Fixing Vulnerabilities in the Zcash Protocol (z.cash)
63 points by sibrahim on May 6, 2016 | hide | past | favorite | 10 comments

The most impactful: "Taylor Hornby found the InternalH Collision vulnerability, which would let someone double-spend a specially-crafted note, if they have a computer powerful enough to find 128-bit hash collisions."

How difficult is it to find a 128-bit hash collision, assuming a sane hash function? For example, SHA-256 truncated to 128 bits. At first thought it feels pretty much impossible.

It takes approximately 2^64 attempts to find a 128-bit collision. The Bitcoin network as a whole--with custom ASICs--computes 2^61 SHA256 compression function calls per second and consumes 150 MW, so it would take it 8 seconds. Or it would take 160 000 secs/44 hours with a single dense rack (7.5 kW) of custom ASICs.

So yeah if you care about the security of a crypto currency, this 2^64 collision attack is very doable and unacceptable. The rule of thumb in crypto is to aim at making attacks cost at least 2^128.

I didn't actually read the analysis, but to find two arbitrary inputs that hash to the same value for a 128-bit hash, collisions would follow the birthday bound, so it would take 2^(128/2) = 2^64 effort. Definitely not out of the realm of possibility for a modestly-funded effort, and certainly less security than I would expect for a cryptocurrency.
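The birthday bound that the two comments above are arguing about, shown concretely as an added example rather than anything from the thread or the Zcash project: a naive collision search on SHA-256 truncated to a small number of bits, instrumented to count how many hashes it takes, next to the scaling arithmetic for a 128-bit hash. The 32-bit truncation is a toy so it runs in about a second; the 2^61 hashes/s rate is the Bitcoin-network figure quoted in the thread, used here only as an assumed input.

```python
import hashlib
import math
from typing import Dict, Tuple


def truncated_sha256(msg: bytes, bits: int) -> int:
    """SHA-256 of msg, keeping only the top `bits` bits of the digest."""
    digest = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return digest >> (256 - bits)


def find_collision(bits: int, max_attempts: int = 1 << 24) -> Tuple[bytes, bytes, int]:
    """Birthday search: hash distinct messages until two share a truncated digest.

    Returns (m1, m2, attempts). The messages are a constructed counter sequence;
    any distinct inputs would do. Memory use is O(attempts), which is fine for a
    toy width but is why real attacks use the memoryless parallel collision
    search of van Oorschot and Wiener instead of a dictionary.
    """
    seen: Dict[int, bytes] = {}
    for i in range(max_attempts):
        msg = b"note-%d" % i
        h = truncated_sha256(msg, bits)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg
    raise RuntimeError("no collision within %d attempts" % max_attempts)


def expected_attempts(bits: int) -> float:
    """Expected hashes before the first collision: sqrt(pi/2 * 2^bits) ~ 2^(bits/2)."""
    return math.sqrt(math.pi / 2 * (1 << bits))


def attack_seconds(bits: int, hashes_per_second: float) -> float:
    """Wall-clock time for a 2^(bits/2) birthday attack at an assumed hash rate."""
    return 2 ** (bits / 2) / hashes_per_second


if __name__ == "__main__":
    m1, m2, n = find_collision(32)
    print("32-bit collision after %d hashes (expected ~%.0f): %r vs %r"
          % (n, expected_attempts(32), m1, m2))
    # Assumed rate from the thread: 2^61 SHA-256 compressions/s for the whole Bitcoin network.
    print("128-bit birthday attack at 2^61 H/s: %.1f s" % attack_seconds(128, 2 ** 61))
```

Running it finds a 32-bit collision after on the order of 2^16 hashes rather than 2^32, which is the whole point: halving the exponent is what turns "128-bit security" into a 2^64 attack, and at the thread's assumed 2^61 hashes/s that is 8 seconds. The dictionary approach does not scale to 2^64 entries; an attacker at that size would use distinguished-point collision search, which needs only a small constant amount of memory per parallel worker.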

> certainly less security than I would expect for a cryptocurrency

The good news here is that a Zcash team member found this weakness in the Zcash protocol and it's being fixed before it ships.

Kudos to the Zcash team for employing aggressive internal security auditing.

Since the code is open source, what's stopping someone from releasing zerocoins before its release in July?

Nothing, but no one will/should trust them without cryptographic expert consensus saying it's ready. Right now, the cryptographers most familiar with it are working on/with the official team and aren't clamoring to release it yet.

And anyone doing an early release will need to handle the initial parameter selection which has to be done publicly/securely to convince people that the private key toxic waste (that would theoretically allow counterfeiting) wasn't retained.

They are planning a secure multiparty computation that never creates the private key in usable form provided that at least one of the n parties follows the procedure correctly. This again relies on expert consensus that the process is secure.

On a side note, this is likely to produce some fun spectacle: I fully expect someone involved will try to verify they destroyed their private key share by live streaming the generation process then immediately and totally destroying the equipment involved.

If my request to participate in the parameter generation is granted, I'm going to use TAILS with no persistence to generate then manually copy the base64-encoded public key over to my other computer, then I'm terminating the other machine.

Who would buy coins (or mine) on an unofficial Zcash network? I can't imagine many people would expend resources supporting an unofficial network since one of the major risks of a zero-knowledge protocol is that the initial operator could "premine" a large quantity of coins and no-one would know.

People will probably wait for the official Zcash launch because they trust the Zcash team to launch a secure network and (importantly) to maintain the network going forward. In some ways this is like a Schelling point, where people will wait for the official network because they expect other people will wait for the official network, and so on.

Those are some fairly scary bugs! Zcash is a highly ambitious protocol, so perhaps some nasty bugs were to be expected - but still, double-spending is probably enough to take down the production network?

(I haven't followed all details of Zcash, and remain unconvinced that it would actually be a good thing if Zcash succeeded - note that Bitcoin hasn't so much brought a new libertarian era of free thought as ransomware, hacking and old-fashioned crooks.)

AFAIK Zcash hasn't launched yet.
