The Bitcoin payment network offers a highly decentralized mechanism for creating and transferring electronic cash around the world. Unfortunately, Bitcoin suffers from a major limitation: since transactions are stored in a public ledger (called the “block chain”) it may be possible to trace the history of any given payment — even years after the fact. Worse, since the Bitcoin ledger is public, any party can recover this information and data mine to identify users and patterns in the transactions. In other words: Bitcoin transactions are conducted in public.

The Bitcoin protocol and clients address this in two ways: (1) all Bitcoin transactions are conducted using public keys as identifiers, and these public keys are not linked to individual names. And (2) Bitcoin clients are capable of generating many public keys (“identities”) to help users resist tracking. Unfortunately, a growing body of research indicates that these protections are insufficient. This information may allow data miners to link individual transactions, identify related payments, and otherwise trace the activities of Bitcoin users.

The most common solution to this problem is to use Bitcoin laundries – services that mix together many users’ bitcoins in order to obfuscate the transaction history. Laundries suffer from a number of potential drawbacks, however, as they must be trusted to return coins. Moreover a compromised or malicious laundry offers no anonymity.

Zerocoin protocol allows direct anonymous payments between parties. Zerocoin transactions exist alongside the (non-anonymous) Bitcoin currency. Each user can convert (non-anonymous) bitcoins into (anonymous) coins, which we call zerocoins. Users can then send zerocoins to other users, and split or merge zerocoins they own in any way that preserves the total value. Users can also convert zerocoins back into bitcoins, though in principle this is not necessary: all transactions can be made in terms of zerocoins.