OK I watched it all @daira, thanks for linking it here! I think some thoughts of mine below might help further make things clear for fellow readers.
Firstly I want to publicly share that seeing one of Zcash’s core cryptographers expressing hir views on the importance of, and explicitly giving certain real-world, serious scenarios of, why absolute privacy of money is essential for normal and reasonable people is a really positive signal. It says that people directly managing this complicated cryptosystem have skin in the game that is strong and personal.
I feel very safe in Daira’s hands (and str4d’s, etc), and I’m sure that ze must feel fulfilled by working on this system. We cypherpunks have to do what we can to help everyone. We have a duty.
Given Daira’s useful talk and recent reply, my current further clear thoughts on being quantum forward private (and I will edit anything accordingly if corrected):
-
If a quantum adversary knows your address (e.g. when they send you money, when you send them money and you unnecessarily give them your sender address for some reason, or if you advertise an address in public), then due to cracking to the
ivk
(incoming viewing key) they can view all your past or future incoming transactions to that address. (Thankfully though, not outgoing txs - that would be far worse, basically decrypting potentially all or most of the entire pool.) For this reason, since I want the highest future-proof privacy possible, when someone sends me ZEC I give them an address I’ve never used to receive ZEC and never will again, so that no further information is leaked other than what they already could discover, whether post-quantum or not. I practice strong OPSEC hygiene. It can be done. -
For all Zcashers, it’s really not good that any publicly advertised Zcash address (in the past or for the forseeable future) might one day have its entire incoming transaction activity (leaking most critical information like amounts, and which particular txids they are, which reveals timestamps) trivially decrypted in public. Zcash is world leading (in terms of market share combined with privacy strength), but I urge the team to make
ivk
use a quantum secure scheme ASAP. Is this prioritised in the roadmap? Is it feasible using current audited libraries? Thoughts, @str4d? -
This means that a charity or political organisation who wants future-proof privacy of their own org’s incoming donation activity should not re-use their donation address, nor even advertise a static address publicly. (As discussed above, fortunately sender addresses aren’t revealed even to the donee originally, so people won’t be able to suddenly discover donor addresses en masse, just the amounts and exact timestamps - not too bad for individual donor OPSEC, but still something. Why it may still be bad: if someone says on Signal messenger “Hey I just donated to the X political organisation!” and sadly their Signal friend had their phone seized by police and contents gathered as a result of compelled phone unlocking, now the government can correlate that timestamp to probabilistically determine (and convince a court as to) which donation it was, and revealing its amount due to what was now quantumly decrypted at the org’s Zcash end). An org wanting fullest privacy (and to give donors automatic extra protection), perhaps like Tor bridges project, could offer prospective donors a function request a special non-publicly advertised unique one-time U-address just for that donor. However this is not trustless. Luckily, donors can make their outgoing donating addresses to be ‘clean’ and use-once only themselves, to trustlessly guarantee decent post quantum privacy no matter what, and minimise consequences of this DL-breaking leakage.
-
A reminder: once quantum computers can decrypt
ivk
, anyone can decrypt it, not just NSA. Assume that it fast becomes publicly leaked information. People can already rent Amazon low-qubit quantum compute sessions.
So my updated short summary:
-
As a sender, you have decent quantum-safe default protection. Sender address is never revealed to even recipients themselves. (And as I’ve noted elsewhere a sender can guarantee full privacy policy when sending, unlike when receiving.) However, your outgoing txs’ amounts and timestamps (txids) may be trivially decryptable one day (thus combining timestamp analysis with revealed amounts). So if your needs are extreme enough, further compartmentalise and think about OPSEC techniques like churning and chopping and mitigating timing analysis.
-
As a receiver, you’re more vulnerable. If you want quantum privacy now, you definitely need to compartmentalise. Always use a new address every time you get more ZEC. (To make spending more convenient, you can just pool together disparate funds into a single wallet whose address is never shared with anyone.) Since known addresses are quantum vulnerable in the ways discussed above, consider your receiving addresses as ‘burner’ / use-once only.
Again: all of the above would be fixed if the dev team can make ivk
quantum resistant. I would love to hear how feasible that might be.