-
Notifications
You must be signed in to change notification settings - Fork 1
/
how_zerocash_works.html
135 lines (106 loc) · 9.95 KB
/
how_zerocash_works.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>
How zerocash works | Zerocash
</title>
<meta name="description" content="">
<meta name="author" content="The Zerocash Team">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<!--[if lt IE 9]>
<script src="http://html5shim.googlecode.com/svn/trunk/html5.js"></script>
<![endif]-->
<link href="/media/css/bootstrap.min.css" rel="stylesheet">
<link href="/media/css/bootstrap-responsive.min.css" rel="stylesheet">
<link href="/media/css/style.css" rel="stylesheet">
<link href="/media/css/stickyfooter.css" rel="stylesheet">
<link href="/media/css/nav.css" rel="stylesheet">
<link href="/media/css/typography.css" rel="stylesheet">
<script>
var _gaq = [['_setAccount', 'UA-47912220-1'], ['_trackPageview']];
(function(d, t) {
var g = d.createElement(t),
s = d.getElementsByTagName(t)[0];
g.src = '//www.google-analytics.com/ga.js';
s.parentNode.insertBefore(g, s);
}(document, 'script'));
</script>
</head>
<body class="how_zerocash_works">
<div id="wrap"> <!-- Wrap for sticky footer -->
<div class="row-fluid">
<div class="span7 offset3">
<div class="navbar">
<a class="btn btn-navbar collapsed" data-align="left" data-toggle="collapse" data-target="#foobar">
<span class="icon-bar"></span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
</a>
<div class="nav-collapse" id="foobar">
<ul class="nav">
<li><a href="index">Overview</a></li><li class="active"><a href="how_zerocash_works">Technology</a></li><li><a href="q_and_a">Q and A</a></li><li><a href="paper">Paper</a></li><li><a href="talks_and_media">Talks & Media</a></li><li><a href="about_us">About Us</a></li></ul>
<div class="pull-right twitter-div" >
<a href="https://twitter.com/zerocashproject" class="twitter-follow-button" data-show-count="false" data-show-screen-name="false">Follow @zerocashproject</a>
<script>!function(d,s,id){var js,fjs=d.getElementsByTagName(s)[0],p=/^http:/.test(d.location)?'http':'https';if(!d.getElementById(id)){js=d.createElement(s);js.id=id;js.src=p+'://platform.twitter.com/widgets.js';fjs.parentNode.insertBefore(js,fjs);}}(document, 'script', 'twitter-wjs');</script>
</div>
</div>
</div>
</div>
</div>
<div class="row-fluid banner">
<div class="span6 offset3" />
<h1>
<a class="brand" href="index.html">
Zerocash
</a>
</h1>
</div>
</div>
<div class="row-fluid"> <div class="span6 offset3" style="margin-top: 1em; background-color: #e0e0ff; box-shadow: 4px 4px 2px #808080; padding-left: 1em; padding-right: 1em;">
The Zerocash protocol is being developed into a full-fledged digital currency, <a style="font-weight: bold;" href="http://z.cash/">Zcash</a>.
</div> </div> <div class="row-fluid">
<div class="span6 offset3">
<h1 id="how-zerocash-works">How Zerocash works</h1>
<p>Zerocash is a protocol that provides a decentralized crypto-currency in which, as in Bitcoin, users collaborate to maintain the currency by broadcasting and verifying payment <em><a href="https://en.bitcoin.it/wiki/Transaction">transactions</a></em>. Zerocash, however, differs from Bitcoin in how these payment transactions are assembled and then verified.</p>
<p>Concretely, in Bitcoin, a payment transaction consists of an origin address, destination address, and payment amount. These transactions are bundled into <em><a href="https://en.bitcoin.it/wiki/Blocks">blocks</a></em> and stored on a decentralized ledger called <em><a href="https://en.bitcoin.it/wiki/Block_chain">block chain</a></em>. Because the block chain is public, the history of all transactions can be viewed by anyone, via the Bitcoin software or by visiting any <a href="http://blockchain.info">block-chain monitoring service</a>. While addresses are not explicitly tied to users' real identities, several recent works have shown that the block chain can be mined to learn information about users' spending habits.</p>
<p>Zerocash extends Bitcoin's protocol by adding <em>new</em> types of transactions that provide a separate privacy-preserving currency, in which transactions reveal neither the payment's origin, destination, or amount. Zerocash creates a separate anonymous currency, existing alongside a (non-anonymous) base currency, which we refer to as <em>Basecoin</em>. Each user can convert (non-anonymous) basecoins into (anonymous) Zerocash coins, which we call <em>zerocoins</em>. Users can then send zerocoins to other users, and split or merge zerocoins they own in any way that preserves the total value. Users can also convert zerocoins back into basecoins, though in principle this is not necessary: all payments can be directly made in terms of zerocoins.</p>
<h3 id="zerocash-transactions">Zerocash transactions</h3>
<p>Zerocash's functionality is realized using just two new types of transactions: <em>mint transactions</em> and <em>pour transactions</em>. Like Bitcoin transactions, Zerocash transactions are broadcast and appended to a decentralized ledger.</p>
<p><strong>Mint transactions.</strong>
A mint transaction allows a user to convert a specified number of non-anonymous bitcoins (from some Bitcoin address) into the same number of zerocoins belonging to a specified Zerocash address. The mint transaction itself consists of a <a href="http://en.wikipedia.org/wiki/Commitment_scheme">cryptographic commitment</a> to a new coin, which specifies the coin's value, owner address, and (unique) serial number. The commitment is based on the <a href="http://en.wikipedia.org/wiki/SHA-2">SHA-256 hash function</a>, and hides both the coin's value and owner address.</p>
<p><img alt="" src="/media/images/construction-summary.png" title="Zerocash Mint transaction format. The Comm function is implemented using SHA-256. The coins are collected into a Merkle tree." /></p>
<p>Individual Zerocash nodes maintain a <a href="http://en.wikipedia.org/wiki/Merkle_tree">Merkle tree</a> over all of the coin commitments seen thus far. Any user can then demonstrate ownership of a coin commitment, via its decommitted values as well as a short witness of membership in the tree. Unfortunately, merely publishing this information as an "ownership proof" is not private; instead, to achieve privacy, we rely on a second type of transaction, which allows a user to prove, in <em>zero knowledge</em>, that he knows such information.</p>
<p><strong>Pour transactions.</strong>
A pour transaction allows a user to make a private payment, by consuming some number of coins (owned by this user) in order to produce new coins. Roughly, a pour transaction, for (up to) two input coins and (up to) two output coins, involves proving, in <a href="http://en.wikipedia.org/wiki/Zero-knowledge_proof">zero knowledge</a>, that:</p>
<ul>
<li>the user owns the two input coins;</li>
<li>each one of the input coins appears in some previous mint transaction or as the output coin of some previous pour transaction; and</li>
<li>the total value of the input coins equals the total value of the output coins.</li>
</ul>
<p>The pour transaction consumes the input coins by revealing their serial numbers, but does not reveal any other information such as the values of the input or output coins, or the addresses of their owners. Optionally, the pour transaction can also output some (non-anoymous) bitcoins. This last feature can be used to transfer zerocoins back into (non-anonymous) bitcoins or to pay transaction fees.</p>
<h3 id="verifying-zerocash-transactions">Verifying Zerocash transactions</h3>
<p>For a mint transaction, the commitment contained therein is constructed so that that anyone can verify that the committed coin has the claimed value.</p>
<p>For a pour transaction, anyone can verify that the zero-knowledge proof contained therein is valid (and that a few other simple invariants hold). For efficiency, however, Zerocash does not use "any" zero-knowledge proof, but leverages <em>zero-knowledge Succinct Non-interactive ARguments of Knowledge</em> (zk-SNARK) systems, which are zero-knowledge proofs that are particularly short and easy to verify. Specifically, Zerocash uses zk-SNARKs constructed by <a href="http://www.scipr-lab.org/">SCIPR Lab</a>, which are described in <a href="http://eprint.iacr.org/2013/879">BCTV14</a>; such proofs are less than 300 bytes long and can be verified in only a few milliseconds.</p>
<h3 id="more-details">More details</h3>
<p>See our technical <a href="paper">paper</a>!</p>
</div>
</div>
<div id="push"></div> <!-- for sticky footer-->
</div> <!-- / sticky footer wrap -->
<div id ="footer" class="row-fluid footer">
<div class="span6 offset3">
<!--
<p>Created by <a href="">The Zerocash Team</a> <a href="https://twitter.com/">@</a></p>
-->
</div>
</div>
<script src="//ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js"></script>
<script>window.jQuery || document.write('<script src="/media/js/libs/jquery-1.9.1.min.js">\x3C/script>')</script>
<script src="http://netdna.bootstrapcdn.com/twitter-bootstrap/2.3.2/js/bootstrap.min.js"></script>
<!--[if lt IE 7 ]>
<script src="/media/js/libs/dd_belatedpng.js"></script>
<script>DD_belatedPNG.fix('img, .png_bg'); // Fix any <img> or .png_bg bg-images. Also, please read goo.gl/mZiyb </script>
<![endif]-->
</body>
</html>