The New Privacy Protocol on the Block — ZeroCT Explained

On the 15th of January 2019, NavCoin Core Engineer Alex Vazquez published his academic white paper describing ZeroCT — a new protocol for private on-chain cryptocurrency transactions. As the name suggests, ZeroCT is based on a combination of the Zerocoin protocol and Confidential Transactions, but it’s more than just the combination of two existing protocols.

ZeroCT takes the best parts of the industry’s leading private transaction protocols along with some new ideas and combines them into one of the most advanced privacy protocols ever deployed to a blockchain.

The ZeroCT white paper was released in advance for peer review and received feedback from a range of interested cryptographers — Sam Dobson (Bitcoin Core), Sarang Noether (Monero), Guy Kloss (SingleSource), the Veil development team and Jonathan Cressman. While their review shouldn’t be considered an endorsement of the protocol, it is a testament to Alex’s desire to confirm ZeroCT’s validity, and the good will of the reviewers for freely contributing their time to giving feedback on an open source academic paper.

My previous article Private Transactions — The Road to ZeroCT gave some context to the ZeroCT paper by defining what exactly is meant by a “private transaction” and walking the reader through the evolution of the technology used in this category of cryptocurrencies. This article will focus on the ZeroCT protocol itself and compare its features to some of the industry’s leading privacy protocols.

What Problem is ZeroCT trying to solve?

A transaction can be considered private when you are able to cryptographically conceal the sender, receiver and amount while not leaking any metadata about the transaction and also having a large anonymity set.

There are currently five main established streams of privacy protocols: CoinJoin, Zerocoin, Zerocash, CryptoNote and Mimblewimble, of which Dash, PIVX, Zcash, Monero and Grin are the leading implementations respectively. They are all interesting protocols that offer varying levels of anonymity, but none perfectly achieves every point raised in my previous paragraph.

It’s one of the things which has made privacy protocols such a keen area of interest for me personally. There have been a lot of great ideas with no clear winner yet; the crown is still up for contention in this hotly debated arena.

ZeroCT set out to combine the best parts of the industry’s leading private transaction protocols, and as a result it’s become a powerful chimera that could take the top spot.

Introducing ZeroCT

The technical details of the ZeroCT implementation can be read in the ZeroCT White Paper — ZeroCT: Improving Zerocoin with Confidential Transactions. Here I will go through some of the key takeaways of how it addresses the issues that were identified with existing private transaction protocols and what it means from a practical perspective.

Concealing Spender Identity

ZeroCT uses Zerocoin-based RSA accumulators to conceal the origin of transactions. Each time coins are spent, they are effectively newly minted coins with no associated history and complete fungibility.

Concealing Receiver Identity

ZeroCT’s Anonymous Identities are generated in a similar way to Monero’s one-time addresses. They are derived from a Stealth Address, which doesn’t leak any metadata about the user’s balance or transaction history and is not susceptible to blockchain analysis.

Concealing Transaction Amount

ZeroCT uses Confidential Transactions & Bulletproofs to conceal the amount of coins spent in a transaction.
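How a verifier can check that a transaction balances without seeing any amount, and why a range proof is still required, shown as an added example that is not code from the ZeroCT paper or NavCoin. It uses a generic Pedersen commitment in a deliberately tiny toy group; the parameters, function names and amounts are all constructed for illustration.

```python
import secrets

# Toy group (constructed, far too small for real use): P = 2Q + 1 is a
# safe prime; G and H are squares, so both generate the subgroup of prime
# order Q. Real systems use an elliptic curve and an H whose discrete log
# with respect to G nobody knows.
P, Q = 2039, 1019
G, H = 4, 9

def commit(value, blind):
    """Pedersen commitment G^value * H^blind mod P."""
    return pow(G, value % Q, P) * pow(H, blind % Q, P) % P

def product(commitments):
    out = 1
    for c in commitments:
        out = out * c % P
    return out

def build_tx(inputs, outputs):
    """Commit to every amount; pick the last output blind so blinds cancel."""
    in_blinds = [secrets.randbelow(Q) for _ in inputs]
    out_blinds = [secrets.randbelow(Q) for _ in outputs[:-1]]
    out_blinds.append((sum(in_blinds) - sum(out_blinds)) % Q)
    ins = [commit(v, r) for v, r in zip(inputs, in_blinds)]
    outs = [commit(v, r) for v, r in zip(outputs, out_blinds)]
    return ins, outs

def balances(ins, outs):
    """Verifier's check: it sees only commitments, never the amounts."""
    return product(ins) == product(outs)

def demo():
    honest = balances(*build_tx([70], [45, 25]))
    inflated = balances(*build_tx([70], [45, 26]))
    # -10 is encoded as Q - 10 and the sum still works out modulo Q, which
    # is why every output also needs a range proof (the job Bulletproofs do).
    negative = balances(*build_tx([70], [80, -10]))
    return honest, inflated, negative

if __name__ == "__main__":
    print(demo())
```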

Increasing the Anonymity Set

The use of a Zerocoin accumulator means the anonymity set for the spender’s identity is equal to the number of previous private transactions recorded to the accumulator. ZeroCT allows for and incentivises private staking, which means this anonymity set will steadily grow, making meta analysis exponentially more difficult over time.

Preventing Metadata Leakage

ZeroCT coins can be minted directly to a receiver’s derived Anonymous Identity and can be transferred directly from one Anonymous Identity to another. There is no pre-mixing required, and once in the accumulator, coins don’t need to leave the accumulator to be spent. This reduces the possibility of a third party inferring a linkage between transactions as they enter and exit the accumulator.

Performance

The use of Confidential Transactions removes the need for denomination based accumulators which reduces the proof size necessary when spending natural amounts. The proof size to spend 999 ZeroCT transactions is equal to the size of 4 regular proofs rather than the 27 (9x100, 9x10 and 9x1) that would be required by the original Zerocoin protocol.

Usability

All ZeroCT minted coins are recoverable by the master private key, meaning you don’t have to backup your wallet after every ZeroCT mint.

The ZeroCT protocol has provision for a “view key” which allows for your private transaction history to be audited by a third party (e.g. your accountant) without compromising your spending keys.

Minting ZeroCT coins directly to a third party reduces complexity for the sender by removing any pre-mixing step or wait time.

Key Security

The large primes used for ZeroCT’s initial parameters are recommended to be taken from the 1991 RSA Factoring Challenge for which the keys are universally accepted to have been correctly destroyed and unable to be calculated.

What does this all mean?

With all of these pieces in place, the ZeroCT protocol successfully hides the sender, receiver and amount, all without leaking any important metadata. It retains scalability, is easier to use in practice and removes any requirement of trust from the network and development team.

Practically, using ZeroCT is both very secure and very simple. Below is a diagram which explains how a ZeroCT transaction works in simplistic terms.

There are a couple of important things to understand in addition to this diagram.

  1. Even though Alice can derive an accumulator identity for Bob from his Anonymous Identity, she is not able to calculate Bob’s future or past accumulator identities with this information so no transaction graph can be drawn.
  2. In step 3, Bob doesn’t have to withdraw the NAV from the accumulator. He can withdraw the NAV from the accumulator to a third party, transfer the zNAV directly to another accumulator identity without withdrawing NAV, use them as a private staking input, partially withdraw them and have the change return to the accumulator or any combination of these actions.

This flexibility greatly reduces the chance of inference by blockchain analysis based on transaction amounts or other metadata, even if Bob’s end goal is to have his NAV back on the public blockchain.

How does ZeroCT compare to other privacy protocols?

Reuben Yap has recently updated Zcoin’s article How Zcoin’s Privacy Technology Compares to the Competition to include Mimblewimble coins such as Grin & Beam. It gives an in-depth look at the other protocols we’ll be covering here. I would recommend reading Reuben’s article and also my previous article in this series, Private Transactions — The Road to ZeroCT, for more learning and context.

Since there are quite a few privacy coins based on the same underlying protocols, to simplify matters we will pick one of the leading implementations of each protocol for comparison. Some privacy coins also implement multiple protocols, so it’s more useful to look at each implementation holistically rather than at what each individual protocol specifically provides.

Most of the chart is pretty self-explanatory, but it’s worth further discussing a couple of things.

On the “Requires Trusted Setup” row, you can see that PIVX, Zcash and ZeroCT all have Yes, but PIVX and NavCoin are orange while Zcash has a red Yes.

This is because the Zerocoin, ZeroCT and Zerocash protocols require a one-time trusted setup to generate the initial parameters used to spend private coins from the accumulator.

PIVX and NavCoin both use initial parameters taken from the 1991 RSA Factoring Challenge, for which the keys are universally accepted to have been correctly destroyed. Zcash, on the other hand, generated its own initial parameters, which means you have to trust that the Zcash engineers correctly destroyed the keys. That is why it’s flagged as red.
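The RSA accumulator from “Concealing Spender Identity” and the reason its modulus needs factors nobody knows, as an added toy example that is not code from the ZeroCT paper, NavCoin or PIVX. The tiny modulus, the sample coins and every function name are constructed; the real protocol additionally wraps the membership check in a zero-knowledge proof so the coin itself is never revealed.

```python
from math import prod

# Toy modulus (constructed). A deployed accumulator uses a 2048-bit RSA
# number, such as one from the RSA Factoring Challenge, with unknown factors.
FACTOR_1, FACTOR_2 = 1019, 2039
N = FACTOR_1 * FACTOR_2
BASE = 4  # a quadratic residue mod N

def accumulate(coins):
    """Fold a set of prime-valued coins into a single group element."""
    return pow(BASE, prod(coins), N)

def witness(coins, coin):
    """Accumulator of every coin except `coin`; needs public data only."""
    return pow(BASE, prod(c for c in coins if c != coin), N)

def verify(acc, coin, wit):
    """Membership check: wit^coin == acc (mod N)."""
    return pow(wit, coin, N) == acc

def witness_from_factors(acc, coin):
    """With the factors known, a passing witness exists for ANY prime."""
    phi = (FACTOR_1 - 1) * (FACTOR_2 - 1)
    return pow(acc, pow(coin, -1, phi), N)

def demo():
    minted = [101, 103, 107, 109]  # constructed sample coins (primes)
    never_minted = 113
    acc = accumulate(minted)
    honest = verify(acc, 103, witness(minted, 103))
    # Without the factors, an existing witness does not fit another coin.
    reused = verify(acc, never_minted, witness(minted, 103))
    # With the factors, the check passes for a coin that was never minted.
    trapdoor = verify(acc, never_minted,
                      witness_from_factors(acc, never_minted))
    return honest, reused, trapdoor

if __name__ == "__main__":
    print(demo())
```

The third result is the whole case for the “Requires Trusted Setup” row: the membership check cannot tell a minted coin from an unminted one if anyone still holds the factors of the modulus.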

The “Requires Pre-Anonymization” row refers to whether you can create a private transaction immediately or need to take some steps before it is possible to send privately. With Dash you need to pre-mix your coins with masternodes before you can spend your private balance. With PIVX you need to send your coins to the accumulators and wait some blocks before spending them privately. With the others, there is no initial step or wait time and private transactions take place immediately.

Summary

ZeroCT is a great new privacy protocol that I think has the potential to be a real challenger in the privacy coin space. It uses well-studied methods to tick all the requirements for providing a high level of privacy to cryptocurrency transactions. More than providing only technical improvements, it has also addressed usability issues that will make it easier than ever to protect your financial privacy. Personally I am excited about this protocol and its implementation into NavCoin.

https://navcoin.org/roadmap