No cryptocurrency anonymity solutions have caused as much excitement as Zerocoin and its successor Zerocash. That’s both because of the ingenious cryptography that they employ and because of the powerful anonymity that they promise. Whereas all of the anonymity-enhancing technologies that we have seen so far add anonymity on top of the core protocol, Zerocoin and Zerocash incorporate anonymity at the protocol level. We’ll present a high-level view of the protocol here and necessarily simplify some details, but you can find references to the original papers in the Further Reading section. Compatibility. As we’ll see, the strong anonymity guarantees of Zerocoin and Zerocash come at a cost: unlike centralized mixing and Coin join, these protocols are not compatible with Bitcoin as it stands today. It is technically possible to deploy Zerocoin with a soft fork to Bitcoin, but the practical difficulties are serious enough to make this infeasible. With Zerocash, a fork is not even possible, and an alt coin is the only option. Cryptographic guarantees. Zerocoin and Zerocash incorporate protocol-level mixing, and the anonymity properties come with cryptographic guarantees. These guarantees are qualitatively better than those of the other mixing technologies that we have discussed. You don't need to trust anybody — mixes, peers, or intermediaries of any kind, or even miners and the consensus protocol — to ensure your privacy. The promise of anonymity relies only on the adversary’s computational limits, as with most cryptographic guarantees.

Zerocoin. To explain Zerocoin, we’ll first introduce the concept of Basecoin. Basecoin is a Bitcoin-like altcoin, and Zerocoin is an extension of this altcoin. The key feature that provides anonymity is that you can convert basecoins into zerocoins and back again, and when you do that, it breaks the link between the original basecoin and the new basecoin. In this system, Basecoin is the currency that you transact in, and Zerocoin just provides a mechanism to trade your basecoins in for new ones that are unlinkable to the old ones. You can view each zerocoin you own as a token which you can use to prove that you owned a basecoin and made it unspendable. The proof does not reveal which basecoin you owned, merely that you did own a basecoin. You can later redeem this proof for a new basecoin by presenting this proof to the miners. An analogy is entering a casino and exchanging your cash for poker chips. These serve as proof that you deposited some cash, which you can later exchange for different cash of the same value on exiting the casino. Of course, unlike poker chips, you can’t actually do anything with a zerocoin except hold on to it and later redeem it for a basecoin. To make this work in a cryptocurrency, we implement these proofs cryptographically. We need to make sure that each proof can be used only once to redeem a basecoin. Otherwise you’d be able to earn basecoins for free by turning a basecoin into a zerocoin and then redeeming it more than once.