Zerocoin: Anonymous Distributed e-Cash from Bitcoin or ‘How will Satoshi Nakamoto spend his fortune?’

  • Matthew Green, Johns Hopkins University

  • (Joint work with Ian Miers, Christina Garman, Avi Rubin)




What is money?

  • Limited quantity

  • Widely accepted

  • Easy to transfer




Problem: electronic money

1) Very difficult

2) Very simple


Naive approach

1) Very difficult

2) Very simple


Account-based approach

1) Very difficult

2) Very simple



Problems

  • Centralization & Trust

    • You need a trusted party to operate the bank

    • They can create currency, steal or simply fail

  • Privacy

    • The bank sees every transaction you make!


“Ideal electronic currency”

Decentralized

Private

Secure



Bitcoin

  • Proposed in 2008 by “Nakamoto”

    • Extends and improves ideas of Dai (b-money), Szabo (bit gold)

    • Provides for effective, verifiable currency transfers & creation in a decentralized peer-to-peer setting

    • A real system with a $1.38 billion ‘market cap’ (4/21/13)




[Figure: a paper check reading “Pay to the order of Bob”, signed Alice; then the same check with the added line “Pay to the order of Charlie”, signed Bob]


Can we make this electronic?

  • Idea:

    • Replace names with public keys

    • Replace handwritten signatures with digital signatures

Public key 0xa8fc93875a927472ea

Pay to 0x9fea3018e89...

Digital signature


Can we make this electronic?

  • Problem: Alice can still double spend!

    • Alice “gives” the same check to Bob and Charlie

[Figure: two checks, “Pay to the order of Bob” and “Pay to the order of Charlie”, both signed Alice]


Double-spending

  • Keep a central ‘ledger’ of all transfers

    • Register all transfers on the ledger

    • Recipients can check if money has already been ‘spent’

    • How to do this in a decentralized fashion??


The block chain

  • Bitcoin solves this through consensus

  • All participants keep a copy of the ledger (divided into ‘blocks’ of many transactions)

  • The blocks are connected through hash chaining

[Figure: the ledger as Blocks 1 to 4, each holding transactions written as amount,sender->receiver (for example “.32,A->B”), with consecutive blocks joined by a HASH]


The block chain

  • Nodes compete to add new blocks to the chain

  • This is done by making nodes solve a simple “proof of work”

  • This prevents a single node from controlling the chain

The block chain

  • Nodes get a reward for ‘winning’ the PoW on a given block

  • They’re allowed to ‘mint’ 25 new Bitcoin out of thin air

  • (They can also receive transaction fees)

Bitcoin triangle

Decentralized

Private

Secure


Bitcoin privacy

  • The block chain is a history of every Bitcoin transaction ever!

  • Identifiers are public keys not names (“pseudonyms”)

  • You can make as many public keys as you want

  • But these still leak information!

[Figure: block chain of Blocks 1 to 4 joined by HASH; the listed transactions include “.23,B->C”, “.23,C->E”, “.23,E->F” and “.9,M->B”, “.9,B->D”, “.9,D->Z”]



Bitcoin privacy

[Figure: diagram labeled Sender, Sender (again!), Receiver]





The Nakamoto Treasure

http://bitslog.wordpress.com/2013/04/17/the-well-deserved-fortune-of-satoshi-nakamoto/


Privacy solutions

  • “Be careful”

  • Use ‘laundry’ services

    • Mix many users’ coins together

    • You must really trust the laundry

    • Bu


Chaumian e-Cash

  • Dates to Chaum [82] (many subsequent works)

  • Completely untraceable electronic cash

  • Withdraw ‘coins’ from a central bank (using blind signatures)

  • Even the bank can’t track the coins

Blind sign “s”

signature(s)


Laundries & Chaum

Decentralized

Private

Secure


Zerocoin

  • New approach to creating electronic coins

  • Based on a technique due to Sander and Ta-shma

  • Extends Bitcoin by adding a ‘decentralized laundry’

  • Requires only a trusted, append-only bulletin board

    • Bitcoin block chain gives us this ‘for free’!


Making Zerocoin

[Figure: the number 823848273471012983]

  • Zerocoins are just numbers

  • Each is a digital commitment to a random serial number

  • Anyone can make one!


Making Zerocoin

  • Zerocoins are just numbers

  • They have value once you put them on the block chain

  • This costs e.g., 1 bitcoin

[Figure: block chain of Blocks 1 to 5 joined by HASH; alongside ordinary transfers such as “1.0,A->B” there are entries written “1.0->Z”]


Spending Zerocoin

[Figure: the same block chain, Blocks 1 to 5, with entries written “1.0->Z” and an entry “1.0,Z->B”]


Spending Zerocoin

  • Where do the bitcoins go/come from?

  • Nowhere -- they get ‘escrowed’ in place

  • A Zerocoin spend transaction allows you to claim the coins left by some other Zerocoin user



Spending Zerocoin

  • Why is this anonymous?

  • It’s all in the way we ‘prove’ we have a Zerocoin

  • This is done using a zero knowledge proof



Spending Zerocoin

  • Zero knowledge [Goldwasser, Micali 1980s, and beyond]

  • Prove a statement without revealing any other knowledge

    • Specific variant: proof of knowledge

  • Here we prove knowledge of: (a) a Zerocoin in the block chain, and (b) that we just revealed the actual serial number inside of it

  • The trick is doing this efficiently!


Spending Zerocoin

  • Inefficient proof

  • Identify all valid Zerocoins in the blockchain (call them )

  • Prove knowledge of such that:

These ‘or’ proofs have cost O(N)


Spending Zerocoin

  • Better approach

  • Use an efficient one-way accumulator

  • Accumulate to produce accumulator

  • Then prove knowledge of a witness s.t.

[Figure: Merkle tree with root A, inner nodes H(C1,C2) and H(C3,C4), and leaves H(C1), H(C2), H(C3), H(C4); legend: “= sibling nodes”]
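The hash-tree accumulator on this slide, as an added Python example (not code from the talk or the Zerocoin project): the root A is computed from public data only, and the witness for one coin is its sibling node at each level. The function names, the SHA-256 choice, the domain tags and the coin byte strings are assumptions made for the illustration.

```python
import hashlib

EMPTY = b"\x00" * 32  # padding node for levels with an odd number of entries

def leaf(coin):
    # Leaf hash H(C); the 0x00 tag keeps leaves distinct from inner nodes.
    return hashlib.sha256(b"\x00" + coin).digest()

def node(left, right):
    # Inner node H(left, right), tagged 0x01.
    return hashlib.sha256(b"\x01" + left + right).digest()

def root_and_witness(coins, index):
    """Return (A, witness): the tree root and the sibling node at each
    level on the path from coins[index] up to the root."""
    level = [leaf(c) for c in coins]
    witness = []
    while len(level) > 1:
        if len(level) % 2:
            level.append(EMPTY)
        sibling = index ^ 1
        # Store the sibling hash and whether it sits to the left of our node.
        witness.append((level[sibling], sibling < index))
        level = [node(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        index //= 2
    return level[0], witness

def verify(root, coin, witness):
    """Recompute the path from the coin to the root using only the siblings."""
    h = leaf(coin)
    for sibling, on_left in witness:
        h = node(sibling, h) if on_left else node(h, sibling)
    return h == root
```

Checked in the clear like this, the witness has only log2(N) entries, but its left/right flags and sibling hashes pin down exactly which leaf is being opened, so anonymity would require proving knowledge of the witness in zero knowledge instead of publishing it.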


Spending Zerocoin

  • Problem:

  • There are relatively few accumulators that meet our criteria

  • 1. Computing the accumulator should not require any secrets (i.e., it’s publicly computable/verifiable)

  • 2. There must be an efficient ZK proof of knowledge of a witness.

Merkle trees don’t (seem to) possess one


Strong RSA Accumulator (Benaloh & de Mare)

To accumulate primes compute:

An efficient ZKPoK proposed by Camenisch/Lysyanskaya ’01!


The protocol overview

  • The protocol:

    • Generate random serial number S. Compute:

      • (Retain S, commitment randomness )

    • Accumulate all valid coins, compute witness

    • Reveal S, prove knowledge of accumulator witness and commitment randomness

s.t. C is prime,

Requires a DDL proof (~40kb)
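The mint, accumulate and spend steps of this protocol, as an added Python example (not code from the talk or the Zerocoin project). It assumes the usual forms C = g^S · h^r mod p for the commitment and A = u^(C1·C2·…·Cn) mod N for the Benaloh-de Mare accumulator; the tiny parameters and all function names are constructed for the illustration, and the checks Zerocoin performs in zero knowledge are done here in the clear.

```python
import secrets

# Toy parameters constructed for this example; far too small to be secure.
P, Q = 2879, 1439   # commitment group: P = 2Q + 1, both prime
G, H = 4, 9         # two generators of the order-Q subgroup mod P
N, U = 2773, 4      # accumulator modulus 47 * 59 and public base

def is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def commit(S, r):
    """Commitment C = g^S * h^r mod p to serial number S (assumed form)."""
    return pow(G, S, P) * pow(H, r, P) % P

def mint():
    """Pick a random serial S, then retry randomness r until C is prime."""
    S = secrets.randbelow(Q - 1) + 1
    while True:
        r = secrets.randbelow(Q)
        if is_prime(commit(S, r)):
            return commit(S, r), S, r

def accumulate(coins):
    """A = u^(C1 * C2 * ... * Cn) mod N; no secrets, anyone can recompute it."""
    A = U
    for C in coins:
        A = pow(A, C, N)
    return A

def witness(coins, mine):
    """Accumulator over every coin except `mine`; satisfies w^mine = A mod N."""
    rest = list(coins)
    rest.remove(mine)
    return accumulate(rest)

def check_spend(A, spent, S, r, w):
    """Spend checks done in the clear. Zerocoin reveals only S and proves the
    rest in zero knowledge, so C, r and w never appear on the chain."""
    C = commit(S, r)
    if S in spent or not is_prime(C) or pow(w, C, N) != A:
        return False
    spent.add(S)   # a serial number can be redeemed once
    return True

if __name__ == "__main__":
    coins = [mint() for _ in range(4)]
    A = accumulate([c for c, _, _ in coins])
    C, S, r = coins[2]
    print(check_spend(A, set(), S, r, witness([c for c, _, _ in coins], C)))
```

The set of spent serial numbers is what stops a coin from being redeemed twice; the accumulator check only shows that the coin is one of those on the bulletin board.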


Optimizations

  • Accumulator can be incrementally computed

    • Don’t make Prover do it: have the miners compute an accumulator ‘checkpoint’ each block

    • This minimizes accumulator computation time

  • Probabilistic verification

    • The proof doesn’t need to be fully verified

    • Verify random portions (reduces certainty)


Performance


The upshot

  • I can take Bitcoin from my wallet

    • Turn them into Zerocoins

    • Where they get ‘mixed up’ with many other users’ coins

    • I can redeem them to a new fresh Wallet

    • Nobody will be able to link the new ones to the old!


Zerocoin

Decentralized

Private

Secure


Divisible Zerocoin!

  • Make coins divisible!

    • Include coin values in the commitment

    • Users can insert ‘divide’ instructions that convert a single Zerocoin into two separate coins that sum to the original value

      • Note: doesn’t even require ZK proofs!


Anonymous Credentials!

  • Wait a second: e-Cash is just a form of anonymous credential

    • New systems like Namecoin allow us to establish identities (with attributes, e.g., time identity established)

    • By adding similar commitments to the identities/attributes we can prove statements about our identity

    • No trusted credential issuer

    • Can use this to implement decentralized anonymous reputation systems & ‘subscription’ services to manage resources in ad-hoc networks!


Can we build this today?

  • Short answer: yes and no

    • We have code that does all of it (update to the bitcoind client)

    • But to make this work we need to get the new transactions built into Bitcoin

    • The algorithms add cost to the Bitcoin network and many will be unwilling to do this


The future

  • There’s much more to talk about

    • Can something like this be deployed?

    • What are the ethics of doing it?

    • What’s the future of Bitcoin as a technology? As a currency?

    • What about identity management?


blog.cryptographyengineering.com

The paper:

spar.isi.jhu.edu/~mgreen/ZerocoinOakland.pdf

Code & website (coming soon):

zerocoin.org

