Zcash and the Art of Security Theater
The cameras were rolling as Bitcoin Core developer Peter Todd set fire to the computer he'd just used to help bring Zcash to life.
Wearing a gas mask he’d purchased at a local shop near Valemount, British Columbia, he burned the components with a propane torch until they turned almost completely black. His intention was to prevent anyone from ever recovering their contents.
Todd then bagged up the torched components, and drove in a rented car from the sparsely populated setting of the ceremony to the small town of Kamloops, better known for its pulp mill than for being one of the birthplaces of a new cryptocurrency.
The burn ceremony was the final step of a weeks-long process to be described in detail in an upcoming post on Todd's blog. (Todd was just one of six people around the world conducting their own unique version of the ceremony.)
If the defensive measures do what they were intended to do, they should have prevented anyone from using the keystrokes recorded on the various computers to create undetectable counterfeit cryptocurrency.
If that and countless other steps seem like unwarranted caution, consider this: in the two weeks since Zcash launched, its global market cap has grown from zero dollars to $3.2m, or an increase of about $200,000 per day. With a long history of comparisons to cryptocurrency as a possible global currency, the sky is the limit.
The problem is it doesn't currently appear to be possible to prove the ceremony worked.
With a bit of work, perpetrators could surreptitiously ascertain keystrokes using radio signals, traditional cameras, satellites or other methods, according to Todd. If they are able to repeat the events of the ceremony exactly, they would have the almost magical powers to create Zcash out of thin air, and thanks to the zero-knowledge nature of the currency, no one would ever know.
The ceremony is an act of what is called security theater, a term popularized in the late 2000s by the writings of security expert Bruce Schneier, who defined it as "security primarily designed to make you feel more secure."
But security theater is also a form of deterrence.
Examples range from babies wearing RFID bracelets in hospitals to discourage kidnapping to nations parading war planes and missiles in front of their citizens to make them feel safe.
But the Zcash ceremony highlighted a crucial component of security theater: trust. Do those RFID bracelets actually do anything or are they just plastic strips with pretty shapes printed on them? Do those planes actually have warheads in them or are they little more than empty shells?
As Todd made clear, all this security theater means nothing if the audience doesn't trust the actors.
From the introduction to the unpublished post:
"Nothing you will read below changes the fact that you're trusting me and five other participants not to collude. Full stop. End of story. It is IMPOSSIBLE for myself and the other participants to prove to a third party that we did not collude to keep the secret key. If you do not believe you can trust me, you should stop reading now."
Trust and trustlessness
And therein lies the problem. Do you trust Todd? Do you trust Zcash advisor Andrew Miller, who is another of the public participants in the ceremony? Or Coin Center director of research Peter Van Valkenburgh? How about Zooko Wilcox, Zcash’s CEO? The identities of two of the other people entrusted to ensure the safety of the system have yet to be revealed.
Though Zcash is built on a trustless protocol, to provide the true anonymity its creators desired, the ceremony reintroduced the element of trust.
"Even if they executed perfectly, there’s another concern that still, ultimately, the only thing that other people have, the other 7 billion people on this planet have, is to trust six people and assume that what they’re saying is absolutely true, and that nobody was able to compromise them," said Greg Slepak, founder of email security firm Tao Effect, and the non-profit okTurtles (which works to ensure decentralized technologies are used for the benefit of society).
Slepak is an early detractor of Zcash's so-called "trusted setup" and a vocal skeptic who alleges the security theater designed to discourage attacks may not have actually done what it was designed to do.
In March, Slepak enumerated a series of his concerns about the impending launch of Zcash in a blog post on the okTurtles site. In particular, he called for the Zcash team to be more transparent about the potential risks surrounding the trusted setup prior to the launch.
Then, in September, he published another account of a number of incentives that exist for third parties to compromise the setup. Specifically, he expressed concern about intelligence agencies from state governments that don’t want to lose the monopoly they have on printing truly fungible currency.
The frustration in Slepak's voice is noticeable when he talks about his concerns. In Zcash, he sees the promise of a financial future void of central banks and their perceived evils — if the ceremony was successful.
"Basically, a taboo is created and it's that elephant in the room that nobody wants to talk about. It's something that's so outrageous and so bad that nobody even wants to look in that direction or bring it up."
Six shards unite
When speaking with Slepak, it's easy to slip back and forth between being incredibly concerned about the doomsday scenarios he presents if Zcash is widely adopted in its current state and thoughts that this is just another conspiracy theory.
Let's start by giving him the benefit of the doubt. How might this all work?
Zcash is based on a fork of the bitcoin blockchain. But unlike bitcoin, Zcash employs cryptographic tools called zk-SNARKs that let counterparties conduct truly anonymous, or "zero-knowledge," transactions.
Not only are the counterparties' identities obscured, but so is the actual transaction value (making it practically impossible to trace or audit without permission granted by the counterparties). But for this to work, a degree of randomness must be inserted into the system, which is where the high priests of the ceremony, the actors in this particular security theater, come into play.
While some aspects of the ceremony were revealed in a Zcash blog leading up to the launch and in an IEEE report following Wilcox’s own actions in Colorado, the full extent of how elaborate the process was did not become clear until Todd's post.
If we believe Todd, we now know that Wilcox initially contacted him via an unencrypted direct message on Twitter on 26th September when he invited him to be a "human witness" and participant in the unique events.
After a series of mishaps that made Todd concerned about potential security vulnerabilities in his communication with Zooko, he received a three-page document called "Zcash Multi-party Computation Instructions." Obtained by CoinDesk, the document lists the technical specifications for the hardware required, instructions for downloading the software and further steps for burning the information to a series of DVDs.
The ceremony itself is formally known as a multi-party computation (MPC) protocol. Basically, what happened is the six participants were asked to follow the instructions to create what amounts to a public key for Zcash.
Some of the instructions are in the document while others were presented on a screen based on the document. The result is that each of the six people creates a "shard" of the public key and what ends up on those DVDs is exactly one-sixth of the private key.
The shards are referred to in Zcash documents as toxic waste.
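The ceremony described above, as an added toy model (not Zcash's code and not the actual MPC protocol): each shard is folded into a running public value, and the secret behind the result can only be rebuilt from all six shards. It assumes the shards combine multiplicatively in the exponent; the modulus, base and function names are constructed for illustration.

```python
import secrets

# Constructed toy group: arithmetic modulo the Mersenne prime 2**127 - 1.
# Not a secure parameter choice; real parameters live in pairing-friendly curves.
P = 2**127 - 1
G = 3  # public starting value (assumption for this sketch)

def new_share():
    """A participant's private shard: a random exponent in [2, P-2]."""
    return 2 + secrets.randbelow(P - 3)

def contribute(acc, share):
    """Fold one shard into the running public value; only the result is passed on."""
    return pow(acc, share, P)

def run_ceremony(shares):
    """Chain all contributions, starting from the public base G."""
    acc = G
    for s in shares:
        acc = contribute(acc, s)
    return acc

def trapdoor(shares):
    """The 'toxic waste': product of the given shards (exponents reduce mod P-1)."""
    t = 1
    for s in shares:
        t = (t * s) % (P - 1)
    return t

def reproduces(candidate, public_param):
    """A candidate trapdoor is only useful if it regenerates the public parameter."""
    return pow(G, candidate, P) == public_param

if __name__ == "__main__":
    shares = [new_share() for _ in range(6)]
    public_param = run_ceremony(shares)
    # All six shards together rebuild the trapdoor.
    print("six of six :", reproduces(trapdoor(shares), public_param))
    # One participant destroyed their shard: the other five are not enough.
    print("five of six:", reproduces(trapdoor(shares[:5]), public_param))
```

In a properly sized group, someone holding five shards would still have to solve a discrete-logarithm problem to recover the sixth from the public values.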
From the official Zcash description of the ceremony:
"With the MPC protocol, as long as at least one of the participants successfully deletes their private key shard, then the toxic waste is impossible for anyone to reconstruct. The only way the toxic waste can be reconstructed is if every participant in the protocol were dishonest or compromised."
In conversation with CoinDesk, Todd estimated between a 50% and 90% chance that he completed the ceremony without being compromised.
"Keep in mind," he added. "You only need one of the six to succeed" for the ceremony to work.
A cryptocurrency cold war
But who would want to undermine Zcash?
Of course there are trolls who just want to see the world burn. But according to Slepak, the resources required to surreptitiously ascertain all six of the shards would be immense, and there are only two likely incentives for those people to act.
The first incentive is to get rich. Assuming that Zcash becomes a widely used cryptocurrency, the ability to create more of it willy-nilly could be lucrative. But Slepak says few private citizens other than the Tony Starks of the world have the resources and the technical ability to pull off the feat.
The real threat, he argues, is from a national intelligence agency or another branch of a state government.
And there are two reasons a state government might have wanted to compromise Zcash, according to Slepak. First, if the currency becomes widely adopted, it has the potential to undermine that government’s monopoly on printing money. And second, because if a government didn’t compromise the ceremony, another nation might.
This dynamic results in a game-theoretic situation where one country is incentivized to compromise the system before another does, and the other country reacts in a similar way, resulting in an almost inevitable likelihood of attack.
"If it's another nation state that manages to compromise them then that other nation state effectively has a very very powerful digital and financial weapon that they can employ against whatever nation is concerned," said Slepak.
The security dilemma
Slepak’s concerns amount to what is called a zero-sum outlook on international security, according to Steve Ehrlich, a former senior intelligence analyst who worked with the US Defense Intelligence Agency: the idea that a gain anywhere in a system must be accompanied by a loss elsewhere.
Now a cryptocurrency specialist at corporate advisory firm Spitzberg Partners, Ehrlich said the concern also reminds him of what is called the security dilemma, when one party accidentally gives off the impression of aggression while taking a defensive posture.
For example, the US deploying anti-missile defense systems in Eastern Europe to protect NATO allies from Iranian missiles could result in Russia being concerned its own nuclear deterrent might be compromised.
But Ehrlich is dubious about Slepak's misgivings generally speaking. "All of this is predicated upon the assumption that Zcash becomes a globally significant currency, which I think we can all agree is a very tenuous proposition."
With an $11bn market cap, even the most valuable cryptocurrency, bitcoin, is only about 0.01% of global GDP, according to World Bank data. If bitcoin is barely a blip of the total GDP, Zcash's $3.2m market cap is even less so.
Instead of trying to compromise the system, Ehrlich predicts an interested government would most likely try to learn from it.
He told CoinDesk:
"My assessment is that governments will study the technology just as they did with bitcoin to evaluate its merits and vulnerabilities and look into ways of safeguarding themselves against actors using them for illicit purposes."
Not perfect, but…
The potential vulnerabilities have been known since the earliest days of the Zerocash protocol on which Zcash was built.
In February 2016, Wilcox published an article on the Zcash blog about how to generate SNARK parameters securely. After describing in very general terms how the ceremony works, Wilcox concluded that "we think this solution is good enough to move ahead with."
From the post:
"Unfortunately, there is no way to confirm, after the fact, that it actually worked."
The reason that’s the case is that the zero-knowledge SNARKs prevent the community from distinguishing between legitimate and counterfeit tokens, a grave concern to Slepak.
"That is very dangerous," he said. "Because if people are pricing the tokens on the assumption that there's only 21 million of them maximum, then those fake tokens get imbued with that price."
One of the inventors of the Zerocash protocol acknowledged to CoinDesk there was room for improvement to the Zcash implementation. But unlike Slepak and Todd, Alessandro Chiesa says he's not concerned.
Chiesa and other members of the Zerocash team are currently working on more advanced zk-SNARKs that don’t require trust, not because of a vulnerability but because he says the trusted setup is a "hassle" to implement.
As for Todd’s estimation that there was as low as a 50% chance of success preventing a compromise, Chiesa told CoinDesk:
"If someone had managed to glean the trapdoor from all six parties they could do some bad things. That’s why we did the ceremony. I view it as incredibly unlikely to the point of a vanishing possibility."
Wilcox himself acknowledged reason for ongoing security concerns in a September conversation with CoinDesk in which he described what he called the "half-life of doubt."
Simply put, the idea is that the longer the blockchain has been functioning the less doubt will remain that it can or has been compromised.
During that conversation he said that the "only thing" that will make him satisfied is "if years go by with more and more money" on the blockchain and no hack. A representative of Zcash last week told CoinDesk the team was "still investigating" if there were any signs the system had been compromised.
But Wilcox added:
"I am very confident that the ceremony succeeded at producing the public keys without allowing the toxic waste key to come into existence."
To help accelerate the rate at which doubt disappears, Zcash is currently preparing to release a video recording of some of the security measures conducted at the Denver incarnation of the ceremony. Chiesa told CoinDesk more will be published with time, and an upgrade is planned in the coming year.
But to Slepak, if billions of dollars move to the Zcash blockchain as he thinks might someday happen, anything less than perfection isn’t good enough.
With national intelligence agencies at the top of both his list and Todd’s list of organizations with a potential incentive to compromise Zcash, there’s much more potentially at stake than just money.
Slepak argues that the worst case scenario isn’t the collapse of a burgeoning new cryptocurrency, but the continuation of the same centralized monetary supply strategies that exist in the current financial system.
To understand what would happen if a compromised Zcash achieved widespread adoption, Slepak said we need to look no further than what happens in the current system when a small group of people controls the global monetary supply.
"What happens is they are able to enslave entire nations of people and they are able to channel that money to various projects that create a lot of human suffering. And some of these projects literally involve massive wars between various nations. So the worst that could happen if Zcash is compromised, I can say is wars, people dying. But that's pretty bad."
Disclosure: CoinDesk is a subsidiary of Digital Currency Group, which has an ownership stake in Zcash.