Zerocoin protocol
{{Short description|Privacy protocol}}
{{Use dmy dates|date=December 2014}}
{{Multiple issues|
{{Original research|date=August 2014}}
{{Primary sources|date=April 2019}}
{{More citations needed|date=August 2014}}}}
Zerocoin is a privacy protocol proposed in 2013 by Johns Hopkins University professor Matthew D. Green and his graduate students, Ian Miers and Christina Garman. It was designed as an extension to the Bitcoin protocol that would improve Bitcoin transactions' anonymity by having coin-mixing capabilities natively built into the protocol.{{cn|date=August 2019}} Zerocoin is not currently compatible with Bitcoin.
==History==
Due to the public nature of the blockchain, users may have their privacy compromised while interacting with the network. To address this problem, a third-party coin mixing service can be used to obscure the trail of cryptocurrency transactions. In May 2013, Matthew D. Green and his graduate students (Ian Miers and Christina Garman) proposed the Zerocoin protocol, in which cryptocurrency transactions can be anonymized without going through a trusted third party: a coin is destroyed and then minted again to erase its history.{{cite conference|last1=Miers|first1=Ian |last2=Garman|first2=Christina |last3=Green|first3=Matthew| last4=Rubin|first4=Aviel D. | url=http://spar.isi.jhu.edu/~mgreen/ZerocoinOakland.pdf| title=Zerocoin: Anonymous Distributed E-Cash from Bitcoin|conference=2013 IEEE Symposium on Security and Privacy|publisher=IEEE Computer Society Conference Publishing Services | date=May 2013 | pages=397–411 | doi=10.1109/SP.2013.34 | issn=1081-6011 }}
When a coin is spent, no information is available that reveals exactly which coin is being spent.{{cite web |last1=Morgen |first1=E Peck |title=Who's Who in Bitcoin: Zerocoin Hero Matthew Green |url=https://spectrum.ieee.org/whos-who-in-bitcoin-zerocoin-hero-matthew-green |publisher=IEEE Spectrum |access-date=6 August 2018 |archive-url=https://web.archive.org/web/20140904194941/https://spectrum.ieee.org/computing/networks/whos-who-in-bitcoin-zerocoin-hero-matthew-green/ |archive-date=4 September 2014 |url-status=live |date=24 October 2013}} Initially, the Zerocoin protocol was planned to be integrated into the Bitcoin network.{{cite news |last1=Janus |first1=Kopfstein |title=Gold 2.0: can code and competition build a better Bitcoin? |url=https://www.theverge.com/2013/4/23/4252808/can-zerocoin-and-ripple-build-a-better-bitcoin |access-date=7 August 2018 |publisher=The Verge |date=23 April 2013 |archive-url=https://web.archive.org/web/20180620001124/https://www.theverge.com/2013/4/23/4252808/can-zerocoin-and-ripple-build-a-better-bitcoin |archive-date=20 June 2018}} However, the proposal was not accepted by the Bitcoin community.
Thus, the Zerocoin developers decided to launch the protocol as an independent cryptocurrency.{{cite news |last1=Carrie |first1=Wells |title=Hopkins researchers are creating an alternative to Bitcoin |url=http://www.baltimoresun.com/news/maryland/bs-md-hopkins-bitcoin-20140201-story.html |access-date=7 August 2018 |work=The Baltimore Sun |date=1 February 2014 |archive-url=https://web.archive.org/web/20171127102931/http://www.baltimoresun.com/news/maryland/bs-md-hopkins-bitcoin-20140201-story.html |archive-date=27 November 2017}} The project to create a standalone cryptocurrency implementing the Zerocoin protocol was named "Moneta".{{cite web |title=Moneta - Engineering an ideal cryptocurrency |url=https://moneta.cash/about.html |archive-url=https://web.archive.org/web/20150203221850/https://moneta.cash/about.html |url-status=dead |archive-date=3 February 2015 |publisher=Moneta.cash |access-date=11 August 2018}} In September 2016, Zcoin (XZC), the first cryptocurrency to implement the Zerocoin protocol, was launched by Poramin Insom and his team.{{cite news |title=Cryptocurrency Zcoin Have Just Released 'French Drop' Their Best Privacy Update Yet |url=https://markets.businessinsider.com/news/stocks/cryptocurrency-zcoin-have-just-released-french-drop-their-best-privacy-update-yet-1017654907 |access-date=7 August 2018 |agency=Zcoin team |publisher=Business Insider |date=1 March 2018 |archive-url=https://web.archive.org/web/20180807132934/https://markets.businessinsider.com/news/stocks/cryptocurrency-zcoin-have-just-released-french-drop-their-best-privacy-update-yet-1017654907 |archive-date=7 August 2018}} In January 2018, an academic paper partially funded by Zcoin was published proposing to replace the proof-of-work system with a memory-intensive Merkle tree proof algorithm, in order to ensure more equitable mining among ordinary users.{{cite arXiv |last1=Alex |first1=Biryukov |last2=Dmitry |first2=Khovratovich |title=Egalitarian computing|eprint=1606.03588 |class=cs.CR |year=2016 }} In April 2018, a cryptographic flaw was found in the Zerocoin protocol that allows an attacker to destroy coins owned by honest users, create coins out of thin air, and steal users' coins.{{cite journal |last1=Tim |first1=Ruffing |last2=Sri Avavinda |first2=Krishnan |last3=Viktoria |first3=Ronge |last4=Dominique |first4=Schröder |title=A Cryptographic Flaw in Zerocoin (and Two Critical Coding Issues) |journal=Chair of Applied Cryptography |date=12 April 2018 |url=https://www.chaac.tf.fau.eu/2018/04/12/zerocoinzcoinpivxzoinsmartcashhexxcoin-attack/ |access-date=9 September 2018 |publisher=University of Erlangen-Nuremberg |location=Germany}} The Zcoin team, while acknowledging the flaw, stated that such attacks are very difficult to perform and unlikely to yield an economic benefit to the attacker.{{cite web |last1=Reuben |first1=Yap |title=A statement on the paper "Burning Zerocoins for fun and profit" |url=https://zcoin.io/statement-paper-burning-zerocoins-fun-profit/ |publisher=Zcoin.io |access-date=9 September 2018 |archive-url=https://web.archive.org/web/20180909001327/https://zcoin.io/statement-paper-burning-zerocoins-fun-profit/ |archive-date=9 September 2018}} In December 2018, Zcoin released an academic paper proposing the Lelantus protocol, which removes the need for a trusted setup and hides both the origin and the amount of coins in a transaction when using the Zerocoin protocol.{{cite web |title=Lelantus: Private transactions with hidden origins and amounts based on DDH |url=https://lelantus.io/lelantus.pdf |publisher=Zcoin |access-date=29 December 2018 |archive-url=https://web.archive.org/web/20181220061130if_/https://lelantus.io/lelantus.pdf |archive-date=20 December 2018}}{{cite journal |last1=Aram |first1=Jivanyan |title=Lelantus: Towards Confidentiality and Anonymity of Blockchain Transactions from Standard Assumptions |journal=Cryptology ePrint Archive |date=7 April 2019 |issue=Report 373 |url=https://eprint.iacr.org/2019/373 |access-date=14 April 2019}}
==Architecture==
Transactions that use the Zerocoin feature are drawn from an escrow pool, and each coin's transaction history is erased when it emerges from the pool.{{Cite web|url=https://techcrunch.com/2015/02/07/what-you-need-to-know-about-zero-knowledge/|title=What You Need To Know About Zero Knowledge|website=TechCrunch|date=7 February 2015 |language=en-US|access-date=2018-12-21}} Transactions are verified by zero-knowledge proofs, a mathematical way to prove that a statement is true without revealing anything else about it.{{Cite web|url=http://fortune.com/2017/12/18/jp-morgan-bitcoin-zcash-wilcox/|title=Can This Man Build a Better Bitcoin?|website=Fortune|language=en|access-date=2018-12-21|archive-date=18 December 2017|archive-url=https://web.archive.org/web/20171218044751/http://fortune.com/2017/12/18/jp-morgan-bitcoin-zcash-wilcox/|url-status=dead}}
==Zerocash==
On 16 November 2013, Matthew D. Green announced the Zerocash protocol, which provides additional anonymity by shielding the amount transacted.{{cite tweet|number=401797786347114496|user=matthew_d_green|title=We designed a new version of Zerocoin that reduces proof sizes by 98% and allows for direct anonymous payments that hide payment amount|author=Matthew D. Green|author-link=Matthew D. Green|date=November 16, 2013|access-date=September 16, 2015|website=Twitter.com}} Zerocash reduces transaction sizes by 98%, but it was significantly more computationally expensive, taking up to 3.2 GB of memory to generate a transaction.{{Cite news|url=https://z.cash/support/zig/|title=Zcash Integration Guide - Zcash|work=Zcash|access-date=2018-11-26|language=en-US}}{{cite book|last1=Eli Ben|first1=Sasson|last2=Alessandro|first2=Chiesa|last3=Christina|first3=Garman|last4=Matthew|first4=Green|title=2014 IEEE Symposium on Security and Privacy |chapter=Zerocash: Decentralized Anonymous Payments from Bitcoin |date=18 May 2014|publisher=IEEE|pages=459–474|doi=10.1109/SP.2014.36|isbn=978-1-4799-4686-0|citeseerx=10.1.1.649.4389|s2cid=5939799}} More recent developments of the protocol have reduced this to 40 MB.
Zerocash uses succinct non-interactive zero-knowledge arguments of knowledge (zk-SNARKs), a special kind of zero-knowledge method for proving the integrity of computations.{{cite journal|last1=Ben-Sasson|first1=Eli|last2=Chiesa|first2=Alessandro|last3=Tromer|first3=Eran|last4=Virza|first4=Madars|title=Succinct Non-Interactive Zero Knowledge for a von Neumann Architecture|journal=USENIX Security|date=2014|url=http://eprint.iacr.org/2013/879}} Such proofs are less than 300 bytes long, can be verified in only a few milliseconds, and have the additional advantage of hiding the amount transacted. However, unlike Zerocoin, Zerocash requires an initial setup by a trusted entity.{{Cite web|url=https://techcrunch.com/2015/02/07/what-you-need-to-know-about-zero-knowledge/|title=What You Need To Know About Zero Knowledge|website=TechCrunch|date=7 February 2015 |language=en-US|access-date=2018-12-19}}
Zcash, the first Zerocash-based cryptocurrency, was developed by Matthew D. Green, the assistant professor behind the Zerocoin protocol; its development began in 2013.{{Cite news|url=https://www.nytimes.com/2016/11/01/business/dealbook/zcash-a-harder-to-trace-virtual-currency-generates-price-frenzy.html|title=Zcash, a Harder-to-Trace Virtual Currency, Generates Price Frenzy|work=The New York Times |date=November 2016 |access-date=2018-11-26|language=en|last1=Popper |first1=Nathaniel }}
==Cryptocurrencies==
===Zcoin (XZC)===
{{Main|Zcoin}}
In late 2014, Poramin Insom, a master's student in Security Informatics at Johns Hopkins University, wrote a paper on implementing the Zerocoin protocol in a cryptocurrency, with Matthew Green as the faculty member involved.{{cite web |last1=Reuben |first1=Yap |title=An Interview with Poramin Insom, Zcoin's lead developer and founder |url=https://zcoin.io/interview-poramin-insom-zcoins-lead-developer-founder/ |publisher=zcoin.io |access-date=8 September 2018 |archive-url=https://web.archive.org/web/20180824135136/https://zcoin.io/interview-poramin-insom-zcoins-lead-developer-founder/ |archive-date=24 August 2018}}{{cite news |last1=Ezra Kryill |first1=Erker |title=Cyberwarfare to cryptocurrency |url=http://www.eliteplusmagazine.com/home/content/654/8 |access-date=5 May 2019 |publisher=Elite Plus Magazine |date=4 April 2019 |archive-url=https://web.archive.org/web/20190505035629/http://www.eliteplusmagazine.com/home/content/654/8 |archive-date=5 May 2019}} Roger Ver and Tim Lee were Zcoin's initial investors.{{cite web |last1=Reuben |first1=Yap |title=A message from our new investor in Zcoin, Tim Lee |url=https://zcoin.io/a-message-from-our-new-investor-in-zcoin-tim-lee/ |access-date=13 August 2018 |archive-url=https://web.archive.org/web/20171229084146/https://zcoin.io/a-message-from-our-new-investor-in-zcoin-tim-lee/ |archive-date=29 December 2017}} Poramin also set up an exchange named "Satang" that can convert Thai baht to Zcoin directly.
On 20 February 2017, an attack exploiting a coding error in the Zerocoin protocol implementation created 370,000 fake tokens, which the perpetrators sold for over 400 bitcoins (about $440,000). The Zcoin team announced that a single-symbol error in a piece of code "allowed an attacker to create Zerocoin spend transactions without a corresponding mint".{{Cite web|url=https://www.zdnet.com/article/the-most-high-profile-cryptocurrency-data-breaches-vulnerabilities-and-disasters-in-2017/|title=The risky business of bitcoin: High-profile cryptocurrency catastrophes|last=Osborne|first=Charlie|website=ZDNet|language=en|access-date=2018-12-21}} Unlike Ethereum's response to the DAO incident, the developers opted not to destroy any coins or attempt to reverse the effects of the newly generated ones.{{cite news |last1=Rob |first1=Price |title=A single typo let hackers steal $400,000 from a bitcoin rival |url=https://www.businessinsider.com/typo-bitcoin-rival-zcoin-attacker-steals-400000-2017-2?IR=T |access-date=11 August 2018 |publisher=Business Insider |date=20 February 2017 |url-status=live |archive-url=https://web.archive.org/web/20180811023625/http://uk.businessinsider.com/typo-bitcoin-rival-zcoin-attacker-steals-400000-2017-2/?IR=T |archive-date=11 August 2018}}
In September 2018, Zcoin introduced the Dandelion protocol, which hides the origin IP address of a sender without using The Onion Router (Tor) or a virtual private network (VPN).{{cite news |last1=Jintana |first1=Panyaarvudh |title=The distributed passion of a crypto pioneer Insom |url=https://www.nationthailand.com/detail/Startup_and_IT/30360447 |access-date=1 January 2019 |publisher=The Nation (Thailand) |date=15 December 2018 |url-status=live |archive-url=https://web.archive.org/web/20181215014022/http://www.nationmultimedia.com/detail/Startup_and_IT/30360447 |archive-date=15 December 2018}}{{cite web |title=Zcoin is the first cryptocurrency to implement Dandelion privacy protocol |date=4 October 2018 |url=https://www.finder.com.au/zcoin-is-the-first-cryptocurrency-to-implement-dandelion-privacy-protocol |publisher=finder.com.au |access-date=1 January 2019|archive-url=https://web.archive.org/web/20190102100202/https://www.finder.com.au/zcoin-is-the-first-cryptocurrency-to-implement-dandelion-privacy-protocol|archive-date=2 January 2019}} In November 2018, Zcoin was used to conduct the world's first large-scale party election, for Thailand's Democrat Party, using the InterPlanetary File System (IPFS).{{cite news |last1=Jintana |first1=Panyaarvudh |last2=Kas |first2=Chanwanpen |title=Reliable voting TECHNOLOGY |url=https://www.nationthailand.com/detail/Startup_and_IT/30359633 |access-date=29 December 2018 |publisher=The Nation (Thailand) |url-status=live |archive-url=https://web.archive.org/web/20181203194030/http://www.nationmultimedia.com/detail/Startup_and_IT/30359633 |archive-date=3 December 2018}} In December 2018, Zcoin implemented Merkle tree proof, a memory-intensive mining algorithm that deters the use of application-specific integrated circuits (ASICs) for mining. This allows ordinary users to mine with a central processing unit (CPU) or graphics card, making coin mining more egalitarian.{{cite news |title=Zcoin Moves Against ASIC Monopoly With Merkle Tree Proof |url=https://www.financemagnates.com/cryptocurrency/news/zcoin-moves-against-asic-monopoly-with-merkle-tree-proof/ |access-date=29 December 2018 |publisher=Finance Magnates |date=6 December 2018 |archive-url=https://web.archive.org/web/20181206222208/https://www.financemagnates.com/cryptocurrency/news/zcoin-moves-against-asic-monopoly-with-merkle-tree-proof/ |archive-date=6 December 2018}} On 30 July 2019, Zcoin formally departed from the Zerocoin protocol by adopting a new protocol called "Sigma", which removes the Zerocoin protocol's "trusted setup" and thereby prevents counterfeit privacy coins from inflating the coin supply.{{cite news |last1=Andrew |first1=Munro |title=Zcoin cryptocurrency introduces zero knowledge proofs with no trusted set-up |url=https://www.finder.com.au/zcoin-cryptocurrency-introduces-zero-knowledge-proofs-with-no-trusted-setup |access-date=30 July 2019 |publisher=Finder Australia |date=30 July 2019 |archive-url=https://web.archive.org/web/20190730210721/https://www.finder.com.au/zcoin-cryptocurrency-introduces-zero-knowledge-proofs-with-no-trusted-setup |archive-date=30 July 2019}}
==Reception==
One criticism of Zerocoin is the added computation time required by the process, which would have to be performed primarily by bitcoin miners. If the proofs were posted to the blockchain, this would also dramatically increase the size of the blockchain. Nevertheless, as stated by the original author, the proofs could be stored outside the blockchain.{{cite news | url=https://spectrum.ieee.org/whos-who-in-bitcoin-zerocoin-hero-matthew-green | issn=0018-9235 | title=Who's who in Bitcoin: Zerocoin hero Matthew Green | work=IEEE Spectrum | last=Peck | first=Morgan E. | date=24 October 2013 | access-date=31 January 2014 | publisher=Institute of Electrical and Electronics Engineers }}
Since a zerocoin has the same denomination as the bitcoin used to mint it, anonymity would be compromised if no (or few) other zerocoins of the same denomination are currently minted but unspent. A potential solution would be to allow only zerocoins of specific set denominations; however, this would increase the needed computation time, since multiple zerocoins could be needed for one transaction.{{Citation needed|date=August 2022}}
Depending on the specific implementation, Zerocoin requires two very large prime numbers to generate a parameter (the accumulator modulus) that cannot be easily factored. These values must therefore either be generated by a trusted party, or be replaced by RSA unfactorable objects (RSA UFOs), which avoid the need for a trusted party. Such a setup, however, is not possible with the Zerocash protocol.
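The accumulator mechanism behind Zerocoin's mint and spend, and the reason the modulus must come from a trusted setup or an RSA UFO, as an added toy example in Python (not the Zerocoin reference code; the primes, base and coin values are constructed and far too small for real use). The zero-knowledge proof that a real spend uses to hide which coin is being spent is omitted, so the membership check is done in the clear.

```python
from math import gcd

# Constructed toy parameters (insecure sizes). Real Zerocoin uses an RSA
# modulus of thousands of bits; whoever knows its factors holds a trapdoor.
P, Q = 999983, 1000003            # the two large primes of the setup
N = P * Q                         # public accumulator modulus
PHI_N = (P - 1) * (Q - 1)         # trapdoor that a trusted setup must destroy
U = 65537                         # public accumulator base, coprime to N


def is_prime(n):
    """Trial division; adequate for the toy coin sizes used here."""
    if n < 2:
        return False
    return all(n % d for d in range(2, int(n ** 0.5) + 1))


def mint(ledger, coin):
    """Mint: publish the coin value (standing in for the commitment C,
    which Zerocoin requires to be prime) on the public ledger."""
    assert is_prime(coin) and gcd(coin, N) == 1
    ledger.append(coin)


def accumulate(ledger):
    """Accumulator A = U^(c1*c2*...*ck) mod N over every minted coin."""
    acc = U
    for c in ledger:
        acc = pow(acc, c, N)
    return acc


def witness(ledger, coin):
    """Membership witness: the same product with our own coin left out."""
    w = U
    for c in ledger:
        if c != coin:
            w = pow(w, c, N)
    return w


def verify_spend(acc, coin, w):
    """Spend check: w^coin == A shows the coin was minted at some point.
    Zerocoin proves this relation in zero knowledge, so a verifier learns
    only the coin's serial number, never which mint it came from."""
    return is_prime(coin) and pow(w, coin, N) == acc


def forge_witness_with_trapdoor(acc, coin):
    """Why the setup must be trusted: with phi(N) anyone can produce a
    valid witness for a coin that was never minted ('out of thin air')."""
    inv = pow(coin, -1, PHI_N)    # coin^-1 mod phi(N); needs Python 3.8+
    return pow(acc, inv, N)       # (A^inv)^coin == A mod N
```

With three constructed coins minted, an honest witness verifies, a witness for an unminted coin fails, and the trapdoor produces a passing witness for that same unminted coin; Sigma, Lelantus and RSA UFOs all exist to remove that trapdoor.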
==References==
{{reflist|30em}}
==External links==
* {{Official website|http://zerocoin.org}}
{{Portal bar|Economics|Internet}}
{{Bitcoin}}
{{Cryptocurrencies}}
[[Category:Cryptocurrency in the United States]]
[[Category:Application layer protocols]]