Anonymous cryptocurrency Zcoin has given an indication that it will discharge the trusted setup by the end of 2017. Although zero knowledge systems such as used in Zerocoin offer much larger anonymity sets numbering thousands as compared to preceding anonymity schemes that are typically limited to several dozen, they have been criticised for having a trusted setup.

The network intends to implement the Sigma protocol after MTP completion and Znodes.

Reuben Yap, the community and communication manager of Zcoin, explains that once Zcoin implements the Sigma protocol, they would have a very compelling solution. It would offer the power and large anonymity sets of zero-knowledge proofs with low proof size without having to trust anyone with the generation of initial parameters, which is required in other zero-knowledge setups such as in Zcash.

Zerocoin and other zero information cryptocurrencies like Zcash.


Reuben Yap says:

"We have found the answer in solving the trustless setup problem through the use of the Sigma protocol in Zerocoin as detailed by Jens Groth and Markulf Kohlweiss from the University College London and Microsoft Research."

What the Sigma protocol does is it eliminates the use of the trusted setup and replaces the RSA accumulators with elliptic curve groups.

More so, there will be a reduction of Zerocoin proof sizes from 25 KB to around ~1 KB allowing more Zerocoin transactions per block and making Zcoin much more scalable coupled with higher security using 256-bit elliptic curves roughly equivalent to 3072-bit RSA. At the moment, the Zcoin network is using 2048-bit RSA.

Trusted setup

A trusted setup involves the need to trust someone to create some primary parametersand then erase those frameworks. Yap gives this analogy:

"A way to visualize it would be akin to making a lock and then trusting another person to destroy the only key to it. It is, however, not easy to prove that the key was destroyed. For instance, if a duplicate was made somewhere or a photo was taken of the key before it was destroyed. The same type of problems exists when trying to prove that the initial parameters were permanently destroyed and not known by anyone."

Auditable supply

Yap says that the consequences of initial parameters being leaked or compromised are severe with someone able to generate coins out of thin air by performing forged Zerocoin spend transactions. When Cointelegraph queried him on how this threat is dealt with currently, he revealed that having an auditable supply allowed the detection of such forgeries.

In February, a hacker created and spent 370,000 Zcoin, worth 410 BTC. The Zcoin team was able to determine this, raising eyebrows as to how other zero-knowledge coins can determine such an attack.

$200,000 unclaimed prize

With the trusted setup, the Zerocoin network is using the RSA accumulators which require the generation of two large prime numbers.

"We are utilizing the RSA-2048 parameters generated in 1991 from the RSA factoring challenge which was an academic challenge to learn about the difficulty of factoring large numbers. The parameters we used had a $200,000 prize if someone managed to factor it," Yap wrote. "To this day, no one has claimed the prize or announced a successful factorization of RSA-2048 with the last successful public factorization at RSA-768."

According to Yap, Zcoin's current setup uses the parameters from the RSA factoring challenge which meant that you did not need to trust the Zcoin developers to destroy them but instead only trust that the RSA factoring challenge parameters were secure. "But we recognize that having a trusted setup is not ideal and it is always in our roadmap to implement a trustless setup," Yap noted.

He also indicated there have been previous attempts to remove the trusted setup in Zerocoin and the most well-known one was the proposed use of RSA UFOs which thus far have been impractical to implement.

Yap adds:

"Our users should expect better anonymity with no worries of hidden loopholes and greater scalability."