-
m-relay<handpickencounter:matrix.org> Is FCMP actually zero knowledge? That's the only way it can advertise "forward secrecy" afaik. But it still relies on ECC, so a CRQC can theoretically print coin?
-
m-relay<handpickencounter:matrix.org> This is the only actual advantage Zcash actually has over Monero atm: their anon-set is backed by zero knowledge.
-
m-relay<jeffro256:monero.social> Hmmm? Zero-knowledge proving systems don't inherently mean anti-forging security against discrete log solvers. Some are, like ZK-STARKs, but (last time I checked) Zcash uses ZK-SNARKs (with an "N") in their protocol called Halo2, which isn't anti-forging secure against discrete log solvers. FCMP++, which uses a variation of Bulletproofs called "Generalized Bulletproofs", also isn't<clipped message>
-
m-relay<jeffro256:monero.social> secure against discrete log solvers. But both FCMP++ and Halo2 are still *quantum forward secret*, meaning that the proofs still reveal zero knowledge about the statements proven, even with access to a discrete log solver (i.e., a working quantum computer).
-
m-relay<jeffro256:monero.social> In short, the quantum properties of Zcash's protocol and Monero's protocol are basically the same: not forgery resistant, but with forward privacy.
-
m-relay<jeffro256:monero.social> To be clear, Zcash also still relies on the discrete log problem over elliptic curves for their cryptographic hardness assumption in Halo2, hence why it isn't anti-forging resistant against a quantum computer.
-
m-relay<handpickencounter:matrix.org> That was my understanding, which I sought to confirm. STARKs are ideal, but the proof size is unacceptable for individual transactions. However, FCMP++ is still not mainline, so sadly the "quantum properties between Zcash's protocol and Monero's protocol" aren't the same yet.