Presentation is loading. Please wait.

Presentation is loading. Please wait.

ZeroCash: ZeroCoin meets SCIPR-lab Eli Ben-Sasson (Technion), Joint work with Alessandro Chiesa (MIT), Christina Garman (JHU), Matthew Green (JHU), Ian.

Published byMacie Dockrey Modified over 9 years ago

Similar presentations

Presentation on theme: "ZeroCash: ZeroCoin meets SCIPR-lab Eli Ben-Sasson (Technion), Joint work with Alessandro Chiesa (MIT), Christina Garman (JHU), Matthew Green (JHU), Ian."— Presentation transcript:

1 ZeroCash: ZeroCoin meets SCIPR-lab Eli Ben-Sasson (Technion), Joint work with Alessandro Chiesa (MIT), Christina Garman (JHU), Matthew Green (JHU), Ian Miers (JHU), Eran Tromer (TAU), Madars Virza (MIT) www.zerocoin.orgwww.SCIPR-lab.org

2 Bitcoin’s Anonimity Problem (BAP) BAP: – If Alice pays Bob in Bitcoins, she gains information about his spending of those coins … – … And Bob gains information about Alice’s spending of her other Bitcoins How? Analyze transaction-graph [Reid, Harrigan`11; …] Solution: Use a bitcoin mix/laundry/tumbler – give Bitcoins to trusted pool, retrieve later – Problems: (1) every tx must go thru mix, (2) trust mix? – Acceptable if have much to hide, not so for average honest user ZeroCash practically solves Bitcoin’s anonymity problem

3 Should we solve Bitcoin’s Anonymity Problem? Is ZeroCash good or evil? To answer that, first answer – Is Bitcoin good? Is a decentralized payment system good? – (Is a decentralized info./comm. system – Internet – good?) – Is it good for such a system to leak (part of) your spending information to every one of your payers and payees? But what about regulation? – It is up to society to agree on the acceptable regulation of Bitcoin and similar decentralized payment systems – Jury still out (ditto for Internet) – When decisions are made, the “engine” under ZeroCash’s hood (Zero Knowledge Proofs) can help implement! No Yes! Ergo, ZeroCash is good

4 Talk outline Anonymous electronic payments – Pre-bitcoin – e-cash and beyond – Post-bitcoin – Zerocoin, PinnochioCoin – Introducing ZeroCash Zero Knowledge (ZK) – SNARKs – SCIPR-lab ZeroCash: a peek under the hood

5 Pre-bitcoin anonymous e-cash E-cash [Chaum `82,…] – Anonymous – Blind signatures by bank’s secret key used to mint coins – Problems: (1) central secret, (2) central trusted party [Sander, Ta-Shma `99] removed need for secret – Bank mints coins using Zero-Knowledge (ZK) arguments and Merkle trees (more on these later) – Anonymous, secret-less, efficient * e-cash system – Problems: (2) central trusted party, (3) divisibility * Assuming efficient non-interactive ZK arguments of knowledge. (BAP: Blockchain structure leaks information to payer and payee)

6 Post-bitcoin anonymous e-cash [based on Sander Ta-Shma `99] ZeroCoin [Miers, Garman, Green, Rubin `13] – Uses efficient* ZK proofs and RSA-accumulator – Extends Bitcoin with `decentralized laundry’ – No Bank, only trusted ledger (e.g., Blockchain) – Implemented as Bitcoin extension! Problems – Efficiency: 25Kb/spend, must appear on blockchain – Non-fungible, non-divisible, single-denomination system (allowing fungibility/divisibility compromises anonymity) Pinocchio-Coin [Danezis, Fournet, Kohlweiss, Parno ‘13] – Done concurrently to, and independently of, ZeroCash – Solves efficiency problem: 344 bytes/spend * ! – based on “Pinnochio” ZK [Parno et al. `13] – Scalability problem: tx-generation time grows linearly with #coins – Non-fungible/divisble, single-denomination (same as Zerocoin) Zerocash: divisible anonymous e-cash Solves the problems of zerocoin and pinnochio-coin: – Efficiency 288 bytes/spend * at 128-bit security level, Verification: 9ms/spend * Tx created 3min./spend * on single core i7 @ 2.7 GHz – Tx-generation scales logarithmically with #coins (up to 2 64 coins) – Fungible and divisible, hides payer, payee, and denomination Usual restrictions and disclaimers, read fine print Zerocash: divisible anonymous e-cash Solves the problems of zerocoin and pinnochio-coin: – Efficiency 288 bytes/spend * at 128-bit security level, Verification: 9ms/spend * Tx created 3min./spend * on single core i7 @ 2.7 GHz – Tx-generation scales logarithmically with #coins (up to 2 64 coins) – Fungible and divisible, hides payer, payee, and denomination Usual restrictions and disclaimers, read fine print * Size of the ZK-proof part of a spend-tx; actual spend-tx size is larger Fine print – Relatively new crypto assumptions – pairing-based cryptography, knowledge-of-exponent, … -- can use more cryptanalysis – To spend, need (public) key of size 0.9Gb (downloaded only once) – Public key must be set up (only once) by trusted party using a random trapdoor which must be destroyed (no secrets afterwards) – … otherwise party with trapdoor can forge tx, but cannot break anonymity Fine print – Relatively new crypto assumptions – pairing-based cryptography, knowledge-of-exponent, … -- can use more cryptanalysis – To spend, need (public) key of size 0.9Gb (downloaded only once) – Public key must be set up (only once) by trusted party using a random trapdoor which must be destroyed (no secrets afterwards) – … otherwise party with trapdoor can forge tx, but cannot break anonymity Fine print – Relatively new crypto assumptions – pairing-based cryptography, knowledge- of-exponent, … -- can use more cryptanalysis – To spend, need (public) key of size 0.9Gb (downloaded only once) – Public key must be set up (only once) by trusted party using a random trapdoor which must be destroyed (no secrets afterwards) – … otherwise party with trapdoor can forge tx, but cannot break anonymity Fine print – Relatively new crypto assumptions – pairing-based cryptography, knowledge- of-exponent, … -- can use more cryptanalysis – To spend, need (public) key of size 0.9Gb (downloaded only once) – Public key must be set up (only once) by trusted party using a random trapdoor which must be destroyed (no secrets afterwards) – … otherwise party with trapdoor can forge tx, but cannot break anonymity

7 Talk outline Anonymous electronic payments – Pre-bitcoin – e-cash and beyond – Post-bitcoin – Zerocoin, PinnochioCoin – Introducing ZeroCash Zero Knowledge (ZK) – SNARKs – SCIPR-lab ZeroCash: a peek under the hood

8 Zero Knowledge [Goldwasser, Micali, Rackoff ‘89] Concrete bitcoin-based statement+proofs – Statement: “I own 30 bitcoins with total value 123.5 BTC” Ownership means knowledge of coin-keys. – proof: point to 30 coins on blockchain, use each coin-key to encrypt a message – Problem: proof leaks knowledge about coin-ownership! ZK-proof of knowledge: cryptographic proof that – cannot be (efficiently) generated without knowing keys – can be efficiently generated with keys – can be easily verified – reveals no information about coins ZK-proofs exist for any statement that can be efficiently computable with auxiliary secrets/trapdoors (NP-statement) – How? Magic! (2009 Godel award; 2012 Turing Award to Goldwasser+Micali) Efficiency of ZK-proofs is a huge research topic, ZeroCash uses cutting-edge techniques from SCIPR-lab

9 Academic pedigree of ZeroCash’s “ZK engine” Theory – We use a ZK preprocessing Succinct Noninteractive ARgument of Knowledge (SNARK for short), aka succinct NIZK, succinct CS proof, ZKA, … – Construction relies on pairings over elliptic curves, quadratic span programs, linear PCPs, FFTs, quasilinear PCPs, … […; Groth; Lipmaa; Ishai, Kushilevitz, Ostrovsky; Gennaro, Gentry, Parno, Raykova; Bitansky, Chiesa, Ishai, Ostrovsky, Paneth; Ben-Sasson, Chiesa, Genkin, Tromer; … 2010-14] Implementations (for general purpose programs) – Pinnochio [Parno, Gentry, Howell, Raykova `13] – “SNARKs for C” [B, Chiesa, Genkin, Tromer, Virza `13] by SCIPR-lab

10 www.SCIPR-lab.org “… is an academic collaboration of researchers from MIT, Technion, and Tel Aviv University, seeking to bring to practice cryptographic proof systems that provide S uccinct C omputational I ntegrity and PR rivacy.” Started in summer 2009 with Eran Tromer (co-PI), Alessandro Chiesa, Daniel Genkin. Madars Virza joined 2012 Initial funding: European Research Council (grant # 240258), major source of support for programming team: Ohad Barta *, Lior Greenblat, Shaul Kfir, Michael Riabzev, Gil Timnat, Arnon Yogev * (* emeritus) [Ad: seeking superb crypto+math programmer!]

11 SCIPR-lab meets ZeroCoin Both presented at Bitcoin 2013, San Jose ZeroCoin videoSCIPR-lab video – SCIPR-lab builds general-purpose programs (“Turing complete”) CRYPTO`13 videoCRYPTO`13 video Powerful, yet cumbersome systems – ZeroCoin needs specific optimized program … ZeroCash

12 Talk outline Anonymous electronic payments – Pre-bitcoin – e-cash and beyond – Post-bitcoin – Zerocoin, PinnochioCoin – Introducing ZeroCash Zero Knowledge (ZK) – SNARKs – SCIPR-lab ZeroCash: a peek under the hood

13 ZeroCash and Base-currency ZeroCash works over any base-currency with – public ledger and consensus mechanism (like PoW) – Like BitCoin and its offspring ZeroCash supports – Transactions of base-currency – Converting coins to ZeroCash and vice versa – Fully anonymous ZeroCash transactions … Fungible and divisible, Splitting and merging of coins, Hidden coin-owner and coin values – … with public transaction fees (and other payments) on them

14 ZeroCash transactions Mint: (no ZK-SNARK) – Converts a base-currency coin with value v into new ZeroCash coin c with value v Pour: (uses ZK-SNARK) – Takes the sum value v of (up to) 2 ZeroCash coins and – Pours v into (up to) 2 new ZeroCash coins (hidden values), 1 public payment (public value) Disclaimer: Simplified ZeroCash protocol, real one to appear in paper

15 Pour-tx, viewed by Full-node (verifier) Coin is commitment c:= hash(val, r serial, addr pub ), controlled by secret address addr sec – addr pub = f(addr sec ), f is pseudorandom function (PRF) – Serial number is sn = f(addr sec, r serial ), “destroys” coin when displayed on ledger Full-nodes (verifiers) maintain – Merkle tree of all previous coins – List of all previously exposed serial numbers – Crucial: observer cannot link sn to c ! Pour-tx is (sn, sn’, r, v pub, c’’,c’’’, π,…) – sn, sn’ destroy 2 old coins (preventing double-spend) – r is root of (current) Merkle tree – v pub is public value (used, e.g., for tx-fee) – c’’, c’’’ new coins – π is a 288-byte long ZK-SNARK for a statement described later When full-node sees new pour-tx: 1.Verifies π (9 ms) 2.Checks that sn, sn’ haven’t appeared and adds them to L 3.If 1,2 pass, then adds c’’, c’’’ to tree, updates root r, and collects v pub a 2 = H(c 3, c 4 ) r= H(z 1, z 2 ) a 1 = H(c 1, c 2 ) c2c2 c1c1 c3c3 c4c4 … … Disclaimer: Simplified ZeroCash protocol, real one to appear in paper L={sn 1, sn 2, … }

16 Constructing Pour-tx (prover) Coin is commitment c:= hash(val, r serial, addr pub ) controlled by secret address addr sec – addr pub = f(addr sec ), f is pseudorandom function (PRF) – Serial number is sn = f(addr sec, r serial ), “destroys” coin when displayed on ledger Inputs – 2 coins c, c’, hidden information, and location in tree – Information for new coins: values v’’,v’’’,v pub Public addresses of payees addr’’ pub, addr’’’ pub – Proving key (0.9 Gb long) Pour-tx is (sn, sn’, r, v pub, c’’,c’’’, π, …) π is a ZK-SNARK proof of statement: What about Bitcoin/ZeroCash regulation? – When society decides on appropriate measures, efficient ZK- proofs can help implement them r= H(z 1, z 2 ) c2c2 c1c1 c3c3 c4c4 … … “ know location of coins c, c’ in tree with root r, know coin values v, v’ and computed correctly serial numbers as sn, sn’, know hidden values v’’, v’’’ of c’’, c’’’ and sum of old coins (v+v’) equals that of new ones (v’’+v’’’+v pub ) and … “ L={sn 1, sn 2, … } and paid due taxes and contributed 10% to charity …“ Disclaimer: Simplified ZeroCash protocol, real one to appear in paper

17 ZeroCash: SCIPR-lab meets ZeroCoin First fungible, divisible, anonymous payment system based on decentralized ledger (like Bitcoin), with implementation, which solves Bitcoin’s Anonymity Problem, using cutting-edge constructions of ZK-proofs When will ZeroCash be ready? – Paper published May 18 @ “Oakland Security” conference (hopefully earlier online) – Code to be open-sourced when ready – No further comments on deployment  [Ad: SCIPR-lab needs superb crypto+math programmer]

Download ppt "ZeroCash: ZeroCoin meets SCIPR-lab Eli Ben-Sasson (Technion), Joint work with Alessandro Chiesa (MIT), Christina Garman (JHU), Matthew Green (JHU), Ian."

Similar presentations

Zerocash Decentralized Anonymous Payments from Bitcoin

Zerocash Decentralized Anonymous Payments from Bitcoin
Secure Multiparty Computations on Bitcoin

Secure Multiparty Computations on Bitcoin
Efficient Zero-Knowledge Proof Systems Jens Groth University College London.

Efficient Zero-Knowledge Proof Systems Jens Groth University College London.
1 Integrity for Car-Computing A cryptographic vision for integrity in vehicle networks Eran Tromer Transportation CybserSecurity 18 Feb 2014.

1 Integrity for Car-Computing A cryptographic vision for integrity in vehicle networks Eran Tromer Transportation CybserSecurity 18 Feb 2014.
Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Sigma Protocols and (Non-Interactive) Zero Knowledge.

Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Sigma Protocols and (Non-Interactive) Zero Knowledge.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
VIS-À-VIS CRYPTOGRAPHY : PRIVATE AND TRUSTWORTHY IN-PERSON CERTIFICATIONS IAN MIERS*, MATTHEW GREEN* CHRISTOPH U. LEHMANN †, AVIEL D. RUBIN* *Johns Hopkins.

VIS-À-VIS CRYPTOGRAPHY : PRIVATE AND TRUSTWORTHY IN-PERSON CERTIFICATIONS IAN MIERS*, MATTHEW GREEN* CHRISTOPH U. LEHMANN †, AVIEL D. RUBIN* *Johns Hopkins.
Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!

Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!
Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.

Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.
Secure Digital Currency: Bitcoin Amir Houmansadr CS660: Advanced Information Assurance Spring 2015 Content may be borrowed from other resources. See the.

Secure Digital Currency: Bitcoin Amir Houmansadr CS660: Advanced Information Assurance Spring 2015 Content may be borrowed from other resources. See the.
Ian Miers Christina Garman | Matthew Green | Avi Rubin Zerocoin: Anonymous Distributed E-Cash from Bitcoin.

Ian Miers Christina Garman | Matthew Green | Avi Rubin Zerocoin: Anonymous Distributed E-Cash from Bitcoin.
Slide 1 Vitaly Shmatikov CS 378 Digital Cash. slide 2 Digital Cash: Properties uDigital “payment message” with properties of cash uUnforgeable Users cannot.

Slide 1 Vitaly Shmatikov CS 378 Digital Cash. slide 2 Digital Cash: Properties uDigital “payment message” with properties of cash uUnforgeable Users cannot.
Sub-linear Zero-Knowledge Argument for Correctness of a Shuffle Jens Groth University College London Yuval Ishai Technion and University of California.

Sub-linear Zero-Knowledge Argument for Correctness of a Shuffle Jens Groth University College London Yuval Ishai Technion and University of California.
Payment Systems 1. Electronic Payment Schemes Schemes for electronic payment are multi-party protocols Payment instrument modeled by electronic coin that.

Payment Systems 1. Electronic Payment Schemes Schemes for electronic payment are multi-party protocols Payment instrument modeled by electronic coin that.
Efficient Zero-Knowledge Proof Systems Jens Groth University College London FOSAD 2014.

Efficient Zero-Knowledge Proof Systems Jens Groth University College London FOSAD 2014.
Bitcoin Double Spending Attack Karame, Androulaki & Capkun Presented by Subhro Kar CSCE 715, Fall 2013.

Bitcoin Double Spending Attack Karame, Androulaki & Capkun Presented by Subhro Kar CSCE 715, Fall 2013.
Introduction to Modern Cryptography, Lecture 13 Money Related Issues ($$$) and Odds and Ends.

Introduction to Modern Cryptography, Lecture 13 Money Related Issues ($$$) and Odds and Ends.
CS426Fall 2010/Lecture 351 Computer Security CS 426 Lecture 35 Commitment & Zero Knowledge Proofs.

CS426Fall 2010/Lecture 351 Computer Security CS 426 Lecture 35 Commitment & Zero Knowledge Proofs.
Zero Knowledge Proofs By Subha Rajagopalan Jaisheela Kandagal.

Zero Knowledge Proofs By Subha Rajagopalan Jaisheela Kandagal.
CMSC 414 Computer (and Network) Security Lecture 2 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 2 Jonathan Katz.

Similar presentations

Ads by Google