The property of «total spendable money never exceeds the total that was created» is a special case of the «Balance» security property defined in the [extended version of the Zerocash paper](http://zerocash-project.org/media/pdf/zerocash-extended-20140518.pdf), Appendix C.3 (with the trivial adaptation from the change from Mint+Pour to JoinSplit).
Appendix D.3 proves that this property indeed holds for the Zerocash protocol (and thus, with trivial adaptations, the Zcash protocol).
So in principle, the notion of «auditing the Zcash monetary base» is a red herring. You «audit» a property that could go wrong if someone misbehaves, to make sure they didn’t err or cheat. But here we already have a proof that the property holds.
Another way to phase it is that the Zcash protocol (and in particular its zk-SNARK proofs) already do the auditing, on-the-fly.
Of course, in practice there could be mistakes in the proof, adaptation to Zcash, implementation, or parameter generation ceremony. Or the cryptographic assumptions may be broken. So what you’re _really_ asking for is another, *redundant* way to be check the same property. And to make it useful, it needs to be sufficiently different from the existing proof so that they wouldn’t have common failure modes. Which makes sense, but let’s be clear about it and in particular not play along with the silly narrative that «Zcash is not auditable».
Запись редактировалась последний раз: May 31, 2018, 3:26 pm