Zerocoin Vulnerabilities Disclosed: “Forged Coins Created, but Not Exceeding 1% of Circulating Supply”
On Tuesday, April 9th, 2019, the Zcoin team supposedly discovered irregularities in relation to the number of Zerocoin spends.
To ensure further problems do not arise, the team decided it would be best to reach out to pools to inactivate Zerocoin spends – leading to a vigorous investigation. Said inactivation simply implies that created coins cannot be spent until notified.
Zcoin Team’s efforts did not simply stop on April 9, as they continued to dig into the matters to see what might have gone wrong. A group including, Veil, PIVX, Navcoin and NIX, was created in an attempt to find the root of the cause.
It was not until Friday, April 19th, 2019, that evidence of the cause was found. In particular, it was shared that:
“Core Developer, Peter Shugalev found the root cause […] and confirmed it was a failure in the Cryptography of the Zerocoin protocol and that it affected all Zerocoin implementations. We have disclosed the part of the Zerocoin proof that was flawed in to above-mentioned teams and how the forgery worked on a high level.”
The most recent update comes in, just days ago (April 24), and the team released an “emergency update 13.7.9,” which is deemed a mandatory security update. This will disable Zerocoin until Sigma has been implemented.
Given this current issue, the team has also shared some of the vulnerabilities with the community. Here’s what the list includes.
- Creation of forged coins, equivalent to less than 1% of circulating supply
- Main issue: cryptographic flaw in Zerocoin’s protocol proof
- While issue can be resolved, team believes it best to move away from Zerocoin and focus on Sigma – which was part of their roadmap
Overview of Sigma
The team involved is introducing Sigma, which will be replacing Zerocoin, in an attempt to better three areas of the latter. In particular, said areas include the removal of trusted set up, reducing proof size from 25kB to 1.5kB and enhancing security.
Problem #1: Trusted Setup
As explained by the Zcoin team:
“In a trusted setup, some secret (public) parameters are generated based on a ‘master private key.’ These network parameters are needed to create the so called, ‘zero-knowledge proofs”, which is the anonymizing technology that we use. The ‘master private key’ […] needs to be destroyed. If this is not destroyed, someone who has access to this key is able to generate infinite amounts of anonymous coins.”
Sigma, which was derived from an academic paper dubbed, “One-Out-of-Many Proofs: Or How to Leak a Secret and Spend a Coin,” by Jens Groth and Markulf Kohlweiss, supposedly entails the use of Pedersen commitments and others that carry a cryptographic construction without a trusted setup.
Problem #2: Too large of a Proof Size
The team reasoned that reducing proof size will allow for an inexpensive mean to store data on blockchain, while being able to house more private send transactions in a block.
As for how this will be implemented in Sigma, the team retorted to another paper, “Short Accountable Ring Signatures Based on DDH,” which they claim has since been effective in helping to reduce proof size.
Problem #3: Need for Security
Finally, when it comes to the security aspects, Sigma will be using 256-bit ECC curves, which is said to be equivalent to roughly 3072-bit RSA. This, again, is an improvement from Zerocoin’s current security level of 2048-bit RSA.