
Fixing Vulnerabilities in the Zcash Protocol - sibrahim
https://z.cash/blog/fixing-zcash-vulns.html
======
jerguismi
The most impactful: "Taylor Hornby found the InternalH Collision
vulnerability, which would let someone double-spend a specially-crafted note,
if they have a computer powerful enough to find 128-bit hash collisions."

How difficult is it to find a 128-bit hash collision, assuming a sane hash
function? For example, SHA-256 truncated to 128 bits. At first thought it feels
pretty much impossible.

~~~
tcoppi
I didn't actually read the analysis, but to find two arbitrary inputs that
hash to the same value for a 128-bit hash, collisions would follow the
birthday bound, so it would take 2^(128/2) = 2^64 effort. Definitely not out
of the realm of possibility for a modestly-funded effort, and certainly less
security than I would expect for a cryptocurrency.
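
A worked illustration of the birthday-bound estimate above, added here as an example and not part of the thread: it truncates SHA-256 to a small width (32 bits, a constructed parameter chosen so the search finishes in well under a second), runs a generic birthday search, and compares the observed effort with sqrt(pi/2 * 2^n). The same scaling gives roughly 2^64 hash evaluations for a 128-bit truncation, which is the figure tcoppi quotes. The seed string and the choice of counter-derived inputs are assumptions of this example.

```python
import hashlib
import math
from typing import Tuple


def truncated_hash(data: bytes, bits: int) -> int:
    """SHA-256 truncated to its first `bits` bits, returned as an integer."""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def find_collision(bits: int, seed: bytes = b"constructed-seed") -> Tuple[bytes, bytes, int]:
    """Generic birthday search: hash distinct counter-derived inputs and
    remember each truncated value until one repeats.

    Returns (input_a, input_b, attempts) with input_a != input_b and
    truncated_hash(input_a, bits) == truncated_hash(input_b, bits).
    Memory grows with the number of attempts, which is why this only
    makes sense for small `bits`.
    """
    seen = {}  # truncated value -> first input that produced it
    counter = 0
    while True:
        msg = seed + counter.to_bytes(8, "big")  # distinct input per counter
        h = truncated_hash(msg, bits)
        if h in seen:
            return seen[h], msg, counter + 1
        seen[h] = msg
        counter += 1


def birthday_bound(bits: int) -> float:
    """Expected number of hash evaluations before the first collision
    for an ideal `bits`-bit hash: sqrt(pi/2 * 2^bits), i.e. about 2^(bits/2)."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


def demo(bits: int = 32) -> dict:
    """Run one search and report the observed effort next to the estimate."""
    a, b, attempts = find_collision(bits)
    return {
        "bits": bits,
        "attempts": attempts,
        "expected": birthday_bound(bits),
        "log2_expected_128": math.log2(birthday_bound(128)),  # ~64.3
        "collision_ok": a != b and truncated_hash(a, bits) == truncated_hash(b, bits),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point for the protocol discussion is the exponent, not the constant factor: halving the output width halves the exponent of the work, so a 128-bit commitment offers about 64 bits of collision resistance rather than 128.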

~~~
CiPHPerCoder
> certainly less security than I would expect for a cryptocurrency

The good news here is that a Zcash team member found this weakness in the
Zcash protocol and it's being fixed before it ships.

Kudos to the Zcash team for employing aggressive internal security auditing.

------
nxzero
Since the code is open source, what's stopping someone from releasing
zerocoins before its release in July?

~~~
sibrahim
Nothing, but no one will/should trust them without cryptographic expert
consensus saying it's ready. Right now, the cryptographers most familiar with
it are working on/with the official team and aren't clamoring to release it
yet.

And anyone doing an early release will need to handle the initial parameter
selection which has to be done publicly/securely to convince people that the
private key toxic waste (that would theoretically allow counterfeiting) wasn't
retained.

They are planning a secure multiparty computation that never creates the
private key in usable form provided that at least one of the n parties follows
the procedure correctly. This again relies on expert consensus that the
process is secure.

On a side note, this is likely to produce some fun spectacle: I fully expect
someone involved will try to verify they destroyed their private key share by
live streaming the generation process then immediately and totally destroying
the equipment involved.
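
A simplified illustration of the "secure as long as at least one of the n parties is honest" property described above, added here as an example and not taken from the thread or from the Zcash ceremony itself. It uses a constructed toy group (a Mersenne-prime modulus with generator 3; the real ceremony works over pairing-friendly elliptic curves) and a round-robin design: each party raises the running public value to its own secret exponent and then discards that exponent. The public output equals g raised to the product of all exponents, but that product (the "toxic waste") is never assembled anywhere, and anyone holding the other n-1 exponents still lacks it. The group parameters, the party count and the function names are assumptions of this example.

```python
import secrets
from typing import List, Tuple

# Constructed toy group for illustration only; NOT the curve used by Zcash.
P = 2 ** 61 - 1      # Mersenne prime modulus
G = 3                # fixed base element
ORDER = P - 1        # exponents are reduced mod the group order (Fermat)


def make_secret() -> int:
    """Each party privately samples a non-trivial exponent (never 0 or 1)."""
    return 2 + secrets.randbelow(ORDER - 2)


def contribute(accumulator: int, secret: int) -> int:
    """One party's round: raise the current public value to its secret.
    Only the result is published; the secret stays on the party's machine."""
    return pow(accumulator, secret, P)


def ceremony(n: int) -> Tuple[List[int], int]:
    """Run n sequential contributions starting from G.
    Returns the per-party secrets (kept only so the test can check the
    algebra; a real party would destroy its secret) and the final output."""
    secrets_used = []
    acc = G
    for _ in range(n):
        s = make_secret()
        secrets_used.append(s)
        acc = contribute(acc, s)
    return secrets_used, acc


def toxic_waste(secrets_used: List[int]) -> int:
    """The combined trapdoor: the product of every party's exponent.
    Computable only by someone who obtains ALL n secrets."""
    t = 1
    for s in secrets_used:
        t = t * s % ORDER
    return t


def check_properties(n: int = 5) -> Tuple[bool, bool]:
    """Two checks:
    1. the published output really is G^(product of secrets);
    2. leaving out any single party's secret yields a different exponent,
       so one honest party destroying its share suffices to lose the trapdoor."""
    secrets_used, output = ceremony(n)
    full = toxic_waste(secrets_used)
    output_matches = output == pow(G, full, P)
    one_honest_suffices = all(
        toxic_waste(secrets_used[:i] + secrets_used[i + 1:]) != full
        for i in range(n)
    )
    return output_matches, one_honest_suffices


if __name__ == "__main__":
    print(check_properties())  # expected: (True, True)
```

What the code does not show is the second half of the argument: that the published intermediate values do not leak the exponents. That rests on the hardness of discrete logarithms in the chosen group, which is exactly the kind of claim the thread says must be settled by expert consensus rather than by reading the code.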

~~~
CiPHPerCoder
If my request to participate in the parameter generation is granted, I'm going
to use TAILS with no persistence to generate then manually copy the
base64-encoded public key over to my other computer, then I'm terminating the
other machine.

------
JoachimSchipper
Those are some fairly scary bugs! Zcash is a highly ambitious protocol, so
perhaps some nasty bugs were to be expected - but still, double-spending is
probably enough to take down the production network?

(I haven't followed all details of Zcash, and remain unconvinced that it would
actually be a good thing if Zcash succeeded - note that Bitcoin hasn't so much
brought a new libertarian era of free thought as ransomware, hacking and
old-fashioned crooks.)

~~~
jerguismi
AFAIK Zcash hasn't launched yet.

