Bitcoin, despite its reputation as anonymous internet cash, was never designed for perfectly private payments. For the promise of fully untraceable money, cryptocurrency fans have been waiting for Zerocoin—a technology designed to have default uncrackable anonymity. After years of development, that incognito cryptocash is finally showing signs of a life, now in the form of a stealthy startup.
Late last week, a company calling itself the Zerocoin Electric Coin Company published a post on AngelList, a website startups use to raise funds from private investors. Zerocoin’s new CEO and co-founder, cryptographer Zooko Wilcox-O’Hearn, confirms in an email to WIRED that the company will put into practice a version of the Zerocoin design (later known as Zerocash) created in 2013 and 2014 by a team of encryption researchers at Johns Hopkins, MIT, Technion and Tel Aviv University. Their goal: to build a bitcoin-like currency with the greatest privacy and anonymity protections that modern mathematics can offer.1
“Bitcoin is HTTP for money. We are HTTPS,” reads Zerocoin’s AngelList description, an analogy to the layer of privacy enabled on encrypted web pages versus the surveillance perils of visiting an unencrypted site.
In fact, Zerocoin’s privacy advantages over bitcoin could be even more substantial than that HTTPS comparison implies: Bitcoin transactions are published on the blockchain, the public record of all bitcoin payments that serves as the backbone of the bitcoin economy. Any slip-up that identifies a user’s bitcoin addresses also makes it possible for anyone to trace all of his or her payments from and to those addresses. Zerocoin’s blockchain, on the other hand, uses a cryptographic trick known as a “zero-knowledge proof” to guarantee that transactions in the Zerocoin economy aren’t fraudulent or forged. But that zero-knowledge feature means that in contrast to bitcoin, Zerocoin’s blockchain doesn’t reveal anything about the payment’s origin, destination, or even the transaction’s amount. (Read the full paper Zerocoin’s creators presented at the 2014 IEEE Security and Privacy conference here.)
In other words, Zerocoin will let users spend internet cash with theoretically perfect anonymity. But Zerocoin’s new AngelList page also notes that if necessary, the same zero-knowledge proof trick can also allow a zerocoin user to forego that privacy and choose to reveal proof that any individual transaction was his or hers—say, as a receipt for some zerocoin purchase. “We are adding *selective disclosure* to Bitcoin and Blockchain technologies,” the AngelList page reads. “Transaction metadata in the Blockchain is confidential by default but can be disclosed to specific parties. This allows the best of both worlds: both strong privacy and transparency on the Blockchain.”
Just how Zerocoin will make money as a startup, however, is far from clear. For now, Wilcox-O’Hearn declined to answer any of WIRED’s questions about how the company will function, when it will officially launch, or how it plans to put its new cryptocurrency into circulation.
Like any bitcoin alternative, Zerocoin will no doubt face stiff competition from bitcoin itself, which already has buy-in from millions of users and an exchange rate that’s appreciated sharply in just the last week. Even so, a roster of influential angel investors have already invested $715,000 in Zerocoin, according to Wilcox-O’Hearn. Two early backers listed on the AngelList posting are Naval Ravikant, an investor in Twitter and Uber, and Barry Silbert, the founder of startup equity trading platform SecondMarket. Another is Roger Ver, a staunchly libertarian bitcoin mogul who’s made investments in startups like Blockchain.info and Bitpay, and who used his substantial crypto-fortune to bankroll much of the criminal defense of now-convicted Silk Road creator Ross Ulbricht.
Zerocoin also cites an impressive collection of “advisors” on its AngelList page. In addition to the academic teams that designed Zerocoin and Zerocash, those advisors also include Vitalik Buterin, the founder of buzzy cryptocurrency startup Ethereum, and Gavin Andresen, one of the first bitcoin coders and the chief scientist of the Bitcoin Foundation. The company’s CEO, Zooko Wilcox-O’Hearn, has crypto cred of his own: He’s the creator of the Tahoe Least Authority File Store, or Tahoe LAFS, a decentralized, encrypted file storage system.1
Even with those supporters, Zerocoin is sure to face criticism and even legal trouble because of the very privacy properties that make it unique: A cryptographically untraceable, anonymous currency could offer massive potential for money laundering and black market sales. The Silk Road’s federal prosecutors, after all, proved how valuable a tougher-to-track cryptocurrency would be to criminals, when they traced $13.4 million worth of bitcoin from the drug-selling site to its creator Ross Ulbricht’s laptop.
Zerocoin’s creators attempted to answer that concern in their online FAQ, pointing out that criminals can already make anonymous transactions with cash, or even with bitcoin if they’re careful to use “mixing” services like Dark Wallet or Bitcoin Fog that are designed to anonymize transactions. “The introduction of yet another method to anonymously move money is of little consequence,” they write. But cash can’t be spent online, and mixing services only make tracing payments more difficult—they don’t render it impossible, as Zerocoin’s zero-knowledge proofs are designed to do.
More convincingly, the Zerocoin authors also argue the opposite point: that the alternative to their cryptocurrency is to rely on bitcoin, whose blockchain can create real problems for any user seeking to keep his or her transactions private. “Would you want to publish your bank statement for everyone to see? Of course not: your bank statement can reveal…intimate details about your life,” they write. “For example, your payments to a psychiatrist could reveal that you have a mental health issue.”
Zerocoin’s coming launch as a startup, by contrast, revives the cryptocurrency community’s dream of truly anonymous money—with all the promises and perils that come with it. Stay tuned.
1Updated 11/5/2015 2:25pm EST to include more details of Zerocoin’s development and renaming in 2014 to Zerocash.