/1 From what was just a desire to solve trusted setup and no fancy curve pairings in a privacy protocol to Lelantus coming live on $FIRO, it's been a wild ride! $XZC @aramjivanyan
https://twitter.com/JMKmotorsports/status/1349510789133197312
2/ We first looked at bulletproof circuits which turned out to be a dead end due to poor performance. Verification times were several seconds long. We were crushed as we didn't have any immediate idea on how to bring Zcoin's tech forward.
3/ We decided to look at one-out-of-many proofs (OOOMP) again despite many dismissing it as being too slow with verification time increasing linearly with the size of the set. OOOMP did not support hidden amounts which also represented a huge privacy issue.
4/ Turns out, batch verification and other optimization tricks can make OOOMP pretty quick! @aramjivanyan also found a way to embed additional data into the construction to support hidden amounts which gave birth to the first paper on Lelantus.
5/ We had plenty of help along the way. Jens Groth, one of the father's of ZKP, took the time to validate our construction. We also had valuable feedback from @relgabizon from a ZK Summit event and Sarang Noether from @MoneroKon.
6/ The first version of Lelantus did support direct anonymous spends but had an issue where users needed to self-spend to themselves to hide further movements from the original sender. This was bad as it added an intermediary step.
7/ @aramjivanyan found a way around the self spend issue during one of his holidays and also validated it with Sarang who was also looking at it due to it's applicability to scaling @monero's ring sizes. Once this was solved, it allowed seamless direct anonymous payments!
8/ Our work on Lelantus in combining OOOMP and hidden amounts also lead to other privacy protocols being created such as Triptych in Monero and Lelantus-MW in Beam. A whole new family of privacy protocols has been opened presenting an alternative to RingCT, MW and zkSNARKs.
9/ Now that the cryptography was settled, implementation was also a challenge. As Lelantus supported anonymity sets of around 65k, what happens when the set becomes full? Starting empty new sets meant that the first few people who used it had poor privacy or forced them to wait.
10/ We decided to implement a sliding window approach where the sets overlap with each other a little meaning that even when a new set is created, it was preseeded with 16k commitments from the previous set. This meant that the minimum anonymity will be 16k for any single tx.
11/ We also got our cryptography library audited by @trailofbits and our cryptography audited by ABDK Consulting @Khovr. Funds for these were raised from donations from the community and also three of our seed investors. Their support was invaluable during the bear market.
12/ Despite challenging conditions, I'm so proud of what our team has achieved with Lelantus. Special shout-out to Levon who did most of the heavy lifting with Lelantus, often working through weekends and odd hours to get it out on time.
13/ Also would like to thank the community members who stood with us through thick and thin, donated, helped give feedback and test! You know who you are!
14/ Special shout-out to @MintPondMining who provided us a testnet pool and whose feedback was invaluable in ensuring mining was smooth. @Zergpool_com's bug reports helped a lot too!
15/ The work isn't over though! Light wallet support of Lelantus, enabling direct anonymous payments and finishing up our new fancy wallet is the next order of business along with other improvements such as chain locks. Today is a first step albeit a big one.
16/ In a world where we are increasingly losing control over our own money and privacy which is set to accelerate with CBDCs, I truly believe what we are building is important and will set the stage for what the future of money is going to be.
@threadreaderapp unroll
• • •
Missing some Tweet in this thread? You can try to
force a refresh
