A new analysis, titled ‘Burning Zerocoins for fun and profit,’ exposes several flaws in Zerocoin, a privacy extension used by several cryptocurrencies to improve the anonymity of transactions. The study was published by the Chair of Applied Cryptography on April 12, 2018. The German authors said, “We identified critical coding issues in a software library implementing Zerocoin, allowing an attacker to create money out of thin air and steal coins from honest users.”
What is Zerocoin?
Zerocoin was originally proposed as a cryptographic extension to Bitcoin that enables fully anonymous transactions. It was designed by a team of cryptographers from the Johns Hopkins University Department of Computer Science, Baltimore: Ian Miers, Christina Garman, Matthew Green and Aviel D. Rubin.
The original Zerocoin research paper described it as, “A distributed e-cash system that uses cryptographic techniques to break the link between individual bitcoin transactions without adding trusted parties.” Zerocoin is built around two operations, mint and spend. Minting converts a fixed denomination of ordinary coins into a zerocoin of the same value; spending later redeems that zerocoin for ordinary coins without revealing which mint it came from.
During minting, the user picks a random serial number and random commitment randomness, publishes a cryptographic commitment to the serial number on the blockchain, and pays the coin’s value into the mint transaction. The serial number itself stays hidden at this point. To spend, the user reveals the serial number together with a zero-knowledge proof that it belongs to one of the commitments recorded on the blockchain, without indicating which one. Every node keeps the list of serial numbers that have already been revealed and rejects any spend whose serial number is on that list; that check, not the proof itself, is what prevents double spending.
Denial of Spending Attack
Out of the two major flaws highlighted by the paper, the more worrisome one is the denial of spending attack. The serial number that nodes check at spend time is simply a value the user picks at random when minting. Nothing in the protocol ties that value to the user who chose it: anyone can mint a coin carrying any serial number, including one that has already been chosen by somebody else.
An attacker who learns an honest user’s serial number, whether by gaining access to that user’s wallet or merely by watching the network, since the serial number appears in the clear in the victim’s spend transaction before it is confirmed, can mint a fresh zerocoin with the same serial number instead of a new one. The attacker then spends that coin on the network or transfers it to some other account and gets the spend confirmed first. Because nodes have now recorded this serial number as spent, they will reject the honest user’s legitimate spend with the matching serial number as a double spend, and the victim’s coin becomes permanently unspendable.
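The mint and spend bookkeeping described above, together with the denial-of-spending race, as an added Python simulation that is not code from the paper, from libzerocoin or from any Zerocoin deployment. SHA-256 hashes stand in for Pedersen commitments and a revealed commitment opening stands in for the zero-knowledge membership proof, a deliberate simplification that makes the toy non-anonymous but keeps the serial-number logic intact; the coin fields, ledger class and function names are all ours. The `bound_serials` variant is one illustration of a fix, the Zerocash construction in which the serial number is derived from a spending secret and the proof covers that derivation; it is not a claim about what the paper itself recommends.

```python
"""Toy Zerocoin-style ledger: mint, spend, double-spend check and the
denial-of-spending race. Added illustration, not libzerocoin code.

Simplifications (deliberate): commitments are SHA-256 hashes rather than
Pedersen commitments, and the spender reveals the commitment opening instead
of giving a zero-knowledge accumulator-membership proof. That leaks which
coin is being spent, but the serial-number bookkeeping is unchanged.
"""
from __future__ import annotations

import hashlib
import secrets
from dataclasses import dataclass, replace


def H(*parts: bytes) -> bytes:
    """Length-prefixed SHA-256 so (b"ab", b"c") and (b"a", b"bc") differ."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()


@dataclass(frozen=True)
class Coin:
    serial: bytes      # S: hidden at mint, revealed at spend, checked for reuse
    sk: bytes          # spending secret (bound scheme only; empty otherwise)
    rho: bytes         # nonce S is derived from (bound scheme only)
    r: bytes           # commitment randomness
    commitment: bytes  # the only thing that goes on the ledger at mint time


def mint_free_serial(serial: bytes) -> Coin:
    """Zerocoin as described above: the user picks S freely, c = Commit(S, r)."""
    r = secrets.token_bytes(32)
    return Coin(serial, b"", b"", r, H(b"coin", serial, r))


def mint_bound_serial() -> Coin:
    """Hardened variant (Zerocash construction): S = PRF_sk(rho), and the
    commitment covers pk = H(sk) and rho, so a verifier can check that S was
    derived from a secret the spender actually knows."""
    sk, rho, r = (secrets.token_bytes(32) for _ in range(3))
    return Coin(H(b"sn", sk, rho), sk, rho, r, H(b"coin", H(b"pk", sk), rho, r))


class Ledger:
    def __init__(self, bound_serials: bool):
        self.bound_serials = bound_serials
        self.accumulator = set()    # minted commitments
        self.spent_serials = set()  # serial numbers already revealed

    def mint(self, coin: Coin) -> None:
        self.accumulator.add(coin.commitment)

    def spend(self, coin: Coin) -> bool:
        """Verify a spend. `coin` carries the revealed serial plus the opening
        that stands in for the zero-knowledge proof. True if accepted."""
        if coin.commitment not in self.accumulator:
            return False
        if self.bound_serials:
            opening_ok = (coin.commitment == H(b"coin", H(b"pk", coin.sk), coin.rho, coin.r)
                          and coin.serial == H(b"sn", coin.sk, coin.rho))
        else:
            opening_ok = coin.commitment == H(b"coin", coin.serial, coin.r)
        if not opening_ok or coin.serial in self.spent_serials:
            return False
        self.spent_serials.add(coin.serial)
        return True


def fresh_coin(bound_serials: bool) -> Coin:
    return mint_bound_serial() if bound_serials else mint_free_serial(secrets.token_bytes(32))


def honest_double_spend(bound_serials: bool) -> tuple[bool, bool]:
    """The intended protection: spending the same coin twice fails the second time."""
    ledger = Ledger(bound_serials)
    coin = fresh_coin(bound_serials)
    ledger.mint(coin)
    return ledger.spend(coin), ledger.spend(coin)


def denial_of_spending(bound_serials: bool) -> tuple[bool, bool]:
    """Returns (attacker_spend_accepted, victim_spend_accepted)."""
    ledger = Ledger(bound_serials)
    victim = fresh_coin(bound_serials)
    ledger.mint(victim)
    # The victim broadcasts a spend: its serial number is now public to anyone
    # watching unconfirmed transactions.
    leaked_serial = victim.serial
    # The attacker mints a coin carrying the victim's serial number and gets a
    # spend of it confirmed ahead of the victim's spend.
    if bound_serials:
        # Attacker cannot derive the leaked S from a secret of their own, so the
        # best they can do is claim it on a coin whose sk/rho do not match it.
        attacker = replace(mint_bound_serial(), serial=leaked_serial)
    else:
        attacker = mint_free_serial(leaked_serial)
    ledger.mint(attacker)
    attacker_ok = ledger.spend(attacker)
    victim_ok = ledger.spend(victim)  # rejected as a "double spend" if the attacker won
    return attacker_ok, victim_ok


if __name__ == "__main__":
    print("honest double spend, original:", honest_double_spend(False))  # (True, False)
    print("denial of spending, original: ", denial_of_spending(False))   # (True, False)
    print("denial of spending, bound S:  ", denial_of_spending(True))    # (False, True)
```

In the original scheme the attacker's spend is accepted and the victim's is rejected, so the victim's coin is burned; with serial numbers bound to a spending secret, the attacker can still mint a coin, but their spend fails the derivation check and the victim spends normally.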