Long term privacy

@str4d answered this in Discord (copied with permission):

A good place to start is ZIP 310: Security Properties of Sapling Viewing Keys which documents the privacy properties of Sapling Full Viewing Keys.
But to short-cut the process: we rely on ECDH to derive the encryption key that is used by the recipient to decrypt an incoming note, so a discrete-log-breaking adversary can compromise it and recover ivk. Once they have that, the adversary can scan the chain and recover the same information that someone with the incoming viewing capability could.
For a known payment address, it’s trivial (a single DL break). For an unknown payment address, it would naively require 2^88 work to figure out which diversified base ( g_d ) is the one used by a specific note. IDK if there are any quantum algorithms that help speed up the single-target many-base situation.
In any case, all the adversary learns is the recipient address, output note value, and the contents of the memo field. Given a single transaction, they do not learn the sender address or input note value.
Also, even after learning the received notes, they wouldn’t know when those notes became spent, because they’d need to obtain nk for that, and ivk is derived from nk via a commitment scheme. Sapling uses BLAKE2s (so would require a preimage attack), while Orchard uses SinsemillaCommit which is perfectly blinding.
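To make the last point concrete, here is an added Python example (not str4d's code, and not from the Zcash codebase) of the two Sapling derivations the answer relies on: ivk = CRH^ivk(ak, nk) (BLAKE2s with personalization "Zcashivk", truncated to 251 bits) and the nullifier PRF^nfSapling_nk(rho) (BLAKE2s with personalization "Zcash_nf"). The 32-byte ak, nk and rho values are constructed sample bytes, not real Jubjub point encodings; `adversary_view` is a hypothetical helper that models what a holder of ivk alone can and cannot compute.

```python
import hashlib

L_IVK = 251  # ell^Sapling_ivk: ivk is reduced mod 2^251 (Sapling spec)


def crh_ivk(ak: bytes, nk: bytes) -> int:
    """CRH^ivk(ak, nk): BLAKE2s-256("Zcashivk", ak || nk), read as a
    little-endian integer and reduced mod 2^251. Recovering ivk (e.g. via a
    DL break on the note-encryption ECDH) does not yield nk: that would be a
    preimage attack on BLAKE2s."""
    assert len(ak) == 32 and len(nk) == 32
    h = hashlib.blake2s(ak + nk, digest_size=32, person=b"Zcashivk").digest()
    return int.from_bytes(h, "little") % (1 << L_IVK)


def prf_nf_sapling(nk: bytes, rho: bytes) -> bytes:
    """PRF^nfSapling_nk(rho): the Sapling nullifier,
    BLAKE2s-256("Zcash_nf", nk || rho). It needs nk, not ivk."""
    assert len(nk) == 32 and len(rho) == 32
    return hashlib.blake2s(nk + rho, digest_size=32, person=b"Zcash_nf").digest()


def adversary_view(keys: dict, rho: bytes) -> dict:
    """Hypothetical helper: given a dict of key material ('ak', 'nk', 'ivk'),
    report whether the holder can detect receipt of a note (needs ivk) and
    whether they can compute its nullifier to learn when it is spent (needs nk)."""
    if "ak" in keys and "nk" in keys:
        keys = dict(keys, ivk=crh_ivk(keys["ak"], keys["nk"]))
    return {
        "can_detect_receipt": "ivk" in keys,
        "nullifier": prf_nf_sapling(keys["nk"], rho) if "nk" in keys else None,
    }


if __name__ == "__main__":
    # Constructed sample values; not valid curve-point encodings.
    ak, nk, rho = bytes(range(32)), bytes(range(32, 64)), b"\x07" * 32
    ivk = crh_ivk(ak, nk)
    print("ivk-only holder:", adversary_view({"ivk": ivk}, rho))
    print("nk holder:", adversary_view({"ak": ak, "nk": nk}, rho))
```

Orchard's SinsemillaCommit (perfectly blinding) is not modelled here; the structure of the argument is the same, only the commitment differs.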