On improving user understanding & progressing tech with science

Regarding the recent analysis on Monero transaction traceability published and co-authored by Zcash advisor, Andrew Miller, we're happy to see continued research efforts on security/privacy in various cryptocurrencies. The Zcash Company had no involvement with the research (either in contribution or sponsorship) but being a science-driven team, we fully support the efforts by researchers (whether affiliated or not) in producing publicly available, well-backed science. Research like https://monerolink.com and the other paper released a few days later covering similar concepts (https://drive.google.com/file/d/0B7e8g-wJId8md3FYUGF0TlB5NjQ/view) are critical for users to better understand the risks when becoming involved in these experimental technologies.

Even though we attempt to be very clear when educating users about the risks of Zcash (such as the differences in purpose of transparent vs shielded addresses), similar analysis on the Zcash blockchain (even in its infancy) is welcome and encouraged! Protecting users from risks to life and liberty and communicating those concepts from different perspectives should be priority, especially for technologies which focus on user privacy and security.

Having multiple approaches to blockchain privacy is beneficial for the entire ecosystem. In fact, having considered the vulnerabilities in mixing & ringsig approaches to blockchain analysis is the reason why @zooko started Zcash in the first place! Had there been proof that these types of systems are safe for users, Zcash would not be here today.

Providing good security and privacy in open networks is a complex problem, and we need all the help we can get. Our company is a science-based company, and we strongly encourage scientific research — whether studying the Zcash technology or other technologies — which exposes vulnerabilities so that we as a community can learn, and can better protect users.

In the end, the goal of Zcash is to be general-purpose Internet money and privacy (and fungibility) is just one of the requirements for that.

12 Likes

Solid research. I just wish the authors were more upfront about the fact that this analysis does not apply to current transactions on the Monero chain and that the Monero community has been aware of all of this for years. Without both points being clearly and strongly stated (they are stated with little emphasis), it's easy to see how some consider this research more of a competitive attack than a science-based undertaking.

2 Likes

You might find this post-release write-up by Andrew interesting which touches on a couple of points you mention: http://hackingdistributed.com/2017/04/19/monero-linkability/

2 Likes

Thanks. I'm not sure presenting a few cherry-picked reddit posts is evidence of what the monero community consensus has been regarding privacy-hardness, though. Equally anecdotally, my own understanding has been that this is a work in progress and that it's obvious even at the surface level that privacy is limited while the percentage of zero-mixin tx onchain is relatively high. The point has always been where the technology is going, not where it has been, so this empirical research indeed came as no surprise to many.

I've also been interested in ZCash since being in the room for Ian's zerocoin talk at Bitcoin 2013. ZCash is obviously exciting as the practical evolution of that, and I personally find it valuable to have strong chains (Monero and ZCash) pursuing both approaches given the inherent tradeoffs. I hope both succeed.

2 Likes

Hi,
here is an unofficial response from the xmr-community:

And sorry to say so, but some tweets of ZcashCo-members are prone to believing in bad intent: https://twitter.com/matthew_d_green/status/832972004877799426

I mean, come on, what kind of academic sends out tweets like this unless he has some beef over something, can't blame the community for taking this as a bit of an attack... And then this:  https://twitter.com/matthew_d_green/status/852968830800338944 Sorry, but calling this a "deanonymization-paper" just ain't right and is sensationalist to say the least, so much for academic integrity... You must understand that this can provoke sour reactions...

Anyway, thanks for the peer review
best regards

1 Like

*Zcash

Here's Andrew Miller's blog post about it: http://hackingdistributed.com/2017/04/19/monero-linkability/

3 Likes

"Furthermore, the report incorrectly states that most transactions in 2016 are traceable with the 0-mixin method. This is largely untrue, since these were prohibited in March, and most transaction volume for the year occurred during and after August. Nevertheless, many of these post-March transactions have inputs that can be deducible, but the traceability typically is not as severe as with 0-mixin transactions."

It sounds like the writers of this still don't understand the impact of the research. Most transactions in 2016 are indeed traceable, because it was not until the adoption of RingCT in January 2017 that inputs from zero-mixin transactions were effectively prohibited. As Andrew Miller points out:

Monero developer smooth_xmr confirms VedadoAnonimato's concerns, but then refers to the MRL report to convince readers that the problem is already dealt with.

"The math in MRL-0001 shows that those outputs will eventually become irrelevant though... we plan to blacklist those from any future mixins which will immediately solve the problem” (permalink)

The authoritative “math in MRL-0001” is the final word, effectively ending the discussion. Incidentally, the proposed change to “immediately solve the problem” was never implemented (the measures actually implemented have had a gradual effect instead).

That is, the Monero developers could have solved the problem in March 2016, but they didn't until January 2017 (contrary to assertions I've heard from Monero advocates on Twitter, who apparently still believe that inputs from zero-mixin transactions, as opposed to zero-mixin transactions themselves, were prohibited in March 2016).

3 Likes
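A small simulation of the policy difference argued over above (forbidding new zero-mixin transactions versus also keeping already-revealed outputs out of later rings), as an added example that is not part of any post here or of Monero's code; the input and output ids are constructed.

```python
# Added example (not from the page or any Monero/Zcash code): a small model of
# the "chain reaction" traceability the thread is arguing about. An input lists
# a ring of candidate outputs and spends exactly one of them; a ring of size 1
# ("zero-mixin") reveals its spend outright, and a provably spent output can be
# struck from every other ring that lists it, which may shrink those rings to
# one candidate too. The two scenarios compare the remediation policies named
# in the post: only forbidding new zero-mixin transactions, versus also keeping
# already-revealed outputs out of later rings. Output ids are constructed.
from collections import deque

def trace(inputs):
    """inputs: list of (input_id, iterable of candidate output ids).
    Returns {input_id: output_id} for every input whose real spend is deducible."""
    rings = {i: set(cands) for i, cands in inputs}
    spent = set()
    queue = deque(i for i, r in rings.items() if len(r) == 1)
    while queue:
        i = queue.popleft()
        if len(rings[i]) != 1:
            continue                      # shrank to 0 (inconsistent data); skip
        (out,) = rings[i]
        if out in spent:
            continue
        spent.add(out)
        for j, r in rings.items():        # chain reaction: strike the spent output
            if j != i and out in r:
                r.discard(out)
                if len(r) == 1:
                    queue.append(j)
    return {i: next(iter(r)) for i, r in rings.items() if len(r) == 1}

# Era 1: two zero-mixin inputs, revealing o1 and o2 as spent.
ERA1 = [("z1", {"o1"}), ("z2", {"o2"})]
# Era 2, policy A: new zero-mixin inputs are forbidden, but o1/o2 may still be
# picked as decoys. r1 really spends o3; r2 really spends o4.
ERA2_PROHIBIT_ONLY = [("r1", {"o1", "o2", "o3"}), ("r2", {"o3", "o4", "o5"})]
# Era 2, policy B: revealed outputs are also excluded from decoy selection.
ERA2_BLACKLIST = [("r1", {"o3", "o4", "o6"}), ("r2", {"o3", "o4", "o5"})]

def compare_policies():
    """Deduced spends under each policy. Era 1 inputs are traceable either
    way; the difference is what happens to the era 2 inputs."""
    return {
        "prohibit_only": trace(ERA1 + ERA2_PROHIBIT_ONLY),
        "blacklist": trace(ERA1 + ERA2_BLACKLIST),
    }
```

Under policy A the era 2 input r1 is resolved and r2 is narrowed to two candidates; under policy B neither era 2 input is affected.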

By the way, this sort of empirical analysis of Zcash would be great! It is unclear — to me, at least — how safe are the transactions that people are currently making on the Zcash blockchain today.

There are two important values we would get from someone doing a thorough https://monerolink.com -style analysis of the Zcash blockchain:

First value: user education. The most important factor in user safety is: how well does the user understand the security properties? (This is true of all security/privacy tech, by the way, not just cryptocurrencies.) If a tech offers weak security properties and the users understand that, then they don't use it in a way that would harm them. It may therefore be less useful than a stronger tech, but it isn't dangerous to the user.

On the other hand if a tech offers medium-level security properties and the user thinks it offers super strong security properties then it is dangerous! Users may mistakenly rely on it to protect them when they are in danger, and then may be seriously harmed.

So the most important effect of research like this is to provide information that people can then use to educate users so that they can make an informed choice.

Paige has written a great pair of blog posts on the basic principles (“Transaction Linkability” and A Shielded Ecosystem), but we still need empirical analysis to complement these basic principles.

The second value we get is feedback on the technology design. Are our current privacy/security mechanisms working as well as intended? What are the empirical consequences of the majority of addresses being unshielded? (Certain people have been publicly asserting that the consequence is that almost no Zcash users are actually getting privacy. I'm pretty sure that's wrong, but I'm not 100% sure, and we don't know empirically just how wrong it is.)

Are there some low-hanging fruits for privacy improvements that we could easily deploy? We already have a roadmap for improvements that pave the way to a Shielded-Only future, but good empirical analysis might reveal to us that there are more urgent needs, or bigger payoffs from different improvements.

Here's a forum thread about such empirical analysis. I humbly request to the security researchers of the world to consider digging into this. I know it is a huge amount of work, but you will be helping move mankind forward in an urgent and important way.

2 Likes

I said at the top of my previous comment that it is unclear how safe are the transactions on the Zcash blockchain today. That statement needs to be unpacked into three separate questions:

  1. For “fully shielded transactions”, where the sender and the receiver each use shielded addresses, then it is probably very good. This is true even if nobody else has made any fully shielded transactions in a while! Because unlike Chaumian-mix-style systems — such as the ring sigs used in Monero — zero-knowledge privacy is a lot less “temporally vulnerable”.

    Basically, if you send Zcash from your shielded address to someone else’s shielded address today, then the attacker who is just watching the blockchain learns “somebody made a fully shielded transaction today”. They don’t learn anything else!

    In contrast, with Chaumian-mix-style systems like ring sigs, they learn that “one of these four outputs just moved”. Since they also know when each of those outputs previously moved, and what other inputs and outputs they are each potentially connected to, then this is quite a lot of information that they get! The question then becomes whether they can combine that information with other information (including both other information from the blockchain and outside-the-blockchain information like their knowledge of what timezone you live in and what companies you do business with). This is the fundamental reason why I think Chaumian-mix-style privacy is not good enough for Internet Money.

    The bottom line is, if you make fully shielded transactions on the Zcash network today, then you are almost certainly protected from exposure, even if relatively few others are also making such transactions today. (And in fact, there are a lot of others! In the first six months there have been somewhere between 30,000 and 130,000 fully-shielded transactions, depending on whether coinbase-shieldings count as increasing your privacy-set. I think. This is where we need an independent investigator to confirm or refute these claims.)

    (But beware! Even if blockchain-layer privacy leakage is almost completely prevented by the zero-knowledge approach, you have to beware of network-layer privacy leakage. If you made that shielded-to-shielded transaction from a clearnet IP address instead of over Tor or I2P, then the recipient you sent the money to can probably figure out which IP address you sent the money from.)

  2. For “partially shielded transactions” where some of the input and output addresses are shielded and some aren’t, the reasoning is a lot more complicated. A partially-shielded transaction exposes some or all of the amounts involved, and exposing the amounts is sometimes enough information right there to let an analyst deduce the flows. But not always. Basically, if you’re using a shielded address (over Tor/I2P), and you send and receive amounts to unshielded addresses, then this is exposing which unshielded addresses, which amounts, and the timings, but it is not exposing anything about your shielded address — not even the fact that it is the same shielded address involved in the different transactions. This is definitely a case where scientific and empirical analysis would help give us clarity on the privacy consequences.

  3. For fully transparent transactions, the privacy consequences are also quite complicated! A convenient simplification is to say “if you’re using an unshielded address then you’re getting no better privacy than you would get with Bitcoin”, but that’s actually wrong! As Figure 1 shows in Transaction Linkability, you might be getting “collateral privacy” from the other members of your community who are using shielded addresses. This, too, deserves better study by researchers.

8 Likes
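The three transaction categories described above, and the counting ambiguity behind the "30,000 to 130,000" figure, as an added example that is not part of the post or of Zcash's code; the records mimic the shape of Zcash's Sprout-era raw transaction output, and the sample transactions and the coinbase_spend marker are constructed.

```python
# Added example (not the page's or Zcash's own code): classify transactions by
# which parts are shielded. Records mimic the shape of Zcash's (Sprout-era)
# getrawtransaction output: transparent inputs in "vin", transparent outputs in
# "vout", and shielded activity in "vjoinsplit" (zero-knowledge JoinSplits).
from collections import Counter

def classify(tx):
    t_in, t_out = bool(tx.get("vin")), bool(tx.get("vout"))
    shielded = bool(tx.get("vjoinsplit"))
    if not shielded:
        return "transparent"              # category 3 in the post
    if not t_in and not t_out:
        return "fully_shielded"           # category 1: z -> z
    if t_in and not t_out:
        return "shielding"                # t -> z (includes coinbase shieldings)
    if not t_in and t_out:
        return "deshielding"              # z -> t
    return "mixed"                        # category 2: transparent on both sides

def summarize(txs):
    return Counter(classify(tx) for tx in txs)

def shielded_count(txs, count_shieldings=False):
    """The number the post's 30k-130k range depends on: how many transactions
    you treat as contributing to the shielded privacy set."""
    counts = summarize(txs)
    n = counts["fully_shielded"]
    if count_shieldings:
        n += counts["shielding"]
    return n

# Constructed sample. "coinbase_spend" is our own marker for an input that
# spends a mining reward (which must be shielded before it can be used), not a
# real field of the RPC output.
SAMPLE_TXS = [
    {"vin": [], "vout": [], "vjoinsplit": [{}]},                              # z -> z
    {"vin": [], "vout": [], "vjoinsplit": [{}, {}]},                          # z -> z
    {"vin": [{"coinbase_spend": True}], "vout": [], "vjoinsplit": [{}]},      # coinbase shielding
    {"vin": [{}], "vout": [], "vjoinsplit": [{}]},                            # ordinary shielding
    {"vin": [], "vout": [{"value": 1.0}], "vjoinsplit": [{}]},                # deshielding
    {"vin": [{}], "vout": [{"value": 0.5}], "vjoinsplit": [{}]},              # mixed
    {"vin": [{}], "vout": [{"value": 2.0}], "vjoinsplit": []},                # transparent
]
```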

Today, a vulnerability disclosure was published based on work conducted in part by another Zcash scientist so we thought to take the opportunity to talk about it here.

The above article talks about how a Zcash scientist, Madars Virza, in collaboration with other researchers at MIT, Neha Narula, Ethan Heilman and Tadge Dryja found a security vulnerability in the IOTA cryptocurrency protocol. As with the Monero Link research published earlier this year, we are glad to see any research which progresses technology users depend on. Promoting science is an important pillar within the Zcash Company’s mission and we are proud of Madars’ participation within this particular research.

6 Likes

https://gist.githubusercontent.com/Come-from-Beyond/a84ab8615aac13a4543c786f9e35b84a/raw/bb00cdf3625deba453d614f55c27f769b261df56/CFB’s%20letters%20to%20Neha%20Narula’s%20team%20during%20their%20analysis%20of%20Curl-P%20hash%20function

There’s a new open source tool, BlockSci that is perfect for doing empirical analysis of graph-theoretic privacy issues around mixed and transparent transactions. Here’s a blog post intro which also links to a working paper.

3 Likes

If this conversation (or, the side that has been published) is supposed to be a refutation of the validity of the attacks against Curl, it’s not very convincing. There are so many red flags there suggesting inexperience of the IOTA team in hash function and signature design/cryptanalysis. I see that they’re still not using Keccak; they’re using some ternary variant of it that has had no significant analysis, which suggests to me a quite dangerous “not invented here” attitude.

[Edit: some of the details referenced in https://hackernoon.com/why-i-find-iota-deeply-alarming-934f1908194b reinforce my opinion.]

3 Likes

Hey y’all, someone did an empirical analysis of Zcash! https://z.cash/blog/new-research-on-shielded-ecosystem.html

:clap: :tada:

2 Likes