
zk-SNARK Glitch Could Result In Crypto Double Take

Trusted setups and cryptographic assumptions could make it a target for malicious agents.


Fundamental flaws with zk-SNARKs, the privacy algorithm used in Zcash (ZEC), may allow malicious agents to mint additional tokens, according to the COO of a rival privacy coin.

Reuben Yap, the Chief Operating Officer at Zcoin (XZC), says that unproved cryptographic assumptions and possible bugs with zk-SNARKs place blockchains using the algorithm – like Zcash – at a security risk. Believing it to be a “very real threat,” hackers may be able to exploit this weakness, enabling them to double-spend on the network, Yap argues.

“The main disadvantage of zk-SNARKs… is the fact they [sic] rely on relatively new cryptographic security assumptions,” Yap said, in an email exchange with Crypto Briefing. “A flaw in the cryptography…will allow an attacker to create coins out of thin air without being detected.”


What are zk-SNARKs?

zk-SNARK, short for zero-knowledge succinct non-interactive argument of knowledge, is an algorithm that can check the validity of a transaction while simultaneously keeping confidential or personal information private, otherwise known as zero-knowledge.

Zcash was the first coin to use zk-SNARKs, but other cryptocurrencies have expressed interest. Platform network TRON (TRX) announced plans to integrate the algorithm in early December.


What are the vulnerabilities?

The zk-SNARK algorithm rests on an assumption known as the first Knowledge of Exponent Assumption – KEA1. Formulated more than a decade ago, it simply states that transactions must be correct if they have a certain output. This is what makes zero-knowledge privacy possible.

KEA1 is the linchpin for zk-SNARKs and the foundation for any blockchain which uses the algorithm. KEA2, a later cryptographic assumption, was conclusively falsified in an academic paper published in 2004.

Yap admits that no one has yet managed to break KEA1, but that doesn’t mean it’s completely watertight. Now that billion-dollar networks use zero-knowledge tech – with more looking to adopt it – there are obvious incentives for malicious agents to break it.

Someone able to crack KEA1 would have an unrestricted ability to print tokens and double-spend at will, without anybody knowing. “If the assumption breaks, then the cryptography breaks. If the cryptography breaks then it would be possible to fake proofs and potentially more,” Yap wrote.


Are trusted setups…’trustworthy’?

Other figures have expressed concern over zk-SNARKs, mostly around the need for a ‘trusted setup.’ A trusted setup is an event where cryptographers create a public key, needed to generate and verify proofs, and destroy the associated private key to prevent malicious actors from subverting the protocol.

Cryptographers from all over the world participate, each of whom has a small part of a private key. A public key is assembled from the numbers, whereas fragments of the private key – known as “toxic waste” – are destroyed.

Anyone with access to the private key would have been able to mint tokens at will. Therefore, there is a significant incentive for someone to create a backdoor.

Zcash went to extreme lengths – even destroying the computers involved in the original 2016 ceremony – to ensure all parts of the private key were destroyed. However, oversights – like the fact that part of the software was not verified, and only released a day before the ceremony – could put the network in peril.

Developer Peter Todd, who participated in the 2016 ceremony, says that a compromise in the trusted setup would also compromise privacy. He believes the network’s parameters can be constructed in such a way that “absolutely can wreck privacy:”


This could throw wrenches into the works of a currency mainly distinguished by enhanced anonymity. “What’s at stake here is that if the parameters were not destroyed correctly, someone can create coins out of thin air without being detected,” Yap wrote. “If the ceremony was compromised, the overall privacy may be broken, unveiling transaction and user details.”


“Above my paygrade”

Zcash is known as a privacy protocol, but few transactions used zk-SNARKs until quite recently. Prior to the Sapling update, the algorithm took significant computational power, making transactions prohibitively expensive.

Sapling, which went live in late October, drastically reduces the amount of computational power required, even making it possible to send zk-SNARKs-enabled transactions from mobile devices.

Zcash has also been added to some of the most exclusive cryptocurrency exchanges. Coinbase only listed the privacy coin at the end of November. Gemini’s ZEC-USD trading pair is popular, with a trading volume worth $250,000 in the past 24 hours, according to CryptoCompare.

Crypto Briefing reached out to other developers to ask for their thoughts on zk-SNARKs. One of the few to get back to us was Vitalik Buterin. He had said earlier this month that zk-SNARKs had the potential to scale Ethereum (ETH) up to 500 transactions per second.

When Crypto Briefing asked him whether the KEA1 assumption represented a potential vulnerability, he said this was beyond his area of expertise. “[A]ssessing security of elliptic curve cryptographic assumptions is above my paygrade,” the Ethereum co-founder wrote.

With more people involved in cryptocurrency than ever before, the risks of someone detecting a backdoor become quite a bit higher.

That leaves us wondering: could the sector be sleepwalking into a significant security risk?


The author is invested in digital assets, including ETH which is mentioned in this article.


1 Comment
  1. Daira Hopwood says

    Peter Todd’s claim that a compromise of (either of) the Zcash trusted setups could compromise privacy is incorrect. I think it arises from a misunderstanding due to the fact that the files needed to verify Zcash’s “Sprout” setup were temporarily unavailable. They are now available here: https://github.com/zcash/mpc

    The problem with KEA2 can be described in a single paragraph:

    “At an intuitive level, the weakness in KEA2 is easy to see, and indeed it is surprising this was not noted before. Namely, consider an adversary A that on input q, g, g^a, g^b, g^{ab}, picks c1, c2 in some fashion, and outputs (C, Y) where C = g^c1 (g^a)^c2 and Y = (g^b)^c1 (g^{ab})^c2. Then Y = C^b but this adversary does not appear to “know” c such that either g^c = C or (g^a)^c = C.”

    In other words, this was a completely elementary mistake (not the only one) by the authors of the paper introducing KEA2. There’s no reason at all to believe that this has any bearing on the reasonableness of KEA1, which is a much simpler, older, “common-sense” assumption. In practice, an attack on KEA1 would call into question the whole basis of discrete-log cryptosystems, whereas the attack on KEA2 is only worth a bit of eyerolling that the paper introducing it even got through peer review. Don’t be confused by the similarity of names.

    I’d also like to say something about the criticism of knowledge assumptions as being “non-falsifiable”. First of all, the Bellare and Palacio paper *does* “falsify” KEA2 (conditionally). So “non-falsifiability” of an assumption in the technical sense used in the cryptographic literature, certainly does not mean that no evidence can be provided either for or against its reasonableness. In this sense there’s no hard distinction between assumptions that are called “non-falsifiable” and those that are not. In addition, there’s no substantial difference in principle from other *very widely used* security models that are incomparable to the standard model. That is, making a KEA assumption is similar to providing a security proof in other formally non-instantiable models such as the Random Oracle or Algebraic Group model, or using the Fiat-Shamir heuristic. These models are best thought of as resulting in proofs of security against a somewhat restricted class of possible attacks. Please note that *all* formal security proofs are necessarily for some class of modelled attacks; whether that is as the result of using a model other than the standard model, or the choice of formalisation of desired security properties. The main purpose of doing security proofs is as an aid to the system designer in avoiding the modelled class of attacks, and to draw the attention of other cryptanalysts to where any problems are *more likely* to lie. Armchair assessments of systems by non-cryptanalysts based on the assumptions and models used in their proofs should be strongly discouraged.

    As it happens, the whole line of criticism based on reliance on KEA in Zcash is somewhat obsolete, because since the Sapling upgrade, Zcash no longer uses the PHGR13 proving system whose proof of Knowledge Soundness relied on KEA. It now uses Groth16, for which Knowledge Soundness is proven in the Algebraic Group model. Although this does not by itself exclude forgery based on breaking KEA before Sapling activated, any new attack of that form can no longer be used. Note also that privacy never relied on KEA.

    I will refrain from giving my opinion about the security of Zcoin other than to state some facts:
    * it relies on a trusted setup (that is, the assumption that the factors of a particular RSA modulus were deleted);
    * it directly deployed academic prototype code that was clearly labelled as unsuitable for deployment;
    * it has experienced successful forgery attacks, resulting in more money being extracted by the attacker from the Zcoin private pool than was ever put into it. Just over 25% of the current monetary base of Zcoin was forged by this attacker: https://makebitcoingreatagain.wordpress.com/2017/02/18/is-the-zcoin-bug-in-checktransaction/

    Disclosure of interest: I am a Zcash developer and cryptanalyst. In this comment I’m speaking for myself, not Zcash Company.
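The KEA2 counterexample quoted in the comment above, worked through in a toy group. This is an added example, not code from the article, the commenter, or any Zcash or Zcoin project; the prime P = 1019, subgroup order Q = 509, generator 4 and all exponents are constructed toy values, nowhere near secure sizes.

```python
"""Walk through the Bellare-Palacio adversary against KEA2 in a toy group.

Group: the order-Q subgroup of Z_P^* with P = 2*Q + 1 (a safe prime), so
exponents live in Z_Q. All parameters below are constructed toy values.
"""
P, Q = 1019, 509   # constructed: P = 2*Q + 1, both prime
G = 4              # quadratic residue mod P, so it generates the order-Q subgroup


def kea2_instance(a, b):
    """Public input to a KEA2 adversary: (g, g^a, g^b, g^{ab}); a and b stay secret."""
    return (G, pow(G, a, P), pow(G, b, P), pow(G, a * b % Q, P))


def bellare_palacio_adversary(inst, c1, c2):
    """The adversary A from the quoted paragraph: it mixes the g and g^a bases."""
    g, ga, gb, gab = inst
    C = pow(g, c1, P) * pow(ga, c2, P) % P     # C = g^c1 * (g^a)^c2
    Y = pow(gb, c1, P) * pow(gab, c2, P) % P   # Y = (g^b)^c1 * (g^{ab})^c2
    return C, Y


def relation_holds(C, Y, b):
    """The relation KEA2 asks about: Y == C^b in the group."""
    return Y == pow(C, b, P)


def knows_witness(inst, C, candidates):
    """KEA2's extractor must output c with g^c == C or (g^a)^c == C.
    The adversary only ever held c1 and c2, and neither works as such a c."""
    g, ga, _, _ = inst
    return any(pow(g, c, P) == C or pow(ga, c, P) == C for c in candidates)


def hidden_witness(a, c1, c2):
    """A witness does exist, c = c1 + a*c2 (mod Q), but computing it needs the
    secret a (or a discrete log), which the adversary never had. This is why
    Y = C^b holds without the adversary 'knowing' c in the KEA2 sense."""
    return (c1 + a * c2) % Q


if __name__ == "__main__":
    inst = kea2_instance(17, 23)                        # constructed secrets a, b
    C, Y = bellare_palacio_adversary(inst, 5, 9)        # constructed c1, c2
    print("Y == C^b:", relation_holds(C, Y, 23))
    print("extractor finds c among {c1, c2}:", knows_witness(inst, C, [5, 9]))
    print("witness recoverable only with a:", pow(G, hidden_witness(17, 5, 9), P) == C)
```

KEA1 only gives the adversary (g, g^a) and asks for Y = C^a, so the base-mixing trick above has no second base to mix in; that is the sense in which the comment calls KEA1 the simpler assumption.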
