Post on 27-Sep-2020

BLOCKCHAIN PRIVACY

Zooko Wilcox 9-10 April 2018

Part 1: A History of Cryptography

Zooko Wilcox 9 April 2018

Crypto discoveries & deployments

Symmetric Key Encryption

‣ Julius Caesar (50 BC)

‣ Alan Turing (1940s)

Public Key Cryptography

‣ Cocks & Ellis (1960s)

‣ Merkle

‣ Diffie & Hellman

‣ Rivest, Shamir & Adleman (1970s)

Zero-knowledge proofs

‣ Goldwasser, Micali et al. (1980s)

Blockchain

‣ Nakamoto (2009)

TLS

‣ Deploy public key crypto (1990s)

Zcash

‣ Deploy zero-knowledge proofs (2016)

From Caesar to Turing...

In the 60s & 70s...

In the 70’s...

In the 80’s...

Part 2: Cryptography Fundamentals

Zooko Wilcox 9 April 2018

Symmetric Encryption

Public Key Cryptography

[Figure labels: A, A]

Hash function

[Figure labels: a76fb6813c70bbf4d2fa..., a76fb6813c70bbf4d2fa...]

Hash function

[Figure labels: a76fb6813c70bbf4d2fa..., b1a65f0d9cd2b85fa71c...]

Digital signatures

[Figure labels: a76fb6813c70bbf4d2fa..., a76fb6813c70bbf4d2fa..., A]

Zero-knowledge proofs

TLS/HTTPS

https://blog.cryptographyengineering.com/2012/09/06/on-provable-security-of-tls-part-1/

End-to-end encryption (client-client)

https://heimdalsecurity.com/blog/wp-content/uploads/end-to-end-encryption-comparison.png

‣ Demo:

Signature verification

https://commons.wikimedia.org/wiki/File:Digital_Signature_diagram.svg

‣ Demo:

Part 3: Blockchain History

Zooko Wilcox 9 April 2018

Before 2009...

‣ eCash (David Chaum, 1983), then DigiCash (1995)

‣ Bit gold (Nick Szabo, 1998)

‣ Hashcash (Adam Back, 1997)

In 2009...

‣ The Times 03/Jan/2009 Chancellor on brink of second bailout for banks.

In 2009...

Building blockchains beyond bitcoin...

Part 4: Blockchain Fundamentals

Zooko Wilcox 9 April 2018

Blockchain

Verifying blocks

https://en.wikipedia.org/wiki/Bitcoin_network

‣ Demo:

Syncing the Zcash client

Part 5: Intro to Blockchain Privacy

Zooko Wilcox 10 April 2018

The problem with privacy in bitcoin

Bitcoin

Block number | Sender | Recipient | Amount
36809 | Address A | Address B | 3 BTC
38223 | Address B | Address C | 2 BTC
98001 | Address C | Address D | 1 BTC

Comparing different technologies

Technology Sender Recipient Transaction details

Stealth addresses

Confidential transactions

Decoys/mixins

zk-SNARKs

Implementations combining multiple technologies

Implementation Sender Recipient Amount

Confidential Transactions

CryptoNote

Monero with RingCT

Zcash

Types of decoys/mixins

CoinJoin

Mimblewimble

RingSig

Fragility of decoys/mixins

Deanonymizing decoy/mixins

https://monerolink.com

TXN6 UTXO12

UTXO7 UTXO12

Deanonymizing RingCT

[Figure labels: Buyer, Seller, Exchange; TXN1 (UTXO1); UTXO1, UTXO2, UTXO3, UTXO4, UTXO5]

Deanonymizing RingCT

[Figure labels: Buyer, Seller, Exchange; TXN2 (UTXO6); UTXO6, UTXO7, UTXO8, UTXO9, UTXO10]

Deanonymizing RingCT

[Figure labels: Buyer, Exchange; TXN1 (UTXO1), TXN2 (UTXO6); UTXO1, UTXO2, UTXO3, UTXO4, UTXO5, UTXO6, UTXO7, UTXO8, UTXO9, UTXO10]

Part 6: Privacy in Zcash

Zooko Wilcox 11 April 2018

Transparent & Shielded

‣ Forked Bitcoin (v 0.11.2)

‣ Transparent addresses: public & verifiable

‣ Shielded addresses: encrypted & verifiable (+ memo field)

Blockchain

Encryption

Blockchain + encryption

Zero-knowledge in Zcash (as a spreadsheet)

Bitcoin vs Zcash

Bitcoin

Block number | Sender | Recipient | Amount
36809 | Address A | Address B | 3 BTC
38223 | Address B | Address C | 2 BTC
98001 | Address C | Address D | 1 BTC

Zcash

Block number | Sender | Recipient | Amount | Proof
36809 | Encrypted | Encrypted | Encrypted | hcv5…
38223 | Encrypted | Encrypted | Encrypted | m89g…
98001 | Encrypted | Encrypted | Encrypted | mv7l…

Selective disclosure

‣ Allows either party to a transaction to disclose transaction details to a third party, while keeping them hidden from everyone else

What Deutsche Bank, Citadel, the SEC, and the DTCC see:

Deutsche Bank sells 1,000,000 US912828P469 to Citadel at USD 97.567574

What the trade reporting repository or market data aggregator sees:

⌷⌷⌷⌷⌷⌷⌷⌷⌷⌷ sells ⌷⌷⌷⌷⌷⌷⌷ US912828P469 to ⌷⌷⌷⌷ at USD 97.567574

What everyone else sees:

⌷⌷⌷⌷⌷⌷⌷⌷⌷⌷ sells ⌷⌷⌷⌷⌷⌷⌷ ⌷⌷⌷⌷⌷⌷⌷⌷⌷⌷ to ⌷⌷⌷⌷ at ⌷⌷⌷ ⌷⌷⌷⌷⌷⌷⌷

Zerocash

rt = Merkle-tree root
cm = note commitment
nu = note nullifier
v = note value
r, s = commitment rand.
p = nullifier rand.
(a_pk, pk_enc) = address public key
(a_sk, sk_enc) = address secret key

(a) Merkle-tree over (cm1, cm2, ...)
(b) note: c = ((a_pk, pk_enc), v, p, r, s, cm)
(c) note commitment
(d) note nullifier

[Figure labels: (a) tree of CRH nodes with root rt over leaves cm1, cm2, cm3, cm4, cm5, cm6, cm7, cm8, ...; (c) and (d) CRH, cm, COMM_s, COMM_r, v, a_pk, PRF^addr, 0, p, PRF^nu, a_sk, nu]

Sprout zk-SNARKs

[Figure labels: p, a_pk, rt, fee; ZKP; Vin1, Vin2; Vout1, Vout2; ZUTXO1, ZUTXO2; ZUTXO1, ZUTXO2; NF1, NF2; SEC1, SEC2; COMM1, COMM2; public, private]

Sapling zk-SNARKs

[Figure labels: Input: rt, NF, NOTE, V, ZKP; Output: NOTE, V, ZKP]

[Figure labels: Inputs and Outputs, each a column of V and ZKP pairs; commitment, +; public, private]

Vin = Vout + fee

Pedersen commitment

G^R x H^V

Part 6: Privacy Use Cases

Zooko Wilcox 11 April 2018

Payments with Symmetric Encryption

Payments with Public Key Cryptography

Payments with ZKP & Blockchain

Get involved!

Mine Zcash! Pay and get paid in Zcash! Write code! Apply for grants!

‣ Foundation - https://z.cash.foundation

‣ Code - https://github.com/zcash

‣ Chat - https://chat.zcashcommunity.com