# Zcash Parameters And How They Will Be Generated

### Ariel Gabizon | Sep 25, 2016

At its core, Zcash's privacy technology relies on a novel cryptographic
tool called a zkSNARK - a small zero-knowledge proof that is cheap to
verify. Zcash will be the first to employ this powerful tool on a large scale.
For these zkSNARKs to work, a setup phase is required
where the "system parameters" are generated.
This setup phase is similar to the setup phase of a public-key cryptosystem, but with a catch:
As in the public-key cryptosystem, a pair (\(\mathsf{privkey},\) \(\mathsf{pubkey)}\) is generated, but then \(\mathsf{privkey}\) is *destroyed*.
Indeed, it will be essential for the integrity of the system that after the setup phase *nobody* possesses \(\mathsf{privkey}.\)

\(\mathsf{pubkey}\) corresponds to the required system parameters. \(\mathsf{privkey}\) corresponds to what has been called the "toxic waste" here, and possessing it enables counterfeiting new coins (but does not enable violating the privacy of other users' transactions).

To reduce risk, Zcash has designed a multi-player protocol where \(\mathsf{pubkey}\) will be generated. The protocol has the property that \(\mathsf{privkey}\) now corresponds to the concatenation of all participants' secret randomness. Thus, \(\mathsf{privkey}\) will be destroyed unless *all* of the participants are dishonest or compromised.

The purpose of this post is to give a simplified explanation of what \(\mathsf{pubkey}\) looks like, and how the protocol for generating it works.

## What \(\mathsf{pubkey}\) looks like

Suppose \(g\) is a generator of a group \(G\) where the discrete log is hard. We assume \(G\) has order \(r\) for some prime \(r,\) and we write group operations additively. So for \(s\in \mathbb{F}\), where \(\mathbb{F}\) is the field of size \(r\), we can write \(s\cdot g\) to denote scalar multiplication of \(g\) by \(s\); i.e. \(s\cdot g\) is obtained by adding \(s\) copies of \(g\). A simplified version of (\(\mathsf{privkey},\) \(\mathsf{pubkey)}\) is that \(\mathsf{privkey}\) is simply a uniformly random element \(s\in \mathbb{F}^*\) and \(\mathsf{pubkey}\) is the sequence of group elements

\(\mathsf{pubkey}=\) \((g,s\cdot g, s^2\cdot g,\ldots, s^d\cdot g)\)

Above, \(\mathbb{F}^*\) denotes the set of all non-zero elements of \(\mathbb{F}.\)

## How \(\mathsf{pubkey}\) is generated

We'll say a few words later about *why* \(\mathsf{pubkey}\) looks like this and how it is used,
but let's concentrate for now on designing the protocol for generating \(\mathsf{pubkey}.\)

Let's fix \(d=2\) for simplicity; and also omit the first \(g\) element from \(\mathsf{pubkey}\), as it's straightforward to generate that. Suppose we have two parties, Alice and Bob, that wish to generate a valid public key \(\mathsf{pubkey}=\) \((s\cdot g, s^2\cdot g)\) for the system. They wish to do so in a way that will ensure neither of them will know \(s.\) Let's make it simpler first: suppose they just want to generate \(s\cdot g\) (again, in a way that neither will know \(s)\). They use the following protocol:

- Alice chooses a random \(a\in \mathbb{F}^*\), and sends \(M_1:= a\cdot g\) to Bob.
- Bob then chooses a random \(b\in \mathbb{F}^*\) and multiplies \(M_1\) by \(b\). He sends back the message \(M:= b\cdot M_1\) as their joint output.

At the end of the protocol, we have \(M=b\cdot a \cdot g = (a b)\cdot g\). Let's denote \(s:= a b\).

Note that

- Bob does not learn \(a\) from the message \(M_1,\) as we are assuming the discrete log is hard in \(G\). Same for Alice and \(b.\) In particular, neither knows \(s\) which is the product of \(a\) and \(b\).
- For any fixed \(a\in \mathbb{F}^*\), \(a b\) is a random element of \(\mathbb{F}^*\) when \(b\) is random. So even if Alice cheats in the sense that she didn't choose \(a\) randomly as she was supposed to, e.g. she always chooses \(a=4\), \(s\) will be random. Same is true for Bob cheating and not choosing a random \(b.\)

So as long as *one of them* follows the protocol correctly, \(M=s\cdot g\) will be of the right form.

Now let's try to use a similar idea for generating \((s\cdot g, s^2\cdot g)\):

- Alice chooses a random \(a\in \mathbb{F}^*,\) and sends \((A,B)\) where \(A:= a\cdot g\) and \(B := a^2\cdot g.\)
- Bob chooses a random \(b\in \mathbb{F}^*,\) and sends \(M=(b\cdot A, b^2\cdot B).\)

If Alice and Bob follow the protocol, we get \(M= (b a \cdot g, b^2 a^2 \cdot g) = ( a b\cdot g, (a b)^2\cdot g).\) So this vector is of the right form for \(s:= ab.\)

Here's one problem:
What if Bob cheats and multiplies \(B\) by some \(c\neq b^2\)?
So we get \((ab\cdot g, a^2 c \cdot g),\)
which is not of the form \((s\cdot g, s^2\cdot g)\) for any \(s.\)
We need to somehow check that our output vector *is* of the form \((s\cdot g, s^2\cdot g)\)
for some \(s.\)
In many groups, this is conjectured not to be efficiently doable - this is what's called the square decisional Diffie-Hellman assumption.
However, in our setting we are working with a group that has a *bilinear pairing*.
This is a map \(e:G\times G\to G_T,\) into a group \(G_T\) also of order \(r\) with generator \(\mathbf{g},\) written multiplicatively, such that

\(e(a\cdot g, b\cdot g) = \mathbf{g}^{ab}\)

for any \(a,b\in\mathbb{F}.\) This gives us the following way to check the output \(M\) has the right form. We simply check if

\(e(g,B) = e(A,A).\)

Let's see that if nobody cheated, this check will pass. When nobody cheats we have \(A=s\cdot g,\) and \(B=s^2\cdot g.\) So

\(e(g,B) = e(g,s^2\cdot g) =\mathbf{g}^{s^2}\),

and also

\(e(A,A) = e(s\cdot g,s\cdot g) = \mathbf{g}^{s^2}.\)

One can do a similar computation to see that when \(M\) is not of this form, these two values will differ and the test will fail.

## How \(\mathsf{pubkey}\) is used

Recall that a *polynomial* \(P\) of degree \(d\) over \(\mathbb{F}\) is an expression of the form

\(P(X) = a_0 + a_1\cdot X + a_2\cdot X^2 + \ldots + a_d\cdot X^d\)

We can *evaluate* a polynomial at a point \(s\in \mathbb{F}\) by substituting \(s\) for \(X,\) and computing the resultant sum.
A useful fact is that if \(P\) and \(Q\) are different polynomials of degree at most \(d,\) they can agree on at most \(d\) points.
In Zcash the sender needs to construct two degree \(d\) polynomials \(P\) and \(Q\) in a certain way,
and a lot of mathematical magic ensures that they can make them the same polynomial, i.e., get \(P=Q,\) only if the transaction
is valid.

\(\mathsf{pubkey}\) can now be used to test if \(P\) and \(Q\) are equal at a point \(s\) *not known by the sender*.
Say

\(P(X) = a_0 + a_1\cdot X + a_2\cdot X^2 + \ldots + a_d\cdot X^d\)

and

\(Q(X) = b_0 + b_1\cdot X + b_2\cdot X^2 + \ldots + b_d\cdot X^d\)

Using \(\mathsf{pubkey}=\) \((g,s\cdot g, s^2\cdot g,\ldots, s^d\cdot g),\) the verifier can compute

\(P(s)\cdot g = a_0\cdot g + a_1 s \cdot g + a_2s^2 \cdot g + \ldots + a_d s^d\cdot g\)

and compute \(Q(s)\cdot g\) similarly. The verifier can then check if they are equal.

Since the sender of a non-valid transaction has to construct distinct \(P\) and \(Q\) without knowing \(s,\) the chance that \(P(s)=Q(s)\) is very small.

## Disclaimer

Please note, this post is a significantly simplified presentation of the underlying protocol. A detailed description can be found in the whitepaper.

## References

Our zkSNARKS use SCIPR Lab's implementation of the Pinnochio protocol, which in turn is based on the work of Gennaro, Gentry, Parno and Raykova. Our protocol for parameter generation builds on a previous work of Ben-Sasson, Chiesa, Green, Tromer and Virza.