[petertodd]

What my blog actually said about that was:

"I’ve had some experts tell me they thought the security level was 2^80 operations (very weak), while others (including Zooko himself) thought it was [more like 2^96](https://moderncrypto.org/mail-archive/curves/2016/000742.htm...). I’m not sure which figure is right, but the fact that there’s disagreement is a bad sign."

I made it very clear that it is an unsubstantiated figure, and linked to Zooko's analysis. To both yourself and the person you're replying too, please don't put words in my mouth.

> We provided participants with a reproducibly built and stripped down version of Alpine Linux, employed grsec, wrote all of our crypto software in pure Rust, etc. All of our software is reproducibly built, hashed and signed. There is nothing (software-wise) that cannot be caught in post-hoc review. All of it is open-source: https://github.com/zcash/mpc

I agree. But that's not what I said; what I said is that post-hoc review hasn't been done, even a year after the fact.

[ewillbefull]

> To both yourself and the person you're replying too, please don't put words in my mouth.

What words did I put in your mouth? I cited the 2^80 figure in your blog post and a reasonable theory for why you would bring up such a figure. "Regurgitated" came across as snide so I apologize for that.

Note that you used this unsubstantiated figure to say "the fact that there’s disagreement is a bad sign." If there isn't actually any disagreement and the figure is unsubstantiated, why is it not baseless FUD? (BTW I notified you of this error in your blog post some time ago but never heard back.)

> what I said is that post-hoc review hasn't been done, even a year after the fact.

I know, I wasn't replying to you. As I said, I believe more auditing is needed. I also don't believe some kind of one-and-done audit of the software/deterministic builds would satisfy either of us.

[petertodd]

> "Regurgitated" came across as snide so I apologize for that.

That's the thing, it didn't just come across as snide, it made it sound like I repeated the number uncritically, when in fact I made it clear to the reader where it came from and that there was disagreement.

> If there isn't actually any disagreement and the figure is unsubstantiated, why is it not baseless FUD?

The fact that competent experts could be unfamiliar with Zcash's crypto to the degree that they could disagree on basic facts like that is a sign of concern, precisely because it's yet another strong sign that the crypto is quite new. If this were "tried and tested" crypto, there wouldn't be any disagreement. Note that Zooko himself was unsure of the exact strength due to a recently found attack - tried and tested crypto wouldn't have recently found attacks.

> BTW I notified you of this error in your blog post some time ago but never heard back.

Where did you notify me? For that matter, who are you anyway? I probably know you by name from elsewhere; I don't by handle.

> I also don't believe some kind of one-and-done audit of the software/deterministic builds would satisfy either of us.

Well, I was just discussing the trusted setup with Matthew Green, and I think there's some fundamental disagreement on what kinds of vulnerabilities exist and what the risks of them are. So I really need to write a blog post on it.

[ewillbefull]

I'm Sean from Zcash, I coordinated the MPC and wrote the software. I messaged you on twitter or emailed you or something about this last year.

> it made it sound like I repeated the number uncritically

I didn't say you regurgitated it. I said the person you talked to did, presumably after looking at libsnark or an unrelated paper.

> The fact that competent experts could be unfamiliar with Zcash's crypto to the degree that they could disagree on basic facts like that is a sign of concern, precisely because it's yet another strong sign that the crypto is quite new.

I claim the person you talked to was looking at the wrong curve construction. 2^80 is quite a torch to carry into an argument and no experts that we know have ever suggested a security level less than 2^96. The only "disagreements" about security were far more subtle and reasonable than what your blog post suggested.