Also see our followup: How To Compromise Zcash And Take Over The World

As part of our work, we will sometimes put a new system under scrutiny in order to provide constructive feedback, and/or clear up a widespread misunderstanding that could lead to problems down the road (for example, see our series on Certificate Transparency).

Today, we continue this tradition by reviewing one of the lesser known details of the Zcash cryptocurrency. A few days prior to publication, we reached out to the Zcash team and asked them to review this post for accuracy. We thank them for subsequently posting more details about Zcash’s trusted setup.

Two Seemingly Innocuous Words: "Trusted Setup"

Zcash is different from other cryptocurrencies. It is different not just with respect to privacy but also with respect to its financial fundamentals (specifically, its monetary supply), in that they are not knowable with certainty.

Type “zcash” into any search engine today and you’ll most likely stumble across this WIRED article. Like most coverage of Zcash, the WIRED piece fails to mention the Zcash Catch, otherwise known as its trusted setup.

Zcash relies on novel zero-knowledge proofs—specifically, non-interactive zero-knowledge proofs of the zk-SNARK variety—to power its privacy features. In principle, Zcash could work with many types of zero-knowledge proofs, but for efficiency reasons Zcash uses one that they say needs a trusted setup. That means you’ve got to trust that the Zcash team was able to set up the system properly.

What happens if they fail?

Someone can print as much money as they want, for free, and in total secrecy.

Given the "All coins are created equal" tagline, some might consider that to be kind of a big deal, deserving of at least a footnote somewhere. But this important detail can't be found on the z.cash website,1 nor in the media coverage about the project.

Media Coverage of Zcash

We'd like to remind the news organizations out there that by covering cryptocurrencies you are effectively advertising a financial instrument. A failure to mention that the instrument comes with a serious catch is, at the very least, a serious breach of ethics, and at worst could potentially run you afoul of the law. (As decentralists who question the ethics of many laws, we are more concerned about the former than the latter, but this is a case where the law and ethics fall into alignment.)

Even Zcash agrees that you should mention it!

However, in fairness to the media, the Zcash team could also have done a better job being transparent about this quirk.

Zcash Must Improve Its Documentation

To be clear, most of our concerns regarding Zcash have more to do with how it presents itself, and less to do with its technical approach (although as we'll discuss, we hope for improvements in that area as well).

Specifically, it is very concerning to us that the Z.cash website1 and the GitHub project page do not mention the implications of the trusted setup.

The FAQ on GitHub even contains highly misleading information:

Q. Will Zcash contain a backdoor?

Neither Zcash nor any other cryptographic algorithms or software we've made contains a backdoor, and they never will.

There are several serious problems with this answer. For one, the answer is contradicted by a nearly identical question in another Zcash project FAQ:

[Screenshot taken 2016-02-26 of the zerocash-project.org FAQ answer]

That is from zerocash-project.org, an older site that visitors browsing the new z.cash domain will be unlikely to find.

The original answer is the one that should be on GitHub. After all, Zcash requires trust to work, and hiding the details by using a slightly rephrased question doesn’t build confidence. The answer should also acknowledge that Zcash cannot guarantee that they will succeed in the trusted setup.

Another question asks:

Q. Is Zcash peer reviewed?

Yes.

Zcash is based on the peer-reviewed Zerocash protocol, which was published in the IEEE Security & Privacy conference in 2014. The Zerocash paper provides a detailed technical overview of the specification.

There is a difference between publishing a paper and peer review. Outside of those involved with Zcash, we've been unable to find peer review confirming that the entire approach—from the zk-SNARK implementation to the setup—is sound, and that's not for lack of trying. We've asked several of the brightest minds in the cryptocurrency space, and none feel confident enough to implement or teach zk-SNARKs, let alone vouch for the legitimacy of the trusted setup (the details of which were only recently revealed).

It will take time for people to get a sufficient grasp of zk-SNARKs before they can begin to evaluate the full safety and security of what Zcash is proposing to do.

Trusting The Trusted Setup

Unless Zcash addresses the lack of sufficient clarity and transparency in its communication, it would not surprise us if this approach generates comparisons to that of an elitist group of computer geeks asking the world to trust that they won't, either through intention or incompetence, end up swindling folks out of the magic Internet money Zcash is pushing.

Why is the trusted-setup approach being taken seriously at all? This is for several reasons:

  • The people behind the Zcash project include well known and respected names like Zooko Wilcox, Matthew Green, and others from highly regarded institutions like MIT, Johns Hopkins, U.C. Berkeley, etc.
  • The Internet really needs the properties that Zcash wants to deliver (discussed below), and in principle what Zcash wants to do is possible.
  • As we'll discuss next, the Zcash team has put incredible thought and effort into minimizing the risk associated with the trusted setup.
How does the trusted setup work? We'll be honest: we don't understand it entirely ourselves (and that's part of the problem). We would love it if this question were answered on the Zcash mailing list, and if the Zcash team could take some time to explain, in simpler and more accessible terms, the precise details of how the trusted setup works.

The trusted setup is described in dense technical detail in this 18-page paper. The overall gist is that it involves a group of some (currently unknown) number of people running a computer program on multiple machines. Assuming there are no flaws in the approach, if at least one of those people manages to correctly follow the setup procedure on a computer that is not compromised, then Zcash should live up to its claim of having a knowable number of coins.

UPDATE August 27, 2016: However, this approach amounts to security theater. See the comments to this blog post.

The procedure is a one-time event, and the claim is that the only way it can fail is if every participant is either dishonest or is compromised in some manner.
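The following is an added, deliberately simplified model of the kind of multi-party parameter generation described above; it is not Zcash's ceremony code and not the paper's actual protocol, and the toy group (integers modulo a Mersenne prime with an assumed generator) is chosen only to make the structure visible. It shows why one destroyed share is enough to keep the combined secret out of reach, and why the secret is fully recoverable if every participant's share leaks.

```python
"""Toy model of a multi-party 'trusted setup' (constructed example).

Each participant raises the running public value to a secret exponent, its
share of the 'toxic waste', and should then destroy that share.  The final
parameter is g^(s_1 * s_2 * ... * s_n).  Anyone who learns every share can
recompute the combined secret; anyone missing even one share cannot (short
of solving a discrete logarithm in the real group)."""
import secrets
from typing import List, Optional, Tuple

# Assumed toy group: integers modulo the Mersenne prime P, generator G.
# Discrete logs at this size are breakable; the point is the protocol
# structure, not the parameter size.
P = 2**127 - 1
G = 3
ORDER = P - 1  # exponents are taken modulo the group order


def contribute(running_value: int, share: Optional[int] = None) -> Tuple[int, int]:
    """One participant's step.  Returns (new public value, the secret share)."""
    if share is None:
        share = secrets.randbelow(ORDER - 2) + 2  # random share in [2, ORDER)
    return pow(running_value, share, P), share


def run_ceremony(n: int, fixed_shares: Optional[List[int]] = None) -> Tuple[int, List[int]]:
    """Run n sequential contributions starting from G.

    fixed_shares exists only for reproducible tests; a real participant's
    share is sampled locally and never leaves its machine."""
    value, shares = G, []
    for i in range(n):
        value, s = contribute(value, fixed_shares[i] if fixed_shares else None)
        shares.append(s)
    return value, shares


def combined_secret(shares: List[int]) -> int:
    """The toxic waste implied by a set of shares: their product mod ORDER."""
    acc = 1
    for s in shares:
        acc = (acc * s) % ORDER
    return acc


def attacker_recovers_waste(known_shares: List[int], public_value: int) -> bool:
    """Does an attacker holding exactly `known_shares` reproduce the published
    parameter?  True means the whole setup is compromised."""
    return pow(G, combined_secret(known_shares), P) == public_value


if __name__ == "__main__":
    pub, shares = run_ceremony(5)
    # Every participant compromised (e.g. all ran the same backdoored code):
    print(attacker_recovers_waste(shares, pub))       # True
    # One participant honest and its share destroyed:
    print(attacker_recovers_waste(shares[1:], pub))   # False
```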

Though we acknowledge that a lot of effort has been put into securing the trusted setup, it’s nevertheless important to ensure that every potential stakeholder in Zcash be informed about it, since:

  1. The trusted setup approach still ultimately asks the world to put its faith in a small group of people, and therefore we feel it provides less of a guarantee about its overall monetary properties than other cryptocurrencies.
  2. The trusted setup may be unnecessary to achieve the desired privacy properties (see Monero vs Zcash and alternative or yet-to-be-discovered NIZKs).
The good news is the Zcash team says they're investigating alternative approaches.

The Power of Zcash

It would not be completely inaccurate to compare the cryptocurrency community's desire for zk-SNARKs/Zcash to Frodo's relationship with The Ring.

The Ring also gave Frodo privacy, but it came at a huge cost: it corrupted him.

Zcash makes it possible to hide the origin, destination, and value of a transaction in a very elegant and simple way. Just as it is easy to slip on a ring, it is easy for users to use Zcash. That property is important for any serious digital cash system to flourish, as it protects the fungibility of the currency and the privacy of its users. After all, nobody wants every transaction that they make to reveal their entire financial story.

However, as we mentioned before, there are alternatives to using a trusted setup. Zooko does a great job comparing many of them. It’s not completely clear, however, that Zooko’s assessment of Zcash’s choice of zk-SNARKs and the supposed trade-offs with CryptoNote-based coins (like Monero and others), is entirely correct. For example, while Zooko’s post states that the amount of a transaction must be revealed in CryptoNote, this may not be true.

Also, as mentioned in the Zcash paper, there exist other zero-knowledge systems that could potentially be used (or invented) that do not require the trusted setup:

[Image: excerpt from the Zcash paper on NIZKs]

Bitcoin already uses zero-knowledge proofs in a way that doesn’t put into question the overall properties of the system, and reusable payment codes appear to be a promising privacy-preserving solution (although not as private as Zcash).

Unanswered Questions + The Zcash Catch-22

Should Zcash proceed with the trusted setup as-is, several important questions remain:
  • How many participants will there be and how will they be selected?
  • During the setup, will they be in the same country or in different countries, within the Five Eyes or without?
  • Will they all be part of the same clique or will they come from genuinely diverse backgrounds?
  • Will there be full transparency (i.e. cameras, live broadcasts, public ceremonies), or will it be conducted in total secrecy?
  • What assurance will there be that there really were X independent participants doing Y thing at Z time?
  • And most importantly: will Zcash wait for an independent security audit of the trusted setup itself?
That last question points to the Zcash Catch-22: if Zcash delays the trusted setup then they give an adversary more time to find a way to compromise it. On the other hand, if they rush through it then they might miss a better approach they could have taken, or not notice a serious flaw that winds up compromising the system anyway.

Our Message To Zcash

We deeply admire and respect your work and we hope it succeeds on its merits. At the same time, we feel that deploying Zcash at this stage, without transparency and without an independent audit of the implementation and the trusted setup, would be unnecessary and inappropriate. We also feel it is Zcash's responsibility to ensure that every potential user/investor in Zcash understands the implications of its trusted setup, and that requires going out of your way to inform them.

Consider:

  1. Imagine selling Zcash's assets to a group of computer scientists that you don't know and letting them do the trusted setup. Would you still feel comfortable investing in Zcash? If the answer is no, you may want to reconsider your approach.
  2. It's in the interests of Zcash to verify that no better approach is possible. If a Zcash competitor accomplished the same thing, but without the trusted setup, it would very likely hurt the value of Zcash.
  3. Governments may already be wary of the privacy aspects of Zcash, so they could use issues like improper disclosure, false advertising, or fraud to go after you.
Vlad Zamfir of Ethereum, a researcher and expert in cryptocurrency consensus protocol design, also questions the wisdom of rushing forward with a technology whose consequences might be harmful and at the same time not yet well understood.

As when opening a bank account or purchasing insurance, it’s the seller’s responsibility to ensure that the buyer is able to make an informed purchasing decision. If the trusted setup is used, potential investors need to know that Zcash comes with several asterisks:

  • The total number of coins in circulation is not guaranteed from the outset, and it may not be possible to know how many there are.
  • If the trusted setup failed, then the value of the coin could be adversely affected by inflation.
  • You use this product at your own risk, etc. etc.
Thank you for reading and considering!

Our gratitude to Zaki Manian, Vlad Zamfir, Alex Chepurnoy, Andrea Devers, and Simon Grondin for reviewing this post! You can follow the turtles and the author on twitter.

1 That sentence was written prior to the recent blog post, however we’ve decided to keep it as-is for now since the post is buried where most Zcash users/investors won’t see it and, even if they do, many won’t fully grok the implications of the trusted setup unless it’s written in clearly visible, simple terms.


Comments


dEBRUYNE

This is the finalized paper on Ring Confidential Transactions for Monero:

https://lab.getmonero.org/pubs/MRL-0005.pdf

(The one you linked to in your blog post is a draft)

Ring CT will hide amounts in Monero as well and therefore greatly improve privacy.

Finally, thanks for making this!

Mothershipstarboard

A much needed analysis of the caveats which come along with the zero cash system. There are additional problems not covered here, but that's for another time. This will serve as a useful cautionary reference for when we see zcash bandied about as the perfect, be-all end-all financial privacy solution that it realistically isn't, which happens far too often.

It's a setup. On top of that, it's a trusted setup. What other type of setup is there? If you don't trust it, technically speaking it's not a "setup." Trust is the prerequisite for all setups.

Up next, we'll take a look at segregating witnesses - the first step in establishing a prisoner's dilemma.

truth is out there

Many but not all of the big names behind Bitcoin are too silent on Cryptonote/Monero while eager on Zcash. I find this suspect and dishonest. I have already dumped many of the still considered "leaders" and speakers of this industry. I'm waiting for a new revolution in true e-cash led by the Monero community.

[…] coins out of thin air without anyone noticing. This is a serious problem because this makes a malicious backdoor in ZCash a real […]

zkproofs

You mention other types of NIZKs, but the caveat is that these are highly inefficient for the types of circuits that are used in Zerocash. Indeed, the paper itself mentions the Groth-Ostrovsky-Sahai proofs which grow linearly with the circuit size. For the kind of circuit in ZC, the proof size would be unimaginably large. Furthermore, for these proofs the running time of the verifier is also at least linear, since they have to read in the entire NIZK to verify it. You lose the ~5ms verification times of zkSNARKs.

zkSNARKs give you optimal proof size and verifier running time, at the cost of a trusted setup and stronger cryptographic assumptions. However, Gentry and Wichs proved that to get this optimal proof size and running time you need to rely on these stronger assumptions. The "trust" in the trusted setup can be minimized by participating in the parameter generation yourself. If any participant is honest, then the setup is correct.

Lastly, while zkSNARKs are an area of active academic research, I think asking people in the cryptocurrency space, and here I mean no disrespect, to judge the security of zkSNARKs, which rely on some deep CS theory and cryptography, is a bit of a no-go, given that this is not their field of expertise.

Greg Slepak

Hi zkproofs, thanks for your comment.

The “trust” in the trusted setup can be minimized by participating in the parameter generation yourself. If any participant is honest, then the setup is correct.

This is not true. The trusted setup is an unacceptable risk, period. It does not matter how many participants participate in it, even if I were to participate in it myself.

The reason for this is that it does not matter whether "any participant is honest", this is a common misconception about the trusted setup. The entire trusted setup can be compromised even if all participants are honest, and it's not terribly difficult to do this *EDIT: for a nation-state type adversary.

There is a way to fix this without using different cryptography, but by periodically revealing a small amount of information. They know about this, and it's up to them to decide to implement it.

zkproofs

No, there's an actual paper:

http://www.ieee-security.org/TC/SP2015/papers-archived/6949a287.pdf

As long as at least one participant is honest in this distributed computation, the parameters will be computed honestly.

Greg Slepak

zkproofs, I am aware of that paper, I read it months ago.

Again, this "one honest participant" thing is nonsense security theater.

As long as there is a central point of failure (the code) all participants can easily get compromised.

zkproofs

Then why trust a Bitcoin client? It could potentially leak your private key to any attacker in control of the code, resulting in not only anonymity loss but also monetary loss.

Bitcoin itself is a distributed computation which suffers from the same problem you bring up...

Greg Slepak

Bitcoin itself is a distributed computation which suffers from the same problem you bring up…

No it does not.

Unlike Bitcoin, Zcash's trusted setup is a 1-time operation that affects the integrity of the entire blockchain for all of time. If it fails, there is no "easy fix", you'd have to throw out the entire chain.

[…] registration in the United States, the fact that mixing is done on an opt-in basis and the possibility of secret inflation initiated by the maintainers of the […]



[…] only are the eyes of the cryptocurrency community closely watching this development, but so are would-be hackers looking for a high-value […]

[…] Don’t let fancy whitepapers fool you, the “at least one honest participant” thing in Zcash’s trusted setup is security theater. […]

patrick

If there were simply a way to know z.cash's # of units outstanding at all times, then the trusted setup could be heavily mitigated.

patrick

A) So did the trusted setup occur on Oct 28, 2016 then?

B) Idea: z.cash is simply just fatally flawed to be used as a global currency because the # of units outstanding cannot be audited. People would not invest in a publicly traded stock if it was impossible to even tell how many units were outstanding.

[…] a series of his concerns about the impending launch of Zcash in a blog post on the okTurtles site. In particular, he called for the Zcash team to be more transparent about the potential risks […]

[…] before the launch I came across Greg Slepak's blog post about the so-called Zcash trusted setup. Slepak is an expert in cryptography and expressed […]

[…] is not guaranteed from the outset, and it may not be possible to know how many there are.” Source. Nick Szabo, father of smart contracts, stated long ago that “trusted third parties are […]
