Questions and Answers:

Why do I care?

Bitcoin is, in a lot of ways, less private than a bank account. With a bank, you only disclose your finances to the bank and their designees. With Bitcoin, you disclose it to the world since the block chain and all your transactions are public. Naïvely, you might think this is not an issue, since your name is not associated with your Bitcoin address(es)/public key(s). However, it is not very hard to identify who an address belongs to based on spending patterns. So if you have any desire for your neighbors or retailers not to know what you spend your money on, you should be interested in techniques to anonymize Bitcoin. Zerocoin is the only solution to this that offers provable anonymity even if everyone running the network is out to get you.

Will Zerocash be deployed in Bitcoin the Currency?

No. The Bitcoin core devs rightly decided that Zerocoin was too cutting edge to deploy in Bitcoin itself and, specifically in the case of the old Zerocoin protocol, had too many performance concerns. Although the Zerocash protocol fixes the performance concerns, the other issue is still present and we think rather valid: Bitcoin has a lot to lose and so needs to be cautious.

Bitcoin refers to a protocol and software stack originally developed by Satoshi Nakamoto. It also refers to the Bitcoin currency, which is one of several crypto-currencies that use Nakamoto’s protocol or a variant. This leads to some confusion in terminology: when our paper and parts of this website refers to Bitcoin, we are usually referring to Bitcoin the protocol and codebase that underlies both Bitcoin the currency and numerous other altcoins, not the actual currency itself.

Can I use it now?

Not yet. We are planning on releasing an alt-coin using the Zerocash protocol. We are currently in the process of finishing a release version of the client, based on the Bitcoin 0.9.1 codebase: there’s a big difference between research software, and a working release grade client we can stand behind. Our goal is to release this code in a production-quality form that the community can use to stand up a real, functioning currency. We will be providing further updates on this site.

What’s this about a backdoor?

There is no backdoor and there never was. This was a misinterpretation of the following quote in the original paper and a less than ideally phrased answer in an interview.

Since all Bitcoin transactions are public, anonymous transactions are necessary to avoid tracking by third parties even if we do not wish to provide the absolute anonymity typically associated with e-cash schemes. On top of such transactions, one could build mechanisms to partially or explicitly identify participants to authorized parties (e.g., law enforcement). However, to limit this information to authorized parties, we must first anonymize the underlying public transactions.

The idea was even if you are one of the “if you haven’t done anything wrong, you have nothing to hide [from the government]” people (an assertion that we by no means agree with), you’d still want privacy from the general public. After all, we have banking secrecy laws for a reason – you don’t want your neighbors knowing your financial details even if you want the FBI to know everything about criminals or terrorists. Even if you wanted that world, you’d need something like Zerocoin to make sure only the “good guys” could use it.

Could you put a backdoor in it?

Not covertly. The paper has a provably secure protocol in it which is anonymous (technical note: anonymity holds even if the trusted set up is screwed with, so no that’s not a backdoor), so absent modifications there is no way to track users. The software will be open source and so any attempt to modify the protocol by inserting a backdoor would be rather obvious.

As with any protocol (Bitcoin included), the government could mandate an overt locked “frontdoor” so to speak. On a technical level, these kind of things tend not to work for decentralized systems. Moreover, since Zerocoin will be open source any version that had such a frontdoor in it would likely be forked and have it removed.

What about criminal use of Zerocash?

Zerocash’s privacy guarantees are designed to benefit legitimate users who do not want their financial details made public. There is a concern, as always, that decentralized anonymous payments will facilitate laundering of ill-gotten funds by criminal users. As we now explain, however, Zerocash barely affects the status quo for criminal users, who already have strong incentives to hide their activity, while it provides notable benefits to legitimate users.

First, the main difficulty with money laundering does not typically lie in how to privately transfer money from one person to another, but in how to make the eventual income appear legitimate: for regulatory purposes, one still has to present credible sources to justify the income, regardless of the technical means by which it was transferred. In this respect, Zerocash does not help.

Second, even without the “help” of Zerocash, criminal users can already anonymize their activities via existing financial systems (e.g., by using cash) or Bitcoin (e.g., by using mixes). Thus, the introduction of yet another method to anonymously move money is of little consequence.

Finally, Bitcoin is increasingly subject to regulation that narrows the gap between it and traditional financial systems. For instance, Bitcoin exchanges are required to identify customers conducting sufficiently-large transfers to/from traditional currencies. Presumably such regulations would apply to Zerocash exchanges as well.

What about the balance between accountability and privacy?

Zerocash extensions can accommodate various choices of balance between accountability and privacy.

For instance, there are promising techniques for preventing money laundering without violating the privacy of legitimate users (e.g., CHL06). Roughly, the idea is to build the cryptographic protocol so that, once the total amount paid between any two users (over any number of payments) exceeds some public threshold, the payments are not private. Zerocash could incorporate such techniques (though the initial prototype does not do so).

More generally, the underlying zk-SNARK cryptographic proof machinery is flexible enough to enforce a wide range of policies. It can, for example, let users prove that they paid the taxes due on all transactions, without revealing those transactions, their amounts, or even the amount of taxes paid. As long as the policy can be specified by efficient “nondeterministic” computation, it can (in principle) be enforced using zk-SNARKs and added to Zerocash. This can help to verify and enforce a wide range of compliance and regulatory policies in manner that is non-invasive to privacy. Morever, once codified, policies will be enforced even in the presence of corrupt employees among the authorities.

This raises intriguing research, policy, and engineering questions over what policies are desirable and practically realizable.