Cryptology ePrint Archive: Report 2014/349

Zerocash: Decentralized Anonymous Payments from Bitcoin

Eli Ben-Sasson and Alessandro Chiesa and Christina Garman and Matthew Green and Ian Miers and Eran Tromer and Madars Virza

Abstract: Bitcoin is the first digital currency to see widespread adoption. While payments are conducted between pseudonyms, Bitcoin cannot offer strong privacy guarantees: payment transactions are recorded in a public decentralized ledger, from which much information can be deduced. Zerocoin (Miers et al., IEEE S&P 2013) tackles some of these privacy issues by unlinking transactions from the payment's origin. Yet, it still reveals payments' destinations and amounts, and is limited in functionality.

In this paper, we construct a full-fledged ledger-based digital currency with strong privacy guarantees. Our results leverage recent advances in zero-knowledge Succinct Non-interactive ARguments of Knowledge (zk-SNARKs).

First, we formulate and construct decentralized anonymous payment schemes (DAP schemes). A DAP scheme enables users to directly pay each other privately: the corresponding transaction hides the payment's origin, destination, and transferred amount. We provide formal definitions and proofs of the construction's security.

Second, we build Zerocash, a practical instantiation of our DAP scheme construction. In Zerocash, transactions are less than 1 kB and take under 6 ms to verify --- orders of magnitude more efficient than the less-anonymous Zerocoin and competitive with plain Bitcoin.

Category / Keywords: cryptographic protocols / Bitcoin, decentralized electronic cash, zero-knowledge proofs

Original Publication (with major differences): 2014 IEEE Symposium on Security and Privacy

Date: received 19 May 2014

Contact author: alexch at mit edu

Available format(s): PDF | BibTeX Citation

Note: See for more information.

Version: 20140519:163647 (All versions of this report)

Short URL:

[ Cryptology ePrint archive ]