On improving user understanding & progressing tech with science

I said at the top of my previous comment that it is unclear how safe the transactions on the Zcash blockchain are today. That statement needs to be unpacked into three separate questions:

  1. For “fully shielded transactions”, where the sender and the receiver each use shielded addresses, it is probably very good. This is true even if nobody else has made any fully shielded transactions in a while! Because unlike Chaumian-mix-style systems — such as the ring sigs used in Monero — zero-knowledge privacy is a lot less “temporally vulnerable”.

    Basically, if you send Zcash from your shielded address to someone else’s shielded address today, then the attacker who is just watching the blockchain learns “somebody made a fully shielded transaction today”. They don’t learn anything else!

    In contrast, with Chaumian-mix-style systems like ring sigs, they learn that “one of these four outputs just moved”. Since they also know when each of those outputs previously moved, and what other inputs and outputs they are each potentially connected to, then this is quite a lot of information that they get! The question then becomes whether they can combine that information with other information (including both other information from the blockchain and outside-the-blockchain information like their knowledge of what timezone you live in and what companies you do business with). This is the fundamental reason why I think Chaumian-mix-style privacy is not good enough for Internet Money.

    The bottom line is, if you make fully shielded transactions on the Zcash network today, then you are almost certainly protected from exposure, even if relatively few others are also making such transactions today. (And in fact, there are a lot of others! In the first six months there have been somewhere between 30,000 and 130,000 fully-shielded transactions, depending on whether coinbase-shieldings count as increasing your privacy-set. I think. This is where we need an independent investigator to confirm or refute these claims.)

    (But beware! Even if blockchain-layer privacy leakage is almost completely prevented by the zero-knowledge approach, you have to beware of network-layer privacy leakage. If you made that shielded-to-shielded transaction from a clearnet IP address instead of over Tor or I2P, then the recipient you sent the money to can probably figure out which IP address you sent the money from.)

  2. For “partially shielded transactions” where some of the input and output addresses are shielded and some aren’t, the reasoning is a lot more complicated. A partially-shielded transaction exposes some or all of the amounts involved, and exposing the amounts is sometimes enough information right there to let an analyst deduce the flows. But not always. Basically, if you’re using a shielded address (over Tor/I2P), and you send and receive amounts to unshielded addresses, then this is exposing which unshielded addresses, which amounts, and the timings, but it is not exposing anything about your shielded address — not even the fact that it is the same shielded address involved in the different transactions. This is definitely a case where scientific and empirical analysis would help give us clarity on the privacy consequences.

  3. For fully transparent transactions, the privacy consequences are also quite complicated! A convenient simplification is to say “if you’re using an unshielded address then you’re getting no better privacy than you would get with Bitcoin”, but that’s actually wrong! As Figure 1 shows in Transaction Linkability, you might be getting “collateral privacy” from the other members of your community who are using shielded addresses. This, too, deserves better study by researchers.

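The three observer models discussed above, as an added example that is not part of the original post or of any Zcash or Monero code. It is a toy chain-analysis pass over a constructed ledger: for ring-signature spends it runs the cascade elimination (a ring whose other members are already known to be spent reveals its real input, which then shrinks other rings), which goes beyond the single "one of these four outputs moved" observation in the post; for fully shielded spends it shows that the observer's candidate set is the whole pool and nothing can be eliminated; for partially shielded flows it shows the amount-matching deduction the post says is "sometimes enough". All transaction names, outputs, amounts and heights are constructed, and the ring sizes and amounts are not real-world figures.

```python
"""Toy observer views over a constructed ledger (added example, not from the post).

Rings, notes, amounts and heights below are constructed for illustration.
"""

# --- 1. Ring-signature (Chaumian-mix-style) spends ------------------------
# Each tx spends exactly one real output but lists a ring of candidates.
# The observer sees only the ring; the true spend is hidden from it.
RING_TXS = {
    "tx1": ["o1"],                    # ring of size 1: real input is trivially o1
    "tx2": ["o1", "o2"],              # o1 already spent by tx1, so it must be o2
    "tx3": ["o1", "o2", "o3", "o4"],  # o1 and o2 gone: two candidates remain
    "tx4": ["o3", "o5"],              # unaffected by the cascade
}


def deduce_ring_spends(txs):
    """Cascade elimination over a fixed set of rings.

    Returns (candidates, resolved): the surviving candidate set per tx and the
    txs whose real input is now known. An output can be spent only once, so a
    resolved spend is removed from every other ring; repeat to a fixed point.
    """
    cands = {tx: set(ring) for tx, ring in txs.items()}
    resolved = {}
    changed = True
    while changed:
        changed = False
        for tx, ring in cands.items():
            if tx in resolved or len(ring) != 1:
                continue
            (spent,) = ring
            resolved[tx] = spent
            changed = True
            for other, other_ring in cands.items():
                if other != tx:
                    other_ring.discard(spent)  # shrink rings that listed it as a decoy
    return cands, resolved


# --- 2. Fully shielded spends ---------------------------------------------
# Constructed pool: note -> block height at which it was created.
SHIELDED_NOTES = {"n1": 1, "n2": 2, "n3": 3, "n4": 4, "n5": 5, "n6": 6}
SHIELDED_TXS = {"stx1": 4, "stx2": 6, "stx3": 7}  # tx -> block height


def shielded_observer_view(txs, notes):
    """A fully shielded tx publishes no ring, so the observer's candidate set
    for each tx is every note that existed at that height. Nothing a later tx
    reveals can remove a note from an earlier candidate set (no cascade)."""
    return {tx: {n for n, h in notes.items() if h < height}
            for tx, height in txs.items()}


# --- 3. Partially shielded flows: amounts are visible ---------------------
# (kind, transparent address, amount in the smallest unit, block height)
PARTIAL_TXS = [
    ("t->z", "tA", 1_234_500_000, 100),  # unique amount
    ("t->z", "tB", 500_000_000, 101),    # same amount as tC
    ("t->z", "tC", 500_000_000, 102),
    ("z->t", "tD", 1_234_500_000, 110),  # matches only tA
    ("z->t", "tE", 500_000_000, 111),    # matches tB and tC: ambiguous
]


def link_by_amount(txs):
    """Link a shielded-to-transparent withdrawal back to a transparent-to-shielded
    deposit when exactly one earlier deposit carries the same amount.
    Returns {withdrawal address: deposit address}. Equal-amount deposits stay unlinked."""
    deposits = [t for t in txs if t[0] == "t->z"]
    links = {}
    for kind, waddr, wamt, wheight in txs:
        if kind != "z->t":
            continue
        matches = [d for d in deposits if d[2] == wamt and d[3] < wheight]
        if len(matches) == 1:
            links[waddr] = matches[0][1]
    return links


if __name__ == "__main__":
    cands, resolved = deduce_ring_spends(RING_TXS)
    print("ring spends resolved:", resolved, "remaining:", cands)
    print("shielded candidate sets:", shielded_observer_view(SHIELDED_TXS, SHIELDED_NOTES))
    print("amount links:", link_by_amount(PARTIAL_TXS))
```

The contrast to notice is in what survives the pass: the ring candidate sets only ever shrink as more of the chain is analysed, the shielded candidate sets only ever grow as the pool grows, and the partially shielded links appear exactly when an amount is unique, which is the post's "sometimes, but not always".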