Presentation is loading. Please wait.

Presentation is loading. Please wait.

Ian Miers Christina Garman | Matthew Green | Avi Rubin Zerocoin: Anonymous Distributed E-Cash from Bitcoin.

Published byGilbert Robbins Modified over 9 years ago

Similar presentations

Presentation on theme: "Ian Miers Christina Garman | Matthew Green | Avi Rubin Zerocoin: Anonymous Distributed E-Cash from Bitcoin."— Presentation transcript:

1 Ian Miers Christina Garman | Matthew Green | Avi Rubin Zerocoin: Anonymous Distributed E-Cash from Bitcoin

2 What is money?

3 Digitizing money Two ways to do it Create digital cash Create digital checks

4 Bank accounts

5 Problem: privacy Bank sees every transaction Merchants can track customers across interactions

6 Digital cash Can’t make uncopyable digital currency Can make single use currency Get a unique serial number when you withdraw money Spend it by showing an unused serial number

7 E-cash Chaum82: blind signatures for e-cash Chaum88: retroactive double spender identification Brandis95: restricted blind signatures Camenisch05: compact offline e-cash

8 E-cash schemes Chaum82: blind signatures for e-cash Chaum88: offline e-cash with double spender identification Brandis95: restricted blind signatures Camenisch05: compact offline e-cash

9 Trust Apparently it’s hard for people to trust this guy

10 Trust Must trust the bank not to Fail Steal your money Print more money

11 Decentralized Secure An ideal digital currency Anonymous

12 Bitcoin A distributed digital currency system Released by Satoshi Nakamoto 2008 Market cap of 1.2 Billion USD (as of early May 2013) Effectively a bank run by an ad hoc network Digital checks A distributed transaction log

13 Bitcoin: digital checks Public key 0xa8fc93875a972ea Signature 0xa87g14632d452cd Public key 0xc7b2f68...

14 Bitcoin: transaction log How do you maintain a transaction log? Pick a trusted party Vote

15 A physical analogy A room full of people and a chalk board We assume most are honest Select one person at random to add an entry and check previous work

16 Avoiding the clone wars Select a node at random proportional to its computational power to update the log Nodes race to compute a partial hash collision: hash(data || nonce) < x Pick the longest chain Bitcoin calls this ledger the block chain

17 DecentralizedBitcoin

18 Bitcoin Secure

19 Bitcoin Decentralized Secure Anonymous?

20

21

22

23 Bitcoin Decentralized Secure Anonymous

24 Bitcoin: all of your information is known to the bank the merchants EVERYONE

25 Data mining and privacy Target used data mining on customer purchases to identify pregnant women and target ads at them (NYT 2012) Ended up informing a woman’s father that his teenage daughter was pregnant Imagine what credit card companies could do with the data

26 Chaum’s e-cash + Bitcoin Decentralized Secure Anonymous +

27 Bitcoin laundries & mixes Decentralized Secure +

28 Zerocoin A distributed approach to private electronic cash Extends Bitcoin by adding an anonymous currency on top of it Zerocoins are exchangeable for bitcoins Similar to techniques by Sander and Ta-shma

29 What is a zerocoin? A zerocoin is: Economically: a promissory note redeemable for a bitcoin Cryptographically: an opaque envelope containing a serial number used to prevent double spending 823848273471 012983

30 Commitments Allow you to commit to and later reveal a value Binding: value cannot be tampered with Blinding: value cannot be read until revealed We use Pedersen commitments 812... 812..

31 Zerocoins: where do they come from? Anyone can make one Choose a random serial number and commit to it Mint a zerocoin by putting a mint transaction in the block chain which “spends” a bitcoin and includes the commitment Spending a zerocoin gives the recipient a bitcoin

32 Zerocoins:...and where do they go? The “spent” bitcoins end up escrowed To spend a zerocoin You reveal the serial number Prove it is from some zerocoin in the block chain Put the spent serial number in the block chain

33 Zero-knowledge proofs Zero-knowledge [Goldwasser, Micali 1980s, and beyond] Prove knowledge of a witness satisfying a statement Specific variant: non-interactive proof of knowledge Here we prove we know: 1. The serial number of a zerocoin 2. That the coin is in the block chain

34 An inefficient approach Inefficient proof Identify all valid zerocoins in the block chain (call them ) Prove that S is the serial number of a coin C and This “OR” proof is O(N)

35 Cryptographic accumulators Allow constant size set membership proofs Strong RSA accumulator originally due to Benaloh and de Mare Efficient proof for accumulation of primes proposed by Camenisch and Lysyanskaya ‘01

36 Zerocoin protocol Generate a commitment to a random serial number S: (Store serial number S and randomness r) Accumulate all valid coins, compute witness w i Reveal S and prove knowledge of witness to commitment accumulation and its randomness r where is prime

37 Zerocoin optimizations The accumulator is computable incrementally Network can maintain accumulator checkpoints Don’t need to compute the accumulator for spend Reduces computation for witness

38 Performance Modified bitcoind client on 3.5GZ Intel Xeon E3- 1270V2 1024 bit commitments 1024, 2048, and 3072 bit RSA moduli

39 Obstacles and future work Scale to larger networks Reduce proof size (duh) Make divisible coins (we have a construction) Get people to believe this works

40 Zerocoin.org Decentralized Secure Ian Miers @imichaelmiers Christina Garman Matthew Green Avi Rubin Anonymous

41 Divisible coins (Not in paper) Encode both a serial number and a denomination in the coin commitment as the low and high order bits To divide a coin C with balance b and serial number S Mint two new coins c’,c’’ with balances b’ and b’’ Prove in zero knowledge that b = b’ + b’’ and those are the high order bits Reveal S to prevent reuse

42 Prime commitments Perfectly Blinding Perfectly Blinding Binding under discrete log

43 How much anonymity Consider a universe where 10 coins exist and one more coin is minted and then spent If all 10 original coins are already spent before minting, k =1 If only 9 of them are spent, k = 11 Lower bound: All unspent coins controlled by honest parties Upper bound: All the coins

44 Why so large?

45 Not much slower (our code is single threaded) Laptop performance

46 In UFOs we trust RSA moduli of Unknown FactOrization (Sander99) N is an RSA-UFO if it has at least two large prime factors P and Q and no one can find N 1,N 2 such that Q divides N 1 and P divides N 2 Get an assumption analogous to the Strong RSA assumption

47 UFOs: Impractically Large Problem: for the security of a 1024 bit RSA modulus, we need a 40k bit UFO

Download ppt "Ian Miers Christina Garman | Matthew Green | Avi Rubin Zerocoin: Anonymous Distributed E-Cash from Bitcoin."

Similar presentations

Zerocash Decentralized Anonymous Payments from Bitcoin

Zerocash Decentralized Anonymous Payments from Bitcoin
Secure Multiparty Computations on Bitcoin

Secure Multiparty Computations on Bitcoin
Digital Cash Mehdi Bazargan Fall 2004.

Digital Cash Mehdi Bazargan Fall 2004.
BITCOIN INTRODUCTION TECHNOLOGY AND TOOL *Various slides adapted from James D’Angelo’s “How the Constraints of Digital Define Bitcoin”

BITCOIN INTRODUCTION TECHNOLOGY AND TOOL *Various slides adapted from James D’Angelo’s “How the Constraints of Digital Define Bitcoin”
Recoverable and Untraceable E-Cash Dr. Joseph K. Liu The Chinese University of HongKong.

Recoverable and Untraceable E-Cash Dr. Joseph K. Liu The Chinese University of HongKong.
Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.

Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.
Secure Digital Currency: Bitcoin Amir Houmansadr CS660: Advanced Information Assurance Spring 2015 Content may be borrowed from other resources. See the.

Secure Digital Currency: Bitcoin Amir Houmansadr CS660: Advanced Information Assurance Spring 2015 Content may be borrowed from other resources. See the.
COMS 486 Iowa State University Introduction to Bitcoin A P2P Electronic Cash System.

COMS 486 Iowa State University Introduction to Bitcoin A P2P Electronic Cash System.
Digital Cash Present By Kevin, Hiren, Amit, Kai. What is Digital Cash?  A payment message bearing a digital signature which functions as a medium of.

Digital Cash Present By Kevin, Hiren, Amit, Kai. What is Digital Cash?  A payment message bearing a digital signature which functions as a medium of.
Slide 1 Vitaly Shmatikov CS 378 Digital Cash. slide 2 Digital Cash: Properties uDigital “payment message” with properties of cash uUnforgeable Users cannot.

Slide 1 Vitaly Shmatikov CS 378 Digital Cash. slide 2 Digital Cash: Properties uDigital “payment message” with properties of cash uUnforgeable Users cannot.
Class 12 Anonymous Digital Currency CIS 755: Advanced Computer Security Spring 2014 Eugene Vasserman

Class 12 Anonymous Digital Currency CIS 755: Advanced Computer Security Spring 2014 Eugene Vasserman
Payment Systems 1. Electronic Payment Schemes Schemes for electronic payment are multi-party protocols Payment instrument modeled by electronic coin that.

Payment Systems 1. Electronic Payment Schemes Schemes for electronic payment are multi-party protocols Payment instrument modeled by electronic coin that.
Bitcoin Double Spending Attack Karame, Androulaki & Capkun Presented by Subhro Kar CSCE 715, Fall 2013.

Bitcoin Double Spending Attack Karame, Androulaki & Capkun Presented by Subhro Kar CSCE 715, Fall 2013.
Introduction to Modern Cryptography, Lecture 13 Money Related Issues ($$$) and Odds and Ends.

Introduction to Modern Cryptography, Lecture 13 Money Related Issues ($$$) and Odds and Ends.
CS426Fall 2010/Lecture 351 Computer Security CS 426 Lecture 35 Commitment & Zero Knowledge Proofs.

CS426Fall 2010/Lecture 351 Computer Security CS 426 Lecture 35 Commitment & Zero Knowledge Proofs.
CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.

CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.
ELECTRONIC PAYMENT SYSTEMS 20-763 SPRING 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS Electronic Payment Systems 20-763 Lecture 11 Electronic Cash.

ELECTRONIC PAYMENT SYSTEMS SPRING 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS Electronic Payment Systems Lecture 11 Electronic Cash.
Digital Cash Damodar Nagapuram. Overview ► Monetary Freedom ► Digital Cash and its importance ► Achieving Digital Cash ► Disadvantages with digital cash.

Digital Cash Damodar Nagapuram. Overview ► Monetary Freedom ► Digital Cash and its importance ► Achieving Digital Cash ► Disadvantages with digital cash.
Electronic Voting Schemes and Other stuff. Requirements Only eligible voters can vote (once only) No one can tell how voter voted Publish who voted (?)

Electronic Voting Schemes and Other stuff. Requirements Only eligible voters can vote (once only) No one can tell how voter voted Publish who voted (?)
CMSC 414 Computer and Network Security Lecture 19 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 19 Jonathan Katz.

Similar presentations

Ads by Google