
The Security Behind the Birth of Zcash - mrb
http://spectrum.ieee.org/tech-talk/computing/networks/the-crazy-security-behind-the-birth-of-zcash
======
exolymph
Obligatory link to Peter Todd's experience of participating in this ceremony
(for lack of a better word) — as a skeptic, no less — which is an excellent
read for the opsec alone:
[https://petertodd.org/2016/cypherpunk-desert-bus-zcash-trust...](https://petertodd.org/2016/cypherpunk-desert-bus-zcash-trusted-setup-ceremony)

~~~
lccarrasco
Thanks for sharing, really fascinating :).

------
Animats
The developers don't need to steal. They're making money from early mining.
Here's ZCash right now, down about 99% from the initial price.[1] The market
cap keeps rising as the price falls, indicating it is being mined way too fast
for the market.

[1]
[https://coinmarketcap.com/currencies/zcash/](https://coinmarketcap.com/currencies/zcash/)

~~~
saycheese
Agree with the analysis; it puzzles me why the currency doesn't balance the cost
of mining in a way that doesn't significantly devalue existing holdings. It
would be interesting to see an estimate of the cost to mine the coins at the
rate they're being mined. If the cost is more than the face value of the coin,
seems like something funny is going on.

------
saycheese
>> "The number of people who really understand zk-SNARKs, and therefore the
Zcash protocol, is probably small enough that you could feed them all with one
Thanksgiving turkey."

If the list is so small, who are they?

~~~
s_q_b
More importantly, where are they having this turkey?

In all seriousness though, if I were one of a handful of people who
understood a rising anonymous currency platform, I wouldn't want to be
publicly exposed that way.

~~~
kbody
Indeed, even though a couple of popular cryptographers have vouched, it's still
not the classic definition of peer-reviewed for something that groundbreaking.

That aside, the MPC (Multi-Party Computation) setup is more of a security
theater than actual security. It completely goes against what cryptography
is all about and I'm puzzled as to why any cryptographer would base their
system's security in such a way.

~~~
moyix
It actually is the classic definition of peer reviewed! The paper on Zerocash
(renamed Zcash) was published at the IEEE Symposium on Security and Privacy:

[http://zerocash-project.org/media/pdf/zerocash-oakland2014.p...](http://zerocash-project.org/media/pdf/zerocash-oakland2014.pdf)

It's a peer-reviewed conference and basically the top venue (along with Usenix
Security and ACM CCS) for academic computer security.

I'm not sure what you mean by "for something that ground-breaking"?

~~~
lmeyerov
Oakland is more of a systems security conference, so peer review here speaks
more to the architectural thinking, and says little about the deeper math.
Same thing for Usenix. I'd want to see somewhere like Crypto/EuroCrypt, or
maybe IACR, to call it peer reviewed. Even then, it may pass largely on
novelty & prestige.

(For background, I used to publish at this conference and others, did my share
of paper reviewing, and my colleagues were working on e-cash crypto around the
time of bitcoin's rise.)

~~~
ianmiers
zkSNARKS, the underlying tricky bit of crypto that Zerocash uses to make
anonymous transactions, existed before Zerocash/Zcash. There is a bunch of
work on them that was published in Eurocrypt/Crypto/TCC etc. For example [0]
at Eurocrypt and [1] at Crypto. Page 37 of that last paper [2] has a summary
of work on the subject, though it is now dated as the paper is from 2013.

SNARKs have gotten the appropriate peer review from the right parts of
academia. To everyone else reading this: Of course, that doesn't make it
secure and there are limits to peer review. Just because 3 to 5 reviewers
read the paper and thought it was publishable doesn't mean it's correct.
However, those works were high enough profile that others have looked at the
papers once they were published, which is the real meaningful part of peer
review and that comes after publication.

Nonetheless, SNARKs are one of the more sophisticated cryptographic
techniques ever deployed. And peer review also says absolutely nothing about
the security of the implementations of software instantiating the
cryptography. But the only way to remedy that is to build software, deploy it,
and get people to look at it.

Zerocash itself is a fairly simple protocol built on top of SNARKs, so the
fact that it was published at Oakland isn't the biggest worry. It's also
gotten a bunch of scrutiny after that.

[0]
[http://link.springer.com/chapter/10.1007/978-3-642-38348-9_3...](http://link.springer.com/chapter/10.1007/978-3-642-38348-9_37)
[1]
[http://link.springer.com/chapter/10.1007/978-3-642-40084-1_6...](http://link.springer.com/chapter/10.1007/978-3-642-40084-1_6#page-1)
[2]
[https://eprint.iacr.org/2013/507.pdf](https://eprint.iacr.org/2013/507.pdf)

------
quickben
Do you guys know of a decent overview website for all these new hipster
currencies?

But I mean a realistic one, including info such as:

- how much it has been pre-mined
- why is it being pushed (research, corp goals, etc.)
- limits (does one need a GPU to use it or can it execute on a CPU)

I know of a few places that have lists, but I get the impression that people
start currencies lately as a shot at getting rich if they take off, and not
from a realistic need to do so.

~~~
maxerickson
Zcash is materially different than Bitcoin, so it at least isn't any more
hipster than Bitcoin itself.

_Unlike Bitcoin, Zcash transactions can be shielded to hide the sender,
recipient, and value of all transactions on the blockchain._

[https://z.cash/](https://z.cash/)

~~~
plasticmachine
It uses completely unproven cryptography that may quite possibly be horribly
broken. If you have a better definition of "hipster" than "use something for
the sake of it, regardless of practicality" I'd love to hear it.

~~~
maxerickson
Oh, I will continue to own $0 in Zcash, but trying to provide actual
confidential transactions isn't "for the sake of it, regardless of
practicality", there is a clear motivation.

~~~
plasticmachine
No, it is. Those already exist in the form of Monero. Using some new-fangled,
likely broken cryptography, is very hipster.

~~~
mrb
IMHO the biggest privacy-breaking problem of Monero is that it leaks the
transaction amounts, while Zcash does not. Monero also has other inconveniences
compared to Zcash:
[https://www.reddit.com/r/Monero/comments/41vg68/monero_vs_zc...](https://www.reddit.com/r/Monero/comments/41vg68/monero_vs_zcash_eli5_fundamental_differences/cz5ge90/)

So you can't claim Monero already solved all the problems that Zcash is trying
to solve.

~~~
plasticmachine
That's incorrect; Monero does not leak amounts since they created and added
RingCT (currently compulsory on testnet, and compulsory on mainnet from a hard
fork next year September) -
[https://lab.getmonero.org/pubs/MRL-0005.pdf](https://lab.getmonero.org/pubs/MRL-0005.pdf)

Not only does Monero already do what ZCash is trying to do, but it has two
main advantages:

1. EVERY transaction is private, which means that the entropy of the
anonymity set is continuously growing. Instead, ZCash restricts privacy to an
opt-in mechanism (mostly due to private transactions being horrible -
requiring north of 8 GB of RAM and several minutes on a modern computer) which
means that there is a trivial amount of entropy, and deanonymization is pretty
trivial.

2. Monero is focusing on further improvements that ZCash is just dreaming
about, such as their C++ I2P router, Kovri. They can do this because they've
been in production, tested, and hammered for several years.

The real question is: what does ZCash provide that Monero doesn't, except some
sort of ridiculous "star cred"?

~~~
mrb
Monero doesn't already do what Zcash is doing. As you point out yourself, it
will be "next year September" that RingCT will be live.

I agree with your other criticism of Zcash though. The situation is far from
perfect.

~~~
plasticmachine
No, it'll be MANDATORY from next year September, not LIVE from next year
September...

------
based2
[http://zerocash-project.org/media/pdf/zerocash-extended-2014...](http://zerocash-project.org/media/pdf/zerocash-extended-20140518.pdf)

