An Introduction to Payment Disclosure in Zcash


#1

I wrote a simple overview of using the new payment disclosure feature in the 1.0.13 release for anyone interested :grinning:


#2

so… … …

I get the use-case as described in your piece, but doesn’t this whole disclosure feature take some of the privacy of a shielded address out of the hands of the owner of that shielded address and put it into the hands of anyone and everyone who has ever sent funds to that shielded address and can therefore publicly prove that a certain amount was sent to the shielded address?

I have a shielded address on my keybase.io account too and in my profile here and my assumption upon publicly posting those shielded addresses is that nobody but me can ever know prove how much (or even if any) funds have ever been sent to those addresses, nor know what other addresses have ever sent to them. It seems like the payment disclosure feature is taking the first part of that assumption away from me without my having a choice about opting in to that disclosure.


#3

Great points and I hadn’t really considered it from that angle but I do agree with you.

I guess publically linking a z-addr to an identity is not the best idea (unless like I do with my Bitcoin address on Keybase it is specifically used for purposes that I want to be identified - such as signing messages).


#4

Yeah, but it’s not just the public linking, though that definitely exaggerates the issue.

The whole capability of disclosing anything about an address that you don’t yourself own seems to me like it substantially weakens the privacy of Zcash in a very fundamental way.

Again, I understand the use-case for being able to disclose, but I think I am against the feature altogether anyway.


#5

I had misgivings about entering a z_addr onto my keybase profile but I just hadn’t thought it through. The whole world can know my z_addr and still be unable to know anything else, such as transaction history.

Now maybe I have this wrong but these payment disclosures should only reveal information about a single transaction - and typically, they’re not going to be made publicly available. The caveat here is that you have to trust the person you provide the disclosure to that they wont share it any further. But even if they do, the worst outcome is that the whole world knows about a single transaction you made. Correct me if I’m wrong.


#6

I get where you are coming from but you are not disclosing anything you couldn’t already disclose via different means (albeit it could be disputed) as you obviously already know the sender address and amount. It’s still impossible to disclose anything else about the receiving address that you didn’t already know.

I can see the argument that data that was once ephemeral is now persistent (assuming the feature is enabled) and could potentially fall into the wrong hands and would be able to retroactively see all shielded addresses that were transacted to (which if you make a z-addr public would be trivial to link).


#7

Agreed but you can easily make multiple z-addrs for specific purposes such as this. In general, I think it’s just a good idea not to make your z-addrs public (unless you specifically want to be tied to it such as for digital signatures). If nothing else we have quantum computers to worry about where not knowing your address would have benefits https://z.cash/support/faq.html#quantum-computers.


#8

Other than sending transactions to me, what good is my z_addr to anyone else? What can anyone else discover once they have that piece of information?


#9

With just that piece of information absolutely nothing but why voluntarily offer this information if privacy is of the utmost concern? In the context of this thread if someone got a hold of a payment disclosure then all they would learn would be the amount and shielded address - if you haven’t publicised this anywhere then you still have a layer of pseudonymity.

If nothing else it is written here by Daira https://github.com/zcash/zcash/issues/805

I’d like to reiterate that Zcash as it stands, already is conjectured to be post-quantum forward private when addresses are kept secret.