Zcoin cryptocurrency introduces zero knowledge proofs with no trusted set-up
The fast-moving area of privacy technologies is an essential part of blockchain's future.
The Zcoin cryptocurrency has hard forked into an interesting new privacy protocol, the Sigma Protocol, making it the first cryptocurrency to introduce zero knowledge proofs without a trusted set-up.
Here's some background on what that actually means to help situate the significance of this development in the space.
Once upon a time...
Privacy has always been innately at odds with distributed ledger technology, which is transparent by nature.
The core of the challenge is that the blockchain needs to be able to verify all transactions (for example, to confirm that someone isn't trying to double spend coins), but if you simply give the blockchain this information, your transaction information is publicly available. At the same time, users need to be able to confirm that the system is able to correctly perform this task without ever needing to entrust one's privacy to third parties.
But it's not an unsolvable problem, and several different privacy protocols have emerged to solve this issue. Each of them is characterised by its flaws as much as by its benefits, and it's mostly about balancing the pros and cons for different situations. One application might call for offloading all your privacy to a single trusted entity, while another might be about trying to ensure maximum scalability with just the minimal level of privacy needed.
Privacy cryptocurrencies are naturally focused on ensuring the confidentiality of transactions, with the best possible scalability and perfect trustlessness as befits a public blockchain, which leads to protocols such as these:
- CryptoNote: This is used by Monero, Loki and others. This system mixes in about a dozen decoy transactions along with the real one in an effort to obscure coin trails. It integrates nicely with other systems, but by combining several analysis techniques it's possible to identify the decoys and find the real transaction through the process of elimination. Another downside is that decoys need to be mandatory for all users in all transactions for privacy to be maintained, which means CryptoNote has always-on privacy, putting it at risk of ending up on the wrong side of the law.
- Mimblewimble: This is a relatively new protocol, used by Grin, Beam and others. It's a combination of individual upgrades that were independently proposed for Bitcoin at various points and that theoretically offer exceptionally strong and wide-ranging privacy features when put together – assuming it all works as intended. The main downsides are that it's generally challenging and complex, it doesn't play well with existing blockchain infrastructure, it has mandatory always-on privacy and the high level of privacy innate to the system means it's hard to spot issues if something goes wrong.
- Zerocoin and zk-SNARKs: Zero knowledge proofs are essentially a system for mathematically proving to someone that you know something, without disclosing what it is that you know. It's naturally relevant for overcoming the problems of blockchain privacy and has been explored in different protocols including Zerocoin (previously used by Zcoin and PIVX) and zk-SNARKs (Zcash, Ethereum and others). Unlike other privacy protocols, these kinds of systems can facilitate optional privacy.
Zerocoin vs zk-SNARKs
Zerocoin essentially works by letting people clean the transaction history off coins by burning old dirty coins and minting new clean money. It cleans the transaction trails to anonymise users but doesn't conceal the amounts being transferred. This means careless Zerocoin users may inadvertently identify themselves through minting and transaction patterns and may be subject to some viable but wildly impractical attack vectors. It's also relatively large and clunky compared to zk-SNARKs and a hassle to actually use because the dirty coins have to be burnt and the new ones minted in specific denominations.
zk-SNARKs (zero knowledge succinct non-interactive arguments of knowledge) as used in Zcash let users employ "shielded" wallets to send and receive "shielded" transactions when they want some privacy. This conceals both the transaction value and the sender and receiver information, and it generally offers a thorough level of optional privacy. But one downside of this level of privacy is that it's tough to spot problems if something goes wrong. For example, it's not possible to say with 100% certainty that previously discovered Zcash money printing bugs haven't been exploited.
But one major downside, inherent to all zero knowledge blockchain set-ups to date, is that there's a single potential point of failure in the creation of the system itself, plus a relatively high chance of money-printing vulnerabilities. These have been found in both Zerocoin and Zcash.
Trusted set-ups: A single point of failure
One issue with zero knowledge proofs is that all of that cryptographic mojo takes up a lot of data on the blockchain compared to standard transactions. It's largely a question of latency. If transactions are too large, they can't propagate around the network quickly enough, which increases the chances of accidental forks and opens up all kinds of vulnerabilities and other problems.
To compress all that cryptography down to a workable size for the blockchain's sake, you have to partly pre-fabricate these zero knowledge proofs around a cryptographic framework.
This cryptographic framework is that single point of failure. It needs to be kept secret because if anyone can rebuild that same cryptographic framework, they can potentially trick the blockchain into accepting invalid transactions, which would let them freely print money.
The catch is that it's really difficult to build that framework without anyone – not even the builders themselves – knowing what it is. In the end, there's always an element of trust in whatever method was used to build that framework.
This "trusted set-up" means you can never be 100% certain. You can be 99% or even 99.99% certain, but that's still not the same as 100%.
The Sigma Protocol
Privacy in cryptocurrencies is a difficult and fast-moving area in the space, but it's also vital for many applications. For example, if you need to verify some personal or identity details with a blockchain without disclosing them to any third parties, that's quite likely to be done with zero knowledge proofs.
Zero knowledge proofs are extremely useful for smart contracts and other blockchain goodness beyond cryptocurrencies alone, so developments in the area are notable.
With that background, it may be easier to appreciate the significance of Zcoin's Sigma Protocol, which was introduced to replace the Zerocoin protocol as the world's first mainnet integration of a burning-and-redeeming-style zero knowledge proofs system that does not require a trusted set-up. As a bonus, it also reduces the size of the cryptographic proofs about 17-fold and improves security by upgrading from the increasingly old RSA-2048 to a significantly newer and tougher type of cryptography.
It basically works by having you build your own secret and unique "cryptography framework" as part of the actual process of making a transaction, rather than having the same framework permanently baked into the fabric of the blockchain itself.
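To make the idea of "no trusted set-up" concrete, here is an added example (not Zcoin's own code; Zcoin's Sigma is a more elaborate one-out-of-many proof, whereas this is the simplest sigma protocol, a Schnorr proof of knowledge of a discrete logarithm, made non-interactive with a Fiat-Shamir hash). The group parameters are derived from a fixed public rule that anyone can recompute, so no secret ever goes into creating them, and the only secret randomness is chosen fresh by the prover for each proof. The subgroup order Q, the derivation rule and the message format are all assumptions of this example.

```python
import hashlib
import secrets

Q = (1 << 127) - 1  # prime order of the subgroup (a Mersenne prime); chosen for this example

def is_probable_prime(n):
    # Miller-Rabin with fixed bases, so every party derives exactly the same group.
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        if all((x := x * x % n) != n - 1 for _ in range(r - 1)):
            return False
    return True

def derive_group():
    # Public parameters from a public rule (smallest prime p = k*Q + 1, generator of order Q): no trapdoor.
    k = 2
    while not is_probable_prime(k * Q + 1):
        k += 2
    p = k * Q + 1
    h = 2
    while pow(h, k, p) == 1:
        h += 1
    return p, pow(h, k, p)

P, G = derive_group()

def challenge(y, t, message):
    # Fiat-Shamir: the challenge is a hash of the transcript and the transaction it authorises.
    data = b"|".join(str(v).encode() for v in (P, G, y, t)) + b"|" + message
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def prove(x, message):
    y = pow(G, x, P)              # public statement y = G^x; x is the secret witness (think: coin)
    r = secrets.randbelow(Q)      # fresh per-proof randomness chosen by the prover alone
    t = pow(G, r, P)              # commit
    c = challenge(y, t, message)  # challenge, derived by hashing rather than asked of a verifier
    s = (r + c * x) % Q           # respond; r masks x, so s leaks nothing about x
    return y, (t, s)

def verify(y, message, proof):
    t, s = proof
    if y == 1 or pow(y, Q, P) != 1:  # statement must be a non-trivial subgroup element
        return False
    c = challenge(y, t, message)
    return pow(G, s, P) == t * pow(y, c, P) % P  # G^(r + c*x) == G^r * (G^x)^c
```

A proof verifies only for the exact statement and transaction it was built for, so it cannot be replayed to authorise a different spend, and nobody holds a trapdoor that would let them forge one.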
The Sigma Protocol, in addition to being an exciting step in its own right, is also designed to be a safe replacement for the Zerocoin protocol, buying some time as Lelantus, Zcoin's next generation privacy protocol, undergoes more testing and peer review.
The testing grounds
Privacy is an essential application in blockchain technology, far beyond cryptocurrency alone. But despite government antipathy towards privacy-oriented cryptocurrencies, they're probably one of the best ways of promoting rapid innovation in cryptography and privacy technologies such as zero knowledge proofs.
This is because there's always such a big incentive to crack them.
Previously, you'd create your thing and then put up bounties to encourage people to try to break it. But with cryptocurrency, the thing itself acts as the bounty, encouraging people to come along and crack it.
Disclosure: The author holds BNB and BTC at the time of writing.