Secure Genesis Block Generation


#1

Hi,
I have a quick question. As I understand it, to generate the main-net genesis block, the ZKSnark protocol needs to be initialized securely because the keys generated at the genesis block must be destroyed or they can be used to de-anonymize the entire blockchain. Is this a correct assertion? Any feedback is much appreciated, if you can provide links to where this is addressed in the literature you get double props :wink:

Pablo.


#2

You are partially correct.
The initial Trusted Setup is required to produce the CRS or Common Reference Strings that produce the two Public proving keys to be used for verifying transactions. The CRS contains a secret backdoor that must be destroyed.
If the Trusted Setup is somehow compromised by a malicious party they could theoretically forge currency, but it would not compromise anonymity of transactions.

See this thread for the whitepaper and discussion: https://forum.zcashcommunity.com/t/is-there-a-whitepaper/24/9


#3

Thank you for your detailed response. Do we happen to know how this generation will be specifically handled on mainnet? I remember there were rumors, I think it was last year that there would be a back door for LEO's but that was later retracted, is that correct?

I appreciate your guidance as I am very interested in ZCash.

Thank you,
Pablo.


#4

I'm not sure what you are referring to about a backdoor for LEO's? There will be no backdoors left in Zcash else it will compromise the entire system.

I do not have confirmation on how exactly they will handle the Trusted Setup, but keep an eye on https://z.cash/blog/ for future announcements.


#5

Ok much appreciated.

About back door: there was an article in either 2015 or 2014 that said ZCash would include a means to de-anonymize transactions for law enforcement requests. It was later retracted and denied but I recall it distinctly. Still, it's clear this is no longer the case. Thank you for the info I will be sure to consider investment once the coin goes live.

Pablo.


#6

Ah, I see what you mean.
I am not aware of the article you're remembering, but there is a feature of Zcash called "Selective Transparency" that allows a party to show proof of a private transaction to another party if they choose to do so.

I'm not sure exactly how it works in practice but here is a video of Zooko explaining the concept behind it:


(fast forward to about the 31min mark for the explanation)

#7

Thanks I will take a look at the video now.

This is an interesting link I found about the need for "Trusted Setup". The way they are aiming to do it seems reasonably sound to me, although I am looking for more up to date info on this issue.

https://z.cash/blog/snark-parameters.html#what-else-can-we-do

http://www.ieee-security.org/TC/SP2015/papers-archived/6949a287.pdf

My original post was wrong vis-à-vis the risk of de-anonymization, I think I mixed up de-anonymization in my head with the back door article I read way back. I acknowledge that is no longer an issue though (don't want you to think I'm trolling or anything :slight_smile: ). Trusted setup is an interesting issue for the coin, I am still going through the paper but I look forward to seeing how it is addressed on launch day.

Pablo.


#8

https://github.com/zcash/zcash/wiki/FAQ#q-will-zcash-contain-a-backdoor :

"Neither Zcash nor any other cryptographic algorithms or software we've made contains a backdoor, and they never will."

I wasn't aware of any article stating otherwise, but if there was then it was not based on well-founded information.