edit: to the above poster, bitcoin is not mostly anonymous, in fact it is entirely non anonymous and totally public record. I think it is going to be hard to really understand Zerocoin at a low level if you can't figure out what the set of formulas in appendix B means. It explains their zero knowledge proof of knowledge algorithm. I tried to paste it here, but it cannot be displayed correctly. Needless to say, it looks like it is pretty advanced. [edit: removed formulas because pasting them fucked up all formatting and some characters cannot be displayed] One of the reasons why it is hard to figure out what is going on in this paper is because it is actually discussing at least three different things: a system to prevent double spending, a system to allow for anonymous spending and a way to integrate all of this with the current Bitcoin network. Also they are describing the systems that they use briefly, to really have a good chance of understanding this you should also read the cited papers , for example there is an entire paper dedicated to the accumulator and blind witness technique that they are using, but they summarize it in a few paragraphs. So, the user generates a zerocoin (C) which is a commitment to the coin serial number (S). C is unlocked with a random number (R) into S. At the risk of being repetitive, I will repost the example of such a mechanism that I showed previously: The Commitment (coin) C = fc4b5fd6816f75a7c81fc8eaa9499d6a299bd803397166e8c4cf9280b801d62c The Random Number R = 0283da60063abfb3a87f1aed845d17fe2d9ba8c780b478dc4ae048f5ee97a6d5 The coin serial number S = efdf88c3315309fa0d4245389d79e035cd761813b85a954f2b924f81ee6bb248 because SHA256(C || R) == S Now the user needs to add the value C to a public accumulator. As I mentioned before, accumulators are constructs such as bloom filters, they are for checking for set membership of an object. It is probably even correct to consider a list of items as an accumulator, which can be checked to see if it contains element A with the algorithm (A == A1) OR (A == A2) OR ... OR (A == An). This OR based example is actually about the worst possible performing accumulator possible, but I just am trying to show that all an accumulator is , is something that can be queried with some data (a witness, the object itself in the previous example) to determine if the queried for item is present. Now one of the most tricky things to wrap your head around is how the Zerocoin accumulator is queried for element C, and this is really the heart of Zerocoin. Now in the OR based example I just now wrote about, the verifier is given the actual item to check for its presence in the accumulator. In a bloom filter, they are given the item itself as well in some cases, or in others just the items hash. Regardless, the point is that in both of these examples the verifier can determine which element the client is checking for the presence of , if the verifier knows all the items that have been accumulated. The Zerocoin scheme allows for the client to prove to the verifier that it knows an element in the accumulator, without the verifier being able to determine anything about which of the elements in the accumulator the client is proving that it knows about. Put another way, the Zerocoin accumulator scheme allows the client to prove to the verifier that it has a Zerocoin in the accumulator, without revealing which of the Zerocoins it is (this mechanism is where the anonymity comes from). Even more impressively, it allows the client to prove that the element (C) which is present in the accumulator (ie: the Zerocoin the client has in the accumulator), opens up to serial number S (something that would only be known by the person who created the element C in the first place), without the verifier being able to determine which of the C's in the accumulator open up to S, and without the verifier learning the secret number R (this mechanism protects from double spending, and keeps the person who put the Zerocoin into the accumulator in charge of it)! The anonymity of Zerocoin is derived from the fact that the verifier cannot determine which element C the client proves knowledge of (ie: the client can prove that it has a Zerocoin in the accumulator without revealing which of the Zerocoins it is). So Alice adds an element C to the accumulator (ie: Alice gets a Zerocoin). Of course, she also needs to be charged some bitcoins to add the element to the accumulator (ie: She needs to buy the Zerocoin from the Bitcoin network with Bitcoins), and I believe this is where the full Bitcoin integration request comes from. They want the current Bitcoin network to be modified so that Alice can essentially return X Bitcoins to the entire network, so that they are not under the control of anybody anymore, and in return for doing this Alice can add an element C worth that value of Bitcoins to the accumulator, which they also want to be run distributed over the Bitcoin network. After sending X Bitcoins back to the network and then adding element C to the accumulator, Alice can use the Zerocoin proof of knowledge formula to create what I will call a blinded witness (and what the paper calls a zero knowledge signature of knowledge). The blinded witness is the information that allows Alice to prove to the verifier that she knows of an element C in the accumulator (ie: it lets her prove that she has a Zerocoin in the accumulator), and to prove that the element C opens up to the never before used serial number S (ie: it lets her prove that she has not spent the Zerocoin before). I actually would prefer calling the (Blinded Witness, Serial Number) pair a Zerocoin, rather than the value C in the accumulator. However, in order to not go against the terminology defined in the paper, I will instead call the (Blinded Witness, Serial Number) pair a "Bitcoin Redemption Slip", or BRS for brevity. Alice could very well send her BRS to Bob, who she is doing business with. However, it makes a bit more sense for Alice to merely use her BRS to have coins sent to Bobs Bitcoin address. There are actually a lot of different ways in which it can be used. Assume that Alice actually does send her BRS to Bob. Now after Bob obtains the BRS from Alice, he can send it to the Bitcoin network, where the blinded witness is used with the Zerocoin zero knowledge system to prove that: A. Bob put a value C (aka: Zerocoin) into the accumulator (or, in this case, Bob was sent a BRS by somebody who did) and B. Bob knows a unique value S which C opens up to (which means that the BRS has never been used before) Thanks to the cryptographic properties of the Zerocoin accumulator and zero knowledge proof of knowledge scheme (blinded witness) , the verifier cannot link Bob to any specific C in the accumulator, despite being able to tell that Bob (or somebody who did business with Bob) put a C into the accumulator. This means that the verifier cannot link Bob to Alice. Now that Bob has proven he has a Zerocoin in the accumulator, the Bitcoin network releases a Bitcoin to whatever Bitcoin address Bob tells it to, and it takes the released Bitcoin from the no mans land that Alice put them into, in order to put a C of equivalent value into the accumulator and get a BRS in the first place. Additionally, the network keeps track of serial number S, so that nobody can ever redeem the associated BRS for a Bitcoin again (ie: nobody can double spend). Now a passive adversary who observes the blockchain can determine that Alice put some Bitcoins into no mans land, and that Bob took some Bitcoins out of no mans land, but that is all of the information that they can get. If enough people are using the Zerocoin system, and the C values are standardized denominations, then the sheer volume of traffic will prevent traffic analysis from being carried out to link Bob and Alice. Additionally, because of the Zerocoin accumulator and ZKPOK properties, even the Bitcoin network / verifier itself cannot link Alice to Bob. If Alice redeems the BRS herself, in order to send Bitcoins to Bobs Bitcoin Address, rather than sending Bob the BRS for him to exchange for bitcoins himself, Alice will still learn one of Bobs bitcoin addresses. Since Bob doesn't trust Alice, he will be smart to then spend this Bitcoin on yet another BRS , and then redeem his new BRS for Bitcoins sent to another Bitcoin address that Alice is unaware of. By Bob taking this final step, Alice and Bob will not only be protected from being linked together by any third parties, but additionally Alice will be prevented from determining the Bitcoin address that Bob cashes out from.