Fundamental flaws with zk-SNARKs, the privacy algorithm used in Zcash (ZEC), may allow malicious agents to mint additional tokens, according to the COO of a rival privacy coin.
Reuben Yap, the Chief Operating Officer at Zcoin (XZC), says that unproved cryptographic assumptions and possible bugs with zk-SNARKs place blockchains using the algorithm – like Zcash – at a security risk. Believing it to be a “very real threat,” hackers may be able to exploit this weakness, enabling them to double-spend on the network, Yap argues.
“The main disadvantage of zk-SNARKs… is the fact they [sic] rely on relatively new cryptographic security assumptions,” Yap said, in an email exchange with Crypto Briefing. “A flaw in the cryptography…will allow an attacker to create coins out of thin air without being detected.”
What are zk-SNARKs?
zk-SNARK, short for zero-knowledge succinct non-interactive arguments of knowledge, is an algorithm that can check the validity of a transaction while simultaneously keeping confidential or personal information private, otherwise known as zero-knowledge.
Zcash was the first coin to use zk-SNARKs, but other cryptocurrencies have expressed interest. Platform network TRON (TRX) announced plans to integrate the algorithm in early December.
What are the vulnerabilities?
zk-SNARKs algorithm rests on an assumption known as the first Knowledge of Exponent Assumption – KEA1. Formulated more than a decade ago, it simply states that transactions must be correct if they have a certain output. This is what makes zero-knowledge privacy possible.
KEA1 is the linchpin for zk-SNARKS and the foundation for any blockchain which uses the algorithm. KEA2, a later cryptographic assumption, was conclusively falsified in an academic paper published in 2004.
Yap admits that no one has yet managed to break KEA1, but that doesn’t mean it’s completely watertight. Now that billion-dollar networks use zero-knowledge tech- with more looking to adopt it – there are obvious incentives for malicious agents to break it.
Someone able to crack KEA1 would have an unrestricted ability to print tokens and double-spend at will, without anybody knowing. “If the assumption breaks, then the cryptography breaks. If the cryptography breaks then it would be possible to fake proofs and potentially more,” Yap wrote.
Are trusted setups…’trustworthy’?
Other figures have expressed concern over zk-SNARKs, mostly around the need for a ‘trusted setup.’ A trusted setup is an event where cryptographers create a public key, needed to generate and verify proofs, and destroy the associated private key to prevent malicious actors from subverting the protocol.
Cryptographers from all over the world participate, each of whom has a small part of a private key. A public key is assembled from the numbers, whereas fragments of the private key – known as “toxic waste” – are destroyed.
Anyone with access to the private key would have been able to mint tokens at will. Therefore, there is a significant incentive for someone to create a backdoor.
Zcash went to extreme lengths – even destroying the computers involved in the original 2016 ceremony – to ensure all parts of the private key were destroyed. However, oversights – like the fact that part of the software was not verified, and only released a day before the ceremony – could put the network in peril.
Developer Peter Todd, who participated in the 2016 ceremony, says that a compromise in the trusted setup would also compromise privacy. He believes the network’s parameters can be constructed in such a way that “absolutely can wreck privacy:”
There’s been some claims made recently that a compromise of the Zcash trusted setup can’t compromise privacy.
I checked with one of the cryptographers working on zk-SNARKs, and these claims are false.
A compromised MPC absolutely can wreck privacy; Zooko needs to correct this. pic.twitter.com/07tfMQQurL
— Peter Todd (@peterktodd) September 27, 2018
This could throw wrenches into the works of a currency mainly distinguished by enhanced anonymity. “What’s at stake here is that if the parameters were not destroyed correctly, someone can create coins out of thin air without being detected,” Yap wrote. “If the ceremony was compromised, the overall privacy may be broken, unveiling transaction and user details.”
“Above my paygrade”
Zcash is known as a privacy protocol, but few transactions used zk-SNARKs until quite recently. Prior to the Sapling update, the algorithm took significant computational power, making transactions prohibitively expensive.
Sapling, which went live in late October, drastically reduces the amount of computational power required, even making it possible to send zk-SNARKs-enabled transactions from mobile devices.
Zcash has also been added to some of the most exclusive cryptocurrency exchanges. Coinbase only listed the privacy coin at the end of November. Gemini’s ZEC-USD trading pair is popular, with a trading volume worth $250,000 in the past 24 hours, according to CryptoCompare.
Crypto Briefing reached out to other developers to ask for their thoughts on zk-SNARKs. One of the few to get back to us was Vitalik Buterin. He had said earlier this month that zk-SNARKs had the potential to scale Ethereum (ETH) up to 500 transactions per second.
When Crypto Briefing asked him whether the KEA1 assumption represented a potential vulnerability, he said this was beyond his area of expertise. “[A]ssessing security of elliptic curve cryptographic assumptions is above my paygrade,” the Ethereum co-founder wrote.
With more people involved in cryptocurrency than ever before, the risks of someone detecting a backdoor become quite a bit higher.
That leaves us wondering: could the sector be sleepwalking into a significant security risk?
The author is invested in digital assets, including ETH which is mentioned in this article.