/1 From what was just a desire to solve trusted setup and no fancy curve pairings in a privacy protocol to Lelantus coming live on $FIRO, it's been a wild ride! $XZC @aramjivanyan
2/ We first looked at bulletproof circuits which turned out to be a dead end due to poor performance. Verification times were several seconds long. We were crushed as we didn't have any immediate idea on how to bring Zcoin's tech forward.
3/ We decided to look at one-out-of-many proofs (OOOMP) again despite many dismissing it as being too slow with verification time increasing linearly with the size of the set. OOOMP did not support hidden amounts which also represented a huge privacy issue.
4/ Turns out, batch verification and other optimization tricks can make OOOMP pretty quick! @aramjivanyan also found a way to embed additional data into the construction to support hidden amounts which gave birth to the first paper on Lelantus.
5/ We had plenty of help along the way. Jens Groth, one of the father's of ZKP, took the time to validate our construction. We also had valuable feedback from @relgabizon from a ZK Summit event and Sarang Noether from @MoneroKon.
6/ The first version of Lelantus did support direct anonymous spends but had an issue where users needed to self-spend to themselves to hide further movements from the original sender. This was bad as it added an intermediary step.
7/ @aramjivanyan found a way around the self spend issue during one of his holidays and also validated it with Sarang who was also looking at it due to it's applicability to scaling @monero's ring sizes. Once this was solved, it allowed seamless direct anonymous payments!
8/ Our work on Lelantus in combining OOOMP and hidden amounts also lead to other privacy protocols being created such as Triptych in Monero and Lelantus-MW in Beam. A whole new family of privacy protocols has been opened presenting an alternative to RingCT, MW and zkSNARKs.
9/ Now that the cryptography was settled, implementation was also a challenge. As Lelantus supported anonymity sets of around 65k, what happens when the set becomes full? Starting empty new sets meant that the first few people who used it had poor privacy or forced them to wait.
10/ We decided to implement a sliding window approach where the sets overlap with each other a little meaning that even when a new set is created, it was preseeded with 16k commitments from the previous set. This meant that the minimum anonymity will be 16k for any single tx.
11/ We also got our cryptography library audited by @trailofbits and our cryptography audited by ABDK Consulting @Khovr. Funds for these were raised from donations from the community and also three of our seed investors. Their support was invaluable during the bear market.
12/ Despite challenging conditions, I'm so proud of what our team has achieved with Lelantus. Special shout-out to Levon who did most of the heavy lifting with Lelantus, often working through weekends and odd hours to get it out on time.
13/ Also would like to thank the community members who stood with us through thick and thin, donated, helped give feedback and test! You know who you are!
14/ Special shout-out to @MintPondMining who provided us a testnet pool and whose feedback was invaluable in ensuring mining was smooth. @Zergpool_com's bug reports helped a lot too!
15/ The work isn't over though! Light wallet support of Lelantus, enabling direct anonymous payments and finishing up our new fancy wallet is the next order of business along with other improvements such as chain locks. Today is a first step albeit a big one.
16/ In a world where we are increasingly losing control over our own money and privacy which is set to accelerate with CBDCs, I truly believe what we are building is important and will set the stage for what the future of money is going to be.

• • •

Missing some Tweet in this thread? You can try to force a refresh

Keep Current with Reuben Zcoin

Reuben Zcoin Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!


Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @ZreubenZ

11 Sep 20
It irks me when people say "[insert privacy project] is the best". There is a poor understanding of blockchain privacy even within the industry. Privacy is not a binary, it's a multi-faceted spectrum. And achieving privacy isn't free, it always comes at a cost. /1
This cost can take many forms. Scalability (size, verification, proving times), exotic math, complicated constructions, trusted setup, requiring interactivity and losing supply auditability. There are always trade-offs. /2
Additionally, on top of the privacy protocol itself, you also need to think about implementation and user behavior. How easy is it to use safely? For e.g., although Zerocash has the highest theoretical anonymity, the anonymity of an average user can be low due to user behavior /3
Read 9 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!

Follow Us on Twitter!