Hi,
Wanted to share what I think is a useful tip with other Zcash users looking for very high anonymity and privacy. I’m surprised ‘churning’ hasn’t been discussed much in Zcash circles; I guess Zcash (so far) is a smaller community than Monero. Hope that changes! Think it will.
I recently read what must be every research paper on advanced attacks on Zcash, including active ones like dusting/gifting attacks. Some good reading if it matters to you:
(The last one: while it has some silly marketing hype words and some vague nonsense that shouldn’t be in a ‘paper’ like that, after further reading elsewhere, then coming back to it to double check, I saw there was substance to its core claim as well as its author’s other contributions on GitHub. Now I’m mystified as to how that paper actually carries out its “ITM attack” - by trying to resend other existing Txs’ raw notes via a custom raw transaction and seeing how the network responds, or something?)
I’ve concluded - similarly to a recommendation of one of the above papers - that ‘churning’ your own fully shielded ZEC one time - i.e. creating another local wallet controlled by yourself and, using good OPSEC, transferring your initial ZEC to it - reliably eliminates, or is a required part of eliminating, all of the above attacks. ‘Churning’ is already a well-known concept in the Monero community; indeed Monero needs way more churning than Zcash because its anonymity design is much poorer. Where I churned Zcash 1 time, I’d churn Monero an order of magnitude more. (And even then, not rely on Monero alone.)
No OPSEC can guarantee protection against a targeted attack, but certain OPSEC I’ve identified nullifies all general passive or active attacks I’ve seen that undermine Zcash’s anonymity. With Zcash, like Tor, using the tool alone doesn’t guarantee magic protection; you have to work with it with some skill and knowledge, and use other side protections at the same time.
Also, for those really serious about trying to be quantum private (see here) (and here), below I suggest an additional element to the churning to make that as unproblematic as possible.
Here are my tips (not necessarily my complete list):
- When receiving ZEC initially from another party, even if to a locally controlled ZEC wallet, immediately churn it once. This will neutralise any ‘dust attacks’ described in the papers above. It’s that simple. Keep your large amount of ZEC funds in this first ‘hop’, which is the result of your first proper churn. Hop1.
- Try to get ZEC from someone else’s shielded address in the first place, not from a transparent address. Otherwise, churn it twice initially - a second time after the first ‘shielding’ tx churn. We really want to go ‘dark’. This churning is a ‘black hole’ to make the outgoing ZEC very, very untraceable.
- Use your own zcashd full nodes (and cli if possible), not light wallets that use someone else’s node - yes, it’s a lot of effort to set it up, but it plugs some of the important holes in the research papers.
- Always leave some ZEC in your last hop upon each churn (e.g. a random amount between 1-3%, or a random amount within a certain range that you set for yourself, as a randomised secret ‘fee’ for the sake of less traceability - make it random; use a random number generator). Why? Quantum computers in the next few years or decades might unfortunately expose all transaction output amounts within shielded ZEC pools. Either way it’s a good habit for churning any cryptocurrency in general, to make any attack tracing transaction amounts less severe.
- Round off churn amounts to be less unique (e.g. don’t transfer 0.176584, transfer 0.176 and leave the rest; it costs nothing), and/or make the patterns non-similar - if you always move 2.573 or 1.573 in churns, that’s potentially linkable.
- Randomise the time of day at which you churn, every time (so that your churns are not similar to each other, e.g. correlated in terms of timezone statistical similarity).
- Delay your churns and space them out across multiple days. The more delay, the better (after several months is best of all - start churning NOW so later it’s only more anonymous when you’re ready to use the money in your final hop). Check the daily transaction numbers at https://zcha.in/statistics/usage or elsewhere. Right now there’s about 100 fully shielded tx happening per day. Not a lot, but workable, and it’s always improving over time - 2022 should be a great year for Zcash! For strong anonymity I’d recommend spacing out your churns across 7 days at least.
- Randomise the spacing between your churns, too. I have more tips like that but I’ve written enough. Just try to thwart timing analysis.
- Study the anonymity set of the current main shielded tx pool. E.g. Zcash / Transactions — Blockchair (onion link) - make sure your transactions don’t stand out in ANY way, e.g. make sure churns have just one input and two outputs in this current Sapling era.
- The wallets you use to churn multiple times (3 churns is enough, so that you have four locally controlled ZEC wallets - 4 hops - in total, all of them only ever having touched shielded ZEC in or out) - make them disposable ‘burner’ wallets only used for temporary, one-time, single-transaction churning (one tx in, then later one tx out) - NEVER, never log into them again on the Zcash p2p network apart from doing the isolated churning events. (There’s an active malicious node attack that can target wallets connected in real-time to the network to reveal things normally hidden, so reduce that attack surface to keep your ‘black hole’ truly black.) I call this “churn ‘n’ burn”.
- Always buy at least 2-3x your required ZEC coming in, and never spend the same initial amount in a single outgoing transaction within the shielded ZEC pool. The money you bring into ZEC should always be your largest amount sitting in a wallet by far. Hold all your ZEC funds at the first ‘hop’.
- Only ever chop up your ZEC (never churn the whole amount from one address to the next). Why? Combined with timing randomness, this is my only known mitigation against the possible quantum privacy weakness of shielded ZEC as discussed in my other thread. If a quantum attacker can see all transaction amounts (e.g. outputs), then at least don’t make two hops have the same amount, too close to each other in time. Start with as big an amount as possible coming into ZEC.
- Never recombine chopped up ZEC. This makes it worse upon possible future quantum decryption - it increases correlation and connection points if everything is unmasked. The ONLY quantum-safe way to recombine ZEC-anonymised funds is in the analog world, i.e. physical cash.
- Regarding quantum concerns, you can achieve pretty good PQ privacy regarding linkage between your churn wallets because they’re all created locally, and it can be done with good OPSEC like Tor and zcashd. When you finally spend the chopped up, highly anonymised ZEC, it’s at least quite hard for quantum attackers to determine where the ZEC originally came from, since sender addresses apparently remain private to a quantum attacker.
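As an added example (my own illustration, not code from the original post or from the Zcash project), here is a small Python planner that applies the amount and timing tips above to one chunk of ZEC: each hop leaves a random 1-3% residue behind, rounds the sent amount down to 3 decimals, and is scheduled on a distinct random day at a random second so the hops span at least 7 days. The fee, balance and start date are constructed values; it only produces the plan and does not talk to zcashd (you would feed each planned amount to your own node yourself).

```python
import random
from datetime import datetime, timedelta, timezone
from decimal import Decimal, ROUND_DOWN

# SystemRandom draws from the OS CSPRNG rather than the seedable default generator.
RNG = random.SystemRandom()

def random_residue_fraction(lo="0.01", hi="0.03"):
    """Secret per-hop 'fee' fraction to leave behind, uniform in [lo, hi], 4 dp."""
    return Decimal(str(round(RNG.uniform(float(lo), float(hi)), 4)))

def churn_amount(balance, fee, residue_frac, places=3):
    """Amount one hop sends on: (balance - network fee) minus the residue,
    rounded DOWN to `places` decimals so the value is not unique.
    Returns (amount_sent, amount_left_in_the_old_wallet)."""
    spendable = balance - fee
    send = (spendable * (1 - residue_frac)).quantize(
        Decimal(1).scaleb(-places), rounding=ROUND_DOWN)
    return send, spendable - send

def plan_churn(balance, hops, fee, start, min_span_days=7):
    """Plan `hops` sequential churns for one chunk of ZEC. Each hop lands on a
    distinct random day at a random second, and the last hop is at least
    `min_span_days` after `start`, so both timing and spacing are randomised."""
    days = sorted(RNG.sample(range(1, 2 * min_span_days + 1), hops))
    days[-1] = max(days[-1], min_span_days)   # enforce the minimum overall span
    plan = []
    for hop, day in enumerate(days, start=1):
        when = start + timedelta(days=day, seconds=RNG.randrange(86400))
        send, left = churn_amount(balance, fee, random_residue_fraction())
        plan.append({"hop": hop, "when": when, "send": send, "left_behind": left})
        balance = send   # the next burner wallet starts with exactly what was sent
    return plan

if __name__ == "__main__":
    # Constructed input: a 2.5 ZEC chunk, an assumed flat fee, 3 churns = 4 wallets.
    for step in plan_churn(Decimal("2.5"), 3, Decimal("0.00001"),
                           datetime.now(timezone.utc)):
        print(step)
```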
Chop, churn ‘n’ burn.
Note: I have refined the above as I learned more.