With so many other coins focusing on privacy out there, what makes Zcoin’s implementation of Zerocoin important? We are too often confused with ZCash that uses the Zerocash protocol and it is not easy for the layman to tell the difference between the anonymity solutions out there (and especially with both protocols using the word Zero!).
Although we will be also covering anonymity solutions used in other coins, we wish to begin to say that we believe it is healthy for the ecosystem to develop multiple anonymity solutions for cryptocurrency. Each system has its own set of pros and cons and trade-offs.
We strongly believe Zcoin achieves a good balance of all of these in implementing privacy and anonymity.
Zerocoin in Zcoin
We are the first open source cryptocurrency to implement Zerocoin and as at the date of writing, all other coins using Zerocoin are clones of our code or are still in the process of coding their own Zerocoin implementation. Zerocash, which ZCash uses is a different protocol altogether.
The Zerocoin protocol can be seen as an inbuilt anonymizer where you don’t have to trust any third parties. You mint a coin by burning it up, and then at later time, redeem it for a new coin with no transaction history. The link between the old coin and its associated transaction history is broken.
Minting a Zerocoin: You begin the minting processing by destroying a coin and generating a random serial number. You take this random serial number, and cryptographically commit to it so you cannot change it at a later time and post it on the blockchain. You can visualize a cryptographic commitment by thinking of it as putting a message in a locked box and putting this locked box up for everyone to see. This box is hung up on a giant notice board with everyone else’s lock boxes (the RSA accumulator). Only you have the key to open this locked box. So everyone knows that you have posted up a random serial number but don’t know what serial number it is (as they cannot open the box) and that you have burnt up a coin.
Spending a Zerocoin: When you want to redeem your brand new coin, you do a Zerocoin spend transaction. You do this by putting on a disguise and show a proof that you have the key to open one of the locked boxes and also reveal the random serial number you cryptographically committed to previously. The proof is a zero-knowledge proof whereby people when seeing the proof can verify that you have the key to open one of the locked boxes, without revealing which box it was, merely that it is one of the many lock boxes that people have put up. Note that although you have revealed the serial number, other people still don’t know which lock box is yours since it remains locked. They still cannot see which lock box contained your serial number. This serial number is then marked as used so you cannot redeem another coin with the same cryptographic proof and the network grants you a brand new coin with no transaction history.
This means that all that someone can deduce from your Zerocoin mint and spend is that the person who spent must be one from the many people who did a Zerocoin mint without being able to tell which one it is.
Pros of the Zerocoin system
- High anonymity since your plausible deniability is of all people who have minted on a particular noticeboard (RSA accumulator)
- Transaction graph analysis cannot be done as the link between the old coin you burnt up and the new one you redeemed is broken completely
- Does not require any trusted third party to provide you anonymity
- Uses battle tested cryptography such as RSA which is used to secure much of the internet (HTTPS, SSH, etc).
- Total Zcoin supply remains auditable so if there are any issues in the coding or cryptography, this can be detected.
- The base coin can still use Bitcoin’s core code so much easier integration with the existing Bitcoin ecosystem.
Cons of the Zerocoin system
- The cryptographic proofs required to do a Zerocoin spend transaction are relatively large (25 kb) and occupy space on the blockchain. This is why we propose storing it off-chain in a later development using Znodes.
- Each Zerocoin spend transactions takes about 0.5 seconds to verify adding some computational overhead to nodes. Again we propose delegating this computation load to a separate layer in Znodes.
- Currently, Zerocoin does not hide transaction values but uses fixed denominations for minting (1, 10, 25, 50, 100).
- Uses a trusted setup which requires the generation of two large primes p and q which need to be destroyed. However, even if such primes are leaked, anonymity is not compromised and an auditable supply makes it much easier to detect such issues. It is in our roadmap to explore several promising leads to implement a trustless setup.
Our opinion is that many of the perceived cons of the Zerocoin can be fixed or mitigated and we are confident in our privacy solution. There is also promising research in replacing the RSA accumulators with other schemes such as Pinocchio that give much greater performance with smaller proof sizes. Zerocoin development is not at a standstill.
In our next post, we will look into coin mixing solutions which rely on CoinJoin, used in most Bitcoin tumblers today and also in altcoins such as Dash and see how they compare.