Paper 2018/612

Burning Zerocoins for Fun and for Profit: A Cryptographic Denial-of-Spending Attack on the Zerocoin Protocol

Tim Ruffing, Sri Aravinda Thyagarajan, Viktoria Ronge, and Dominique Schröder


Zerocoin (Miers et. al, IEEE S&P’13), designed as an extension to Bitcoin and similar cryptocurrencies, was the first anonymous cryptocurrency proposal which supports large anonymity sets. We identify a cryptographic denial-of-spending attack on the original Zerocoin protocol and a second Zerocoin protocol (Groth and Kohlweiss, EUROCRYPT’15), which enables a network attacker to destroy money of honest users. The attack leads to real-world vulnerabilities in multiple cryptocurrencies, which rely on implementations of the original Zerocoin protocol. The existence of the attack does not contradict the formal security analyses of the two Zerocoin protocols but exposes the lack of an important missing property in the security model of Zerocoin. While the security definitions model that the attacker should not be able to create money out of thin air or steal money from honest users, it does not model that the attacker cannot destroy money of honest users. Fortunately, there are simple fixes for the security model and for both protocols.

Available format(s)
Publication info
Published elsewhere. 2018 Crypto Valley Conference on Blockchain Technology (CVCBT 2018)
Contact author(s)
tim ruffing @ mmci uni-saarland de
2018-06-22: received
Short URL
Creative Commons Attribution


      author = {Tim Ruffing and Sri Aravinda Thyagarajan and Viktoria Ronge and Dominique Schröder},
      title = {Burning Zerocoins for Fun and for Profit: A Cryptographic Denial-of-Spending Attack on the Zerocoin Protocol},
      howpublished = {Cryptology ePrint Archive, Paper 2018/612},
      year = {2018},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.