Zerocoin: Zero Knowledge for Infinite Anonymity


Many people mistakenly describe Bitcoin as an anonymous digital currency. This is not true by a long shot — Bitcoin can be best described as “pseudonymous,” meaning that it is possible to tie Bitcoin addresses and transactions to real-world identities if users are not careful about protecting their privacy.

Matthew Green is an Assistant Research Professor specializing in cryptography at Johns Hopkins University. He believes that Bitcoin is an amazing system, but that Satoshi Nakamoto cut some corners with regard to privacy. As a result, Green is developing a new cryptocurrency he has dubbed Zerocoin. Green recently gave a technical presentation about the inner workings of Zerocoin.

Green has turned to a mathematical concept known as a “zero-knowledge proof” to create what he describes as a “decentralized laundry.” Zero-knowledge proofs play an important role in facilitating this laundry because they allow you to prove a statement without revealing any other information. The use case for Zerocoin is as follows: you have bitcoins that you wish to anonymize, so you turn them into zerocoins via a zero-knowledge proof, whereby they are automatically “mixed” with all the other zerocoins in existence. You can hold your zerocoins for any period of time and convert them back to bitcoins whenever you wish by publishing another zero-knowledge proof. The bitcoins you receive are different from and not connected to your old bitcoins, thus completely anonymizing them. An additional benefit from the use of zero-knowledge proofs is that the number of zerocoins that are sent is not public information — the only public information with a zerocoin transaction is the mining fee and the serial number of the “coins” inside. Zerocoin transactions are like sealed envelopes of money that can be merged, split, or spent while simultaneously keeping the value transferred, the origination address, and the destination address a secret shared between the parties involved in the transaction. This concept was originally designed to be a new software layer on top of the Bitcoin protocol that used the Bitcoin blockchain and allowed Bitcoin users to convert between bitcoins and zerocoins with little effort.
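The mint-and-spend flow described above, reduced to a toy as an added example (not code from Green's project or from the original article): a 1-of-N Schnorr OR-proof over Pedersen commitments stands in for Zerocoin's actual proof system. The group parameters, the function names and the `redeem` ledger rule are assumptions chosen for illustration.

```python
import hashlib
from secrets import randbelow

# Toy group (assumption): order-Q subgroup of Z_P^*, P and Q Mersenne primes, Q | P-1.
P, Q = 2**2281 - 1, 2**19 - 1   # Q is far too small for real use
G = pow(3, (P - 1) // Q, P)     # base that commits to the serial number
H = pow(5, (P - 1) // Q, P)     # blinding base; log_G(H) must be unknown
assert G != 1 and H != 1

def mint():
    """Create a coin: keep (serial, r) secret, publish only the commitment."""
    serial, r = randbelow(Q), randbelow(Q)
    return serial, r, pow(G, serial, P) * pow(H, r, P) % P

def _challenge(serial, coins, announcements):
    data = repr((serial, list(coins), announcements)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def _targets(coins, serial):
    g_inv = pow(G, -serial, P)  # coin / G^serial == H^r iff the coin opens to serial
    return [c * g_inv % P for c in coins]

def spend(coins, idx, serial, r):
    """Prove 'some coin in coins opens to serial' without revealing idx or r."""
    ys, n = _targets(coins, serial), len(coins)
    cs, zs, ann = [0] * n, [0] * n, [0] * n
    for i in range(n):
        if i != idx:  # simulate a transcript for every coin we do not own
            cs[i], zs[i] = randbelow(Q), randbelow(Q)
            ann[i] = pow(H, zs[i], P) * pow(ys[i], -cs[i], P) % P
    k = randbelow(Q)
    ann[idx] = pow(H, k, P)  # honest Schnorr commitment for our own coin
    cs[idx] = (_challenge(serial, coins, ann) - sum(cs)) % Q  # cs[idx] is still 0 here
    zs[idx] = (k + cs[idx] * r) % Q
    return cs, zs

def verify(coins, serial, proof):
    cs, zs = proof
    ys = _targets(coins, serial)
    ann = [pow(H, z, P) * pow(y, -c, P) % P for y, c, z in zip(ys, cs, zs)]
    return (len(cs) == len(zs) == len(coins)
            and sum(cs) % Q == _challenge(serial, coins, ann))

def redeem(coins, spent, serial, proof):
    """Ledger rule: each serial number can be redeemed only once."""
    if serial in spent or not verify(coins, serial, proof):
        return False
    spent.add(serial)
    return True
```

The proof carries one challenge and one response per minted coin, so in this simple construction its size grows linearly with the anonymity set.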

Unfortunately, engineering complications resulted in Zerocoin not being implemented on top of Bitcoin. This was, in part, because the creation of transactions was computationally intensive in comparison to Bitcoin. Also, the transaction proof size was around 25 kilobytes, which would have bloated the Bitcoin blockchain. As a result, Green and his team began working on a standalone alt-coin implementation that they have dubbed “Zerocash.” They have managed to reduce the size of the zero-knowledge proofs significantly by taking advantage of a new method known as Succinct Non-interactive ARguments of Knowledge, or SNARKs. This reduced the proof size from 25 kilobytes to 288 bytes. It still takes between 1 and 3 minutes to calculate the proofs on a standard CPU, though it only takes 9 milliseconds for peer nodes on the network to verify the proofs. Having to wait a few minutes to send a transaction may very well be acceptable in certain cases considering the level of anonymity being offered. Zerocash sounds like a promising alt-coin that has many of the features of Zerocoin with the exception of offering a programmatic way to launder bitcoins. If Green delivers on his promises, it wouldn’t surprise me if we see next-generation cryptocurrency laundering services that use Zerocash as an anonymization mechanism.

One lingering concern with Zerocash is that the generation of its initial public parameters must be performed by a group of “trusted people.” This may not be acceptable to some users, though the idea is that the creators would only need to generate the parameters one time and then destroy them so that the system would remain secure. At the 2015 MIT Bitcoin Expo it was announced that an MPC protocol was being developed that would make the trusted setup a distributed calculation where only one participant needs to be honest. Also, Green has yet to announce any of the runtime parameters of this alt-coin such as the mining algorithm, block times, and block rewards. The Zerocash v2 whitepaper was published for the IEEE Security and Privacy Conference, but we are still waiting for the runtime parameters to be announced.