Ian Miers Ian Miers
Christina Garman | Matthew Green | Avi Christina Garman | Matthew Green | Avi RubinRubin
Zerocoin: Anonymous Zerocoin: Anonymous Distributed E-Cash from Distributed E-Cash from BitcoinBitcoin
Digitizing moneyDigitizing money
Two ways to do it Two ways to do it
Create digital Create digital cashcash
Create digital Create digital checkschecks
Bank accountsBank accounts
Problem: privacyProblem: privacy
Bank sees every Bank sees every transaction transaction
Merchants can Merchants can track customers track customers across interactionsacross interactions
Digital cashDigital cash
Can’t make uncopyable digital Can’t make uncopyable digital currencycurrency
Can make single use currencyCan make single use currency
Get a unique serial number Get a unique serial number when you withdraw money when you withdraw money
Spend it by showing an Spend it by showing an unused serial number unused serial number
E-cash E-cash
Chaum82: blind signatures for e-cashChaum82: blind signatures for e-cash
Chaum88: retroactive double spender Chaum88: retroactive double spender identification identification
Brandis95: restricted blind signaturesBrandis95: restricted blind signatures
Camenisch05: compact offline e-cash Camenisch05: compact offline e-cash
Decentralized
Secure
An ideal digital currencyAn ideal digital currency
Ano
nym
ous
BitcoinBitcoin
A distributed digital currency systemA distributed digital currency system
Released by Satoshi Nakamoto 2008 Released by Satoshi Nakamoto 2008
Market cap of 1.2 Billion USD (as of early May Market cap of 1.2 Billion USD (as of early May 2013)2013)
Effectively a bank run by an ad hoc networkEffectively a bank run by an ad hoc network
Digital checksDigital checks
A distributed transaction log A distributed transaction log
Bitcoin: digital checksBitcoin: digital checks
Public key 0xa8fc93875a972ea
Signature 0xa87g14632d452cd
Public key 0xc7b2f68...
Bitcoin: transaction logBitcoin: transaction log
How do you maintain a transaction log?How do you maintain a transaction log?
Pick a trusted party Pick a trusted party
VoteVote
Avoiding the clone warsAvoiding the clone wars
Select a node at Select a node at random proportional to random proportional to its computational power its computational power to update the logto update the log
Nodes race to compute Nodes race to compute a partial hash collision:a partial hash collision: hash(data || nonce) hash(data || nonce) < x< x
Pick the longest chainPick the longest chain
Bitcoin calls this ledger Bitcoin calls this ledger the block chain the block chain
Decentralized
BitcoinBitcoin
BitcoinBitcoinDecentralized
Secure
BitcoinBitcoinDecentralized
Secure
Ano
nym
ous
?
BitcoinBitcoinDecentralized
Secure
Ano
nym
ous
Bitcoin: all of your Bitcoin: all of your informationinformation
is is known toknown tothe bankthe bank
the merchantsthe merchantsEVERYONEEVERYONE
Chaum’s e-cash + Chaum’s e-cash + BitcoinBitcoin
Decentralized
Secure
Ano
nym
ous
++
Ano
nym
ous
Bitcoin laundries & Bitcoin laundries & mixesmixes
Decentralized
Secure
++
ZerocoinZerocoin
A distributed approach to private electronic A distributed approach to private electronic cashcash
Extends Bitcoin by adding an anonymous Extends Bitcoin by adding an anonymous currency on top of it currency on top of it
Zerocoins are exchangeable for bitcoinsZerocoins are exchangeable for bitcoins
Similar to techniques by Sander and Ta-shmaSimilar to techniques by Sander and Ta-shma
What is a zerocoin?What is a zerocoin?
A zerocoin is:A zerocoin is:
Economically: a promissory note redeemable Economically: a promissory note redeemable for a bitcoinfor a bitcoin
Cryptographically: an opaque envelope Cryptographically: an opaque envelope containing a serial number used to prevent containing a serial number used to prevent double spendingdouble spending 82384827347
1012983
CommitmentsCommitments
Allow you to commit to and Allow you to commit to and later reveal a valuelater reveal a value
Binding: value cannot be Binding: value cannot be tampered with tampered with
Blinding: value cannot be Blinding: value cannot be read until revealedread until revealed
We use Pedersen We use Pedersen commitmentscommitments
812...812...
812..812..
Zerocoins: where do Zerocoins: where do they come from?they come from?
Anyone can make oneAnyone can make one
Choose a random serial number and commit to Choose a random serial number and commit to itit
Mint a zerocoin by putting a mint transaction in Mint a zerocoin by putting a mint transaction in the block chain which “spends” a bitcoin and the block chain which “spends” a bitcoin and includes the commitmentincludes the commitment
Spending a zerocoin gives the recipient a Spending a zerocoin gives the recipient a bitcoinbitcoin
Zerocoins: ...and where Zerocoins: ...and where do they go?do they go?
The “spent” bitcoins end up escrowedThe “spent” bitcoins end up escrowed
To spend a zerocoinTo spend a zerocoin
You reveal the serial number You reveal the serial number
Prove it is from some zerocoin in the block Prove it is from some zerocoin in the block chainchain
Put the spent serial number in the block Put the spent serial number in the block chainchain
Zero-knowledge proofsZero-knowledge proofs
Zero-knowledge [Goldwasser, Micali 1980s, and Zero-knowledge [Goldwasser, Micali 1980s, and beyond]beyond]
Prove knowledge of a witness satisfying a Prove knowledge of a witness satisfying a statementstatement
Specific variant: non-interactive proof of knowledgeSpecific variant: non-interactive proof of knowledge
Here we prove we know: Here we prove we know:
1.1. The serial number of a zerocoinThe serial number of a zerocoin
2.2. That the coin is in the block chainThat the coin is in the block chain
An inefficient approachAn inefficient approach
Inefficient proofInefficient proof
Identify all valid zerocoins in the block chainIdentify all valid zerocoins in the block chain(call them )(call them )
Prove that S is the serial number of a coin C Prove that S is the serial number of a coin C andand
This “OR” proof is O(N)This “OR” proof is O(N)
Cryptographic Cryptographic accumulatorsaccumulators
Allow constant size set membership proofsAllow constant size set membership proofs
Strong RSA accumulator originally due to Strong RSA accumulator originally due to Benaloh and de MareBenaloh and de Mare
Efficient proof for accumulation of primes Efficient proof for accumulation of primes proposed by Camenisch and Lysyanskaya ‘01proposed by Camenisch and Lysyanskaya ‘01
Zerocoin protocolZerocoin protocol
Generate a commitment to a random serial Generate a commitment to a random serial number number SS::
(Store serial number (Store serial number SS and randomness and randomness rr))
Accumulate all valid coins, compute witness wAccumulate all valid coins, compute witness w ii
Reveal Reveal SS and prove knowledge of witness to and prove knowledge of witness to commitment accumulation and its randomness commitment accumulation and its randomness rr
where is where is primeprime
PerformancePerformance
Modified Modified bitcoindbitcoind client on 3.5GZ Intel Xeon E3- client on 3.5GZ Intel Xeon E3-1270V2 1270V2
1024 bit commitments 1024 bit commitments
1024, 2048, and 3072 bit RSA moduli1024, 2048, and 3072 bit RSA moduli
Obstacles and future Obstacles and future workwork
Scale to larger networks Scale to larger networks
Reduce proof size (duh)Reduce proof size (duh)
Make divisible coins (we have a construction)Make divisible coins (we have a construction)
Get people to believe this worksGet people to believe this works
Zerocoin.orgZerocoin.orgDecentralized
Secure
Ian Miers Ian Miers @imichaelmiers@imichaelmiers
Christina Garman Christina Garman
Matthew GreenMatthew Green
Avi RubinAvi Rubin
Ano
nym
ous
Divisible coinsDivisible coins (Not in paper) (Not in paper)
Encode both a serial number and a denomination inEncode both a serial number and a denomination inthe coin commitment as the low and high order bitsthe coin commitment as the low and high order bits
To divide a coin C with balance b and serial number STo divide a coin C with balance b and serial number S
Mint two new coins c’,c’’ with balances b’ and b’’Mint two new coins c’,c’’ with balances b’ and b’’
Prove in zero knowledge that b = b’ + b’’ and those Prove in zero knowledge that b = b’ + b’’ and those are the high order bitsare the high order bits
Reveal S to prevent reuseReveal S to prevent reuse
Prime commitmentsPrime commitments
Perfectly BlindingPerfectly Blinding Binding under discrete Binding under discrete loglog
How much anonymity How much anonymity
Consider a universe where 10 coins exist and Consider a universe where 10 coins exist and one more coin is minted and then spentone more coin is minted and then spent
If all 10 original coins are already spent If all 10 original coins are already spent before minting, k =1 before minting, k =1
If only 9 of them are spent, k = 11If only 9 of them are spent, k = 11
Lower bound: All unspent coins controlled by Lower bound: All unspent coins controlled by honest partieshonest parties
Upper bound: All the coinsUpper bound: All the coins
Why so large?Why so large?
Not much slower (our code is single threaded)Not much slower (our code is single threaded)
Laptop performanceLaptop performance
In UFOs we trustIn UFOs we trust
RSA moduli of RSA moduli of UUnknown nknown FFactactOOrization rization (Sander99)(Sander99)
N is an RSA-UFO if it has at least two large N is an RSA-UFO if it has at least two large prime factors P and Q and no one can find prime factors P and Q and no one can find NN11,N,N22 such that Q divides N such that Q divides N11 and P divides N and P divides N22
Get an assumption analogous to the Strong Get an assumption analogous to the Strong RSA assumptionRSA assumption
UFOs: Impractically UFOs: Impractically LargeLargeProblem: for the security of a 1024 bit Problem: for the security of a 1024 bit RSA modulus, we need a 40k bit UFORSA modulus, we need a 40k bit UFO
Top Related