A lot of people are talking in Discord about implementing privacy in Nano. I think that the best way to do it is through zk-SNARKs.
Nano doesn't need to be private, but it could offer it as an optional feature because, certainly, a shielded transaction wouldn't be instantaneous.
This is a library that implements zk-SNARKs in C++, the same language as Nano, so it would facilitate the work: https://github.com/scipr-lab/libsnark
A significant problem with implementing privacy is how to handle representative weights. Simply having private accounts not stake their balance may result in a much lower amount of staked Nano.
One option for this could be to treat all "private accounts" as being represented by a single representative. How that representative is selected and maintained presents at least a few different problems.
@rkeene It sounds good, but I think that it could lead to centralization.
I think that an anonymous transaction could happen between 2 accounts that have the same representative. So, the weight of the representative would be the same; the difference would be that we don't know how the coins are distributed between the accounts.
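A toy model of the rule proposed above, as an added example that is not part of the original thread or of the Nano code base. It assumes a hypothetical ledger of accounts that each carry a balance and a representative, a hypothetical `shielded_transfer` that is only permitted when sender and receiver share a representative, and a simple hash commitment standing in for whatever proof system hides the amount. The point it demonstrates is the invariant the proposal relies on: per-representative voting weight is unchanged by a same-representative shielded transfer, so the network can keep computing weights from public data even though individual balances are hidden.

```python
"""Toy 'same representative' rule for shielded transfers.

Added illustration, not Nano code. The ledger, account layout and the
SHA-256 commitment are assumptions made for this example only.
"""
import hashlib
import os
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Account:
    balance: int          # hypothetical: raw units, hidden for shielded accounts
    representative: str   # public: the account's voting delegate


def sample_ledger():
    """Constructed sample data: two accounts under rep R1, one under R2."""
    return {
        "alice": Account(balance=100, representative="R1"),
        "bob": Account(balance=50, representative="R1"),
        "carol": Account(balance=200, representative="R2"),
    }


def representative_weights(ledger):
    """Public voting weight per representative (sum of delegated balances)."""
    weights = defaultdict(int)
    for acct in ledger.values():
        weights[acct.representative] += acct.balance
    return dict(weights)


def commit_amount(amount, nonce):
    """Hash commitment to an amount; hides it until (nonce, amount) is revealed."""
    return hashlib.sha256(nonce + amount.to_bytes(16, "big")).hexdigest()


def verify_commitment(commitment, nonce, amount):
    return commit_amount(amount, nonce) == commitment


def shielded_transfer(ledger, sender, receiver, amount):
    """Move `amount` without publishing it.

    Allowed only between accounts with the same representative, so the
    public weight table is provably unchanged. Returns the public record
    (commitment only) and the private opening the receiver would keep.
    """
    s, r = ledger[sender], ledger[receiver]
    if s.representative != r.representative:
        # Cross-representative transfers would change two public weights by
        # the hidden amount, which either leaks it or breaks weight accounting.
        raise ValueError("shielded transfers require a shared representative")
    if amount <= 0 or amount > s.balance:
        raise ValueError("invalid amount")

    before = representative_weights(ledger)
    s.balance -= amount
    r.balance += amount
    # Invariant the proposal depends on: weights are identical afterwards.
    assert representative_weights(ledger) == before

    nonce = os.urandom(16)
    record = {
        "from": sender,
        "to": receiver,
        "representative": s.representative,
        "amount_commitment": commit_amount(amount, nonce),
    }
    opening = {"nonce": nonce, "amount": amount}
    return record, opening


def public_transfer(ledger, sender, receiver, amount):
    """Ordinary transparent transfer, for contrast: weights may change."""
    s, r = ledger[sender], ledger[receiver]
    if amount <= 0 or amount > s.balance:
        raise ValueError("invalid amount")
    s.balance -= amount
    r.balance += amount
    return representative_weights(ledger)


if __name__ == "__main__":
    ledger = sample_ledger()
    print("weights before:", representative_weights(ledger))
    rec, opening = shielded_transfer(ledger, "alice", "bob", 30)
    print("public record :", rec)
    print("weights after :", representative_weights(ledger))
    print("weights after public alice->carol:", public_transfer(ledger, "alice", "carol", 10))
```

Note that the commitment here only hides the amount from the record; hiding it from validators while still proving `amount <= balance` is exactly the part that needs a zero-knowledge proof system, which this sketch does not provide.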
That's an extremely interesting idea, though I'll have to think about how limiting it would be (and if that could be enforced).
As said in the first post, it's important to note zk-SNARKs take intense computational power, so it really impacts the 'instant' claim of Nano (for senders). It should be opt-in only.
If accounts are forced to have the same representative, we can also have the representative facilitate the TX (for a fee). Sort of like how Dash handles PrivateSend...
In general, most privacy features require high computational power. This is the reason anonymity should be an optional feature. For me, it is not possible for a currency that is private, instant, feeless, secure and light to exist.
IMO adding anonymity as opt-in would be a good choice regardless of the CPU consumption. This would be for NANO's adoption, and many cryptocurrency advocates are also pushing for anonymity.
I'm not a dev, though.
It's not an issue for senders, but it does raise a concern for validators.
To be clear, you said in your post that you were discussing different anonymity options. What other options are there besides zk-SNARKs that are opt-in?
@brunoerg
How private would this make transactions?
@brunoerg While heralded at the time as a breakthrough, the use of zk-SNARKs has room for improvement. For one, there's the fact that there's no way to tell with any real certainty that the elaborate procedure used to set up the cryptocurrency wasn't in some way compromised. A year after the launch, the Zcash team is still putting out audits on the matter. Yet as critics point out, their results, while helpful in mitigating doubts, can't ever be conclusive.
ZK-SNARKs have a few underlying issues that will lead to reduced adoption for leveraging zero-knowledge cryptography in blockchains and other potential implementations as well:
@asdfghjz Another option would be: ZK-STARKs
There are some important advantages of ZK-STARKs over ZK-SNARKs.
There is a downside to ZK-STARKs, however, in that the proof size is some orders of magnitude larger than for ZK-SNARKs. This means the use of one or the other technique is not immediately a no-brainer. But research will certainly go on, and may yet find ways to reduce the proof size, which will make ZK-STARKs even more appealing than they already are. The maths also seems to be easier, so I'm favouring them instead of ZK-SNARKs.
Finally, if the topic is on privacy, other options would be using the three different privacy technologies of Monero: ring signatures, ring confidential transactions (RingCT), and stealth addresses. These hide the sender, amount, and receiver in the transaction, respectively. Bulletproofs make RingCT obscure transaction amounts more efficiently.
Three prominent proof systems are mentioned currently: ZK-SNARK (used by Zcash and a few others), ZK-STARK (commercialized by StarkWare, and sponsored by the Ethereum Foundation), and Bulletproofs (being explored by the Monero cryptocurrency).
Therefore, #721 is related to this topic.
Background information links
https://drive.google.com/file/d/1Osa0MXu-04dfwn1YOSgN6CXOgWnsp-Tu/view
https://www.coindesk.com/zk-starks-new-take-on-zcash-tech-could-power-truly-private-blockchains
https://medium.com/coinmonks/zk-starks-create-verifiable-trust-even-against-quantum-computers-dd9c6a2bb13d
https://ethereum.stackexchange.com/questions/59145/zk-snarks-vs-zk-starks-vs-bulletproofs-updated
https://zkp.science/