Zerocash: Decentralized Anonymous Payments from Bitcoin
Eli Ben-Sasson (Technion), Alessandro Chiesa (MIT), Christina Garman (JHU), Matthew Green (JHU), Ian Miers (JHU), Eran Tromer (Tel Aviv University), Madars Virza (MIT)
zerocash-project.org
IEEE Symposium on Security and Privacy 2014, 20 May 2014
Bitcoin’s privacy problem
Bitcoin: decentralized digital currency. What’s to prevent double-spending?
Bitcoin’s privacy problem
Bitcoin: decentralized digital currency. What’s to prevent double-spending?
Solution: broadcast every transaction into a public ledger (blockchain). [Figure: ledger entries with From, To and Value fields (values 11, 5, 17)]
The cost: privacy.
• Consumer purchases (timing, amounts, merchant) seen by friends, neighbors, and co-workers.
• Account balance revealed in every transaction.
• Merchant’s cash flow exposed to competitors.
Bitcoin’s privacy problem (cont.)
• Pseudonymous, but:
– Most users use a single or few addresses
– Transaction graph can be analyzed. [Reid Martin 11] [Barber Boyen Shi Uzun 12] [Ron Shamir 12] [Meiklejohn PJLMVS 13]
• Also: threat to the currency’s fungibility.
• Centralized: reveal to the bank.
• Decentralized: reveal to everyone?!
Past attempts at Bitcoin anonymity
Zerocash: divisible anonymous payments
• Zerocash is a new privacy-preserving protocol for digital currency designed to sit on top of Bitcoin (or similar ledger-based currencies).
• Zerocash enables users to pay one another directly via payment transactions of variable denomination that reveal neither the origin, destination, nor amount. [Figure: the same ledger entries with From, To and Value replaced by “?”]
Zerocash: in proofs we trust
Intuition: a “virtual accountant” using cryptographic proofs.
“I got the money from last night, and I haven’t spent it in any of my prior transactions.” [Figure: a payment of 17 carrying the accountant’s ZK proof in place of the accountant’s signature]
More about Zerocash
• Efficiency:
– 288 proof bytes/spend at 128-bit security level
– <6 ms to verify a proof
– <1 min to create for 2^64 coins; asymptotically: log(#coins)
– 896 MB “system parameters” (fixed throughout system lifetime)
• Trust in initial generation of system parameters (once).
• Crypto assumptions:
– Pairing-based elliptic-curve crypto
– Less common: Knowledge of Exponent [Boneh Boyen 04] [Gennaro 04] [Groth 10]
– Properties of SHA-256, encryption and signature schemes
The Zerocash scheme
Basic anonymous e-cash [Sander Ta-Shma 1999]
Legend: in private wallet / in public ledger / proved to be known
[Figure: Minting publishes a commitment (commit) to the coin on the ledger, where commitments are accumulated in a tree of CRH (collision-resistant hash) nodes; Spending proves knowledge of an opening of a commitment in that CRH tree]
Basic anonymous e-cash – requisite proofs
Spending requires a zk-SNARK: a zero-knowledge, succinct, non-interactive argument (proof) of knowledge, here of an opening of a commitment on the ledger.
zk-SNARK constructions for any NP statement
• Without trusted setup:
– Theory: [BFLS 91] [Kilian 92] [Micali 94] … PCP … [Ben-Sasson Chiesa Genkin Tromer 13]
• With trusted setup:
– Theory: [Groth 10] [Lipmaa 12] [Gennaro Gentry Parno Raykova 13] [Bitansky Chiesa Ishai Ostrovsky Paneth 13]
– Implementations: [Parno Gentry Howell Raykova 13]; SCIPR Lab: [Ben-Sasson Chiesa Genkin Tromer Virza 13] [Ben-Sasson Chiesa Tromer Virza 14] (the underlying zk-SNARK used in Zerocash)
zk-SNARK: with great power comes great functionality
[Figure: the commit diagram from the basic scheme]
Adding variable denomination
[Figure: Minting and Spending diagrams, now with a coin value carried alongside the commitment and covered by the zk-SNARK]
Adding direct anonymous payments
Minting, spending analogous to above. Sending?
[Figure: commit → PRF → commit; the part marked “unknown to payer”]
Sending direct anonymous payments
[Figure: commit → PRF → commit; the part marked “known to payee”]
Simplified: Pouring Zerocash coins
Single transaction type capturing:
• Sending payments
• Making change
• Exchanging into bitcoins
• Transaction fees
[Figure: a Pour consumes old Zerocash coins and produces new Zerocash coins for dest 1 and dest 2 plus public bitcoins, accompanied by a proof]
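A Python model of the Mint/Pour bookkeeping described in the basic e-cash, variable denomination and Pour slides above, added here as an illustration and not code from the Zerocash project: coins are commitments in a CRH (SHA-256) Merkle tree, a spend reveals the coin's serial number, and the three facts the zk-SNARK would prove in zero knowledge (commitment membership, unspent serial number, value balance) are checked in the clear. Address keys, ciphertexts and the proof itself are left out, and the hash-based COMM/PRF constructions are assumed stand-ins.

```python
import hashlib
import os

def crh(data):  # collision-resistant hash (the slides' CRH); SHA-256 here
    return hashlib.sha256(data).digest()
def commit(value, rho, r):  # stand-in coin commitment cm = COMM_r(value || rho); only cm is published
    return crh(b"cm" + value.to_bytes(8, "big") + rho + r)
def serial_number(rho):  # stand-in sn = PRF(rho), revealed at spend time so a coin cannot be spent twice
    return crh(b"sn" + rho)

def merkle_path(leaves, idx):  # returns ([(sibling, sibling_is_left)] leaf->root, root) of the CRH tree
    level, path = list(leaves), []
    while len(level) & (len(level) - 1):  # pad to a power-of-two leaf count
        level.append(b"\0" * 32)
    while len(level) > 1:
        path.append((level[idx ^ 1], idx % 2 == 1))
        level = [crh(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        idx //= 2
    return path, level[0]

def verify_path(leaf, path, root):
    for sib, sib_is_left in path:
        leaf = crh(sib + leaf) if sib_is_left else crh(leaf + sib)
    return leaf == root

def mint(ledger, value):  # Mint: publish cm; (value, rho, r) stay in the private wallet
    coin = {"value": value, "rho": os.urandom(32), "r": os.urandom(32)}
    ledger["cms"].append(commit(value, coin["rho"], coin["r"]))
    return coin

def pour(ledger, old_coins, new_values, v_pub):
    # Pour old coins into new coins plus public output v_pub; the checks below are
    # the facts the zk-SNARK proves, done here in the clear for illustration.
    if sum(c["value"] for c in old_coins) != sum(new_values) + v_pub:
        return False  # balance: inputs must equal outputs
    sns = []
    for c in old_coins:
        cm = commit(c["value"], c["rho"], c["r"])
        if cm not in ledger["cms"]:
            return False  # commitment was never minted
        path, root = merkle_path(ledger["cms"], ledger["cms"].index(cm))
        if not verify_path(cm, path, root):
            return False  # commitment not in the ledger's CRH tree
        sns.append(serial_number(c["rho"]))
    if len(set(sns)) != len(sns) or any(sn in ledger["spent"] for sn in sns):
        return False  # double spend: serial number already revealed
    ledger["spent"].update(sns)
    return [mint(ledger, v) for v in new_values]  # new coins for the payees
```

The ledger only ever sees commitments and serial numbers, which is why a verifier can reject a double spend without learning which coin, value or payer is involved.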
Example of a Zerocash Pour transaction
Fields: root, sn_1, sn_2, cm_1, cm_2, v_pub, pubkeyHash, info, SigPK, Sig, MAC_1, MAC_2, ciphertext_1, ciphertext_2, zk-SNARK proof.
~1 KB total. Less without direct payments and public outputs.
Decentralized Anonymous Payment (DAP) system
Algorithms: Setup, CreateAddress, Mint, Pour, VerifyTransaction, Receive
Security:
1. Ledger indistinguishability: nothing revealed beside public information, even to a chosen-transaction adversary.
2. Balance: can’t own more money than received or minted.
3. Transaction non-malleability: cannot manipulate transactions en route to the ledger. (Requires further changes to the construction.)
Implementation
• Zerocash primitives and parameters → statement for the zk-SNARK
• Hand-optimized libsnark (SCIPR Lab) → instantiate the zk-SNARK
• libzerocash provides the DAP interface
• Bitcoind + Zerocash hybrid currency
• Network simulation: third-scale Bitcoin network on EC2
Performance (quad-core desktop):
– Setup: <2 min, 896 MB params
– Mint: bitcoind
– Pour: 46 s, 1 KB transaction
– VerifyTransaction: <9 ms/transaction
– Receive: <2 ms/transaction
Trusted setup
• Setup generates fixed keys used by all provers and verifiers.
• If Setup is compromised at the dawn of the currency, the attacker could later forge coins.
• Run once. Once done and intermediate results erased, no further trust (beyond underlying cryptographic assumptions).
• Anonymity is unaffected by a corrupted setup.
• Practical trustworthy protocol for running Setup?
Open research problems
• zk-SNARKs can enforce policies and regulation in a privacy-preserving, corruption-proof way.
– What policies are desirable and feasible?
• Other Bitcoin applications
– Blockchain compression
– Turing-complete scripts/contracts
– Proof of reserve
• Eliminating trusted setup.