Zerocash: Decentralized Anonymous Payments from Bitcoin (extended version)

Bitcoin is the rst digital currency to see widespread adoption. Although payments are conducted between pseudonyms, Bitcoin cannot oer strong privacy guarantees: payment transactions are recorded in a public decentralized ledger, from which much information can be deduced. Zerocoin (Miers et al., IEEE S&P 2013) tackles some of these privacy issues by unlinking transactions from the payment’s origin. Yet it still reveals payment destinations and amounts, and is limited in functionality. In this paper, we construct a full-edged ledger-based digital currency with strong privacy guarantees. Our results leverage recent advances in zero-knowledge Succinct Non-interactive ARguments of Knowledge (zk-SNARKs). We formulate and construct decentralized anonymous payment schemes (DAP schemes). A DAP scheme lets users pay each other directly and privately: the corresponding transaction hides the payment’s origin, destination, and amount. We provide formal denitions and proofs of the construction’s security. We then build Zerocash, a practical instantiation of our DAP scheme construction. In Zerocash, transactions are less than 1 kB and take under 6 ms to verify | orders of magnitude more ecient than the less-anonymous Zerocoin and competitive with plain Bitcoin.

[1]  Mihir Bellare,et al.  New Proofs for NMAC and HMAC: Security without Collision Resistance , 2006, Journal of Cryptology.

[2]  Eli Ben-Sasson,et al.  Succinct Non-Interactive Zero Knowledge for a von Neumann Architecture , 2014, USENIX Security Symposium.

[3]  Helger Lipmaa,et al.  Succinct Non-Interactive Zero Knowledge Arguments from Span Programs and Linear Error-Correcting Codes , 2013, IACR Cryptol. ePrint Arch..

[4]  George Danezis,et al.  Pinocchio coin: building zerocoin from a succinct pairing-based proof system , 2013, PETShop '13.

[5]  Emin Gün Sirer,et al.  Majority is not enough , 2013, Financial Cryptography.

[6]  Stefan Savage,et al.  A fistful of bitcoins: characterizing payments among men with no names , 2013, Internet Measurement Conference.

[7]  Eli Ben-Sasson,et al.  SNARKs for C: Verifying Program Executions Succinctly and in Zero Knowledge , 2013, CRYPTO.

[8]  Eli Ben-Sasson,et al.  On the concrete efficiency of probabilistically-checkable proofs , 2013, STOC '13.

[9]  Nir Bitansky,et al.  Recursive composition and bootstrapping for SNARKS and proof-carrying data , 2013, STOC '13.

[10]  Craig Gentry,et al.  Quadratic Span Programs and Succinct NIZKs without PCPs , 2013, IACR Cryptol. ePrint Arch..

[11]  Matthew Green,et al.  Zerocoin: Anonymous Distributed E-Cash from Bitcoin , 2013, 2013 IEEE Symposium on Security and Privacy.

[12]  Craig Gentry,et al.  Pinocchio: Nearly Practical Verifiable Computation , 2013, 2013 IEEE Symposium on Security and Privacy.

[13]  Adi Shamir,et al.  Quantitative Analysis of the Full Bitcoin Transaction Graph , 2013, Financial Cryptography.

[14]  Helger Lipmaa,et al.  Progression-Free Sets and Sublinear Pairing-Based Non-Interactive Zero-Knowledge Arguments , 2012, TCC.

[15]  Elaine Shi,et al.  Bitter to Better - How to Make Bitcoin a Better Currency , 2012, Financial Cryptography.

[16]  Nir Bitansky,et al.  From extractable collision resistance to succinct non-interactive arguments of knowledge, and back again , 2012, ITCS '12.

[17]  Fergal Reid,et al.  An Analysis of Anonymity in the Bitcoin System , 2011, 2011 IEEE Third Int'l Conference on Privacy, Security, Risk and Trust and 2011 IEEE Third Int'l Conference on Social Computing.

[18]  Craig Gentry,et al.  Separating succinct non-interactive arguments from all falsifiable assumptions , 2011, IACR Cryptol. ePrint Arch..

[19]  Jens Groth,et al.  Short Pairing-Based Non-interactive Zero-Knowledge Arguments , 2010, ASIACRYPT.

[20]  V. Kapoor,et al.  Elliptic curve cryptography , 2008, UBIQ.

[21]  Paul Valiant,et al.  Incrementally Verifiable Computation or Proofs of Knowledge Imply Time/Space Efficiency , 2008, TCC.

[22]  Yehuda Lindell,et al.  Introduction to Modern Cryptography (Chapman & Hall/Crc Cryptography and Network Security Series) , 2007 .

[23]  Rafail Ostrovsky,et al.  Non-interactive Zaps and New Techniques for NIZK , 2006, CRYPTO.

[24]  Eli Ben-Sasson,et al.  Short PCPs verifiable in polylogarithmic time , 2005, 20th Annual IEEE Conference on Computational Complexity (CCC'05).

[25]  Jan Camenisch,et al.  Compact E-Cash , 2005, EUROCRYPT.

[26]  Dan Boneh,et al.  Secure Identity Based Encryption Without Random Oracles , 2004, CRYPTO.

[27]  Rosario Gennaro,et al.  Multi-trapdoor Commitments and Their Applications to Proofs of Knowledge Secure Under Concurrent Man-in-the-Middle Attacks , 2004, CRYPTO.

[28]  George Danezis,et al.  Mixminion: design of a type III anonymous remailer protocol , 2003, 2003 Symposium on Security and Privacy, 2003..

[29]  Mihir Bellare,et al.  Key-Privacy in Public-Key Encryption , 2001, ASIACRYPT.

[30]  Nick Feamster,et al.  Dos and don'ts of client authentication on the web , 2001 .

[31]  Jan Camenisch,et al.  An Efficient System for Non-transferable Anonymous Credentials with Optional Anonymity Revocation , 2001, IACR Cryptol. ePrint Arch..

[32]  Silvio Micali,et al.  Computationally Sound Proofs , 2000, SIAM J. Comput..

[33]  Amnon Ta-Shma,et al.  Auditable, Anonymous Electronic Cash Extended Abstract , 1999, CRYPTO.

[34]  A. D. Santis,et al.  Non-Interactive Zero-Knowledge: A Low-Randomness Characterization of NP , 1999 .

[35]  Leonid A. Levin,et al.  Checking computations in polylogarithmic time , 1991, STOC '91.

[36]  S. Micali,et al.  The Knowledge Complexity of Interactive Proof Systems , 1989, SIAM J. Comput..

[37]  Eli Ben-Sasson,et al.  Fast Reductions from RAMs to Delegatable Succinct Constraint Satisfaction Problems (full version) , 2012 .

[38]  Luca Trevisan,et al.  Introduction to Modern Cryptography , 2000 .

[39]  David Chaum,et al.  Blind Signatures for Untraceable Payments , 1982, CRYPTO.

[40]  13-th IEEE International Conference on Peer-to-Peer Computing Information Propagation in the Bitcoin Network , 2022 .