The Metropolis release adds ADD and MUL operations on elliptic curve, which makes it possible to implement ring signatures.
That opens up use cases like anonymous funds transfer similar to Monero and zCash.
You can only be anonymous by blending into a large anonymity set. If the very act of using the privacy features singles you out as being part of a small set that is trying to be covert then it makes things worse.
The incident happened in 1 of 6 stations around the world, each creates a shard of the key.
So if the phone compromised the air-gapped machine on the other side of the room (which the article concludes is unlikely) the attacker has 1/6 of the key.
Do you have any evidence, even circumstantial, that the other 5 stations were compromised? Or do you have some other reason to believe the entirety of Zcash is "likely compromised"?
Does anybody actually understand the implications of this? This press release is very light on information. What does this technology being added to Ethereum enable that wasn't possible before?
You can read the release notes here btw that point to the EIP and Github issues for "Precompiled contracts for modular exponentiation; elliptic curve addition, scalar multiplication and pairing" here: https://blog.ethereum.org/2017/09/14/geth-1-7-megara/
AFAIK there were only 4 precompiled contracts (ECDSARECOVER, SHA256, RIPEMD, and IDENTITY) so this is sort of a big deal, but I think it's the right way to go (being able to natively support zkSNARKs, or RingCT/RuffCT directly on ETH, would be incredibly powerful).
The practical implications for this particular change are being able to run private tokens directly on Ethereum (vs globally visible transactions), although AFAIK the initial zkSNARKs implementation is not currently compatible w/ ERC20 tokens ATM.
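To make the two threads above concrete (the ECADD/ECMUL precompiles, and the ring signatures the first comment says they enable), here is an added example that is not part of the thread or of the Ethereum/geth code base. It implements the alt_bn128 G1 arithmetic that the EIP-196 precompiles expose, using the curve constants from that EIP (y^2 = x^3 + 3 over F_P, generator (1, 2), prime group order N), and builds a small Schnorr-style (AOS) ring signature on top of it. The ring scheme, the SHA-256 challenge hashing and the point encoding are my own choices for illustration, not anything the Metropolis release ships; on-chain, the two EC calls would be delegated to the precompiles at 0x06 and 0x07 instead of being done in pure Python.

```python
import hashlib
import secrets

# alt_bn128 (BN254) G1 as fixed by EIP-196: y^2 = x^3 + 3 over F_P,
# generator (1, 2), prime group order N. A point is (x, y); None is infinity.
P = 21888242871839275222246405745257275088696311157297823662689037894645226208583
N = 21888242871839275222246405745257275088548364400416034343698204186575808495617
G1 = (1, 2)


def on_curve(pt):
    """True if pt is infinity or satisfies y^2 = x^3 + 3 mod P."""
    if pt is None:
        return True
    x, y = pt
    return (y * y - x * x * x - 3) % P == 0


def ec_add(a, b):
    """Affine point addition, the operation the ECADD precompile (0x06) performs."""
    if a is None:
        return b
    if b is None:
        return a
    x1, y1 = a
    x2, y2 = b
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None                                   # a + (-a) = infinity
        lam = 3 * x1 * x1 * pow(2 * y1, P - 2, P) % P     # tangent (doubling)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, P - 2, P) % P  # chord
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication, what the ECMUL precompile (0x07) performs."""
    if k < 0:
        raise ValueError("scalar must be non-negative")
    result, addend = None, pt
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def _hash_to_scalar(msg, pt):
    """Fiat-Shamir challenge: SHA-256(msg || x || y) reduced mod N (my encoding choice)."""
    x, y = pt if pt is not None else (0, 0)
    h = hashlib.sha256(msg + x.to_bytes(32, "big") + y.to_bytes(32, "big")).digest()
    return int.from_bytes(h, "big") % N


def ring_sign(msg, pubkeys, secret, s):
    """AOS ring signature: the holder of pubkeys[s] signs without revealing which index is theirs.

    Returns (e0, [r_0 .. r_{k-1}]). The challenge chain is closed at the signer's
    index by solving for r_s, so every other r_i can be random.
    """
    k = len(pubkeys)
    e = [0] * k
    r = [0] * k
    alpha = secrets.randbelow(N - 1) + 1
    e[(s + 1) % k] = _hash_to_scalar(msg, ec_mul(alpha, G1))
    i = (s + 1) % k
    while i != s:
        r[i] = secrets.randbelow(N - 1) + 1
        commit = ec_add(ec_mul(r[i], G1), ec_mul(e[i], pubkeys[i]))
        e[(i + 1) % k] = _hash_to_scalar(msg, commit)
        i = (i + 1) % k
    r[s] = (alpha - e[s] * secret) % N      # r_s*G + e_s*P_s == alpha*G
    return e[0], r


def ring_verify(msg, pubkeys, sig):
    """Recompute the challenge chain from e0; it must wrap around to e0 again."""
    e0, r = sig
    if len(r) != len(pubkeys):
        return False
    e = e0
    for r_i, pub in zip(r, pubkeys):
        e = _hash_to_scalar(msg, ec_add(ec_mul(r_i, G1), ec_mul(e, pub)))
    return e == e0


if __name__ == "__main__":
    # Constructed demo keys; in practice the other ring members' keys are simply public.
    keys = [11, 22, 33]
    pubs = [ec_mul(x, G1) for x in keys]
    sig = ring_sign(b"transfer 1 token", pubs, 22, 1)
    print("verifies:", ring_verify(b"transfer 1 token", pubs, sig))
    print("N*G1 is infinity:", ec_mul(N, G1) is None)
```

The check that N times the generator is the point at infinity is the cheapest sanity test that the constants are the EIP-196 ones; a verifier that learns nothing about which of the three keys signed is exactly the "anonymity set" the earlier comment warns must be large to be meaningful.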
The elliptic curve pairings that will be added to Metropolis will enable fully anonymous transactions as in Zcash. The zk-SNARKS that Zcash uses for currency transactions can be used for a wider variety of transactions in Ethereum. The elliptic curve tech will also enable things like the BLS signatures used by Dfinity.
As a practical note, on that curve, Zcash is about the limit in terms of complexity for what you can do practically with a SNARK. This is why ZCash is switching to a much faster construction and supporting curve which gives it a lot of room for interesting features. As Vitalik mentioned on twitter, however, that is a long way away for Ethereum.
Most applications of the pairing curve operations are probably going to be signatures and the like, not SNARKs for this reason.
Normally when you send a payment with cryptocurrencies you leave a trace in the blockchain, i.e., other people can see which address is sending how much to where. This information is required so that the transaction can be validated by all nodes.
The zk-SNARK technology allows you to send a payment without revealing who sent how much to where.
Can you help me understand why this is the case? Would it not be possible to map all other addresses or to monitor balances of all other addresses and infer? I think this one is over my head.
I found it funny that Zooko Wilcox-O'Hearn, who started the ZCash project and has a background in cryptography and security, publicly admitted to not understanding how zk-SNARKs work. I once spent a long evening trying to understand it, involving lots of analogies about Ali Baba going into caves, but still no idea.
There's also the famous tweet where Zooko said he'd consider bypassing anonymity of ZCash in order to help authorities catch the WannaCry hackers [0] [lol j/k]
I like ZCash but I think Z-transactions (anonymous) should be the default as there have been advances in the performance and memory requirements [1]
Why isn’t there a private key to view the transaction in the ledger? Seems like this way the transaction could be private except if parties wish to release?
Similarly, would it make sense to have to mine the ledger or transactions? Similar to gas, depending on how secure you want it, you could adjust the complexity/duration to mine. Perhaps involved parties could mine at a great discount, given their transaction to seed the mining, where a 3rd party could take months or more.
These thoughts have been bouncing around in my head for a while. Thought I’d pass along for whatever they’re worth.
Monero has something similar. Private keys to send your coins and private keys to see transaction details. When looking at the transactions, you can see 'something was transferred', but the addresses and amounts are encrypted. You can only see the details (of your half of the transaction) by using your private key to view it.
They already can. They could convert the tokens they steal into zCash or Monero (or zCoin, Dash, Particl, PIVX, etc) and transfer anonymously. Adding this feature to Ethereum just means one less step.
The post claims "the addition of the zk-SNARK technology does not by itself provide privacy protection for Ethereum users. There is a new tool in the toolbox, but for now Ethereum transactions are no more private than before."
Does this just mean that Byzantium does not contain the ability to somehow convert Ether into Zcash? That would seem to be the feature that would enable existing Ethereum balances to become anonymized.
Ether and Zcash live on separate chains. There's work underway that could allow for trustless cross-chain exchange between Ether and Zcash (https://z.cash/blog/project-alchemy.html). This new crypto primitive in Byzantium is one of the things required for that project.
With Byzantium, it's now possible to create a Zcash-like token on top of Ethereum (it would however be wholly separate from Zcash). Since it lives inside of Ethereum, it would be easy to exchange for Ether. However, its value would float separately. It might look something like this: https://github.com/zcash-hackworks/babyzoe.
Byzantium also makes it possible to create an Ethereum contract into which you can deposit Ether (locking it up), transact around privately with others, and then later withdraw back out into Ether.
What does this add that didn't exist before? Some here are stating that it will allow you to send anonymous transactions in Ethereum, but the post clearly states that "There is a new tool in the toolbox, but for now Ethereum transactions are no more private than before." So what's the point? Is this just a building block for future features around transaction privacy?
'What can we do with a SNARKs-enabled Ethereum? Certain contract variables can be effectively made private. Instead of storing the secret information on-chain, it can be stored with users, who prove they're behaving by the rules of the contract using SNARKs. Each of these uses requires its own trusted setup, but once a circuit exists, it can be easily cloned.
Imagine an ERC20-like token that doesn't publish individual holders' balances, while still maintaining a public and predictable token supply, or a lending platform that keeps the terms of a loan private.'
> The addition of zk-SNARK technology into Ethereum is another validation, like the JP Morgan partnership, that privacy and auditability are important for business and for the economy, and that zk-SNARKs are the premier technology for privacy and auditability.
This sentence has no meaning. It was clearly written by a marketing department with no idea what they are talking about.