ZeroCash:
ZeroCoin meets SCIPR-lab
www.zerocoin.org
www.SCIPR-lab.org
Eli Ben-Sasson (Technion),
Joint work with
Alessandro Chiesa (MIT),
Christina Garman (JHU),
Matthew Green (JHU),
Ian Miers (JHU),
Eran Tromer (TAU),
Madars Virza (MIT)
Bitcoin’s Anonimity Problem
(BAP)
• BAP:
– If Alice pays Bob in Bitcoins, she gains information about his
spending of those coins …
– … And Bob gains information about Alice’s spending of her
other Bitcoins
• How? Analyze transaction-graph [Reid, Harrigan`11; …]
• Solution: Use a bitcoin mix/laundry/tumbler
– give Bitcoins to trusted pool, retrieve later
– Problems: (1) every tx must go thru mix, (2) trust mix?
– Acceptable if have much to hide, not so for average
honest user
• ZeroCash practically solves Bitcoin’s anonymity problem
Should we solve Bitcoin’s Anonymity
Problem?
• Is ZeroCash good or evil?
• To answer that, first answer
– Is Bitcoin good? Is a decentralized payment system good? Yes!
– (Is a decentralized info./comm. system – Internet – good?) Yes!
– Is it good for such a system to leak (part of) your spending
information to every one of your payers and payees?
No
Ergo, ZeroCash is good
• But what about regulation?
– It is up to society to agree on the acceptable regulation of
Bitcoin and similar decentralized payment systems
– Jury still out (ditto for Internet)
– When decisions are made, the “engine” under ZeroCash’s
hood (Zero Knowledge Proofs) can help implement!
Talk outline
• Anonymous electronic payments
– Pre-bitcoin – e-cash and beyond
– Post-bitcoin – Zerocoin, PinnochioCoin
– Introducing ZeroCash
• Zero Knowledge (ZK)
– SNARKs
– SCIPR-lab
• ZeroCash: a peek under the hood
Pre-bitcoin anonymous e-cash
(BAP: Blockchain structure leaks information to payer and payee)
• E-cash [Chaum `82,…]
– Anonymous
– Blind signatures by bank’s secret key used to mint
coins
– Problems: (1) central secret, (2) central trusted party
• [Sander, Ta-Shma `99] removed need for secret
– Bank mints coins using Zero-Knowledge (ZK)
arguments and Merkle trees (more on these later)
– Anonymous, secret-less, efficient* e-cash system
– Problems: (2) central trusted party, (3) divisibility
*
Assuming efficient non-interactive ZK arguments of knowledge.
Post-bitcoin anonymous e-cash
• Zerocash: divisible anonymous e-cash
on ofSander
• [based
Solves the problems
zerocoin andTa-Shma
pinnochio-coin: `99]
•
– Efficiency
ZeroCoin
Garman,
Green,
Rubin
`13]
* at 128-bit
• 288 [Miers,
bytes/spend
security
level,
–
–
––
–
•
Uses
efficient* ZK9ms/spend
proofs and* RSA-accumulator
• Verification:
Extends
Bitcoin3min./spend
with `decentralized
laundry’
* on single
• Tx created
core i7 @ 2.7 GHz
No Bank, only trusted ledger (e.g., Blockchain)
Tx-generation scales logarithmically with #coins
Implemented as Bitcoin extension!
Fine print
–
–
–
–
Relatively new crypto assumptions –
pairing-based cryptography, knowledgeof-exponent, … -- can use more
cryptanalysis
To spend, need (public) key of size 0.9Gb
(downloaded only once)
Public key must be set up (only once) by
trusted party using a random trapdoor
which must be destroyed (no secrets
afterwards)
… otherwise party with trapdoor can
forge tx, but cannot break anonymity
(up to 264 coins)
– Fungible and divisible, hides payer, payee, and denomination
• Usual restrictions and disclaimers, read fine print
Problems
•• Fine
print
– Efficiency: 25Kb/spend, must appear on blockchain
Non-fungible,
non-divisible,
single-denomination
system (allowing
–– Relatively
new
crypto assumptions
– pairing-based
fungibility/divisibility
compromises
anonymity)
cryptography, knowledge-of-exponent, … -- can use more
cryptanalysis
• Pinocchio-Coin [Danezis, Fournet, Kohlweiss, Parno ‘13]
–– To
spend, need (public) key of size 0.9Gb (downloaded only
Done concurrently to, and independently of, ZeroCash
– once)
Solves efficiency problem: 344 bytes/spend* !
based on
“Pinnochio”
[Parno
et al. `13]
–– Public
key
must beZKset
up (only
once) by trusted party using a
– random
Scalabilitytrapdoor
problem: tx-generation
time
linearly with
which must
begrows
destroyed
(no#coins
secrets
– afterwards)
Non-fungible/divisble, single-denomination (same as Zerocoin)
– … otherwise party with trapdoor can forge tx, but cannot
* Size of
break
anonymity
the ZK-proof
part of a spend-tx; actual spend-tx size is larger
Talk outline
• Anonymous electronic payments
– Pre-bitcoin – e-cash and beyond
– Post-bitcoin – Zerocoin, PinnochioCoin
– Introducing ZeroCash
• Zero Knowledge (ZK)
– SNARKs
– SCIPR-lab
• ZeroCash: a peek under the hood
Zero Knowledge
[Goldwasser, Micali, Rackoff ‘89]
•
Concrete bitcoin-based statement+proofs
•
ZK-proof of knowledge: cryptographic proof that
– Statement: “I own 30 bitcoins with total value 123.5 BTC”
Ownership means knowledge of coin-keys.
– proof: point to 30 coins on blockchain, use each coin-key to encrypt a
message
– Problem: proof leaks knowledge about coin-ownership!
–
–
–
–
•
cannot be (efficiently) generated without knowing keys
can be efficiently generated with keys
can be easily verified
reveals no information about coins
ZK-proofs exist for any statement that can be efficiently computable
with auxiliary secrets/trapdoors (NP-statement)
– How? Magic! (2009 Godel award; 2012 Turing Award to Goldwasser+Micali)
•
Efficiency of ZK-proofs is a huge research topic,
•
ZeroCash uses cutting-edge techniques from SCIPR-lab
Academic pedigree of
ZeroCash’s “ZK engine”
• Theory
– We use a ZK preprocessing Succinct Noninteractive
ARgument of Knowledge (SNARK for short), aka
succinct NIZK, succinct CS proof, ZKA, …
– Construction relies on pairings over elliptic curves,
quadratic span programs, linear PCPs, FFTs,
quasilinear PCPs, …
[…; Groth; Lipmaa; Ishai, Kushilevitz, Ostrovsky; Gennaro, Gentry, Parno,
Raykova; Bitansky, Chiesa, Ishai, Ostrovsky, Paneth; Ben-Sasson, Chiesa,
Genkin, Tromer; … 2010-14]
• Implementations (for general purpose programs)
– Pinnochio [Parno, Gentry, Howell, Raykova `13]
– “SNARKs for C” [B, Chiesa, Genkin, Tromer, Virza `13] by SCIPR-lab
www.SCIPR-lab.org
“… is an academic collaboration of researchers from MIT,
Technion, and Tel Aviv University, seeking to bring to
practice cryptographic proof systems that provide
Succinct Computational Integrity and PRrivacy.”
• Started in summer 2009 with Eran Tromer (co-PI),
Alessandro Chiesa, Daniel Genkin. Madars Virza joined
2012
• Initial funding: European Research Council (grant #
240258), major source of support for programming team:
Ohad Barta*, Lior Greenblat, Shaul Kfir, Michael Riabzev, Gil
Timnat, Arnon Yogev*
(* emeritus)
[Ad: seeking superb crypto+math programmer!]
SCIPR-lab meets ZeroCoin
• Both presented at Bitcoin 2013, San Jose
ZeroCoin video
SCIPR-lab video
– SCIPR-lab builds general-purpose programs
(“Turing complete”) CRYPTO`13 video
Powerful, yet cumbersome systems
– ZeroCoin needs specific optimized program
• … ZeroCash
Talk outline
• Anonymous electronic payments
– Pre-bitcoin – e-cash and beyond
– Post-bitcoin – Zerocoin, PinnochioCoin
– Introducing ZeroCash
• Zero Knowledge (ZK)
– SNARKs
– SCIPR-lab
• ZeroCash: a peek under the hood
ZeroCash and Base-currency
• ZeroCash works over any base-currency with
– public ledger and consensus mechanism (like PoW)
– Like BitCoin and its offspring
• ZeroCash supports
– Transactions of base-currency
– Converting coins to ZeroCash and vice versa
– Fully anonymous ZeroCash transactions …
• Fungible and divisible,
• Splitting and merging of coins,
• Hidden coin-owner and coin values
– … with public transaction fees (and other payments)
on them
ZeroCash transactions
• Mint: (no ZK-SNARK)
– Converts a base-currency coin with value
v into new ZeroCash coin c with value v
• Pour: (uses ZK-SNARK)
– Takes the sum value v of (up to) 2
ZeroCash coins and
– Pours v into (up to)
• 2 new ZeroCash coins (hidden values),
• 1 public payment (public value)
Disclaimer: Simplified ZeroCash protocol, real one to appear in paper
Pour-tx, viewed by Full-node
(verifier)
•
•
–
–
•
Full-nodes (verifiers) maintain
– Merkle tree of all previous coins
– List of all previously exposed serial numbers
– Crucial: observer cannot link sn to c !
a1= H(c1, c2)
a2= H(c3, c4)
Pour-tx is (sn, sn’, r, vpub, c’’,c’’’, π,…)
–
–
–
–
–
•
addrpub = f(addrsec), f is pseudorandom function (PRF)
Serial number is sn = f(addrsec, rserial), “destroys” coin when displayed on ledger
…
•
r= H(z1, z2)
Coin is commitment c:= hash(val, rserial , addrpub),
controlled by secret address addrsec
sn, sn’ destroy 2 old coins (preventing double-spend)
c1
r is root of (current) Merkle tree
vpub is public value (used, e.g., for tx-fee)
c’’, c’’’ new coins
π is a 288-byte long ZK-SNARK for a statement described later
c2
c3
c4 …
L={sn1, sn2, … }
When full-node sees new pour-tx:
1.
2.
3.
Verifies π (9 ms)
Checks that sn, sn’ haven’t appeared and adds them to L
If 1,2 pass, then adds c’’, c’’’ to tree, updates root r, and collects vpub 
Disclaimer: Simplified ZeroCash protocol, real one to appear in paper
Constructing Pour-tx (prover)
•
Coin is commitment c:= hash(val, rserial , addrpub)
r= H(z1, z2)
• controlled by secret address addrsec
– addrpub = f(addrsec), f is pseudorandom function (PRF)
– Serial number is sn = f(addrsec, rserial), “destroys” coin when displayed on ledger
• Inputs
…
– 2 coins c, c’, hidden information, and location in tree
– Information for new coins:
• values v’’,v’’’,vpub
• Public addresses of payees addr’’pub, addr’’’pub
– Proving key (0.9 Gb long)
• Pour-tx is (sn, sn’, r, vpub, c’’,c’’’, π, …)
π is a ZK-SNARK proof of statement:
• What about Bitcoin/ZeroCash regulation?
c1
c2
c3
c4 …
L={sn1, sn2, … }
– When society decides on appropriate measures, efficient ZKproofs can help implement them
“know location of coins c, c’ in tree with root r, know coin values v, v’ and
computed correctly serial numbers as sn, sn’, know hidden values v’’, v’’’
of c’’, c’’’ and sum of old coins (v+v’) equals that of new ones
paid
(v’’+v’’’+vpub) and …
“ due taxes and contributed 10% to charity …“
Disclaimer: Simplified ZeroCash protocol, real one to appear in paper
ZeroCash: SCIPR-lab meets ZeroCoin
• First fungible, divisible, anonymous payment system
based on decentralized ledger (like Bitcoin), with
implementation,
• which solves Bitcoin’s Anonymity Problem,
• using cutting-edge constructions of ZK-proofs
When will ZeroCash be ready?
– Paper published May 18 @ “Oakland Security” conference
(hopefully earlier online)
– Code to be open-sourced when ready
– No further comments on deployment 
[Ad: SCIPR-lab needs superb crypto+math programmer]