Outline Motivation 8271 discussion of: “Zerocoin: Anonymous Crypto background Distributed E-Cash from Bitcoin” Zerocoin crypto Stephen McCamant (Original paper: Ian Miers, Christina Garman, Matthew Green, and Aviel D. Rubin) Administrative break University of Minnesota (Original paper: Johns Hopkins) Application to Bitcoin Bitcoin pseudonymity Problems of pseudonymity Once you know one identity, can track Block chain is radically public forward or back But addresses are just random crypto E.g., Ron and Shamir ’13 and DPR keys Analysis just from structure Persistent and linkable pseudonyms “10 richest people on Bitcoin” How does this compare with full De-anonymize via other public info? anonymity? Netflix prize data and IMDB Mixing and laundering Idea: cryptographic mixing Standard approach: add mixing on top Get effect of laundry without trusted Compare: multi-cloud, anonymous party remailers, Tor, etc. Put a coin into mix, later withdraw one Unsatisfactory: trusted third-party No one else can see linkage “laundry” Use crypto to make possible without Can log permutation, or just take your money allowing cheating Prove you inserted a coin without Existing opt-in systems all have low revealing which volume
Outline Cryptographic commitment Common building block: commit to Motivation value now, but don’t reveal until later Crypto background opening Compare to scratch-off lottery ticket Zerocoin crypto Two key properties: Administrative break Hiding : can’t see value until opened Binding : can only open to one value Application to Bitcoin One implementation: encrypt, open by revealing key Zero-knowledge proof ZK example: Hamiltonian path P and V share a graph, P knows a path Interactive randomized protocol that visits each vertex once between Prover and Verifier On each round, P commits to a shuffled P convinces V of a fact with high version of G probability Based on a coin flipped by V, either: But reveals no other information Reveals the whole graph, shows the Afterwards, transcript could be faked by isomorphism; or anybody Reveals just the path Non-interactive ZK: Fiat-Shamir One-way accumulators Prove membership in set in constant Converts a ZK proof technique to a space non-interactive signature Idea: replace V’s random choices with Based on function ❍ with the output of a hash function ❍ ✭ ❍ ✭ ①❀ ② ✶ ✮ ❀ ② ✷ ✮ ❂ ❍ ✭ ❍ ✭ ①❀ ② ✷ ✮ ❀ ② ✶ ✮ , such as ① ② mod ◆ Just as uncontrollable if the function is pseudo-random Think: represent set as product of Security proof works only in Random primes: witness for ♣ ✐ is product of all Oracle Model other members
Outline Zerocoin overview Motivation Zerocoin “Mint”: turn one BTC into one Crypto background Zerocoin Commit to serial number Zerocoin crypto Zerocoin “Spend”: convert one Zerocoin into BTC Administrative break Reveal serial number, must be unique Application to Bitcoin Formal definition Security def.: anonymity Setup ✭ ✶ ✕ ✮ ✦ params Honest party mints two valid coins Mint ✭ params ✮ ✦ ✭ ❝❀ s❦❝ ✮ ❝ ✵ ❀ ❝ ✶ , adversary picks ❈ and ❘ ❝ : coin, s❦❝ : corresponding secret key Honest party picks ❜ ✥ ❢ ✵❀ ✶ ❣ , spends Spend ✭ params ❀ ❝❀ s❦❝❀ ❘❀ ❈ ✮ ✦ ✭ ✙❀ ❙ ✮ ❝ ❜ with ❘ and ❈ ❬ ❢ ❝ ✵ ❀ ❝ ✶ ❣ ❘ : transaction string, ❈ : previous coins, Adversary tries to guess ❜ , should not ✙ : ZK proof, ❙ : serial number do much better than 50-50. Verify ✭ params ❀ ✙❀ ❙❀ ❘❀ ❈ ✮ ✦ ❢ ✵❀ ✶ ❣ Security def.: balance Core of construction To mint, choose ❙ and r at random Honest party mints ◆ coins such that ❝ ❂ ❣ ❙ ❤ r mod ♣ is prime Adversary constructs ♠ coins and Secret key is ✭ ❙❀ r ✮ ♠ ✰ ✶ spends Accumulate coins ❈ into ❆ Adversary wins if all ♠ ✰ ✶ spends To spend, ✙ proves knowledge of verify using the ◆ ✰ ♠ coins, have ❝❀ ✇❀ r such that: unique serial numbers, but none are ✇ witnesses ❝ is in ❆ ❝ ❂ ❣ ❙ ❤ r mod ♣ honest spends of the ◆ coins
Trusted setup issue Outline Accumulator based on exponentiation Motivation mod a product of primes ♣q Crypto background Knowledge of primes allows forgery (c.f. RSA) Zerocoin crypto Honest party deletes them, but this isn’t verifiable Administrative break Other techniques (“RSA UFO”) allow Application to Bitcoin constructing product without getting primes Project meetings Presentation choices Purpose: discuss project topics Already got a volunteer for next Monday Email me to set up Expect other results soon Thursday, Friday, or next week Presentation slides Outline Motivation If you send them early, I can give Crypto background suggestions Send final version for my grading use Zerocoin crypto Decide whether you want them public, Administrative break on Moodle, or forgotten Application to Bitcoin
Zerocoin transactions New state required Simple design: only one value of Accumulator computed incrementally Zerocoin Checkpointed in each block Can run multiple copies for more Nodes must maintain list of spent denominations Zerocoin serial numbers Zerocoin “Mint” puts BTC in escrow Proofs might be kept outside the block Zerocoin “Spend” takes its BTC from chain any previous Mint Limits of anonymity Parameter sizes Group used in commitments: size All Zerocoin does is obscure sensitive connection between mints and spends Make 1024 bit, assume periodically Security still limited by number of regenerated outstanding Zerocoins RSA modulus used in accumulator: 10 mints; 10 spends; 1 mint: no anonymity hard to regenerate, must last Also can’t help if too many other users At least 3072 bits proposed collude against you ZK # rounds: just affect a single proof E.g. other coins all created by a single Proposed ✷ ✽✵ security adversary Performance Deployment: plans as of paper Integrate into the regular Bitcoin Not cheap, but can scale beyond network then-current Bitcoin volumes Cleanest: add new operations in Proof is about 40KB protocol, “flag day” upgrade Mint, spend, verify all less than 1 second Incremental alternative: build on current protocol Verification of blocks by nodes more Zerocoin information is in comments problematic than by miners Signatures by a quorum of semi-trusted Zerocoin nodes
Deployment realities Bitcoin community not excited Coding effort, conceptual complexity, node load, unpopular uses New plan: alternative network (c.f. Litecoin, etc., etc.) Details RSN, says web site, beta maybe May 2014
Recommend
More recommend
