Image: European Southern Observatory (CC-BY).
Black Hole Coin™ (HOLE)
An anonymous correspondent wrote (slightly edited here):
The worst problem with the transparent value pool is the way people—both anti-Zcashers and Zcashers—misunderstand t-addresses by thinking that they undermine the privacy of shielded users. This is a huge and persistent problem.
This is surprising to me, perhaps because I never made the same mistake. I think that the transparent value pool is an important strategic part of Zcash’s design; and I don’t think that the drop-in Bitcoin-compatible pool should ever be deprecated, at least, not as long as Bitcoin has a transparent value pool.
I say that when I so much care about shielding that I have given my own money away to friends, to induce them to set up shielded wallets on their own private nodes. I am currently lobbying elsewhere for shielded support by organizations. I am preparing to lobby here for a rule that Zcash grants must only be sent to shielded addresses, in fully-shielded transactions. I push for shielded usage with a tenacity that some may find downright intimidating. Nonetheless, I recognize that the transparent value pool gives Zcash some important practical advantages—without any harm to fully-shielded usage.
Besides appeals to magic, how can this be explained to Zcashers (and anti-Zcashers) who do not fully understand the privacy characteristics of the shielded pool?
For this purpose, I will invent a new thought experiment very loosely inspired by the Random Oracle Model. (To learn more about that, see the five-part series on @Matthewdgreen’s blog.) I will invent a theoretically almost-perfect privacy coin.
I originally called it something else, then realized that I may someday want to use that as a name for an altcoin. I will therefore call my model Black Hole Coin™ (HOLE) (© nullius). Any physicists in the audience will now ponder questions over whether a black hole can truly destroy information.
More or less informally, Black Hole Coin™ has the following characteristics:
HOLE transactions are totally invisible and perfectly unobservable, except to direct participants. They don’t even have txids. They are not even broadcast. The Black Hole™ has no blockchain privacy issues, because it has no blockchain. The Black Hole™ has no network-layer issues, because it is not connected to any network. The Black Hole™ has no address-linkability issues, because it has no addresses. Needless to say, HOLE transactions have impossibly perfect unlinkability and anonymity.
For value from other currencies to pass in and out (!) of the Black Hole™, it must be traded for HOLE at the Event Horizon. Here, I will handicap HOLE by intentionally making it less than perfect: At the Event Horizon, the amount of HOLE involved in a trade must be publicly revealed.
Ponies. Of course, Black Hole Coin™ has ponies.
Thereupon, I propound a rhetorical question: Do fully transparent transactions in other cryptocurrencies undermine the privacy of HOLE transactions within the Black Hole?
If not, then how can transparent Zcash transactions undermine the privacy of fully-shielded Zcash transactions? The privacy characteristics of fully-shielded Zcash are not quite as impossibly perfect as HOLE—but Zcash is amazingly close! To a computationally bounded attacker, the blockchain record of a Zcash fully-shielded transaction reveals only, “someone sent some money somewhere”—whereas HOLE transactions do not even reveal that a transaction occurred.
For that matter, do Bitcoin transactions occurring on the Bitcoin blockchain undermine the privacy of fully-shielded Zcash transactions? If not, then how can Zcash transparent transactions undermine the privacy of Zcash fully-shielded transactions?
To the foregoing, I add two caveats:
Global damage to privacy
A global reduction in privacy harms everybody’s privacy, by making more information available for a sophisticated attacker to use for correlation, for partition attacks, for confirmation attacks, and for the methods used in old-fashioned detective work.
This is not a problem specific to Zcash’s transparent value pool; and I believe that transparent Zcash makes only a marginal difference in the big picture here. If the Zcash transparent value pool were deprecated, or if it had never existed, then this problem would still exist.
Dangers at the Event Horizon
Improperly using shielded Zcash as a pass-through quasi-mixer for other coins is a well-known way for people to shoot themselves in the foot.
This problem is irrelevant to fully-shielded transactions. An observer who correlates interrelated transactions passing our notional Event Horizon does not thus gain any information about unrelated transactions that occur fully within our notional Black Hole™.
This is not a Zcash-specific problem. Any privacy coin that is improperly used as a pass-through quasi-mixer could suffer linkages of transactions for the transparent coin being “mixed”.
This problem is not caused by Zcash’s transparent value pool. The transparent value pool does provide an attacker some useful information: When not many exchanges support shielded, t-addresses provide a fully public record of the exact amount of ZEC passing in and out of a shielded pool. This factor needs to be considered in any analysis; but overestimating its significance can provide a false sense of security about other privacy coins: The current value of a transaction is always publicly leaked on the transparent-coin side, it can be adjusted by attackers using market pricing data, and—you don’t want to make your exchange a trusted party, anyway!
To avoid shooting themselves in the foot this way, people generally need better guidance on the proper usage of Zcash. I saw someone suggest somewhere that we should create a new informational site for this type of guidance; I think that’s an excellent idea. Meanwhile, I urge everyone to read these pages:
Don’t make the mistake of treating any privacy solution as if it could instantly and easily erase information that you are leaking all over the place. Nothing can do that! Remember always that as @zooko says, privacy comes from shielded money at rest, not from money in flight.
In the real world, the closest thing to a HOLE transaction is an off-chain transaction. The problem is that off-chain transactions usually are either fully exposed to a trusted third party, or transiently leak information to random strangers instead of permanently publishing leakage on the blockchain. An onion-routed atomic multipath transaction on Bitcoin’s Lightning Network may achieve a formidable level of privacy. However, such systems have different issues; in current practice, I do not think they are comparable to HOLE.
Worrying about cookies is passé. The Web is evil. If you want privacy, you essentially need to stop using the Web.
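An added illustration of the "Dangers at the Event Horizon" caveat (not part of the original post): a self-check that counts, for each public shielded-to-transparent withdrawal, how many earlier public deposits could explain it by amount and timing. The ledger, labels, fee tolerance and block window are constructed assumptions; fully-shielded transfers are absent from the input because they publish no amounts or addresses to compare.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Crossing:
    """One publicly visible Event Horizon crossing (hypothetical record)."""
    label: str
    height: int     # block height at which the crossing was mined
    amount: int     # publicly revealed amount, in integer base units
    direction: str  # "in": transparent -> shielded, "out": shielded -> transparent

def candidates(out, crossings, fee_tolerance, max_blocks):
    """Labels of earlier deposits whose public amount could explain `out`."""
    return [c.label for c in crossings
            if c.direction == "in"
            and 0 < out.height - c.height <= max_blocks
            and 0 <= c.amount - out.amount <= fee_tolerance]

def exposure_report(crossings, fee_tolerance=10_000, max_blocks=50):
    """Map each withdrawal to its candidate deposits.

    One candidate means the pass-through is linkable from public data alone.
    Several candidates means the observer is left with ambiguity.
    None means this heuristic finds nothing inside its window.
    """
    return {c.label: candidates(c, crossings, fee_tolerance, max_blocks)
            for c in crossings if c.direction == "out"}

# Constructed sample data. Only crossings are listed: transfers that stay
# inside the shielded pool reveal nothing this function could take as input.
LEDGER = [
    Crossing("in_A", 100, 250_000_000, "in"),
    Crossing("in_B", 101, 731_415_900, "in"),    # distinctive amount
    Crossing("in_C", 102, 250_000_000, "in"),
    Crossing("in_D", 103, 250_000_000, "in"),
    Crossing("out_1", 105, 731_414_900, "out"),  # in_B minus a small fee, 4 blocks later
    Crossing("out_2", 110, 249_999_000, "out"),  # common amount, three possible sources
    Crossing("out_3", 5000, 90_000_000, "out"),  # funds rested, different amount
]

if __name__ == "__main__":
    for label, sources in exposure_report(LEDGER).items():
        print(f"{label}: {len(sources)} candidate deposit(s) {sources}")
```
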