Zooko Wilcox | Mar 18, 2016
We are a science-driven company, and our team is always working on advancing the forefront of human knowledge. Here is a round-up of science news from our team.
Zero-Knowledge Contingent Payments
Zcasher Sean Bowe, working with Greg Maxwell and Peter Wuille (both of Blockstream and Bitcoin Core) demoed the first zero-knowledge contingent payment on the Bitcoin network. Also referred to as ZKCP, this payment protocol (invented by Greg Maxwell) is a reliable way for two parties to exchange information and money atomically.
In the demo performed live at Financial Cryptography 2016, Sean and Greg (remotely) swapped the solution to a 16x16 sudoku puzzle for 0.1 Bitcoin.
Such an atomic swap of money for information without either party being vulnerable to someone else has never before been possible. Before ZKCP, the only way that money and information could be swapped was for one side to hand over their goods first, thus risking that the other side would cheat and keep both, or for both sides to agree on a third party escrow agent that they would each hand over their goods to, and rely on that third party to act honestly.
In addition to being atomic, ZKCP is also private. In ZKCP, only the buyer and the seller learn the content of the information being swapped. This makes it private in a way that is currently not possible with a smart-contracting system like Ethereum.
I'm excited about this demo because it shows that zero-knowledge proofs are a flexible and powerful tool that may find many different kinds of applications beyond Zcash. In this implementation, Sean used the same kinds of tools for constructing zero-knowledge proofs that we use for Zcash, such as libsnark.
Sean also submitted a pull-request to Bitcoin Core which provides support for HTLC (Hashed Timelock Contracts) used by ZKCP and other protocols like Paypub and Lightning.
For more details, please read Greg's blog post on the Bitcoin Core blog.
Remote Key Extraction via Side Channel Attacks
Zcasher Eran Tromer and co-authors have published two new papers about side-channel attacks, one attacking GPG and another attacking ECDSA. Using small and non-intrusive sensors, the electromagnetic emanations of the device are analyzed and private keys are derived from the signals.
The attacks were detailed in two papers, "ECDSA Key Extraction from Mobile Devices via Nonintrusive Physical Side Channels" and "ECDH Key-Extraction via Low-Bandwidth Electromagnetic Attacks on PCs".
The ECDSA attack was able to steal the secret key out of a Bitcoin wallet that was running on a phone sitting on a glass tabletop. We notified the Bitcoin Core team about this attack and confirmed that Bitcoin Core since v0.10.0 is safe from this attack.
These are powerful, practical attacks that underscore that danger lies ahead for software vulnerable to side-channel attacks.
Honey Badger BFT
Zcasher Andrew Miller and his co-authors released a pre-print paper draft of "The Honey Badger of Byzantine Fault Tolerance Protocols". They've invented a Byzantine Fault Tolerance protocol that does not have hard-coded timeouts. This means that the system can operate normally, and retain its fault-tolerance properties, even when the network has worse latency than anticipated.
It also means that in case of a temporary network interruption, Honey Badger BFT recovers quickly compared to other Byzantine Fault Tolerance protocols.
Honey Badger BFT may eventually be applicable to cryptocurrencies — where in future designs it could potentially serve as a high-performance BFT protocol in a hybrid mode with a more expensive censorship-resistant protocol. It may also be applicable to “blockchain” use cases, where a group of participants need a robust and efficient agreement protocol, but don't need censorship-resistance.
That's just the most recent batch of science results from Zcashers. Stay tuned for the next batch!
— Zooko Wilcox, March 18, 2016