
Zero Cash : ZeroCoin meets SCIPR-lab

www.zerocoin.org. www.SCIPR-lab.org. Zero Cash : ZeroCoin meets SCIPR-lab. Eli Ben-Sasson ( Technion ), Joint work with Alessandro Chiesa (MIT), Christina Garman (JHU), Matthew Green (JHU), Ian Miers (JHU), Eran Tromer (TAU), Madars Virza (MIT).


Presentation Transcript


  1. ZeroCash: ZeroCoin meets SCIPR-lab
     • www.zerocoin.org, www.SCIPR-lab.org
     • Eli Ben-Sasson (Technion), joint work with Alessandro Chiesa (MIT), Christina Garman (JHU), Matthew Green (JHU), Ian Miers (JHU), Eran Tromer (TAU), Madars Virza (MIT)

  2. Bitcoin’s Anonymity Problem (BAP)
     • BAP:
       • If Alice pays Bob in Bitcoins, she gains information about his spending of those coins …
       • … and Bob gains information about Alice’s spending of her other Bitcoins
       • How? Analyze transaction-graph [Reid, Harrigan `11; …]
     • Solution: Use a bitcoin mix/laundry/tumbler
       • give Bitcoins to trusted pool, retrieve later
       • Problems: (1) every tx must go thru mix, (2) trust mix?
       • Acceptable if have much to hide, not so for average honest user
     • ZeroCash practically solves Bitcoin’s anonymity problem

  3. Should we solve Bitcoin’s Anonymity Problem?
     • Is ZeroCash good or evil? To answer that, first answer:
       • Is Bitcoin good? Is a decentralized payment system good? Yes!
       • (Is a decentralized info./comm. system – Internet – good?) Yes!
       • Is it good for such a system to leak (part of) your spending information to every one of your payers and payees? No
       • Ergo, ZeroCash is good
     • But what about regulation?
       • It is up to society to agree on the acceptable regulation of Bitcoin and similar decentralized payment systems
       • Jury still out (ditto for Internet)
       • When decisions are made, the “engine” under ZeroCash’s hood (Zero Knowledge Proofs) can help implement!

  4. Talk outline
     • Anonymous electronic payments
       • Pre-bitcoin – e-cash and beyond
       • Post-bitcoin – Zerocoin, Pinocchio-Coin
       • Introducing ZeroCash
     • Zero Knowledge (ZK)
       • SNARKs
       • SCIPR-lab
     • ZeroCash: a peek under the hood

  5. Pre-bitcoin anonymous e-cash (BAP: Blockchain structure leaks information to payer and payee)
     • E-cash [Chaum `82, …]
       • Anonymous
       • Blind signatures by bank’s secret key used to mint coins
       • Problems: (1) central secret, (2) central trusted party
     • [Sander, Ta-Shma `99] removed need for secret
       • Bank mints coins using Zero-Knowledge (ZK) arguments and Merkle trees (more on these later)
       • Anonymous, secret-less, efficient* e-cash system
       • Problems: (2) central trusted party, (3) divisibility
     * Assuming efficient non-interactive ZK arguments of knowledge.

  6. Post-bitcoin anonymous e-cash [based on Sander, Ta-Shma `99]
     • ZeroCoin [Miers, Garman, Green, Rubin `13]
       • Uses efficient* ZK proofs and RSA-accumulator
       • Extends Bitcoin with `decentralized laundry’
       • No Bank, only trusted ledger (e.g., Blockchain)
       • Implemented as Bitcoin extension!
       • Problems
         • Efficiency: 25Kb/spend, must appear on blockchain
         • Non-fungible, non-divisible, single-denomination system (allowing fungibility/divisibility compromises anonymity)
     • Pinocchio-Coin [Danezis, Fournet, Kohlweiss, Parno ‘13]
       • Done concurrently to, and independently of, ZeroCash
       • Solves efficiency problem: 344 bytes/spend*!
       • Based on “Pinocchio” ZK [Parno et al. `13]
       • Scalability problem: tx-generation time grows linearly with #coins
       • Non-fungible/divisible, single-denomination (same as Zerocoin)
     • Zerocash: divisible anonymous e-cash
       • Solves the problems of Zerocoin and Pinocchio-Coin:
       • Efficiency
         • 288 bytes/spend* at 128-bit security level
         • Verification: 9ms/spend*
         • Tx created 3 min./spend* on single core i7 @ 2.7 GHz
         • Tx-generation scales logarithmically with #coins (up to 2^64 coins)
       • Fungible and divisible, hides payer, payee, and denomination
       • Usual restrictions and disclaimers, read fine print
     • Fine print
       • Relatively new crypto assumptions – pairing-based cryptography, knowledge-of-exponent, … – can use more cryptanalysis
       • To spend, need (public) key of size 0.9Gb (downloaded only once)
       • Public key must be set up (only once) by trusted party using a random trapdoor which must be destroyed (no secrets afterwards)
       • … otherwise party with trapdoor can forge tx, but cannot break anonymity
     * Size of the ZK-proof part of a spend-tx; actual spend-tx size is larger

  7. Talk outline
     • Anonymous electronic payments
       • Pre-bitcoin – e-cash and beyond
       • Post-bitcoin – Zerocoin, Pinocchio-Coin
       • Introducing ZeroCash
     • Zero Knowledge (ZK)
       • SNARKs
       • SCIPR-lab
     • ZeroCash: a peek under the hood

  8. Zero Knowledge [Goldwasser, Micali, Rackoff ‘89]
     • Concrete bitcoin-based statement + proofs
       • Statement: “I own 30 bitcoins with total value 123.5 BTC” (ownership means knowledge of coin-keys)
       • Proof: point to 30 coins on blockchain, use each coin-key to encrypt a message
       • Problem: proof leaks knowledge about coin-ownership!
     • ZK-proof of knowledge: cryptographic proof that
       • cannot be (efficiently) generated without knowing keys
       • can be efficiently generated with keys
       • can be easily verified
       • reveals no information about coins
     • ZK-proofs exist for any statement that can be efficiently computable with auxiliary secrets/trapdoors (NP-statement)
       • How? Magic! (2009 Gödel award; 2012 Turing Award to Goldwasser + Micali)
     • Efficiency of ZK-proofs is a huge research topic; ZeroCash uses cutting-edge techniques from SCIPR-lab

  9. Academic pedigree of ZeroCash’s “ZK engine”
     • Theory
       • We use a ZK preprocessing Succinct Noninteractive ARgument of Knowledge (SNARK for short), aka succinct NIZK, succinct CS proof, ZKA, …
       • Construction relies on pairings over elliptic curves, quadratic span programs, linear PCPs, FFTs, quasilinear PCPs, … […; Groth; Lipmaa; Ishai, Kushilevitz, Ostrovsky; Gennaro, Gentry, Parno, Raykova; Bitansky, Chiesa, Ishai, Ostrovsky, Paneth; Ben-Sasson, Chiesa, Genkin, Tromer; … 2010–14]
     • Implementations (for general purpose programs)
       • Pinocchio [Parno, Gentry, Howell, Raykova `13]
       • “SNARKs for C” [B, Chiesa, Genkin, Tromer, Virza `13] by SCIPR-lab

  10. www.SCIPR-lab.org
     • “… is an academic collaboration of researchers from MIT, Technion, and Tel Aviv University, seeking to bring to practice cryptographic proof systems that provide Succinct Computational Integrity and PRrivacy.”
     • Started in summer 2009 with Eran Tromer (co-PI), Alessandro Chiesa, Daniel Genkin. Madars Virza joined 2012
     • Initial funding: European Research Council (grant # 240258), major source of support for programming team: Ohad Barta*, Lior Greenblat, Shaul Kfir, Michael Riabzev, Gil Timnat, Arnon Yogev* (* emeritus)
     [Ad: seeking superb crypto+math programmer!]

  11. SCIPR-lab meets ZeroCoin
     • Both presented at Bitcoin 2013, San Jose (ZeroCoin video, SCIPR-lab video)
     • SCIPR-lab builds general-purpose programs (“Turing complete”) (CRYPTO `13 video): powerful, yet cumbersome systems
     • ZeroCoin needs specific optimized program
     • … ZeroCash

  12. Talk outline
     • Anonymous electronic payments
       • Pre-bitcoin – e-cash and beyond
       • Post-bitcoin – Zerocoin, Pinocchio-Coin
       • Introducing ZeroCash
     • Zero Knowledge (ZK)
       • SNARKs
       • SCIPR-lab
     • ZeroCash: a peek under the hood

  13. ZeroCash and Base-currency
     • ZeroCash works over any base-currency with public ledger and consensus mechanism (like PoW)
       • Like BitCoin and its offspring
     • ZeroCash supports
       • Transactions of base-currency
       • Converting coins to ZeroCash and vice versa
       • Fully anonymous ZeroCash transactions …
         • Fungible and divisible
         • Splitting and merging of coins
         • Hidden coin-owner and coin values
       • … with public transaction fees (and other payments) on them

  14. ZeroCash transactions
     • Mint: (no ZK-SNARK)
       • Converts a base-currency coin with value v into new ZeroCash coin c with value v
     • Pour: (uses ZK-SNARK)
       • Takes the sum value v of (up to) 2 ZeroCash coins and pours v into (up to)
         • 2 new ZeroCash coins (hidden values),
         • 1 public payment (public value)
     Disclaimer: Simplified ZeroCash protocol, real one to appear in paper

  15. Pour-tx, viewed by Full-node (verifier)
     • Coin is commitment c := hash(val, r_serial, addr_pub), controlled by secret address addr_sec
       • addr_pub = f(addr_sec), f is pseudorandom function (PRF)
       • Serial number is sn = f(addr_sec, r_serial), “destroys” coin when displayed on ledger
     • Full-nodes (verifiers) maintain
       • Merkle tree of all previous coins
       • List L of all previously exposed serial numbers
     • Crucial: observer cannot link sn to c!
     • Pour-tx is (sn, sn’, r, v_pub, c’’, c’’’, π, …)
       • sn, sn’ destroy 2 old coins (preventing double-spend)
       • r is root of (current) Merkle tree
       • v_pub is public value (used, e.g., for tx-fee)
       • c’’, c’’’ new coins
       • π is a 288-byte long ZK-SNARK for a statement described later
     • When full-node sees new pour-tx:
       1. Verifies π (9 ms)
       2. Checks that sn, sn’ haven’t appeared and adds them to L
       3. If 1, 2 pass, then adds c’’, c’’’ to tree, updates root r, and collects v_pub
     [Figure: Merkle tree of coins with root r = H(z1, z2), internal nodes a1 = H(c1, c2), a2 = H(c3, c4), leaves c1 c2 c3 c4 …; serial-number list L = {sn1, sn2, …}]
     Disclaimer: Simplified ZeroCash protocol, real one to appear in paper

  16. Constructing Pour-tx (prover)
     • Coin is commitment c := hash(val, r_serial, addr_pub), controlled by secret address addr_sec
       • addr_pub = f(addr_sec), f is pseudorandom function (PRF)
       • Serial number is sn = f(addr_sec, r_serial), “destroys” coin when displayed on ledger
     • Inputs
       • 2 coins c, c’, hidden information, and location in tree
       • Information for new coins: values v’’, v’’’, v_pub; public addresses of payees addr’’_pub, addr’’’_pub
       • Proving key (0.9 Gb long)
     • Pour-tx is (sn, sn’, r, v_pub, c’’, c’’’, π, …)
     • π is a ZK-SNARK proof of statement: “know location of coins c, c’ in tree with root r, know coin values v, v’ and computed correctly serial numbers as sn, sn’, know hidden values v’’, v’’’ of c’’, c’’’ and sum of old coins (v+v’) equals that of new ones (v’’+v’’’+v_pub) and …”
     • What about Bitcoin/ZeroCash regulation?
       • When society decides on appropriate measures, efficient ZK-proofs can help implement them: the statement can be extended with “… and paid due taxes and contributed 10% to charity …”
     [Figure: Merkle tree of coins with root r = H(z1, z2), leaves c1 c2 c3 c4 …; serial-number list L = {sn1, sn2, …}]
     Disclaimer: Simplified ZeroCash protocol, real one to appear in paper
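The bookkeeping that slides 15 and 16 describe (coin commitments, PRF-derived serial numbers, the Merkle tree of all coins, the list L, and the three checks a full node runs on a pour-tx) can be exercised end to end without the SNARK machinery. The block below is an added illustration, not code from the ZeroCash project, the paper, or SCIPR-lab. It assumes SHA-256 for the hash, HMAC-SHA256 for the PRF f, and replaces the proof π with a plaintext witness that the verifier checks directly; that stand-in is exactly what a real full node never sees, since it checks only π and learns nothing about the old coins’ values, owners or positions. The value-conservation check v + v’ = v’’ + v’’’ + v_pub and the double-spend check on L are the slide’s own rules; the scenario in `demo()` (a valid pour, its replay, and a pour that tries to create value) is constructed for the example.

```python
"""Simplified ZeroCash-style ledger: mint, pour, full-node verification.

Added example (not ZeroCash's code). Assumptions: H = SHA-256, PRF f =
HMAC-SHA256, and the SNARK pi is replaced by a plaintext witness that the
verifier checks in the clear.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass


def H(*parts: bytes) -> bytes:
    """Collision-resistant hash for commitments and Merkle nodes."""
    return hashlib.sha256(b"".join(parts)).digest()


def f(key: bytes, msg: bytes) -> bytes:
    """PRF keyed by the secret address (HMAC-SHA256 stands in for f)."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def addr_pub(addr_sec: bytes) -> bytes:          # addr_pub = f(addr_sec)
    return f(addr_sec, b"addr")


def serial_number(addr_sec: bytes, r_serial: bytes) -> bytes:  # sn = f(addr_sec, r_serial)
    return f(addr_sec, b"sn" + r_serial)


def commitment(value: int, r_serial: bytes, apk: bytes) -> bytes:  # c = hash(val, r_serial, addr_pub)
    return H(value.to_bytes(8, "big"), r_serial, apk)


def merkle_root(leaves: list) -> bytes:
    """Root of a binary Merkle tree; an odd level duplicates its last node."""
    level = list(leaves) or [H(b"empty")]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [H(level[i], level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]


@dataclass
class Coin:
    value: int
    r_serial: bytes
    addr_sec: bytes

    def cm(self) -> bytes:
        return commitment(self.value, self.r_serial, addr_pub(self.addr_sec))


class Ledger:
    """State a full node keeps: all commitments (tree leaves), list L, past roots."""

    def __init__(self) -> None:
        self.coins = []        # Merkle leaves: every commitment ever posted
        self.serials = set()   # L: every serial number ever exposed
        self.roots = set()     # every root the tree has had; a tx may cite any

    def root(self) -> bytes:
        r = merkle_root(self.coins)
        self.roots.add(r)
        return r

    def mint(self, value: int, addr_sec: bytes) -> Coin:
        """Mint: public value in, new commitment on the ledger (no SNARK)."""
        coin = Coin(value, os.urandom(32), addr_sec)
        self.coins.append(coin.cm())
        return coin


def make_pour(ledger: Ledger, old: list, new_values: list, new_apks: list, v_pub: int) -> dict:
    """Prover side: spend `old` coins into new hidden coins plus a public value."""
    new_coins = [(v, os.urandom(32), apk) for v, apk in zip(new_values, new_apks)]
    return {
        "sn": [serial_number(c.addr_sec, c.r_serial) for c in old],
        "root": ledger.root(),
        "v_pub": v_pub,
        "new_cms": [commitment(v, r, apk) for v, r, apk in new_coins],
        "witness": {"old": old, "new_values": new_values},  # stand-in for pi
    }


def verify_pour(ledger: Ledger, tx: dict) -> bool:
    """Verifier side: the three steps a full node runs on a pour-tx."""
    w = tx["witness"]
    # Step 1 (what pi attests): old coins are in a tree with the cited root,
    # the serials were derived from them, and value is conserved.
    if tx["root"] not in ledger.roots:
        return False
    if any(c.cm() not in ledger.coins for c in w["old"]):
        return False
    if tx["sn"] != [serial_number(c.addr_sec, c.r_serial) for c in w["old"]]:
        return False
    if sum(c.value for c in w["old"]) != sum(w["new_values"]) + tx["v_pub"]:
        return False
    # Step 2: no serial may appear twice on the ledger (double-spend check).
    if len(set(tx["sn"])) != len(tx["sn"]) or any(sn in ledger.serials for sn in tx["sn"]):
        return False
    # Step 3: accept; expose the serials, add new coins, update the root.
    ledger.serials.update(tx["sn"])
    ledger.coins.extend(tx["new_cms"])
    ledger.root()
    return True


def demo() -> tuple:
    """Constructed scenario: a valid pour, its replay, and an inflating pour."""
    ledger = Ledger()
    alice, bob = b"alice-secret-address", b"bob-secret-address"
    c1, c2 = ledger.mint(10, alice), ledger.mint(5, alice)
    tx = make_pour(ledger, [c1, c2], [7, 6], [addr_pub(bob), addr_pub(alice)], 2)
    first = verify_pour(ledger, tx)      # 10 + 5 == 7 + 6 + 2 -> accepted
    replay = verify_pour(ledger, tx)     # same serials again -> rejected
    c3 = ledger.mint(4, bob)
    bad = make_pour(ledger, [c3], [9], [addr_pub(alice)], 0)
    inflate = verify_pour(ledger, bad)   # 4 != 9 + 0 -> rejected
    return first, replay, inflate
```

Two design points carry over from the slides even in this toy: the ledger never stores coins, only their commitments and the serials that have been revealed, so an observer of `tx["sn"]` cannot tell which leaf it came from; and a replayed pour fails on the serial check alone, which is the whole of ZeroCash’s double-spend protection. Everything the verifier reads out of `witness` is what π would certify in the real protocol.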

  17. ZeroCash: SCIPR-lab meets ZeroCoin
     • First fungible, divisible, anonymous payment system based on decentralized ledger (like Bitcoin), with implementation,
       • which solves Bitcoin’s Anonymity Problem,
       • using cutting-edge constructions of ZK-proofs
     • When will ZeroCash be ready?
       • Paper published May 18 @ “Oakland Security” conference (hopefully earlier online)
       • Code to be open-sourced when ready
       • No further comments on deployment
     [Ad: SCIPR-lab needs superb crypto+math programmer]
