Ethereum Adoption of Zk-SNARK Technology (z.cash)
153 points by ianopolous 10 months ago | 36 comments

The Metropolis release adds ADD and MUL operations on an elliptic curve, which makes it possible to implement ring signatures. That opens up use cases like anonymous funds transfer similar to Monero and zCash.
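For readers who want to see what the ADD and MUL operations mentioned above actually compute, here is an added example (not code from the original thread, nor from Ethereum or Zcash): a pure-Python model of the alt_bn128 G1 point addition and scalar multiplication that Byzantium exposes as precompiled contracts at addresses 0x06 and 0x07 (EIP-196), including the precompile's byte-level ABI and its input validation. The curve constants are the public alt_bn128 parameters; the function names and the `ValueError` used to stand in for a failed precompile call are this example's own choices.

```python
# Added example: model of the Byzantium EIP-196 precompiles (ECADD at 0x06,
# ECMUL at 0x07) on alt_bn128 G1: y^2 = x^3 + 3 over F_p.
# Not the client's code; the function names below are this example's own.

# Public alt_bn128 parameters (field modulus and G1 group order).
P = 21888242871839275222246405745257275088696311157297823662689037894645226208583
N = 21888242871839275222246405745257275088548364400416034343698204186575808495617
B = 3
G1 = (1, 2)   # generator
INF = None    # point at infinity (encoded on the wire as (0, 0))


def is_on_curve(pt):
    """Range-check the coordinates and verify the curve equation."""
    if pt is INF:
        return True
    x, y = pt
    return 0 <= x < P and 0 <= y < P and (y * y - x * x * x - B) % P == 0


def add(p1, p2):
    """Affine point addition, handling doubling and p1 == -p2."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return INF                      # p1 + (-p1)
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P   # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def mul(pt, k):
    """Double-and-add; k is an arbitrary 256-bit integer, not reduced mod N."""
    result, addend = INF, pt
    while k > 0:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result


def _words(data, n):
    # The precompile reads n 32-byte big-endian words, zero-padding short input.
    data = data[: 32 * n].ljust(32 * n, b"\x00")
    return [int.from_bytes(data[32 * i: 32 * (i + 1)], "big") for i in range(n)]


def _decode_point(x, y):
    if x == 0 and y == 0:
        return INF
    pt = (x, y)
    if not is_on_curve(pt):
        # The real precompile fails the call here; ValueError stands in for that.
        raise ValueError("input point is not on alt_bn128")
    return pt


def _encode_point(pt):
    if pt is INF:
        return bytes(64)
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")


def ecadd_precompile(data: bytes) -> bytes:
    """Address 0x06: 128 bytes in (x1, y1, x2, y2), 64 bytes out."""
    x1, y1, x2, y2 = _words(data, 4)
    return _encode_point(add(_decode_point(x1, y1), _decode_point(x2, y2)))


def ecmul_precompile(data: bytes) -> bytes:
    """Address 0x07: 96 bytes in (x, y, scalar), 64 bytes out."""
    x, y, k = _words(data, 3)
    return _encode_point(mul(_decode_point(x, y), k))


if __name__ == "__main__":
    g = _encode_point(G1)
    two = (2).to_bytes(32, "big")
    print("2G via ECADD == 2G via ECMUL:",
          ecadd_precompile(g + g) == ecmul_precompile(g + two))
    print("N*G is the point at infinity:", mul(G1, N) is INF)
```

The on-curve check in `_decode_point` is the security-relevant part: a precompile that accepted arbitrary (x, y) pairs would let a caller feed points from a different, possibly small-order curve into a signature or proof verifier, so an invalid point must make the whole call fail rather than return garbage.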

While interesting, privacy is not a switch you use when you really need it. It has to be always on, to protect everyone.

What do you mean?

You can only be anonymous by blending into a large anonymity set. If the very act of using the privacy features singles you out as being part of a small set that is trying to be covert then it makes things worse.

If you're the only one using Tor on a network, you can be easily singled out and identified.

Presumably this relies on Zcash's Trusted Setup which was likely compromised:

>“Morgen, why is your phone playing the audio from our Google Hangout?” asked Wilcox, bemused, curious, and slightly alarmed.


The incident happened in 1 of 6 stations around the world, each creates a shard of the key.

So if the phone compromised the air-gapped machine on the other side of the room (which the article concludes is unlikely) the attacker has 1/6 of the key.

Do you have any evidence, even circumstantial, that the other 5 stations were compromised? Or do you have some other reason to believe the entirety of Zcash is "likely compromised"?

No proof whatsoever, but the ceremony and who was involved was most certainly known ahead of time.

Is prudence not prudent in matters such as these?

Does anybody actually understand the implications of this? This press release is very light on information. What does this technology being added to Ethereum enable that wasn't possible before?

For those interested in more details, avsa (@avsa, Alex Van de Sande, Ethereum UX guy) broke down a list of the Metropolis (Byzantium) changes a few days ago: https://www.reddit.com/r/ethereum/comments/702t95/eli5_byzan...

You can read the release notes here btw, which point to the EIP and GitHub issues for "Precompiled contracts for modular exponentiation; elliptic curve addition, scalar multiplication and pairing": https://blog.ethereum.org/2017/09/14/geth-1-7-megara/

AFAIK there were only 4 precompiled contracts (ECDSARECOVER, SHA256, RIPEMD, and IDENTITY) so this is sort of a big deal, but I think the right way to go (being able to natively support zkSNARKs, or RingCT/RuffCT directly on ETH) would be incredibly powerful.

The practical implications of this particular change are being able to run private tokens directly on Ethereum (vs globally visible transactions), although AFAIK the initial zkSNARKs implementation is not currently compatible w/ ERC20 tokens.

The elliptic curve pairings that will be added to Metropolis will enable fully anonymous transactions as in Zcash. The zk-SNARKS that Zcash uses for currency transactions can be used for a wider variety of transactions in Ethereum. The elliptic curve tech will also enable things like the BLS signatures used by Dfinity.

As a practical note, on that curve, Zcash is about the limit in terms of complexity for what you can do practically with a SNARK. This is why ZCash is switching to a much faster construction and supporting curve which gives it a lot of room for interesting features. As Vitalik mentioned on twitter, however, that is a long way away for Ethereum.

Most applications of the pairing curve operations are probably going to be signatures and the like, not SNARKs for this reason.

In short - confidential payments.

A bit longer...

Normally when you send a payment with crypto currencies you leave a trace in the blockchain. i.e. other people can see which address is sending how much to where. This information is required so that the transaction can be validated by all nodes.

The zk-SNARK technology allows you to send a payment without revealing who sent how much to where.

Can you help me understand why this is the case? Would it not be possible to map all other addresses or to monitor balances of all other addresses and infer? I think this one is over my head.

Just wrote a blog post about this. You can use SNARKs verification for data privacy https://medium.com/@mhluongo/zero-knowledge-proofs-zcash-and...

I found it funny that Zooko Wilcox-O'Hearn, who started the ZCash project and has a background in cryptography and security, publicly admitted to not understanding how Zk-SNARK works. I once spent a long evening trying to understand it.. involving lots of analogies about Ali Baba going into caves.. but still no idea.

There's also the famous tweet where Zooko said he'd consider bypassing anonymity of ZCash in order to help authorities catch the WannaCry hackers [0] [lol j/k]

I like ZCash but I think Z-transactions (anonymous) should be the default as there have been advances in the performance and memory requirements [1]

[0] - https://twitter.com/zooko/status/863202798883577856

[lol j/k] - https://twitter.com/zooko/status/863543600663101440

[1] - https://twitter.com/ebfull/status/907997752709091329

And "Zcash partners with JP Morgan" doesn't exactly scream anonymity to me.


I found this article about Zero-Knowledge proofs to be very helpful.


There's plenty of information here: https://z.cash/technology/zksnarks.html

Why isn’t there a private key to view the transaction in the ledger? Seems like this way the transaction could be private except if parties wish to release?

Similarly, would it make sense to have to mine the ledger or transactions? Similar to gas, depending on how secure you want you could adjust the complexity/duration to mine. Perhaps involved parties could mine at a great discount given their transaction to seed the mining where a 3rd party could take months or more.

These thoughts have been bouncing around in my head for a while. Thought I’d pass along for whatever they’re worth.

Monero has something similar. Private keys to send your coins and private keys to see transaction details. When looking at the transactions, you can see 'something was transferred', but the addresses and amounts are encrypted. You can only see the details (of your half of the transaction) by using your private key to view it.

Because other parties need to verify or view that transaction. How else will you know that you've received money?

This could have an interesting effect on incentives for hackers. Now, any hacker should be able to cash their winnings out instantly and anonymously.

They already can. They could convert the tokens they steal into zCash or Monero (or zCoin, Dash, Particl, PIVX, etc) and transfer anonymously. Adding this feature to Ethereum just means one less step.

The only anonymous cryptocurrency we know we can trust right now is Monero. Zcash has a way to prove itself.

The post claims "the addition of the zk-SNARK technology does not by itself provide privacy protection for Ethereum users. There is a new tool in the toolbox, but for now Ethereum transactions are no more private than before."

Does this just mean that Byzantium does not contain the ability to somehow convert Ether into Zcash? That would seem to be the feature that would enable existing ethereum balances to become anonymized.

ether and zcash live on separate chains. there's work underway that could allow for trustless cross chain exchange between ether and zcash (https://z.cash/blog/project-alchemy.html). This new crypto primitive in Byzantium is one of the things required for that project.

with Byzantium, it's now possible to create a zcash-like token on top of ethereum (it would however be wholly separate from zcash). since it lives inside of ethereum, it would be easy to exchange for ether. however, its value would float separately. it might look something like this: https://github.com/zcash-hackworks/babyzoe.

Byzantium also makes it possible to create an ethereum contract into which you can deposit ether (locking it up), transact around privately with others, and then later withdraw back out into ether.

All of this adds up to something less secure and less practical than just using Monero.

What does this add that didn't exist before? Some here are stating that it will allow you to send anonymous transactions in Ethereum, but the post clearly states that "There is a new tool in the toolbox, but for now Ethereum transactions are no more private than before." So what's the point? Is this just a building block for future features around transaction privacy?

Found a great description:

'What can we do with a SNARKs-enabled Ethereum? Certain contract variables can be effectively made private. Instead of storing the secret information on-chain, it can be stored with users, who prove they’re behaving by the rules of the contract using SNARKs. Each of these uses require their own trusted setup, but once a circuit exists, it can be easily cloned. Imagine an ERC20-like token that doesn’t publish individual holders’ balances, while still maintaining a public and predictable token supply, or a lending platform that keeps the terms of a loan private.'


If anyone is looking for an overview of SNARKs and what this means for Ethereum, I wrote it up for a series I'm doing on privacy https://news.ycombinator.com/item?id=15302841

> The addition of zk-SNARK technology into Ethereum is another validation, like the JP Morgan partnership, that privacy and auditability are important for business and for the economy, and that zk-SNARKs are the premier technology for privacy and auditability.

This sentence has no meaning. It was clearly written by a marketing department with no idea what they are talking about.

This is one area of blockchain and new cryptography that is genuinely worth its weight.

Will this make ZEC obsolete once it's established on Eth's network?

If you are interested in zcash, check out monero and zerocoin.io
