Lelantus is Zcoin’s next-generation privacy protocol. It improves on Sigma by removing the requirement of fixed denominations, allowing people to burn arbitrary amounts and redeem partial amounts without revealing the values or the source. Lelantus doesn’t require any trusted setup and relies only on the DDH assumption. It also supports untraceable direct anonymous payments by allowing people to pass the right to redeem to someone else. Lelantus is Zcoin’s own innovation.
In this work, we introduce a new method of instantiating one-out-of-many proofs which reduces the proof generation time by an order of magnitude. In certain practical applications our method also speeds up the verification of multiple simultaneously generated proofs. Our approach still yields short proofs consisting of only a logarithmic number of commitments and does not compromise the highly efficient batch verification properties of the original construction. We believe this work can also foster further research towards building more efficient one-out-of-many proofs, which are extremely useful constructions in the blockchain privacy space and beyond.
One-out-of-many proofs form the foundation of Sigma, which improves on Zerocoin by removing the trusted setup and reducing proof sizes. Zcoin is also applying some further efficiency modifications to the original paper. Sigma is in development and is slated to be released in Q1 2019.
MTP is the Proof of Work algorithm used by Zcoin; it promotes egalitarian mining while maintaining quick verification. The original paper had flaws, as identified by Dinur and Nadler. Zcoin organized a bounty to harden MTP and also funded research to solve these issues, as reflected in the linked paper. Zcoin coded MTP from the ground up and switched to the MTP algorithm in December 2018.
Dandelion++ was originally developed for Bitcoin as a way to obscure the origin of transactions by changing the way transactions propagate through the network. Dandelion++ is slated to go live on Bitcoin Core 0.18. Zcoin was the first project to go live with Dandelion++ on mainnet in September 2018.
Zero-Knowledge cryptographic proofs
In Bitcoin, all transactions are broadcast on a public ledger. Research has shown that external information, such as publicly announced addresses, can be used to link identities and organizations to transactions. The default reuse of Bitcoin addresses exacerbates this problem.
Furthermore, the same type of mechanism used to break privacy in social networks, such as the analysis of social network topology, can be used to break privacy in the Bitcoin network.
Bitcoin and earlier alternative cryptocurrencies have attempted to solve this problem through the use of transaction mixers or ring signatures. However, there are a number of drawbacks to these proposed solutions. For one, a malicious or compromised member of a mixer or ring signature can break privacy. Furthermore, the anonymity set is a key metric for understanding how private a cryptocurrency is. The anonymity set in formerly proposed solutions is limited by the size of the mixing cycle or ring signature. Each mixing cycle or ring signature is limited by the number of transactions per cycle, which is in turn limited by the block size of the cryptocurrency. Thus, the anonymity set in previous attempts at privacy tends to be only a few hundred transactions.
With Zcoin, the anonymity set is dramatically larger. Instead of an anonymity set limited to a few dozen, Zcoin has an anonymity set that encompasses all minted coins of a particular denomination, which can scale to many thousands and, unlike other solutions, is not subject to transaction graph analysis.
Also unlike other zero-knowledge proof systems such as zkSNARKs, Sigma doesn’t require any trusted setup, has a relatively simple cryptographic construction and relies only on well-established cryptographic assumptions such as DDH.
Decentralized and Fair Security: MTP
Bitcoin and many other Proof of Work coins suffer from centralization of security. This mainly arises from the creation of highly specialized machines
The MTP algorithm was devised by Alex Biryukov and Dmitry Khovratovich from the University of Luxembourg in their paper titled Egalitarian Computing, published on 11 June 2016 and subsequently improved in January 2018 (with research partially funded by Zcoin). These are the same researchers who came up with Equihash.
MTP was created as a way to remedy the disparity between ordinary users and adversaries/cheaters, where the latter could use botnets, GPUs, FPGAs and ASICs to gain a significant advantage and mount a cheaper attack. The basic concept is that it should establish the same price/cost for a single computation unit on all platforms. This means that no single device should gain a significant advantage over another for the same price, hence promoting egalitarian computing. With egalitarian computing, attackers would need to spend the same amount as ordinary users for equivalent ‘hashing’ power. As attackers need to use similar hardware to ordinary users, automated large-scale attacks are no longer possible. Combined with the fact that hashing in MTP is highly memory intensive, users infected by trojans that enlist them into botnets would experience noticeable performance degradation and would therefore be more likely to suspect something is amiss.
Massive centralization can be seen with many existing proof of work algorithms such as SHA256 (Bitcoin), Scrypt (Litecoin, Dogecoin) and X11 (Dash), where hashing power is centralized in ASIC farms and normal users are not incentivised to participate in the security of the network. Even in newer schemes such as Ethash, which is used in Ethereum, although it is deliberately designed to be GPU friendly (more than 100x more efficient than on a CPU), this still encourages GPU farms and centralization. Equihash, despite being memory hard, is not sequentially memory hard, meaning it can be mostly parallelized, which makes the development of ASICs more likely.
This doesn’t mean that we discourage GPU mining, but with MTP it is foreseen that even with GPU mining, CPU mining would still remain competitive.
Fast and lightweight Verification
Although finding an MTP solution is computationally and memory intensive, once found, the solution can be verified quickly and efficiently without requiring a lot of memory. Our reference implementation uses 2 GB of RAM, which is noticeable on many CPUs and thus discourages botnets, since the load would be noticeable to the user; MTP is designed to support RAM usage of up to 10 GB while remaining quick to verify, which is not possible with other PoW implementations.
This is important because keeping verification quick makes the network more resistant to DoS attacks that target verifiers. It also allows lightweight hardware such as smartphones to perform verification, which is not possible with many other memory-hard algorithms. MTP verification is very fast.