Topic: Critical flaws in zerocoins (Read 153 times)

newbie
Activity: 160
Merit: 0
April 14, 2018, 05:25:19 AM
#6
Of course, I think it is best to wait on this case, because over time it will take the top spot over all projects. The main thing is to believe.
QFT
sr. member
Activity: 476
Merit: 250
April 13, 2018, 01:35:13 PM
#5
Zcoin, PIVX, SmartCash, Zoin, and Hexxcoin have been vulnerable to the denial-of-spending attack. Of those currencies, Zcoin and Zoin are still vulnerable at the time of writing.

Quote
A denial-of-spending attack on Zerocoin

In both of the proposed Zerocoin schemes, a minted zerocoin is represented by a public bitstring, which is a commitment to the serial number but hides the serial number at the time of minting. Users are supposed to choose a random serial number to ensure that it is unique (with very high probability). However, an attacker can, instead of taking a new random serial number, freely choose the serial number when he mints a zerocoin.


Quote
This leads to the following attack:

An honest user tries to spend her (honestly generated) zerocoin and sends the spend transaction (including the serial number) to the network. An attacker, who is assumed to have control over the victim's network, now blocks that message such that it never reaches the nodes of the cryptocurrency. Then the attacker mints a new malicious zerocoin with the exact same serial number. The attacker can now spend this malicious zerocoin, revealing the serial number.

As soon as this spend transaction performed by the attacker is confirmed, the nodes in the cryptocurrency network record this serial number as used. As a result, the honest user cannot spend her zerocoin anymore.

Tl;dr: Basically, some number that should be randomly generated while minting coins turns out to be something there are ways to ignore. Some evil bastards can exploit that shit and choose whatever number they want in place of that random number. As a result, he can print as many coins as he wants on those networks mentioned above.

As far as I know PIVX is the biggest coin on that list. R.I.P.

Thanks for the summary, it seems a little more severe than I thought.
legendary
Activity: 3276
Merit: 2442
April 13, 2018, 01:31:03 PM
#4
Zcoin, PIVX, SmartCash, Zoin, and Hexxcoin have been vulnerable to the denial-of-spending attack. Of those currencies, Zcoin and Zoin are still vulnerable at the time of writing.

Quote
A denial-of-spending attack on Zerocoin

In both of the proposed Zerocoin schemes, a minted zerocoin is represented by a public bitstring, which is a commitment to the serial number but hides the serial number at the time of minting. Users are supposed to choose a random serial number to ensure that it is unique (with very high probability). However, an attacker can, instead of taking a new random serial number, freely choose the serial number when he mints a zerocoin.


Quote
This leads to the following attack:

An honest user tries to spend her (honestly generated) zerocoin and sends the spend transaction (including the serial number) to the network. An attacker, who is assumed to have control over the victim's network, now blocks that message such that it never reaches the nodes of the cryptocurrency. Then the attacker mints a new malicious zerocoin with the exact same serial number. The attacker can now spend this malicious zerocoin, revealing the serial number.

As soon as this spend transaction performed by the attacker is confirmed, the nodes in the cryptocurrency network record this serial number as used. As a result, the honest user cannot spend her zerocoin anymore.

Tl;dr: Basically, some number that should be randomly generated while minting coins turns out to be something there are ways to ignore. Some evil bastards can exploit that shit and choose whatever number they want in place of that random number. As a result, he can print as many coins as he wants on those networks mentioned above.

As far as I know PIVX is the biggest coin on that list. R.I.P.

Edit: That was a bit confusing. The attacker mints a coin and can spend what he created, but the honest miner can't (because the coins they created share the same serial number). That's not what I thought, I guess. I mean it's not like printing coins (you know, like breaking the supply cap). The attacker can only block the honest miner's coins, if I understood correctly. Still very serious.
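A toy model of the node-side check behind the attack, added here as an illustration; it is not code from the thread or from the linked article. The commitment is a plain hash and the "proof" just reveals the commitment randomness, stand-ins for the real Zerocoin accumulator and zero-knowledge proof; it shows the effect described in the edit above: the attacker's coin spends, the honest coin becomes unspendable, and the minted-versus-redeemed count shows no extra coins are created.

```python
import hashlib
import secrets
from dataclasses import dataclass


def commit(serial: int, r: int) -> str:
    """Toy stand-in for the Zerocoin commitment: binds the serial but hides it until spend."""
    return hashlib.sha256(f"{serial}:{r}".encode()).hexdigest()


@dataclass
class Coin:
    serial: int
    r: int  # commitment randomness, the coin holder's secret

    @property
    def commitment(self) -> str:
        return commit(self.serial, self.r)


def mint_honest() -> Coin:
    # Honest wallets draw a fresh random serial, so accidental collisions are negligible.
    return Coin(secrets.randbits(256), secrets.randbits(256))


class Ledger:
    """A node's view: minted commitments (accumulator stand-in) plus the spent-serial set."""

    def __init__(self) -> None:
        self.minted: set[str] = set()
        self.spent_serials: set[int] = set()
        self.redeemed = 0

    def accept_mint(self, coin: Coin) -> None:
        self.minted.add(coin.commitment)

    def accept_spend(self, serial: int, r: int) -> bool:
        # Nodes only see a serial and a membership proof; any minted commitment to that
        # serial satisfies the check, and a serial may be redeemed exactly once.
        if commit(serial, r) not in self.minted or serial in self.spent_serials:
            return False
        self.spent_serials.add(serial)
        self.redeemed += 1
        return True


def denial_of_spending() -> dict:
    """Constructed scenario from the article: honest spend blocked, serial reused by attacker."""
    ledger = Ledger()
    honest = mint_honest()
    ledger.accept_mint(honest)
    intercepted_serial = honest.serial  # the blocked spend message exposed the serial
    attacker = Coin(intercepted_serial, secrets.randbits(256))  # chosen, not random, serial
    ledger.accept_mint(attacker)
    attacker_ok = ledger.accept_spend(attacker.serial, attacker.r)
    honest_ok = ledger.accept_spend(honest.serial, honest.r)  # now rejected as a double spend
    return {"attacker_spend": attacker_ok, "honest_spend": honest_ok,
            "minted": len(ledger.minted), "redeemed": ledger.redeemed}
```

Two coins were minted and only one is ever redeemed, so the attack locks the honest coin rather than inflating supply; the defensive point is that uniqueness of the serial rests on the minter's choice, which the commitment alone does not enforce.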

newbie
Activity: 28
Merit: 0
April 13, 2018, 01:20:12 PM
#3
So, there is an article, explaining some serious flaws in zerocoins.
https://www.chaac.tf.fau.eu/2018/04/12/zerocoinzcoinpivxzoinsmartcashhexxcoin-attack/

You might be thinking that I am FUDDING my own coin right now, that I've posted about multiple times, but Zero(ZER) runs on the zero-cash protocol, not the zero-coin protocol.

Yes... I checked your link and it seems long... Can you summarize it? Thank you.

D25
full member
Activity: 238
Merit: 101
Decentralize The $15-Trillion Global Trade Industr
April 13, 2018, 01:07:52 PM
#2
That is quite the long article and I don't have time to read it. Could you explain for us tech newbies what the difference between the two is? I thought they were one and the same, or close to it.
full member
Activity: 392
Merit: 101
PVxYGaa1UZM6oDqW3ZKe4Esi18DgwBpDkr
April 13, 2018, 01:00:59 PM
#1
So, there is an article, explaining some serious flaws in zerocoins.
https://www.chaac.tf.fau.eu/2018/04/12/zerocoinzcoinpivxzoinsmartcashhexxcoin-attack/

You might be thinking that I am FUDDING my own coin right now, that I've posted about multiple times, but Zero(ZER) runs on the zero-cash protocol, not the zero-coin protocol.