Zcash Audit Finds No Serious Issues in Launch Ceremony Security

A new audit of the complex and controversial zcash key generation ceremony has found any serious security compromises were unlikely.

AccessTimeIconSep 21, 2017 at 6:10 p.m. UTC
Updated Sep 13, 2021 at 6:57 a.m. UTC

In preparation for the launch of the privacy-centric cryptocurrency, zcash, the project's developers performed an elaborate ceremony.

No small feat, the proceedings would determine not only the viability and security of the entire network, but require the coordination of six participants in six locations around the world – all of whom needed to be in direct contact to ensure a successful outcome.

On the chat list, however, one name stood out: "Moses."

When the ceremony wrapped, it was revealed the owner of this pseudonym was, in fact, Derek Hinch. A consultant in Austin with the security firm NCC, Hinch had been hired to both perform the ceremony as intended and to attack it with everything he had.

Today, NCC finally published a report on Hinch's efforts – and his results may be encouraging to zcash users who harbored suspicions about the birth of the cryptocurrency, now the eighteenth-largest in the world by market value.

Most notably, Hinch reports having only minimal success with an attack on the memory of the test computer under his control, an altered replica of the one actually used for the ceremony. And he is confident that the same attack could not have been performed on the computer that was actually holding sensitive information on the day of the ceremony.

In short, according to Hinch, the ceremony was a success:

"As far as insuring that the toxic waste shards were securely generated and then disposed of properly, which was the crux of the ceremony, I can say with certainty that happened on our end."

Failed attacks

Stepping back, "toxic waste" is a term that the zcash developers coined to refer to the six shards of the single private key that had to be combined and baked into the cryptocurrency's protocol.

If someone were to get their hands on a complete copy of all the shards, it would enable them to surreptitiously create counterfeit coins, an attack that would be difficult to detect given the anonymity of zcash transactions. So, to secure the final product, the full private key was broken up into six pieces, each generated in a different location. They were then combined through a series of computations, none of which required the presentation of the key shards, which remained on isolated computers with no network capability.

At his station, Hinch had two computer setups: one harbored the actual private key shard used in the ceremony, while the other followed all the same instructions but was used to try out a series of attacks. Zcash gave Hinch root access to the machine as well as passwords that enabled him to disable some of the security protections in a layer of the software called grsec.

Even with these credentials, though, Hinch's attacks were thwarted and he failed to remotely grab the toxic waste on the computer.

But Hinch did have slightly more success with a physical attack against the memory.

Through a firewire card inserted into the test machine before the start of the ceremony, he was able to extract 2.2 gigabytes of the total 8GB on the machine, none of which contained the private key shard.

Further, Hinch says the same attack could not have been carried out against the computer he was actually using in the ceremony. To pull it off, someone would have to physically alter the computer, which was in a secure location under constant video observation.

NCC reviewed security footage of the ceremony and verified that no break-ins took place.

"That computer was as secure as you're gonna get," says Hinch.

Trying again

Nevertheless, Hinch had recommendations if a similar ceremony is conducted in the future.

For starters, he believes it would be best to create a complete inventory of the contents of each computer on which toxic waste is stored to make sure there are no physical routes to the memory, such as the firewire card provided.

The zcash key generation ceremony was designed to be secure so long as a single station successfully generated and disposed of its secret before an attacker could steal it. Other participants have since shared their methods for securing their stations.

In a blog responding to the NCC report, zcash developers point out that, while it remains impossible to prove the process was secure, the analysis provides a strong indication that the ceremony went smoothly and that the fundamental security of the coinbase is intact.

Still, as this can't be known for certain, these results are simply best read as providing added assurances against compromise.

Disclosure: CoinDesk is a subsidiary of Digital Currency Group, which has an ownership stake in Zcash Company.

Ring of keys image via Shutterstock


Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups. As part of their compensation, certain CoinDesk employees, including editorial employees, may receive exposure to DCG equity in the form of stock appreciation rights, which vest over a multi-year period. CoinDesk journalists are not allowed to purchase stock outright in DCG.

Learn more about Consensus 2024, CoinDesk’s longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to consensus.coindesk.com to register and buy your pass now.