DOCSLIB.ORG

Zerocash: Decentralized Anonymous Payments from Bitcoin

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Zerocash: Decentralized Anonymous Payments from Bitcoin Zerocash: Decentralized Anonymous Payments from Bitcoin Eli Ben-Sasson∗, Alessandro Chiesa†, Christina Garman‡, Matthew Green‡, Ian Miers‡, Eran Tromer§, Madars Virza† ∗Technion, [email protected] †MIT, {alexch, madars}@mit.edu ‡Johns Hopkins University, {cgarman, imiers, mgreen}@cs.jhu.edu §Tel Aviv University, [email protected] Abstract—Bitcoin is the first digital currency to see widespread party and then, after some interval, retrieve different coins adoption. While payments are conducted between pseudonyms, (with the same total value) from the pool. Yet, mixes suffer Bitcoin cannot offer strong privacy guarantees: payment trans- from three limitations: (i) the delay to reclaim coins must be actions are recorded in a public decentralized ledger, from which much information can be deduced. Zerocoin (Miers et large to allow enough coins to be mixed in; (ii) the mix can 1 al., IEEE S&P 2013) tackles some of these privacy issues by trace coins; and (iii) the mix may steal coins. For users with unlinking transactions from the payment’s origin. Yet, it still “something to hide,” these risks may be acceptable. But typical reveals payments’ destinations and amounts, and is limited in legitimate users (1) wish to keep their spending habits private functionality. from their peers, (2) are risk-averse and do not wish to expend In this paper, we construct a full-fledged ledger-based digital currency with strong privacy guarantees. Our results leverage continual effort in protecting their privacy, and (3) are often recent advances in zero-knowledge Succinct Non-interactive AR- not sufficiently aware of their compromised privacy. guments of Knowledge (zk-SNARKs). To protect their privacy, users thus need an instant, risk-free, First, we formulate and construct decentralized anonymous and, most importantly, automatic guarantee that data revealing payment schemes (DAP schemes). A DAP scheme enables users to their spending habits and account balances is not publicly directly pay each other privately: the corresponding transaction hides the payment’s origin, destination, and transferred amount. accessible by their neighbors, co-workers, and merchants. We provide formal definitions and proofs of the construction’s Anonymous transactions also guarantee that the market value security. of a coin is independent of its history, thus ensuring legitimate Second, we build Zerocash, a practical instantiation of our users’ coins remain fungible.2 DAP scheme construction. In Zerocash, transactions are less than 1 kB and take under 6 ms to verify — orders of magnitude more Zerocoin: a decentralized mix. Miers et al. [8] proposed efficient than the less-anonymous Zerocoin and competitive with Zerocoin, which extends Bitcoin to provide strong anonymity plain Bitcoin. guarantees. Like many e-cash protocols (e.g., [2]), Zerocoin employs zero-knowledge proofs to prevent transaction graph Keywords: Bitcoin, decentralized electronic cash, zero knowledge analyses. Unlike earlier practical e-cash protocols, however, Zerocoin does not rely on digital signatures to validate coins, I. INTRODUCTION nor does it require a central bank to prevent double spending. Instead, Zerocoin authenticates coins by proving, in zero- Bitcoin is the first digital currency to achieve widespread knowledge, that they belong to a public list of valid coins adoption. The currency owes its rise in part to the fact that, (which can be maintained on the block chain). Yet, rather than unlike traditional e-cash schemes [1, 2, 3], it requires no trusted a full-fledged anonymous currency, Zerocoin is a decentralized parties. Instead of appointing a central bank, Bitcoin leverages a mix, where users may periodically “wash” their bitcoins via distributed ledger known as the block chain to store transactions the Zerocoin protocol. Routine day-to-day transactions must made between users. Because the block chain is massively be conducted via Bitcoin, due to reasons that we now review. replicated by mutually-distrustful peers, the information it The first reason is performance. Redeeming zerocoins contains is public. requires double-discrete-logarithm proofs of knowledge, which While users may employ many identities (or pseudonyms) have size that exceeds 45 kB and require 450 ms to verify (at to enhance their privacy, an increasing body of research shows the 128-bit security level).3 These proofs must be broadcast that anyone can de-anonymize Bitcoin by using information in the block chain [4, 5, 6], such as the structure of the transaction 1CoinJoin [7], an alternative proposal, replaces the central party of a mix graph as well as the value and dates of transactions. As a result, with multi-signature transactions that involve many collaborating Bitcoin users. Bitcoin fails to offer even a modicum of the privacy provided CoinJoin can thus only mix small volumes of coins amongst users who are currently online, is prone to denial-of-service attacks by third parties, and by traditional payment systems, let alone the robust privacy of requires effort to find mixing partners. anonymous e-cash schemes. 2While the methods we detail in this paper accomplish this, the same While Bitcoin is not anonymous itself, those with sufficient techniques open the door for privacy preserving accountability and oversight motivation can obfuscate their transaction history with the help (see Section X). 3These published numbers [8] actually use a mix of parameters at both of mixes (also known as laundries or tumblers). A mix allows 128-bit and 80-bit security for different components of the construction. The users to entrust a set of coins to a pool operated by a central cost is higher if all parameters are instantiated at the 128-bit security level. through the network, verified by every node, and permanently is succinct, i.e., for which proofs are very short and easy to stored in the ledger. The entailed costs are higher, by orders verify. More precisely, let L be an NP language, and let C be a of magnitude, than those in Bitcoin and can seriously tax a nondeterministic decision circuit for L on a given instance size Bitcoin network operating at normal scale. n.Azk-SNARK can be used to prove and verify membership The second reason is functionality. While Zerocoin consti- in L, for instances of size n, as follows. After taking C as tutes a basic e-cash scheme, it lacks critical features required input, a trusted party conducts a one-time setup phase that of full-fledged anonymous payments. First, Zerocoin uses results in two public keys: a proving key pk and a verification coins of fixed denomination: it does not support payments key vk. The proving key pk enables any (untrusted) prover of exact values, nor does it provide a means to make change to produce a proof π attesting to the fact that x ∈L, for an following a transaction (i.e., divide coins). Second, Zerocoin instance x (of size n) of his choice. The non-interactive proof has no mechanism for one user to pay another one directly π is zero knowledge and a proof of knowledge. Anyone can in “zerocoins.” And third, while Zerocoin provides anonymity use the verification key vk to verify the proof π; in particular by unlinking a payment transaction from its origin address, it zk-SNARK proofs are publicly verifiable: anyone can verify π, does not hide the amount or other metadata about transactions without ever having to interact with the prover that generated occurring on the network. π. Succinctness requires that (for a given security level) π has Our contribution. In this work we address the aforemen- constant size and can be verified in time that is linear in |x| tioned issues via two main contributions. (rather than linear in |C|). (1) We introduce the notion of a decentralized anonymous B. Decentralized anonymous payment schemes payment scheme, which formally captures the functionality and We construct a decentralized anonymous payment (DAP) security guarantees of a full-fledged decentralized electronic scheme, which is a decentralized e-cash scheme that allows currency with strong anonymity guarantees. We provide a con- direct anonymous payments of any amount. See Section III for struction of this primitive and prove its security under specific a formal definition. Here, we outline our construction in six cryptographic assumptions. The construction leverages recent incremental steps; the construction details are in Section IV. advances in the area of zero-knowledge proofs. Specifically, it Our construction functions on top of any ledger-based base uses zero-knowledge Succinct Non-interactive ARguments of currency, such as Bitcoin. At any given time, a unique valid Knowledge (zk-SNARKs) [9, 10, 11, 12, 13, 14, 15, 16]. snapshot of the currency’s ledger is available to all users. (2) We achieve an implementation of the above primitive, via The ledger is a sequence of transactions and is append- a system that we call Zerocash. Compared to Zerocoin, our only. Transactions include both the underlying currency’s system (at 128 bits of security): transactions, as well as new transactions introduced by our • Reduces the size of transactions spending a coin by 97.7%. construction. For concreteness, we focus the discussion below • Reduces the spend-transaction verification time by 98.6%. on Bitcoin (though later definitions and constructions are • Allows for anonymous transactions of variable amounts. stated abstractly). We assume familiarity with Bitcoin [20] • Hides transaction amounts and the values of coins held by and Zerocoin [8]. users. Step 1: user anonymity with fixed-value coins. We first • Allows for payments to be made directly to a user’s fixed describe a simplified construction, in which all coins have address (without user interaction). the same value of, e.g., 1 BTC. This construction, similar To validate our system, we measured its performance and to the Zerocoin protocol, shows how to hide a payment’s established feasibility by conducting experiments in a test origin.
Load more

Recommended publications
  • American Bar Association Business Law Section Committee on Derivatives and Futures Law
    American Bar Association Business Law Section Committee on Derivatives and Futures Law Winter Meeting 2018 Naples, Florida Friday, January 19, 2018 10:15 a.m. to 11:30 a.m. NEW PRODUCTS / FINANCIAL TECHNOLOGY Moderator for the Program: Conrad G. Bahlke, Willkie Farr &Gallagher LLP Speakers: Geoffrey F. Aronow, Sidley Austin LLP Debra W. Cook, Depository Trust & Clearing Corporation Katherine Cooper, Law Office of Katherine Cooper Isabelle Corbett, R3 David Lucking, Allen & Overy LLP Brian D. Quintenz, Commissioner, U.S. Commodity Futures Trading Commission ABA BUSINESS LAW SECTION DERIVATIVES & FUTURES LAW COMMITTEE 2018 WINTER MEETING NEW PRODUCTS / FIN TECH PANEL 2017 Developments in US Regulation of Virtual Currencies and Related Products: Yin and Yang January 5, 2018 By Katherine Cooper1 2017 was a year during which virtual currencies began to move into the mainstream financial markets. This generated significant legal and regulatory developments as U.S. regulators faced numerous novel products attempting to blend the old with the new. Although facing so many novel issues, the regulators’ responses tell a familiar story of the struggle to balance the yin of customer protection with the yang of encouraging financial innovation and competition. Below is a summary of 2017 developments from the SEC, CFTC, OCC, FinCEN and the States. I. Securities and Exchange Commission a. Bitcoin Exchange-Traded Products A number of sponsors of proposed Bitcoin exchange traded products had applications for approval pending before the Securities and Exchange Commission at the beginning of 2017. In March 2017, the SEC rejected a proposal backed by Tyler and Cameron Winklevoss.2 The Bats Exchange proposed a rule amendment which would list the shares of the Winklevoss Bitcoin Trust for trading.
    [Show full text]
  • Rev. Rul. 2019-24 ISSUES (1) Does a Taxpayer Have Gross Income Under
    26 CFR 1.61-1: Gross income. (Also §§ 61, 451, 1011.) Rev. Rul. 2019-24 ISSUES (1) Does a taxpayer have gross income under § 61 of the Internal Revenue Code (Code) as a result of a hard fork of a cryptocurrency the taxpayer owns if the taxpayer does not receive units of a new cryptocurrency? (2) Does a taxpayer have gross income under § 61 as a result of an airdrop of a new cryptocurrency following a hard fork if the taxpayer receives units of new cryptocurrency? BACKGROUND Virtual currency is a digital representation of value that functions as a medium of exchange, a unit of account, and a store of value other than a representation of the United States dollar or a foreign currency. Foreign currency is the coin and paper money of a country other than the United States that is designated as legal tender, circulates, and is customarily used and accepted as a medium of exchange in the country of issuance. See 31 C.F.R. § 1010.100(m). - 2 - Cryptocurrency is a type of virtual currency that utilizes cryptography to secure transactions that are digitally recorded on a distributed ledger, such as a blockchain. Units of cryptocurrency are generally referred to as coins or tokens. Distributed ledger technology uses independent digital systems to record, share, and synchronize transactions, the details of which are recorded in multiple places at the same time with no central data store or administration functionality. A hard fork is unique to distributed ledger technology and occurs when a cryptocurrency on a distributed ledger undergoes a protocol change resulting in a permanent diversion from the legacy or existing distributed ledger.
    [Show full text]
  • White Paper of Bitcoin Ultimatum Introduction
    White Paper of Bitcoin Ultimatum Introduction 1. Problematic of the Blockchain 4. Bitcoin Ultimatum Architecture industry 4.1. Network working principle 1.1. Transactions Anonymity 4.1.1. Main Transaction Types 1.2. Insufficient Development of Key Aspects of the 4.1.1.1. Public transactions Technology 4.1.1.2. Private transactions 1.3. Centralization 4.1.2. Masternode Network 1.4. Mining pools and commission manipulation 4.2. How to become a validator or masternode in 1.5. Decrease in Transaction Speeds BTCU 4.3. Network Scaling Principle 2. BTCU main solutions and concepts 4.4. Masternodes and Validators Ranking System 4.5. Smart Contracts 2.1. Consensus algorithm basis 4.6. Anonymization principle 2.2. Leasing and Staking 4.7. Staking and Leasing 2.3. Projects tokenization and DeFi 4.7.1. Staking 2.4. Transactions Privacy 4.7.2. Leasing 2.5. Atomic Swaps 4.7.2 Multileasing 4.8. BTCU Technical Specifications 3. Executive Summary 4.8.1. Project Stack 4.8.2. Private key generation algorithm 5. Bitcoin Ultimatum Economy 5.1. Initial Supply and Airdrop 5.2. Leasing Economy 5.3. Masternodes and Validators Commission 5.4. Transactions Fee 6. Project Roadmap 7. Legal Introduction The cryptocurrency market is inextricably tied to the blockchain – its fundamental and underlying technology. The modern market is brimming with an abundance of blockchain protocols, algorithms, and concepts, all of which have fostered the development of a wide variety of services and applications. The modern blockchain market offers users an alternative to both established financial systems and ecosystems/infrastructures of applications and services.
    [Show full text]
  • Crypto-Asset Markets: Potential Channels for Future Financial Stability
    Crypto-asset markets Potential channels for future financial stability implications 10 October 2018 The Financial Stability Board (FSB) is established to coordinate at the international level the work of national financial authorities and international standard-setting bodies in order to develop and promote the implementation of effective regulatory, supervisory and other financial sector policies. Its mandate is set out in the FSB Charter, which governs the policymaking and related activities of the FSB. These activities, including any decisions reached in their context, shall not be binding or give rise to any legal rights or obligations under the FSB’s Articles of Association. Contacting the Financial Stability Board Sign up for e-mail alerts: www.fsb.org/emailalert Follow the FSB on Twitter: @FinStbBoard E-mail the FSB at: [email protected] Copyright © 2018 Financial Stability Board. Please refer to: www.fsb.org/terms_conditions/ Contents Executive Summary ................................................................................................................... 1 1. Introduction ......................................................................................................................... 3 2. Primary risks in crypto-asset markets ................................................................................. 5 2.1 Market liquidity risks ............................................................................................... 5 2.2 Volatility risks .........................................................................................................
    [Show full text]
  • Blockchain Law: the Fork Not Taken
    Blockchain Law The fork not taken Robert A. Schwinger, New York Law Journal — November 24, 2020 I shall be telling this with a sigh Somewhere ages and ages hence: Two roads diverged in a wood, and I— I took the one less traveled by, And that has made all the difference. — Robert Frost Is the token holder — often the holder of some form of digital currency — always free to choose which branch of the fork to take? A blockchain is often envisioned as a record of a single continuous Background: ‘Two roads diverged in a sequential series of transactions, like the links of the metaphorical chain from which the term “blockchain” derives. But sometimes yellow wood’ the chain turns out to be not so single or continuous. Sometimes situations can arise where a portion of the chain can branch off A blockchain fork occurs when someone seeks to divide a into a new direction from the original chain, while the original chain blockchain into two branches by changing its source code, which also continues to move forward separately. This presents a choice is possible to do because the code is open. For those users who for the current holders of the digital tokens on that blockchain choose to upgrade their software, the software then “rejects about which direction they wish to follow going forward. In the all transactions from older software, effectively creating a new world of blockchain, this scenario is termed a “fork.” branch of the blockchain. However, those users who retain the old software continue to process transactions, meaning that But is the tokenholder—often the holder of some form of digital there is a parallel set of transactions taking place across two currency—always free to choose which branch of the fork to different chains.” See generally N.
    [Show full text]
  • Aggregate Cash System: a Cryptographic Investigation Of
    Aggregate Cash Systems: A Cryptographic Investigation of Mimblewimble Georg Fuchsbauer1,2, Michele Orrù2,1, and Yannick Seurin3 1 Inria 2 École normale supérieure, CNRS, PSL University, Paris, France 3 ANSSI, Paris, France {georg.fuchsbauer, michele.orru}@ens.fr [email protected] Abstract. Mimblewimble is an electronic cash system proposed by an anonymous author in 2016. It combines several privacy-enhancing techniques initially envisioned for Bitcoin, such as Confidential Transactions (Maxwell, 2015), non-interactive merging of transactions (Saxena, Misra, Dhar, 2014), and cut-through of transaction inputs and outputs (Maxwell, 2013). As a remarkable consequence, coins can be deleted once they have been spent while maintaining public verifiability of the ledger, which is not possible in Bitcoin. This results in tremendous space savings for the ledger and efficiency gains for new users, who must verify their view of the system. In this paper, we provide a provable-security analysis for Mimblewimble. We give a precise syntax and formal security definitions for an abstraction of Mimblewimble that we call an aggregate cash system. We then formally prove the security of Mimblewimble in this definitional framework. Our results imply in particular that two natural instantiations (with Pedersen commitments and Schnorr or BLS signatures) are provably secure against inflation and coin theft under standard assumptions. Keywords: Mimblewimble, Bitcoin, commitments, aggregate signatures. 1 Introduction Bitcoin and the UTXO model. Proposed in 2008 and launched early 2009, Bitcoin [Nak08] is a decentralized payment system in which transactions are registered in a distributed and publicly verifiable ledger called a blockchain. Bitcoin departs from traditional account-based payment systems where transactions specify an amount moving from one account to another.
    [Show full text]
  • Review Articles
    review articles DOI:10.1145/3372115 system is designed to achieve common Software weaknesses in cryptocurrencies security goals: transaction integrity and availability in a highly distributed sys- create unique challenges in responsible tem whose participants are incentiv- revelations. ized to cooperate.38 Users interact with the cryptocurrency system via software BY RAINER BÖHME, LISA ECKEY, TYLER MOORE, “wallets” that manage the cryptograph- NEHA NARULA, TIM RUFFING, AND AVIV ZOHAR ic keys associated with the coins of the user. These wallets can reside on a local client machine or be managed by an online service provider. In these appli- cations, authenticating users and Responsible maintaining confidentiality of crypto- graphic key material are the central se- curity goals. Exchanges facilitate trade Vulnerability between cryptocurrencies and between cryptocurrencies and traditional forms of money. Wallets broadcast cryptocur- Disclosure in rency transactions to a network of nodes, which then relay transactions to miners, who in turn validate and group Cryptocurrencies them together into blocks that are ap- pended to the blockchain. Not all cryptocurrency applications revolve around payments. Some crypto- currencies, most notably Ethereum, support “smart contracts” in which general-purpose code can be executed with integrity assurances and recorded DESPITE THE FOCUS on operating in adversarial on the distributed ledger. An explosion of token systems has appeared, in environments, cryptocurrencies have suffered a litany which particular functionality is ex- of security and privacy problems. Sometimes, these pressed and run on top of a cryptocur- rency.12 Here, the promise is that busi- issues are resolved without much fanfare following ness logic can be specified in the smart a disclosure by the individual who found the hole.
    [Show full text]
  • Segwit2x –
    SegWit2x – A New Statement The Overwhelming power of SegWit2x In order to safeguard the community from an undesired chain split, the upgrade should be overwhelming, but it’s not enough. It should also ‘appear’ as overwhelming. People, businesses and services needs to be certain about what is going to happen and the risks if they won’t follow. My impression is that still too many speaking english people in the western world think the upgrade will be abandoned before or immediately after block 494784 is mined, thus they are going to simply ignore it. That could lead to unprepared patch up and confusion, while naïve users risk to harm themselves. For this reason and for the sake of the Bitcoin community as a whole, we need to show again, clearly and publicly the extent of the support to SegWit2x. We also need to commit ourselves in a widespread communication campaign. I know this is not a strict technical matter, but it could help a lot avoiding technical issues in the future. What we have to do First, we need a new statement from the original NYA signers and all the business, firms and individuals who joined the cause later. That statement should be slightly different from the original NYA though, and I am explaining why. We all know that what Bitcoin is will be ultimately determined by market forces, comprehensive of all the stakeholders involved: businesses, miners, users, developers, traders, investors, holders etc. Each category has its own weight in the process, and everybody has incentives in following the market.
    [Show full text]
  • Electronic Cash, Decentralized Exchange, and the Constitution
    Electronic Cash, Decentralized Exchange, and the Constitution Peter Van Valkenburgh March 2019 coincenter.org Peter Van Valkenburgh, Electronic Cash, Decentralized Exchange, and the Constitution, ​ ​ Coin Center Report, Mar. 2019, available at https://coincenter.org/entry/e-cash-dex-constitution Abstract Regulators, law enforcement, and the general public have come to expect that cryptocurrency transactions will leave a public record on a blockchain, and that most cryptocurrency exchanges will take place using centralized businesses that are regulated and surveilled through the Bank Secrecy Act. The emergence of electronic cash and decentralized exchange software challenges these expectations. Transactions need not leave any public record and exchanges can be accomplished peer to peer without using a regulated third party in between. Faced with diminished visibility into cryptocurrency transactions, policymakers may propose new approaches to financial surveillance. Regulating cryptocurrency software developers and individual users of that software under the Bank Secrecy Act would be unconstitutional under the Fourth Amendment because it would be a warrantless search and seizure of information private to cryptocurrency users. Furthermore, any law or regulation attempting to ban, require licensing for, or compel the altered publication (e.g. backdoors) of cryptocurrency software ​ ​ would be unconstitutional under First Amendment protections for speech. Author Peter Van Valkenburgh Coin Center [email protected] About Coin Center Coin Center is a non-profit research and advocacy center focused on the public policy issues facing open blockchain technologies such as Bitcoin. Our mission is to build a better understanding of these technologies and to promote a regulatory climate that preserves the freedom to innovate using blockchain technologies.
    [Show full text]
  • MYBTGWALLET SCAM the Dark Side of the Fork
    MYBTGWALLET SCAM The dark side of the fork Intro After Bitcoin Cash fork on Aug. 1st, Bitcoin was involved in two other forks between October and November: before the so disputed Segwit2x announced fork, on Oct. 24th a new crypto was launched. Bitcoin Gold was a new greedy chance for Bitcoin owners to earn some free money: importing mnemonic seeds or private keys belonging to a BTC wallet in a BTG one they had the opportunity to redeem their free BTG. This was possible through local BTG clients or through some web services such as MyBTGWallet.com, a website listed directly on BTG official webpage. This particular case turned in a scam that stole an impressive number of Bitcoin from “unexperienced” users. The Scam Site MyBTGWallet scam worked in a very simple way: users imported the mnemonic seed of their BTC wallet on the scam page providing in this way the scammer with the private keys needed to steal the balance of bitcoin still on the wallet and any other cryptocurrencies stored on the same wallet (e.g. Ethereum or Litecoin in case it was a multicurrency wallet). MyBTGWallet page The site used a clever trick to save the mnemonic seed into the cookies of the browser and then siphoned the cookies via a google tracking javascript having this way access to all seeds checked on the website. 2 The numbers The website was used by many bitcoin holders after the fork happened. The scammers progressively moved the stolen funds to other bitcoin addresses. Thanks to open source intelligence activities, we were able to create the clusters of the stolen bitcoin and determine that the number of compromised addresses is almost 4500.
    [Show full text]
  • Transparent and Collaborative Proof-Of-Work Consensus
    StrongChain: Transparent and Collaborative Proof-of-Work Consensus Pawel Szalachowski, Daniël Reijsbergen, and Ivan Homoliak, Singapore University of Technology and Design (SUTD); Siwei Sun, Institute of Information Engineering and DCS Center, Chinese Academy of Sciences https://www.usenix.org/conference/usenixsecurity19/presentation/szalachowski This paper is included in the Proceedings of the 28th USENIX Security Symposium. August 14–16, 2019 • Santa Clara, CA, USA 978-1-939133-06-9 Open access to the Proceedings of the 28th USENIX Security Symposium is sponsored by USENIX. StrongChain: Transparent and Collaborative Proof-of-Work Consensus Pawel Szalachowski1 Daniel¨ Reijsbergen1 Ivan Homoliak1 Siwei Sun2;∗ 1Singapore University of Technology and Design (SUTD) 2Institute of Information Engineering and DCS Center, Chinese Academy of Sciences Abstract a cryptographically-protected append-only list [2] is intro- duced. This list consists of transactions grouped into blocks Bitcoin is the most successful cryptocurrency so far. This and is usually referred to as a blockchain. Every active pro- is mainly due to its novel consensus algorithm, which is tocol participant (called a miner) collects transactions sent based on proof-of-work combined with a cryptographically- by users and tries to solve a computationally-hard puzzle in protected data structure and a rewarding scheme that incen- order to be able to write to the blockchain (the process of tivizes nodes to participate. However, despite its unprece- solving the puzzle is called mining). When a valid solution dented success Bitcoin suffers from many inefficiencies. For is found, it is disseminated along with the transactions that instance, Bitcoin’s consensus mechanism has been proved to the miner wishes to append.
    [Show full text]
  • One-Out-Of-Many Proofs: Or How to Leak a Secret and Spend a Coin
    One-out-of-Many Proofs: Or How to Leak a Secret and Spend a Coin Jens Groth1? and Markulf Kohlweiss2 1 University College London 2 Microsoft Research Abstract. We construct a 3-move public coin special honest verifier zero-knowledge proof, a so-called Sigma-protocol, for a list of commit- ments having at least one commitment that opens to 0. It is not required for the prover to know openings of the other commitments. The proof system is efficient, in particular in terms of communication requiring only the transmission of a logarithmic number of commitments. We use our proof system to instantiate both ring signatures and zerocoin, a novel mechanism for bitcoin privacy. We use our Sigma-protocol as a (linkable) ad-hoc group identification scheme where the users have public keys that are commitments and demonstrate knowledge of an opening for one of the commitments to unlinkably identify themselves (once) as belonging to the group. Applying the Fiat-Shamir transform on the group identification scheme gives rise to ring signatures, applying it to the linkable group identification scheme gives rise to zerocoin. Our ring signatures are very small compared to other ring signature schemes and we only assume the users' secret keys to be the discrete logarithms of single group elements so the setup is quite realistic. Sim- ilarly, compared with the original zerocoin protocol we only rely on a weak cryptographic assumption and do not require a trusted setup. A third application of our Sigma protocol is an efficient proof of mem- bership of a secret committed value belonging to a public list of values.
    [Show full text]