Listen up, super-villains and laboratory mice!
Outlined in this post is a master plan for how to "take over the world!" — by compromising Zcash.[1]
The potential consequences of compromising Zcash's trusted setup range from the fairly benign (someone buys themselves a private island) to the cartoonishly evil. The worst-case scenario is literally people dying. Maybe even a lot of people.
For those who understand, this is not news:
But to most people this is news, and it is wrong to advertise a cryptocurrency without informing them of the potential consequences. Don't expect the existence of our posts to be sufficient, for our voice has limited reach.[2]
If it's ever discovered that Zcash's trusted setup was compromised, the entire blockchain would probably be thrown out (and/or lose its value) because it would mean the whole thing is full of funny-money and nobody knows who has it or how much there is.
In the event of compromise, loss of money ($) following discovery of compromise is the best-case scenario. The worst-case scenarios occur when nobody finds out.
In the rare instance this problem is mentioned, it is referred to as "secret inflation" — a notion misleading to the point of being wrong. If the U.S. Government prints $1 trillion in secret (meaning: nobody knows about it), then sure, technically "monetary inflation" occurs, but it has no immediate effect on the value of the dollar, and it might never have a noticeable effect. Those dollars are just as capable of financing wars as all other dollars, and their impact on the value of the token can be masked by any growth in the value of the currency.
It's also very important to understand that compromising the trusted setup grants a general power, not just a monetary one: whoever holds the setup's secret parameters (the "toxic waste") can forge proofs of false statements that every verifier accepts as true. Counterfeit coins are but one result of that power.
So please: don't just call it "secret inflation". Call it what it is: a potential "calamity" or "weapon of mass destruction"—not some euphemism but something that gets across the worst-case potential.[3]
Step-By-Step Instructions For World Domination
Don't let fancy whitepapers fool you: the "at least one honest participant" thing in Zcash's trusted setup is security theater. The guarantee only holds if that honest participant's machine, toolchain, and randomness are also uncompromised, and that is exactly what a capable attacker goes after.
This is all it takes to compromise everyone involved:
- Task a few professional saboteurs with infiltrating the Zcash team (governments were potentially aware early on), or conduct surveillance of the team's communications.
- Learn their plans for the trusted setup.
- Use one or more of a variety of available methods to compromise the setup. This list is by no means comprehensive:
  - Insert a vulnerability into the code or one of its dependencies (since everyone will be running the same code).
  - More sneaky: compromise one of the tools that's used to build Zcash, so the code looks fine but the binary has a "surprise" (Thompson's "trusting trust" attack).
  - Modify the binaries after they've been generated and verified.
  - Use a hardware backdoor in the CPU (or a handful of 0-days) to root everyone's machine and sabotage all attempts at detection.
- Assist in the advertising of the now-permanently-compromised magic internet money. “Trust us. It’s private. And it’s safe—we’ve got Matthew Green!”
Congrats, you are the proud new owner of a fancy new form of anonymous digital cash that people think is safe and is advertised as being decentralized. Obviously, now that you control pretty much the entire monetary supply it's not really decentralized, but nobody has to find that out if you play your cards right. Zcash's crypto-magic will do its best to keep your little secret.[4] 🙂
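To make concrete what "at least one honest participant" does and does not buy you, here is a toy model of a multi-party "powers of tau" ceremony. It is added to this post as an illustration and is not Zcash's ceremony code: it uses a tiny prime-order group (the constants P, G and ORDER are toy parameters chosen for the demo) instead of a pairing-friendly curve, tracks only the first CRS element g^tau, and the function names are ours. The structure it keeps is the one that matters: each participant multiplies a fresh secret share into the exponent, the toxic waste tau is the product of every share, and the secrecy of tau rests entirely on at least one share never leaving its participant's machine.

```python
"""Toy model of a multi-party "powers of tau" ceremony and how it fails.

Added to this post as an illustration; it is NOT Zcash's ceremony code.
It uses a tiny prime-order group instead of a pairing-friendly curve and
tracks only the first CRS element g^tau, but the structure is the same:
each participant multiplies a fresh secret share into the exponent, and
the toxic waste tau is the product of every share.
"""
import secrets

P = 2**31 - 1      # toy prime modulus (far too small for real use)
ORDER = P - 1      # exponents are reduced modulo the group order
G = 7              # 7 is a primitive root modulo 2^31 - 1


def contribute(prev_pub, share=None):
    """One participant's turn: raise the running public value to a fresh share.

    Returns (new_pub, share). The share is what the participant must destroy.
    If it leaks, the attacker holds one factor of tau.
    """
    if share is None:
        share = 1 + secrets.randbelow(ORDER - 1)   # uniform in [1, ORDER - 1]
    return pow(prev_pub, share, P), share


def run_ceremony(n_participants, fixed_shares=None):
    """Chain g -> g^s1 -> g^(s1*s2) -> ... and return (final_pub, shares).

    A real ceremony never collects the shares anywhere. They are returned
    here only so the attack below can simulate what rooted machines reveal.
    fixed_shares lets a caller replay a ceremony with known values.
    """
    pub, shares = G, []
    for i in range(n_participants):
        chosen = fixed_shares[i] if fixed_shares else None
        pub, s = contribute(pub, chosen)
        shares.append(s)
    return pub, shares


def reconstruct_toxic_waste(leaked_shares):
    """What the attacker computes from whatever shares they stole."""
    tau = 1
    for s in leaked_shares:
        tau = (tau * s) % ORDER
    return tau


def attacker_holds_toxic_waste(final_pub, leaked_shares):
    """True iff the stolen shares reproduce the published g^tau exactly.

    Missing even one honest share leaves the attacker with g^(partial product);
    recovering the missing factor from that is a discrete-log problem.
    """
    return pow(G, reconstruct_toxic_waste(leaked_shares), P) == final_pub


if __name__ == "__main__":
    final_pub, shares = run_ceremony(6)
    # "At least one honest participant" holds: one share was never stolen.
    print("5 of 6 shares stolen:", attacker_holds_toxic_waste(final_pub, shares[:-1]))
    # Every machine rooted: every share stolen, tau is fully recovered.
    print("6 of 6 shares stolen:", attacker_holds_toxic_waste(final_pub, shares))
```

The point of the two runs at the bottom is the whole argument of this section: the math only protects tau while some share is unknown to the attacker. The attacks listed above (a backdoored dependency, a poisoned build tool, swapped binaries, rooted machines) all end the same way, with every participant's share exfiltrated before it is destroyed, and at that point "at least one honest participant" is a statement about intentions, not about secrecy.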
Zcash developers acknowledge these risks:
Auditing Isn't Enough
I have to admit that I failed to make adequately clear in our previous post that an audit is not enough. That post was written before I realized the (now obvious) central point of failure in Zcash's trusted setup, and before I watched multiple experts look at and fail to detect the bug that caused the fallout from Ethereum's "The DAO".
This situation, however, is far more serious than The DAO. Zcash's code is several orders of magnitude larger and more complicated, and the consequences of failure are several orders of magnitude bigger.
In Zcash's current state: it is impossible to know whether a successful attack occurred. Unless a saboteur turns whistleblower, we'll know it was compromised only after damages have occurred. And the more valuable Zcash is, the more dangerous it is. There is no "Undo" button.
There are some things you simply cannot audit sufficiently for. This is one of them.
Why Nation States Are Most Likely Targeting Zcash
Zcash's potential value and its trusted setup create a very strong incentive for nation-states to attack it. If you're a nation-state and one of your adversaries might get their hands on a dangerous weapon, then you have three choices:
- Prevent anyone from getting it.
- Get your hands on it first.
- Develop your own version of the same thing (or worse).
Make no mistake: as long as Zcash is considered valuable, whoever compromises Zcash holds the key to a very dangerous weapon.
Zcash Team On Defending Against Targeted Attacks
Before they decided to take on targeted attacks from nation-states, some of the current members of the Zcash team had this to say about attempting that very thing:
"a targeted attack on a user would probably defeat any encryption tech available today."
"It does not help if you are specifically targeted."
Matthew Green's thoughts
"You can't secure against targeted attacks."
Both agree, you shouldn't trust it:
Privacy Without Calamity
All of this is worth it though because there's no alternative, right? (Right??)
There are a bunch of fantastic new privacy solutions out there and in the works, some of which can be used to fix Zcash, and some that can be implemented today on top of the existing Bitcoin blockchain:[5]
- Update February 6, 2017: STARK!
- Ring Confidential Transactions
- "Chinese New Year reset"
- TumbleBit (needs review!)
What there is not enough of is the common sense to use those instead.
There Are Some Things Responsible Adults Don't Do
- Tossing a loaded gun into a school yard.
- Operating heavy machinery while intoxicated.
- ...[a million other items]...
It feels strange having to re-emphasize this last one:
- Begging nation-states to take invisible control of your no-longer-decentralized magic internet money to secretly finance their dirty business… for no good reason.
When a digital weapon falls into the wrong hands, what does Matthew Green have to say?
You really have to wonder what kind of human being says "this is how I want to make my money". pic.twitter.com/pruQSkqvQ5— Matthew Green (@matthew_d_green) August 25, 2016
One More Thing...
It's interesting to see Zooko publicly acknowledging these sentiments:
He's a great guy and part of me wonders if those notifications are an indication of a cry for help, but whatever the case, one thing is clear: we cannot be the only ones talking about this.[6] So please speak up, demand better, and ask the Zcash team to follow their own advice.
Thanks to John Light, Andrea Devers, and Simon Grondin for reviewing this post. You can follow the author and the turtles.
Writing these posts takes time and money!
Please support our work by donating.
[1] Success not guaranteed, especially in the case of laboratory mice.
[2] In part because journalists have been disappointing failures when it comes to covering Zcash's trusted setup, in part because the Zcash team has done their best to avoid the topic or use jargon to obscure and downplay the risk and consequences of what they're doing, and in part because our blog post and tweets on the topic have likely been censored and throttled on social networks.
[3] It's incredible how the media manages to sensationalize the inappropriate, and then downplay the sensational.
[4] Worth noting that this situation also places your life in danger.
[5] These likely have tradeoffs of their own. We haven't reviewed any in enough depth to give our full endorsement, but we include them to invite further review, encourage outside-the-box thinking, and to illustrate the many options for addressing blockchain privacy.
[6] Kudos to those who start threads like this, but it is not enough. We need more people, and especially the cryptocurrency/news media, to step up and point out that these serious problems must be fully addressed before Zcash launches. Don't complain about how "the world is messed up" if you could do something about this but choose to sit on your butt instead. Failure to act says we're incapable of regulating ourselves and are therefore in need of "adult supervision".