This article has multiple issues. Please help improve it or discuss these issues on the talk page. (Learn how and when to remove these template messages)
Zerocoin is a privacy protocol proposed in 2013 by Johns Hopkins University professor Matthew D. Green and his graduate students, Ian Miers and Christina Garman. It was designed as an extension to the Bitcoin protocol that would improve Bitcoin transactions' anonymity by having coin-mixing capabilities natively built into the protocol. Zerocoin is not currently compatible with Bitcoin.
Due to the public nature of the blockchain, users may have their privacy compromised while interacting with the network. To address this problem, third-party coin mixing service can be used to obscure the trail of cryptocurrency transactions. In May 2013, Matthew D. Green and his graduate students (Ian Miers and Christina Garman) proposed the Zerocoin protocol where cryptocurrency transactions can be anonymised without going through a trusted third-party, by which a coin is destroyed then minted again to erase its history.
While a coin is spent, there is no information available which reveal exactly which coin is being spent. Initially, the Zerocoin protocol was planned to be integrated into the Bitcoin network. However, the proposal was not accepted by the Bitcoin community. Thus, the Zerocoin developers decided to launch the protocol into an independent cryptocurrency. The project to create a standalone cryptocurrency implementing the Zerocoin protocol was named "Moneta". In September 2016, Zcoin (XZC), the first cryptocurrency to implement the zerocoin protocol, was launched by Poramin Insom and team. In January 2018, an academic paper partially funded by Zcoin was published on replacing Proof-of-work system with memory intensive Merkle tree proof algorithm in ensuring more equitable mining among ordinary users. In April 2018, a cryptographic flaw was found in the Zerocoin protocol which allows an attacker to destroy the coins owned by honest users, create coins out of thin air, and steal users' coins. The Zcoin cryptocurrency team while acknowledging the flaw, stated the high difficulty in performing such attacks and the low probability of giving economic benefit to the attacker. In December 2018, Zcoin released an academic paper proposing the Lelantus protocol that removes the need for a trusted setup and hides the origin and the amount of coins in a transaction when using the Zerocoin protocol.
Transactions which use the Zerocoin feature are drawn from an escrow pool, where each coin's transaction history is erased when it emerges. Transactions are verified by zero-knowledge proofs, a mathematical way to prove a statement is true without revealing any other details about the question.
On 16 November 2013, Matthew D. Green announced the Zerocash protocol, which provides additional anonymity by shielding the amount transacted. Zerocash reduces transaction sizes by 98%, however was significantly more computationally expensive, taking up to 3.2GB of memory to generate. More recent developments into the protocol have reduced this to 40MB.
Zerocash utilizes succinct non-interactive zero-knowledge arguments of knowledge (also known as zk-SNARKs), a special kind of zero-knowledge method for proving the integrity of computations. Such proofs are less than 300 bytes long and can be verified in only a few milliseconds, and contain the additional advantage of hiding the amount transacted as well. However, unlike Zerocoin, Zerocash requires an initial set up by a trusted entity.
In the late 2014, Poramin Insom, a student in Masters in Security Informatics from Johns Hopkins University wrote a paper on implementing the zerocoin protocol into a cryptocurrency with Matthew Green as faculty member. Roger Ver and Tim Lee were Zcoin's initial investors. Poramin also set up an exchanged named "Satang" that can convert Thai Baht to Zcoin directly.
On 20 February 2017, a malicious coding attack on Zerocoin protocol created 370,000 fake tokens which perpetrators sold for over 400 Bitcoins ($440,000). Zcoin team announced that a single-symbol error in a piece of code "allowed an attacker to create Zerocoin spend transactions without a corresponding mint". Unlike Ethereum during the DAO event, developers have opted not to destroy any coins or attempt to reverse what happened with the newly generated ones.
In September 2018, Zcoin introduced the Dandelion protocol that hides the origin IP address of a sender without using a The Onion Router (Tor) or Virtual Private Network (VPN). In November 2018, Zcoin conducted the world's first large-scale party elections for Thailand Democrat Party using InterPlanetary File System (IPFS). In December 2018, Zcoin implemented Merkle tree proof, a mining algorithm that deters the usage of Application-specific integrated circuit (ASIC) in mining coins by being more memory intensive for the miners. This allows ordinary users to use central processing unit (CPU) and graphics card for mining, so as to enable egalitarianism in coin mining. On 30 July 2019, Zcoin formally departed from Zerocoin protocol by adopting a new protocol called "Sigma" that prevents counterfeit privacy coins from inflating coin supply. This is achieved by removing a feature called "trusted setup" from the Zerocoin protocol.
One criticism of zerocoin is the added computation time required by the process, which would need to have been performed primarily by bitcoin miners. If the proofs were posted to the blockchain, this would also dramatically increase the size of the blockchain. Nevertheless, as stated by the original author, the proofs could be stored outside of the blockchain.
Since a zerocoin will have the same denomination as the bitcoin used to mint the zerocoin, anonymity would be compromised if no other zerocoins (or few zerocoins) with the same denomination are currently minted but unspent. A potential solution to this problem would be to only allow zerocoins of specific set denominations, however, this would increase the needed computation time since multiple zerocoins could be needed for one transaction.
Depending on the specific implementation, Zerocoin requires two very large prime numbers to generate a parameter which cannot be easily factored. As such, these values must either be generated by trusted parties, or rely on RSA unfactorable objects to avoid the requirement of a trusted party. Such a setup, however, is not possible with the Zerocash protocol.