PreprintPDF Available

ZeroCT: Improving Zerocoin with Confidential Transactions and more

Preprints and early-stage research may not have been peer reviewed yet.


The Zerocoin protocol is a set of cryptographic algorithms which embedded in a cryptocurrency provide anonymous swap of tokens in a mathematically provable way by using cryptographic accumulators. Functionally it can be described as a black box where an actor can introduce an arbitrary number of coins, and later withdraw them without leaving evidence of connection between both actions. The withdrawing step admits a destination for the coins different from the original minter, but unconditionally requires a previous mint action and does not accept the transfer of coins without leaving the accumulator, thus exposing the traceability of the coins. We propose an alternative design which for the first time combines the virtues of Zerocoin with those of Confidential Transactions offering fully-featured anonymous transactions between individuals with private amounts.
ZeroCT: Improving Zerocoin with Confidential
Transactions and more
Alex Vazquez
January 17, 2019
The Zerocoin protocol [4] is a set of cryptographic algorithms which
embedded in a cryptocurrency provide anonymous swap of tokens in a
mathematically provable way by using cryptographic accumulators. Func-
tionally it can be described as a black box where an actor can introduce an
arbitrary number of coins, and later withdraw them without leaving evi-
dence of connection between both actions. The withdrawing step admits
a destination for the coins dierent from the original minter, but uncondi-
tionally requires a previous mint action and does not accept the transfer
of coins without leaving the accumulator, thus exposing the traceability of
the coins. We propose an alternative design which for the first time com-
bines the virtues of Zerocoin [4] with those of Confidential Transactions
[17] oering fully-featured anonymous transactions between individuals
with private amounts.
1 Introduction
We can find implementations of Zerocoin in a “production” environment in
active projects like ZCoin [1] or PIVX [2]. Those stick to the original protocol [4]
where the set of actions a user can execute are limited to minting and spending
coins, working the system as a simple on-chain mixer where a previous step of
coin laundering is necessary before the transfer of value is anonymously possible.
Other alternative variations of the protocol [6] operate in a similar way, while
some newer variations [8] introduce the concept of sending Zerocoins to an
external party but still require an initial interactive setup step and only allow
one deposit per key. Although the system satisfies the necessary conditions to
consider it functionally anonymous, we would like to point out some drawbacks
from the original implementation for which we propose a solution in this paper.
Because only transparent addresses exist, it promotes the use of the Ze-
rocoin accumulators as purely transitional for the laundering of coins be-
tween transparent addresses, being transaction traceability and address
linkability through chain analysis moderately plausible. Even if a mecha-
nism consisting of rewarding users for keeping coins in the Zerocoin pool
[7] is an example of good action to increase the anonymity set, it does not
prevent the fact that coins need to leave the anonymity pool in order to be
transferred, which is the final utility of a currency, to be transferred and
used. The anonymity of the Zerocoin protocol is upper-bounded by the
size of the pool of coins, while the size of the anonymity pool is linearly
related to the amount of coins sitting in the accumulators but inversely
correlated to the number of transactions between users.
We introduce the use of Anonymous Identities, similar to the concept of
Stealth Addresses existent in other cryptocurrencies, allowing the private
transfer of coins between dierent entities without the requirement of us-
ing transparent addresses and incorporating the size of the transactional
ledger to the anonymity pool.
Privacy concerns aside, the use of clear-text denominations reduces the
usability of the system, by increasing the number of required coins and
therefore the total size of the necessary proofs. Let e0,··· , ezthe set
of dierent denominations supported by a Zerocoin implementation, the
transaction amount can be decomposed as 󰁓z
i=0 aiei. For a single spend
proof message size W, the full communication cost for the spend proofs
of a transaction is a function of its value and can be expressed as
By applying variations of known methods inspired by [17], our implemen-
tation allows the transfer of divisible amounts to be expressed as a secret
value only known to the participants of the transaction with the use of
just two Accumulators.
2 Notation
Let us define some notation and variables that will be used through this paper.
Let lktwo security parameters determining the security of the zero knowledge
proofs and u(log2q)2 the number of bits necessary to have enough precision
for transaction amounts. The concatenation of two bit arrays of arbitrary length
αand βis denoted by α||β. The binary operation XOR will be denoted with
the operator . Let H : {0,1}∗ → {0,1}la one-way cryptographic function
taking a bit array of arbitrary length as input and outputting a bit array of
length l. The function Hstakes an EC point as input and outputs the result of
feeding its binary representation into H. The bit in the position iof a bit array
ais denoted a[i], considering a[0] the bit in the left-most position of the array.
When describing Zero Knowledge proofs we will use the notation of Camenisch
and Stadler [15]. For instance, ZKSoK[m]{(x) : h=gx}denotes a signature
of knowledge on message m of the element x that satisfies h=gx, where all
values not enclosed in () are assumed to be known to the verifier. If Ais a
set, aAmeans that ais chosen at random from Aaccording to the uniform
distribution. If Ais a function, aA(···) means ais assigned the value
returned from executing Awith the given parameters.
3 A mathematical introduction to the Mint op-
The Zerocoin protocol [4] defines the Mint operation as the operation of minting
new private tokens (Zerocoins in the original definition). As in a regular Bitcoin
transaction [3], it requires that the amount of inputs used to feed the transaction
is equal to the value of the minted private tokens plus any fees defined by the
network policies.
“To mint a zerocoin cof denomination d, Alice runs Mint(params)(c,skc)
and stores skc securely. She then embeds cin the output of a Bitcoin transac-
tion that spends d+ fees classical bitcoins. Once a mint transaction has been
accepted into the block chain, cis included in the global accumulator A, and
the currency cannot be accessed except through a Zerocoin spend” [4]
Mathematically minting a coin means calculating a Pedersen Commitment
[12] which value will be later accumulated in the accumulator of the correspond-
ing denomination. A Pedersen Commitment is a one-way function where you
can commit to a value vunder a blinding factor swithout revealing the value
vuntil a later time:
c=gvhs(mod p)
Additionally this structure admits commitments to ndierent values at the
same time in the form c=hs󰁔n
i=0 gvi
i. Each additional generator gican be
calculated as gi= H(gi1) (mod p) for i1. For simplicity, we will denote v0
and g0as simply vand g.
Given c, finding sand vifor 0 inis known as the Discrete Loga-
rithm Problem, it’s “hard” to solve and there isn’t currently any known ecient
method for computing the solution in reasonable time even if some but not all of
the values of the set (s,v1, . . . , vn) are known. Because of the hardness of find-
ing suitable values for viand s, a Pedersen Commitment cC(v,s,v1,...,vn)
is both hiding (the Commitment cdoes not reveal the value it commits to) and
binding (having made the Commitment cit’s not possible to open it with dif-
ferent values for vior s) as long as loggigiis unknown with g= (h, gi,...,gn)
for 0 inand 0 i′ ≤ n.
Pedersen Commitments also have homomorphic properties: The product of
two commitments is equal to the commitment to the sum of its values as in
C(va, sa)·C(vb, sb) = C(va+vb, sa+sb) = gvahsagvbhsb=gva+vbhsa+sb
In the same fashion, the division of two commitments equals the commitment
to the subtraction of its values as in
C(va, sa)
C(vb, sb)= C(vavb, sasb) = gvahsa
The original Zerocoin protocol [4] uses a RNG to generate dierent values
for SZ
q(serial number of the minted coin) and rZ
q(randomness used
as a blind factor) to be used in the computation of cC(S, r) until {cprime
c[A, B]}[14]. The future spender of the minted coin is required to prove
knowledge of both values Sand rconstraining the spending action to the original
minter. Our contribution allows an actor to commit in zero knowledge to secret
values only known to an external party, even if those are publicly disclosed later.
4 Constructing a transaction
We will start defining how an anonymous identity is constructed. Let Bthe
public part of a Elliptic Curve key B=bG,j1Z
q,z1C(j1, k1) and z2C(j2, k2). The triplet (B, z1, z2) is known as
the anonymous identity I, which can be publicly shared and used as an address
where users can receive private coins. The tuple (b, j1, j2, z1, z2) is considered
a private view key P Kv iew and allows the wallet to identify which outputs
contain spendable private coins and when those coins are spent. P Kv iew can
be handed to an accountant to prove an account’s history of private transac-
tions without compromising the spending rights exclusivity of funds. The tuple
(b, j1, j2, k1, k2) is considered a private spend key P Kspend and allows to con-
struct the cryptographic proofs necessary to spend private coins. Anonymous
identities admit receiving as a single output an arbitrary and divisible amount
in the range [0,2u) denoted as w.
We redefine the Mint algorithm as Mint(params, I,w), so when Alice wants
to send coins to Bob’s Private Identity IBO B she:
1. Extracts B,z1and z2from IBO B .
2. Generates a new EC key A=aG and calculates a Die-Helman secret χ
using Bob’s EC public key B.
χ= Hs(aB) (mod q)
3. Uses H as a Pseudorandom Number Generator to compute σand 󰂄taking
the shared secret χas the initial seed.
σ= H(χ) (mod q)
󰂄= H(σ) (mod 2u1)
4. Lets c=zχ
1z2(mod p) and 󰂃C(w,c,σ) .
5. Verifies cand 󰂃are prime numbers and within the allowed range required
in the accumulator proof [14]. If the test fails, she repeats the process
going back to the second step. If it passes, she continues with the next
6. Includes a zero knowledge range proof that the value committed in 󰂃is a
positive number and lies in the range [0,2u).
NIZKPoK{(v, σ) : 󰂃=gwhcgσ
Methods like Bulletproofs [16] allow provers to bundle many range proofs
in one of compressed size, making it possible to compute one proof per
transaction instead of using the more expensive model of one-proof-per-
7. Lets W=w󰂄the amount obfuscated with 󰂄.
8. Reveals (A, c, 󰂃,W) in the output of a transaction.
Considering the following equality is satisfied
1z2= (gj1)χ(hk1)χgj2hk2=g(j1χ+j2)h(k1χ+k2)(mod p)
we can claim c is equivalent to a Pedersen Commitment with one secret and one
randomness value. Alice knows z1,z2and χbut she does not have knowledge of
j1,j2,k1or k2because of the properties of the Pedersen Commitment and under
the assumption of the hardness of the Discrete Log Problem, thus she would be
committing without retaining the ability of later opening the commitment by
using the serial number S=j1χ+j2or the randomness r=k1χ+k2in the
construction of the proofs that are necessary to spend the coins. This scheme
retains the perfectly hidden property from the Pedersen Commitment construc-
tion as j1,j2,k1and k2are uniformly drawn from Z
qwhile χis calculated mod
q, being the distribution of the resulting j1χ+j2and k1χ+k2equally uniform.
An actor observing the chain and acting as a validator would accumulate c
and 󰂃in dierent accumulators Aand Vrespectively.
The private key awill be stored by Alice and used to prove the minting of
specific coins without revealing Alice’s whole transaction history or identity.
Due to the use of only one anonymous identity to receive coins, this scheme
does not facilitate the use of short-lived addresses to identify individual pay-
ments, which is a common use case for merchants in other cryptocurrencies
like Bitcoin. To solve this we propose the calculation of an extra parameter
o= H(󰂄) used to obfuscate a Payment ID/Message Mas in M=Mo, being
the maximum admitted length for |M|the bit length of the output from the
chosen hash function H. Mcan be attached to an extra metadata parameter of
a transaction, as an additional byte array in the output’s scriptPubKey or as
an OP RETURN OP PAYID script in a 0-value output from the transaction.
If Alice wants to anonymously spend private coins to fund the transaction,
she will need to construct and attach as inputs a set of spend proofs for each of
the outputs she wants to spend.
Tim Rung, Sri Aravinda Thyagarajan, Viktoria Ronge and Dominique
Schrder published a paper [5] describing a cryptographic denial-of-spending at-
tack against the original Zerocoin protocol where it would be possible to block a
transaction from being propagated in blocks and reusing its serial number Sto
create a new Zerocoin mint. If this new Zerocoin mint is spent earlier than the
honest coin, the honest coin’s serial number would be marked as spent making
the honest coin thus unspendable.
They propose to “use (as a serial number) a fresh verification key of an
ordinary signature scheme, which is strongly existentially unforgeable under
chosen message attacks. The spender will additionally sign spend transactions
under this verification key, and verifiers will additionally verify these signatures
using the verification key revealed as serial number.” [5]
This solution, already implemented in other cryptocurrencies, is not com-
pletely compatible as it is with the changes in the Zerocoin protocol proposed
in this paper, as the coin’s serial number is calculated by the sender in zero
As an alternative we propose the following scheme to achieve serial number
When computing a coin spend proof for a transaction’s input, we consider
Sa private key and provide the serial number’s public key Sinstead as in
S=gS(mod p)
Alice will also include an extra zero knowledge proof of knowledge based
on a Schnorr identification protocol [9] transformed in a non-interactive
signature of knowledge using the Fiat-Shamir heuristic [10]:
ZKSoK[m]{(S) : S=gS}
This scheme removes an attacker’s ability to reuse a serial number to mint
a new coin and later proceed with a Denial-Of-Spending attack, as even if he
could mint a new coin with the serial number public key S, he’d be unable to
spend it without knowledge of the serial number private key S.
Further modification of the Spend algorithm is required to accommodate a
new transaction’s value commitment W.
1(mod p)
The description of the original algorithm in [4, Appendix B] defines πas a
signature of knowledge “composed of two proofs that (1) a committed value
cis accumulated and (2) that cis a commitment to S”. A prover using our
implementation will need to extend (1) with an extra proof of the accumulation
of 󰂃in Vusing the accumulation witness w, and substitute (2) with a new
proof to prove in zero knowledge that he knows the secrets of both cand 󰂃,
that 󰂃commits to cas an exponent of hand that Wand 󰂃commit to the same
transaction amount w:
π=ZK S oK [m]{(c, w, S, r, v, σ) :
AccVerify((N , u), A, c, w) = 1 AccVerify((N, u), V, 󰂃, w) = 1
As a quick draft, we propose the following protocol in order to produce a
proof to mathematically convince a verifier of the aforementioned statement.
Taken y=ϑcβv=ϑ(gShr)βvand Y=ϑ󰂃βς=ϑ(gwhσgc
1)βςfrom the transcripts
of the AccVerify algorithm (used to prove the accumulation of cand 󰂃in the
accumulators Aand Vas described in [14]), let aand bbe generators of a group
whose order equals the modulus of the group used for the Pedersen Commitment
c. Let v′ ← Z
n,ς′ ← Z
n,y=a(gShr)bvand Y=a(gwhσgc
1)bς. Using standard
and well known techniques, Alice will first prove with a discrete log equality
proof that both yand y, and Yand Y, open to the same values.
Then, inspired by the double discrete log proof described in [4, Appendix
B], Alice will prove she knows how to open y,Yand Wand will reuse the
challenges from the zero knowledge proof to argue for the fulfilment of the rest
of conditions:
She will compute for each 1 il:
ω= H(m||y||y||a||b||g||h||g1||W||S||t1|| ...||tl
||υ1|| ...||υl||µ1|| ...||µl||κ1|| ...||κl)
For every bit ω[i], when its value equals 0, let
If ω[i] equals 1, let
The proof
is sent to the verifier.
For every ω[i] he will check if it equals 0. In that case, let
He can now compute
ω= H(m||y||y||a||b||g||h||g1||W||S||t1|| ...||tl
||υ1|| ...||υl||µ|| ...||µ||κ1|| ...||κl)
The proof is valid iωω.
We point the interested reader to [13, Appendix A] in order to find a full
security proof of the original zero knowledge proof which served as an inspiration
to construct this.
This proof clearly increases the communication overhead compared with the
original proof. Considering Athe size of an accumulation proof, Ethe size
of a discrete logarithm equality proof and Cthe size of a challenge used in the
double logarithm proof, a transaction’s input communication cost of the original
protocol can be approximately denoted as
W=A+E+ 2lC
while the cost of the cryptographic proofs for an input in our proposal would be
W= 2A+ 2E+ 7lC
For a default l= 80, let e=2+2l
564 1
4the eciency of our implementation,
we can use
= True
to determine if this protocol has a communicational cost advantage for a con-
crete transaction. Even if our proposal oers better anonymity properties and
shows itself more ecient than Zerocoin transactions with 4 or more inputs,
we strongly encourage research in the direction of designing more ecient zero
knowledge proofs.
The following table shows the count of single- and multi-exponentiation op-
erations needed to construct and verify the dierent cryptographic proofs which
are part of the coin spend algorithm. Count of scalar arithmetic operations,
multiplicative inverse calculations, hash functions or other operations out of the
exponentiation realm are intentionally excluded from the scope of the table for
simplicity, as their computational cost is considered marginally low.
Table 1: Count of operations of exponentiations of n powers
n=1 n=2 n=3
Accumulation Proof Prove 1 8 2
Verify 0 0 7
DL Equality Proof Prove 0 2 0
Verify 0 0 2
Ext. Double DL Proof Prove 2l 4l 2l
Verify l 4l l
Coin Serial Signature Prove 2 0 0
Verify 2 0 0
5 A transaction’s amount signature
We substitute the public amounts from transactions with secret values hidden in
the coin and spend proof commitments. The amounts being publicly verifiable
is a key part of how traditional blockchains work to confirm all value transfers
occur inside of a constrained money supply limit and that no user is able to
spend more coins than those he proved ownership of.
For a transaction Twith minputs and noutputs we will also require the
transaction fee (following strict network policies) to appear explicit as the last
output at index nwith transparent amount f. This output can be denoted with
a special un-spendable script like OP RETURN OP FEE.
Once the explicit-fee output is added to the output’s array of the transaction,
Alice will be able to sign the transaction using the public key Nas in
i=0 Wi
i=0 󰂃ihci
(mod p)
only if the committed amounts in Wiand the committed amounts in 󰂃i+f
match m
= 0
by using
σi(mod q)
as a private key.
6 Validating transactions
Bob will scan all the incoming new transactions (as he already does) and for
every output containing a Zerocoin mint, he will:
1. Reject the transaction if:
The range proof for the outputs’ amount is not valid or
The fee is not explicitly included or does not strictly meet the network
policies or
Broadcasted values cand 󰂃are not prime numbers or in the required
range or
The transaction is not signed by N.
2. Extract b,z1and z2from his own P Kview .
3. Calculate a Die-Helman secret χusing his own EC private key band
Alice’s EC public key A.
χ= Hs(bA) (mod q)
4. Derive σand 󰂄from χ.
σ= H(χ) (mod q)
󰂄= H(σ) (mod 2u1)
5. Decode the transaction amount into w.
w=W′ ⊕ 󰂄
6. Reconstruct 󰂃and c.
1z2(mod p)
1(mod p)
7. Icand 󰂃equals the values of cand 󰂃submitted by Alice, Bob recognises
the output as spendable and securely stores it, so he can later calculate
the spend proofs.
As an improvement to the original specification, Bob or an accountant will be
able to reconstruct his whole transaction history of private coins by simply using
his private view key PKv iew with very low computing costs. He will need to
keep P Kview on memory to verify outputs and calculate an unspendable private
coin pc. This is considered safe, as an adversary accessing the memory resources
of Bob’s system won’t be able to steal the funds. Only when a Spend action
is performed, the private spend key P Kspend is unencrypted and temporarily
stored in memory while the proofs are constructed, reducing the likeliness of an
unauthorised access to the coins in the same manner as in the regular spending
of Bitcoin occurs.
However compromising P Kv iew from the memory space of the wallet, or
compromising access to the wallet’s database local file, would entirely compro-
mise the privacy and act as a source of evidence for an adversary as he would
be able to undoubtedly identify previous and future transactions. We encour-
age to implement full encryption for the whole wallet database to prevent those
We would like to specially thank Samuel Dobson, Guy Kloss, the Veil develop-
ment team, Jonathan Cressman and Sarang Noether for reviewing the soundness
of this paper and providing their constructive input. Marcus Chan for reviewing
the copywriting of this paper. Craig MacGregor for coordinating reviews and
overseeing the production of this paper. Please note that reviewers of this paper
have not been commercially engaged, nor should their review of this paper be
considered an endorsement of the papers content or imply any liability what-
soever regarding the application of the private transaction methods the paper
[1] Zcoin.
[2] PIVX.
[3] S. Nakamoto, Bitcoin: A peer-to-peer electronic cash system, 2009. 2012. bitcoin.pdf
[4] Ian Miers, Christina Garman, Matthew Green, Aviel D. Ru-
bin: Zerocoin: Anonymous Distributed E-Cash from Bitcoin.
[5] Tim Rung, Sri Aravinda Thyagarajan, Viktoria Ronge, Do-
minique Schrder: Burning Zerocoins for Fun and for Profit A
Cryptographic Denial-of-Spending Attack on the Zerocoin Protocol.
[6] Jens Groth, Markulf Kohlweiss. One-out-of-Many Proofs: Or How to Leak
a Secret and Spend a Coin
[7] zPOS / zPIV Staking Rewards
[8] The NIX Developer Team: Pedersen Anonymous De-
posits: Commitment Key Packs
content/uploads/2018/10/Commitment Key Packs v1-0-1.pdf
[9] Claus P. Schnorr. Ecient signature generation for smart cards. Journal
of Cryptology, 4(3):239252, 1991.
[10] Amos Fiat and Adi Shamir. How to Prove Yourself: Practical Solutions
to Identification and Signature Problems. CRYPTO 1986: pp. 186-194
[11] Christina Garman, Matthew Green, Ian Miers, and Aviel D. Rubin Ra-
tional Zero: Economic Security for Zerocoin with Everlasting Anonymity. submission 12.pdf
[12] Pedersen T.P. (1992) Non-Interactive and Information-Theoretic Secure
Verifiable Secret Sharing. In: Feigenbaum J. (eds) Advances in Cryptology
CRYPTO 91. CRYPTO 1991. Lecture Notes in Computer Science, vol 576.
Springer, Berlin, Heidelberg
[13] Ian Miers. Decentralized Anonymous Payments. 2017
[14] J. Camenisch and A. Lysyanskaya, Dynamic accumulators and application
to ecient revocation of anonymous credentials. in CRYPTO 02, 2002, pp.
[15] J. Camenisch and M. Stadler, Ecient group signature schemes for large
groups. in CRYPTO 97, vol. 1296 of LNCS, 1997, pp. 410424.
[16] Bunz, B., Bootle, J., Boneh, D., Poelstra, A., Maxwell, G.: Bulletproofs:
short proofs for confidential transactions and more. Cryptology ePrint
Archive, Report 2017/1066 (2017).
[17] Greg Maxwell, Confidential Transactions˜greg/confidential values.txt
ResearchGate has not been able to resolve any citations for this publication.
Full-text available
We present a new public-key signature scheme and a corresponding authentication scheme that are based on discrete logarithms in a subgroup of units in p where p is a sufficiently large prime, e.g., p 2512. A key idea is to use for the base of the discrete logarithm an integer in p such that the order of is a sufficiently large prime q, e.g., q 2140. In this way we improve the ElGamal signature scheme in the speed of the procedures for the generation and the verification of signatures and also in the bit length of signatures. We present an efficient algorithm that preprocesses the exponentiation of a random residue modulo p.
Conference Paper
Full-text available
In this paper we describe simple identification and signature schemes which enable any user to prove his identity and the authenticity of his messages to any other user without shared or public keys. The schemes are provably secure against any known or chosen message attack ff factoring is difficult, and typical implementations require only 1% to 4% of the number of modular multiplications required by the RSA scheme. Due to their simplicity, security and speed, these schemes are ideally suited for microprocessor-based devices such as smart cards, personal computers, and remote control system.q.
Conference Paper
We construct a 3-move public coin special honest verifier zero-knowledge proof, a so-called Sigma-protocol, for a list of commitments having at least one commitment that opens to 0. It is not required for the prover to know openings of the other commitments. The proof system is efficient, in particular in terms of communication requiring only the transmission of a logarithmic number of commitments. We use our proof system to instantiate both ring signatures and zerocoin, a novel mechanism for bitcoin privacy. We use our Sigma-protocol as a (linkable) ad-hoc group identification scheme where the users have public keys that are commitments and demonstrate knowledge of an opening for one of the commitments to unlinkably identify themselves (once) as belonging to the group. Applying the Fiat-Shamir transform on the group identification scheme gives rise to ring signatures, applying it to the linkable group identification scheme gives rise to zerocoin. Our ring signatures are very small compared to other ring signature schemes and we only assume the users’ secret keys to be the discrete logarithms of single group elements so the setup is quite realistic. Similarly, compared with the original zerocoin protocol we only rely on a weak cryptographic assumption and do not require a trusted setup. A third application of our Sigma protocol is an efficient proof of membership of a secret committed value belonging to a public list of values.
Conference Paper
Bitcoin is the first e-cash system to see widespread adoption. While Bitcoin offers the potential for new types of financial interaction, it has significant limitations regarding privacy. Specifically, because the Bitcoin transaction log is completely public, users' privacy is protected only through the use of pseudonyms. In this paper we propose Zerocoin, a cryptographic extension to Bitcoin that augments the protocol to allow for fully anonymous currency transactions. Our system uses standard cryptographic assumptions and does not introduce new trusted parties or otherwise change the security model of Bitcoin. We detail Zerocoin's cryptographic construction, its integration into Bitcoin, and examine its performance both in terms of computation and impact on the Bitcoin protocol.
A purely peer-to-peer version of electronic cash would allow online payments to be sent directly from one party to another without going through a financial institution. Digital signatures provide part of the solution, but the main benefits are lost if a trusted third party is still required to prevent double-spending. We propose a solution to the double-spending problem using a peer-to-peer network. The network timestamps transactions by hashing them into an ongoing chain of hash-based proof-of-work, forming a record that cannot be changed without redoing the proof-of-work. The longest chain not only serves as proof of the sequence of events witnessed, but proof that it came from the largest pool of CPU power. As long as a majority of CPU power is controlled by nodes that are not cooperating to attack the network, they'll generate the longest chain and outpace attackers. The network itself requires minimal structure. Messages are broadcast on a best effort basis, and nodes can leave and rejoin the network at will, accepting the longest proof-of-work chain as proof of what happened while they were gone.
Conference Paper
We introduce the notion of a dynamic accumulator .A n ac- cumulator scheme allows one to hash a large set of inputs into one short value, such that there is a short proof that a given input was incorporated into this value. A dynamic accumulator allows one to dynamically add and delete a value, such that the cost of an add or delete is independent of the number of accumulated values. We provide a construction of a dy- namic accumulator and an efficient zero-knowledge proof of knowledge of an accumulated value. We prove their security under the strong RSA as- sumption. We then show that our construction of dynamic accumulators enables efficient revocation of anonymous credentials, and membership revocation for recent group signature and identity escrow schemes.