Who is the trusted prover?


#1

I am curious, zk-SNARKs seem to depend on a trusted third party to provide the proof that the pours are valid and the other parties have to trust them to be correct. Am I understanding this correctly?


#2

No, there is no trust required in parties who generate proofs. A proof is needed in order to spend a Zcash note, and anyone who holds currency can do so, anonymously.

The security issue you may have heard about is the generation of initial parameters. zkSNARK systems require a single set of public parameters called the proving and verifying keys. The proving key is needed in order to generate a proof, and the verifying key to verify one. For systems that are currently practical at the size of circuit needed by Zcash, the parameter generation unfortunately requires intermediate secrets which must be securely deleted. If the parameters were generated by a single party who retained the secrets, they would be able to create false proofs that would pass verification, and thereby forge currency (but not compromise privacy of transactions, except to the extent that they can do so indirectly as a consequence of forging currency).

Our plan is to generate the parameters using a multi-party computation in which every participant would have to collude (or have their computer compromised) in order for the above situation to happen. Zooko's blog post at https://z.cash/blog/snark-parameters.html describes this.
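
The structural point of the post above (every participant contributes a secret, each contribution is publicly checkable, and the trapdoor is recoverable only if every single secret is retained or stolen) as an added, runnable toy example. This is not Zcash's code and not the protocol Zcash actually ran: real zkSNARK parameters live in pairing-friendly elliptic-curve groups and contributions carry pairing-based knowledge proofs. Here a 1024-bit prime-order subgroup of Z_p^* (the RFC 2409 group 2 modulus) stands in for the curve, and a Chaum-Pedersen equality-of-discrete-log proof stands in for the pairing check; the record field names and the function names are my own.

```python
"""Toy multi-party parameter ceremony (added example, not Zcash's code).

Assumptions: a prime-order subgroup of Z_p^* (RFC 2409 group 2, generator 2)
replaces the pairing-friendly curve, and a Chaum-Pedersen proof replaces the
pairing-based contribution check. "Forging" is modelled as recovering the
trapdoor tau with G**tau == final parameter.
"""
import hashlib
import secrets
from math import prod

P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
Q = (P - 1) // 2   # prime order of the subgroup generated by G (safe prime P)
G = 2


def group_sanity_check():
    """G must have order exactly Q; every exponent reduction below assumes it."""
    return pow(G, Q, P) == 1 and pow(G, 2, P) != 1


def _challenge(*elements):
    """Fiat-Shamir challenge over all public values of one contribution."""
    h = hashlib.sha256("|".join(str(e) for e in elements).encode()).digest()
    return int.from_bytes(h, "big") % Q


def contribute(prev_pk, secret=None):
    """One participant's step: raise the accumulator to a fresh secret s and
    attach a Chaum-Pedersen proof that log_G(G^s) == log_prev_pk(new_pk),
    i.e. that one known s was applied. Returns the public record and s
    separately; an honest participant deletes s, a compromised one leaks it."""
    s = secret if secret is not None else secrets.randbelow(Q - 1) + 1
    new_pk = pow(prev_pk, s, P)
    g_s = pow(G, s, P)
    r = secrets.randbelow(Q - 1) + 1
    t1, t2 = pow(G, r, P), pow(prev_pk, r, P)
    c = _challenge(G, prev_pk, g_s, new_pk, t1, t2)
    z = (r + c * s) % Q
    record = {"prev": prev_pk, "new": new_pk, "g_s": g_s, "t1": t1, "t2": t2, "z": z}
    return record, s


def verify_transcript(transcript):
    """Auditor check: chain continuity from G, no degenerate contribution
    (s == 0 mod Q would zero out everyone else's entropy), and a valid
    Chaum-Pedersen proof for every step."""
    expected_prev = G
    for rec in transcript:
        if rec["prev"] != expected_prev or rec["g_s"] in (0, 1) or rec["new"] == 1:
            return False
        c = _challenge(G, rec["prev"], rec["g_s"], rec["new"], rec["t1"], rec["t2"])
        if pow(G, rec["z"], P) != (rec["t1"] * pow(rec["g_s"], c, P)) % P:
            return False
        if pow(rec["prev"], rec["z"], P) != (rec["t2"] * pow(rec["new"], c, P)) % P:
            return False
        expected_prev = rec["new"]
    return True


def run_ceremony(n):
    """Run n participants in sequence. Returns (transcript, final_pk, secrets);
    the secrets list exists only so the tests can model leaks."""
    transcript, kept = [], []
    pk = G
    for _ in range(n):
        rec, s = contribute(pk)
        transcript.append(rec)
        kept.append(s)
        pk = rec["new"]
    return transcript, pk, kept


def recover_trapdoor(final_pk, leaked_secrets):
    """Attacker holding leaked secrets. The trapdoor is the product of all
    secrets mod Q, so the candidate reproduces the parameter iff every
    secret leaked; with one honest deletion the attacker is left with a
    discrete-log problem. Returns tau or None."""
    tau = prod(leaked_secrets) % Q
    return tau if pow(G, tau, P) == final_pk else None
```

The transcript carries everything an auditor needs (each step's input, output and proof), nothing from the secrets, and verification is the exact analogue of the public checks a ceremony publishes for third parties to rerun. A few 1024-bit exponentiations per participant run in milliseconds, so it is cheap to play with more participants or with deliberately degenerate contributions.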


#3

Why not generate a new key pair each block and expire the public keys used in addition to the multiparty computation?


#4

So will that multi-party computation be open to the public to participate?

I think there would be a lot more trust in it down the road if it is an open process from the start and people can for example blog about how they participated, destroyed their private key, etc.