As Zcash approaches the Genesis Block with just one month left until launch many people have been looking into how Zcash technology works. Zcash’s promise to hide not only the sender and receiver but the amount of the transaction has been heralded as the solution to what some see as serious privacy flaws in Bitcoins current implementation.
Like any crypto-currency the Genesis block scheduled for launch October 28th will be the very first block on the blockchain but because Zcash has the ability to hide the information in transactions using Zero-Knowledge proofs, the lead-up to the Genesis block also requires an additional ceremony that creates the parameters for the Zero-Knowledge Proving System. This additional step is what’s commonly known as the “Trusted Setup”. This Trusted Setup has been a very hot topic for months with several articles being written about it and countless Reddit and forum posts debating it.
So what is the Trusted Setup and why should I care?
The Trusted Setup is a vital part of what makes Zcash work. Zcash is the first coin to use a simplified implementation of a new cryptographic proof called zk-SNARKs (SNARKS for short). These SNARKS are the engine that can quickly and efficiently verify a transaction and add it to the blockchain without revealing any details to the public. The tricky thing about these SNARKS is that (like many algorithms) they need to have a one time setup. And the reason that this setup is called the “Trusted Setup” is because you have to trust that whoever generated those keys destroyed them when they were done.
Why do these keys have to be destroyed?
The initial parameter generation for the zk-SNARKS creates the keys that are used to create proofs for private transactions, and to verify those proofs. These keys are the single way for transactions to be proven as good and not forgeries on the global encrypted blockchain. When the keys are first created there is a hidden parameter that links the two keys. It is the secrets used to generate these keys that if not destroyed could be used to forge transactions by false verification thereby giving that person the ability to create unlimited Zcash undetected.
What are the Developers doing about this?
The problem of the Trusted Setup for the Zerocash protocol has been known since it was first invented by Eli Ben-Sasson, Alessandro Chiesa, Ian Miers, Christina Garman, Eran Tromer, Matthew Green, and Madars Virza back in 2014; indeed it has been a known issue for zero-knowledge-based protocols in general. (Unlike other coins that are attempting to use the Zerocash protocol or its predecessor Zerocoin, all of the inventors are still advisors for Zcash and actively work with the team to review and improve the protocol.) Zooko and team have just begun rolling out the actual method that they will use to generate the Trusted Setup and you can see the math behind it in this blog post https://z.cash/blog/generating-zcash-parameters.html
Now if you are like me that post is difficult to understand because I do not know the equations. But it can be summed up as Secure Multiparty Computation in which multiple people each generate a “shard” of the public/private keypair, then they each destroy their shard of the private key, and then they all bring together their shards of the public key to to form the Snark public parameters. You can read the entire whitepaper about this process here.
As we get closer to launch I’m sure we will have more details about who will be involved, and when the Trusted Setup will take place. But I’m not expecting a full detail on the Trusted Setup until the very last minute/day because of the possibility of attackers wanting to undermine the system. I do know that Zooko and his team are working to make it as transparent as possible without compromising security.
-Thank you to Daira Hopwood for technical correctness
8 thoughts on “Zcash and the Trusted Setup”
Comments are closed.