Zerocoin Protocol Flaws - Reading Assignment

  1. Zerocash couldn’t replace Zerocoin because of lack of auditability of its supply, less testing in the underlying cryptography and because of long waiting for generating a private tx but it was better in terms of faster verification, added encryption and smaller size txs.

  2. They switched to Sigma.

  3. Typo in the code enabling attackers to mint new coins.

  4. Zerocoin froze the funds preventing spending and minting until Sigma release, PIVX disabled minting, spending was possible and Veil disabled anonymizing feature and used single signature trying to solve the problem, that didn’t work so they worked directly on the blockchain and with exchanges trying to fix it.

1 Like
  1. What are the stated advantages and disadvantages of Zerocash with respect to Zerocoin?
    The lack of auditability of its total supply
    Less testing in its underlying cryptography
    The time to generate a private transaction

  2. In 2019, four of the eight major Zerocoin implementations switched from Zerocoin protocol to what?
    Sigma

  3. What was the technical cause behind the 2017 “fake spend” incident?
    A typo in its source-code was exploited to mint 370k additional Zcoins

  4. Explain the different responses by Zcoin, PIVX and Veil to the 2019 attack on the Zerocoin core protocol.

Zcoin: as an urgent fix, the team disabled zerocoin mints and prevented any zerocoin spend from being conducted. They effectively froze the funds in the accumulator until the release of Sigma.

PIVX: they deactivated the privacy features from zerocoin through a spork. Since then, zerocoins have been used in a public mode in a similar fashion as normal UTXO transactions.

Veil: they deactivated the anonymizing feature from the zerocoin protocol, initial fix consisted of the addition of a patch to require all zerocoin spends to have a signature attached that links the spend to the mint. Unfortunately, the initial fix did not protect from stealing funds from the accumulator
Withdrawals and deposits were suspended
Return to a “true” state by adding back stolen balances to the zerocoin pools and ban the remaining zerocoins that had not been shuffled with RingCT.
Furthermore, the team disabled zero-knowledge proof making zerocoins behaving in a similar fashion to other (normal) UTXO transactions. However, unlike PIVX, minting and issuing zerocoins were not disabled (as staking was only possible in zerocoin), but privacy features have been non-existent since then.

1 Like
  1. More private, smaller proof, faster verification are some of the ups and lack of auditability of its total supply is one of the minuses

  2. Sigma

  3. A typographical error in the source code

1 Like
  1. Advantages: efficiency improvements and enhanced privacy
    Disadvantages: Lack of auditability of total supply, Less testing in underlying cryptography, and High time to generate a private transaction.
  2. Sigma
  3. A typo in the source code allowed someone to generate more coins by generating fake spends.
  4. PIVX disabled the privacy features from zerocoin
    Veil Deactivated the anonymizing feature from zerocoin.
1 Like
  1. Advantages
    • Smaller proof size
    • Faster Verification
    • Enhanced Privacy
    Disadvantages
    • Lack of auditability of its total supply (balances are hidden)
    • Less testing in its underlying cryptography (zkSNARKs)
    • Higher time to generate a private transaction (computationally intensive process).
  2. Sigma
  3. A typographical error in the source code which was exploited to mint 370,000 additional ZCoins.
  4. ZCoin: disabled zerocoin mints and prevented any zerocoin spend from being conducted.
    PIVX: Deactivated the privacy features from Zerocoin, through a spork.
    Veil: Deactivated the anonymizing feature from the Zerocoin protocol.
1 Like

. Enhanced privacy. Efficiency improvements.

. Sigma.

. A typo in the source code.

. Zcoin decided to freeze the accumulator. Pivx disabled the privacy feature offered by zerocoin and made it possible for the zerocoins to be « minted back ». Veil tried to fix the issues with an upgrade, but was forced to finally disable the privacy feature.

1 Like

1. What are the stated advantages and disadvantages of Zerocash with respect to Zerocoin?
Zerocash advantages: Zerocash introduced efficiency improvements (i.e., smaller proof size and faster verification) and enhanced privacy (with added encryption of the amount and both sender & receiver addresses).
Zerocoin disadvantages:

  • The lack of auditability of its total supply
  • Less testing in its underlying cryptography
  • High time to generate a private transaction

2. In 2019, four of the eight major Zerocoin implementations switched from Zerocoin protocol to what?
Zcoin, Noir, Gravity and NIX all switched to Sigma.

3. What was the technical cause behind the 2017 “fake spend” incident?
A typo in the source code

4. Explain the different responses by Zcoin, PIVX and Veil to the 2019 attack on the Zerocoin core protocol.
Zcoin reacted by disabling zerocoin mints, and preventing zerocoin spends. They blacklisted the spends they could, and then transitioned to Sigma.
PIVX deactivated the privacy features of zerocoin, and have since treated them as normal UTXOs. Additionally the use of Schnorr signatures has been implemented, ensuring that all zerocoin sends can be traced back to base coins.
Veil also initially deanonymized the anonymizing feature of zerocoins, but the attack evolved and resulted in funds from the accumulator being stolen. Eventually Veil stopped all withdrawals and deposits from exchanges, reverted the blockchain back to a “true” state, replaced the ZK proof with a single signature linking the coin to the mint, and also began treating zerocoins as normal utxos.

1 Like
  1. ZeroCash: disadvantages: 1. The lack of auditability of its total supply 2. Less testing in its underlying cryptography 3. The time to generate a private transaction
    advantages: higher privacy on account balances and transactions

  2. To Sigma

  3. Someone found a code exploit that allowed to mint extra coins and spend them.

  4. ZCoin: reacted by freezing the funds within the accumulator waiting for Sigma release, preventing both spending and minting.
    PIVX: disabled minting but kept spending possible by relying on Schnorr Signatures to prevent further vulnerability exposure
    Veil: In other words, the zero-knowledge proof required to prevent a double spend was replaced by a single signature, leading to the removal of the anonymity feature but solved the exploit nonetheless.
1 Like
  1. What are the stated advantages and disadvantages of Zerocash with respect to Zerocoin?
    adv:
    efficiency improvements (smaller proof size and faster verification).
    enhanced privacy (amount, sender & receiver)
    disadv:
    wasn’t able to see balance (Zerocoin balances were visible)
    zksnarks was too complex so auditing and testing was less than that of Zerocoin
    computationally intensive so took longer for private tx

  2. In 2019, four of the eight major Zerocoin implementations switched from Zerocoin protocol to what?
    Sigma

  3. What was the technical cause behind the 2017 “fake spend” incident?
    A typo in the source code opened a vulnerability and was exploited.

  4. Explain the different responses by Zcoin, PIVX and Veil to the 2019 attack on the Zerocoin core protocol.

Zcoin = froze funds to prevent spending and minting until Sigma migration.

PIVX = by removing the privacy feature preventing the ability to double spend and costing anonymity. Schnorr signatures were implemented allowing traceability of all transactions/coins.

Veil = similar to PIVX, Veil deactivated the anonymizing feature from the Zerocoin protocol. Due to the attack evolving, they contacted exchanges, to suspend deposits and withdrawals. Return to a “true” state by adding back stolen balances to the zerocoin pools and ban the remaining zerocoins that had not been shuffled with RingCT.

1 Like

• What are the stated advantages and disadvantages of Zerocash with respect to Zerocoin? Zerocash had efficiency improvement resulting in smaller proof size and faster verification. Also enhanced privacy where the amounts, and the sender and receiver addresses are encrypted. The disadvantage, it took too long to develop private transactions. The lack of auditability of its total supply, the balances are hidden in the zerocash protocol, whereas zerocoin does not hide them.

• In 2019, four of the eight major Zerocoin implementations switched from Zerocoin protocol to what? Zerocoin protocol was replaced with Sigma

• What was the technical cause behind the 2017 “fake spend” incident? The technical issue was a typo in the source-code which was exploited to mint 370k additional coins, inflating the supply of zcoin.

• Explain the different responses by Zcoin, PIVX and Veil to the 2019 attack on the Zerocoin core protocol. Zcoin disabled zerocoin mint and prevented zerocoin spend from being conducted. PIVX deactivated the privacy features from zerocoin. Veil decided to deactivate the anonymizing feature from the zerocoin protocol.

1 Like
  1. Zerocoin makes Bitcoin more private. Zerocoin only hides sender, but receiver and amount are still public.
  2. They switched to Sigma.
  3. It was a typo allowing for minting of additional Zcoins.
  4. Zcoin removed the Zerocoin protocol for Sigma.
    PIVX deactivated the privacy features from Zerocoin.
    Veil deactivated the anonymizing feature from the Zerocoin protocol.
1 Like
  1. What are the stated advantages and disadvantages of Zerocash with respect to Zerocoin?

Zerocash has a lack of auditability because balances are hidden in Zerocash, less testing in its underlying cryptography and computationally intensive process.

  2. In 2019, four of the eight major Zerocoin implementations switched from Zerocoin protocol to what?

ZCoin, Noir, Gravity Coin, NIX adopted Sigma in 2019.

  3. What was the technical cause behind the 2017 “fake spend” incident?

By exploiting a typo error in Zcoin source-code

  4. Explain the different responses by Zcoin, PIVX and Veil to the 2019 attack on the Zerocoin core protocol.

Zcoin team decided to remove the Zerocoin protocol, replaced it with Sigma.
The veil team’s first measure is burning the additional coins and going to replace the zerocoin protocol with supersonic proof.
PIVX, the minting is disabled and also considering the move to the new protocol.

1 Like
  1. What are the stated advantages and disadvantages of Zerocash with respect to Zerocoin?
    Zerocash advantages: Better efficiency and privacy.
    Zerocash disadvantages:
    -Lack of auditability of its total supply
    -Less testing in its underlying cryptography
    -Long time to generate private transactions

  2. In 2019, four of the eight major Zerocoin implementations switched from Zerocoin protocol to what?
    Sigma

  3. What was the technical cause behind the 2017 “fake spend” incident?
    A typo in the source code.

  4. Explain the different responses by Zcoin, PIVX and Veil to the 2019 attack on the Zerocoin core protocol.
    -Zcoin: Fund freezing until the release of Sigma and blacklisting of fraudulent mints.
    -PIVX: Zerocoin minting was disabled and privacy features were deactivated.
    -Veil: “the zero-knowledge proof required to prevent a double spend was replaced by a single signature, leading to the removal of the anonymity feature”. In the long run Veil also ended up departing the Zerocoin protocol following Zcoin’s example.

1 Like

1.- Smaller proof size, faster verification and encryption. Higher times to generate a private transaction.

2.- Sigma, more optimized and secure.

3.- A typo in the source-code.

4.- Zcoin started using Sigma, PIVX removed privacy features from Zerocoin, Veil removed the anonymizing feature from the Zerocoin protocol.

1 Like
  1. The lack of auditability of its total supply, Less testing in its underlying cryptography, The time to generate a private transaction too high
  2. Sigma
  3. A typo in the source code
  4. ZCoin replaced the protocol, PIVX deactivated the privacy features, Veil deactivated the anonymizing feature
1 Like
  1. What are the stated advantages and disadvantages of Zerocash with respect to Zerocoin?
    Smaller proof sizes
    Added encryption to sender and receiver addresses

  2. In 2019, four of the eight major Zerocoin implementations switched from Zerocoin protocol to what?
    Sigma

  3. What was the technical cause behind the 2017 “fake spend” incident?
    Source code typo was exploited

  4. Explain the different responses by Zcoin, PIVX and Veil to the 2019 attack on the Zerocoin core protocol.
    Zcoin replaced it with sigma
    PIVX deactivated zero coin minting
    Veil patch requiring signatures on minted zero coins which removed its privacy feature

1 Like
  1. The stated advantages of Zerocash with respect to Zerocoin are to provide full privacy, Zerocash introduced efficiency improvements (i.e., smaller proof size and faster verification) and enhanced privacy (with added encryption of the amount and both sender & receiver addresses). The most widely known implementation of Zerocash is ZCash.
    The stated disadvantages of Zerocash with respect to Zerocoin include the lack of auditability of its total supply: balances are hidden with the Zerocash protocol. On the other hand, the Zerocoin protocol does not hide them. Less testing in its underlying cryptography (the main implementation of zkSNARKs is ZCash) and the general complexity of the cryptography underlying the protocol, making it complex to audit the system. The time to generate a private transaction locally is high owing to its computationally intensive process.
  2. Four of the eight major Zerocoin implementations switched from Zerocoin protocol to Sigma in 2019. These were Zcoin, Noir (ex-Zoin), Gravity Coin (ex-Hexxcoin) and Nix.
  3. The technical cause behind the 2017 “fake spend” incident was that a typo in its source-code was exploited by someone who was then capable of generating fake spends and 18,171 coins were generated, hence inflating the supply of ZCoin. As an immediate fix, the team released immediately an emergency update to prevent additional zerocoin spends. As an end-result, the libzerocoin v2 was released, which led to a hardfork of ZCoin, and the reintroduction of zerocoin spends.
  4. The response by Zcoin to the 2019 attack on the Zerocoin core protocol was to implement an urgent fix, the team decided to disable zerocoin mints and prevent any zerocoin spend to be conducted. Hence, they effectively froze the funds in the accumulator until the release of Sigma.
    The response by PIVX to the 2019 attack on the Zerocoin core protocol was to deactivate the privacy features from Zerocoin, through a spork. Since then, zerocoins have been used in a public mode i.e., in a similar fashion as normal UTXO transactions. Specifically, zerocoin minting has been disabled while zerocoin spending remains enabled (with full links to the original basecoin). Furthermore, the team relies on Schnorr Signatures to ensure that zerocoins could be spent back to basecoins, without any exposure to the pre-existing vulnerability.
    The response by Veil to the 2019 attack on the Zerocoin core protocol was to deactivate the anonymizing feature from the Zerocoin protocol. It initially prevented the attack from being conducted on the Veil chain. Unfortunately, the attack “evolved”, and the initial fix did not protect attackers from stealing funds from the accumulator. As an urgent solution, Veil’s team decided to:
    Work with exchanges: withdrawals & deposits were suspended to prevent any transaction on the network, which could lead to substantial loss of funds.
    Return to a “true” state by adding back stolen balances to the zerocoin pools and ban the remaining zerocoins that had not been shuffled with RingCT.
    Furthermore, the team disabled zero-knowledge proof making zerocoins behaving in a similar fashion to other (normal) UTXO transactions.
1 Like
  1. What are the stated advantages and disadvantages of Zerocash with respect to Zerocoin?
    Improvements are smaller proof size and faster verification, encrypted amount, sender, and receiver. While disadvantages include unable to audit total supply, new untested technology, and time to generate a private transaction locally.
  2. In 2019, four of the eight major Zerocoin implementations switched from Zerocoin protocol to what?
    They switched to Sigma.
  3. What was the technical cause behind the 2017 “fake spend” incident?
    A typo in the Zcoin source code.
  4. Explain the different responses by Zcoin, PIVX, and Veil to the 2019 attack on the Zerocoin core protocol.
    Zcoin froze the accumulator to prevent anymore spends, they had been working on Sigma since early 2018, they finished Sigma and released it a few months after the exploit, then finally made it possible to convert frozen zerocoins into “Sigma mints” which could be spent. PIVX didn’t switch to Sigma, instead they used a spork to disable the anonymity features and link zerocoin spends with the original basecoin. They also stopped allowing zerocoin mints. Veil was unable to stop minting or spending zerocoins because their protocol relied on it to function, so instead they disabled the anonymity features through a hardfork. Unfortunately, they were left vulnerable to a related hack, where funds were stolen directly from the accumulator. Ultimately they burned founders funds to help with the supply and they moved to “RingCT staking” instead.
1 Like
  1. Zerocash as a protocol is faster, more efficient and has added encryption on both ends. However, there is a lack of auditability of its total supply as balances are hidden, as well as less testing for its underlying cryptography as it is so complex. There is also a strong relationship between computing power and the time it takes to generate a private transaction.
  2. Sigma. It is another PoK protocol that has a discrete logarithm that decreases the proof size (from 25kb to 1.5kb) , improves security and removes the trusted-setup.
  3. A typo in the source code allowed people to fake spend Zerocoin. I highly doubt it was just a “typo”.
  4. Zcoin, as an urgent fix, decided to disable any mints and prevent any spend to be conducted. PIVX deactivated the privacy feature through a spork. Veil had a similar response to PIVX, disabling the anonymity feature.
1 Like

Advantages - Efficiency: smaller proof time and faster verification. Privacy: amount, sender and receiver are all encrypted.
Disadvantages - Attackers were able to create false proofs since Zerocoin’s total supply is hidden. Its protocol is more complex for testing. Slow computation.

Sigma.

A typo in the source code.

Zcoin: froze the funds in the accumulator until the release of Sigma through disabling minting, and spending.
Pivx: Deactivated privacy features from Zerocoin through a spork.
Veil: Deactivated anonymizing feature from the Zerocoin protocol. But attackers were still able to steal funds from the accumulator, so they resorted to suspending withdrawals and deposits from exchanges and returning to a “true” state by adding back stolen balances to the zerocoin pools and banning the remaining zerocoins that had not been shuffled with RingCT.

Furthermore, the team disabled zero-knowledge proof making zerocoins behaving in a similar fashion to other (normal) UTXO transactions. However, unlike PIVX, minting and issuing zerocoins were not disabled (as staking was only possible in zerocoin), but privacy features have been non-existent since then.

In the medium and long term, the team decided to adopt several solutions:

  • Adjustment of the emission schedule: this attack effectively increased the supply by 12,441,690 coins. As a response, the founder’s rewards have been reduced (by ~ 10 million veils) to offset most of this supply increase and will burn them, along with an additional 2.1 million (in excess of the general budget expenses dedicated to the development of the project).
  • Accelerating its departure from the Zerocoin protocol: the team has confirmed its desire to part away from the Zerocoin protocol, following ZCoin’s example
1 Like