Curious about anonymity, I followed the Zerocash White Paper #blockchaintokyo


I got curious about anonymous currencies, so, as a layperson, I followed along while reading the white paper. Zerocash is quite heavy to tackle head-on, so start with other currencies. #blockchaintokyo


Masashi Salvador Mitsuzawa

January 16, 2018

Transcript

  1. Curious about anonymity, I followed the Zerocash White Paper
     @MasashiSalvador 2018/01/16 blockchain.tokyo#4 @Mercari

  2. Who am I? @MasashiSalvador (Masashi Salvador Mitsuzawa)
     Career:
     - DeNA: social game development
     - eureka: dating application development, Go
     - Founded a startup / freelance: launched a service for travellers; React, Rails, iOS development
     - Gunosy (〜now): development around Gunosy's video features
     Hobbies:
     - I live to eat curry (@instagram)
     - Tea ceremony and everything around tea. If you do tea in this community, please say hello...
  3. - Anonymity in cryptocurrencies
     - Introduction to Zcash
     - What is Zcash
     - Zero-knowledge proofs
     - zcashd / zcash-cli
     - How Zcash thinks
     - Reading the Zcash White Paper
  4. Anonymity in cryptocurrencies
     - All transactions are published on the chain
     - Who paid whom, and how much, can be traced
     - Non-anonymous in the sense that the payment path and the amounts are visible
     - Mixing
     - Ring Signature
     - One-Time Address
     - Zero Knowledge Proof
     - Bitcoin
     - Techniques for lowering traceability
     [diagram: Tx, Tx, Tx, Tx -> Pool Node -> Tx, Tx]
  5. - Various anonymous currencies and the techniques they use
     - Other techniques for achieving "anonymity"
     - Blind Signature (signing without knowing the content)

  6. What is ZCash?
     - Official release: 2016/10/26 ~
     - ZCash Company is the managing entity
     - ZCash Foundation manages the Zcash Protocol
       https://github.com/ZcashFoundation/ZcashFoundation/blob/master/MISSION.md
     - The protocol and its implementation are open source
     - The Protocol Spec describes how the White Paper is made concrete
     - Total supply is 21 million coins, the same as Bitcoin
     - The issuance rules have been adjusted
     - Proof of Work / EquiHash
     - The source code is originally derived from Bitcoin
     - Impression: it is built in a pretty scientific way...
  7. What is a zero-knowledge proof?
     - > A method of interaction by which one can prove that a proposition one holds is true without conveying any knowledge other than the fact that it is true (https://ja.wikipedia.org/wiki/ゼロ知識証明)
     - Image: proving that you hold the private key corresponding to an unspent transaction, without presenting the private key
     - Probabilistic proof (repeating the trials reduces the probability that a false proposition is shown as true)
     - The cave example
     - References are attached at the end
     - There are interactive and non-interactive variants
  8. zcashd / zcash-cli
     - Basically the same as bitcoin / installs smoothly on Debian-based systems
       see https://github.com/zcash/zcash/wiki/Debian-binary-packages
     - Installation
     - Download Required Parameters
     - Write the testnet configuration and fiddle with it
  9. zcashd / zcash-cli
     - Basically the same as the bitcoin client
     - Both shielded addresses and ordinary addresses can be issued

  10. Contents of a transaction
     - Can be viewed at https://explorer.zcha.in
     - Anonymous address -> public address: https://explorer.zcha.in/transactions/ad01194807f9f343f46125ef703742ea91be14c72c5277880a98b4e4a5a3f450
     - Public address -> anonymous address: https://explorer.zcha.in/transactions/757b8ec048fc76a39c12813d5861df868e9036f98c13b4464b1662b55b09609e
  11. How Zcash thinks
     - The following follows the White Paper [2014]
     - Decentralized Anonymous Payment is developed in the 6 steps below
       1. user anonymity with fixed-value coins: a simple proposal for hiding the sender
       2. compressing the list of coin commitments: compress the Merkle tree to improve efficiency
       3. extending coins for direct anonymous payments: how to spend unspent transactions while preserving anonymity
       4. sending coins: a payment method using a key-private encryption scheme
       5. public outputs: modified so that non-anonymous transaction outputs can be created
       6. non-malleability: considerations regarding malleability
  12. 1. user anonymity with fixed-value coins
     [figure labels; the formula symbols were lost in extraction]
     Terminology: chosen random value; message; commitment
     - Apparently a statistically-hiding non-interactive commitment scheme is used
     - The equality can only be verified by someone who knows both values
     The basic idea behind a coin: choose two random numbers [ ] and compute [ ]; call it [ ]; send, including [ ]; deposit 1 BTC into the pool; the list of commitments recorded on the network; coin generation
  13. [figure labels; the formula symbols were lost in extraction]
     [ ] also knows [ ], so it can tell whether [ ] used [ ]. In the first place, [ ] can be used fraudulently. [ ] and [ ]; a [ ] that contains both; send; spend coin; [ ] also
     - Proposition to be proven in zero knowledge: knows a [ ] such that it is contained in [ ]
     - If this can be proven, the deposited 1 BTC is paid out
     - The White Paper says this gives the user anonymity (it hasn't clicked for me yet...)
       > the origin of the payment is anonymous.
     - Problem: no payment can be sent to someone else
  14. 3. extending coins for direct anonymous payments
     - Tools are introduced so that parties can pay each other anonymously: a pseudorandom function (moreover collision-resistant); address public key / address private key
     [figure labels; the formula symbols were lost in extraction]
     Preparation: generate [ ]; seed; the generated address private key
     Coin generation: generate a coin of amount [ ]; pick one [ ] and fix the coin's serial number [ ]; for the random number [ ], compute [ ]; for [ ], compute [ ]; take [ ] as the coin; [ ] contains [ ]; the transaction is only accepted into the network if [ ] was deposited; random number
  15. 3. extending coins for direct anonymous payments
     Spending a coin [figure labels; the formula symbols were lost in extraction]
     address: / address:
     - Compute [ ] in the same way as at coin generation
     - Include the proposition below, to be proven in zero knowledge, in the coin-spending transaction ??
  16. Interpreting [ ]:
     - Without revealing the information that must stay hidden, that the coin was generated according to the rules
     - That the sender knows the private key that generates the public key of the sending address
     - That the sender knows the private key that generates the serial number, which is the condition for spending the coin
     - That a generating transaction exists for the coin being spent
     - The face value of the coin being sent is not revealed, but the sender is not lying about the total
     ... is what it amounts to
  17. - As a result, neither the destination address nor the amount sent is included in the transaction
     - Anonymity holds
     - The values needed to spend the coin must be communicated securely to the recipient...
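The two constructions summarised in slides 12 through 17 (the fixed-value coin that is a commitment to a serial number, and the extended coin with address keys, a PRF-derived serial number and a nested commitment) are easier to see as code. The Python model below is an added example, not code from the talk or from Zcash. Its names (a_sk, a_pk, rho, r, s, sn, cm) follow the 2014 Zerocash paper, SHA-256 stands in for the paper's PRF and commitment, every value is constructed here, and the zk-SNARK is deliberately left out: where Zerocash attaches a proof, this ledger is handed the opened witness and checks the relation in the clear, which makes visible exactly which statement the real proof has to hide.

```python
import hashlib
import os
from dataclasses import dataclass

# Toy model of the Zerocash coin lifecycle: mint -> commitment list -> spend.
# Added example, not code from the talk or from Zcash. Names follow the 2014
# Zerocash paper (a_sk, a_pk, rho, r, s, sn, cm); all values are constructed.
# The zk-SNARK is not modelled: the ledger below is handed the opened witness
# and checks each clause of the spend statement directly.


def H(tag: bytes, *parts: bytes) -> bytes:
    """Domain-separated SHA-256 standing in for the paper's PRFs and COMM."""
    h = hashlib.sha256(tag)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)  # length-prefix each field
    return h.digest()


def prf_addr(a_sk: bytes) -> bytes:                 # a_pk = PRF^addr_{a_sk}(0)
    return H(b"addr", a_sk)


def prf_sn(a_sk: bytes, rho: bytes) -> bytes:       # sn = PRF^sn_{a_sk}(rho)
    return H(b"sn", a_sk, rho)


def comm(randomness: bytes, *msg: bytes) -> bytes:  # COMM_randomness(msg)
    return H(b"comm", randomness, *msg)


@dataclass
class Coin:
    a_pk: bytes   # address public key of the owner
    v: int        # value
    rho: bytes    # serial-number seed, chosen at mint
    r: bytes      # randomness of the inner commitment
    s: bytes      # randomness of the outer commitment

    def k(self) -> bytes:                           # k = COMM_r(a_pk || rho)
        return comm(self.r, self.a_pk, self.rho)

    def cm(self) -> bytes:                          # cm = COMM_s(v || k)
        return comm(self.s, self.v.to_bytes(8, "big"), self.k())


def keygen() -> tuple[bytes, bytes]:
    a_sk = os.urandom(32)
    return a_sk, prf_addr(a_sk)


def mint(a_pk: bytes, v: int) -> Coin:
    return Coin(a_pk, v, os.urandom(32), os.urandom(32), os.urandom(32))


class Ledger:
    """Public state: the list of coin commitments (a Merkle tree in Zerocash)
    and the set of serial numbers revealed by spends."""

    def __init__(self) -> None:
        self.cm_list: list[bytes] = []
        self.spent_sn: set[bytes] = set()

    def add_mint(self, coin: Coin) -> None:
        # A mint publishes (v, k, s, cm); anyone can check cm = COMM_s(v || k).
        self.cm_list.append(coin.cm())

    def spend(self, a_sk: bytes, coin: Coin) -> tuple[bool, str]:
        """Each check is one clause of the statement interpreted on slide 16;
        Zerocash proves them in zero knowledge, here they are opened."""
        if prf_addr(a_sk) != coin.a_pk:
            return False, "a_sk does not generate the coin's a_pk"
        if coin.cm() not in self.cm_list:
            return False, "no mint transaction for this commitment"
        sn = prf_sn(a_sk, coin.rho)   # the only coin-specific value revealed
        if sn in self.spent_sn:
            return False, "serial number already revealed: double spend"
        self.spent_sn.add(sn)
        return True, "accepted"


def demo() -> tuple[bool, bool, bool, bool]:
    """Mint one coin, then try an honest spend, a double spend, a spend with a
    stranger's key, and a spend of a coin that was never minted."""
    ledger = Ledger()
    a_sk, a_pk = keygen()
    coin = mint(a_pk, 5)
    ledger.add_mint(coin)
    honest = ledger.spend(a_sk, coin)[0]
    double = ledger.spend(a_sk, coin)[0]
    stranger_sk, _ = keygen()
    stranger = ledger.spend(stranger_sk, coin)[0]
    unminted = ledger.spend(a_sk, mint(a_pk, 5))[0]
    return honest, double, stranger, unminted


if __name__ == "__main__":
    print(demo())  # (True, False, False, False)
```

The ledger only ever sees cm at mint time and sn at spend time, and without a_sk nothing on the ledger links the two; that is the unlinkability slide 17 summarises, and the serial-number set is what lets a validator still catch a double spend of a coin it cannot otherwise identify. The value-conservation clause of slide 16 (inputs and outputs of a pour balancing) is not modelled here.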

  18. Things I could not follow all the way
     - Scalability
     - Details of the zero-knowledge proof called zk-SNARK
     - How it is implemented non-interactively
     - Transaction details
     - JoinSplit Transaction
     - How is it implemented...
     - Surrounding technology..
     - Vulnerabilities
       https://z.cash/blog/fixing-zcash-vulns.html
  19. Impressions
     - Development seems to be progressing reasonably well
     - Information is actively published on the blog
     - It was heavy going...