The “Sprout” MPC ceremony took place over two years ago and produced the parameters used by the original “Sprout” shielded addresses in Zcash. We have since replaced these parameters with much more secure parameters produced in a newer and much larger ceremony. You can read more about that here. Our new “Sapling” shielded addresses use parameters built in the same ceremony.
If you’re interested, you can use the protocol transcript from that ceremony to verify that the parameters initially deployed in Zcash were constructed correctly.
Contrary to what I’ve seen people say recently, you do not need to verify the transcript to ensure that your privacy holds. (This would be unacceptable, considering verification of the transcript is expensive.) Our particular construction depends only on a property in the proving system (witness indistinguishability) that can be trivially guaranteed to hold without access to the transcript. I hope to write a blog post about things like this soon.
The transcript was hosted publicly on an S3 bucket for about 18 months after the original launch of Zcash, but it was deleted or cleared out earlier this year. Probably due to its size, it was never archived on the Internet Archive. I began looking for a backup copy after some drama on Twitter appeared last month.
I once had a backup of the transcript, but the backup was on a laptop that had since been wiped. Others at the company were under the impression I had a backup, so I take responsibility for the delay. We were unable to find anyone who kept a copy of the transcript, because most who had downloaded it later deleted it due to its size. This meant that we had to reconstruct the transcript from the DVDs of the participants.
Because all of the participants archived their discs, we achieved this. Special thanks to Nat Kramer for recovering archives of the DVDs from Derek Hinch’s station, and Saleem Rashid for helping us recover Peter Todd’s DVD images. Thank you also to Andrew Miller and John Dobbertin for uploading their DVDs. And thank you to everyone else who looked for a copy on their computers!
When people started asking me about this, I had to think more carefully about what the transcript is good for. As Sean mentioned, it turns out not to be necessary to make sure you’re getting privacy, but what is it necessary for? It doesn’t prove that the six original participants of the original ceremony didn’t collude to combine their six precursors and generate the toxic waste. (No mathematical proof could possibly prove that.) So what is it needed to prove?
Finally, with the help of Sean and Ariel Gabizon, I came to understand: the point of the transcript is to prove the linkage between the six participants’ publicly posted hashes of their part in the ceremony and the resulting public parameters used by Zcash 1.0 “Sprout” between October 2016 and October 2018. If you don’t have the transcript, you can’t verify that those six public hashes match the original parameters, which means someone (for example, someone who had hacked into one of the Zcash Company’s laptops) could have substituted their own parameters (for which they could have the toxic waste) in place of the parameters that the six participants collectively generated.
So, now that the transcript has been restored, go forth and use it to check that the original parameters used in Zcash 1.0 match the hashes published by the six different participants.
Sure, that’s a fair suggestion. I’ll add it to my TODO, although again, because I do not understand the math, I cannot vouch for it, and also, I feel there is just something fundamentally questionable about trusted setups of any sort that are done in the past. It’s asking a lot of faith from future generations.
And if you’ve studied that in any serious depth you’ll see how much that’s cost us. Why go through all this trouble to repeat another karmic cycle? At least improve on the old one!
Turnstile offers little protection. I do like that Zcash has stated their intent on getting rid of the trusted setup though, that seems like a genuine security improvement (plus STARKs are post-quantum safe allegedly).
Hmm. That’s a good question, how is it possible to analyze systems one only partially understands?
Well, I could pick a variety of analogies. For example, I might not know exactly how a Toyota Prius works, but I do know that it would be foolish to try to carry a full-sized house with it.
I might not know exactly how my computer works, but I know it would be silly to try to make a salad with it.
One does not need to know every single thing about a system in order to make statements about it. Even the authors of the Zcash paper did not fully understand what they wrote, leading to potentially disastrous consequences.
Sidenote: there’s something that’s unclear to me from the post. Is it possible for someone to be counterfeiting right now in the Sprout pool, @ebfull?
That’s correct, it definitely doesn’t have that vulnerability. Note that Groth16 (the new system) is much better supported by security proofs; actually it has two independent proofs of the precise variant, including the setup MPC, that we are using.
BCTV14 (the system with the vulnerability) was never proven secure; its informal security argument relied on similarity to the earlier PHGR13 system. We used it in Zcash because the Zerocash paper used it, and because it was the most practical system to use at the time; PHGR13 was not defined for asymmetric pairings and so there was no option to fall back to it without potentially introducing other security problems.