Privacy-enhancing Technology:
Zerocoin Protocol

Zero-Knowledge cryptographic proofs

In Bitcoin, all transactions are broadcasted on a public ledger. Research has shown that external information, such as publicly announced addresses, can be used to link identities and organizations to transactions. The default reuse of bitcoin addresses exacerbates this problem.

Furthermore, the same type of mechanism used to break privacy in social networks, such as the analysis of social network topology, can be used to break privacy in the Bitcoin network.

Bitcoin and preceding alternative cryptocurrencies have attempted to solve this problem through the use of transaction mixers or ring signatures. However, there are a number of drawbacks to these proposed solutions. For one, a malicious or compromised member of a mixer or ring signature can break privacy. Furthermore, the anonymity set is a key metric to understanding how private a cryptocurrency is. The anonymity set in formerly proposed solutions is limited by the size of the mixing cycle or ring signature. Each mixing cycle or ring signature is limited by the number of transactions per cycle, which is transitively limited by the the block size of the cryptocurrency. Thus, the anonymity set in previous attempts at privacy tends to only be a few hundred transactions.

With Zcoin, the anonymity set is on a dramatically higher magnitude. Instead of having an anonymity set limited to the few dozen, Zcoin has an anonymity set that encompasses all minted coins in a particular RSA accumulator that can scale to many thousands and unlike other solutions is not subject to transaction graph analysis.

Decentralized and Fair Security: MTP

Bitcoin and many other Proof of Work coins suffer from centralization of security. This mainly arises from the creation of highly specialized machines

The MTP algorithm was devised by Alex Biryukov and Dmitry Khovratovich from the University of Luxembourg in their paper published on the 11 June 2016 titled Egalitarian Computing which was subsequently improved in January 2018 (with research partially funded by Zcoin). These are the same researchers who came up with Equihash.

Egalitarian Computing

MTP was created as a way to remedy the disparity between ordinary users and adversaries/cheaters where the latter could use botnets, GPU, FPGA and ASICS to gain a significant advantage and mount a cheaper attack. The basic concept is that it should establish the same price/cost for a single computation unit on all platforms. This means that no single device should gain a significant advantage over another for the same price hence promoting egalitarian computing. With egalitarian computing, attackers would need to spend the same amount as ordinary users for equivalent ‘hashing’ power. As attackers need to use similar hardware as ordinary users, automated large-scale attacks become no longer possible. This combined with the fact hashing in MTP is highly memory intensive, users infected by trojans to participate in botnets would experience noticeable performance degradation and therefore more likely to suspect something is amiss.

Massive centralization can be seen with many existing proof of work algorithms such as SHA256 (Bitcoin), Scrypt (Litecoin, Dogecoin) and X11 (Dash) where hashing power is centralized in ASIC farms and normal users are not incentivised to participate in the security of the network. Even in newer schemes such as Ethash which is used in Ethereum, although it is deliberately designed to be GPU friendly (more than a 100x more efficient than on a CPU), this still encourages GPU farms and centralization. Equihash despite it being memory hard, is not sequentially memory hard, meaning it can be mostly parallelized which makes development of ASICs more likely.

This doesn’t mean that we discourage GPU mining, but with MTP it is foreseen that even with GPUs mining, CPU mining would still remain competitive.

Fast and lightweight Verification

MTP although it is computationally and memory intensive to find the solution, once found, its solution can be quickly and efficiently verified without requiring a lot of memory. Although our reference implementation uses 2gb of RAM making it noticeable on many CPUs thus discouraging botnets as it would be noticeable to the user, MTP is designed to even support RAM usage up to 10 gb while remaining quick to verify that is not possible with other PoW implementations.

This is important since by keeping verification quick, this makes the network more resistant to DoS attacks that target verifiers. It also allows lightweight hardware such as smartphones to perform verification which is not possible on many other hard memory hard algorithms. Verification speed of MTP is very quick.

Incentivized Infrastructure: Znodes

Improving Zerocoin