ENS is an example of a project that is extant, working, and has a decent amount of funding (controlled democratically through a delegated token voting system). Here's my ENS record:
What I like about handshake is that you can own the TLD. I own searchableguy/ top level domain. This is gated by ICANN right now and they charge huge fees for nothing.
yeah, it links to a standard JSON format for my article. mirror's data is portable. the json also contains my signature which authenticates the post to my self-sovereign identity (the keypair associated with my ENS name).
>And those who respond with indifference and denial of that reality, much like a person in your position, will have no say or power within the new system.
that wasn't my point. my point is that this technology shows no sign of slowing down, so by just angrily and reflexively dismissing it critics are throwing away an opportunity to make real, constructive criticism like Moxie did here at a time when it could make the most impact.
The people like me who really need your communications are starving for it. People who are already bought in and want quality content aren't getting much. This is a risk to the long term adoption of crypto.
My sources are few. I get a few crumbs on /ethfinance, and some nice nuggets from this thread, but there's just so much crap and snark to wade through it's almost not worth it.
there is no reason why apple or google would need to do this. Rainbow or similar apps just need to change their code in their already deployed wallet software on these platforms to do light client verification.
As an on-demand authentication mechanism manually implemented by every application, sure. Would just be curious what the benefit of a light client is versus connecting to an API in that case.
But this idea that it would be a persistently connected service running in the background on your phone. That's a completely different story.
This makes sense to me. Running a light client at the OS level isn't needed.
Is there some benefit to users from OS integration eventually? ie "Pay With Ethereum" in the same way Apple Pay / Google Pay / NFC works, does that benefit from running a light client?
Sure, maybe the incentives aren't there because Apple wants Apple Pay money but whoever does implement it will make their device more useful.
I'm pretty sure that you can pop down to the search bar and type "TLS too inefficient" and see that, in fact, they did. there was a large period of time where TLS was not widely deployed and where it was viewed as not likely to be deployed, due to marginal performance reasons
True, the overhead of TLS is relatively much lower than it was. It turned out we all really need the greater security. So we got hardware AES acceleration for example.
But this example misses the more general point that protocols always evolve more slowly than platforms.
It's not really a good example. Platforms aren't in competition with layer 3 network protocols. The examples Moxie gave were layer 7 application protocols.
i have worked on both TLS and blockchain tech for years.
my point is that the purpose of the security architecture proposed in the article is to authenticate data from the chain. this is a protocol-level detail: like TLS secures transport between a client and a server, light clients authenticate data between a validator set and a user. whether a particular person or group decides to use such a protocol, or if they decide to censor data, is a separate concern.
- download the set of validator signatures over that hash and verify each signature against the hash. if using aggregation-friendly curve, download the aggregate signature and verify it against the root.
- for each state fragment, download the merkle uncles and compute the root hash and verify that it is the same as that signed off by the validator set.
so yes, easily within resource limits for having them running all the time with near zero impact. Find My has comparable impact.
fascinating thank you. The Find My analogy is thought provoking - a background service that creates a useful network. What does the light client world look like once complete, I wonder
"IACR, was founded by people who were working on cryptocurrency"
This is extremely misleading. IACR was proposed by David Chaum in 1982, a year before his first paper on ecash, and its first board members in 1983 included Whitfield Diffie (who had not done any work on payments) among others. Chaum's ecash ideas look nothing like "cryptocurrency" as it exists today, nor do any of the ideas presented in subsequent research on the topic.
The person you replied to correctly pointed out that "crypto" was coopted by the blockchain space and is now being used to mean any number of distributed systems technologies. I have seen people wearing t-shirts saying things like "crypto means cryptography" and making jokes about reclaiming "blockchain" to refer to block chaining modes at various cryptography conferences (many organized by IACR) over the past decade. Moxie was right when he quipped that the "crypto" spaec involves very limited use of actual cryptography.
crypto was not co-opted. FAANGies just got stuck on a WebPKI side quest.
leading research in the field is being done by blockchain companies. you don't have to believe me, try reading ePrint. cryptocurrency people lead the research in zk proof systems and more. the idea that the crypto space doesn't use cryptography is absolutely laughable
Some interesting research is being done by some cryptocurrency companies like ZCash and Algorand. Their work on ZKPs and SNARKs has been interesting, but it is worth pointing out that they are not the only people working on this. Moreover, the serious cryptographers working on anything related to blockchains have more or less stopped talking about the permissionless setting (where Bitcoin, Ethereum, and basically all of the popular blockchains in use are) because security is too hard to define in a meaningful way. In the "permissioned" setting where parties have well-known identities there has been a bit of interesting research on maintaining a shared cryptographic data structure.
Meanwhile, academic and (non-blockchain) industry researchers have been pushing the state of the art in every subfield within cryptography, ZKPs included. Big companies have been deploying MPC as a means of addressing privacy concerns and regulation, and the cryptographers working on that (full disclosure: I am one of them) have been pretty active in publishing their work. Academic researchers have further advanced the results and addressed the problems raised by industry researchers, sometimes breathing new life into almost-forgotten lines of research (like set intersection protocols).
So sure, I can grant you that there has been some interesting work on cryptography within the blockchain space, but it is not nearly as exciting and significant as you suggest. I actually have a lot of respect for the ZCash team, whose work really is top-notch and who I see (or saw pre-COVID) at high-quality conferences like CRYPTO and RWC. On the other hand they are a small and very unique team within both the blockchain ecosystem and the cryptography research community, and their research work is only nominally related to blockchains (it is inspired by an application that did not even require a blockchain in the first place). Beyond the ZCash and a few other groups with serious cryptographers the blockchain space is a desert in terms of interesting cryptography.
> Moreover, the serious cryptographers working on anything related to blockchains have more or less stopped talking about the permissionless setting (where Bitcoin, Ethereum, and basically all of the popular blockchains in use are) because security is too hard to define in a meaningful way.
This is untrue, I see far more work on the permissionless setting (including formalizing definitions) than on the permissioned setting on ePrint. This includes respected cryptographers Like Elaine Shi, Rafael Pass, Silvio Micali, Andrew Miller, Aggelos Kiayas, and more.
> Meanwhile, academic and (non-blockchain) industry researchers have been pushing the state of the art in every subfield within cryptography, ZKPs included. Big companies have been deploying MPC as a means of addressing privacy concerns and regulation, and the cryptographers working on that (full disclosure: I am one of them) have been pretty active in publishing their work
While cryptography is certainly a much bigger than zkps, it is also absolutely true that, for the metric of “deployable protocols”, the pace of zkp innovation has far outstripped the pace of MPC innovation over the past few years. I say this as a cryptographer with a bunch of non-zkSNARK papers; my general-purpose zkSNARK work has been deployed, adopted, and obsoleted in the span of ~2yrs, all while my MPC work in the same span hasn’t inched towards deployment (despite being sufficiently practical for deployment), and follow up work has provided only marginal improvements.
> Beyond the ZCash and a few other groups with serious cryptographers the blockchain space is a desert in terms of interesting cryptography.
That’s incorrect. Beyond ZKPs, there’s been blockchain-inspired-and-funded work on Verifiable Delay Functions, threshold signatures, signature aggregation, anonymous gossip networks, fuzzy variants of PIR, functional commitment schemes, set accumulators, coding theory, and more.
That is an impressive list of cryptographers working on blockchains, but at major cryptography conferences there is less and less blockchain work being presented, to the point where CRYPTO'21 didn't have any blockchain sessions at all, while EUROCRYPT'21 had a single session where blockchain work was combined with work on privacy and law enforcement. To be fair, three sessions at CCS'21 were dedicated to blockchain research, but CCS is structured to allow more topics, it is not a conference specific to cryptography, and they had two sessions dedicated to MPC and a third on federated learning which touched on MPC. It is a small sample but representative of a larger trend of cryptographers becoming less interested in blockchain research.
I have not seen ZKP innovation outstrip MPC innovations at all. In the past decade I have seen a rapid expansion of research in MPC following both a strong push by DARPA and growing interest among large tech companies and banks. There has been a revival of interest in set-intersection protocols and related functionalities, a lot of impressive work in garbled circuits and other generic protocols that have greatly reduced their resource requirements, machine learning applications, and various other ongoing lines of work. At worst I would say that ZKP and MPC research have been roughly equal in terms of the pace of innovation, which should surprise no one as the two topics have strong connections.
Moreover, while there is certainly a lot of ZK research being published year after year, most of it has nothing to do with blockchains and is not coming from anything related to blockchains. There are plenty of academic researchers publishing ZK work, and I still see lots of industry ZK research that has nothing to do with blockchain. The same is true of all the other topics you mentioned -- some blockchain-inspired work here and there, but a lot more research from elsewhere.
Sorry to hear that your MPC work has not made it into production, but maybe that is because it is not as practical as you claim. Personally I like to say that the only test of "practicality" that matters is whether or not it is useful in a real-world application. Obviously your SNARK work cleared that bar, which is great but does not really say much about the pace of innovation. I can say that most of my published research at this point has been put into production -- an equally meaningless statement since I have been working for a big tech company for a long time, and the research I have published in that time has all been the result of work I did to address various privacy and security problems that company faces. My judgement of where the innovation is happening is based on the research I am seeing people present at various conferences. Maybe I am looking in the wrong places, and there is actually a whole world of cryptography conferences where people are excited about blockchain work?
When people say stuff like this, I wonder what they think the state of the art in web3 innovation is. Do people just see the monkey JPGs and write off the whole technology?
What do you see? I've just had a 2 hour conversation with someone trying to get me into this "business" without being able to articulate a single use case where NFTs actually make my day better in a way that is not currently possible with other tech so, yeah...what do you see?
I see a whole new wave of fouls about to lose their money to ponzi schemes and over-hyped "investments", much like it happened with the bitcoin/crypto train.
Just write NFT or crypto in Youtube and you immediately see all the sharks promising you millions in their videos, trying to manipulate you into investing - don't read the comments though, it's even worse. I see a lot of red flags and trouble for nothing. I hold crypto assets so I'm not talking out of my but here - I must confess; I've had no real benefits yet from this new tech. The crypto I hold is because one of my products has crypto as a payment method so I decided to just hold a piece of it and try to make use of "new tech".
In the crypto space I'm most excited about the ability to have open projects where anyone who contributes can have a stake in the financial rewards of the project, and there are no barriers to becoming a contributor. A lot of the time the financial benefits of open-source contributors are fully captured by a "host" corporation, and open collaboration platforms for non-software projects like textbooks and IRL shared spaces are almost nonexistent.
Proof-of-personhood a la BrightID is something that governments could theoretically provide, but most don't, and even if they did, there are serious privacy and interoperability concerns. SaaS companies trying to provide a free trial can prevent abuse by verifying unique personhood using web3 tech without needing to ask for any more information about the user. I'm sure you can think of other applications for that tech. Even if every government in the world provided this service, everyone who wants to use it either has to implement 195 different APIs or fork over money to a cottage industry whose sole job it is to unify those APIs.
Finance and commerce on blockchains has a lot of real-world benefits that traditional finance can't or refuses to provide. You can't easily set up a 3-of-5 multisig for your photography club in traditional finance. A lot of normal people have their payments blocked or funds frozen in TradFi for arbitrary reasons. Sex workers get kicked off of platforms all the time, and a friend recently had their PayPal frozen while raising funds for a school reunion party.
I'm not super into NFTs personally, but I can see them having a use case as a more consumer-friendly business model for gacha games and games with similar mechanics. There are probably other promising applications that I just don't know about because I don't follow that space very closely.
> SaaS companies trying to provide a free trial can prevent abuse by verifying unique personhood using web3 tech without needing to ask for any more information about the user
A trial is usually backed by a financial instrument. Usually that financial instrument is a credit card. A credit card can be uniquely identified, and so if you really are concerned about trial reuse, you can check reuse of the credit card, and that gets you pretty far. Folks can use prepaid cards, but you can also block those, which isn't totally unreasonable when you are talking about a subscription-- and a lot of subscription services do block them. Is it indefeatable? No. Is it good enough? Yeah actually. So why do I need to replace the concept of a credit card with an entirely new type of financial instrument that most users (especially non-technical users) don't have or understand?
SaaS just seemed relevant to the audience here, but there are a lot of applications which want to limit one account per natural person, not just SaaS. For example, social networks want to prevent astroturfing, and video games want to prevent cheaters from ban-evasion. Anyway, a lot of people don't want to provide their credit card info for a service they are not sure if they want to use yet (purpose of a trial), and a lot of services want to allow credit card-free trials without opening themselves up to abuse.
I think the vast majority of reflexive dismissals of crypto tech have two themes in common: "if the technology doesn't satisfy this use case, or the UX is not perfect yet, then surely there is no way to fix that and we should discard the whole idea;" and "why use this decentralized solution when we can use this centralized one which, in many cases, doesn't work as well?"
I've reached my weekly budget on the amount of time I want to spend explaining this tech online, but maybe consider if problems you see are truly insurmountable, or if you are simply uncomfortable with the idea of an economic layer that is actually open to build on.
> I've reached my weekly budget on the amount of time I want to spend explaining this tech online
Granted, take care of yourself! I hope you feel no obligation or attack in my line of questioning, and perhaps others can fill in here if they are active over the weekend.
> SaaS just seemed relevant to the audience here, but there are a lot of applications which want to limit one account per natural person, not just SaaS. For example, social networks want to prevent astroturfing, and video games want to prevent cheaters from ban-evasion
That's true, so then I wonder what stops someone from farming these identities and selling them?
> I think the vast majority of reflexive dismissals of crypto tech have two themes in common: "if the technology doesn't satisfy this use case, or the UX is not perfect yet, then surely there is no way to fix that and we should discard the whole idea;"
The main issue for me is that quite often existing well-known problems are tackled with this new hammer that ostensibly offers no real benefit on top of solutions we already have. This is not true of all applications of blockchain technology, but it's clear that there is not a strong case that it is as generally applicable as a movement like "web3" would suggest.
> and "why use this decentralized solution when we can use this centralized one which, in many cases, doesn't work as well?"
The traditional financial system is basically not available for an individual to build on without the blessing of VCs. If you do manage that, you have to come head-to-head with money transmitter licensing, collecting personal info from your customers and keeping it safe, implementing rules about who can send money to whom (that differ by country), and playing by Visa et al's rules about who isn't allowed to use your app and for what (which includes a lot of normal people doing normal things.)
It feels wrong to me that building financial apps for public good basically requires creating a capital class and handing over profits and control to them. Will VCs fund another Kickstarter or Open Collective?
I got into crypto because I realized the things I actually wanted to build I could basically only do so using crypto. (Also, watching myself earn interest every 15 seconds was just incredibly cool.) Granted, that was in 2018, and prices are a lot higher now, and so is the level of grifting and hype. A stronger layer of psychological self-defence is warranted both from people in the space and outside of it.
Anyway, the short answer to your question is that the time cost of Zoom verification will in many cases deter low-level and botting fraud, but Zoom verification overall is a stopgap to bootstrap the network, and over the long term applications will require users to be verified by a few of their IRL F&F (and Zoom parties can be used to connect their social network to the rest of the graph.)
> The traditional financial system is basically not available for an individual to build on without the blessing of VCs. ... implementing rules about who can send money to whom (that differ by country)
Building on the blockchain does not indemnify you from following the relevant laws. You mention also Visa's rules, which also mostly tend to be based on the relevant laws (though there are exceptions, like their restrictions on adult content).
> It feels wrong to me that building financial apps for public good basically requires creating a capital class and handing over profits and control to them
The amount of "financial apps for public good" being made are exceedingly few. Acting like the apps being made by "web3" companies just want to faciliate trade for underserved populations with no gain to themselves is perhaps disingenous. Yeah sure if you are one person it might be easier to build an app to allow folks to send money to each other when you build it on a cryptocurrency, but is it easier or have you ignored all the ways nefarious people will use your app to do things that are absolutely something that should be stopped? Is that better than gatekeeping these apps for those who can manage these sort of protections?
> I got into crypto because I realized the things I actually wanted to build I could basically only do so using crypto. (Also, watching myself earn interest every 15 seconds was just incredibly cool.)
Hey, if you want to build some financial apps, that's great. Go forth! But it is not "web3". I will say that I don't think of earning interest in real time as anywhere near as "cool" as literally any other aspect of technology/engineering I can think of. And I don't feel compelled to enable that feeling you had in everyone else either.
> prices are a lot higher now, and so is the level of grifting and hype
The prices are a lot higher because of the hype, not the other way around. In fact, the prices are above zero because of the hype. To be clear, that is not to say the hype isn't warranted, but I think it's important to have the ordering clear.
> Anyway, the short answer to your question is that the time cost of Zoom verification will in many cases deter low-level and botting fraud, but Zoom verification overall is a stopgap to bootstrap the network, and over the long term applications will require users to be verified by a few of their IRL F&F (and Zoom parties can be used to connect their social network to the rest of the graph.)
The time cost of Zoom verification will deter individuals from performing it, but not specialists who do it on individuals' behalf. I could imagine starting a business solely to participate in these Zoom calls, generate identities, and then pass the credentials for one or more of those identities to anyone who puts up the ETH. Since I have to assume it's not just the same people in every one of these Zoom calls, I have no doubt you could send the same "seemingly unique" person to many of them and get a new set of credentials for each one, and then sell those off like anything else. Given how things like Spotify botting and phone farming are actually happening, this will be compromised in no time, just like all the previous prevention techniques have been.
> but Zoom verification overall is a stopgap to bootstrap the network ... over the long term applications will require users to be verified by a few of their IRL F&F (and Zoom parties can be used to connect their social network to the rest of the graph.)
Even after the stopgap is stopped and the network is strapped and booted, is someone without a network of "acceptable" social contacts not worthy of being able to participate in this ecosystem? So folks who do not want to divulge their social contacts literally cannot participate? This seems like one of the core audiences of decentralized privacy-conscious technologies, and yet they could not participate without (publically?) divulging personal information.
> Building on the blockchain does not indemnify you from following the relevant laws.
You are right. The relevant laws apply to money service operators and blockchain software developers, in most cases, are not money service operators. Software developers, in most societies, cannot be deputized to enforce particular uses or non-uses of their software.
> have you ignored all the ways nefarious people will use your app to do things that are absolutely something that should be stopped?
I think freedom to transact is as valuable as freedom to access information (uncensored, using Tor) and freedom to communicate (securely, using E2E.) In fact, the latter two freedoms boil down to the former. If you disagree, you are correct to not like DeFi.
> And I don't feel compelled to enable that feeling you had in everyone else either.
I know you don't, but I wanted to share the first time using a blockchain tech was more pleasant than using its traditional counterpart for me. Trying to convince people that "blockchains are useful" is not very compelling either. It's not my job, but I can spend hours on it with no benefit to me.
> So folks who do not want to divulge their social contacts literally cannot participate?
You are right that Zoom verification is a low level of verification. On BrightID today, you can be verified by a friend without having to divulge the identity of yourself or your friend to any blockchain, any application, or any other person in your social network. Using zero-knowledge proofs, the entire anonymous network graph can be hidden as well.
In addition, the only apps they cannot use are those which require anti-Sybil guarantees. Is "has 3 friends who will vouch for you" too high of a bar compared to "qualifies for and has a credit card"? If it is, is it bad to have the former as an option for those who cannot reach the latter?
ETA: government/institutional ID verification is a valid BrightID graph node as well, for institutions/individuals/applications which choose to use it.
> You are right. The relevant laws apply to money service operators and blockchain software developers, in most cases, are not money service operators. Software developers, in most societies, cannot be deputized to enforce particular uses or non-uses of their software.
i think you're in for a rude awakening if you believe that, especially if you are financially benefitting or are advertising the software is useful for the prescribed purpose.
For example, people who sell malware get arrested all the time. People who run naspster got sued off their ass.
Not super familiar with BrightID but I took a look at the website. So I guess the idea is that other humans verify a human and issue cryptographic proof that they are a human.
My question: What about BrightID stops you from verifying and creating multiple identities by simply joining these Zoom-based verification parties multiple times? If someone does that, what's to stop someone from then providing those multiple identities to other people?
While personally i think the original satoshi paper was interesting, and some of the proof of stake stuff. If i'm being generous, some zero knowledge proof stuff. Its not really cryptocurrency,but cryptocurrency has caused attention to be drawn to it.
Beyond that its all minor fixes and applications that are mildly interesting at best. So yeah, very little innovation, but please enlighten me if i missed something.
Pretty much actually. Most layman regard Web3 as a joke at best, and more often a scam. Most of those same people know little, if anything, about Web3 beyond a general association with crypto, regardless of whether that association is merited.
Er blockchains are the largest deployments of non-trivial zero knowledge proofs, which are more advanced cryptography than anything used in traditional WebPKI crypto. This deployment has required tons of novel peer-reviewed (academic and industrial) research as well as massive engineering efforts to bring the tech to production.
The result of these efforts is that ZKPs have gone from a academic curiosity to widely productionized tech. this stuff is beyond the wildest dreams of people like David Chaum.
Except that ZKPs had already seen real-world use before Satoshi's whitepaper was circulated; in fact, there was an already-defunct startup that was selling ZKP-driven authentication tech. Secure multiparty computation is even more advanced than ZKPs, was already deployed in several real-world applications prior to Bitcoin, and has probably driven more research on ZKPs (as a building block in MPC protocols) than anything in the blockchain space thus far. As for how widely productionized the technology is, while I am not sure how you define "non-trivial" ZKPs, U2F was almost certainly a more widely used ZKP application than any blockchain tech, and there are plenty more real-world ZKP applications having nothing to do with blockchains that we could list.
David Chaum dreamed about a world where electronic payments could be anonymous and secure, but the demand was not there and his startup never took off. "Blockchain" sucked most of the oxygen out of the room when it comes to further work on ecash, which is unfortunate given that even the most technically complex ecash proposals were overwhelmingly more efficient than any blockchain-based payment tech ever could be. For what it's worth, the most recent ecash proposals also advanced the research on NIZKs and ZKPs more generally (it is actually hard to avoid some kind of NIZK in a system that supports offline payments) and had ecash been deployed more widely we probably would have seen at least as much research and productionization activity as we see in the blockchain space.
On the other hand, blockchain research has struggled with a foundational question that does not present a problem for any of the technology I mentioned above: how to properly define security. Especially in the permissionless setting the effort on defining security has been unconvincing so far, requiring a very stretched approach to formalizing computational resources that is hard to actually map onto a real-world application. Satoshi did not start with a well-defined problem he was trying to solve with Bitcoin, and such an approach -- clearly identifying the problem you are actually trying to solve and verifying that the definition is logically consistent and realistic -- is exceedingly rare in the blockchain space, while in mainstream cryptography research it is a de facto requirement. So while blockchain tech has not experienced a spectacular failure due to some theoretical shortcomings, the theory itself is not well developed compared to the theory of cryptography in general (including ecash, which can be rigorously defined and proposed systems can be proved to satisfy the definition).
Zerocash is an crash system in the vein of Amon Ta-Shma’s variant from 99, and has rigorous security definitions and proofs. Follow-up work like Zexe strengthens these definitions to standard ones used in MPC, namely simulation-based security.
Furthermore, the MPC deployments you speak of are rather small-scale, there have been no deployments of general-purpose MPC beyond maybe the sugar beets auction.
MPC has been deployed at large scale by numerous companies, at least for the ads industry; I know because I actually work on exactly this full time and I have seen the numbers (but unfortunately I cannot share specifics). There is nothing special about general-purpose protocols that makes them more "legitimate" or whatever; we use specialized protocols in practice because it is almost always more efficient and thus less expensive to run (and MPC is usually right on the threshold of being too expensive).
As for zerocash, the last time I looked into it what I saw were a set of security definitions that assume a reliable ledger of some kind; whether or not that ledger is implemented using a blockchain at all is not addressed in the theoretical work. The practical deployment relied on Bitcoin, but since Bitcoin security is not well-defined (or at least not convincingly defined) that makes the rest of the security argument dubious. As far as I know Zexe has the same problem: yes, the security definition is much stronger, but they do not address the realization of the ledger functionality itself and thus any real-world deployment that relies on e.g. Bitcoin, or really any permissionless blockchain, has the same theoretical shortcomings. Ultimately the permissionless setting itself is the problem; zerocoin could be implemented using a ledger managed by a trusted party, and it would achieve its security goals without those theoretical problems.
I should also be clear that when I say ecash does not share this problem, it is because ecash has a well-defined security model and all functionalities needed to realize an ecash system also have well-defined security. We can instantiate ecash using any of the security assumptions we commonly use for digital signatures, and in theory ecash can be instantiated from MPC (by using a generic MPC protocol to implement a blind signature, then using the blind signature to implement ecash), which itself can be instantiated with standard cryptographic assumptions. So ecash has a security definition that is as well-defined as a cryptographic security definition can be.
Zerocash and Zexe and Zerocoin are all strict supersets of ecash. If you instantiate them underlying ledger with a single server, you recover ecash. If you instantiate with a permissioned distributed ledger (eg via PBFT), you get a distributed but permissioned ecash system. If you use a permissionless ledger, you get a permissionless system with no central authority. The entire point of the ledger abstraction in those works is to enable a composition-based security analysis. That’s literally the way 99% of cryptography proofs are structured. Saying that “Zerocash doesn’t specify details of the ledger” is like saying that “Schnorr signatures don’t specify details of the underlying DL-hard group”; the point is to abstract away those concerns.
Re: MPC deployments, the point about deploying general-purpose MPC is that it’s a much more complex task than specialized protocols. That’s why I specified general-purpose zkps; we already have ubiquitous deployments of specialized zkps (I.e. digital signatures). And maybe your project indeed has a large scale MPC deployment, that’s awesome. Doesn’t take away from the fact that cryptocurrencies are pushing zkp innovation at unprecedented rates.
My job would be much simpler if I could deploy generic MPC; all I would have to do is maintain a library and maybe a compiler, without having to design and implement an entirely new protocol every time someone came along with some new feature or use-case. The engineering effort of productionizing a generic protocol is a one-time cost and my coworkers and I could do that work relatively quickly. On the other hand, special-purpose protocols are typically difficult to modify, we are have to do our security proofs over and over whenever we roll out anything new, and we must go through the engineering effort over and over.
Engineering effort is not what holds back the deployment of generic MPC protocols. Those protocols are just too expensive to run in the majority of real-world MPC applications. Even special-purpose protocols are sometimes too resource-intensive to be deployed. I do not see that situation changing without a radically different approach to generic protocols. I also do not understand what is so uniquely exciting about deploying a generic ZKP or MPC protocol. If it works in a giving setting and no special-purpose construction could be used, great, but it is not some kind of badge of honor.
As for Zerocash, you had originally said that blockchains are where we can finding the largest deployments of non-trivial ZKPs, which is why I pointed out that Zerocash and its followup work do not really involve "blockchains" beyond a particular instantiation of a ledger. If the construction can be implemented without any blockchain at all -- which the authors of the original paper took the time to point out -- then I do not see how any of the research on ZKPs motivated by Zerocash and its followup work supports your claim at all. You are saying that Zerocash is actually ecash, which kind of makes my point for me: we are not actually talking about something in the "blockchain space."
(Also, I have a somewhat controversial view that NIZKs and signatures are not actually "zero knowledge," since the verifier obviously cannot compute a NIZK or signature without receiving a message from the prover/signer and thus gains knowledge when it does receive those strings. Not that it matters in any way for this conversation, since the value of innovation in NIZKs or ZKSNARKs is not in doubt, but I did want to mention that signatures are a poor example of real-world deployments of ZKPs.)
I’m glad to see pushback on the “crypto means cryptography” meme, which is really just an indicator they aren’t interested in the leading cryptographic research.
Well, let's see, the technical program for this year's RealWorldCrypto conference includes...side channel attacks, symmetric cryptography, privacy, attacks on privacy, cryptography for the ads industry, messaging, post-quantum crypto, threshold crypto, and zero knowledge proofs. Funny how Blockchain did not make the cut for a popular conference on practical applications of advanced cryptography.
Looking through the CRYPTO'21 and EUROCRYPT'21 conferences, there is only one session between them involving "blockchain" and it is not even dedicated to the topic (it also includes papers related to law enforcement and privacy).
This may be hard for blockchain enthusiasts to hear, but it is not really a hot topic among cryptographers. There was a bit of interest a few years ago as people tried to figure out if any good security definitions can be developed, and the results were not very convincing. Beyond that almost all the academic interest in block chains has focused on the "permissioned" setting where security can be defined in a meaningful and useful way.
So, yes, "crypto means cryptography" and "blockchain" should refer to block cipher chaining modes.
We should not be building our infrastructure to rely on the incidental beneficence of the oligarchy. We should build tools for decentralized permissionless economic coordination. Quadratic funding as used in Gitcoin and others is promising.
https://app.ens.domains/name/suzuha.eth/details
also, my post is on arweave, one of the cryptoeconomic data availability layers mentioned on the post:
https://3m44zon3blpnpjs3neglffbhqaibvuaeofkln2rd645dvky7cblq...