The Zerocoin logo
Zerocoin is a cryptocurrency proposed by Johns Hopkins University professor Matthew D. Green and graduate students Ian Miers and Christina Garman as an extension to the bitcoin protocol that would add true cryptographic anonymity to bitcoin transactions. Zerocoin was first implemented into a fully functional cryptocurrency released to the public by Poramin Insom, as the Zcoin. Zerocoin provides anonymity by the introduction of a separate mixing service known as zerocoin that is stored in the bitcoin blockchain. Though originally proposed for use with the bitcoin network, zerocoin could be integrated into any cryptocurrency.
Bitcoin transactions are all stored, by design, in a public ledger (the blockchain) that is accessible to everyone. These transactions provide privacy through pseudonymity, in that while each transaction is associated with the public address of the sender and receiver, the names of the owners of these addresses are at no time made known to the bitcoin network. To increase privacy, each person could create as many public addresses as they like, making it difficult to link transactions to the same person. If additional privacy were required, it is possible to launder bitcoin through a trusted third party, where the input coins are mixed in a large pool and output to a new address.
Regardless of the best precautions, by data mining of the blockchain, it becomes possible in certain cases to link a set of public addresses to a specific (unnamed) individual. For example, this could be done by the analysis of spending habits, or by having the change of a transaction from one public address being sent to another. Furthermore, by utilizing information external to the blockchain, such as public bitcoin addresses posted on a web site, or the postal address used with a bitcoin purchase, the possibility exists that every single bitcoin transaction of a given person could be determined.
Zerocoins are purchased with bitcoin in fixed denominations by a zerocoin mint transaction. Later, these zerocoins can be redeemed for bitcoin to a different bitcoin address by a zerocoin spend transaction. Through the use of cryptographic accumulators and digital commitments with zero-knowledge proofs, it is not possible to link the bitcoin address that was used to mint the original zerocoin to the bitcoin address used to redeem the zerocoin.
The zerocoin extension to bitcoin would have functioned like a money laundering pool, temporarily pooling bitcoins together in exchange for a temporary currency called zerocoins. While the laundering pool is an established concept already utilized by several currency laundering services, zerocoin would have implemented this at the protocol level, eliminating any reliance on trusted third parties. It anonymizes the exchanges to and from the pool using cryptographic principles, and as a proposed extension to the bitcoin protocol, it would have recorded the transactions within bitcoin's existing blockchain.
The anonymity afforded by zerocoin is the result of cryptographic operations involved with separate zerocoin mint and spend transactions. To mint a zerocoin, a person generates a random serial number S, and encrypts (that is commits) this into a coin C by use of second random number r. In practice, C is a Pedersen Commitment. The coin C is added to a cryptographic accumulator by miners, and at the same time, the amount of bitcoin equal in value to the denomination of the zerocoin is added to a zerocoin escrow pool.
To redeem the zerocoin into bitcoin (preferably to a new public address) the owner of the coin needs to prove two things by way of a zero-knowledge proof. (A zero-knowledge proof is a method by which one party can prove to another that a given statement is true, without conveying any additional information apart from the fact that the statement is indeed true.) The first is that they know a coin C that belongs to the set of all other minted zerocoins (C1, C2,... Cn), without revealing which coin it is. In practice, this is done quickly by use of a one-way accumulator that does not reveal the members of the set. The second is that the person knows a number r, that along with the serial number S corresponds to a zerocoin. The proof and serial number S are posted as a zerocoin spend transaction, where miners verify the proof and that the serial number S has not been spent previously. After verification, the transaction is posted to the blockchain, and the amount of bitcoin equal to the zerocoin denomination is transferred from the zerocoin escrow pool. Anonymity in the transaction is assured because the minted coin C is not linked to the serial number S used to redeem the coin.
The accumulator used for the zero-knowledge proof would have to be re-computed every time a spend transaction is verified, and although this can be done incrementally if the accumulator checkpoint is carried on from earlier blocks to the new block, it would still add some overhead to the verification-process. Additionally, both the accumulator checkpoint and all the zerocoin serial numbers would have to be added to every bitcoin block, thus increasing the size (although not substantially).
Since the verification process for zerocoins is much more computationally heavy than for bitcoins, the verification time for a block would increase up to 6 times depending on the ratio between bitcoins and zerocoins. Preliminary tests done by the developers show that even with the increased verification time and blocks twice the size of current bitcoin blocks, the verification time for an entire block would not exceed five minutes, and since a new bitcoin block is currently created every ten minutes on average, the increased verification time should not be a problem.
SmartCash (SMART) is a Keccak SHA-3 algorithm, mineable coin that uses Zero-knowledge proofs from the zerocoin extension.
ZeroVert (ZER) is a Scrypt-N algorithm coin, merge-mineable on the VTC chain with a total circulation of 8.4 million ZER.
||The neutrality of this section is disputed. (April 2017) (Learn how and when to remove this template message)|
|ISO 4217 code||XZC[lower-alpha 1]|
Note that paragraphs below extolling the benefits of Zcoin are directly copied from the Zcoin official website zcoin.io and appear to be an advert by someone associated with Zcoin.
Zerocoin was first implemented into a fully functional cryptocurrency called Zcoin (XZC), a project that went live on September 28, 2016, 12AM UTC. The project's testnet software was first released to the public on December 18, 2015 under the name Moneta (not Moneta Verde (MCN)) before it was dubbed to Zcoin.
Three major differences between Zcoin (Zerocoin Protocol) and Zcash (Zerocash Protocol) are as follows:
- Zcash conceals the amount of money sent in each transaction, whereas Zcoin does not. So Zcash is less prone to privacy timing attacks than Zcoin. On the other hand, this comes with a big tradeoff for Zcash, in the form of potentially undetected hyper-inflation in Zerocash’s money supply.
- Parameter generation:
- Zcash requires a higher use of memory with significantly longer time needed to send a private transaction than Zcoin. On the other hand, Zcoin currently requires significantly more storage space than Zcash.
||The neutrality of this section is disputed. (April 2017) (Learn how and when to remove this template message)|
The improved version of the protocol "that reduces proof sizes by 98% and allows for direct anonymous payments that hide payment amount" was announced on 16 November 2013. The developers presented their technical paper at the 2014 IEEE Security & Privacy Symposium along with launching the site.
The new protocol was called Zerocash. It is now not an extension to the bitcoin, but rather an independent technology with the same basic principles as blockchain and transactions, which was planned to implement in alt-coin. Zerocash utilizes succinct non-interactive zero-knowledge arguments of knowledge (also known as zk-SNARKs), a special kind of zero-knowledge method for proving the integrity of computations. Such proofs are less than 300 bytes long and can be verified in only a few milliseconds. However, zk-SNARKs require a large initial database for verifying (about 1.2 GB) and long time for producing a proof (spending the coin): 87 seconds to 178 seconds.
A faster implementation of zero knowledge proofs using zk-SNARKs was created for a new cryptocurrency called CredaCash. CredaCash requires only about 3 seconds and 85 KB of memory to create a transaction proof. Similar to Zerocash, CredaCash is an alt-coin with its own blockchain and transaction protocol. The CredaCash developer hope they can offer CredaCash to the market in 2016.
One criticism of zerocoin is the added computation time required by the process, which would need to have been performed primarily by bitcoin miners. If the proofs were posted to the blockchain, this would also dramatically increase the size of the blockchain. Nevertheless, as stated by the original author, the proofs could be stored outside of the blockchain. To counter criticisms that the anonymity offered by zerocoin would facilitate illegal activity, it has been suggested that a backdoor, or other features, could be added to the zerocoin protocol to allow police to track money laundering, but this was not advocated in the original paper.
Since a zerocoin will have the same denomination as the bitcoin used to mint the zerocoin, anonymity would be compromised if no other zerocoins (or few zerocoins) with the same denomination are currently minted but unspent. A potential solution to this problem would be to only allow zerocoins of specific set denominations, however this would increase the needed computation time since multiple zerocoins could be needed for one transaction.
Depending on the specific implementation, the zerocoin protocol would rely on one or more trusted parties to generate two large prime numbers, p and q, so n = p q. Since n has to be hard to factor, p and q must be unknown to normal users for zerocoin to be secure. The protocol could rely on RSA unfactorable objects to avoid having to have a trusted party for the setup process. Such a setup, however, is not possible with the new Zerocash protocol.
- "Zcoin (XZC) Private financial transactions enabled by the Zerocoin Protocol - Zcoin". Zcoin. Retrieved 2017-03-16.
- Bradbury, Danny (7 June 2013). "How anonymous is Bitcoin?". CoinDesk. CoinDesk Ltd. Retrieved 8 February 2014.
- Miers, Ian; Garman, Christina; Green, Matthew; Rubin, Aviel D. (May 2013). Zerocoin: Anonymous Distributed E-Cash from Bitcoin (PDF). 2013 IEEE Symposium on Security and Privacy. IEEE Computer Society Conference Publishing Services. pp. 397–411. ISSN 1081-6011. doi:10.1109/SP.2013.34.
- "Zcoin". Retrieved 2016-10-01.
- "Zcoin and Zcash: Similarities and Differences - Zcoin". Zcoin. 2016-10-05. Retrieved 2017-03-16.
- Matthew D. Green [matthew_d_green] (November 16, 2013). "We designed a new version of Zerocoin that reduces proof sizes by 98% and allows for direct anonymous payments that hide payment amount." (Tweet). Retrieved September 16, 2015.
- "IEEE Symposium on Security and Privacy 2014". Ieee-security.org. Retrieved 2016-06-17.
- "Zerocash Main Page".
- "Matthew Green's twitter".
- Ben-Sasson, Eli; Chiesa, Alessandro; Tromer, Eran; Virza, Madars (2014). "Succinct Non-Interactive Zero Knowledge for a von Neumann Architecture". USENIX Security.
- "The verbatim record of M.Green's talk at Real World Cryptography Workshop".
- "Mementos for http://zerocash-project.org/ around 2016-01-11: http://mementoweb.org/list/20160111093041/http://zerocash-project.org/ #memento". Timetravel.mementoweb.org. Retrieved 2016-06-17. External link in
- "CredaCash Whitepaper".
- Peck, Morgan E. (24 October 2013). "Who’s who in Bitcoin: Zerocoin hero Matthew Green". IEEE Spectrum. Institute of Electrical and Electronics Engineers. ISSN 0018-9235. Retrieved 31 January 2014.
- Hodson, Hal (13 March 2013). "Bitcoin add-on makes your virtual purchases private". NewScientist. Reed Business Information Ltd. ISSN 0262-4079. Retrieved 8 February 2014.