Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science

Document 17864649

advertisement 
>> Patrick Longa Pierola: Good afternoon everyone. Thanks for coming to this invited talk. It is my
pleasure to introduce Matthew Green. He is a professor at Johns Hopkins University. His main research
interests are on applied cryptography especially focusing on private to preserving cryptographic
protocols. Well, today he will be talking about Zerocoin. So please let’s welcome Matthew Green.
>> Matthew Green: Okay, thank you. So this is a talk on electronic cash. I subtitled it this sort of odd
subtitle. I think hopefully it will become clear what this is all about as I get a little deeper into the talk.
But this is some joint work with my grad students Ian Miers, and Christina Garman, as well as Avi Rubin
at Johns Hopkins. We’re going to be presenting this at Oakland in the next month, so, anyway.
There’s this really dorky intro to this talk I might skip by quickly. But I gave it to some bankers on
Monday and I wanted to have some kind of fake Econ or finance background to this, so I’m going to give
my little spiel. In the beginning of this kind of exercise you know as I was making these slides and went
and I typed into Google and then later Bing because I was going to be here, you know some basic
questions about what are, what is money? This is what Bing tells me money is. Money is basically bank
notes, dollar bills, gold. It’s sort of not a very useful definition except for the fact that it tells me that
money is referred to as dosh in greenbacks which I thought was kind of cool, but not a particularly useful
thing.
So I wanted to get a slightly better definition so I was getting ready to go to the library and find an Econ
textbook maybe and get some primary source. But then I realized the library like 15 minutes away and it
was kind of hot. So I went to Wikipedia and I got the basic definition which tells us that money is a
medium of exchange, a unit of account, and a store of value, which to me thinking about this as an
engineer tells me that it has to meet some of these basic properties. It has to be, you know there has to
be some limited quantity of money, meaning you just can’t make it arbitrarily. It has to be widely
accepted by a group of people for some reason. Then more importantly this medium of exchange idea
means it has to be easy for people to transfer from one person to another.
Okay, so this is what money looks like to most people. This is what money looks like in science fiction
where you have things like the Hitchhikers Guide to the Galaxy. I thought it was a great example of a
medium of exchange that was not easy to exchange. This is called the Ningy it’s a coin that is sixty-eight
hundred miles across and made out of rubber. So there’s all kinds of different examples of money in the
world and in the literature.
So the problem were going to address here is a little bit more concrete. We’re going to look at the
problem of building electronic money. Again, a lot of these things are probably things that you’ve all
thought about in the past. But when you think about how do you build electronic money you kind of
arriving at two possible directions. One is very difficult if you go down that direction and the other is
actually very easy. The very difficult one is to sort of take the idea that money as we think of it today is
essentially information. It’s ink written on a piece of paper with a serial number for example. The
analogy there in the computer and network world is it’s a file. So we’ll just translate this into a file and
then we’ll use computer networks to exchange it.
Of course you’ve all probably thought about this for at least a few minutes and you know that this is a
terrible idea. That all kinds of bad things will happen to you when you start trying to exchange money
like this, not least of which is that the difference between me handing you a twenty dollar bill and me
sending you a electronic twenty dollar bill is at the end of the first transaction I no longer have the
twenty dollar bill which clearly is not going to be the case with electronic money. So this turned out to
be possible but very difficult.
Much more obvious approach is just stop trying to treat things as traditional money and just do what all
modern banks do, which is create a centralized ledger that just says Alice has fifty dollars, Bob has sixty
dollars, Charlie has ten dollars. Whenever somebody wants to transfer money from one to the other
just subtract something from one account and add something to the other account. This approach
when you think about it is essentially when you move it to a digital model is the basis for all of the
money that we really use today with a few exceptions. All the way down from the Federal Reserve, to
credit cards, even to these you know little cash out tickets that you get when you go to a slot machine in
a casino. Somebody is maintaining a database somewhere that has amounts. It’s highly, highly
centralized.
So the problems with this approach are obvious. I mean they’re problems to me at least. The biggest
one is that you need to trust somebody to be your bank and that person is going to have to be
centralized. You’re going to have to have one of those people or maybe a small number of people who
work together to be your bank. There are so many different things that can happen, obviously if they’re
someone at the level of like the Federal Reserve or a currency issuer they can just go bust. So not only
are they creating the money but then they stop backing the money and it goes away. Maybe at a lower
level we’re much more use to the things like this, for example banks going out of business we don’t
panic about that very much in modern economies because we have legal and regulatory backstops to
this but it does happen and it happens actually surprisingly often. So this is kind of an issue.
Before I get to privacy, the other thing that I would mention here is that yes we’re use to things failing.
But when you think about the problem with requiring a central bank the real issue is not that it will fail
it’s that nobody will bother to set one up in the first place, because you won’t be able to find somebody
who’s going to take on that role. So for every bank that’s failed there have been a hundred people who
probably could’ve used a bank but just weren’t able to get it together to find a person to fill that role in
the first place.
The other problem that you get in these centralized account-based currency systems is a privacy issue.
Which is that of course your credit card number, credit card company sees every transaction you make,
everything you buy, everybody you interact with. All of that information gets kept. It’s available to law
enforcement, it’s available to marketing people, and who knows what goes on, you know who knows
how secure these systems are. So they could leak out later.
I was talking to Arvins Norian I think is how you pronounce his name. He suggested that there was kind
of this Zooko’s triangle of what an ideal currency should be. He was saying that well it’s kind of a
triangle and at the three points of the triangle you have the notion that a perfect electronic currency
would be completely decentralized. You wouldn’t have to have a bank. On the other point you would
have that it’s secure which encompasses all the things you need for money like you can’t counterfeit it
and you can use it properly. On the third point you would have privacy that you can use it anonymously
and you wouldn’t have to worry about people tracking your transactions. Then he said to me you know
isn’t there some folklore result that this is impossible. So I went and I looked on the internet and I
couldn’t find that folklore result but I’m just going to go ahead and put this up here anyway because I
think it’s a useful way of thinking about things.
Can we build an ideal currency that meets all three of these goals simultaneously? Which brings us to a
currency that’s gotten very popular over the past few years, and that’s Bitcoin, how many of you guys
know how Bitcoin works? Okay, so how many of you guys like could sit down right here and explain to
me how the Bitcoin block chain works?
>>: Need a bigger whiteboard.
>> Matthew Green: Okay, ha, ha.
>>: Yeah.
>> Matthew Green: So Bitcoin, before I go on this sign I found this on the front door of the University of
Maryland Computer Science Department. This is how you know you’re entering a Computer Science
Department and not say like a Political Science Department. So this was there but this was during the,
when it was two hundred and fifty dollars for a single Bitcoin phase a few weeks ago. So Bitcoin is an
electronic decentralized currency. It was proposed back in, I think, two thousand eight by a guy, or a
group of guys for all we know, or a group of girls named Satoshi Nakamoto. Nobody knows who this
Nakamoto person is because they only interacted electronically and sort of anonymously with
everybody else.
It was proposed as a paper but it was also given as a real practical implementation with software. You
can see their citations in the paper and it really is clearly an extension of some previous systems that
existed, one is b-money and the other is something called bit gold that had a lot of the features that
Bitcoin has today. But not all of them there in one package and Bitcoin kind of polished that up and got
everything together and made it all work.
So the basic notion behind Bitcoin is that it’s a way for a bunch of people to get together and without
having a single trusted party allow for the creation of currency, the exchange and transfer of currency,
and to do this all in a completely peer-to-peer setting where it all works, as long as most of the peers or
a good chunk of the peers are behaving honestly, or some definition of honestly.
The really amazing thing about Bitcoin which takes it away from just being, you know kind of a, some
goofball on the internet proposed this idea, is that people actually value this Bitcoin stuff for real
money. I don’t know why. But when I wrote this, which is a few days ago the total market
capitalization, meaning the value at least at the current price of Bitcoin of the entire economy was one
point three eight billion dollars. Now admittedly that’s down from two point two five billion dollars
which is what it was two weeks before. But it seems to have value and you can actually buy things with
Bitcoin which is pretty surprising.
So I’m going to give the world’s quickest explanation without computers of kind of how you might build
something like Bitcoin. I’m going to do through this quickly. So, yeah, I was trying to find alternative clip
art so this is our Alice. Okay, so I want you to start just from the assumption that we have some mass,
master bank. We’re going to get rid of this bank in the end but just imagine that we have some bank
that is issuing a cashier’s check and the cashier’s check belongs to Alice. Everybody trusts this bank and
so we can know that Alice really has this money just by looking at this check.
Okay, so Alice has a problem which is that Alice wants to give some money to Bob. Alice could obviously
go and cash the check or deposit it and write another check. But that would require a lot of time and
difficulty. So really what Alice wants to do is just take this check as is and transfer the money directly
over to Bob. Well, an easy way to do that for Alice is just to flip the check over and on the back do this
thing that we’ve all done at least at one point in our lives just sign the check over. Say pay this check to
the order of Bob and then put a signature on, right below that which authenticates it. Now anybody
who gets this check from Bob can look at the front, say I trust this, flip it over. Say okay this is a valid
signature therefore Bob really owns this check now. So we can move forward with this to another
person. So Bob can now pay Charlie just by appending a little bit more information and then signing it.
So now we have a mechanism by which we can transfer these kinds of files or digital tokens from one
person to another. So the question is how do we make this electronic and how do we make it secure?
Well the first thing you obviously will observe is that we shouldn’t use handwritten signatures. What
we’ll do is we will actually replace Alice’s name with Alice’s public key. We will simply use digital
signatures to authenticate these transfers. So now the check is a file, the file says Alice has this thing, if
we trust the original file then we can simply chain on ownership transfers by using digital signatures in a
pretty obvious way.
The problem is that this gets us back to this double spending problem that we originally had. Which is of
course now Alice can take that check, make two copies of it, send one to Bob, send one to Charlie, they
both think that they’ve got the same amount of money except that Alice has now doubled his or her
amount of money. If Alice really takes this to an extreme she can do this, or he can do this a thousand
times and then you end up with a currency that doesn’t work. So how do we solve this? Well the simple
answer is we go back to our centralized database idea. We have a central database that simply keeps
track of all the spending that’s occurred on the network. So every time Alice transfers to Bob that item
gets registered in the database. Bob can check that this has never been transferred before therefore
there’s no double spending and so on. We know how to do this with databases, it’s easy but the
problem is we don’t want to do it this way because we’ll lose all of our decentralized capability if we go
this way.
The way that Bitcoin addresses this is to use a kind of a distributed consensus approach. So instead of
having a central database that keeps this information we divide this database up and have many, many
different parties at a peer-to-peer network replicate the same information. So that’s at least a start.
That means that we don’t have a central database that’s trusted to store it. But now we have other
problems. How do we make sure that everybody has the same view of this database? How do we
update this database in a way that makes sense? So one thing that we can do at least to try to tie the
database together, one of the things I should mention is the database just for convenience is going to be
broken up into blocks each of which consist of a number of transactions. Now the blocks are ordered,
the transactions inside of the blocks don’t have to be. So basically what Bob can do if there’s a transfer
is he can say, okay I want to put a transfer in this block, has, you know that same money been spent in a
previous block, and that’s what allows him to detect double spending.
So the question is how do we tie these different blocks together? Well, that’s easily done too. We can
use hash chaining. We can simply put at the bottom of each block a hash of that block and all previous
blocks, which means that if I trust block N then I will know that all previous blocks are somehow
consistent with that block and everybody else, if we all agree on block N then we all agree on the
previous blocks.
Okay so a harder problem is how do we trust this distributed network to group up and add transactions
to this ledger, to this block chain? Well the way we do it is first we set up a distributed broadcast
network essentially. Where any party who wants to can broadcast out that they’re doing a transaction
that they want to put a transaction on to the block chain. Now we can simply appoint a central party to
be the one who gets to add things onto the chain and we all trust that person. But that means that
party is again another place where the system can break down because they could selectively add
transactions or do all kinds of things to hurt the network.
So instead what we want to do is distribute the ability to add blocks to the chain. The way we do that is
we have all of the different nodes compete with each other in a kind of a lottery where only one node is
going to win that lottery for each given time period. That node is the one that then gets to output a
block which will of course be chained onto the end of this. Everybody who sees that node will then trust
that to be the most recent node in the block chain and then the process repeats. So the particular
lottery that we’re going to use is called a proof of work. The proof of work that’s used in Bitcoin is a
very simple one. What we do is we hash the block which includes, you know another hash of all
previous blocks. We essentially construct a block such that the hash of that block ends with a certain
number of zero bits. Now the number of bits is adjustable, it could be one, it could be thirty, it could be
anything. That’s a dial that gets adjusted over time. But what this means is that at any given time
period you have a bunch of different nodes all in its network putting together what they think should be
the new block that’s added to the system. Then they compete to be the first one to find a proof of work
to find a block that satisfies this particular condition, which is it hashes to this structured value. The
minute that somebody finds that value that particular block they output it to the whole network.
Everybody can immediately check that that’s a consistent block, they make sure the transactions are
okay, the hash chain checks out, and if all of those conditions are met they drop whatever they were
working on and they adopt that to be their new block. So then they try to chain on the next block on
top of that and this happens every few minutes in Bitcoin.
The idea behind this is if we assume that everybody in the network has roughly the same computational
power that should, because of this process there’s essentially a notch that can be incremented inside of
these blocks. That’s what allows you to try many different values. We can assume that the person who
wins this will hop around the network. Now obviously not everybody in the network has the same
computational power. Some people will be able to hash more, compute more hashes in the given time
period so there’s going to be a bit of a race to see who can deploy more computational power. But if we
assume that hopefully a majority of the, at least the computational cycles in the network are controlled
by honest parties, a lot of big assumptions in here.
We can hope that most of the time honest nodes will be winning this competition which means that the
damage that a bad node can do is pretty limited. Because anything bad that they do will either be
detected by the honest nodes and rejected or you know if they’re just blocking transactions well, my
transaction might get blocked by this bad node but the next honest node who gets it will not be trying to
keep me out of the block chain.
So this is a very quick description of kind of how Bitcoin works, doesn’t cover all the possibilities that can
come up, and I recommend you read the paper or the papers that are on this if you want to know more.
But does this kind of make sense for the moment? Yes?
>>: Can you say a little bit about how race commissions are handled?
>> Matthew Green: Oh gosh, Oh gosh, not well.
>>: [inaudible] almost exactly the same then…
>> Matthew Green: So what will happen is that, gosh, in that case you can actually have situations with
a view of the network splits. You have one group of nodes who believes this is the most current block.
This is a very unlikely case. It could happen. This is the most current block and this other block is the
most current block. So then the network is now split. What’s going to happen now is a competition is
going to begin were each half of the network starts to try and chain a new block onto the rest. There is
a merge protocol where ultimately, hopefully the network will, doesn’t always work very well but
ultimately one of those chains will get longer. The idea is that the nodes are supposed to look at all the
chains that are out there. When they see a fork like that they will ultimately resolve on the chain that is
longest and drop the one that is shortest. I can’t tell you if it actually works but this is the…
>>: That’s what happened…
>>: About a month or two ago, right?
>> Matthew Green: Yes.
>>: Maybe a few months ago a split happened…
>> Matthew Green: Yeah…
>>: And they did resolve it, so.
>> Matthew Green: Well, yeah…
>>: I’m not saying it was awesome but I mean it was figured out.
>> Matthew Green: So there are two kinds of splits. There are the kind that happen because
everybody’s participating properly and then it’s just bad luck, right, and that just happens. The other
kind of split is where there’s a bug in one half of the software and they disagree on what makes a valid
block. That’s what happened is there was a version zero point seven and a version zero point eight of
the client and they disagreed about how many transactions could be in a block which caused a bunch of
the nodes to say well this block is totally invalid it has too many transactions because it was being made
by newer software. Then the network diverged and what actually happened was the Bitcoin people got
up and they jumped up and down and they said everybody stop using that software. Then ultimately
one of the things got, so it was not a great case. But this is a case where the protocol didn’t work
because there was actually bug, a bug in the client.
>>: [inaudible] third class [indiscernible] where an adversary finds a coin and sits on it until the first sign
of somebody broadcasting new coin and then broadcasts to [indiscernible] create a collision, a race
collision.
>> Matthew Green: Yeah, so there are definitely things that can happen like that. However, you have to
be careful about that because if you miss that timing…
>>: Yeah, but [inaudible]…
>> Matthew Green: First of all it’s hard to do it, if you miss that timing then you’re hosed and you may
not be able to get the correct block in the next time…
>>: If my goal is to upset Bitcoin…
>> Matthew Green: Yes.
>>: Rather than to just get a coin.
>> Matthew Green: Yeah, there are many ways you could probably upset Bitcoin. I’m definitely not
going to say that this is a perfect system. But the amazing thing is despite all that it’s managed to work
in a very adversarial setting for several years now, so. Yeah?
>>: What’s used as the broadcast channel?
>> Matthew Green: It’s a peer-to-peer kind of fill flood network essentially where you put stuff on there
and it gets sent out to all the other nodes. I’m not too familiar with the details of that channel. But it
goes out and then everybody gets to see it and then they decide these nodes that make the blocks
themselves are called miners. There’s a reason they’re called miners aside from doing the actual work
of solving these proofs of work there’s a reason that they do this work. I’m, I assume most of you know
when you actually solve a block you get rewards. One of the rewards is that you are entitled to mint
yourself a brand new twenty-five Bitcoins. So what happens is in addition to doing the transactions you
gathered up off the network you get to make one more transaction that says I assign myself twenty-five
Bitcoins. Then of course later on you can spend that Bitcoin. So that’s how currency is created. The
currency starts essentially at zero and then overtime you make more and more of it and you fill up the
system.
Now this reward has gone down. It started at fifty, it’s now at twenty-five, it’s going to go down to
twelve and half in a few years, and ultimately according to the protocol as written today it will go down
to zero. At that point a second mechanism of incentive is supposed to take over. Which is that nodes
can also when you send out a transaction you can include what’s essentially a tip, like a transaction fee.
You can say the node that puts us into a block will get thirty-five cents or thirty-five; you know
hundredths of a Bitcoin or something like that. Then nodes can basically look and miners can say well
you know maybe that transactions not giving me enough of a tip I’m not going to bother to put it in my
block. So you end up with this kind of market solution where I put out nodes that have low transaction
fees, nobody includes them, I put them out with higher transaction fees they get included very quickly,
and we’ll see if that works. It’s very hard there are a million game theory papers to be written on how
Bitcoin works because who knows what the incentives are right now. They’re probably all misaligned
but it works. Yes?
>>: So it’s [indiscernible] centralized [indiscernible] that he used the software or [indiscernible].
>> Matthew Green: Well, yeah, I mean there is this Bitcoin Foundation which does make some of the
clients and then they make decisions about the protocol. But there are lots of different
implementations so it’s not really completely centralized. The first version was but after that people
have made Python implementations, Java implementations. So it’s not completely centralized and you
have the ability to dump it. That leads to the software compatibility issues so that’s kind of risky. But
that part I’m not too worried about, maybe.
Okay, so let’s look at the Bitcoin, the triangle that we had before and see where Bitcoin falls into it.
Okay, so first of all it’s decentralized for some reasonable definition of decentralized, it definitely meets
that criteria. It’s secure with the exception of certain things that we might hope are not going to happen
to the block chain. It’s reasonably secure and it seems to work but is it private? Do we have any kind of
privacy guarantees in this network? Well, not really and the reason that Bitcoin is not private and kind
of very famously not private is that the block chain is, you know both its best feature and its Achilles
heel in terms of privacy. It has every single one of these transactions that has to be replicated and
available to the public. I have to be able to startup a Bitcoin client and be able to download this all from
another node, which means that the history of every single thing that’s ever happened in Bitcoin is
entombed inside of this block chain.
Now there’s some mitigating factors, one of which is that we don’t use names, it’s not Alice and Bob it’s
public key A and public key B, and moreover there’s no need to actually register these public keys with
the network you just generate them and start using them. So I could make a thousand of them, I could
make ten thousand of them. So what this really is is a pseudonym system not an anonymous system.
So is that good or bad? Can we break the privacy in these things? The answer is yeah probably because
we know how to extract information from graphs like this. There’s some really stupid things that
happen now that are just trivially bad.
So let me give you an example. I went on Twitter and I said because I’m giving this talk I want
somebody, please give me a few cents, give me a few satoshi worth, a satoshi is a Bitcoin divided by
eight decimal places or something. Just send me a few so that I can show what it looked like to get a
Bitcoin. So someone actually sent me sixty dollars which is awesome. But then this person sent me
twelve cents which was cool to. Let me show you…
[laughter]
>> Matthew Green: Let me show you what’s happening here. So Bitcoin addresses are actually the hash
of a public key so that’s what these numbers are here. I know it’s a little hard to see back there. But
this is the sender address, ends in MvM. Here we have the amount so this is a previous transaction that
was worth two dollars and forty-three cents, this has been converted into dollars. So the previous
transaction was worth two dollars and forty-three cents. This person wants to send me and I’m the guy
who ends with CkW, twelve cents of that. So that means that there’s two dollars and twenty-five cents
left over, where is that money going to go? Well the person could send it to somebody else who
happens; you know they happen to owe someone else two dollars and twenty-five cents. But most
likely they’re going to send it back to themselves.
Well the way most Bitcoin clients work today is to create privacy they automatically generate new public
keys all the time, so you may have dozens of public keys and the idea is this is good for you, you have
lots of these sorts of identities. The problem with a lot of Bitcoin clients is they don’t realize that when
you do a transaction like this where you’re sending somebody some money and you have change left
over you probably shouldn’t send the change to one of the other public keys that is supposed to be the
key that’s, you know your other pseudonym that’s protecting your identity. Because this binds those
keys together and shows me these two identities are the same person. So here I can poke and say this is
me. This person who has a totally different ID is almost certainly the person who sent me that money.
From here forevermore I know that these two identities are the same. So if the first one sends some
money to his grandmother and the other does a drug deal then I know that, you know they’re the same
people. So that‘s kind of worrisome.
Maybe we can fix that but it turns out that even if you kind of fix a paper over some of these bugs a lot
of people are now looking at this problem and saying how do we get information out of Bitcoin? There
was at least two papers in Financial Crypto two thousand thirteen and these are kind of the beginning
works, I think. There are going to be more, some people have done other work like tracing batches of
stolen Bitcoins throughout the network and done very well at figuring out what happened to them after
they were stolen.
This one is the reason that I gave a subtitle in my talk. So a few days ago somebody on the internet, this
guy Sergio Lerner went through the historical block chain data. He was not looking at transactions that
people were making, he was looking at miners and how well they were doing and making money early
on in the, in the evolution of Bitcoin. So Bitcoin really started out around January of two thousand nine.
This data goes through January of two thousand ten. Each of these dots on the screen represents one
miner making fifty Bitcoins, succeeding in getting a block in getting fifty Bitcoins. Now you notice that
some of them are red and some of them are black.
Anyone know what the black ones are? Okay, so the black ones are, well let’s see, they’re a single
mining rig and we know this because they actually each of the Bitcoin blocks includes a nonce. That
nonce field increments and so we can see that these are linked, they’re increasing at the same rate. We
can see that these are the same person succeeding and, you know mining block, each time fifty Bitcoins.
Did I mention that Bitcoins are currently worth over a hundred bucks? So this person is making fifty
Bitcoins each time they do this and they’re making a lot of them.
Much more interesting is that the, this black chain here starts at the very first Bitcoin block. So this
person is Satoshi Nakamoto. This person is the guy who authored or guys who authored Bitcoin. You
can see what they’re doing is they’re mining some Bitcoin, rebooting their computer, mining some
Bitcoin, rebooting their computer, and so on. Now how many, in dollars how many Bitcoin are
represented on this graph right now? Any guess at how rich this guy is now, at least if you believe the
current price of Bitcoin?
>>: [indiscernible] millions.
>> Matthew Green: A hundred million dollars just in this graph so far. So he’s a very rich guy but here’s
the crazy thing, none of this Bitcoin has ever been spent. This guy disappeared in two thousand eleven
or so, has never been heard from since, and if this is him he’s either dead or maybe he lost his wallet
which means he can’t spend it, or else he’s waiting out there with his hundreds of millions of dollars and
just going to see what happens. But let’s say you’re this guy and you want to spend your money, how
do you do it? The minute you go and you start to cash in some of these Bitcoins everybody’s going to
know who you are and they’re going to be at your door asking for money, or whatever it is that people
do when you have a hundred million dollars in a crazy crypto currency. So he has no really good way of
getting this money out at least without revealing himself. So that’s, you know, we need anonymity for a
whole bunch of reasons, this being a particularly extreme one.
Okay, sorry this is not too helpful. Okay, alright, so I’ve covered a lot of, sorry was there? So, I’ve
covered a lot of stuff and I haven’t actually gotten to the technical content of this talk. But let’s just give
a couple of more things you need to know before we go forward. So what privacy solutions are in
existence today for Bitcoin? Well, one solution is be careful which means get better clients that don’t,
you know link your keys together. This is the current way that the Bitcoin Foundation people are going
is just trying to avoid these trivial mistakes. But that’s not going to be enough. It’s not going to be
enough because the current attacks that we know on privacy are all passive attacks. You think about
active attacks where somebody puts marked Bitcoins into the network it’s going to be much worse.
Another solution is to use something called a laundry service. A laundry service is exactly what you guys
think it is, it’s a mix where you get a bunch of people together, they put their coins together, the laundry
service randomizes them, and then hands out the coins, and we all hope that the trail goes dead
because you can’t deanonymize the eight people who got together and did this. But in reality it’s
probably not going to work very well, at least with the trusted mixes that exist today because you don’t
know if they’re doing it right, they’re, you have to trust them. You don’t know if you’re going to get your
money back and the volume is pretty low, so not great solutions.
The other solution which is the classic solution is we all implement, you know e-Cash. Let’s, we have this
great e-Cash system. Let’s get David Chaum out here. Let’s get him to start up, you know DigiCash
again and what he’ll do is he’ll set up a server and it will issue blind signatures and, you know I know
that people here know a lot about this, and Microsoft might be in a great position to do this. Fine, so
you do all this but again this is not consistent with the Bitcoin network model because again all of these
systems are based on blind signatures, and blind signatures implies a signer, and a signer implies
something central. You might use threshold cryptography to distribute that a little bit but let’s, you
know it’s not going to work. So that’s not such a great solution either.
So again the triangle doesn’t work so well for the decentralization. So I have until about two twenty or
so and then plus questions or?
>> Patrick Longa Pierola: [inaudible] forty-five minutes.
>> Matthew Green: Okay, alright I’m shooting for forty-five minutes so if I end early that’s what it will
be. Okay so this is a new approach. So we spent a little bit of time thinking how do you add
cryptographic e-Cash, real cryptographic e-Cash to Bitcoin without adding trusted parties, or doing crazy
things? How do you just do it with the existing system? Well we came up with this thing called
Zerocoin. Zerocoin uses some actually pretty standard techniques in crypto. It’s based on a technique,
now I say it’s based on a technique that was originally introduced by Sander and Ta-shma. We did not
know this until a week before we submitted the paper. So we had never heard of this technique. We
came up with an approach and it seemed great and then we found out that there was some similarities
in an older paper by Sander and Ta-shma. But they had two problems, one of which is that they didn’t
have Bitcoin. The other one is that they actually had a very inefficient construction that would not have
been realizable.
So what we have is this new protocol which is actually implemented into Bitcoin really at the protocol
level, does not require a trusted party just changes to all the Bitcoin clients that are out there. It uses,
what it does basically is it doesn’t create a fully, full e-Cash system, instead it creates what we call a
decentralized laundry. The idea is I can take real Bitcoins, I can transfer them into the Zerocoin thing
and I can pull back Bitcoins with exactly the same property you’d expect from a laundry, except that we
don’t have to have a laundry doing that work.
The only thing that our protocol requires beyond the crypto, I’ll get to explain what that means. But the
only thing that we need as an assumption is we need the existence of a trusted, trustworthy, append
only transaction log. Wonderfully it turns out that Bitcoin gives us a transaction log essentially for free.
We can just leverage the Bitcoin block chain.
So here’s the intuition behind how Zerocoin works all using very standard components. So first of all
Zerocoins themselves are obviously just information, they’re numbers. The first thing we do to make a
Zerocoin is we pick a random serial number which is just a large number. Then we use a commitment
scheme with some parameters and I’ll come back to where those come from in a second. But we use
just a standard commitment scheme to commit to that serial number. So now we have this
commitment, there’s nothing computationally hard in making this so they’re not really worth anything
at this point. You don’t want to go spending them because anyone can make them in a fraction of a
second.
What makes these things have value is the fact that you have to put them on the block chain. You’re not
going to just be allowed to put them on the block chain for any reason at all. In order to be allowed to
put one Zerocoin on to the block chain you have to spend a Bitcoin. The denomination here is
essentially fixed; all Zerocoins are worth one Bitcoin. Could be a hundred Bitcoins just, we pick one
Bitcoin for this example. So you introduce a transaction that says it’s just like a traditional Bitcoin
transaction, it says I have some previous Bitcoins from this source and I’m going to instead of giving an
output, instead of saying it goes to this person I’m just going to attach a blob of data, pretty small blob
of data, and that goes onto the block chain.
Now I have a Zerocoin. No the information that I keep private here is two things; one is obviously the
serial number itself. It’s just a commitment that I put up and of course I also keep the randomness that I
used in making that commitment. That becomes my trap door essentially when I want to go spend that
Zerocoin again. Now how do I get these back? Well the first thing that I’m going to do is at some later
point, maybe a hundred blocks later I’m going to redeem this using a different transaction. What I’m
going to do first is I’m going to form this transaction by just including the serial number that I generated
in the, when I made the Bitcoin, so that’s simple enough.
Then I’m going to give a proof. The proof is going to tell me two things; it’s going to tell anybody who
verifies the non-interactive proof, it’s going to tell people first of all this serial number, actually, sorry.
Let’s try again, so it’s going to tell first of all I know a Zerocoin that is on the block chain. Everybody has
a consistent view of the block chain so I know one of these things, that’s easy. Then it’s going to say I
also know the randomness that causes that Zerocoin commitment to open to the serial number I just
gave you, it’s very simple.
When I give you that proof I also say, and by the way I would like you to now deliver me one Bitcoin to
an address, another Bitcoin wallet, another Bitcoin identity of my choice. Hopefully it’s a new Bitcoin
identity and not linked in any way to the previous one. So it’s a laundry, I’ve just gotten one Bitcoin
back. Now the question is where do the Bitcoins come from and where do they go? The answer to that
is actually really simple. What happens is that whenever I redeem a Zerocoin remember every time I
put one of these things in the Bitcoin that I used to create it just sits there on the block chain, it’s not
going anywhere. So I take one Bitcoin, I introduce a transaction that says this Bitcoin that I have; that I
control is now going essentially into a kind of an escrow pool. What that means is now nobody, there’s
no semantic, there’s nothing you can introduce that allows somebody else to spend it. It is now sort of
locked up in the block chain. Unless they introduce another message that allows them to take back one
of those Bitcoins that was locked up in the block chain. Of course that is the Zerocoin spend transaction
with that proof.
When they give that proof they’re allowed to go through the entire block chain, find some other
Zerocoin that was created and identify, it could be created by some other party, and they say okay I
want those Bitcoins back, and they can just pick one at random. Does all this make sense? I’m not sure
if my hand waving is helping or hurting. Okay, good, yes?
>>: What’s the complexity of randomness? I guess what I’m asking is how, what would stop someone
from brute forcing that unique randomness?
>> Matthew Green: Okay, it’s a very, it’s a long number.
>>: Oh.
>> Matthew Green: It’s an element in; you know it’s the exponent in a [indiscernible] group. It’s a big
number.
>>: Okay.
>> Matthew Green: And it’s adjustable obviously. You can make the security level higher or lower
depending on how you configure the parameters. Okay, so you have this thing and so you’re able to
take back these things. Now obviously the next step is just to take that proof, that non-interactive proof
and make it a non-interactive zero knowledge proof. Which means all we’re proving is these two
statements and there’s no actual way for me to link the specific spend transactions to the mint
transaction that created it. So now we kind of get this, you know we’re creating the equivalent of kind
of an ideal laundry. Which gives us the same guarantees, not perfect anonymity guarantees obviously,
but, yes?
>>: Doesn’t something, the proof have to have a freshness to where also that the random number is not
one of the ones in previous proof?
>> Matthew Green: So that actually is not part of the proof. Once we’ve said, you know this is the serial
number and this is a valid serial number then the semantics of the transaction do actually, I’m sorry I
should have mentioned that you would of course in verifying this check that that serial number has not
appeared in a previous spent transaction. So what we’re doing here is proving that the serial number is
a legitimate Zerocoin serial number. That’s with the zero knowledge proof proves. Then it’s just a
question of making sure that serial number has only been seen once and it’s not a double spend. So,
yes, I think you’re saying the same thing. But it’s not part of the zero knowledge proof of course.
>>: [inaudible] if it’s not zero knowledge isn’t it linkable then?
>> Matthew Green: The serial number is not because the serial number is never revealed. We have this
commitment to a serial number. We never reveal the randomness, we prove knowledge of the
randomness, and so now as long as everything works the commitment is binding and the zero
knowledge proof works. Then we know that you can’t double spend, obviously, you know with all but
negligible probability. Then you adjust how strong you want that to be.
Okay, so that’s the basic protocol. Yes?
>>: So what you’re proving is actually the, this commitment that you know of being one of, all of the
[indiscernible]?
>> Matthew Green: Yes, yes, that’s essentially it so. I’ll get to the details of that which will involve
accumulators. But that’s right, so we assume that when I do this proof I have a view of all previous
transactions including all Zerocoins thus far made. I’m proving that I know one of them and I know the
opening to that particular one. So, yeah again, you can then ask, well what is the anonymity that gives
me? That answer is more complicated because of course if you’re the only person putting a Zerocoin in
the block chain it gives you no anonymity. If there are attack scenarios where somebody malicious puts
a lot of them on but is trying to deanonymize you, but you can’t really do much better than that. These
are kind of just basic limitations of an anonymous kind of laundry system.
Okay, so zero knowledge proof. I don’t even know why I have a citation to Goldwasser; Micali for zero
knowledge, but whatever, so we do. Okay, so, I’m just think, okay so this is kind of the stuff that I just
said. So the trick is how do we do this proof efficiently? What primitives do we use, how do we actually
tackle this together? Obviously we can do this. It goes without saying that, you know we can prove
anything, but anything in MP. But how do we do this efficiently?
So what you might think of is you might think of using some kind of standard Schnorr type proof which
allows you to do ore proofs. You could do something like this. You could say go through the entire
block chain; identify all of the Zerocoins that have appeared they’re just commitments up until this
point. Then you say, okay we’ll prove knowledge that we have a C such that C is equal to C one, or C is
equal to C two. I can’t tell you how many papers I reviewed that had proofs like this in there. They’re
like it’s an efficient proof but it’s not an efficient proof. It’s linear in N which is maybe a million
Zerocoins that have been minted in the past. You’re not going to fit this proof into the block chain.
So another approach is that what you can do is something it’s, you know a pretty old technique we use,
it’s a very old technique, we use an accumulator. What we do is we go through, before we do this proof
we use a one way accumulator to just gather up all those coins, instead of doing this ore proof we stick
all of those coins, these commitments into the accumulator and now we have the single accumulator of
value, this accumulated thing, this root. Then what we do is we generate a witness for our specific, for
membership of our specific Zerocoin and it turns out that it’s much easier to do this.
Now I wasn’t sure what audience I was going to be speaking to so I’m assuming that most of you guys
know quite a lot about accumulators. But the example that was actually given in older work was the,
you know Merkle Hash Tree where you just basically, you know put the coins down at the leaves, you
hash them up into an accumulator and then you have this nice kind of log N proof of membership.
That’s great in the sense that, well it’s great for a bunch of reasons, except that it’s really terrible if you
have to do a zero knowledge proof. Because as we know with possibly some exceptions it’s very hard to
do this kind of hash tree proof efficiently. I suppose you could use something like a Peterson Hash or
something like that. Maybe that would be possible but I don’t know how to do it very efficiently.
Fortunately, we have some very efficient accumulators. So let’s just, before I get there actually let me
mention one thing. We need an accumulator and there are lots of accumulators out there. We need
one that has a particular property, which is that when I do the accumulation anybody else should be
able to verify that I’ve done that accumulation properly. There are some accumulators where you can
only do the accumulation if you know a trap door for the accumulator. That’s not going to work very
well because who’s going to hold that trap door?
So we need something that’s kind of publically computable or at very least publically verifiable. There
are a few of these Merkle trees would count but they don’t have the sufficient zero knowledge proof.
So what do we use? Well, we have the, you know, we have this Strong RSA Accumulator. There’s some
bilinear ones too but they actually are not, for other technical reasons particularly good for this
application.
So what we use in our construction is we use the Strong RSA Accumulator which was by Benaloh and de
Mare, which basically is a very simple accumulator. You pick, it does require a trusted setup. You need
this modulus, this N equals P times Q. But you never need the P and the Q again, you can throw them
away. So we can have some trusted party come and generate these things and then we can shoot them,
and then we have just N.
Okay, so now what we do to accumulate, well we just also pick this value U and accumulation is simply
just repeated exponentiation. Computing a witness is basically just doing the same thing but omitting
the value that we want to prove membership of from the list of things that we’re exponentiating, and
then verification is just, you know verifying that this thing raised to the value that we want to prove
membership of is equal to the accumulator value.
It’s a great thing. It’s great for a whole bunch of reasons. One of the reasons it’s great is that Camenisch
and Lysyanskaya in two thousand one made some small changes to the Benaloh and de Mare
accumulator and they were able to show a very efficient zero knowledge proof, which is what we use in
our protocol. The only modification that you have to make here is that you have to make each of these
C values be a prime, not a big deal, okay.
Alright, so here is Zerocoin minting and use in a nutshell. It’s pretty straightforward. What we do is we
first generate a random serial number S which is, you know sum value in ZQ or Q is the order of the
group. We do a standard Peterson commitment with sum randomness R. The only thing that we do is
once we’ve done this Peterson commitment we check to see if the result is prime, if it’s not a prime we
throw it away, we pick a new serial, new randomness, and we start over again. So ultimately this make
take a few iterations but ultimately we wind up with a commitment C that is a prime or at least with
high probability is a prime. We keep S, we keep the commitment, randomness R, and that’s our trap
door for spending this thing.
Ultimately when we want to spend this we go through and we collect all of those C values from
everybody on the block chain, including ours, and we accumulate them all, and we compute a witness,
and then we execute the standard, we reveal S, we prove knowledge of the witness using the Camenisch
and Lysyanskaya proof. Then we also do a separate proof that shows that we know the commitment
randomness. Unfortunately and this is kind of the part that stinks about this, to do this we need to do a
double discrete logarithm proof. That makes it much more expensive than other Schnorr type proofs
would normally be if we didn’t have that double discrete log. So the cost of our proof for reasonable
parameters is about forty kilobytes, which stinks. It could be better, so there are actually some
techniques to shrink that down. But this is probably the big weakness of this system.
Yes?
>>: [inaudible] accumulate all your other clients.
>>: Yeah.
>> Matthew Green: You would think it would be wouldn’t you?
>>: Yeah.
>> Matthew Green: But it’s not.
>>: Okay.
>> Matthew Green: And the reason is that, first of all it’s actually not that expensive period. But it turns
out that this accumulator is incrementally computable. So if I compute the accumulator on let’s say the
set of coins up until time one and then somebody adds another block of, you know a hundred
transactions, I can just take that check point, that accumulator from here put on those hundred
transactions, and then compute another accumulator check point which is what we call it. So essentially
we also modified the client, the miners, to as part of the protocol computer the accumulator as they go
and do it for us. So actually that work is just shunted into the network. We do have to check it, people
have to verify, multiple nodes will have to verify that the accumulator being computed is valid. But
that’s not the end of the world because; you know there’s only a few hundred transactions per block so
it’s not a ton of computational work. So actually that’s great.
So we can get rid of all the work in, not all the work, but we can amortize that work in the, in computing
the accumulator, which turned out to be fairly pricey.
>>: [inaudible]
>> Matthew Green: Yeah?
>>: This is going to be a silly question.
>> Matthew Green: Yeah.
>>: Excuse me, so the prime [indiscernible], what size are you aiming for? Does it matter, is in any
prime number…
>> Matthew Green: It’s…
>>: Or do you have [indiscernible] size?
>> Matthew Green: We’ve been shooting; we actually did different sizes. We have like thousand
twenty-four, two thousand forty-eight, three thousand seventy-two bit.
>>: Okay.
>> Matthew Green: Yeah, so you have to adjust, you have to adjust the actual security level because
since it’s, has, you’re kind of reducing the space of commitments, it weakens it a bit. But only, but not
by, you know, there’s a weakening so you have to sort of dial up your security…
>>: [inaudible], so given there’s a somewhat arbitrariness I guess to the [indiscernible] to get your prime
number C.
>> Matthew Green: U-huh.
>>: And you got, like how long does it take to get that?
>> Matthew Green: I’ll show you in a sec…
>>: Okay…
>> Matthew Green: We have real number so…
>>: Okay, I know I was curious…
>> Matthew Green: It actually is more expensive than you’d think, but, you know it’s not that bad.
>>: [inaudible]
>> Matthew Green: Yeah, no it’s not. I mean when I say more expensive I’m talking like a second or
two, not like two hours and thirty minutes, so, yeah that’s an issue.
>>: [inaudible]
>> Matthew Green: Okay, yeah, so this is the question you just asked. Obviously we have some
optimizations in here; we can do this incremental computation of the accumulator. Another thing that
we can do is because this proof happens to be one of these, it’s an iterative proof where what we have
to do is we, the more executions you do on verification the more convinced you are that this is a secure
proof of knowledge. You don’t have to do them all. If you do half of them, you know for example let’s
say the proof, the guarantee is that with, you know you can forge a proof or given an invalid proof with
one over two to the eighty probability. Well if you do half the executions you might only be assured of
one of two to the forty.
So you could do something where individual nodes will each verify different parts of the proof. There
are different kinds of optimizations you can do to kind of reduce the complexity of verifying the proof.
So things like that will work. Yes?
>>: Can you say a bit why the body of pairings are committed to, can be used…
>> Matthew Green: Yeah, no I want it to be, I want it to be. So there are two problems with the, that
accumulator, one is an efficiency problem. So the, remember that we have to be able to do the
accumulation without a trap door. So the accumulators we have in pairings are very efficient if you have
a trap door. They can be done without a trap door but then what you have to do is you have to reveal
public parameters that are essentially linear in the size of the number of elements you’re going to
accumulate. So if you’re going to accumulate a million coins the parameters are going to be essentially a
million group elements in size.
Maybe that’s not so big a deal you could do windowing where you have maybe multiple accumulators
kind of computed and overlapping windows. You could find some engineering solution to this but that’s
an efficiency issue. Whatever, it’s just; it’s just an efficiency issue there. The real problem we have is
that what we need to do is this kind of double discreet logarithm proof where I need to be able to, so
what we do here is we are essentially accumulating integers. Those integers are commitments. There’s
actually no reason we couldn’t do the same thing except that what we’d have to do is we’d have to
crank up the order of the bilinear group to make it large enough that we could commit to, you know.
So, here’s the thing. So what we ideally want to do is commit, do the Peterson commitment in an
elliptic curve. So we have a nice small or bilinear group. Then we’d want to commit, we’d want to
accumulate those group elements that are the output of the Peterson commitment. The problem is the
accumulators don’t work on group elements, they work on integers. That turned out to be a technical
problem that might be something you can get around but we could not see a, kind of an easy way to do
it.
So you can accumulate integers and then you could do maybe commitments over, you know a ring or
something like that, an integer ring and you could just deal with them that way like we do here. But
then you have to adjust the bilinear group size. So you have a bilinear group of a very large order to
avoid, you know field based solvers that would, does any of what I’m saying make sense? It all makes
sense in my head. I’m not sure that moving my hands rapidly makes it any clearer to you but, you know
we kind of went through all of these different solutions and this one seemed like the most efficient. It
can be done in bilinear groups.
What we really want is the ability to commit to a value in a bilinear group and then accumulate those
group elements. Problem is we can’t do that because as far as I know there’s actually an impossibility
result that says you can’t have an efficient accumulator over group elements. You can have an efficient,
for example hash function that takes in group elements and is, you know actually does this as a set of
algebraic operations and outputs a hash result that is smaller than the inputs. I think that also applies to
accumulators. Any of that…
>>: Roughly.
>> Matthew Green: Roughly, I know…
>>: [inaudible]
>> Matthew Green: I spent a lot of time trying to figure out those…
>>: Because I see…
>> Matthew Green: Yeah.
>>: That you commit, you actually commit the exponent.
>> Matthew Green: Yes.
>>: [indiscernible]
>> Matthew Green: Yes.
>>: And it’s the same for [indiscernible] pairings that commit that which one so commits a, not to
[indiscernible].
>> Matthew Green: Right, if we could just commit, if we could just, but then we have to accumulate,
those things are public. So we have to accumulate these public values.
>>: Yeah.
>> Matthew Green: So I’m not really sure, you know with a commitment here…
>>: Yeah, but you can also commit zero values…
>> Matthew Green: Okay…
>>: [inaudible]
>> Matthew Green: I want to talk to you after this, so…
>>: They don’t have to be public, right.
>> Matthew Green: Okay, no I really do because I’m not completely understanding and if there is a
solution I want to know about it because we have an implementation of this and if we can make it more
efficient in any way I’d like to be able to do it. So, yeah, let’s talk after this.
Okay, so there are a bunch of optimizations. I now I’m keeping you guys late so, alright. I wanted to
show you what performance looks like. So this is performance. These three algorithms, this one over
here is the minting, you can see it’s actually very expensive in the sense that it takes almost a second to
mint a coin. This is at the thousand twenty-four bit size. It’s, over here, yeah, I’m not sure why those
are the same actually but for whatever reason in our implementation it takes under a second to mint
the coins regardless of the size, that that is a little weird.
To spend them is actually very efficient because all we have to do essentially is create this proof, it’s very
efficient. To verify them takes more time depending on the size. But to verify them is actually not
terribly, terribly bad here in this one. So this is actually verifying that the proof is correct. So that’s, it’s
not a terribly inefficient thing. The problem is not computational cost on these proofs. The problem
unfortunately is really the size of the proofs. This is where you get into the, the issue that the thousand
twenty-four bit size proof ends up with being somewhere between forty and forty-five kilobytes in size
and it goes up to about fifty kilobytes as you get larger.
Now we’ve done a lot of optimization. This is not; you know you’d think that you would get like three
times the size if you went to a larger modulus. But what we’re actually doing is we are changing some of
the parameters. We’re moving over into groups that are more efficient and doing some of our work
there. So that lets us be more efficient. Yes?
>>: [inaudible] security level…
>> Matthew Green: Well, you know…
>>: It’s Strong RSA, right?
>> Matthew Green: It’s Strong RSA and also we’re making some adjustments based on the fact that it’s
prime. So I’m not actually sure what the answer is on that so. Yeah, I’m not…
>>: So what’s the size of the other group? So this ten twenty-four is the accumulator modulus?
>> Matthew Green: Yes.
>>: And then there’s the group where the commitments are?
>> Matthew Green: Right, so we use, oh god, I have to look at the paper again to remind myself. But
we use multiple groups; we use one group that is where we put the commitments that are the coin. We
use one group for the accumulator. Then we use a third group when we do the proof we actually
transition things over into another group that happens to be a little bit smaller. The groups where we
can we use Schnorr groups where we have, you know a relatively large P and a much smaller Q or order
of the group so that we can kind of make things very, very efficient that way. So, and again I don’t
remember, we have, there’s a section in the paper that talks about all the parameter details we worked
out. As I’m sitting here right now I can’t remember them all. So I don’t want to tell you something
wrong.
Alright, so this is the upshot. I can take Bitcoins, I can turn them into Zerocoins, I can redeem them, and
ideally nobody with the exception of educated guessing will be able to link them. So in the couple of
minutes that I have left I want to skip this and I want to talk about some extensions that are not in our
paper but we think are just kind of nice, maybe obvious, maybe not so obvious kind of extensions that
we think are cool.
So one thing we don’t do is we don’t have a value associated with these coins, or rather I should say
every Zerocoin is worth the same amount of money. That makes sense from a privacy perspective
because you don’t want to have somebody getting a two dollar and thirty-one cent Zerocoin and then
spending a two dollar and thirty-one cent Zeriocoin and they you have privacy problems. However, you
could if you wanted to make this an extension. These are commitments. You can put anything you want
into these commitments. They could be vector commitments, you could add, you know just an amount
in satoshi of how much this thing is worth. Then what you could do is you could make this divisible.
The way you make it divisible is you simply add new transactions to the block chain. So I have an initial
Zerocoin that I place in that’s work a dollar. Then later on I want to split this into two fifty cent
Zerocoins. I don’t need to do zero knowledge proofs for this I just insert a new transaction that
essentially creates two new commitments, and then reveals the commitment randomness. Don’t even
need to do zero knowledge proof. Just say hey this is linked to this previous Zerocoin and I want to split
it up, and here’s the commitment randomness that allows me to do it. All of a sudden now I have two
fifty cent Zerocoins and then later on when I do the proof I will have to prove value as well. But that’s
not, that’s pretty trivial to do with these proofs. So you can do lots of kind of obvious stuff like adding
parameters to these coins.
>>: [inaudible] anonymously if you want.
>> Matthew Green: Oh, absolutely you could throw zero knowledge proof that just shows that they sum
to one Zerocoin and then just show that this other thing, yeah, exactly, all that’s doable. So that’s
simple. Here’s something that we have a paper in submission we think is cool. I’m trying to convince
other people it’s cool.
E-Cash is essentially very closely related to anonymous credentials. Anonymous credential systems,
what I love anonymous credential systems, I think we can all agree that so far they’ve had a little trouble
getting off the ground. One of the reasons is that right now to run an anonymous credential system you
have the problem of creating identity in the first place. Somebody has to authorize your identity and
your attributes. But then you have to have this credential issuer which has to always be online to, you
know issue credentials and to handle. Then you have to get everybody to use this thing.
There are a lot of applications where all of that work is very heavy. You don’t want to have to deal with
all that and maybe there are peer-to-peer networks that want to do some kind of anonymous assertion,
maybe that I’m a trustworthy node or I’ve done good things in the past. Without identifying themselves
they can’t use these kinds of heavy systems.
So can we extend our existing e-Cash to do that kind of work? Well, it turns out that it’s actually
possible. What we can do is we can, and before I get to exactly how this works I should mention that
there are already systems. How many of you have heard of NameCoin? Okay, so there are already
systems that are actually, Bitcoin like systems that are not so interested in the cash but they’re more
interested in establishing identity.
So for example in NameCoin what’s happening is you have a block chain just as before. But when
somebody wants to, what somebody can do is they can establish ownership of a name, where a name is
just a string. So you can go and you can put a transaction at the block chain and say hey I have Pets.com
and if you’re the first person to claim ownership of Pets.com then you own it. You get to have that
name and bind it to your public key. Then later on you could transfer Pets.com to somebody else if
maybe they pay you some money, or you could establish a different name.
So you have this notion that you can now establish identity. That identity can be arbitrary strings or
collections of attributes and so on. You have a time that you did this so you could prove for example
right there that I have a dot com domain name for building a domain name system and that I’ve had it
for at least five years. So that kind of stuff can easily be done in a non-anonymous way.
Now imagine extending that so that some of these assertions are more interesting. Like let’s say I want
to assert that I’m a peer in some peer-to-peer network and I have a good reputation. Well the nodes
who are building this block chain could actually verify that I really am a peer who’s done good things in
the past. They could imbed some kind of assertion that says you really are into the block chain and then
later on I want to be able to prove that.
There are other things you might be able to do. So like reputation, let’s say every time I interact with a
node I want to be able to say well it’s a good interaction, maybe I gains some reputation from that. I can
update that into the block chain. Well it turns out that you can do all of these things anonymously
simply by having updates to the transaction from the block chain and then doing zero knowledge proofs,
but basically putting your attributes and your information into commitments, putting them into a block
chain and then proving knowledge and proving different statements about the contents of that
commitment.
So it could be anything from I have a dot com domain name to I have a reputation that is greater than
one hundred because I’ve done a whole bunch of transactions with people. Yet you still can’t tell who I
am. So we think this is kind of neat because now it gives you a way to build anonymous credentials
without all of that, you know stuff that’s very difficult of getting somebody to issue them. All you have
to do is have some kind of assertion that you can put into a block chain, you can prove things about it.
So we think that’s nifty. Yes?
>>: You’re still missing the [indiscernible] part, right, so…
>> Matthew Green: Well, it depends. I mean you’re right that there’s a limited amount of stuff that you
can vet and there’s stuff that you can. So let’s say the criteria for getting an identity is that I have to
solve a proof of work, or I have to pay ten Bitcoins. Right, so right there let’s say I have a peer-to-peer
network and it’s, I have a problem which is that people are running Sybil attacks. I can’t uniquely
identify nodes and anybody can create a million identities and run Sybil attacks because there’s nothing
stopping them from doing that. Well now I make it so that it costs me ten Bitcoins to establish an
identity. I’ve already put kind of an expense bound on how many identities you’re likely to create and
therefore limited the number of attacks that you can run. Or if you don’t want to use money we could
have everybody do a very complex proof of work.
So all an identity here is an assertion that I have a unique identity that cost me some amount
computation to establish, and that’s valuable in I think some peer-to-peer applications, and to be able to
do that anonymously prove that without having to have a central party kind of sitting there with who’s
going to appoint that central party. I think just that all by itself is neat. Reputation systems you can do
without any assertions about anything, just interactions between nodes.
Then, yes of course, you could build things where you have like an identity provider that maybe is doing
outside assertions. But you could still use this to do the credential issuing. So you could say that I don’t
get a credential unless the drivers license agency gives me a signature, or my TPM gives me a signature
saying that I have a valid TPM and then I can be in this network. So I think there’s a lot of neat stuff you
can do. We haven’t explored all the applications but I think they exist.
Sorry, I get excited about this. I’m going to wind up now, alright. So can we build, I’m going back to
Zerocoin. Can we build Zerocoin today? Well the answer is yes. So we actually built a version of the
clients. The Bitcoin client is called bitcoind, the C plus, plus version. My grad students Ian Miers and
Christina Garman, I did not touch this so I take no credit. They did incredibly hard work and if you’ve
seen the code quality on this thing you’ll understand why. They did incredibly hard work updating it and
inserting this capability into this client. So it actually works. We’re going to be releasing the code when
we present at Oakland with some clean up.
So it’s a real thing and you can use it. The problem is that in order to use it in a sort of coherent fashion
you need all of the Bitcoin nodes to adopt it, kind of simultaneously, so incremental adoption is hard.
There are some things that you could do along the way where you have temporary trusted parties who
could help you keep, get the system going. Then ultimately you could get rid of them. So we hope that
there’s kind of a solution that people will do it.
The other thing that we have to worry about is that there’s a lot of cost to verifying these proofs. That
has some implications for the stability of the Bitcoin network. But it’s a real system you can actually use.
It’s not just a paper. Anyway so there’s a lot of future, the last thing that I want to cover and then I’ll
stop is what are the ethics of doing this in the first place?
I mean is it, let’s say that we do it. Let’s say that people actually think it’s secure. Let’s say people
implement it. Is it a good thing that we have an electronic and a decentralized currency that is actually
sort of untraceable? Are we facilitating crime by doing this? Or are we creating a world where, you
know everybody in the world can’t see that I bought medication from my pharmacy, which is the way
things are in Bitcoin today? So I don’t really know what the answer to that is. But I do think that there’s
value in pursuing this and then seeing what people make of it.
So that’s it. I don’t think I went too far over but thank you guys.
[applause]
>> Patrick Longa Pierola: Any more questions?
>>: Yeah, so what advantage of Bitcoin as it currently stands is that it’s simple enough to implement so
there are multiple competitions out there.
>> Matthew Green: Yeah.
>>: How simple is Zerocoin to implement? Could you…
>> Matthew Green: It’s just zero knowledge proofs. It’s more complicated and that’s going to be a
problem. So you’re going to have to have libraries and you’re going to have to have people who trust
those libraries, and that’s going to be an issue. The good news is that it’s really one file. I mean all of
the crypto code is in one file. Once you have the transaction semantics and you trust that one file of
crypto that’s it, you’re kind of done, so. It’s more complicated though. The Bitcoin people are scared of
it. We talked to them and they said we understand hashes, we understand ECDSA but I don’t think we
can explain this to the people who actually use Bitcoin today, it’s too much.
>>: So as I remember from the slides the reason for decentralization is that, at the beginning there
would be like no one to set up the central body to do…
>> Matthew Green: Yeah.
>>: Yeah, but now it would be like get some kind of [indiscernible] so I think there would be people
willing to set up some kind of central authority or [indiscernible]…
>> Matthew Green: There is…
>>: [indiscernible] have like similar for the real money where there’s a central banks and...
>> Matthew Green: So the problem is there’s been one attempt to do Chaumian style e-Cash and it
crashed. Somebody started up a company and then it failed, or started up a project and it failed. I think
that in toll a company like that is running for a good deal of time. People may not trust it very much.
They might put their money into it for a little while but they won’t leave it in for very long.
Unfortunately the anonymity properties rely on you kind of letting your money circulate in this pool till
lots and lots of people are also there. So the degree of anonymity you get is based on, you know how
much do you trust this company and are willing to trust them with your money.
So I agree that it could happen. You could have a central company but I don’t see it happening in a big
way and getting widely used any time in the near, near future.
>>: And not only like company but would be on [indiscernible] from government...
>> Matthew Green: Yeah, although I don’t think the governments going to want to help out with the
untraceable currency stuff. But I agree that you are going to have problems with, there are definitely
lots of organizations that could do it. Microsoft could do it. They could build a product to do it but I
don’t think they’re going to, I mean it’s just an issue. I think that it’s, here’s the other thing, the last
thing that it’s a legal problem. Let’s say you build a centralized Chaumian e-Cash company.
Are you crazy, I mean you’re going to get, how much trouble are you going to get in if it’s used for
anything terrorism related? If it’s ever traced that that’s done your company is going to be essentially
either asked to find some way to trace it or you’re going to be shut down. With this system, with a fully
decentralized system you don’t have that problem.
>> Patrick Longa Pierola: Any other questions? So let’s thank Matthew Green again.
[applause]
>> Matthew Green: Good deal.
Related documents
“Regulation of Cryptocurrencies: Practice Nexus” The Theory- IMMACULATE D. MOTSI-OMOIJIADE
“Regulation of Cryptocurrencies: Practice Nexus” The Theory- IMMACULATE D. MOTSI-OMOIJIADE
Bitcoin will bite the dust
Bitcoin will bite the dust
BX.in.th - Bitcoin Conference Thailand 2014
BX.in.th - Bitcoin Conference Thailand 2014
Download
advertisement