Cryptology ePrint Archive: Report 2018/612

Burning Zerocoins for Fun and for Profit: A Cryptographic Denial-of-Spending Attack on the Zerocoin Protocol

Tim Ruffing and Sri Aravinda Thyagarajan and Viktoria Ronge and Dominique Schröder

Abstract: Zerocoin (Miers et. al, IEEE S&P’13), designed as an extension to Bitcoin and similar cryptocurrencies, was the first anonymous cryptocurrency proposal which supports large anonymity sets. We identify a cryptographic denial-of-spending attack on the original Zerocoin protocol and a second Zerocoin protocol (Groth and Kohlweiss, EUROCRYPT’15), which enables a network attacker to destroy money of honest users. The attack leads to real-world vulnerabilities in multiple cryptocurrencies, which rely on implementations of the original Zerocoin protocol.

The existence of the attack does not contradict the formal security analyses of the two Zerocoin protocols but exposes the lack of an important missing property in the security model of Zerocoin. While the security definitions model that the attacker should not be able to create money out of thin air or steal money from honest users, it does not model that the attacker cannot destroy money of honest users. Fortunately, there are simple fixes for the security model and for both protocols.

Category / Keywords: applications / cryptocurrencies, Zerocoin, attack

Original Publication (in the same form): 2018 Crypto Valley Conference on Blockchain Technology (CVCBT 2018)

Date: received 16 Jun 2018

Contact author: tim ruffing at mmci uni-saarland de

Available format(s): PDF | BibTeX Citation

Version: 20180622:144605 (All versions of this report)

Short URL: ia.cr/2018/612


[ Cryptology ePrint archive ]