Zerocoin and Zerocash

Zerocoin and Zerocash and ultimately Zcash

This lecture discusses alternatives to Bitcoin. These coin protocols are not backward compatible with Bitcoin. Zerocoin was initially developed at JHU (Johns Hopkins University). From there, Zerocash was created. Zcash is the implementation of Zerocash and is also a fully-fledged currency. Zcoin is similar but is based on Zerocoin. Both protocols provide a privacy-preserving version of Bitcoin as part of the protocol itself. I personally have had experience learning about zero knowledge proofs and Zcash. I was surprised that much of that seems to have been glossed over during the lecture. It’s not an easy topic, so hopefully the lecturers spend more time on it if they decide to expand the series.

Questions answered in this Post:

  • What is Zerocoin?
  • What is a zero knowledge proof?
  • How is a Zerocoin minted versus redeemed?
  • What is Zerocash?

ZeroCoin

ZeroCoin is protocol-level mixing: the mixing capability is baked into the protocol rather than offered by a third-party service you have to trust. The first version of the paper was released in 2013. Its abstract describes Zerocoin as a cryptographic extension to Bitcoin that augments the protocol to allow for fully anonymous currency transactions. This means that one does not need to trust any user or mix operator for anonymity; one only needs to trust the underlying protocol. The lecturer brings up another term, BaseCoin, to use in the discussion.

Basecoin is defined to be a Bitcoin-like altcoin, and Zerocoin is an extension of Basecoin. Basecoins can be converted into Zerocoins and back. When a coin is converted, the link between the old coin and the new coin is broken. That is what adds the extra layer of anonymity.

Per the lecture, a Zerocoin is a cryptographic proof that you own a BaseCoin and have made it unspendable. Miners can verify that proof. Owning such an unspendable coin gives you the right to redeem a new BaseCoin.

Challenges of ZeroCoin addressed

There are two main challenges that the lecturer addresses. The first is how to construct proofs that guarantee that someone who made a BaseCoin unspendable can redeem it for a new coin. The second is how to ensure that each such coin gets redeemed only once: if it could be redeemed more than once, the system would be vulnerable to double-spend attacks.

Zero-knowledge proofs (ZKP) are the savior of the day. They provide a way to prove a statement without revealing any other information. Yes, I highlighted most of the sentence because it is that important. You now have the ability to say “I know an input that hashes to some hash in the following set.” You can make this claim without revealing the input, and without revealing which element of the set it hashes to. The talk gets a bit hand-wavy at this point.

Walkthrough of minting and redeeming ZeroCoin

With ZKP, we can say that ZeroCoins get minted. They come into existence by minting, and they come in a standard denomination: 1 Basecoin == 1 ZeroCoin. Minting a ZeroCoin by itself doesn’t give it value; it gains value when the mint transaction is added to the blockchain. Minting a ZeroCoin means publishing a “cryptographic commitment”. Intuitively, you pick a serial number S and seal it in an envelope. In addition, you generate a random secret r which is never made public. From there a hash H(S, r) is computed from S and r. Both stay secret at mint time; only S will be revealed later, when the coin is spent, and r is never revealed. This sounds very similar to public and private keys being used to generate hashed messages.

You put the commitment onto the blockchain, and now it’s part of a transaction. Thus a BaseCoin becomes burned (the mint transaction), and the transaction output carries only the hash H(S, r), not S or r themselves.

To spend a ZeroCoin with serial number S, you do the reverse. S is revealed, and miners check whether S has been spent before. Next, a zero-knowledge proof is created: “I know a number r such that H(S, r) is one of the ZeroCoins in the blockchain.” Miners verify the proof, and the output of the spend is a fresh BaseCoin that can be used as the input of the next transaction. r is never revealed, yet anyone can check the proof and confirm that you have the right to redeem a BaseCoin. The anonymity property is maintained because r stays secret, so no one can tell which of the commitments on the blockchain corresponds to the serial number S. The statement being proved is a giant disjunction (“it is this coin, or this coin, or ...”) over all ZeroCoins ever minted, and yet ZeroCoin is “efficient” because the proof size and verification time do not grow linearly with the number of coins (the paper achieves this with a cryptographic accumulator). It is slower than Bitcoin but still relatively fast. Now we move towards ZeroCash. It is more efficient, using zk-SNARKs, and is not reliant on an intermediary coin like BaseCoin.
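To make the mint and spend steps above concrete, here is a small Python model I added for this post; it is not code from the Zerocoin paper or from any Zerocoin/Zcash implementation. It stands in for the hash commitment H(S, r) with a Pedersen commitment C = g^S * h^r, and for the “H(S, r) is one of the ZeroCoins in the blockchain” statement with a Cramer-Damgård-Schoenmakers OR-proof made non-interactive with Fiat-Shamir. That proof really is the giant disjunction the lecture describes, one Schnorr branch per coin, so it grows linearly with the number of coins; it does not reproduce the accumulator trick that keeps Zerocoin’s real proofs constant-size. The group parameters (the 14-bit safe prime 10007 and generators 4 and 9) and every name in the block (`commit`, `mint`, `prove_spend`, `verify_spend`, `Ledger`) are my own toy choices for readability and are not secure.

```python
"""Toy model of Zerocoin mint and spend, added for illustration (not the paper's code)."""
from __future__ import annotations
import hashlib
import secrets

# Toy group (assumption, NOT secure): p = 2q + 1 is a safe prime and G, H are squares,
# so both generate the order-q subgroup of Z_p^*. A real system would use a 2048-bit
# group and derive H independently of G (e.g. hash-to-group).
P = 10007
Q = 5003
G = 4
H = 9

def commit(serial: int, r: int) -> int:
    """Commitment to serial number S with blinding r: C = g^S * h^r mod p."""
    return (pow(G, serial, P) * pow(H, r, P)) % P

def mint() -> tuple[int, int, int]:
    """Mint: pick a fresh serial S and secret r; only C = commit(S, r) goes on chain."""
    serial = secrets.randbelow(Q)
    r = secrets.randbelow(Q)
    return serial, r, commit(serial, r)

def _statements(coins: list[int], serial: int) -> list[int]:
    """Once S is revealed, coin i is spendable iff Y_i = C_i * g^-S equals h^r for a known r."""
    g_inv_s = pow(G, -serial, P)
    return [(c * g_inv_s) % P for c in coins]

def _challenge(serial: int, ys: list[int], anns: list[int]) -> int:
    """Fiat-Shamir challenge over the revealed serial, the statements and the announcements."""
    data = "|".join(map(str, [serial, *ys, *anns])).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def prove_spend(coins: list[int], serial: int, r: int, idx: int) -> dict:
    """Prove "I know r with commit(serial, r) in coins" without saying which coin.
    Real Schnorr branch for idx; simulated branches (challenge and response picked
    first) for every other index. The challenges must sum to the hash, so only one
    of them is forced, which is what requires knowledge of r for some coin."""
    n = len(coins)
    ys = _statements(coins, serial)
    cs, zs, anns = [0] * n, [0] * n, [0] * n
    for i in range(n):
        if i == idx:
            continue
        cs[i] = secrets.randbelow(Q)
        zs[i] = secrets.randbelow(Q)
        anns[i] = (pow(H, zs[i], P) * pow(ys[i], -cs[i], P)) % P  # simulated branch
    w = secrets.randbelow(Q)
    anns[idx] = pow(H, w, P)                                     # real announcement
    c = _challenge(serial, ys, anns)
    cs[idx] = (c - sum(cs)) % Q                                  # the one forced challenge
    zs[idx] = (w + cs[idx] * r) % Q
    return {"announcements": anns, "challenges": cs, "responses": zs}

def verify_spend(coins: list[int], serial: int, proof: dict) -> bool:
    """Check the OR-proof; every index is checked identically, so idx is not revealed."""
    anns, cs, zs = proof["announcements"], proof["challenges"], proof["responses"]
    n = len(coins)
    if n == 0 or not (len(anns) == len(cs) == len(zs) == n):
        return False
    ys = _statements(coins, serial)
    if sum(cs) % Q != _challenge(serial, ys, anns):
        return False
    return all(pow(H, zs[i], P) == (anns[i] * pow(ys[i], cs[i], P)) % P for i in range(n))

class Ledger:
    """Minimal on-chain state: published commitments and the set of revealed (spent) serials."""
    def __init__(self) -> None:
        self.coins: list[int] = []
        self.spent: set[int] = set()

    def mint(self, commitment: int) -> None:
        """Mint transaction: the Basecoin is burned and only the commitment is recorded."""
        self.coins.append(commitment)

    def spend(self, serial: int, proof: dict) -> bool:
        """Spend transaction: reject a reused serial, verify the proof, then record the
        serial so the same coin cannot be redeemed twice. True means a fresh Basecoin is due."""
        if serial in self.spent:
            return False
        if not verify_spend(self.coins, serial, proof):
            return False
        self.spent.add(serial)
        return True

if __name__ == "__main__":
    ledger = Ledger()
    wallet = [mint() for _ in range(4)]       # four users each mint one coin
    for _, _, c in wallet:
        ledger.mint(c)
    s, r, _ = wallet[2]                       # the third user spends
    proof = prove_spend(ledger.coins, s, r, 2)
    print("first spend accepted:", ledger.spend(s, proof))   # True
    print("double spend accepted:", ledger.spend(s, proof))  # False
```

The two checks a miner performs are visible in `Ledger.spend`: the serial-number set catches double spends, and `verify_spend` confirms that some commitment on the ledger opens to the revealed S, without learning which one. Because the proof list has one branch per coin, the verifier cost here is linear in the ledger size; that is the cost Zerocoin avoids with its accumulator and Zerocash avoids with zk-SNARKs.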

ZeroCash

Because the efficiency has been increased, all transactions can be done in the zero-knowledge manner. Zerocash means untraceable e-cash. All transactions are in Zerocoins, and splitting and merging of coins is fully supported. Thus the ledger has a record that a transaction took place, but only the people who took part in the transaction know its details. Mining fees are kept at a standard value, which means very little information is leaked by them. The one issue of the system is that random secret inputs are required to generate the public parameters. Those secret inputs must be securely destroyed, because anyone who knows them can break the system and forge coins. The public parameters are also large, on the order of 1 GB. There has been coverage regarding this private ceremony. I’ve shared Zcash’s ceremony for some context.

Here’s NPR’s Radiolab coverage of the same ceremony.

Zcash and Selective Disclosure

I have a few more notes regarding Zcash. I was fortunate to listen to Paige Peterson of the Zcash project speak. Zcash is a fork of the Bitcoin code base. Zcash can be seen as another cryptocurrency that protects the privacy of transactions by using zero-knowledge cryptography (ZKP). Zcash has extensions which I thought were interesting, like “selective disclosure”. This is the ability to authorize third parties to see some pieces of information by granting them permission to it. For me, that allows for a situation where regulators would be more “OK” with the introduction of Zcash because the users control what content is disclosed. The way this works is through what are called shielded transactions.

I stumbled upon this Zchain block viewer. This viewer allows you to look at all transactions, and there is a field that says whether each one was shielded or not. Zcash makes it possible to hide all inputs and outputs of a transaction, so the only piece of information you would see is the fee. Since the Zcash fee is the same for all transactions, that is really not helpful to an observer. However, if you are the recipient, Zcash has a mechanism called viewing keys: a key you can hand to an intended party so that only they get view access to your shielded transactions. That’s really neat!

Wrap Up

I’m going to finish this article off with a nice chart that was presented in the lecture titled “5 Levels of Anonymity”.

System        Type               Anonymity attacks               Deployability
Bitcoin       Pseudonymous       Tx graph analysis               Default
Single mix    Mix                Tx graph analysis, bad mix      Usable
Mix chain     Mix                Side channels, bad mix          Bitcoin compatible
Zerocoin      Cryptographic mix  Possible side channels          Altcoin
Zerocash      Untraceable        None                            Altcoin