Cryptocurrencies are already steeped in unfathomable depths for some. The idea of a cryptographic currency just too deep to comprehend for some, and seeming like “magic” to others.

To create even more mystery, the privacy focused coin Zcash was born through a mysterious Ceremony meant to ensure that the blockchain remains secure, and that it isn’t possible for anyone to ever create counterfeit Zcash.

The original genesis ceremony occurred on October 23, 2016, birthing Zcash. It was recorded live on YouTube and was also uploaded on RadioLab. Both are an interesting look into cryptocurrency in general and the creation of a privacy-entered cryptocurrency specifically.

But just what is The Ceremony, and what does it achieve? Below I’m taking a deep dive into the Zcash ceremony, and how it works to secure Zcash from the creation of counterfeit tokens

Toxic Waste and Counterfeiters



Image via Fotolia

The private transactions of Zcash rely on zk-snark public parameters to construct and verify the zero-knowledge proofs of the Zcash blockchain.

While the inner workings of zk-snark are probably understood by about as many people as truly understand quantum physics, in the most basic sense generating public snark parameters is akin to creating a public/private keypair, where the public key is retained, but the private key is destroyed.

The private key must be destroyed because if anyone had possession of it they could use it to create as much counterfeit Zcash as they like. There’s nothing else they could do with it, like steal someone else’s coins or violate their privacy, but I think the ability to create millions or even billions of dollars worth of Zcash is quite dangerous enough.

The Zcash developers have called this private key “the toxic waste”, and The Ceremony was designed to ensure that the toxic waste is not only destroyed, but that it never even comes into existence.

Zooko Wilcox, the creator of Zcash, is very clear in noting that the destruction of the toxic waste doesn’t make it impossible to counterfeit Zcash, although they are working on a solution to that problem with the Sapling hard fork that is scheduled to occur in September 2018.

Even Bitcoin faced the counterfeiting problem. Back in August 2010 a transaction took advantage of a flaw in the Bitcoin code to create more than 184 billion counterfeit Bitcoin. The transaction was quickly noticed, and Bitcoin was forked to remove the transaction and the code flaw, but nothing says Zcash might not have a similar flaw unrelated to the toxic waste private key.

In fact, Zcash would be more vulnerable than Bitcoin, which easily found the counterfeit coins because its transactions are publically exposed. Because Zcash hides transaction amounts, any counterfeiting would likely go undetected.

Designing a Secure Ceremony

The Zcash developers decided to reduce the risk of someone acquiring the toxic waste through the creation of a Multi-Party Computation (MPC) protocol – now known as The Ceremony. It’s kind of like multi-sig for the creation of a zk-snark protocol. Six participants were chosen and each was tasked with generating one shard of the public/private key set.



Image via Fotolia

These six were geographically dispersed, and were also unknown to each other prior to the conclusion of The Ceremony. Once the public/private pair shards were complete the six combined their public key shards to generate the public parameters of Zcash, and then each destroys their shard of the private key.

This MPC protocol ensures that as long as at least one of the six shards is destroyed the toxic waste will be impossible to recreate. The only way the toxic waste could be constructed is if all six of the participants were in collusion.

The genesis ceremony was conducted by Zooko Wilcox and five others who he considered to be ethical and who also possessed what he considered to be good information security practices. Five of those participants are now known, but the sixth remains anonymous.

Since the genesis block Ceremony in October 2016 there has been a second Zcash ceremony which was called the “Powers of Tau” ceremony. It was expanded to include approximately 90 different individuals and organizations, making it even more secure against collusion. The first stage was held in January 2018 as preparation for the Overwinter fork scheduled to occur in June 2018 and the following Sapling fork in September 2018.

The Ceremony is comprised of three separate core defenses that work together to provide the full security. These are the above mentioned Multi-Party Computation, air gaps, and evidence trails.

Multi-Party Computation

The benefit of using Multi-party computation is that only one of the people involved needs to destroy their private key shard to make the Ceremony a success. The moment that just one participant destroys their private key shard it becomes impossible for the toxic waste to be created.

This is the core of the design, and it meshes with the other defenses as you’ll see below.

Air Gaps

Air-gapping is when a computer is physically disconnected from any network. All the participants private keys are used only on air-gapped machines.

Additionally, only brand new computers are used. Bought exclusively for the purpose of The Ceremony, these machines are never connected to any network, and the wifi and Bluetooth cards are physically removed from the machines before they are powered on for the first time.

These computers are called “Compute Nodes” for the purposes of The Ceremony.

By air-gapping the machines most of the attack vector is removed, since the machines are physically incapable of any network connections.

Evidence Trails



Image via Fotolia

Obviously, with multiple participants, there needs to be a way to send messages back and forth between the Compute Nodes to complete the creation of the public parameters.

This is accomplished by the addition of an internet connected machine for each participant, known as the “Network Node”. The Network Node was used for receiving messages, which were then burnt to disc and physically moved to the Compute Node.

Unfortunately this introduced the potential for a surface attack via DVD reading. While this attack type is much harder to pull off, there is never 100% certainty in protecting from an attack. There are several, albeit very difficult and improbable, methods that could be used to exploit this transfer method.

To protect from this, append-only optical discs were used, because they provide an indelible evidence trail of what was written to them and what was passed during The Ceremony. These discs can be examined at a later date if necessary to see if they passed any vulnerable data.

It is important that the optical discs are not overwriteable — they are DVD-R’s, not DVD-RW’s — because that way even if an attacker succeeded at taking over the Compute Node, that wouldn’t have given them the ability to erase the evidence of them doing so.

Additional Defenses

The Ceremony members used several additional techniques to harden their defenses further. For example, all the details of The Ceremony, including when it would occur, who was participating, and the source code, were kept secret until it was completed.

The security conscious language Rust was used to write all the code necessary for computing and networking, and a security-hardened version of Linux was running on the Compute Nodes. A secure hash chain of all messages was compiled and has been posted to Twitter (below) and to the Internet Archive as well as being time-stamped into the Bitcoin blockchain.

Additionally, all the participants had their own personally chosen local defenses, and the machines used in The Ceremony were subsequently destroyed to avoid the possibility of some remnants being read from system RAM.

Future Plans

Upgrades are in the works for Zcash, which began with the first stage of the Powers of Tau Ceremony. That Ceremony had roughly 90 participants, making it even more secure, and it lays the groundwork for the upcoming Overwinter and Sapling forks. Details of the roadmap can be seen here.

The coin’s developers stated in their blog post.

The purpose of Overwinter is to strengthen the protocol for future network upgrades, paving the way for the Zcash Sapling network upgrade later this year

The team reports that the Overwinter software will include the new features like transaction expiry, version control, replay attack protection for network upgrades, and general improvements for transactions transparency.

The Overwinter upgrade is scheduled to go live in June 2018, followed by the September 2018 release of the Sapling upgrade, which will feature a set of groundbreaking performance improvements for our shielded transactions. This will make it feasible to create a mobile wallet for Zcash.

While there is no roadmap yet for the post-Sapling era, the following improvements have been hinted at by the Zcash development team:

A shift from Proof-of-Work to Proof-of-Stake

Private and scalable smart contracts

Scalability improvements to allow for nearly infinite transactions

Further security upgrades to tackle the counterfeit problem, such as the inclusion of a method that will allow anyone to measure the total monetary base of Zcash in circulation.

Wallets and ports for Windows, Mac and mobile

In Conclusion

The Zcash team has created an amazing privacy-centered coin, by creating the cryptographic and infosecurity protocol to generate the zk-snark public parameters necessary for Zcash.

By combining Multi-party computation, air gaps and evidence trails a six person Ceremony was able to generate a blockchain that remains fully anonymous. And by using a six person MPC it is almost certain that the toxic waste, or public key can never be reconstructed.

Then they went even further and created the latest snark public parameters with 90 people, making it almost impossible to imagine enough collusion to ever reconstruct the toxic waste. Just 1 of those 90 needs to destroy their private key shard, and it ensures the private key cannot be reconstructed.

With infinite scalability, private smart contracts, and additional security on the way, it seems that a Ceremony is a good way to introduce a new cryptocurrency to the world.

Featured Image via Fotolia