
Actually, zerocash is significantly different than other altcoins, in that it replaces digital signatures with zero knowledge proofs. It's technically very interesting, and seems like a believable next direction for Bitcoiners. The other direction would be some variant of ethereum.

If you don't believe that a general purpose one-size-fits-all blockchain technology can be easily and safely created, but you would prefer more privacy and security, Zcash is a frankly compelling idea, and deserves a look.

Monero uses a different scheme (ring signatures, essentially mixing in fake and real digital signatures) for privacy. To my knowledge, they don't duplicate the 'blinding' type of hiding about bucket recipients and ownership that zcash does.

Note also that BIP47 and the like are trying to add some of these privacy features into Bitcoin core, so there's lots of angles on improved privacy.



Two questions I've yet to receive answers on:

- my laptop is stolen in a compromised state (eg logged on, nothing left encrypted); can anyone trace my transactions?

- I've read suggestions that Zcash themselves can deanonymize every transaction, thanks to generating the initial "Genesis" block. Is that roughly right? (Ignoring obfuscation techniques like getting many other people to create separate signatures)

I'm definitely concerned that this comes with a lot of asterisks next to its claims.


Hi, I'm Ian, one of the scientists behind ZCash, Zerocash, and Zerocoin.

- laptop being stolen: An attacker will get how much money you have, and if you have kept around the private keys for all your addresses, when and how much you were paid, but not who paid you or who you paid. The attacker can use those keys to go back and decrypt the notifications that get posted to the blockchain that allow you to access a transaction. This gets them how much funds you have been sent and when. It doesn't tell them who sent it unless someone put identifying info in the memo field (e.g. 'For Homer Simpson's bar tab'), because senders are anonymous even to recipients. It also doesn't tell them anything directly about who you paid or how much. It does let them identify when you made payments though.

If you move your funds to a new address and delete those keys, then all an attacker gets is your current balance.

- deanonymize every transaction: We can't. The zero-knowledge proofs (zkSNARKs) we use to hide transaction data are zero-knowledge no matter what. The information simply isn't there.

The confusion is that there is an issue with setting things up to ensure we can't forge coins. The zkSNARKs that ZCash uses need to be generated correctly to ensure the proofs are sound (i.e. actually prove what they claim) and someone therefore cannot forge coins. We plan on doing a multiparty computation setup where if at least one party is honest, the parameters are correct. But zkSNARKs provide statistical zero-knowledge without trusted setup. So assuming the software correctly does the protocol, no one can ever deanonymize transactions (see my other comment on post-quantum security for the caveats) unless they get your keys.


Thanks Ian, I really appreciate your comprehensive answer :)

- laptop being stolen: cutting out potential ifs and buts, would it be drastically unfair of me to take that as: if your laptop's compromised, all bets are off?

- deanonymize every transaction: genuinely interesting, thanks for taking the time to educate me :)


Laptop being stolen: Certainly for normal users, yes. Don't let that happen. But you can protect yourself by moving funds to new addresses and deleting the old address keys. Poor man's forward secrecy. Since no one will probably do that, yeah .... all bets are off.


> you can protect yourself by [...] deleting the old address keys.

I think it's important to distinguish between "deleting" and "securely erasing" here. The former often provides only a layer of obscurity, while the latter takes expertise to perform reliably.

Ideally the wallet's key deletion functionality would include ensuring the private data doesn't remain on disk (and warn if the media makes this impossible), but I think this is more or less impossible; a secure erase facility really needs to be implemented at the OS level, since it requires knowledge of the workings of the filesystems in use as well as its interactions with the physical media. And it gets worse; in the case of any solid state devices that perform their own write balancing, even the operating system can't know what data has actually been lost.

Of course, if someone has your (unencrypted) hard drive digging around for old ZCash key data is probably low on the list of privacy-compromising information available to them anyway.
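The distinction drawn above (unlinking a name versus overwriting the bytes) can be seen in code. This is an added illustration, not code from any wallet or from the commenter: a plain delete beside a best-effort overwrite-then-unlink for a key file, with the thread's caveats about filesystems and solid-state media noted in the comments. The key bytes and the `demo` helper are constructed for the example.

```python
"""Plain delete vs. best-effort overwrite-then-unlink for a wallet key file.

Constructed example. Caveats raised in the thread apply: on journaling or
copy-on-write filesystems, with snapshots, or on SSDs that do their own
wear levelling, the OS cannot guarantee the old blocks are gone. Full-disk
encryption (so the stolen media is unreadable) is the dependable mitigation;
this routine only narrows the window on media that rewrite in place.
"""
import os
import secrets
import tempfile


def plain_delete(path):
    """What most 'delete key' buttons do: remove the directory entry.
    The data blocks stay on the media until something else reuses them."""
    os.remove(path)


def overwrite_then_unlink(path, passes=2):
    """Overwrite the file's contents in place with random bytes, fsync each
    pass, then unlink. Returns the number of bytes overwritten per pass.

    Opened WITHOUT O_TRUNC so the same blocks are rewritten rather than
    freed and reallocated elsewhere."""
    size = os.path.getsize(path)
    fd = os.open(path, os.O_WRONLY)
    try:
        for _ in range(passes):
            os.lseek(fd, 0, os.SEEK_SET)
            remaining = size
            while remaining > 0:
                # os.write may write fewer bytes than asked; loop on the rest.
                chunk = secrets.token_bytes(min(remaining, 64 * 1024))
                remaining -= os.write(fd, chunk)
            os.fsync(fd)  # push the overwrite to the device before unlinking
    finally:
        os.close(fd)
    os.remove(path)
    return size


def demo():
    """Constructed input: a 64-byte stand-in for a private key file.
    Returns (bytes overwritten, whether the path still exists)."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(secrets.token_bytes(64))
        path = f.name
    wiped = overwrite_then_unlink(path)
    return wiped, os.path.exists(path)


if __name__ == "__main__":
    print(demo())  # (64, False)
```

The return value only tells you the logical file was rewritten and removed; whether the physical media still holds an earlier copy is exactly the question the comment says userland code cannot answer.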


>Laptop being stolen: Certainly for normal users, yes. Don't let that happen. But you can protect yourself by moving funds to new addresses and deleting the old address keys. Poor man's forward secrecy. Since no one will probably do that, yeah .... all bets are off.

Heh, thanks, I appreciate your honesty! :)

I guess it's a bit like the problems with trying to get mass adoption of PGP; the tech's there, but trying to get Joe Public to use it without missing any of the vital steps and not messing any of them up is difficult at best.

For me, it's one of those "last, great"-levels of problem to solve: creating privacy tech that regular people who don't know or care about the specifics can use reliably and not mess up because they don't know and/or care.


1) Laptop stolen, unlocked, you never encrypted anything: yep, you're hosed as far as I know. How else would your wallet be able to tell you a balance?

2) The creation of the genesis block involves a trust 'game' of sorts, in which many participants are asked to pick a number. The statement from zcash, which a better cryptographer than me could verify, is that only one of the participants need be trustworthy in order to make this step safe.

I think anyone can participate in the genesis block creation, so you may be just who they need to get the genesis block in good shape. :)

On a different note, it would take a juvenile and short-sighted thinker to want to be able to deanonymize the transactions; not that those people don't exist, but most rational adults would not wish to be emotionally and personally liable in some way for knowing the identities of the money launderers, child pornographers and others who will undoubtedly be drawn to a technology like this.


Ah, two of the Four Horsemen of the Infocalypse rear their ugly heads:

8.3.4. "How will privacy and anonymity be attacked?" [...] like so many other "computer hacker" items, as a tool for the "Four Horsemen": drug-dealers, money-launderers, terrorists, and pedophiles.

https://en.wikipedia.org/wiki/Four_Horsemen_of_the_Infocalyp...


It's pleasant to be snarky or even in denial about the existence of those four archetypes. The sad truth is not only that they exist, but that they benefit from cryptocurrencies in general.

I spent 2012 and 2013 vigorously parrying journalists who only wanted to write about Bitcoin and the four horsemen. I was wrong to do that. Most Bitcoin transactions of substance in 2012 were related to one of the four.

While I'm pissed off that I spent time taking shots in the public limelight on behalf of asshole drug dealers, that was not actually the point I was raising above. I presume that the zcash folks are aware their inventions will be used for bad things, and have weighed the moral calculus, and are fine with the outcome. And, I wouldn't necessarily disagree with that calculus.

What I was saying is that a clear-headed individual needs to go into launching a cryptocurrency like this with the certain knowledge that their tool will be used, very rapidly, and perhaps very aggressively, to forward the agendas of the four horsemen. In fact, those will likely be the earliest adopters, or the earliest adopters with real money.

That has some implications for how you design your own responsibility / rights / powers in a cryptocurrency. To think otherwise is terribly avoidant behavior.


I think this moral panic (for lack of a better term) is omnipresent because it's actually true to some degree. You can't seriously claim these groups wouldn't benefit from anonymous, secure payment systems. However:

- They already have anonymous, secure payment systems (cash, drugs, jewels, shell companies, etc)

- The cat is out of the bag, so they're going to have it anyway

- These proverbial Horsemen do more than just move money around; there's still plenty of room for detective work.

Splitting the atom gave us nuclear power, viable cancer treatment, smoke detectors, and also Hiroshima, Nagasaki, and the threat of radiological terrorism. The proverbial sword is always double-edged.

To make an actual point: I think we'd do well as a community to acknowledge the degree of truth these moral panics hold, because I suspect we frustrate a lot of people by being dismissive of what they perceive to be an apocalyptic problem.


I agree that we shouldn't be dismissive. However, I still think you are being somewhat dismissive when you say "The cat is out of the bag, so they're going to have it anyway."

This is binary thinking but crime isn't binary. There are varying levels of crime. New technologies can make criminal behavior easier or more difficult. Just giving up on money laundering isn't something most people are willing to think about, particularly for an experimental payment system that they don't care about and probably won't use.

For someone who doesn't understand the benefits of a new technology and is rounding it to zero, the cost/benefit tradeoff isn't hard to decide, and making an analogy to splitting the atom is unlikely to be persuasive.


> Just giving up on money laundering isn't something most people are willing to think about, particularly for an experimental payment system that they don't care about and probably won't use.

But nobody is actually advocating this, least of all me. The argument is that tracking every financial transaction is no longer viable, whether we like it or not.

Moreover, digging your heels into the sand and saying "but it's not right to give up on money-laundering" doesn't change the reality: there exists technology that makes arbitrary, anonymous payments trivial to perform. What do you propose we do?


> These proverbial Horsemen do more than just move money around; there's still plenty of room for detective work.

This. Taking away everyone's privacy because somebody might use privacy to break the law is dumb. You want to bust drug dealers? Bust them for selling drugs.


The response to this will be "yes, but it's only natural to give up some privacy for the greater good", and they'll be right insofar as there's a lot of precedent for this.

- We have driver's licenses, passports and all manner of IDs

- The IRS can audit banking records to ensure there's no tax fraud, sans warrant.

- You can be filmed and photographed in public places for security purposes

The list goes on, and the argument will be that new technologies require new compromises. Yours is hardly a constructive (or even correct) approach to the problem, because it (a) dismisses valid concerns and (b) implies a warped interpretation of privacy law. There is no absolute right to privacy; there cannot be!

That said, we're largely in agreement -- restricting privacy is probably the wrong approach in this particular case, but I think the counter argument should instead be made as I previously described, rather than by a knee-jerk opposition to restricted privacy.


"Taking away" is interesting language. The ability to transfer money without either meeting in person (meetings can be surveilled) or generating records subject to disclosure (shell companies and laundering schemes can be deciphered through forensic accounting) is unprecedented. We've never lived in a time when people had cryptographic certainty of the secrecy of their transactions.


Cash and dead drops provide both of those properties. There are many other ways to investigate crimes. Just because the internet is new doesn't mean that human rights don't apply for this new communication medium.


Government-impervious money transfer as a human right is nebulous at best. The internet has not changed the legal or ethical status of money laundering. At best you could say it has always been a human right, but it's certainly never existed in the US or Western Europe.

Cash transactions carry substantial risk: both parties must be physically present in some place to make the deal. They can be tailed, the meeting place can be under surveillance, they can be raided, they can murder each other and run, etc. It's also impractical to deal with large amounts of cash due to the risk of robbery/theft (including civil forfeiture), and legitimate entities won't take suitcases full of cash for large purchases. Infiltrating and exfiltrating large amounts of money from the legitimate banking system is also very likely to leave traces that can be understood by sufficiently skilled/motivated forensic accountants.

Whereas flipping some bytes in the firehose of cryptographically secure bytes already coming in and out of every home is undetectable and basically risk-free.

Some much more concrete human rights are ensured through taxation: food, shelter, water, health care, police, education, national defense, etc. If you make taxation effectively optional by running a perfect, free money-laundering system, some of them may have to go.


You clearly don't understand how money laundering works or what it is. Anonymous payment systems do not make it any easier to launder money; tax offices can still figure out that you have unregistered income.


It may be easier to give money to people you don't meet, but cash never left records.


Surveilling and busting in-person deals with suitcases full of cash was the bread and butter of law enforcement for decades, so much so that it's a Hollywood trope.


Sure, but it's not like we're all keeping records of cash transactions for the mandarins to go through later when they become annoyed.


Businesses which operate mostly or exclusively in cash are pretty much guaranteed regular IRS audits, which they'll need damn good records to survive.

Doing a significant volume of cash transactions with any financial institution also causes it to send a Suspicious Activity Report [0] to the federal government, which greatly increases your chance of being selected for an audit.

It's true that you don't need records to explain your personal spending, but you will need to produce records justifying any deductions/benefits claimed, and if your lifestyle appears to be large for your reported taxable income, you'll need to account for that too. Recently the IRS has started using public social media posts indicating lavish spending against people who are only paying taxes on meagre incomes.

Laundromats are actually classic tax fraud vehicles. There was an article on HN recently about how the government will pull their water/electric bills to see if the volume of business they claim they're doing is in line with their actual resource usage.

https://en.wikipedia.org/wiki/Suspicious_activity_report


I remember the time the internet went mainstream and the general public (non-tech people) were very receptive to media spelling out all the negative horrors ... about all the potentially dark corners ... all the porn ... people dating online ... all which ultimately leading to a meltdown of society.

In reality we sorted a lot of the problems out as we went along. We have muddled through somehow. The process I think was hardly linear or deterministic. And I think it never will be. Look at InfoSec where it is a constant game of catching up. Yet somehow our ancient technology stacks (DNS, SMTP, HTTP, ...) still seem to work and our world has not yet imploded. Society has not yet collapsed. Our children who grew up with the Internet have turned out pretty well (people today seem a lot smarter than most of the guys I grew up with in the '70s/'80s, mainly because of the Internet).

Seems that every time we're on the verge of discovering something totally radical (crypto currencies, big data, IoT, ...) fear is strong. The only place (people) I have seen where the mainstream approaches technologies with an open mind is Japan. There even old people think robots are cute and innovation is ultimately good. In the rest of the world technology is something potentially evil that must be regulated at all cost before it is even invented.

What if we succeed in creating a decentralized autonomous organization (DAO) [0] or an economy that doesn't answer to the state? We are pretty close to having the tools for it, and I'm sure this is scary as hell for a lot of nation states. See also the latest news about the UK government creating their own version of a blockchain by removing the best feature (decentralization) [1]. I doubt though that any of this will lead to anarchy (unless our system/society is already so broken that it was due to be replaced with a healthier model anyway).

[0] https://en.wikipedia.org/wiki/Decentralized_autonomous_organ...

[1] http://www.newsbtc.com/2016/01/19/uk-government-to-develop-a...


> drug-dealers

People profiting off the illegality of drugs who are drawn to high-risk/high-reward work.

> money-launderers

People who want to keep ANY of their income sources private. Also see: Anyone who uses cash.

> terrorists

"There is neither an academic nor an accurate legal consensus regarding the definition of terrorism." https://en.wikipedia.org/wiki/Definitions_of_terrorism This makes it a "weasel word" (or "appeal to anonymous authority" fallacy) pure and simple, like "treason" from back in the day.

> pedophiles

Most aren't active and suffer in silence. The rest can be managed. As the grain of truth of Louis CK's infamous "Most Offensive Joke Ever," if pedophilia wasn't as demonized as it is now, then most people would get their kids back after being abused, instead of them ending up dead in a ditch. The former being arguably not as bad as the latter.


> > money-launderers

> People who want to keep ANY of their income sources private. Also see: Anyone who uses cash.

That's not what money laundering is, I really wish people would stop perpetuating this misinformation. Money laundering is when somebody takes illegal income and "cleans" it by creating fake clients that pay a front business. You obviously have to pay taxes, etc but at the end of the day you have a completely clean cut of your illegal income.

Anonymous payment methods only solve one (very small) part of the money-laundering problem: getting the money to someone who will clean it. After that, you still need to create fake clients and do your tax returns (which require believable income figures). So you're still stuck with trying to convince the IRS (or tax office of your choice) that the money you gained was legitimate.


> "illegal" income

I found the problem. I don't think money has an intrinsic morality. It might be the result of (what some may deem) immoral action, but the money itself should not be illegal. There is nothing about "suddenly" having a lot of money which should be automatically illegal or prevented, and people should not have to explain every detail about how they obtained the money they did.

This kind of thinking leads to things like asset forfeiture abuse, where merely having a bunch of money on your person is apparently grounds for confiscation.

You may disagree, but I'm entitled to my opinion.


"illegal income" means "income that was acquired illegally". And I was specifically referring to money laundering (which in and of itself is a fairly emotionally-charged term if you think that money can be "dirty" in a moral sense). I don't see how you could read "illegal income" as "illegal money". And yes, I agree that money doesn't have morality.


Is there an actual reason this is getting downvoted? I have stated absolutely nothing untrue.


[deleted]


> I guess I just don't see enhanced ability to enforce laws a compelling enough reason to deny everyone privacy.

I think he's saying the exact opposite - that it'd be short-sighted to _want_ to deanonymize people and to have to deal with those identities.


> it replaces digital signatures with zero knowledge proofs

digital signatures are somehow non-interactive zero knowledge proofs. So what's the novelty here?


As I understand it, it means that a valid transaction is accompanied by a zero-knowledge proof, proving that this transaction is in fact valid, but revealing nothing about source or destination of funds.

Bitcoin requires each user to verify the entire blockchain, whereas the SNARK-technique means a single user can verify the blockchain, and produce a piece of data which essentially proves that 1. the verification has taken place and that 2. the claimed result of the verification (valid/non-valid) is the actual result of running the verification.

If it sounds too good to be true, that's because it is fairly revolutionary (if it works). Here's the paper: https://eprint.iacr.org/2013/507.pdf
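To make the idea in this answer concrete (a transaction carries a proof that it is valid while revealing nothing about the hidden data), here is an added toy that is not from the linked paper, not Zcash's zkSNARK construction, and not code from any commenter. It uses Pedersen commitments in a prime-order subgroup and a Schnorr-style proof made non-interactive with the Fiat-Shamir heuristic: amounts in a transaction are hidden inside commitments, and the published proof convinces a verifier only that inputs and outputs balance. It hides amounts, not sender or recipient, so it shows less than what the answer describes; the group size, hash-to-generator step and all names (`commit`, `prove_balance`, `verify_balance`) are this example's own choices, with parameters sized for a demo rather than for security.

```python
"""Toy confidential transaction: Pedersen commitments + Schnorr NIZK proof
that hidden inputs and outputs balance. Constructed illustration only;
not Zcash's construction and not secure parameters.
"""
import hashlib
import random

Q = 2**61 - 1  # Mersenne prime: order of the subgroup we work in


def _is_probable_prime(n, rounds=16):
    """Miller-Rabin primality test with fixed witnesses (demo only)."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    rng = random.Random(0)
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _find_group():
    """Find a prime p = k*Q + 1 and two generators g, h of the order-Q
    subgroup. h is derived by hashing so nobody knows log_g(h); that is
    what makes the commitment binding."""
    k = 2
    while not _is_probable_prime(k * Q + 1):
        k += 2
    p = k * Q + 1

    def to_subgroup(seed):
        x = int.from_bytes(hashlib.sha256(seed).digest(), "big") % p
        y = pow(x, k, p)  # raising to k lands in the order-Q subgroup
        assert y != 1
        return y

    return p, to_subgroup(b"generator g"), to_subgroup(b"generator h")


P, G, H = _find_group()


def commit(value, blinding):
    """Pedersen commitment C = g^value * h^blinding (mod p). Hides value."""
    return pow(G, value, P) * pow(H, blinding, P) % P


def _excess(c_in, c_out):
    """prod(inputs) / prod(outputs): equals h^z when amounts balance,
    and carries a stray g^(delta) factor when they do not."""
    prod_in = prod_out = 1
    for c in c_in:
        prod_in = prod_in * c % P
    for c in c_out:
        prod_out = prod_out * c % P
    return prod_in * pow(prod_out, -1, P) % P


def _challenge(d, a):
    """Fiat-Shamir challenge: hash of the public transcript, reduced mod Q."""
    data = b"".join(x.to_bytes(16, "big") for x in (P, G, H, d, a))
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def prove_balance(inputs, outputs):
    """inputs/outputs: lists of (value, blinding) known only to the prover.
    Returns (input commitments, output commitments, proof); only these are
    published, the values and blindings never leave the prover."""
    c_in = [commit(v, r) for v, r in inputs]
    c_out = [commit(v, r) for v, r in outputs]
    z = (sum(r for _, r in inputs) - sum(r for _, r in outputs)) % Q
    d = _excess(c_in, c_out)
    t = random.SystemRandom().randrange(1, Q)  # fresh nonce per proof
    a = pow(H, t, P)
    c = _challenge(d, a)
    s = (t + c * z) % Q
    return c_in, c_out, (a, s)


def verify_balance(c_in, c_out, proof):
    """Checks h^s == a * d^c. Passes only if d is a pure power of h,
    i.e. the hidden amounts sum to the same total on both sides."""
    a, s = proof
    d = _excess(c_in, c_out)
    c = _challenge(d, a)
    return pow(H, s, P) == a * pow(d, c, P) % P


def demo():
    """Constructed transactions: one balanced (75 in, 75 out) and one that
    quietly creates a unit of value (75 in, 76 out)."""
    rng = random.SystemRandom()
    ins = [(50, rng.randrange(1, Q)), (25, rng.randrange(1, Q))]
    good = [(60, rng.randrange(1, Q)), (15, rng.randrange(1, Q))]
    bad = [(60, rng.randrange(1, Q)), (16, rng.randrange(1, Q))]
    return (verify_balance(*prove_balance(ins, good)),
            verify_balance(*prove_balance(ins, bad)))


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Two things carry over to the real system even though the machinery differs: the verifier never sees the amounts (two commitments to the same value with different blindings are unrelated), and a forged transaction fails not because anyone inspects it but because the algebra does not close. Zcash's proofs cover far more (ownership, nullifiers, the note tree) and use a succinct proof system with a trusted setup, which is the part of this thread Ian's comment addresses.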



