March 31, 2017 - Dev update

This week saw the release of 1.0.8 (New Release: 1.0.8 - Electric Coin Company), so update your nodes if you haven’t yet! The release includes support not mentioned in previous updates: Tor ephemeral hidden services (PR 2177), which makes it easier for users to run nodes over Tor.

We also released on our blog Explaining SNARKs Part III: The Knowledge of Coefficient Test and Assumption (Electric Coin Company) and announced BIP199 for Hashed Timelock Contracts (BIP199 for Hashed Timelocked Contracts - Electric Coin Company). HTLC is an important step towards an implementation of XCAT (Cross-chain Atomic Trades (XCAT) · Issue #2098 · zcash/zcash · GitHub) with Zcash and Bitcoin.

In preparation for a Payment Offloading proof of concept, we started work on a JavaScript implementation of Zcash which will be available upon completion. This work is being based off of BitcoinJS and, beyond the primary goal of moving towards a payment offloading PoC, will offer applications a JS library for Zcash integration.

We also have plans for reworking some of the website including the new Privacy & Security Recommendations page (Privacy Recommendations and Best Practices - Zcash) after receiving some great feedback and improved funneling for new users looking to get started with Zcash.

We’re also making some final touches on a new section of the website dedicated to a high-level overview of zk-SNARKs.

Finally, don’t forget that we’re doing our second Show & Tell featuring zmsg later today at 3pm PST/ 6pm EST/ 10pm UTC!

edit: removed “officially supported” in reference to JS library. Perhaps this will be just initially built by Zcash team and maintained by others! Needs more deliberation wrt engineer resources. :slight_smile:


ICYMI everyone I’ve also updated to use 1.0.8, too


I’m confused about the secrecy of alpha in the Explaining SNARKs Part III blog post.

In particular, it says that Bob chooses α and a, computes b=α⋅a, and then sends Alice the pair (a,b). But then the post says that because “the only information about α she has is α⋅a and G has a hard discrete log problem, we expect that Alice cannot find α.”, which I think is wrong.

My understanding is that Alice also knows a, so she can find the multiplicative inverse of a (which can be done in mere O(log(p)²) time according to Wikipedia’s Modular multiplicative inverse page). Thus Alice can compute b⋅a^(-1)=α⋅a⋅a^(-1)=α (mod p).

Can you please clarify the situation?


Sure. We are not doing operations mod p here. That would correspond to using the group of addition mod p, where the discrete log is not hard (as you exemplified).
To get a group of prime order p where the discrete log is hard, you need to work with elliptic curve groups, so a would be a point on an elliptic curve and α is a number from 0 to p-1 saying how many times we add a to itself.
I may say a little about elliptic curves in the last post in the series; it’s a pretty complicated topic, so for the most part I’ve been assuming it as a “black box”.

If you would want an analogous statement with operations mod p, you would need to use the multiplicative group where the discrete log is hard, and the statement would be: given a,b where b=a^α (mod p) we expect that Alice cannot find α.
However, here you get a group of order p-1 (cause zero is not in the group) and for SNARKs we need groups of order p for prime p.

Anyway, glad you asked this, cause it may have confused more people.
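
The contrast drawn in the reply above, as an added example that is not part of the original thread: with scalars added mod p, α falls out of one modular inverse, while in the multiplicative group mod p it takes a discrete-log search (baby-step giant-step here, feasible only because the prime is a constructed toy value). `P`, the function names and the sample values of a and α are assumptions chosen for illustration.

```python
import math

P = 1_000_003  # constructed toy prime; far too small for any real use


def recover_alpha_additive(a, b, p=P):
    """Additive group Z_p: b = alpha*a (mod p), so alpha = b * a^(-1) (mod p).
    One modular inversion, which is why this group gives no secrecy."""
    return b * pow(a, -1, p) % p


def dlog_bsgs(g, h, p=P):
    """Multiplicative group Z_p^*: find x with g^x = h (mod p).
    Baby-step giant-step costs about sqrt(p) time and memory, so it only
    terminates quickly here because P is tiny."""
    m = math.isqrt(p - 1) + 1
    baby = {}
    cur = 1
    for j in range(m):              # baby steps: g^0 .. g^(m-1)
        baby.setdefault(cur, j)
        cur = cur * g % p
    step = pow(g, -m, p)            # g^(-m) mod p
    gamma = h
    for i in range(m):              # giant steps: h * g^(-i*m)
        if gamma in baby:
            return i * m + baby[gamma]
        gamma = gamma * step % p
    return None                     # h is not a power of g


def demo():
    alpha, a = 424_242, 777         # constructed sample values
    b_add = alpha * a % P           # pair (a, b) in the additive setting
    b_mul = pow(a, alpha, P)        # pair (a, b) in the multiplicative setting
    x = dlog_bsgs(a, b_mul)
    return {
        "additive_alpha": recover_alpha_additive(a, b_add),
        "mult_x_valid": pow(a, x, P) == b_mul,
        # The group has p-1 elements, so exponents wrap at p-1, not p.
        "wraps_at_p_minus_1": pow(a, alpha + P - 1, P) == b_mul,
    }


if __name__ == "__main__":
    print(demo())
```
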