Question about z-addr and receiving funds and privacy

If I give my z-addr to someone so they can send me ZEC, and I release NO OTHER INFORMATION except the address to that person, what additional information (outside of my address) do they gain over anyone else?

More detailed scenario: Let’s say I have 1 ZEC in a z-addr. I perform a service in person and give my z-addr to the person to pay me with. S/he sends the funds. I reveal NO other information to that person. What information (because s/he has my z-addr while others do not) do they have that others do not?

Do they now know the # of incoming and outgoing transactions to/from that z-addr? Do they know from/to where (t-addrs and/or z-addrs) and how much?

Just by giving them your z-addr they learn nothing else.

There are a few caveats regarding potential linkability of transactions which you should be aware of and there is some worthwhile reading at Payment Contexts & Reusing Shielded Addresses - Electric Coin Company, Privacy Recommendations and Best Practices - Zcash and Transaction Linkability - Electric Coin Company.

2 Likes

Thanks for the reply!

If you give the same address out to different people, they can collude to figure out they are paying the same person (by trivially comparing addresses). This is solvable with the diversified addresses feature, but given the above question, I will treat this as out-of-scope (because the adversary is the only person with the address).

Assuming that the adversary does not have access to an efficient quantum computer, they learn nothing (that someone without the address couldn’t learn) from fully-shielded transactions:

  • Shielded addresses are not visible in transactions. They are present in an encrypted form in Sapling outputs, but the corresponding encryption key can’t be derived from the address.
  • The sender of a note to an address cannot compute its nullifier (in Sprout they need the spending key; in Sapling they need nk from the full viewing key) and thus can’t tell when the note is subsequently spent.

In shielding and unshielding transactions, the shielded part retains the same properties as above, but the transparent part leaks information (as @garethtdavies mentions above). For example, if the adversary sends some particular value X.xxxxxxxx to the shielded address, and then later sees the exact same X.xxxxxxxx getting unshielded to a transparent address (and nowhere else in the block chain), they can be reasonably confident that the unshielding transaction is from the same address.

If the adversary has access to an efficient quantum computer, they can compute the incoming viewing key from the address, and therefore see everything that an incoming viewing key can see. That is:

  • They can detect every transaction received by the address.
  • They can decrypt and see the note values received, and the corresponding memo fields.

Note that this requires the adversary to have access to the address. They can’t arbitrarily decrypt transactions on the block chain, because what they actually need to do is break the Diffie-Hellman part of the output key derivation, which requires either knowing the address and recovering the private part of the ephemeral public key in each transaction (to then compute DH(pk_d, esk)), or recovering the incoming viewing key from the address (to then compute DH(epk, ivk)). They would of course do the latter, because they only need to do so once in order to then detect every incoming transaction.

They can’t see outgoing transactions, or detect when any particular note sent to the address is spent, because breaking those parts of the key structure would require breaking hash functions or symmetric cryptography, neither of which are (currently) known to have efficient quantum algorithms.

4 Likes
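The exact-value matching heuristic described in the answer above, as an added example that is not part of the original post. It runs over a constructed list of transparent-side observations (shielding and unshielding amounts with block heights; every height, amount and t-addr is made up) and reports, for each unshielding transaction, how many earlier shielding transactions of the same amount exist, flagging the one-to-one case the answer calls a reasonably confident link.

```python
from collections import Counter, defaultdict, namedtuple
from decimal import Decimal

# One transparent-side observation: what anyone watching the block chain sees.
# "shield"   = t-addr -> shielded pool (amount leaving the transparent side)
# "unshield" = shielded pool -> t-addr (amount arriving on the transparent side)
# Fully shielded (z -> z) transactions reveal no amount and are not listed.
Tx = namedtuple("Tx", "height kind amount taddr")

# Constructed sample; heights, amounts and t-addrs are made up for this example.
SAMPLE_TXS = [
    Tx(100, "shield",   Decimal("0.12345678"), "t1AliceExample"),
    Tx(101, "shield",   Decimal("1.00000000"), "t1BobExample"),
    Tx(102, "shield",   Decimal("1.00000000"), "t1CarolExample"),
    Tx(103, "shield",   Decimal("2.50000000"), "t1DaveExample"),
    Tx(150, "unshield", Decimal("0.12345678"), "t1ErinExample"),
    Tx(160, "unshield", Decimal("1.00000000"), "t1FrankExample"),
    Tx(170, "unshield", Decimal("2.50000000"), "t1GraceExample"),
    Tx(171, "unshield", Decimal("2.50000000"), "t1HeidiExample"),
    Tx(180, "unshield", Decimal("0.50000000"), "t1IvanExample"),
]

def value_matches(txs):
    """For each unshielding tx, list the earlier shielding txs of exactly the same amount.
    The length of that list is the anonymity set the observer is left with;
    an empty list means no single shielding tx carried that amount."""
    shields = defaultdict(list)
    for tx in txs:
        if tx.kind == "shield":
            shields[tx.amount].append(tx)
    return {u: [s for s in shields[u.amount] if s.height < u.height]
            for u in txs if u.kind == "unshield"}

def confident_links(txs):
    """(shield, unshield) pairs where the amount occurs exactly once on each side.
    This is the case from the thread: value X.xxxxxxxx is shielded once and the
    same value is later unshielded once, so the observer can reasonably assume
    both belong to the same shielded address."""
    matches = value_matches(txs)
    unshields_per_amount = Counter(u.amount for u in matches)
    return [(cands[0], u) for u, cands in matches.items()
            if len(cands) == 1 and unshields_per_amount[u.amount] == 1]

if __name__ == "__main__":
    for u, cands in value_matches(SAMPLE_TXS).items():
        print(f"unshield {u.amount} at height {u.height}: anonymity set {len(cands)}")
    for s, u in confident_links(SAMPLE_TXS):
        print(f"LINKED: shield at {s.height} ({s.taddr}) -> unshield at {u.height} ({u.taddr})")
```

In the sample only the 0.12345678 pair is flagged; the 1.00000000 amount was shielded by two different t-addrs and the 2.50000000 amount was unshielded twice, so each of those only narrows the candidate set rather than identifying a single origin.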

Here is a question: how are you giving them the Z address? Your email? A text, a website?

Those things can tell people who and where you are if additional actions are not taken.

1 Like