1 / 64

Matthew Green Johns Hopkins University (Joint work with Ian Miers, Christina Garman, Avi Rubin)

Zerocoin: Anonymous Distributed e-Cash from Bitcoin or ‘How will Satoshi Nakamoto spend his fortune?’. Matthew Green Johns Hopkins University (Joint work with Ian Miers, Christina Garman, Avi Rubin). What is money?. What is money?. What is money?. Limited quantity Widely accepted.

kiaria
Download Presentation

Matthew Green Johns Hopkins University (Joint work with Ian Miers, Christina Garman, Avi Rubin)

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Zerocoin: Anonymous Distributed e-Cash from Bitcoinor‘How will Satoshi Nakamoto spend his fortune?’ • Matthew GreenJohns Hopkins University • (Joint work with Ian Miers, Christina Garman, Avi Rubin)

  2. What is money?

  3. What is money?

  4. What is money? • Limited quantity • Widely accepted • Easy to transfer

  5. What is money?

  6. What is money?

  7. Problem: electronic money 1) Very difficult 2) Very simple

  8. Naive approach 1) Very difficult 2) Very simple

  9. Account-based approach 1) Very difficult 2) Very simple

  10. Account-based approach

  11. Problems • Centralization & Trust • You need a trusted party to operate the bank • They can create currency, steal or simply fail

  12. Problems • Centralization & Trust • You need a trusted party to operate the bank • They can create currency, steal or simply fail • Privacy • The bank sees every transaction you make!

  13. “Ideal electronic currency” Decentralized Private Secure

  14. Bitcoin

  15. Bitcoin • Proposed in 2008 by “Nakamoto” • Extends and improves ideas of Dai (b-money),Szabo (bit gold) • Provides for effective, verifiable currency transfers & creation in a decentralized peer-to-peer setting • A real system with a $1.38 billion ‘market cap’ (4/21/13)

  16. Alice

  17. Alice

  18. Alice Pay to the order of Bob xxAlice

  19. Pay to the order of Bob xxAlice Pay to the order of Charlie xxBob

  20. Can we make this electronic? • Idea: • Replace names with public keys • Replace handwritten signatures with digital signatures Public key 0xa8fc93875a927472ea Pay to 0x9fea3018e89... Digital signature

  21. Can we make this electronic? • Problem: Alice can still double spend! • Alice “gives” the same checkto Bob and Charlie Pay to the order of Bob xxAlice Pay to the order of Charlie xxAlice

  22. Double-spending • Keep a central ‘ledger’ of all transfers • Register all transfers on the ledger • Recipients can check if money has already been ‘spent’ • How to do this in a decentralized fashion??

  23. The block chain • Bitcoin solves this through consensus • All participants keep a copy of the ledger(divided into ‘blocks’ of many transactions) • The blocks are connected through hash chaining 1.45,C->S .32,A->B 1.0,J->Z 1.0,H->J 1.2,E->J 1.03,S->J .23,B->C .9,M->B .2,M->J 2.5,M->S .1,S->F 1.3,S->S ... ... ... ... HASH HASH HASH Block 1 Block 2 Block 3 Block 4

  24. The block chain • Nodes compete to add new blocks to the chain • This is done by making nodes solve a simple “proof of work” • This prevents a single node from controlling the chain 1.45,C->S .32,A->B 1.0,J->Z 1.0,H->J 1.2,E->J 1.03,S->J .23,B->C .9,M->B .2,M->J 2.5,M->S .1,S->F 1.3,S->S ... ... ... ... HASH HASH HASH Block 1 Block 2 Block 3 Block 4

  25. The block chain • Nodes get a reward for ‘winning’ the PoW on a given block • They’re allowed to ‘mint’ 25 new Bitcoin out of thin air • (They can also receive transaction fees) 1.45,C->S .32,A->B 1.0,J->Z 1.0,H->J 1.2,E->J 1.03,S->J .23,B->C .9,M->B .2,M->J 2.5,M->S .1,S->F 1.3,S->S ... ... ... ... HASH HASH HASH Block 1 Block 2 Block 3 Block 4

  26. Bitcoin triangle

  27. Bitcoin triangle Decentralized

  28. Bitcoin triangle Decentralized Secure

  29. Bitcoin triangle Decentralized Private Secure

  30. Bitcoin privacy • The block chain is a history of every Bitcoin transaction ever! • Identifiers are public keys not names (“pseudonyms”) • You can make as many public keys as you want • But these still leak information! .23,C->E .32,A->B 1.0,J->Z .23,E->F 1.2,E->J 1.03,S->J .23,B->C .9,M->B .2,M->J 2.5,M->S .9B->D .9,D->Z ... ... ... ... HASH HASH HASH Block 1 Block 2 Block 3 Block 4

  31. Bitcoin privacy Sender

  32. Bitcoin privacy Sender Receiver

  33. Bitcoin privacy Sender Sender (again!) Receiver

  34. Bitcoin privacy

  35. Bitcoin privacy

  36. Bitcoin privacy

  37. http://bitslog.wordpress.com/2013/04/17/the-well-deserved-fortune-of-satoshi-nakamoto/http://bitslog.wordpress.com/2013/04/17/the-well-deserved-fortune-of-satoshi-nakamoto/

  38. The Nakamoto Treasure http://bitslog.wordpress.com/2013/04/17/the-well-deserved-fortune-of-satoshi-nakamoto/

  39. Privacy solutions • “Be careful” • Use ‘laundry’ services • Mix many users’ coins together • You must really trust the laundry • Bu

  40. Chaumian e-Cash • Dates to Chaum [82] (many subsequent works) • Completely untraceable electronic cash • Withdraw ‘coins’ from a central bank(using blind signatures) • Even the bank can’t track the coins Blind sign “s” signature(s)

  41. Laundries & Chaum Decentralized Private Secure

  42. Zerocoin • New approach to creating electronic coins • Based on a technique due to Sander and Ta-shma • Extends Bitcoin by adding a ‘decentralized laundry’ • Requires only a trusted, append-onlybulletin board • Bitcoin block chain gives us this ‘for free’!

  43. 823848273471012983 Making Zerocoin • Zerocoins are just numbers • Each is a digital commitment to a random serial number • Anyone can make one!

  44. Making Zerocoin • Zerocoins are just numbers • They have value once you put them on the block chain • This costs e.g., 1 bitcoin .23,C->E .23,E->F 1.0,A->B 1.0,J->Z .23,E->F 1.2,E->J .9,M->B 1.03,S->J 1.0, .9,M->B bitcoins 1.0->Z .2,M->J 2.5,M->S .9B->D 1.0->Z ... ... ... ... ... HASH HASH HASH HASH Block 5 Block 1 Block 2 Block 3 Block 4

  45. Spending Zerocoin .23,C->E .23,E->F 1.0,A->B 1.0,J->Z .23,E->F 1.2,E->J 1.0,Z->B 1.03,S->J 1.0, .9,M->B bitcoins 1.0->Z .2,M->J 2.5,M->S .9B->D 1.0->Z bitcoins ... ... ... ... ... HASH HASH HASH HASH Block 5 Block 1 Block 2 Block 3 Block 4

  46. Spending Zerocoin • Where do the bitcoins go/come from? • Nowhere -- they get ‘escrowed’ in place • A Zerocoin spend transaction allows you to claim the coinsleft by some other Zerocoin user 1.0,C->E .23,E->F 1.0,A->B 1.0,J->Z .23,E->F 1.2,E->J 1.0,Z->B 1.03,S->J 1.0, .9,M->B bitcoins 1.0->Z .2,M->J 2.5,M->S .9B->D 1.0->Z ... ... ... ... ... HASH HASH HASH HASH Block 5 Block 1 Block 2 Block 3 Block 4

  47. Spending Zerocoin • Why is this anonymous? • It’s all in the way we ‘prove’ we have a Zerocoin • This is done using a zero knowledge proof 1.0,C->E .23,E->F 1.0,A->B 1.0,J->Z .23,E->F 1.2,E->J .9,M->B 1.03,S->J 1.0, .9,M->B 1.0->Z .2,M->J 2.5,M->S .9B->D 1.0->Z ... ... ... ... ... HASH HASH HASH HASH Block 5 Block 1 Block 2 Block 3 Block 4

  48. Spending Zerocoin • Zero knowledge [Goldwasser, Micali 1980s, and beyond] • Prove a statement without revealing any other knowledge • Specific variant: proof of knowledge • Here we prove knowledge of: (a) a Zerocoin in the block chain(b) we just revealed the actual serial number inside of it • The trick is doing this efficiently!

  49. Spending Zerocoin • Inefficient proof • Identify all valid Zerocoins in the blockchain(call them ) • Prove knowledge of such that: These ‘or’ proofs have cost O(N)

  50. Spending Zerocoin • Better approach • Use an efficient one-way accumulator • Accumulate to produce accumulator • Then prove knowledge of a witness s.t.

More Related