2^80 is not very weak. That's the level of brute forcing a SHA-1 collision. It's low for a new system, but not very weak.
I agree with your 20%/10% comments, but I do not know why you call ZCash an investment. Zcash should discourage people from investing, like Monero does. Be a privacy coin, do not try to get in on the moon and lambo hypetrains if you want to be taken seriously.
There is no good justification for 20% right now. ZEC market cap is half a billion today. Do they really need that extra 50 mln now versus over time? Feels greedy.
But with so much taken by them that way, does that not reduce their desire to get a backdoor?
At any rate, all of this ceremony and your measures seem, as you say, hocus pocus if you're not building from known source! Forget hardware attacks! How can they not have the basics of a secure toolchain?!?
Did some participants at least publish the source they used and hashes of the toolchain and environment?
At my startup (details in profile) we will end up depending on crypto (among other things) to stay out of prison. Monero is hard to use, privacy wise - EABE and EWE attacks are our concerns. At least with ZCash the model is fairly easy to understand with shielded transactions. Much easier than figuring out ringsize and traceability there. But the Monero community seems better with no 20% take, no central company, none of this trusted nonsense. And no odd comments by both founders that require lots of mental gymnastics to make sense of. Not that any of this should matter. ZCash should be trusted on its own merits regardless of the inventors. Monero has anonymous inventors which could be the NSA for all we know.
Alas I am in no position to analyze ZCash math vs RingCT but my feeling is the latter is more understandable and thus might be more secure even if it has much weaker safety promises.
> 2^80 is not very weak. That's the level of brute forcing a SHA-1 collision. It's low for a new system, but not very weak.
Note that the 2^80 figure from Peter's blog post is really unsubstantiated. There's another curve in libsnark (which we don't use) that has 80-bits of security. I suspect what happened is whoever Peter was consulting with just repeated this number to him. We've spoken to many cryptographers who are experts on these curves, and none of them think that figure is reasonable. I actually don't believe there are _any_ cryptographers that have publicly made such a claim about the security.
2^96 was the original conservative estimate when the NFS attack was discovered, but subsequent analysis showed concrete security closer to 2^110 (and that's ignoring the unrealistic memory costs of the specific attack.)
> How can they not have the basics of a secure toolchain?!?
We provided participants with a reproducibly built and stripped down version of Alpine Linux, employed grsec, wrote all of our crypto software in pure Rust, etc. All of our software is reproducibly built, hashed and signed. There is nothing (software-wise) that cannot be caught in post-hoc review. All of it is open-source: https://github.com/zcash/mpc
Several academic papers regarding our protocol have been published since then. We wrote a full security proof of the crypto. We hired NCC group to audit the ceremony as well: https://z.cash/blog/ceremony-audit-results.html
More auditing can always be done but this is a continuing process. The primary goal is to make it difficult for someone to undetectably compromise the ceremony.
"I’ve had some experts tell me they thought the security level was 2^80 operations (very weak), while others (including Zooko himself) thought it was [more like 2^96](https://moderncrypto.org/mail-archive/curves/2016/000742.htm...). I’m not sure which figure is right, but the fact that there’s disagreement is a bad sign."
I made it very clear that it is an unsubstantiated figure, and linked to Zooko's analysis. To both yourself and the person you're replying too, please don't put words in my mouth.
> We provided participants with a reproducibly built and stripped down version of Alpine Linux, employed grsec, wrote all of our crypto software in pure Rust, etc. All of our software is reproducibly built, hashed and signed. There is nothing (software-wise) that cannot be caught in post-hoc review. All of it is open-source: https://github.com/zcash/mpc
I agree. But that's not what I said; what I said is that post-hoc review hasn't been done, even a year after the fact.
> To both yourself and the person you're replying too, please don't put words in my mouth.
What words did I put in your mouth? I cited the 2^80 figure in your blog post and a reasonable theory for why you would bring up such a figure. "Regurgitated" came across as snide so I apologize for that.
Note that you used this unsubstantiated figure to say "the fact that there’s disagreement is a bad sign." If there isn't actually any disagreement and the figure is unsubstantiated, why is it not baseless FUD? (BTW I notified you of this error in your blog post some time ago but never heard back.)
> what I said is that post-hoc review hasn't been done, even a year after the fact.
I know, I wasn't replying to you. As I said, I believe more auditing is needed. I also don't believe some kind of one-and-done audit of the software/deterministic builds would satisfy either of us.
> "Regurgitated" came across as snide so I apologize for that.
That's the thing, it didn't just come across as snide, it made it sound like I repeated the number uncritically, when in fact I made it clear to the reader where it came from and that there was disagreement.
> If there isn't actually any disagreement and the figure is unsubstantiated, why is it not baseless FUD?
The fact that competent experts could be unfamiliar with Zcash's crypto to the degree that they could disagree on basic facts like that is a sign of concern, precisely because it's yet another strong sign that the crypto is quite new. If this were "tried and tested" crypto, there wouldn't be any disagreement. Note that Zooko himself was unsure of the exact strength due to a recently found attack - tried and tested crypto wouldn't have recently found attacks.
> BTW I notified you of this error in your blog post some time ago but never heard back.
Where did you notify me? For that matter, who are you anyway? I probably know you by name from elsewhere; I don't by handle.
> I also don't believe some kind of one-and-done audit of the software/deterministic builds would satisfy either of us.
Well, I was just discussing the trusted setup with Matthew Green, and I think there's some fundamental disagreement on what kinds of vulnerabilities exist and what the risks of them are. So I really need to write a blog post on it.
I'm Sean from Zcash, I coordinated the MPC and wrote the software. I messaged you on twitter or emailed you or something about this last year.
> it made it sound like I repeated the number uncritically
I didn't say you regurgitated it. I said the person you talked to did, presumably after looking at libsnark or an unrelated paper.
> The fact that competent experts could be unfamiliar with Zcash's crypto to the degree that they could disagree on basic facts like that is a sign of concern, precisely because it's yet another strong sign that the crypto is quite new.
I claim the person you talked to was looking at the wrong curve construction. 2^80 is quite a torch to carry into an argument and no experts that we know have ever suggested a security level less than 2^96. The only "disagreements" about security were far more subtle and reasonable than what your blog post suggested.
This is one situation in which I think that using grsec is absolutely the wrong choice. Grsec mitigates a lot of kernel bugs, but it also adds bugs. More importantly, it isn't particularly well audited, and it is unlikely to have many eyeballs on it at all in the future, given it's not-really-open-source status.
In our case, the use of grsec was one of the simplest counter-measures that achieved an almost purely additive security improvement. That's even when accepting the risk that grsec has security bugs in it.
If the participant did everything right, one of the only remaining ways that the secrets could be exfiltrated from the machine was by exploiting a theoretical vulnerability in xorriso, the software we use to read/write DVDs for airgapped communication in the ceremony. Even then, it was likely to leave an evidence trail on the DVDs for post-hoc review.
As an extra precaution, we needed to impose strict policies on the xorriso process. Grsec was trivial to employ using off-the-shelf Alpine Linux tools, and didn't require any dependencies which would increase the cost of auditing afterward. Grsec was also not likely to introduce bugs we couldn't catch in post-hoc review due to the evidence trail left on the DVDs.
The hope was to force an adversary to exploit both xorriso and grsec in practice. One important question is: was grsec likely to introduce a category of bugs that would not otherwise exist in Linux already? I think the answer to that question is no. Funny enough, just a day or two before the ceremony the Dirty COW vulnerability was patched in the Linux kernel, and we just managed to update our OS before the scheduled ceremony.
What I said was those builds hadn't been properly audited; just being reproducible isn't enough unless people actually reproduce them, and additionally, audit the dependencies that go into those builds.
> Alas I am in no position to analyze ZCash math vs RingCT but my feeling is the latter is more understandable and thus might be more secure even if it has much weaker safety promises.
Depends on what type of security you want. If you're talking about security against inflation, then RingCT is definitely safer than Zcash.
But if you're talking about privacy security, then Zcash is more secure than RingCT; the trusted setup can only be used to create fake Zcash, not deanonymize transactions.
>the trusted setup can only be used to create fake Zcash, not deanonymize transactions.
"I think we can successfully make Zcash too traceable for criminals like WannaCry, but still completely private & fungible"
"I _don't_ mean weakening security (https://z.cash/support/faq.html#backdoor …). I mean that a secure protocol layer is compatible with good law enforcement." -zooko
Not sure how your statements carry water in the face of that comment.
> The secret key (“cryptographic toxic waste”) generated during this phase can be used to steal money - currently in the form of creating counterfeit coins, stealing from everyone collectively.
> As one of those participants, here’s my account of what I did to ensure that secret was destroyed.
Regardless of what he did or did not do to destroy this secret, doesn’t this make ZCash inherently non-trustless? If we trust that these people are honest, why not just have them sign messages with their keys to resolve double-spends, rather than build an elaborate system on top of this trust?
In other words, the ZCash crypto might be trustless itself, but if it’s employed on top of a base that requires trust, what’s the point in the first place? The weakest link is at the base.
“If you just trust me, I have some really cool trustless crypto to show you”
The trust involved in the Zcash trusted setup is a significantly better type of trust than what you're suggesting, because you only have to trust the people involved once. Signing messages is an ongoing trust, which is far more vulnerable to attack.
> The trust involved in the Zcash trusted setup is a significantly better type of trust than what you're suggesting, because you only have to trust the people involved once.
I disagree. Since there’s no way for you to prove that you have actually destroyed the secret in question, there’s no way for me to know where that key is now and, hence, how long I need to trust you.
“Only having to trust the people involved once” presupposes that I trust that they have destroyed the key properly, otherwise the key might still be out there, and the trust would be ongoing in this case as well.
Worst case the two scenarios equate to the same thing. Namely there's one or more people you need to trust indefinitely.
Best case however is where they differ a lot. Best case for this method is trusting someone once. Best case for the other method is still trusting one or more people indefinitely.
> Nothing you will read below changes the fact that you’re trusting me and five other participants not to collude. Full stop. End of story. It is IMPOSSIBLE for myself and the other participants to prove to a third party that we did not collude to keep the secret key. If you do not believe you can trust me, you should stop reading now.
I enjoyed reading this. It felt like a single perspective in a pulp security thriller. It would be interesting for someone to write fiction from the perspective of a potential attacker.
The top comment on the Zcash post from yesterday (!) has a good theory on why Zcash is posted about so often:
"Is it just me or are more and more stories which look like fluff pieces for ZCash coming up on the HN frontpage? If they were a startup, I'd guess they were prepping for an IPO/acquisition. Most of them have titles with rhetorical questions, and come across as marketing pieces more than anything else.
thats what all the drones at Zcash say. It is either that they like the math, or they find validation from stacking the team with renowned cryptographers.
there is almost no intersection of people interested in zcash and people that actually want to use cryptocurrency or keep zcash in their portfolio who have done any analysis of how this is not something to hold for long.
I am very interested in the math, but I kind of agree with you, I am not invested in zcash. If they didn't have first mover advantage they would not be doing as well as they are.
The best implementation using this mathematics is definitely yet to come, I would not be surprised if they weren't surpassed by someone else using similar tech in the very near future.
The protocol scales linearly with respect to the number of participants, but as you can tell, each participant needs to do a lot of time-consuming computations.
Each participant needs to maintain custody of the hardware during the process of the ceremony, and then destroy the hardware afterward. If it was your turn, you'd do some stuff for an hour, and then it's the next person's turn in a round-robin circle. You had to wait maybe ~8 hours before it was your turn again. The protocol involved three rounds of this.
Nobody can abort (players commit to their moves in advance to defend against adaptive attacks) and so there needs to be a time when all N participants are available for the entire duration of the ceremony. This makes it very sensitive to scheduling problems.
If you want to do your own MPC, you also need to perform very expensive fast-fourier transforms in between round 1 and 2. In our ceremony that required a very beefy 128-core server and it still took over an hour.
I actually just found a log file from the ceremony's coordinator server (not a privileged server, just handles messages and archives them) which shows the timings of everything, which is kind of fun:
"Until the software and deterministic builds are audited, the entire ceremony is a bunch of crypto hocus pocus that means nothing."
I'm 100% serious, and even a year later this still hasn't been done properly.