Paper 2018/612
Burning Zerocoins for Fun and for Profit: A Cryptographic Denial-of-Spending Attack on the Zerocoin Protocol
Tim Ruffing, Sri Aravinda Thyagarajan, Viktoria Ronge, and Dominique Schröder
Abstract
Zerocoin (Miers et. al, IEEE S&P’13), designed as an extension to Bitcoin and similar cryptocurrencies, was the first anonymous cryptocurrency proposal which supports large anonymity sets. We identify a cryptographic denial-of-spending attack on the original Zerocoin protocol and a second Zerocoin protocol (Groth and Kohlweiss, EUROCRYPT’15), which enables a network attacker to destroy money of honest users. The attack leads to real-world vulnerabilities in multiple cryptocurrencies, which rely on implementations of the original Zerocoin protocol. The existence of the attack does not contradict the formal security analyses of the two Zerocoin protocols but exposes the lack of an important missing property in the security model of Zerocoin. While the security definitions model that the attacker should not be able to create money out of thin air or steal money from honest users, it does not model that the attacker cannot destroy money of honest users. Fortunately, there are simple fixes for the security model and for both protocols.
Metadata
- Available format(s)
- Category
- Applications
- Publication info
- Published elsewhere. 2018 Crypto Valley Conference on Blockchain Technology (CVCBT 2018)
- Keywords
- cryptocurrenciesZerocoinattack
- Contact author(s)
- tim ruffing @ mmci uni-saarland de
- History
- 2018-06-22: received
- Short URL
- https://ia.cr/2018/612
- License
-
CC BY
BibTeX
@misc{cryptoeprint:2018/612, author = {Tim Ruffing and Sri Aravinda Thyagarajan and Viktoria Ronge and Dominique Schröder}, title = {Burning Zerocoins for Fun and for Profit: A Cryptographic Denial-of-Spending Attack on the Zerocoin Protocol}, howpublished = {Cryptology {ePrint} Archive, Paper 2018/612}, year = {2018}, url = {https://eprint.iacr.org/2018/612} }