Zarcanum (ZPoS) — A Private Proof of Stake Scheme with Confidential Transactions and Hidden Amounts
Any information that a digital cash system reveals about its users is information that bad actors could use against them. The Proof of Stake consensus system has been routinely rejected by projects that put user privacy (and consequently user security) first, because it requires the exact number of coins in a staking transaction to be public. Or at least it used to. Zarcanum (ZPoS) is a secure and private blockchain consensus scheme that enhances traditional Proof of Stake with untraceability and hidden amounts.
“… but it often rhymes”
In 2014, Zano Co-founder Andrey Sabelnikov (aka crypto_zoidberg) completed work on the first successful implementation of Nicholas Van Saberhagen’s pioneering CryptoNote protocol. It was released as ByteCoin, the first digital currency with protocol-level privacy. It proved that it was possible to create a decentralized digital cash system like Satoshi Nakamoto’s while revealing significantly less sensitive information about the system’s users. So like Bitcoin, but more discreet; more secure.
Seven years later, it’s Andrey’s Zano team mate Valeriy Pisarkov (aka sowle), alongside independent researcher and prominent Monero contributor koe, who’ve taken an already inspired design to even greater heights. Zarcanum (ZPoS) works like traditional (or naive) Proof of Stake, while revealing no sensitive information about the system’s users. So like naive Proof of Stake, but more discreet; more secure.
To appreciate how Zarcanum makes PoS compatible with a policy of strict user privacy and security, we must first understand how traditional PoS works.
The Problem with Traditional Proof of Stake
With Proof of Stake, stakers, rather than miners, are rewarded for creating new blocks. The difficulty of this task depends upon how many coins a user is staking: the more coins staked, the easier it is. So when a new block is produced, other nodes on the network must check that the difficulty of producing that block was proportional to the number of coins being staked — it’s one of the criteria by which a block is judged to be valid. And this check can only be made if the staker reveals publicly how many coins he “staked” in order to produce that block. A determined adversary could use this information as a starting point from which to try to de-anonymize users on an otherwise private chain.
Look at the above screenshot from the Zano explorer. We know that whoever produced this block owns 10,000 Zano ($23,000 worth at current prices) in the output with index number 33802. And, to the best of our knowledge, this information is revealed by all PoS-based currencies. You can see why privacy projects might consider the choice between Proof of Work and Proof of Stake an easy one.
How Zarcanum (ZPoS) Makes PoS Private
Zarcanum improves upon traditional PoS in two fundamental ways:
- Amount Privacy — The number of coins in the staked output is hidden
- Untraceability — The output itself is hidden within a group of equiprobable decoy outputs
In its strongest form (as described in Section 6 of the research paper) Zarcanum reveals so little information that it makes identifying individual users through chain analysis all but impossible. It achieves this through a novel combination of existing technologies.
Confidential Transactions (CT) employ Pedersen Commitments to hide the number of coins in the staked output. Ring Signatures make it infeasible to determine exactly which output was staked, and Bulletproofs+ act as highly efficient Range Proofs that let the staker prove that they know certain values and that they fall within a given range (without having to reveal the values themselves). In combination, they allow for staking where the input and amount are unknowable, but the network is still able to verify that:
- A block is valid
- Producing the block was adequately difficult
- No new coins (outside the staking reward) were produced
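As an added example, not taken from the research paper or from Zano's codebase, here is a CT-style balance check built on Pedersen commitments: it shows how a verifier confirms that the outputs of a PoS block equal the staked input plus the public reward without ever seeing the staked amount. It uses a small multiplicative group and a hash-derived second generator in place of Zarcanum's Ed25519 points (an assumption for portability), and leaves out the ring signature and range proof the paragraph mentions.

```python
# Added example, not Zano's code: Pedersen commitments in a prime-order
# subgroup of Z_p^* (an assumption; Zarcanum works over the Ed25519 curve),
# showing how the network checks "no new coins outside the staking reward"
# while seeing only commitments, never the staked amount.
import hashlib, math, secrets

def is_prime(n):
    # Trial division: fine for the 32-bit toy modulus used here, not for real use.
    if n < 2 or n % 2 == 0:
        return n == 2
    return all(n % d for d in range(3, math.isqrt(n) + 1, 2))

def safe_prime(bits=32):
    # p = 2q + 1 with q prime: the quadratic residues mod p form a group of order q.
    q = (1 << (bits - 1)) | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q

P, Q = safe_prime()
G = 4  # a square, hence a generator of the order-Q subgroup
# H is derived by hashing so nobody knows log_G(H); that is what makes a
# commitment binding (a staker cannot reopen it to a different amount).
H = pow(int.from_bytes(hashlib.sha256(b"example-H").digest(), "big"), 2, P)

def commit(amount, blind):
    # C = G^blind * H^amount: the random 'blind' hides 'amount' completely.
    return pow(G, blind, P) * pow(H, amount, P) % P

def balances(in_commits, reward, out_commits):
    # Verifier's check: product(inputs) * H^reward == product(outputs). It holds
    # exactly when input amounts + reward == output amounts and the blinds cancel.
    lhs = pow(H, reward, P)
    for c in in_commits:
        lhs = lhs * c % P
    rhs = 1
    for c in out_commits:
        rhs = rhs * c % P
    return lhs == rhs

def build_pos_block(stake_amount, reward):
    # Staker spends the hidden stake and returns it plus the public reward
    # in two fresh outputs; blinds are chosen so they cancel in the check.
    r_stake, r_ret = secrets.randbelow(Q), secrets.randbelow(Q)
    r_rew = (r_stake - r_ret) % Q
    stake_c = commit(stake_amount, r_stake)
    return stake_c, [commit(stake_amount, r_ret), commit(reward, r_rew)]

STAKE_C, OUTS = build_pos_block(10_000, 1)  # constructed demo values, whole coins
VALID = balances([STAKE_C], 1, OUTS)        # True; the verifier never sees 10_000
```

Multiplying any output commitment by H (minting one extra coin) breaks the equality, while re-committing the same amount with a fresh blind yields an unrelated-looking group element.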
We’re going to assume you’re more interested in the implications than the implementation, but if you’re a cryptographer or mathematician (or just someone who knows what a Fiat-Shamir challenge is) you’ll find all the juicy details in the research paper (specifically Section 3 onwards).
Sarang Noether (CypherStack) Peer Review
A protocol with implications for an entire industry is one that should be reviewed by the best in the industry: in this case, the foremost experts in the field of applied cryptography. With that in mind, it should come as no surprise that we sought a review of Zarcanum from Dr Aaron Feickert (aka Sarang Noether). You’re almost certainly familiar with him already, but for anyone who isn’t, Dr Feickert is a mathematician and physicist who has distinguished himself as one of the most prodigious contributors to the Monero project (spending 6+ years working with the Monero Research Lab). It would be hard to name a single researcher with more expertise in, or a better understanding of, the cryptographic protocols that underpin all distributed digital cash systems.
Dr Feickert completed his review early in December and found no major issues with Zarcanum or the mathematics behind it. He also offered suggestions as to how the research paper could be further bolstered with formal proofs, and kindly provided some proofs as examples.
The team is now actively seeking reviews from cryptographers and mathematicians of similar standing as we continue to refine Zarcanum and affirm its viability.
Zarcanum Contribution Timeline
Zarcanum (ZPoS) came about through a truly collaborative effort between its authors. Here’s its history.
Sowle published his first version of the scheme in August this year, after months of research. Cryptographer (and prominent Monero contributor) koe was kind enough to look over the work and immediately alerted sowle to an issue with “sender-recipient anonymity”: the sender of an output could accurately guess when the recipient staked that output to create a new PoS block.
Koe wrote several follow-up emails that evening detailing his attempts to find a solution. His final email contained what appeared to be a working solution. It also had the unexpected benefit of making the scheme more efficient.
Impressed by koe’s knowledge and generosity, we arranged for him to do a more formal review of the work while sowle rewrote the paper to incorporate the ideas they’d discussed.
Upon completion, sowle shared the heavily revised paper with koe, who, through refinements to the language and advice on conventional use of mathematical notation, helped improve the paper’s readability.
Around this time, sowle found a way to break koe’s proposed fix to the “sender-recipient anonymity” issue, so he proposed an alternative. They discussed and refined it over several days, and the paper was again revised.
By this point koe had found the sender-recipient anonymity issue, improved the scheme’s efficiency and vastly improved the paper’s readability; so in recognition of his crucial contributions he was invited by sowle to become co-author. Happily, he accepted.
Val is humbly described as a “Core dev” on zano.org, but that doesn’t do justice to his actual skillset and the breadth of polymathic proficiency he’s shown in his work on Zarcanum. We are lucky to have him and extremely proud of his achievement. We’d also like to acknowledge the huge contribution koe made to the work — from the outset he’s been very generous with his time and knowledge, and from sowle’s accounts, a pleasure to work with. We very much hope that we’ll have the opportunity to work together again in the future.
Truly Private Proof of Stake
Up until now, the Proof of Work vs Proof of Stake debate in privacy circles has been pretty one-sided. Reductionist, even. It was widely believed that an optimally-designed PoW-based privacy protocol would always be superior to any PoS-based alternative, because PoS, by its very nature, has to expose a little more information about users’ holdings. Zarcanum turns that assumption on its head. By sealing the minor information leaks of traditional Proof of Stake, Zarcanum (ZPoS) becomes the first PoS scheme capable of delivering the same level of privacy as the most private of its PoW counterparts. Truly private Proof of Stake.
We’re currently working to implement Zarcanum in Zano, which we intend to be the reference implementation for all projects that wish to use the scheme, just as the ByteCoin code bearing Andrey’s name was for the myriad CryptoNote coins that followed. It’s our sincere hope that as many people as possible can benefit from this new technology. Privacy matters, and thanks to Zarcanum, Proof of Stake no longer represents a compromise for projects that place a premium on user security. This isn’t just a giant leap for Zano, it’s a win for all of crypto and for anyone who may need sound, uncensorable money in the future.
So Proof of Stake vs Proof of Work? It seems the answer’s no longer so simple.