Blog – Zcash
https://z.cash
Privacy-protecting, digital currency built on strong science
Feed last built: Tue, 19 Mar 2019 15:29:13 +0000

Announcing the Electric Coin Company Board of Directors
https://z.cash/blog/announcing-the-electric-coin-company-board-of-directors/
Tue, 12 Mar 2019 12:00:36 +0000

The Electric Coin Company is pleased to announce we have recently formed a board of directors and seated three members: Alan Fairless, Andrew McLaughlin and Zooko Wilcox.

The board provides oversight and governance in support of the company’s mission to empower everyone with economic freedom and opportunity. The Electric Coin Company launched and supports the development of the Zcash cryptocurrency — a privacy-protecting, digital currency built on strong science. Since its launch in 2016, Zcash has quickly grown to be one of the most valued and admired cryptocurrencies in the world.

Alan Fairless

Alan Fairless is the co-founder of SpiderOak. He has spent a decade building and bringing privacy-preserving cloud tech to market. Companies Alan founded have raised millions, served hundreds of millions, employed scores, and received acquisition offers from billion-dollar public companies in the US and EU. He has discovered serious vulnerabilities in code authored at Red Hat and Google. He was also an angel investor in the Electric Coin Company.

Andrew McLaughlin

Andrew McLaughlin is an entrepreneur and tech policy activist based in New York City. He is a co-founder & partner at Higher Ground Labs and partner and COO at the Future Company. He is chair of the board of Access Now, a member of the board of Public Knowledge, and a venture fellow at betaworks. From 2009-2011, Andrew was a member of President Obama’s senior White House staff, serving as Deputy Chief Technology Officer of the United States. He previously served as director of global public policy at Google and VP and Chief Policy Officer of ICANN. He has taught at Stanford and Harvard law schools, and been a fellow at Princeton and Columbia. Andrew holds a B.A. in history from Yale University and a J.D. from Harvard Law School.

Zooko Wilcox

Zooko Wilcox is the founder and CEO of the Electric Coin Company. He is one of the original cypherpunks. Zooko is a long-serving technologist and entrepreneur. His experience spans open, decentralized systems; cryptography; information security; and startups. In more than 25 years in the industry, Zooko has contributed to an array of projects — many of which champion privacy implementations — including DigiCash, Mojo Nation, ZRTP, “Zooko’s Triangle,” Tahoe-LAFS, BLAKE2 and SPHINCS. He is the founder of the Electric Coin Company and Least Authority Enterprises, which uniquely empower individuals with the right to consent about how, when and to whom their personal data is shared. Zooko is on the advisory board at Bolt Labs, Tezos and Brave. He serves on the board of directors for Agoric. He tweets often, about a range of topics. He used to blog about health science, as well.

“I am excited to welcome Alan and Andrew to the board of directors,” says David Campbell, Electric Coin Company COO. “They provide significant strategic, regulatory and operational expertise to the company while also bringing additional credibility to the broader cryptocurrency industry.”

The post Announcing the Electric Coin Company Board of Directors appeared first on Zcash.
People Behind Zcash Technology: Eirik Ogilvie-Wigley, Engineer
https://z.cash/blog/people-behind-zcash-technology-eirik-ogilvie-wigley-engineer/
Mon, 25 Feb 2019 14:33:54 +0000

If you ask Eirik Ogilvie-Wigley how he came to join the Electric Coin Company, he says, “My story is really one of luck.”

Years ago, Eirik got to know Zooko while playing Magic: The Gathering; every few months their paths would cross. At the time, Eirik was working as a programmer for a tax software company, but he was more interested in optimization problems and decided to quit his job. Right around then, as fate would have it, he ran into Zooko at a coffee shop and they began talking. Zooko invited Eirik to apply to what was then a relatively new company and bring his proficiency in pure mathematics to the team. Eirik’s academic experience at CU-Boulder was extensive.

“It got to a point where they wouldn’t let me do any more math classes,” he says.

Eirik realized he needed to branch out. He considered double majoring in physics or minoring in philosophy. However, since computer programming had always been a hobby of his, he settled on a minor in computer science, setting the stage for his current career.

Professional Role

Eirik was hired at Electric Coin Company in a role that he characterizes in these terms: “I like to think I’m a generalist. I work on lots of different stuff.”

Eirik’s breadth lets the team draw on him for Rust code in the Zcash cryptographic libraries, ecosystem work, scripts for gathering data, and what he describes as ‘the giant universe’ of the C++ code base.

“You really have to be a generalist [to work with] some other people who are very much the opposite; it’s such an eclectic group,” he says. “Many people at the company are highly-specialized. I help fill in the gaps and, you know, carry the coattails and that sort of thing.”

After having been an engineer at Electric Coin Company for almost a year, Eirik says that what gets him out of the bed every morning is the fact that “there’s no end to how much interesting stuff there is to research. There’s always something new to consider.”

Eirik’s commit count on zcashd is climbing up the list of overall contributors. He is proud of this “because the project is so complicated and so massive … There is a lot of slogging through many lines of code but eventually it all comes together.”

Commitment to Zcash

Regarding privacy, Eirik says it is a complicated challenge that societies will always have to deal with. He shares a recent example of privacy invasion woven into the fabric of everyday life that he found particularly unsettling.

“My sister was trying to join my mom’s bank account, and they had to share all of this personal information,” he says. “I remember this guy at the bank saying, ‘Watch this video about how we use your private data and how our business partners are about to use your private data.’ ”

The process required new account holders to consent to having their private data collected and shared. This prompted Eirik to ask some important questions: “Should people be allowed to have wealth? Of course, that’s something that everybody expects to be able to have. But at what cost?”

The experience reaffirmed Eirik’s commitment to Zcash, which “enables anybody anywhere to own money, wealth. It enables anybody to store value.”

Eirik’s work at Zcash is not only integral to the overall success of the project but also personally fulfilling: “What makes me happy when I go to sleep is that all these little details, all this fun that I’ve had [throughout the work day], is also doing this amazing thing.”

Sharing Responsibility
https://z.cash/blog/sharing-responsibility/
Fri, 22 Feb 2019 15:09:47 +0000

The growing role of the Zcash Foundation

To achieve sustainability and growth of the Zcash ecosystem, a diverse effort from a variety of organizations and individuals is essential. While the Electric Coin Company was the catalyst needed to cultivate Zcash from its roots in academic research into a real-world, global cryptocurrency, dependence on this single organization would not suffice long-term. When the plans to create a new cryptocurrency were still in the works, an organization was conceived to serve as a complementary, non-profit arm representing wider interests. It would serve as part of the governance model, balancing the bootstrapping of the engineering resources required to reach and maintain an in-production network against a forward-looking vision that incorporates the interests of a growing, diverse community.

Even before its official designation as a 501(c)(3) non-profit, the Zcash Foundation had been working towards supporting internet payments and privacy infrastructure for the public good. It had helped onboard charities from around the world to accept private donations and was establishing the start of a grant program to support other projects contributing to the Zcash ecosystem. Once formally established, the Foundation was ready to hit the ground running and has been going strong ever since.

Community Growth

As a result of the Foundation’s maturing, many of the community-related efforts that the Electric Coin Company initially bore responsibility for have settled into the purview of the non-profit. Over the last year, we have seen the Foundation’s ability to bring together diverse interests and perspectives towards the common goal of building better privacy infrastructure. This includes organizing the first Zcash conference, Zcon0, which featured presentations and workshops not only about the Zcash technology and ecosystem but also about much broader topics in cryptocurrency privacy. It was deemed a massive success, and the second iteration, Zcon1, is shaping up to exceed that precedent.

Beyond the conference format, the Foundation has dedicated resources towards supporting local Zcash meetups and administering online Zcash communities. The Zcash community chat and Zcash forums are central locations for engaging with the diverse community around topics that range from preferred Zcash wallets and exchanges to debates on ASIC mining in Zcash and discussions about the newest advances in zero-knowledge proof technology. Additionally, these are the primary locations for engaging with core Zcash developers at the Electric Coin Company and maintainers of ecosystem services.

Research and Development

The Foundation started its efforts to enrich the Zcash ecosystem through the aforementioned grant program, which kicked off within the first year of Zcash’s existence. More recently, it has focused funding on a few key projects to enhance user adoption of Zcash, including the quickly growing zec-qt-wallet and two in-progress projects: an iOS mobile wallet supporting shielded addresses and an alternative full-node implementation of Zcash.

Broadening its scope toward contributing research and stewardship to the Zcash protocol has been another recent step in taking on more responsibility. The Zcash Improvement Proposal (ZIP) process, hosted by the Foundation, is a key mechanism for balancing influence over the protocol, given that the Electric Coin Company is currently the main contributor to engineering and protocol design. Looking ahead, the alternative node implementation and the recent hire of a principal cryptographic researcher will further that balance.

The Future of Zcash

Alongside the Zcash Foundation’s growing role, the Electric Coin Company’s accelerating progress continues to pave the way for a bright future. We are proud to have some of the most experienced cryptographers and engineers working on maintaining a high-quality protocol while steering Zcash toward greater adoption through improved usability. It would also be remiss not to count the community contributors, users, miners, investors and service providers as another critical and complementary arm of Zcash governance; these groups provide indispensable support and a variety of use cases. We believe advancing economic freedom and opportunity cannot come from the Electric Coin Company alone, and we are thrilled to work with such a wide range of interests sharing the same vision. We have a lot of work to do in the months and years to come, and we look forward to continued collaboration with the Foundation and the greater community.

Goodbye, Zcash Company. Hello, Electric Coin Company.
https://z.cash/blog/goodbye-zcash-company-hello-electric-coin-company/
Thu, 21 Feb 2019 12:41:03 +0000

The Zcash Company is now the Electric Coin Company. We’re changing the name for clarity.

Our legal name has always been the Zerocoin Electric Coin Company, LLC, and we’ve been calling ourselves the ‘Zcash Company.’

But, the company isn’t “Zcash.” Zcash is the cryptocurrency we build and support, with the help of others in the community.

Also, we aren’t the Zcash Foundation. The Foundation is a separate and independent 501(c)(3) nonprofit organization. It has its own mission, team and board of directors.

So here we are: Electric Coin Company. It’ll take us a little while to get the new branding right, launch a new domain and change out the sign at the office, but the name change is public, so we wanted to make sure we were on record confirming it.

Only the name has changed. We are the same team, with the same mission: to empower everyone with economic freedom and opportunity. We developed and help steward Zcash.

You may have more questions about this move and the company in general. The answers to a few of them follow.

Will the Electric Coin Company continue to be solely focused on Zcash?

What specifically does the Electric Coin Company do?

What changes are planned as a result?

Will the Electric Coin Company continue to be solely focused on Zcash?

The Electric Coin Company is focused on building and supporting Zcash. That includes research and engineering that may, or may not, ever make it into Zcash software. This has been our mission from the very beginning, and we will continue to drive innovation and adoption.

What specifically does the Electric Coin Company do?

The Electric Coin Company is a team of about 30 people from around the world. The following are some of the things the Electric Coin Company does:

Product Development and Support

Driving Awareness and Adoption

What changes are planned as a result?

The company will use the Electric Coin Company name for all messaging and correspondence, effective immediately.

The following is under development and will be rolled out in the coming months:

  • The Electric Coin Company brand
  • The Electric Coin Company information will be moved from https://z.cash/ to a new domain with its own website. This includes company and team information and the company-maintained blog.
  • Company email addresses will change to the new domain.
  • Social media properties including Twitter, LinkedIn, Facebook will change to reflect the new name.


So, that’s it then — Electric Coin Company. The company name has changed but our commitment has not. The path forward is filled with both opportunity and challenges, and we thank you for your support.

Earn ZEC on Coinbase While You Learn About Zcash
https://z.cash/blog/earn-zec-on-coinbase-while-you-learn-about-zcash/
Fri, 15 Feb 2019 19:16:31 +0000

Zcash is now featured on Coinbase Earn, a platform that pays people in cryptocurrency to watch videos and complete tasks. See the Coinbase Earn ZEC page for details.

The Zcash Company has allocated 15,518 ZEC for this initiative aimed at educating millions of people globally about Zcash — a privacy-protecting, digital currency built on strong science. Half of the ZEC will be distributed in this first campaign, while the other half is reserved for future Earn Zcash tasks. 100% of these tokens will be distributed to Coinbase Earn users.

Learn more about Zcash

The Earn ZEC campaign consists of a series of three engaging and short educational videos that are available for everybody to watch. At the start, selected Coinbase users will be invited via email to earn ZEC for watching these videos and demonstrating their knowledge of Zcash.

If you have not received an invite to earn, please join the waitlist on the Earn ZEC Page to be notified once earning opportunities are available to you.

The first video provides an introduction to the origin of Zcash and the underlying privacy design. The second video explores how Zcash combines the privacy of cash with the global reach of a cryptocurrency. The final video describes everyday applications for transparent and shielded addresses, making a case for Zcash as a decentralized global currency.

In the future

In the future, users can expect a second Earn ZEC campaign of the same magnitude, which will feature opportunities to earn and learn more about Zcash shielded transactions. Until then, we invite you to continue learning more about Zcash by exploring our website or documentation. Join the discussion on the Zcash Community Forum or Twitter.



The Zcash Company’s mission is to empower everyone with economic freedom and opportunity. We believe that everyone has a right to privacy, that the pursuit of economic freedom is virtuous, and that the future of money is an attack- and censorship-resistant digital currency. Since its launch in 2016, Zcash has quickly grown to be one of the most valued and admired cryptocurrencies in the world.

New Release: 2.0.3
https://z.cash/blog/new-release-2-0-3/
Thu, 14 Feb 2019 13:29:26 +0000

This release addresses security issues in libraries used by Zcash, along with other outstanding tickets from our spring-cleaning sprints.

Notable Changes in this Release

[CVE-2019-6250] Update libzmq version

A pointer overflow, with code execution, was discovered in ZeroMQ libzmq (aka 0MQ) 4.2.x and 4.3.x before 4.3.1. An integer overflow in zmq::v2_decoder_t::size_ready (v2_decoder.cpp) allows an authenticated attacker to overwrite an arbitrary number of bytes beyond the bounds of a buffer, which can be leveraged to run arbitrary code on the target system. Only nodes with ZeroMQ notifications enabled are affected; they are not enabled by default. This update addresses the vulnerability by moving to libzmq 4.3.1.
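The practical question for an operator is whether a given node is exposed at all: ZeroMQ is only reachable when notifications are configured, and only vulnerable libzmq builds matter. The following is an added example, not code from the release or from zcashd, that answers both questions offline. It assumes zcash.conf uses the bitcoind-style `key=value` syntax and that any `zmqpub*` option switches notifications on; the libzmq version string is passed in by the caller (for instance from the package manager or the build's `zmq_version()`), so the check runs without the library installed. The sample configurations are constructed for the example.

```python
"""Exposure check for CVE-2019-6250 on a zcashd node.

Added example. Assumes: zcash.conf uses `key=value` lines, ZMQ notifications
are enabled by any `zmqpub*` option, and the affected libzmq range is the one
in the advisory (4.2.x and 4.3.x before 4.3.1).
"""
import re
from typing import List, Tuple

FIXED_VERSION = (4, 3, 1)          # first release carrying the fix
AFFECTED_MINORS = {(4, 2), (4, 3)} # release lines named in the advisory


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'major.minor.patch'; trailing suffixes such as '-1' are ignored."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised libzmq version: {text!r}")
    return tuple(int(x) for x in m.groups())


def libzmq_is_vulnerable(version: str) -> bool:
    """True for a 4.2.x or 4.3.x libzmq older than 4.3.1."""
    v = parse_version(version)
    return (v[0], v[1]) in AFFECTED_MINORS and v < FIXED_VERSION


def zmq_enabled(conf_text: str) -> List[str]:
    """Return the zmqpub* options set in a zcash.conf, with comments stripped."""
    enabled = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if key.startswith("zmqpub") and value:
            enabled.append(f"{key}={value}")
    return enabled


def assess(conf_text: str, libzmq_version: str) -> str:
    """Classify a node as 'not exposed', 'exposed' or 'patched'."""
    if not zmq_enabled(conf_text):
        return "not exposed"  # no zmqpub* option: no ZMQ socket is ever bound
    return "exposed" if libzmq_is_vulnerable(libzmq_version) else "patched"


# Constructed sample configurations (not taken from any real node).
CONF_DEFAULT = "rpcuser=zcashrpc\nrpcpassword=example\ntxindex=1\n"
CONF_ZMQ = CONF_DEFAULT + (
    "zmqpubhashblock=tcp://127.0.0.1:28332\n"
    "# zmqpubrawtx=tcp://127.0.0.1:28333   (commented out, so not enabled)\n"
)

if __name__ == "__main__":
    for name, conf in (("default", CONF_DEFAULT), ("with zmq", CONF_ZMQ)):
        for ver in ("4.2.5", "4.3.0", "4.3.1"):
            print(f"{name:9s} libzmq {ver}: {assess(conf, ver)}")
```

A node whose configuration has no `zmqpub*` option never binds a ZeroMQ socket, so the library version is irrelevant to it; a node that does publish notifications should be on 4.3.1 or later, which is what this release ships.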

Bitcoin 0.12 Performance Improvements

This change makes sigcache faster, more efficient, and larger. It also reduces the number of database lookups when processing new transactions.

Summary of the Changes Included in this Release

  1. Update ZMQ to 4.3.1 (#3789)
  2. Fix Tx expiring soon test (#3784)
  3. ZMQ: add flag to publish all checked blocks (#3737)
  4. wallet: Skip transactions with no shielded data in CWallet::SetBestChain() (#3711)
  5. Update z_mergetoaddress documentation (#3699)
  6. Allow user to ask server to save the Sprout R1CS to a file during startup (#3691)
  7. On shutdown, wait for miner threads to exit (join them) (#3647)
  8. Update for Mac OS local rpc-tests
  9. Bitcoin 0.12 performance improvements (#3263)

For a more complete list of changes, please see the 2.0.3 milestone.

For information on specific Sapling RPC parameter changes, please see the Network Upgrade Developer guide.

People Behind Zcash Technology: Marshall Gaucher, Engineer
https://z.cash/blog/people-behind-zcash-technology-marshall-gaucher-engineer/
Thu, 07 Feb 2019 15:10:44 +0000

There are many inspiring and talented people on the Zcash Company engineering team, and Marshall Gaucher is no exception. With responsibility across multiple teams — including dev infrastructure, zcashd, wallet and security — Marshall’s ability to effectively communicate and collaborate is critical to the success of the project.

While a broad role like this might leave some people feeling frazzled, he leads with a calm presence and a great sense of humor. In describing the dev infrastructure team’s work he said, “We’re basically pro bono network doctors … Our system may or may not come to its appointment, but we still provide real-time treatment, with no insurance policy.”

Why Zcash

Marshall found his way to Zcash Company last year during a search for meaningful work. “I wanted something that would give me a challenge, while genuinely contributing to society, not just pumping out another product that lasts 5 to 10 years that no one really remembers,” he said. “Being a part of technology that leaves a legacy is much more fulfilling than riding along on the product popularity bus.”

The work at Zcash Company did not disappoint, he recounts: “I jumped into it, and felt like I was back in school again. It was really cool. There’s so much research and so many beautiful minds and the great thing about it is everyone was genuinely just trying to solve problems. And sometimes the problems being solved didn’t make products, it just created more opportunities to learn and contribute to society. That’s intrinsically motivating.”

Professional Focus

The work is not only personally inspiring but also academically rigorous, which suits Marshall just fine. “I’ve always wanted to learn a bunch of applied cryptography,” he said, “and until you actually have either security experience or you’re a mathematician or are at least established in the industry, there’s no way you’re going to even get your foot in the door for that job. This [job has] everything. I’m still learning every day.”

Marshall said he is inspired by a combination of the work and the people at Zcash Company. “Some people get caught up in the day-to-day and lose scope of what matters in life, and I feel that I actually … care about what I do. I’m not just punching a clock to get a paycheck or bonus. I think about what societal impacts this has long-term. I’ve been around a lot of engineers all around the world, and I don’t know if everyone really thinks that way. For me, personally, I take a lot of pride in what I do. Otherwise, I don’t really feel like I should be doing it.”

Passionate Dedication

The mission of Zcash Company is to empower everyone with economic freedom, and for Marshall, those are more than just words. “I love this company because these people are passionate … they want to move the world … I don’t think any of us really care that we work the weirdest hours all the time. We just love what we do, and so being a part of that and aligned with those people is uplifting. I can’t say that I’m unique or anything, because everyone else is like that here.”

Zcash Company is fortunate to have Marshall on the engineering team to advance Zcash’s privacy-protecting technology, which he believes is of critical importance. “Privacy [technology] is something I want to contribute to, [because without it] you’re not truly living free.”

Zcash Counterfeiting Vulnerability Successfully Remediated
https://z.cash/blog/zcash-counterfeiting-vulnerability-successfully-remediated/
Tue, 05 Feb 2019 14:06:40 +0000

Document Outline:

  • Summary
  • Background
  • Counterfeiting Vulnerability Details
  • Third Party Disclosure
  • Timeline of Events
  • List of References
  • Technical Details of CVE-2019-7167

Summary

Eleven months ago we discovered a counterfeiting vulnerability in the cryptography underlying some kinds of zero-knowledge proofs. This post provides details on the vulnerability, how we fixed it and the steps taken to protect Zcash users.

The counterfeiting vulnerability was fixed by the Sapling network upgrade that activated on October 28th, 2018. The vulnerability was specific to counterfeiting and did not affect user privacy in any way. Prior to its remediation, an attacker could have created fake Zcash without being detected. The counterfeiting vulnerability has been fully remediated in Zcash and no action is required by Zcash users.

The counterfeiting vulnerability was discovered by a cryptographer employed by the Zerocoin Electric Coin Company (aka The Zcash Company) on March 1st, 2018. It was not reported publicly at the time in order to protect against it being exploited prior to its remediation, and to provide information and remediated code to other projects that were also vulnerable. We employed stringent operational security measures to keep its existence a secret, even from our own engineers.

We believe that no one else was aware of the vulnerability and that no counterfeiting occurred in Zcash for the following reasons:

  • Discovery of the vulnerability would have required a high level of technical and cryptographic sophistication that very few people possess.
  • The vulnerability had existed for years but was undiscovered by numerous expert cryptographers, scientists, third-party auditors, and third-party engineering teams who initiated new projects based upon the Zcash code.
  • The Zcash Company has seen no evidence that counterfeiting has occurred. Counterfeiting would show up in the total amount of Zcash held in Sprout addresses (the Sprout shielded pool): a pool that has paid out more than was ever paid into it would show a negative balance. As long as the value in each shielded pool is greater than zero, no counterfeiting has been detected, although a positive balance does not by itself rule out an attack that withdrew less than the pool holds. Bitfly’s Zcha.in displays these values on its network statistics page, and Zcash nodes report them in the output of the getblockchaininfo command.
  • Upon discovering the vulnerability, the Zcash Company took extraordinary measures to minimize the possibility of exploitation. The specifics of our steps taken are documented in the detail below.
  • The Zcash Company studied the blockchain for evidence of exploitation: An attack might leave a specific kind of footprint. We found no such footprint.

Although we believe that no counterfeiting occurred, we are monitoring pool totals and will act in accordance with our published defense against counterfeiting in an effort to preserve the monetary supply.
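The pool-total check described above is something any node operator can run. The following is an added example, not code from the post or from zcashd, that reads the pool balances from getblockchaininfo output and flags the footprint counterfeiting would leave. It assumes the `valuePools` layout of zcashd's getblockchaininfo (a list of objects with `id`, `monitored`, `chainValue` and `chainValueZat`); the two JSON documents below are constructed in that shape for the example, not captured from a node.

```python
"""Monitor shielded-pool balances reported by zcashd's getblockchaininfo.

Added example. Assumes the `valuePools` array layout of getblockchaininfo.
A monitored pool with a negative balance has paid out more than was ever
paid in, which is the mark counterfeiting leaves; a positive balance only
means nothing has been detected.
"""
import json
from typing import Dict, List

ZATOSHI_PER_ZEC = 100_000_000


def pool_balances(blockchaininfo_json: str) -> Dict[str, int]:
    """Map pool id -> balance in zatoshi, using the integer field to avoid float error."""
    info = json.loads(blockchaininfo_json)
    balances = {}
    for pool in info.get("valuePools", []):
        if not pool.get("monitored", False):
            continue  # the node has not tracked this pool from genesis; its total is meaningless
        balances[pool["id"]] = int(pool["chainValueZat"])
    return balances


def find_violations(blockchaininfo_json: str) -> List[str]:
    """Return an alert for every monitored pool whose balance has gone negative."""
    alerts = []
    for pool_id, zat in pool_balances(blockchaininfo_json).items():
        if zat < 0:
            alerts.append(
                f"{pool_id} pool balance is {zat / ZATOSHI_PER_ZEC:.8f} ZEC: counterfeiting detected"
            )
    return alerts


def drift_since(previous: Dict[str, int], current: Dict[str, int]) -> Dict[str, int]:
    """Per-pool change between two samples, for trending a pool total over time."""
    return {pid: current[pid] - previous.get(pid, 0) for pid in current}


# Constructed samples in the shape of getblockchaininfo output (not real chain data).
SAMPLE_HEALTHY = json.dumps({
    "chain": "main",
    "blocks": 470000,
    "valuePools": [
        {"id": "sprout", "monitored": True, "chainValue": 204321.5, "chainValueZat": 20432150000000},
        {"id": "sapling", "monitored": True, "chainValue": 31250.25, "chainValueZat": 3125025000000},
    ],
})
SAMPLE_COUNTERFEIT = json.dumps({
    "chain": "main",
    "blocks": 470001,
    "valuePools": [
        {"id": "sprout", "monitored": True, "chainValue": -1.0, "chainValueZat": -100000000},
        {"id": "sapling", "monitored": True, "chainValue": 31250.25, "chainValueZat": 3125025000000},
    ],
})

if __name__ == "__main__":
    for label, sample in (("healthy", SAMPLE_HEALTHY), ("counterfeit", SAMPLE_COUNTERFEIT)):
        print(label, pool_balances(sample), find_violations(sample))
    print("drift:", drift_since(pool_balances(SAMPLE_HEALTHY), pool_balances(SAMPLE_COUNTERFEIT)))
```

In practice the JSON is the output of `zcash-cli getblockchaininfo` fed to `find_violations`, and `drift_since` applied to periodic samples gives the pool-over-time trend the post describes; the integer `chainValueZat` field is used because an eight-decimal float total can round away a small discrepancy.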

Zcash makes use of the most sophisticated and novel cryptography available on a public blockchain. Pushing cryptographic boundaries is inherently risky, and user safety is of the highest importance to the Zcash Company. We believe that the steps we have taken to mitigate the issue while working to ensure the safety of Zcash users have been successful. More information on the specific events that transpired from the initial discovery of the counterfeiting vulnerability through this disclosure will be covered in a future post.

Key Points:

  • A counterfeiting vulnerability was discovered in Zcash by a Zcash Company cryptographer.
  • The counterfeiting vulnerability has been fully remediated in Zcash and no action is required by Zcash users.
  • The successful remediation for Sprout addresses was introduced by the Zcash Company in the Zcash Sapling upgrade that occurred on the 28th of October, 2018.
  • The vulnerability was specific to counterfeiting and its exploitation would not have impacted privacy.
  • Zcash has not been susceptible to this attack since the Sapling activation.
  • We have found no evidence that the vulnerability was discovered by anyone else or that counterfeiting occurred.
  • The Zcash Company used best practices in operational security to keep this information private, and responsible disclosure to share it with two affected projects.

Background

On March 1, 2018, Ariel Gabizon, a cryptographer employed by the Zcash Company at the time, discovered a subtle cryptographic flaw in the [BCTV14] paper that describes the zk-SNARK construction used in the original launch of Zcash. The flaw allows an attacker to create counterfeit shielded value in any system that depends on parameters which are generated as described by the paper.

This vulnerability is so subtle that it evaded years of analysis by expert cryptographers focused on zero-knowledge proving systems and zk-SNARKs. In an analysis [Parno15] in 2015, Bryan Parno from Microsoft Research discovered a different mistake in the paper. However, the vulnerability we discovered appears to have evaded his analysis. The vulnerability also appears in the subversion zero-knowledge SNARK scheme of [Fuchsbauer17], where an adaptation of [BCTV14] inherits the flaw. The vulnerability also appears in the ADSNARK construction described in [BBFR14]. Finally, the vulnerability evaded the Zcash Company’s own cryptography team, which includes experts in the field that had identified several flaws in other parts of the system.

Importantly, the [BCTV14] construction did not have a dedicated security proof, as noted in [Parno15], and relied mainly on the [PGHR13] security proof and the similarity between the two schemes. The Zcash Company team did attempt to write a security proof in [BGG17], but it did not uncover this vulnerability. Zcash has since upgraded to a new proving system [Groth16] which has multiple independent proofs and significantly better analysis.

After finding the vulnerability, Ariel immediately contacted another cryptographer at the Zcash Company, Sean Bowe. After Sean confirmed the existence of the vulnerability, Zooko Wilcox (CEO of the Zcash Company) and Nathan Wilcox (CTO of the Zcash Company) were briefed. Through careful coordination, the counterfeiting vulnerability was mitigated in the Zcash network without any known further disclosure outside this group of four people.

With the activation of Sapling, Sprout transactions were moved onto the new [Groth16] proving system, fixing the issue on the Zcash network as described below.

To exploit the counterfeiting vulnerability, an attacker would have needed to possess information found in the large MPC protocol transcript that was made available shortly after the launch of Zcash. This transcript had not been widely downloaded and was removed from public availability immediately upon discovery of the vulnerability to make it more difficult to exploit. The Zcash Company adopted and maintained a cover story that the transcript was missing due to accidental deletion. The transcript was later reconstructed from DVDs collected from the participants of the original ceremony and posted following the Sapling activation.  

We have been monitoring the total of funds in the Sprout pool against time and have not found any indication that any counterfeiting activity has taken place.

Counterfeiting Vulnerability Details

The [BCTV14] parameter setup algorithm, as described by the paper, mistakenly produces extra elements that violate the soundness of the proving system. The construction described by [BCTV14] Appendix B is a variant of the [PGHR13] zk-SNARK scheme with modifications to improve performance and adapt the scheme for the asymmetric pairing setting. This scheme was used in the original launch of Zcash and has been independently implemented by several other projects.

Ariel Gabizon, a cryptographer employed by the Zcash Company at the time of discovery, uncovered a soundness vulnerability. The key generation procedure of [BCTV14], in step 3, produces various elements that are the result of evaluating polynomials related to the statement being proven. Some of these elements are unused by the prover and were included by mistake; but their presence allows a cheating prover to circumvent a consistency check, and thereby transform the proof of one statement into a valid-looking proof of a different statement. This breaks the soundness of the proving system.

The [BGG17] multi-party computation (MPC) protocol that produced Sprout parameters for the [BCTV14] construction follows the paper’s setup procedure, including the computation of the extra elements. These are not included in the actual parameters distributed to Zcash nodes since they are omitted from the parameter file format used by the proving routine implementation of [BCTV14] in the libsnark library (used by Sprout). However, these elements do appear in the MPC ceremony transcript. Consequently, anyone with access to the ceremony transcript would have been able to create false proofs.

What is affected?

While Zcash is no longer affected, any project that depends on the MPC ceremony used by the original Sprout system distributed in the initial launch of Zcash is vulnerable. This original Sprout system for shielded funds comprises the original Sprout circuit, the [BCTV14] proving system using libsnark, and the parameters generated by an MPC ceremony [BGG17]. It was used by the 1.x series of Zcash software (which also carried the “Sprout” name).

The algorithm described in [BCTV14], before the update corresponding to this disclosure, is vulnerable (though its libsnark implementation, when used with its built-in parameter generation, is not). The vulnerability was included in some independent implementations of [BCTV14], such as [snarkjs], even though they do not require an MPC. Similar flaws can be found in the [BBFR14] and [Fuchsbauer17] zk-SNARK schemes.

We do not have an exhaustive list of all systems affected by this vulnerability, and we encourage all users, developers and maintainers of systems using [BCTV14] to take the time to triage this issue and check if they are affected.

Resources:

Original Sprout circuit implementation

Original Sprout zk-SNARK parameters: proving key and verifying key.

Sprout proving and verifying routines

[BCTV14]

libsnark proving system and its Zcash fork

What is not affected?

The newer Sprout-on-Groth16 system used by Zcash mainnet for Sprout addresses ever since the Sapling activation (block 419200 on 28 Oct 2018) is not affected by the counterfeiting vulnerability. It uses a new Sprout circuit that runs on the Groth16 proving system with new parameters, and operates on the BLS12-381 curve implemented in the Bellman library. The newer Sapling system for shielded funds, activated at the same time and using a new address format, is not vulnerable either.

The vulnerability is not present in the algorithms of [PGHR13] (which underlies [BCTV14]), nor in [BCGTV13], which used similar techniques. It is also not present in other zk-SNARK constructions, such as [GM17] or [BG18], or in zero-knowledge proof systems that do not rely on a structured reference string. It is not present in libsnark when used with its built-in parameter generator.

Resources:

New Sprout-on-Groth16 circuit implementation

New Sprout-on-Groth16 zk-SNARK parameters

New Sprout-on-Groth16 proving and verifying routines

Groth16 proving system

Third Party Disclosure

An analysis of the market cap of affected projects revealed that we could reach more than a two-thirds majority of affected capital with only two disclosures: Horizen, with whom we already had a reciprocal vulnerability disclosure agreement, and Komodo, with whom we formed a disclosure agreement in order to disclose this issue to them privately.

We established a ninety-day maximum public disclosure timeline with both parties, and provided the conditions required for a workable solution.

Further disclosure would have significantly increased the risk of exploitation of the majority of capital for much smaller gains in terms of coverage of users and capital. To protect the shielded pools of these and other projects, exact details of the cause of the vulnerability were redacted from the private disclosures. It appears that both Horizen and Komodo have taken appropriate actions per our recommendation. We recommend that third parties including affected projects, wallets, and exchanges, carefully consider how best to work through the upgrades needed to fix this issue.

Timeline of Events

01 March 2018

Ariel Gabizon, a cryptographer working for the Zcash Company, discovered the flaw while attending the Financial Cryptography 2018 conference, where he had been invited to present [BGG17] to the Bitcoin’18 workshop. Sean Bowe, a cryptographer at the Zcash Company, and Zooko Wilcox, the CEO of the Zcash Company, were also attending the conference.

The issue was discovered by Ariel the night before his presentation, and he contacted Sean to confirm. Sean met Ariel in person and the two contacted Zooko immediately. Zooko then met Sean and Ariel in person to determine a response strategy. It was quickly determined that the transcript (which would allow an adversary to create false proofs) should be deleted from where it had been publicly made available by the company, since it appeared unlikely that many had downloaded it until that point. Zooko contacted Nathan Wilcox, the CTO of the Zcash Company, to ask him to delete the transcript.

02 March 2018 – 27 October 2018

Nathan deleted the transcript under a coinciding operational security cover story.

Sean had an additional backup of the transcript, which was later transferred into the dual possession of Sean and Zooko (Sean kept an encryption key, while Zooko deposited the USB in a safe deposit box) until it was later decided to destroy the backup entirely.

Two mitigation strategies were proposed. Ariel proposed a mitigation which involved an emergency hardfork that required users to switch to new zk-SNARK parameters that did not suffer from the vulnerability, by re-randomizing or replacing the existing parameters in a subsequent ceremony. Sean proposed that the mitigation be covertly included in the Sapling network upgrade by switching to the Groth16 proving system and parameters constructed in the upcoming Sapling ceremony. The team agreed to adopt Sean’s recommendation.

Covert mitigations were developed and deployed without further known disclosures beyond these four individuals.

28 October 2018

The Sapling network upgrade activated successfully on the Zcash mainnet, removing the counterfeiting vulnerability.

01 November 2018

The director of product security at the Zcash Company, Benjamin Winston, was briefed on the vulnerability and worked with the existing team to prepare disclosure packages for other affected projects.

09 November 2018

Josh Swihart, vice president of marketing and business development at the Zcash Company, was briefed on the vulnerability in order to coordinate and prepare communications for two possible scenarios: full disclosure (this and related communications), or a leak by the parties to which information was initially released prior to the full disclosure date.

13 November 2018

The Zcash Company disclosed the impact and fix path of this issue to Horizen’s (previously known as ZenCash) security team (security@zencash.com) and Komodo (ca333@komodoplatform.com) using PGP encrypted email.

The Zcash Company did not disclose the specifics of the vulnerability, only its existence and our recommendation to upgrade their proving system to Groth16. We also did not tell them who else was notified. The complete message and disclosure sent to both Horizen and Komodo is copied below.

Three hours later, ZenCash responded to say that they had decrypted our message and that they were looking into the issue.

16 November 2018

Komodo responded to say that they’d received the notification. Later communication made it clear that they were working on a fix.

18 November 2018

Sean reconstructed the transcript from the DVDs collected from the participants of the original ceremony. Sean posted the reconstituted transcript.

10 December 2018

Zcash Company team members (Benjamin, Josh, Zooko) met with the Horizen team by video conference. The Horizen team members present were Alberto Garofollo, Dean Steinbeck, Maurizio Binello, Rob Viglione, Rosario Pabst. In the meeting we discussed the timeline for full disclosure. The Horizen team asked to be given the details of the full disclosure prior to posting. We did not agree to provide them these details.

20 December 2018

Zooko notified and briefed David Campbell, COO of the Zcash Company.

05 January 2019

Zooko notified and briefed Zcash founding scientists Eli Ben-Sasson, Eran Tromer, Madars Virza and Matthew Green. These founding scientists, along with Alessandro Chiesa, were the original authors of [BCTV14] and [BGG17].

08 January 2019

Zooko notified and briefed Zcash founding scientist Alessandro Chiesa.

25 January 2019

Benjamin and Josh briefed John O’Brien, partner at Strange Brew Strategies, who serves as the Zcash Company PR firm, in preparation for supporting press inquiries.

29 January 2019

Sean and Ariel briefed Zcash company cryptographers Daira Hopwood and Jack Grigg.

Benjamin filed for a CVE number for this issue, and received CVE-2019-7167 from mitre.org.

31 January 2019

Benjamin and Josh met with Steve Lee from Komodo to coordinate the public release of information.

01 February 2019

Benjamin and Josh briefed Zcash team members Brad Miller, Elise Hamdon and Paige Peterson for readiness and assistance in preparation for public disclosure. Andy Murray, Zcash Company CFO, was briefed by David Campbell.

04 February 2019   

Jack Gavigan, head of product and regulatory relations, was briefed.

The Zcash Foundation and its board members were briefed.

All employees and contractors working full time at the Zcash Company were briefed on a joint conference call.

Community member and forum moderator mineZcash (pseudonym) was briefed.

Sprout ceremony participants Derek Hinch of the NCC Group and John Dobbertin (pseudonym) were briefed.

CVE-2019-7167 details were updated.

05 February 2019

The Zcash Company made its public disclosure through this blog post, social media channels and direct contact with other third parties.

CVE-2019-7167 was released with the text shown in this post.

List of References

[BCTV14] https://eprint.iacr.org/2013/879

[PGHR13] https://eprint.iacr.org/2013/279

[BGG17] https://eprint.iacr.org/2017/602

[Parno15] https://eprint.iacr.org/2015/437

[snarkjs] https://github.com/iden3/snarkjs

[Groth16] https://eprint.iacr.org/2016/260

Papers inheriting the soundness vulnerability from [BCTV14]:

[BBFR14] https://eprint.iacr.org/2014/617

[Fuchsbauer17] https://eprint.iacr.org/2017/587

Technical Details of CVE-2019-7167

Title
*****

BCTV14 setup produces elements that violate soundness leading to Counterfeiting Vulnerability in Zcash and others

Description
***********

The construction described by [BCTV14] in Appendix B, is a variant of the [PGHR13] zk-SNARK scheme with modifications to improve performance. This scheme was used in the original 2016 launch of Zcash and has been independently implemented by several other projects.

Ariel Gabizon, while working for the Zcash company, discovered a soundness bug in [BCTV14] that is described in this security notice:

The key generation procedure of [BCTV14], in step 3, produces various elements that are the result of evaluating polynomials related to the statement being proven. Some of these elements are unused by the prover and were included by mistake; but their presence allows a cheating prover to circumvent a consistency check, and thereby transform the proof of one statement into a valid-looking proof of a different statement. This breaks the soundness of the proof system. We refer to these elements as “bypass elements.”

The [BGG17] multi-party computation (MPC) protocol that produces parameters for the [BCTV14] construction follows the setup procedure closely, and so the bypass elements are produced. They are not included in the actual proving key distributed to Zcash nodes since they are explicitly excluded from the parameter file format used by the proving routine implementation of [BCTV14] in the “libsnark” library (used by Sprout). However, these elements do appear in the MPC ceremony transcript. Consequently, anyone with access to the ceremony transcript would have been able to create false proofs.

The vulnerability also affects an older MPC scheme [BCGTV15]. This vulnerability was also included in some independent implementations of [BCTV14], such as [snarkjs], even though they do not require an MPC. Similar flaws can be found in the [BBFR14] and [Fuchsbauer17] zk-SNARK schemes, which are adaptations of [BCTV14].

Impact
******

The ability to break soundness in the proving system permits the creation of false proofs. Zero-knowledge proofs are used in a system like Zcash to ensure that transactions are valid, so this bug implies the ability to create an unlimited amount of shielded coins wherever the verifier is affected by it.

Credit
******

This vulnerability was discovered by Ariel Gabizon while he was working for the Zerocoin Electric Coin Company.

What is affected?
*****************

Any project that implements [BCTV14] and does not completely dispose of the bypass elements as part of the setup process.

That includes but is not limited to any project that depends on the trusted setup used by the original Sprout system that was distributed in the initial 2016 launch of Zcash. This original Sprout system for shielded funds is comprised of the original Sprout circuit, the [BCTV14] proving system using libsnark, and the parameters generated by an MPC ceremony [BGG17]. It was used by the 1.x series of Zcash software (which also carried the “Sprout” name).

[BCTV14] is available at https://eprint.iacr.org/2013/879

The original Sprout circuit implementation is here: https://github.com/zcash/zcash/tree/32d3a3352e45457f689585cc49d554599583bbd0/src/zcash/circuit

The original Sprout zk-SNARK parameters are here: https://z.cash/downloads/sprout-proving.key (sha256sum: 8bc20a7f013b2b58970cddd2e7ea028975c88ae7ceb9259a5344a16bc2c0eef7) and https://z.cash/downloads/sprout-verifying.key (sha256sum: 4bd498dae0aacfd8e98dc306338d017d9c08dd0918ead18172bd0aec2fc5df82)

The Sprout proving and verifying routines are here: https://github.com/zcash/zcash/blob/685c0ab07fd90b244dac5e2cb1f069ac6151ec5c/src/zcash/JoinSplit.cpp

The BCTV14 proving system implementation (in libsnark) is here: https://github.com/zcash/zcash/tree/c938fb1f179d9bdefc5bc7e55fc6330a8b8d3713/src/snark/libsnark/zk_proof_systems/ppzksnark/r1cs_ppzksnark
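A first triage step for the "check if you are affected" advice in this post is to fingerprint the parameter files a node actually loads against the SHA-256 digests the advisory gives for the original Sprout proving and verifying keys. The script below is an added example, not code from the Zcash post or from the Zcash codebase. It assumes the parameter files sit in a directory passed on the command line (defaulting to `~/.zcash-params`, the location zcashd uses); the file-suffix filter and the function names are the example's own. A digest match means the node still carries the affected [BCTV14] Sprout parameters. A non-match does not prove safety: parameters produced by any setup that followed the paper's step 3 without discarding the bypass elements are equally affected, so the Groth16 migration described under Mitigation is still the real fix.

```python
"""Added example (not from the Zcash post or codebase): fingerprint zk-SNARK
parameter files against the SHA-256 digests published in the advisory for the
original Sprout proving and verifying keys.

Assumptions: parameter files are in a directory given on the command line
(default ~/.zcash-params); only *.key and *.params files are examined."""

import hashlib
import sys
from pathlib import Path
from typing import Dict, Tuple

# Digests copied from the advisory's "What is affected?" section.
AFFECTED_SPROUT_PARAMS: Dict[str, str] = {
    "8bc20a7f013b2b58970cddd2e7ea028975c88ae7ceb9259a5344a16bc2c0eef7":
        "original Sprout proving key (sprout-proving.key), affected by CVE-2019-7167",
    "4bd498dae0aacfd8e98dc306338d017d9c08dd0918ead18172bd0aec2fc5df82":
        "original Sprout verifying key (sprout-verifying.key), affected by CVE-2019-7167",
}
NO_MATCH = "not a known affected Sprout parameter file"


def sha256_bytes(data: bytes) -> str:
    """Hex SHA-256 of an in-memory buffer (used for small inputs and tests)."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256; the proving key is large, so never read it whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def classify_digest(digest: str) -> Tuple[bool, str]:
    """Map a hex SHA-256 digest to (affected, description).

    Only a positive match is conclusive; an unknown digest may still be an
    affected parameter set produced by a different BCTV14 setup."""
    description = AFFECTED_SPROUT_PARAMS.get(digest.lower())
    return (True, description) if description else (False, NO_MATCH)


def triage_params_dir(directory: Path) -> Dict[str, Tuple[bool, str]]:
    """Hash every *.key / *.params file in the directory and classify each one."""
    results: Dict[str, Tuple[bool, str]] = {}
    for path in sorted(directory.iterdir()):
        if path.is_file() and path.suffix in (".key", ".params"):
            results[path.name] = classify_digest(sha256_file(path))
    return results


if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else Path.home() / ".zcash-params"
    report = triage_params_dir(target)
    for name, (affected, description) in report.items():
        print(f"{'AFFECTED' if affected else 'ok      '}  {name}: {description}")
    # Non-zero exit when any affected parameter file is present, for use in checks.
    sys.exit(1 if any(affected for affected, _ in report.values()) else 0)
```

Run it as `python3 triage_params.py /path/to/params`; it exits non-zero when either affected Sprout key is found, which makes it easy to wire into a node's deployment checks while the migration away from the [BCTV14] parameters is carried out.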

What is not affected?
*********************

The newer Sprout-on-Groth16 system used by Zcash mainnet for Sprout addresses ever since the Sapling activation (block 419200 on 28 Oct 2018) is not affected by the counterfeiting vulnerability. It uses a new Sprout circuit that runs on the Groth16 proving system with new parameters, and operates on the BLS12-381 curve implemented in the Bellman library. The newer Sapling system for shielded funds, activated at the same time and using a new address format, is not vulnerable either.

The vulnerability is not present in the algorithms of [PGHR13] (which underlies [BCTV14]), nor in [BCGTV13], which used similar techniques. It is also not present in other zk-SNARK constructions, such as [GM17] or [BG18], or in zero-knowledge proof systems that do not rely on a structured reference string. It is not present in libsnark when used with its built-in parameter generator.

The new Sprout-on-Groth16 circuit implementation is located here at time of publishing this information: https://github.com/zcash-hackworks/sapling-crypto/tree/master/src/circuit

The new Sprout-on-Groth16 zk-SNARK parameters are located here at time of publishing this information: https://z.cash/downloads/sprout-groth16.params

The new Sprout-on-Groth16 proving and verifying routines are located in the librustzcash library (at time of publishing): https://github.com/zcash/librustzcash

The Groth16 proving system is implemented in the Bellman Rust library: https://github.com/zkcrypto/bellman

Mitigation
**********

Users of projects still affected by this issue should change the zk-SNARK parameters to some that are not affected by this bug. Zcash switched to new parameters using a new “Sprout-on-Groth16” proving system as of the Sapling network upgrade on October 28th 2018, and so is not affected by the bug.

Therefore, users of Zcash do not need to take any action.

Projects still affected by this vulnerability that do not wish to switch proving systems might instead wish to perform their own parameter setup to produce replacement parameters. Projects following this path are strongly encouraged to use a large, public MPC with thorough security analysis. In the interim, they are advised to disable functionality (e.g., shielded transactions) that relies on the affected proof system.

References
**********

[BCTV14] https://eprint.iacr.org/2013/879

[PGHR13] https://eprint.iacr.org/2013/279

[BGG17] https://eprint.iacr.org/2017/602

[Parno15] https://eprint.iacr.org/2015/437

[BCGTV15] https://www.ieee-security.org/TC/SP2015/papers-archived/6949a287.pdf

[snarkjs] https://github.com/iden3/snarkjs

Papers inheriting this issue from [BCTV14]:

[BBFR14] https://eprint.iacr.org/2014/617

[Fuchsbauer17] https://eprint.iacr.org/2017/587

Correspondence to Horizen and Komodo

Hello,

There is a serious vulnerability in your software. Enclosed is a private advisory with more detail about the vulnerability. We strongly recommend keeping the impact of this issue secret until your project is able to deploy mitigations, because of the associated risks to projects that are still affected and people who know the details.

The issue was discovered internally at Zcash and extreme caution has been exercised to protect its existence from premature disclosure, to avoid exploitation anywhere and to assure the availability of our network and the safety of our people. With the activation of Sapling, our network is no longer vulnerable to this bug, but we’d like to take the right steps to provide you a similar opportunity without putting any of our people at risk.

The vulnerability allows an attacker to create very large, virtually unlimited amounts of counterfeit shielded tokens without detection.

In order to mitigate this bug, we recommend a hardfork that adopts the newer Groth16 implementation of Sprout shielded transactions, which uses a more secure circuit implementation and parameters and is not affected by this bug.

This mitigation was successfully deployed in Zcash as part of the Sapling network upgrade. This mitigation has several advantages, but among them is that it does not require alerting anyone to the existence of a security bug in order to deploy, because the upgrade has legitimate performance and security benefits beyond fixing this bug.

Other possible mitigations for this bug have been analyzed and determined to be too expensive and risky to undertake. Further, revealing those considerations would make it harder for you to protect your users, given that other projects are also affected. Our best effort has been put into developing a strong mitigation to this bug in our own software, which we believe now presents you with a far simpler upgrade path than you might otherwise face.

We have disclosed this to the largest projects who use this code by market cap in order to protect the largest possible amount of capital; however, we have decided not to alert all other affected projects yet.

I would like to assign a CVE to this issue, then publish the full details of this vulnerability publicly and notify all remaining affected projects no later than ninety days from today’s date: Today is Tuesday November 13th 2018, meaning I’d like to publicly disclose full details of this issue before Monday February 11th 2019 at the latest.

I will do my best to assist you in understanding the software upgrade path.

Benjamin Winston bambam@z.cash
Director of Product Security, z.cash

Title
*****

Sprout shielded transaction bug allows for unlimited counterfeiting.

Description
***********

A fundamental cryptographic flaw exists that allows an attacker to create proofs that falsely convince the original Sprout zk-SNARK verifier of the correctness of a transaction.

Impact
******

By exploiting this bug, an attacker could create fake Sprout shielded notes containing large amounts of counterfeit funds without being detected.

Credit
******

We would like to include credit for this discovery in a coordinated public release after your software is fixed and your users are safe.

What is affected?
*****************

Any project that depends on the original Sprout system that was distributed in the initial launch of Zcash.

The original Sprout zk-SNARK system is comprised of the original Sprout circuit and parameters on the [BCTV14] proving system using libsnark and was used by the 1.x series of Zcash software (which also carried the “Sprout” name).

The original Sprout circuit implementation is here:
https://github.com/zcash/zcash/tree/master/src/zcash/circuit

The original Sprout zk-SNARK parameters are here:
https://z.cash/downloads/sprout-proving.key
https://z.cash/downloads/sprout-verifying.key

The Sprout proving and verifying routines are here:
https://github.com/zcash/zcash/blob/master/src/zcash/JoinSplit.cpp

The BCTV14 proving system implementation (in libsnark) is here:
https://github.com/zcash/zcash/tree/master/src/snark/libsnark/zk_proof_systems/ppzksnark/r1cs_ppzksnark

What is not affected?
*********************

The newer Sprout-on-Groth16 system used by Zcash mainnet for Sprout transactions on and after block 419200 is not affected by this bug. It uses a new Sprout circuit that runs on the Groth16 proving system with new parameters, and operates on the BLS12-381 curve implemented in the Bellman library.

The new Sprout-on-Groth16 circuit implementation is located here:
https://github.com/zcash-hackworks/sapling-crypto/tree/master/src/circuit

The new Sprout-on-Groth16 zk-SNARK parameters are located here:
https://z.cash/downloads/sprout-groth16.params

The new Sprout-on-Groth16 proving and verifying routines are located in the librustzcash library:
https://github.com/zcash/librustzcash

The Groth16 proving system is implemented in the Bellman Rust library:
https://github.com/zkcrypto/bellman

Mitigation
**********

We strongly recommend that you switch to the newer Sprout-on-Groth16 zk-SNARK system, as it is not vulnerable to this bug.

Publication Timeline
********************

We would like to publish this vulnerability publicly and notify all other affected projects who are not in our initial distribution list using Github’s security response system, and on our social media channels and website no later than 90 days from today’s date. Today is Tuesday November 13th 2018, meaning I’d like to publicly disclose full details of this issue before Monday February 11th 2019 at the latest.

References
**********

[BCTV14] https://eprint.iacr.org/2013/879

The post Zcash Counterfeiting Vulnerability Successfully Remediated appeared first on Zcash.

Zcash Shielded Addresses are GDPR Compliant by Default
https://z.cash/blog/zcash-shielded-addresses-are-gdpr-compliant-by-default/ (Fri, 01 Feb 2019)

The European Union’s General Data Protection Regulation (GDPR) came into force earlier this year. It establishes the rights of EU citizens with regard to data protection and privacy, and it regulates the collection, processing and export of personal data outside the region. Sweeping data privacy regulation like the GDPR is soon to be the rule not the exception. This has sparked a necessary discussion about how blockchain-based technologies apply within the context of the regulation, due to the public nature of transaction data in most applications, where there is a credible risk of identifiable information being linked back to a specific individual.

Consumers demanding protection of data

The risks associated with storing and processing personal data result in information being stolen from millions of people each year, sometimes with life-altering consequences. As a result, consumers are increasingly demanding better protection and care of their data, and businesses are awakening to the fact that such protection is critical. With breaches leading to public outcry and revenue losses in the billions of dollars, putting the control of data back into the hands of customers reduces liability while empowering individuals.

Zcash supports regulatory requirements

As a privacy-protecting digital currency, Zcash is particularly well-positioned to support the regulatory requirements. Shielded addresses enable users to send and receive Zcash without publicly disclosing their addresses or the amount transacted. According to a recent TechGDPR report contracted by the Zcash Company to analyze the use of Zcash within a subscription payment system, these private addresses prevent publicly transmitted information from being linked back to an individual, therefore making them compliant for GDPR purposes and out of the scope of the regulatory requirements.

GDPR compliant by default

This is precisely the reason Germany-based company Least Authority (a sibling to Zcash Company) included shielded addresses as a component in their design of P4, a private periodic payments protocol, as described in a recent press release.

Shielded addresses are GDPR compliant by default, which is an important contrast to a scenario where compliance is sought after the fact. These addresses are never at risk of leaking data in a post-compliance scenario because they neither store nor transmit identifiable information at any point in the transaction process. In most other blockchain implementations transaction data is always public, and prevailing guidance suggests the destruction of private keys for compliance.

Within Zcash, users may consent to sharing transaction data with select third parties. This is permitted under GDPR as long as the third party can demonstrate that it has been authorized by the individual.

Zcash a meaningful mechanism for consent

We are at the beginning of what promises to be a longer journey toward privacy-by-design in the realm of blockchain technology. We believe the Zcash Company is uniquely positioned to lead the charge in advocating for an individual’s right to consent to the processing and sharing of personal data. We are committed to continued exploration about where privacy-preserving blockchain technologies intersect with regulatory compliance mandates and how Zcash can serve as a meaningful mechanism for consent within the boundaries of compliance.

The post Zcash Shielded Addresses are GDPR Compliant by Default appeared first on Zcash.

2018 Security Audit Results Overview
https://z.cash/blog/2018-security-audit-results-overview/ (Thu, 31 Jan 2019)

As we embark on a new year with new goals, the Zcash Company remains committed to the security and safety of our user community. Last year, we published our schedule for security audits in 2018. Today, we are excited to announce the results. While the scope primarily pertained to the Overwinter and Sapling network upgrades, more general reviews of the protocol and code were also conducted.

The result details and our response to each issue are now available in a detailed format. Those interested in the technical details can follow along with our analysis and read the changes to our source, protocol specification and documentation.

Summary

Auditors found a few places where our implementation and specifications differed. Most of the changes that we made to fix this were to clarify the specification and bring it in line with the implementation, which was correct. For example, we added a color scheme to the protocol specification making it clearer which items referred to Overwinter and Sapling.

Two vendors identified that transaction timeouts in their original form could be used to DoS the network, and we have implemented their suggestions. Another issue that was reported to us was considered safe within our implementation, but nevertheless we adapted our application of RedDSA to make it strong for a wide range of uses and we then used it for batch verification later in the development cycle.

In addition, we’ve incorporated the general suggestions vendors made for extra documentation clarity, we’ve ramped up retrospectives from audits (after issues have been fixed) and we formalized a network upgrade pipeline to allow more time for external security auditing without losing development pace. This year, we plan to introduce more significant security checking into our continuous integration systems.

Looking Forward

As we progress with future developments of Zcash, expect ongoing announcements of new audit rounds. Whether features are within the scope of network upgrade releases or significant developments in regular releases which do not require consensus changes, we are still committed to maintaining an open and secure engineering process with a heavy investment in security.

Any worldwide economic infrastructure such as Zcash requires comprehensive review as a fundamental component to user safety. Further, we suggest you bookmark our security information page which includes contact information to report potential security vulnerabilities and links to security announcements and user recommendations pages.

The post 2018 Security Audit Results Overview appeared first on Zcash.
