Has there been any serious discussion about incorporating the results of PQCRYPTO in your protocol so Zcash is still secure and viable (at >= 2^128 security level) after the development of practical quantum computers?


Hi, I'm one of the ZCash scientists: Section 8.1 in the full paper describes how to get anonymity that survives quantum computers. (http://zerocash-project.org/media/pdf/zerocash-extended-2014...).

The zero-knowledge proof itself offers statistical privacy in the face of unbounded (so more powerful than quantum) attackers. So, surprisingly, you are mostly fine. But you would need to take two steps to protect yourself. First, you have to use each Zcash address only once.

Second, you need to use a post-quantum-secure means of notifying the recipient that they got a transaction and of conveying the coin commitment openings. The built-in mechanism in ZCash, which posts a ciphertext to the blockchain encrypted under the recipient's public key, is standard off-the-shelf public-key cryptography. It's efficient, but is of course not post-quantum secure. Nothing requires that you use this mechanism, however. You can always post a garbage ciphertext and inform the recipient some other way.
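As an added illustration of the two points in the reply above (this is example code written for this thread, not code from the post, the Zerocash paper, or the Zcash project), the block below models (a) why a commitment can hide its value from an unbounded attacker while only being computationally binding, using a Pedersen-style commitment over a toy safe-prime group, and (b) the "garbage ciphertext on chain, opening delivered out of band" workaround. The group parameters, the 64-byte ciphertext field, the record layout and the trapdoor-equipped setup are all assumptions made for the example; Zcash's own commitment and note-encryption constructions are not reproduced here.

```python
"""Illustration added to this thread (not Zcash's code): a Pedersen-style
commitment that is perfectly hiding but only computationally binding, and
the "garbage ciphertext on chain, opening delivered out of band" pattern.
Group, field sizes and record layout are toy assumptions."""
import random
import secrets
from dataclasses import dataclass


def is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin; adequate for generating toy parameters."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


@dataclass(frozen=True)
class Group:
    p: int  # safe prime, p = 2q + 1 (toy size; real systems use a curve)
    q: int  # prime order of the subgroup we commit in
    g: int  # generator of that subgroup
    h: int  # second generator; log_g(h) must be unknown to committers


def toy_setup(bits=64, seed=1):
    """Returns (group, trapdoor). The trapdoor t = log_g(h) exists only so
    the example can show that knowing it breaks binding; a real setup must
    never let anyone learn it."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q, rng) and is_probable_prime(2 * q + 1, rng):
            break
    p = 2 * q + 1
    g = 4  # a quadratic residue mod p, hence of prime order q
    t = rng.randrange(1, q)
    return Group(p, q, g, pow(g, t, p)), t


def commit(group, value, r):
    """C = g^value * h^r mod p. For uniformly random r, C is uniform over the
    subgroup whatever the value is: hiding holds even against an unbounded
    (quantum or otherwise) attacker, because every value is consistent with C."""
    assert 0 <= value < group.q
    return pow(group.g, value, group.p) * pow(group.h, r, group.p) % group.p


def equivocate(group, trapdoor, value, r, new_value):
    """With t = log_g(h): g^v h^r = g^v' h^r' iff v + t*r = v' + t*r' (mod q).
    Whoever holds t can reopen C to any value, so binding is only as strong
    as the discrete-log problem; hiding never depended on it."""
    return (r + (value - new_value) * pow(trapdoor, -1, group.q)) % group.q


@dataclass(frozen=True)
class OnChainOutput:
    commitment: int
    ciphertext: bytes  # the built-in mechanism would put an encryption of the opening here


@dataclass(frozen=True)
class Opening:
    value: int
    r: int


CIPHERTEXT_LEN = 64  # assumed size of the on-chain ciphertext field


def send_out_of_band(group, value):
    """Sender side of the workaround: post the commitment with a ciphertext
    field of random bytes shaped like a real ciphertext, and hand the opening
    to the recipient over a separate (post-quantum or physical) channel."""
    r = secrets.randbelow(group.q)
    output = OnChainOutput(commit(group, value, r), secrets.token_bytes(CIPHERTEXT_LEN))
    return output, Opening(value, r)


def recipient_accepts(group, output, opening):
    """Recipient recomputes the commitment from the out-of-band opening."""
    return commit(group, opening.value, opening.r) == output.commitment
```

Two practical caveats the model makes visible: the garbage ciphertext must have exactly the length and format of a genuine one, or out-of-band transactions become trivially fingerprintable on chain; and the out-of-band channel now carries the opening in the clear, so it needs its own post-quantum confidentiality. The first step in the reply (never reuse an address) is not modelled here, since it is a usage rule rather than a construction.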

