The Untrusted Setup – Why you shouldn’t trust ZCash

in #zcash8 years ago

Hidden inflation

ZCash will launch today. This is not a "normal launch" like any other altcoin, because ZCash required a so called "trusted setup". During this setup, some secret (public) parameters were generated based on a "master private key". These network parameters are needed to create the so called "zero-knowledge proofs", which is the anonymizing mixer on the ZCash network. The "master private key", referred to by Zooko as toxic waste, needed to be destroyed. If this data is not destroyed, someone who has access to this key is able to generate an infinite amount of anonymous ZCash.

This is the so called "hidden inflation problem"; unlimited counterfeiting of coins while nobody is able to detect it. If this were to happen, it would undermine the value proposition of the ZCash cryptocurrency. ZCash would never be considered to be "sound money" where the emission scheme can be checked by all participants. The problem is that nobody can check if the setup actually did occur in a correct manner. People who hold value in ZCash will need to trust the setup process from the genesis block onwards.

Setup of the setup

ZCash used a "multi party protocol" which means that, according to the team, as long as one of the participants in the generating process is honest and doesn't keep a copy of his part of the "toxic waste", nobody else will be able to get access to the full "master private key" that is needed to create counterfeit coins. Only 6 people participated in the setup. This is a very small group and thus creates a theoretical possibility that these people were conspiring or were being coerced by a TLA to keep a copy of the "master private key". While this is a possibility (certainly considering possible involvement of the Israeli government), it doesn't seem all that likely due to the involvement of Peter Todd, who isn't a part of the ZCash team.

What's more worrisome is the fact that the setup itself could have been compromised: think about hardware, network, software, operating system, binaries, etc. There are a lot of attack vectors. Governments had a very big incentive to compromise the setup of the setup. If successful, they are able to create free money without people noticing and meanwhile diluting the value of a potential powerful cryptocurrency. State sponsored attacks are known to be very sophisticated, like Stuxnet that sabotaged the Iranian nuclear power plants. Is it therefore likely that governments were able to compromise this "trusted setup" as well? I my opinion it is. It's impossible to prove that an unknown attack didn't happen. You don't know what you don't know.

Sybil zk-proof attack

The ZCash team often repeats that even if the setup is compromised, the anonymity of the network isn't at risk. However, I beg to differ. Due to the high RAM requirements to generate "jointsplits", it's unlikely that the anonymizing feature of the ZCash network will be used much in the first years of the existence of the coin. This leads to the possibility of "timestamp analysis attacks". People tend to use new mixing technology as an "intermediate step" for obfuscating bitcoin transactions. But due to volatility risk, people tend to have their value for the shortest possible time in an altcoin. If people use the zk-mixer for obfuscating bitcoin transactions, it will be trivial to connect the transparent ZCash that enters the zk-mixer and the ZCash leaving the mixer again after only a few minutes or even hours. (Sidenote: this leads to fungibility problems within ZCash; you can read more about it here.)

Imagine an attacker counterfeiting a lot of fake zk-proofs. This could create the illusion of a liquid mixer. A lot of usage means that suddenly one can hide his transaction in this mixer with a lower (perceived) risk of being tracked. Timestamp analysis attacks become increasingly harder. But the attacker, who knows all the fake zk-proofs, can ignore his own counterfeited liquidity. He is still able to do the timestamp analysys based on the real (low) liquidity inside the zk-mixer. This leads to a very dangerous situation in which the user thinks he is transacting anonymously, but in which an attacker will still be able to track all transactions. Privacy theatre is a huge risk.

Chain rollbacks

There is a (drastic) option to solve this issue. Zooko proposed recently to periodically force everyone to reveal their balance as a solution for the hidden inflation problem. At a certain block height all "anonymous" coins would become invalid and an observer would be able to sum up all "transparent" coins. If the total amount is equal to or less than the emission should actually be, the system can be considered "sound" until that point in time.

If however an anomaly is discovered, then the ZCash community will face a difficult decision: continue with the inflated emission or rollback to the previous checkpoint. The network would also come to a halt until the bug is found. Trust in the currency would be lost immediately. If the community decides to do a rollback, this means that all transactions between the previous checkpoint and the detection of the hidden inflation will become invalid. Some people won't like this rollback and maybe a non-rollback ZCash fork would emerge. When people use the "rollback ZCash" however, one can only consider transactions to be "fully confirmed" after such a successful "emission checkpoint" happened. Exchanges, users, merchants and wallet services should be aware of this serious risk.

Inflation bugs

ZK-proofs are very difficult to understand. Recently, Zooko even admitted he doesn't understand the math. The ZCash team has some smart people on board, but even they can not guarantee that the network is free of bugs. During the test phase, a bug was discovered that made it possible to counterfeit coins. This attack had nothing to do with the "trusted setup", but would cause the exact same problems as described in this article. Due to the fact that the ZCash protocol is very complex code, it's not at all guaranteed that similar bugs aren't still present in the protocol.

Conclusion

You shouldn't trust ZCash.

zcash-meme

Sort:  

Hi! I am a content-detection robot. I found similar content that readers might be interested in:
http://weuse.cash/2016/10/28/the-untrusted-setup/

I'm coming to get ya Cheetah in the #posts count!! Got you in my sights!!

Thanks for posting. It's always great to see the critical view when there is so much hype. The DAO disaster comes to mind.

Research and learn before leaping into anything @stephen-somer - this is a great explanatory article alongside the original by @dnaleor for which I thank him. To the point, and factual where possible, it is one thing to support new technology, it is another to follow blindly when hit by these "new shiny objects'.

Congratulations @dnaleor! You have received a personal award!

2 Years on Steemit
Click on the badge to view your own Board of Honor on SteemitBoard.

Upvote this notificationto to help all Steemit users. Learn why here!

Congratulations @dnaleor! You received a personal award!

Happy Birthday! - You are on the Steem blockchain for 3 years!

You can view your badges on your Steem Board and compare to others on the Steem Ranking

Do not miss the last post from @steemitboard:

3 years on Steem - The distribution of commemorative badges has begun!
Happy Birthday! The Steem blockchain is running for 3 years.
Vote for @Steemitboard as a witness to get one more award and increased upvotes!

Very good post. Interesting to see I'm not the only one that is thinking about this. The Trustworthiness the cryoto space brings with it one thing nobody seemingly cares about. I found this great website: https://www.coincheckup.com. They seem to give this complete indepth analysis of all cryptocoins. On: https://www.coincheckup.com/coins/Zcash#analysis For a complete Zcash Investment and research analysis.