@acityinohio
Last active August 2, 2020 21:28

July 31, 2020

Why I left the Zcash Foundation

Today I'm resigning from my position as the Zcash Foundation's Executive Director.

This was a difficult (and bittersweet) decision for me to make. I deeply believe in the Foundation's mission, and consider private financial infrastructure for the public good a fundamental right, one that I was humbled to work toward. I loved the work. I am not being hyperbolic when I say it was the best team I've ever had the honor of working with, and I will miss them terribly. But it was the right time for me to go.

Under my stewardship I've done my best to build the Foundation into a transparent organization, and there's no reason I should change course with my farewell. I'm leaving for a number of reasons:

In open systems, those who help architect processes which grant their organizations power should refuse to wield it. As the Foundation's influence and power has grown, it's critical to set a precedent that those who helped build that influence are not singular beneficiaries. Whatever power that has vested to the Foundation should stay in check institutionally, and not accrue to a single leader.

I helped grow the Foundation from scratch over the last three years; I should not seek to lead it indefinitely. Zcash — and other cryptocurrency projects — should place their faith in their projects' institutions, rather than falling under the spell of charismatic individuals.

I am no longer the right person to lead the Foundation. This happens frequently in new organizations and businesses; a founding leader in the beginning of an organization's life may not have the right skills as it grows. Truthfully I don't know if I've reached this point, but I'm concerned enough that I believe the Foundation should find new leadership.

The Foundation's efforts to distribute power in the ecosystem, while successful, have taken a personal toll. Our landmark trademark negotiation and the successful conclusion of the dev fund debate were huge wins for the Zcash ecosystem, but they were gained at the cost of my relationship with ECC leadership and damaged my ability to collaborate with them effectively. Simply put, mutual trust was irreparably lost. Since I view it as unlikely that the ECC's top leadership would ever change (or that the structure of power would meaningfully change at any successor organization), I instead chose to leave. New leadership within the Foundation offers the opportunity to reset that relationship.

Finally, I know it's a bit trite, but I'm ready for a break and a change of pace. No, that doesn't mean I have another job lined up; this isn't me queuing up my resignation and then having "some personal news" a week later. The Foundation cares deeply about life-work balance, but I haven't really lived that ideal for some time. Consequently, I plan on stepping back from contributing to the Zcash community, and promise not to use my prior position to influence or undermine the will of the Zcash community, either publicly or privately.

Unsolicited advice for Zcash and others

Since I'm by nature a verbose interlocutor, I hope you'll humor me and read these final words of advice for the Zcash (and broader cryptocurrency) community.

Beware relentless, unexamined positivism and near-religious zealotry. Such behavior, encouraged and stoked by those who wish to believe such things because they're easier (or more cynically, because it might entrench their own power), can overwhelm pragmatism and self-examination, and drown out valid feedback.

The Zcash community is fortunate to have impressive critics — folks like James Prestwich, Justin Ehrenhofer, and Sarang Noether — and the more the project welcomes serious critique, the stronger it will become. Ignoring, misinterpreting, manipulating, or dismissing valid criticism to maintain an aura of dogmatic idealism does a disservice to critics and the project itself. Do not fall into this trap, and call those out that do.

Remember that Zcash — and other efforts at private, digital money — are open protocols, not startups. Do not cargo-cult startup-ism into the core of your protocol, and resist attempts by others to do so. A protocol for private, digital money should serve the public good, not the needs of a select few business interests.

Question where influence truly lies and who wields it. If checks and balances exist, are they meaningful or purely theatrical? Consider what is and isn't being said publicly, the relationships that may exist without public knowledge, and never be afraid to question the power brokers of the Zcash ecosystem and hold them to task. One cannot simply claim "we're transparent," or "I respect your privacy"; they have to earn both through habitual action. I believe that by relinquishing my station of power, I'm sending a signal that these things matter to the Foundation; but they should matter throughout the ecosystem.

The Zcash Foundation's future is bright

In spite of these warnings, the prospects for private digital cash are bright. The Foundation's technical efforts will make a big splash this year, and while I am wont to make cryptocurrency predictions, I will make one: I expect Zebra will be the dominant node on the Zcash network by the end of 2021. :) And I'm truly grateful for the pioneering work done by the ECC's engineers and the original Zerocash researchers that made all this possible.

To the extent that the Foundation was successful, its success is owed to my phenomenal colleagues. To the extent that the Foundation made mistakes, its mistakes were my own to bear, and I hope history will judge them (and me) not too harshly. Unlike my ancestor Lucius Quinctius Cincinnatus, I have no (yield?) farm to retire to, nor is any crisis I defused while wearing my mantle of responsibility commensurate to his own trials. But I did my best to serve the Foundation concomitant to his virtues, and I'm deeply grateful to the board and community for the opportunity to do so.

So long, and thanks for all the z2z,

Josh Cincinnati

leto commented Aug 1, 2020

Amazing that you don't follow your own advice about ignoring critics. I have published various articles and papers about Zcash which are completely ignored: https://eprint.iacr.org/2020/627

https://attackingzcash.com/shielded-coinbase/

daira commented Aug 1, 2020

We didn't ignore your supposed "ITM attack". We analysed it, and found that it's wrong.

Just like transparent UTXOs, a zUTXO can be created from the mempool (set of unconfirmed transactions), i.e. the output of a transaction in this block can be spent by another transaction, such as a t→z spending a UTXO from the mempool and creating a zUTXO. The ITM Attack does rely on the fact of a zutxo being spent from the mempool or not.

As I've said probably a dozen times before, this does not work because notes cannot be spent from the mempool (in any possible implementation of the Zcash protocol, which is what you claim to be attacking). If you want us to take your paper seriously, first remove the obvious mistakes.

As a consequence of this error, this part of the "attack" could only get off the ground if the attacker can mine many blocks at will within the block time:

Known Sapling commitments/anchors are ”swapped” into the Sapling MerkleTree one at a time, in an attempt to identify if they are being spent. If the new solution tree is invalid, then the data that was added caused it to become an invalid tree for a particular reason and that particular reason is conveniently given when consensus-level errors are emitted in Bitcoin and Zcash Protocols.

This is because the proof of work is checked first whenever a block is received, and so no other error oracles can exist unless the proof of work passes at the correct difficulty. But for the sake of argument, let's suppose that the attacker has far more mining power than the rest of the network put together. Under that assumption, they can indeed create blocks that include different subsets of the commitment tree, and have other nodes pay attention to them (again, for the sake of argument, suppose that the attacker somehow avoids all the chain forks they generate from being noticed, despite the fact that we run infrastructure at ECC to detect chain forks). But this still doesn't help the attacker. The existence of multiple blocks with different commitment trees doesn't help because a node doesn't use information about the notes it holds for verification of blocks or transactions. In general, any error oracle attack can only work against secret information that is an input to the operation(s) providing the oracle. Also, the spender of the note must commit to a particular anchor when spending a note, and then only the fact that the note output preceded that anchor is leaked.

There's one caveat here which is documented at zcash/zcash#679: if a wallet were to try to spend the same note twice, that could leak information. But only a small amount of information (the second transaction that spends a note can be linked to the first). ECC's reference wallet, for example, will only spend notes from 10 blocks back, which effectively prevents the case where transactions fail due to a reorg. zcashd will spend more recent notes, which is a long-recognized bug: zcash/zcash#1614. You could perhaps legitimately criticise us for being tardy in addressing these two bugs -- that would be the kind of legitimate criticism that I think Josh was referring to. Instead, you make false claims and refuse to engage in a serious discussion at a technical level.

acityinohio commented Aug 2, 2020

Thanks @daira, for the response and your infinite patience.

To echo hir, I'm going to be blunt: @leto this was never a legitimate critique, just constant, irritating sabre-rattling to promote your own project, which wouldn't even exist if it wasn't for the pioneering research of the Zcash engineers and researchers. (to be clear, I'm not among them — they're far cleverer than me...I'm just some dude who managed a Foundation for a few years)

I am undoubtedly guilty of casting aside legitimate critiques, but this doesn't even come close to counting. Using any Zcash news as an opportunity to shout about the same flawed "attack" over and over again is sad. Since you posted here without solicitation, let me offer you some unsolicited advice: you'll be far happier if you stop picking fights you can't win for marketing points that don't matter. I hope you find peace elsewhere.
