Zerocoin logo

Zerocoin is a cryptocurrency proposed by Johns Hopkins University professor Matthew D. Green and graduate students Ian Miers and Christina Garman as an extension to the bitcoin protocol that would add true cryptographic anonymity to bitcoin transactions. Zerocoin was first implemented into a fully functional cryptocurrency released to the public by Poramin Insom, as the Zcoin.[1] Zerocoin provides anonymity by the introduction of a separate mixing service known as zerocoin that is stored in the bitcoin blockchain. Though originally proposed for use with the bitcoin network, zerocoin could be integrated into any cryptocurrency.



What Is Zerocoin? (SUPER Simple)

Bitcoin transactions are all stored, by design, in a public ledger (the blockchain) that is accessible to everyone. These transactions provide privacy through pseudonymity, in that while each transaction is associated with the public address of the sender and receiver, the names of the owners of these addresses are at no time made known to the bitcoin network. To increase privacy, each person could create as many public addresses as they like, making it difficult to link transactions to the same person. If additional privacy were required, it is possible to launder bitcoin through a trusted third party, where the input coins are mixed in a large pool and output to a new address.

Regardless of the best precautions, by data mining of the blockchain, it becomes possible in certain cases to link a set of public addresses to a specific (unnamed) individual. For example, this could be done by the analysis of spending habits, or by having the change of a transaction from one public address being sent to another. Furthermore, by utilizing information external to the blockchain, such as public bitcoin addresses posted on a web site, or the postal address used with a bitcoin purchase, the possibility exists that every single bitcoin transaction of a given person could be determined.

Zerocoins are purchased with bitcoin in fixed denominations by a zerocoin mint transaction. Later, these zerocoins can be redeemed for bitcoin to a different bitcoin address by a zerocoin spend transaction. Through the use of cryptographic accumulators and digital commitments with zero-knowledge proofs, it is not possible to link the bitcoin address that was used to mint the original zerocoin to the bitcoin address used to redeem the zerocoin.

Zerocoin protocol

The zerocoin[2] extension to bitcoin would have functioned like a money laundering pool, temporarily pooling bitcoins together in exchange for a temporary currency called zerocoins. While the laundering pool is an established concept already utilized by several currency laundering services, zerocoin would have implemented this at the protocol level, eliminating any reliance on trusted third parties. It anonymizes the exchanges to and from the pool using cryptographic principles, and as a proposed extension to the bitcoin protocol, it would have recorded the transactions within bitcoin’s existing blockchain.

The anonymity afforded by zerocoin is the result of cryptographic operations involved with separate zerocoin mint and spend transactions.[2] To mint a zerocoin, a person generates a random serial number S, and encrypts (that is commits) this into a coin C by use of second random number r. In practice, C is a Pedersen Commitment. The coin C is added to a cryptographic accumulator by miners, and at the same time, the amount of bitcoin equal in value to the denomination of the zerocoin is added to a zerocoin escrow pool.

To redeem the zerocoin into bitcoin (preferably to a new public address) the owner of the coin needs to prove two things by way of a zero-knowledge proof. (A zero-knowledge proof is a method by which one party can prove to another that a given statement is true, without conveying any additional information apart from the fact that the statement is indeed true.) The first is that they know a coin C that belongs to the set of all other minted zerocoins (C1, C2,… Cn), without revealing which coin it is. In practice, this is done quickly by use of a one-way accumulator that does not reveal the members of the set. The second is that the person knows a number r, that along with the serial number S corresponds to a zerocoin. The proof and serial number S are posted as a zerocoin spend transaction, where miners verify the proof and that the serial number S has not been spent previously. After verification, the transaction is posted to the blockchain, and the amount of bitcoin equal to the zerocoin denomination is transferred from the zerocoin escrow pool. Anonymity in the transaction is assured because the minted coin C is not linked to the serial number S used to redeem the coin.

The accumulator used for the zero-knowledge proof would have to be re-computed every time a spend transaction is verified, and although this can be done incrementally if the accumulator checkpoint is carried on from earlier blocks to the new block, it would still add some overhead to the verification-process. Additionally, both the accumulator checkpoint and all the zerocoin serial numbers would have to be added to every bitcoin block, thus increasing the size (although not substantially).

Since the verification process for zerocoins is much more computationally heavy than for bitcoins, the verification time for a block would increase up to 6 times depending on the ratio between bitcoins and zerocoins. Preliminary tests done by the developers show that even with the increased verification time and blocks twice the size of current bitcoin blocks, the verification time for an entire block would not exceed five minutes, and since a new bitcoin block is currently created every ten minutes on average, the increased verification time should not be a problem.

Zcoin (XZC)

Zerocoin was first implemented into a fully functional cryptocurrency called Zcoin (XZC), a project that went live on September 28, 2016, 12AM UTC.[3] The project’s testnet software was first released to the public on December 18, 2015 under the name Moneta (not Moneta Verde (MCN)) before it was dubbed to Zcoin.[4]. Roger Ver was one of Zcoin’s initial investors same as Zcash.

Private Instant Verified Transaction (PIVX)

PIVX is the first Proof-of-stake cryptocurrency that has implemented the Zerocoin protocol. Zerocoin went live on PIVX on October 16th, 2017. The Zerocoin PIVX tokens are known as zPiv.

SmartCash (SMART)

SmartCash (SMART) is a Keccak SHA-3 algorithm, mineable coin that uses Zero-knowledge proofs from the zerocoin extension.

ZeroVert (ZER)

ZeroVert (ZER)[5] is a Scrypt-N algorithm coin, merge-mineable on the VTC chain with a total circulation of 8.4 million ZER.


A faster implementation of zero knowledge proofs using zk-SNARKs was created for a new cryptocurrency called CredaCash. CredaCash requires only about 3 seconds and 85 KB of memory to create a transaction proof. Similar to Zerocash, CredaCash is an alt-coin with its own blockchain and transaction protocol. The CredaCash developer hope they can offer CredaCash to the market in 2016.[6]


One criticism of zerocoin is the added computation time required by the process, which would need to have been performed primarily by bitcoin miners. If the proofs were posted to the blockchain, this would also dramatically increase the size of the blockchain. Nevertheless, as stated by the original author, the proofs could be stored outside of the blockchain. To counter criticisms that the anonymity offered by zerocoin would facilitate illegal activity, it has been suggested that a backdoor, or other features, could be added to the zerocoin protocol to allow police to track money laundering, but this was not advocated in the original paper.

Since a zerocoin will have the same denomination as the bitcoin used to mint the zerocoin, anonymity would be compromised if no other zerocoins (or few zerocoins) with the same denomination are currently minted but unspent. A potential solution to this problem would be to only allow zerocoins of specific set denominations, however this would increase the needed computation time since multiple zerocoins could be needed for one transaction.

Depending on the specific implementation, the zerocoin protocol would rely on one or more trusted parties to generate two large prime numbers, p and q, so n = p q. Since n has to be hard to factor, p and q must be unknown to normal users for zerocoin to be secure. The protocol could rely on RSA unfactorable objects to avoid having to have a trusted party for the setup process. Such a setup, however, is not possible with the new Zerocash protocol.

Extensions of Zerocoin

Recognizing that Bitcoin was unlikely to be implement Zerocoin, the authors of Zerocoin expressed hope that other cryptocurrencies would incorporate Zerocoin anonymity features. Currently, Zerocoin is being implemented in the alternative cryptocurrency Anoncoin.[7]

See Also on BitcoinWiki

External links


  1. Zcoin (XZC) Private financial transactions enabled by the Zerocoin Protocol – Zcoin
  2. 2.02.1 PDF Zerocoin: Anonymous Distributed E-Cash from Bitcoin
  3. Zcoin – Private Financial Transactions enabled by the Zerocoin Protocol
  5. Contribute to Zerovert development by creating an account on GitHub
  6. FAQ – CredaCash™
  7. Anoncoin