Privacy is a core characteristic of cryptocurrencies. Despite mainstream conception, however, it is not the primary goal of cryptocurrencies like Bitcoin (BTC) or Ether (ETH), and is more of an ancillary benefit of using cryptography. The situation is altogether different for cryptocurrencies that seek to maximize anonymity when transacting on the network.
Networks like Monero (XMR) and ZCash (ZEC) have soared in popularity, making up part of the handful of leading cryptocurrencies by market cap based on strong guarantees of privacy. Both blockchains offer users virtually complete privacy assurances — Monero with the CryptoNote technology suite, and ZCash deploying the powerful cryptographic primitive zk-SNARKs, offer users virtually complete privacy assurances.
But privacy is more than a technology that obfuscates transaction details. In particular, one of the tricky parts of bootstrapping a network with zero-knowledge proof privacy like ZCash was the problem of the setup.
Known as a “trusted setup,” this process is the initial key parameter generation ceremony for a network that taps zk-SNARKs or other ZKPs for its privacy assurances. Many users of networks that have trusted setups, including ZCash and Zcoin (XZC), are entirely unaware of the vulnerability that trusted setups create. As a consequence, they have gone overlooked.
Let’s revisit the trusted setup and how efforts to move beyond it are succeeding.
Introduction to trusted setups
A trusted setup, or what ZCash calls the “Parameter Generation Event” is a process at the launch of a network where an explicit group of figures tinkers with random numbers that function as the public parameters for creating private transactions on the network. In the case of ZCash, these public parameters are used by anyone sending shielded transactions to construct and verify a zk-SNARK.
The reason a setup phase is necessary is because of the powerful anonymity of zk-SNARKs themselves. The finalized public parameters, determined by a group of participants, serves as the standard from which users extract the privacy assurances of the network. Observers in ZCash cannot view any transaction details, so auditing the initial supply and parameter setup requires a trusted setup as the original launch point.
However, there is a critical problem.
The word “trust” conveys a notion of trusting a group of participants (i.e., a third party) to not act maliciously during and after the ceremony. During the ceremony, the parameters are decided upon, but the “toxic waste” that encompasses the random numbers used must be destroyed by each participant. If not, the party retaining the toxic waste can covertly print counterfeit tokens of the network without raising any eyebrows because it would be entirely anonymous.
Notably, the network (e.g., ZCash) would continue operating as normal, and privacy wouldn’t be sacrificed. However, a worse outcome would ensue: The network’s monetary policy would be subject completely to the caprices of a malicious party. Devalued tokens would result due to outsized inflation, and the network’s token price would crash.
Crypto as a whole runs contrary to the notion of trust in a third party because they are security holes. As you can see, the idea of trusted setups is a Black Swan lurking beneath what seems like calm waters, potentially capable of disrupting the network’s legitimacy at any point — even if it has cutting-edge privacy guarantees. As Nassim Taleb said:
“Never cross a river if it is on average four feet deep.”
Networks that have strong privacy assurances (e.g., zk-SNARKs) yet use a trusted setup can have negative convex events hidden beneath a facade of calm and steady supply issuance. Should a ceremony participant discover a way to furtively manipulate a key parameter from other participants, he can print the native token with impunity and nobody would know.
No matter the degree of privacy, this characteristic of trusted setups makes them irreconcilable with the ethos of cryptocurrencies.
Moving beyond the trusted setup
Early privacy networks attempted to gloss over the significance of trusted setup ceremonies. They would publicly feign a resolute stance while advocating stories about key generation participants coming up with clever methods for ensuring nobody would steal the key parameters during the ceremony.
Some ceremony participants took public transport out of their cities all day during the ceremony, then burned USB drives holding the keys. Such strange tactics only distracted from the crux of the issue — trust.
Now, the narrative is changing.
Once users and developers became more acutely aware of the incompatibility of a trusted setup with the long-term viability of a cryptocurrency, research to uncover an implementation of zk-SNARKS without the setup became a top priority.
To this end, Networks like Zcoin designed the Sigma protocol, while Suterusu created constant-sized zk-ConSNARKs with no trusted setup and an efficient key parameter generation. Moving beyond the trusted setup returns accountability and auditability assurances back to privacy-oriented cryptocurrencies. A Black Swan no longer lurks around the corner, waiting to crash the token into obscurity.
Instead, these types of networks are much more robust than their predecessors. Users can be assured of both their transactional privacy and the notion that the monetary policy is ingrained in the protocol — not subject to the vagaries of malicious generation event participants. Those assurances go a long way in attracting user adoption.
As we prepare for the next wave of crypto users, it is important to be transparent about the flaws and advantages of cryptocurrencies. When it comes to privacy-oriented networks, the setup matters. If there’s a trusted setup, users cannot be guaranteed that high rates of inflation are churning away in the dark.
Just like they can’t be sure that the Fed isn’t doing quantitative easing in the repo market when it’sclearly doing so, solely because of its public effacement of the ongoing process.
Trusted setups are antithetical to the primary reason people adopt cryptocurrencies, specifically Bitcoin, as a viable alternative to the legacy financial system.
Don’t trust — verify. Don’t invest in trusted setups.
The views, thoughts and opinions expressed here are the author’s alone and do not necessarily reflect or represent the views and opinions of Cointelegraph.
Dr. Huang Lin is the co-founder of Suterusu, a project developing trustless privacy technology. He holds Ph.D. degrees in applied cryptography and privacy-preserving distributed systems from Shanghai Jiao Tong University, and the University of Florida. He has worked as a postdoctoral researcher at Ecole Polytechnique Federale de Lausanne on applied cryptography for genomic privacy and blockchain-based data monetization.
Joseph Spezzano received a Masters Degree in computer science from The University of Massachusetts. Joseph has been working as a full-time blockchain programmer for the past 5 years. In his spare time, Joseph enjoys writing for CryptocurrencyInvestments.com and traveling.