ZIP 314 - Privacy upgrades to the Zcash light client protocol

For Ycash, we’ve been using ANCHOR_OFFSET = 1 for over a year now.

5 Likes

Wow, this is really well illuminated. The customer journey/funnel you mapped out is going to be a reference point for me as I do zomg research/work. Thanks!

3 Likes

Excellent, thorough and thoughtful posts @earthrise and @adityapk00!

What do you think matters to other people and their use cases? Do you think you and others want absolute, solid privacy, or would you prefer something performant enough to compete with centralized payment processors . . . Should these trade-offs end up being options . . .

There’s a big market out there. IMHO, it’s not completely “either or”–there is enough space to have a variety of tailored products:

  • An ultra-private app for activists and hardcore users
  • A payment-oriented app for discretionary spending
    (i.e. a private replacement for debit cards)
  • A multi-currency wallet for HODLing
  • A wallet with best-in-class UX for viral user acquisition
  • A simplified “view only” wallet for tax compliance

I hope that ZOMG can eventually fund multiple products targeting a variety of use cases.

For your use cases, what matters to you?

Several ideas captivate me. Personally, the idea that excites me most is an interactive payment app where two users begin with establishing an out-of-band connection and then proceed to exchange data securely and privately, culminating with an on-chain value transfer. Think of it as a normal wallet but with Signal embedded specifically for private, end-to-end encrypted data exchange.

Example flow:

  • Alice and Bob both install the MagicWormhole ZEC app and Alice texts Bob a link
  • Bob clicks the link and establishes a P2P connection (wormhole) with Alice’s device
  • Bob sees a message, “Alice would like to send you 0.1 ZEC, tap to accept”
  • When Bob accepts, his device sends his z-address through the P2P connection
  • Alice’s device constructs a payment to the z-addr and submits it to lightwalletd
  • Alice’s device sends Bob’s device the note/nullifier that was just spent through the P2P connection!
  • Bob’s device updates his balance INSTANTLY
  • Bob is IMMEDIATELY able to use the note information to construct another transaction to Carol

In general, the wallet uses “optimistic success” to make the User Experience even smoother and faster than the tech limitations allow. A private P2P connection, initiated over an existing channel like Signal, allows users to share ZEC with anyone in their contacts without having to fiddle with addresses or QR codes. Confirmations fade to the background and everything feels instant because the wallets are able to give each other hints (and perhaps even proofs) through the “wormhole” and even leverage their existing private keys to defend against attacks.

TL;DR:
The possibilities of a P2P layer fascinate me.

“Delighting users” is what matters to me most–ideally, through experiences that feel like magic.

11 Likes

Some responses to Aditya’s great list:

1. Mempool access. An initial implementation of this was created this fall and could be leveraged immediately. Work in this area would give a large boost to the user experience with relatively low effort, given that @LarryRuane has already completed a lot of great work on this feature.

2. Initial Sync Strongly agree that checkpoints should be fetched on-demand. Flyclient proofs might prove to be very useful here.

3. Reduce ANCHOR_OFFSET to 0 or 1. I think confirmations are very important but we can mitigate them with a variety of UX techniques like deferred transactions and optimistic success.

4. Improve sync speed I think “Sync time” should be one of the biggest areas of focus. Scanning can be fundamentally re-imagined and optimized for finding spendable balance, quickly, then everything else on a second-pass. What could be accomplished by scanning backward from the tip of the chain, rather than forward from the birthday? “Save points” can be used–where a wallet periodically leaves breadcrumbs via zero-value outputs with metadata in the memo such as all prior block heights with transactions for this wallet. These clues can allow future wallets to import in seconds. Thereby, once a wallet has “paid the price” of syncing, it never has to pay full price again on any future device! Additionally, mobile wallets can implement background sync and mitigate the impact of sync time, altogether.

Lastly, I am not at all a fan of sending ivk’s to the server! I think detection keys are a similar yet more ideal alternative that avoid the many pitfalls of sharing an ivk.

7 Likes

I can see why it seems to app developers that sacrificing privacy for ease-of-onboarding makes sense, but I’m pretty sure it’s a losing battle.

Basically, it’s like trying to be as convenient as Venmo without being better than Venmo (or CashApp, etc.) The thing that makes Zcash better than Venmo is privacy. Let’s look at Venmo’s privacy weaknesses:

  1. Venmo knows who you are
  2. Venmo can spy on you
  3. Venmo can sell your data to other companies
  4. Your government can spy on your venmo use.
  5. Several other governments (US and its allies, at least) can spy on you too.

Say you tell a friend “use ZcashLiteWallet instead of Venmo because it’s more private!” So they ask you whether ZcashLiteWallet has the above issues when they’re using it with other ZcashLiteWallet users, to which you respond as truthfully as possible according to the relevant documentation:

  1. Yes, ZcashLiteWallet and Amazon (its hosting provider) know your IP address, which gives them many ways to know who you are.
  2. Yes, ZcashLiteWallet and Amazon can spy on who you transact with and when. They just can’t always see how much you’re sending.
  3. Yes, ZcashLiteWallet can sell this data to other companies.
  4. Yes, your government can know who you send money to and when, for anyone in your own country at least.
  5. Yes, the US, the UK, their allies, and likely several other countries can know who you transact with anywhere in the world and when, even if you don’t live in those countries.

Your friend is likely to be a little confused at why you said ZcashLiteWallet was great for privacy.

They’ll probably say, “Okay, it seems like ZcashLiteWallet isn’t that different than Venmo, and I already use Venmo, and so do all my friends, so I’m going to keep using it.”

Thanks to books like Crossing the Chasm we have a pretty clear understanding these days of what new technologies need to have in order to catch on. It’s hopeless for them to simply copy existing products—they’ll never catch up.

Instead, they need some unique thing that they’re 10x better at. So much better that some small group of users who need that thing will put up with a much worse user experience to get it.

For Zcash, privacy is definitely that unique differentiator. If there isn’t a clear and easy-to-explain difference between ZcashLiteWallet and Venmo on privacy, Zcash will never get traction with people who need privacy. And it won’t get traction with existing Venmo users either, since they’ve already got Venmo.

So we need (desperately, I think) to adjust the underlying tech so that the answers in the above questions are “no.”

Then Zcash has a niche. Until then, it’s just cool tech.

UPDATE: A better analogy above would be CashApp or Paypal, or Venmo with privacy turned on, since Venmo makes transactions public by default, whereas—like ZcashLiteWallet—CashApp and Paypal only expose this data to themselves, partners, infrastructure providers, governments, etc.

3 Likes

And along these lines, I think earthrise gives us a great starting point.

It will still be possible for developers to implement Zcash in ways that aren’t very private for users who want that. Coinbase and the other hosted wallets are great for this. So deciding to make these changes isn’t taking options away.

But I think there needs to be some standard design that meaningfully protects user privacy more than Venmo, in a way that’s easy to describe.

And I think it needs to be really clear, on pages like this one which Zcash wallets implement that standard, privacy-maximizing design. Otherwise there’s no way to recommend Zcash to someone and have any confidence that they’re getting the private version.

I think the “who you can transact with and when” here is overstated - the “just can’t always spy on those things” applies to those too.

2 Likes

Fair enough! I added the line “when they’re using it with other ZcashLiteWallet users” above. Does that make it true? It does, right, since the ZcashLiteWallet server and Amazon can see who is sending and who is receiving?

1 Like

Another thing to keep in mind here is that the adoption of privacy tools tend to be driven by the recommendations of security experts, or by other high-stakes users who might not be experts but will look very closely at the details.

(This is because, absent a broad consensus of experts or a recommendation from their most knowledgeable friend, most users will assume that being private online is hopeless and use whatever everyone else uses, e.g. Venmo.)

In making these recommendations, experts and high-stakes users will think carefully about whether—when they recommend something—the people they recommend it to will be successful in protecting themselves.

They know that, when they recommend Zcash, the tools people will find when they search for “Zcash” in Google or the App Store are the thing they’re recommending.

So our ability to win the recommendation of these expert and high-stakes users (which are crucial to the adoption of privacy tools) depends on the leading Zcash tools being very private.

(Otherwise it gets awkward. Someone will have to create a new non-Zcash brand for the one privacy-maximizing Zcash Wallet and build traction around that to give experts something they can safely recommend. And this isn’t ideal for a number of reasons.)

2 Likes

I don’t think it’s a binary decision between privacy and user experience. Can’t the small number of users that are willing to put up with a much worse user experience run a full node? Or in one of the scenarios above toggle some settings to get advanced privacy on mobile (while knowingly making sacrifices with respect to speed, battery, data consumption etc.).

Another thing this small number of users need is More Users using the shielded pool, even if those users don’t really care too much about privacy for certain types of transactions (typically high volume low value).

I still think the onboarding experience for new users is critical, and the main component of that is the user experience.

I imagine a mobile app where my friend downloads it and it has 3 modes, Basic, Full Stealth, and Custom. It starts in Basic, but there are clear warnings that not all privacy features are enabled. I send some zec and she sees the incoming transaction immediately and can send it back immediately. Then we toggle to Full Stealth, the entire theme of the app changes as it goes into full on stealth mode, I can explain some of the extra benefits they get and explain that they come at a cost. Then allow her to decide how to use it going forward. I think she would then be more likely to show that to her friends.

Other nice bonus stealth features would be the ability to hide the app on my phone, add a duress pin which brings me to an address with a small amount of zec etc.

I think from a security expert perspective (as someone who is not a security expert!), if a lightwallet app such as the above existed, surely they would be happy to recommend XYZ app, but use it in stealth mode for full privacy?

I don’t know, I just don’t think we should be sacrificing the (in particular mobile) experience so much that most regular users will be turned off before they get a chance to fully understand the benefits available to them.

1 Like

My first reaction is that “full privacy mode” seems okay, as long as it’s standard across different apps and really clear what it is, and clear to users how they’re losing privacy in the other cases.

But then I’m not sure.

Here are some issues:

  • If a user starts in “low privacy mode” by default and leaks some data, you probably need to give them a fresh wallet that has never leaked anything to get into “full privacy mode”
  • If a user is using both modes at once, you probably have to warn them against using both wallets together in a short time frame so that they can’t be linked.
  • Having lots of users operating in “low privacy” mode doesn’t really increase the anonymity set, since those people aren’t anonymous anymore and can be ruled out as senders or recipients of a transaction.
  • “Full privacy mode” users are now in their own much smaller anonymity set, making them easier to track in other ways, especially if you can tell different apps apart by their behavior, etc. There might only be a handful of users in “full privacy mode” on a given app at a given time.
  • This last issue is the same for full node users. If a tiny number of people who aren’t a lightwalletd or an exchange use a full node, their anonymity set is tiny.

I actually think it’s possible to achieve both increased privacy and usability, and there are several ideas above on how to do that.

Once we start trying to figure it out and pushing these privacy fixes into the real world we’ll figure out how to square the circle in terms of UX.

1 Like

A bunch of great ideas have been posted above, but to add more:

  1. Sync as needed. Sync new blocks and “past day” or “past week” by default, and users can click a button to sync farther back in time (“past month”, “past year”, “since WALLET BIRTHDATE”, “all time”). This way, if a user is trying out the app with a friend, their friend can send them money, and they can receive it quickly without waiting for a long sync. (This is like @gmale’s idea of syncing forward instead of just backward, but with the twist of syncing farther back when users want to.)
  2. Always be ready to send. This issue seems really important and the anchor offset privacy issue is a problem. But also right now you have to sync transactions in order to send, which isn’t necessary. Wallets should be able to sync the bare minimum data that the network requires for them to send funds. If there’s a private way to do that sync quickly enough as part of the sending process, that’s great. Otherwise we can use background data to maintain this basic level of sync. (Not transactions, just block headers, right?) And we should find a privacy-safe way to send funds instantly.
  3. Transactions first, then memos. The transaction will always be more important than the memo. (Even if the user only cares about the memo, syncing the transaction will at least tell them they’ve received a transaction that could contain a memo!) So if we need to download everything, lets at least download all transactions first, and then all memos. That way the user will see they’ve received a transaction and funds, and the app can show a spinner while memos are being loaded.

I think @hanh is right that it’s important for users to be able to fire up the app and use funds immediately. We should be able to do this without compromising on privacy.

Also, I think for any user that already has a communication channel they feel good about with the person they’re sending money to, like Signal or something, sending the transaction via that channel and making that a first-class user experience instead of a power user feature seems like a good idea. We could even pad the data to make the transaction appear to traffic analysis as if it were an image or something :slight_smile: This gets you out of having to download any transactions since all you need to verify a transaction and spend it is to sync block headers, right?

1 Like

While I agree with your core concept, I’m not sure “always” is the right word here, given the likelihood of memos becoming more programmable, over time (frequently containing data for machines rather than messages for humans).

I absolutely love this idea! (cc: @geffen) Especially if toggling on “Full Stealth” generates a separate wallet, utilizes network privacy, and takes all the best-practice measures to disassociate with any activity that occurred under “Basic” mode.

Personally, I’m a huge fan of starting from the most delightful user experience and then working backward to make it possible, rather than starting from the most restrictive technical implementation and trying to make it tolerable.

6 Likes

I think this list of Venmo’s privacy weaknesses overlooks, perhaps, the most important one: that anyone can look at anyone else’s stream of transactions (and memos!).

When I tell a friend to “use ZcashLiteWallet instead of Venmo because it’s more private!” and they look at a block explorer and see no details leaked, I think that is a major differentiation that is frequently understated.

3 Likes

I’m 100% on board with the progressive privacy idea.

Basic mode which basically only guarantees on-chain privacy (compared to Venmo like @holmesworcester alluded to) and a second Full Stealth mode that will create a new wallet and will ensure the highest privacy possible with Zcash light wallet.

This is perhaps the most important point to convey to Bitcoin users. Not everyone is trying to go dark from state-level actors.

That’s true! I use Venmo in “private” mode, so my transactions aren’t shown to everyone, but it’s true that this behavior is the default.

So CashApp or Paypal (or Venmo in “private” mode) would be a better comparison to ZcashLiteWallet, since they both keep transactions private from the world, but not from CashApp, Paypal, governments, etc.

Added a note on my initial post to clarify.

1 Like

I think it’s really important to remember that we’re not just talking about state level actors here. The current “download memos just for my transactions” design leaks data to:

  1. Your ISP
  2. Your school or employer, if they’re your ISP.
  3. The maker of the wallet app.
  4. The wallet app’s hosting provider, which is usually Amazon.

If Paypal or CashApp put out a Zcash app using the current design, the privacy properties would be pretty similar to the existing versions of Paypal or CashApp, within their pool of users at least. They’d be able to see who was sending to who, but not the amounts or the memos.

It’s true you usually need to have some state-level powers to go from IP address to a name and physical address, but private entities can get this information in a bunch of situations. Lawsuits for example.

And Internet providers—and employers or schools when they’re the Internet provider—already have that information.

1 Like

I’d like to share 3 interviews I conducted of users that deleted Zecwallet after trying it. Edited and reproduced here with consent.

UserA

Zecwallet: Why did you download Zecwallet?
UserA: I downloaded Zecwallet because I wanted to donate to Signal. I liked how they were sticking it to WhatsApp.

ZW: Why did you choose Zcash to donate?
UserA: Because I don’t want them to know it was me donating. I wanted to keep it anonymous.

ZW: Because the government could decide to harass you in the future?
UserA: Not the government. I didn’t want Signal to know I was donating.

ZW: Oh? Why didn’t you want Signal to know?
UserA: A few years ago, I donated [a large amount] to Wikipedia, you know, because I read Wikipedia a lot. But after donating, they now send me email every year asking for more money. And it makes me feel bad every time if I don’t donate again. I want to donate only once. I don’t want a subscription donation. So, I wanted to hide my address from Signal.

ZW: So why didn’t Zecwallet work for you?
UserA: I downloaded and opened Zecwallet on my phone. But it started syncing. I don’t want to sync the whole blockchain just to do one donation. So I killed Zecwallet.

ZW: Did you end up eventually donating to Signal in any other form?
UserA: No

UserB

ZW: Why did you download Zecwallet?
UserB: I wanted to use the Baskin-Robbins Zcash offer (Editor’s note: A few months ago, Flexa was running a Baskin-Robbins promotion if you paid with Zcash)

ZW: Why did you choose Zecwallet?
UserB: [A friend] told me Zcash was private, so I wanted to try it out.

ZW: Did Zecwallet work for you?
UserB: I opened it, and messaged my friend to send me some Zcash. She asked for my z-address and I sent it to her, and she sent me the Zcash. It didn’t show up at first in my wallet, but then later it showed up. But then when I sent the money to Flexa, it gave me an error.

ZW: What did the error say?
UserB: I don’t know, I can’t remember.

ZW: Something like “Not enough confirmations to send”?
UserB: Probably. I can’t remember.

ZW: Were you able to send the money after the confirmations?
UserB: No, I had already left [the mall] by then.

UserC

ZW: Why did you download Zecwallet?
UserC: I wanted to buy a [travel site] gift voucher with my Zcash profits to buy a plane trip. You can go to [buy gift cards with crypto] site to buy gift cards.

ZW: Why did you choose Zcash?
UserC: I wanted to hide how much money I had from [travel site]. You know, these [expletive] travel sites, they change the price based on your browsing history and cookies and how much money you’ve spent. So I wanted to hide the amount of Zcash profits I had from [travel site] so I get the best price.

ZW: Don’t you have to give your email address to book tickets?
UserC: Yeah, but they can’t see my balance with my email address! I don’t want them to charge me high prices just because of my balance.

ZW: Did Zecwallet work for you?
UserC: No, it gave me an error.

ZW: You weren’t able to create a wallet on your phone with Zecwallet?
UserC: No, the exchange gave me an error. It said ‘address is wrong’ or something like that.

ZW: You were trying to withdraw funds from your exchange to Zecwallet?
UserC: Yes. I didn’t want the [travel site] to see my Zcash balance, and if I withdraw from Exchange straight into the [travel site], they can see my balance. So, I wanted to withdraw to my z-address, and then send to [travel site] so they can’t see my balance.

ZW: Did you use your wallet z-address or wallet t-address?

UserC: I gave the exchange my wallet’s z-address, because z-address is the address that hides the amount, right? But the exchange said ‘wrong address’, so I thought I must have a corrupted Zecwallet or an old version or something, I don’t know. So I deleted Zecwallet, sorry.

Users using Zcash

As you can see, users will often use Zcash in interesting ways. They all have slightly different reasons for using Zcash, but the same foundational one - they want some level of privacy, some level of control over their identity and information, and for each of them, their idea of what constitutes “private” is slightly different. In each of these cases, the user had a legitimate reason to use Zcash, but Zecwallet did not work for them.

The interesting thing to me here is that for each of the users, Zecwallet failed them because of usability. Zecwallet and the light wallet protocol already meet their expectation of privacy, what’s failing them is that Zecwallet is not usable enough, is not user friendly enough.

There are 1000s of users like this - maybe millions - who are eager for a more private crypto experience, but Zecwallet isn’t able to serve them right now.

What is Privacy?

When I first started working on Zecwallet, I had a very different understanding of what privacy is (Privacy = hide all data and metadata). After talking to dozens of Zecwallet users and learning how they use Zecwallet and Zcash, my understanding of what privacy is has changed.

In my mind, Privacy is consent.

Privacy is control over your own data. It allows users to hide their data when they don’t want it disclosed, and allows them to disclose their data when they want it disclosed. There is no one global, binary definition of privacy. Further, the users themselves are in the best position to determine their privacy needs, and determining what tradeoffs they want to make. We should trust that users can decide for themselves what is in their own best interest.

Users are uneasy with big tech because big tech makes these privacy decisions for them, and they want a way where they are in control of their own data, their own privacy, their own tradeoffs. This is Zcash’s competitive advantage. All other cryptos are fully transparent, offering users no privacy. Venmo, Paypal are fully transparent, offering users no privacy. Zcash, however, offers you control over your own transactions. Zcash allows you to make your own tradeoffs. Zcash allows you control.

We should strive to make wallets as usable and as friendly as possible, ensuring that users fully understand the tradeoffs they are making.

Where Zecwallet fits in

Zcash is already the most private protocol out there. It already features the most private way to access this protocol (zcashd + Tor). Zcash already has two world class teams building world class full nodes that offer unbeatable, hardened access.

I’d like Zecwallet to focus on UserA, UserB and UserC and the thousands of other users like them. I would like Zecwallet to improve usability, onboarding experience and utility for these users, users for whom Zcash already meets their privacy needs. There are a lot of such users out there, and I’d like Zecwallet to try and onboard them onto Zcash.

I’m not saying we should not focus on hardening privacy - We already have world class minds working on that, and Zecwallet will benefit from their work and incorporate all the advances they are making.

I’m saying let Zecwallet work on improving usability for UserA, UserB and UserC and get them started on using Zcash.

10 Likes

These are all super interesting @adityapk00. Do you have more of these?

Also, a lot of these usability issues seem orthogonal to the “sync all memos over wifi” proposal earthrise is making…

UserA - Instant sync for first time users is solved by having a secure way for the checkpoint to be set on startup, rather than baked into the app.

UserB - This is the confirmations / anchor offset issue, which would be solved by having a privacy friendly way to send transactions immediately upon receiving them (or as a stopgap, some UX warning users about sending too soon that lets them override and do it anyway.)

UserC - This can be solved by making it clear to users that they should use their transparent address when sending from an exchange (or by getting more exchanges to support z-addresses and then maybe by deprecating t-addresses).

It seems like we can have solutions to all of these particular users’ problems and give people privacy protections.

It’s true that the proposal impacts one aspect of usability, sync time. But these examples show how there’s a lot we do (and need to do) to improve usability independent of sync time, right?

Also, I’m curious: it seems like since ECC is proposing this change, it would affect Nighthawk and Unstoppable more than Zecwallet, right?

1 Like

Over lunch, I was trying to explain this issue to a friend, and the best explanation I could come up with was:

Right now the current design goes to extremely costly lengths to hide the transaction graph, including on chain, but also downloading every transaction on mobile (which you would never do if you weren’t super hardcore about privacy!)…

…and then after it’s taken all those extremely costly steps it’s like “hah just kidding, these are all my transactions” to the lightwalletd operator, Amazon, ISPs, and governments.

I’m sounding like @secparam here but it really does seem like the worst of both worlds. Why download all the tx’s if we’re just going to reveal which ones are ours a few moments later?

The proposal from earthrise makes total sense to me for this reason, and apart from slowing down an already-too-long sync time, it doesn’t close down any of the paths we have to addressing usability issues.

We can accept some version of the “all memos over wifi” proposal and still have apps that start instantly, send as soon as you receive, receive 0-conf transactions instantly, etc, since those are all other issues.

3 Likes