In this paper the authors describe Zerocoin, a distributed e-cash system that uses cryptographic techniques to break the link between individual Bitcoin transactions without adding trusted parties. To do this, the authors first define the abstract functionality and security requirements of a new primitive that they call a decentralised e-cash scheme. We next propose a concrete instantiation and prove it secure under standard cryptographic assumptions. Finally, we describe the specific extensions required to integrate our protocol into the Bitcoin system and evaluate the performance of a prototype implementation derived from the original open-source Bitcoin client.

This is not the first paper to propose e-cash techniques for solving Bitcoin’s privacy problems. However, a common problem with many e-cash protocols is that they rely fundamentally on a trusted currency issuer or “bank,” who creates electronic “coins” using a blind signature scheme. One solution (attempted unsuccessfully with Bitcoin is to simply appoint such a party. Alternatively, one can distribute the responsibility among a quorum of nodes using threshold cryptography. Unfortunately, both of these solutions introduce points of failure and seem inconsistent with the Bitcoin network model, which consists of many untrusted nodes that routinely enter and exit the network. Moreover, the problem of choosing long-term trusted parties, especially in the legal and regulatory grey area Bitcoin operates in, seems like a major impediment to adoption. Zerocoin eliminates the need for such coin issuers by allowing individual Bitcoin clients to generate their own coins — provided that they have sufficient classical Bitcoins to do so.