Zcoin Blog

Zcoin to implement Zero-Knowledge Proofs on Ethereum

May 4, 2017

What is Zcoin and how is it different?

Zcoin (XZC) was launched in September 2016 and employs the Zerocoin protocol to enable private transactions. The coin emission curve follows that of Bitcoin, and there has been no ICO or pre-mine. The underlying cryptography uses Zero-Knowledge Proofs (ZKP) that allow users to mint and spend coins with no transaction history.

Our current implementation of the Zerocoin protocol uses RSA 2048 parameters as a trusted setup. Parameters of this size are used in many aspects of internet security, such as HTTPS and SSH, and at projected computing capacity they will be safe to use for many more decades. Furthermore, we are working to implement the Sigma protocol, which completely eliminates the need for a trusted setup.

Another mitigating factor in the worst-case scenario of a compromised setup is that in Zerocoin the total coin supply and wallet balances can be audited. If any issue with the code or implementation results in double-spending or counterfeiting, it can be detected early, before it leads to hyperinflation. Zcoin encountered an attack earlier this year, but was able to find the bug after being alerted by a sharp increase in minted coins.

Zcoin is also the first coin to implement Merkle Tree Proof (MTP) as its proof-of-work (PoW) algorithm. MTP was developed by the same researchers who came up with Equihash. It is fast to verify and has the potential to revolutionize mining, since other “memory hard” (ASIC-hostile) proofs of work can be slotted into the parent algorithm. MTP is already running on our testnet and will be rolled out within the next month.

Why have Zerocoin on Ethereum?

The Zcoin team is conducting its own R&D into implementing the Zerocoin protocol on the ethereum blockchain. We believe this is in accordance with ethereum’s philosophy of redundancy and having multiple implementations, especially when it comes to cutting-edge and still highly experimental cryptography.

It can be argued that only a handful of cryptography academics fully understand zk-SNARKs. Meanwhile, the cryptographic principles behind Zerocoin have been around for longer, and the Zerocoin paper has been one of the most-cited cryptography papers of recent years, with about 200 citations.

In addition, we believe there should be a backup option to ensure basic privacy on the ethereum network in the unlikely event that Zcash’s SNARK public parameters have been compromised. As mentioned, recent advances in Zerocoin-based research even allow for a completely trustless setup.

ZoE, Hawk, and now Zcoin?

There are already several projects trying to implement privacy on ethereum, most notably Zcash-on-ethereum (ZoE) and Hawk. Zcoin is looking to implement Zerocoin spend verification in smart contracts, with the goal of creating a decentralized (and in the future trustless) coin mixer for Ether.

Zerocoin breaks all transaction links and allows Ether transactions to be obscured with plausible deniability within an anonymity set of up to several thousand, which compares favorably to other anonymization mechanisms that typically give you an anonymity set of fewer than 10 per transaction.

Unlike CoinJoin and its variants, it does not require a central server to process the mixing, does not require you to trust any third party, and does not require other users to provide liquidity for a mixing transaction. Other features down the road could include “untraceable” tokens for anonymous voting, blind auctions and ICOs, among others.

The Zerocoin spend computation for cryptographic shielding depends on the accumulator size and could be lowered enough to reach a sustainable gas cost. However, compared to Zcash, our proof of transaction is relatively large (25 kb), and the proposed coin mixer would in its first implementation only accept fixed denominations (e.g. 1, 10, 50, etc.).

After initial calculations and correspondence with Vitalik Buterin, we believe the implementation should be feasible with the upcoming Metropolis release. As running these operations directly in the EVM is too costly, we are also looking to implement pre-compiled contracts instead.

Smart contract outline for Zerocoin-based mixer:

  1. The smart contract allows you to deposit a fixed denomination of ETH by adding a cryptographic commitment (to a secret “serial number”) to an RSA accumulator maintained by the contract.
  2. After depositing ETH into the contract you receive a “wrapped” ERC20-compatible token carrying the secret serial number.
  3. In order to withdraw ETH without revealing which commitment you are spending, you use a ZKP to prove that you know a commitment inside the contract’s accumulator.
  4. On redemption you receive your ETH and the token is destroyed. The serial number is then marked as used, so you cannot double-spend with the same proof.
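As an added illustration (not Zcoin's code), the Python model below walks through the four steps with toy parameters: a small constructed RSA modulus, commitments reduced to 32-bit primes, and a withdrawal that reveals the commitment together with an accumulator witness in place of the zero-knowledge proof; the wrapped ERC20 token of step 2 is left out. The spent-serial set in step 4 is what stops the same proof from being redeemed twice.

```python
import hashlib

DENOMINATION_WEI = 10**18   # fixed 1 ETH denomination (step 1)
N = 1000003 * 1000033       # constructed toy RSA modulus; the real setup uses 2048-bit parameters
G = 65537                   # accumulator base, coprime with N

def is_prime(n):
    """Trial division; adequate for the 32-bit toy commitments used here."""
    if n < 2 or n % 2 == 0:
        return n == 2
    return all(n % d for d in range(3, int(n ** 0.5) + 1, 2))

def commitment(serial, blinding):
    """Hash serial+blinding and bump to a prime: RSA accumulators need prime members."""
    c = int.from_bytes(hashlib.sha256(serial + blinding).digest()[:4], "big") | 1
    while not is_prime(c):
        c += 2
    return c

def witness(coins, c):
    """Spender side: G^(product of every other commitment) mod N, from public data."""
    w = G
    for other in coins:
        if other != c:
            w = pow(w, other, N)
    return w

class Mixer:
    def __init__(self):
        self.balance = 0
        self.acc = G         # RSA accumulator of all deposited commitments
        self.coins = []      # members, kept public so spenders can build witnesses
        self.spent = set()   # serial numbers already redeemed (step 4)

    def deposit(self, value_wei, c):
        if value_wei != DENOMINATION_WEI:
            raise ValueError("only the fixed denomination is accepted")
        self.balance += value_wei
        self.coins.append(c)
        self.acc = pow(self.acc, c, N)

    def withdraw(self, serial, blinding, w):
        """Steps 3-4. Toy: reveals c; the real contract verifies a zero-knowledge proof instead."""
        c = commitment(serial, blinding)
        if serial in self.spent:
            raise ValueError("serial already spent")       # double-spend rejected
        if pow(w, c, N) != self.acc:
            raise ValueError("commitment not in accumulator")
        self.spent.add(serial)
        self.balance -= DENOMINATION_WEI
        return DENOMINATION_WEI
```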

If you are interested in helping Zcoin implement the coin-mixer contract, we are looking for additional developers to join our team. This includes people who can write EVM code in Solidity, Serpent or Viper. Remuneration will be commensurate with skill set and experience. We are also open to starting with project-based fees.