Bitcoin is the first digital currency to see widespread adoption. Although payments are
conducted between pseudonyms, Bitcoin cannot offer strong privacy guarantees: payment
transactions are recorded in a public decentralized ledger, from which much information can
be deduced. Zerocoin (Miers et al., IEEE S&P 2013) tackles some of these privacy issues by
unlinking transactions from the payment’s origin. Yet it still reveals payment destinations and
amounts, and is limited in functionality.
In this paper, we construct a full-fledged ledger-based digital currency with strong privacy
guarantees. Our results leverage recent advances in zero-knowledge Succinct Non-interactive
ARguments of Knowledge (zk-SNARKs).
We formulate and construct decentralized anonymous payment schemes (DAP schemes). A
DAP scheme lets users pay each other directly and privately: the corresponding transaction
hides the payment’s origin, destination, and amount. We provide formal definitions and proofs
of the construction’s security.
We then build Zerocash, a practical instantiation of our DAP scheme construction. In
Zerocash, transactions are less than 1 kB and take under 6 ms to verify — orders of magnitude
more efficient than the less-anonymous Zerocoin and competitive with plain Bitcoin.