Zerocash: Decentralized Anonymous Payments from Bitcoin
Decentralized anonymous payments from Bitcoin, Ben-Sasson et al.

Yesterday we saw that de-anonymising techniques can learn a lot about the true identities of participants in Bitcoin transactions. While users may employ many identities or pseudonyms to enhance their privacy, an increasing body of research shows that anyone can de-anonymize Bitcoin by using information in the blockchain, such as the structure of the transaction graph as well as the value and dates of transactions.
As a result, Bitcoin fails to offer even a modicum of the privacy provided by traditional payment systems, let alone the robust privacy of anonymous e-cash schemes. Think about it, once de-anonymised, the complete record of all your transactions — amounts, dates, recipients and so on — becomes public record.
One possible solution is to use mixes (aka laundries or tumblers) that pool and mix coins using a trusted central party. This is not for the average user, the authors claim. Besides, having anonymity depend on a trusted central party seems at odds with a decentralised payment system. So, Ben-Sasson et al. argue, to protect their privacy users thus need an instant, risk-free, and, most importantly, automatic guarantee that data revealing their spending habits and account balances is not publicly accessible by their neighbors, co-workers, and the merchants with whom they do business.
Thankfully the paper is more approachable than I feared, although many of the cryptographic assertions I just have to take on faith. There are two nice constructions in the paper that help to tame some of the complexity.
Firstly, we get an abstract definition of a decentralised anonymous payment (DAP) scheme (section 3), which allows us to reason about the operations without being burdened by a particular cryptographic scheme. Secondly, we get a 6-step gradual build-up (section 1).

A DAP is built on top of an underlying append-only ledger-based currency such as Bitcoin; call it the Basecoin. The ledger includes Basecoin transactions, as well as two new types of transactions: mint transactions and pour transactions. Users of the scheme generate at least one address key pair, with a public key enabling others to direct payments to the user and a secret key used to send payments. Coins are of course just data objects; their attributes, and the operations of the scheme, are set out in the next section. A mint transaction records that a coin with a given commitment and value has been minted. More on these later.

A DAP guarantees a number of security properties (see section 3). The proofs that transactions carry are zk-SNARKs; the succinct property (the S in SNARK) means that proofs are short and easy to verify. In the authors' words: we are interested in zk-SNARKs for arithmetic circuit satisfiability, and the most efficient ones for this language are based on quadratic arithmetic programs; such constructions provide a linear-time KeyGen, quasilinear-time Prove, and linear-time Verify. This allows the DAP scheme implementation to be practical, as our experiments show.

You can find the Zerocash project online at http:
A decentralised anonymous payment (DAP) scheme

A coin c has the following attributes:
- A coin commitment, a string that appears on the ledger once the coin is minted.
- A coin value, measured in basecoins. This is an integer between 0 and some system maximum.
- A coin serial number, a unique string associated with the coin, used to prevent double spending.
- A coin address, an address public key representing the owner of c.

Coins may have other attributes, but these are implementation details of particular DAP instantiations. Given this setup, a DAP scheme comprises 6 abstract operations:
- Setup is a one-time operation executed by a trusted party to initialise the system and publish its public parameters. After this setup no trusted party is needed and no global secrets or trapdoors are kept.
- CreateAddress generates a new address key pair.
- Mint generates a coin of a given value and a mint transaction.
- Pour transfers value from input coins to new output coins, marking the input coins as consumed.
- VerifyTransaction checks the validity of a transaction.
- Receive scans the ledger and retrieves unspent coins paid to a particular address.

Building up an intuition (Section 1)

The simplest base system provides for user anonymity using fixed-value coins. Coins are minted by sampling a random serial number sn and a trapdoor r, and from these computing a coin commitment. This first phase depends on an ever-growing ledger of all coin commitments.
Keeping a linear list of all coin commitments is inefficient; instead, let's keep the ledger using an efficiently updatable, append-only, collision-resistant hash-based Merkle tree. This reduces time and space complexity from linear to logarithmic. Using Merkle trees of depth 64, Zerocash can support up to 2^64 coins (one leaf per commitment).

The concept of addresses is introduced to provide for direct anonymous payments. Without this step, every previous owner of a coin can track its future spending because those owners know its serial number sn. The pour operation is also introduced at this step for spending coins. Sending the new coins generated by a pour to another user requires that the recipient know the secret values associated with them. At this juncture we can mint, merge, and split coins, but there is no way to redeem a coin and convert it back into the Basecoin currency.
The pour operation is modified to include a public output that can be used to specify the destination of redeemed funds. To prevent embezzlement by re-targeting the public output of a pour transaction, digital signatures are introduced so that any tampering can be detected.

The protocol is now being developed in a full digital currency, called Zcash: "If Bitcoin is like http for money, Zcash is https — a secure transport layer."
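The following is an added toy model, written for this summary and not code from the paper or from the Zerocash or Zcash projects, of the DAP operations listed above and of steps 1 to 4 of the build-up: coins with a commitment, value, serial number and owner address; an append-only Merkle tree of commitments with logarithmic-size membership witnesses; and a pour that reveals the serial number so a second spend of the same coin is rejected. Every name (Coin, CommitmentTree, Ledger.pour, address_pk) and both derivations (the commitment as a hash of trapdoor, owner key, value and a secret rho; the serial number as a hash of the owner's secret key and rho, the paper uses a PRF) are the example's own simplifications. The zk-SNARK that makes a real pour anonymous is replaced by checks done in the clear, so this shows the bookkeeping that the proof attests to, not the anonymity.

```python
import hashlib
import os
from dataclasses import dataclass

DEPTH = 4  # toy depth; the paper's trees have depth 64 (2^64 coins)

def H(*parts: bytes) -> bytes:  # collision-resistant hash for commitments and tree nodes
    h = hashlib.sha256()
    for p in parts:
        h.update(p)
    return h.digest()

def address_pk(sk: bytes) -> bytes:  # address key pair is (sk, address_pk(sk)); toy derivation
    return H(b"addr", sk)

@dataclass(frozen=True)
class Coin:
    pk: bytes   # owner's address public key
    v: int      # value in basecoins
    rho: bytes  # secret from which the serial number is derived
    r: bytes    # commitment trapdoor
    cm: bytes   # coin commitment, the only part that appears on the ledger

def commit(pk: bytes, v: int, rho: bytes, r: bytes) -> bytes:
    return H(b"cm", r, pk, v.to_bytes(8, "big"), rho)

def serial_number(sk: bytes, rho: bytes) -> bytes:
    # Step 3: sn depends on the owner's secret key, so earlier owners cannot predict it
    return H(b"sn", sk, rho)

def mint(pk: bytes, v: int) -> Coin:
    rho, r = os.urandom(32), os.urandom(32)
    return Coin(pk, v, rho, r, commit(pk, v, rho, r))

class CommitmentTree:  # append-only Merkle tree of fixed depth, capacity 2**depth leaves
    def __init__(self, depth: int = DEPTH):
        self.depth = depth
        self.leaves: list[bytes] = []
        self.empty = [H(b"empty")]  # hash of an all-empty subtree, per level
        for _ in range(depth):
            self.empty.append(H(self.empty[-1], self.empty[-1]))

    def append(self, cm: bytes) -> int:
        self.leaves.append(cm)
        return len(self.leaves) - 1

    def _node(self, level: int, index: int) -> bytes:
        if index * 2 ** level >= len(self.leaves):
            return self.empty[level]  # whole subtree still empty
        if level == 0:
            return self.leaves[index]
        return H(self._node(level - 1, 2 * index), self._node(level - 1, 2 * index + 1))

    def root(self) -> bytes:
        return self._node(self.depth, 0)

    def path(self, index: int) -> list[bytes]:  # sibling hashes leaf to root: the log-size witness
        siblings = []
        for level in range(self.depth):
            siblings.append(self._node(level, index ^ 1))
            index >>= 1
        return siblings

def verify_path(root: bytes, cm: bytes, index: int, siblings: list[bytes]) -> bool:
    node = cm
    for s in siblings:
        node = H(node, s) if index % 2 == 0 else H(s, node)
        index >>= 1
    return node == root

class Ledger:
    def __init__(self, depth: int = DEPTH):
        self.tree = CommitmentTree(depth)
        self.spent: set[bytes] = set()  # serial numbers revealed by pours

    def pour(self, sk: bytes, coin: Coin, index: int, out_pk: bytes) -> tuple[bytes, Coin, int]:
        # Zerocash proves these facts with a zk-SNARK; the toy checks them in the clear (not anonymous)
        if address_pk(sk) != coin.pk or commit(coin.pk, coin.v, coin.rho, coin.r) != coin.cm:
            raise ValueError("spender does not own this coin")
        if not verify_path(self.tree.root(), coin.cm, index, self.tree.path(index)):
            raise ValueError("commitment not in ledger")
        sn = serial_number(sk, coin.rho)
        if sn in self.spent:
            raise ValueError("double spend: serial number already revealed")
        self.spent.add(sn)
        new = mint(out_pk, coin.v)  # value conserved: one output coin of equal value
        return sn, new, self.tree.append(new.cm)

def double_spend_rejected() -> bool:
    # constructed scenario: Alice mints a 5-basecoin coin, pours it to Bob, then tries again
    ledger, alice_sk, bob_sk = Ledger(), os.urandom(32), os.urandom(32)
    coin = mint(address_pk(alice_sk), 5)
    idx = ledger.tree.append(coin.cm)
    ledger.pour(alice_sk, coin, idx, address_pk(bob_sk))
    try:
        ledger.pour(alice_sk, coin, idx, address_pk(bob_sk))  # second spend of the same coin
    except ValueError:
        return True
    return False
```

Note what the ledger actually sees in this model: commitments appended to the tree and serial numbers revealed by pours. Nothing on the ledger links a revealed serial number back to the commitment it came from, which is the separation the paper's zero-knowledge proof preserves while still letting verifiers check the same membership, ownership and balance conditions that `pour` checks here in the clear.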