Nano-node: Would it be possible to implement zk-Snarks in Nano?

Created on 24 Aug 2018 · 11 Comments · Source: nanocurrency/nano-node

A lot of people are talking in Discord about implementing privacy in Nano. I think that the best way to do it is through zk-Snarks.

Nano doesn't need to be private, but it could offer it as an optional feature because, certainly, a shielded transaction wouldn't be instantaneous.

This is a library that implements zk-Snarks in C++, the same language as Nano, so it would facilitate the work: https://github.com/scipr-lab/libsnark

enhancement question

All 11 comments

A significant problem with implementing privacy is how to handle representative weights. Simply having private accounts not stake their balance may result in a much lower amount of staked nano.

One option for this could be to treat all "private accounts" as being represented by a single representative. How that representative is selected and maintained represents at least different problems.

@rkeene It sounds good, but I think that it could generate centralization.

I think that an anon transaction could happen between 2 accounts that have the same representative. So, the weight of the representative would be the same; the difference would be that we don't know how the coins are distributed between the accounts.

That's an extremely interesting idea, though I'll have to think about how limiting it would be (and if that could be enforced).

As said in the first post, it's important to note ZK-Snarks take intense computational power, so it really impacts the 'instant' claim of Nano (for senders). It should be opt-in only.

If accounts are forced to have the same representative, we can also have the representative facilitate the TX (for a fee). Sort of like how Dash handles PrivateSend...

In general, most privacy features take elevated computational power. This is the reason that anon should be an optional feature. For me, it is not possible for a currency that is private, instant, feeless, secure and light to exist.

IMO adding anonymity opt-in would be a good choice regardless of the CPU consumption. If this is for NANO's adoption and many Cryptocurrency advocates are also pushing for anonymity.
I'm not a dev, though.

It's not an issue for senders, but it does raise a concern for validators.

To be clear, you said in your post that you were discussing different anonymity options. What other options are there besides zk-snarks that are opt-in?

@brunoerg

How private would this make transactions?

@brunoerg While heralded at the time as a breakthrough, the use of zk-snarks has room for improvement. For one, there’s the fact that there’s no way to tell with any real certainty that the elaborate procedure used to set up the cryptocurrency wasn’t in some way compromised. A year after the launch, the zcash team is still putting out audits on the matter. Yet as critics point out, their results, while helpful in mitigating doubts, can’t ever be conclusive.

ZK-SNARKs have a few underlying issues that will lead to reduced adoption for leveraging zero-knowledge cryptography in blockchains and other potential implementations as well:

  1. The trusted setup phase can be compromised (there is an underlying assumption that when using a ZK-SNARK system, the trusted setup phase is secure)
  2. Scalability of ZK-SNARKs can be improved, as run-time increases, the time needed to generate and especially verify proofs needs to be improved
  3. ZK-SNARK cryptography is vulnerable to attacks from quantum computers

@asdfghjz Another option would be: ZK-STARKs
There are some important advantages of ZK-STARKs over ZK-SNARKs.

  1. One is their transparency, which avoids the need for trust between the participants when the system is set up. This is usually anathema to the cryptocurrency communities.
  2. Another important advantage is the assumptions underlying the system. ZK-SNARKs are based on Elliptic-Curve Cryptography, which is susceptible to advances in Quantum-Computers. Zk-STARKs, on the other hand, are Post-Quantum systems, meaning that even if Quantum-Computers become powerful and ubiquitous they will not have an advantage, compared to classical computers, in breaking ZK-STARKs (at least with our current knowledge of Quantum algorithms).
  3. Finally, ZK-STARKs have yet another advantage, which is that the Verification process is simpler and faster than in ZK-SNARKs.

There is a downside to ZK-STARKs, however, in that the proof size is some orders of magnitude larger than for ZK-SNARKs. This means the use of one or the other technique is not immediately a no-brainer. But research will certainly go on, and may yet find ways to reduce the proof size, which will make ZK-STARKs even more appealing than they already are. The maths also seems to be easier, so I’m favouring them instead of ZK-SNARKs.

Finally, if the topic is on privacy, other options would be using the three different privacy technologies of Monero: ring signatures, ring confidential transactions (RingCT), and stealth addresses. These hide the sender, amount, and receiver in the transaction, respectively. Bulletproofs make RingCT obscure transaction amounts more efficiently.

Three prominent proof systems are mentioned currently: ZK-SNARK (used by Zcash and a few others), ZK-STARK (commercialized by StarkWare, and sponsored by the Ethereum Foundation), and Bulletproofs (being explored by the Monero cryptocurrency).
Therefore, #721 is related to this topic.

Background information links
https://drive.google.com/file/d/1Osa0MXu-04dfwn1YOSgN6CXOgWnsp-Tu/view
https://www.coindesk.com/zk-starks-new-take-on-zcash-tech-could-power-truly-private-blockchains
https://medium.com/coinmonks/zk-starks-create-verifiable-trust-even-against-quantum-computers-dd9c6a2bb13d
https://ethereum.stackexchange.com/questions/59145/zk-snarks-vs-zk-starks-vs-bulletproofs-updated
https://zkp.science/
