Until Zcash’s most recent protocol upgrade, called ‘Sapling’, Zcash’s use of zk-SNARKs was considered to have at least two major limitations – the necessary setup phase and the computation time. The Sapling upgrade had been in development for years and was launched on October 29th 2018. It includes many interesting updates that you should definitely check out for yourself, but here we’ll briefly go over two of its most important changes.
With zk-SNARKs, Zcash uses a novel cryptographic tool that is cheap to verify. However, the trade-off here is that the zk-SNARKs used by Zcash rely on a set of public parameters which allow users to construct and verify private transactions. Due to cryptographic limitations, a setup phase is needed to create these system parameters.
This setup phase is similar to the setup phase of a public-key cryptosystem, but with one important difference: as in a public-key cryptosystem, a pair (privkey, pubkey) is generated, but then the privkey has to be destroyed.
In this setup phase, the pubkey corresponds to the required system parameters, while the privkey is considered to be a kind of cryptographic ‘toxic waste’. The private key material is called a toxic waste byproduct because it is produced as an unwanted side-effect of the public parameter generation and needs to be contained and destroyed as safely as possible: anybody who gets a copy of the private key can use it to counterfeit new Zcash coins. It has to be mentioned, however, that the privacy of transactions is not at risk from this.
In order to minimize the threat that this setup phase brings with it, the Zcash team has devised a secure multi-party computation ceremony, in which multiple people each generate a ‘shard’ of the public/private key. Only if all the shards of the private key are brought together can the toxic waste private key be created. The same goes for the creation of the public key. Thus, in this multi-party computation ceremony each creator of a shard destroys their shard of the private key individually, after which they all bring together their shards of the public key to form the SNARK public parameters.
Since the toxic waste private key cannot be formed even if one shard is missing, this protocol has the property that, in order to compromise the final parameters, all of the participants would have to be compromised or dishonest. This means that as long as even one of the participants has honestly and successfully destroyed their private key shard, the toxic waste byproduct can never come into existence at all.
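To make the ‘all shards or nothing’ property concrete, here is a toy model of such a ceremony. This is an added illustration, not the Zcash ceremony code: it stands in for the real pairing-based setup with a plain modular-exponentiation group, treats each participant’s secret exponent as their private shard, and builds the public parameter sequentially (each participant raises the running value to their shard and then discards it). The modulus, generator and participant counts are constructed for the example.

```python
# Toy multi-party trusted setup (illustration only, not Zcash's protocol).
# Toxic waste: s = s_1 * s_2 * ... * s_n (mod Q). Public parameter: G^s (mod P).
P = 2**127 - 1   # constructed toy modulus (a Mersenne prime), not Zcash's group
G = 3            # constructed toy generator element
Q = P - 1        # exponents live modulo the group order


def contribute(previous_param, shard):
    """One participant's step: raise the running public value to their shard."""
    return pow(previous_param, shard, P)


def run_ceremony(shards, dishonest):
    """Run the ceremony in sequence.

    shards:    private shard of each participant (constructed for the demo)
    dishonest: indices of participants who secretly keep a copy of their shard
    Returns the final public parameter and the shards that were NOT destroyed.
    """
    param = G
    leaked = []
    for i, shard in enumerate(shards):
        param = contribute(param, shard)
        if i in dishonest:
            leaked.append(shard)  # kept a copy instead of destroying it
        # an honest participant discards `shard` here; it is never stored
    return param, leaked


def combine_toxic_waste(shards):
    """Reassemble the toxic waste from a set of shards (needs every shard)."""
    s = 1
    for shard in shards:
        s = (s * shard) % Q
    return s


def parameters_match(public_param, candidate_toxic_waste):
    """True iff the candidate secret actually explains the public parameter,
    i.e. iff its holder could use it to forge proofs / counterfeit coins."""
    return pow(G, candidate_toxic_waste, P) == public_param


if __name__ == "__main__":
    shards = [5, 7, 11, 13, 17]  # constructed; real shards are random and huge
    param, leaked = run_ceremony(shards, dishonest={0, 1, 2, 3})  # one honest
    print("one honest participant -> waste recoverable:",
          parameters_match(param, combine_toxic_waste(leaked)))  # False
    param, leaked = run_ceremony(shards, dishonest={0, 1, 2, 3, 4})  # none honest
    print("everyone colludes -> waste recoverable:",
          parameters_match(param, combine_toxic_waste(leaked)))  # True
```

Note that the public parameter is identical in both runs; only whether the matching secret survives anywhere differs, which is exactly what the ceremony is designed to control.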
To date, Zcash has created two distinct sets of public parameters. The first ceremony happened in October 2016, just before the launch of Zcash ‘Sprout’. The general design of this ceremony was based on multi-party computation, air-gaps, and indelible evidence trails, and it involved six different people who were geographically separated.
Since the Sapling protocol upgrade was a hard fork of Zcash, the zk-SNARKs needed new public parameters. Thus, a second set of public parameters was generated in 2018, anticipating the Sapling network upgrade and the release of Zcash 2.0.0. This second setup consisted of two distinct phases and added some additional security features, but we won’t go into too much detail on these. However, it is important to note that 87 participants took part in the computations of the first phase, while 90 participants took part in the second phase. Thus, the Zcash team has gone to great efforts to gather a large group of participants to generate its system parameters and to include many additional security features.
However, we have to note that despite all the efforts that the Zcash team and the other participants have gone through, some believe that the setup phase remains a weakness in Zcash’s security. Game theory would suggest that a large and diverse enough group of participants would not all collude with each other to compromise the network, but at this moment it cannot be excluded that there might at some time be a problem with counterfeited Zcash.
Thus, despite the strength of the most recent ceremony, the Zcash team intends to advocate for a major upgrade to the Zcash protocol which will add a layer of detection in addition to the current layer of prevention. Since the transaction amounts in shielded transactions are encrypted on the blockchain, it is currently impossible to detect what the total amount of coins really is and if there have been any new coins created in a malicious manner. In the future, the Zcash team wants to be able to detect any possible counterfeiting, despite the encrypted transaction amounts.