Zerocash: Decentralized Anonymous Payments from Bitcoin Eli Ben-Sasson∗, Alessandro Chiesa†, Christina Garman‡, Matthew Green‡, Ian Miers‡, Eran Tromer§, Madars Virza† ∗Technion, [email protected] †MIT, {alexch, madars}@mit.edu ‡Johns Hopkins University, {cgarman, imiers, mgreen}@cs.jhu.edu §Tel Aviv University, [email protected] Abstract—Bitcoin is the first digital currency to see widespread party and then, after some interval, retrieve different coins adoption. While payments are conducted between pseudonyms, (with the same total value) from the pool. Yet, mixes suffer Bitcoin cannot offer strong privacy guarantees: payment trans- from three limitations: (i) the delay to reclaim coins must be actions are recorded in a public decentralized ledger, from which much information can be deduced. Zerocoin (Miers et large to allow enough coins to be mixed in; (ii) the mix can 1 al., IEEE S&P 2013) tackles some of these privacy issues by trace coins; and (iii) the mix may steal coins. For users with unlinking transactions from the payment’s origin. Yet, it still “something to hide,” these risks may be acceptable. But typical reveals payments’ destinations and amounts, and is limited in legitimate users (1) wish to keep their spending habits private functionality. from their peers, (2) are risk-averse and do not wish to expend In this paper, we construct a full-fledged ledger-based digital currency with strong privacy guarantees. Our results leverage continual effort in protecting their privacy, and (3) are often recent advances in zero-knowledge Succinct Non-interactive AR- not sufficiently aware of their compromised privacy. guments of Knowledge (zk-SNARKs). To protect their privacy, users thus need an instant, risk-free, First, we formulate and construct decentralized anonymous and, most importantly, automatic guarantee that data revealing payment schemes (DAP schemes). A DAP scheme enables users to their spending habits and account balances is not publicly directly pay each other privately: the corresponding transaction hides the payment’s origin, destination, and transferred amount. accessible by their neighbors, co-workers, and merchants. We provide formal definitions and proofs of the construction’s Anonymous transactions also guarantee that the market value security. of a coin is independent of its history, thus ensuring legitimate Second, we build Zerocash, a practical instantiation of our users’ coins remain fungible.2 DAP scheme construction. In Zerocash, transactions are less than 1 kB and take under 6 ms to verify — orders of magnitude more Zerocoin: a decentralized mix. Miers et al. [8] proposed efficient than the less-anonymous Zerocoin and competitive with Zerocoin, which extends Bitcoin to provide strong anonymity plain Bitcoin. guarantees. Like many e-cash protocols (e.g., [2]), Zerocoin employs zero-knowledge proofs to prevent transaction graph Keywords: Bitcoin, decentralized electronic cash, zero knowledge analyses. Unlike earlier practical e-cash protocols, however, Zerocoin does not rely on digital signatures to validate coins, I. INTRODUCTION nor does it require a central bank to prevent double spending. Instead, Zerocoin authenticates coins by proving, in zero- Bitcoin is the first digital currency to achieve widespread knowledge, that they belong to a public list of valid coins adoption. The currency owes its rise in part to the fact that, (which can be maintained on the block chain). Yet, rather than unlike traditional e-cash schemes [1, 2, 3], it requires no trusted a full-fledged anonymous currency, Zerocoin is a decentralized parties. Instead of appointing a central bank, Bitcoin leverages a mix, where users may periodically “wash” their bitcoins via distributed ledger known as the block chain to store transactions the Zerocoin protocol. Routine day-to-day transactions must made between users. Because the block chain is massively be conducted via Bitcoin, due to reasons that we now review. replicated by mutually-distrustful peers, the information it The first reason is performance. Redeeming zerocoins contains is public. requires double-discrete-logarithm proofs of knowledge, which While users may employ many identities (or pseudonyms) have size that exceeds 45 kB and require 450 ms to verify (at to enhance their privacy, an increasing body of research shows the 128-bit security level).3 These proofs must be broadcast that anyone can de-anonymize Bitcoin by using information in the block chain [4, 5, 6], such as the structure of the transaction 1CoinJoin [7], an alternative proposal, replaces the central party of a mix graph as well as the value and dates of transactions. As a result, with multi-signature transactions that involve many collaborating Bitcoin users. Bitcoin fails to offer even a modicum of the privacy provided CoinJoin can thus only mix small volumes of coins amongst users who are currently online, is prone to denial-of-service attacks by third parties, and by traditional payment systems, let alone the robust privacy of requires effort to find mixing partners. anonymous e-cash schemes. 2While the methods we detail in this paper accomplish this, the same While Bitcoin is not anonymous itself, those with sufficient techniques open the door for privacy preserving accountability and oversight motivation can obfuscate their transaction history with the help (see Section X). 3These published numbers [8] actually use a mix of parameters at both of mixes (also known as laundries or tumblers). A mix allows 128-bit and 80-bit security for different components of the construction. The users to entrust a set of coins to a pool operated by a central cost is higher if all parameters are instantiated at the 128-bit security level. through the network, verified by every node, and permanently is succinct, i.e., for which proofs are very short and easy to stored in the ledger. The entailed costs are higher, by orders verify. More precisely, let L be an NP language, and let C be a of magnitude, than those in Bitcoin and can seriously tax a nondeterministic decision circuit for L on a given instance size Bitcoin network operating at normal scale. n.Azk-SNARK can be used to prove and verify membership The second reason is functionality. While Zerocoin consti- in L, for instances of size n, as follows. After taking C as tutes a basic e-cash scheme, it lacks critical features required input, a trusted party conducts a one-time setup phase that of full-fledged anonymous payments. First, Zerocoin uses results in two public keys: a proving key pk and a verification coins of fixed denomination: it does not support payments key vk. The proving key pk enables any (untrusted) prover of exact values, nor does it provide a means to make change to produce a proof π attesting to the fact that x ∈L, for an following a transaction (i.e., divide coins). Second, Zerocoin instance x (of size n) of his choice. The non-interactive proof has no mechanism for one user to pay another one directly π is zero knowledge and a proof of knowledge. Anyone can in “zerocoins.” And third, while Zerocoin provides anonymity use the verification key vk to verify the proof π; in particular by unlinking a payment transaction from its origin address, it zk-SNARK proofs are publicly verifiable: anyone can verify π, does not hide the amount or other metadata about transactions without ever having to interact with the prover that generated occurring on the network. π. Succinctness requires that (for a given security level) π has Our contribution. In this work we address the aforemen- constant size and can be verified in time that is linear in |x| tioned issues via two main contributions. (rather than linear in |C|). (1) We introduce the notion of a decentralized anonymous B. Decentralized anonymous payment schemes payment scheme, which formally captures the functionality and We construct a decentralized anonymous payment (DAP) security guarantees of a full-fledged decentralized electronic scheme, which is a decentralized e-cash scheme that allows currency with strong anonymity guarantees. We provide a con- direct anonymous payments of any amount. See Section III for struction of this primitive and prove its security under specific a formal definition. Here, we outline our construction in six cryptographic assumptions. The construction leverages recent incremental steps; the construction details are in Section IV. advances in the area of zero-knowledge proofs. Specifically, it Our construction functions on top of any ledger-based base uses zero-knowledge Succinct Non-interactive ARguments of currency, such as Bitcoin. At any given time, a unique valid Knowledge (zk-SNARKs) [9, 10, 11, 12, 13, 14, 15, 16]. snapshot of the currency’s ledger is available to all users. (2) We achieve an implementation of the above primitive, via The ledger is a sequence of transactions and is append- a system that we call Zerocash. Compared to Zerocoin, our only. Transactions include both the underlying currency’s system (at 128 bits of security): transactions, as well as new transactions introduced by our • Reduces the size of transactions spending a coin by 97.7%. construction. For concreteness, we focus the discussion below • Reduces the spend-transaction verification time by 98.6%. on Bitcoin (though later definitions and constructions are • Allows for anonymous transactions of variable amounts. stated abstractly). We assume familiarity with Bitcoin [20] • Hides transaction amounts and the values of coins held by and Zerocoin [8]. users. Step 1: user anonymity with fixed-value coins. We first • Allows for payments to be made directly to a user’s fixed describe a simplified construction, in which all coins have address (without user interaction). the same value of, e.g., 1 BTC. This construction, similar To validate our system, we measured its performance and to the Zerocoin protocol, shows how to hide a payment’s established feasibility by conducting experiments in a test origin.
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages16 Page
-
File Size-