Zerocoin Protocol Flaws - Reading Assignment

  1. What are the stated advantages and disadvantages of Zerocash with respect to Zerocoin?
    Efficiency improvements (i.e., smaller proof size and faster verification) and enhanced privacy (with added encryption of the amount and both sender & receiver addresses).

  2. In 2019, four of the eight major Zerocoin implementations switched from Zerocoin protocol to what?
    To Sigma. A replacement of Zerocoin that removes the trusted setup, reduces the proof size from 25 kB to 1.5 kB and improves Security.

  3. What was the technical cause behind the 2017 “fake spend” incident?
    A typo in its source-code.

  4. Explain the different responses by Zcoin, PIVX and Veil to the 2019 attack on the Zerocoin core protocol.
    Zcoin: move away from the Zerocoin in favor of Sigma.
    PIVX: deactivating some features (the privacy ones) of the Zerocoin protocol.
    Veil: deactivating the anonymizing feature from the Zerocoin protocol.

2 Likes
  1. Zerocoin total supply is known, ZCash is complex to audit (due to most information being hidden).
  2. Sigma
  3. A typo

ZCoin disabled zerocoin mints and prevented any zerocoin spend to be conducted.
PIVX deactivated the privacy features from Zerocoin, also minting and issuing were disabled.
Veil deactivated the privacy features from Zerocoin, minting and issuing were not disabled.

2 Likes
  1. What are the stated advantages and disadvantages of Zerocash with respect to Zerocoin?
  • Advantages: Efficiency improvements, enhances privacy
  • Disadvantages: The lack of auditability of its total supply, Less testing in its underlying cryptography, the time to generate a private transaction
  2. In 2019, four of the eight major Zerocoin implementations switched from Zerocoin protocol to what?
  • Sigma
  3. What was the technical cause behind the 2017 “fake spend” incident?
  • a typo in its source-code
  4. Explain the different responses by Zcoin, PIVX and Veil to the 2019 attack on the Zerocoin core protocol.
  • Zcoin : Fix the problem by removing the original protocol and replaced it with Sigma.
  • PIVX: Stop privacy features
  • Veil: Stop the anonymizing feature
1 Like
  1. advantages: smaller proof size, faster verification, added encryption of the amount and both sender & receiver addresses
    disadvantages: Lack of auditability of supply, less testing of underlying cryptography (zkSnarks), general complexity of the cryptographic underlying the protocol, making it complex to audit the system, time to generate a transaction locally is very high, due to intensive computational process

  2. Sigma

  3. a typo in the source-code

  4. Zcoin disabled zerocoin minting and spending, disabled some mints, removed zerocoin protocol replacing it by Sigma, introduced a feature called reminting
    PIVX deactivated Zerocoin privacy features by a spork, disabling Zerocoin spending, Schnorr Signatures to spend zerocoins back to basecoins, introduced PoS Time Protocol v2.
    Veil deactivated the anonymizing feature from the Zerocoin protocol, suspend deposits and withdrawals at exchanges, adding back stolen balances to the zerocoin pools and ban the remaining zerocoins that had not been shuffled with RingCT, disabled zero-knowledge proof.

1 Like

Q1: Advantages included efficiency improvements (smaller proof size and quicker verification) and enhanced privacy (addresses & amounts were encrypted). Disadvantages were that it was hard to audit due to hackers and hidden balances, the tech behind it was hard to understand better yet improve, and the need for high computing power made it so long to complete a private TX.

Q2: Switched over to Sigma, a proof of knowledge protocol that replaced the need for a trusted set up and reduced the proof size from 25kb to 1.5kb while also increasing security measures.

Q3: A typo in the source code allowed additional ZCoins to be minted

Q4: ZCoin reacted by freezing the funds within the accumulator waiting for Sigma release, preventing both spending and minting.
PIVX disabled minting but kept spending possible by relying on Schnorr Signatures to prevent further vulnerability exposure.
Veil deactivated Zerocoin’s anonymizing feature and replaced the zk-proof with a single signature, trying to solve the issue. However, it didn’t work and they worked with exchanges to prevent transactions as well as working directly on the blockchain to restore the “true” balances.

1 Like
  1. ZeroCash had some benefits, such as smaller proof size and faster verification, and also that the amount, sender, and receiver would now be private. However, because balances are hidden, the total supply was not auditable. Because zkSNARKs was a complex and new technology, it was not easy to test. Lastly, generating private transactions in ZeroCash was computationally intensive, and took longer.

  2. They switched to Sigma.

  3. A typo in the Zcoin source code caused the 2017 “fake spend”.

  4. a) Zcoin: Disabled minting of zerocoins, and prevented zerocoins from being spent. Then transferred zerocoins into Sigma mints.

    b) PIVX: Deactivated the privacy features of Zerocoin and disabled minting of zerocoins… Zerocoin transactions now function as normal UTXOs.

    c) Veil: Deactivated the anonymizing feature from the Zerocoin protocol. They were attacked again when the attack “evolved”. They adjusted the emission schedule and plan to move away from the Zerocoin protocol. Veil still mints zerocoins but those zerocoins do not have privacy features.

1 Like
  1. Advantages
    Smaller proof size
    Faster Verification
    Enhanced Privacy

    b) Disadvantages
    Lack of Accountability of its total supply
    Less testing in its underlying cryptography
    The time to generate a private transaction locally is high owing to its computationally intensive process

  2. Sigma

  3. In 2017, an incident occurred, a few months after ZCoin revealed that a typo in its source-code was exploited to mint 370,000 additional ZCoins

  4. a) Zcoin: As an urgent fix, the team decided to disable zerocoin mints and prevent any zerocoin spend to be conducted. Hence, they effectively froze the funds in the accumulator until the release of Sigma.

b) PIVX: As a response to the incident described in subsection 2.1.3, the PIVX team had deactivated the privacy features from Zerocoin, through a spork. Since then, zerocoins have been used in a public mode i.e., in a similar fashion as normal UTXO transactions.

c) Veil: Following the flaw discovery by ZCoin on April 17th 2019, the Veil team decided to deactivate the anonymizing feature from the Zerocoin protocol. It initially prevented the attack from being conducted on the Veil chain.

1 Like
  1. What are the stated advantages and disadvantages of Zerocash with respect to Zerocoin?
    Advantages:
  • efficiency improvements (i.e., smaller proof size and faster verification)
  • enhanced privacy (with added encryption of the amount and both sender & receiver addresses)
    Disadvantages:
  • The lack of auditability of its total supply: balances are hidden with the Zerocash protocol. On the other hand, the Zerocoin protocol does not hide them.
  • Less testing in its underlying cryptography (the main implementation of zkSNARKs is ZCash) and the general complexity of the cryptographic underlying the protocol, making it complex to audit the system.
  • The time to generate a private transaction locally is high owing to its computationally intensive process.
  2. In 2019, four of the eight major Zerocoin implementations switched from Zerocoin protocol to what?
    The ZCoin, Noir, GravityCoin and NIX switched to Sigma

  3. What was the technical cause behind the 2017 “fake spend” incident?
    A typo in its source-code was taken advantage of.

  4. Explain the different responses by Zcoin, PIVX and Veil to the 2019 attack on the Zerocoin core protocol.
    For Zcoin, the team officially removed the Zerocoin protocol and replaced it by Sigma, also bypassing the need for any trusted set-up.
    For PIVX, zerocoin minting has been disabled while zerocoin spending remains enabled (with full links to the original basecoin).
    For Veil, the Veil team decided to deactivate the anonymizing feature from the Zerocoin protocol.

1 Like
  1. What are the stated advantages and disadvantages of Zerocash with respect to Zerocoin?
    Zerocash introduced efficiency improvements and enhanced privacy but has the disadvantages of the lack of auditability of its total supply, less testing in its underlying cryptography, and the time to generate a private transaction.

  2. In 2019, four of the eight major Zerocoin implementations switched from Zerocoin protocol to what?
    Sigma

  3. What was the technical cause behind the 2017 “fake spend” incident?
    A typo in its source-code.

  4. Explain the different responses by Zcoin, PIVX and Veil to the 2019 attack on the Zerocoin core protocol.
    ZCoin team decided to disable zerocoin mints and prevent any zerocoin spend to be conducted.
    PIVX team had deactivated the privacy features from Zerocoin, through a spork.
    Veil team decided to deactivate the anonymizing feature from the Zerocoin protocol.

1 Like

1 - What are the stated advantages and disadvantages of Zerocash with respect to Zerocoin?

ZCash is the most widely known implementation of Zerocash.

Advantages of Zerocash: Improvements in efficiency include smaller proof size and faster verification.
Enhanced privacy with added encryption of the amount and both sender & receiver addresses.

Disadvantages of Zerocash: The total supply is not auditable because balances are hidden with the Zerocash protocol.
It is quite difficult to audit, as the underlying protocol is implemented using complex cryptography. The main implementation of zkSNARKs is ZCash.
The time taken to generate a private transaction locally is high owing to its computationally intensive process.

2 - In 2019, four of the eight major Zerocoin implementations switched from Zerocoin protocol to what?

The four major Zerocoin implementations that switched from Zerocoin are ZCoin, Noir (ex-Zoin), Gravity Coin (ex-Hexxcoin) and NIX.

Sigma is the replacement to Zerocoin. It was slated to have been activated on the mainnet on the 23 July 2019.
The improvements over Zerocoin are in three areas:
- Removal of trusted setup
- Reduction of proof size from 25 kB to 1.5 kB
- Improved Security

3 - What was the technical cause behind the 2017 “fake spend” incident?

In 2017 an incident occurred a few months after the ZCoin team revealed a typo in its source-code, which allowed an exploit to be realized. The exploit allowed the minting of an additional 370,000 ZCoins.

4 - Explain the different responses by Zcoin, PIVX and Veil to the 2019 attack on the Zerocoin core protocol.

Veil: The Veil team decided to deactivate the anonymizing feature from the Zerocoin protocol. It initially prevented the attack from being conducted on the Veil chain.
A patch was applied to all zerocoin spends, such that the zero-knowledge proof required to prevent a double spend was replaced by a single signature, leading to the removal of the anonymity feature but solved the exploit.
Unfortunately, the attack “evolved”, and the initial fix did not protect attackers from stealing funds from the accumulator. As an urgent solution, Veil’s team decided to:
- Work with exchanges: withdrawals & deposits were suspended to prevent any transaction on the network, which could lead to substantial loss of funds.
- Return to a “true” state by adding back stolen balances to the zerocoin pools and ban the remaining zerocoins that had not been shuffled with RingCT.

  Furthermore, the team disabled zero-knowledge proof making zerocoins behaving in a similar fashion to other (normal) UTXO transactions. However, unlike PIVX, minting and issuing zerocoins were not disabled (as staking was only possible in zerocoin), but privacy features have been non-existent since then. In the medium and long term, the team decided to adopt several solutions:
	- Adjustment of the emission schedule: this attack effectively increased the supply by 12,441,690 coins. As a response, the founder’s rewards have been reduced (by ~ 10 million veils) to offset most of this supply increase and will burn them, along with an additional 2.1 million (in excess of the general budget expenses dedicated to the development of the project).
	- Accelerating its departure from the Zerocoin protocol: the team has confirmed its desire to part away from the Zerocoin protocol, following ZCoin’s example.

PIVX: Zerocoin minting has been disabled while zerocoin spending remained enabled. Also, the PIVX team relied on Schnorr Signatures to ensure that zerocoins could be spent back to basecoins, without any exposure to the pre-existing vulnerability.

ZCoin: The ZCoin team decided to disable zerocoin mints and prevent any zerocoin spend to be conducted. Hence, they effectively froze the funds in the accumulator until the release of Sigma.

1 Like
  1. Advantages of Zerocoin over Zerocash are that efficiency upgrades and heightened privacy were introduced. Disadvantages of Zerocoin compared to Zerocash are that balances were hidden, there was less testing in its cryptography which was also more complex and it took longer to complete a transaction.

  2. ZCoin, Noir, Gravity Coin and NIX all removed the ZeroCoin protocol and replaced this with SIGMA.

  3. The technical cause responsible for the 2017 “fake spend” incident was a typo in its source code.

  4. Zcoin removed the ZeroCoin Protocol and replaced this with SIGMA, PIVX deactivated the privacy feature and moved to POS Time Protocol V2, Veil deactivated the deanonymizing feature, zero proof of knowledge, and this was replaced by a single signature.

1 Like

#1 - What are the stated advantages and disadvantages of Zerocash with respect to Zerocoin?
Advantages: smaller proof size and faster verification, enhanced privacy with added encryption of the amount and both sender & receiver addresses

Disadvantages: lack of auditability of its total supply, more experimental nature of the underlying cryptography, long time to generate a private transaction

#2 - In 2019, four of the eight major Zerocoin implementations switched from Zerocoin protocol to what?
ZCoin, Noir, GravityCoin and NIX switched to Sigma

#3 - What was the technical cause behind the 2017 “fake spend” incident?
A typo in the source code

#4 - Explain the different responses by Zcoin, PIVX and Veil to the 2019 attack on the Zerocoin core protocol.
ZCoin moved away from the protocol and activated Sigma

PIVX simply deactivated the privacy features

Veil is working on alternatives such as RingCT

1 Like
  1. Zerocash claimed its advantages were full privacy which is achieved through efficiency improvements (smaller proof size, faster verification) in combination with enhanced privacy (added the encryption of the amount of both sender and receiver).
    But there were of course some major disadvantages such as the lack of auditability of its total supply (no one knows if some create coins out of thin air), new cryptography which is not verified, checked and tested by several cryptographic experts (less peer review) and the high time of generating a private transaction

  2. To Sigma

  3. A typo in the source-code enabled an exploitation from an attacker who could generate fake spends (18,171 ZCoins) and consequently inflated the supply of ZCoin.

  4. ZCoin: The first fix was to disable zerocoin mints and prevent any zerocoin spend to be conducted. That means they froze the funds until the release of the new Sigma protocol. Furthermore, they also blacklisted some minted coins to prevent the malicious minted coins from entering the new Sigma protocol. As a result they released a new protocol called Sigma.
PIVX: Deactivated the privacy features from Zerocoin via a spork. Zerocoins were then used in a public mode (similar to normal UTXO). Through this minting was disabled while zerocoin spending is still possible. Furthermore they relied on Schnorr Signatures and they released the PoS Time Protocol v2 with the 4.0 release.
Veil: At first they deactivated the anonymizing feature from the ZCoin protocol. This fix was based on adding a patch to require all zerocoin spends to have a signature attached which linked the spend to the mint. It leads to removal of the anonymity but fixed the issue. Unfortunately, the attacker could still steal funds from the accumulator which leads to the following actions of Veil: Work with exchanges in order to suspend withdrawals & deposits and return to a “true” state by adding back stolen balances to the zerocoin pools. Furthermore, they disabled zero knowledge proof, but they did not disable minting and issuing of zerocoins. In the long term they want to use RingCT staking and release a new protocol which uses supersonic proofs.

1 Like
  1. What are the stated advantages and disadvantages of Zerocash with respect to Zerocoin?
    Advantages are full privacy and efficiency. Disadvantage was lack of auditability, bad tests (peer review of the used cryptography) and delay of generating a private transaction

  2. In 2019, four of the eight major Zerocoin implementations switched from Zerocoin protocol to what?
    To Sigma

  3. What was the technical cause behind the 2017 “fake spend” incident?
    A typo in the code which gave a hacker the possibility to create faked spends.

  4. Explain the different responses by Zcoin, PIVX and Veil to the 2019 attack on the Zerocoin core protocol.
    Zcoin: disabled the mining and blacklisted the malicious minted coins to the new Sigma protocol
    PIVX: Deactivated privacy features, relied on Schnorr Signatures.
    Veil: Deactivated the anonymize feature.

1 Like
  1. Zerocash has better efficiency (ie, smaller proof size and faster verification) and greater privacy, but has some disadvantages such as: The lack of auditability of its total supply, less testing in its underlying cryptography and the time to generate a private transaction locally is high
  2. They switched to Sigma.
  3. The Zerocoin 2017 incident occurred due to a typo, an error in the Zcoin source code.
  4. The Zcoin team decided to disable zerocoin mints and prevent any zerocoin spend to be conducted, in July 2019, they removed the Zerocoin protocol and replaced it by Sigma.
    The PIVX team had deactivated the privacy features from Zerocoin, Zerocoin minting has been disabled, while zerocoin spending remains enabled. On January 5th 2020, PoS Time Protocol v2 was introduced with the 4.0 release.
    The Veil team decided to deactivate the anonymizing feature from the Zerocoin protocol.
1 Like

• Advantages: smaller proof size, faster verification, and enhanced privacy by encrypting sender, receiver, and amounts.
Disadvantages: Lack of auditability to its supply, less tested/proven cryptography, the time to generate a private transaction.
• Sigma
• There was a typo in the source code, someone exploited that, and generated 370K Zcoins. After this incident, Zcoins team announced that someone generated 18,171 through this exploit and fake spent, causing inflation of supply.
• Zcoin had to shutdown basically until the implementation of Sigma. Total estimated damage 54K XZC
PIVX deactivated the privacy features of Zerocoin, leaving the TX as a normal UTXO, the minting was also disabled. In 2020 they introduced PoS time protocol v2 4.0
• Veil also deactivated the privacy features. It initially prevented the attack, but the attack evolved and they had to shutdown and work with exchanges to stop withdrawals and deposits to avoid any substantial loss of funds. They had to reimburse balances to the pools and enforced RingCT.

1 Like
  1. The stated advantages and disadvantages of Zerocash with respect to Zerocoin are; Advantages - a) smaller proof size, b) faster verification, and c) added encryption of amount, and senders and receivers address. Disadvantages - a) lack of auditability of total supply, b) less testing done of underlying cryptography due to its complexity, and c) transactions are slow.

  2. Four of the eight major Zerocoin implementations which switched from Zerocoin protocol in 2019 switched to “Sigma”.

  3. The technical cause behind the “fake spend” in 2017 was the exploitation of a typo in the source code.

  4. The different responses of Zcoin, PIVX and Veil in the 2019 attack on the Zerocoin core protocol are as follows;

Zcoin - disabled the minting of coins and prevented any spending, effectively freezing funds.

PIVX - deactivated the privacy features through a “spork”.

Veil - because the anonymising feature had already been disabled, their fix required all Zerocoin spends to have a signature attached to them, instead of the zero knowledge proof. This did not work, so they were forced to prevent transactions from happening on the network, then adding back stolen balances to the Zerocoin pools and banning Zerocoins which had not been shuffled with RingCT.

1 Like
  1. What are the stated advantages and disadvantages of Zerocash with respect to Zerocoin?

Advantages

  • Faster Verification
  • Smaller proof size
  • Enhanced Privacy

Disadvantages

  • The lack of auditability of its total supply
  • Less testing in its underlying cryptography
  • The time to generate a private transaction
  2. In 2019, four of the eight major Zerocoin implementations switched from Zerocoin protocol to what?

Sigma

  3. What was the technical cause behind the 2017 “fake spend” incident?

Typo in its source-code was exploited to mint 370,000 additional ZCoins (denial-of-spending attack).

  4. Explain the different responses by Zcoin, PIVX and Veil to the 2019 attack on the Zerocoin core protocol.

ZCoin: Officially removed the Zerocoin protocol and replaced it by Sigma.
PIVX: Zerocoin minting has been disabled.
Veil: Disabled the anonymizing feature from the Zerocoin protocol.

1 Like

  1. Advantages are: smaller proof size, faster verification, and added encryption of the amount, and sending and receiving addresses.
    Disadvantages are: lack of auditability of its total supply, insufficient testing on the underlying cryptography, and the delays when creating a transaction locally.
  2. Sigma.
  3. A typo in the source code allowed for exploitation and fake spends of 18,171 ZCoins.
  4. ZCoin - the team decided to disable zerocoin mints and prevent any zerocoin spend to be conducted. Hence, they effectively froze the funds in the accumulator until the release of Sigma.
    PIVX - the PIVX team deactivated the privacy features from Zerocoin, through a spork. Since then, zerocoins have been used in a public mode i.e., in a similar fashion as normal UTXO transactions.
    Veil - the Veil team decided to deactivate the anonymizing feature from the Zerocoin protocol. It initially prevented the attack from being conducted on the Veil chain.
2 Likes