
The Security Behind the Birth of Zcash - soneca
http://spectrum.ieee.org/tech-talk/computing/networks/the-crazy-security-behind-the-birth-of-zcash#.WWt_NS1uwR8.hackernews
======
evanb
Related recent radiolab episode:
[http://www.radiolab.org/story/ceremony/](http://www.radiolab.org/story/ceremony/)

~~~
criddell
Very well told story, but it was a little frustrating to not hear why the
reporter's iPhone was feeding back into the hangout.

~~~
justusthane
Android, but yes, I agree.

------
buttershakes
Regardless of the secure computation done during the ceremony, at the end of
the day there is a degree of trust in the founding participants of Zcash. I
think given the people involved, and that they are all essentially security
zealots with provable records, messing this up doesn't seem likely. There is
no monetary incentive to make a mistake in the trusted setup, and there is
significant personal reputation damage to the participants if it was provably
hijacked.

Further, the founder's reward despite having a slight smell is really not an
unfair way to structure something like this. Significant resources were put
into Zcash well before it was deployed, are the founders supposed to just eat
that cost? Why shouldn't their success be tied to the success of the coin they
created over a period of time? Would a Satoshi style pre-mine be more fair?
These questions are complicated, but without an ICO driving the development,
this doesn't seem like the worst-case scenario for a commercial entity.

~~~
petertodd
> I think given the people involved, and that they are all essentially
> security zealots with provable records, messing this up doesn't seem likely.

Speaking as one of those people, even with driving ~2000km across Canada with
the compute laptop in a faraday cage, I can assure you there's a lot of ways
we could have screwed it up... See
[https://petertodd.org/2016/cypherpunk-desert-bus-zcash-trust...](https://petertodd.org/2016/cypherpunk-desert-bus-zcash-trusted-setup-ceremony)
for some of them.

------
kbody
I appreciate the research of zcash, but trusted-setup is still just a very
sophisticated security theater. The least they should have done is have
constructed an open participation.

~~~
ewillbefull
At the time, the multi-party computation protocol could not scale to a large
number of participants.

~~~
justinjlynn
Define large. In any case, I would rather have a protocol in which only one of
the participants need successfully discard their local state for total
security than n participants.

~~~
ianmiers
That was the case. If one of the 6 people completed the computation and
discarded the results, the parameters are secure.

Ideally it would have been more than 6 people, but that protocol really didn't
scale to more than a handful of people.

------
RichardHeart
I do not like 20% founders tax. I do not like "trusted" setup. I do like Zooko
trying to make fungibility stronger. I do like zero knowledge proofs making
their way into the wild.

~~~
GhotiFish
isn't it 10%? Main site says 10%, but I hear people complaining about 20%. I'm
not sure what's going on here.

~~~
saurik
I don't know what website you are reading, but the Zcash website says it is
20% now but after 4 years drops to nothing, and when you account for the
dropping rewards given to miners, after ten years (when mining will end) the
result will be 10% went to the founders: so people saying "a 20% tax" are
correct today even if the tax rate will amortize a long time from now to only
be 10%.

> At first, 50 ZEC will be created every ten minutes. 80% of the newly created
> ZEC will go to the miners, and 20% ZEC to the founders.

[https://z.cash/blog/funding.html](https://z.cash/blog/funding.html)

> Every four years, the rate of ZEC being created will halve (again, just like
> in Bitcoin). After the first four years the ZEC created per ten minutes will
> drop to 25ⓩ, but after the first four years, 100% of it goes to the miners.

> The end result (as shown in the diagram) is that there will ultimately be 21
> million ⓩ, and 10% of it, or 2.1 million ⓩ, will have been initially
> distributed to the founders.

------
nawre
[https://twitter.com/zooko/status/863202798883577856](https://twitter.com/zooko/status/863202798883577856)

~~~
mrb
Zooko was talking about doing KYC/AML at the exchange level. He did _not_
suggest to weaken the Zcash protocol:

[https://mobile.twitter.com/zooko/status/863506504518914050](https://mobile.twitter.com/zooko/status/863506504518914050)

~~~
erpellan
Just like _actual_ cash!

The bank doesn't scan the serial numbers on the money I deposit and yet they
somehow correctly credit my account.

~~~
Mcphja
Cash counting machines in banks scan and record numbers to find bills that
have already been flagged (such as those stolen from banks/ATMs), but that
process is unrelated to the crediting of money to your account. General cash
tracking is hypothetically possible, but it would not be trivial to implement.

------
Casseres
It's interesting and definitely worth the read, but if anyone is interested in
a cryptocurrency with privacy, Monero is a better choice.

(Monero doesn't require a trusted setup, doesn't have a founder's tax, isn't
run by a US company, and address balances are private.)

~~~
mmel
Too many of these alt-coins are premined cashgrabs.

~~~
Casseres
Okay, that doesn't have anything to do with Monero though as it's fairly mined
(no premine or dev tax).

Monero has a very good and active dev team that has fixed and disclosed bugs
instead of exploiting them for free coins like other alt-coins.

~~~
mmel
Apologies, I should have clarified that Monero was a rare exception to the
pre-mining get rich quick schemes.

------
asymmetric
FYI, this is from December 2016.

------
n3x10e8
Curious to know the complete story of the phone after this article. Does
someone know about it?

------
j_s
Bitcoin developer Peter Todd's part in this story:

[https://petertodd.org/2016/cypherpunk-desert-bus-zcash-trust...](https://petertodd.org/2016/cypherpunk-desert-bus-zcash-trusted-setup-ceremony)

------
pmarreck
ok why does the URL change after it's loaded in such a way that I can't
reload, it seems like it cuts off the last part of the path

------
anon4728
If you put almost any HP RPN calculator right up to your ear, you can hear
computation via capacitors.

------
based2
alt
[https://github.com/z-classic/zclassic](https://github.com/z-classic/zclassic)
[http://zclassic.org/](http://zclassic.org/)

------
fiatjaf
Wait, but what about block sizes, mining costs and all that? Zcash will suffer
as much as Bitcoin and everything will be lost forever.

