This is a newbie question. I'm under the understanding that all the transactions in the blockchain have their amounts and addresses encrypted, but if so how can a public audit of the chain be done to make sure nobody is cheating or hasn't broken it?
There are transparent (like Bitcoin) and private transactions in Zcash. But even a minimal volume of private transactions makes an audit difficult at best, or impossible at worst.
Okay, sounds good. Thanks for clarifying.
All mined coins are transparent. That's how the money supply is created and can be audited IMO.
Zcash acknowledges that they can't audit the quantity of coin to see if it has been hacked. The danger is someone gives coins to themselves on the blockchain without mining to sell on the exchanges, decreasing the value via inflation of the coin. My impression is that just breaking is more likely and catastrophic.
I didn't think this was true, zawy. If the Trusted Setup is correct, then I thought the total number of coins could be audited without revealing anyone's specific holdings.
The Trusted Setup does not protect against an error in the code. The Zcash promise is that no one knows who or how much after it's mined. There is no ledger to audit because that is the Zcash promise. It has been called its Achilles' heel. Seeing the total does not mean there is not a hack that has tricked the internal method of getting the total. The reason bitcoin is so bloated is so that every user can see the entire history of each piece of coin. Nick Szabo has written at length that the history of an object being used in transactions can be key to its value, like someone's great grandfather's necklace being traded around in a group of 3 tribes. Remembering who owned the object for how long and how many cows it bought at each transaction is crucial.
See 51:30 in this interview with Zooko.
Just as an FYI that okturtles blogger is a big Monero proponent so I wouldn't take his advice as non-biased.
Zcash still has a ledger (i.e. its own blockchain), and it has the potential to grow even faster than Bitcoin's. It's just that people have the option of writing entries to that ledger (i.e. entering transactions) that are encrypted. The only guarantee made by the Zcash developers, provided there are no bugs, is that the inputs for these protected transactions are always equal to the outputs.
A ledger identifies what or who, when, and how much. Zcash's promise is that no such ledger can be viewed by anyone to hold anyone accountable unless they want to be. An unfortunate side effect is that the total coin quantity can't be known because you can't sum up each entry like you do in accounting. The individual quantities are hidden because they could be used to identify individual transactions, so it must be hidden forever from everyone. When you audit, you don't look at the sum the accountant claims, you look at his ledger until you're sure he summed correctly. You can do it in bitcoin, but not Zcash.
Some of the assertions made above about lack of auditability seem quite misleading to me. Yes, the security properties rely on cryptographic assumptions and on the parameter generation having been performed without leakage of secrets. Bitcoin also relies on cryptographic assumptions; if there were a break of ECDSA, for example, then value might be spendable without knowledge of the private key (or private keys might be obtainable by an attacker). The differences are not fundamental.
If the OP was asking about how balance is enforced despite notes being encrypted, the answer is that a cryptographic hash is used to publish a commitment to each created note, and the zero-knowledge proof ensures that for each JoinSplit transfer, the total amount specified in these commitments (plus the transparent output) matches the total amount spent from the inputs. The enforcement that the plaintext of notes is correct is done only when they are decrypted. (We actually considered a protocol change to ensure that the ciphertext can be publicly verified to have been encrypted correctly, which is technically feasible -- but this was not necessary with the feature set we settled on.)
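The mechanism described in the previous post (hash commitments to notes, with a zero-knowledge proof enforcing that each JoinSplit consumes exactly as much value as it creates) and the point raised earlier in the thread (an outside auditor cannot sum the hidden entries, only the transparent legs) can both be seen in a small toy model. This is an added example written for this thread, not Zcash's own code: SHA-256 over value and randomness stands in for the real note commitment, and the `balance_relation` check inside `build_joinsplit` stands in for what the zk-SNARK proves; the names `Note`, `JoinSplit`, `rho`, `vpub_old` and `vpub_new` are assumptions for the illustration.

```python
"""Toy model of shielded-value balance (constructed illustration, not Zcash code)."""
import hashlib
import os
from dataclasses import dataclass
from typing import Sequence, Tuple


@dataclass(frozen=True)
class Note:
    value: int   # hidden amount, in integer units; never published
    rho: bytes   # per-note randomness (assumed name) so equal values hash differently


def commit(note: Note) -> bytes:
    """Published commitment: a hash that hides the value but binds to it."""
    return hashlib.sha256(note.value.to_bytes(8, "big") + note.rho).digest()


def new_note(value: int) -> Note:
    return Note(value, os.urandom(32))


@dataclass(frozen=True)
class JoinSplit:
    """What the public ledger records: commitments plus the transparent legs."""
    input_cms: Tuple[bytes, ...]   # commitments of notes being spent
    output_cms: Tuple[bytes, ...]  # commitments of notes being created
    vpub_old: int                  # transparent value entering the shielded pool
    vpub_new: int                  # transparent value leaving the shielded pool


def balance_relation(inputs, outputs, vpub_old, vpub_new) -> bool:
    """The statement the zero-knowledge proof asserts about the hidden witness:
    value consumed equals value produced."""
    return (sum(n.value for n in inputs) + vpub_old
            == sum(n.value for n in outputs) + vpub_new)


def build_joinsplit(inputs, outputs, vpub_old=0, vpub_new=0) -> JoinSplit:
    """Prover side (it knows the note openings). Stand-in for proof generation:
    a witness that violates the relation has no valid proof, so it is refused."""
    if any(n.value < 0 for n in (*inputs, *outputs)) or vpub_old < 0 or vpub_new < 0:
        raise ValueError("negative values are outside the relation")
    if not balance_relation(inputs, outputs, vpub_old, vpub_new):
        raise ValueError("unbalanced JoinSplit: no valid proof exists for this witness")
    return JoinSplit(tuple(commit(n) for n in inputs),
                     tuple(commit(n) for n in outputs), vpub_old, vpub_new)


def recipient_verifies(note: Note, js: JoinSplit) -> bool:
    """After decrypting a note, the recipient recomputes its commitment and checks
    that the ledger published it; this is the only place plaintext gets checked."""
    return commit(note) in js.output_cms


def auditable_net_shielded(ledger: Sequence[JoinSplit]) -> int:
    """All an outside auditor can total from the ledger: the transparent legs.
    The commitments carry no summable amount, so the split inside the pool is opaque."""
    return sum(js.vpub_old - js.vpub_new for js in ledger)


def demo():
    """Shield 10, split it privately into 6 + 4, unshield 4, then try to forge value.
    Returns (net value the auditor can see in the pool, whether forging succeeded)."""
    ledger = []
    n10 = new_note(10)
    ledger.append(build_joinsplit([], [n10], vpub_old=10))   # shield 10 transparent units
    n6, n4 = new_note(6), new_note(4)
    js2 = build_joinsplit([n10], [n6, n4])                   # private split 10 -> 6 + 4
    ledger.append(js2)
    ledger.append(build_joinsplit([n4], [], vpub_new=4))     # unshield 4 back to transparent
    received_ok = recipient_verifies(n6, js2)                # holder of n6 checks its commitment
    try:
        build_joinsplit([n6], [new_note(7)])                 # witness creates 1 unit from nothing
        forged = True
    except ValueError:
        forged = False
    return auditable_net_shielded(ledger), forged and not received_ok


if __name__ == "__main__":
    print(demo())  # (6, False): auditor sees net 6 in the pool, forgery refused
```

The auditor's view is exactly the ledger's `vpub_old`/`vpub_new` totals: it can tell that 6 units net remain in the pool, but not that they sit in one note of value 6 rather than, say, three notes. Whether that 6 is honest rests entirely on `balance_relation` being both correct and actually enforced by the proof system, which is the "prevention only" property the later posts worry about.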
So in plain speak, you are saying that when I receive the coin, I can tell that there is a solid cryptographic proof that proves that at least the coins I have aren't fake, maybe even somehow leading back to their block creation?
But there is no way for me to publicly do this for all other coins in other transactions that are not mine?
Bear in mind that the 'status' of a coin can be changed between transparent and protected. Transparent coins can only be traced back as far as the last protected transaction that they came from.
Also bear in mind that newly mined coins are transparent but the following transaction must spend them to a protected address.
If you examine the blockchain you might expect to see a limited series of transparent transactions for a particular transparent coin.
The previous thread on this is a little clearer about there not currently being a way to audit the amount of coin in the Zcash ledger:
From the blog:
Perhaps there could be a way to audit the size of the Zcash monetary base, without compromising the privacy of any users. That way... at least we can tell that they have not (yet) used it to counterfeit money.

Yep, this is one of the things I like least about the current design. I don't like putting all of our eggs into the prevention basket, and not having a detection and remediation defense-in-depth. But, I have an idea to help with this in a future version! But I don't want to spill it here and now. It is late and I want to write it up nicely and post it before someone else does…
@jabo38 I think the answer to your two questions is no. A hash can't be undone to go back to the previous data. So you have to trust the cryptographic rules have ensured the total supply has not increased, in the same way you trust them that your encrypted data has not been read. The only difference is that zero knowledge proofs are newer. They also need to implement it correctly, but this second element also existed in Bitcoin as it combined complex tools. Getting bitcoin right was harder because the newness of the combination of tools was a lot more complex.
How do you audit that your encrypted data has not been cracked by either an error in a new theory or the code used to implement it? You wait to see if anyone is attacked. How will we know in Zcash if coins were inserted? We accept the "wait", but where is the "see"?
Are Zcash clients keeping a "chain"? If I am understanding it correctly and telling jabo38 correctly, there does not seem to be any point in keeping a list of historical transactions.
How then would a client present the user with a balance?
I mean if Zcash is or could be slightly different in how it defines a block, and the block recorded every previous transaction (or maybe two) instead of just transactions since the last block, then the rest of the "chain" would be useless because you can't trace coins back through transactions. But this would not be a block "chain" but a block of "current state of all coins". It's time I learned what Zcash is, which means I have to go back and learn what bitcoin is.
Miners, or anyone else, can verify publicly the information in the blockchain, including the zero-knowledge proofs. If the whole chain is verified, and the cryptographic assumptions (including on the setup process) are met, then the global balance property follows.