ZeroCash: ZeroCoin meets SCIPR-lab. Eli Ben-Sasson (Technion), joint work with Alessandro Chiesa (MIT), Christina Garman (JHU), Matthew Green (JHU), Ian Miers (JHU), Eran Tromer (TAU), Madars Virza (MIT)


ZeroCash: ZeroCoin meets SCIPR-lab
Eli Ben-Sasson (Technion)
Joint work with Alessandro Chiesa (MIT), Christina Garman (JHU), Matthew Green (JHU), Ian Miers (JHU), Eran Tromer (TAU), Madars Virza (MIT)

Bitcoin’s Anonymity Problem (BAP)
BAP:
– If Alice pays Bob in Bitcoins, she gains information about his spending of those coins …
– … and Bob gains information about Alice’s spending of her other Bitcoins
How? Analyze the transaction graph [Reid, Harrigan `11; …]
Solution: use a bitcoin mix/laundry/tumbler
– give Bitcoins to a trusted pool, retrieve them later
– Problems: (1) every tx must go through the mix, (2) trust the mix?
– Acceptable if you have much to hide, not so for the average honest user
ZeroCash practically solves Bitcoin’s anonymity problem

Should we solve Bitcoin’s Anonymity Problem?
Is ZeroCash good or evil? To answer that, first answer:
– Is Bitcoin good? Is a decentralized payment system good? Yes!
– (Is a decentralized info./comm. system – the Internet – good?)
– Is it good for such a system to leak (part of) your spending information to every one of your payers and payees? No
But what about regulation?
– It is up to society to agree on the acceptable regulation of Bitcoin and similar decentralized payment systems
– Jury still out (ditto for the Internet)
– When decisions are made, the “engine” under ZeroCash’s hood (Zero Knowledge Proofs) can help implement them!
Ergo, ZeroCash is good

Talk outline
Anonymous electronic payments
– Pre-bitcoin – e-cash and beyond
– Post-bitcoin – Zerocoin, PinocchioCoin
– Introducing ZeroCash
Zero Knowledge (ZK)
– SNARKs
– SCIPR-lab
ZeroCash: a peek under the hood

Pre-bitcoin anonymous e-cash
E-cash [Chaum `82, …]
– Anonymous
– Blind signatures by the bank’s secret key are used to mint coins
– Problems: (1) central secret, (2) central trusted party
[Sander, Ta-Shma `99] removed the need for a secret
– Bank mints coins using Zero-Knowledge (ZK) arguments and Merkle trees (more on these later)
– Anonymous, secret-less, efficient* e-cash system
– Problems: (2) central trusted party, (3) divisibility
* Assuming efficient non-interactive ZK arguments of knowledge.
(BAP: Blockchain structure leaks information to payer and payee)

Post-bitcoin anonymous e-cash [based on Sander, Ta-Shma `99]
ZeroCoin [Miers, Garman, Green, Rubin `13]
– Uses efficient* ZK proofs and an RSA accumulator
– Extends Bitcoin with a ‘decentralized laundry’
– No bank, only a trusted ledger (e.g., the blockchain)
– Implemented as a Bitcoin extension!
Problems
– Efficiency: 25Kb/spend, must appear on the blockchain
– Non-fungible, non-divisible, single-denomination system (allowing fungibility/divisibility compromises anonymity)
Pinocchio-Coin [Danezis, Fournet, Kohlweiss, Parno ‘13]
– Done concurrently to, and independently of, ZeroCash
– Solves the efficiency problem: 344 bytes/spend*!
– Based on “Pinocchio” ZK [Parno et al. `13]
– Scalability problem: tx-generation time grows linearly with #coins
– Non-fungible/divisible, single-denomination (same as Zerocoin)

Zerocash: divisible anonymous e-cash
Solves the problems of Zerocoin and Pinocchio-Coin:
– Efficiency: 288 bytes/spend* at 128-bit security level; verification: 9 ms/spend*; tx created in 3 min./spend* on a single 2.7 GHz core
– Tx-generation scales logarithmically with #coins (up to 2^64 coins)
– Fungible and divisible; hides payer, payee, and denomination
Usual restrictions and disclaimers, read the fine print
* Size of the ZK-proof part of a spend-tx; actual spend-tx size is larger

Fine print
– Relatively new crypto assumptions – pairing-based cryptography, knowledge-of-exponent, … – could use more cryptanalysis
– To spend, need a (public) key of size 0.9Gb (downloaded only once)
– Public key must be set up (only once) by a trusted party using a random trapdoor which must be destroyed (no secrets afterwards)
– … otherwise a party with the trapdoor can forge tx, but cannot break anonymity

Talk outline
Anonymous electronic payments
– Pre-bitcoin – e-cash and beyond
– Post-bitcoin – Zerocoin, PinocchioCoin
– Introducing ZeroCash
Zero Knowledge (ZK)
– SNARKs
– SCIPR-lab
ZeroCash: a peek under the hood

Zero Knowledge [Goldwasser, Micali, Rackoff ‘89]
Concrete bitcoin-based statement + proofs
– Statement: “I own 30 bitcoins with total value BTC”; ownership means knowledge of the coin keys.
– Proof: point to 30 coins on the blockchain, use each coin key to encrypt a message
– Problem: the proof leaks knowledge about coin ownership!
ZK proof of knowledge: a cryptographic proof that
– cannot be (efficiently) generated without knowing the keys
– can be efficiently generated with the keys
– can be easily verified
– reveals no information about the coins
ZK proofs exist for any statement that is efficiently computable with auxiliary secrets/trapdoors (NP statement)
– How? Magic! (2009 Gödel Prize; 2012 Turing Award to Goldwasser + Micali)
Efficiency of ZK proofs is a huge research topic; ZeroCash uses cutting-edge techniques from SCIPR-lab

Academic pedigree of ZeroCash’s “ZK engine”
Theory
– We use a ZK preprocessing Succinct Non-interactive ARgument of Knowledge (SNARK for short), aka succinct NIZK, succinct CS proof, ZKA, …
– Construction relies on pairings over elliptic curves, quadratic span programs, linear PCPs, FFTs, quasilinear PCPs, … […; Groth; Lipmaa; Ishai, Kushilevitz, Ostrovsky; Gennaro, Gentry, Parno, Raykova; Bitansky, Chiesa, Ishai, Ostrovsky, Paneth; Ben-Sasson, Chiesa, Genkin, Tromer; …]
Implementations (for general-purpose programs)
– Pinocchio [Parno, Gentry, Howell, Raykova `13]
– “SNARKs for C” [Ben-Sasson, Chiesa, Genkin, Tromer, Virza `13] by SCIPR-lab

“… is an academic collaboration of researchers from MIT, Technion, and Tel Aviv University, seeking to bring to practice cryptographic proof systems that provide Succinct Computational Integrity and PRivacy.”
Started in summer 2009 with Eran Tromer (co-PI), Alessandro Chiesa, Daniel Genkin. Madars Virza joined 2012.
Initial funding: European Research Council (grant # ), major source of support for the programming team: Ohad Barta*, Lior Greenblat, Shaul Kfir, Michael Riabzev, Gil Timnat, Arnon Yogev* (* emeritus)
[Ad: seeking superb crypto+math programmer!]

SCIPR-lab meets ZeroCoin
Both presented at Bitcoin 2013, San Jose (ZeroCoin video, SCIPR-lab video)
– SCIPR-lab builds general-purpose programs (“Turing complete”) (CRYPTO`13 video)
Powerful, yet cumbersome systems
– ZeroCoin needs a specific optimized program … ZeroCash

Talk outline
Anonymous electronic payments
– Pre-bitcoin – e-cash and beyond
– Post-bitcoin – Zerocoin, PinocchioCoin
– Introducing ZeroCash
Zero Knowledge (ZK)
– SNARKs
– SCIPR-lab
ZeroCash: a peek under the hood

ZeroCash and base currency
ZeroCash works over any base currency with
– a public ledger and a consensus mechanism (like PoW)
– like Bitcoin and its offspring
ZeroCash supports
– Transactions of the base currency
– Converting coins to ZeroCash and vice versa
– Fully anonymous ZeroCash transactions … fungible and divisible, splitting and merging of coins, hidden coin owner and coin values
– … with public transaction fees (and other payments) on them

ZeroCash transactions
Mint: (no ZK-SNARK)
– Converts a base-currency coin with value v into a new ZeroCash coin c with value v
Pour: (uses ZK-SNARK)
– Takes the sum value v of (up to) 2 ZeroCash coins and
– Pours v into (up to) 2 new ZeroCash coins (hidden values) and 1 public payment (public value)
Disclaimer: Simplified ZeroCash protocol, real one to appear in paper

Pour-tx, viewed by full node (verifier)
Coin is commitment c := hash(val, r_serial, addr_pub), controlled by secret address addr_sec
– addr_pub = f(addr_sec), f is a pseudorandom function (PRF)
– Serial number is sn = f(addr_sec, r_serial); it “destroys” the coin when displayed on the ledger
Full nodes (verifiers) maintain
– Merkle tree of all previous coins [figure: leaves c1, c2, c3, c4, …; a1 = H(c1, c2), a2 = H(c3, c4); root r = H(z1, z2)]
– List L = {sn1, sn2, …} of all previously exposed serial numbers
– Crucial: an observer cannot link sn to c!
Pour-tx is (sn, sn’, r, v_pub, c’’, c’’’, π, …)
– sn, sn’ destroy 2 old coins (preventing double-spend)
– r is the root of the (current) Merkle tree
– v_pub is the public value (used, e.g., for the tx fee)
– c’’, c’’’ are the new coins
– π is a 288-byte ZK-SNARK for a statement described later
When a full node sees a new pour-tx:
1. Verifies π (9 ms)
2. Checks that sn, sn’ haven’t appeared before and adds them to L
3. If 1 and 2 pass, adds c’’, c’’’ to the tree, updates root r, and collects v_pub
Disclaimer: Simplified ZeroCash protocol, real one to appear in paper

Constructing Pour-tx (prover)
Coin is commitment c := hash(val, r_serial, addr_pub), controlled by secret address addr_sec
– addr_pub = f(addr_sec), f is a pseudorandom function (PRF)
– Serial number is sn = f(addr_sec, r_serial); it “destroys” the coin when displayed on the ledger
Inputs
– 2 coins c, c’, their hidden information, and their locations in the tree [figure: leaves c1, c2, c3, c4, …; root r = H(z1, z2); L = {sn1, sn2, …}]
– Information for the new coins: values v’’, v’’’, v_pub; public addresses of the payees addr’’_pub, addr’’’_pub
– Proving key (0.9 Gb long)
Pour-tx is (sn, sn’, r, v_pub, c’’, c’’’, π, …)
π is a ZK-SNARK proof of the statement:
“I know the location of coins c, c’ in the tree with root r, know the coin values v, v’ and computed the serial numbers sn, sn’ correctly, know the hidden values v’’, v’’’ of c’’, c’’’, and the sum of the old coins (v + v’) equals that of the new ones (v’’ + v’’’ + v_pub) and … ”
“… and paid due taxes and contributed 10% to charity …”
What about Bitcoin/ZeroCash regulation?
– When society decides on appropriate measures, efficient ZK proofs can help implement them
Disclaimer: Simplified ZeroCash protocol, real one to appear in paper
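As an added example (not code from the talk or from the ZeroCash project), the simplified Pour protocol of the two slides above in Python: coins as hash commitments, serial numbers from a PRF, a Merkle tree with authentication paths, and a full node running the three verification steps. The ZK-SNARK π is the one piece not reproduced: `pour_statement` checks the statement π would attest to with the prover's witness passed in the clear, which shows what the proof covers but gives no zero knowledge; SHA-256 stands in for the hash and for the PRF f, and all names are this example's own.

```python
import hashlib
def H(*parts: bytes) -> bytes:  # collision-resistant hash over length-tagged parts
    return hashlib.sha256(b"".join(len(p).to_bytes(2, "big") + p for p in parts)).digest()
def f(addr_sec: bytes, *data: bytes) -> bytes:  # PRF keyed by addr_sec (keyed hash stands in)
    return H(b"prf", addr_sec, *data)
def commit(val: int, r_serial: bytes, addr_pub: bytes) -> bytes:  # coin c
    return H(val.to_bytes(8, "big"), r_serial, addr_pub)

def merkle_levels(leaves):  # all levels, leaves first; an odd level repeats its last node
    levels = [list(leaves) or [H(b"empty")]]
    while len(levels[-1]) > 1:
        lvl = levels[-1] + levels[-1][-1:] * (len(levels[-1]) % 2)
        levels.append([H(lvl[i], lvl[i + 1]) for i in range(0, len(lvl), 2)])
    return levels

def merkle_path(leaves, idx):  # sibling hashes from leaf idx to the root: log2(#coins) of them
    path = []
    for lvl in merkle_levels(leaves)[:-1]:
        path.append(lvl[min(idx ^ 1, len(lvl) - 1)])
        idx >>= 1
    return path

def verify_path(leaf: bytes, idx: int, path, root: bytes) -> bool:
    for sib in path:
        leaf = H(sib, leaf) if idx & 1 else H(leaf, sib)
        idx >>= 1
    return leaf == root

def pour_statement(tx, wit) -> bool:  # the NP statement pi attests to, witness in the clear
    if len(wit["old"]) != len(tx["sn"]) or len(wit["new"]) != len(tx["c_new"]):
        return False
    v_in = 0
    for (v, r_serial, addr_sec, idx, path), sn in zip(wit["old"], tx["sn"]):
        c = commit(v, r_serial, f(addr_sec))  # addr_pub = f(addr_sec)
        if not verify_path(c, idx, path, tx["r"]) or sn != f(addr_sec, r_serial):
            return False  # coin not at the claimed location under root r, or wrong serial
        v_in += v
    for (v, r_serial, addr_pub), c in zip(wit["new"], tx["c_new"]):
        if commit(v, r_serial, addr_pub) != c:  # "know hidden values of new coins"
            return False
    return v_in == sum(v for v, _, _ in wit["new"]) + tx["v_pub"]  # v + v' = v'' + v''' + v_pub

class FullNode:  # verifier state: Merkle tree of all coins + list L of exposed serials
    def __init__(self):
        self.coins, self.L = [], set()  # Mint = append a new leaf to self.coins
    def root(self) -> bytes:
        return merkle_levels(self.coins)[-1][0]
    def pour(self, tx, wit) -> bool:
        if tx["r"] != self.root() or not pour_statement(tx, wit):
            return False  # 1. proof (here: the statement itself) does not verify
        if any(sn in self.L for sn in tx["sn"]):
            return False  # 2. serial already in L: double spend
        self.L.update(tx["sn"])
        self.coins.extend(tx["c_new"])  # 3. add c'', c''' to the tree; root r changes
        return True
```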

ZeroCash: SCIPR-lab meets ZeroCoin
First fungible, divisible, anonymous payment system based on a decentralized ledger (like Bitcoin), with an implementation, which solves Bitcoin’s Anonymity Problem using cutting-edge constructions of ZK proofs
When will ZeroCash be ready?
– Paper published May at the “Oakland Security” conference (hopefully earlier online)
– Code to be open-sourced when ready
– No further comments on deployment :)
[Ad: SCIPR-lab needs superb crypto+math programmer]