Is a >99% attack possible?

Hello!

For example: I want to transfer 1 ZEC from my_address to his_address.
So I have to place this transaction WISH on the network. And then this transaction will be processed, or maybe not. I guess in >99% of the cases it will be successful. Okay, later it's possible to see this transaction in the zcash blockchain.

BUT:

Everyone could see my transaction wish, the amount, my address and the recipient address.
So, isn't it possible that someone (e.g. a government) runs a ZEC miner and listens to and stores all the incoming transaction wishes? Running in parallel, in this way a historical list of all the transaction wishes with all addresses is built. Of course, this transaction-WISH-list doesn't cover exactly the executed transactions, but with a >99% probability all the money flows can be reconstructed.

Am I wrong?

Ana

If you send a transaction with a z address it will be encrypted. That's the difference between zcash and bitcoin.

I understand that
* the z address will be saved encrypted inside the blockchain and
* perhaps will be sent encrypted to the miners (SSL, etc.)
but isn't it so that all miners will be able and have to read my z address un-encrypted?
Otherwise the miners couldn't make the transaction. And if a miner can have my z address, a government miner can also have it and create a log file of all incoming transaction requests.

The z-address is converted to a hash when you send the money.

https://z.cash/blog/anatomy-of-zcash.html?page=0

The use of shielded addresses - whether sending or receiving - requires the generation of a zero-knowledge proof which allows others to verify a transaction's encrypted data without it being revealed.

http://www.nytimes.com/2016/11/01/business/dealbook/zcash-a-harder-to-trace-virtual-currency-generates-price-frenzy.html

In contrast, Zcash uses a method developed by a team of cryptographers working at M.I.T. and in Israel — known as zk-Snark — that allows transactions to be confirmed by the network without anyone recording the Zcash addresses involved in the transactions. Users can opt out of this privacy function.

Rather than a public address, a hash is shown on the left side which is comparable to, say, a reddit nickname being turned into random number and letters, preventing us, therefore, from knowing the pseudonym. The same applies to the right side. That is all we can see. No amount is shown, no public address, therefore there is no way to gain any information whatever from this transaction. An incredibly strong privacy guarantee as it allows no tracking, making Zcash, arguably, more private than paper money.

The z-address is converted to a hash when you send the money.

Rather than a public address, a hash is shown on the left side which is comparable to, say, a reddit nickname being turned into random number and letters, preventing us, therefore, from knowing the pseudonym. The same applies to the right side. That is all we can see. No amount is shown, no public address, therefore there is no way to gain any information whatever from this transaction.

Please excuse me if I am too slow understanding this complex topic...

So, the zcash network / the miners don't get my z address, only a hash of my z address. But will the hash of the same z address always be the same hash at several transactions? If yes, then you can build a historic logfile of all z-address-hashes and their related transactions. You know that hash-1 transfers money to hash-2 and later the same person/account with hash-2 to ...

For example what is if I make two transactions with the same z address. Will the network see two equal hashes?

If you are worried about addresses or their hashed versions, use a new address for each transaction you make.

This wouldn't help much if the hash of an address is always the same in each transaction request. Then instead of my_address_hash -> recipient_address_hash it would be the same in the end: my_address_hash -> xyz_address_hash -> recipient_address_hash. Everyone can log the money flow.
To know the hash of an address isn't more secure than to know the address. You can track the money flow.

Or does the hash of the same z address change on every transaction request?

Random salt?
Would be my first guess when it comes to this idea.

I don't know exactly how an address is shielded in Zcoin, I haven't read about it yet.
But it should be something like an RSA message with public and private keys, so the sender and receiver only share the public keys, and can prove that they are the sender and receiver of the message.
In RSA, if you send a message two times with a different pair of public and private keys, the encoded message is different.

Now replace the words 'encoded message' with 'hash' and you have the answer! :+1:
Please, read carefully what @fibonacci posted.
Hope this helps!

I think salt is mainly used to secure words from a brute force dictionary attack.
An address is not a word of a dictionary so I guess no salt is added.

Short answer: no, the hashes seen are always different.

Long answer (here we go):

The hashes in that argument aren't technically accurate, as they aren't hashes of addresses. Here is what you actually see on the block chain:

  • The encrypted output notes.
  • Commitment hashes for the output notes.
  • Nullifier hashes for the input notes.
  • The proof that everything is valid.

Looking at the Zcash protocol spec, we can see that the publicly-visible hashes are calculated as follows:

  • Commitment hash: SHA256(prefix || recipient_address || value || rho || r)
  • Nullifier hash: SHA256(prefix || sender_spending_key || rho)

rho and r are random strings, specific to each note. Thus the hashes published in the transaction are specific to each note, and will not stay the same for the same address.

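As an added illustration of the answer above (not code from the thread or from the Zcash project, and a simplified model rather than the real protocol's prefixes, field encodings or lengths): two notes paid to the same z-address with the same value produce unrelated commitment hashes, because rho and r are fresh per note, while a repeated nullifier still exposes a double spend of the same note.

```python
import hashlib
import os

# Assumed domain-separation prefixes for this toy model; the real spec's
# values and byte layouts are not reproduced here.
CM_PREFIX = b"cm"
NF_PREFIX = b"nf"

def commitment(recipient_address: bytes, value: int, rho: bytes, r: bytes) -> bytes:
    """Commitment hash: SHA256(prefix || recipient_address || value || rho || r)."""
    data = CM_PREFIX + recipient_address + value.to_bytes(8, "big") + rho + r
    return hashlib.sha256(data).digest()

def nullifier(spending_key: bytes, rho: bytes) -> bytes:
    """Nullifier hash: SHA256(prefix || spending_key || rho)."""
    return hashlib.sha256(NF_PREFIX + spending_key + rho).digest()

def new_note(recipient_address: bytes, value: int) -> dict:
    """Create a note with fresh per-note randomness rho and r."""
    rho, r = os.urandom(32), os.urandom(32)
    return {"rho": rho, "r": r, "cm": commitment(recipient_address, value, rho, r)}

def demo() -> dict:
    # Constructed sample values; not real keys or addresses.
    alice_addr = b"z-address-of-alice (constructed)"
    alice_key = b"alice-spending-key (constructed)"
    one_zec = 100_000_000  # value in zatoshi

    # Two payments, same recipient, same amount.
    n1 = new_note(alice_addr, one_zec)
    n2 = new_note(alice_addr, one_zec)

    # A logging miner only ever sees the commitments; with fresh rho and r
    # they do not repeat, so the two payments cannot be linked by equality.
    linkable_by_commitment = n1["cm"] == n2["cm"]

    # Spending publishes a nullifier per note; the network keeps the set of
    # nullifiers it has seen and rejects any repeat (a double spend).
    seen = set()
    double_spend_detected = False
    for rho in (n1["rho"], n2["rho"], n1["rho"]):  # third spend repeats n1
        nf = nullifier(alice_key, rho)
        if nf in seen:
            double_spend_detected = True
        seen.add(nf)

    return {
        "linkable_by_commitment": linkable_by_commitment,
        "distinct_nullifiers": len(seen),
        "double_spend_detected": double_spend_detected,
    }
```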

Well, I was wrong.. some salt is added.

Thanks @str4d!



LOL :laughing:
