Don’t let fancy whitepapers fool you, the “at least one honest participant” thing in Zcash’s trusted setup is security theater.
I wanted an explanation about this claim so I clicked the link. That goes to a post the author made on twitter which repeats the assertion that it’s security theater and links to a post the author made on their blog which again just repeats that it’s security theater.
So no explanation or context given, but they wrote it on the internet three times so therefore it must be true.
That is untrue:
The link goes to a series of comments that give specific details.
Is that link going to a different place for you? I’m seeing a comment that simply repeats “Again, this “one honest participant” thing is nonsense security theater.” and a vague handwave towards that the code could be compromised and then two comments about Bitcoin vs Zcash. No specific details at all.
The post itself expands on those details, which you ignore entirely.
What post? The link was anchored to a specific comment. There are exactly two references to “security theater” on that page, one is in the comments and the other is an update to the post that links into the comments. It’s circular references all the way down.
The post that’s linked here. It’s not circular references if you continue to read past the period to the enumerated list of specific details under the section titled “Step-By-Step Instructions For World Domination”.
My mind stopped on the articles when I encountered a statement of faith:
“Again, this “one honest participant” thing is nonsense security theater. As long as there is a central point of failure (the code) all participants can easily get compromised”
That statement is false. I can think of many counterexamples. He’s conflating the myriad possibilities of what can happen to a central location or provider with what does happen. What does is usually a small subset of what can… or nothing. I’d say the vast majority of software developed centralized continues to do its job without sabotage. Most security software appears to as well, with nation-states mostly looking for bad configurations or 0-days. The quality is low as most INFOSEC is fake. No subversion required. :) Some subversions exist. Yet, even mighty NSA has to pay off companies, use FBI, or ask CIA for help if foreign. Their slides even showed they couldn’t stop GPG despite the fact that one broke man with little to no OPSEC was developing it in an unsafe language. I think NSA’s $200+ million operation failing vs one broke man by itself counters Greg’s claim I quoted.
The truth is that one or more people in a centralized source can be highly trustworthy. It depends if the people and their methods are trustworthy. Many ways to evaluate that. I know quite a few that are under most scenarios. My own work on secure SCM starts with that. The next, easiest step is also a distributed computation by diverse, mutually-suspicious parties. Preferably one that works just like a single machine with distributed checking of results. Maximizes efficiency and ability to verify the code vs blockchains, etc. I also tell people to do it across OS’s, ISA’s, and hardware from various fabs/countries. So, that concept is valid.
None of this helps Zcash, though. The reason is we have to use a different baseline if we’re empirical: most people writing software screw it up; most security protocols start out wrong; most people doing INFOSEC can’t do it well; most startups fail; currency startups fail more; some currency startups folded due to collusion/robbery. These establish a baseline of requiring strong visibility, simplicity, verification, and distributed checking in these currency schemes, especially startups. Author is right to complain about Zcash lacking these. We shouldn’t trust them on that basis, simply betting on the odds that say they’ll fail. Always play the odds if money is involved.
Extra note is the link on verification. They don’t know anything about verifying the security of software. Most in INFOSEC don’t know much despite methods developed back in the 70’s-80’s. Solar Designer apparently missed it too based on his statements. With $250,000, they could easily pay one or more experienced people to specify the cryptographic protocols, their properties, and check the spec maintains them. Galois' people do this in afternoons for simple ones using the CRYPTOL language they open-sourced, with automatic extraction to working code. Team could also code it in a C subset or SPARK Ada with protocol specs automatically checked against the code. Use Kemmerer’s Shared Resource Matrix for a covert-channel analysis on protocol and code with basic mitigations. Compile with minimal, safe optimizations or license CompCert from AbsInt. They’re done in under a year with less than $250,000 spent with a scheme verified from protocol description to code. If CompCert, then down to the assembly. Alternatively, they pay the money to Altran/Praxis to do this for them with Z and SPARK at a cost of about 50% above a normal development, with a warranty supplied at the end.
Instead, they did… who knows. It’s probably some garbage full of protocol and coding errors like usual. A pile of code combined with three sets of eyeballs isn’t a proven approach to assuring correctness of systems. Quite the opposite given state of FOSS “security.” ;)
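As an added illustration of the property the thread is arguing about (not code from any commenter, and not Zcash’s ceremony code): a toy model in which the ceremony secret is the product of every participant’s share modulo a small constructed prime `Q = 101`. Real ceremonies hide the secret behind group exponentiation; the product rule is the part that matters for the “one honest participant” argument. `consistent_secrets` shows that as long as a single share is unknown, every possible secret is equally consistent with what the attacker knows, which is the property the whitepaper-style claim rests on. `ceremony(..., erase=False)` models the critic’s point: if the code running on every machine silently keeps the shares, the mathematical property is intact but no longer protects anything.

```python
"""Toy model of a multi-party trusted setup (added illustration only).

Constructed simplification: the combined secret ("toxic waste") is the
product of each participant's private share modulo a small prime Q.
"""
import secrets
from math import prod

Q = 101  # small prime so the exhaustive check stays cheap (constructed value)


def ceremony(n_parties, erase=True, q=Q):
    """Run n participants in sequence, each folding a fresh share into the secret.

    Returns (tau, retained). `tau` is the combined secret that must never survive;
    `retained` is whatever the ceremony code kept: empty when the code really
    erases each share, the full list when the code only pretends to.
    """
    tau = 1
    retained = []
    for _ in range(n_parties):
        share = secrets.randbelow(q - 1) + 1  # uniform in [1, q-1]
        tau = (tau * share) % q
        if erase:
            del share  # honest implementation: the share leaves memory here
        else:
            retained.append(share)  # compromised code: quietly keeps it
    return tau, retained


def recover_secret(shares, q=Q):
    """What an attacker computes once every share has leaked."""
    return prod(shares) % q


def consistent_secrets(known_shares, q=Q):
    """Every value of tau consistent with knowing all shares but one.

    For each candidate value of the single missing share, compute the tau it
    would produce. Because q is prime and shares are nonzero, the result is
    the whole multiplicative group: the known shares reveal nothing about tau.
    """
    known = prod(known_shares) % q
    return {(known * s) % q for s in range(1, q)}


if __name__ == "__main__":
    tau, kept = ceremony(5, erase=True)
    print("honest code retained", len(kept), "shares")
    print("candidate secrets given 4 of 5 shares:",
          len(consistent_secrets([3, 7, 11, 42])), "of", Q - 1)
    tau, kept = ceremony(5, erase=False)
    print("leaky code: attacker recovers tau?", recover_secret(kept) == tau)
```

The two halves are meant to be read together: the first shows why erasing one share suffices in the math, the second shows why that guarantee is only as good as the code that every participant ran, which is exactly where the disagreement in this thread sits.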
So the article mentions 5 solutions to this advanced persistent threat. Is the Zcash project refusing to solve the APT?