Auditable Zerocoin.

Bitcoin is the first widely adopted decentralized digital e-cash system. All Bitcoin transactions that include addresses of senders and receivers are stored in the public blockchain which could cause privacy problems. The Zerocoin protocol hides the link between individual Bitcoin transactions without adding trusted third parties. However such an un-traceable remittance system could cause illegal transfers such as money laundering. In this paper we address this problem and propose an auditable decentralized e-cash scheme based on the Zerocoin protocol. Our scheme allows designated auditors to extract link information from Zerocoin transactions while preventing other users including miners from obtaining it. Respecting the mind of the decentralized system, the auditor doesn't have other authorities such as stopping transfers, confiscating funds, and deactivating accounts. A technical contribution of our scheme is that a coin sender embeds audit information with a non-interactive zero-knowledge proof of knowledge (NIZKP). This zero-knowledge prevents malicious senders from embedding indiscriminate audit information, and we construct it simply using only the standard Schnorr protocol for discrete logarithm without zk-SNARKs or other recent techniques for zero-knowledge proof.