Zooko Wilcox: There’s a High Level of Scrutiny and Scientific Validation of What We Do in Zcash
In February 2018, the founder and CEO of Zcash, Zooko Wilcox, delivered a presentation at an event organised by Binary District regarding Zero Knowledge Proof Protocols. As the father of multiple network protocols with 20 years of experience, Wilcox is responsible for the creation of a truly privacy-oriented cryptocurrency.
Following the presentation, we spoke with him on a number of topics ranging from the development of blockchains in general to the use-cases of the future. We also discussed more specific issues such as security in Zcash, his collaboration with JPMorgan and the future of cryptography itself.
Blockchains vs. Traditional Ledgers
Margarita: What are the emerging capabilities of blockchain? What’s exciting about it? Especially for you as one of the movers and shakers of the industry.
Zooko Wilcox: The exciting thing about blockchain is decentralisation of control and that applies both to public blockchain and to private blockchains. The only reason why people might want a private blockchain is if they’re eliminating a central point of control in their private enterprise structure; that’s often potentially valuable and disruptive for improving the enterprise.
Even for permissioned blockchains where they want to exclude the public from using the blockchain and they want only members of some industrial group to use the blockchain, nonetheless the value that blockchain provides to that group is that no one within the group has power over the others.
M: There’s also the question, in the case of private blockchains, that maybe it’s just the same as a database and you don't need to make anything complicated. You just need to create a regular database or traditional ledger and it can do the same job. So you don't need to take the decentralised model and make it a bit more centralised, and position it as something decentralised that is beneficial.
ZW: That’s a good question. There may be a situation where a centralised database is sufficient. There may also be a situation where legal enforcement is sufficient to prevent one party from exploiting their power over the other parties in a permissioned private blockchain. For example, you can imagine a set of financial industry actors who want to have a shared database to settle trades among them. So they wish to tokenise ownership of an asset and they want to do their financial trading, and then they want to record onto the shared database the transfer of ownership of the tokenised asset.
There are at least two ways that you can do this. One way is by having a central trusted party, like a clearing house, which owns and manages that database that everyone relies on. Then you have legal obligations to prevent the clearing house from exploiting the private knowledge that it has access to, or from falsifying or mismanaging the data that it’s supposed to be maintaining.
That's what’s currently practiced. However, the other approach of using a blockchain instead of a database means that instead of legal constraints to prevent the exploitation or mismanagement of the data, we have technological constraints that make it so there is no central party who technically has the opportunity to exploit or mismanage.
That might be better; it’s not really proven yet because we haven’t seen large scale deployments with ‘traction’, as we call it in Silicon Valley, with repeated usage, increasing usage, increasing satisfied users, more and more money being saved or being made. We haven't seen that yet. But it is plausible because the technological solution is cheaper, more robust against hackers or corruption and, in particular, it prevents what we call ‘rent-seeking’.
Do you know what ‘rent-seeking’ is? It’s the idea that if you — not you, you’re a good person who would never do this — if someone gets into the position of being the central authority that everyone else relies on, such as a clearing house, and there are legal constraints which say that the clearing house must not use the secret information to exploit it to trade against the users, and it must not falsify or mismanage that data and cause harm to the users, what the clearing house can do is raise prices.
Even if they do not exploit the data or mismanage the data, everyone that relies on them is forced to continue coming back to them for service every day. So they are monopolies and they tend to get more and more expensive and less and less high quality over time — because they’re monopolies. There are several reasons why it could be very valuable to these private consortia to replace their centralised agency with a blockchain.
M: If we can include or set the upper and lower price limits in the protocol, how can we limit the greed of those managing the database?
ZW: If you replace your centralised agency with a blockchain, then you are not relying on the centralised agency which doesn't exist anymore and you’re not paying a fee to that centralised agency which is a monopoly. Instead, you have to participate in the decentralised blockchain network within your private consortia. It’s not yet been proved that that’s better, but it’s plausibly better.
Blockchain in the Financial Sector
M: In terms of the type of blockchain — there’s the Ethereum blockchain, there’s the Zcash blockchain, there’s the Bitcoin blockchain or Ripple — what is the most suitable blockchain for this type of permissioned ledger?
ZW: I don’t know what will be proven to get traction in the marketplace. I do know that, so far, the financial industry players have been most interested in Ethereum because of its smart contracts.
With Ethereum, you know about how the Zcash company has a partnership with JP Morgan to improve an Ethereum-based blockchain?
I’m very proud of this because JP Morgan is the most highly valued bank in the world, or at least it was when we did this — the whole stock market just crashed two days ago and I haven't checked. But JP Morgan is a very important prestigious institution and they are making their own blockchain technology which is called Quorum.
They agreed to a technology partnership with my company — the Zcash company — to add the encryption technology from Zcash into the Quorum enterprise blockchain. I’m very happy about that because it is the validation of the quality of our technology and our team but, more importantly, it is the validation of the importance of privacy and data security for business purposes.
M: Do you plan on releasing a pilot product for them?
ZW: We already have. There is a live open-source implementation of Ethereum which has been modified by JP Morgan and the Zcash company to have various improvements that they have made to make it more suitable for a permissioned blockchain — more suitable than the public Ethereum blockchain. One of those modifications is the addition of the Zcash-style cryptography to protect the data in the permissioned blockchain.
M: On the issue of real-world solutions, do you think that the financial sector is the one benefitting the most from blockchain?
ZW: They were the first ones that started working on the technology.
M: So do you think that there are more results in that sector?
ZW: I don’t know.
M: When we spoke to Peter Todd, he said that the application of blockchain that makes the most sense is the issuance of certificates and proving the existence of certain things. He said that’s where he sees the most projects developed which prove that blockchain actually has real-world use. I don't know if you agree with that.
ZW: I guess that's a prediction about what will find the most usage in the real world and I don't know about what will find the most usage in the real world. I do know that the financial industry, so far, has been most excited about two things: tokenisation of assets with a blockchain so that you can have settlement without a trusted third party is the first thing; the second thing is smart contracts.
The Quorum enterprise blockchain technology from JP Morgan already provided the second thing by using Ethereum’s smart contract technology. The reason they partnered with Zcash was to add data security and encryption for the first thing — the settlement of tokenised assets.
The Biggest Challenges
M: In relation to this, there are applications which are groundbreaking and others that are simply just logical developments. What do you think are the biggest challenges which postpone the development of the technology or postpone the application? Could it be a lack of talent, lack of feasible projects, regulations, or is it something else, say, scalability and security?
ZW: You’ve named a really good list of challenges yourself. Is this for enterprise blockchains or permissioned blockchain ledgers? This list you gave is very good.
M: Is there anything that you, as the lead at Zcash, have personally encountered? For example, not being able to find developers. You definitely have lots of ideas, such as how to improve the network and the applications it may have, but who are the people that can actually bring these ideas to life? The circle of developers is quite small and a lot of them are already involved in various projects.
ZW: That’s a big challenge in the whole cryptocurrency industry right now. Or it was until two days ago when the market crashed. This is for open cryptocurrency and token and smart contract projects, not necessarily for enterprise.
For the open projects, including the open Zcash network, it has been a big challenge recently to hire developers. I think the whole industry faced much the same throughout 2017. All the available developers who already knew the technology have been sucked up and then there were no more left. So all of the projects simultaneously… the inflow of new developers stopped because it was empty. The pool of developers had run dry.
Now, what I think we need to do is start sucking developers and other kinds of professionals — technical developers as well as business, product, marketing, customer support, organisation and everything else. We need to start sucking those people out of the traditional technology industries.
In the United States, for example, we have the big technology companies like Facebook, Google, Amazon and so forth. I think in 2018 more and more of the workers from those other kinds of technology companies will decide that they want to join the cryptocurrency industry.
On Public Scrutiny and Reputation
M: As the lead of an open network, do you think that there are more challenges on this side compared to permissioned ledgers or traditional tech industries? For example, obligations and expectations.
ZW: It’s too bad about the negative aspect of the public — the very public conversation. But, at the same time, it’s really good about the positive aspects of that public conversation because that’s part of how we meet other technologists who are able to help.
We meet and we learn about each other's technology and we find out ways we can cooperate to make the technology better. And it’s part of how we are kept honest; it’s a higher degree of transparency because there’s so much more scrutiny and because everything that we do is done transparently and publicly.
All of the source code and all of the transactions on the public network — well, not the transactions, because some of them are encrypted. Many of the players on the public ecosystem are subject to public scrutiny because of, like you say, the fact that it’s a publicly traded coin and that attracts attention. It’s good to have that scrutiny to deter people from dishonesty or from cutting corners and misleading people about what they’re really doing.
M: You don't feel pressure from those who always expect Zcash to increase in value? Like the relationship of tech companies with shareholders is a bit different — the shares are on the stock market, but they aren't that involved. Of course, they have to do their best to develop the project, to grow and things like that, but the pressure there is completely different. It isn’t them whose reputations get damaged, for example, Samsung and their exploding phones. Other than that, I don't know if there is that much pressure. Also, they are protected by regulators, whereas it seems you're more vulnerable.
ZW: In some ways, the opposite is true because shareholders in a company do get legal rights that they can enforce against the company or against the management, whereas users of the Zcash software don't have any legal claim against the designers of the protocol in our current laws.
On the other hand, the amount of money that has been put at risk by crypto trading concerns me personally on a moral level, even though we have no legal obligation, because it’s possible for poor and unsophisticated people to buy and sell coins. This is very good for them if they get lucky and make money that way, but it can also be very bad for them if they get unlucky and lose money that way.
M: Isn’t that part of the game in this ‘crypto casino’?
ZW: It makes me uncomfortable if I imagine vulnerable people who are risking money that they can’t afford to lose — risking their money on crypto coins. I think that they shouldn’t. No one should risk money on any of these technologies in excess of what they can afford to lose.
M: That’s pretty close to what I’ve heard in the past — ‘the best regulation is actually education’.
ZW: That’s a good idea.
“I Only Understand 1% of the Ideas”
M: As they say, in order to be a blockchain developer you need, not to be an expert, but to have an understanding of quite a few fields, so it’s very interdisciplinary: not only computer science and maths, but a combination of many things.
ZW: True, but you don’t need to be an expert, so you should feel empowered to go ahead and start being a blockchain developer. You don’t need to already be an expert. You just have to be prepared to learn things from many different fields as you go.
It’s challenging for me too. Two or three years ago, I was an expert and I understood most of the ideas, but since then there have been a hundred times as many ideas that came along. I don’t even have time to – now I only understand 1% of the ideas.
M: So, let’s start with technical questions. The first one is how Zcash is going to scale.
ZW: Oh, that’s a really good question. We don’t know yet. Nobody knows how any blockchain is going to scale. Several groups have announced their theory as to how they think they are going to make their blockchain or cryptocurrency scale, but none of these theories have been proven yet.
The Lightning Network requires many more steps of development before it can actually provide value to an increasingly large-scale number of users. The sharding idea from some researchers is yet unproven as to whether it will be reliable and scalable and whether it will satisfy the needs of users. Although Bitcoin-NG is getting pretty close as it's live on Mainnet on the Waves network.
Those improved consensus algorithms are not really scaling up to an arbitrary number of users, they are just increasing the scale. Currently, Bitcoin, Ethereum and Zcash have roughly an order of magnitude of 10 transactions per second, and with improved consistency algorithms like Bitcoin-NG, we might be able to improve that by a factor of 10 to about 100 transactions per second.
That’s great. That’s a very important change to improve your capacity by 10x and that might be sufficient to enable certain use cases. If there are those use cases, which remains to be seen, and as a rule of thumb I always expect each 10x improvement in the scale of a complex system to come with another round of bugs and failures and challenges.
So, a very plausible future scenario is that every couple of years, we increase the capacity of the network by about 10x. And that still means many years before we have reached the capacity to supply the majority of the needs of people.
On Scaling Zcash
M: So, in a certain way, do you have certain expectations on the pace of scaling, but not yet the means of how to do it?
ZW: That’s my expectation, yeah.
M: Do you think you might come up with some kind of interesting scaling solution?
ZW: Yeah, I’m working on – I, myself and various other researchers are working on the idea of applying zero-knowledge proofs to the scaling problem.
M: How’s it going?
ZW: It’s very preliminary. It might not work at all. It might not make any sense. It might be impossible, but I think we’ll be able to work it out. It might take a few years to figure it out.
It could have some real advantages. Some of the best solutions out there fall into the realm of what Vitalik Buterin calls crypto-economics, like Plasma. The Plasma scaling solution depends on crypto-economics in which there’s an interactive adaptive behaviour of a large number of economically-motivated users.
And to successfully serve reliably even while scaling up depends on the incentivised behaviour of those users. Well, my hope is that we can replace some crypto-economics mechanisms with zero-knowledge proofs so that we get a prior one-shot cryptographically-proven guarantee of the properties that we want, instead of relying on actors to detect failure or to detect betrayal and to take corrective action to repair the system dynamically. If that works, it would be a great, great theory.
M: And what do you need to make it work?
ZW: Well, we need about three or so unsolved problems in computer science to be solved.
The first one is scalable recursive zero-knowledge proofs, and while we’re at it I’d like them to have no toxic waste and be post-quantum, so that’s the first one. Then, I think we’re also going to need scalable robust censorship-resistant private distributed storage which is an unsolved problem in computer science.
And then, as part of that, we might also need scalable distributed robust private information retrieval which is yet another difficult problem. If we solve all of those then I think we will have a great solution.
It might not work at all and if it does it will probably take years. Perhaps the Zcash network in the meantime should go ahead and start using one of these modest 10x improvements. And I think the best way to do that is to watch the other people who are doing experiments and see how well their projects go once they get them all the way to deployment of large numbers of users, and they get a large amount of usage, and then we can observe how well they function in practice.
Bitcoin-NG is the furthest along, Lightning is pretty far along, and the Bitcoin Cash approach, to use the same old Nakamoto consensus but increase the parameters, is a very promising approach because it is so simple, so it will be easy to test.
We can watch the other experiments and see how well they perform in practice and how much they can scale up. If they can reach a 10x improvement so that they can sustain 100 transactions per second for a large number of users in a decentralised robust way, then maybe the Zcash project could copy that approach as a temporary measure to get a 10x improvement before the potential for future breakthroughs that could lead to greater improvements.
It’s really great that we have so many other pioneers that we can learn from. Zcash came out after Bitcoin and after Ethereum. Bitcoin and Ethereum are both super successful, but they both have very different engineering paradigms, engineering philosophies, and that’s wonderful because it allows us to see that there are different engineering philosophies that are both viable. And it allows us to choose an engineering philosophy that falls between the caution and stability of Bitcoin and the innovation and rapid evolution of Ethereum.
On a Threat in the Zcash Setup
M: This also connects to my next question. It turns out that you can break the privacy of zk-SNARKs and have a backdoor-entrusted setup as there is some data that needs to be destroyed in the protocol and in a way it shouldn’t make the system vulnerable to this when there is some process happening. The actual question is how has it been audited and who actually audited it and how you know that multiprotocol computation was actually progressing the way you thought it was. And, finally, there are some parts built into the software to perform a certain role – how do you know that they did that?
ZW: That’s a hard one. So the first thing that is important to explain is that it’s absolutely not the case that if the cryptographic setup of Zcash were compromised that it would threaten user privacy. That’s not the case. The cryptographic design of Zcash is built to guarantee user privacy under almost any conditions.
In particular, the way the protocol is constructed trades off certain other risks. It takes greater risks of counterfeiting in order to achieve greater protection for privacy, so in fact, that is why the cryptographic setup of the Zcash protocol has a small risk of counterfeiting built into it. That is with the best science available so far. There’s no way to get maximal privacy without incurring this trade-off of a risk of counterfeiting so it’s a common mistake that people make that a compromise of the Zcash setup would threaten user privacy and in fact the opposite is true.
The reason there’s a problem, or a risk, or a threat in the Zcash setup is because we took that risk in order to eliminate threats to privacy.
M: And how do you know that it’s working?
ZW: Oh, that’s a different question. But to finish the first [auditing] question, there are several different levels of question here, but the first one has to do with the cryptographic design of the mathematics in the setup.
And I want to emphasise that Zcash is a highly science-driven project, so, for example in the Zcash project, most of what we do is more carefully studied by scientists, both the hardcore world-class scientists who are actually a core part of the Zcash team as well as other scientists from around the world who study what we’re doing in order to find flaws in it or to confirm that they have verified that there are no flaws in the mathematics.
No other scientists have done that for the mathematics of the ceremony. They have confirmed that, even if all of the participants of the Zcash ceremony colluded together and deliberately attempted to backdoor the ceremony, that they would still be unable to threaten the users’ privacy. That was independently confirmed by researchers from other research institutions. That was the design attempt by our own scientists.
So, I just want to emphasise there’s a very high level of scrutiny and scientific validation of most of what we do in Zcash because we work hard to write our results in a way that is specific and complete enough that other scientists can usefully study it, and because we welcome and encourage the scrutiny of scientists.
Now, there’s a different question which is – I’m familiar with the criticism from Peter Todd that he has raised in other venues – so I recognise the question you ask.
M: Peter Todd was very curious about this question, he’s convinced it’s possible to fix it. There is some easy solution for it so that’s why he was curious about your viewpoint and how you actually see the process, like what happens, what happened, what makes you convinced that it’s happening the way that it’s happening. So maybe he wants to see the logic behind it. He thinks it’s possible to find a solution to this probability.
Retelling the Story of Zcash
ZW: I want to retell the story and re-emphasise it because I think it’s a very interesting story and we would like people to get it through. When we set out to design the Zcash mathematics, we decided to maximise privacy for the user and make it so that the users’ privacy is protected by the mathematics itself and is not vulnerable to anything other than a cryptographic break.
But in order to do so, we needed to use this mathematical technique called snarks, and an unfortunate trade-off of snarks is that they are vulnerable to counterfeiting if a certain number of – what we call the toxic waste – is known to the counterfeiter. So, in order to maximise privacy, we decided to make an engineering trade-off which allowed this risk.
And then, people got confused, people misunderstood and they said, ‘Oh you know Zcash has a risk that could violate user privacy.’ That’s what I would like to clarify. If you’re concerned about the Zcash setup – it is a concern, and the reason it’s a concern is that we’ve nailed down privacy and made sure privacy was not a concern and therefore we allowed this concern about the risk of counterfeiting.
Now, in order to mitigate the risk of counterfeiting, I said that counterfeiting would be possible to a counterfeiter who knew a certain cryptographic number, which we call the toxic waste. In order to mitigate that concern, we designed the ceremony in which there were multiple precursors or reagents, multiple components of the toxic waste.
In the first Zcash ceremony that we did before Zcash actually launched, there were six such pieces, and each of the six is individually harmless and can’t be used to do any harm. Even if you have five out of the six, it’s still harmless and it can’t be used to do any harm. You would have to gain all six out of the six in order to reconstruct the toxic waste, or in order to construct the toxic waste – it’s never been constructed before, it’s never existed – in order to counterfeit Zcash.
Therefore, we designed this process in which there would be six separate participants in the ceremony, each of whom was difficult for an attacker to locate and take over the ceremony during the ceremony. Each of the six performed their computation during the ceremony using each of their harmless precursors and then they shared the result of their computation with the others, and then they each destroyed their precursor.
Now, another line of attack that you could use to try to compromise this ceremony and gain access to the toxic waste would be to supply all six of the participants with backdoored software so that when they performed their computation each individually, they would be unwittingly using backdoored software that would allow you as the creator of the backdoor to know what their precursor would be. If you managed to get all six of them to do this, then you could construct the toxic waste.
So that is the risk that Peter Todd is talking about. Now, the defence that we used to mitigate that risk is two-part. One is that we chose the software that we built and distributed it to all six of the participants using widely-known open-source software, starting with the Linux operating system, for example, and the Rust compiler and things like that.
So we downloaded this open-source software from the official Git repositories and so forth. We took steps to make sure we weren’t incurring an extra risk of someone else inserting a backdoor into the software that we chose. And the next way that we mitigated this risk is that each of the six participants who used that software got a copy of it on a read-only DVD. They are hardly used anymore, but they have the good property that to write on to the DVD you have to use a laser to burn through the surface of the disk, and that means that it’s difficult to overwrite or change what’s already been burned with the laser.
Each of the six participants as well as the organiser of the project – he’s the seventh person, he didn’t run one of the six stations but he coordinated among the six stations and told each one whose turn it was and things like that and wrote some of the software that we used.
It is seven people at least that have a physical copy of the software on their DVD disk and we also then uploaded – we took the DVD disks and took a secure hash of the contents – a secure hash uniquely identifies the content so someone else later would not be able to replace different contents and still have to match the same secure hash.
During the process, we took secure hashes of that data – the software that is – we took secure hashes of all the data, including the software that we were running and we posted those hashes to Twitter and took photographs of pieces of paper with the secure hashes written on them with pen and paper.
And we kept the pieces of paper so we broadcast those secure hashes so that no one would be able to later swap in different software without people recognising that it wasn’t the same piece of software that we ran at the time.
Then, after the ceremony, we tried to make sure that the software was available to people in its original form that we actually used ourselves. I was one of the six stations and I took my disks and I travelled to the Internet Archive's headquarters in San Francisco. I took the disks with me so that no one could tamper with the disks, even though them tampering with the disks should not be able to cause any deception since we’d already uploaded the secure hashes and they would be unable to match the secure hashes if they did tamper with the disk.
But, nonetheless, in case there’s some other level of complication here, such as that it is possible to overwrite or manipulate the surface of a DVD disk in order to deceive someone, I kept the disk physically with me from the time of the ceremony until the time I was physically in the offices of the Internet Archive in San Francisco, where we uploaded the contents of the disk to the Internet Archive and we published the hashes and the URLs so anyone in the world can download them from the Internet Archive and can verify that the hashes match, both what we uploaded there and what we published during the execution of the ceremony earlier.
All of that is the level of mitigation we were going to do in order to make it possible for anyone in the world after the fact who studied the software that we executed. If they wanted to search for that backdoor that could exist, that could have been used to compromise the precursors during the execution.
The question of who has done this sort of research. There are several people who have looked at it – including Peter Todd himself – although it’s important to realise that there is sort of an infinite amount of study one could put into analysing such a thing. So far, as far as I am personally aware of, with only preliminary or shallow degrees of study of the data that we thus collected – I believe Peter Todd said he did some attempt to reproduce the binaries from the source which is sort of one of the steps you can do to test whether there was anything.
Andrew Miller, he was a participant in the ceremony and he’s a different security researcher and blockchain scientist, he also reported that he attempted to reproduce the binaries from the source. And Sean Bowe was the coordinator of the first ceremony and he was the author of some of the source code that we used in the first ceremony and I believe he also reproduced the binary of the source. But producing the binaries of the source is only one preliminary step if you wanted to analyse that evidence in search of a backdoor. There’s a lot more that you could do.
Now, you mentioned that it would be possible to do better. And indeed in the second ceremony – the second ceremony is currently ongoing – in the first ceremony, there were only six people; myself, Andrew Miller, Peter Van Valkenburgh, who is the director of research for Coin Center in Washington D.C., which is a very good public policy and law and technology research and advocacy organisation.
Then there were three pseudonymous people who were going under false names and only I knew that their names were false and only I knew their real identities. At the end of the ceremony, as soon as the toxic waste precursors were reported to be destroyed then one of the three was revealed. Their identity, it was a large information security consulting firm named NCC Group. And they were performing their station of their ceremony in their information security lab in Austin, Texas under surveillance.
At the same time as they performed their part of the ceremony, they also set up a duplicate of the node separate from the actual node, and they attempted to hack into the duplicate in order to steal the toxic waste precursors out of the duplicate in order to see how difficult it would be if someone was trying to steal the toxic waste precursor out of the node while it was running.
Later, the second pseudonymous person revealed himself, and that turned out to be Peter Todd, who was driving across an unoccupied empty highway that spans thousands of miles in Canada. He ran the computation on his laptop in a tinfoil-lined cardboard box in his car while the car was moving down the highway in order to reduce the chance that someone might set up some kind of surveillance machinery in order to steal the toxic waste precursor out of his computer while it was running.
And then finally the third pseudonymous participant, whose pseudonym was John Dobbertin, has never been revealed, and nobody knows who John Dobbertin was but me.
M: So, several secret identities.
ZW: Well there’s only one left that’s still hidden.
A New Ceremony
M: What about the ceremony that’s happening right now?
ZW: Well, we have to do a new ceremony because we’re inventing new and improved cryptography. The Zcash scientists have come up with another breakthrough in cryptography which will increase the efficiency of the shielded transactions by 10x. This will hopefully allow for shielded transactions, even on mobile phones and hardware wallets.
In order to deploy the new improved cryptography, we need to do a new ceremony. So the new ceremony is currently ongoing. Anyone in the world can participate. So instead of six participants we now have 50 participants and still counting.
M: So are you recruiting the participants?
ZW: Yes. Everyone should go to Powers of Tau and anyone who wants to contribute can go contribute to that ceremony. You will have one of the next toxic waste precursors on your own computer, and then if you do the ceremony correctly, this will delete the toxic waste precursor out of the RAM of your computer, and this will mean no one will ever be able to forge the zero-knowledge proofs of the new cryptography because they didn’t get your toxic waste precursor out of your computer. And they would have to get all 50 or 60 or 70 of the toxic waste precursors if they wanted to counterfeit zero-knowledge proofs. Another neat thing about the new ceremony is that it’s not just for Zcash, it’s for all future zero-knowledge proofs.
And the risk of someone backdooring the software that gets used has been mitigated in the new ceremony because one of the 50 participants announced that they had produced their new public cryptographic results and that they had deleted their toxic waste precursor, and then they had announced that they had written their own software in a different programming language to implement all of the math so that they did not use the same software that all the other participants used. So it makes it even harder for an attacker who attempts to steal all the precursors by backdooring the software.
The first ceremony was already the strongest, most well-defended cryptographic ceremony that’s ever been performed, and there’s absolutely no realistic chance that anyone stole the toxic waste from the first ceremony, but the second ceremony is even better.
And I didn’t even tell you yet about the part where Andrew Miller, who was one of the participants in the first ceremony, is also one of the 50 or 60 or 100 of the second ceremony. He and his colleague wanted to generate random numbers for their toxic waste precursor in a very safe way and they figured, ‘Well it involves toxic waste and what could be more toxic than nuclear waste from the Chernobyl accident.’
So they took some radioactive graphite which had been collected from the Chernobyl disaster and they hooked it up to a Geiger counter that was also actually an original Geiger counter used at Chernobyl, but they turned it into a Geiger counter with the addition of a microcontroller, and they programmed the microcontroller to sample random numbers from the decay of the nuclear material in the Chernobyl toxic waste. Then they took that device and got into a two-seater aeroplane and they flew through the air. There’s a video.
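To make the mechanics behind the "A New Ceremony" answers concrete, here is an added toy simulation of a sequential powers-of-tau style ceremony. It is example code written for this interview, not Zcash's or the Powers of Tau project's own software. The group parameters `P`, `Q` and `G` are a constructed, deliberately tiny safe-prime group (an assumption; a real ceremony uses a pairing-friendly elliptic curve), and `DEGREE`, `contribute`, `run_ceremony` and `holds_trapdoor` are names chosen here. It shows three things from the text: each participant folds their own secret into the published accumulator, a second independently written implementation of the same step can be cross-checked against the first, and an attacker who recovers all but one participant's precursor still does not hold the trapdoor.

```python
"""Toy simulation of a multi-party 'powers of tau' setup ceremony.

Added example for this interview, not Zcash's ceremony code. The group is a
constructed toy (assumption: a small safe prime, not a pairing-friendly curve)
so that the arithmetic stays readable.
"""
import secrets
from dataclasses import dataclass
from functools import reduce

# Constructed toy parameters (assumption). P = 2*Q + 1 is a safe prime and
# G = 4 is a quadratic residue mod P, so it generates the subgroup of prime order Q.
P = 1019
Q = (P - 1) // 2          # 509, prime
G = 4
DEGREE = 8                # the ceremony publishes G^(tau^k) for k = 0..DEGREE-1


@dataclass
class Contribution:
    """What one participant publishes after their turn."""
    accumulator: list      # [G^(tau^0), G^(tau^1), ..., G^(tau^(DEGREE-1))]
    g_to_secret: int       # G^s, the public half of the participant's secret s


def initial_accumulator():
    """Before anyone contributes tau = 1, so every entry is simply G."""
    return [G] * DEGREE


def fresh_secret(rng=secrets.randbelow):
    """A participant's 'toxic waste precursor': random s in [2, Q-1].
    s = 1 is excluded because it would be a no-op contribution."""
    return 2 + rng(Q - 2)


def contribute(prev, s):
    """Fold secret s into the accumulator: G^(tau^k) -> G^((tau*s)^k).
    Exponents are reduced mod Q because every element has order Q."""
    new = [pow(prev[k], pow(s, k, Q), P) for k in range(DEGREE)]
    return Contribution(new, pow(G, s, P))


def contribute_iterative(prev, s):
    """The same step written a second, independent way (a running exponent
    instead of pow(s, k)), so the two implementations can be cross-checked,
    as the interview describes one participant doing with their own code."""
    new, e = [], 1
    for k in range(DEGREE):
        new.append(pow(prev[k], e, P))
        e = (e * s) % Q
    return Contribution(new, pow(G, s, P))


def run_ceremony(n_participants, rng=secrets.randbelow):
    """Run n participants in sequence. Returns the final accumulator and the
    list of secrets. A real participant wipes s from RAM right after use; the
    secrets are kept here only so the attacker model below can be shown."""
    acc, wastes = initial_accumulator(), []
    for _ in range(n_participants):
        s = fresh_secret(rng)
        c = contribute(acc, s)
        # Cross-check the reference step against the independent one.
        assert c.accumulator == contribute_iterative(acc, s).accumulator
        acc, wastes = c.accumulator, wastes + [s]
    return acc, wastes


def holds_trapdoor(accumulator, tau_guess):
    """True only if tau_guess is the real tau behind the accumulator, i.e. the
    holder could fabricate structured elements (in a real SNARK: forge proofs)."""
    return all(accumulator[k] == pow(G, pow(tau_guess, k, Q), P)
               for k in range(DEGREE))


def attacker_guess(stolen_secrets):
    """An attacker who obtained some precursors can only combine them the way
    the ceremony does: multiply them mod Q. Missing even one breaks it."""
    return reduce(lambda a, b: a * b % Q, stolen_secrets, 1)


if __name__ == "__main__":
    acc, wastes = run_ceremony(6)
    print("all 6 precursors stolen ->", holds_trapdoor(acc, attacker_guess(wastes)))
    print("5 of 6 stolen           ->", holds_trapdoor(acc, attacker_guess(wastes[1:])))
```

Run it and the first line prints `True`, the second `False`: the combined trapdoor is the product of every participant's secret, so destroying any single precursor is enough to keep it out of reach. The `assert` inside `run_ceremony` is the cross-check between the two implementations of the contribution step.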
The New Generation
M: What groundbreaking ideas or projects do you see coming from the blockchain space over the next few years?
ZW: To me, the next couple of years are all about the question of whether cryptocurrencies can provide the value that they have already promised. The imagination and the enthusiasm has outrun the development. It typically takes five years for a new innovation to be implemented, integrated and deployed, and to be used by people, and to actually start providing value.
So in the next two years, we will see how many of the visions that were spawned – or maybe we better make it the next five years, because there were a lot of visions that were spawned last year and a couple of visions that were spawned a year or two before that. Zcash and Ethereum are both from that earlier generation and Bitcoin is, of course, the earliest. Bitcoin, Zcash and Ethereum are coming close to maturity.
None of the three have gotten to the point where we have proven repeated traction, in which more and more value is being made for more and more users, because of various limitations that they have not yet overcome, starting with the scalability problem. That’s the number one problem facing all three – Bitcoin, Ethereum and Zcash – and it will threaten the success of any of the new generation as well.
Zooko’s Triangle is named after Zooko Wilcox-O’Hearn, the CEO of Zcash and a noted computer security expert. The triangle refers to the three traits desirable in a network protocol, namely Human-meaningful, Secure and Decentralised. For a protocol to be successful, it should exhibit all three of these key tenets. Like the triangle that bears his name, Zooko himself is preoccupied with that same trilemma.
Zooko is the designer of many network protocols which encompass self-contained economies and secure reputation systems. As the CEO of Zcash, a major privacy-focused cryptocurrency on a public blockchain, he is a central figure and authority on issues that concern cryptocurrencies such as scaling and security. His work on both private and public blockchains has the potential to change the face of cryptocurrencies as we know them today.
Illustrations by Kseniya Forbender
To contact the editor responsible for this story:
Margarita Khartanovich at [email protected]