<!DOCTYPE html>
<html lang="en-US">
<head>
<meta charset='utf-8'>
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" href="/assets/css/style.css?v=47bbb5f0c2b88c044894e21dc589cc64b0a99fe4">

<!-- Begin Jekyll SEO tag v2.6.1 -->
<title>Shielded Coinbase ZIP213 Considered Harmful | Attacking Zcash For Fun And Profit</title>
<meta name="generator" content="Jekyll v3.8.7-CVE.2020.14001" />
<meta property="og:title" content="Shielded Coinbase ZIP213 Considered Harmful" />
<meta property="og:locale" content="en_US" />
<link rel="canonical" href="https://attackingzcash.com/shielded-coinbase/" />
<meta property="og:url" content="https://attackingzcash.com/shielded-coinbase/" />
<meta property="og:site_name" content="Attacking Zcash For Fun And Profit" />
<script type="application/ld+json">
{"@type":"WebPage","headline":"Shielded Coinbase ZIP213 Considered Harmful","url":"https://attackingzcash.com/shielded-coinbase/","@context":"https://schema.org"}</script>
<!-- End Jekyll SEO tag -->

</head>

<body>

<header>
<div class="container">
<a id="a-title" href="/">
<h1>Attacking Zcash</h1>
</a>
<h2></h2>

<section id="downloads">

</section>
</div>
</header>

<div class="container">
<section id="main_content">
<h1 id="shielded-coinbase-zip213-considered-harmful">Shielded Coinbase ZIP213 Considered Harmful</h1>

<h2 id="tldr">TLDR</h2>

<ul>
<li>Shielded Coinbase (<a href="https://zips.z.cash/zip-0213" target="_blank">ZIP213</a>) is a new Zcash Protocol consensus change</li>
<li>It allows mining directly to a shielded address</li>
<li>This sounds good at first, but has many problems</li>
<li>It actually reduces privacy of miners, as <a href="https://twitter.com/feministPLT/status/1264858630068875264">Duke Leto pointed out to the creator of Zcash Protocol</a></li>
<li>Zcash is marketing this as a new feature, when it’s really a bug</li>
</ul>

<center>
<img src="zip213-meme.png" />
</center>

<h2 id="what-is-shielded-coinbase">What is Shielded Coinbase?</h2>

<p>Firstly, what is coinbase? We are not talking about the evil company; we are talking about newly mined
coins. The internals of Bitcoin refer to this as “coinbase”, which is a cool name and why the evil
company stole it, to make their vile KYC seem palatable.</p>

<p>Every cryptocoin has “coinbase”, which are the brand new coins that come as the “block reward” in a new
block. All coinbase traditionally goes to a transparent address.</p>

<p>Shielded coinbase is a new feature of Zcash Protocol where a miner can mine to a shielded address (zaddr)
instead of a transparent address (taddr). Sounds like a huge privacy win, right? At first glance, yes.
But on further perusal, we find that because of <em>how</em> Zcash Company chose to implement this feature
and because of some previous technical limitations, this feature will actually <em>reduce</em> the privacy of the individual
miner and the shielded pool.</p>

<center>
<a href="https://twitter.com/feministPLT/status/1264858630068875264" target="_blank"><img src="zip213.png" /></a>
</center>

<h2 id="why-does-shielded-coinbase-reduce-miner-privacy">Why does Shielded Coinbase reduce miner privacy?</h2>

<p>A few fundamental reasons conspire to force metadata leakage when ZEC miners use ZIP213:</p>

<ul>
<li>Miners must hardcode their zaddr via the command-line</li>
<li>Miners must make their zaddr public, in the block metadata</li>
<li>Active attacks against zaddrs require knowing the zaddr</li>
</ul>

<p>Because miners must set their zaddr when starting their node, it stays fixed until the next time they stop and restart.
This encourages miners to set one zaddr and mine to it for long periods of time, since changing it would require
stopping and restarting a node. Not only is that extra work, but you cannot mine while your node is restarting, so it
has a definite cost that can be calculated, per minute of downtime. Miners do not want downtime and hence they will
not use the feature correctly.</p>

<p>The first issue could be fixed with technical changes, but most likely will not be, because ZIP213 was meant mostly
for marketing purposes and not for increasing chain privacy.</p>

<p>Lastly, various attacks against shielded addresses exist, but they usually require <em>knowing</em> the address, so that transactions
can be sent to it. Shielded Coinbase forces a miner to publicize their address and hence opens them up to
Denial-of-Service attacks and De-Anonymization attacks, which are only possible if the attacker knows your address.</p>

<p>The author of Zcash Protocol offers the advice to use only one zaddr for mining and then use private zaddrs for other
uses. This is not as private as you could be, since in the past there was <a href="http://duke.leto.net/2019/10/01/zcash-metadata-leakage-cve-2019-16930.html" target="_blank">CVE-2019-16930</a>, which could identify the IP address
of a zaddress. If another similar bug happens, which is very possible, IP addresses of miner zaddrs could be correlated
to IP addresses of the other zaddrs, proving they are owned by the same person who is running a node at that IP address.
To address this, miners using ZIP213 should use completely distinct wallets with different IP addresses for maximum
privacy. Since, as we all know, users of software do the least work needed to get the job done, these things won’t happen and miners
are likely to use the tech in a <em>privacy-destroying</em> manner.</p>

<p>This is why zaddrs should <em>never</em> be made public, and they should only be given to parties that absolutely must know them,
i.e. people sending funds to that address.</p>

<h2 id="shielded-coinbase-is-optimized-for-auditability">Shielded Coinbase Is Optimized for Auditability</h2>

<p>Zcash Company wrote this feature with maximal auditability in mind, which is why privacy suffers so badly. The Hush community
feels that optimizing for this defeats the entire purpose of the technology.</p>

<p>Auditability means that the address being mined to is public, and it’s public how much is being mined and at what time, because
mining data is public.</p>

<p>Since Zcash refuses to enforce privacy on their mainnet and only 5% of funds use privacy features, it makes sense for Zcash
mainnet to have ZIP213. There is no privacy anyway.</p>

<p>The Komodo and Hush communities will not be implementing ZIP213 in any of our blockchains, because we feel it’s a privacy
regression rather than an improvement.</p>

<h2 id="zip213-hurts-the-entire-shieded-pool">ZIP213 Hurts The Entire Shielded Pool</h2>

<p>Not only does using this “feature/bug” from ECC hurt the individual miner, but it also hurts the privacy of the entire Zcash mainnet.
From the point of view of a chain analysis company, Shielded Coinbase leaks extra metadata about miners compared to the traditional way of mining.
This is especially bad given recent <a href="https://eprint.iacr.org/2020/627" target="_blank">metadata attacks against Zcash Protocol</a>.</p>

<p>Normally, a miner receives funds to a taddr, <em>then</em> sends them to a zaddr. This is a very privacy-preserving process, as the zaddr
NEVER APPEARS PUBLICLY.</p>

<p>With ZIP213, a miner PUBLISHES their zaddr (something the Hush community considers extremely bad for privacy) and then proceeds
to publish various details in transactions that are mined to the public zaddr. It’s similar to saying “this is my z2z transaction id and also
the amounts that were involved and the address”, which removes all privacy from the transaction, while still being able to say
that a shielded address is used.</p>

<center>
<a href="https://twitter.com/least_nathan/status/1283800664838045696" target="_blank">
<img src="leastnathan-zip213.png" />
</a>
</center>

<p>Even if funds are then moved again to another zaddress, chain analysis companies will use this historical data to correlate
which miners sold to which exchanges that were then used later on in various transactions. The metadata infects the blockchain
history <em>forever</em>.</p>

<p>This does not happen just once; it happens <em>continuously</em>, as a stream of metadata leakage, for as long as a miner uses ZIP213 and does
not change their zaddr. Zcash chose to do this <em>on purpose</em> for supply audit reasons, but it ends up ruining any kind of
improvement to privacy.</p>

<h2 id="shielded-mining-pool-payouts">Shielded Mining Pool Payouts</h2>

<p>We want to clarify that we are talking about solo miners and mining pools receiving block rewards directly from the blockchain,
not pool miners getting payouts. Getting paid out to a shielded address is very good for privacy! Everything here is specific
to Shielded Coinbase. Pooled miners who are getting payouts to zaddrs do not need to take any action. Those payouts do not expose
their addresses publicly, unlike Shielded Coinbase.</p>

<h2 id="conclusions">Conclusions</h2>

<ul>
<li>Don’t solo mine directly to a zaddr on any blockchain.</li>
<li>Mine to a taddr, then send to a zaddr, while keeping your zaddr private.</li>
<li>Question anything coming from Zcash Foundation + ECC</li>
<li><a target="_blank" href="https://hush.is">Hush</a> and <a target="_blank" href="https://komodoplatform.com">Komodo</a> will not implement Shielded Coinbase, because it’s bad for privacy</li>
<li>If Zcash truly cared about privacy, they would enforce usage of shielded addresses</li>
</ul>

</section>
<div>
<section id=footer>
<hr>
<a href="https://hush.is/telegram">Telegram</a> <br/>
Buy/Sell HUSH: <a href="https://safe.trade/trading/hushbtc">SafeTrade</a>
</section>
</div>

</div>

</body>
</html>