Zerocoin protocol

Zerocoin is a privacy protocol proposed by Johns Hopkins University professor Matthew D. Green and his graduate students (Ian Miers and Christina Garman) in 2013 as an extension to the bitcoin protocol that would add true cryptographic anonymity to bitcoin transactions. The protocol was first integrated into a fully functional cryptocurrency as Zcoin in 2016.

Zerocoin provides anonymity by the introduction of a separate mixing service known as zerocoin that is stored in the bitcoin blockchain. Though originally proposed for use with the bitcoin network, zerocoin could be integrated into any cryptocurrency.

History

All bitcoin transactions are public; therefore they can be easily traced on the blockchain, which can potentially compromise a user's privacy even though a pseudonym is used during the transactions. To address this problem, a third-party coin mixing service can be used to obscure the trail of bitcoin transactions. However, the reliability of the mixing depends on the trustworthiness of the mixing service operator. Therefore, Johns Hopkins University professor Matthew D. Green and his graduate students (Ian Miers and Christina Garman) proposed the zerocoin protocol in May 2013, in which cryptocurrency transactions can be anonymised without going through a trusted third party.[1] Under this protocol, a coin is destroyed and then minted again to erase the coin's past history. When a coin is spent, no information is available that reveals exactly which coin is being spent.[2][3] Initially, the zerocoin protocol was planned to be integrated into the Bitcoin network.[4] However, the proposal was not accepted by the Bitcoin community, so the zerocoin developers decided to launch the protocol as an independent cryptocurrency.[5] The project to create a standalone cryptocurrency implementing the zerocoin protocol was named "Moneta".[6] In September 2016, Zcoin (XZC), the first cryptocurrency to implement the zerocoin protocol, was launched by Poramin Insom and team.[7] In April 2018, a cryptographic flaw was found in the Zerocoin protocol that allows an attacker to destroy coins owned by honest users, create coins out of thin air, and steal users' coins.[8] The Zcoin team, while acknowledging the flaw, stated that such attacks are highly difficult to perform and unlikely to yield an economic benefit to the attacker.[9]

On 16 November 2013, Matthew D. Green announced the Zerocash protocol.[10] The Zerocash protocol provides more anonymity than zerocoin. Zerocash reduces the size of transactions by 98% and hides the amount of coins being transacted.[11] A new website dedicated to the Zerocash project was launched.[12] On 28 October 2016, the Zcash cryptocurrency was launched.[13]

Design

The zerocoin extension to bitcoin would have functioned like a money laundering pool, temporarily pooling bitcoins together in exchange for a temporary currency called zerocoins. While the laundering pool is an established concept already utilized by several currency laundering services, zerocoin would have implemented this at the protocol level, eliminating any reliance on trusted third parties. It anonymizes the exchanges to and from the pool using cryptographic principles, and as a proposed extension to the bitcoin protocol, it would have recorded the transactions within bitcoin's existing blockchain.

The anonymity afforded by zerocoin is the result of cryptographic operations involved in separate zerocoin mint and spend transactions.[1] To mint a zerocoin, a person generates a random serial number S and commits to it (the paper describes this as encrypting it) in a coin C using a second random number r. In practice, C is a Pedersen commitment. The coin C is added to a cryptographic accumulator by miners, and at the same time an amount of bitcoin equal in value to the denomination of the zerocoin is added to a zerocoin escrow pool.

To redeem the zerocoin into bitcoin (preferably to a new public address), the owner of the coin needs to prove two things by way of a zero-knowledge proof. (A zero-knowledge proof is a method by which one party can prove to another that a given statement is true without conveying any additional information apart from the fact that the statement is indeed true.) The first is that they know a coin C that belongs to the set of all minted zerocoins (C1, C2, ..., Cn), without revealing which coin it is. In practice, this is done quickly by use of a one-way accumulator that does not reveal the members of the set. The second is that the person knows a number r that, along with the serial number S, corresponds to a zerocoin. The proof and serial number S are posted as a zerocoin spend transaction, where miners verify the proof and check that the serial number S has not been spent previously. After verification, the transaction is posted to the blockchain, and the amount of bitcoin equal to the zerocoin denomination is transferred from the zerocoin escrow pool. Anonymity in the transaction is assured because the minted coin C is not linked to the serial number S used to redeem the coin.
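The mint, accumulate and spend steps above, as an added toy walkthrough (this is not code from the Zerocoin paper or from any Zcoin release). It models the Pedersen commitment C = g^S h^r, an RSA accumulator with per-coin membership witnesses, and the miner-side serial-number ledger that rejects double spends. All group parameters (P, G, H, N, U) are constructed toy values chosen for readability; a real deployment uses a prime-order group with independently generated g and h, an RSA modulus of unknown factorization, and, crucially, replaces the plain opening (C, r, witness) handed to the verifier here with a zero-knowledge proof so that only S is revealed. The accumulator requirement that coin values be prime is the paper's; the Miller-Rabin helper is an assumption of this example.

```python
"""Toy model of the Zerocoin mint / accumulate / spend flow (added example).

Parameters below are constructed and NOT secure. The spend step reveals the
commitment opening and witness directly; the real protocol proves knowledge
of them in zero knowledge so the verifier never learns which coin C is spent.
"""
import secrets

# Constructed toy parameters (assumptions of this example, not protocol values).
P = 2**89 - 1                   # Mersenne prime; commitments live in Z_P^*
G, H = 3, 7                     # assumed generators with unknown log_G(H)
N = (2**31 - 1) * (2**61 - 1)   # toy RSA modulus; real N's factors are unknown
U = 2                           # accumulator base


def is_probable_prime(n, rounds=16):
    """Miller-Rabin test: the RSA accumulator only admits prime coin values."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def commit(serial, r):
    """Pedersen commitment C = G^S * H^r mod P (hides S, binds to (S, r))."""
    return (pow(G, serial, P) * pow(H, r, P)) % P


def mint():
    """Choose a fresh serial S, then resample r until C is prime.
    Returns the public coin C and the owner's secret (S, r)."""
    serial = secrets.randbelow(P)
    while True:
        r = secrets.randbelow(P)
        c = commit(serial, r)
        if is_probable_prime(c):
            return c, (serial, r)


def accumulate(coins):
    """RSA accumulator A = U^(product of coins) mod N, plus a membership
    witness w_j = U^(product of the other coins) for each coin C_j."""
    acc = U
    for c in coins:
        acc = pow(acc, c, N)
    witnesses = {}
    for c in coins:
        w = U
        for other in coins:
            if other != c:
                w = pow(w, other, N)
        witnesses[c] = w
    return acc, witnesses


class SpendLedger:
    """Miner-side state: current accumulator value and every spent serial."""

    def __init__(self, acc):
        self.acc = acc
        self.spent = set()

    def verify_spend(self, serial, coin, r, witness):
        """Checks a miner performs on a spend. In the real protocol, coin, r
        and witness are replaced by a zero-knowledge proof that they exist."""
        if commit(serial, r) != coin:            # spender knows an opening of C
            return False
        if pow(witness, coin, N) != self.acc:    # C is in the accumulated set
            return False
        if serial in self.spent:                 # serial already redeemed
            return False
        self.spent.add(serial)
        return True
```

Running a few mints through the ledger shows the three checks in action: a valid spend is accepted once, a repeat of the same serial is rejected, a wrong r fails the commitment check, and a coin that was never accumulated fails the witness check.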

The accumulator used for the zero-knowledge proof would have to be re-computed every time a spend transaction is verified, and although this can be done incrementally if the accumulator checkpoint is carried over from earlier blocks to the new block, it would still add some overhead to the verification process. Additionally, both the accumulator checkpoint and all the zerocoin serial numbers would have to be added to every bitcoin block, thus increasing block size (although not substantially).

Since the verification process for zerocoins is much more computationally heavy than for bitcoins, the verification time for a block would increase up to 6 times depending on the ratio between bitcoins and zerocoins. Preliminary tests done by the developers show that even with the increased verification time and blocks twice the size of current bitcoin blocks, the verification time for an entire block would not exceed five minutes, and since a new bitcoin block is currently created every ten minutes on average, the increased verification time should not be a problem.[1]

Zerocash protocol

The new protocol was called Zerocash. It is not an extension of bitcoin but an independent technology with the same basic principles of blockchain and transactions, which was planned to be implemented in an alt-coin.[14] Zerocash uses succinct non-interactive zero-knowledge arguments of knowledge (zk-SNARKs), a special kind of zero-knowledge method for proving the integrity of computations.[15] Such proofs are less than 300 bytes long and can be verified in only a few milliseconds. However, zk-SNARKs require a large initial database for verifying (about 1.2 GB) and a long time to produce a proof (spending the coin): 87 to 178 seconds.[16]

Cryptocurrencies

Zcoin (XZC)

Zcoin's currency code is XZC (an unofficial ISO 4217 code).

In late 2014, Poramin Insom, a master's student in Security Informatics at Johns Hopkins University, wrote a paper on implementing the zerocoin protocol in a cryptocurrency, with Matthew Green as faculty member.[17] Zerocoin was first integrated into a fully functional cryptocurrency as Zcoin (XZC) on 28 September 2016, 12AM UTC.[18] Roger Ver[7] and Tim Lee were Zcoin's initial investors.[19] Poramin Insom is the lead developer of Zcoin.[20]

On 11 February 2017, Zcoin switched its proof-of-work algorithm from Lyra2 to Lyra2z in order to balance computational difficulty between CPU and GPU miners.[21] On 20 February 2017, a malicious coding attack on Zerocoin created 370,000 fake tokens, which the perpetrators sold for over 400 Bitcoins ($440,000). The Zerocoin team announced that a single-symbol error in a piece of code "allowed an attacker to create Zerocoin spend transactions without a corresponding mint". In an uncommon move, the developers opted not to destroy any coins or attempt to reverse what happened with the newly generated ones.[22] In November 2017, Zcoin released its masternode feature.[23] In March 2018, Zcoin was integrated into the Tor network. In the same month, the Zcoin light wallet was released.[21]

Private Instant Verified Transaction (PIVX)

PIVX is the first Proof of Stake cryptocurrency to have implemented the Zerocoin protocol. Zerocoin went live on PIVX on October 16, 2017.[24] The Zerocoin PIVX tokens are known as zPIV, combining PIV, the standard unit of PIVX, with the z from Zerocoin.[24] On May 8, 2018, PIVX became the first Proof of Stake cryptocurrency to allow private staking via zPoS (Zerocoin Proof of Stake).[25][26]

zPoS functions alongside PIVX's standard PoS system, with users free to choose between PIV and zPIV for their funds, although storing a combination of the two is also possible. Standard PIV within the PIVX Core wallet can be converted either automatically or manually to zPIV, which is stored in denominations of 1, 5, 10, 50, 100, 500, 1000, and 5000.[27] After 200 confirmations, zPIV becomes eligible for zPoS staking, which rewards stakers 3 zPIV, 50% more than the 2 PIV of regular PIV staking.[25] This larger reward was implemented as an incentive for stakers to support the zPoS ecosystem, whose privacy features scale with user participation as the accumulators expand.

Zcash (ZEC)

On April 28, 2017, Zcash surpassed $100m in market capitalization.[28]

Reception

One criticism of zerocoin is the added computation time required by the process, which would need to have been performed primarily by bitcoin miners. If the proofs were posted to the blockchain, this would also dramatically increase the size of the blockchain. Nevertheless, as stated by the original author, the proofs could be stored outside of the blockchain.[29] To counter criticisms that the anonymity offered by zerocoin would facilitate illegal activity, it has been suggested that a backdoor, or other features, could be added to the zerocoin protocol to allow police to track money laundering, but this was not advocated in the original paper.[30]

Since a zerocoin will have the same denomination as the bitcoin used to mint the zerocoin, anonymity would be compromised if no other zerocoins (or few zerocoins) with the same denomination are currently minted but unspent. A potential solution to this problem would be to only allow zerocoins of specific set denominations, however, this would increase the needed computation time since multiple zerocoins could be needed for one transaction.

Depending on the specific implementation, the zerocoin protocol would rely on one or more trusted parties to generate two large prime numbers, p and q, with n = pq. Since n has to be hard to factor, p and q must be unknown to normal users for zerocoin to be secure. The protocol could rely on RSA unfactorable objects (UFOs) to avoid needing a trusted party for the setup process.[1] Such a setup, however, is not possible with the new Zerocash protocol.

References

  1. Miers, Ian; Garman, Christina; Green, Matthew; Rubin, Aviel D. (May 2013). Zerocoin: Anonymous Distributed E-Cash from Bitcoin (PDF). 2013 IEEE Symposium on Security and Privacy. IEEE Computer Society Conference Publishing Services. pp. 397–411. doi:10.1109/SP.2013.34. ISSN 1081-6011.
  2. Peck, Morgan E. (24 October 2013). "Who's Who in Bitcoin: Zerocoin Hero Matthew Green". IEEE Spectrum. Archived from the original on 4 September 2014. Retrieved 6 August 2018.
  3. Yap, Reuben. "Understanding how Zerocoin in Zcoin works and how it compares to other anonymity solutions Part 1". zcoin.io. Archived from the original on 15 November 2017. Retrieved 5 August 2018.
  4. Kopfstein, Janus (23 April 2013). "Gold 2.0: can code and competition build a better Bitcoin?". The Verge. Archived from the original on 20 June 2018. Retrieved 7 August 2018.
  5. Wells, Carrie (1 February 2014). "Hopkins researchers are creating an alternative to Bitcoin". The Baltimore Sun. Archived from the original on 27 November 2017. Retrieved 7 August 2018.
  6. "Moneta - Engineering an ideal cryptocurrency". Moneta.cash. Archived from the original on 3 February 2015. Retrieved 11 August 2018.
  7. "Cryptocurrency Zcoin Have Just Released 'French Drop' Their Best Privacy Update Yet". Business Insider. Zcoin team. 1 March 2018. Archived from the original on 7 August 2018. Retrieved 7 August 2018.
  8. Ruffing, Tim; Krishnan, Sri Aravinda; Ronge, Viktoria; Schröder, Dominique (12 April 2018). "A Cryptographic Flaw in Zerocoin (and Two Critical Coding Issues)". Chair of Applied Cryptography. Germany: University of Erlangen-Nuremberg. Retrieved 9 September 2018.
  9. Yap, Reuben. "A statement on the paper "Burning Zerocoins for fun and profit"". Zcoin.io. Archived from the original on 9 September 2018. Retrieved 9 September 2018.
  10. Green, Matthew D. [@matthew_d_green] (16 November 2013). "We designed a new version of Zerocoin that reduces proof sizes by 98% and allows for direct anonymous payments that hide payment amount" (Tweet). Retrieved 16 September 2015 via Twitter.
  11. Ben-Sasson, Eli; Chiesa, Alessandro; Garman, Christina; Green, Matthew (18 May 2014). "Zerocash: Decentralized Anonymous Payments from Bitcoin". 2014 IEEE Symposium on Security and Privacy. doi:10.1109/SP.2014.36.
  12. The Zerocash Team. "Zerocash - Zerocash". zerocash-project.org. Retrieved 16 September 2017.
  13. "Zcash begins". Zcash blog. Archived from the original on 10 August 2018. Retrieved 10 August 2018.
  14. Green, Matthew [@matthew_d_green] (16 November 2013). "@NateA11 @koolfy We need a few months to clean up the code. We plan to release the client and an alt-chain" (Tweet) via Twitter.
  15. Ben-Sasson, Eli; Chiesa, Alessandro; Tromer, Eran; Virza, Madars (2014). "Succinct Non-Interactive Zero Knowledge for a von Neumann Architecture". USENIX Security.
  16. "Untitled". Pastebin.com. 16 January 2014. Retrieved 16 September 2017.
  17. Yap, Reuben. "An Interview with Poramin Insom, Zcoin's lead developer and founder". zcoin.io. Archived from the original on 24 August 2018. Retrieved 8 September 2018.
  18. "Zcoin - Private Financial Transactions enabled by the Zerocoin Protocol". Zcoin. Retrieved 16 September 2017.
  19. Yap, Reuben. "A message from our new investor in Zcoin, Tim Lee". Archived from the original on 29 December 2017. Retrieved 13 August 2018.
  20. Yap, Reuben. "An Interview with Poramin Insom, Zcoin's lead developer and founder". zcoin.io. Archived from the original on 29 December 2017. Retrieved 24 August 2018.
  21. Yap, Reuben. "Zcoin roadmap". Zcoin.io. Archived from the original on 24 August 2018. Retrieved 24 August 2018.
  22. Price, Rob (20 February 2017). "A single typo let hackers steal $400,000 from a bitcoin rival". Business Insider. Archived from the original on 11 August 2018. Retrieved 11 August 2018.
  23. Yap, Reuben. "Znodes Specifications Release and Founders' Rewards Reduction". zcoin.io. Archived from the original on 18 January 2018. Retrieved 14 August 2018.
  24. "Zerocoin Protocol and POS (zPIV)". PIVX. 2 October 2017. Retrieved 10 May 2018.
  25. "zPoS – Zerocoin Meets Proof of Stake". PIVX. 1 March 2018. Retrieved 10 May 2018.
  26. "PIVX Becomes the World's First Anonymous Proof-of-Stake Cryptocurrency". NewsBTC. 8 May 2018. Retrieved 10 May 2018.
  27. "PIVX Block Explorer Home". www.presstab.pw. Retrieved 10 May 2018.
  28. Young, Joseph (3 May 2017). "Zcash 6-Month Anniversary Special: Milestones, $100 Mln Market Cap, Vision". Cointelegraph. Retrieved 6 May 2018.
  29. Peck, Morgan E. (24 October 2013). "Who's who in Bitcoin: Zerocoin hero Matthew Green". IEEE Spectrum. Institute of Electrical and Electronics Engineers. ISSN 0018-9235. Retrieved 31 January 2014.
  30. Hodson, Hal (13 March 2013). "Bitcoin add-on makes your virtual purchases private". NewScientist. Reed Business Information Ltd. ISSN 0262-4079. Retrieved 8 February 2014.
This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.