
Ethereum Adoption of Zk-SNARK Technology - ianopolous
https://z.cash/blog/ethereum-snarks.html
======
coolspot
The Metropolis release adds ADD and MUL operations on an elliptic curve, which
makes it possible to implement ring signatures. That opens up use cases like
anonymous funds transfer similar to Monero and zCash.
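
As an added illustration of what curve ADD and MUL alone buy you (this is example code written for this thread, not code from the z.cash post or from Ethereum): a minimal Spontaneous Anonymous Group (SAG) ring signature on alt_bn128, the curve behind the EIP-196 precompiles. Only point addition, scalar multiplication and a hash are used, so a contract could verify such a signature with the precompiles. The curve constants are the public alt_bn128 values; the key count, message and function names are chosen for the demo. This basic scheme is unlinkable, so it shows membership hiding but not double-spend protection; a Monero-style key image additionally needs hash-to-point, which is not shown here.

```python
# Added example: SAG ring signature from ECADD/ECMUL-style operations on alt_bn128.
import hashlib
import secrets

# alt_bn128: y^2 = x^3 + 3 over F_p, generator G = (1, 2), prime group order n
p = 21888242871839275222246405745257275088696311157297823662689037894645226208583
n = 21888242871839275222246405745257275088548364400416034343698204186575808495617
G = (1, 2)
INF = None  # point at infinity


def ec_add(P, Q):
    """Affine point addition (what the ECADD precompile computes)."""
    if P is INF:
        return Q
    if Q is INF:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2:
        if (y1 + y2) % p == 0:
            return INF                                  # P == -Q
        lam = 3 * x1 * x1 * pow(2 * y1, -1, p) % p      # doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    y3 = (lam * (x1 - x3) - y1) % p
    return (x3, y3)


def ec_mul(k, P):
    """Double-and-add scalar multiplication (what the ECMUL precompile computes)."""
    R = INF
    while k:
        if k & 1:
            R = ec_add(R, P)
        P = ec_add(P, P)
        k >>= 1
    return R


def hash_to_scalar(msg, ring, L):
    """c = H(msg, ring, L) reduced into the scalar field."""
    h = hashlib.sha256(msg)
    for X in ring + [L]:
        x, y = X if X is not INF else (0, 0)
        h.update(x.to_bytes(32, "big") + y.to_bytes(32, "big"))
    return int.from_bytes(h.digest(), "big") % n


def keygen():
    x = secrets.randbelow(n - 1) + 1
    return x, ec_mul(x, G)


def ring_sign(msg, ring, x, s):
    """Sign msg as ring member s (x = log_G ring[s]) without revealing s."""
    k = len(ring)
    c = [0] * k
    r = [0] * k
    alpha = secrets.randbelow(n - 1) + 1
    c[(s + 1) % k] = hash_to_scalar(msg, ring, ec_mul(alpha, G))
    for j in range(1, k):                       # walk the ring from s+1 back to s
        i = (s + j) % k
        r[i] = secrets.randbelow(n - 1) + 1     # decoy responses are random
        L = ec_add(ec_mul(r[i], G), ec_mul(c[i], ring[i]))
        c[(i + 1) % k] = hash_to_scalar(msg, ring, L)
    r[s] = (alpha - c[s] * x) % n               # close the loop with the real key
    return c[0], r


def ring_verify(msg, ring, sig):
    """Recompute the challenge chain; it must return to c_0."""
    c0, r = sig
    c = c0
    for i in range(len(ring)):
        L = ec_add(ec_mul(r[i], G), ec_mul(c, ring[i]))
        c = hash_to_scalar(msg, ring, L)
    return c == c0


def demo():
    keys = [keygen() for _ in range(3)]         # constructed 3-member ring
    ring = [pub for _, pub in keys]
    msg = b"spend note 42"                      # constructed sample message
    sig = ring_sign(msg, ring, keys[1][0], 1)   # member 1 signs
    return ring_verify(msg, ring, sig), ring_verify(b"other msg", ring, sig)
```

The verifier learns that one of the three ring keys produced the signature and nothing about which one; every step it performs is an ADD, a MUL or a hash, which is the point of exposing those two curve operations to contracts.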

~~~
etaty
While interesting, privacy is not a switch you use when you really need it. It
has to be always on, to protect everyone.

~~~
Kiro
What do you mean?

~~~
codingmyway
You can only be anonymous by blending into a large anonymity set. If the very
act of using the privacy features singles you out as being part of a small set
that is trying to be covert then it makes things worse.

------
grubles
Presumably this relies on Zcash's Trusted Setup which was likely compromised:

>“Morgen, why is your phone playing the audio from our Google Hangout?” asked
Wilcox, bemused, curious, and slightly alarmed.

https://spectrum.ieee.org/tech-talk/computing/networks/the-crazy-security-behind-the-birth-of-zcash

~~~
SippinLean
The incident happened in 1 of 6 stations around the world, each creates a
shard of the key.

So _if_ the phone compromised the air-gapped machine on the other side of the
room (which the article concludes is unlikely) the attacker has 1/6 of the
key.

Do you have any evidence, even circumstantial, that the other 5 stations were
compromised? Or do you have some other reason to believe the entirety of Zcash
is "likely compromised"?
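
A toy model of the "one shard out of six" argument above, added here as example code (it is not the article's or Zcash's own ceremony code): each participant raises the running public element to a secret share and publishes a proof of knowledge of that share, so the chain is publicly checkable while the combined secret is the product of all shares. The group is a stand-in: exponentiation modulo the Mersenne prime 2**521 - 1 instead of the pairing-friendly curve groups a real ceremony uses, and the Schnorr-style step proof is a simplification of the real protocol's proofs.

```python
# Added example: multi-party contribution chain with per-step proofs (simplified model).
import hashlib
import secrets

P = 2 ** 521 - 1        # Mersenne prime M521; stand-in for the curve group
ORDER = P - 1           # exponent modulus for Z_P^*
g = 3                   # stand-in public base element


def challenge(old, new, t):
    h = hashlib.sha256()
    for v in (old, new, t):
        h.update(v.to_bytes(66, "big"))
    return int.from_bytes(h.digest(), "big") % ORDER


def prove_step(old, new, share):
    """Schnorr-style proof that the contributor knows share with new == old^share."""
    k = secrets.randbelow(ORDER - 1) + 1
    t = pow(old, k, P)
    c = challenge(old, new, t)
    z = (k + c * share) % ORDER
    return t, z


def verify_step(old, new, proof):
    t, z = proof
    c = challenge(old, new, t)
    return pow(old, z, P) == t * pow(new, c, P) % P


def run_ceremony(num_participants):
    """Each station contributes in turn; returns (final element, shares, transcript)."""
    element = g
    shares = []
    transcript = []
    for _ in range(num_participants):
        s = secrets.randbelow(ORDER - 1) + 1     # the share this station must destroy
        new = pow(element, s, P)
        transcript.append((element, new, prove_step(element, new, s)))
        shares.append(s)
        element = new
    return element, shares, transcript


def verify_transcript(transcript):
    """Public check: the chain starts at g, is continuous, and every step is proven."""
    prev = g
    for old, new, proof in transcript:
        if old != prev or not verify_step(old, new, proof):
            return False
        prev = new
    return True


def toxic_waste(shares):
    """The combined secret: the product of every share."""
    tau = 1
    for s in shares:
        tau = tau * s % ORDER
    return tau


def attacker_reconstruct(leaked_shares):
    """What an attacker holding only some shares can compute: g^(product of leaked)."""
    return pow(g, toxic_waste(leaked_shares), P)
```

With six contributions, an attacker who learned five shares still holds an element that differs from the published one by an unknown exponent; recovering the combined secret needs every share, which is why the argument turns on whether all six stations were compromised, not one.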

~~~
honestlyreally
No proof whatsoever, but the ceremony and who was involved was most certainly
known ahead of time.

Is prudence not prudent in matters such as these?

------
wskinner
Does anybody actually understand the implications of this? This press release
is very light on information. What does this technology being added to
Ethereum enable that wasn't possible before?

~~~
chrispeel
The elliptic curve pairings that will be added to Metropolis will enable fully
anonymous transactions as in Zcash. The zk-SNARKs that Zcash uses for currency
transactions can be used for a wider variety of transactions in Ethereum. The
elliptic curve tech will also enable things like the BLS signatures used by
Dfinity.

~~~
ianmiers
As a practical note, on that curve, Zcash is about the limit in terms of
complexity for what you can do practically with a SNARK. This is why ZCash is
switching to a much faster construction and supporting curve which gives it a
lot of room for interesting features. As Vitalik mentioned on twitter,
however, that is a long way away for Ethereum.

Most applications of the pairing curve operations are probably going to be
signatures and the like, not SNARKs for this reason.

------
noddy1
I found it funny that Zooko Wilcox-O'Hearn, who started the ZCash project and
has a background in cryptography and security, publicly admitted to not
understanding how Zk-SNARK works. I once spent a long evening trying to
understand it, involving lots of analogies about Ali Baba going into caves,
but still have no idea.

~~~
hackerboos
There's also the famous tweet where Zooko said he'd consider bypassing the
anonymity of ZCash in order to help authorities catch the WannaCry hackers [0]
[lol j/k]

I like ZCash but I think Z-transactions (anonymous) should be the default, as
there have been advances in the performance and memory requirements [1]

[0] -
[https://twitter.com/zooko/status/863202798883577856](https://twitter.com/zooko/status/863202798883577856)

[lol j/k] -
[https://twitter.com/zooko/status/863543600663101440](https://twitter.com/zooko/status/863543600663101440)

[1] -
[https://twitter.com/ebfull/status/907997752709091329](https://twitter.com/ebfull/status/907997752709091329)

~~~
everdev
And "Zcash partners with JP Morgan" doesn't exactly scream anonymity to me.

https://www.coindesk.com/jpmorgan-partners-zcash-team-add-enterprise-security/

------
brentis
Why isn’t there a private key to view the transaction in the ledger? Seems
like this way the transaction could be private except if parties wish to
release?

Similarly, would it make sense to have to mine the ledger or transactions?
Similar to gas, depending on how secure you want you could adjust the
complexity/duration to mine. Perhaps involved parties could mine at a great
discount given their transaction to seed the mining where a 3rd party could
take months or more.

These thoughts have been bouncing around in my head for a while. Thought I’d
pass along for whatever they’re worth.

~~~
ChrisClark
Monero has something similar. Private keys to send your coins and private keys
to see transaction details. When looking at the transactions, you can see
'something was transferred', but the addresses and amounts are encrypted. You
can only see the details (of your half of the transaction) by using your
private key to view it.

------
drawnwren
This could have an interesting effect on incentives for hackers. Now, any
hacker should be able to cash their winnings out instantly and anonymously.

~~~
ChrisClark
They already can. They could convert the tokens they steal into zCash or
Monero (or zCoin, Dash, Particl, PIVX, etc) and transfer anonymously. Adding
this feature to Ethereum just means one less step.

~~~
mtgx
The only anonymous cryptocurrency we know we can trust right now is Monero.
Zcash has a way to prove itself.

------
nextstep
All of this adds up to something less secure and less practical than just
using Monero.

------
evbots
What does this add that didn't exist before? Some here are stating that it
will allow you to send anonymous transactions in Ethereum, but the post
clearly states that "There is a new tool in the toolbox, but for now Ethereum
transactions are no more private than before." So what's the point? Is this
just a building block for future features around transaction privacy?

~~~
evbots
Found a great description:

'What can we do with a SNARKs-enabled Ethereum? Certain contract variables can
be effectively made private. Instead of storing the secret information on-
chain, it can be stored with users, who prove they're behaving by the rules of
the contract using SNARKs. Each of these uses requires its own trusted setup,
but once a circuit exists, it can be easily cloned. Imagine an ERC20-like
token that doesn't publish individual holders' balances, while still
maintaining a public and predictable token supply, or a lending platform that
keeps the terms of a loan private.'

https://decentralize.today/zero-knowledge-proofs-zcash-and-ethereum-f6d89fa7cba8

------
mhluongo
If anyone is looking for an overview of SNARKs and what this means for
Ethereum, I wrote it up for a series I'm doing on privacy
[https://news.ycombinator.com/item?id=15302841](https://news.ycombinator.com/item?id=15302841)

------
dmitriid
> The addition of zk-SNARK technology into Ethereum is another validation,
> like the JP Morgan partnership, that privacy and auditability are important
> for business and for the economy, and that zk-SNARKs are the premier
> technology for privacy and auditability.

This sentence has no meaning. It was clearly written by a marketing department
with no idea what they are talking about.

------
ritarong
This is one area of blockchain and new cryptography that is genuinely worth
its weight.

------
eosophos
Will this make ZEC obsolete once it's established on Eth's network?

------
55555
If you are interested in zcash, check out monero and zerocoin.io

