
The Dark Side of Zero Knowledge: Masking the initial setup in Zk-SNARK - discovan
https://blog.smartdec.net/the-dark-side-of-zero-knowledge-undetectable-backdoor-in-zk-snark-a9093ffe49bf
======
segfaultbuserr
Zcash knew the problem of backdoor-able initial setup, they understood that it
can raise serious doubts on the trustworthiness of their system, they even
named the initial key material for setup as "cryptographic toxic waste". As an
attempt to bring confidence to the setup ceremony, Zcash used a multiparty
setup of 6 people, and invited prominent developers of the cryptocurrency
community to participate. The setup was performed at each person's own
undisclosed geolocation, and coordinated online. The rough idea was, if at
least one participant during the setup was honest, properly destructed the
secret, and wasn't hacked, the setup will be secure.

The prominent Bitcoin developer, Peter Todd was invited to participate, too.
You can read his entertaining blogpost about the setup procedure at here.

[https://web.archive.org/web/20161114214233/https://petertodd...](https://web.archive.org/web/20161114214233/https://petertodd.org/2016/cypherpunk-
desert-bus-zcash-trusted-setup-ceremony)

The funny and alarming story is, after he finished the setup, he became
increasingly suspicious about the security of the procedures, especially
casted doubts on some technical problems that prevented reproducible build
(!!!) of the setup programs. And he later had withdrawn his blogpost and all
the claims of security altogether. To me, it's alarming, in the end, we'll
never get solid security guarantees.

~~~
dlubarov
> Zcash used a multiparty setup of 6 people

That's true of the original (Sprout) SNARK, but the newer (Sapling) SNARK used
a much more scalable MPC ceremony, which they called Powers of Tau:
[https://z.cash.foundation/blog/powers-of-
tau/](https://z.cash.foundation/blog/powers-of-tau/)

There was a public call for participation at the time, so if you wanted to be
sure that the ceremony was not corrupted, you could just participate yourself.

For backwards compatibility, the Sprout SNARK can still be used, so if the
original ceremony was compromised, an attacker could still create coins "out
of thin air". But converting a Sprout account to a Sapling account requires
making the amount public, so if the number of coins converted exceeded the
intended currency supply, that would be detected. Worst case scenario, a hard
fork could be arranged to disable the Sprout SNARK.

~~~
matthewdgreen
The original Sprout SNARK has been disabled and replaced with a new
implementation based on the powers of tao ceremony. You can still spend Sprout
coins, but not with the old parameters.

------
paulgerhardt
This discusses a weakness with all zero knowledge proofs which require a
trusted setup.

Zero knowledge proofs which don’t require a trusted setup include BCCCGP[1],
Bullet Proofs[2], ZKBOO++[3], Ligero[4], Hyrax[5], ZK-STARKs[6], and
Aurora[7].

[1][https://eprint.iacr.org/2016/263.pdf](https://eprint.iacr.org/2016/263.pdf)

[2][https://eprint.iacr.org/2017/1066.pdf](https://eprint.iacr.org/2017/1066.pdf)

[3]
[https://eprint.iacr.org/2017/279.pdf](https://eprint.iacr.org/2017/279.pdf)

[4]
[https://acmccs.github.io/papers/p2087-amesA.pdf](https://acmccs.github.io/papers/p2087-amesA.pdf)

[5]
[https://eprint.iacr.org/2017/1132.pdf](https://eprint.iacr.org/2017/1132.pdf)

[6]
[https://eprint.iacr.org/2018/046.pdf](https://eprint.iacr.org/2018/046.pdf)

[7]
[https://eprint.iacr.org/2018/828.pdf](https://eprint.iacr.org/2018/828.pdf)

To clear up confusion in the comments, the new ZCash release, sappling, used a
trusted setup with 87 people up from the original six[8].

[8] [https://z.cash/blog/completion-of-the-sapling-
mpc/](https://z.cash/blog/completion-of-the-sapling-mpc/)

------
EthanHeilman
As the article states, but is a confusing in the title, this isn't a problem
with all Zero Knowledge Protocols (ZKP) but is a problem with a specific ZKP,
namely zk-Snarks.

You can do ZKPs without a trusted setup, they are less performant than zk-
Snarks. It seems likely that in the next few years these performance problems
will be overcome. Most people I've talked to in the field are very confident
that protocols like zk-snarks can be done without trusted setup.

~~~
scottlocklin
ZK-Starks already do this.

[https://medium.com/coinmonks/zk-starks-create-verifiable-
tru...](https://medium.com/coinmonks/zk-starks-create-verifiable-trust-even-
against-quantum-computers-dd9c6a2bb13d)

------
cjbprime
It looks like there's nothing new here, making the title clickbait-y. One of
the first things anyone learns about Zcash is that there was a trusted
ceremony.

~~~
hendi_
Wrong.

"One of the first things anyone learns about Zcash" is that at least one of
the ceremony's participants must be trusted to have securely destroyed his
toxic waste.

This article is about the fact that there could be a backdoor, whose absence
can only be proven by revealing all participants' toxic waste.

You'll note that these two things are at odds with each other.

~~~
ewillbefull
There is nothing new about this article. The article is pointing out that in
addition to the trapdoors of the proving system, it's possible to subvert the
arithmetic circuit used as well. The ceremonies used by Zcash have the
property that the parameters are perfectly bound to the circuit.

Not sure why this isn't mentioned in the article.

> This article is about the fact that there could be a backdoor, whose absence
> can only be proven by revealing all participants' toxic waste.

This is incorrect, as stated above. Instead of revealing their toxic waste, we
reveal proofs-of-knowledge so we can use pairings to ensure the parameters
encode the circuit correctly.

~~~
hendi_
I stand corrected. Thank you for the clarification!

I still learned something "new" from the article, I was only aware of the
ceremony issue that "everbody knows" of.

~~~
ewillbefull
That's great! There are many issues with trusted setups that people aren't
paying enough attention to.

------
sschueller
Does this apply to monero as well?

~~~
nosuchthing
Monero's backdoor was the development team releasing a severely weakened
version of the mining app during the phase where 25% of the supply was minted,
along with a production curve that released 80% of the supply in less than
half the time of Bitcoins minting production time.

[https://old.reddit.com/r/MoneroMining/comments/6fixnr/monero...](https://old.reddit.com/r/MoneroMining/comments/6fixnr/monero_mining_schedule/)

~~~
g45y45
That was bytecoin, not Monero. Monero is a code fork of Bytecoin. Bytecoin is
considered a scam. Monero was a fair launch with no backdoors.

~~~
shpx
> I woke up on May 28th, 2014 [one month after Monero launched], on vacation
> with my family in the middle of the desert, to find a copy of my private
> source code plastered across the bitcointalk message board. Announced as a
> "new optimized version" of the Monero currency miner, it was
> enthusiastically adopted by cryptocurrency miners across the world. And in
> the process of doing so, my daily profit from the Monero Mining Project
> dropped by over five thousand dollars per day.

...

> [Monero] was a fork of Bytecoin designed to not have the 80% premine. But
> its initial developer either didn't know, didn't care, or wanted to profit
> from the de-optimized hashing. That initial developer was pretty quickly
> given the boot by the community, and in came an unrelated group of
> developers who took it over---who were, as far as I can tell, completely
> unaware of the deoptimization. So things sat there for a few weeks in the
> same state as Bytecoin.

...

> This was a brilliantly designed proof-of-work function targeting the
> strengths of modern CPUs -- native AES encryption and fast 64 bit
> multipliers -- tuned to use a scratchpad exactly the size of the per-core L3
> cache on Intel CPUs (about 2MB) that someone then wrapped in such a thick
> blanket of crap it was nearly unrecognizable until you started jumping in,
> tearing it apart, and putting it back together again.

[https://da-data.blogspot.com/2014/08/minting-money-with-mone...](https://da-
data.blogspot.com/2014/08/minting-money-with-monero-and-cpu.html)

------
diafygi
Isn't zero knowledge crypto relatively new? Seems like we're going through the
normal decades long growing pains of any new type of crypto.

If so, how did other types of crypto in the early adoption years deal with
these types of issues?

