Manta-Network / spec

Manta Protocol Specifications
https://github.com/Manta-Network
GNU General Public License v3.0

Possible Weak Privacy Leaks Due to Accumulator Check #5

Open bhgomes opened 2 years ago

bhgomes commented 2 years ago

Because we need to check that accumulator values match an existing valid state of the ledger (think Merkle Tree Root), knowing the value corresponding to a UTXO can narrow down the search space for brute force de-anonymization attempts. Here are some potential attacks:

  1. Knowing the root pins down which shard the UTXO comes from. Early on in the chain this can be a privacy issue since shards may contain very few UTXOs. Because this can be tracked over time, a brute force attack can gain some advantage if it starts from the beginning of the chain.

    Potential Fix: Buffer the shards with some other UTXOs which cannot be distinguished from legitimate ones, reducing the initial privacy leak.

  2. Knowing the root also reveals if some transactions are grouped within one block. Blocks which create UTXOs and spend them right away remove one layer of indirection and allow UTXOs to be correlated beyond a single transaction. This can be detected if the root that was just created in the block is used in a later proof in the same block. This does not change if we allow for concurrent transactions, and even reduces the privacy by allowing transactions further in the past.

    Potential Fix: Unknown.

These attacks are independent of the zero-knowledge assumed by the protocol.
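
The following privacy-audit sketch is an added example, not part of the original issue and not Manta's code. It replays public ledger data and reports, for each spend proof, the shard and anonymity-set size its root reveals and whether that root was created in the same block. `toy_root`, `Tx`, `audit`, `min_set` and the sample chain are hypothetical names and constructed data; the hash-based root is a stand-in for the real accumulator.

```python
from __future__ import annotations
import hashlib
from dataclasses import dataclass

def toy_root(shard: int, leaves: list[bytes]) -> str:
    """Constructed stand-in for a shard's accumulator output (not Manta's real tree)."""
    h = hashlib.sha256(shard.to_bytes(4, "big"))
    for leaf in leaves:
        h.update(hashlib.sha256(leaf).digest())
    return h.hexdigest()

@dataclass
class Tx:
    new_utxos: list[tuple[int, bytes]]  # (shard, UTXO) pairs this transaction inserts
    proof_root: str | None = None       # public root its spend proof is checked against

def audit(blocks: list[list[Tx]], min_set: int = 8) -> list[dict]:
    """Replay public ledger data and report what each published root reveals."""
    shards: dict[int, list[bytes]] = {}
    roots: dict[str, tuple[int, int, int]] = {}  # root -> (shard, set size, birth height)
    findings = []
    for height, block in enumerate(blocks):
        for index, tx in enumerate(block):
            if tx.proof_root in roots:  # unknown roots would be rejected by the ledger
                shard, size, born = roots[tx.proof_root]
                findings.append({
                    "height": height, "tx": index, "shard": shard,
                    "anonymity_set": size,         # item 1: root pins shard and its size
                    "small_set": size < min_set,
                    "same_block": born == height,  # item 2: root created in this block
                })
            for shard, utxo in tx.new_utxos:
                leaves = shards.setdefault(shard, [])
                leaves.append(utxo)
                roots.setdefault(toy_root(shard, leaves), (shard, len(leaves), height))
    return findings

def sample_chain() -> list[list[Tx]]:
    """Constructed three-block chain with two shards."""
    return [
        [Tx([(0, b"u1")]), Tx([(0, b"u2"), (1, b"u3")])],
        [Tx([(0, b"u4")]), Tx([], toy_root(0, [b"u1", b"u2", b"u4"]))],
        [Tx([], toy_root(1, [b"u3"]))],
    ]

if __name__ == "__main__":
    for finding in audit(sample_chain()):
        print(finding)
```

Re-running the audit on a chain whose shards have been pre-filled with indistinguishable buffer UTXOs shows how far the proposed fix for item 1 raises `anonymity_set`; it does not change `same_block`.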