Difference between revisions of "Zerocoin"

From Bitcoin Wiki
Jump to: navigation, search
(Extensions of Zerocoin: de-wikilink Anoncoin)
m (minor edits for clarity and minor updates)
 
Line 1: Line 1:
'''Zerocoin''' is a proposed extension to the Bitcoin protocol that would add true cryptographic anonymity to bitcoin transactions. Given that bitcoin transactions are stored in a public ledger (in the block chain]), the history of any transaction can be traced. Zerocoin provides for anonymity by the introduction of a separate ''zerocoin'' cryptocurrency that is stored in the Bitcoin block chain. Zerocoins are purchased with bitcoin in fixed demoninations by a zerocoin mint transaction. Later, these zerocoins can be redeemed for bitcoin to a different bitcoin address by a zerocoin spend transaction. Through the use of cryptographic accumulators and digital commitments with zero-knowledge proofs, it is not possible to link the bitcoin address that was used to mint the original zerocoin to the bitcoin address used to redeem the zerocoin. Though originally proposed for use with the Bitcoin network, Zerocoin could be integrated into any [[cryptocurrency]].
+
'''Zerocoin''' is a proposed extension to the Bitcoin protocol that would add true cryptographic anonymity to bitcoin transactions. Given that bitcoin transactions are stored in a public ledger (in the block chain]), the history of any transaction can be traced. Zerocoin provides for anonymity by the introduction of a separate ''zerocoin'' cryptocurrency that is stored in the Bitcoin block chain. Zerocoins are purchased with the base currency in fixed demoninations by a zerocoin mint transaction. Later, these zerocoins can be redeemed for the base currency to a different address by a zerocoin spend transaction. Through the use of cryptographic accumulators and digital commitments with zero-knowledge proofs, it is not possible to link the address that was used to mint the original zerocoin to the address used to redeem the zerocoin. Though originally proposed for use with the Bitcoin network, Zerocoin could be integrated into any [[cryptocurrency]].
  
 
==Rationale for Zerocoin==
 
==Rationale for Zerocoin==
Bitcoin transactions are all stored, by design, in a public ledger (the block chain) that is accessible to everyone. These transactions provide privacy through pseudonymity, in that while each transaction is associated with the public address of the sender and receiver, the names of the owners of these addresses are at no time made known to the Bitcoin network. To increase privacy, each person could create as many public addresses as they like, making it difficult to link transactions to the same person. If additional privacy were required, it is possible to launder bitcoin through a trusted third party, where the input coins are mixed in a large pool and output to a new address.<ref name="Bradbury">{{ cite news | title=How anonymous is Bitcoin? | last=Bradbury | first=Danny | date=7 June 2013 | work=CoinDesk | publisher=CoinDesk Ltd. | url=http://www.coindesk.com/how-anonymous-is-bitcoin/ | accessdate=8 February 2014 }}</ref>
+
Bitcoin transactions are all stored, by design, in a public ledger (the block chain) that is accessible to everyone. These transactions provide privacy through pseudonymity, in that while each transaction is associated with the public address of the sender and receiver, the names of the owners of these addresses are at no time made known to the network. To increase privacy, each person could create as many public addresses as they like, making it difficult to link transactions to the same person. If additional privacy were required, it is possible to launder coins through a trusted third party, where the input coins are mixed in a large pool and output to a new address.<ref name="Bradbury">{{ cite news | title=How anonymous is Bitcoin? | last=Bradbury | first=Danny | date=7 June 2013 | work=CoinDesk | publisher=CoinDesk Ltd. | url=http://www.coindesk.com/how-anonymous-is-bitcoin/ | accessdate=8 February 2014 }}</ref>
  
Regardless of the best precautions, by data mining of the block chain, it becomes possible in certain cases to link a set of public addresses to a specific (unnamed) individual. For example, this could be done by the analysis of spending habits, or by having the change of a transaction from one public address being sent to another. Furthermore, by utilizing information external to the block chain, such as public bitcoin addresses posted on a web site, or the postal address used with a bitcoin purchase, the possibility exists that every single bitcoin transaction of a given person could be determined.
+
Regardless of the best precautions, by data mining of the block chain, it becomes possible in certain cases to link a set of public addresses to a specific (unnamed) individual. For example, this could be done by the analysis of spending habits, or by having the change of a transaction from one public address being sent to another. Furthermore, by utilizing information external to the block chain, such as public addresses posted on a web site, or the postal address used with an internet purchase, the possibility exists that every single transaction of a given person could be determined.
  
 
== Zerocoin protocol==
 
== Zerocoin protocol==
  
 
The Zerocoin<ref name="Miers">I. Miers, C. Garman, M. Green, and A. D. Rubin (2013). [http://spar.isi.jhu.edu/~mgreen/ZerocoinOakland.pdf| Zerocoin: Anonymous Distributed E-Cash from Bitcoin], 2013 IEEE Symposium on Security and Privacy, IEEE Computer Society
 
The Zerocoin<ref name="Miers">I. Miers, C. Garman, M. Green, and A. D. Rubin (2013). [http://spar.isi.jhu.edu/~mgreen/ZerocoinOakland.pdf| Zerocoin: Anonymous Distributed E-Cash from Bitcoin], 2013 IEEE Symposium on Security and Privacy, IEEE Computer Society
Conference Publishing Services, 397–411,  doi:10.1109/SP.2013.34</ref> extension to bitcoin would have functioned like a money laundering pool, temporarily pooling bitcoins together in exchange for a temporary currency called Zerocoins. While the laundering pool is an established concept already utilized by several currency laundering services, Zerocoin would have implemented this at the protocol level, eliminatating any reliance on trusted third parties. It anonymizes the exchanges to and from the pool using cryptographic principles, and as a proposed extension to the Bitcoin protocol, it would have recorded the transactions within Bitcoin's existing block chain.
+
Conference Publishing Services, 397–411,  doi:10.1109/SP.2013.34</ref> extension to bitcoin would have functioned like a money laundering pool, temporarily pooling bitcoins together in exchange for a temporary currency called Zerocoins. While the laundering pool is an established concept already utilized by several currency laundering services, Zerocoin would have implemented this at the protocol level, eliminatating any reliance on trusted third parties. It anonymizes the exchanges to and from the pool using cryptographic principles, and as a proposed extension to the Bitcoin protocol, it would have recorded the transactions within the existing block chain.
  
The anonymity afforded by Zerocoin is the result of cryptographic operations involved with separate zerocoin mint and spend transactions.<ref name="Miers"/> To mint a zerocoin, a person generates a random serial number ''S'', and encrypts (that is commits) this into a coin ''C'' by use of second random number ''r''. In practice, ''C'' is a Pedersen Commitment. The coin ''C'' is added to a cryptographic accumulator by miners, and at the same time, the amount of bitcoin equal in value to the denomination of the zerocoin is added to a zerocoin escrow pool.
+
The anonymity afforded by Zerocoin is the result of cryptographic operations involved with separate zerocoin mint and spend transactions.<ref name="Miers"/> To mint a zerocoin, a person generates a random serial number ''S'', and encrypts this into a coin ''C'' by use of second random number ''r''. The coin ''C'' is added to a cryptographic accumulator by miners, and at the same time, the amount of the base currency equal in value to the denomination of the zerocoin is added to a zerocoin escrow pool.
  
To redeem the zerocoin into bitcoin (preferably to a new public address) the owner of the coin needs to prove two things by way of a zero-knowledge proof. (A zero-knowledge proof is a method by which one party can prove to another that a given statement is true, without conveying any additional information apart from the fact that the statement is indeed true.) The first is that they know a coin ''C'' that belongs to the set of all other minted zerocoins (''C1'', ''C2'',... ''Cn''), without revealing which coin it is. In practice, this is done quickly by use of a one-way accumulator that does not reveal the members of the set. The second is that the person knows a number ''r'', that along with the serial number ''S'' corresponds to a zerocoin. The proof and serial number ''S'' are posted as a zerocoin spend transaction, where miners verify the proof and that the serial number ''S'' has not been spent previously. After verification, the transaction is posted to the blockchain, and the amount of bitcoin equal to the zerocoin denomination is transferred from the zerocoin escrow pool. Anonymity in the transaction is assured because the minted coin ''C'' is not linked to the serial number ''S'' used to redeem the coin.
+
To redeem the zerocoin for the base currency, the owner of the coin needs to prove two things by way of a zero-knowledge proof. (A zero-knowledge proof is a method by which one party can prove to another that a given statement is true, without conveying any additional information apart from the fact that the statement is indeed true.) The first is that they know a coin ''C'' that belongs to the set of all other minted zerocoins (''C1'', ''C2'',... ''Cn''), without revealing which coin it is. The second is that the person knows a number ''r'', that along with the serial number ''S'' corresponds to a zerocoin. The proof and serial number ''S'' are posted as a zerocoin spend transaction, where miners verify the proof and that the serial number ''S'' has not been spent previously. After verification, the transaction is posted to the blockchain, and the amount of the base currency equal to the zerocoin denomination is transferred from the zerocoin escrow pool. Anonymity in the transaction is assured because the minted coin ''C'' is not linked to the serial number ''S'' used to redeem the coin.
  
One criticism of Zerocoin is the added computation time required by the process, which would need to have been performed primarily by bitcoin miners. If the proofs were posted to the block chain, this would also dramatically increase the size of the block chain.<ref name=peck2013>{{cite news | url=http://spectrum.ieee.org/computing/networks/whos-who-in-bitcoin-zerocoin-hero-matthew-green | title=Who’s who in Bitcoin: Zerocoin hero Matthew Green | work=IEEE Spectrum | last=Peck | first=Morgan E. | date=24 October 2013 | accessdate=31 January 2014 | publisher=Institute of Electrical and Electronics Engineers}}</ref> To counter criticisms that the anonymity offered by Zerocoin would facilitate illegal activity, it has been suggested that a “back door”, or other features, could be added to the Zerocoin protocol to allow police to track money laundering.<ref>{{cite news | title=Bitcoin add-on makes your virtual purchases private | date=13 March 2013 | last=Hodson | first=Hal | work=NewScientist | publisher=Reed Business Information Ltd. | url=http://www.newscientist.com/blogs/onepercent/2013/03/bitcoin-zerocoin.html | accessdate=8 February 2014 }}</ref>
+
One criticism of Zerocoin is the added computation time required by the process, which would need to have been performed primarily by miners. If the proofs were posted to the block chain, this would also dramatically increase the size of the block chain.<ref name=peck2013>{{cite news | url=http://spectrum.ieee.org/computing/networks/whos-who-in-bitcoin-zerocoin-hero-matthew-green | title=Who’s who in Bitcoin: Zerocoin hero Matthew Green | work=IEEE Spectrum | last=Peck | first=Morgan E. | date=24 October 2013 | accessdate=31 January 2014 | publisher=Institute of Electrical and Electronics Engineers}}</ref>
  
 
==Extensions of Zerocoin==
 
==Extensions of Zerocoin==
  
Recognizing that Bitcoin was unlikely to be implement Zerocoin, the authors of Zerocoin expressed hope that other cryptocurrencies would incorporate Zerocoin anonymity features.<ref name="Bradbury" /> Currently, Zerocoin is being implemented in the alternative cryptocurrency Anoncoin.<ref>{{cite web |url=http://anoncoin.net |accessdate=2014-04-03|title=AnonCoin}}</ref> In addition, Zerocoin developer Matthew Green announced that Zerocoin would be released as an independent [[cryptocurrency]], going into circulation in May 2014 “in some sort of beta program”.<ref name=greenberg2014>{{cite news|last=Greenberg | first=Andy | date=13 January 2014 | url=http://www.forbes.com/sites/andygreenberg/2014/01/13/bitcoin-anonymity-upgrade-zerocoin-to-become-its-own-cryptocurrency/ |title=Bitcoin Anonymity Upgrade Zerocoin To Become An Independent Cryptocurrency |work=Forbes|publisher=Forbes Inc. |accessdate=2014-01-30}}</ref>
+
Recognizing that Bitcoin was unlikely to be implement Zerocoin, the authors of Zerocoin expressed hope that other cryptocurrencies would incorporate Zerocoin anonymity features.<ref name="Bradbury" /> Currently, Zerocoin is being implemented in the alternative cryptocurrency Anoncoin.<ref>{{cite web |url=http://anoncoin.net |accessdate=2014-04-03|title=Anoncoin}}</ref>  
  
 
== References ==
 
== References ==

Latest revision as of 21:40, 18 August 2014

Zerocoin is a proposed extension to the Bitcoin protocol that would add true cryptographic anonymity to bitcoin transactions. Given that bitcoin transactions are stored in a public ledger (in the block chain]), the history of any transaction can be traced. Zerocoin provides for anonymity by the introduction of a separate zerocoin cryptocurrency that is stored in the Bitcoin block chain. Zerocoins are purchased with the base currency in fixed demoninations by a zerocoin mint transaction. Later, these zerocoins can be redeemed for the base currency to a different address by a zerocoin spend transaction. Through the use of cryptographic accumulators and digital commitments with zero-knowledge proofs, it is not possible to link the address that was used to mint the original zerocoin to the address used to redeem the zerocoin. Though originally proposed for use with the Bitcoin network, Zerocoin could be integrated into any cryptocurrency.

Rationale for Zerocoin

Bitcoin transactions are all stored, by design, in a public ledger (the block chain) that is accessible to everyone. These transactions provide privacy through pseudonymity, in that while each transaction is associated with the public address of the sender and receiver, the names of the owners of these addresses are at no time made known to the network. To increase privacy, each person could create as many public addresses as they like, making it difficult to link transactions to the same person. If additional privacy were required, it is possible to launder coins through a trusted third party, where the input coins are mixed in a large pool and output to a new address.[1]

Regardless of the best precautions, by data mining of the block chain, it becomes possible in certain cases to link a set of public addresses to a specific (unnamed) individual. For example, this could be done by the analysis of spending habits, or by having the change of a transaction from one public address being sent to another. Furthermore, by utilizing information external to the block chain, such as public addresses posted on a web site, or the postal address used with an internet purchase, the possibility exists that every single transaction of a given person could be determined.

Zerocoin protocol

The Zerocoin[2] extension to bitcoin would have functioned like a money laundering pool, temporarily pooling bitcoins together in exchange for a temporary currency called Zerocoins. While the laundering pool is an established concept already utilized by several currency laundering services, Zerocoin would have implemented this at the protocol level, eliminatating any reliance on trusted third parties. It anonymizes the exchanges to and from the pool using cryptographic principles, and as a proposed extension to the Bitcoin protocol, it would have recorded the transactions within the existing block chain.

The anonymity afforded by Zerocoin is the result of cryptographic operations involved with separate zerocoin mint and spend transactions.[2] To mint a zerocoin, a person generates a random serial number S, and encrypts this into a coin C by use of second random number r. The coin C is added to a cryptographic accumulator by miners, and at the same time, the amount of the base currency equal in value to the denomination of the zerocoin is added to a zerocoin escrow pool.

To redeem the zerocoin for the base currency, the owner of the coin needs to prove two things by way of a zero-knowledge proof. (A zero-knowledge proof is a method by which one party can prove to another that a given statement is true, without conveying any additional information apart from the fact that the statement is indeed true.) The first is that they know a coin C that belongs to the set of all other minted zerocoins (C1, C2,... Cn), without revealing which coin it is. The second is that the person knows a number r, that along with the serial number S corresponds to a zerocoin. The proof and serial number S are posted as a zerocoin spend transaction, where miners verify the proof and that the serial number S has not been spent previously. After verification, the transaction is posted to the blockchain, and the amount of the base currency equal to the zerocoin denomination is transferred from the zerocoin escrow pool. Anonymity in the transaction is assured because the minted coin C is not linked to the serial number S used to redeem the coin.

One criticism of Zerocoin is the added computation time required by the process, which would need to have been performed primarily by miners. If the proofs were posted to the block chain, this would also dramatically increase the size of the block chain.[3]

Extensions of Zerocoin

Recognizing that Bitcoin was unlikely to be implement Zerocoin, the authors of Zerocoin expressed hope that other cryptocurrencies would incorporate Zerocoin anonymity features.[1] Currently, Zerocoin is being implemented in the alternative cryptocurrency Anoncoin.[4]

References

  1. 1.0 1.1 Bradbury, Danny (7 June 2013). "How anonymous is Bitcoin?". CoinDesk (CoinDesk Ltd.). http://www.coindesk.com/how-anonymous-is-bitcoin/. Retrieved 8 February 2014.
  2. 2.0 2.1 I. Miers, C. Garman, M. Green, and A. D. Rubin (2013). Zerocoin: Anonymous Distributed E-Cash from Bitcoin, 2013 IEEE Symposium on Security and Privacy, IEEE Computer Society Conference Publishing Services, 397–411, doi:10.1109/SP.2013.34
  3. Peck, Morgan E. (24 October 2013). "Who’s who in Bitcoin: Zerocoin hero Matthew Green". IEEE Spectrum (Institute of Electrical and Electronics Engineers). http://spectrum.ieee.org/computing/networks/whos-who-in-bitcoin-zerocoin-hero-matthew-green. Retrieved 31 January 2014.
  4. "Anoncoin". http://anoncoin.net. Retrieved 2014-04-03.

See also