Zerocash: Decentralized Anonymous Payments from Bitcoin
Eli Ben-Sasson, Alessandro Chiesa
Technion, MIT, Johns Hopkins University, Tel Aviv University

Abstract. Bitcoin is the first digital currency to see widespread adoption. While payments are conducted between pseudo

2014 IEEE Symposium on Security and Privacy. © 2014, Eli Ben-Sasson. Under license to IEEE. DOI 10.1109/SP.2014.36

through the network, verified by every node, and permanently stored in the ledger. The entailed costs are higher, by orders of magnitude, than those in Bitcoin and can seriously tax a Bitcoin network operating at normal scale.

The second reason is functionality. While Zerocoin constitutes a basic e-cash scheme, it lacks critical features required of full-fledged anonymous payments. First, Zerocoin uses coins of fixed denomination: it does not support payments of exact values, nor does it provide a means to make change following a transaction (i.e., divide coins). Second, Zerocoin has no mechanism for one user to pay another one directly in "zerocoins." And third, while Zerocoin provides anonymity by unlinking a payment transaction from its origin address, it does not hide the amount or other metadata about transactions occurring on the network.

Our contribution. In this work we address the aforementioned issues via two main contributions.

(1) We introduce the notion of a decentralized anonymous payment scheme, which formally captures the functionality and security guarantees of a full-fledged decentralized electronic currency with strong anonymity guarantees. We provide a construction of this primitive and prove its security under specific cryptographic assumptions. The construction leverages recent advances in the area of zero-knowledge proofs. Specifically, it uses zero-knowledge Succinct Non-interactive ARguments of Knowledge (zk-SNARKs) [9, 10, 11, 12, 13, 14, 15, 16].

(2) We achieve an implementation of the above primitive, via a system that we call Zerocash. Compared to Zerocoin, our system (at 128 bits of security):
• Reduces the size of transactions spending a coin by 97.7%.
• Reduces the spend-transaction verification time by 98.6%.
• Allows for anonymous transactions of variable amounts.
• Hides transaction amounts and the values of coins held by users.
• Allows for payments to be made directly to a user's fixed address (without user interaction).
To validate our system, we measured its performance and established feasibility by conducting experiments in a test network of 1000 nodes (approximately 1/16 of the unique IPs in the Bitcoin network and 1/3 of the nodes reachable at any given time [17]). This inspires confidence that Zerocash can be deployed as a fork of Bitcoin and operate at the same scale. Thus, due to its significantly improved functionality and performance, Zerocash makes it possible to entirely replace traditional Bitcoin payments with anonymous alternatives.

Concurrent work. The idea of using zk-SNARKs in the setting of Bitcoin was first presented by one of the authors at Bitcoin 2013 [18]. In concurrent work, Danezis et al. [19] suggest using zk-SNARKs to reduce proof size and verification time in Zerocoin; see Section IX for a comparison.

A. zk-SNARKs

We now sketch in more technical terms the definition of a zk-SNARK; see Section II for more details. A zk-SNARK is a non-interactive zero-knowledge proof of knowledge that is succinct, i.e., for which proofs are very short and easy to verify. More precisely, let L be an NP language, and let C be a nondeterministic decision circuit for L on a given instance size n. A zk-SNARK can be used to prove and verify membership in L, for instances of size n, as follows. After taking C as input, a trusted party conducts a one-time setup phase that results in two public keys: a proving key pk and a verification key vk. The proving key pk enables any (untrusted) prover to produce a proof π attesting to the fact that x ∈ L, for an instance x (of size n) of his choice. The non-interactive proof π is zero knowledge and a proof of knowledge. Anyone can use the verification key vk to verify the proof π; in particular zk-SNARK proofs are publicly verifiable: anyone can verify π, without ever having to interact with the prover that generated π. Succinctness requires that (for a given security level) π has constant size and can be verified in time that is linear in |x| (rather than linear in |C|).
B. Decentralized anonymous payment schemes

We construct a decentralized anonymous payment (DAP) scheme, which is a decentralized e-cash scheme that allows direct anonymous payments of any amount. See Section III for a formal definition. Here, we outline our construction in six incremental steps; the construction details are in Section IV.

Our construction functions on top of any ledger-based base currency, such as Bitcoin. At any given time, a unique valid snapshot of the currency's ledger is available to all users. The ledger is a sequence of transactions and is append-only. Transactions include both the underlying currency's transactions, as well as new transactions introduced by our construction. For concreteness, we focus the discussion below on Bitcoin (though later definitions and constructions are stated abstractly). We assume familiarity with Bitcoin [20] and Zerocoin [8].

Step 1: user anonymity with fixed-value coins. We first describe a simplified construction, in which all coins have the same value of, e.g., 1 BTC. This construction, similar to the Zerocoin protocol, shows how to hide a payment's origin. In terms of tools, we make use of zk-SNARKs (recalled above) and a commitment scheme. Let COMM denote a statistically-hiding non-interactive commitment scheme (i.e., given randomness r and message m, the commitment is c := COMM_r(m); subsequently, c is opened by revealing r and m, and one can verify that COMM_r(m) equals c).

In the simplified construction, a new coin c is minted as follows: a user u samples a random serial number sn and a trapdoor r, computes a coin commitment cm := COMM_r(sn), and sets c := (r, sn, cm). A corresponding mint transaction tx_Mint, containing cm (but not sn or r), is sent to the ledger; tx_Mint is appended to the ledger only if u has paid 1 BTC to a backing escrow pool (e.g., the 1 BTC may be paid via plaintext information encoded in tx_Mint). Mint transactions are thus certificates of deposit, deriving their value from the backing pool.
Subsequently, letting CMList denote the list of all coin commitments on the ledger, u may spend c by posting a spend transaction tx_Spend that contains (i) the coin's serial number sn; and (ii) a zk-SNARK proof π of the NP statement "I know r such that COMM_r(sn) appears in the list CMList of coin commitments". Assuming that sn does not already appear on the ledger (as part of a past spend transaction), u can redeem the deposited amount of 1 BTC, which u can either keep for himself, transfer to someone else, or immediately deposit into a new coin. (If sn does already appear on the ledger, this is considered double spending, and the transaction is discarded.)

User anonymity is achieved because the proof π is zero-knowledge: while sn is revealed, no information about r is, and finding which of the numerous commitments in CMList corresponds to a particular spend transaction tx_Spend is equivalent to inverting f(x) := COMM_x(sn), which is assumed to be infeasible. Thus, the origin of the payment is anonymous.

Step 2: compressing the list of coin commitments. In the above NP statement, CMList is specified explicitly as a list of coin commitments. This naive representation severely limits scalability because the time and space complexity of most protocol algorithms (e.g., the proof verification algorithm) grows linearly with CMList. Moreover, coin commitments corresponding to already spent coins cannot be dropped from CMList to reduce costs, since they cannot be identified (due to the same zero-knowledge property that provides anonymity).
As in [3], we rely on a collision-resistant hash function CRH to avoid an explicit representation of CMList. We maintain an efficiently updatable append-only CRH-based Merkle tree Tree(CMList) over the (growing) list CMList. Letting rt denote the root of Tree(CMList), it is well-known that updating rt to account for insertion of new leaves can be done with time and space proportional to the tree depth. Hence, the time and space complexity is reduced from linear in the size of CMList to logarithmic. With this in mind, we modify the NP statement to the following one: "I know r such that COMM_r(sn) appears as a leaf in a CRH-based Merkle tree whose root is rt". Compared with the naive data structure for CMList, this modification increases exponentially the size of CMList which a given zk-SNARK implementation can support (concretely, using trees of depth 64, Zerocash supports 2^64 coins).

Step 3: extending coins for direct anonymous payments. So far, the coin commitment cm of a coin c is a commitment to the coin's serial number sn. However, this creates a problem when transferring c to another user. Indeed, suppose that a user u_A created c, and u_A sends c to another user u_B. First, since u_A knows sn, the spending of c by u_B is both not anonymous (since u_A sees when c is spent, by recognizing sn) and risky (since u_A could still spend c first). Thus, u_B must immediately spend c and mint a new coin c' to protect himself. Second, if u_A in fact wants to transfer to u_B, e.g., 100 BTC, then doing so is both unwieldy (since it requires 100 transfers) and not anonymous (since the amount of the transfer is leaked). And third, transfers in amounts that are not multiples of 1 BTC (the fixed value of a coin) are not supported. Thus, the simplified construction described is inadequate as a payment scheme.

We address this by modifying the derivation of a coin commitment, and using pseudorandom functions to target payments and to derive serial numbers, as follows. We use three pseudorandom functions (derived from a single one). For a seed x these are denoted PRF^addr_x(·), PRF^sn_x(·), and PRF^pk_x(·). We assume that PRF^sn is moreover collision-resistant.
To provide targets for payments, we use addresses: each user u generates an address key pair (a_pk, a_sk). The coins of u contain the value a_pk and can be spent only with knowledge of a_sk. A key pair (a_pk, a_sk) is sampled by selecting a random seed a_sk and setting a_pk := PRF^addr_{a_sk}(0). A user can generate and use any number of address key pairs.

Next, we re-design minting to allow for greater functionality. To mint a coin c of a desired value v, the user u first samples ρ, which is a secret value that determines the coin's serial number as sn := PRF^sn_{a_sk}(ρ). Then, u commits to the tuple (a_pk, v, ρ) in two phases: (a) u computes k := COMM_r(a_pk ‖ ρ) for a random r; and then (b) u computes cm := COMM_s(v ‖ k) for a random s. The minting results in a coin c := (a_pk, v, ρ, r, s, cm) and a mint transaction tx_Mint := (v, k, s, cm). Crucially, due to the nested commitment, anyone can verify that cm in tx_Mint is a coin commitment of a coin of value v (by checking that COMM_s(v ‖ k) equals cm) but cannot discern the owner (by learning the address key a_pk) or serial number (derived from ρ) because these are hidden in k. As before, tx_Mint is accepted by the ledger only if u deposits the correct amount, in this case v BTC.

Coins are spent using the pour operation, which takes a set of input coins, to be consumed, and "pours" their value into a set of fresh output coins, such that the total value of output coins equals the total value of the input coins. Suppose that u, with address key pair (a^old_pk, a^old_sk), wishes to consume his coin c^old = (a^old_pk, v^old, ρ^old, r^old, s^old, cm^old) and produce two new coins c^new_1 and c^new_2, with total value v^new_1 + v^new_2 = v^old, respectively targeted at address public keys a^new_pk,1 and a^new_pk,2. (The addresses a^new_pk,1 and a^new_pk,2 may belong to u or to some other user.) The user u, for each i ∈ {1, 2}, proceeds as follows: (i) u samples serial number randomness ρ^new_i; (ii) u computes k^new_i := COMM_{r^new_i}(a^new_pk,i ‖ ρ^new_i) for a random r^new_i; and (iii) u computes cm^new_i := COMM_{s^new_i}(v^new_i ‖ k^new_i) for a random s^new_i.
This yields the coins c^new_1 := (a^new_pk,1, v^new_1, ρ^new_1, r^new_1, s^new_1, cm^new_1) and c^new_2 := (a^new_pk,2, v^new_2, ρ^new_2, r^new_2, s^new_2, cm^new_2).

Next, u produces a zk-SNARK proof π_POUR for the following NP statement, which we call POUR:

"Given the Merkle-tree root rt, serial number sn^old, and coin commitments cm^new_1, cm^new_2, I know coins c^old, c^new_1, c^new_2, and address secret key a^old_sk such that:
• The coins are well-formed: for c^old it holds that k^old = COMM_{r^old}(a^old_pk ‖ ρ^old) and cm^old = COMM_{s^old}(v^old ‖ k^old); and similarly for c^new_1 and c^new_2.
• The address secret key matches the public key: a^old_pk = PRF^addr_{a^old_sk}(0).
• The serial number is computed correctly: sn^old := PRF^sn_{a^old_sk}(ρ^old).
• The coin commitment cm^old appears as a leaf of a Merkle-tree with root rt.
• The values add up: v^new_1 + v^new_2 = v^old."

A resulting pour transaction tx_Pour := (rt, sn^old, cm^new_1, cm^new_2, π_POUR) is appended to the ledger. (As before, the transaction is rejected if the serial number sn appears in a previous transaction.)

Now suppose that u does not know, say, the address secret key a^new_sk,1 that is associated with the public key a^new_pk,1. Then, u cannot spend c^new_1 because he cannot provide a^new_sk,1 as part of the witness of a subsequent pour operation. Furthermore, when a user that knows a^new_sk,1 does spend c^new_1, the user u cannot track it, because he knows no information about its revealed serial number, which is sn^new_1 := PRF^sn_{a^new_sk,1}(ρ^new_1).

Also observe that tx_Pour reveals no information about how the value of the consumed coin was divided among the two new fresh coins, nor which coin commitment corresponds to the consumed coin, nor the address public keys to which the two new fresh coins are targeted. The payment was conducted in full anonymity.
More generally, a user may pour N^old ≥ 0 coins into N^new ≥ 0 coins. For simplicity we consider the case N^old = N^new = 2, without loss of generality. Indeed, for N^old < 2, the user can mint a coin with value 0 and then provide it as a "null" input, and for N^new < 2, the user can create (and discard) a new coin with value 0. For N^old > 2 or N^new > 2, the user can compose log N^old + log N^new of the 2-input/2-output pours.

Step 4: sending coins. Suppose that a^new_pk,1 is the address public key of u_1. In order to allow u_1 to actually spend the new coin c^new_1 produced above, u must somehow send the secret values in c^new_1 to u_1. One way is for u to send u_1 a private message, but the requisite private communication channel necessitates additional infrastructure or assumptions. We avoid this "out-of-band" channel and instead build this capability directly into our construction by leveraging the ledger as follows.

We modify the structure of an address key pair. Each user now has a key pair (addr_pk, addr_sk), where addr_pk = (a_pk, pk_enc) and addr_sk = (a_sk, sk_enc). The values (a_pk, a_sk) are generated as before. In addition, (pk_enc, sk_enc) is a key pair for a key-private encryption scheme [21].

Then, u computes the ciphertext C_1 that is the encryption of the plaintext (v^new_1, ρ^new_1, r^new_1, s^new_1), under pk^new_enc,1 (which is part of u_1's address public key addr^new_pk,1), and includes C_1 in the pour transaction tx_Pour. The user u_1 can then find and decrypt this message (using his sk^new_enc,1) by scanning the pour transactions on the public ledger. Again, note that adding C_1 to tx_Pour leaks neither paid amounts, nor target addresses, due to the key-private property of the encryption scheme. (The user u does the same with c^new_2 and includes a corresponding ciphertext C_2 in tx_Pour.)

Step 5: public outputs.
The construction so far allows users to mint, merge, and split coins. But how can a user redeem one of his coins, i.e., convert it back to the base currency (Bitcoin)? For this, we modify the pour operation to include a public output. When spending a coin, the user u also specifies a nonnegative v_pub and an arbitrary string info. The balance equation in the NP statement POUR is changed accordingly: "v^new_1 + v^new_2 + v_pub = v^old". Thus, of the input value v^old, a part v_pub is publicly declared, and its target is specified, somehow, by the string info. The string info can be used to specify the destination of these redeemed funds (e.g., a Bitcoin wallet public key).⁴ Both v_pub and info are now included in the resulting pour transaction tx_Pour. (The public output is optional, as the user u can set v_pub = 0.)

Step 6: non-malleability. To prevent malleability attacks on a pour transaction tx_Pour (e.g., embezzlement by re-targeting the public output of the pour by modifying info), we further modify the NP statement POUR and use digital signatures. Specifically, during the pour operation, the user u (i) samples a key pair (pk_sig, sk_sig) for a one-time signature scheme; (ii) computes h_Sig := CRH(pk_sig); (iii) computes the two values h_1 := PRF^pk_{a^old_sk,1}(h_Sig) and h_2 := PRF^pk_{a^old_sk,2}(h_Sig), which act as MACs to "tie" h_Sig to both address secret keys; (iv) modifies POUR to include the three values h_Sig, h_1, h_2 and prove that the latter two are computed correctly; and (v) uses sk_sig to sign every value associated with the pour operation, thus obtaining a signature σ, which is included, along with pk_sig, in tx_Pour. Since the a^old_sk,i are secret, and with high probability h_Sig changes for each pour transaction, the values h_1, h_2 are unpredictable. Moreover, the signature on the NP statement (and other values) binds all of these together.

This ends the outline of the construction, which is summarized in part in Figure 1. We conclude by noting that, due to the zk-SNARK, our construction requires a one-time trusted setup of public parameters. The trust affects soundness of the proofs, though anonymity continues to hold even if the setup is corrupted by a malicious party.
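The six-step outline above, together with the Mint, Pour and VerifyTransaction algorithms of Section III, as an added Python illustration; this is not the paper's or Zerocash's code. It instantiates COMM, the PRFs and CRH with SHA-256 as Section I-C describes, keeps CMList in a fixed-depth Merkle tree with all past roots and SNList, and checks the POUR statement directly on the witness: the one thing it does not reproduce is the zk-SNARK, so check_pour stands in for the circuit C_POUR and sees values a real verifier never would. Step 4's key-private encryption and Step 6's one-time signature are omitted; DEPTH, V_MAX, the domain-separation tags and the 8-byte value encoding are constructed choices.

```python
import hashlib
import os
from collections import namedtuple

DEPTH, V_MAX, ZERO_LEAF = 8, 2**32 - 1, b"\x00" * 32  # constructed; Zerocash uses depth 64
Coin = namedtuple("Coin", "a_pk v rho r s cm")           # c := (a_pk, v, rho, r, s, cm)

def H(*parts):        # CRH: SHA-256 of the concatenation
    return hashlib.sha256(b"".join(parts)).digest()
def COMM(r, m):       # COMM_r(m), modelled as domain-separated SHA-256
    return H(b"COMM", r, m)
def PRF(x, tag, m):   # PRF^addr / PRF^sn / PRF^pk derived from one PRF via a tag
    return H(b"PRF", tag, x, m)

def create_address():  # a_sk is a random seed, a_pk := PRF^addr_{a_sk}(0)
    a_sk = os.urandom(32)
    return PRF(a_sk, b"addr", b"\x00"), a_sk

def coin_commitment(a_pk, v, rho, r, s):  # k := COMM_r(a_pk || rho), cm := COMM_s(v || k)
    k = COMM(r, a_pk + rho)
    return k, COMM(s, v.to_bytes(8, "big") + k)

def new_coin(a_pk, v):
    rho, r, s = os.urandom(32), os.urandom(32), os.urandom(32)
    return Coin(a_pk, v, rho, r, s, coin_commitment(a_pk, v, rho, r, s)[1])

def mint(a_pk, v):  # tx_Mint := (v, k, s, cm): v is public, a_pk and rho stay hidden inside k
    assert 0 <= v <= V_MAX
    c = new_coin(a_pk, v)
    return c, {"v": v, "k": COMM(c.r, c.a_pk + c.rho), "s": c.s, "cm": c.cm}

def verify_mint(tx):  # anyone can check that cm commits to value v without learning the owner
    return 0 <= tx["v"] <= V_MAX and COMM(tx["s"], tx["v"].to_bytes(8, "big") + tx["k"]) == tx["cm"]

def merkle_layers(leaves):  # bottom-up layers of a fixed-depth CRH-based tree over CMList
    layer = leaves + [ZERO_LEAF] * (2**DEPTH - len(leaves))
    layers = [layer]
    while len(layer) > 1:
        layer = [H(layer[i], layer[i + 1]) for i in range(0, len(layer), 2)]
        layers.append(layer)
    return layers

def merkle_path(leaves, idx):  # authentication path: (sibling, sibling_is_right) per level
    path = []
    for layer in merkle_layers(leaves)[:-1]:
        path.append((layer[idx ^ 1], idx % 2 == 0))
        idx //= 2
    return path

def verify_path(rt, leaf, path):
    for sib, sib_right in path:
        leaf = H(leaf, sib) if sib_right else H(sib, leaf)
    return leaf == rt

class Ledger:  # L_T: CMList as tree leaves, every past root rt_T', and SNList
    def __init__(self):
        self.cmlist, self.roots, self.snlist = [], set(), set()
    def append(self, cms):  # returns the leaf index of the first appended commitment
        first = len(self.cmlist)
        self.cmlist += cms
        self.roots.add(merkle_layers(self.cmlist)[-1][0])
        return first
    def add_mint(self, tx):
        assert verify_mint(tx)
        return self.append([tx["cm"]])
    def add_pour(self, tx, witness):
        assert verify_pour(self, tx, witness)
        self.snlist.add(tx["sn_old"])
        return self.append(tx["cm_new"])

def pour(ledger, c_old, a_sk_old, idx_old, v_new, a_pk_new, v_pub):
    """Consume c_old (leaf idx_old) into fresh coins plus v_pub; returns coins, tx_Pour, witness."""
    coins = [new_coin(a_pk, v) for v, a_pk in zip(v_new, a_pk_new)]
    tx = {"rt": merkle_layers(ledger.cmlist)[-1][0], "sn_old": PRF(a_sk_old, b"sn", c_old.rho),
          "cm_new": [c.cm for c in coins], "v_pub": v_pub}
    witness = {"c_old": c_old, "a_sk": a_sk_old,
               "path": merkle_path(ledger.cmlist, idx_old), "c_new": coins}
    return coins, tx, witness

def check_pour(tx, w):
    """The POUR NP statement, checked here on the witness in the clear. In Zerocash the
    verifier runs Verify(vk, tx, pi_POUR) instead and never sees c_old, a_sk or the path."""
    c = w["c_old"]
    return (all(coin_commitment(*x[:5])[1] == x.cm for x in [c, *w["c_new"]])  # well-formed
            and c.a_pk == PRF(w["a_sk"], b"addr", b"\x00")                     # a_sk matches a_pk
            and tx["sn_old"] == PRF(w["a_sk"], b"sn", c.rho)                   # sn_old correct
            and verify_path(tx["rt"], c.cm, w["path"])                         # cm_old under rt
            and all(0 <= x.v <= V_MAX for x in w["c_new"]) and tx["v_pub"] >= 0
            and sum(x.v for x in w["c_new"]) + tx["v_pub"] == c.v)             # values add up

def verify_pour(ledger, tx, w):  # VerifyTransaction: rt is a past root, no double spend, POUR holds
    return tx["rt"] in ledger.roots and tx["sn_old"] not in ledger.snlist and check_pour(tx, w)

def demo():  # mint 10, pour into 6 + 3 with v_pub = 1; then replay it and tamper with v_pub
    (a_pk_1, a_sk_1), (a_pk_2, _), ledger = create_address(), create_address(), Ledger()
    coin, tx_mint = mint(a_pk_1, 10)
    idx = ledger.add_mint(tx_mint)
    _, tx_pour, w = pour(ledger, coin, a_sk_1, idx, [6, 3], [a_pk_2, a_pk_1], 1)
    accepted = verify_pour(ledger, tx_pour, w)
    ledger.add_pour(tx_pour, w)
    replay = verify_pour(ledger, tx_pour, w)            # same sn_old again: rejected
    tampered = check_pour({**tx_pour, "v_pub": 2}, w)   # balance equation broken: rejected
    return accepted, replay, tampered                    # (True, False, False)
```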
C. Zerocash

We outline Zerocash, a concrete implementation, at 128 bits of security, of our DAP scheme construction; see Section V for details. Zerocash entails carefully instantiating the cryptographic ingredients of the construction to ensure that the zk-SNARK, the "heaviest" component, is efficient enough in practice. In the construction, the zk-SNARK is used to prove/verify a specific NP statement: POUR. While zk-SNARKs are asymptotically efficient, their concrete efficiency depends on the arithmetic circuit C that is used to decide the NP statement. Thus, we seek instantiations for which we can design a relatively-small arithmetic circuit C_POUR for verifying the NP statement POUR.

Our approach is to instantiate all of the necessary cryptographic ingredients (commitment schemes, pseudorandom functions, and collision-resistant hashing) based on SHA256. We first design a hand-optimized circuit for verifying SHA256 computations (or, more precisely, its compression function, which suffices for our purposes).⁵ Then, we use this circuit in constructing C_POUR, which verifies all the necessary checks for satisfying the NP statement POUR.

Fig. 1: (a) Illustration of the CRH-based Merkle tree over the list CMList of coin commitments. (b) A coin c. (c) Illustration of the structure of a coin commitment cm. (d) Illustration of the structure of a coin serial number sn.

⁴ These public outputs can be considered as an "input" to a Bitcoin-style transaction, where the info string contains the Bitcoin output scripts. This mechanism also allows us to support Bitcoin's public transaction fees.

This, along with judicious parameter choices, and a state-of-the-art implementation of a zk-SNARK for arithmetic circuits [16] (see Section II-C), results in a zk-SNARK prover running time of few minutes and zk-SNARK verifier running time of few milliseconds. This allows the DAP scheme implementation to be practical for deployment, as our experiments show.

Zerocash can be integrated into Bitcoin or forks of it (commonly referred to as "altcoins"); we later describe how this is done.

D. Paper organization

The remainder of this paper is organized as follows.
Section II provides background on zk-SNARKs. We define DAP schemes in Section III, and our construction thereof in Section IV. Section V discusses the concrete instantiation in Zerocash. Section VI describes the integration of Zerocash into existing ledger-based currencies. Section VII provides microbenchmarks for our prototype implementation, as well as results based on full-network simulations. Section VIII describes optimizations. We discuss concurrent work in Section IX and summarize our contributions and future directions in Section X.

II. BACKGROUND ON ZK-SNARKS

The main cryptographic primitive used in this paper is a special kind of Succinct Non-interactive ARgument of Knowledge (SNARK). Concretely, we use a publicly-verifiable preprocessing zero-knowledge SNARK, or zk-SNARK for short. In this section we provide basic background on zk-SNARKs, provide an informal definition, and recall known constructions and implementations.

⁵ Alternatively, we could have opted to rely on the circuit generators [13, 14, 16], which support various classes of C programs, by writing C code expressing the POUR checks. However, as discussed later, these generic approaches are more expensive than our hand-optimized construction.

A. Informal definition

We informally define zk-SNARKs for arithmetic circuit satisfiability. We refer the reader to, e.g., [11] for a formal definition.

For a field F, an F-arithmetic circuit takes inputs that are elements in F, and its gates output elements in F. We naturally associate a circuit with the function it computes. To model nondeterminism we consider circuits that have an input x ∈ F^n and an auxiliary input a ∈ F^h, called a witness. The circuits we consider only have bilinear gates.⁶ Arithmetic circuit satisfiability is defined analogously to the boolean case, as follows.

Definition II.1. The arithmetic circuit satisfiability problem of an F-arithmetic circuit C: F^n × F^h → F^l is captured by the relation R_C = {(x, a) ∈ F^n × F^h : C(x, a) = 0^l}; its language is L_C = {x ∈ F^n : ∃ a ∈ F^h s.t. C(x, a) = 0^l}.
Given a field F, a (publicly-verifiable preprocessing) zk-SNARK for F-arithmetic circuit satisfiability is a triple of polynomial-time algorithms (KeyGen, Prove, Verify):
• KeyGen(1^λ, C) → (pk, vk). On input a security parameter λ (presented in unary) and an F-arithmetic circuit C, the key generator KeyGen probabilistically samples a proving key pk and a verification key vk. Both keys are published as public parameters and can be used, any number of times, to prove/verify membership in L_C.
• Prove(pk, x, a) → π. On input a proving key pk and any (x, a) ∈ R_C, the prover Prove outputs a non-interactive proof π for the statement x ∈ L_C.
• Verify(vk, x, π) → b. On input a verification key vk, an input x, and a proof π, the verifier Verify outputs b = 1 if he is convinced that x ∈ L_C.

⁶ A gate with inputs y_1, …, y_m ∈ F is bilinear if the output is ⟨a⃗, (1, y_1, …, y_m)⟩ · ⟨b⃗, (1, y_1, …, y_m)⟩ for some a⃗, b⃗ ∈ F^{m+1}. These include addition, multiplication, negation, and constant gates.

A zk-SNARK satisfies the following properties.

Completeness. For every security parameter λ, any F-arithmetic circuit C, and any (x, a) ∈ R_C, the honest prover can convince the verifier. Namely, b = 1 with probability 1 − negl(λ) in the following experiment: (pk, vk) ← KeyGen(1^λ, C); π ← Prove(pk, x, a); b ← Verify(vk, x, π).

Succinctness. An honestly-generated proof π has O_λ(1) bits and Verify(vk, x, π) runs in time O_λ(|x|). (Here, O_λ hides a fixed polynomial factor in λ.)

Proof of knowledge (and soundness). If the verifier accepts a proof output by a bounded prover, then the prover "knows" a witness for the given instance. (In particular, soundness holds against bounded provers.) Namely, for every poly(λ)-size adversary A, there is a poly(λ)-size extractor E such that Verify(vk, x, π) = 1 and (x, a) ∉ R_C with probability negl(λ) in the following experiment: (pk, vk) ← KeyGen(1^λ, C); (x, π) ← A(pk, vk); a ← E(pk, vk).

Perfect zero knowledge. An honestly-generated proof is perfect zero knowledge.⁷
Namely, there is a poly(λ)-size simulator Sim such that for all stateful poly(λ)-size distinguishers D the following two probabilities are equal:
• The probability that D(π) = 1 on an honest proof:
$$\Pr\left[\,(x,a)\in R_C \;\wedge\; D(\pi)=1 \;\middle|\; (\mathsf{pk},\mathsf{vk})\leftarrow \mathsf{KeyGen}(C);\ (x,a)\leftarrow D(\mathsf{pk},\mathsf{vk});\ \pi\leftarrow \mathsf{Prove}(\mathsf{pk},x,a)\,\right]$$
• The probability that D(π) = 1 on a simulated proof:
$$\Pr\left[\,(x,a)\in R_C \;\wedge\; D(\pi)=1 \;\middle|\; (\mathsf{pk},\mathsf{vk},\mathsf{trap})\leftarrow \mathsf{Sim}(C);\ (x,a)\leftarrow D(\mathsf{pk},\mathsf{vk});\ \pi\leftarrow \mathsf{Sim}(\mathsf{pk},x,\mathsf{trap})\,\right]$$

B. Known constructions and security

There are many zk-SNARK constructions in the literature [9, 10, 11, 12, 13, 14, 15, 16]. We are interested in zk-SNARKs for arithmetic circuit satisfiability, and the most efficient ones for this language are based on quadratic arithmetic programs [12, 11, 13, 14, 16]; such constructions provide a linear-time KeyGen, quasilinear-time Prove, and linear-time Verify.

Security of zk-SNARKs is based on knowledge-of-exponent assumptions and variants of Diffie–Hellman assumptions in bilinear groups [9, 22, 23]. While knowledge-of-exponent assumptions are fairly strong, there is evidence that such assumptions may be inherent for constructing zk-SNARKs [24, 25].

C. zk-SNARK implementations

There are three published implementations of zk-SNARKs: (i) Parno et al. [13] present an implementation of zk-SNARKs for programs having no data dependencies;⁸ (ii) Ben-Sasson et al. [14] present an implementation of zk-SNARKs for arbitrary programs (with data dependencies); and (iii) Ben-Sasson et al. [16] present an implementation of zk-SNARKs that supports programs that modify their own code (e.g., for runtime code generation); their implementation also reduces costs for programs of larger sizes and allows for universal key pairs.

⁷ While most zk-SNARK descriptions in the literature only mention statistical zero knowledge, all zk-SNARK constructions can be made perfect zero knowledge by allowing for a negligible error probability in completeness.
⁸ They only support programs where array indices are restricted to be known compile-time constants; similarly, loop iteration counts (or at least upper bounds to these) must be known at compile time.
Each of the works above also achieves zk-SNARKs for arithmetic circuit satisfiability as a stepping stone towards their respective higher-level efforts. In this paper we are only interested in a zk-SNARK for arithmetic circuit satisfiability, and we rely on the implementation of [16] for such a zk-SNARK.⁹ The implementation in [16] is itself based on the protocol of Parno et al. [13]. We thus refer the interested reader to [13] for details of the protocol, its intuition, and its proof of security; and to [16] for the implementation and its performance. In terms of concrete parameters, the implementation of [16] provides 128 bits of security, and the field F is of a 256-bit prime order p.

III. DEFINITION OF A DECENTRALIZED ANONYMOUS PAYMENT SCHEME

We introduce the notion of a decentralized anonymous payment scheme (DAP scheme), extending the notion of decentralized e-cash [8]. Later, in Section IV, we provide a construction.

A. Data structures

We begin by describing, and giving intuition about, the data structures used by a DAP scheme. The algorithms that use and produce these data structures are introduced in Section III-B.

Basecoin ledger. Our protocol is applied on top of a ledger-based base currency such as Bitcoin; for generality we refer to this base currency as Basecoin. At any given time T, all users have access to L_T, the ledger at time T, which is a sequence of transactions. The ledger is append-only (i.e., T ≤ T' implies that L_T is a prefix of L_T').¹⁰ The transactions in the ledger include both Basecoin transactions as well as two new transaction types described below.

Public parameters. A list of public parameters pp is available to all users in the system. These are generated by a trusted party at the "start of time" and are used by the system's algorithms.

Addresses. Each user generates at least one address key pair (addr_pk, addr_sk). The public key addr_pk is published and enables others to direct payments to the user. The secret key addr_sk is used to receive payments sent to addr_pk. A user may generate any number of address key pairs.

Coins. A coin is a data object c, to which we associate the following:
• A coin commitment, denoted cm(c): a string that appears on the ledger once c is minted.
• A coin value, denoted v(c): the denomination of c, as measured in basecoins, as an integer between 0 and a maximum value v_max (which is a system parameter).
• A coin serial number, denoted sn(c): a unique string associated with c, used to prevent double spending.
• A coin address, denoted addr_pk(c): an address public key, representing who owns c.
Any other quantities associated with a coin c (e.g., various trapdoors) are implementation details.

New transactions. Besides Basecoin transactions, there are two new types of transactions.
• Mint transactions. A mint transaction tx_Mint is a tuple (cm, v, ∗), where cm is a coin commitment, v is a coin value, and ∗ denotes other (implementation-dependent) information. The transaction tx_Mint records that a coin c with coin commitment cm and value v has been minted.
• Pour transactions. A pour transaction tx_Pour is a tuple (rt, sn^old_1, sn^old_2, cm^new_1, cm^new_2, v_pub, info, ∗), where rt is a root of a Merkle tree, sn^old_1, sn^old_2 are two coin serial numbers, cm^new_1, cm^new_2 are two coin commitments, v_pub is a coin value, info is an arbitrary string, and ∗ denotes other (implementation-dependent) information. The transaction tx_Pour records the pouring of two input (and now consumed) coins c^old_1, c^old_2, with respective serial numbers sn^old_1, sn^old_2, into two new output coins c^new_1, c^new_2, with respective coin commitments cm^new_1, cm^new_2, as well as a public output v_pub (which may be zero). Furthermore, tx_Pour also records an information string info (perhaps containing information on who is the recipient of v_pub basecoins) and that, when this transaction was made, the root of the Merkle tree over coin commitments was rt (see below).

⁹ In [16], one optimization to the verifier's runtime requires preprocessing the verification key vk; for simplicity, we do not use this optimization.
¹⁰ In reality, the Basecoin ledger (such as the one of Bitcoin) is not perfect and may incur temporary inconsistencies. In this respect our construction is as good as the underlying ledger. We discuss the effects of this on anonymity and mitigations in Section VI-C.
Commitments of minted coins and serial numbers of spent coins. For any given time T,
• CMList_T denotes the list of all coin commitments appearing in mint and pour transactions in L_T;
• SNList_T denotes the list of all serial numbers appearing in pour transactions in L_T.
While both of these lists can be deduced from L_T, it will be convenient to think about them as separate (as, in practice, these may be separately maintained due to efficiency reasons).

Merkle tree over commitments. For any given time T, Tree_T denotes a Merkle tree over CMList_T and rt_T its root. Moreover, the function Path_T(cm) gives the authentication path from a coin commitment cm appearing in CMList_T to the root of Tree_T.¹¹ For convenience, we assume that L_T also stores rt_T' for all T' ≤ T (i.e., it stores all past Merkle tree roots).

¹¹ While we refer to Merkle trees for simplicity, it is straightforward to extend the definition to allow other data structures representing sets with fast insertion and short proofs of membership.

B. Algorithms

A DAP scheme Π is a tuple of polynomial-time algorithms (Setup, CreateAddress, Mint, Pour, VerifyTransaction, Receive) with the following syntax and semantics.

System setup. The algorithm Setup generates a list of public parameters:
Setup
• INPUTS: security parameter λ
• OUTPUTS: public parameters pp
The algorithm Setup is executed by a trusted party. The resulting public parameters pp are published and made available to all parties (e.g., by embedding them into the protocol's implementation). The setup is done only once; afterwards, no trusted party is needed, and no global secrets or trapdoors are kept.

Creating payment addresses. The algorithm CreateAddress generates a new address key pair:
CreateAddress
• INPUTS: public parameters pp
• OUTPUTS: address key pair (addr_pk, addr_sk)
Each user generates at least one address key pair (addr_pk, addr_sk) in order to receive coins. The public key addr_pk is published, while the secret key addr_sk is used to redeem coins sent to addr_pk. A user may generate any number of address key pairs; doing so does not require any interaction.

Minting coins.
The algorithm Mint generates a coin (of a given value) and a mint transaction:
Mint
• INPUTS:
  – public parameters pp
  – coin value v ∈ {0, 1, …, v_max}
  – destination address public key addr_pk
• OUTPUTS: coin c and mint transaction tx_Mint
A system parameter, v_max, caps the value of any single coin. The output coin c has value v and coin address addr_pk; the output mint transaction tx_Mint equals (cm, v, ∗), where cm is the coin commitment of c.

Pouring coins. The Pour algorithm transfers value from input coins into new output coins, marking the input coins as consumed. Moreover, a fraction of the input value may be publicly revealed. Pouring allows users to subdivide coins into smaller denominations, merge coins, and transfer ownership of anonymous coins, or make public payments.¹²

¹² We consider pours with 2 inputs and 2 outputs, for simplicity and (as discussed in Section I-B) without loss of generality.

Pour
• INPUTS:
  – public parameters pp
  – the Merkle root rt
  – old coins c^old_1, c^old_2
  – old addresses' secret keys addr^old_sk,1, addr^old_sk,2
  – authentication path path_1 from commitment cm(c^old_1) to root rt,
authenticationpath path 2 fromcommitment cm ( c old 2 ) to root rt – newvalues v new 1 ;v new 2 – newaddressespublickeys addr new pk ; 1 ; addr new pk ; 2 – publicvalue v pub – transactionstring info  OUTPUTS : newcoins c new 1 ; c new 2 andpourtransaction tx Pour Thus,the Pour algorithmtakesasinputtwodistinctinput coins c old 1 ; c old 2 ,alongwithcorrespondingaddresssecretkeys addr old sk ; 1 ; addr old sk ; 2 (requiredtoredeemthetwoinputcoins).To ensurethat c old 1 ; c old 2 havebeenpreviouslyminted,the Pour algorithmalsotakesasinputtheMerkleroot rt (allegedly, equaltotherootofMerkletreeoverallcoincommitmentsso far),alongwithtwoauthenticationpaths path 1 ; path 2 forthe twocoincommitments cm ( c old 1 ) ; cm ( c old 2 ) .Twoinputvalues v new 1 ;v new 2 specifythevaluesoftwonewanonymouscoins c new 1 ; c new 2 tobegenerated,andtwoinputaddresspublickeys addr new pk ; 1 ; addr new pk ; 2 specifytherecipientsof c new 1 ; c new 2 .Athird value, v pub ,speciestheamounttobepubliclyspent(e.g., toredeemcoinsorpaytransactionfees).Thesumofoutput values v 1 + v 2 + v pub mustbeequaltothesumofthevalues oftheinputcoins(andcannotexceed v max ).Finally,the Pour algorithmalsoreceivesanarbitrarystring info ,whichisbound intotheoutputpourtransaction tx Pour . The Pour algorithmoutputstwonewcoins c new 1 ; c new 2 andapourtransaction tx Pour .Thetransaction tx Pour equals ( rt ; sn old 1 ; sn old 2 ; cm new 1 ; cm new 2 ;v pub ; info ;  ) ,where cm new 1 ; cm new 2 arethetwocoincommitmentsofthetwooutputcoins, and  denotesother(implementation-dependent)information. Crucially, tx Pour revealsonlyonecurrencyvalue,thepublic value v pub (whichmaybezero);itdoesnotrevealthepayment addressesorvaluesoftheoldornewcoins. Verifyingtransactions. 
The algorithm VerifyTransaction checks the validity of a transaction:
VerifyTransaction
• INPUTS:
– public parameters $\mathrm{pp}$
– a (mint or pour) transaction $\mathrm{tx}$
– the current ledger $L$
• OUTPUTS: bit $b$, equals 1 iff the transaction is valid
Both mint and pour transactions must be verified before being considered well-formed. In practice, transactions can be verified by the nodes in the distributed system maintaining the ledger, as well as by users who rely on these transactions.

Receiving coins. The algorithm Receive scans the ledger and retrieves unspent coins paid to a particular user address:
Receive
• INPUTS:
– recipient address key pair $(\mathrm{addr}_{pk}, \mathrm{addr}_{sk})$
– the current ledger $L$
• OUTPUTS: set of (unspent) received coins
When a user with address key pair $(\mathrm{addr}_{pk}, \mathrm{addr}_{sk})$ wishes to receive payments sent to $\mathrm{addr}_{pk}$, he uses the Receive algorithm to scan the ledger. For each payment to $\mathrm{addr}_{pk}$ appearing in the ledger, Receive outputs the corresponding coins whose serial numbers do not appear on the ledger $L$. Coins received in this way may be spent, just like minted coins, using the Pour algorithm. (We only require Receive to detect coins paid to $\mathrm{addr}_{pk}$ via the Pour algorithm and not also detect coins minted by the user himself.)

Next, we describe completeness (Section III-C) and security (Section III-D).

C. Completeness

Completeness of a DAP scheme requires that unspent coins can be spent. More precisely, consider a ledger sampler $\mathcal{S}$ outputting a ledger $L$. If $c_1$ and $c_2$ are two coins whose coin commitments appear in (valid) transactions on $L$, but their serial numbers do not appear in $L$, then $c_1$ and $c_2$ can be spent using Pour. Namely, running Pour results in a pour transaction $\mathrm{tx}_{\mathrm{Pour}}$ that VerifyTransaction accepts, and the new coins can be received by the intended recipients (by using Receive); moreover, $\mathrm{tx}_{\mathrm{Pour}}$ correctly records the intended $v_{\mathrm{pub}}$ and transaction string $\mathrm{info}$. This property is formalized via an incompleteness experiment INCOMP.

Definition III.1. A DAP scheme $\Pi = (\text{Setup}, \text{CreateAddress}, \text{Mint}, \text{Pour}, \text{VerifyTransaction}, \text{Receive})$ is complete if no polynomial-size ledger sampler $\mathcal{S}$ wins INCOMP with more than negligible probability.
D. Security

Security of a DAP scheme is characterized by three properties, which we call ledger indistinguishability, transaction non-malleability, and balance.

Definition III.2. A DAP scheme $\Pi = (\text{Setup}, \text{CreateAddress}, \text{Mint}, \text{Pour}, \text{VerifyTransaction}, \text{Receive})$ is secure if it satisfies ledger indistinguishability, transaction non-malleability, and balance.

Below, we provide an informal overview of each property, and defer formal definitions to the extended version of this paper [26].

Each property is formalized as a game between an adversary $\mathcal{A}$ and a challenger $\mathcal{C}$. In each game, the behavior of honest parties is realized via a DAP scheme oracle $\mathcal{O}^{\mathrm{DAP}}$, which maintains a ledger $L$ and provides an interface for executing the CreateAddress, Mint, Pour and Receive algorithms for honest parties. To elicit behavior from honest parties, $\mathcal{A}$ passes a query to $\mathcal{C}$, which (after sanity checks) proxies the query to $\mathcal{O}^{\mathrm{DAP}}$. For each query that requests an honest party to perform an action, $\mathcal{A}$ specifies identities of previous transactions and the input values, and learns the resulting transaction, but not any of the secrets or trapdoors involved in producing that transaction. The oracle $\mathcal{O}^{\mathrm{DAP}}$ also provides an Insert query that allows $\mathcal{A}$ to directly add arbitrary transactions to the ledger $L$.

Ledger indistinguishability. This property captures the requirement that the ledger reveals no new information to the adversary beyond the publicly-revealed information (values of minted coins, public values, information strings, total number of transactions, etc.), even when the adversary can adaptively induce honest parties to perform DAP operations of his choice. That is, no bounded adversary $\mathcal{A}$ can distinguish between two ledgers $L_0$ and $L_1$, constructed by $\mathcal{A}$ using queries to two DAP scheme oracles, when the queries to the two oracles are publicly consistent: they have matching type and are identical in terms of publicly-revealed information and the information related to addresses controlled by $\mathcal{A}$.
Ledger indistinguishability is formalized by an experiment L-IND that proceeds as follows. First, a challenger samples a random bit $b$ and initializes two DAP scheme oracles $\mathcal{O}^{\mathrm{DAP}}_0$ and $\mathcal{O}^{\mathrm{DAP}}_1$, maintaining ledgers $L_0$ and $L_1$. Throughout, the challenger allows $\mathcal{A}$ to issue queries to $\mathcal{O}^{\mathrm{DAP}}_0$ and $\mathcal{O}^{\mathrm{DAP}}_1$, thus controlling the behavior of honest parties on $L_0$ and $L_1$. The challenger provides the adversary with the view of both ledgers, but in randomized order: $L_{\mathrm{Left}} := L_b$ and $L_{\mathrm{Right}} := L_{1-b}$. The adversary's goal is to distinguish whether the view he sees corresponds to $(L_{\mathrm{Left}}, L_{\mathrm{Right}}) = (L_0, L_1)$, i.e. $b = 0$, or to $(L_{\mathrm{Left}}, L_{\mathrm{Right}}) = (L_1, L_0)$, i.e. $b = 1$.

At each round of the experiment, the adversary issues queries in pairs $Q, Q'$ of matching query type. If the query type is CreateAddress, then the same address is generated at both oracles. If it is to Mint, Pour or Receive, then $Q$ is forwarded to $L_0$ and $Q'$ to $L_1$; for Insert queries, query $Q$ is forwarded to $L_{\mathrm{Left}}$ and $Q'$ is forwarded to $L_{\mathrm{Right}}$. The adversary's queries are restricted in the sense that they must maintain the public consistency of the two ledgers. For example, the public values for Pour queries must be the same, as well as minted amounts for Mint queries.

At the conclusion of the experiment, $\mathcal{A}$ outputs a guess $b'$, and wins when $b = b'$. Ledger indistinguishability requires that $\mathcal{A}$ wins L-IND with probability at most negligibly greater than $1/2$.

Transaction non-malleability. This property requires that no bounded adversary $\mathcal{A}$ can alter any of the data stored within a (valid) pour transaction $\mathrm{tx}_{\mathrm{Pour}}$. This transaction non-malleability prevents malicious attackers from modifying others' transactions before they are added to the ledger (e.g., by re-targeting the Basecoin public output of a pour transaction).

Transaction non-malleability is formalized by an experiment TR-NM, in which $\mathcal{A}$ adaptively interacts with a DAP scheme oracle $\mathcal{O}^{\mathrm{DAP}}$ and then outputs a pour transaction $\mathrm{tx}^*$. Letting $\mathcal{T}$ denote the set of pour transactions returned by $\mathcal{O}^{\mathrm{DAP}}$, and $L$ denote the final ledger, $\mathcal{A}$ wins the game if there exists $\mathrm{tx} \in \mathcal{T}$ such that (i) $\mathrm{tx}^* \ne \mathrm{tx}$; (ii) $\mathrm{tx}^*$ reveals a serial number contained in $\mathrm{tx}$; and (iii) both $\mathrm{tx}$ and $\mathrm{tx}^*$ are valid with respect to the ledger $L'$ containing all transactions preceding $\mathrm{tx}$ on $L$. In other words, $\mathcal{A}$ wins the game if $\mathrm{tx}^*$ manages to modify some previous pour transaction to spend the same coin in a different way.

Transaction non-malleability requires that $\mathcal{A}$ wins TR-NM with only negligible probability. (Note that $\mathcal{A}$ can of course produce valid pour transactions that are unrelated to those in $\mathcal{T}$; the condition that $\mathrm{tx}^*$ reveals a serial number of a previously-spent coin captures non-malleability.)

Balance. This property requires that no bounded adversary $\mathcal{A}$ can own more money than what he minted or received via payments from others.

Balance is formalized by an experiment BAL, in which $\mathcal{A}$ adaptively interacts with a DAP scheme oracle $\mathcal{O}^{\mathrm{DAP}}$ and then outputs a set of coins $S_{\mathrm{coin}}$. Letting $S_{\mathrm{addr}}$ be the set of addresses returned by CreateAddress queries (i.e., addresses of "honest" users), $\mathcal{A}$ wins the game if the total value he can spend or has spent (either as coins or Basecoin public outputs) is greater than the value he has received or minted. That is, $\mathcal{A}$ wins if
$$v_{\mathrm{Unspent}} + v_{\mathrm{Basecoin}} + v_{\mathcal{A} \to \mathrm{ADDR}} > v_{\mathrm{Mint}} + v_{\mathrm{ADDR} \to \mathcal{A}}$$
where: (i) $v_{\mathrm{Unspent}}$ is the total value of unspent coins in $S_{\mathrm{coin}}$; (ii) $v_{\mathrm{Basecoin}}$ is the total value of public outputs placed by $\mathcal{A}$ on the ledger; (iii) $v_{\mathrm{Mint}}$ is the total value of $\mathcal{A}$'s mint transactions; (iv) $v_{\mathrm{ADDR} \to \mathcal{A}}$ is the total value of payments received by $\mathcal{A}$ from addresses in $S_{\mathrm{addr}}$; (v) $v_{\mathcal{A} \to \mathrm{ADDR}}$ is the total value of payments sent by $\mathcal{A}$ to addresses in $S_{\mathrm{addr}}$.

Balance requires that $\mathcal{A}$ wins BAL with only negligible probability.

IV. Construction of a Decentralized Anonymous Payment Scheme

We show how to construct a DAP scheme (introduced in Section III) using zk-SNARKs and other building blocks. Later, in Section V, we give a concrete instantiation of this construction.
A. Cryptographic building blocks

We first introduce notation for the standard cryptographic building blocks that we use. We assume familiarity with the definitions of these building blocks; for more details, see, e.g., [27]. Throughout, $\lambda$ denotes the security parameter.

Collision-resistant hashing. We use a collision-resistant hash function $\mathrm{CRH} : \{0,1\}^* \to \{0,1\}^{O(\lambda)}$.

Pseudorandom functions. We use a pseudorandom function family $\mathrm{PRF} = \{\mathrm{PRF}_x : \{0,1\}^* \to \{0,1\}^{O(\lambda)}\}_x$ where $x$ denotes the seed. From $\mathrm{PRF}_x$, we derive three "non-overlapping" pseudorandom functions, chosen arbitrarily as
$$\mathrm{PRF}^{\mathrm{addr}}_x(z) := \mathrm{PRF}_x(00 \,\|\, z), \quad \mathrm{PRF}^{\mathrm{sn}}_x(z) := \mathrm{PRF}_x(01 \,\|\, z), \quad \mathrm{PRF}^{\mathrm{pk}}_x(z) := \mathrm{PRF}_x(10 \,\|\, z).$$
Furthermore, we assume that $\mathrm{PRF}^{\mathrm{sn}}$ is also collision resistant, in the sense that it is infeasible to find $(x, z) \ne (x', z')$ such that $\mathrm{PRF}^{\mathrm{sn}}_x(z) = \mathrm{PRF}^{\mathrm{sn}}_{x'}(z')$.

Statistically-hiding commitments. We use a commitment scheme COMM where the binding property holds computationally, while the hiding property holds statistically. It is denoted $\{\mathrm{COMM}_x : \{0,1\}^* \to \{0,1\}^{O(\lambda)}\}_x$ where $x$ denotes the commitment trapdoor. Namely, to reveal a commitment $\mathrm{cm}$ to a value $z$, it suffices to provide $z$ and the trapdoor $x$; then one can check that $\mathrm{cm} = \mathrm{COMM}_x(z)$.

One-time strongly-unforgeable digital signatures. We use a digital signature scheme $\mathrm{Sig} = (\mathcal{G}_{\mathrm{sig}}, \mathcal{K}_{\mathrm{sig}}, \mathcal{S}_{\mathrm{sig}}, \mathcal{V}_{\mathrm{sig}})$ that works as follows.
• $\mathcal{G}_{\mathrm{sig}}(1^\lambda) \to \mathrm{pp}_{\mathrm{sig}}$. Given a security parameter $\lambda$ (presented in unary), $\mathcal{G}_{\mathrm{sig}}$ samples public parameters $\mathrm{pp}_{\mathrm{sig}}$ for the signature scheme.
• $\mathcal{K}_{\mathrm{sig}}(\mathrm{pp}_{\mathrm{sig}}) \to (\mathrm{pk}_{\mathrm{sig}}, \mathrm{sk}_{\mathrm{sig}})$. Given public parameters $\mathrm{pp}_{\mathrm{sig}}$, $\mathcal{K}_{\mathrm{sig}}$ samples a public key and a secret key for a single user.
• $\mathcal{S}_{\mathrm{sig}}(\mathrm{sk}_{\mathrm{sig}}, m) \to \sigma$. Given a secret key $\mathrm{sk}_{\mathrm{sig}}$ and a message $m$, $\mathcal{S}_{\mathrm{sig}}$ signs $m$ to obtain a signature $\sigma$.
• $\mathcal{V}_{\mathrm{sig}}(\mathrm{pk}_{\mathrm{sig}}, m, \sigma) \to b$. Given a public key $\mathrm{pk}_{\mathrm{sig}}$, message $m$, and signature $\sigma$, $\mathcal{V}_{\mathrm{sig}}$ outputs $b = 1$ if the signature $\sigma$ is valid for message $m$; else it outputs $b = 0$.
The signature scheme Sig satisfies the security property of one-time strong unforgeability against chosen-message attacks (SUF-1CMA security).

Key-private public-key encryption. We use a public-key encryption scheme $\mathrm{Enc} = (\mathcal{G}_{\mathrm{enc}}, \mathcal{K}_{\mathrm{enc}}, \mathcal{E}_{\mathrm{enc}}, \mathcal{D}_{\mathrm{enc}})$ that works as follows.
• $\mathcal{G}_{\mathrm{enc}}(1^\lambda) \to \mathrm{pp}_{\mathrm{enc}}$. Given a security parameter $\lambda$ (presented in unary), $\mathcal{G}_{\mathrm{enc}}$ samples public parameters $\mathrm{pp}_{\mathrm{enc}}$ for the encryption scheme.
• $\mathcal{K}_{\mathrm{enc}}(\mathrm{pp}_{\mathrm{enc}}) \to (\mathrm{pk}_{\mathrm{enc}}, \mathrm{sk}_{\mathrm{enc}})$. Given public parameters $\mathrm{pp}_{\mathrm{enc}}$, $\mathcal{K}_{\mathrm{enc}}$ samples a public key and a secret key for a single user.
• $\mathcal{E}_{\mathrm{enc}}(\mathrm{pk}_{\mathrm{enc}}, m) \to c$. Given a public key $\mathrm{pk}_{\mathrm{enc}}$ and a message $m$, $\mathcal{E}_{\mathrm{enc}}$ encrypts $m$ to obtain a ciphertext $c$.
• $\mathcal{D}_{\mathrm{enc}}(\mathrm{sk}_{\mathrm{enc}}, c) \to m$. Given a secret key $\mathrm{sk}_{\mathrm{enc}}$ and a ciphertext $c$, $\mathcal{D}_{\mathrm{enc}}$ decrypts $c$ to produce a message $m$ (or $\bot$ if decryption fails).
The encryption scheme Enc satisfies two security properties: (i) ciphertext indistinguishability under chosen-ciphertext attack (IND-CCA security); and (ii) key indistinguishability under chosen-ciphertext attack (IK-CCA security). While the first property is standard, the second is less known; informally, IK-CCA requires that ciphertexts cannot be linked to the public key used to encrypt them, or to other ciphertexts encrypted with the same public key. For definitions, we refer the reader to [21].

B. zk-SNARKs for pouring coins

As outlined in Section I-B, our construction invokes a zk-SNARK for a specific NP statement, POUR, which we now define. We first recall the context motivating POUR. When a user $u$ pours "old" coins $c^{\text{old}}_1, c^{\text{old}}_2$ into new coins $c^{\text{new}}_1, c^{\text{new}}_2$, a corresponding pour transaction
$$\mathrm{tx}_{\mathrm{Pour}} = (\mathrm{rt}, \mathrm{sn}^{\text{old}}_1, \mathrm{sn}^{\text{old}}_2, \mathrm{cm}^{\text{new}}_1, \mathrm{cm}^{\text{new}}_2, v_{\mathrm{pub}}, \mathrm{info}, *)$$
is generated. In our construction, we need to provide evidence in "$*$" that various conditions were respected by the pour operation. Concretely, $\mathrm{tx}_{\mathrm{Pour}}$ should demonstrate that (i) $u$ owns $c^{\text{old}}_1, c^{\text{old}}_2$; (ii) coin commitments for $c^{\text{old}}_1, c^{\text{old}}_2$ appear somewhere on the ledger; (iii) the revealed serial numbers $\mathrm{sn}^{\text{old}}_1, \mathrm{sn}^{\text{old}}_2$ are of $c^{\text{old}}_1, c^{\text{old}}_2$; (iv) the revealed coin commitments $\mathrm{cm}^{\text{new}}_1, \mathrm{cm}^{\text{new}}_2$ are of $c^{\text{new}}_1, c^{\text{new}}_2$; (v) balance is preserved. Our construction achieves this by including a zk-SNARK proof $\pi_{\mathrm{POUR}}$ for the statement POUR which checks the above invariants (as well as others needed for non-malleability).

The statement POUR.
Concretely, the NP statement POUR is defined as follows.
• Instances are of the form $\vec{x} = (\mathrm{rt}, \mathrm{sn}^{\text{old}}_1, \mathrm{sn}^{\text{old}}_2, \mathrm{cm}^{\text{new}}_1, \mathrm{cm}^{\text{new}}_2, v_{\mathrm{pub}}, h_{\mathrm{Sig}}, h_1, h_2)$. Thus, an instance $\vec{x}$ specifies a root $\mathrm{rt}$ for a CRH-based Merkle tree (over the list of commitments so far), the two serial numbers of the consumed coins, two coin commitments for the two new coins, a public value, and fields $h_{\mathrm{Sig}}, h_1, h_2$ used for non-malleability.
• Witnesses are of the form $\vec{a} = (\mathrm{path}_1, \mathrm{path}_2, c^{\text{old}}_1, c^{\text{old}}_2, \mathrm{addr}^{\text{old}}_{sk,1}, \mathrm{addr}^{\text{old}}_{sk,2}, c^{\text{new}}_1, c^{\text{new}}_2)$ where, for each $i \in \{1, 2\}$:
$c^{\text{old}}_i = (\mathrm{addr}^{\text{old}}_{pk,i}, v^{\text{old}}_i, \rho^{\text{old}}_i, r^{\text{old}}_i, s^{\text{old}}_i, \mathrm{cm}^{\text{old}}_i)$,
$c^{\text{new}}_i = (\mathrm{addr}^{\text{new}}_{pk,i}, v^{\text{new}}_i, \rho^{\text{new}}_i, r^{\text{new}}_i, s^{\text{new}}_i, \mathrm{cm}^{\text{new}}_i)$ for the same $\mathrm{cm}^{\text{new}}_i$ as in $\vec{x}$,
$\mathrm{addr}^{\text{old}}_{pk,i} = (a^{\text{old}}_{pk,i}, \mathrm{pk}^{\text{old}}_{\mathrm{enc},i})$,
$\mathrm{addr}^{\text{new}}_{pk,i} = (a^{\text{new}}_{pk,i}, \mathrm{pk}^{\text{new}}_{\mathrm{enc},i})$,
$\mathrm{addr}^{\text{old}}_{sk,i} = (a^{\text{old}}_{sk,i}, \mathrm{sk}^{\text{old}}_{\mathrm{enc},i})$.
Thus, a witness $\vec{a}$ specifies authentication paths for the two old coin commitments, the entirety of coin information about both the old and new coins, and address secret keys for the old coins.

Given a POUR instance $\vec{x}$, a witness $\vec{a}$ is valid for $\vec{x}$ if the following holds:
1) For each $i \in \{1, 2\}$:
a) The coin commitment $\mathrm{cm}^{\text{old}}_i$ of $c^{\text{old}}_i$ appears on the ledger, i.e., $\mathrm{path}_i$ is a valid authentication path for leaf $\mathrm{cm}^{\text{old}}_i$ with respect to root $\mathrm{rt}$, in a CRH-based Merkle tree.
b) The address secret key $a^{\text{old}}_{sk,i}$ matches the address public key of $c^{\text{old}}_i$, i.e., $a^{\text{old}}_{pk,i} = \mathrm{PRF}^{\mathrm{addr}}_{a^{\text{old}}_{sk,i}}(0)$.
c) The serial number $\mathrm{sn}^{\text{old}}_i$ of $c^{\text{old}}_i$ is computed correctly, i.e., $\mathrm{sn}^{\text{old}}_i = \mathrm{PRF}^{\mathrm{sn}}_{a^{\text{old}}_{sk,i}}(\rho^{\text{old}}_i)$.
d) The coin $c^{\text{old}}_i$ is well-formed, i.e., $\mathrm{cm}^{\text{old}}_i = \mathrm{COMM}_{s^{\text{old}}_i}(\mathrm{COMM}_{r^{\text{old}}_i}(a^{\text{old}}_{pk,i} \,\|\, \rho^{\text{old}}_i) \,\|\, v^{\text{old}}_i)$.
e) The coin $c^{\text{new}}_i$ is well-formed, i.e., $\mathrm{cm}^{\text{new}}_i = \mathrm{COMM}_{s^{\text{new}}_i}(\mathrm{COMM}_{r^{\text{new}}_i}(a^{\text{new}}_{pk,i} \,\|\, \rho^{\text{new}}_i) \,\|\, v^{\text{new}}_i)$.
f) The address secret key $a^{\text{old}}_{sk,i}$ ties $h_{\mathrm{Sig}}$ to $h_i$, i.e., $h_i = \mathrm{PRF}^{\mathrm{pk}}_{a^{\text{old}}_{sk,i}}(h_{\mathrm{Sig}})$.
2) Balance is preserved: $v^{\text{new}}_1 + v^{\text{new}}_2 + v_{\mathrm{pub}} = v^{\text{old}}_1 + v^{\text{old}}_2$ (with $v^{\text{old}}_1, v^{\text{old}}_2 \ge 0$ and $v^{\text{old}}_1 + v^{\text{old}}_2 \le v_{\max}$).
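The coin format from Mint, the Merkle authentication path $\mathrm{Path}_T(\mathrm{cm})$, and the POUR checks 1a–1f and 2 above, as an added Python example that is not part of the paper. The zk-SNARK is replaced by evaluating the statement in the clear (the checker is handed the witness, so it gives no zero knowledge), SHA-256 stands in for CRH, COMM and the prefixed PRFs, commitments use the $v \,\|\, k$ order of the Mint pseudocode, and $v_{\max}$, $d_{\mathrm{tree}}$ and $h_{\mathrm{Sig}}$ are hypothetical placeholders while the encryption keys, signature and ciphertexts are omitted.

```python
import hashlib
import os

V_MAX, D_TREE = 2**32 - 1, 4  # hypothetical v_max and Merkle depth d_tree (hard-coded in C_POUR)

def CRH(data):   # SHA-256 stands in for the collision-resistant hash CRH
    return hashlib.sha256(data).digest()
def COMM(x, z):  # toy commitment COMM_x(z) with trapdoor x; illustrative, not a real COMM
    return CRH(b"COMM" + x + z)
def PRF(x, tag, z):  # PRF_x(tag || z); the tags 00/01/10 keep the three derived PRFs disjoint
    return CRH(b"PRF" + x + tag + z)
def PRF_addr(x, z): return PRF(x, b"00", z)
def PRF_sn(x, z): return PRF(x, b"01", z)
def PRF_pk(x, z): return PRF(x, b"10", z)

def merkle_layers(leaves):  # pad CMList to 2**D_TREE leaves, then hash pairwise up to the root
    layer, layers = list(leaves) + [bytes(32)] * (2**D_TREE - len(leaves)), []
    while len(layer) > 1:
        layers.append(layer)
        layer = [CRH(layer[i] + layer[i + 1]) for i in range(0, len(layer), 2)]
    return layers, layer[0]  # (all layers below the root, rt)

def merkle_path(leaves, idx):  # Path_T(cm): (sibling hash, sibling is on the right) per level
    path = []
    for layer in merkle_layers(leaves)[0]:
        path.append((layer[idx ^ 1], idx % 2 == 0))
        idx //= 2
    return path

def merkle_verify(leaf, path, rt):  # recompute the root from a leaf and its path
    for sib, sib_right in path:
        leaf = CRH(leaf + sib) if sib_right else CRH(sib + leaf)
    return leaf == rt

def create_address():  # only the PRF half of CreateAddress; (pk_enc, sk_enc) is omitted
    a_sk = os.urandom(32)
    return PRF_addr(a_sk, b"\x00"), a_sk  # a_pk = PRF^addr_{a_sk}(0)

def mint(v, a_pk):  # coin c = (a_pk, v, rho, r, s, cm) with cm = COMM_s(v || COMM_r(a_pk || rho))
    rho, r, s = os.urandom(32), os.urandom(32), os.urandom(32)
    cm = COMM(s, v.to_bytes(8, "big") + COMM(r, a_pk + rho))
    return dict(a_pk=a_pk, v=v, rho=rho, r=r, s=s, cm=cm)

def well_formed(c):  # checks 1d/1e: the commitment opens to the coin's own fields
    return c["cm"] == COMM(c["s"], c["v"].to_bytes(8, "big") + COMM(c["r"], c["a_pk"] + c["rho"]))

def pour_statement_holds(x, a):
    # The checks C_POUR enforces, evaluated in the clear. A zk-SNARK proves them without
    # revealing the witness a; this plain verifier is handed a, so it gives no privacy.
    rt, sn_old, cm_new, v_pub, h_sig, h = x
    paths, c_old, a_sk_old, c_new = a
    for i in range(2):
        c, a_sk = c_old[i], a_sk_old[i]
        if not merkle_verify(c["cm"], paths[i], rt): return False          # 1a: cm_old on ledger
        if c["a_pk"] != PRF_addr(a_sk, b"\x00"): return False             # 1b: a_sk owns a_pk
        if sn_old[i] != PRF_sn(a_sk, c["rho"]): return False              # 1c: serial number
        if not well_formed(c): return False                               # 1d
        if not well_formed(c_new[i]) or c_new[i]["cm"] != cm_new[i]: return False  # 1e
        if h[i] != PRF_pk(a_sk, h_sig): return False                      # 1f: h_i ties h_Sig to a_sk
    v_old = c_old[0]["v"] + c_old[1]["v"]
    if min(c_old[0]["v"], c_old[1]["v"]) < 0 or v_old > V_MAX: return False
    return c_new[0]["v"] + c_new[1]["v"] + v_pub == v_old                 # 2: balance

def demo(v_new=(8, 4), v_pub=3):
    # Mint coins worth 10 and 5 to one address, then pour them into two new coins plus v_pub.
    a_pk, a_sk = create_address()
    old = [mint(10, a_pk), mint(5, a_pk)]
    leaves = [c["cm"] for c in old]                  # CMList_T: commitments on the ledger
    rt = merkle_layers(leaves)[1]
    new = [mint(v_new[0], a_pk), mint(v_new[1], a_pk)]
    h_sig = CRH(b"constructed pk_sig placeholder")   # stands in for CRH(pk_sig)
    x = (rt, tuple(PRF_sn(a_sk, c["rho"]) for c in old), tuple(c["cm"] for c in new),
         v_pub, h_sig, tuple(PRF_pk(a_sk, h_sig) for _ in old))
    a = ([merkle_path(leaves, 0), merkle_path(leaves, 1)], old, [a_sk, a_sk], new)
    return pour_statement_holds(x, a)
```

`demo()` returns True for a balanced pour (8 + 4 + 3 = 10 + 5) and False when the new values do not add up, which is the case the balance property rules out.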
Recall that in this paper zk-SNARKs are relative to the language of arithmetic circuit satisfiability (see Section II); thus, we express the checks in POUR via an arithmetic circuit, denoted $C_{\mathrm{POUR}}$. In particular, the depth $d_{\mathrm{tree}}$ of the Merkle tree needs to be hardcoded in $C_{\mathrm{POUR}}$, and we thus make it a parameter of our construction (see below); the maximum number of supported coins is then $2^{d_{\mathrm{tree}}}$.

C. Algorithm constructions

We proceed to describe the construction of the DAP scheme $\Pi = (\text{Setup}, \text{CreateAddress}, \text{Mint}, \text{Pour}, \text{VerifyTransaction}, \text{Receive})$ whose intuition was given in Section I-B. Figure 2 gives the pseudocode for each one of the six algorithms in $\Pi$, in terms of the building blocks introduced in Section IV-A and Section IV-B. In the construction, we hardcode two quantities: the maximum value of a coin, $v_{\max}$, and the depth of the Merkle tree, $d_{\mathrm{tree}}$.

Setup
• INPUTS: security parameter $\lambda$
• OUTPUTS: public parameters $\mathrm{pp}$
1) Construct $C_{\mathrm{POUR}}$ for POUR at security $\lambda$.
2) Compute $(\mathrm{pk}_{\mathrm{POUR}}, \mathrm{vk}_{\mathrm{POUR}}) := \mathrm{KeyGen}(1^\lambda, C_{\mathrm{POUR}})$.
3) Compute $\mathrm{pp}_{\mathrm{enc}} := \mathcal{G}_{\mathrm{enc}}(1^\lambda)$.
4) Compute $\mathrm{pp}_{\mathrm{sig}} := \mathcal{G}_{\mathrm{sig}}(1^\lambda)$.
5) Set $\mathrm{pp} := (\mathrm{pk}_{\mathrm{POUR}}, \mathrm{vk}_{\mathrm{POUR}}, \mathrm{pp}_{\mathrm{enc}}, \mathrm{pp}_{\mathrm{sig}})$.
6) Output $\mathrm{pp}$.

CreateAddress
• INPUTS: public parameters $\mathrm{pp}$
• OUTPUTS: address key pair $(\mathrm{addr}_{pk}, \mathrm{addr}_{sk})$
1) Compute $(\mathrm{pk}_{\mathrm{enc}}, \mathrm{sk}_{\mathrm{enc}}) := \mathcal{K}_{\mathrm{enc}}(\mathrm{pp}_{\mathrm{enc}})$.
2) Randomly sample a $\mathrm{PRF}^{\mathrm{addr}}$ seed $a_{sk}$.
3) Compute $a_{pk} = \mathrm{PRF}^{\mathrm{addr}}_{a_{sk}}(0)$.
4) Set $\mathrm{addr}_{pk} := (a_{pk}, \mathrm{pk}_{\mathrm{enc}})$.
5) Set $\mathrm{addr}_{sk} := (a_{sk}, \mathrm{sk}_{\mathrm{enc}})$.
6) Output $(\mathrm{addr}_{pk}, \mathrm{addr}_{sk})$.

Mint
• INPUTS:
– public parameters $\mathrm{pp}$
– coin value $v \in \{0, 1, \ldots, v_{\max}\}$
– destination address public key $\mathrm{addr}_{pk}$
• OUTPUTS: coin $c$ and mint transaction $\mathrm{tx}_{\mathrm{Mint}}$
1) Parse $\mathrm{addr}_{pk}$ as $(a_{pk}, \mathrm{pk}_{\mathrm{enc}})$.
2) Randomly sample a $\mathrm{PRF}^{\mathrm{sn}}$ seed $\rho$.
3) Randomly sample two COMM trapdoors $r, s$.
4) Compute $k := \mathrm{COMM}_r(a_{pk} \,\|\, \rho)$.
5) Compute $\mathrm{cm} := \mathrm{COMM}_s(v \,\|\, k)$.
6) Set $c := (\mathrm{addr}_{pk}, v, \rho, r, s, \mathrm{cm})$.
7) Set $\mathrm{tx}_{\mathrm{Mint}} := (\mathrm{cm}, v, *)$, where $* := (k, s)$.
8) Output $c$ and $\mathrm{tx}_{\mathrm{Mint}}$.

VerifyTransaction
• INPUTS:
– public parameters $\mathrm{pp}$
– a (mint or pour) transaction $\mathrm{tx}$
– the current ledger $L$
• OUTPUTS: bit $b$, equals 1 iff the transaction is valid
1) If given a mint transaction $\mathrm{tx} = \mathrm{tx}_{\mathrm{Mint}}$:
a) Parse $\mathrm{tx}_{\mathrm{Mint}}$ as $(\mathrm{cm}, v, *)$, and $*$ as $(k, s)$.
b) Set $\mathrm{cm}' := \mathrm{COMM}_s(v \,\|\, k)$.
c) Output $b := 1$ if $\mathrm{cm} = \mathrm{cm}'$, else output $b := 0$.
2) If given a pour transaction $\mathrm{tx} = \mathrm{tx}_{\mathrm{Pour}}$:
a) Parse $\mathrm{tx}_{\mathrm{Pour}}$ as $(\mathrm{rt}, \mathrm{sn}^{\text{old}}_1, \mathrm{sn}^{\text{old}}_2, \mathrm{cm}^{\text{new}}_1, \mathrm{cm}^{\text{new}}_2, v_{\mathrm{pub}}, \mathrm{info}, *)$, and $*$ as $(\mathrm{pk}_{\mathrm{sig}}, h_1, h_2, \pi_{\mathrm{POUR}}, \mathbf{C}_1, \mathbf{C}_2, \sigma)$.
b) If $\mathrm{sn}^{\text{old}}_1$ or $\mathrm{sn}^{\text{old}}_2$ appears on $L$ (or $\mathrm{sn}^{\text{old}}_1 = \mathrm{sn}^{\text{old}}_2$), output $b := 0$.
c) If the Merkle root $\mathrm{rt}$ does not appear on $L$, output $b := 0$.
d) Compute $h_{\mathrm{Sig}} := \mathrm{CRH}(\mathrm{pk}_{\mathrm{sig}})$.
e) Set $\vec{x} := (\mathrm{rt}, \mathrm{sn}^{\text{old}}_1, \mathrm{sn}^{\text{old}}_2, \mathrm{cm}^{\text{new}}_1, \mathrm{cm}^{\text{new}}_2, v_{\mathrm{pub}}, h_{\mathrm{Sig}}, h_1, h_2)$.
f) Set $m := (\vec{x}, \pi_{\mathrm{POUR}}, \mathrm{info}, \mathbf{C}_1, \mathbf{C}_2)$.
g) Compute $b := \mathcal{V}_{\mathrm{sig}}(\mathrm{pk}_{\mathrm{sig}}, m, \sigma)$.
h) Compute $b' := \mathrm{Verify}(\mathrm{vk}_{\mathrm{POUR}}, \vec{x}, \pi_{\mathrm{POUR}})$, and output $b \wedge b'$.

Pour
• INPUTS:
– public parameters $\mathrm{pp}$
– the Merkle root $\mathrm{rt}$
– old coins $c^{\text{old}}_1, c^{\text{old}}_2$
– old addresses' secret keys $\mathrm{addr}^{\text{old}}_{sk,1}, \mathrm{addr}^{\text{old}}_{sk,2}$
– path $\mathrm{path}_1$ from commitment $\mathrm{cm}(c^{\text{old}}_1)$ to root $\mathrm{rt}$, path $\mathrm{path}_2$ from commitment $\mathrm{cm}(c^{\text{old}}_2)$ to root $\mathrm{rt}$
– new values $v^{\text{new}}_1, v^{\text{new}}_2$
– new addresses' public keys $\mathrm{addr}^{\text{new}}_{pk,1}, \mathrm{addr}^{\text{new}}_{pk,2}$
– public value $v_{\mathrm{pub}}$
– transaction string $\mathrm{info}$
• OUTPUTS: new coins $c^{\text{new}}_1, c^{\text{new}}_2$ and pour transaction $\mathrm{tx}_{\mathrm{Pour}}$
1) For each $i \in \{1, 2\}$:
a) Parse $c^{\text{old}}_i$ as $(\mathrm{addr}^{\text{old}}_{pk,i}, v^{\text{old}}_i, \rho^{\text{old}}_i, r^{\text{old}}_i, s^{\text{old}}_i, \mathrm{cm}^{\text{old}}_i)$.
b) Parse $\mathrm{addr}^{\text{old}}_{sk,i}$ as $(a^{\text{old}}_{sk,i}, \mathrm{sk}^{\text{old}}_{\mathrm{enc},i})$.
c) Compute $\mathrm{sn}^{\text{old}}_i := \mathrm{PRF}^{\mathrm{sn}}_{a^{\text{old}}_{sk,i}}(\rho^{\text{old}}_i)$.
d) Parse $\mathrm{addr}^{\text{new}}_{pk,i}$ as $(a^{\text{new}}_{pk,i}, \mathrm{pk}^{\text{new}}_{\mathrm{enc},i})$.
e) Randomly sample a $\mathrm{PRF}^{\mathrm{sn}}$ seed $\rho^{\text{new}}_i$.
f) Randomly sample two COMM trapdoors $r^{\text{new}}_i, s^{\text{new}}_i$.
g) Compute $k^{\text{new}}_i := \mathrm{COMM}_{r^{\text{new}}_i}(a^{\text{new}}_{pk,i} \,\|\, \rho^{\text{new}}_i)$.
h) Compute $\mathrm{cm}^{\text{new}}_i := \mathrm{COMM}_{s^{\text{new}}_i}(v^{\text{new}}_i \,\|\, k^{\text{new}}_i)$.
i) Set $c^{\text{new}}_i := (\mathrm{addr}^{\text{new}}_{pk,i}, v^{\text{new}}_i, \rho^{\text{new}}_i, r^{\text{new}}_i, s^{\text{new}}_i, \mathrm{cm}^{\text{new}}_i)$.
j) Set $\mathbf{C}_i := \mathcal{E}_{\mathrm{enc}}(\mathrm{pk}^{\text{new}}_{\mathrm{enc},i}, (v^{\text{new}}_i, \rho^{\text{new}}_i, r^{\text{new}}_i, s^{\text{new}}_i))$.
2) Generate $(\mathrm{pk}_{\mathrm{sig}}, \mathrm{sk}_{\mathrm{sig}}) := \mathcal{K}_{\mathrm{sig}}(\mathrm{pp}_{\mathrm{sig}})$.
3) Compute $h_{\mathrm{Sig}} := \mathrm{CRH}(\mathrm{pk}_{\mathrm{sig}})$.
4) Compute $h_1 := \mathrm{PRF}^{\mathrm{pk}}_{a^{\text{old}}_{sk,1}}(h_{\mathrm{Sig}})$ and $h_2 := \mathrm{PRF}^{\mathrm{pk}}_{a^{\text{old}}_{sk,2}}(h_{\mathrm{Sig}})$.
5) Set $\vec{x} := (\mathrm{rt}, \mathrm{sn}^{\text{old}}_1, \mathrm{sn}^{\text{old}}_2, \mathrm{cm}^{\text{new}}_1, \mathrm{cm}^{\text{new}}_2, v_{\mathrm{pub}}, h_{\mathrm{Sig}}, h_1, h_2)$.
6) Set $\vec{a} := (\mathrm{path}_1, \mathrm{path}_2, c^{\text{old}}_1, c^{\text{old}}_2, \mathrm{addr}^{\text{old}}_{sk,1}, \mathrm{addr}^{\text{old}}_{sk,2}, c^{\text{new}}_1, c^{\text{new}}_2)$.
7) Compute $\pi_{\mathrm{POUR}} := \mathrm{Prove}(\mathrm{pk}_{\mathrm{POUR}}, \vec{x}, \vec{a})$.
8) Set $m := (\vec{x}, \pi_{\mathrm{POUR}}, \mathrm{info}, \mathbf{C}_1, \mathbf{C}_2)$.
9) Compute $\sigma := \mathcal{S}_{\mathrm{sig}}(\mathrm{sk}_{\mathrm{sig}}, m)$.
10) Set $\mathrm{tx}_{\mathrm{Pour}} := (\mathrm{rt}, \mathrm{sn}^{\text{old}}_1, \mathrm{sn}^{\text{old}}_2, \mathrm{cm}^{\text{new}}_1, \mathrm{cm}^{\text{new}}_2, v_{\mathrm{pub}}, \mathrm{info}, *)$, where $* := (\mathrm{pk}_{\mathrm{sig}}, h_1, h_2, \pi_{\mathrm{POUR}}, \mathbf{C}_1, \mathbf{C}_2, \sigma)$.
11) Output $c^{\text{new}}_1, c^{\text{new}}_2$ and $\mathrm{tx}_{\mathrm{Pour}}$.

Receive
• INPUTS:
– public parameters $\mathrm{pp}$
– recipient address key pair $(\mathrm{addr}_{pk}, \mathrm{addr}_{sk})$
– the current ledger $L$
• OUTPUTS: set of received coins
1) Parse $\mathrm{addr}_{pk}$ as $(a_{pk}, \mathrm{pk}_{\mathrm{enc}})$.
2) Parse $\mathrm{addr}_{sk}$ as $(a_{sk}, \mathrm{sk}_{\mathrm{enc}})$.
3) For each Pour transaction $\mathrm{tx}_{\mathrm{Pour}}$ on the ledger:
a) Parse $\mathrm{tx}_{\mathrm{Pour}}$ as $(\mathrm{rt}, \mathrm{sn}^{\text{old}}_1, \mathrm{sn}^{\text{old}}_2, \mathrm{cm}^{\text{new}}_1, \mathrm{cm}^{\text{new}}_2, v_{\mathrm{pub}}, \mathrm{info}, *)$, and $*$ as $(\mathrm{pk}_{\mathrm{sig}}, h_1, h_2, \pi_{\mathrm{POUR}}, \mathbf{C}_1, \mathbf{C}_2, \sigma)$.
b) For each $i \in \{1, 2\}$:
i) Compute $(v_i, \rho_i, r_i, s_i) := \mathcal{D}_{\mathrm{enc}}(\mathrm{sk}_{\mathrm{enc}}, \mathbf{C}_i)$.
ii) If $\mathcal{D}_{\mathrm{enc}}$'s output is not $\bot$, verify that:
• $\mathrm{cm}^{\text{new}}_i$ equals $\mathrm{COMM}_{s_i}(v_i \,\|\, \mathrm{COMM}_{r_i}(a_{pk} \,\|\, \rho_i))$;
• $\mathrm{sn}_i := \mathrm{PRF}^{\mathrm{sn}}_{a_{sk}}(\rho_i)$ does not appear on $L$.
iii) If both checks succeed, output $c_i := (\mathrm{addr}_{pk}, v_i, \rho_i, r_i, s_i, \mathrm{cm}^{\text{new}}_i)$.

Fig. 2: Construction of a DAP scheme using zk-SNARKs and other ingredients.

D. Completeness and security

Our main theorem states that the above construction is indeed a DAP scheme.

Theorem IV.1. The tuple $\Pi = (\text{Setup}, \text{CreateAddress}, \text{Mint}, \text{Pour}, \text{VerifyTransaction}, \text{Receive})$, as defined in Section IV-C, is a complete (cf. Definition III.1) and secure (cf. Definition III.2) DAP scheme.
We provide a proof of Theorem IV.1 in the extended version of this paper [26]. We note that our construction can be modified to yield statistical (i.e., everlasting) anonymity; see the discussion in the extension section of the full version of this paper.

Remark (trusted setup). Security of $\Pi$ relies on a trusted party