Zerocoin is a proposed extension to the Bitcoin protocol that would add true cryptographic anonymity to bitcoin transactions. Given that bitcoin transactions are stored in a public ledger (in the block chain]), the history of any transaction can be traced. Zerocoin provides for anonymity by the introduction of a separate zerocoin cryptocurrency that is stored in the Bitcoin block chain. Zerocoins are purchased with the base currency in fixed demoninations by a zerocoin mint transaction. Later, these zerocoins can be redeemed for the base currency to a different address by a zerocoin spend transaction. Through the use of cryptographic accumulators and digital commitments with zero-knowledge proofs, it is not possible to link the address that was used to mint the original zerocoin to the address used to redeem the zerocoin. Though originally proposed for use with the Bitcoin network, Zerocoin could be integrated into any cryptocurrency.
Rationale for Zerocoin
Bitcoin transactions are all stored, by design, in a public ledger (the block chain) that is accessible to everyone. These transactions provide privacy through pseudonymity, in that while each transaction is associated with the public address of the sender and receiver, the names of the owners of these addresses are at no time made known to the network. To increase privacy, each person could create as many public addresses as they like, making it difficult to link transactions to the same person. If additional privacy were required, it is possible to launder coins through a trusted third party, where the input coins are mixed in a large pool and output to a new address.
Regardless of the best precautions, by data mining of the block chain, it becomes possible in certain cases to link a set of public addresses to a specific (unnamed) individual. For example, this could be done by the analysis of spending habits, or by having the change of a transaction from one public address being sent to another. Furthermore, by utilizing information external to the block chain, such as public addresses posted on a web site, or the postal address used with an internet purchase, the possibility exists that every single transaction of a given person could be determined.
The Zerocoin extension to bitcoin would have functioned like a money laundering pool, temporarily pooling bitcoins together in exchange for a temporary currency called Zerocoins. While the laundering pool is an established concept already utilized by several currency laundering services, Zerocoin would have implemented this at the protocol level, eliminatating any reliance on trusted third parties. It anonymizes the exchanges to and from the pool using cryptographic principles, and as a proposed extension to the Bitcoin protocol, it would have recorded the transactions within the existing block chain.
The anonymity afforded by Zerocoin is the result of cryptographic operations involved with separate zerocoin mint and spend transactions. To mint a zerocoin, a person generates a random serial number S, and encrypts this into a coin C by use of second random number r. The coin C is added to a cryptographic accumulator by miners, and at the same time, the amount of the base currency equal in value to the denomination of the zerocoin is added to a zerocoin escrow pool.
To redeem the zerocoin for the base currency, the owner of the coin needs to prove two things by way of a zero-knowledge proof. (A zero-knowledge proof is a method by which one party can prove to another that a given statement is true, without conveying any additional information apart from the fact that the statement is indeed true.) The first is that they know a coin C that belongs to the set of all other minted zerocoins (C1, C2,... Cn), without revealing which coin it is. The second is that the person knows a number r, that along with the serial number S corresponds to a zerocoin. The proof and serial number S are posted as a zerocoin spend transaction, where miners verify the proof and that the serial number S has not been spent previously. After verification, the transaction is posted to the blockchain, and the amount of the base currency equal to the zerocoin denomination is transferred from the zerocoin escrow pool. Anonymity in the transaction is assured because the minted coin C is not linked to the serial number S used to redeem the coin.
One criticism of Zerocoin is the added computation time required by the process, which would need to have been performed primarily by miners. If the proofs were posted to the block chain, this would also dramatically increase the size of the block chain.
Extensions of Zerocoin
Recognizing that Bitcoin was unlikely to be implement Zerocoin, the authors of Zerocoin expressed hope that other cryptocurrencies would incorporate Zerocoin anonymity features.
- Bradbury, Danny (7 June 2013). "How anonymous is Bitcoin?". CoinDesk (CoinDesk Ltd.). http://www.coindesk.com/how-anonymous-is-bitcoin/. Retrieved 8 February 2014.
- I. Miers, C. Garman, M. Green, and A. D. Rubin (2013). Zerocoin: Anonymous Distributed E-Cash from Bitcoin, 2013 IEEE Symposium on Security and Privacy, IEEE Computer Society Conference Publishing Services, 397–411, doi:10.1109/SP.2013.34
- Peck, Morgan E. (24 October 2013). "Who’s who in Bitcoin: Zerocoin hero Matthew Green". IEEE Spectrum (Institute of Electrical and Electronics Engineers). http://spectrum.ieee.org/computing/networks/whos-who-in-bitcoin-zerocoin-hero-matthew-green. Retrieved 31 January 2014.