Hi, I'm Ian, one of the scientists behind ZCash, Zerocash, and Zerocoin.
- laptop being stolen:
An attacker will get how much money you have, and if you have kept around the private keys for all your addresses, when and how much you were paid, but not who paid you or who you paid. The attacker can use those keys to go back and decrypt the notifications that get posted to the blockchain that allow you to access a transaction. This gets them how much funds you have been sent and when. It doesn't tell them who sent it unless someone put identifying info in the memo field (e.g. 'For Homer Simpson's bar tab'), because senders are anonymous even to recipients. It also doesn't tell them anything directly about who you paid or how much. It does let them identify when you made payments though.
If you move your funds to a new address and delete those keys, then all an attacker gets is your current balance.
- deanonymize every transaction.
We can't. The zero-knowledge proofs (zkSNARKs) we use to hide transaction data are zero-knowledge no matter what. The information simply isn't there.
The confusion is that there is an issue with setting things up to ensure we can't forge coins. The zkSNARKs that ZCash uses need to be generated correctly to ensure the proofs are sound (i.e. actually prove what they claim) and someone therefore cannot forge coins. We plan on doing a multiparty computation setup where if at least one party is honest, the parameters are correct. But zkSNARKs provide statistical zero-knowledge without trusted setup. So assuming the software correctly does the protocol, no one can ever deanonymize transactions (see my other comment on post quantum security for the caveats) unless they get your keys.
Thanks Ian, I really appreciate your comprehensive answer :)
- laptop being stolen: cutting out potential ifs and buts, would it be drastically unfair of me to take that as: if you laptop's compromised, all bets are off?
- deanonymize every transaction: genuinely interesting, thanks for taking the time to educate me :)
Laptop being stolen: Certainly for normal users, yes. Don't let that happen. But you can protect yourself by moving funds to new addresses and deleting the old address keys. Poor man's forward secrecy. Since no one will probably do that, yeah .... all bets are off.
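The threat model described in the two replies above (stolen address keys open the encrypted notes posted to the chain, revealing amounts, timing and memo but no sender; moving funds to a fresh address and dropping the old key limits what a later theft exposes) as an added toy simulation. This is not Zcash's code or protocol: the note format, the shake-256 keystream cipher and the sample payments are constructed assumptions.

```python
"""Toy model of what a stolen wallet reveals; not Zcash's actual protocol."""
import hashlib, hmac, json, os

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy stream cipher for the simulation only (assumption, not Zcash's scheme).
    return hashlib.shake_256(key + nonce).digest(n)

def encrypt_note(addr_key: bytes, amount: int, block_time: int, memo: str = "") -> dict:
    """Sender posts a note only the address key can open. Note: no sender field."""
    pt = json.dumps({"amount": amount, "time": block_time, "memo": memo}).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(addr_key, nonce, len(pt))))
    tag = hmac.new(addr_key, nonce + ct, "sha256").digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}

def try_decrypt(key: bytes, note: dict):
    """Returns the note contents if `key` matches this note, else None."""
    expect = hmac.new(key, note["nonce"] + note["ct"], "sha256").digest()
    if not hmac.compare_digest(expect, note["tag"]):
        return None
    pt = bytes(a ^ b for a, b in zip(note["ct"], _keystream(key, note["nonce"], len(note["ct"]))))
    return json.loads(pt)

def attacker_view(stolen_keys, chain):
    """Everything an attacker holding `stolen_keys` recovers from the public chain."""
    return [pt for note in chain for k in stolen_keys if (pt := try_decrypt(k, note))]

def scenario(rotate: bool):
    """Constructed history: two payments to the old address, then a self-transfer
    of the whole balance to a new address. With rotate=True the old key is deleted
    before the laptop is stolen, so the attacker only holds the new key."""
    old_key, new_key = os.urandom(32), os.urandom(32)
    chain = [
        encrypt_note(old_key, 300, 1000, "For Homer Simpson's bar tab"),  # memo leaks context
        encrypt_note(old_key, 400, 1050),
        encrypt_note(new_key, 700, 1100),   # funds moved to the fresh address
    ]
    stolen = [new_key] if rotate else [old_key, new_key]
    return attacker_view(stolen, chain)

if __name__ == "__main__":
    print("no rotation :", scenario(rotate=False))   # amounts, times, memo; no sender
    print("with rotation:", scenario(rotate=True))   # only the current balance note
```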
> you can protect yourself by [...] deleting the old address keys.
I think it's important to distinguish between "deleting" and "securely erasing" here. The former often provides only a layer of obscurity, while the latter takes expertise to perform reliably.
Ideally the wallet's key deletion functionality would include ensuring the private data doesn't remain on disk (and warn if the media makes this impossible), but I think this is more or less impossible; a secure erase facility really needs to be implemented at the OS level, since it requires knowledge of the workings of the filesystems in use as well as its interactions with the physical media. And it gets worse; in the case of any solid state devices that perform their own write balancing, even the operating system can't know what data has actually been lost.
Of course, if someone has your (unencrypted) hard drive digging around for old ZCash key data is probably low on the list of privacy-compromising information available to them anyway.
>Laptop being stolen: Certainly for normal users, yes. Don't let that happen. But you can protect yourself by moving funds to new addresses and deleting the old address keys. Poor man's forward secrecy. Since no one will probably do that, yeah .... all bets are off.
Heh, thanks, I appreciate your honesty! :)
I guess it's a bit like the problems with trying to get mass adoption of PGP; the tech's there, but trying to get Joe Public to use it without missing any of the vital steps and not messing any of them up is difficult at best.
For me, it's one of those "last, great"-levels of problem to solve: creating privacy tech that regular people who don't know or care about the specifics can use reliably and not mess up because they don't know and/or care.