Zcash is a decentralized, open-source cryptocurrency that provides strong privacy protections thanks to state-of-the-art cryptographic components. Zcash will upgrade its protocol to a new version, called Sapling, which involves new cryptographic primitives and protocols.

Zcash hired Kudelski to perform a security assessment of the Sapling upgrade prior to activation. The assessment focused on the pairing and bellman libraries with a focus on cryptographic correctness, and so findings were considered for those libraries independently of the wider product.

Only one issue was uncovered by this assessment that resulted in Zcash making code changes to the Sapling codebase to fix directly.

We also reviewed the specification and implementation of the Sapling protocol, which relies on the aforementioned libraries. The Sapling specification is of great depth and complexity, so we focused on the most critical components, reviewing in particular (in no specific order):

The general logic of shielded transactions with Sapling

The cryptographic primitives

The RedDSA signature and RedJubJub curve logic

The relevance and correctness of security assumptions (IND-CCA security, collision resistance, and so on)

The new and critical components, in particular the Pedersen commitment constructions

Key derivation mechanisms, and potential risks of entropy loss 11

The sampling methods distribution uniformity • The randomness beacon

We did not find any shortcoming in these components. However, we did not perform a rigorous security analysis of the protocol and did not assess its provable security properties. For example, we reviewed the consistency of security levels across primitives and cryptographic constructions, but did not verify theoretical secure composition results.

We then reviewed the source code in the sapling-crypto repository. Generally the code is well structured, minimally commented but generally clear enough, although it implements complex operations. We looked for issues of the following type (in no specific order):

Language-specific security issues or unexpected behavior, such as unsafe blocks of code or panics

The processing and parsing of potentially untrusted inputs

The security of critical dependencies, such as the rand library

Discrepancies between the specification and the implementation

Issues reported by static analyzers or code linters

Coding errors or bugs in critical components, such as the Pedersen hash circuitAgain we didn’t identify any meaningful security issue, although we noticed things that we initially thought to be potential problems.

Overall, we believe that the highest risk to Zcash’s security is a flaw in its protocol logic and theoretical properties, rather than in its implementation. The most critical components (such as the Pedersen hash and circuit creation) would nonetheless benefit from a more careful review by a specialist, to ensure that the version implemented totally matches the specified logic.

Our zcash-audit is available, we would like to thank Zcash for trusting us!

To find out more about our crypto services relating to blockchain technology, visit kudelski-blockchain.com