The Security Behind the Birth of Zcash (ieee.org)
129 points by soneca on July 16, 2017 | hide | past | web | favorite | 49 comments

Related recent radiolab episode: http://www.radiolab.org/story/ceremony/

Very well told story, but it was a little frustrating to not hear why the reporter's iPhone was feeding back into the hangout.

Android, but yes, I agree.

Actually I heard about it at Radiolab first, but thought it was better to share one of the linked written articles here.

The article is better in that it has no Robert Krulwich.

Neither does this episode.

Regardless of the secure computation done during the ceremony, at the end of the day there is a degree of trust in the founding participants of Zcash. I think given the people involved, and that they are all essentially security zealots with provable records, messing this up doesn't seem likely. There is no monetary incentive to make a mistake in the trusted setup, and there is significant personal reputation damage to the participants if it was provably hijacked.

Further, the founders' reward, despite having a slight smell, is really not an unfair way to structure something like this. Significant resources were put into Zcash well before it was deployed; are the founders supposed to just eat that cost? Why shouldn't their success be tied to the success of the coin they created over a period of time? Would a Satoshi-style pre-mine be more fair? These questions are complicated, but without an ICO driving the development, this doesn't seem like the worst-case scenario for a commercial entity.

> I think given the people involved, and that they are all essentially security zealots with provable records. messing this up doesn't seem likely.

Speaking as one of those people, even with driving ~2000km across Canada with the compute laptop in a faraday cage, I can assure you there's a lot of ways we could have screwed it up... See https://petertodd.org/2016/cypherpunk-desert-bus-zcash-trust... for some of them.

I wonder if there isn't a more ethically sound way of rewarding the founders of cryptocurrency initiatives. A percentage of the total value of the whole currency seems disproportionately large if you consider the value of the total coin offering possible if they ever attained a status akin to the Euro, Dollar, Yen, or Pound Sterling. While that may or may not ever happen, it certainly seems to be a goal for many of these initiatives.

To me it makes all cryptocurrencies seem like Ponzi schemes designed to profit its founders first and foremost; regardless of any merits.

> […] are the founders supposed to just eat that cost?

Ideally, some philanthropist driven by idealism would work with a bright bunch of crypto enthusiasts like them to fund development, precisely to prevent the ethical problem of a founders' reward. Alternatively, perhaps a capped value that is based on a fair estimate of the initial costs of development with a fair profit margin (to compensate for the risk) would encounter less resistance than the current trend of an open-ended percentage.

Agreed. As a programmer who's worked with Zooko and other Zcash developers (on unrelated projects before it) I'll add that I was impressed by their security-engineering skill and integrity. (I'm unqualified to judge their crypto.)

I appreciate the research of zcash, but trusted-setup is still just a very sophisticated security theater. The least they should have done is have constructed an open participation.

Indeed. Secure multiparty computation with a large number of assumed-malicious participants to do the initial setup would've been enough. As it was, I just can't trust it - even if all the parties are honest and completely trustworthy. I may be paranoid but, in my opinion, if you have to do the same rigmarole that the CA system does then you're still fundamentally broken.

The problem was the existing MPC protocol for generating the parameters didn't scale that well. 1) It required participants to stay secure during the entire computation. With 6 people we still had problems because it took long enough that people had to sleep.

2) If anyone aborted, the protocol had to restart

The next version of the protocol will resolve both of these issues.

At the time, the multi-party computation protocol could not scale to a large number of participants.

Define large. In any case, I would rather have a protocol in which only one of the participants needs to successfully discard their local state for total security than n participants.

That was the case. If one of the 6 people completed the computation and discarded the results, the parameters are secure.

Ideally it would have been more than 6 people, but that protocol really didn't scale to more than a handful of people.

You still would need just 1 participant; it's the computation part that would be open to any number of participants in order to reduce the possibility of collusion.
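The property argued over in the comments above (one honest participant who discards their local state is enough, and an abort forces a restart) is easy to see in a toy round-robin setup. This is an added illustration, not the Zcash ceremony's actual protocol or code: it uses a constructed small prime-field group instead of an elliptic curve, and the function names are my own.

```python
"""Toy model of a sequential multi-party trusted setup (added example).
Each participant raises the running public parameter to a fresh secret
exponent and is expected to delete that exponent ("toxic waste")."""
import secrets

# Constructed toy group: a Mersenne prime field so this runs instantly.
# Real ceremonies use elliptic-curve groups, but the algebra is analogous.
P = 2**61 - 1          # field modulus
G = 3                  # base element of the toy group
ORDER = P - 1          # exponents are taken modulo the group order

def participant_round(running, keep_share=False):
    """One participant's turn. Returns the updated parameter and the
    secret share only if this participant dishonestly keeps it."""
    share = secrets.randbelow(ORDER - 1) + 1
    return pow(running, share, P), (share if keep_share else None)

def run_ceremony(n, dishonest=frozenset(), abort_once_at=None):
    """Run n rounds sequentially. `dishonest` lists participant indices that
    retain their share. If `abort_once_at` is set, that participant aborts
    once and, as the commenters describe, the whole protocol restarts.
    Returns (final_parameter, kept_shares, restart_count)."""
    running, kept, i, restarts = G, {}, 0, 0
    while i < n:
        if i == abort_once_at and restarts == 0:
            running, kept, i, restarts = G, {}, 0, 1   # restart from scratch
            continue
        running, share = participant_round(running, keep_share=(i in dishonest))
        if share is not None:
            kept[i] = share
        i += 1
    return running, kept, restarts

def trapdoor_recoverable(kept, n):
    """The trapdoor is the product of ALL shares mod ORDER. Colluders can
    rebuild it only if no participant discarded their share."""
    return len(kept) == n

def reconstruct_trapdoor(kept):
    """Combine retained shares; meaningful only when all n were kept."""
    s = 1
    for share in kept.values():
        s = s * share % ORDER
    return s

if __name__ == "__main__":
    param, kept, _ = run_ceremony(6, dishonest={0, 1, 2, 3, 4})
    print("5 of 6 colluding, trapdoor recoverable:", trapdoor_recoverable(kept, 6))
```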

I do not like 20% founders tax. I do not like "trusted" setup. I do like Zooko trying to make fungibility stronger. I do like zero knowledge proofs making their way into the wild.

Isn't it 10%? The main site says 10%, but I hear people complaining about 20%. I'm not sure what's going on here.

I don't know what website you are reading, but the Zcash website says it is 20% now but after 4 years drops to nothing, and when you account for the dropping rewards given to miners, after ten years (when mining will end) the result will be that 10% went to the founders: so people saying "a 20% tax" are correct today even if the tax rate will amortize a long time from now to only 10%.

> At first, 50 ZEC will be created every ten minutes. 80% of the newly created ZEC will go to the miners, and 20% ZEC to the founders.


> Every four years, the rate of ZEC being created will halve (again, just like in Bitcoin). After the first four years the ZEC created per ten minutes will drop to 25ⓩ, but after the first four years, 100% of it goes to the miners.

> The end result (as shown in the diagram) is that there will ultimately be 21 million ⓩ, and 10% of it, or 2.1 million ⓩ, will have been initially distributed to the founders.

It's 10% of all ZEC over planned mining-distribution, but front-loaded: 20% of mining-rewards for the 1st four years, then 0% thereafter.

Everything but the actual private key/parameters should be open-source, vetted and approved before going forward on a cryptocurrency... no magic obscurity when it comes to money. Otherwise, scams and/or vulns lead to amateur-hour fail.

Zooko was talking about doing KYC/AML at the exchange level. He did not suggest to weaken the Zcash protocol:


Just like _actual_ cash!

The bank doesn't scan the serial numbers on the money I deposit and yet they somehow correctly credit my account.

Cash counting machines in banks scan and record numbers to find bills that have already been flagged (such as those stolen from banks/ATMs), but that process is unrelated to the crediting of money to your account. General cash tracking is hypothetically possible, but it would not be trivial to implement.

They actually do.

Well not _you_ but bills do get flagged if they're involved in crimes (like kidnapping or robbery). So when they're deposited in a bank the FBI can track the _relative_ location of criminals.

Just like in the tweet mentions that Zooko didn't reply to; what about just having a zaddr cleaning those coins? KYC/AML already exists on (most) exchanges.

I don't think so; you can exchange your money through services like ShapeShift where it remains anonymous at the other end, and you can make the exchange to fiat money via Localbitcoins. There are many other alternatives we can think of.

I think it would be good to have an optional KYC/AML attached to cryptocurrency transactions. In this way they can be more popular and more connected to the regulated world.

> it would be good to have an optional KYC/AML attached to cryptocurrency transactions

This is already the case, minus the optional part [1]. Broadly, I'd guess anyone involved with an unregulated money transmission operation is one pissed-off D.A. away from serious jail time.

[1] http://www.coindesk.com/bitcoin-law-what-us-businesses-need-...

That article applies to US law.

If you do anything with U.S. dollars, the United States claims jurisdiction.

You don't need to use dollars in exchanges.

KYC/AML applies to the person, not to the serial numbers printed on the bills they hand over.

I am not sure if you understood what I said. You can connect transactions with people.

That about seals the deal for me.

Seals what? People talking about big ideas that are hard to solve?

It's interesting and definitely worth the read, but if anyone is interested in a cryptocurrency with privacy, Monero is a better choice.

(Monero doesn't require a trusted setup, doesn't have a founders' tax, isn't run by a US company, and address balances are private.)

Too many of these alt-coins are premined cash grabs.

Okay, that doesn't have anything to do with Monero though as it's fairly mined (no premine or dev tax).

Monero has a very good and active dev team that has fixed and disclosed bugs instead of exploiting them for free coins like other alt-coins.

Apologies, I should have clarified that Monero was a rare exception to the pre-mining get rich quick schemes.

Monero is not premined.

FYI, this is from December 2016.

Curious to know the complete story of the phone after this article. Does someone know about it?

Bitcoin developer Peter Todd's part in this story:


OK, why does the URL change after it's loaded in such a way that I can't reload? It seems like it cuts off the last part of the path.

If you put almost any HP RPN calculator right up to your ear, you can hear computation via capacitors.

Wait, but what about block sizes, mining costs and all that? Zcash will suffer as much as Bitcoin and everything will be lost forever.
