elections in Thailand Democrat Party using InterPlanetary File System (IPFS).[27] In December 2018, Zcoin implemented Merkle tree proof, a mining algorithm that deters the usage of Application-specific integrated circuit (ASIC) in mining coins by being more memory intensive for the miners. This allows ordinary users to use central processing unit (CPU) and graphics card for mining, so as to enable egalitarianism in coin mining.[28] On 30 July 2019, Zcoin formally departed from Zerocoin protocol by adopting a new protocol called "Sigma" that prevents counterfeit privacy coins from inflating coin supply. This is achieved by removing a feature called "trusted setup" from the Zerocoin protocol.[29]


One criticism of zerocoin is the added computation time required by the process, which would need to have been performed primarily by bitcoin miners. If the proofs were posted to the blockchain, this would also dramatically increase the size of the blockchain. Nevertheless, as stated by the original author, the proofs could be stored outside the blockchain.[30]

Since a zerocoin will have the same denomination as the bitcoin used to mint the zerocoin, anonymity would be compromised if no other zerocoins (or few zerocoins) with the same denomination are currently minted but unspent. A potential solution to this problem would be to only allow zerocoins of specific set denominations, however, this would increase the needed computation time since multiple zerocoins could be needed for one transaction.[citation needed]

Depending on the specific implementation, Zerocoin requires two very large prime numbers to generate a parameter which cannot be easily factored. As such, these values must either be generated by trusted parties, or rely on RSA unfactorable objects to avoid the requirement of a trusted party.[1] Such a setup, however, is not possible with the Zerocash protocol.


  1. ^ a b Miers, Ian; Garman, Christina; Green, Matthew; Rubin, Aviel D. (May 2013). Zerocoin: Anonymous Distributed E-Cash from Bitcoin (PDF). 2013 IEEE Symposium on Security and Privacy. Security and Privacy, 2008. Sp 2008. IEEE Symposium on. IEEE Computer Society Conference Publishing Services. pp. 397–411. doi:10.1109/SP.2013.34. ISSN 1081-6011.
  2. ^ Morgen, E Peck (24 October 2013). "Who's Who in Bitcoin: Zerocoin Hero Matthew Green". IEEE Spectrum. Archived from the original on 4 September 2014. Retrieved 6 August 2018.
  3. ^ Janus, Kopfstein (23 April 2013). "Gold 2.0: can code and competition build a better Bitcoin?". Ther Verge. Archived from the original on 20 June 2018. Retrieved 7 August 2018.
  4. ^ Carrie, Wells (1 February 2014). "Hopkins researchers are creating an alternative to Bitcoin". The Baltimore Sun. Archived from the original on 27 November 2017. Retrieved 7 August 2018.
  5. ^ "Moneta - Engineering an ideal cryptocurrency". Archived from the original on 3 February 2015. Retrieved 11 August 2018.
  6. ^ a b "Cryptocurrency Zcoin Have Just Released 'French Drop' Their Best Privacy Update Yet". Business Insider. Zcoin team. 1 March 2018. Archived from the original on 7 August 2018. Retrieved 7 August 2018.
  7. ^ Alex, Biryukov; Dmitry, Khovratovich (2016). "Egalitarian computing". arXiv:1606.03588 [cs.CR].
  8. ^ Tim, Ruffing; Sri Avavinda, Krishnan; Viktoria, Ronge; Dominique, Schröder (12 April 2018). "A Cryptographic Flaw in Zerocoin (and Two Critical Coding Issues)". Chair of Applied Cryptography. Germany: University of Erlangen-Nuremberg. Retrieved 9 September 2018.
  9. ^ Reuben, Yap. "A statement on the paper "Burning Zerocoins for fun and profit"". Archived from the original on 9 September 2018. Retrieved 9 September 2018.
  10. ^ "Lelantus: Private transactions with hidden origins and amounts based on DDH" (PDF). Zcoin. Archived from the original (PDF) on 29 December 2018. Retrieved 29 December 2018.
  11. ^ Aram, Jivanyan (7 April 2019). "Lelantus: Towards Confidentiality and Anonymity of Blockchain Transactions from Standard Assumptions". Cryptology ePrint Archive (Report 373). Retrieved 14 April 2019.
  12. ^ "What You Need To Know About Zero Knowledge". TechCrunch. 7 February 2015. Retrieved 21 December 2018.
  13. ^ "Can This Man Build a Better Bitcoin?". Fortune. Archived from the original on 18 December 2017. Retrieved 21 December 2018.
  14. ^ Matthew D. Green [@matthew_d_green] (16 November 2013). "We designed a new version of Zerocoin that reduces proof sizes by 98% and allows for direct anonymous payments that hide payment amount" (Tweet). Retrieved 16 September 2015 – via Twitter.
  15. ^ "Zcash Integration Guide - Zcash". Zcash. Retrieved 26 November 2018.
  16. ^ Eli Ben, Sasson; Alessandro, Chiesa; Christina, Garman; Matthew, Green (18 May 2014). Zerocash: Decentralized Anonymous Payments from Bitcoin. 2014 IEEE Symphosium and Security. pp. 459–474. CiteSeerX doi:10.1109/SP.2014.36. ISBN 978-1-4799-4686-0. S2CID 5939799.
  17. ^ Ben-Sasson, Eli; Chiesa, Alessandro; Tromer, Eran; Virza, Madars (2014). "Succinct Non-Interactive Zero Knowledge for a von Neumann Architecture". USENIX Security.
  18. ^ "What You Need To Know About Zero Knowledge". TechCrunch. 7 February 2015. Retrieved 19 December 2018.
  19. ^ Popper, Nathaniel (November 2016). "Zcash, a Harder-to-Trace Virtual Currency, Generates Price Frenzy". The New York Times. Retrieved 26 November 2018.
  20. ^ Reuben, Yap. "An Interview with Poramin Insom, Zcoin's lead developer and founder". Archived from the original on 24 August 2018. Retrieved 8 September 2018.
  21. ^ a b Ezra Kryill, Erker (4 April 2019). "Cyberwarfare to cryptocurrency". Elite Plus Magazine. Archived from the original on 5 May 2019. Retrieved 5 May 2019.
  22. ^ Reuben, Yap. "A message from our new investor in Zcoin, Tim Lee". Archived from the original on 29 December 2017. Retrieved 13 August 2018.
  23. ^ Osborne, Charlie. "The risky business of bitcoin: High-profile cryptocurrency catastrophes". ZDNet. Retrieved 21 December 2018.
  24. ^ Rob, Price (20 February 2017). "A single typo let hackers steal $400,000 from a bitcoin rival". Business Insider. Archived from the original on 11 August 2018. Retrieved 11 August 2018.
  25. ^ Jintana, Panyaarvudh (15 December 2018). "The distributed passion of a crypto pioneer Insom". The Nation (Thailand). Archived from the original on 15 December 2018. Retrieved 1 January 2019.
  26. ^ "Zcoin is the first cryptocurrency to implement Dandelion privacy protocol". 4 October 2018. Archived from the original on 2 January 2019. Retrieved 1 January 2019.
  27. ^ Jintana, Panyaarvudh; Kas, Chanwanpen. "Reliable voting TECHNOLOGY". The Nation (Thailand). Archived from the original on 3 December 2018. Retrieved 29 December 2018.
  28. ^ "Zcoin Moves Against ASIC Monopoly With Merkle Tree Proof". Finance Magnates. 6 December 2018. Archived from the original on 6 December 2018. Retrieved 29 December 2018.
  29. ^ Andrew, Munro (30 July 2019). "Zcoin cryptocurrency introduces zero knowledge proofs with no trusted set-up". Finder Australia. Archived from the original on 30 July 2019. Retrieved 30 July 2019.
  30. ^ Peck, Morgan E. (24 October 2013). "Who's who in Bitcoin: Zerocoin hero Matthew Green". IEEE Spectrum. Institute of Electrical and Electronics Engineers. ISSN 0018-9235. Retrieved 31 January 2014.

External links[edit]