Transcript from Sprout MPC Restored


The protocol transcript (and other assets) from the original Sprout MPC have been restored to our S3 bucket. Check out the repository for more information. I currently can’t archive these on the Internet Archive or put a torrent up, but I hope this will happen soon.


The “Sprout” MPC ceremony took place over two years ago and produced the parameters used by the original “Sprout” shielded addresses in Zcash. We have since replaced these parameters with much more secure parameters produced in a newer and much larger ceremony. You can read more about that here. Our new “Sapling” shielded addresses use parameters built in the same ceremony.

If you’re interested, you can use the protocol transcript from that ceremony to verify that the parameters initially deployed in Zcash were constructed correctly.

Contrary to what I’ve seen people say recently, you do not need to verify the transcript to ensure that your privacy holds. (This would be unacceptable, considering verification of the transcript is expensive.) Our particular construction depends only on a property in the proving system (witness indistinguishability) that can be trivially guaranteed to hold without access to the transcript. I hope to write a blog post about things like this soon.


The transcript was hosted publicly on an S3 bucket for about 18 months after the original launch of Zcash, but it was deleted or cleared out earlier this year. Probably due to its size, it was never archived on the Internet Archive. I began looking for a backup copy after some drama on Twitter appeared last month.

I once had a backup of the transcript, but the backup was on a laptop that had since been wiped. Others at the company were under the impression I had a backup, so I take responsibility for the delay. We were unable to find anyone that kept a copy of the transcript, because most that had downloaded it later deleted it due to its size. This meant that we had to reconstruct the transcript from the DVDs of the participants.

Because all of the participants archived their discs, we achieved this. :partying_face: Special thanks to Nat Kramer for recovering archives of the DVDs from Derek Hinch’s station, and Saleem Rashid for helping us recover Peter Todd’s DVD images. Thank you also to Andrew Miller and John Dobbertin for uploading their DVDs. And thank you to everyone else who looked for a copy on their computers!


When people started asking me about this, I had to think more carefully about what the transcript is good for. As Sean mentioned, it turns out not to be necessary to make sure you’re getting privacy, but what is it necessary for? It doesn’t prove that the six original participants of the original ceremony didn’t collude to combine their six precursors and generate the toxic waste. (No mathematical proof could possibly prove that.) So what is it needed to prove?

Finally, with the help of Sean and Ariel Gabizon, I came to understand: the point of the transcript is to prove the linkage between the six participants’ publicly posted hashes of their part in the ceremony, and the resulting public parameters used in the Zcash 1.0 “Sprout” between October 2016 and October 2018. If you don’t have the transcript, you can’t verify that those six public hashes match the original parameters, which means someone (for example, someone who had hacked into one of the Zcash Company’s laptops) could have substituted their own parameters (for which they could have the toxic waste) in place of the parameters that the six participants collectively generated.

So, now that the transcript has been restored, go forth and use it to check that the original parameters used in Zcash 1.0 match the hashes published by the six different participants. :+1:


Getting access denied on S3 bucket still.


Yeah, permissions issue I think. I fixed it as far as I can tell.


One can mirror these transcript files with ipfs:

ipfs pin add QmNN3TfF7ZeLHBzhDWaX14vUZ7UKL5T5aYFdtobJf7gRw8