by dystopiabreaker 1619 days ago
You're doing the thing I wrote about in the first few paragraphs of the article.

By the way, the largest academic cryptography group, IACR, was founded by people who were working on cryptocurrency before they founded it.


"IACR, was founded by people who were working on cryptocurrency"

This is extremely misleading. IACR was proposed by David Chaum in 1982, a year before his first paper on ecash, and its first board members in 1983 included Whitfield Diffie (who had not done any work on payments) among others. Chaum's ecash ideas look nothing like "cryptocurrency" as it exists today, nor do any of the ideas presented in subsequent research on the topic.

The person you replied to correctly pointed out that "crypto" was coopted by the blockchain space and is now being used to mean any number of distributed systems technologies. I have seen people wearing t-shirts saying things like "crypto means cryptography" and making jokes about reclaiming "blockchain" to refer to block chaining modes at various cryptography conferences (many organized by IACR) over the past decade. Moxie was right when he quipped that the "crypto" space involves very limited use of actual cryptography.

crypto was not co-opted. FAANGies just got stuck on a WebPKI side quest.

Leading research in the field is being done by blockchain companies. You don't have to believe me, try reading ePrint. Cryptocurrency people lead the research in zk proof systems and more. The idea that the crypto space doesn't use cryptography is absolutely laughable.

Some interesting research is being done by some cryptocurrency companies like ZCash and Algorand. Their work on ZKPs and SNARKs has been interesting, but it is worth pointing out that they are not the only people working on this. Moreover, the serious cryptographers working on anything related to blockchains have more or less stopped talking about the permissionless setting (where Bitcoin, Ethereum, and basically all of the popular blockchains in use are) because security is too hard to define in a meaningful way. In the "permissioned" setting where parties have well-known identities there has been a bit of interesting research on maintaining a shared cryptographic data structure.

Meanwhile, academic and (non-blockchain) industry researchers have been pushing the state of the art in every subfield within cryptography, ZKPs included. Big companies have been deploying MPC as a means of addressing privacy concerns and regulation, and the cryptographers working on that (full disclosure: I am one of them) have been pretty active in publishing their work. Academic researchers have further advanced the results and addressed the problems raised by industry researchers, sometimes breathing new life into almost-forgotten lines of research (like set intersection protocols).

So sure, I can grant you that there has been some interesting work on cryptography within the blockchain space, but it is not nearly as exciting and significant as you suggest. I actually have a lot of respect for the ZCash team, whose work really is top-notch and who I see (or saw pre-COVID) at high-quality conferences like CRYPTO and RWC. On the other hand they are a small and very unique team within both the blockchain ecosystem and the cryptography research community, and their research work is only nominally related to blockchains (it is inspired by an application that did not even require a blockchain in the first place). Beyond the ZCash and a few other groups with serious cryptographers the blockchain space is a desert in terms of interesting cryptography.

> Moreover, the serious cryptographers working on anything related to blockchains have more or less stopped talking about the permissionless setting (where Bitcoin, Ethereum, and basically all of the popular blockchains in use are) because security is too hard to define in a meaningful way.

This is untrue, I see far more work on the permissionless setting (including formalizing definitions) than on the permissioned setting on ePrint. This includes respected cryptographers like Elaine Shi, Rafael Pass, Silvio Micali, Andrew Miller, Aggelos Kiayias, and more.

> Meanwhile, academic and (non-blockchain) industry researchers have been pushing the state of the art in every subfield within cryptography, ZKPs included. Big companies have been deploying MPC as a means of addressing privacy concerns and regulation, and the cryptographers working on that (full disclosure: I am one of them) have been pretty active in publishing their work

While cryptography is certainly much bigger than ZKPs, it is also absolutely true that, for the metric of “deployable protocols”, the pace of ZKP innovation has far outstripped the pace of MPC innovation over the past few years. I say this as a cryptographer with a bunch of non-zkSNARK papers; my general-purpose zkSNARK work has been deployed, adopted, and obsoleted in the span of ~2yrs, all while my MPC work in the same span hasn’t inched towards deployment (despite being sufficiently practical for deployment), and follow-up work has provided only marginal improvements.

> Beyond the ZCash and a few other groups with serious cryptographers the blockchain space is a desert in terms of interesting cryptography.

That’s incorrect. Beyond ZKPs, there’s been blockchain-inspired-and-funded work on Verifiable Delay Functions, threshold signatures, signature aggregation, anonymous gossip networks, fuzzy variants of PIR, functional commitment schemes, set accumulators, coding theory, and more.

That is an impressive list of cryptographers working on blockchains, but at major cryptography conferences there is less and less blockchain work being presented, to the point where CRYPTO'21 didn't have any blockchain sessions at all, while EUROCRYPT'21 had a single session where blockchain work was combined with work on privacy and law enforcement. To be fair, three sessions at CCS'21 were dedicated to blockchain research, but CCS is structured to allow more topics; it is not a conference specific to cryptography, and they had two sessions dedicated to MPC and a third on federated learning which touched on MPC. It is a small sample but representative of a larger trend of cryptographers becoming less interested in blockchain research.

I have not seen ZKP innovation outstrip MPC innovations at all. In the past decade I have seen a rapid expansion of research in MPC following both a strong push by DARPA and growing interest among large tech companies and banks. There has been a revival of interest in set-intersection protocols and related functionalities, a lot of impressive work in garbled circuits and other generic protocols that have greatly reduced their resource requirements, machine learning applications, and various other ongoing lines of work. At worst I would say that ZKP and MPC research have been roughly equal in terms of the pace of innovation, which should surprise no one as the two topics have strong connections.

Moreover, while there is certainly a lot of ZK research being published year after year, most of it has nothing to do with blockchains and is not coming from anything related to blockchains. There are plenty of academic researchers publishing ZK work, and I still see lots of industry ZK research that has nothing to do with blockchain. The same is true of all the other topics you mentioned -- some blockchain-inspired work here and there, but a lot more research from elsewhere.

Sorry to hear that your MPC work has not made it into production, but maybe that is because it is not as practical as you claim. Personally I like to say that the only test of "practicality" that matters is whether or not it is useful in a real-world application. Obviously your SNARK work cleared that bar, which is great but does not really say much about the pace of innovation. I can say that most of my published research at this point has been put into production -- an equally meaningless statement since I have been working for a big tech company for a long time, and the research I have published in that time has all been the result of work I did to address various privacy and security problems that company faces. My judgement of where the innovation is happening is based on the research I am seeing people present at various conferences. Maybe I am looking in the wrong places, and there is actually a whole world of cryptography conferences where people are excited about blockchain work?

And if modern web3 had even half the level of innovation as the 80's digicash stuff, people would probably object to it a lot less.

When people say stuff like this, I wonder what they think the state of the art in web3 innovation is. Do people just see the monkey JPGs and write off the whole technology?

What do you see? I've just had a 2 hour conversation with someone trying to get me into this "business" without being able to articulate a single use case where NFTs actually make my day better in a way that is not currently possible with other tech so, yeah...what do you see?

I see a whole new wave of fools about to lose their money to ponzi schemes and over-hyped "investments", much like it happened with the bitcoin/crypto train.

Just write NFT or crypto in YouTube and you immediately see all the sharks promising you millions in their videos, trying to manipulate you into investing - don't read the comments though, it's even worse. I see a lot of red flags and trouble for nothing. I hold crypto assets so I'm not talking out of my butt here - I must confess; I've had no real benefits yet from this new tech. The crypto I hold is because one of my products has crypto as a payment method so I decided to just hold a piece of it and try to make use of "new tech".

In the crypto space I'm most excited about the ability to have open projects where anyone who contributes can have a stake in the financial rewards of the project, and there are no barriers to becoming a contributor. A lot of the time the financial benefits of open-source contributors are fully captured by a "host" corporation, and open collaboration platforms for non-software projects like textbooks and IRL shared spaces are almost nonexistent.

Proof-of-personhood a la BrightID is something that governments could theoretically provide, but most don't, and even if they did, there are serious privacy and interoperability concerns. SaaS companies trying to provide a free trial can prevent abuse by verifying unique personhood using web3 tech without needing to ask for any more information about the user. I'm sure you can think of other applications for that tech. Even if every government in the world provided this service, everyone who wants to use it either has to implement 195 different APIs or fork over money to a cottage industry whose sole job it is to unify those APIs.

Finance and commerce on blockchains has a lot of real-world benefits that traditional finance can't or refuses to provide. You can't easily set up a 3-of-5 multisig for your photography club in traditional finance. A lot of normal people have their payments blocked or funds frozen in TradFi for arbitrary reasons. Sex workers get kicked off of platforms all the time, and a friend recently had their PayPal frozen while raising funds for a school reunion party.

I'm not super into NFTs personally, but I can see them having a use case as a more consumer-friendly business model for gacha games and games with similar mechanics. There are probably other promising applications that I just don't know about because I don't follow that space very closely.

> SaaS companies trying to provide a free trial can prevent abuse by verifying unique personhood using web3 tech without needing to ask for any more information about the user

A trial is usually backed by a financial instrument. Usually that financial instrument is a credit card. A credit card can be uniquely identified, and so if you really are concerned about trial reuse, you can check reuse of the credit card, and that gets you pretty far. Folks can use prepaid cards, but you can also block those, which isn't totally unreasonable when you are talking about a subscription -- and a lot of subscription services do block them. Is it undefeatable? No. Is it good enough? Yeah actually. So why do I need to replace the concept of a credit card with an entirely new type of financial instrument that most users (especially non-technical users) don't have or understand?

SaaS just seemed relevant to the audience here, but there are a lot of applications which want to limit one account per natural person, not just SaaS. For example, social networks want to prevent astroturfing, and video games want to prevent cheaters from ban-evasion. Anyway, a lot of people don't want to provide their credit card info for a service they are not sure if they want to use yet (purpose of a trial), and a lot of services want to allow credit card-free trials without opening themselves up to abuse.

I think the vast majority of reflexive dismissals of crypto tech have two themes in common: "if the technology doesn't satisfy this use case, or the UX is not perfect yet, then surely there is no way to fix that and we should discard the whole idea;" and "why use this decentralized solution when we can use this centralized one which, in many cases, doesn't work as well?"

I've reached my weekly budget on the amount of time I want to spend explaining this tech online, but maybe consider if problems you see are truly insurmountable, or if you are simply uncomfortable with the idea of an economic layer that is actually open to build on.

Not super familiar with BrightID but I took a look at the website. So I guess the idea is that other humans verify a human and issue cryptographic proof that they are a human.

My question: What about BrightID stops you from verifying and creating multiple identities by simply joining these Zoom-based verification parties multiple times? If someone does that, what's to stop someone from then providing those multiple identities to other people?

While personally I think the original satoshi paper was interesting, and some of the proof of stake stuff. If I'm being generous, some zero knowledge proof stuff. It's not really cryptocurrency, but cryptocurrency has caused attention to be drawn to it.

Beyond that it's all minor fixes and applications that are mildly interesting at best. So yeah, very little innovation, but please enlighten me if I missed something.

When the advocates seem to focus on the monkey JPGs, it's not surprising. What do you think the state of the art in web3 innovation is?

Pretty much actually. Most laymen regard Web3 as a joke at best, and more often a scam. Most of those same people know little, if anything, about Web3 beyond a general association with crypto, regardless of whether that association is merited.

Technology means nothing without a use case.

Er, blockchains are the largest deployments of non-trivial zero knowledge proofs, which are more advanced cryptography than anything used in traditional WebPKI crypto. This deployment has required tons of novel peer-reviewed (academic and industrial) research as well as massive engineering efforts to bring the tech to production.

The result of these efforts is that ZKPs have gone from an academic curiosity to widely productionized tech. This stuff is beyond the wildest dreams of people like David Chaum.

Except that ZKPs had already seen real-world use before Satoshi's whitepaper was circulated; in fact, there was an already-defunct startup that was selling ZKP-driven authentication tech. Secure multiparty computation is even more advanced than ZKPs, was already deployed in several real-world applications prior to Bitcoin, and has probably driven more research on ZKPs (as a building block in MPC protocols) than anything in the blockchain space thus far. As for how widely productionized the technology is, while I am not sure how you define "non-trivial" ZKPs, U2F was almost certainly a more widely used ZKP application than any blockchain tech, and there are plenty more real-world ZKP applications having nothing to do with blockchains that we could list.

David Chaum dreamed about a world where electronic payments could be anonymous and secure, but the demand was not there and his startup never took off. "Blockchain" sucked most of the oxygen out of the room when it comes to further work on ecash, which is unfortunate given that even the most technically complex ecash proposals were overwhelmingly more efficient than any blockchain-based payment tech ever could be. For what it's worth, the most recent ecash proposals also advanced the research on NIZKs and ZKPs more generally (it is actually hard to avoid some kind of NIZK in a system that supports offline payments) and had ecash been deployed more widely we probably would have seen at least as much research and productionization activity as we see in the blockchain space.

On the other hand, blockchain research has struggled with a foundational question that does not present a problem for any of the technology I mentioned above: how to properly define security. Especially in the permissionless setting the effort on defining security has been unconvincing so far, requiring a very stretched approach to formalizing computational resources that is hard to actually map onto a real-world application. Satoshi did not start with a well-defined problem he was trying to solve with Bitcoin, and such an approach -- clearly identifying the problem you are actually trying to solve and verifying that the definition is logically consistent and realistic -- is exceedingly rare in the blockchain space, while in mainstream cryptography research it is a de facto requirement. So while blockchain tech has not experienced a spectacular failure due to some theoretical shortcomings, the theory itself is not well developed compared to the theory of cryptography in general (including ecash, which can be rigorously defined and proposed systems can be proved to satisfy the definition).

Zerocash is an ecash system in the vein of Amnon Ta-Shma’s variant from '99, and has rigorous security definitions and proofs. Follow-up work like Zexe strengthens these definitions to standard ones used in MPC, namely simulation-based security.

Furthermore, the MPC deployments you speak of are rather small-scale, there have been no deployments of general-purpose MPC beyond maybe the sugar beets auction.

MPC has been deployed at large scale by numerous companies, at least for the ads industry; I know because I actually work on exactly this full time and I have seen the numbers (but unfortunately I cannot share specifics). There is nothing special about general-purpose protocols that makes them more "legitimate" or whatever; we use specialized protocols in practice because it is almost always more efficient and thus less expensive to run (and MPC is usually right on the threshold of being too expensive).

As for zerocash, the last time I looked into it what I saw were a set of security definitions that assume a reliable ledger of some kind; whether or not that ledger is implemented using a blockchain at all is not addressed in the theoretical work. The practical deployment relied on Bitcoin, but since Bitcoin security is not well-defined (or at least not convincingly defined) that makes the rest of the security argument dubious. As far as I know Zexe has the same problem: yes, the security definition is much stronger, but they do not address the realization of the ledger functionality itself and thus any real-world deployment that relies on e.g. Bitcoin, or really any permissionless blockchain, has the same theoretical shortcomings. Ultimately the permissionless setting itself is the problem; zerocoin could be implemented using a ledger managed by a trusted party, and it would achieve its security goals without those theoretical problems.

I should also be clear that when I say ecash does not share this problem, it is because ecash has a well-defined security model and all functionalities needed to realize an ecash system also have well-defined security. We can instantiate ecash using any of the security assumptions we commonly use for digital signatures, and in theory ecash can be instantiated from MPC (by using a generic MPC protocol to implement a blind signature, then using the blind signature to implement ecash), which itself can be instantiated with standard cryptographic assumptions. So ecash has a security definition that is as well-defined as a cryptographic security definition can be.
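The comment above describes instantiating ecash from a blind signature: the bank signs a coin it cannot see, the user unblinds the signature, and the bank's record of spent serials is what stops double-spending. The following is an added illustration of that construction using an RSA blind signature (Chaum's scheme); it is not code from any commenter or from any of the projects named in the thread. The Mersenne-prime RSA key, the `Bank`, `withdraw` and `coin_digest` names, and the serial values are all assumptions made for the example, and the key is far too small for real use.

```python
"""Toy Chaumian ecash from an RSA blind signature (added illustration).

Assumed, insecure toy RSA key: two Mersenne primes give a ~92-bit modulus
so the example runs instantly. Real deployments use a vetted library and
2048+ bit keys; the point here is the protocol shape, not the parameters.
"""
import hashlib
import secrets
from math import gcd

P = 2**31 - 1            # constructed toy prime
Q = 2**61 - 1            # constructed toy prime
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)      # bank's private exponent (65537 is coprime to PHI)


def coin_digest(serial: bytes) -> int:
    """Map a coin serial into Z_N; the bank signs this digest, never raw bytes."""
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % N


class Bank:
    """Hypothetical issuer: signs blinded coins, accepts each serial once."""

    def __init__(self) -> None:
        self.spent: set[bytes] = set()

    def sign_blinded(self, blinded: int) -> int:
        # The bank sees only m * r^e mod N, so it learns nothing about the serial.
        return pow(blinded, D, N)

    def verify(self, serial: bytes, sig: int) -> bool:
        # Ordinary RSA verification on the unblinded signature.
        return pow(sig, E, N) == coin_digest(serial)

    def deposit(self, serial: bytes, sig: int) -> bool:
        """Accept a coin if its signature is valid and the serial is unseen.

        The serial set is the double-spend check: the signature proves the
        coin was issued, the set proves it has not already been redeemed.
        """
        if not self.verify(serial, sig):
            return False
        if serial in self.spent:
            return False
        self.spent.add(serial)
        return True


def withdraw(bank: Bank, serial: bytes) -> tuple[bytes, int]:
    """User side: blind the digest, have it signed, then unblind."""
    m = coin_digest(serial)
    while True:
        r = secrets.randbelow(N - 2) + 2          # blinding factor, must be invertible
        if gcd(r, N) == 1:
            break
    blinded = (m * pow(r, E, N)) % N              # m * r^e
    blind_sig = bank.sign_blinded(blinded)        # (m * r^e)^d = m^d * r
    sig = (blind_sig * pow(r, -1, N)) % N         # strip r, leaving m^d
    return serial, sig


def demo() -> dict:
    """Run a withdraw / deposit / double-spend round trip (constructed serial)."""
    bank = Bank()
    serial, sig = withdraw(bank, b"constructed-coin-0001")
    return {
        "unblinded_matches_direct_sig": sig == pow(coin_digest(serial), D, N),
        "first_deposit": bank.deposit(serial, sig),
        "second_deposit": bank.deposit(serial, sig),   # double spend, rejected
        "wrong_serial": bank.verify(b"constructed-coin-0002", sig),
    }


if __name__ == "__main__":
    print(demo())
```

The bank never links the signature it produced to the serial it later sees at deposit, which is the anonymity property the comment attributes to ecash; the trade-off is that double-spend detection is only as good as the issuer's serial store, which is exactly the "reliable ledger" role a single trusted server plays in this setting.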

Zerocash and Zexe and Zerocoin are all strict supersets of ecash. If you instantiate their underlying ledger with a single server, you recover ecash. If you instantiate with a permissioned distributed ledger (e.g. via PBFT), you get a distributed but permissioned ecash system. If you use a permissionless ledger, you get a permissionless system with no central authority. The entire point of the ledger abstraction in those works is to enable a composition-based security analysis. That’s literally the way 99% of cryptography proofs are structured. Saying that “Zerocash doesn’t specify details of the ledger” is like saying that “Schnorr signatures don’t specify details of the underlying DL-hard group”; the point is to abstract away those concerns.

Re: MPC deployments, the point about deploying general-purpose MPC is that it’s a much more complex task than specialized protocols. That’s why I specified general-purpose ZKPs; we already have ubiquitous deployments of specialized ZKPs (i.e. digital signatures). And maybe your project indeed has a large scale MPC deployment, that’s awesome. Doesn’t take away from the fact that cryptocurrencies are pushing ZKP innovation at unprecedented rates.

Yeah, because then it wouldn't actually be doing anything.

I’m glad to see pushback on the “crypto means cryptography” meme, which is really just an indicator they aren’t interested in the leading cryptographic research.

Well, let's see, the technical program for this year's RealWorldCrypto conference includes...side channel attacks, symmetric cryptography, privacy, attacks on privacy, cryptography for the ads industry, messaging, post-quantum crypto, threshold crypto, and zero knowledge proofs. Funny how Blockchain did not make the cut for a popular conference on practical applications of advanced cryptography.

Looking through the CRYPTO'21 and EUROCRYPT'21 conferences, there is only one session between them involving "blockchain" and it is not even dedicated to the topic (it also includes papers related to law enforcement and privacy).

This may be hard for blockchain enthusiasts to hear, but it is not really a hot topic among cryptographers. There was a bit of interest a few years ago as people tried to figure out if any good security definitions can be developed, and the results were not very convincing. Beyond that almost all the academic interest in block chains has focused on the "permissioned" setting where security can be defined in a meaningful and useful way.

So, yes, "crypto means cryptography" and "blockchain" should refer to block cipher chaining modes.