Ian Miers
@secparam
Followers 11K · Following 1K · Media 233 · Statuses 9K
CS Prof. Security and applied cryptography. University of Maryland. I do cryptography and cryptocurrency work in Washington DC.
Washington DC/ UMD
Joined April 2012
I should point out this tweet might not age well. Markets and orgs can change. But seeing so many folks from major projects, including Bitcoin, say yep, this is the way to do private payments—in terms of tech, culture around security and bugs, and philosophy—is really touching.
1
0
35
Huge thanks to the devs who kept slugging through the trenches in those times.
1
0
35
Glad Zcash is exciting again. It's come a long way since Matt and I started working on it as a "make Bitcoin private" project. One of the coolest things I've worked on in my life. And a tough few years when private payments seemed to only matter in the dark corners of the web.
Hey I’m glad everyone’s excited about Zcash again! It’s one of the coolest things I’ve ever worked on in my life.
19
26
321
The flip side is, most FHE does not get you integrity, so to add that you need, e.g., zk proofs. So fully untrusted for privacy and integrity FHE evaluation is even more expensive.
2
0
12
Once you accept that FHE fundamentally depends on a non-collusion/non-compromise assumption for threshold decryption, there is one very modest security advantage over MPC: Key holders are less exposed than in MPC. They only decrypt, they don't compute the function.
3
0
9
Since this seems overlooked: the point is an FHE protocol involving multiple parties has the same security assumptions and trade-offs as an MPC one. Who holds keys/shares and should they be trusted not to collude? For MPC, this is well understood, but for FHE, it’s not.
1
0
11
To be clear, there are legitimate use cases for this, and some very impressive research. BUT, the discussion around security for them should be "ok, where's the key?"
3
1
36
Scenario B is where we see proposed protocols IRL: darkpools, private anti-money laundering systems, etc. No one person is trusted to hold the key, there's a committee for threshold decryption. But the security of the entire solution depends on the committee not just "encryption"!
5
0
23
Given Enc(data), FHE lets you compute Enc(f(data)) for any f. But someone has to decrypt the result! There are two scenarios a) Your data, your key, you just outsourced computation. Safe, but rarely worth the FHE overhead. b) It's multiple people's secret data, so who gets the key?
3
0
30
There's no such thing as Fully-Homomorphic Decryption. Anytime you see a system using FHE to compute on your sensitive data, remember: someone has the key. If it's not you, do you trust them?
145
71
472
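The thread above (the "someone has the key" point and the threshold-decryption committee of scenario b) can be made concrete with a toy. This is an added example, not code from @secparam or any project he mentions; it uses an additively homomorphic scheme (exponential ElGamal) rather than real FHE, because the trust question is the same: computation happens on ciphertexts, but decryption needs the key. The key is Shamir-shared t-of-n among a committee, so no single member holds it, yet any t members together decrypt the aggregate, decrypt any individual input just as easily, and can reconstruct the key outright. The group parameters (p = 1019, q = 509, g = 4) are constructed toy values chosen for readability and are far too small for real use.

```python
"""Toy additively homomorphic encryption with t-of-n threshold decryption.

Exponential ElGamal over a small prime-order subgroup, with the secret key
Shamir-shared among a decryption committee.  Added illustration, not
production code: the group is tiny and plaintexts must stay below q.
"""
import secrets

P = 1019      # constructed toy safe prime, p = 2q + 1
Q = 509       # prime order of the subgroup we work in
G = 4         # generator of that order-q subgroup (a quadratic residue mod p)


def keygen():
    """Secret key x in [1, q-1]; public key y = g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return pow(G, x, P), x


def encrypt(pk, m):
    """Enc(m) = (g^r, g^m * y^r).  Plaintext m must satisfy 0 <= m < q."""
    r = secrets.randbelow(Q - 1) + 1
    return (pow(G, r, P), pow(G, m, P) * pow(pk, r, P) % P)


def add_ciphertexts(c_a, c_b):
    """Componentwise product of ciphertexts encrypts the sum of plaintexts."""
    return (c_a[0] * c_b[0] % P, c_a[1] * c_b[1] % P)


def _dlog(h):
    """Brute-force g^m = h over the whole (toy-sized) subgroup."""
    acc = 1
    for m in range(Q):
        if acc == h:
            return m
        acc = acc * G % P
    raise ValueError("element not in the subgroup")


def decrypt(c, x):
    """Single-key-holder decryption: g^m = c2 / c1^x."""
    return _dlog(c[1] * pow(pow(c[0], x, P), -1, P) % P)


def shamir_share(secret, t, n):
    """Split secret (mod q) into n shares; any t reconstruct it.

    Non-constant coefficients are drawn nonzero so that every individual
    share differs from the secret itself.
    """
    coeffs = [secret] + [secrets.randbelow(Q - 1) + 1 for _ in range(t - 1)]
    shares = []
    for i in range(1, n + 1):
        v = sum(a * pow(i, k, Q) for k, a in enumerate(coeffs)) % Q
        shares.append((i, v))
    return shares


def lagrange_at_zero(i, indices):
    """Lagrange coefficient for share i when interpolating f(0)."""
    num, den = 1, 1
    for j in indices:
        if j != i:
            num = num * (-j) % Q
            den = den * (i - j) % Q
    return num * pow(den, -1, Q) % Q


def reconstruct_key(shares):
    """What t colluding committee members can always do: rebuild x itself."""
    indices = [i for i, _ in shares]
    return sum(v * lagrange_at_zero(i, indices) for i, v in shares) % Q


def partial_decrypt(c, share):
    """Each committee member raises c1 to its share; x never leaves the member."""
    i, x_i = share
    return (i, pow(c[0], x_i, P))


def threshold_decrypt(c, shares):
    """Combine partial decryptions in the exponent: prod d_i^lambda_i = c1^x."""
    partials = [partial_decrypt(c, s) for s in shares]
    indices = [i for i, _ in partials]
    c1_x = 1
    for i, d in partials:
        c1_x = c1_x * pow(d, lagrange_at_zero(i, indices), P) % P
    return _dlog(c[1] * pow(c1_x, -1, P) % P)


if __name__ == "__main__":
    pk, x = keygen()
    committee = shamir_share(x, 2, 3)          # 2-of-3 decryption committee
    inputs = [40, 25, 35]                      # constructed per-party secrets
    total = encrypt(pk, inputs[0])
    for m in inputs[1:]:
        total = add_ciphertexts(total, encrypt(pk, m))
    print("committee decrypts the sum:   ", threshold_decrypt(total, committee[:2]))
    print("...and any single input too:  ", threshold_decrypt(encrypt(pk, inputs[0]), committee[1:]))
    print("...and recovers the key itself:", reconstruct_key(committee[:2]) == x)
```

The last two prints are the point of the thread: nothing in the scheme distinguishes "decrypt the aggregate the protocol intended" from "decrypt one person's input", and two members of a 2-of-3 committee hold exactly as much as a single key holder would. Whether that is acceptable depends entirely on who sits on the committee.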
ZK proofs could be part of new anti-money laundering systems for digital assets. But many of the ideas out there "miss the game we are playing," @secparam said at the DC Privacy Summit.
1
4
16
We're releasing ZisK v0.13 today - The version that makes this milestone possible. ZisK is fully open source, quantum resistant, and provides 128-bit security, ensuring trustless and future-proof verifiability for Ethereum. https://t.co/DBVn0FcGtW
github.com
⚠️ Disclaimer: Software Under Development ⚠️ This software is currently under active development and has not been audited for security or correctness. Please be aware of the following: The softwar...
2
2
39
This is why having "some set of nodes" do MPC or FHE decryption is risky. Blockchains have convinced people they can trust random incentivized strangers on the Internet. But signatures are a very special case.
Regular reminder: A key property of a blockchain is that even a 51% attack *cannot make an invalid block valid*. This means even 51% of validators colluding (or hit by a software bug) cannot steal your assets. However, this property does not carry over if you start trusting
4
3
55
Updating. FHE is MPC with 9,000% of the compute on an untrusted server and less bandwidth. But the interesting applications are the same, as are the trust requirements.
9
10
69
To take Bitcoin as an example. The "recommended" options are 1) mixing services that are under active attack by analytics services and themselves leave a footprint, 2) a thing called Cashu, that’s bleeding-edge tech and requires you to find a trustworthy issuer not to rob you.
1
0
12
There are workarounds, but even for intelligence services and trained professionals, they are very tricky. They are nearly impossible if you need to spend the cryptocurrency you get. Which activists need to do. It's not an investment for them.
2
0
9
Cryptocurrency is twitter for your bank account. It's all public, just not under your real name. But just like social media, doxing is easy. Chain analysis plus AI-powered OSINT makes linking identities trivial. And under dictatorships, potentially deadly for dissidents.
2
5
29
Reminder: Some of the people building blockchain surveillance sold spyware to dictators in their last job. You can't ethically recommend crypto to activists as a privacy tool. Even privacy coins require caution, as they need enough users in a country. https://t.co/eAol3Mva3X.
vice.com
Coinbase said it's aware of the Neutrino founders' controversial past, but their technology is the best the major exchange has encountered.
6
15
82
Assume banks want to stop criminal activity, comply with the law, and the costs of a compliance program are pretty small. Why is current banking structured so that they don't have to know their customer's customer? What would go wrong if that changed?
1
0
3