Science Roundup

Zcash is a science-driven company, and our team is always working on advancing the forefront of human knowledge. Here is a round-up of science news from our team.

Side Channel Attacks on Everyday Applications

Zcasher Taylor Hornby will be presenting on Side Channel Attacks on Everyday Applications at the Black Hat conference on August 3.

In this talk, Taylor will briefly describe how the FLUSH+RELOAD attack works, and how it can be used to build input-distinguishing attacks. In particular, he’ll demonstrate how, when user Alice browses the top 100 Wikipedia pages, user Bob can spy on which of those pages she is visiting. This isn’t an earth-shattering attack, but as the code he’ll release shows, it can be implemented reliably. The goal is to convince the community that side channels, FLUSH+RELOAD in particular, are useful for more than just breaking cryptography.

Known for his carefully written security tools, including a side-channel-free password generator and a cryptography library for PHP, Taylor regularly contributes to a number of open-source projects by security auditing and reviewing source code. This work builds on the foundations laid in part by Zcash scientist Eran Tromer (

The event is in Las Vegas, USA from July 30-Aug 4, 2016. Full info here:

Image Authentication

Zcash scientist Eran Tromer presents an application of SNARKs in the area of image authentication.

Authenticity of digital photographs is important in many contexts, including social websites, dating, news reporting, and legal evidence. In principle, authenticity could be ensured by secure in-camera signing of images, as offered by some cameras. However, users often need to apply some legitimate editing operations to images (e.g., cropping, downscaling and brightness adjustment), in order to prepare them for publication. Creating an image authentication scheme that allows some editing operations, but not others, has been a subject of active research for decades.

Eran and his student have created a new image authentication scheme, PhotoProof, which is the first to allow complete flexibility in the choice of what editing operations are permissible, and is also more robust to forgery. The scheme is based on the same zero-knowledge SNARK proof systems that underlie Zcash. Whereas Zcash reasons about the provenance of digital currency across payment operations, PhotoProof reasons about the provenance of images across editing operations.

There is more information about this here:

Lawsuit on DMCA Section 1201: Research & Technology Restrictions Violate 1st Amendment

The Electronic Frontier Foundation (EFF) is suing the U.S. government on behalf of technology creators and researchers to overturn onerous provisions of copyright law that violate the First Amendment, as stated in this blog post.

Zcasher Matthew Green is a plaintiff in the trial “who wants to make sure that we all can trust the devices that we count on to communicate, underpin our financial transactions, and secure our most private medical information. Despite this work being vital for all of our safety, Green had to seek an exemption from the Library of Congress last year for his security research.”

Blind Off-Chain Lightweight Transactions

Matthew Green and Ian Miers, two of the seven founders/scientists of the Zcash company, have a paper on BOLT (Blind Off-chain Lightweight Transactions). It’s roughly a privacy-preserving version of payment channels like Lightning for Zcash. We will be publishing a more in-depth blog post about it early next week.

Private payment channels are important because they allow you to pay someone without waiting for block confirmation and they greatly reduce the volume of transactions that must be recorded in the blockchain. Payment channels work by creating blockchain-backed IOUs between two parties, which they can then update without using the blockchain to reflect the balance of funds between them. But this process isn’t private since the IOU serves as a unique identifier the merchant can use to link multiple payments together. So for example, if you are using a payment channel to pay for page views on a website, it’s effectively a tracking cookie.

BOLT uses blind signatures and commitments to make private IOUs. When you present one to a merchant, it records the fact that the merchant’s balance in the IOU has increased, but without revealing which IOU you are using and thus who you are. BOLT even supports payments via an intermediary when there is no direct channel between the two parties, and the intermediary learns nothing, not even the amount that is paid.
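As an added illustration of the unlinkability property the two paragraphs above rely on (not code from the BOLT paper, whose construction uses commitments and zero-knowledge proofs rather than this textbook scheme), here is a toy Chaum-style RSA blind signature: the merchant authorizes a payment token without seeing it, so the record it keeps at issuance cannot be matched to the token when it is later redeemed. The key sizes and the sample token are constructed and far too small for real use.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy RSA key for the merchant. These primes are far too small
# for real use; they only keep the arithmetic readable.
P, Q = 104729, 1299709
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # merchant's private exponent


def token_digest(token: bytes) -> int:
    """Hash a payment token into the RSA group (toy full-domain hash)."""
    return int.from_bytes(hashlib.sha256(token).digest(), "big") % N


def customer_blind(token: bytes):
    """Customer hides the token behind a random factor r before issuance."""
    m = token_digest(token)
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            break
    return m * pow(r, E, N) % N, r


def merchant_issue(blinded: int, issuance_log: list) -> int:
    """Merchant signs the blinded value and logs what it saw, as a
    merchant trying to link payments would."""
    issuance_log.append(blinded)
    return pow(blinded, D, N)


def customer_unblind(blind_sig: int, r: int) -> int:
    """Strip r from the signature; the result is a valid signature on m."""
    return blind_sig * pow(r, -1, N) % N


def merchant_redeem(token: bytes, sig: int) -> bool:
    """Merchant accepts the token only if the signature verifies under its key."""
    return pow(sig, E, N) == token_digest(token)


def merchant_can_link(token: bytes, sig: int, issuance_log: list) -> bool:
    """Compare a redeemed token against everything logged at issuance.
    Without r, neither the digest nor the signature matches any entry."""
    m = token_digest(token)
    return any(entry in (m, sig) for entry in issuance_log)


def demo() -> dict:
    log = []
    token = b"customer-42 / page view #7"   # constructed sample token
    blinded, r = customer_blind(token)
    sig = customer_unblind(merchant_issue(blinded, log), r)
    return {"accepted": merchant_redeem(token, sig),
            "linkable": merchant_can_link(token, sig, log)}
```

The plain-channel case described above is the opposite: every balance update carries the same channel identifier, which is exactly the value this scheme keeps out of the merchant's log.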

Towards Trapdoor-Free Zero Knowledge Proving Systems

The strong privacy guarantees of Zcash are made possible by significant computer science breakthroughs from the last few years. These breakthroughs circumvent the use of Probabilistically Checkable Proofs (PCPs).

PCPs are a powerful theoretical computer science tool, and until recently were considered essential for efficient Zero-Knowledge proof systems. The reason for wanting to avoid the use of PCPs is that although they are efficient from a theoretical standpoint, they are considered notoriously inefficient and too complex in practice.

This avoidance comes at a cost: in these new systems there is always trapdoor information that should be destroyed after the system is initialized, and which could compromise the system if ever discovered.

In a recent work, SCIPR Lab has made a significant first step towards making PCP-based systems, in which no such trapdoor exists, closer to practice. Currently they are able to generate proofs about programs that use a million machine cycles. The team working on this includes five Zcashers: Eli Ben-Sasson, Alessandro Chiesa, Ariel Gabizon, Eran Tromer and Madars Virza.

Ciphertext Attacks on iMessage

The Washington Post published the story “Johns Hopkins researchers poke a hole in Apple’s encryption,” which describes the results of research that Zcashers Matthew Green, Ian Miers, and Christina Garman (along with others) have been working on over the past few months. Below is part of Matthew Green’s blog post describing the research and its implications. For more technical reading, the academic paper can be found here: “Dancing on the Lip of the Volcano: Chosen Ciphertext Attacks on Apple iMessage.”

From Matthew Green’s blog post (full text here)…
“As you might have guessed from the headline, the work concerns Apple, and specifically Apple’s iMessage text messaging protocol. Over the past months my students Christina Garman, Ian Miers, Gabe Kaptchuk and Mike Rushanan and I have been looking closely at the encryption used by iMessage, in order to determine how the system fares against sophisticated attackers. The results of this analysis include some very neat new attacks that allow us to –under very specific circumstances– decrypt the contents of iMessage attachments, such as photos and videos.”

The research team. From left: Gabe Kaptchuk, Mike Rushanan, Ian Miers, Christina Garman
