
Cypherpunk Desert Bus: My Role in the 2016 Zcash Trusted Setup Ceremony - monort
https://petertodd.org/2016/cypherpunk-desert-bus-zcash-trusted-setup-ceremony
======
petertodd
When reading this, pay attention to section 1.2:

"Until the software and deterministic builds are audited, the entire ceremony
is a bunch of crypto hocus pocus that means nothing."

I'm 100% serious, and even a year later this still hasn't been done properly.

~~~
the_stc
2^80 is not _very_ weak. That's the level of brute forcing a SHA-1 collision.
It's low for a new system, but not very weak.

I agree with your 20%/10% comments, but I do not know why you call ZCash an
investment. Zcash should discourage people from investing, like Monero does.
Be a privacy coin, do not try to get in on the moon and lambo hypetrains if
you want to be taken seriously.

There is no good justification for 20% right now. ZEC market cap is half a
billion today. Do they really need that extra 50 mln now versus over time?
Feels greedy.

But with so much taken by them that way, does that not reduce their desire to
get a backdoor?

At any rate, all of this ceremony and your measures seem, as you say, hocus
pocus if you're not building from known source! Forget hardware attacks! How
can they not have the basics of a secure toolchain?!?

Did some participants at least publish the source they used and hashes of the
toolchain and environment?

At my startup (details in profile) we will end up depending on crypto (among
other things) to stay out of prison. Monero is hard to use, privacy wise -
EABE and EWE attacks are our concerns. At least with ZCash the model is fairly
easy to understand with shielded transactions. Much easier than figuring out
ringsize and traceability there. But the Monero community seems better with no
20% take, no central company, none of this trusted nonsense. And no odd
comments by both founders that require lots of mental gymnastics to make sense
of. Not that any of this should matter. ZCash should be trusted on its own
merits regardless of the inventors. Monero has anonymous inventors which could
be the NSA for all we know.

Alas I am in no position to analyze ZCash math vs RingCT but my feeling is the
latter is more understandable and thus might be more secure even if it has
much weaker safety promises.

~~~
ewillbefull
> 2^80 is not very weak. That's the level of brute forcing a SHA-1 collision.
> It's low for a new system, but not very weak.

Note that the 2^80 figure from Peter's blog post is really unsubstantiated.
There's another curve in libsnark (which we don't use) that has 80-bits of
security. I suspect what happened is whoever Peter was consulting with just
repeated this number to him. We've spoken to many cryptographers who are
experts on these curves, and none of them think that figure is reasonable. I
actually don't believe there are _any_ cryptographers that have publicly made
such a claim about the security.

2^96 was the original conservative estimate when the NFS attack was
discovered, but subsequent analysis showed concrete security closer to 2^110
(and that's ignoring the unrealistic memory costs of the specific attack.)

> How can they not have the basics of a secure toolchain?!?

We provided participants with a reproducibly built and stripped down version
of Alpine Linux, employed grsec, wrote all of our crypto software in pure
Rust, etc. All of our software is reproducibly built, hashed and signed. There
is nothing (software-wise) that cannot be caught in post-hoc review. All of it
is open-source: [https://github.com/zcash/mpc](https://github.com/zcash/mpc)

Several academic papers regarding our protocol have been published since then.
We wrote a full security proof of the crypto. We hired NCC group to audit the
ceremony as well: [https://z.cash/blog/ceremony-audit-
results.html](https://z.cash/blog/ceremony-audit-results.html)

More auditing can always be done but this is a continuing process. The primary
goal is to make it difficult for someone to undetectably compromise the
ceremony.

~~~
petertodd
What my blog actually said about that was:

"I’ve had some experts tell me they thought the security level was 2^80
operations (very weak), while others (including Zooko himself) thought it was
[more like 2^96]([https://moderncrypto.org/mail-
archive/curves/2016/000742.htm...](https://moderncrypto.org/mail-
archive/curves/2016/000742.html)). I’m not sure which figure is right, but the
fact that there’s disagreement is a bad sign."

I made it very clear that it _is_ an unsubstantiated figure, and linked to
Zooko's analysis. To both yourself and the person you're replying too, please
don't put words in my mouth.

> We provided participants with a reproducibly built and stripped down version
> of Alpine Linux, employed grsec, wrote all of our crypto software in pure
> Rust, etc. All of our software is reproducibly built, hashed and signed.
> There is nothing (software-wise) that cannot be caught in post-hoc review.
> All of it is open-source:
> [https://github.com/zcash/mpc](https://github.com/zcash/mpc)

I agree. But that's not what I said; what I said is that post-hoc review
hasn't been done, even a year after the fact.

~~~
ewillbefull
> To both yourself and the person you're replying too, please don't put words
> in my mouth.

What words did I put in your mouth? I cited the 2^80 figure in your blog post
and a reasonable theory for why you would bring up such a figure.
"Regurgitated" came across as snide so I apologize for that.

Note that you used this unsubstantiated figure to say "the fact that there’s
disagreement is a bad sign." If there isn't actually any disagreement and the
figure is unsubstantiated, why is it not baseless FUD? (BTW I notified you of
this error in your blog post some time ago but never heard back.)

> what I said is that post-hoc review hasn't been done, even a year after the
> fact.

I know, I wasn't replying to you. As I said, I believe more auditing is
needed. I also don't believe some kind of one-and-done audit of the
software/deterministic builds would satisfy either of us.

~~~
petertodd
> "Regurgitated" came across as snide so I apologize for that.

That's the thing, it didn't just come across as snide, it made it sound like I
repeated the number uncritically, when in fact I made it clear to the reader
where it came from and that there was disagreement.

> If there isn't actually any disagreement and the figure is unsubstantiated,
> why is it not baseless FUD?

The fact that competent experts could be unfamiliar with Zcash's crypto to the
degree that they could disagree on basic facts like that _is_ a sign of
concern, precisely because it's yet another strong sign that the crypto is
quite new. If this were "tried and tested" crypto, there wouldn't be any
disagreement. Note that Zooko himself was unsure of the exact strength due to
a recently found attack - tried and tested crypto wouldn't have recently found
attacks.

> BTW I notified you of this error in your blog post some time ago but never
> heard back.

Where did you notify me? For that matter, who are you anyway? I probably know
you by name from elsewhere; I don't by handle.

> I also don't believe some kind of one-and-done audit of the
> software/deterministic builds would satisfy either of us.

Well, I was just discussing the trusted setup with Matthew Green, and I think
there's some fundamental disagreement on what kinds of vulnerabilities exist
and what the risks of them are. So I really need to write a blog post on it.

~~~
ewillbefull
I'm Sean from Zcash, I coordinated the MPC and wrote the software. I messaged
you on twitter or emailed you or something about this last year.

> it made it sound like I repeated the number uncritically

I didn't say _you_ regurgitated it. I said the person you talked to did,
presumably after looking at libsnark or an unrelated paper.

> The fact that competent experts could be unfamiliar with Zcash's crypto to
> the degree that they could disagree on basic facts like that is a sign of
> concern, precisely because it's yet another strong sign that the crypto is
> quite new.

I claim the person you talked to was looking at the wrong curve construction.
2^80 is quite a torch to carry into an argument and no experts that we know
have ever suggested a security level less than 2^96. The only "disagreements"
about security were far more subtle and reasonable than what your blog post
suggested.

------
runeks
> The secret key (“cryptographic toxic waste”) generated during this phase can
> be used to steal money - currently in the form of creating counterfeit
> coins, stealing from everyone collectively.

> As one of those participants, here’s my account of what I did to ensure that
> secret was destroyed.

Regardless of what he did or did not do to destroy this secret, doesn’t this
make ZCash inherently non-trustless? If we trust that these people are honest,
why not just have them sign messages with their keys to resolve double-spends,
rather than build an elaborate system on top of this trust?

In other words, the ZCash crypto might be trustless itself, but if it’s
employed on top of a base that requires trust, what’s the point in the first
place? The weakest link is at the base.

 _“If you just trust me, I have some really cool trustless crypto to show
you”_

~~~
petertodd
The trust involved in the Zcash trusted setup is a significantly better type
of trust than what you're suggesting, because you only have to trust the
people involved _once_. Signing messages is an ongoing trust, which is far
more vulnerable to attack.

~~~
runeks
> The trust involved in the Zcash trusted setup is a significantly better type
> of trust than what you're suggesting, because you only have to trust the
> people involved once.

I disagree. Since there’s no way for you to prove that you have actually
destroyed the secret in question, there’s no way for me to know where that key
is now and, hence, how long I need to trust you.

“Only having to trust the people involved once” presupposes that I trust that
they have destroyed the key properly, otherwise the key might still be out
there, and the trust would be ongoing in this case as well.

~~~
Doxin
Worst case the two scenarios equate to the same thing. Namely there's one or
more people you need to trust indefinitely.

Best case however is where they differ a lot. Best case for this method is
trusting someone once. Best case for the other method is still trusting one or
more people indefinitely.

------
shrikant
Related Radiolab episode:
[http://www.radiolab.org/story/ceremony/](http://www.radiolab.org/story/ceremony/)

------
j_s
The Security Behind the Birth of Zcash |
[https://news.ycombinator.com/item?id=14782232](https://news.ycombinator.com/item?id=14782232)
(Jul 2017, 49 comments)

------
failrate
I enjoyed reading this. It felt like a single perspective in a pulp security
thriller. It would be interesting for someone to write fiction from the
perspective of a potential attacker.

------
jnagro
he uses a BLU phone in a few of the pictures, they had factory installed
malware if i remember correctly?

~~~
petertodd
Yup. Also the model of Thinkpad I used was vulnerable to the Intel management
engine backdoor.

------
mmel
Why does ZCash get shilled so much on HN compared to every other altcoin?

~~~
mhluongo
Because the math is freaking cool? :)

~~~
ringaroundthetx
thats what all the drones at Zcash say. It is either that they like the math,
or they find validation from stacking the team with renowned cryptographers.

there is almost no intersection of people interested in zcash and people that
actually want to use cryptocurrency or keep zcash in their portfolio who have
done any analysis of how this is not something to hold for long.

~~~
cooldude2282
I am very interested in the math, but I kind of agree with you, I am not
invested in zcash. If they didn't have first mover advantage they would not be
doing as well as they are.

The best implementation using this mathematics is definitely yet to come, I
would not be surprised if they weren't surpassed by someone else using similar
tech in the very near future.

------
unabridged
Why not up the number of participants to 1000? Or 1M?

~~~
ewillbefull
The protocol could not scale to a large number of participants at the time.
Just with six participants it took an entire weekend to perform.

~~~
unabridged
I've been looking for some kind of discussion of the scalability of the
trusted setup, but I cannot find it. Do you have a link?

~~~
ewillbefull
[https://eprint.iacr.org/2017/602](https://eprint.iacr.org/2017/602)

The protocol scales linearly with respect to the number of participants, but
as you can tell, each participant needs to do a lot of time-consuming
computations.

Each participant needs to maintain custody of the hardware during the process
of the ceremony, and then destroy the hardware afterward. If it was your turn,
you'd do some stuff for an hour, and then it's the next person's turn in a
round-robin circle. You had to wait maybe ~8 hours before it was your turn
again. The protocol involved three rounds of this.

Nobody can abort (players commit to their moves in advance to defend against
adaptive attacks) and so there needs to be a time when all N participants are
available for the entire duration of the ceremony. This makes it very
sensitive to scheduling problems.

If you want to do your own MPC, you also need to perform very expensive fast-
fourier transforms in between round 1 and 2. In our ceremony that required a
very beefy 128-core server and it still took over an hour.

I actually just found a log file from the ceremony's coordinator server (not a
privileged server, just handles messages and archives them) which shows the
timings of everything, which is kind of fun:

[https://gist.github.com/ebfull/fde1e167ba35ca67e086ca458eabc...](https://gist.github.com/ebfull/fde1e167ba35ca67e086ca458eabcf25)

------
youdontknowtho
i really enjoyed this story. i havent really followed zcash, but im going to
look into it now. cheers.

