Zeno de Angeli

Master’s student in Information Security, specializing in Cryptography and Cryptocurrency.

5 minute read

Introduction

This is a short write-up on Firo, a privacy-focused cryptocurrency that caught my attention during my course on Cryptocurrencies for my MSc. Firo (previously known as ZCoin) aims to provide high levels of financial privacy without sacrificing trustlessness. What makes it interesting is how they’ve solved some fundamental problems that other privacy coins have.

Most cryptocurrencies have a privacy problem. For example, Bitcoin’s philosophy on privacy is that, as long as users utilise pseudonomyns, their privacy is safe, but this is not the case. Beyond having Bitcoin transactions be completely public, clever people can trace back transactions by following change addresses (addresses that are utilised once to store the change of a Bitcoin transaction). Someone might say that CoinJoins fix this problem, but they introduce the need to communicate with other users to obfuscate the inputs and outputs of a transaction.

Firo takes a different approach. They’ve built a system that provides strong privacy guarantees while maintaining the trustless properties expected out of privacy coins.

No Trusted Setup Required

Firo’s Spark Transaction Protocol doesn’t need a trusted setup. This is pretty important because trusted setups are always a potential point of failure (i.e. for example, Zcash requires a trusted setup for their zero knowledge proof system). If the setup is compromised, the entire system’s privacy can be broken.

Large Anonymity Sets

Firo achieves large anonymity sets of $2^{16}$ through a sliding window mechanism. Instead of starting fresh with each anonymity set, they overlap them so new sets are never “empty.” You’re always mixing with a substantial number of other transactions.

Groth-Bootle Proofs

The system uses Groth-Bootle One-out-of-Many proofs. These are zero-knowledge proofs that allow you to burn and redeem Firo coins of arbitrary size while keeping the change hidden. You don’t leak information about transaction amounts.

The mathematical foundation relies on the discrete logarithm assumption over elliptic curve groups. For a cyclic group $\mathbb{G}$ of prime order $q$ with generators $g, h \in \mathbb{G}$, the prover demonstrates knowledge of a secret witness $(w, r) \in \mathbb{Z}_q^2$ such that:

\[C_i = g^w h^r\]

where $C_i$ belongs to the anonymity set $\mathcal{S} = {C_1, C_2, …, C_n}$ without revealing the index $i$.

The one-out-of-many relation is formally defined as:

\[\mathcal{R}_{1\text{-out-of-}n} = \left\{((\mathbf{C}, i, w, r) : C_i = g^w h^r \land i \in [1,n]) \right\}\]

The commitment scheme employs the Pedersen construction: \(\text{Com}(m, r) = g^m h^r\)

Where the binding property relies on the discrete logarithm assumption: $\log_g h$ is unknown.

The proof size scales as $\mathcal{O}(\log n)$ bits, where $n$ is the anonymity set size, achieved through recursive folding techniques that reduce the statement:

This cryptographic primitive fundamentally breaks the transaction graph analysis found in Bitcoin, since observers cannot determine which coins are being spent or link inputs to outputs. The proof system maintains perfect hiding of both coin ownership and transaction amounts while providing computational soundness under standard cryptographic assumptions.

IP Address Protection

Lastly, Firo implements Dandelion++, a protocol that hides the IP addresses used for transactions. This protocols has two phases:

  1. Stem Phase: Let’s say user $U_0$ creates a transaction and gives it to $U_1$. The transaction, in the stem phase, will jump up to $n$ users before it’s announced to the entire network. In such way, $U_1$ does not know that the originator of the transaction is $U_0$, as they may simply be someone part of the stem phase.
  2. Fluff Phase: In the fluff phase, instead, the transaction gets announced to the rest of the network by user $U_n$. The objective of Dandelion++ is to obfuscate the origin of the transaction, in such way that it cannot be traced back to the creator of said transaction. However, a study on this protocol has shown that, with enough presence in the system, a malicious actor is still able to trace the transaction back to its origin. The figure below should give a pretty good intuitive understanding of the system.
Dandelion++ Visualization


How Spark Works

The core of Firo’s privacy comes from their Spark Transaction Protocol.

Spark addresses consist of a tuple of three keys: \((addr_{in}, addr_{full}, addr_{sk})\) These keys work together to let you generate any number of diversified public addresses from a single Spark address. These diversified addresses are indistinguishable from each other. Even if someone knows one of your addresses, they can’t link it to your other addresses.

Here’s how the protocol flows:

Example commit rule cordial miners - partially synchronous version


The process:

  1. Create Address: Your Spark address generates a diversified public address using $addr_{in}$ and some index $i$
  2. Create Coin: When someone sends you Firo, they create a coin associated with your diversified address
  3. Mint: The coin gets minted into the anonymity set
  4. Identify: Your Spark address can identify which coins belong to you
  5. Recover: You can recover the coin information
  6. Spend: You can spend the coin, which burns it and creates a new coin for the recipient

Coins don’t carry transaction history by default. When you receive a coin, it’s “clean.” There’s no way to trace where it came from or link it to previous transactions.

Benefits of Firo

The biggest problem with Bitcoin and similar cryptocurrencies is coin taint. If you receive Bitcoin that was previously used in illegal activities, your coins might be flagged by exchanges. This creates a situation where some bitcoins are worth less than others.

Firo solves this completely. Since coins don’t carry transaction history, there’s no such thing as “tainted” coins. Every Firo coin is identical to every other Firo coin.

Conclusion

Firo represents a mature approach to cryptocurrency privacy. Instead of bolting privacy features onto an existing system, they’ve designed the entire protocol around privacy from the ground up.

The combination of no trusted setup, large anonymity sets, zero-knowledge proofs, and IP address protection creates a system that provides strong privacy guarantees. The fact that coins don’t carry transaction history is particularly elegant. It solves the fungibility problem that most cryptocurrencies have.

For anyone interested in financial privacy, Firo is worth looking at. The Spark protocol shows that it’s possible to have both strong privacy and trustless operation.