Parameters in set up phase for Zerocoin in Zcoin

reubenyap edited this page Sep 30, 2017 · 5 revisions

Zcoin uses RSA 2048 parameters generated 25 years ago from the RSA Factoring Challenge. These parameters are basically two large primes N=pq where p and q need to be destroyed.

At projected computing capacity, it will be safe to use for many more decades. By then, Zcoin can port its parameters to a new cryptographic scheme.

Admittedly, the RSA has not been a great company in recent years, with revelations that RSA has collaborated with NSA to weaken cryptographic protocols. But these RSA 2048 keys were generated in 1991 as part of an academic endeavor to learn about the difficulty of factoring numbers, early in the RSA days when the creators of the RSA algorithm still had a high amount of control over their company. The company then was a vocal advocate of strong cryptography for public use and had an adversarial relationship with the NSA.

For example, in the mid-1990s, RSA and Bidzos led a "fierce" public campaign against the Clipper Chip, an encryption chip with a backdoor that would allow the U.S. government to decrypt communications. The Clinton administration pressed telecommunications companies to use the chip in their devices, and relaxed export restrictions on products that used it. (Such restrictions had prevented RSA Security from selling its software abroad.) RSA joined civil libertarians and others in opposing the Clipper Chip. RSA Security also created the DES Challenges to show that the widely used DES encryption was breakable by well-funded entities like the NSA. It was only in 1999, with Bidzos stepping down as CEO, did the RSA have a more cooperative nature with the NSA.

Therefore, it is highly unlikely that someone had foreseen that these keys generated for an academic challenge would be used to do a trusted setup in a cryptocurrency.

It is noted that in the event of someone knowing the initial parameters, anonymity is still preserved, though it means that someone can forge Zerocoin spend transactions without actually burning a coin.

However, there is a strong mitigating factor in the unlikely scenario of a compromised Zcoin setup: because output values are unencrypted by default, everybody can still audit the full Zcoin money supply to ensure that no one is secretly creating coins, so if the total supply doesn't check out, we are alerted that something is amiss as elaborated below:

Total supply of coins that should exist = (block number x block reward)

OP_ZEROCOINMINT function shows all mints + 0.1 mint fee

OP_ZEROCOINSPEND shows all spends of Zerocoin

Total supply >= all circular money - (#zerocoin_mint_tx + 0.1 for each tx) + #zerocoin_spend_tx

So you know exactly how many Zerocoins have entered the Zerocoin pool and how many Zerocoins have exited the Zerocoin pool.

Below is an explanation of how these RSA 2048 parameters were generated:

The RSA challenge numbers were generated using a secure process that guarantees that the factors of each number cannot be obtained by any method other than factoring the published value. No one, not even RSA Laboratories, knows the factors of any of the challenge numbers.

The generation took place on a Compaq laptop PC with no network connection of any kind. The process proceeded as follows:

  • First, 30,000 random bytes were generated using a ComScire QNG hardware random number generator, attached to the laptop's parallel port.
  • The random bytes were used as the seed values for the B_GenerateKeyPair function, in version 4.0 of the RSA BSAFE library. The private portion of the generated keypair was discarded. The public portion was exported, in DER format to a disk file.
  • The moduli were extracted from the DER files and converted to decimal for posting on the Web page.
  • The laptop's hard drive was destroyed.

It is in Zcoin's roadmap to explore implementing a trustless setup for Zerocoin through the Sigma protocol.