<!DOCTYPE html>
<html lang="en-US">
<head>
<meta charset='utf-8'>
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" href="/assets/css/style.css?v=47bbb5f0c2b88c044894e21dc589cc64b0a99fe4">
<!-- Begin Jekyll SEO tag v2.6.1 -->
<title>Shielded Coinbase ZIP213 Considered Harmful | Attacking Zcash For Fun And Profit</title>
<meta name="generator" content="Jekyll v3.8.7-CVE.2020.14001" />
<meta property="og:title" content="Shielded Coinbase ZIP213 Considered Harmful" />
<meta property="og:locale" content="en_US" />
<link rel="canonical" href="https://attackingzcash.com/shielded-coinbase/" />
<meta property="og:url" content="https://attackingzcash.com/shielded-coinbase/" />
<meta property="og:site_name" content="Attacking Zcash For Fun And Profit" />
<script type="application/ld+json">
{"@type":"WebPage","headline":"Shielded Coinbase ZIP213 Considered Harmful","url":"https://attackingzcash.com/shielded-coinbase/","@context":"https://schema.org"}</script>
<!-- End Jekyll SEO tag -->
</head>
<body>
<header>
<div class="container">
<a id="a-title" href="/">
<h1>Attacking Zcash</h1>
</a>
<h2></h2>
<section id="downloads">
</section>
</div>
</header>
<div class="container">
<section id="main_content">
<h1 id="shielded-coinbase-zip213-considered-harmful">Shielded Coinbase ZIP213 Considered Harmful</h1>
<h2 id="tldr">TLDR</h2>
<ul>
<li>Shielded Coinbase (<a href="https://zips.z.cash/zip-0213" target="_blank">ZIP213</a>) is a new Zcash Protocol consensus change</li>
<li>It allows mining directly to a shielded address</li>
<li>This sounds good at first, but has many problems</li>
<li>It actually reduces privacy of miners, as <a href="https://twitter.com/feministPLT/status/1264858630068875264">Duke Leto pointed out to the creator of Zcash Protocol</a></li>
<li>Zcash is marketing this as a new feature, when it’s really a bug</li>
</ul>
<center>
<img src="zip213-meme.png" />
</center>
<h2 id="what-is-shielded-coinbase">What is Shielded Coinbase?</h2>
<p>Firstly, what is coinbase? We are not talking about the evil company, we are talking about newly mined
coins. The internals of Bitcoin refer to this as “coinbase”, which is a cool name and why the evil
company stole it, to make their vile KYC seem palatable.</p>
<p>Every cryptocoin has “coinbase”, which are the brand new coins that come as the “block reward” in a new
block. All coinbase traditionally goes to a transparent address.</p>
<p>Shielded coinbase is a new feature of Zcash Protocol where a miner can mine to a shielded address (zaddr)
instead of a transparent address (taddr). Sounds like a huge privacy win, right? At first glance, yes.
But then with further perusal, we will find that because of <em>how</em> Zcash Company chose to implement this feature
and because of some previous technical limitations, this feature will actually <em>reduce</em> privacy of the individual
miner and the shielded pool.</p>
<center>
<a href="https://twitter.com/feministPLT/status/1264858630068875264" target="_blank"><img src="zip213.png" /></a>
</center>
<h2 id="why-does-shielded-coinbase-reduce-miner-privacy">Why does Shielded Coinbase reduce miner privacy?</h2>
<p>A few fundamental reasons conspire together to forcefully leak metadata when ZEC miners use ZIP213:</p>
<ul>
<li>Miners must hardcode their zaddr via the command-line</li>
<li>Miners must make their zaddr public, in the block metadata</li>
<li>Active attacks against zaddrs require knowing the zaddr</li>
</ul>
<p>Because miners must set their zaddr when starting their node, it will be fixed until the next time they stop and restart.
This encourages miners to set one zaddr and mine to it for long periods of time, since changing it would require
stopping and restarting a node. Not only is that extra work, but you cannot mine while your node is restarting, so it
has a definite cost that can be calculated, per minute of downtime. Miners do not want downtime and hence they will
not use the feature correctly.</p>
<p>The first issue could be fixed with technical changes, but most likely will not, because ZIP213 was meant mostly
for marketing purposes and not for increasing chain privacy.</p>
<p>Lastly, various attacks against shielded addresses exist, but usually require <em>knowing</em> the address, so transactions
can be sent to it. Shielded Coinbase forces a miner to publicize their address and hence opens them up to
Denial-of-Service attacks and De-Anonymization Attacks which are only possible if the attacker knows your address.</p>
<p>The author of Zcash Protocol offers the advice to use only one zaddr for mining and then use private zaddrs for other
uses. This is not as private as you could be, since in the past there was <a href="http://duke.leto.net/2019/10/01/zcash-metadata-leakage-cve-2019-16930.html" target="_blank">CVE-2019-16930</a> which could identify the IP address
of a zaddress. If another similar bug happens, which is very possible, IP addresses of miner zaddrs could be correlated
to IP addresses of the other zaddrs, proving they are owned by the same person who is running a node at that IP address.
To address this, miners using ZIP213 should use completely distinct wallets with different IP addresses for maximum
privacy. As we all know users of software do the least work to get the job done, these things won’t happen and miners
are likely to use the tech in a <em>privacy-destroying</em> manner.</p>
<p>This is why zaddrs should <em>never</em> be made public, and they should only be given to parties that must absolutely know them,
i.e. people sending funds to that address.</p>
<h2 id="shielded-coinbase-is-optimized-for-auditability">Shielded Coinbase Is Optimized for Auditability</h2>
<p>Zcash Company wrote this feature with maximal auditability in mind, which is why privacy suffers so badly. The Hush community
feels that optimizing for this defeats the entire purpose of the technology.</p>
<p>Auditability means that the address being mined to is public, and it’s public how much is being mined and at what time, because
mining data is public.</p>
<p>Since Zcash refuses to enforce privacy on their mainnet and only 5% of funds use privacy features, it makes sense for Zcash
mainnet to have ZIP213. There is no privacy anyway.</p>
<p>The Komodo and Hush communities will not be implementing ZIP213 in any of our blockchains, because we feel it’s a privacy
regression rather than improvement.</p>
<h2 id="zip213-hurts-the-entire-shieded-pool">ZIP213 Hurts The Entire Shielded Pool</h2>
<p>Not only does using this “feature/bug” from ECC hurt the individual miner, but it hurts the entire privacy of Zcash mainnet.
From the perspective of a chain analysis company, Shielded Coinbase leaks extra metadata about miners compared to the traditional way of mining.
This is especially bad given recent <a href="https://eprint.iacr.org/2020/627" target="_blank">metadata attacks against Zcash Protocol</a>.</p>
<p>Normally, a miner receives funds to a taddr, <em>then</em> sends them to a zaddr. This is a very privacy-preserving process, as the zaddr
NEVER APPEARS PUBLICLY.</p>
<p>With ZIP213, a miner PUBLISHES their zaddr (something the Hush community considers extremely bad for privacy) and then proceeds
to publish various details in transactions that are mined to the public zaddr. It’s similar to saying “this is my z2z transaction id and also
the amounts that were involved and the address”, which removes all privacy from the transaction, while still being able to say
that a shielded address is used.</p>
<center>
<a href="https://twitter.com/least_nathan/status/1283800664838045696" target="_blank">
<img src="leastnathan-zip213.png" />
</a>
</center>
<p>Even if funds are then moved again to another zaddress, chain analysis companies will use this historical data to correlate
which miners sold to which exchanges that were then used later on in various transactions. The metadata infects the blockchain
history <em>forever</em>.</p>
<p>Not only does this happen once, but it happens <em>continuously</em>, a stream of metadata leakage, as a miner uses ZIP213 and does
not change their zaddr. Zcash chose to do this <em>on purpose</em> for supply audit reasons, but it ends up ruining any kind of
improvement to privacy.</p>
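<p>As an added illustration (not code from the original post, nor from any Zcash, Hush or Komodo project), the following Python sketch models what a chain observer can attribute to a miner's zaddr from public block data under Shielded Coinbase versus the taddr-then-shield pattern described above; the addresses, heights and reward amount are constructed sample values.</p>

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample records (not real chain data). Each record is only what an
# outside observer can read from public block data: the height, the amount, a
# taddr if one is involved, and the recipient zaddr *only* when the protocol
# exposes it, which is the Shielded Coinbase case. Address strings are made up.
@dataclass
class PublicRecord:
    height: int
    kind: str                      # "coinbase" or "shield" (taddr -> zaddr)
    amount_zat: int                # amount in zatoshi, always public
    taddr: Optional[str] = None
    visible_zaddr: Optional[str] = None

BLOCK_REWARD_ZAT = 312_500_000    # constructed value for the sample blocks

# ZIP213 miner: every block reward names the same zaddr in public block data,
# because the zaddr is fixed on the command line until the node restarts.
ZIP213_CHAIN: List[PublicRecord] = [
    PublicRecord(h, "coinbase", BLOCK_REWARD_ZAT, visible_zaddr="zs1MINER_EXAMPLE")
    for h in range(1000, 1010)
]

# Traditional miner: reward lands on a taddr, then is shielded. The t->z step
# reveals the amount and the taddr, but the destination zaddr never appears.
TRADITIONAL_CHAIN: List[PublicRecord] = []
for h in range(1000, 1010):
    TRADITIONAL_CHAIN.append(PublicRecord(h, "coinbase", BLOCK_REWARD_ZAT, taddr="t1MINER_EXAMPLE"))
    TRADITIONAL_CHAIN.append(PublicRecord(h + 20, "shield", BLOCK_REWARD_ZAT, taddr="t1MINER_EXAMPLE"))

def zaddr_profiles(chain: List[PublicRecord]) -> Dict[str, dict]:
    """Build, per publicly visible zaddr, the mining profile an observer gets for
    free: how many blocks, how much, and over which height range."""
    profiles: Dict[str, dict] = {}
    for rec in chain:
        if rec.visible_zaddr is None:
            continue                # nothing to attribute to any zaddr
        p = profiles.setdefault(rec.visible_zaddr,
                                {"blocks": 0, "total_zat": 0, "first": rec.height, "last": rec.height})
        p["blocks"] += 1
        p["total_zat"] += rec.amount_zat
        p["first"] = min(p["first"], rec.height)
        p["last"] = max(p["last"], rec.height)
    return profiles

if __name__ == "__main__":
    print("ZIP213:", zaddr_profiles(ZIP213_CHAIN))                 # one zaddr, full mining history
    print("taddr-then-shield:", zaddr_profiles(TRADITIONAL_CHAIN))  # {} : no zaddr exposed
```

Running it shows the ZIP213 zaddr accumulating a continuous block-by-block profile across the whole height range, while the taddr-then-shield chain yields no zaddr profile at all.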
<h2 id="shielded-mining-pool-payouts">Shielded Mining Pool Payouts</h2>
<p>We want to clarify that we are talking about solo miners and mining pools receiving block rewards directly from the blockchain,
not pool miners getting payouts. Getting paid out to a shielded address is very good for privacy! Everything here is specific
to Shielded Coinbase. Pooled miners who are getting payouts to zaddrs do not need to take any action. Those payouts do not expose their addresses publicly, unlike Shielded Coinbase.</p>
<h2 id="conclusions">Conclusions</h2>
<ul>
<li>Don’t solo mine directly to a zaddr on any blockchain.</li>
<li>Mine to a taddr, then send to a zaddr, while keeping your zaddr private.</li>
<li>Question anything coming from Zcash Foundation + ECC</li>
<li><a target="_blank" href="https://hush.is">Hush</a> and <a target="_blank" href="https://komodoplatform.com">Komodo</a> will not implement Shielded Coinbase, it’s bad for privacy</li>
<li>If Zcash truly cared about privacy, they would enforce usage of shielded addresses</li>
</ul>
</section>
<div>
<section id=footer>
<hr>
<a href="https://hush.is/telegram">Telegram</a> <br/>
Buy/Sell HUSH: <a href="https://safe.trade/trading/hushbtc">SafeTrade</a>
</section>
</div>
</div>
</body>
</html>