A few corrections:
- "note" and "nullifier" are the current terms. "coin" and "serial number" were the older terms used in the Zerocash protocol that is being attacked here. (Zcash was never vulnerable because the problem was fixed before launch.)
- ρ is a Greek letter, pronounced "rho". ρ is not the serial number/nullifier; you also need another separate key (a_sk in Zerocash) to compute the nullifier from it.
- The slide with the chefs could be slightly misleading because it makes it look like a commitment works like encryption, i.e. that there is a key you can decrypt the commitment with. Actually the main difference between encryption and commitments is that for the latter we have no such key. Instead we need to know the contents of the box (including the randomness) in order to "open" it, but if we have some opening, we can reliably confirm that it is the correct one, i.e. no other opening will work.
- Only a single machine, costing $10 million at the time (much less now), would have been needed to find a 128-bit hash collision in 21 days. SHA256Compress is slightly more expensive than MD5, but that would only make a small difference.
- Zcash has had 6 major upgrades since launch :-)
- The 0xB0 is not related to binding; it is just a constant called a "domain separator", which helps to avoid complications in analysing the protocol by ensuring that all distinct uses of SHA-256 have disjoint inputs.
- There's a bit missing from the explanation: to understand why violating the binding property leads to double spending, you also need to know how nullifiers are used in the protocol. Basically we rely on the fact that if a note with a given commitment were spent twice, it would have the same nullifier. We reveal the commitment when the note is created, and the nullifier when it is spent; the zero-knowledge proofs check that they are consistent. If the commitment scheme is not binding then we can create two notes that have the same commitment but different nullifiers. Only one of these needs to come from a real source of funds, but we can spend that one and also the other one (pointing to the same commitment on the chain), because they have different nullifiers.

Thanks for the video :-) Btw, anyone who wants a deeper dive into what makes later versions of the shielded protocol secure might be interested in my talk at Zcon3: kzbin.info/www/bejne/nGe4haKnnq6Xm7s
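The last correction above describes in prose how commitments, nullifiers and the binding property fit together. The following is an added toy model of that mechanism, written for this page; it is not the commenter's code and not the Zcash specification. Everything in it is an assumption made for illustration: the note field layout, the byte value of the domain separators, HMAC-SHA256 standing in for the keyed PRF that derives a nullifier from a_sk and ρ, a boolean `proof_ok` standing in for the zero-knowledge proof, and an `out_bytes` truncation parameter that turns the commitment into a deliberately non-binding one so the consequence for the ledger's nullifier check can be observed.

```python
import hashlib
import hmac

# Constructed constants for this illustration only (not real Zcash values).
DOMAIN_NOTE_COMMIT = b"\xb0"   # domain separator for note commitments
DOMAIN_NULLIFIER = b"\x01"     # separate tag so nullifier PRF inputs never overlap commitments


def commit(a_pk: bytes, value: int, rho: bytes, r: bytes, out_bytes: int = 32) -> bytes:
    """Commitment to a note's full contents plus randomness r (the 'opening').
    out_bytes < 32 truncates the digest and makes the scheme non-binding."""
    preimage = DOMAIN_NOTE_COMMIT + a_pk + value.to_bytes(8, "big") + rho + r
    return hashlib.sha256(preimage).digest()[:out_bytes]


def nullifier(a_sk: bytes, rho: bytes) -> bytes:
    """Nullifier derived from rho AND the spending key a_sk (keyed PRF, assumed HMAC here)."""
    return hmac.new(a_sk, DOMAIN_NULLIFIER + rho, hashlib.sha256).digest()


class Ledger:
    """Minimal chain state: published commitments and revealed nullifiers."""

    def __init__(self):
        self.commitments = set()
        self.nullifiers = set()

    def create(self, cm: bytes) -> None:
        self.commitments.add(cm)

    def spend(self, cm: bytes, nf: bytes, proof_ok: bool) -> bool:
        # The ZK proof (modelled by proof_ok) attests that nf was derived from a note
        # that opens to cm; the ledger only checks membership and nullifier reuse.
        if not proof_ok or cm not in self.commitments:
            return False
        if nf in self.nullifiers:
            return False          # same note spent twice -> same nullifier -> rejected
        self.nullifiers.add(nf)
        return True


def find_second_opening(a_pk, value, rho1, r, out_bytes, limit=1 << 16):
    """Search for rho2 != rho1 with the same truncated commitment. Feasible only
    because out_bytes is tiny; with the full digest this search is hopeless."""
    target = commit(a_pk, value, rho1, r, out_bytes)
    for i in range(limit):
        rho2 = i.to_bytes(32, "big")
        if rho2 != rho1 and commit(a_pk, value, rho2, r, out_bytes) == target:
            return rho2
    return None


# Constructed sample key material (fixed so the demos are deterministic).
A_SK = b"\x11" * 32
A_PK = hashlib.sha256(A_SK).digest()
RHO = b"\x22" * 32
R = b"\x33" * 32


def demo_double_spend_rejected():
    """Binding commitment: the second spend of one note reuses the nullifier and fails."""
    cm = commit(A_PK, 5, RHO, R)
    nf = nullifier(A_SK, RHO)
    ledger = Ledger()
    ledger.create(cm)
    return ledger.spend(cm, nf, True), ledger.spend(cm, nf, True)


def demo_nonbinding_accepts_two_spends(out_bytes=1):
    """Non-binding commitment: two openings (different rho) share one on-chain
    commitment, so their nullifiers differ and the ledger accepts both spends."""
    cm = commit(A_PK, 5, RHO, R, out_bytes)
    rho2 = find_second_opening(A_PK, 5, RHO, R, out_bytes)
    if rho2 is None:
        raise RuntimeError("no second opening found; increase the search limit")
    ledger = Ledger()
    ledger.create(cm)          # only one note was ever funded on chain
    first = ledger.spend(cm, nullifier(A_SK, RHO), True)
    second = ledger.spend(cm, nullifier(A_SK, rho2), True)
    return first, second


if __name__ == "__main__":
    print("binding:", demo_double_spend_rejected())          # (True, False)
    print("non-binding:", demo_nonbinding_accepts_two_spends())  # (True, True)
```

The ledger code is identical in both demos; only the commitment's binding property changes. That is the point of the correction: the nullifier set can only prevent double spending if every commitment has exactly one valid opening. The toy weakens the scheme by truncating to one byte so a second opening is found in a few thousand hashes; the attack the comment refers to instead used a birthday collision on a 128-bit output, which is why the expected cost was roughly 2^64 hash evaluations rather than a trivial search.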
@tinerispe 1 year ago
Thanks, I'm following this ZK series and your comment clarifies a lot.
@d-squared70 1 year ago
This is one of the many reasons why I love the internet! 💗 Thank you for clarifying some of the areas I've missed as a ZK n00b. Also, thank you for contributing to the wider crypto movement. 😄
@sreckohorvat2298 1 year ago
Homer's son is named Bart!
@satyabratadash2858 1 year ago
Eagerly waiting for your videos......
@d-squared70 1 year ago
Thank you so much 😀
@text___hackeralexei 1 year ago
Y'all should know how it feels to earn 4BTC all with the help of this great hacker and programmer. He's the best.