Minimize cross-chain nullifier-related privacy leaks with self-churn and zero-fee self-churns #11

gojomo opened this issue Jun 18, 2019 · 3 comments


gojomo commented Jun 18, 2019

As mentioned in Zcash #4007, shielded spends on a chain-fork like Ycash will reveal the same nullifiers as on the 'parent' chain, causing a small privacy leak above-and-beyond what might also be revealed by things like correlated-amounts.

For example, consider a user who on Ycash sends some ZEC-that-became-Y-at-the-fork, via the Ycash chain, to one exchange, revealing a pre-fork nullifier. Later, that same user sends some of that pre-fork ZEC to another exchange or merchant. An observer who sees both of those receipts – perhaps because the receivers are both subject to security compromises, or legal demands, or are related-entities – will then know both spends came from the same keyholder.

A partial amelioration is suggested in a comment by Zooko: if on one or the other chain the user self-churns the funds, sort-of a same-pool funds-migration, then the 1st time the funds are sent to an outside party, nullifiers won't reveal any cross-chain correlation except that they were moved on both chains.

However, users might need to be reminded to do this, and the extra transaction fees involved could discourage the step. The Ycash client & consensus/miner rules could help, by: (1) offering an in-client 'churn' option, to break all nullifier-relationships with the 'parent' chain – and perhaps even prompting to run this at or soon after 1st launch; (2) waiving transaction-fees for all-shielded transactions that consume only pre-fork nullifiers. (And, it's much easier for Ycash to offer this than the parent chain, as the fork is already necessarily a consensus-change and self-aware of the relevant fork-height before which shared-nullifiers are problematic.)

While not necessary for the nullifier issue, the self-churn might even offer the option of moving funds to a new private key, and wipe all local record of the pre-churn key, to further minimize the risk of shared-keymatter ever leading to a future loss-of-funds on both chains.
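A toy model of the leak and of the self-churn mitigation described in the issue above, added here as an illustration; it is not part of the original thread or of the Ycash code. The keyed BLAKE2s hash is a simplified stand-in for the real nullifier derivation, and `Wallet`, `pay`, `self_churn`, `scenario` and the exchange labels are hypothetical names.

```python
import hashlib
import os

def nullifier(nk: bytes, rho: bytes) -> str:
    # Toy stand-in for the real derivation: a PRF of the spender's nullifier
    # key over a per-note value. Nothing chain-specific goes into it.
    return hashlib.blake2s(rho, key=nk).hexdigest()

class Wallet:
    """One chain's view of a keyholder: a nullifier key plus unspent notes."""
    def __init__(self, nk, notes):
        self.nk, self.notes = nk, list(notes)

    def fork(self):
        # A chain fork duplicates the same key and the same pre-fork notes.
        return Wallet(self.nk, self.notes)

    def _spend_all(self, recipient):
        tx = {"to": recipient,
              "nullifiers": {nullifier(self.nk, rho) for rho in self.notes}}
        self.notes = []
        return tx

    def pay(self, recipient):
        return self._spend_all(recipient)

    def self_churn(self):
        tx = self._spend_all("self")
        self.notes = [os.urandom(32)]  # new note exists on this chain only
        return tx

def shared(tx_a, tx_b):
    """Nullifiers an observer holding both transactions can match."""
    return tx_a["nullifiers"] & tx_b["nullifiers"]

def scenario(churn_first: bool):
    parent = Wallet(os.urandom(32), [os.urandom(32)])  # constructed sample note
    child = parent.fork()
    churn = child.self_churn() if churn_first else None
    return parent.pay("exchange-A"), child.pay("exchange-B"), churn

if __name__ == "__main__":
    a, b, _ = scenario(churn_first=False)
    print("no churn, receipts linked:", bool(shared(a, b)))
    a, b, churn = scenario(churn_first=True)
    print("churned, receipts linked:", bool(shared(a, b)))
    print("churn tx still matches parent spend:", bool(shared(a, churn)))
```

The last check is the residual leak the issue mentions: the churn transaction itself still shows that the funds were moved on both chains, but neither outside recipient's transaction carries the matching nullifier.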

hloo commented Jun 19, 2019

Thank you so much @gojomo. I've been monitoring your comments on Zcash #4007. At a minimum, we'll provide a warning to users on our website about this nullifier issue and provide instructions for how to self-churn.

We are going to consider implementing some of the ideas that you've suggested, but not until after the fork (given how close we are to the fork date).

I really like your idea of combining a self-churn with a local wipe of the pre-churn key. I think that would be a useful tool to have.

I appreciate you taking the time to think through these issues and offer solutions.

Nullifier migration tool will be in ycash 2.0.6

Tool available in 2.0.6

miodragpop pushed a commit that referenced this issue Oct 10, 2021
98fadc090 Merge #24: Push bool into array correctly
5f03f1f39 Push bool into array correctly
98261b1e7 Merge #22: Clamp JSON object depth to PHP limit
54c401541 Clamp JSON object depth to PHP limit
5a58a4667 Merge #21: Remove hand-coded UniValue destructor.
b4cdfc4f4 Remove hand-coded UniValue destructor.
7fba60b5a Merge #17: [docs] Update readme
4577454e7 Merge #13: Fix typo
ac7e73cda [docs] Update readme
7890db99d Merge #11: Remove deprecated std pair wrappers
40e34852a Merge #14: Cleaned up namespace imports to reduce symbol collisions
4a4964729 Fix typo
85052a481 Remove deprecated std::pair wrappers
51d3ab34b Merge #10: Add pushKV(key, boolean) function (replaces #5)
129bad96d [tests] test pushKV for boolean values
b3c44c947 Pushing boolean value to univalue correctly
07947ff2d Merge #9: [tests] Fix BOOST_CHECK_THROW macro
ec849d9a2 [tests] Fix BOOST_CHECK_THROW macro
d208f986d Cleaned up namespace imports to reduce symbol collisions
31bc9f5a4 Merge #8: Remove unused Homebrew workaround
fa042093d Remove HomeBrew workaround
a523e08ae Merge #7: Declare single-argument (non-converting) constructors "explicit"
a9e53b38b Merge #4: Pull upstream
fe805ea74 Declare single-argument (non-converting) constructors "explicit"
8a2d6f1e3 Merge pull request zcash#41 from jgarzik/get-obj-map
ba341a20d Add getObjMap() helper method.  Also, constify checkObject().
ceb119413 Handle .pushKV() and .checkObject() edge cases.
107db9829 Add ::push_back(double) method for feature parity.
d41530031 Move one-line implementation of UniValue::read() to header.
52e85b35b Move exception-throwing get_* methods into separate implementation module.
dac529675 update code quotes
3e31dcffb close code quote
d09b8429d Update
f1b86edb4 Convert README to markdown style.
1dfe464ef Import UniValue class unit tests from bitcoin project.
0d3e74dd1 operator[] takes size_t index parameter (versus unsigned int)
640158fa2 Private findKey() method becomes size_t clean, and returns bool on failure.
709913585 Merge pull request #36 from ryanofsky/pr/end-str
4fd5444d1 Reject unterminated strings
16a1f7f6e Merge #3: Pull upstream
daf1285af Merge pull request #2 from jgarzik/master
f32df99e9 Merge branch '2016_04_unicode' into bitcoin
280b191cb Merge remote-tracking branch 'jgarzik/master' into bitcoin
2740c4f71 Merge branch '2015_11_escape_plan' into bitcoin
REVERT: 9ef5b78c1 Use size_t for UniValue array indexing

git-subtree-dir: src/univalue
git-subtree-split: 98fadc090984fa7e070b6c41ccb514f69a371c85