Private Transactions — The Road to ZeroCT

On the 15th of January 2019, NavCoin Core Engineer Alex Vazquez published his academic white paper describing ZeroCT — A new protocol for private on-chain cryptocurrency transactions. As the name suggests, ZeroCT is based on a combination of the Zerocoin protocol and Confidential Transactions. But it’s more than just the combination of two existing protocols. ZeroCT expands on the Zerocoin protocol, increasing privacy and improving usability.

The fundamentals of both Zerocoin and Confidential Transactions have been well researched and peer reviewed in the cryptocurrency & cryptography communities. The methods described to extend Zerocoin are also widely accepted as secure mathematically. This makes the ZeroCT protocol a real contender in the privacy space without introducing any experimental math which requires years of public scrutiny before it’s considered secure by academic standards.

In this two part article series, I will firstly give some context to the ZeroCT paper by defining what exactly is meant by a “private transaction” and walking you through the evolution of the technology used in this category of cryptocurrencies. The second article will be focused on the ZeroCT protocol and comparing its features to some of the industry leading privacy protocols.

Anatomy of a Private Transaction

In a traditional blockchain implementation like Bitcoin’s, every transaction publicly shows the address of the sender, the address of the receiver and the amount which was transacted. This is done so the whole network can validate the transaction, proving the sender has ownership of the coins, the amount being sent is not inflated and the recipient is able to spend the coins in the future. It is these three key pieces of information which need to be hidden if we’re going to consider a transaction private.

Another important and sometimes overlooked aspect of private transactions in cryptocurrency is metadata. Even if the sender and receiver are cryptographically concealed, it could be possible to indirectly infer the sender and receiver’s addresses by analysing the blockchain. For example if I sent 1.38217745 BTC to a Bitcoin mixer and then in the next block the mixer sent a different 1.38217745 BTC to my intended recipient, although these coins are not directly linked to my original outputs sent to the mixer, the correlating amounts give a strong case for them being related transactions. This is obviously an overly simplistic example, but with the sophistication of blockchain analysis tools advancing all the time, it is important to prevent leakage of all possible metadata that could compromise the privacy of a transaction.

A Brief History of Private Transactions

Creating a private transaction might sound like an impossible situation, how can we have our cake and eat it too? We need to hide the same values which we need to prove! Over the years there have been many different approaches to hiding this information, some better than others. All of them have attempted to disconnect, obscure or encrypt some or all of these three key pieces of information in various ways with varying success. The earlier attempts usually required some type of trusted third party to process transactions while the next generation was trustless but used heavy obfuscation rather than encryption.

In this article I’m not going to explain these earlier methods since the technology is not used in ZeroCT.

The next generation of private transactions have been based on mathematical proofs which have provided ways to keep the explicit values of a transaction secret, while allowing anyone to prove the transaction complies with the rules of the network. These cryptographic functions are referred to as Zero Knowledge Proofs, named for the fact they can prove a value is correct with no knowledge of the value itself.

Zerocoin was first described in 2013 as a method for using Zero Knowledge Proofs as an extension on top of the Bitcoin network to provide private Bitcoin transactions.

The inventors of the Zerocoin protocol went on to create their own cryptographic proofs called ZK-SNARKS which were subsequently implemented into ZCash. Some commentators criticise ZCash for deploying experimental cryptography (which usually takes years of peer review to have it’s integrity validated) and for performing their own initial parameter generation ceremony which opens the cryptocurrency to a potential “toxic waste attack” if the keys were not destroyed correctly.

Zerocoin in its original form was subsequently deployed to Zcoin and it is this implementation I will discuss further in this article.

The Evolution of Zerocoin Implementations

The Zcoin implementation of the Zerocoin protocol stays true to the original design specification — it uses widely accepted cryptographic functions and it’s initial parameters are taken from the 1991 RSA Factoring Challenge for which the keys are universally accepted to have been correctly destroyed. There are comprehensive explanations of how Zcoin works on the Zerocoin website, which I will try to summarise here.

In its essence, the Zerocoin protocol is a series of RSA accumulators which exist in parallel to a regular blockchain protocol. Each accumulator represents a specific denomination of coins, usually rounded into powers of 10 (eg. 1, 10, 100, 1000 etc). Users can burn their coins to one of these accumulators which effectively destroys them. The spender receives a receipt for the coins which were burned and can use the receipt to generate new coins at a later date. When the spender decides they want to generate the new coins, the network can prove the receipt is valid and has not already been redeemed, but the network can’t prove which coins were burned to create the receipt. The owner of the receipt generates the new coins to a public address which they own, and these coins are then able to be spent on the public blockchain without anyone knowing the coin’s history from before the new coins were minted.

In even more simplistic terms, imagine if there were a room full of blindfolded people with pockets full of $1 coins. Everyone threw their $1 coins into a bucket in the middle of the room and got a nondescript but unforgeable ticket for each coin they put in. All the coins were melted down and minted into new coins to fill the bucket. Each person was then able to grab a brand new coin from the bucket for each ticket they had in their possession. Everyone then leaves the room, takes off their blindfold and goes to the shop to spend their coins. It would be impossible for the shop owner to know the history about the coins from before they were grabbed from the bucket, the link between the new and old coins is permanently severed.

Inherent issues with Zcoin

While this is an ingenious protocol based on solid cryptography, there are some issues with this implementation.

1. The mint receipt is randomly generated and stored in your wallet.dat. This means you have to backup your wallet after each Zerocoin mint and if you lose or corrupt your wallet file your receipts are destroyed you lose access to your Zerocoins.
2. The transaction amount is not private since the accumulators rely on using fixed denominations of coins. If the anonymity set is small and/or the transaction volume was low, it could be possible to perform some level of analysis on transaction values and try to draw inference from the leaked metadata.
3. Because fixed denominations are required spending specific amounts can be difficult or costly to the network. If i wanted to spend 999 Zerocoins I would need to mint 9x100, 9x10 and 9x1 coins and decimals are not possible.
4. Each transaction takes approximately 0.5 seconds to verify which is difficult to scale especially due to the accumulator denominations requiring multiple proofs for most natural transactions.
5. All Zerocoins need to be minted into the accumulator and then spent out of the accumulator before they can be spent on the public blockchain. This introduces a pre-mixing requirement for the user, complicating the process and adding a wait time before they can transact.

The Next Generation of Zerocoin

The next major advancement of Zerocoin’s implementation was done by the PIVX team when they stopped using DASH’s CoinJoin based masternode mixing and switched to the Zerocoin protocol instead.

The PIVX team identified and fixed some of the problems which I’ve outlined above and also made some of their own improvements. Their zPIV implementation derives the generated mint receipt from the wallet’s master private key. This means that you don’t need to backup your wallet after every zPIV mint and if you’re able to regain access to your zPIV coins as long as you have your master private key backed up.

They implemented zPIV staking which allows Zerocoins to be used as staking inputs when minting a new block. This means all the zPIV staking coins are included in the accumulator which greatly increases the anonymity set and reduces the chance of metadata inference by blockchain analysis.

They also introduced the ability to spend to a specific address so a user can spend their minted Zerocoins directly to third party without needing to withdraw them to their own address first.

Their additions successfully solved point 1 on our issues list and partially solved points 2 and 5 by increasing the number of coins in the accumulators with zPIV staking and allowing zPIV spending directly to third party addresses respectively.

Enough about Zerocoin, What About CryptoNote?

Another major inspiration for the ZeroCT protocol alongside Zerocoin is the CryptoNote protocol and specifically Monero’s implementation and improvements. CryptoNote is another very well-researched branch of private cryptocurrency transactions which achieves privacy through a different set of mechanisms to Zerocoin but the intention is the same.

Instead of using accumulators to hide the origin of the coins in a transaction, CryptNote uses Ring Signatures. Usually a transaction has a single signature created by the sender but in a ring signature scheme, multiple parties sign the transaction (including the spender) and the network can calculate the transaction is valid but is unable to know which signer is the spender thus hiding the spenders true identity.

CryptoNote also introduces the concept of one time derived addresses where each address is used only once and can not be linked to other addresses on the blockchain. The one time addresses are also derived from a Stealth Address which means no metadata about someone’s balance or transaction history is leaked when given as a payment address.

Monero was not the first, but has been the most popular implementation of the CryptoNote protocol. They have included several updates to their protocol which enhances the privacy of their CryptoNote based transactions which we will discuss further in this article.

Inherent issues with CryptoNote

As with Zerocoin, CryptoNote is an ingenious protocol based on solid cryptography, however there are some issues with the implementation.

1. The transaction amount is not private which means it could be possible to perform some level of analysis on transaction values and try to draw inference from the leaked metadata.
2. Each signature in the Ring Signature takes up valuable block space as part of the transaction proof and is therefore a limiting factor when it comes to trying to achieve large anonymity sets. Production applications of CryptoNote generally have a ring size of only 7 signatures.

What has Monero Improved?

Monero has an active research team and is constantly improving their privacy protocol. One of the most important updates they have performed is the implementation of Confidential Transactions and Bulletproofs which successfully hide a transaction’s values on the blockchain.

Confidential Transactions provide a cryptographic method to prove that the input amounts are equal to the output amounts for any transaction without revealing the values inside.

In basic terms, if we look at any transaction on the blockchain we can take the sum of the outputs and minus the sum of the inputs and we will always be left with zero. Confidential Transactions is a Zero Knowledge proof to verify that the sum of the inputs and outputs equals zero without revealing what the input and output values are.

Bulletproofs fix an important issues with Confidential Transactions where a transaction could contain a negative output and issue more coins than was input while still summing to zero.

Using Confidential Transactions to hide the amounts, Ring Signatures to hide the sender’s identity and Stealth Addresses to hide the receiver’s identity, Monero successfully hides all three key values without leaking any metadata.

The only remaining criticism of Monero’s private transaction implementation is the limited size of the anonymity set in the Ring Signature which could be improved by reducing the proof size or with some other engineering solution.

What’s this got to do with ZeroCT?

ZeroCT’s protocol design sets out to solve a comprehensive list of privacy, usability, scalability and metadata leakage issues faced in one form or another by all of todays leading privacy protocols.

To achieve this ZeroCT takes the best parts of the leading Zerocoin and CryptoNote implementations as well as some new ideas and combines them into one of the most advanced privacy protocols ever deployed on a blockchain.

Continue to the second part of this article series to learn more about the ZeroCT protocol and see how it compares to some of the industry’s leading privacy protocols.

Part 2: The New Privacy Protocol on the Block — ZeroCT Explained