Content uploaded by Alex Vazquez
Author content
All content in this area was uploaded by Alex Vazquez on Jan 17, 2019
Content may be subject to copyright.
ZeroCT: Improving Zerocoin with Confidential
Transactions and more
Alex Vazquez
alex@encrypt-s.com
January 17, 2019
Abstract
The Zerocoin protocol [4] is a set of cryptographic algorithms which
embedded in a cryptocurrency provide anonymous swap of tokens in a
mathematically provable way by using cryptographic accumulators. Func-
tionally it can be described as a black box where an actor can introduce an
arbitrary number of coins, and later withdraw them without leaving evi-
dence of connection between both actions. The withdrawing step admits
a destination for the coins different from the original minter, but uncondi-
tionally requires a previous mint action and does not accept the transfer
of coins without leaving the accumulator, thus exposing the traceability of
the coins. We propose an alternative design which for the first time com-
bines the virtues of Zerocoin [4] with those of Confidential Transactions
[17] offering fully-featured anonymous transactions between individuals
with private amounts.
1 Introduction
We can find implementations of Zerocoin in a “production” environment in
active projects like ZCoin [1] or PIVX [2]. Those stick to the original protocol [4]
where the set of actions a user can execute are limited to minting and spending
coins, working the system as a simple on-chain mixer where a previous step of
coin laundering is necessary before the transfer of value is anonymously possible.
Other alternative variations of the protocol [6] operate in a similar way, while
some newer variations [8] introduce the concept of sending Zerocoins to an
external party but still require an initial interactive setup step and only allow
one deposit per key. Although the system satisfies the necessary conditions to
consider it functionally anonymous, we would like to point out some drawbacks
from the original implementation for which we propose a solution in this paper.
1
•Because only transparent addresses exist, it promotes the use of the Ze-
rocoin accumulators as purely transitional for the laundering of coins be-
tween transparent addresses, being transaction traceability and address
linkability through chain analysis moderately plausible. Even if a mecha-
nism consisting of rewarding users for keeping coins in the Zerocoin pool
[7] is an example of good action to increase the anonymity set, it does not
prevent the fact that coins need to leave the anonymity pool in order to be
transferred, which is the final utility of a currency, to be transferred and
used. The anonymity of the Zerocoin protocol is upper-bounded by the
size of the pool of coins, while the size of the anonymity pool is linearly
related to the amount of coins sitting in the accumulators but inversely
correlated to the number of transactions between users.
We introduce the use of Anonymous Identities, similar to the concept of
Stealth Addresses existent in other cryptocurrencies, allowing the private
transfer of coins between different entities without the requirement of us-
ing transparent addresses and incorporating the size of the transactional
ledger to the anonymity pool.
•Privacy concerns aside, the use of clear-text denominations reduces the
usability of the system, by increasing the number of required coins and
therefore the total size of the necessary proofs. Let e0,··· , ezthe set
of different denominations supported by a Zerocoin implementation, the
transaction amount can be decomposed as z
i=0 aiei. For a single spend
proof message size W, the full communication cost for the spend proofs
of a transaction is a function of its value and can be expressed as
W
z
i=0
ai
By applying variations of known methods inspired by [17], our implemen-
tation allows the transfer of divisible amounts to be expressed as a secret
value only known to the participants of the transaction with the use of
just two Accumulators.
2 Notation
Let us define some notation and variables that will be used through this paper.
Let l≤ktwo security parameters determining the security of the zero knowledge
proofs and u≤(log2q)−2 the number of bits necessary to have enough precision
for transaction amounts. The concatenation of two bit arrays of arbitrary length
αand βis denoted by α||β. The binary operation XOR will be denoted with
the operator ⊕. Let H : {0,1}∗ → {0,1}la one-way cryptographic function
taking a bit array of arbitrary length as input and outputting a bit array of
length l. The function Hstakes an EC point as input and outputs the result of
2
feeding its binary representation into H. The bit in the position iof a bit array
ais denoted a[i], considering a[0] the bit in the left-most position of the array.
When describing Zero Knowledge proofs we will use the notation of Camenisch
and Stadler [15]. For instance, ZKSoK[m]{(x) : h=gx}denotes a signature
of knowledge on message m of the element x that satisfies h=gx, where all
values not enclosed in () are assumed to be known to the verifier. If Ais a
set, a←Ameans that ais chosen at random from Aaccording to the uniform
distribution. If Ais a function, a←A(···) means ais assigned the value
returned from executing Awith the given parameters.
3 A mathematical introduction to the Mint op-
eration
The Zerocoin protocol [4] defines the Mint operation as the operation of minting
new private tokens (Zerocoins in the original definition). As in a regular Bitcoin
transaction [3], it requires that the amount of inputs used to feed the transaction
is equal to the value of the minted private tokens plus any fees defined by the
network policies.
“To mint a zerocoin cof denomination d, Alice runs Mint(params)→(c,skc)
and stores skc securely. She then embeds cin the output of a Bitcoin transac-
tion that spends d+ fees classical bitcoins. Once a mint transaction has been
accepted into the block chain, cis included in the global accumulator A, and
the currency cannot be accessed except through a Zerocoin spend” [4]
Mathematically minting a coin means calculating a Pedersen Commitment
[12] which value will be later accumulated in the accumulator of the correspond-
ing denomination. A Pedersen Commitment is a one-way function where you
can commit to a value vunder a blinding factor swithout revealing the value
vuntil a later time:
c=gvhs(mod p)
Additionally this structure admits commitments to ndifferent values at the
same time in the form c=hsn
i=0 gvi
i. Each additional generator gican be
calculated as gi= H(gi−1) (mod p) for i≥1. For simplicity, we will denote v0
and g0as simply vand g.
Given c, finding sand vifor 0 ≤i≤nis known as the Discrete Loga-
rithm Problem, it’s “hard” to solve and there isn’t currently any known efficient
method for computing the solution in reasonable time even if some but not all of
the values of the set (s,v1, . . . , vn) are known. Because of the hardness of find-
ing suitable values for viand s, a Pedersen Commitment c←C(v,s,v1,...,vn)
is both hiding (the Commitment cdoes not reveal the value it commits to) and
3
binding (having made the Commitment cit’s not possible to open it with dif-
ferent values for vior s) as long as loggi′giis unknown with g= (h, gi,...,gn)
for 0 ≤i≤nand 0 ≤i′ ≤ n.
Pedersen Commitments also have homomorphic properties: The product of
two commitments is equal to the commitment to the sum of its values as in
C(va, sa)·C(vb, sb) = C(va+vb, sa+sb) = gvahsagvbhsb=gva+vbhsa+sb
In the same fashion, the division of two commitments equals the commitment
to the subtraction of its values as in
C(va, sa)
C(vb, sb)= C(va−vb, sa−sb) = gvahsa
gvbhsb=gvahsag−vbh−sb=gva−vbhsa−sb
The original Zerocoin protocol [4] uses a RNG to generate different values
for S←Z∗
q(serial number of the minted coin) and r←Z∗
q(randomness used
as a blind factor) to be used in the computation of c←C(S, r) until {cprime
—c∈[A, B]}[14]. The future spender of the minted coin is required to prove
knowledge of both values Sand rconstraining the spending action to the original
minter. Our contribution allows an actor to commit in zero knowledge to secret
values only known to an external party, even if those are publicly disclosed later.
4 Constructing a transaction
We will start defining how an anonymous identity is constructed. Let Bthe
public part of a Elliptic Curve key B=bG,j1←Z∗
q,k1←Z∗
q,j2←Z∗
q,
k2←Z∗
q,z1←C(j1, k1) and z2←C(j2, k2). The triplet (B, z1, z2) is known as
the anonymous identity I, which can be publicly shared and used as an address
where users can receive private coins. The tuple (b, j1, j2, z1, z2) is considered
a private view key P Kv iew and allows the wallet to identify which outputs
contain spendable private coins and when those coins are spent. P Kv iew can
be handed to an accountant to prove an account’s history of private transac-
tions without compromising the spending rights exclusivity of funds. The tuple
(b, j1, j2, k1, k2) is considered a private spend key P Kspend and allows to con-
struct the cryptographic proofs necessary to spend private coins. Anonymous
identities admit receiving as a single output an arbitrary and divisible amount
in the range [0,2u) denoted as w.
We redefine the Mint algorithm as Mint(params, I,w), so when Alice wants
to send coins to Bob’s Private Identity IBO B she:
1. Extracts B,z1and z2from IBO B .
4
2. Generates a new EC key A=aG and calculates a Diffie-Helman secret χ
using Bob’s EC public key B.
χ= Hs(aB) (mod q)
3. Uses H as a Pseudorandom Number Generator to compute σand taking
the shared secret χas the initial seed.
σ= H(χ) (mod q)
= H(σ) (mod 2u−1)
4. Lets c=zχ
1z2(mod p) and ←C(w,c,σ) .
5. Verifies cand are prime numbers and within the allowed range required
in the accumulator proof [14]. If the test fails, she repeats the process
going back to the second step. If it passes, she continues with the next
step.
6. Includes a zero knowledge range proof that the value committed in is a
positive number and lies in the range [0,2u).
NIZKPoK{(v, σ) : =gwhcgσ
1∧0≤v≤2u−1}
Methods like Bulletproofs [16] allow provers to bundle many range proofs
in one of compressed size, making it possible to compute one proof per
transaction instead of using the more expensive model of one-proof-per-
output.
7. Lets W=w⊕the amount obfuscated with .
8. Reveals (A, c, ,W) in the output of a transaction.
Considering the following equality is satisfied
c=zχ
1z2= (gj1)χ(hk1)χgj2hk2=g(j1χ+j2)h(k1χ+k2)(mod p)
we can claim c is equivalent to a Pedersen Commitment with one secret and one
randomness value. Alice knows z1,z2and χbut she does not have knowledge of
j1,j2,k1or k2because of the properties of the Pedersen Commitment and under
the assumption of the hardness of the Discrete Log Problem, thus she would be
committing without retaining the ability of later opening the commitment by
using the serial number S=j1χ+j2or the randomness r=k1χ+k2in the
construction of the proofs that are necessary to spend the coins. This scheme
retains the perfectly hidden property from the Pedersen Commitment construc-
tion as j1,j2,k1and k2are uniformly drawn from Z∗
qwhile χis calculated mod
q, being the distribution of the resulting j1χ+j2and k1χ+k2equally uniform.
5
An actor observing the chain and acting as a validator would accumulate c
and in different accumulators Aand Vrespectively.
The private key awill be stored by Alice and used to prove the minting of
specific coins without revealing Alice’s whole transaction history or identity.
Due to the use of only one anonymous identity to receive coins, this scheme
does not facilitate the use of short-lived addresses to identify individual pay-
ments, which is a common use case for merchants in other cryptocurrencies
like Bitcoin. To solve this we propose the calculation of an extra parameter
o= H() used to obfuscate a Payment ID/Message Mas in M′=M⊕o, being
the maximum admitted length for |M|the bit length of the output from the
chosen hash function H. M′can be attached to an extra metadata parameter of
a transaction, as an additional byte array in the output’s scriptPubKey or as
an OP RETURN OP PAYID script in a 0-value output from the transaction.
If Alice wants to anonymously spend private coins to fund the transaction,
she will need to construct and attach as inputs a set of spend proofs for each of
the outputs she wants to spend.
Tim Ruffing, Sri Aravinda Thyagarajan, Viktoria Ronge and Dominique
Schrder published a paper [5] describing a cryptographic denial-of-spending at-
tack against the original Zerocoin protocol where it would be possible to block a
transaction from being propagated in blocks and reusing its serial number Sto
create a new Zerocoin mint. If this new Zerocoin mint is spent earlier than the
honest coin, the honest coin’s serial number would be marked as spent making
the honest coin thus unspendable.
They propose to “use (as a serial number) a fresh verification key of an
ordinary signature scheme, which is strongly existentially unforgeable under
chosen message attacks. The spender will additionally sign spend transactions
under this verification key, and verifiers will additionally verify these signatures
using the verification key revealed as serial number.” [5]
This solution, already implemented in other cryptocurrencies, is not com-
pletely compatible as it is with the changes in the Zerocoin protocol proposed
in this paper, as the coin’s serial number is calculated by the sender in zero
knowledge.
As an alternative we propose the following scheme to achieve serial number
unforgeability:
•When computing a coin spend proof for a transaction’s input, we consider
Sa private key and provide the serial number’s public key Sinstead as in
S=gS(mod p)
6
•Alice will also include an extra zero knowledge proof of knowledge based
on a Schnorr identification protocol [9] transformed in a non-interactive
signature of knowledge using the Fiat-Shamir heuristic [10]:
ZKSoK[m]{(S) : S=gS}
This scheme removes an attacker’s ability to reuse a serial number to mint
a new coin and later proceed with a Denial-Of-Spending attack, as even if he
could mint a new coin with the serial number public key S, he’d be unable to
spend it without knowledge of the serial number private key S.
Further modification of the Spend algorithm is required to accommodate a
new transaction’s value commitment W.
W=gwgr
1=gwg(k1χ+k2)
1(mod p)
The description of the original algorithm in [4, Appendix B] defines πas a
signature of knowledge “composed of two proofs that (1) a committed value
cis accumulated and (2) that cis a commitment to S”. A prover using our
implementation will need to extend (1) with an extra proof of the accumulation
of in Vusing the accumulation witness w′, and substitute (2) with a new
proof to prove in zero knowledge that he knows the secrets of both cand ,
that commits to cas an exponent of hand that Wand commit to the same
transaction amount w:
π=ZK S oK [m]{(c, w, S, r, v, σ) :
AccVerify((N , u), A, c, w) = 1 ∧AccVerify((N, u), V, , w′) = 1∧
S=gS∧c=Shr∧=gwhcgσ
1∧W=gwgr
1}
As a quick draft, we propose the following protocol in order to produce a
proof to mathematically convince a verifier of the aforementioned statement.
Taken y=ϑcβv=ϑ(gShr)βvand Y=ϑβς=ϑ(gwhσgc
1)βςfrom the transcripts
of the AccVerify algorithm (used to prove the accumulation of cand in the
accumulators Aand Vas described in [14]), let aand bbe generators of a group
whose order equals the modulus of the group used for the Pedersen Commitment
c. Let v′ ← Z∗
n,ς′ ← Z∗
n,y′=a(gShr)bv′and Y′=a(gwhσgc
1)bς′. Using standard
and well known techniques, Alice will first prove with a discrete log equality
proof that both yand y′, and Yand Y′, open to the same values.
Then, inspired by the double discrete log proof described in [4, Appendix
B], Alice will prove she knows how to open y′,Y′and Wand will reuse the
challenges from the zero knowledge proof to argue for the fulfilment of the rest
of conditions:
7
•She will compute for each 1 ≤i≤l:
ρi,τi,αi,γi∈Zq
ζi,ϕi,ϖi∈Zn
ti=a(Shρi)bζi
υi=a(gτihγigαi
1)bϖi
µi=gτigρi
1
κi=aγibϕi
ω= H(m||y||y′||a||b||g||h||g1||W||S||t1|| ...||tl
||υ1|| ...||υl||µ1|| ...||µl||κ1|| ...||κl)
•For every bit ω[i], when its value equals 0, let
ξi=ρi
ιi=τi
δi=αi
ψi=ζi
νi=γi
Ωi=ϖi
ηi=ϕi
If ω[i] equals 1, let
ξi=ρi−r
ιi=τi−w
δi=αi−σ
ψi=ζi−v′h(ρi−r)
νi=γi−c
Ωi=ϖi−ς′g(τi−w)h(γi−c)g(αi−σ)
1
ηi=ϕi−v′
•The proof
(ω,ξ1,...,ξl,ι1,...,ιl,δ1,...,δl,ψ1,...,ψl,ν1,...,νl,Ω1,...,Ωl,η1,...,ηl)
is sent to the verifier.
8
•For every ω[i] he will check if it equals 0. In that case, let
t′i=a(Shξi)bψi
υ′i=a(gιihνigδi
1)bΩi
µ′i=gιigξi
1
κ′i=aνibηi
otherwise
t′i=y′(hξi)bψi
υ′i=Y′(gιihνigδi
1)bΩi
µ′i=Wgιigξi
1
κ′i=y′aνibηi
•He can now compute
ω′= H(m||y||y′||a||b||g||h||g1||W||S||t′1|| ...||t′l
||υ′1|| ...||υ′l||µ′|| ...||µ′||κ′1|| ...||κ′l)
•The proof is valid iffω≡ω′.
We point the interested reader to [13, Appendix A] in order to find a full
security proof of the original zero knowledge proof which served as an inspiration
to construct this.
This proof clearly increases the communication overhead compared with the
original proof. Considering Athe size of an accumulation proof, Ethe size
of a discrete logarithm equality proof and Cthe size of a challenge used in the
double logarithm proof, a transaction’s input communication cost of the original
protocol can be approximately denoted as
W=A+E+ 2lC
while the cost of the cryptographic proofs for an input in our proposal would be
W= 2A+ 2E+ 7lC
For a default l= 80, let e=2+2l
4+7l=162
564 ≈1
4the efficiency of our implementation,
we can use
(
z
i=0
ai≥e−1)?
= True
to determine if this protocol has a communicational cost advantage for a con-
crete transaction. Even if our proposal offers better anonymity properties and
9
shows itself more efficient than Zerocoin transactions with 4 or more inputs,
we strongly encourage research in the direction of designing more efficient zero
knowledge proofs.
The following table shows the count of single- and multi-exponentiation op-
erations needed to construct and verify the different cryptographic proofs which
are part of the coin spend algorithm. Count of scalar arithmetic operations,
multiplicative inverse calculations, hash functions or other operations out of the
exponentiation realm are intentionally excluded from the scope of the table for
simplicity, as their computational cost is considered marginally low.
Table 1: Count of operations of exponentiations of n powers
n=1 n=2 n=3
Accumulation Proof Prove 1 8 2
Verify 0 0 7
DL Equality Proof Prove 0 2 0
Verify 0 0 2
Ext. Double DL Proof Prove 2l 4l 2l
Verify l 4l l
Coin Serial Signature Prove 2 0 0
Verify 2 0 0
5 A transaction’s amount signature
We substitute the public amounts from transactions with secret values hidden in
the coin and spend proof commitments. The amounts being publicly verifiable
is a key part of how traditional blockchains work to confirm all value transfers
occur inside of a constrained money supply limit and that no user is able to
spend more coins than those he proved ownership of.
For a transaction Twith minputs and noutputs we will also require the
transaction fee (following strict network policies) to appear explicit as the last
output at index nwith transparent amount f. This output can be denoted with
a special un-spendable script like OP RETURN OP FEE.
Once the explicit-fee output is added to the output’s array of the transaction,
Alice will be able to sign the transaction using the public key Nas in
N=m
i=0 Wi
gfn−1
i=0 ih−ci
=g(w′0+···+w′m)g(r0+···+rm)
1
g(f+w0+···+wn−1)g(σ0+···+σn−1)
1
(mod p)
10
only if the committed amounts in Wiand the committed amounts in i+f
match m
i=0
w′i−f−
n−1
i=0
wi
?
= 0
by using
m
i=0
ri−
n−1
i=0
σi(mod q)
as a private key.
6 Validating transactions
Bob will scan all the incoming new transactions (as he already does) and for
every output containing a Zerocoin mint, he will:
1. Reject the transaction if:
•The range proof for the outputs’ amount is not valid or
•The fee is not explicitly included or does not strictly meet the network
policies or
•Broadcasted values cand are not prime numbers or in the required
range or
•The transaction is not signed by N.
2. Extract b,z1and z2from his own P Kview .
3. Calculate a Diffie-Helman secret χ′using his own EC private key band
Alice’s EC public key A.
χ′= Hs(bA) (mod q)
4. Derive σ′and ′from χ′.
σ′= H(χ′) (mod q)
′= H(σ′) (mod 2u−1)
5. Decode the transaction amount into w′.
w′=W′ ⊕ ′
6. Reconstruct ′and c′.
c′=zχ′
1z2(mod p)
′=gw′hc′gσ′
1(mod p)
11
7. Iffc′and ′equals the values of cand submitted by Alice, Bob recognises
the output as spendable and securely stores it, so he can later calculate
the spend proofs.
As an improvement to the original specification, Bob or an accountant will be
able to reconstruct his whole transaction history of private coins by simply using
his private view key PKv iew with very low computing costs. He will need to
keep P Kview on memory to verify outputs and calculate an unspendable private
coin pc. This is considered safe, as an adversary accessing the memory resources
of Bob’s system won’t be able to steal the funds. Only when a Spend action
is performed, the private spend key P Kspend is unencrypted and temporarily
stored in memory while the proofs are constructed, reducing the likeliness of an
unauthorised access to the coins in the same manner as in the regular spending
of Bitcoin occurs.
However compromising P Kv iew from the memory space of the wallet, or
compromising access to the wallet’s database local file, would entirely compro-
mise the privacy and act as a source of evidence for an adversary as he would
be able to undoubtedly identify previous and future transactions. We encour-
age to implement full encryption for the whole wallet database to prevent those
leakages.
Acknowledgement
We would like to specially thank Samuel Dobson, Guy Kloss, the Veil develop-
ment team, Jonathan Cressman and Sarang Noether for reviewing the soundness
of this paper and providing their constructive input. Marcus Chan for reviewing
the copywriting of this paper. Craig MacGregor for coordinating reviews and
overseeing the production of this paper. Please note that reviewers of this paper
have not been commercially engaged, nor should their review of this paper be
considered an endorsement of the papers content or imply any liability what-
soever regarding the application of the private transaction methods the paper
describes.
References
[1] Zcoin. https://zcoin.io
[2] PIVX. https://pivx.org
[3] S. Nakamoto, Bitcoin: A peer-to-peer electronic cash system, 2009. 2012.
http://www.bitcoin.org/ bitcoin.pdf
12
[4] Ian Miers, Christina Garman, Matthew Green, Aviel D. Ru-
bin: Zerocoin: Anonymous Distributed E-Cash from Bitcoin.
http://zerocoin.org/media/pdf/ZerocoinOakland.pdf
[5] Tim Ruffing, Sri Aravinda Thyagarajan, Viktoria Ronge, Do-
minique Schrder: Burning Zerocoins for Fun and for Profit A
Cryptographic Denial-of-Spending Attack on the Zerocoin Protocol.
https://www.chaac.tf.fau.de/files/2018/04/attack-cryptocur.pdf
[6] Jens Groth, Markulf Kohlweiss. One-out-of-Many Proofs: Or How to Leak
a Secret and Spend a Coin https://eprint.iacr.org/2014/764.pdf
[7] zPOS / zPIV Staking Rewards https://www.reddit.com/r/pivx/comments/82w7s0/
[8] The NIX Developer Team: Pedersen Anonymous De-
posits: Commitment Key Packs https://nixplatform.io/wp-
content/uploads/2018/10/Commitment Key Packs v1-0-1.pdf
[9] Claus P. Schnorr. Efficient signature generation for smart cards. Journal
of Cryptology, 4(3):239252, 1991.
[10] Amos Fiat and Adi Shamir. How to Prove Yourself: Practical Solutions
to Identification and Signature Problems. CRYPTO 1986: pp. 186-194
[11] Christina Garman, Matthew Green, Ian Miers, and Aviel D. Rubin Ra-
tional Zero: Economic Security for Zerocoin with Everlasting Anonymity.
https://www.ifca.ai/fc14/bitcoin/papers/bitcoin14 submission 12.pdf
[12] Pedersen T.P. (1992) Non-Interactive and Information-Theoretic Secure
Verifiable Secret Sharing. In: Feigenbaum J. (eds) Advances in Cryptology
CRYPTO 91. CRYPTO 1991. Lecture Notes in Computer Science, vol 576.
Springer, Berlin, Heidelberg
[13] Ian Miers. Decentralized Anonymous Payments. 2017
[14] J. Camenisch and A. Lysyanskaya, Dynamic accumulators and application
to efficient revocation of anonymous credentials. in CRYPTO 02, 2002, pp.
6176.
[15] J. Camenisch and M. Stadler, Efficient group signature schemes for large
groups. in CRYPTO 97, vol. 1296 of LNCS, 1997, pp. 410424.
[16] Bunz, B., Bootle, J., Boneh, D., Poelstra, A., Maxwell, G.: Bulletproofs:
short proofs for confidential transactions and more. Cryptology ePrint
Archive, Report 2017/1066 (2017).
[17] Greg Maxwell, Confidential Transactions
https://people.xiph.org/˜greg/confidential values.txt
13
