
Pinocchio Coin: Building Zerocoin from a Succinct Pairing-based Proof System

George Danezis, Microsoft Research, Cambridge, UK
Cédric Fournet, Microsoft Research, Cambridge, UK
Markulf Kohlweiss, Microsoft Research, Cambridge, UK
Bryan Parno, Microsoft Research, Redmond, USA

ABSTRACT

Bitcoin is the first widely adopted distributed e-cash system and Zerocoin is a recent proposal to extend Bitcoin with anonymous transactions.

The original Zerocoin protocol relies heavily on the Strong RSA assumption and double-discrete logarithm proofs, long-standing techniques with known performance restrictions. We show a variant of the Zerocoin protocol using instead elliptic curves and bilinear pairings. The proof system makes use of modern techniques based on quadratic arithmetic programs, resulting in smaller proofs and quicker verification. We remark on several extensions to Zerocoin that are enabled by the general-purpose nature of these techniques.

Categories and Subject Descriptors

K.4.4 [Computers and Society]: Electronic Commerce: Payment schemes, Security

Keywords

Zero-knowledge proofs; anonymous electronic cash; bitcoin; zerocoin.

1. INTRODUCTION

The central component of Bitcoin is a public log or ledger of transactions. Each transaction entry in the log associates a bitcoin amount with a public key. A new entry is created either by contributing to the authenticity of the log, by checking and hashing previous transactions and performing proofs of work, or by using the private key corresponding to an existing entry to sign a new entry. The latter transfers the bitcoin amount of the existing entry to the owner of the public key of the new entry. As regards privacy, the log publicly links coins to their successive owners' keys.

Zerocoin [MGGR13] is an anonymous decentralized e-cash system that uses Bitcoin both as an append-only bulletin board and as a backing currency. Zerocoin uses a fixed bitcoin amount, i.e. all zerocoins have the same denomination. Instead of a public key, coins are identified by a commitment $C$ to a pair of fresh, random secrets: a serial number $s$ and an opening $r$, kept by the owner of the coin.

To guarantee anonymity, a zerocoin spend transaction involves revealing $s$ and proving knowledge of $r$ for one of the commitments $C$ in a large, public collection of previously-logged commitments $C_0, \dots, C_{n-1}$. The opening to the commitment of the coin being spent is never revealed but is used to compute a proof $\pi$ for a signature of knowledge that replaces the conventional signature of a bitcoin spend transaction. The signature of knowledge proves that the spending party can open one of the commitments to the serial number, i.e. that (1) she knows a $C \in (C_1, \dots, C_n)$ and (2) that $C = g^s h^r$ (the commitment scheme is a Pedersen commitment). By hiding which commitment can be opened in this way, Zerocoin provides anonymity. At the same time, the uniqueness of the serial number prevents double spending.

[MGGR13] uses a Strong RSA based accumulator to prove $C \in (C_1, \dots, C_n)$, thus all commitments $C_i$ must be prime numbers from an interval $[A, A^2)$, for some fixed integer $A$, to guarantee that the product of two commitments is outside this interval. These constraints can be met, but Strong RSA based constructions like this can be quite brittle, and it would be desirable to have an alternative construction based on prime-order groups. Another complication arises from the proof that $C = g^s h^r$ being about a value $C$ that is itself secret and an exponent for the group in which the accumulator is defined. Thus it is what is usually referred to as a double-discrete logarithm proof.

We address both of these issues by making use of Pinocchio [PHGR13], a novel pairing-based proof system with a very efficient implementation.

Pinocchio can prove languages of the form $L = \{(c_k)_{k \in [m_0]} \mid \exists (c_k)_{k \in [m_0..m-1]} : c_0 = 1 \wedge (V \cdot c) \circ (W \cdot c) - (Y \cdot c) = 0\}$, where $V, W, Y$ are $d \times m$ matrices over a field $\mathbb{F}_p$ for integers $d, m_0, m$ with $m_0 \le m$. (Footnote 1: We write $[n]$ for the set $\{0, \dots, n-1\}$. We write $X \cdot y$ for the multiplication of a matrix with a vector, $z = (\sum_{k \in [n]} X_{ik} y_k)_{i \in [d]}$, and $x \circ y$ for the pointwise (Hadamard) product $z = (x_i y_i)_{i \in [d]}$.) $P = (V, W, Y)$ is called a quadratic
arithmetic program (QAP) over field $\mathbb{F}$ of degree $d$ and size $m$, and the problem of deciding whether $P$ can accept a sub-vector $(c_0, \dots, c_{m_0-1})$ with $c_0 = 1$ was shown by [GGPR13] to be NP-complete.

In particular, the language $L$ allows us to encode arbitrary input-output relations for an arithmetic circuit with $d$ multiplication gates. Intuitively, $c$ encodes wire values, and each row in $V$ and $W$ represents a linear combination of wires that will be the left and the right input of a multiplication gate, respectively.

Our construction of Zerocoin uses two simple insights: First, $C \in (C_0, \dots, C_{n-1})$ can be represented by checking that the arithmetic circuit $\prod_i (C - C_i) = 0$. Second, instead of proving knowledge of $r$, we can prove knowledge of $h_0, \dots, h_{\nu-1}$ for a security parameter $\nu$ of the commitment scheme such that, for $j \in [\nu]$, $(h_j - 1)(h_j - h^{(2^j)}) = 0$ and $C = S \prod_j h_j$, where $S = g^s$ can be publicly computed. Instead of requiring $C$ to be a prime in $[A, A^2)$, the commitment can now be defined over any field in which the discrete logarithm problem is hard.

We are left with one remaining difficulty. If we use the efficient pairing groups of Pinocchio, computing discrete logarithms in the exponent field $\mathbb{F}_p$ with $p \approx 2^{256}$ is easy. We could switch to non-standard and larger pairing groups, but this seems undesirable as it would bring down the overall performance of the proof system. Instead we propose to compute $C$ in an extension field $\mathbb{F}_{p^\mu}$ of size $p^\mu > 2^{2048}$.

We do not claim that our construction is always desirable over the existing Strong RSA construction. One drawback of our scheme is that the trusted setup, instead of being a single RSA modulus $N$, is now the evaluation key of a Pinocchio QAP, a more complex object. It is also unclear whether ultimately a proof of arithmetic circuits in extension fields will scale better than a double discrete logarithm proof. One performance characteristic that is, however, drastically improved is the size of the proof $\pi$, which no longer depends linearly on $\nu$. Another, more qualitative, advantage is the availability of an alternative construction based on a different number theoretic problem.

2. CONSTRUCTION

In presenting our protocol we assume limited familiarity with Zerocoin [MGGR13] and Pinocchio [PHGR13].

• Setup($1^\kappa$). On input a security parameter, select or generate a pairing-friendly elliptic curve setup $G$ for curves of order $p$ to be used by Pinocchio. Select random generators $g, h \in \mathbb{F}_{p^\mu}$ such that $\langle g \rangle = \langle h \rangle$ is a large multiplicative subgroup of $\mathbb{F}_{p^\mu}$ of order $q \mid p^\mu - 1$, $q \approx 2^\nu$. Run evaluation key generation $EK_P \leftarrow \mathrm{KeyGen}(P, G)$ for the publicly-verifiable zero-knowledge variant of Pinocchio for verifying NP relations expressed as arithmetic constraints. $P$ is a QAP over $\mathbb{F}_p$ of degree and size $O((n + \kappa)\mu^2)$ for the following witness relation, where all operations and values are over $\mathbb{F}_{p^\mu}$:
$$((C_0, \dots, C_{n-1}, S), (h_j)_{j=1}^{\kappa}) \in R_L \Leftrightarrow \forall j\, (h_j - 1)(h_j - h^{(2^j)}) = 0 \wedge \prod_i \big(S \prod_j h_j - C_i\big) = 0.$$
Output $\mathit{params} = (G, p, q, g, h, EK_P)$ as the Zerocoin parameters.

• Mint($\mathit{params}$). Select a serial number and opening $s, r \in \mathbb{F}_q \setminus \{1\}$ and compute $C = g^s h^r$ in $\mathbb{F}_{p^\mu}$. Set $\mathit{skc} = (s, r)$ and output $(C, \mathit{skc})$.

• Spend($\mathit{params}, C, \mathit{skc}, C_0, \dots, C_{n-1}$). If $C \notin (C_i)_{i=0}^{n-1}$ output $\bot$. Compute $S = g^s$, and $h_j = h^{2^j r_j}$ for $j \in [\kappa]$, where the $r_j \in \{0, 1\}$ are such that $r = \sum_j 2^j r_j$. Then run the Pinocchio prove algorithm $\pi \leftarrow \mathrm{Compute}(EK_P, (C_0, \dots, C_{n-1}, S, (h^{2^j})_{j=0}^{\nu-1}), (h_j)_{j=1}^{\kappa})$ and output $(\pi, s)$.

• Verify($\mathit{params}, \pi, s, C_0, \dots, C_{n-1}$). Check that $\mathrm{Verify}(EK_P, (C_0, \dots, C_{n-1}, g^s, (h^{2^j})_{j=0}^{\nu-1}), \pi) = 1$.

3. PERFORMANCE

Recall that $\mathbb{F}_{p^\mu}$ is the Galois field extension of $\mathbb{F}_p$ (that is, $[p]$), defined as the quotient $\mathbb{F}_p[x]/P(x)$ of the polynomials in $x$ with coefficients in $\mathbb{F}_p$ divided by $P(x) = x^\mu - \omega$, for some fixed $\omega \in \mathbb{F}_p$ such that $P(x)$ is irreducible.

We represent elements $A \in \mathbb{F}_{p^\mu}$ by the coefficients $(a_i)_{i \in [\mu]}$ such that $A(x) = \sum_i a_i x^i$. Addition is just word-wise addition: $(a_i)_{i \in [\mu]} + (b_i)_{i \in [\mu]} = (a_i + b_i)_{i \in [\mu]}$. Multiplication is a linear combination of $\mu^2$ word multiplications:
$$(a_i)_{i \in [\mu]} * (b_j)_{j \in [\mu]} = \Big( \sum_{i+j=k} (a_i * b_j) + \sum_{i+j=k+\mu} (\omega * a_i * b_j) \Big)_{k \in [\mu]}.$$

We use $\mathbb{F}_{p^\mu}$ for Pedersen commitments, with exponents in $\mathbb{F}_q$. Fast exponentiation consists of $\nu - 1$ extended multiplications, where $h^r = \prod_{i \in [\nu]} h^{(2^i r_i)}$ and $r = \sum_i 2^i r_i$. Hence, computing $h^r$ and proving that each of the $h_i$ is either $1$ or $h^{(2^i)}$ takes $\mu^2 (2\nu - 1)$ word multiplications.

Where Pinocchio really shines is in the size of its proof and the cost of proof verification. Contrary to the almost prohibitive proof size of Strong RSA zerocoins of 50kB, the proof size of 344 bytes for Pinocchio zerocoins is comparable with existing bitcoin transactions.

4. DISCUSSION

This is only a very preliminary case study and we do not have a full implementation or security analysis yet. There is also one feature of the Zerocoin protocol that is not covered by our construction. The original Zerocoin construction allows signing a transaction string $R$ by using the Fiat-Shamir based proof system in signature of knowledge [CL06] mode. On the upside, the analysis of our protocol no longer relies on Random Oracles. Moreover, we are aware of three ways to extend our protocol: (i) compute $s$ as the hash of a public key and use the corresponding secret key to sign $R$; (ii) construct a signature of knowledge by using the techniques of [Har11] to make the proof simulation extractable; (iii) perform part of the proof using a Fiat-Shamir based proof system and fall back on the Random Oracle model to obtain signatures of knowledge.

We are excited about the potential of using a general-purpose verifiable computation protocol like Pinocchio for custom protocol design. Pinocchio already allows compiling arithmetic circuits from C-like programs. For instance, this makes it very easy to replace our commitment scheme $C = g^s h^r$ by another commitment scheme like $C = \mathrm{HMAC}(r, s)$, e.g. based on SHA-256. One could also imagine more complex spend protocols that involve multiple commitments, or commitments with a balance controlled by a scripting language akin to Bitcoin script.

5. REFERENCES

[CL06] Melissa Chase and Anna Lysyanskaya. On signatures of knowledge. In CRYPTO, 2006.

[GGPR13] Rosario Gennaro, Craig Gentry, Bryan Parno, and Mariana Raykova. Quadratic span programs and succinct NIZKs without PCPs. In EUROCRYPT, 2013.

[Har11] Kristiyan Haralambiev. Efficient cryptographic primitives for non-interactive zero-knowledge proofs and applications. PhD thesis, 2011.

[MGGR13] Ian Miers, Christina Garman, Matthew Green, and Aviel D. Rubin. Zerocoin: Anonymous distributed e-cash from bitcoin. In IEEE Symposium on Security and Privacy, 2013.

[PHGR13] Bryan Parno, Jon Howell, Craig Gentry, and Mariana Raykova. Pinocchio: Nearly practical verifiable computation. In IEEE Symposium on Security and Privacy, 2013.
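As an added worked example (not code from the paper or from the Pinocchio project), the following Python evaluates in the clear the witness relation of the Construction section over a toy extension field built with the multiplication rule of the Performance section: it shows exactly what the QAP constraints check (each $h_j$ is $1$ or $h^{(2^j)}$, $S \prod_j h_j$ is one of the logged coins), not how the SNARK proof is produced. The parameters $p = 11$, $\mu = 2$, $\omega = 2$, $g = x$, $h = 2x$ and $q = 20$ are constructed toy values, far too small for any real use.

```python
# Toy instance of the Pinocchio Coin commitment relation; all parameters constructed.
# p = 11, mu = 2, omega = 2 (x^2 - 2 is irreducible mod 11), so F_{p^mu} = F_121;
# g = x and h = 2x generate the same multiplicative subgroup of order q = 20.
P, MU, OMEGA = 11, 2, 2
ZERO, ONE = (0, 0), (1, 0)
G, H, Q = (0, 1), (0, 2), 20
NU = Q.bit_length()  # nu exponent bits, q < 2^nu

def fmul(a, b):
    """Multiply in F_p[x]/(x^mu - omega) with the paper's rule: coefficient k is
    sum_{i+j=k} a_i*b_j + omega * sum_{i+j=k+mu} a_i*b_j (mu^2 word products)."""
    out = [0] * MU
    for i in range(MU):
        for j in range(MU):
            if i + j < MU:
                out[i + j] = (out[i + j] + a[i] * b[j]) % P
            else:  # x^(i+j) = omega * x^(i+j-mu) because x^mu = omega
                out[i + j - MU] = (out[i + j - MU] + OMEGA * a[i] * b[j]) % P
    return tuple(out)

def fsub(a, b):
    return tuple((x - y) % P for x, y in zip(a, b))

def fpow(base, e):
    """Square-and-multiply exponentiation; exponents live in Z_q."""
    result = ONE
    for bit in bin(e % Q)[2:]:
        result = fmul(result, result)
        if bit == "1":
            result = fmul(result, base)
    return result

def mint(s, r):
    """Mint(): Pedersen commitment C = g^s * h^r in F_{p^mu}."""
    return fmul(fpow(G, s), fpow(H, r))

def spend_witness(r):
    """Spend(): the prover's secret witness h_j = h^(2^j * r_j) for the bits r_j of r."""
    return [fpow(H, (1 << j) * ((r >> j) & 1)) for j in range(NU)]

def relation_holds(coins, S, hs):
    """The constraints the QAP enforces, evaluated in the clear (no SNARK here):
    every h_j is 1 or h^(2^j), and S * prod_j h_j equals one of the logged coins."""
    for j, hj in enumerate(hs):
        if fmul(fsub(hj, ONE), fsub(hj, fpow(H, 1 << j))) != ZERO:
            return False
    C = S
    for hj in hs:
        C = fmul(C, hj)
    prod = ONE
    for Ci in coins:  # a field has no zero divisors: product is 0 iff C is in the list
        prod = fmul(prod, fsub(C, Ci))
    return prod == ZERO
```

A coin whose commitment is absent from the list, or a witness entry that is neither $1$ nor $h^{(2^j)}$, makes `relation_holds` return False, which is what a sound proof for this relation rules out.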
