Zerocoin Protocol Flaws - Reading Assignment

  1. Advantages: Efficiency improvements and enhanced privacy
    Disadvantages:
    The lack of auditability of its total supply, less testing in its underlying cryptography, time to generate a private transaction locally is high

  2. Sigma

  3. A typo in its source code was exploited to mint 370,000 additional ZCoins.

  4. Zcoin disabled spends

PIVX disabled the privacy features and zerocoin minting

Veil initially deactivated the anonymizing feature from the Zerocoin Protocol but the attack had evolved, which resulted in Veil disabling zero-knowledge proof making and also:

  • Work with exchanges: withdrawals & deposits were suspended to prevent any transaction on the network, which could lead to substantial loss of funds.
  • Return to a “true” state by adding back stolen balances to the zerocoin pools and ban the remaining zerocoins that had not been shuffled with RingCT.
1 Like

While zerocash is more efficient and provides more privacy than Zerocoin, has not been audited less widely and tested much less, has high transaction times, and has a high degree of inauditability both from a block creation standpoint, as well as in total supply. Most of the Zerocoin implementations have moved on to different protocols, most notably sigma. The main tech problem behind a 2017 fake spend that rocked the zerocoin family of projects was an entry by way of a typo in the protocol's source code which accidentally provided a means for minting new coins.
ZCoin went on to disable the minting function, prevent zerocash spends, blacklisting some of the mints they had access to know or and eventually replaced the protocol. PIVX decided to deactivate all the privacy features, disable zerocoin minting, implement Schnorr Signatures, and implemented a temporary POS TIME Protocol version 2.
Veil, in addition to disabling the anonymity feature, placed a patch that forced the coins to be linked to the minting, thereby creating a single signature. They were also proactive with exchanges and consumers, including the top off to previous levels of affected coin holders. Lastly, after adjusting the overall emission schedule to reset the ecosystem, they opted to do away with ZKPs altogether and change protocol completely, looking to Ring CT technology as a possible solution.

1 Like
  1. Zerocash introduced efficiency improvements like smaller proof size and faster verification, and enhanced privacy with added encryption of the amount and both sender and receiver addresses. But because balances are hidden, some attackers managed to create false proofs from the RSA accumulator without detection to spend other people's coins. It also has less testing in its underlying cryptography. The time to generate a private transaction is also high.

  2. They switched from the Zerocoin protocol to Sigma.

  3. The cause of the 2017 fake spend incident was a typo in the source code that led to the minting of an extra 370000 Zcoins.

  4. Zcoin disabled zerocoin mints and prevented any zerocoin spending. They froze the funds in the accumulator until the release of Sigma.

The PIVX team deactivated the privacy features of Zerocoin, so the zerocoins have been used in a public mode like normal UTXO transactions. Zerocoin minting was disabled while zerocoin spending remained enabled with full links to the original basecoin. The team also relied on Schnorr Signatures to ensure that zerocoins could be spent back to basecoins without exposure to the pre-existing vulnerability.

The Veil team deactivated the anonymizing feature from the Zerocoin protocol which initially prevented the attack from being conducted on the Veil chain. Since staking rewards can only be paid in zerocoin unless they did a hard fork, the initial fix consisted of the addition of a patch to require all zerocoin spends to have a signature attached that links the spend to the mint. The zero knowledge proof required to prevent a double spend was replaced by a single signature, leading to a removal of the anonymity but it solved the exploit.

1 Like

1. What are the stated advantages and disadvantages of Zerocash with respect to Zerocoin?
The advantages are smaller proof size, faster verification, and enhanced privacy.
Disadvantages are the following: first, hidden balances will give the hacker opportunities to create fake coins. Second, it is difficult to audit the system. Third, the time to generate a transaction is long.
2. In 2019, four of the eight major Zerocoin implementations switched from Zerocoin protocol to what?
Sigma
3. What was the technical cause behind the 2017 “fake spend” incident?
Causing a hard fork
4. Explain the different responses by Zcoin, PIVX and Veil to the 2019 attack on the Zerocoin core protocol.
The Zcoin team decided to remove the Zerocoin protocol and replaced it with Sigma.
The Veil team’s first measure is burning the additional coins and going to replace the zerocoin protocol with supersonic proof.
PIVX, the minting is disabled and also considering the move to the new protocol.

1 Like
  1. What are the stated advantages and disadvantages of Zerocash with respect to Zerocoin?

Advantages
    ◦ Smaller proof size
    ◦ Faster Verification
    ◦ Enhanced Privacy

Disadvantages
    ◦ Lack of Accountability of its total supply
    ◦ Less testing in its underlying cryptography
    ◦ The time to generate a private transaction locally is high owing to its computationally intensive process

  2. In 2019, four of the eight major Zerocoin implementations switched from Zerocoin protocol to what?
Sigma
  3. What was the technical cause behind the 2017 “fake spend” incident?

Denial-of-spending attack

The attack would work as follows:

• An honest user wants to spend his zerocoin and sends the spend transaction (including the serial number) to the network.

• Meanwhile, the attacker, who needs control over his target victim’s network, now intercepts the spending message to make sure it never reaches the nodes of the network. Afterward, the attacker mints a new malicious zerocoin with the exact same serial number. By doing so, the attacker is able to spend this zerocoin by revealing the correct serial number.

• Following this initial spend by the malicious user, if the honest individual attempted to spend his zerocoin, the transaction would be rejected by the network and considered as a double-spending attempt due to the earlier malicious spend.

As a result, the malicious user would burn the zerocoin ahead of the honest user, usurping the new, “no-history” coins of the honest user.

  4. Explain the different responses by Zcoin, PIVX and Veil to the 2019 attack on the Zerocoin core protocol.

Zcoin officially removed the Zerocoin protocol and replaced it with Sigma.

PIVX deactivated the privacy features from Zerocoin

Veil deactivated the anonymizing feature from the Zerocoin protocol

1 Like

  1. On the upside, Zerocash produces smaller proofs and faster verification making transactions more efficient. It also improves privacy by hiding the amount, the sender and the receiver address.

On the downside, it’s so private that no-one knows the total supply of a cryptocurrency using the Zerocash protocol as the balances are hidden - this makes auditability more difficult, but then again, if we want a private coin do we want to audit it? It’s also a very complicated protocol that hasn’t stood the test of time and it uses a lot of computational power, which effectively causes transactions to take their sweet merry time.

  2. Sigma

  3. The first was a simple typo. That’s insane!!!
    The second was a denial-of-spending attack - a malicious user intercepts a broadcasted spend transaction from an honest user before it reaches a node in the network and copies the serial number. Then he/she creates a “fake” mint corresponding to that serial number and uses it to spend the coin using the correct serial before the original honest user gets to spend his/hers. This effectively causes the network to see the original transaction as a double spend, which is then rejected by the network.

  4. Zcoin: they immediately halted all action by disabling zerocoin mints and spends and eventually abandoned the protocol altogether replacing it with Sigma.

PIVX: they disabled zerocoin minting, but kept zerocoin spending. It was/is also possible to convert zerocoins back to basecoins.

Veil: they replaced zero-knowledge proofs with signatures that linked a spend to a mint. This stabilised the system by preventing double spends, but effectively got rid of the anonymity feature of zerocoin. Disabling the zk-proofs made it similar to a normal UTXO-based cryptocurrency, so not much privacy there. The change didn’t save them for long as the attackers adapted their skills and began harassing again. As a result the Veil team basically started freezing transactions that could cause a significant loss. To make up for their mistake (which inflated the entire system by over 12 million coins) the founders decided to burn a little over 12 million coins in compensation. They also decided that they had enough of the Zerocoin protocol and wish to get rid of it. RingCT staking is currently their best solution at making Veil private again.

1 Like
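
An added example, not part of any post in this thread and not code from Zcoin, PIVX or Veil: a toy ledger that shows why a spend identified only by its serial number lets an honest spend be rejected as a double spend, and how a signature that ties the spend to its mint stops that. Deriving the serial from a hash of a public key and using a Lamport one-time signature are assumptions made for illustration; revealing the commitment opening stands in for the zero-knowledge proof.

```python
import hashlib
import os


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# Lamport one-time signature on SHA-256 (stdlib only). Stand-in for a real
# signature scheme; the choice of scheme is an assumption of this example.
def keygen():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = b"".join(h(a) + h(b) for a, b in sk)
    return sk, pk


def _bits(msg: bytes):
    d = h(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def sign(sk, msg: bytes):
    return [sk[i][b] for i, b in enumerate(_bits(msg))]


def verify(pk: bytes, msg: bytes, sig) -> bool:
    if len(pk) != 256 * 64 or len(sig) != 256:
        return False
    return all(h(sig[i]) == pk[i * 64 + b * 32: i * 64 + b * 32 + 32]
               for i, b in enumerate(_bits(msg)))


class Ledger:
    def __init__(self, require_signature: bool):
        self.require_signature = require_signature
        self.mints, self.spent = set(), set()

    def mint(self, commitment: bytes):
        self.mints.add(commitment)

    def spend(self, serial, opening, dest, pk, sig) -> str:
        # Revealing the opening publicly links the spend to one mint, so this
        # model has no anonymity (as with the signature-based fix in the thread).
        if h(serial + opening) not in self.mints:
            return "rejected: unknown mint"
        if self.require_signature and not (
                serial == h(pk) and verify(pk, serial + dest, sig)):
            return "rejected: signature does not match serial"
        if serial in self.spent:
            return "rejected: double spend"
        self.spent.add(serial)
        return "accepted"


def run_scenario(require_signature: bool):
    """Constructed scenario: a second party reuses an observed serial first."""
    ledger = Ledger(require_signature)
    sk, pk = keygen()                       # honest user
    serial, opening = h(pk), os.urandom(32)
    ledger.mint(h(serial + opening))
    honest = (serial, opening, b"honest-address", pk,
              sign(sk, serial + b"honest-address"))
    sk2, pk2 = keygen()                     # party that only knows the serial
    opening2 = os.urandom(32)
    ledger.mint(h(serial + opening2))
    first = ledger.spend(serial, opening2, b"other-address", pk2,
                         sign(sk2, serial + b"other-address"))
    return first, ledger.spend(*honest)


if __name__ == "__main__":
    print("serial only:     ", run_scenario(False))
    print("signature bound: ", run_scenario(True))
```
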
  1. some attackers managed to create false proofs from the RSA accumulator without detection, i.e., spending other people’s coins.

2. they switched over to Sigma.
3. someone was capable of generating fake spends, hence inflating the supply of ZCoin
4. zcoin disabled zerocoin mints and prevented any zerocoin spend to be conducted. Hence, they effectively froze the funds in the accumulator until the release of Sigma.
pivx team: zerocoin minting has been disabled while zerocoin spending remains enabled
Veil team decided to deactivate the anonymizing feature from the Zerocoin protocol. In other words, the zero-knowledge proof required to prevent a double spend was replaced by a single signature, leading to the removal of the anonymity feature but solved the exploit

1 Like
  1. The advantages are the efficiency improvements and enhanced privacy. While the disadvantages are the lack of auditability of its total supply, Less testing in its underlying cryptography and the time to generate a private transaction.

  2. Sigma.

  3. A Typo error in the source Code.

  4. Zcoin decided to disable zerocoin mints and prevent any zerocoin spend to be conducted. PIVX opted for deactivation of the privacy features from Zerocoin, through a spork. Veil decided to deactivate the anonymizing feature from the Zerocoin protocol.

1 Like
    • Zerocash introduced efficiency improvements (i.e., smaller proof size and faster verification) and enhanced privacy (with added encryption of the amount and both sender & receiver addresses).

    • The lack of auditability of its total supply: balances are hidden with the Zerocash protocol. On the other hand, the Zerocoin protocol does not hide them. However some attackers managed to create false proofs from the RSA accumulator without detection, i.e., spending other people’s coins.

    • Less testing in its underlying cryptography (the main implementation of zkSNARKs is ZCash) and the general complexity of the cryptography underlying the protocol, making it complex to audit the system.

    • The time to generate a private transaction locally is high owing to its computationally intensive process.

  2. Sigma - for removal of trusted setup, reduces proof size from 25kb to 1.5kb and improve security.

  3. In 2017, an incident occurred, a few months after ZCoin revealed that a typo in its source-code was exploited to mint 370,000 additional ZCoins
    Following this 2017 incident, ZCoin teams that 18,171 coins were generated through this exploit. Specifically, someone was capable of generating fake spends, hence inflating the supply of ZCoin.

    • Zcoin - As an urgent fix, the team decided to disable zerocoin mints and prevent any zerocoin spend to be conducted. Hence, they effectively froze the funds in the accumulator until the release of Sigma. Owing to a specific signature from the attack, the team was also able to blacklist some mints, hence preventing the attackers from converting some zerocoins into Sigma mints. As a result, the total damage was estimated at 54,321 XZC, according to ZCoin’s recent update. In July 2019, the team officially removed the Zerocoin protocol and replaced it by Sigma, also bypassing the need for any trusted set-up. Indeed, ZCoin had started working on deprecating the Zerocoin protocol since early 2018. After its migration to Sigma, ZCoin introduced a feature to “remint” zerocoins, i.e., transfer zerocoins to Sigma mints.

    • PIVX - the PIVX team had deactivated the privacy features from Zerocoin, through a spork. Since then, zerocoins have been used in a public mode i.e., in a similar fashion as normal UTXO transactions. Specifically, zerocoin minting has been disabled while zerocoin spending remains enabled (with full links to the original basecoin). Furthermore, the team relies on Schnorr Signatures to ensure that zerocoins could be spent back to basecoins, without any exposure to the pre-existing vulnerability. On January 5th 2020, PoS Time Protocol v2 was introduced with the 4.0 release (along with Cold Staking). Following this hardfork, PIVX is expected to announce its next privacy protocol very soon.

    • VEIL - Following the flaw discovery by [ZCoin on April 17th 2019], the Veil team decided to deactivate the anonymizing feature from the Zerocoin protocol. It initially prevented the attack from being conducted on the Veil chain. For Veil, staking rewards can only be paid in zerocoin (and not in basecoin). Hence, the initial fix did not rely on deactivating the complete reliance on the zerocoin protocol through an immediate hardfork. This initial fix consisted of the addition of a patch to require all zerocoin spends to have a signature attached that links the spend to the mint. In other words, the zero-knowledge proof required to prevent a double spend was replaced by a single signature, leading to the removal of the anonymity feature but solved the exploit nonetheless. Unfortunately, the attack “evolved”, and the initial fix did not protect attackers from stealing funds from the accumulator. As an urgent solution, Veil’s team decided to:

  • Work with exchanges: withdrawals & deposits were suspended to prevent any transaction on the network, which could lead to substantial loss of funds.
  • Return to a “true” state by adding back stolen balances to the zerocoin pools and ban the remaining zerocoins that had not been shuffled with RingCT.

Furthermore, the team disabled zero-knowledge proof making zerocoins behaving in a similar fashion to other (normal) UTXO transactions. However, unlike PIVX, minting and issuing zerocoins were not disabled (as staking was only possible in zerocoin), but privacy features have been non-existent since then.

1 Like
  1. What are the stated advantages and disadvantages of Zerocash with respect to Zerocoin?
    advantages:
    efficiency improvements (i.e., smaller proof size and faster verification)
    enhanced privacy

disadvantages:
The lack of auditability of its total supply
Less testing in its underlying cryptography
The time to generate a private transaction

  2. In 2019, four of the eight major Zerocoin implementations switched from Zerocoin protocol to what?
    sigma

  3. What was the technical cause behind the 2017 “fake spend” incident?
    typo which allowed to generate fake spends and inflate the supply of zcash

  4. Explain the different responses by Zcoin, PIVX and Veil to the 2019 attack on the Zerocoin core protocol.
    zcoin froze the funds till the introduction of sigma
    pivx minting was disabled
    veil deactivate the anonymizing feature preventing to be attacked

1 Like
  1. Advantages are efficiency improvements (smaller proof size, faster verification) and enhanced privacy (added encryption of the amount and sender and receiver addresses).
    Disadvantages are lack of auditability of its total supply, less testing in its underlying cryptography, and the time to generate a private transaction locally is high due to the computationally intense process

  2. Sigma

  3. A typo in the source code was the cause of the incident

  4. Zcoin disabled zerocoin mints, effectively freezing funds in the accumulator until the release of Sigma.
    PIVX deactivated privacy features from Zerocoin and disabled minting zerocoins but zerocoins could still be spent in a similar fashion as normal UTXO transaction.
    Veil deactivated the anonymizing feature from the protocol, replacing the zero-knowledge proof required to prevent double spend with a single signature.

1 Like
  1. The advantages are lack of accountability of total supply, smaller proof of size, faster verification, and enhanced privacy. The disadvantages are a lack of accountability of the total supply, less testing in the underlying cryptography and the time to generate a private transaction locally is high owing to its computationally intensive process.

  2. Moved to sigma

  3. A typographical error in the source code.

  4. Z coin froze funds waiting for Sigma release, PIVX Disabled minting and
    Veil Deactivated Zcoin’s protocol anonymising feature.

1 Like

1.) What are the stated advantages and disadvantages of Zerocash with respect to Zerocoin?
Advantages: Efficiency Improvements, Enhanced Privacy
Disadvantages: The lack of auditability of its total supply, Less testing in its underlying cryptography, The time to generate a private transaction

2.) In 2019, four of the eight major Zerocoin implementations switched from Zerocoin protocol to what?
Sigma, another proof of knowledge protocol.

3.) What was the technical cause behind the 2017 “fake spend” incident?
A typo in its source-code was exploited to mint 370,000 additional ZCoins.

4.) Explain the different responses by Zcoin, PIVX and Veil to the 2019 attack on the Zerocoin core protocol.
Zcoin officially removed the Zerocoin protocol and replaced it by Sigma. PIVX deactivated the privacy features from Zerocoin. Veil deactivated the anonymizing feature from the Zerocoin protocol.

1 Like

1
Advantages

  • smaller proof size
  • faster verification
  • enhanced privacy

Disadvantages

  • The lack of auditability of its total supply
  • Less testing in its underlying cryptography
  • The time to generate a private transaction

2 Sigma

3 A typing error in the source code.

4
ZCoin Disabling zerocoin mints and zerocoin spendings.
PIVX Disabling the privacy features from Zerocoin.
Veil Disabling the anonymizing feature.

1 Like

1.)
Advantages:

  • Smaller proof size
  • Faster Verification
  • Enhanced Privacy

Disadvantages:

  • Lack of Accountability of its total supply
  • Less testing in its underlying cryptography
  • The time to generate a private transaction locally is high owing to its computationally intensive process.

2.)
Sigma

3.)
A typo in its source-code was exploited to mint 370,000 additional ZCoins

4.)
-Zcoin-
As an urgent fix, the team decided to disable zerocoin mints and prevent any zerocoin spend to be conducted. Hence, they effectively froze the funds in the accumulator until the release of Sigma.
And they introduced a feature to “remint” zerocoins.

-PIVX-
As a response to the incident, the PIVX team had deactivated the privacy features from Zerocoin, through a spork (fork ???).
Since then, zerocoins have been used in a public mode i.e., in a similar fashion as normal UTXO transactions. Specifically, zerocoin minting has been disabled while zerocoin spending remains enabled
Furthermore, the team relies on Schnorr Signatures to ensure that zerocoins could be spent back to basecoins

-Veil-
The Veil team decided to deactivate the anonymizing feature from the Zerocoin protocol.
This initial fix consisted of the addition of a patch to require all zerocoin spends to have a signature attached that links the spend to the mint.
Furthermore, the team disabled zero-knowledge proof making zerocoins behaving in a similar fashion to other (normal) UTXO transactions.

1 Like
  1. What are the stated advantages and disadvantages of Zerocash with respect to Zerocoin?
    A) Advantages, smaller proof size, faster, added encryption, Disadvantages. Difficult to audit. Balances are hidden.

  2. In 2019, four of the eight major Zerocoin implementations switched from Zerocoin protocol to what?
    A) Sigma.

  3. What was the technical cause behind the 2017 “fake spend” incident?
    A) A written typo in the source code.

  4. Explain the different responses by Zcoin, PIVX and Veil to the 2019 attack on the Zerocoin core protocol.
    A) Zcoin removed the ZeroCoin Protocol and replaced this with SIGMA, PIVX deactivated the privacy feature and moved to POS Time Protocol V2, Veil deactivated the deanonymizing feature, zero proof of knowledge, and this was replaced by a single signature.

1 Like
  1. Advantages: More privacy, smaller proof size, faster verification and added encryption.
    Disadvantages: lack of auditability of its total supply (balances are hidden), less testing in its
    underlying cryptography (zkSNARKs) and higher time to generate a private
    transaction (computationally intensive process).
  2. Sigma
  3. A typographical error in the source code, that allowed to mint additional ZCoins.
  4. ZCoin: disabled zerocoin mints and prevented any zerocoin spend to be conducted.
    PIVX: Deactivated the privacy features from Zerocoin, through a spork.
    Veil: Deactivate the anonymizing feature from the Zerocoin protocol.
1 Like

1.- Advantages: small proof size; faster verification; enhance privacy.
Disadvantages: lack of accountability of its total supply; less testing in its underlying cryptography; the time to generate a private TX is higher, because of the intensity of the computational process.

2.- They switched to Sigma, which had an impact because it removes the trusted setup, reduces the proof size and improves security.

3.- An error within the code that allowed to mint additional Zcoins.

4.- Zcoin.- Removed the Zerocoin protocol and replaced it with Sigma.
PIVX.- Deactivated the privacy features from Zerocoin.
Veil.- Deactivated the anonymizing features from the Zerocoin protocol.

1 Like
  1. Advantages = smaller proof size, faster verification, enhanced privacy (with added encryption of the amount and both sender & receiver addresses)
    Disadvantages = lack of auditability of its total supply, less testing in its underlying cryptography, the time to generate a private transaction is long

  2. Sigma

  3. a typo in the code…

  4. Zcoin = migrated to Sigma, bypassing the need for any trusted set-up and introduced a feature to remint/transfer zerocoins to Sigma mints.

    PIVX = deactivated the privacy features from Zerocoin, through a spork. also zerocoin minting has been disabled while zerocoin spending remains enabled (with full links to the original basecoin). Furthermore, the team relies on Schnorr Signatures to ensure that zerocoins could be spent back to basecoins, without any exposure to the pre-existing vulnerability.

    Veil = decided to deactivate the anonymizing feature from the Zerocoin protocol. the zero-knowledge proof required to prevent a double spend was replaced by a single signature, leading to the removal of the anonymity feature but solved the exploit nonetheless. also cooperation with trading venues and giving up a significant part of the founders’ allocation.

1 Like
  1. What are the stated advantages and disadvantages of Zerocash with respect to Zerocoin?
    Advantages: enhanced privacy, smaller pool size, faster verification
    Disadvantages: lack of auditability of its total supply, takes a long time to generate a private tx as it’s computationally intensive and the less testing in its underlying cryptography (zkSNARKs)

  2. In 2019, four of the eight major Zerocoin implementations switched from Zerocoin protocol to what?
    They disable the need for a trusted setup, and moved to Sigma.

  3. What was the technical cause behind the 2017 “fake spend” incident?
    A typo in the source code led to an exploit, resulting in the creation of extra coins and fake spending of those.

  4. Explain the different responses by Zcoin, PIVX and Veil to the 2019 attack on the Zerocoin core protocol.
    Zcoin: switch from ZeroCoin to Sigma, disable coin minting and spending then subsequently black listed some coins.
    PIVX: They deactivated the privacy features from Zerocoin, through a spork.
    Veil: deactivated the anonymizing feature

1 Like