Please bear with me as I provide some background to motivate this.
Nomadic is planning on introducing shielded transactions through a contract that will compute zk-SNARKs from Merkle trees. The major weakness of this approach is that transactions can be analyzed based on values and timing coming in and out of this contract. There are two issues here. One places the onus on individual users to have good operational security, i.e. using delays and splitting the values of outputs similar to when using mixes in Bitcoin. This seems okay to me.
The second issue is that the anonymity set in the shielded contract is only as strong as how many users choose to store value in it. If few users do so, then it becomes easy for an entity to own the anonymity set and create a false sense of privacy. This is a huge problem, among others, in Monero. It’s also arguably a problem with Zcash due to its anonymity set being so small, although to my knowledge no one has so far provided an analysis of this.
However, the major difference between this contract and Zcash’s division of transparent and shielded addresses is that in Tezos we’d be financially disincentivizing users from storing value in this contract through inflation. My idea to solve this involves another use of zero knowledge proofs that’s been proposed for Tezos: anonymous delegation. The entire pool of tez stored in the shielded transaction contract could be delegated anonymously, thus killing two birds with one stone as far as features. In addition to the benefits of anonymous delegation, users would now actually be incentivized to increase the anonymity set for shielded transactions even if they themselves don’t want to use them.
So who would be the delegates for the shielded pool? Ideally they would be determined by a market. Bakers could set bids for a certain number of tez that would be automatically fulfilled in order of highest rewards.
This also incentivizes users to leave tez in the shielded pool for longer periods in order to prevent large delegates from being able to analyze the output based on the reward value and determine who was delegated to them, although large blocks may end up being split between multiple delegates.
Another possibility to increase anonymity is to provide the option of locking up the shielded tez for longer intervals with longer maturities commanding a premium in rewards payouts. Something like anonymous T-bills.
Thoughts? Criticism? Has anything similar been floated in other contexts?
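As an added illustration of the bid market sketched in the post (example code, not part of the original proposal), this Python model fills baker bids in order of highest reward rate until the shielded pool is exhausted, splitting the pool across several delegates where needed; the baker names, bid amounts and pool size are constructed sample values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Bid:
    baker: str          # hypothetical baker identifier (constructed)
    amount: int         # tez the baker is willing to take as delegation
    reward_rate: float  # share of baking rewards passed back to the pool

# Constructed sample bids; amounts in tez.
SAMPLE_BIDS = [
    Bid("bakerA", 400, 0.92),
    Bid("bakerB", 500, 0.95),
    Bid("bakerC", 300, 0.90),
]

def allocate_pool(pool_tez: int, bids: list[Bid]) -> dict[str, int]:
    """Fill bids from highest reward rate down; the last bid reached may be
    only partially filled. Ties on rate are broken by baker name so the
    result is deterministic. Tez left over when bids run out stay undelegated."""
    allocation: dict[str, int] = {}
    remaining = pool_tez
    for bid in sorted(bids, key=lambda b: (-b.reward_rate, b.baker)):
        if remaining == 0:
            break
        fill = min(bid.amount, remaining)
        if fill > 0:
            allocation[bid.baker] = allocation.get(bid.baker, 0) + fill
            remaining -= fill
    return allocation

def blended_reward_rate(allocation: dict[str, int], bids: list[Bid]) -> float:
    """Pool-wide reward rate: each delegate's rate weighted by tez delegated."""
    rate_by_baker = {b.baker: b.reward_rate for b in bids}
    total = sum(allocation.values())
    if total == 0:
        return 0.0
    return sum(rate_by_baker[b] * tez for b, tez in allocation.items()) / total

def largest_delegate_share(allocation: dict[str, int]) -> float:
    """Fraction of the delegated pool held by the single biggest delegate;
    a rough indicator of how much one delegate could learn from reward flows."""
    total = sum(allocation.values())
    return max(allocation.values()) / total if total else 0.0

if __name__ == "__main__":
    alloc = allocate_pool(1000, SAMPLE_BIDS)
    print(alloc, blended_reward_rate(alloc, SAMPLE_BIDS), largest_delegate_share(alloc))
```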