Ian MiersIan Miers, Christina Garman, , Christina Garman,

Matthew Green, Avi RubinMatthew Green, Avi Rubin

Zerocoin: Anonymous Zerocoin: Anonymous Distributed E-Cash from Distributed E-Cash from BitcoinBitcoin

What is money?What is money?

Digitizing moneyDigitizing money

Two ways to do it Two ways to do it

Create digital Create digital cashcash

Create digital Create digital checkschecks

Bank accountsBank accounts

Problem: privacyProblem: privacy

Bank sees every Bank sees every transaction transaction

Merchants can Merchants can track customers track customers across interactionsacross interactions

Digital cashDigital cash

Can’t make uncopyable digital Can’t make uncopyable digital goodsgoods

Can make single use currencyCan make single use currency

Get a unique serial number Get a unique serial number when you withdraw money when you withdraw money

Spend it by showing an Spend it by showing an unused serial number unused serial number

E-cash schemesE-cash schemes

Chaum82: blind signatures for e-cashChaum82: blind signatures for e-cash

Chaum88: offline e-cash with double spender Chaum88: offline e-cash with double spender identification identification

Brandis95: restricted blind signaturesBrandis95: restricted blind signatures

Camenisch05: compact offline e-cash Camenisch05: compact offline e-cash

Decentralized

SecurePr

ivat

e

An ideal digital currencyAn ideal digital currency

BitcoinBitcoinA distributed digital currency systemA distributed digital currency system

Released by Satoshi Nakamoto 2008 Released by Satoshi Nakamoto 2008

Market cap of 1.2 Billion USD (as of early May Market cap of 1.2 Billion USD (as of early May 2013)2013)

Effectively a bank run by an ad hoc networkEffectively a bank run by an ad hoc network

Digital checksDigital checks

A distributed transaction log A distributed transaction log

Decentralized

BitcoinBitcoin

BitcoinBitcoinDecentralized

Secure

BitcoinBitcoinDecentralized

Secure

Priv

ate?

BitcoinBitcoinDecentralized

SecurePr

ivat

e

Bitcoin: all of your Bitcoin: all of your informationinformation

is is known toknown tothe bankthe bank

the merchantsthe merchantsEVERYONEEVERYONE

Data mining and privacyData mining and privacy

Target used data mining on customer Target used data mining on customer purchases to identify pregnant women and purchases to identify pregnant women and target ads at themtarget ads at them(NYT 2012) (NYT 2012)

Ended up informing a woman’s father that Ended up informing a woman’s father that his teenage daughter was pregnant his teenage daughter was pregnant

Imagine what credit card companies could do Imagine what credit card companies could do with the datawith the data

Chaum’s e-cash + Chaum’s e-cash + BitcoinBitcoin

Decentralized

SecurePr

ivat

e

Bitcoin laundriesBitcoin laundriesDecentralized

SecurePr

ivat

e

ZerocoinZerocoin

A distributed approach to private electronic A distributed approach to private electronic cashcash

Extends Bitcoin by adding an anonymous Extends Bitcoin by adding an anonymous currency on top of it currency on top of it

Zerocoins are exchangeable for bitcoinsZerocoins are exchangeable for bitcoins

What is a zerocoin?What is a zerocoin?

A zerocoin is:A zerocoin is:

Economically: a promissory note redeemable Economically: a promissory note redeemable for a bitcoinfor a bitcoin

Cryptographically: an opaque envelope Cryptographically: an opaque envelope containing a serial number used to prevent containing a serial number used to prevent double spendingdouble spending 82384827347

1012983

Zerocoins: where do Zerocoins: where do they come from?they come from?

Anyone can make oneAnyone can make one

Create an envelope containing a random serial Create an envelope containing a random serial numbernumber

Mint a zerocoin by putting a mint transaction in Mint a zerocoin by putting a mint transaction in the block chain which “spends” a bitcointhe block chain which “spends” a bitcoin

Spending a zerocoin gets you back a bitcoinSpending a zerocoin gets you back a bitcoin

Zerocoins: ...and where Zerocoins: ...and where do they go?do they go?

The “spent” bitcoins end up escrowedThe “spent” bitcoins end up escrowed

To spend a zerocoin, you reveal the serial To spend a zerocoin, you reveal the serial number and prove it is from some zerocoin in number and prove it is from some zerocoin in the block chainthe block chain

The serial number is marked as spent in the The serial number is marked as spent in the block chainblock chain

The recipient gets back a random bitcoin from The recipient gets back a random bitcoin from the escrow poolthe escrow pool

Zero-knowledge proofsZero-knowledge proofs

Zero-knowledge [Goldwasser, Micali 1980s, and Zero-knowledge [Goldwasser, Micali 1980s, and beyond]beyond]

Prove knowledge of a witness satisfying a Prove knowledge of a witness satisfying a statementstatement

Specific variant: non-interactive proof of knowledgeSpecific variant: non-interactive proof of knowledge

Here we prove we know: Here we prove we know:

1.1. The serial number of a zerocoinThe serial number of a zerocoin

2.2. That the coin is in the block chainThat the coin is in the block chain

PerformancePerformance

Modified Modified bitcoindbitcoind client on 3.5GZ Intel Xeon E3- client on 3.5GZ Intel Xeon E3-1270V2 1270V2

1024 bit commitments 1024 bit commitments

1024, 2048, and 3072 bit RSA moduli1024, 2048, and 3072 bit RSA moduli

Obstacles and future Obstacles and future workwork

Scale to larger networks Scale to larger networks

Reduce proof size (duh)Reduce proof size (duh)

Make divisible coins (we have a construction)Make divisible coins (we have a construction)

Get people to believe this worksGet people to believe this works

How does this get How does this get adopted? adopted?

How does this get adopted?How does this get adopted?

As part of Bitcoin?As part of Bitcoin?

As part of an alternative currency?As part of an alternative currency?

Where do we store the proofs?Where do we store the proofs?

Do people care if they go away?Do people care if they go away?

Can you meaningfully verify anonymous Can you meaningfully verify anonymous transactions?transactions?

How to explain Zerocoin to people? How to explain Zerocoin to people?

ZerocoinZerocoinDecentralized

Secure

Priv

ate

zerocoin.org

Ian MiersIan Miers|Christina Garman|Matthew Green|Avi |Christina Garman|Matthew Green|Avi RubinRubin