Zerocoin: Anonymous Distributed E-Cash from Bitcoin

Ian Miers Ian Miers

Christina Garman | Matthew Green | Avi Christina Garman | Matthew Green | Avi RubinRubin

Zerocoin: Anonymous Zerocoin: Anonymous Distributed E-Cash from Distributed E-Cash from BitcoinBitcoin

Digitizing moneyDigitizing money

Two ways to do it Two ways to do it

Create digital Create digital cashcash

Create digital Create digital checkschecks

Bank accountsBank accounts

Problem: privacyProblem: privacy

Bank sees every Bank sees every transaction transaction

Merchants can Merchants can track customers track customers across interactionsacross interactions

Digital cashDigital cash

Can’t make uncopyable digital Can’t make uncopyable digital currencycurrency

Can make single use currencyCan make single use currency

Get a unique serial number Get a unique serial number when you withdraw money when you withdraw money

Spend it by showing an Spend it by showing an unused serial number unused serial number

E-cash E-cash

Chaum82: blind signatures for e-cashChaum82: blind signatures for e-cash

Chaum88: retroactive double spender Chaum88: retroactive double spender identification identification

Brandis95: restricted blind signaturesBrandis95: restricted blind signatures

Camenisch05: compact offline e-cash Camenisch05: compact offline e-cash

Decentralized

Secure

An ideal digital currencyAn ideal digital currency

Ano

nym

ous

BitcoinBitcoin

A distributed digital currency systemA distributed digital currency system

Released by Satoshi Nakamoto 2008 Released by Satoshi Nakamoto 2008

Market cap of 1.2 Billion USD (as of early May Market cap of 1.2 Billion USD (as of early May 2013)2013)

Effectively a bank run by an ad hoc networkEffectively a bank run by an ad hoc network

Digital checksDigital checks

A distributed transaction log A distributed transaction log

Bitcoin: digital checksBitcoin: digital checks

Public key 0xa8fc93875a972ea

Signature 0xa87g14632d452cd

Public key 0xc7b2f68...

Bitcoin: transaction logBitcoin: transaction log

How do you maintain a transaction log?How do you maintain a transaction log?

Pick a trusted party Pick a trusted party

VoteVote

Avoiding the clone warsAvoiding the clone wars

Select a node at Select a node at random proportional to random proportional to its computational power its computational power to update the logto update the log

Nodes race to compute Nodes race to compute a partial hash collision:a partial hash collision: hash(data || nonce) hash(data || nonce) < x< x

Pick the longest chainPick the longest chain

Bitcoin calls this ledger Bitcoin calls this ledger the block chain the block chain

Decentralized

BitcoinBitcoin

BitcoinBitcoinDecentralized

Secure

BitcoinBitcoinDecentralized

Secure

Ano

nym

ous

?

BitcoinBitcoinDecentralized

Secure

Ano

nym

ous

Bitcoin: all of your Bitcoin: all of your informationinformation

is is known toknown tothe bankthe bank

the merchantsthe merchantsEVERYONEEVERYONE

Chaum’s e-cash + Chaum’s e-cash + BitcoinBitcoin

Decentralized

Secure

Ano

nym

ous

++

Ano

nym

ous

Bitcoin laundries & Bitcoin laundries & mixesmixes

Decentralized

Secure

++

ZerocoinZerocoin

A distributed approach to private electronic A distributed approach to private electronic cashcash

Extends Bitcoin by adding an anonymous Extends Bitcoin by adding an anonymous currency on top of it currency on top of it

Zerocoins are exchangeable for bitcoinsZerocoins are exchangeable for bitcoins

Similar to techniques by Sander and Ta-shmaSimilar to techniques by Sander and Ta-shma

What is a zerocoin?What is a zerocoin?

A zerocoin is:A zerocoin is:

Economically: a promissory note redeemable Economically: a promissory note redeemable for a bitcoinfor a bitcoin

Cryptographically: an opaque envelope Cryptographically: an opaque envelope containing a serial number used to prevent containing a serial number used to prevent double spendingdouble spending 82384827347

1012983

CommitmentsCommitments

Allow you to commit to and Allow you to commit to and later reveal a valuelater reveal a value

Binding: value cannot be Binding: value cannot be tampered with tampered with

Blinding: value cannot be Blinding: value cannot be read until revealedread until revealed

We use Pedersen We use Pedersen commitmentscommitments

812...812...

812..812..

Zerocoins: where do Zerocoins: where do they come from?they come from?

Anyone can make oneAnyone can make one

Choose a random serial number and commit to Choose a random serial number and commit to itit

Mint a zerocoin by putting a mint transaction in Mint a zerocoin by putting a mint transaction in the block chain which “spends” a bitcoin and the block chain which “spends” a bitcoin and includes the commitmentincludes the commitment

Spending a zerocoin gives the recipient a Spending a zerocoin gives the recipient a bitcoinbitcoin

Zerocoins: ...and where Zerocoins: ...and where do they go?do they go?

The “spent” bitcoins end up escrowedThe “spent” bitcoins end up escrowed

To spend a zerocoinTo spend a zerocoin

You reveal the serial number You reveal the serial number

Prove it is from some zerocoin in the block Prove it is from some zerocoin in the block chainchain

Put the spent serial number in the block Put the spent serial number in the block chainchain

Zero-knowledge proofsZero-knowledge proofs

Zero-knowledge [Goldwasser, Micali 1980s, and Zero-knowledge [Goldwasser, Micali 1980s, and beyond]beyond]

Prove knowledge of a witness satisfying a Prove knowledge of a witness satisfying a statementstatement

Specific variant: non-interactive proof of knowledgeSpecific variant: non-interactive proof of knowledge

Here we prove we know: Here we prove we know:

1.1. The serial number of a zerocoinThe serial number of a zerocoin

2.2. That the coin is in the block chainThat the coin is in the block chain

An inefficient approachAn inefficient approach

Inefficient proofInefficient proof

Identify all valid zerocoins in the block chainIdentify all valid zerocoins in the block chain(call them )(call them )

Prove that S is the serial number of a coin C Prove that S is the serial number of a coin C andand

This “OR” proof is O(N)This “OR” proof is O(N)

Cryptographic Cryptographic accumulatorsaccumulators

Allow constant size set membership proofsAllow constant size set membership proofs

Strong RSA accumulator originally due to Strong RSA accumulator originally due to Benaloh and de MareBenaloh and de Mare

Efficient proof for accumulation of primes Efficient proof for accumulation of primes proposed by Camenisch and Lysyanskaya ‘01proposed by Camenisch and Lysyanskaya ‘01

Zerocoin protocolZerocoin protocol

Generate a commitment to a random serial Generate a commitment to a random serial number number SS::

(Store serial number (Store serial number SS and randomness and randomness rr))

Accumulate all valid coins, compute witness wAccumulate all valid coins, compute witness w ii

Reveal Reveal SS and prove knowledge of witness to and prove knowledge of witness to commitment accumulation and its randomness commitment accumulation and its randomness rr

where is where is primeprime

PerformancePerformance

Modified Modified bitcoindbitcoind client on 3.5GZ Intel Xeon E3- client on 3.5GZ Intel Xeon E3-1270V2 1270V2

1024 bit commitments 1024 bit commitments

1024, 2048, and 3072 bit RSA moduli1024, 2048, and 3072 bit RSA moduli

Obstacles and future Obstacles and future workwork

Scale to larger networks Scale to larger networks

Reduce proof size (duh)Reduce proof size (duh)

Make divisible coins (we have a construction)Make divisible coins (we have a construction)

Get people to believe this worksGet people to believe this works

Zerocoin.orgZerocoin.orgDecentralized

Secure

Ian Miers Ian Miers @imichaelmiers@imichaelmiers

Christina Garman Christina Garman

Matthew GreenMatthew Green

Avi RubinAvi Rubin

Ano

nym

ous

Divisible coinsDivisible coins (Not in paper) (Not in paper)

Encode both a serial number and a denomination inEncode both a serial number and a denomination inthe coin commitment as the low and high order bitsthe coin commitment as the low and high order bits

To divide a coin C with balance b and serial number STo divide a coin C with balance b and serial number S

Mint two new coins c’,c’’ with balances b’ and b’’Mint two new coins c’,c’’ with balances b’ and b’’

Prove in zero knowledge that b = b’ + b’’ and those Prove in zero knowledge that b = b’ + b’’ and those are the high order bitsare the high order bits

Reveal S to prevent reuseReveal S to prevent reuse

Prime commitmentsPrime commitments

Perfectly BlindingPerfectly Blinding Binding under discrete Binding under discrete loglog

How much anonymity How much anonymity

Consider a universe where 10 coins exist and Consider a universe where 10 coins exist and one more coin is minted and then spentone more coin is minted and then spent

If all 10 original coins are already spent If all 10 original coins are already spent before minting, k =1 before minting, k =1

If only 9 of them are spent, k = 11If only 9 of them are spent, k = 11

Lower bound: All unspent coins controlled by Lower bound: All unspent coins controlled by honest partieshonest parties

Upper bound: All the coinsUpper bound: All the coins

Why so large?Why so large?

Not much slower (our code is single threaded)Not much slower (our code is single threaded)

Laptop performanceLaptop performance

In UFOs we trustIn UFOs we trust

RSA moduli of RSA moduli of UUnknown nknown FFactactOOrization rization (Sander99)(Sander99)

N is an RSA-UFO if it has at least two large N is an RSA-UFO if it has at least two large prime factors P and Q and no one can find prime factors P and Q and no one can find NN11,N,N22 such that Q divides N such that Q divides N11 and P divides N and P divides N22

Get an assumption analogous to the Strong Get an assumption analogous to the Strong RSA assumptionRSA assumption

UFOs: Impractically UFOs: Impractically LargeLargeProblem: for the security of a 1024 bit Problem: for the security of a 1024 bit RSA modulus, we need a 40k bit UFORSA modulus, we need a 40k bit UFO