Edward Snowden, the former U.S. defense contractor whose leaks ignited a worldwide debate about internet surveillance, played a secret role in the creation of the privacy-enhancing cryptocurrency zcash (ZEC).
The whistleblower, who was granted asylum in Russia and has lived there since 2013 after the U.S. charged him with espionage, was one of the six participants in the “ceremony” that established zcash’s so-called trusted setup.
His previously undisclosed involvement in the 2016 ceremony was revealed in a video set to be released Thursday by Zcash Media, an outfit that produces educational materials about the privacy coin.
“I saw it being worked on by a number of trusted academic cryptographers and I thought it was a very interesting project,” Snowden said in the video.
He said he used the pseudonym “John Dobbertin” to hide his role in the setup.
In a recent message to zcash co-creator Zooko Wilcox, Snowden agreed to make his participation public knowledge.
“As long as it is clear that I was never paid and had no stake, it was just a public interest thing, I think you can tell people,” wrote Snowden, who is scheduled to speak at Consensus 2022 in June.
Zcash’s trusted setup
To understand Snowden’s role in the zcash “ceremony” of 2016, first we need to review how the cryptocurrency’s privacy works.
Zcash has two kinds of transactions: transparent and shielded. The transparent ones are visible on the public blockchain, just as regular BTC transactions are visible on the Bitcoin blockchain. The shielded transactions, however, go into “privacy pools,” which you can think of as black holes where they all get swished together. These pools ensure that there’s no way for blockchain observers to know where the coins came from or where they go.
In order to set up the privacy parameters of the original “Sprout” pool created in 2016 and “Sapling” pool created two years later, a secret cryptographic key needed to be generated for each. The key is essentially a very, very long number. The process of generating this number is called a “trusted setup,” and the problem is that anyone who knows that secret key would be able to forge as many coins as they wanted.
Possession of the entire key could lead to “counterfeiting of the supply, but it would not violate any of the current or past privacy,” said Nathan Wilcox, Zooko’s brother and another ZEC co-creator.
While it’s somewhat reassuring that the trusted setup doesn’t present a privacy risk to ZEC, the ability to counterfeit coins would clearly be a big problem.
“You can't launch this global internet money cryptocurrency if somebody just knows the secret and then promises to throw it away,” Nathan Wilcox said.
So the initial team of researchers designed what's called a multi-party computation, known as “The Ceremony.” Through this process, the secret key isn’t generated and held by just one person. Instead, it is split among many people, with each contributing a shard, or piece, of this very, very big number. This way, no single person would have a copy of the whole number.
“If at least one person succeeds in throwing away their part of the data, the computation is secure,” said Bitcoin developer Peter Todd, one of the six participants in the initial ceremony.
Decoy plane tickets and Faraday cages
The lengths Todd went to make sure he wasn’t hacked during the process are legendary. He called the adventure “Operation: Cypherpunk Desert Bus.”
“At the very last moment I bought a plane ticket to somewhere I wasn't planning to go … I immediately went to a car rental, immediately got a car, immediately went off to a computer store to buy the computers off the shelf,” Todd recalled. “I took out the Wi-Fi cards, I didn’t hook up ethernet and I literally ran it in a Faraday cage,” an enclosure to block electromagnetic fields.
“I got aluminum foil and lined a box with it in multiple layers and closed the lid. Aluminum foil really blocks Wi-Fi signals very effectively,” Todd said.
And then Todd just started driving. The logic was that the distance between him and any potential adversaries would help prevent anyone getting close enough to his machine to send commands or exploits.
“If you're in a car hurling down on the highway, it's really hard for the NSA agents who had no idea you were going to do this to actually follow you,” Todd said. “I also had cameras on the car in the front and back. So had someone tried to do that, I'd get them on camera.”
The ceremony was also written up in Fortune and documented in an episode of the "Radiolab" podcast. These accounts focused on the involvement of Zooko and his brothers, and the Fortune piece reads like something of a sci-fi fantasy novel, complete with wizards’ hats and “crackling conflagrations” of lighter fluid melting computing equipment.
But the most mysterious part of the ceremony was the participant known as John Dobbertin, whose real identity had remained unknown until today. Aside from Snowden, Todd and the Wilcox brothers, Peter van Valkenburg of the Coin Center think tank and security engineer Derek Hinch (then with contractor NCC Group, now at Amazon) took part in the proceedings.
“When it came to this concept that they needed many people in many places all cooperating, in the hopes that just one of them might not be compromised, might not work sort of against the public interest, and that that was necessary for the ceremony to succeed, I was happy to say, ‘Sure, I’ll help,’” Snowden recounted in his interview with Zcash Media.
Regardless of whether you light your equipment on fire afterwards or include one of the world’s best-known privacy advocates, and no matter how secure all the participants were, there is no way to know after the fact whether the ceremony succeeded or not.
“All I can do is run a piece of software honestly, on a computer that's clean, and then do my best to prevent the computer from being wiretapped,” Todd said. “Unfortunately, on that software, there are lots of ways someone could have surreptitiously changed it so that the number itself would not have been created randomly.”
There are roundabout ways we can tell that extra ZEC hasn’t been created, due to supply being audited during pool migration.
Two years after the original “Sprout” pool was set up, a new pool called “Sapling” was created, with significantly improved technology, and a ceremony that included hundreds of participants. We can tell that the coins that have migrated to the new pool do not exceed the amount of ZEC that is meant to exist.
Furthermore, the network will reject any transactions that exceed the amount of ZEC that the pool is meant to contain. Despite this assurance, and the hard supply cap of 21 million units that Zcash inherited from the bitcoin codebase, it still doesn’t provide 100% proof that the ceremony succeeded.
So ZEC researchers figured out how to get rid of the trusted setup, and at the end of May the team plans to launch a third pool with their Halo upgrade.
This pool, known as Orchard, would not require a trusted setup, and as coins migrate there, the systemic risk will be eliminated, Nathan Wilcox said.
According to his brother Zooko, Snowden wasn't the only controversial figure who aided Zcash early on.
“When we were designing the setup ceremony, I visited Julian Assange in the Ecuadorian embassy in London and asked for his advice on how to design it," Zooko Wilcox said. The WikiLeaks founder "advised us to emphasize and prioritize the part about air-gapping the compute nodes, which we did.”
UPDATE (April 27, 20:22 UTC): Adds detail about Assange.
UPDATE (April 27, 20:47 UTC): Corrects name of upcoming pool (it is called Orchard, not Orchid).
UPDATE (April 28, 17:13 UTC): Adds video of Snowden from Zcash Media to first section.
The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups. As part of their compensation, certain CoinDesk employees, including editorial employees, may receive exposure to DCG equity in the form of stock appreciation rights, which vest over a multi-year period. CoinDesk journalists are not allowed to purchase stock outright in DCG.