The Cambrian Interface Explosion

Cross-posting my thoughts from the ZCG Signal chat:

"I am likely missing something, and I want to be clear that I’d still vote to reject the most recent grant for the reasons I outlined at the time (no delivered ZSA product, no demonstrated demand), but to be 100 with you, I don’t really find the objections on privacy persuasive. I think a lot of the arguments directly apply to Taddrs and TEX addresses, and we use them, for convenience and compliance purposes.

Yes LE could (inevitably will) get an issuer’s keys, which isn’t ideal, but c’mon.
Yes the keys could be compromised and leaked to the public, which would suck a lot. If we’re honest, this has a decent probability of happening at least once. To me, that’s not a deal-breaker. I think some ZSA stable issuers could pull off acceptable security, and provide users much better privacy for a stablecoin than what’s available at present.

I would be interested in asking @nuttycom / @daira / any other objector how they see stablecoins existing on ZEC without these compliance features - anyone know if there’s a clear quick answer to this? What’s the competing vision?"

i think one difference is t address is designed to be transparent. (even when some users dont realize always)

but ZSAs in theory as shielded assets is assumed more from user perspective to be private and not leak info.

its like half shielded until something bad happens. i have no clue how this could be done better or solved.

In terms of competing possibilities, the ideal from my perspective would be to start out with bridged coins from other chains, including algorithmic stablecoins like RAI and DAI.

The world has plenty of transparent stablecoins, and in my opinion a ZSA with deanonymization keys is just another transparent coin; it’s not a matter of whether the deanonymization keys are leaked, it’s a matter of when. But, it’s actually worse than a transparent coin, because users can mistakenly believe they have privacy.

Also, I fundamentally disagree with the principle of preemptive compliance.

1. The community has spent years against the FUD that “Zcash is not private. It has T-Addresses”. T-Addresses were necessary when the chain launched because of the tech not being ready and there are multiple threads on this forum about deprecating them. This is worse than that. This pretends to be private until it is not.

2. We can educate the users all day long but with Chat GPT/ Gen AI, volume is truth and you would only need the keys to be leaked/misused once and Zcash would be branded as useless for its core purpose.

3. If this gets added, this kind of specification would be the only one used just like how with T-Addresses majority of coins are still in the transparent pool. We can pontificate about giving users the choice and market deciding but we already have a data point with T-Addresses.

4. There are other chains which have raised more money than Zcash’s entire market cap. Their marketing budget is more than the Zcash devfund. If a chain is more valuable because it has stable coins, then Zcash has 0 chance of surviving. Any other chain with a bit of incentives would siphon off any users. We see this all the time with points/yield farming and liquidity incentives

Isn’t this just Tornado Cash redux? How does this not end up blacklisted at the top level?

Even if we had a confirmed issuer I think this would not be a good grant, but if we don’t even have a confirmed issuer that is going to use these compliance tools it should be a slam dunk to not fund this.

Can this money be used towards POS Research/implementation? There is more consensus around that

I want to clarify my understanding (and expectation) for the outcome of the design work that we’ve funded Qedit to do with this grant. If this work eventually gets implemented, my expectation is that:

1. Shielded ZEC remains untouched and retains the high standard of privacy that exists today.
2. ZSAs are optional. People who don’t like the features that ZSAs leverage don’t have to use them.
3. These added user control capabilities are optional (and not compulsory) by the issuer of the ZSA. Issuance of a competing, decentralized stablecoin without these features could still occur.
4. The features proposed by Qedit go through the ZIP process with scrutiny and vetting of the ZIP editors.

@Jon, can you confirm these points?

I view this capability as an option (user control) to an option (ZSA) which is about as far up the stack as I believe we can get right now. My understanding is that the Zcash protocol will remain pristine.

I believe it’s essential to emphasize the importance of accommodating operators who need compliance capabilities while working on top of Zcash. This approach can help bridge the gap between Zcash’s cypherpunk roots and the traditional financial system’s requirements. By enabling such compliance capabilities, Zcash can thrive within the broader crypto ecosystem. I appreciate Qedit’s proactive efforts in this direction.

yes confirming this, with emphasis on point 4. we still haven’t agreed on the fees for ZSA for this exact reason.

This is the order of operations I propose:

1. Pause Qedit’s work on ZSA surveillance, focus their highly-qualified engineering resources elsewhere.
2. Deploy the ZSA standard to mainnet.
3. Watch and learn how developers are building and issuing ZSAs in the real world (someone might launch a wrapped DAI as the chain’s first stablecoin token, for example, alongside wBTC and plenty of memes)
4. Poll early ZSA users and developers on whether they need or want this surveillance feature.
5. If so, fund it.

Is there a formal place that I can propose this to the funding organization’s board?

I firmly believe that the entire Zcash community should be polled on whether or not they want this feature. I consider myself a power user and was not aware of it until reading this post.

I firmly believe that most users are not actively monitoring the forums and that deploying this feature would bring extreme negative sentiment, well beyond T-addresses (which I personally support as a key regulatory differentiator verses other privacy coins).

ZSA developers have not yet voiced demand for this feature. Because there are not any ZSA developers/issuers yet. Let’s get ZSAs live then decide on further expansions, especially extremely controversial features like this.

A user of surveilled ZSAs cannot be warned enough: “By using this Surveilled ZSA, be aware that its issuer can see all of your transaction history when using this ZSA. You can never know who they may share their view key with in the future, or even sell it to, which would reveal all transactions in this ZSA’s history. Using this feature may give you temporary privacy, but assume that all of your transactions may be made public some day. Treat Surveilled ZSAs as no different from public Ethereum ERC-20 tokens.”

What are the consequences for Zcash when a back-door key leaks?

What’s the value of a stable coin? Are there implications for stable-coins when DEX’s become default?

TEX isn’t speculative technology we want to build out to add a feature. It’s a necessary evil that’s being forced on us by an immoral system.

On the subject of TEX’s and DEX’s… could QEDIT contribute to technologies that we all (I think) want by helping implement DEX support?

Why not spearhead more DEX support? Serai, anyone?

I would like to support this proposal in any way I can.

• zcashd deprecation
• zebra tooling and APIs/SDKs for full node + wallet/interface options
• ZSAs on main with first iteration of fees
• documentation, interfaces, SDKs…
• …

After doing these things we will know a lot more and can make better decisions than imagining the future “on paper” now. Features should be demanded.

[Speaking for myself. I’m also tapping this out on a tiny phone screen while on holiday, so this comment might not be as polished as usual for me.]

As others have pointed out, @nuttycom and I voiced our opposition to this proposal on Arborist calls. I also did so at ZK Proof 6 where the cryptographic protocol was presented. [Edit: I misremembered also doing so in a panel discussion in Zcon V, but I was confusing that with a private call preparing for Zcon V.]

I will refer to it as a surveillance protocol, because it enables surveillance; that is its purpose. Calling it a “compliance” protocol is misleadingly vague as to what is being “complied” with.

I was not aware that a USD 600,000 grant was being considered. Frankly, that seems an absurdly high amount for the work proposed, even aside from the critical privacy objections (which I’ll expand on below). I would have expected that given the size of the grant, the obviously controversial subject matter, and the protocol complexity issues, that the ZCG Committee would have sought input from the protocol designers and full node implementors at ECC and ZF. Speaking for myself, I consider it a failure of governance that they did not.

ECC and ZF don’t have any veto over what can be funded, which is how it should be, but it just makes no sense to me that such a grant was approved without seeking our input. There is huge opportunity cost in spending USD 600,000 on this rather than other projects in the Zcash ecosystem. There is also a potential reputational cost to Zcash in having funded this work even if (as I think is likely) it is never deployed.

The first time I heard the cryptographic detail of what Qedit was proposing was in Pablo’s talk at ZK Proof 6. I was actually shocked at how bad it was. There is a single key for each surveilled token that if compromised, would leak its entire transaction graph. I cannot see how such keys could be kept secure; they are too much of a target. We won the arguments against such concentration of surveillance authority in previous Crypto Wars, as described in [Keys Under Doormats, 2015]. Almost all of those arguments, and others (the extreme difficulty of implementing correct zk circuits, for instance) are equally valid in this context. We know that even well-funded intelligence agencies or large corporations are not in practice able to keep high-value secrets.

The idea that this is okay because we have transparent addresses does not hold water. Transparent addresses were an explicit compromise to enable use of Bitcoin libraries and adoption on exchanges that already supported Bitcoin-derived altcoins. With hindsight, it isn’t clear that this was a good trade-off. If I could go back in time I would recommend that we take a different approach, in which all addresses that have a transparent component also have a shielded component. In my opinion, some of the arguments against having transparent functionality in the protocol are valid, and we should be working toward removing it. The progress in that direction has been significantly slower than I would have liked.

In any case, to me it is significantly worse to have a protocol that promises privacy against anyone but the issuer and the surveillance state, but where that privacy fails catastrophically in the case of key compromise, than it is to have an explicitly transparent protocol.

It is also objectionable that the proposal adds verifiable encryption that benefits the surveillance authorities without providing any direct benefit to users (e.g. in strengthening the properties of consensual selective transparency features). I am concerned by the resulting effects on protocol complexity, especially if this verifiable encryption is post-quantum (which is important in order to maintain the current property that Zcash has post-quantum privacy when addresses are treated as shared secrets). If the encryption to the surveillance keys is post-quantum but the ordinary note encryption is not, I object. If the anonymity set is split in order to avoid imposing high circuit and/or bandwidth costs on non-surveilled tokens, I object: this was specifically avoided in the “vanilla” ZSA design because it was not clear that ZSA usage would have sufficient transaction volume initially. If this proposal interferes with possibilities for moving note ciphertexts off-chain to improve scalability, I object. If it makes potential improvements to reduce the impact of key compromise (approximating forward secrecy) more difficult, I object.

The “slippery slope” argument against adding surveillance to the protocol is very persuasive to me, especially in the current regulatory and political environment. Adding surveillance of some tokens allows regulators to apply pressure to extend that surveillance to other Zcash tokens. As someone who may be a direct target of such pressure up to and including legal threats, I don’t consent to this!

Any facility to allow the state to surveil financial transactions will be abused. It is not a matter of “whether” it will be abused. Recently, for example, it was proposed in the UK to routinely surveil bank accounts of benefits claimants, in order to detect so-called “benefits fraud”. In fact, fraud is a negligible issue and the vast majority of errors in paying benefits are made by the benefits authority. The proposal was actually part of an agenda of denigrating and scapegoating benefits claimants, and would have disproportionately affected disabled claimants, putting them in constant fear of being made destitute.

We live at a time when the mechanisms of democracy are under serious threat in several countries, and where we already have unethical laws attacking basic rights such as bodily autonomy. It is naive to pretend otherwise.

Daira, I sympathize with your (and others) reasons for fundamentally objecting with having a feature like this (as designed) present on Zcash. But is there no room to enable space for compliance bound issuers to experiment with ZSAs on Zcash using an optional feature? Sure, maybe the design isn’t perfect. I watched the arborist call where you voiced concerns and I hear your concerns here. However, I know that Qedit is eager to work with the ZIP editors to find an agreeable solution.

Stablecoin issuers who need a mechanism by which to ensure they are compliant with regulations are the glaringly obvious use case for this feature. But lately I’ve been thinking more abstract. Take the case of TLS inspection and various regulations that require that organizations inspect TLS traffic traversing their perimeters. While the analogy is not perfect and the technology works much differently, I think there could be a multitude of use cases where ZSA issuers might want to have some mechanism to ensure that they can apply requirements that they know they face in other highly regulated facets of their business to their experimentation with private ZSAs.

I think that refusing to innovate and provide options for compliance governed orgs severely limits Zcash’s marketability. I don’t think that these orgs are going to come to a niche community to propose their requirements and wait years for something to be built to their specification.

Can we work together towards a solution that creates space for compliance bound issuers to experiment, makes it harder for abuse, and doesn’t overly burden the issuer?

Regarding communication, we (ZCG) sometimes take for granted that all grants are posted here for comment (as this one was for months). We know that Qedit works closely with the ZIP editors for a variety of things and we should not assume that the ZIP editors are in approval of submitted proposals. So while we might have been able to communicate and seek input directly, it’s also the responsibility of community members to remain engaged with providing feedback on proposals here because this is our main communication channel with the community. We need your input while proposals are open for discussion

Can @ZcashGrants clear up any misunderstandings? This seems important.

I said what I said. I have not failed to consider the potential benefits of fiat-backed stablecoin tokens on Zcash (if there are issuers for such tokens, which has not been demonstrated). I just believe that those potential benefits don’t outweigh the objections I’ve outlined. In particular, the slippery slope argument is persuasive to me that it would be dangerous to do so. This is absolutely not a case where it is harmless to experiment.

We can still have algorithmic stablecoins on Zcash, possibly, and I think we should seriously pursue that avenue.

I somewhat object to a principled stance against enabling surveillance being framed as “refusing to innovate” (especially directed at me and at Zcash, given my and the rest of the Zcash designers’ past contributions to zk technology, honestly).

Emphasis here

You’re missing the patently obvious benefit to users, which is that ZSA-stablecoins exist - with accessibility/ usability/ relative compliance assurances.

Without ZSA-stablecoin jurisdictional compliance, many users will have nothing. And the entire feature project risks having lost its greatest use case: shielded-fiat(s)

The technical debate is out of my league, as you mention, if there are significant technical concerns then certainly the initiative needs to be further scrutinized.

No issuer has confirmed that they are going to use these tools and deploy a stablecoin on Zcash. There is good reason to believe that nobody will do it because of optics. In that case we would have spent $600 000 on developing a backdoor and destroyed the remnants of Zcash’s reputation with nothing to show for it.

Speaking on behalf of ZCG: we take all this feedback seriously. It indicates we have definitely had a communication failure. We acknowledge this and we intend to work to (a) mitigate the current situation – @emersonian 's list is a great starting point that we’re working from, and (b) improve our communication strategies going forward taking into account what happened here.

We will follow up with more details, but we wanted you to know right away that we are in the process of responding in light of what has been raised here.