It’s suspected that the recent increase in Orch txs are a spamming attack though honestly I think it probably more closely represents typical future usage levels. Scaling to properly handle this kind of throughput is already kind of in the sight so-to-speak along with other cool stuff.
Very interesting, so possibly a DDOS to slow down legit Txs. Or, maybe not.
If the metadata pattern is indistinguishable from other people’s regular transactions, e.g.:
- fee same as what’s used by default software
- no unique pattern of timestamps of the storm’s txs (I assume the requirement for miners to generate a tx means they couldn’t control that exactly)
then this ‘attack’ would actually be a privacy boon to everyone doing Orchard transactions. The opposite of what I was worried about.
(I won’t look into the data to check what’s the case.)
In fact, it could be a deliberate community assistance by somebody. I’ve mentioned this idea previously. (The idea of us needing noise, like Monero’s tens of thousands of tx’s per day, to hide in.)
Or the party could be doing it solely for their own benefit, and everyone else is side beneficiary. This party knows Zcash is the best privacy coin on the planet (because it has highest ratio of the combination of network effect + pure privacy tech design), so they wanted to really hide things by creating all this noise.
So assuming this ‘spam’ genuinely helps obscure other people’s transactions, and also isn’t ruining the core experience, it is a good thing, and wonderful that we cannot ascertain the cause of this huge amount of transactions. Welcome to privacy.
Why such large transactions though? They are needlessly large (30-50x larger). These transactions stand out like sore thumbs and don’t help anybody hide in the crowd. They are clearly not 1 input, 2 output style transactions. I’m guessing this is abuse, because it’s easier to execute (obviously cheaper), or more potent to send a few really big transactions that are harder to validate than lots of normal sized ones. Hence, wallets have trouble synching, getblocktemplate rpc calls are slower, etc.
To mitigate this, fees should be higher in general.
Food for thought: I have sometimes given close friends (only close personal friends!) nontrivial gifts of ZEC, in the manner of, “Install a wallet that supports shielded, and give me your shielded address so that I can send you a few hundred bucks worth of starter ZEC in total privacy.” I believe in privacy, so I do not pry into my friends’ finances; I have no idea if they held it, dumped it, spent it, or bought more ZEC to add to it. None of my business.
Any which way, their newbie wallets were born fully-shielded.
Pause to reflect on that for a few moments; and keep it in mind, when reading the below.
This is entirely unneeded for fully-shielded transactions. (It is an issue at shielding/unshielding boundaries—although the issue there is more complicated than most people understand.)
Fully-shielded transactions have no anonymity set issues, in the sense that applies to CoinJoins or Monero mixins. A fully-shielded transaction only reveals: “Someone sent some money somewhere.” Excluding network-layer spying, timing correlation to data leaked by e.g. a compromised/malicious shopcart, etc., the Zcash blockchain itself reveals no information whatsoever that could be used to infer anything whatsoever about the source or destination of funds in a fully-shielded transaction.
It is for this reason that Jameson Lopp described Zerocoin for Bitcoin and the Zerocash altcoin concept as “Infinite Anonymity”, in this 2014 essay (onebox metadata are wrong), before Zcash existed:
Indeed, it is true: Zero knowledge equals infinite anonymity.
Please never create unnecessary fully-shielded transactions in a misguided attempt to help the network. It does not help anything. Zcash has no need for decoys or added “noise” within the shielded value pools. Fully-shielded ZEC does not need obfuscation.
(Adding noise at the shielding/unshielding boundaries could be helpful; but that would require a rigorous understanding of what threats you are trying to counteract, and of how your transactions monkey-wrench them. Please do not try it without that rigorous approach.)
Insane number of outputs (AKA actions)! That means this is only net bad. (Only possibly benefitting the entity doing this.)
I’m sure trying to hide in this particular noise - to emulate their exact pattern of transaction composition - is annoying to work out at best. Not worth it.
@nullius: The problem is probabilistic ‘linkability’, based on timestamp analysis alone. (This piece of metadata carries great analysable meaning, until we have thousands of legit, completely indistinguishable fully shielded txs occurring per day, after which there is too much noise to draw statistically significant meaning to any given tx’s timestamp.)
Alongside security, privacy and anonymity, I’ve identified a fourth major vector of OPSEC which I call ‘unlinkability’ (or ‘untraceability’ - making sure one part of your activity cannot be traced to another - even if both are anonymous, private, or secure). Holistically, linkability is a problem that can undermine one of the other three pillars of OPSEC.
Perhaps ‘compartmentalisation’ is a synonym for it (or part of it). And this scenario is an example of this fourth pillar.
Somewhere in my post history I’ve gone over this, as have some others IIRC, but:
You may be anonymous, but if there are only 100 normal fully shielded txs per day, and you always transact at a certain time of day, they become probabilistically linkable.
Two completely random, anonymous txs can be probabilistically analysed to say: “65% chance these two txs are by same person because of X/Y/Z historical blockchain timestamp reasons”. (The more data gatherable, the more accurate it could become, or more data to build stories from.) It’s getting worse all the time due to machine learning / big data etc.
Pure blockchain analysis alone could eventually lead to meaningful linkability to off-chain vectors, after enough analysis. E.g. they probabilistically guess (even for txs inside one’s own churning): “This fully shielded tx has X% higher chance to be related to this other ZEC tx whose off-chain data we do have (because we secretly control, have successfully subpoenaed, or have simply hacked into coin exchange Y to see their data) vs. this other one over there, because this tx was done only 3 hours after and the other one was done 3 days after” etc.
Furthermore, they could gather probabilistic ‘profiles’ (a bit like Facebook shadow profiles) on certain users in the mix by building models like, “What is the statistical probability that these 50 transactions in the month of June, which all correlate to timezone X because they never occur within the average person’s waking hours of timezone Y or Z, belong to one person? or that 25 of them do?”
The sky’s the limit for this type of analysis. We should fear it as much as quantum computing.
Surely you would agree with that? We definitely need noise to plug this hole.
One day - and this is attainable for ZEC - Zcash will actually be more easily untraceable than physical cash (which has its own problems like avoiding CCTV for facial recognition, DNA traces left on the cash, etc). That day will be glorious.
Until then, I’ve concluded that to be as anonymous as cash, since the pool of legit transactions is still so small vs. Monero, you need to do your ZEC txs quite sporadically and patiently and thwart timezone probabilistic analysis. Already possible, not fun, but doable.
REALLY? Is the network really grinding to a halt right now? I haven’t done frequent ZEC transacting during this current transition period after I turnstiled my ZEC into Orchard.
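To put numbers on the hour-of-day argument in the post above, here is an added illustration (constructed timestamps, not chain data, and not code from anyone in this thread): it measures how regular a user's time-of-day pattern is, and how many other users would share that pattern by chance, which is the crowd the post says more transaction volume provides.

```python
"""Constructed illustration of hour-of-day linkability and the 'transact sporadically' mitigation.
Timestamps are made up; the uniform-background assumption is a constructed baseline, not a measurement."""
from collections import Counter

HOURS = 24
WINDOW = 3  # a tx is "in pattern" if it falls inside the user's busiest 3-hour slot


def hour_histogram(timestamps):
    """Transactions per UTC hour of day, from Unix timestamps."""
    return Counter((t // 3600) % HOURS for t in timestamps)


def concentration(timestamps):
    """Fraction of a user's txs inside their busiest WINDOW-hour slot.
    1.0 = always at the same time of day; WINDOW/24 = spread uniformly (the mitigation)."""
    hist = hour_histogram(timestamps)
    best = max(sum(hist[(h + d) % HOURS] for d in range(WINDOW)) for h in range(HOURS))
    return best / len(timestamps)


def expected_lookalikes(other_users, k, window_frac=WINDOW / HOURS):
    """Expected number of other users whose k txs would, by chance alone, all land in the
    same WINDOW-hour slot as a perfectly regular target: the crowd that target hides in.
    Assumes (constructed baseline) that other users' tx times are uniform over the day."""
    return other_users * window_frac ** k


def ts(day, hour, minute=0):
    """Unix timestamp for a constructed day/hour/minute (day 0 = epoch)."""
    return day * 86400 + hour * 3600 + minute * 60


# Constructed user A: one tx a day, always around 14:00 UTC.
REGULAR = [ts(d, 14, 5 + 7 * d) for d in range(5)]
# Constructed user B: same number of txs, spread over days and hours as the post suggests.
SPORADIC = [ts(0, 2, 10), ts(3, 9, 40), ts(5, 14, 0), ts(9, 19, 25), ts(12, 23, 55)]

if __name__ == "__main__":
    print("regular user concentration:", concentration(REGULAR))    # 1.0
    print("sporadic user concentration:", concentration(SPORADIC))  # 0.2
    for others in (100, 100_000):
        print(f"{others} other users -> {expected_lookalikes(others, 5):.3f} chance look-alikes")
```

With 100 other users the regular pattern is effectively unique (about 0.003 look-alikes), while with 100,000 it blends in (about 3), and the sporadic user never has a pattern worth matching.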
(I was about to link to another good resource, but it seems to have disappeared. Such is the ephemeral nature of the Web.)
Aside, if you are interested in freedom of speech as many privacy activists are, I also recommend Censorbib (onion).
What is your threat model? Any rigorous security discussion must start with a threat model.
My threat model includes some pretty wild scenarios, up to and including targeted attacks by nation-state actors seeking to deanonymize political dissidents. My threat model does not include someone somewhere vaguely guessing, with undefined probability, that two anonymous txids with no other context may or may not be related.
Timezone analysis is a big problem for many things (such as forum posts—or transactions on transparent blockchains). However, I just don’t see how that’s an issue here unless you are doing some terrific bunches of bursty transactions at specific times of day.
Sorry but I’m not, that’s just fearmongering and emotionalism. Not rigorous security analysis.
You have not identified any “hole” in Zcash. There are some significant non-blockchain privacy issues with Zcash; I have been intending to post about those (and had a post for one of those threads mostly drafted a while ago, while lurking). But there are no linkability problems within the shielded pools for fully-shielded transactions—not solely from on-chain data—not without a cryptanalytic break of the “zero-knowledgeness” property of Zcash’s proof systems. In case of a cryptanalytic break, “anonymity sets” would not help.
One thing that does concern me, on a theoretical level, is that Zcash gave up the statistical hiding properties of Zerocoin. In the sense that I want Zcash to come with a pony, I wish that Zcash had statistical hiding like Zerocoin (or, with a very different type of cryptography, DigiCash). But since computationally unbounded attackers do not exist, I am not actually worried about this. [Self-correction on 2022-07-29: Wow, I was way out of date here! What I just said was applicable only to Sprout. Sapling regained, and Orchard also has, the statistically hiding commitments and “everlasting anonymity” that Sprout gave up compared to Zerocoin. See the discussion in § 8.5 of protocol.pdf, p. 140 of the current version (latest version). For a rigorous definition of what the Zcash designers mean by “statistical zero knowledge”, see the “security requirements” list in § 4.1.13, p. 32. Yes, I caught this myself; nobody else commented on it. When I catch myself in error, I like to correct myself. End of edit.] Those who do not know what that means definitely shouldn’t worry about it! @daira and @str4d know what this means (and I daresay they understand it much more rigorously than I do).
Fully-shielded Zcash is already much more untraceable than physical cash.
Physical cash has serial numbers. Nowadays, networked cash counters scan the serial numbers of every bill they count, and send the information to a database. It is well-known in some circles, but not yet realized by most of the public. I recently saw Snowden discuss this somewhere (sorry, no link handy).
I have also heard that ATMs scan serial numbers (which ones? where?), but do not have hard information about it. I mention it only because it seems logical, in the sense that I’d be surprised if banks were not tracking who withdrew a particular bill, and who next deposited it.
Each paper cash note can now have a point-by-point location history built up, with some points linked directly to a fully doxed bank account.
Please tell me, why are you waiting for when “Zcash will actually be more easily untraceable than physical cash”? It has already been that way since 2016.