Zerocoin Protocol Flaws - Reading Assignment

Read a history of flaws in the Zerocoin Protocol. Answer the questions and post your answers below:

1. What are the stated advantages and disadvantages of Zerocash with respect to Zerocoin?
2. In 2019, four of the eight major Zerocoin implementations switched from Zerocoin protocol to what?
3. What was the technical cause behind the 2017 “fake spend” incident?
4. Explain the different responses by Zcoin, PIVX and Veil to the 2019 attack on the Zerocoin core protocol.

1. Zerocash was better in terms of efficiency and privacy, thanks to smaller proof size, faster verification and added encryption. However, it was less performing because balances are hidden (so it is not possible to audit the total supply), less testing in the cryptographic system and higher time to generate a private transaction (because of the intensity of the computational process).
2. They switched to Sigma, another proof of knowledge based protocol thanks to which “the prover can not only prove the knowledge of the discrete logarithm, but also that the discrete logarithm is of a specific form”. It has an impact because it removes the trusted setup, reduces the proof size from 25 kB to 1.5 kB and improves security.
3. A typo (mistake in writing, in this case an error within the code) in the source code that allowed to mint additional ZCoins.
4. ZCoin reacted by frozing the funds within the accumulator waiting for Sigma release, preventing both spending and minting.
   PIVX disabled minting but kept spending possible by relying on Schnorr Signatures to prevent further vulnerability exposure.
   Veil deactivated Zerocoin’s anonymizing feature and replaced the zk-proof with a single signature, trying to solve the issue. However, it didn’t work and they worked with exchanges to prevent transactions as well as working directly on the blockchain to restore the “true” balances.

1.Zerocoin is a proposed extension on Bitcoin to make Bitcoin more private. Zerocoin only hides the origin of a payment, the destination and amounts are still public.
Zerocash is a further extension of the zerocoin protocol which hides the destination and amounts. Zerocash transactions are more compact than zerocoin transactions.

2 They switched to Sigma for * Removal of trusted setup
Reduction of proof size from 25 kB to 1.5 kB
Improved Security

3. In 2017, an incident occurred, a few months after ZCoin revealed that a typo in its source-code was exploited to mint 370,000 additional ZCoins
   Following this 2017 incident, ZCoin teams that 18,171 coins were generated through this exploit. Specifically, someone was capable of generating fake spends, hence inflating the supply of ZCoin.

4.Zcoin As an urgent fix, the team decided to disable zerocoin mints and prevent any zerocoin spend to be conducted . Hence, they effectively froze the funds in the accumulator until the release of Sigma.

Following the end of the window to convert the zerocoin on January 20th, the total damage from the attack was assessed: a total of 66,996 XZC was forged through this vulnerability.
Owing to a specific signature from the attack, the team was also able to blacklist some mints , hence preventing the attackers from converting some zerocoins into Sigma mints.

PIVX
As a response to the incident described in subsection 2.1.3, the PIVX team had deactivated the privacy features from Zerocoin, through a spork. Since then, zerocoins have been used in a public mode i.e., in a similar fashion as normal UTXO transactions .

Specifically, zerocoin minting has been disabled while zerocoin spending remains enabled (with full links to the original basecoin). Furthermore, the team relies on Schnorr Signatures to ensure that zerocoins could be spent back to basecoins, without any exposure to the pre-existing vulnerability.

Veil: Following the flaw discovery by [ZCoin on April 17th 2019] the Veil team decided to deactivate the anonymizing feature from the Zerocoin protocol. It initially prevented the attack from being conducted on the Veil chain.
Unfortunately, the attack “evolved", and the initial fix did not protect attackers from stealing funds from the accumulator. As an urgent solution, Veil’s team decided to:

• Work with exchanges: withdrawals & deposits were suspended to prevent any transaction on the network, which could lead to substantial loss of funds.
• Return to a “true” state by adding back stolen balances to the zerocoin pools and ban the remaining zerocoins that had not been shuffled with RingCT.

1. What are the stated advantages and disadvantages of Zerocash with respect to Zerocoin?

   Advantages
   ◦ Smaller proof size
   ◦ Faster Verification
   ◦ Enhanced Privacy

Disadvantages
◦ Lack of Accountability of its total supply
◦ Less testing in its underlying cryptography
◦ The time to generate a private transaction locally is high owing to its computationally intensive process

2. In 2019, four of the eight major Zerocoin implementations switched from Zerocoin protocol to what?

   Sigma
   

3. What was the technical cause behind the 2017 “fake spend” incident?

Denial-of-spending attack

The attack would work as follows:

• An honest user wants to spend his zerocoin and sends the spend transaction (including the serial number) to the network.

• Meanwhile, the attacker, who needs control over his target victim’s network, now intercepts the spending message to make sure it never reaches the nodes of the network. Afterward, the attacker mints a new malicious zerocoin with the exact same serial number. By doing so, the attacker is able to spend this zerocoin by revealing the correct serial number.

• Following this initial spend by the malicious user, if the honest individual attempted to spend his zerocoin, the transaction would be rejected by the network and considered as a double-spending attempt due to the earlier malicious spend.

As a result, the malicious user would burn the zerocoin ahead of the honest user, usurping the new, “no-history" coins of the honest user.

4. Explain the different responses by Zcoin, PIVX and Veil to the 2019 attack on the Zerocoin core protocol.

Zcoin officially removed the Zerocoin protocol and replaced it with Sigma.

PIVX deactivated the privacy features from Zerocoin

Veil deactivated the anonymizing feature from the Zerocoin protocol

1. What are the stated advantages and disadvantages of Zerocash with respect to Zerocoin?
   Advantages: efficiency improvements (smaller proof size and faster verification) and enhanced privacy (added encryption of the ammount, sender and receiver).
   Disadvantages: lack of auditability of its total supply (balances are hidden), lest testing in its underlayinf cryptography (zkSNARKs) and higher time to generate a private transaction (computationally intensive process).

2. In 2019, four of the eight major Zerocoin implementations switched from Zerocoin protocol to what?
   ZCoin, Noir, GravityCoin and NIX move to Sigma.

3. What was the technical cause behind the 2017 “fake spend” incident?
   A typo (typographical error) in the source code.

4. Explain the different responses by Zcoin, PIVX and Veil to the 2019 attack on the Zerocoin core protocol.
   Zcoin: as urgent fix disable zerocoin mints and prevent any zerocoin spend to be conducted, in July 2019 remove Zerocoin protocol and replace it by Sigma, and then introduce a feature to “remint” zerocoins.
   PIVX: deactivated privacy features from Zerocoin, disabling minting (Zerocoin spending remains enabled); the team relies on Schnoor Signatures to ensure that zerocoins could be spent back to basecoins. At he beginnig of 2020 PoS Time Protocol V2, a hard fork that allows Cold Staking.
   Veil: deactivate the anonymizing feature from Zerocoin, did not work, so they had to work with exchanges and return to a “true” state by adding back stolen balances to zerocoin pools. Disable zero-knowledge proof (minting and issuing zerocoins were not disabled). In the medium/long term Veil will adjust the emission schedule and accelerate its departure from Zerocoin protocol. The most prominent solution to consider has been RingCT staking, in order to stake anonymously again. The team has also been working on a new protocol using Supersonic Proofs.

1. Advantages: More privacy, smaller proof size, faster verification and added encryption.
   Disadvantages: lack of auditability of its total supply (balances are hidden), lest testing in its
   underlayinf cryptography (zkSNARKs) and higher time to generate a private
   transaction (computationally intensive process).
2. Sigma
3. A typographical error in the source code, that allowed to mint additional ZCoins.
4. ZCoin: disabled zerocoin mints and prevented any zerocoin spend to be conducted.
   PIVX: Deactivated the privacy features from Zerocoin, through a spork.
   Veil: Deactivate the anonymizing feature from the Zerocoin protocol.

1. ZCash provided efficiency improvementes and enhanced privacy. But there is a lack of auditability of its total supply, less testing in its underlying cryptography and more time for generating a gransaction.
2. To Sigma
3. A typo in its source-code was exploited to mint 370,000 additional ZCoins.
4. ZCoin: froze funds waiting for Sigma release
   PIVx: Disabled minting
   Veil: Deactivation of Zcoin’s anonymising feature.

1. What are the stated advantages and disadvantages of Zerocash with respect to Zerocoin?

• Advantages: Efficiency improvements (smaller proof size, faster verification), enhanced privacy (added encryption to hide amount, sender & receiver address)
• Disadvanges: Lack of audibility of total supply (balances are hidden, so coins can be created out of thin air without anyone noticing), underlying cryptography is less tested (zkSNARKs), time to generate a private transaction (computationally intensive)

2. In 2019, four of the eight major Zerocoin implementations switched from Zerocoin protocol to what?
   ZCoin, Noir, Gravity Coin, NIX adopted Sigma in 2019.

3. What was the technical cause behind the 2017 “fake spend” incident?
   A typo in the source code led to an exploit, resulting of a creation of extra coins and fake spends of those.

4. Explain the different responses by Zcoin, PIVX and Veil to the 2019 attack on the Zerocoin core protocol.
   Zcoin disabled zerocoin mints and zerocoin spends, effectively freezing the funds in the accumulator until they moved to Sigma. PIVX disabled all privacy features, zerocoin mints were disabled while zerocoin spends were linked to the base coin. Veil also deactivated the anonymity, zero coin spends were directly linked to the zero coin mints.

1. Disadvantages of Zerocash : the lack of auditability of its total supply, less testing of its total cryptography, the time to generate a private transaction. Advantages of Zerocash : efficiency improvements, enhanced privacy.
2. The most used alternatives are RingCT, the use of stealth addresses, Super Sonic and Sigma.
3. By exploiting a typo in Zcoin source-code.
4. PIVX : rely on Schnorr Signatures. Zcoin : remove Zerocoin protocol and replace it by Sigma. Veil : use of RingCT staking.

1. What are the stated advantages and disadvantages of Zerocash with respect to Zerocoin?
   • The lack of auditability of its total supply: balances are hidden with the Zerocash protocol. On the other hand, the Zerocoin protocol does not hide them. However, some attackers managed to create false proofs from the RSA accumulator without detection, i.e., spending other people’s coins.
   • Less testing in its underlying cryptography (the main implementation of zkSNARKs is ZCash) and the general complexity of the cryptographic underlying the protocol, making it complex to audit the system.
   • The time to generate a private transaction locally is high owing to its computationally intensive process.
2. In 2019, four of the eight major Zerocoin implementations switched from Zerocoin protocol to what?
   • Sigma
3. What was the technical cause behind the 2017 “fake spend” incident?
   • A typo in the source-code was exploited to mint 370,000 additional ZCoins6.
4. Explain the different responses by Zcoin, PIVX and Veil to the 2019 attack on the Zerocoin core protocol.
   • Zcoin froze all funds in the accumulator until the sigma release. No minting, no spending.
   • Pivx disabled the anonymity, and used zerocoins in a public mode i.e., in a similar fashion as normal UTXO transactions. Specifically, zerocoin minting has been disabled while zerocoin spending remains enabled
   • Veil replaced the zero-knowledge proof required to prevent a double spend by a single signature, leading to the removal of the anonymity feature. After the attack evolved and these measures were not sufficient anymore, they worked with exchange to suspend withdrawals and deposits, returned to a true state by adding back stolen balances, adjusted the emission schedule, and accellerated departure from the zerocoin protocol.

1- Efficiency improvements (i.e., smaller proof size and faster verification) and enhanced privacy with added encryption of the amount and both sender & receiver.

2- Zerocash

3- A typo in its source-code was exploited to mint 370,000 additional ZCoins.

4-ZCoin: Disabled zerocoin mints and prevented any zerocoin spend to be conducted.
PIVX: Disabled the privacy features from Zerocoin, through a spork.
Veil: Disabled the anonymizing feature from the Zerocoin protocol.

1. Zerocash introduced efficiency improvements (i.e., smaller proof size and faster verification) and enhanced privacy (with added encryption of the amount and both sender & receiver addresses).
2. Sigma
3. a typo in its source-code

ZCoin : “an urgent fix, the team decided to disable zerocoin mints and prevent any zerocoin spend to be conducted” then changed to Sigma

PIVX: “zerocoin minting has been disabled while zerocoin spending remains enabled (with full links to the original basecoin). Furthermore, the team relies on Schnorr Signatures to ensure that zerocoins could be spent back to basecoins, without any exposure to the pre-existing vulnerability.”

Veil: “team decided to deactivate the anonymizing feature from the Zerocoin protocol.”
“initial fix consisted of the addition of a patch to require all zerocoin spends to have a signature attached that links the spend to the mint. In other words, the zero-knowledge proof required to prevent a double spend was replaced by a single signature, leading to the removal of the anonymity feature but solved the exploit nonetheless.” “Unfortunately, the attack “evolved”,
They had to stop the markets, and compensate pools with the founders funds, and finaly decided to replace the stacking anonymity solution probably with “RingCT staking” instead of zerocoin.

1. Efficiency improvements and enhanced privacy with added encryption of the amount and both sender & receiver.

2. Zerocash

3. A typo in its source-code was exploited to mint 370,000 additional ZCoins.

4. ZCoin: Disabled zerocoin mints and prevented any zerocoin spend to be conducted.
   PIVX: Disabled the privacy features from Zerocoin, through a spork.
   Veil: Disabled the anonymizing feature from the Zerocoin protocol

1. advantages or zerocash: efficiency privacy because of a smaller proof size, faster verification and added encryption . disadvantage , balances are hidden so not possible to audit the total supply, less tested, longer to generate a transaction becasue of computationally intesive process
   2.to sigma
   3.denial of spending attack, basically a malicious user would make sure a legimate spending message never reaches the network nodes. then attacker mints new malicious zercoin with same serial number. by doing so the attacker can spend the zerocoin by revealing the correct serial number.
   following the spend by the malicious user, if the honest individual attempted to spend his zerocoin, the transaction would be considered a double spend, of the zerocoins of malicious user.
2. zcoin removed zerocoin protocol and moved to sigma
   pivx deactived the privacy features in zerocoin
   veil deactivated the anonymizing feature from zerocoin protocol

1. Zerocash introduced efficiency improvements (i.e., smaller proof size and faster verification) and enhanced privacy (with added encryption of the amount and both sender & receiver addresses). Unfortunately, Zerocash lacked auditability, as it hid total balance, the cryptography was new and unproven, and it took way too long to generate a transaction.

2. Sigma

3. When a user sends his spend transaction, an attacker intercepts the spending message and mints a new zerocoin with the same serial number, which he can then spend.

4. Zcoin disabled zerocoin mints and prevented any more zerocoin spends, before removing the Zerocoin protocol altogether and replacing it with Sigma. It then introduced a way to “remint” zerocoins into Sigam.

PIVX deactivated the privacy features through a spork, and disabled minting of new Zerocoins while leaving spending enabled and relying on Schnorr Signatures.

Veil deactivated the anonymizing feature from the Zerocoin protocol while leaving enough of it enabled to continue supporting staking rewards. Zerocoin spends now required a signature than links the spend to the mint. Unfortunately, the attack evolved and the team suspended withdrawals and deposits, then added back stolen balances to the pools and banned the remaining zerocoins that had not been shuffled with RingCT. The disabled ZK proofsand disabled all privacy features.

• What are the stated advantages and disadvantages of Zerocash with respect to Zerocoin?

Advantages:
efficiency improvements, enhanced privacy.

disadvantages:
The lack of auditability of its total supply
Less testing in its underlying cryptography
The time to generate a private transaction

• In 2019, four of the eight major Zerocoin implementations switched from Zerocoin protocol to what?

sigma.

• What was the technical cause behind the 2017 “fake spend” incident?

A syntax typo.

• Explain the different responses by Zcoin, PIVX and Veil to the 2019 attack on the Zerocoin core protocol.

zcoin: As an urgent fix, the team decided to disable zerocoin mints and prevent any zerocoin spend to be conduct
PIVX: the team had deactivated the privacy features from Zerocoin, through a spork. Since then, zerocoins have been used in a public mode i.e., in a similar fashion as normal UTXO transactions .
Veil: the team decided to deactivate the anonymizing feature from the Zerocoin protocol. It initially prevented the attack from being conducted on the Veil chain.

• What are the stated advantages and disadvantages of Zerocash with respect to Zerocoin?

• Advantages: Efficiency improvements (smaller proof size, faster verification), enhanced privacy (added encryption to hide amount, sender & receiver address)

• Disadvanges: Lack of audibility of total supply (balances are hidden, so coins can be created out of thin air without anyone noticing), underlying cryptography is less tested (zkSNARKs), time to generate a private transaction (computationally intensive).

• In 2019, four of the eight major Zerocoin implementations switched from Zerocoin protocol to what?
  Sigma.

• What was the technical cause behind the 2017 “fake spend” incident?
  A typo in its source-code was exploited to mint 370,000 additional ZCoins.

• Explain the different responses by Zcoin, PIVX and Veil to the 2019 attack on the Zerocoin core protocol.
  Zcoin disabled zerocoin mints and zerocoin spends, effectively freezing the funds in the accumulator until they moved to Sigma. PIVX disabled all privacy features, zerocoin mints were disabled while zerocoin spends were linked to the base coin. Veil also deactivated the anonymity, zero coin spends were directly linked to the zero coin mints.

1. What are the stated advantages and disadvantages of Zerocash with respect to Zerocoin?
Some of the advantages of Zerocash relative to Zerocoin include improvements in efficiency(smaller proof size and faster verification) and privacy enhancements(added encryption to both sender and receiver addresses). Some key disadvantages, however, consist of the lack of total supply auditability, lack of cryptographic testing, and the time to create a private transaction.

2. In 2019, four of the eight major Zerocoin implementations switched from Zerocoin protocol to what?
In 2019, four of the eight major Zerocoin implementations switched from Zerocoin to Sigma.

3. What was the technical cause behind the 2017 “fake spend” incident?
The technical cause of the 2017 “fake spend” incident was but a typo in Zcoin’s source-code.

4. Explain the different responses by Zcoin, PIVX and Veil to the 2019 attack on the Zerocoin core protocol.
Zcoin responded to the 2019 attack by first disabling the Zerocoin mints and prevented any Zerocoin spends to be conducted. After, Zcoin replaced Zerocoin with Sigma.

PIVX decided to remove its privacy features through a spork before they released their PoS Time Protocol v2 within their 4.0 version. The PIVX team has yet to implement a new privacy protocol.

Veil believed it best to deactivate the deanonymizing feature from Zerocoin. Further complications forced Veil to disable zkp. Veil has been considering the use of ringCT staking as well as Supersonic proofs.

The Zerocash protocol offers enhanced privacy (encrypted amoutns, encrypted receiver and sender addresses) and better performance. The disadvantages are that the total amount of coins is not auditable, slow creation of a private transaction locally and not so well-known cryptography.

The switched to the Sigma protocol.

It was a typo in the source code.

Zcoin: disabled zerocoin mints and prevent any zerocoin spend to be conducted, changed to Sigma
PIVX: deactivated privacy features
Veil: deactivated anonymity feature, added stolen balances back, worked together with exchanges