ZK Shielded Pools vs Decoy-based Privacy

Introduction

“Cryptocurrency exposes all your spending activities to the public, since it’s just like a Twitter for your bank account, and this is a great issue that must be solved by adopting on-chain privacy.” - Ian Miers at Devcon4.

Certain crypto projects have gained recognition for their privacy-centric approaches. Zcash is renowned for employing zero-knowledge proofs (ZK) to protect transaction amounts and addresses. Monero stands out for its use of decoy-based sender obfuscation in combination with other encryption schemes to attain user privacy on the blockchain.


Zero Knowledge Proofs are cryptographic systems that allow one party (the prover) to demonstrate to another party (the verifier) the validity of a statement without revealing any underlying information about the statement itself. In the context of Zcash, ZK proofs are employed to verify the validity of a transaction without disclosing transaction details such as the SENDER, RECEIVER or transaction AMOUNT.

This ensures that user privacy is preserved as the transaction remains confidential while still being validated. This technology is designed to ensure the confidentiality of financial transactions on the Zcash network.

In decoy-based systems such as RingCT, multiple inputs are mixed together in each transaction, making it difficult to trace the actual source and destination of funds. The scheme introduces decoy inputs and outputs into transactions, encrypts the addresses used as inputs, and uses range proofs to validate that the hidden amount being transferred is spendable.

This approach obfuscates the transaction trail. The use of decoy inputs makes it challenging for anyone analyzing the blockchain to identify the real sender, receiver, or transaction amount.

Important Note: This method of privacy-preserving on-chain transaction still explicitly reveals the (encrypted) inputs of all user transactions. Metadata such as the FLOW OF TRANSACTIONS between different users on the network can still be gathered. If an adversary actively participates in generating transactions on the network, it effectively deanonymises the decoy inputs of other users.

Advantages of Shielded Pools Over Decoy Based Systems

Both Zcash and Monero are privacy-focused cryptocurrencies, but they achieve privacy in different ways.

Here are some advantages of Zcash’s zero-knowledge proofs (ZK) over Monero’s decoy system:

  1. Selective Disclosure: With Zcash’s ZK feature set, users have the option to reveal transaction details to specific parties (see the ECC blog post on selective disclosure). In Zcash, the encrypted contents of shielded transactions allow individuals to selectively reveal data from a particular transfer. Additionally, a viewing key can be provided to disclose all transactions associated with a specific shielded address. This feature allows for regulatory compliance and auditability without compromising the overall privacy of the network. While Monero’s decoy algorithm (RingCT) helps in providing privacy, it does not offer selective disclosure in the same way.

  2. Optional Visibility: Zcash allows users to choose between transparent (non-private) and shielded (private) transactions. This means that Zcash offers users the flexibility to either keep their financial information private (shielded) or make it transparent and publicly available, similar to most other blockchains, as explained on the official Zcash website. This opt-in privacy allows for greater flexibility and business- or organisation-relevant use cases, as some transactions may require less privacy for public scrutiny, while others benefit from enhanced privacy.

  3. Anonymity Set: The anonymity set of zero-knowledge shielded pools comprises nearly all transactions that have ever occurred. This is significantly larger than most other on-chain techniques for achieving transaction unlinkability. Note: this only applies to transactions within the same shielded pool. The use of decoys does increase the anonymity set; however, this approach depends entirely on the number of real users on the network.

  4. No Trusted Setup: Zcash’s Sprout and Sapling circuits relied on a multi-party computation known as the “trusted setup ceremony”. The recent NU5 upgrade does not require any trust in the integrity of the zero-knowledge circuit’s setup (see the ECC blog post on NU5).

  5. Data Privacy: The zk-SNARK technology used in Zcash’s shielded pools significantly enhances security for users. Reducing metadata leakage on-chain means that users are protected from adversaries such as potential hackers or oppressive state bodies. There have been a number of instances in which bugs were identified in Monero’s decoy selection algorithm; these bugs had the potential to reveal user spends, according to a report from CoinDesk.
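As an added illustration (not code from the original article), the toy Python model below quantifies the Important Note on decoy inputs and the Anonymity Set point above: it counts how many candidate spends an observer who owns part of the ledger can still not rule out, for a ring-based transaction versus a shielded pool. Ledger size, ring size, adversary share and uniform decoy selection are constructed assumptions, not parameters of either real network.

```python
# Toy model, constructed for illustration: a ledger of numbered outputs,
# a share of which belongs to an observer who recognises its own outputs
# whenever they are used as decoys in someone else's ring.
import random


def effective_anonymity_set(ring, adversary_owned):
    """Return the ring members the observer cannot rule out.

    The victim's real spend is never adversary-owned, so every ring member
    the observer recognises as its own output is a known decoy and drops out.
    """
    return [o for o in ring if o not in adversary_owned]


def simulate_rings(num_outputs, adversary_fraction, ring_size, trials, seed=0):
    """Average surviving anonymity set over `trials` honest ring spends."""
    rng = random.Random(seed)
    outputs = list(range(num_outputs))
    owned = set(rng.sample(outputs, round(num_outputs * adversary_fraction)))
    honest = [o for o in outputs if o not in owned]
    surviving = []
    for _ in range(trials):
        real = rng.choice(honest)
        # Decoys are drawn uniformly from the rest of the ledger (simplified),
        # so on average a fraction `adversary_fraction` of them is recognisable.
        decoys = rng.sample([o for o in outputs if o != real], ring_size - 1)
        surviving.append(len(effective_anonymity_set(decoys + [real], owned)))
    return sum(surviving) / len(surviving)


def shielded_anonymity_set(pool_notes, adversary_fraction):
    """Simplified shielded-pool view: an unrecognised nullifier could belong
    to any note in the pool the observer does not own, because other users'
    spent status is never revealed on-chain."""
    return pool_notes - round(pool_notes * adversary_fraction)


if __name__ == "__main__":
    for share in (0.0, 0.3, 0.6):
        ring = simulate_rings(5000, share, 16, 2000)
        pool = shielded_anonymity_set(5000, share)
        print(f"adversary share {share:.0%}: ring survives ~{ring:.1f}, pool {pool}")
```

The ring figure shrinks toward 1 as the observer's share of the ledger grows, while the pool figure stays on the order of the whole pool, which is the contrast the Anonymity Set point describes.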

In summary, what matters most is to reduce or eliminate the leak of user information and data, as explained by Zooko at the Orchid (priv8) AMA live session.

Reference Links

Satoshi Has No Clothes: Failures in On-Chain Privacy by Ian Miers (Devcon4)

https://archive.devcon.org/archive/watch/4/satoshi-has-no-clothes-failures-in-on-chain-privacy

Talk abstract: Payments in Ethereum and Bitcoin are, by default, transparent. Transactions are conducted between pseudonyms with the sender, recipient and value exposed. While this transparency enhances auditability and decentralization, it is a major privacy issue. A growing volume of research shows that these pseudonymous identities are easily linkable. This is a major issue for privacy, fungibility, and a free market. A variety of techniques have been proposed to alleviate these issues. These include but are not limited to Confidential Transactions + CoinJoin, RingCT/CryptoNote, Zerocoin, Zerocash, Hawk, and Solidus. These techniques span a large multidimensional performance envelope in terms of transaction generation and validation time, size, as well as a range of cryptographic assumptions and data retention requirements. At the same time, these protocols offer markedly different levels of privacy against various threat models. Which one should we use? If performance were the sole issue, then systems without such enhancements would likely be preferred. Clearly some amount of privacy is necessary and the cost of getting it acceptable. The question is thus, which approaches provide sufficient privacy, in what contexts, and at what cost? Speaker: Ian Miers. Skill level: Beginner. Track: Privacy. Devcon 4 was held in Prague, Czech Republic on Oct 30 - Nov 2, 2018.