The Zcash Blockchain and the Art of Security Theater

Rage Review : Security theater refers to a display of security measures, but there is a lack of or even no actual execution process. The price of Zcash, a blockchain-based digital currency, soared in a short period of time after its release. In the context of frequent loopholes in blockchain projects, it is inevitable to cause concern. For this reason, the blockchain field also conducted such a ceremony - security theater. But as the author said, this ceremony relies on people's trust in Zcash. But in order to ensure the effectiveness behind this ceremony, the development team will continue to upgrade Zcash's security measures.

Translation: Annie_Xu

Bitcoin Core developer Peter Todd burned the computer he was working on to develop Zcash to prevent anyone from recovering the data, with cameras following him. He then packed up the burned components and took them to the birthplace of the digital currency.

Only six people in the world perform this unique ritual, which Todd blogs about over several weeks.

If this security measure works as expected, it could prevent anyone from using keyboard input records stored on a computer to issue counterfeit digital currency that could be mistaken for the real thing.

Maybe you think these measures are totally unnecessary, but you must not be familiar with the big events in this field. Within two weeks of Zcash’s launch, its market value jumped from zero to $3.2 million, which is a growth rate of $200,000 per day. Compared with other digital currencies, it is enough to make you exclaim that anything is possible.

The problem is, there is currently no way to prove the effectiveness of this ritual.

Todd said that with a little work, hackers can quietly confirm the keystrokes on a personal computer through radio signals, traditional cameras, satellites or other means. Then they can just repeat every step of the ritual exactly and create Zcash out of thin air like magic. But Zcash has zero-knowledge proof, so there is no need to worry about this problem.

This ritual is called "safety theater," which comes from an article by safety expert Bruce Schneier, who defines it as "safety design that makes you feel safer."

But it is also a deterrent.

There are many examples of this, such as RFID bracelets used by hospitals to prevent child abduction, and countries conducting military demonstrations to give citizens peace of mind.

But the Zcash ceremony highlights a core element of security theater: trust. Are RFID bracelets really useful, or are they more than just nicely printed plastic strips? Do fighter jets in military exercises have warheads, or are they just empty shells?

As Todd said, this safe theater is meaningless if the audience doesn't trust the performers.

Peter Todd

Although Todd’s blog post has not been published yet, we have seen the introduction of the blog post.

“The following content does not change the fact that you trust me and the other five participants did not collude. There is no way for myself and other participants to prove to a third party that we did not secretly keep the key. If you doubt your trust in me, then please stop reading immediately.”

Trust and trustlessness

So do you trust Todd, Zcash advisor Andrew Miller, Peter Van Valkenburgh, Zcash CEO Zooko Wilcox, and two other unnamed participants?

Although Zcash uses a trustless protocol, this ceremony adds an element of trust in order to achieve the anonymity that the developers originally intended.

“Even if it’s perfectly executed, it still doesn’t eliminate the concerns that people have about whether these six people can be trusted or can be immune to outside influence,” said Greg Slepak, founder of email security solutions company Tao Effect and the nonprofit okTurtles (Ensuring Decentralized Technology Works for the Good of People).

Slepak was one of the first to question Zcash’s “trusted configuration,” arguing that security theater did not serve its purpose of deterring hackers.

Slepak’s blog in March detailed concerns about the Zcash launch and called on the Zcash team to immediately disclose potential risks of the so-called “trusted configuration.”

In September he published another account of the many incentives that could lead third parties to disrupt this configuration, specifically citing concerns that government intelligence agencies would not give up their monopoly over alternative currencies.

Of course, he still had some faith in the expectation that the central bank would withdraw from the financial sector in the future, so the media reports ignored his warning.

“It’s basically become a taboo and nobody wants to talk about the elephant in the room,” Slepak said. “It’s so bad and so outrageous that nobody wants to take a second look at it or bring it up.”

Six shards combined

Slepak’s comments have left people teetering between fears of Zcash’s collapse and conspiracy theories.

For this purpose, we analyze Zcash.

Zcash is based on a fork of the Bitcoin blockchain, but unlike Bitcoin, it uses a cryptographic tool called zero-knowledge proofs (zk-SNARKs) to allow counterparties to conduct anonymous, or “zero-knowledge” transactions.

If the counterparty is anonymous, the actual transaction amount will also be kept confidential. Therefore, the counterparty's authorization must be obtained to track or audit the transaction. This requires adding randomness to the system, which is why the security theater scene appears.

Although the entire ceremony was explained before the release of Zcash, the complexity of the process was revealed to us in Todd's blog afterwards.

If Todd is to be believed, it is certain that Wilcox initially invited him to witness the ceremony via an unencrypted Twitter message.

Later, out of concern for the security of private communications, Todd received a short document, "Zcash Multi-party Computation Instructions." The document lists the technical specifications of the software, software download instructions, and steps to burn the DVD data.

This ceremony is called multi-party computation (MPC), and it was these six people who witnessed the ceremony who created the public key of Zcash according to the instructions.

The final result of the experiment was that six people each generated a public key shard, and these DVDs stored one-sixth of the key.

The Zcash documentation says these shards are toxic waste.

Zcash describes the ceremony like this.

"The MPC protocol allows at least one participant to successfully delete the key shard, and these toxic wastes cannot be reconstructed. Unless any participant in the protocol is dishonest or attacked."

Todd estimates that the chances of completing the ritual safely are between 50 and 90 percent.

"Remember, only one of the six shards is needed for the ritual to succeed."

Cryptocurrency Cold War

So who will destroy Zcash?

There are always bad guys in the world. But Slepak said that identifying all the shards would require a lot of resources, and there are only two factors that can incentivize such behavior.

The first is for money. Assuming Zcash becomes popular, the right to issue it will be very tempting. But Slepak said that Iron Man is probably the only person in the world who has the technology and resources to do so.

The real risk comes from national intelligence agencies or other government departments.

The government wants to attack Zcash for two reasons. First, the widespread circulation of Zcash has the potential to undermine the government's currency monopoly. Second, even if they do not do so, other governments will do so.

The dynamic result is what is known as the situation in game theory. That is, if one country strikes first, the other country will inevitably imitate this behavior.

"If another country attacks them, they have the digital and financial weapons to strike back."

Security Dilemma

Steve Ehrlich, a former senior intelligence analyst at the US Defense Intelligence Agency, said Slepak's concerns are actually a zero-sum game of international security. That is, the gain of one part of the system means the loss of another part. This situation reminds him of the "security dilemma", in which the defender gives others a false impression of attack.

For example, the United States deployed a missile defense system in Eastern Europe to protect the NATO alliance from the threat of Iranian missiles, but this made Russia worry that this would affect its nuclear deterrence.

Ehrlich is skeptical of Slepak’s concerns. “All of these predictions are based on the assumption that Zcash will gain global traction. We all think that this assumption is not very tenable.”

According to the World Bank, even Bitcoin, which currently has the highest market value, only accounts for 0.01% of the global GDP. So the market value of Zcash is even smaller.

Erhlich therefore believes that the government will only choose to learn from it rather than attack it.

“I think the government will study Zcash’s technology, just like it did with Bitcoin, to assess its strengths and weaknesses and prevent it from being used for illegal purposes.”

Not perfect, but . . .

Zcash’s Zerocash protocol was exposed to potential vulnerabilities early on.

Zooko Wilcox

In February 2016, Wilcox published a message on the Zcash blog, explaining how to generate SNARK security parameters and how to perform the ceremony. Finally, he concluded, "We think this solution is feasible."

"Unfortunately, after that incident, there is no way to verify its effectiveness."

Slepak is concerned that zero-knowledge proofs will make it impossible to distinguish legitimate tokens from counterfeit ones.

“That’s dangerous because if the token is priced based on a maximum supply, these fake coins will affect the price.”

One of the developers of the Zerocash protocol says Zcash does have room for improvement. But Alessandro Chiesa says he’s not worried.

Chiesa and the Zerocash team are developing zero-knowledge proofs that do not require trust, hoping to fix the vulnerability, but trusted configurations can be an obstacle.

Regarding Todd's 50% chance estimate, Chiesa said:

"If someone collects the keys of six people, they will do bad things. That's why this ritual is performed, but I don't think it has any effect."

High risk

Wilcox explained why he was concerned about safety and believed it was just a blip.

Simply put, the longer blockchain works, the less people will worry about it.

The only way to completely eliminate this concern is for the funds on the blockchain to accumulate slowly over time without any hacker attacks. The Zcash team has said that it is still investigating whether there are any system attack risks.

Wilcox added:

"I believe this ceremony successfully generated the public key and there are no extra harmful keys."

To speed up the dispelling of doubts, Zcash is preparing to release a video of the ceremony to give us a direct feel of the specific security measures. Chiesa said that the upgrade will be carried out next year.

But Slepak believes that when billions of dollars enter the Zcash blockchain in the future, perfection must be achieved.

Organizations and national intelligence agencies that pose a potential threat to Zcash could result in more than just a loss of funds.

Slepak said the worst-case scenario is not the demise of new cryptocurrencies, but rather the continuation of a centralized money supply strategy by the existing financial system.

Regarding the possibility of Zcash being attacked after it becomes popular, Slepak said that we only need to observe the current system, that is, a small number of people control the global currency supply.

“They can control all the citizens and use their money to make them suffer, such as in a large-scale war between countries. So the worst case scenario for Zcash is war, where a lot of people will die, which is terrible.”