This Cryptocurrency Could Be an Answer to Bitcoin’s Privacy Problems

This story is a companion to the May 23rd SciFri segment “Customizing Your Currency With Altcoins” and the February 28th segment “Making Sense Out of Bitcoin.”

In 2011, at the very first Bitcoin conference in New York City, Jeff Garzik, one of the core developers of the Bitcoin software, stood before an audience of about 40 cryptocurrency enthusiasts and told them something that no one in the room wanted to hear. “Sorry,” he declared. “Bitcoins aren’t anonymous. [The currency] is more private and more anonymous than your credit card or PayPal. But it is less private and less anonymous than just face-to-face cash transactions.”

Whether they cared to admit it, everyone in the audience probably already knew the truth—that each transaction on the Bitcoin network is indelibly recorded on a public ledger for anyone to see, and that this transparency is, in fact, central to Bitcoin’s security strategy. Remove it, and Bitcoin is vulnerable to fraudulent transactions and counterfeiting. Those who were dissatisfied with this trade-off—personal privacy, in return for security—have since implemented various imperfect workarounds. Eventually, there could be an alternative: an entirely new currency called ZeroCash, which promises to provide true anonymity to its users.

Matthew Green, a professor at Johns Hopkins University's Information Security Institute, is part of the brains behind ZeroCash. He first started working on it not as a stand-alone currency, however, but as a possible add-on to the Bitcoin software, which he also considers to have significant weaknesses with regard to privacy. “That is where Bitcoin falls down,” says Green. “That is where Bitcoin needs to be fixed.”

Green first proposed a fix to Bitcoin in a presentation last year in San Jose, California. His solution entailed pooling people’s bitcoins, tossing them around, and allowing users to pull out a new random set with a completely different transaction history.

The concept isn’t entirely new. Various third-party mixing services are already available where Bitcoiners can randomly swap coins with other people in real time. The problem with existing services, however, is that users can only swap with others who happen to be online at the same time. Moreover, everyone must trust that whoever is running the service will not also run off with their bitcoins.

Green wanted to avoid both obstacles by integrating a mixing service into Bitcoin itself. To do so, he proposed adding a new, ephemeral token to the software. Essentially, this would be the receipt that a user would get after throwing a bitcoin into the communal pot. Show the receipt, and you would receive a different bitcoin than the one you had. The trick, or the crypto “magic,” as Green calls it, is that this receipt would bear no identifying information. By redeeming your receipt, you’d prove that you did in fact throw your bitcoin into the pot, but you would never reveal which one it was.
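The receipt idea described above, as an added sketch that is not from the article or from the ZeroCash design: a deposit is a Pedersen commitment to a secret serial number, and redeeming reveals the serial with a 1-of-n Schnorr OR-proof that some commitment in the pot hides it. The function names, the generators and the demo-size group are assumptions made for this example, and the OR-proof is a simple stand-in whose size grows with the pot.

```python
import hashlib, secrets

# Demo group (assumption): 768-bit safe prime from RFC 2409, too small for real use.
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
Q = (P - 1) // 2      # prime order of the subgroup of squares
G, H = 4, 9           # two squares; assumes nobody knows log_G(H)

def challenge(*parts):
    """Fiat-Shamir challenge bound to the serial, the pot and the commitments."""
    data = "|".join(map(str, parts)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def mint():
    """Deposit: only the commitment is published; (serial, r) is the receipt."""
    serial, r = secrets.randbelow(Q), secrets.randbelow(Q)
    return pow(G, serial, P) * pow(H, r, P) % P, (serial, r)

def targets(pot, serial):
    """cm / G^serial for each pot entry; equals H^r only for the right coin."""
    return [cm * pow(G, -serial, P) % P for cm in pot]

def redeem(pot, j, receipt):
    """Reveal the serial and prove some pot entry commits to it, hiding j."""
    serial, r = receipt
    ys, n = targets(pot, serial), len(pot)
    cs = [secrets.randbelow(Q) for _ in range(n)]
    zs = [secrets.randbelow(Q) for _ in range(n)]
    # Simulated transcripts for every decoy entry, a real one for entry j.
    ts = [pow(H, zs[i], P) * pow(ys[i], -cs[i], P) % P for i in range(n)]
    k = secrets.randbelow(Q)
    ts[j] = pow(H, k, P)
    cs[j] = (challenge(serial, pot, ts) - sum(cs[:j] + cs[j + 1:])) % Q
    zs[j] = (k + cs[j] * r) % Q
    return serial, ts, cs, zs

def verify(pot, spent, proof):
    """Accept once per serial, and only if the OR-proof checks out."""
    serial, ts, cs, zs = proof
    if serial in spent or sum(cs) % Q != challenge(serial, pot, ts):
        return False
    ok = all(pow(H, z, P) == t * pow(y, c, P) % P
             for y, t, c, z in zip(targets(pot, serial), ts, cs, zs))
    if ok:
        spent.add(serial)   # a second redemption of this receipt is rejected
    return ok
```

The verifier never learns `j`: every entry of the pot has a transcript that checks out, and only the sum of the per-entry challenges is forced by the hash.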

When Green presented his idea—at the time, he called it ZeroCoin—in San Jose, the Bitcoin community seemed interested, maybe even impressed. But they certainly weren’t sold. The concept was evidently too experimental for their taste. Mike Hearn, one of the core Bitcoin developers, called it “academic.” Others thought it would exacerbate Bitcoin’s already burgeoning problems with storage space. (In order for the Bitcoin ledger to remain public, a peer-to-peer network must collectively store it, even as it grows. For more on how Bitcoin works, check out this SciFri segment.) “The original proposal had serious scaling problems, and was untenable long-term,” says Garzik.

But Green suspects that some in the Bitcoin community got skittish about what would happen to the currency’s image if it provided complete anonymity. “Nobody said this to us, but I think there’s also a political reason, which is that Bitcoin was just finally getting respect from regulators,” says Green. “The last thing you want to do is mess with that by going and saying, ‘Hey, anonymous currency is something we care about.’”

After teaming with a group of cryptographers from MIT, the Israel Institute of Technology, and Tel Aviv University, Green ditched the idea of integrating his idea into Bitcoin. “I remember specifically,” he says, “We sat down and said, ‘Wait a second, why are we even bothering with this Bitcoin stuff to begin with? Let’s just throw it away.’”

They instead reimagined ZeroCoin as an independent cryptocurrency and changed the name to ZeroCash. When it launches, it will join the ranks of hundreds of other Bitcoin lookalikes, or “altcoins,” as they’re called. (For more on altcoins, listen to this SciFri segment.)

Like Bitcoin, ZeroCash has a traceable base currency. It also has a mixing service that will exchange the currency for anonymous receipts, as Green had originally envisioned. What’s new is that the receipts themselves will also act as transferrable coins, which users will be able to divide, merge, or pay to other people. In essence, a ZeroCash user can “do everything you ever wanted to do in a completely anonymous fashion,” says Green. “The only information that makes it into the [public ledger] is the fact that a transaction occurred.” Should you want to make a traceable purchase, you can always redeem the receipt and spend the equivalent amount in the base currency.

ZeroCash is certainly more experimental than what Bitcoin founder Satoshi Nakamoto used, and it will take some vetting from cryptographers before the design can be fully trusted, says Green. As an indication of what could go wrong, Bitcoin itself had a rocky first year. In August of 2010, someone used a bug in the code to create billions of new Bitcoins out of the blue. While a breach such as this is immediately apparent in Bitcoin (this particular one was spotted and fixed within hours), the same attack would be much more difficult to spot in ZeroCash, because the ledger tracks encrypted coins.

Although Green is hesitant to set a firm date on when ZeroCash will launch, he plans to present a peer-reviewed paper about it on May 20th at the IEEE Symposium on Security and Privacy. When ZeroCash makes its public debut, it will be a test drive more than anything. “It’s totally possible this thing will blow up. It’s totally possible people will find a vulnerability,” says Green. “I’d like it to come out in a responsible way and be tested.”

UPDATE: Read Green's peer-reviewed paper on ZeroCash here.
