Zerocoin Protocol Flaws - Reading Assignment

  1. Advantages include: A) efficiency improvements (i.e., smaller proof size and faster verification), B) enhanced privacy (i.e., with added encryption of the amount and both sender & receiver addresses). Disadvantages include: a) the lack of auditability of its total supply, b) less testing in its underlying cryptography, c) the time to generate a private transaction is high owing to its computationally intensive process.
  2. Sigma protocol
  3. typo in its source code
  4. The Zcoin team decided to disable zerocoin mints and prevent any zerocoin spend from being conducted; the PIVX team deactivated the privacy features from Zerocoin, through a spork, to become a public mode similar to normal UTXO transactions; the Veil team decided to deactivate the anonymizing feature from the Zerocoin protocol to prevent the attack from being conducted on the Veil chain.
1 Like

1. What are the stated advantages and disadvantages of Zerocash with respect to Zerocoin?
Advantages: Enhanced privacy and added encryption, smaller proof size, faster verification
Disadvantages: Not possible to audit, underlying cryptography is less tested, takes a long time to generate a private tx as it’s computationally intensive

2. In 2019, four of the eight major Zerocoin implementations switched from Zerocoin protocol to what?
Sigma

3. What was the technical cause behind the 2017 “fake spend” incident?
Source code typo

4. Explain the different responses by Zcoin, PIVX and Veil to the 2019 attack on the Zerocoin core protocol.
Zcoin: Zerocoin minting was disabled and spends were frozen
PIVX: Minting and privacy features were disabled
Veil: Disables anonymizing feature from Zerocoin protocol

1 Like
  1. What are the stated advantages and disadvantages of Zerocash with respect to Zerocoin?
    Zerocoin is rather bloated and computation intensive. Zerocash introduced efficiency improvements (i.e., smaller proof size and faster verification) and enhanced privacy (with added encryption of the amount and both sender & receiver addresses).
    The Advantages of Zerocoin over Zerocash were:
    The lack of auditability of its total supply : balances are hidden with the Zerocash protocol. On the other hand, the Zerocoin protocol does not hide them.
    Less testing in its underlying cryptography (the main implementation of zkSNARKs is ZCash) and the general complexity of the cryptography underlying the protocol, making it complex to audit the system
    The time to generate a private transaction locally is high owing to its computationally intensive process

  2. In 2019, four of the eight major Zerocoin implementations switched from Zerocoin protocol to what?
    They moved to Sigma, and got rid of the need for a trusted setup.

  3. What was the technical cause behind the 2017 “fake spend” incident?
    It seems to have been a typo, that caused the flaw.

  4. Explain the different responses by Zcoin, PIVX and Veil to the 2019 attack on the Zerocoin core protocol.
    Zcoin moved to the Sigma protocol instead of Zerocoin
    PIVX removed the privacy features and so removed the problem from Zerocoin and Veil deactivated the anonymizing feature of the coin in Zerocoin protocol. Further changes had to be made as the attack evolved.

1 Like
  1. The advantages of Zerocash with respect to Zerocoin are: Efficiency improvements (i.e., smaller proof size and faster verification). Enhanced privacy (with added encryption of the amount and both sender & receiver addresses). The most widely known implementation of Zerocash is ZCash. The disadvantages are: The lack of auditability of its total supply: balances are hidden with the Zerocash protocol. On the other hand, the Zerocoin protocol does not hide them. Less testing in its underlying cryptography (the main implementation of zkSNARKs is ZCash) and the general complexity of the cryptography underlying the protocol, making it complex to audit the system. The time to generate a private transaction locally is high owing to its computationally intensive process.

  2. In 2019 four of the eight major Zerocoin implementations switched from Zerocoin protocol to Sigma.

  3. The technical cause behind the 2017 “fake spend” incident was a typo in the source code.

  4. The different responses by Zcoin, PIVX and Veil to the 2019 attack on the Zerocoin core protocol were: The Zcoin team decided to disable zerocoin mints and prevent any zerocoin spend from being conducted. The PIVX team deactivated the privacy features from Zerocoin, through a spork, to become a public mode similar to normal UTXO transactions. The Veil team decided to deactivate the anonymizing feature from the Zerocoin protocol to prevent the attack from being conducted on the Veil chain.

1 Like
  1. What are the stated advantages and disadvantages of Zerocash with respect to Zerocoin?
    Advantages are smaller proofs with faster verification and better privacy
    Disadvantages - inability to determine total supply, problems testing underlying crypto,

  2. In 2019, four of the eight major Zerocoin implementations switched from Zerocoin protocol to what?
    They switched to Sigma

  3. What was the technical cause behind the 2017 “fake spend” incident?
    A denial of spending attack by intercepting the spender’s transaction serial number, and re-mint with that serial number rejecting the spender’s transaction as a double-spend.

  4. Explain the different responses by Zcoin, PIVX and Veil to the 2019 attack on the Zerocoin core protocol.
    Zcoin supplanted Zerocoin protocol with Sigma, PIVX turned off the features of Zerocoin privacy. Veil deactivated the anonymizing part of Zerocoin.

  1. Advantages: More privacy, smaller proof size, faster verification, and added encryption.
    Disadvantages: lack of auditability of its total supply (balances are hidden), less testing in its underlying cryptography (zkSNARKs) and higher time to generate a private transaction (computationally intensive process).
  2. ZCoin, Noir, GravityCoin, and NIX move to Sigma.
  3. A typo in the source code led to an exploit, resulting in the creation of extra coins and fake spending of those.
  4. Zcoin: move away from the Zerocoin in favor of Sigma.
    PIVX: deactivating some features (the privacy ones) of the Zerocoin protocol.
    Veil: deactivating the anonymizing feature from the Zerocoin protocol.
  1. Zerocash introduced efficiency improvements (i.e., smaller proof size and faster verification) and enhanced privacy (with added encryption of the amount and both sender & receiver addresses). The disadvantages were the lack of auditability of its total supply, less testing in its underlying cryptography, and the time to generate a private transaction is high.

  2. Sigma protocol

  3. Zcoin had a typo in its source-code.

    • ZCoin as an urgent fix, the team decided to disable zerocoin mints and prevent any zerocoin spend to be conducted. They froze the funds in the accumulator until the release of Sigma. In July 2019, the team officially removed the Zerocoin protocol and replaced it with the Sigma protocol.
  • PIVX team had deactivated the privacy features from Zerocoin, through a spork. Zerocoin minting has been disabled while zerocoin spending remains enabled. On January 5th 2020, PoS Time Protocol v2 was introduced with the 4.0 along with Cold Staking). Following this hardfork, PIVX is expected to announce its next privacy protocol very soon.

  • VEIL team decided to deactivate the anonymizing feature from the Zerocoin protocol.

They also worked with exchanges: withdrawals & deposits were suspended,

returned to a “true” state by adding back stolen balances to the zerocoin pools and ban the remaining zerocoins that had not been shuffled with RingCT.

The team disabled zero-knowledge proof making zerocoins behaving in a similar fashion to other (normal) UTXO transactions.

Adjustment of the emission schedule : this attack effectively increased the supply by 12,441,690 coins.

Accelerating its departure from the Zerocoin protocol, the team has confirmed its desire to part away from the Zerocoin protocol, following ZCoin’s example.

The most prominent solution to consider has been RingCT staking in order to stake anonymously again. In addition, the team has also been working on a new protocol using Supersonic proofs.

1 Like

1: Advantages: Increased privacy, higher encryption, smaller proof size
Disadvantages: Lack of auditing in available supply, inferior testing in cryptography used, time consuming processing
2: Switched to the Sigma protocol when it was released
3: A typo in the source code caused additional Zcoins to be minted
4: Zcoin switched from ZeroCoin to Sigma, PIVX disabled features, i.e. privacy, minting and issuing was stopped, Veil anonymizing feature disabled from ZeroCoin protocol

1 Like
  1. What are the stated advantages and disadvantages of Zerocash with respect to Zerocoin?

advantages- Zerocash introduced efficiency improvements (i.e., smaller proof size and faster verification) and enhanced privacy (with added encryption of the amount and both sender & receiver addresses). The most widely known implementation of Zerocash

the disadvantages: the lack of auditability of its total supply, less testing in its underlying cryptography, the time it took to generate a private transaction.

  2. In 2019, four of the eight major Zerocoin implementations switched from Zerocoin protocol to what?

they switched over to sigma

  3. What was the technical cause behind the 2017 “fake spend” incident?

Following this 2017 incident, ZCoin teams announced that 18,171 coins were generated through this exploit. Specifically, someone was capable of generating fake spends, hence inflating the supply of ZCoin.

  4. Explain the different responses by Zcoin, PIVX and Veil to the 2019 attack on the Zerocoin core protocol.

Zcoin- they switched over to sigma

Pivx- the PIVX team had deactivated the privacy features from Zerocoin, through a spork. Since then, zerocoins have been used in a public mode i.e., in a similar fashion as normal UTXO transactions .

Veil- the Veil team decided to deactivate the anonymizing feature from the Zerocoin protocol. It initially prevented the attack from being conducted on the Veil chain

1 Like

What are the stated advantages and disadvantages of Zerocash with respect to Zerocoin?

Advantages of ZeroCash:
Smaller proof size and faster verification.
Enhanced privacy and encryption. The encryption was added to the amount of the TX and both sender and receiver addresses.

Disadvantages of ZeroCash:
Lack of auditability of its total supply, how many are there?
Less testing in its underlying cryptography, still new, kinks have to be ironed out and explored.
The time to generate a private transaction, takes forever to process a transaction, can't wait in line at the grocery store forever.

In 2019, four of the eight major Zerocoin implementations switched from Zerocoin protocol to what?

Zerocoin implementations switched from Zerocoin protocol to Sigma.

What was the technical cause behind the 2017 “fake spend” incident?

A typo in the source code led to the minting of over 18,000 new coins beyond the established set limit.

Explain the different responses by Zcoin, PIVX and Veil to the 2019 attack on the Zerocoin core protocol.

Zcoin:
Zcoin's response was to disable zerocoin mints and prevent any Zerocoin spends from being conducted. They froze the funds in the accumulator until the release of Sigma.

Pivx:
“PIVX team had deactivated the privacy features from Zerocoin, through a spork.” They also disabled Zerocoin minting while Zerocoin spending is still enabled. Also moving on with their own unique updates that are coming in the near future.

Veil:
“Veil team decided to deactivate the anonymizing feature from the Zerocoin protocol.”
“Hence, the initial fix did not rely on deactivating the complete reliance on the zerocoin protocol through an immediate hardfork.”
“This initial fix consisted of the addition of a patch to require all zerocoin spends to have a signature attached that links the spend to the mint.”
“Unfortunately, the attack “evolved”, and the initial fix did not protect (typo from article, I think they meant prevent) attackers from stealing funds from the accumulator.”

Veil’s team decided to:

“Work with exchanges: withdrawals & deposits were suspended to prevent any transaction on the network, which could lead to substantial loss of funds.”
“Return to a “true” state by adding back stolen balances to the zerocoin pools and ban the remaining zerocoins that had not been shuffled with RingCT.”
“Furthermore, the team disabled zero-knowledge proof making zerocoins behaving in a similar fashion to other (normal) UTXO transactions”
In the medium to long term the team:
Made “Adjustment of the emission schedule: this attack effectively increased the supply by 12,441,690 coins. As a response, the founder’s rewards have been reduced (by ~ 10 million veils) to offset most of this supply increase and will burn them, along with an additional 2.1 million (in excess of the general budget expenses dedicated to the development of the project).”
Along with “Accelerating its departure from the Zerocoin protocol: the team has confirmed its desire to part away from the Zerocoin protocol, following ZCoin’s example.”
“The most prominent solution to consider has been RingCT staking in order to stake anonymously again. In addition, the team has also been working on a new protocol using Supersonic proofs.”

1 Like
  1. The stated advantages/disadvantages of Zerocash wrt Zerocoin are: Improved efficiency & privacy but lack of auditability of the supply, difficulty in auditing the complex underlying cryptography and long time to generate a local transaction.
  2. They switched to Sigma.
  3. The technical cause behind the 2017 fake spend event was a typo in the source code.
  4. Explain the different responses by Zcoin, PIVX and Veil to the 2019 attack on the Zerocoin core protocol. PIVX deactivated privacy features, Veil deactivated the deanonymizing feature, Zcoin disabled coin minting and spending then subsequently blacklisted some coins.

Zerocoin hides the origin of a payment, while Zerocash hides the destination and the amount.
They switched to Sigma reducing the size of the file for better security.
There was a typo in the source code that caused the fake spend.
Zcoin removed Zerocoin and replaced it with Sigma.
PIVX deactivated the privacy feature in Zerocoin.
Veil deactivated the anonymity of the Zerocoin protocol.

  1. Lack of auditability of its total supply, less testing in its underlying cryptography and time to generate a private transaction.
  2. They switched to Sigma
  3. A typo in the source code.
  • Zcoin disable zerocoin mints and prevent any zerocoin spend to be conducted
  • PIVX zerocoin minting has been disabled
  • Veil deactivate the anonymizing feature
2 Likes
  1. What are the stated advantages and disadvantages of Zerocash with respect to Zerocoin?
    Advantages
  • Aiming to provide full privacy, Zerocash introduced efficiency improvements (i.e., smaller proof size and faster verification) and enhanced privacy (with added encryption of the amount and both sender & receiver addresses).
    Disadvantages
  • The lack of auditability of its total supply : balances are hidden with the Zerocash protocol. On the other hand, the Zerocoin protocol does not hide them.
  • Less testing in its underlying cryptography: the main implementation of zkSNARKs is ZCash, and the general complexity of the cryptography underlying the protocol, making it complex to audit the system.
  • The time to generate a private transaction locally is high owing to its computationally intensive process.
  2. In 2019, four of the eight major Zerocoin implementations switched from Zerocoin protocol to what?
  • ZCoin Removed the Zerocoin protocol and adopted Sigma in 2019.
  • Gravity Coin(ex- Hexxcoin) Removed the zerocoin protocol and adopted Sigma in 2019
  • NIX The Zerocoin protocol was incorporated in its “Ghost privacy protocol” but got disabled in April 2019. NIX adopted Sigma in May 2019.
  • Veil Staking rewards are currently paid in zerocoin. Since July 2019, it has been de-anonymized, but zerocoin mints/spends are still possible. It is looking to shift away from the Zerocoin protocol.
  3. What was the technical cause behind the 2017 “fake spend” incident?
    The attack would work as follows:
  • An honest user wants to spend his zerocoin and sends the spend transaction (including the serial number) to the network.
  • Meanwhile, the attacker, who needs control over his target victim’s network, now intercepts the spending message to make sure it never reaches the nodes of the network. Afterward, the attacker mints a new malicious zerocoin with the exact same serial number. By doing so, the attacker is able to spend this zerocoin by revealing the correct serial number .
  • Following this initial spend by the malicious user, if the honest individual attempted to spend his zerocoin, the transaction would be rejected by the network and considered as a double-spending attempt due to the earlier malicious spend.
  4. Explain the different responses by Zcoin, PIVX and Veil to the 2019 attack on the Zerocoin core protocol.
    Based on the disclosure provided by ZCoin, an attacker with at least one legitimately minted coin could create as many spends as he wants out of it, in any Zerocoin-based cryptocurrency. None of these fake spendings would be indistinguishable from authentic ones.

Zcoin - The team decided to disable zerocoin mints and prevent any zerocoin spend to be conducted. Hence, they effectively froze the funds in the accumulator until the release of Sigma.
PIVX - The PIVX team had deactivated the privacy features from Zerocoin, through a spork. Since then, zerocoins have been used in a public mode i.e., in a similar fashion as normal UTXO transactions. Specifically, zerocoin minting has been disabled while zerocoin spending remains enabled (with full links to the original basecoin).
Veil - The Veil team decided to deactivate the anonymizing feature from the Zerocoin protocol. It initially prevented the attack from being conducted on the Veil chain. This initial fix consisted of the addition of a patch to require all zerocoin spends to have a signature attached that links the spend to the mint. In other words, the zero-knowledge proof required to prevent a double spend was replaced by a single signature, leading to the removal of the anonymity feature but solved the exploit nonetheless.

  1. What are the stated advantages and disadvantages of Zerocash with respect to Zerocoin? Zerocash, (an upgrade of Zerocoin) improved efficiency with smaller proof size and enhanced privacy with added encryption of the amount as well as both the sender & receiver. Zero cash was most widely implemented in Zcash.

  2. In 2019, four of the eight major Zerocoin implementations switched from Zerocoin protocol to what? Sigma

  3. What was the technical cause behind the 2017 “fake spend” incident? A malicious attacker could intercept Zerocoin’s spending message by taking control of the victim's network. The message would never reach the nodes of the network and the attacker could mint a new coin with the same serial number and when the honest user went to spend the coin, it would be rejected as a double-spending attempt. The malicious user would burn the coin ahead of the honest user usurping the new “no-history” coins of the honest user.

  4. Explain the different responses by Zcoin, PIVX and Veil to the 2019 attack on the Zerocoin core protocol.

  5. Zcoin - the team disabled zero coin mints and froze funds until the release of sigma which would be implemented to replace zerocoin.

  6. PIVX - deactivated privacy features through a “spork” disabling zero coin minting but allowing spending through Schnorr signatures without exposure to the pre-existing vulnerability.

  7. Veil - initially, the Veil team deactivated the anonymizing feature from the zero coin protocol, which included the addition of a patch that required all zero coin spends to have a signature that attached the spend to the mint. The attack evolved and attackers were able to steal funds from the accumulator. In response, the Veil team then suspended withdrawals and deposits on exchanges, and returned to a “true” state by adding back stolen balances to the zero coin pools. The team disabled zero-knowledge proofs, but continued minting and issuing coins.

1 Like

1 proposed extension on BTC to make it more private. Zerocoin only hides the origin of a payment.

2 Sigma

3 typo in the source code

4
Coin: froze funds waiting for Sigma release
PIVx: Disabled minting
Veil: Deactivation of Zcoin’s anonymising feature.

1 Like

What are the stated advantages and disadvantages of Zerocash with respect to Zerocoin?
Advantages: More privacy, smaller proof size, faster verification and added encryption

Disadvantages: lack of auditability of its total supply (balances are hidden), less testing in its underlying cryptography (zkSNARKs) and higher time to generate a private transaction (computationally intensive process)

What was the technical cause behind the 2017 “fake spend” incident?
A typo in its source-code was exploited to mint 370,000 additional ZCoins

Explain the different responses by Zcoin, PIVX and Veil to the 2019 attack on the Zerocoin core protocol.
ZCoin: froze funds waiting for Sigma release
PIVx: Disabled minting
Veil: Deactivation of Zcoin’s anonymising feature

1 Like
  1. What are the stated advantages and disadvantages of Zerocash with respect to Zerocoin?

Zerocash introduced efficiency improvements (i.e., smaller proof size and faster verification) and enhanced privacy (with added encryption of the amount and both sender & receiver addresses). The disadvantages were: the lack of auditability of its total supply: balances are hidden with the Zerocash protocol. On the other hand, the Zerocoin protocol does not hide them. However, as discussed in the next section, some attackers managed to create false proofs from the RSA accumulator without detection, i.e., spending other people’s coins. Less testing in its underlying cryptography (the main implementation of zkSNARKs is ZCash) and the general complexity of the cryptography underlying the protocol, making it complex to audit the system. The time to generate a private transaction locally is high owing to its computationally intensive process.
2. In 2019, four of the eight major Zerocoin implementations switched from Zerocoin protocol to what? Sigma
3. What was the technical cause behind the 2017 “fake spend” incident? A typo in its source-code was exploited to mint 370,000 additional ZCoins.
4. Explain the different responses by Zcoin, PIVX and Veil to the 2019 attack on the Zerocoin core protocol?
The libzerocoin v2 was released, which led to a hardfork of ZCoin, and the reintroduction of zerocoin spends.
PIVX and Veil implemented fix getuint256 method now throws a std::range_error if the bignum has more than 256 bits (both for OpenSSL and for GMP libraries).

ExtractVersionFromSerial and HasValidSignature methods catch the std::range_error thrown by the getuint256 method (and the former returns version 2 in that case).

IsValidSerial now checks for the correct bitsize.

SerialNumberSignatureOfKnowledge::Verify now ensures that both the serial number and the commitment to the coin are within the proper ranges

1 Like
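
The range checks listed in the post above, as an added example that is not part of the thread and not code from libzerocoin, PIVX or Veil: a constructed byte-vector bignum shows how a conversion that silently keeps only the low 256 bits makes an oversize value indistinguishable from an in-range serial, and how a conversion that throws `std::range_error` together with a bit-size check rejects it. All type and function names, and the non-zero, at-most-256-bit bound in `is_valid_serial`, are assumptions for illustration.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <set>
#include <stdexcept>
#include <vector>

// Constructed stand-ins (hypothetical names, not libzerocoin types).
using BigNum = std::vector<uint8_t>;     // big-endian magnitude
using U256   = std::array<uint8_t, 32>;  // big-endian 256-bit value

// Count significant bits, ignoring leading zero bytes.
size_t bit_length(const BigNum& n) {
    size_t i = 0;
    while (i < n.size() && n[i] == 0) ++i;
    if (i == n.size()) return 0;
    size_t bits = (n.size() - i) * 8;
    for (uint8_t b = n[i]; (b & 0x80) == 0; b = static_cast<uint8_t>(b << 1)) --bits;
    return bits;
}

// Unchecked conversion: keeps the low 256 bits and silently drops the rest.
U256 to_u256_truncating(const BigNum& n) {
    U256 out{};
    size_t take = n.size() < out.size() ? n.size() : out.size();
    for (size_t k = 0; k < take; ++k) out[31 - k] = n[n.size() - 1 - k];
    return out;
}

// Checked conversion: throws instead of truncating.
U256 to_u256_checked(const BigNum& n) {
    if (bit_length(n) > 256) throw std::range_error("bignum exceeds 256 bits");
    return to_u256_truncating(n);
}

// Serial bit-size check (assumed bound: non-zero and at most 256 bits).
bool is_valid_serial(const BigNum& serial) {
    size_t bits = bit_length(serial);
    return bits > 0 && bits <= 256;
}

// Spent-serial registry keyed on the 256-bit form of the serial.
struct SpentSet {
    std::set<U256> seen;
    bool checked;
    explicit SpentSet(bool c) : checked(c) {}
    // Returns true if recorded as a new spend, false if rejected.
    bool record(const BigNum& serial) {
        try {
            U256 key = checked ? to_u256_checked(serial) : to_u256_truncating(serial);
            if (checked && !is_valid_serial(serial)) return false;
            return seen.insert(key).second;
        } catch (const std::range_error&) {
            return false;  // oversize serial: reject, never truncate
        }
    }
};

// Constructed sample values: 5, and 2^256 + 5 (33 bytes, 257 bits).
BigNum small_serial() { return BigNum{0x05}; }
BigNum oversize_serial() { BigNum n(33, 0x00); n.front() = 0x01; n.back() = 0x05; return n; }

int main() {
    SpentSet loose(false), strict(true);
    bool l1 = loose.record(oversize_serial());   // accepted, stored as 5
    bool l2 = loose.record(small_serial());      // collides with the entry above
    bool s1 = strict.record(oversize_serial());  // rejected by the range check
    bool s2 = strict.record(small_serial());     // accepted normally
    std::cout << "truncating: oversize=" << l1 << " in-range=" << l2 << "\n"
              << "checked:    oversize=" << s1 << " in-range=" << s2 << "\n";
    return 0;
}
```
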
  1. What are the stated advantages and disadvantages of Zerocash with respect to Zerocoin?
  • Smaller proof size;
  • Faster verification;
  • Encrypted amount, sender and receiver addresses;
  • Total supply is not auditable. Counterfeiting is not noticed;
  • Less testing has been done;
  • Private transactions take long to construct.
  2. In 2019, four of the eight major Zerocoin implementations switched from Zerocoin protocol to what?
  3. What was the technical cause behind the 2017 “fake spend” incident?
  • A typo in the source code of Zcoin.
  4. Explain the different responses by Zcoin, PIVX and Veil to the 2019 attack on the Zerocoin core protocol.
  • Zcoin temporarily froze the accumulator until Sigma was implemented. Then, a feature to re-mint Zcoins with Sigma was introduced.
  • PIVX deactivated privacy features and disabled Zerocoin minting. According to their Road Map, they will stick to Zerocoin. I also ran into this:
    image
    So, as I understand, at the moment PIVX is still transparent.
  • Veil also disabled the privacy feature. Now it has a signature that links spending and minting of the coin. Zerocoins can still be minted, but that doesn’t give any privacy.
1 Like

I think PIVX is implementing ZK-snarks.