Zcoin is the first project to fully apply the Zerocoin Protocol, which fully protects users' privacy through zero-knowledge proof. Zcoin's feature is that casting technology is available. This means that if you want to send a coin or keep a personal book, you can use Zerocoin technology to make coins in public books a personal coin. These coins do not need to reveal the token owner at the time of the transfer and do not have transaction records left. This ensures that personal information is not fully traceable.
Zcoin: All About Znodes
What Is a Znode?Znodes are incentivized nodes that provide support for transactions. Given that Zerocoin transactions are computationally intensive and are relatively large, it makes sense to have a layer of high performance nodes that can verify and broadcast transactions efficiently and also store the blockchain. Znodes provide a strong support system for the network, providing resilience to the network.Znode Requirements· 1000 XZC· Server (virtual or otherwise) with fixed IP address· 1 GB RAM· Adequate storage capacity (~25 GB)Znode SpecificsA 1000 XZC stake is required for a Znode to operate. This stake is sent to a new address and held. However, this stake remains liquid. That is, you can access your stake at any time and transfer it immediately. You always keep full control over your stake. If you take your stake back, you simply lose the Znode status and become a regular node. There is no penalty assessed for doing so.Further, Znodes themselves do not hold funds. They hold a Znode key which allows you to start and stop your node. While you should keep your Znode key private, your coins are still safe if it were to be leaked. If leaked, one could only start or stop your Znode. However, going offline will cause you to lose your position in the payment queue.Any provider you choose for your Znode will not require your actual private key that corresponds to your funds. No funds need to be sent to the provider. The 1000 XZC collateral remains in your local wallet. As such, make sure to secure your wallet, where security involves confidentiality, integrity, and availability.Each Znode receives a portion of the block reward (30% of the block reward) as their reward for providing support for the network. The return on investment depends on how much of the supply is held in Znodes and the take up rate of the Znodes, where a larger number of active Znodes result in a lower return per Znode. Znodes are put into a queue for the reward. The time it takes to receive a payout depends on how many active Znodes exist. It is estimated that the first year will provide a return of 20–30% per annum based on approximately 50% of circulating coins being converted into Znodes.The team is exploring further possibilities of using this incentivized node layer which include scalability solutions. Another idea of Znodes is that in the future, Zerocoin processing can be delegated to the Znode layer in the event Zerocoin transactions reach a high volume and nodes can choose to trust the consensus reached by the Znodes instead of having to verify it themselves should they choose to do so.MotivationSpend Proofs. Currently, these are 25 kilobytes each. With the adoption of Sigma Protocol (slated for 2018 release), we should see this go down to about 2–3 kilobytes each. However, with the future in mind, having well paid incentivized nodes ensures that nodes will always be able to keep a full copy of the blockchain even if it grows significantly and especially when Zerocoin transactions will be always larger than regular transactions for the forseeable future.Verification of Zerocoin spend transactions: Zerocoin spend transactions are computationally intensive to verify and in the original paper was benchmarked to take around 0.5 seconds to verify per spend. As Zerocoin transactions become more popular, it is important that the majority of nodes are able to cope with such verifications at speed and incentivizing nodes means that better hardware. Our Zerocoin implementation allows parallelized verification meaning nodes with multiple cores can verify Zerocoin verifications much quicker. For e.g. a top end multiple core CPU like the i7–8700k can verify 100 Zerocoin spends in 8.26 seconds meaning each Zerocoin spend only takes 0.08 seconds. Providing an incentive for nodes allow those hosting nodes to afford better hardware to improve Zerocoin scalability.Services. In the future, these nodes will provide a layer for additional services.Znodes vs MasternodesMasternodes are the term by which other cryptocurrencies call what are similar to Znodes. However, there are a few technical differences which we will highlight:Mixing. Masternodes such as used in Dash generally support mixing of coins in order to provide anonymity. This, of course, requires trust in the Masternode. The Masternode sees all transactions coming in and can examine them, if it wishes, prior to providing anonymity. Znodes, however, do not require this trust. Using zero knowledge proofs, spend transactions can be verified as having a properly minted coin without knowing which mint it is. Privacy is preserved prior to entering the Znode. As such, you do not need to trust that the node will maintain your anonymity.Governance. Masternodes generally contain a governance system whereby those nodes provide a decentralized system of decision-making. Our opinion is that the current way it is implemented in Dash allows too much centralization of decision making in large masternode holders. At this time, Zcoin does not implement any governance system within Znodes though the team are exploring ways that this can be done in a fairer manner.Wrapping UpZnodes provide a foundation of strength for the network, supporting necessary operations and reducing load on others. In doing so, Znodes are granted a substantial reward. Further, Znodes provide a layer upon which to build features in the future.For more information on Znodes visit https://zcoin.io/znodes/https://youtu.be/sJJv91C3hZE
18. 04. 04
Zcoin: Merkle Tree Proof, v...
IntroductionMerkle Tree Proof (MTP) is a Proof-of-Work algorithm designed by Alex Biryukov and Dmitry Khovratovich and detailed in the initial version of their paper, Egalitarian Computing (MTPv1). The same duo also designed another Proof-of-Work algorithm, Equihash. MTP is their effort to improve upon Equihash.MTP was designed to provide a fairer and more democratic process. It was designed to be closer to the initial intention presented by Satoshi Nakamoto in his landmark Bitcoin paper as “one-cpu-one-vote”.The development of ASICS that far outpaced any CPU or GPU lead to miner centralization where only a handful of companies that could produce these ASICS effectively controlled the supply of new hashrate to a coin. Several past attempts have been made at building ASIC resistance which involved chaining several algorithms together (such as x11) or involving a little memory (such as Scrypt which uses 128kb) both which have failed to provide true ASIC resistance.In fact, on March 11th, 2018 an ASIC manufacturing company announced the development of miners for “ASIC resistant” using the CryptoNight and CryptoNight algorithms.MTP aims to solve this issue by introducing memory-hardness on a different scale. Finding a solution is difficult and requires lots of memory. In Zcoin’s reference implementation, 2 GB of RAM are used. MTP can use up to 10 GB of RAM, if elected. However, unlike previous memory hard algorithms, verification is extremely quick and requires little memory, which helps protect against Denial-of-Service attacks on verifiers.The huge memory requirement also helps mitigate the risk of botnets as the infected system would be more likely to notice any abnormalities caused by mining due to the increased memory load.Zcoin was ready to implement MTP in August 2017, but a vulnerability was found and they put off implementation while waiting upon the designers to release an update paper that addressed any attacks found. Further, Zcoin funded a bounty to help find any additional attacks on MTP.Attacks on MTP v1From the challenge bounty that Zcoin started and funded, a total of five submissions were accepted spanning the MTP paper itself and implementation issues. Four submissions came from Marc Bevand and one submission came from Fabien Coelho and Hidetoshi. Listed below are the submissions for each party. These submissions can also be viewed in their entirety on the dedicated page of Zcoin’s GitHub wiki, MTP Audit and Implementation Bounty Submissions.Fabien Coelho and Hidetoshi1. Parallel searches using transposed search hardwareMarc Bevand1. Argon2 Segment Sharing2. Location in Merkle tree not verified3. 1/3rd of openings not verified4. Time-memory trade-off with 1/16th the memory, 2.88× the timeBevand’s second attack (above) was submitted under the Audit portion of the bounty. Upon review, a judge declared that the attack was not considered a flaw in the paper but a point not touched upon instead. As such, the judge ruled that it would be considered an implementation bug instead and accepted it under the Implementation portion of the bounty.MTP v1.2With these new attacks and bugs in mind, it was time to fix these issues in MTP before Zcoin implemented it. At the beginning of 2018, Biryukov and Khovratovich released an updated version of the paper Egalitarian Computing in which the issues found in MTP were fixed.At the end of the paper, after the references, a new section can be found, Difference to the Original MTP. Its contents are reproduced below, detailing what has been fixed from MTPv1 to MTPv1.2.The Argon2 compression function is moified where 3 16-byte blocks of its intermediate block R are replaced with the block index i and input hash H0.The Merkle tree opening for X[ij] is now included, though the block itself doesn’t need to be included, since it is computed from the blocks (X[φ(ij)],X[ij −1]). Opening the paths of X[ij-1] and X[ij] share most of the nodes, which can be used by efficient implementation;The positions of opened blocks are now included in the proof and are verified;4-round Blake2 is used in the Merkle tree generation;New “skewed blocks” attack strategy is presented in Sect. 4.2. However it does not effect the security parameter recommendations for MTP-Argon2, while it might effect other other MTP-based PoWs such as Itsuku.ConclusionWith these fixes implemented, Zcoin is now ready to begin implementing MTP. While it is a bit later than its originally scheduled 2017 release, the team wanted to make sure that this would be done correctly and securely. In a YouTube video featuring Chief Operations Officer of Zcoin, Reuben Yap, then community manager, he stated that they’ve already begun using their existing MTPv1 code and are adapting it to comply with MTPv1.2, with an estimated release date at the end of Q2 2018. Also of note is that a potential alternative, Itsuku, will not be used at this time with Zcoin due to its drawbacks highlighted in the paper.
18. 03. 15
我们很高兴的宣布，Zcoin发布了新版本0.13.5.7 “French Drop”。新版本是Zcoin底层技术固化和隐私保护升级的重要里程碑。“French Drop” 取名源于经典硬币魔术，以此象征零知识证明背后的复杂算法和技术。零币协议代码升级我们对零币协议的执行代码进行了全面更新，包括对原始零币协议代码库的安全修复并对其就行了巨大的性能改进，使得零币协议能够更顺畅的工作，同时也使我们的代码更容易被审查。这是Zcoin团队几个月的辛勤工作结晶。具体更新内容包括:重建索引速度提高7–8倍最优化增量累加器，提高使用较大体积的累加器熔铸和取回的速度增加了额外的数据以缩短取回硬币的验证时间整合零币协议功能到块状索引中，以优化货币性能通过重组数据和只存储个人用户熔铸的数据，减小钱包.dat的大小解决wallet.dat和索引不同步的问题通过消除非确定性状况，改善稳定性安全修复这次安全更新需要在区块78500上硬分叉实现。因此我们强烈建议用户尽快更新。新版本零币协议方案会修复几个潜在的安全漏洞，因此硬分叉不可避免。同时，我们也强烈建议用户取回使用钱包已熔铸掉但还未取回的硬币，避免在新版本丢失它们。我们很确定的相信，通过这次代码升级，Zcoin会成为市场上最具优势的零币协议应用。接下来，Zcoin团队会进一步增强用户使用的便利性和易操作性，用户将可以自主选择合适的面值。我们也会对面值和收费结构进行研究设计，以方便用户通使用零币协议进行匿名交易。TOR整合我们整合TOR到钱包中，用户只需简单点击便可以启用TOR，而此前需要单独的安装和设置才可以在Zcoin中使用TOR。Zcoin对TOR的整合还包括TOR流分离，也就是说钱包的每个链接都是通关过单独的TOR回路并且引用不同的IP地址。TOR的整合更好的保护了用户的IP地址，同时用户在Zcoin交易时也不再需要额外的安装。更多关于TOR发布和相关优势的信息，可以观看以下视频介绍。安装和更新的注意事项在更新之前，用户请备份钱包.dat。要注意的是，一旦进行了更新，钱包.dat会被重置为新的设置，新设置和以前的Zcoin版本不兼容。在这一次性的索引重建之后，用户便可以使用新索引和新版本钱包。我们也强烈建议用户取回使用钱包已熔铸掉但还未取回的硬币，尽快更新到性能优化和安全隐私升级的新零币协议方案。https://zcoin.io
18. 03. 13
The Privacy Advantages of Z...
Zcoin is a privacy-centric cryptocurrency based on the Zerocoin protocol, developed by Johns Hopkins University cryptographer Matthew D. Green, Ian Miers, Christina Garman and Aviel D. Rubin Being privacy-centric, Zcoin has a number of features that help to enhance or protect one’s privacy as they perform transactions, including: strong, tested encryption; having an auditable supply; a larger anonymity set; and zero knowledge proofs.No Tumblers/Mixers or Ring SignaturesTumblers, also known as mixers, attempt to provide privacy by distorting and potentially severing the link between transactions. Through a process known by various names as ‘tumbling’, ‘coinjoin’, ‘coin shuffling’, ‘fog’, and so on, coins are gathered from multiple sources and mixed together, creating obfuscation. This process could be roughly visualized as shuffling a deck of cards where one card was your transaction.When tumblers mix coins from various transactions together to create anonymity, each source gets back the same amount of coins that they put in. However, the coins they receive may or may not be the exact coins they put in. When mixers are involved, (1) you must trust the mixer to be honest and (2) the mixer must be online. If the mixer is not online, no mixing can be done. This removes an element of privacy protection.Mixing can be implemented in two ways: active or passive. Active mixing, as done in DASH’s PrivateSend, requires that 1. all parties are actively involved and intend to participate in the mixing process and 2. that there is enough liquidity. That is, it is a manual process that requires user intervention. Passive mixing, as done in Monero or AEON, as done automatically. One implementation of passive mixing is the usage of ring signatures, as used in Monero. However, the ring size limits the anonymity set. The effectiveness of mixers as it relates to anonymity is directly proportional to their usage. Zcoin, on the other hand, does not require the usage of a mixer or ring signatures. Zcoin has implemented Zerocoin anonymity at a protocol level to make the above features unnecessary.Anonymity SetZcoin utilizes a process of minting and spending. Through this process, an individual burns up a set of coins (in specific denominations with current limitations) to mint coins. These new coins — Zerocoins — can then be used in a spend transaction to convert them back into the base coin. These new base coins appear as brand new coins, similar to freshly mined coins with no previous transaction history. They hold no technical link to the initial coins you burned up in the minting process. As such, the transactions are rendered anonymous.In other cryptocurrencies, the anonymity set can be limited by how many people you mix with or how many people with which you form a ring. However, the anonymity set in Zcoin is based on the number of people who have performed a mint of a particular amount and is an ever increasing amount which can scale into the many thousands as opposed to mixing solutions which are typically limited to a couple of dozen. This level of anonymity is realized instantaneously. This causes Zcoin’s anonymity set to scale far beyond other coins.However, timing could potentially de-anonymize the process. For example, if you always immediately do a Zerocoin spend after a mint with regularity, that pattern could be observed and analyzed to discern which transactions correspond to a prior mint. Therefore, it is advised to mint in advance of planned spend and to let time elapse before spending.Auditable SupplyZcoin has an auditable supply and this has been tested. Without this feature, forged coins cannot be detected in other coins such as in Zcash or Hush. Forgery of coins may occur if a trusted setup is broken, a flaw in cryptography is found or if there’s an implementation bug. Combined with the use of experimental cryptography and a controversial trusted setup in Zcash, this compounds the risk.EncryptionZcoin utilizes RSA accumulators. RSA, having been around for decades, has seen thorough review and usage throughout industry, such as in financial applications. Other currencies use less suitable encryption that is not as widely used, reviewed, or tested. Additionally, the Zerocoin paper is frequently cited by academics and cryptographic schemes underpinning the technology peer-reviewed.For example, Zcash uses zk-SNARKs. Zk-SNARKs is an experimental cryptography that uses arguably weak cryptographic assumptions and generates private transactions significantly slower than alternatives. Further, given that Zcash does not have an auditable supply, any breaks in the chain related to this experimental cryptography cannot be detected.An example of what happens when thoroughly tested cryptography is not used is the case of IOTA in the latter half of 2017. A group of individuals discovered that the developers implemented their own hash function. This function produced collisions that allowed forgery of signatures on payments.Trusted SetupCurrently, Zcoin uses a trusted set up meaning certain initial parameters need to be generated and then destroyed. Leakage of these parameters can allow forgery of coins. Zcoin’s trusted setup uses parameters from the RSA Factoring Challenge in 1991, where special care was taken to destroy the initial parameters. Zcoin plans to eliminate trusted setup with the implementation of the Sigma protocol of which a proof of concept library is already functional while coding continues.Zcash, based on the Zerocash protocol and also developed by the same Matthew D. Green is a separate project that he moved onto after developing the Zerocoin protocol. Zcash, on the other hand, uses a multi-party ceremony to generate the parameters for its trusted setup. At this time, Zcash is considering a replacement for the trusted setup with zkSTARKs.An important difference between the trusted setup for Zcoin and Zcash is that for Zcoin, the trusted setup was done completely by third parties (meaning that even the Zcoin developers cannot know the initial parameters) and was from a purely academic challenge meant to test the practical difficulty of cracking RSA cryptography. This was further strengthened by a USD $200,000 bounty to find those RSA Factoring challenge parameters which remained unclaimed and to date, to the best of our knowledge, has not been broken. As such, the incentive for secretly keeping the initial parameters are a lot lower compared to Zcash’s trusted setup which was done solely for the creation of Zcash.Summing UpZcoin implements several of the most advanced technologies to help prevent information leakage and ensure privacy. Through tested encryption, an auditable supply, and privacy mechanisms, such as a large anonymity set and zero-knowledge proofs, Zcoin helps to ensure security, integrity of supply, and preserve privacy on the network.For more information on Zcoin and where to buy it, go to http://zcoin.ioFollow us on Twitter https://twitter.com/zcoinofficialFollow us on Instagram https://www.instagram.com/zcoinofficial/Join our Discord here https://discordapp.com/invite/4FjnQ2q
18. 02. 24
Zcoin: Blockchain and IP Ad...
What is an IP address?An Internet Protocol (IP) address can be thought of like your home address. It uniquely identifies you on the Internet. When someone wants to send you a piece of mail or a package, they send it to your home address (or any other physical address you want to receive mail at). Similarly, if anyone wants to send you some data over the Internet–music, video, programs, websites, et cetera–they need a way to reach you. That’s where your IP address comes in.You also use IP addresses to navigate the Internet. Instead, though, the Domain Name System (DNS) helps out. Instead of typing 22.214.171.124, you type google.com. DNS translates human-readable forms, like google.com, into the hard to remember IP addresses where those servers reside. Say you have a friend, John. Instead of telling your other friends to go to 1234 Main Street, New York, NY every time, you just tell them to go to John’s house. Everyone automatically translates that simple request into John’s known address. (As a side note, Google maintains a large number of IP addresses. The IP address mentioned above is not the only way to reach their website.)Internet Service Providers (ISPs) negotiate the flow of data between your device and the Internet. They are gatekeepers, essentially. Considering that they control the route, they are also able to see all traffic that passes through that route. When using plain HTTP, data is sent over the network in plaintext (not encrypted). When sent over HTTPS, the data is encrypted and then sent over the network. This prevents the ISP from easily looking at what you’re sending. Additionally, an ISP has plenty of personally identifying information on you considering they require it for you to sign up for their services, including name, address, and banking information.How does it relate to a transaction on Zcoin?Zcoin transactions do not contain IP addresses. Bitcoin, and its derivatives, operate in the same fashion.A transaction contains:· the amount· sending addresses· receiving addressesWhy, then, is it recommended to hide your IP address for transactions?When transactions are created and sent, it is merely relayed across the entire network. This can be done by a method of trickling or diffusion, which we’ll discuss later. In either event, a motivated adversary with access to a node that connects to most other nodes in the network can gather, record, and analyze the transaction data in order to piece together where a transaction may have originated from. That is, this adversary may be able to follow the graph of data and identify the source IP address of the given transaction. As Dan Kaminsky notes in his Black Hat USA 2011 talk, Black Ops of TCP/IP 2011, “[when] you’re connected to every node, the first node to inform you of a transaction is the source of it.” Giulia Fanti and Pramod Viswanath show in Deanonymization in the Bitcoin P2P Network that such deanonymization occurs with up to 30% accuracy.While diffusion attempts to help protect against this by delaying the relaying of transactions, it does not offer much more anonymity than its predecessor, trickling. As Fanti and Viswanath summarize, “trickle and diffusion have similar probabilities of detection.”However, hiding your IP address can help in preserving your privacy. One such method of doing such is by using Tor, which we’ll discuss next. Even if analysis by an adversary as depicted above occurs and the source IP address is discovered, your real IP address is still safe.As Gavin Andreson is quoted as saying in Kaminsky’s talk:Unless you are very careful in the way you use Bitcoin (and you have the technical know-how to use it with other anonymizing technologies like Tor or i2p), you should assume that a persistent, motivated attacker will be able to associate your IP address with your bitcoin transactions.What is Tor (The Onion Router)Tor provides a level of privacy by routing your network traffic through “a series of virtual tunnels.” Instead of directly connecting to a website, your traffic travels through these tunnels to the destination. Your traffic follows a random sequence through Tor relays to route your traffic. Additionally, the pathway you take is not known in its entirety to others.When data is passed off to a relay, that relay only knows the relay that gave it the data and the next relay it is giving the data to. That is, a given relay only knows about its immediate neighbors and nothing about the remainder of the route. There are new encryption keys used for each hop to ensure that a given hop cannot trace any connections through identical keys.Traffic analysis is unable to generate a link between the source and destination due to the visibility from each relay. Further, the same circuit is used for all connections that occur within the same ten minutes. Additional requests use a new circuit, stopping anyone from linking previous requests.In terms of cryptocurrency transactions, this means that the motivated adversary from before will be unable to determine the source IP address as the IP address they will see will be one from the virtual tunnels, not yours.Zcoin has had full TOR support for quite some time and now with the most recent version of the release, it will be easier for casual users to switch on and off.Why blockchain privacy is important and not just IP address protectionIn Deanonymisation of Clients in Bitcoin P2P Network, Alex Biryukov, Dmitry Khovratovich, and Ivan Pustogarov explain, “We demonstrate that the use of Tor does not rule out the attack as Tor connections can be prohibited for the entire network.” This means that IP address protection is not the only thing that matters. Rather, blockchain privacy must be built in to ensure privacy as well.Several problems plague cryptocurrencies that don’t implement blockchain privacy:Multi-input transactions. When there isn’t enough of a given coin in a given address, wallets can combine the coins in multiple addresses in your wallet in order to satisfy the payment. Considering that this only works with addresses that are in your wallet, this shows that multiple addresses are grouped in one wallet when viewing transaction data. If a single address that is part of a multi-input transactions is linked to an identity, then they all become linked to that identity.Building on the idea of multiple inputs, multiple outputs can also erode privacy. Change addresses are generated to collect the change of a transaction. Think of it like inserting $2 into a vending machine for a bag of chips that cost $1.25. The vending machine returns $0.75. In Bitcoin, though, you’ll be getting the change in a new address. While this is done in the interest of user privacy, it can also be used to link a single change address to multiple addresses that were used for the input. It then follows that they can all be linked together if a single address is tied to an identity.Exchanges. To combat money laundering of fiat currencies, exchanges are required to collect information about you. They also provide an address for your account to use. Considering that this address will be the intermediary between the fiat currency and cryptocurrency, it could reveal your identity once you deposit or withdraw from the exchange.General linkage. Some people put their Bitcoin address on their blog that may use their true identity. That address is then already linked to their identity.An important aspect of Zcoin is in its solution to blockchain privacy through the implementation of the Zerocoin protocol. With Zerocoin, the user is able to “burn” coins to create brand new coins for spending later — effectively severing the link between them.What’s next?There is ongoing research as to how to improve the privacy of cryptocurrencies. Dandelion has garnered support in the Bitcoin community and Zcoin is looking at it as a potential solution. Dandelion works by implementing asymmetry whereby a transaction is initially relayed normally. It then takes a change from the traditional approach by then being broadcast by a node down the line; that is, the source node is not the one that broadcasts the transactions to the entire network. This process and its resultant pattern ends up looking like a dandelion and makes it more difficult to determine the source than trickling or diffusion. Sigma and EZC research is also underway. In the mid-term, Zcoin will be releasing MTPv2, BIP47 for stealth addresses and a decentralized mixer for Ethereum.For more information on Zcoin and where to buy it, go to http://zcoin.ioFollow us on Twitter https://twitter.com/zcoinofficial and Instagram https://www.instagram.com/zcoinofficial/Join our Discord here https://discordapp.com/invite/4FjnQ2q
18. 02. 18