Zero-knowledge (ZK) proof systems are a central cryptographic tool for anonymous authentication and in particular for transferable e-cash. Their main drawback is that they require a trusted setup, as is the case for their efficient variant, zk-SNARKs. At PKC'18, we proved that the main efficient SNARK schemes proposed so far remain zero-knowledge under setup subversion; we also showed that Zcash is anonymous even if its parameter-generation ceremony was subverted.
At ACNS'18 we proposed a (witness-indistinguishable) proof of knowledge that does not require any setup. And at CRYPTO'18 we proved Groth's SNARK (the most efficient scheme) sound in the algebraic group model, a weaker idealization than the generic group model, in which the scheme was originally proven secure.
The classical approach to (transferable) e-cash consists of combining signatures with ZK proofs of knowledge: a coin is a proof of knowledge of a signature by the bank. Transferable e-cash uses re-randomizable proofs, as anonymity requires coins to change after every transfer, which leads to a loss in efficiency. Equivalence-class signatures avoid proofs, as their signatures and messages are randomizable themselves. We have used this primitive to construct the first anonymous credential scheme with constant-size credentials.
All of today's main cryptocurrencies rely on the concept of proof of work, which is the cause of the colossal energy consumption of these schemes. With researchers at MIT and IST Austria we have proposed a cryptocurrency scheme whose security relies on proof of space instead.
All cryptocurrencies store every transaction that ever occurred in the blockchain forever, and keeping this history is essential to verify the system state. Mimblewimble is a proposal for a cryptocurrency that requires storing only the current state and discards spent transaction outputs, while maintaining verifiability. We have recently finished a formal security evaluation of the proposal.
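The balance check that lets Mimblewimble discard spent outputs yet still verify the state, as a toy Python illustration added here; it is not code from the paper or any Mimblewimble implementation, and the integer commitment scheme with the constants Q, G and H is constructed for the example:

```python
# Toy model of Mimblewimble's balance check and "cut-through" (added illustration).
# Commitments are integers modulo a prime, C = r*G + v*H (mod Q): this keeps the
# additive homomorphism the check relies on, but unlike a Pedersen commitment on
# an elliptic curve it is neither hiding nor binding, so it proves nothing on its own.
import secrets

Q = 2**127 - 1                         # toy group order (constructed)
G, H = 1234567891011, 9876543210987    # toy "generators": fixed scalars (constructed)

def commit(r, v):
    return (r * G + v * H) % Q         # r blinds, v is the coin value

class Output:
    def __init__(self, value):
        self.r = secrets.randbelow(Q)  # blinding factor, known to the owner only
        self.v = value
        self.C = commit(self.r, self.v)

def coinbase(value):
    """New supply: output minus value*H must equal a published excess r*G."""
    out = Output(value)
    return out, commit(out.r, 0)

def make_tx(inputs, outputs):
    """Spend: values cancel, so sum(out) - sum(in) is a pure blinding term
    r_excess*G, published as the kernel (in real MW it is signed with r_excess)."""
    r_excess = (sum(o.r for o in outputs) - sum(i.r for i in inputs)) % Q
    return {"in": inputs, "out": outputs, "kernel": commit(r_excess, 0)}

def tx_valid(tx):
    lhs = (sum(o.C for o in tx["out"]) - sum(i.C for i in tx["in"])) % Q
    return lhs == tx["kernel"]

def state_valid(utxo, kernels, supply):
    """Chain check after cut-through: spent outputs are gone; only the UTXO set,
    the kernels and the (public) total supply are needed."""
    return (sum(o.C for o in utxo) - commit(0, supply)) % Q == sum(kernels) % Q

def demo():
    cb, k0 = coinbase(50)                        # 50 coins minted to Alice
    to_bob, change = Output(30), Output(20)
    tx1 = make_tx([cb], [to_bob, change])        # Alice -> Bob 30, change 20
    to_carol = Output(30)
    tx2 = make_tx([to_bob], [to_carol])          # Bob -> Carol 30
    utxo = [change, to_carol]                    # cb and to_bob are cut through
    forged = make_tx([change], [Output(25)])     # tries to spend 25 out of 20
    return (tx_valid(tx1), tx_valid(tx2),
            state_valid(utxo, [k0, tx1["kernel"], tx2["kernel"]], 50),
            tx_valid(forged))
```

The chain check passes without the two discarded outputs because each spent output appears once as an output and once as an input and cancels; the forged transaction fails because the 5*H value surplus cannot be absorbed into a kernel.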