Zcash Audit Finds No Serious Issues in Launch Ceremony Security

A new audit of the complex and controversial zcash key generation ceremony has found any serious security compromises were unlikely.

AccessTimeIconSep 21, 2017 at 6:10 p.m. UTC
Updated Sep 13, 2021 at 6:57 a.m. UTC
10 Years of Decentralizing the Future
May 29-31, 2024 - Austin, TexasThe biggest and most established global event for everything crypto, blockchain and Web3.Register Now

In preparation for the launch of the privacy-centric cryptocurrency, zcash, the project's developers performed an elaborate ceremony.

No small feat, the proceedings would determine not only the viability and security of the entire network, but require the coordination of six participants in six locations around the world – all of whom needed to be in direct contact to ensure a successful outcome.

On the chat list, however, one name stood out: "Moses."

When the ceremony wrapped, it was revealed the owner of this pseudonym was, in fact, Derek Hinch. A consultant in Austin with the security firm NCC, Hinch had been hired to both perform the ceremony as intended and to attack it with everything he had.

Today, NCC finally published a report on Hinch's efforts – and his results may be encouraging to zcash users who harbored suspicions about the birth of the cryptocurrency, now the eighteenth-largest in the world by market value.

Most notably, Hinch reports having only minimal success with an attack on the memory of the test computer under his control, an altered replica of the one actually used for the ceremony. And he is confident that the same attack could not have been performed on the computer that was actually holding sensitive information on the day of the ceremony.

In short, according to Hinch, the ceremony was a success:

"As far as insuring that the toxic waste shards were securely generated and then disposed of properly, which was the crux of the ceremony, I can say with certainty that happened on our end."

Failed attacks

Stepping back, "toxic waste" is a term that the zcash developers coined to refer to the six shards of the single private key that had to be combined and baked into the cryptocurrency's protocol.

If someone were to get their hands on a complete copy of all the shards, it would enable them to surreptitiously create counterfeit coins, an attack that would be difficult to detect given the anonymity of zcash transactions. So, to secure the final product, the full private key was broken up into six pieces, each generated in a different location. They were then combined through a series of computations, none of which required the presentation of the key shards, which remained on isolated computers with no network capability.

At his station, Hinch had two computer setups: one harbored the actual private key shard used in the ceremony, while the other followed all the same instructions but was used to try out a series of attacks. Zcash gave Hinch root access to the machine as well as passwords that enabled him to disable some of the security protections in a layer of the software called grsec.

Even with these credentials, though, Hinch's attacks were thwarted and he failed to remotely grab the toxic waste on the computer.

But Hinch did have slightly more success with a physical attack against the memory.

Through a firewire card inserted into the test machine before the start of the ceremony, he was able to extract 2.2 gigabytes of the total 8GB on the machine, none of which contained the private key shard.

Further, Hinch says the same attack could not have been carried out against the computer he was actually using in the ceremony. To pull it off, someone would have to physically alter the computer, which was in a secure location under constant video observation.

NCC reviewed security footage of the ceremony and verified that no break-ins took place.

"That computer was as secure as you're gonna get," says Hinch.

Trying again

Nevertheless, Hinch had recommendations if a similar ceremony is conducted in the future.

For starters, he believes it would be best to create a complete inventory of the contents of each computer on which toxic waste is stored to make sure there are no physical routes to the memory, such as the firewire card provided.

The zcash key generation ceremony was designed to be secure so long as a single station successfully generated and disposed of its secret before an attacker could steal it. Other participants have since shared their methods for securing their stations.

In a blog responding to the NCC report, zcash developers point out that, while it remains impossible to prove the process was secure, the analysis provides a strong indication that the ceremony went smoothly and that the fundamental security of the coinbase is intact.

Still, as this can't be known for certain, these results are simply best read as providing added assurances against compromise.

Disclosure: CoinDesk is a subsidiary of Digital Currency Group, which has an ownership stake in Zcash Company.

Ring of keys image via Shutterstock


Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by Block.one; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.

Learn more about Consensus 2024, CoinDesk's longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to consensus.coindesk.com to register and buy your pass now.