An Analysis of Zcash Governance

TL;DR: Zcash governance is relatively concentrated for now, and will remain so for the near future. This could be the optimal design while the project is young and requires focus and agility. As the protocol matures and grows, stewardship responsibilities will transition over to the Zcash Foundation, which can better represent the various stakeholders in the ecosystem. The oft-maligned founder’s reward is not a traditional rent seek on end users, and actually aligns developer incentives nicely. In the short term, Zcash prioritizes rapid protocol innovation, a trait likely ideal when dealing with brand new cryptography.

Purpose of Zcash: Truly fungible cryptocurrency

Zcash is a privacy focused cryptocurrency, meant to serve as a currency for individuals and businesses alike. Through zero-knowledge proofs, Zcash aims to provide true fungibility with coins that have no “evidence trail”. If Zcash reaches its full potential, it will serve as digital money that can be used frictionlessly with no history attached.

One unique aspect of Zcash is its selective transparency. Certain transaction metadata in the blockchain is confidential by default, but can be disclosed to specific parties such as auditors or regulators. The ultimate goal is to satisfy both the openness and privacy that social structures require.

Selective transparency will make it easier for Zcash to integrate into the existing financial system compared to cryptocurrencies that have total privacy. Grayscale has a Zcash exchange traded note, and firms like JP Morgan have expressed interest in leveraging the ZK-Snarks technology for their own benefit.

History of Zcash

The history of Zcash begins with the Zerocoin whitepaper, with the original paper written in 2014 by 4 academics (3 of whom are now working on Zcash). Zerocoin was initially suggested as an addition to Bitcoin, but the technology was deemed too experimental. There was potential, but bitcoin had reached a point where it had to be conservative and move more slowly.

With the help of researchers at the SCIPR lab, improvements to zerocoin were made, and the Zerocash paper was released. Zerocash was a substantial upgrade, with 98% reduction in proof sizes and improvements in privacy, resulting in a more usable blockchain.

Zerocash was more efficient and practical than zerocoin, and there was real potential for implementation as a cryptocurrency protocol. The theory behind Zerocash was sound, but implementing it was a different story. Production grade code and implementation required a whole team, and more help was needed.

The Zcash Company

A whole team fully dedicated to the project would be needed, and this required funding and support. After the Zerocash team met Zooko Wilcox, things took off and the Zcash Company was born. The reasoning was that experimental technologies require rapid innovation, and a traditional startup is the best way to bring the necessary focus and agility to the project.

The scientists (academics) conduct research and write papers on new innovations, such as the multi-party parameter generation, and BOLT. The engineers turn the theory into production quality code, test it, and ultimately implement it into the Zcash protocol.

Like most cryptocurrencies, Zcash operates with the philosophy of “consensual currency”. As the Zcash company upgrades the protocol, it’s up to the community to opt in and use that version. Users have a strong incentive to follow and use the protocol with active developers and scientists working on it. This is especially crucial in a project as young and ambitious as Zcash. The cryptography is completely experimental, and few people are actually qualified to work on it.

As the protocol matures and usage grows, other developers and projects will leverage the code for their own use. Zooko predicts that the Zcash blockchain could eventually split into multiple forks, each led by their own faction of developers. Many projects have undergone hard forks, but it seems that Zcash especially could garner interest. This has pros and cons, but it demonstrates the novel nature of Zcash technology.

This has already happened with ZClassic, a Zcash fork with the founder’s reward removed. However, the merits of this project are questionable, and the Bitcoin Private/ZClassic airdrop resembles a giant pump and dump.

Transition to the Zcash Foundation

From the Zcash Website

As the Zcash protocol grows, having a single leader and company becomes more of a liability than a benefit. The company currently drives development, governance, operates essential Zcash infrastructure, and even owns the Zcash trademark.

Over time, these functions will be transferred over to the Zcash Foundation. If the Zcash project’s purpose is to serve the public good, it is only appropriate that the caretaker is a nonprofit responsible only to the public. Because of this, Zooko and the other founders and employees donated half of their founder’s reward to the foundation. Neither Zooko nor the company control the foundation’s personnel, funding, or decision making. It’s crucial for the foundation to establish its autonomy and independence from the company in order to maintain credibility and fairness in the eyes of the public.

However in the long run it would not be appropriate for a single for-profit company to have this much power over the evolution of the Zcash technology. Ultimately, there will need to be an independent, inclusive, non-profit body to steward the technology in the interests of all users.” — Zcash Website

The foundation is still in early stages, as it was established in June 2017 and received its 501(c)(3) designation in October 2017. They have many initiatives lined up, including funding grants, the Zcon0 conference, and onboarding more employees. The foundation is also a potential source of funding for second layer solutions on Zcash such as BOLT. The most challenging part for the foundation revolves around governance, and how to eventually create a fair and sustainable consensus process.

In the short term, the most important part is getting community input on how to design the governance process, and helping people understand the foundation’s role. This process has been quite transparent, and anyone can contribute to the discussions on Github. For a fair and equal process, stakeholders from every part of the community (miners, users, developers) should participate in this process. If the creation of the governance process comes only from a small number of people, it will inevitably favor certain groups and create an imbalance of power.

Example of an initial governance proposal — Zcash Foundation Github

When the protocol has reached a mature stage, the focus of the foundation will turn from protocol development to stewardship. The governance process will be crucial if Zcash becomes widely used — everyone’s voice must be taken into account and large changes should be slower and more difficult. The foundation’s role will be to serve as a hub of coordination and decision making in larger ecosystem.

The Founder’s Reward

First proposed by Andrew Miller, Zcash development is funded through a “founder’s reward.” For the first 4 years of the blockchain, 20% of the Zcash block reward will go to early investors, advisors, employees, etc, resulting in 10% of all Zcash ever. Practically, it’s similar to vesting proceeds from a token sale, with the added benefit of ensuring there’s a live and functioning blockchain network. This ensures that developers must have a product before receiving funding, something that’s currently quite rare in the cryptocurrency space.

Collectively, the Foundation and Company will receive 2.63% of total coins mined. At a price of ZEC = $300, this comes out to $166 million, which can be used to hire developers, fund projects, and raise awareness for Zcash.

The founder’s reward gives a strong incentive for the developers to work on the project for the first 4 years, when the protocol requires the most work and structure. It also ensures an alignment of incentives, where developer incentives won’t be captured by another corporation with their own agenda (Bitcoin/Blockstream). The company’s goals are aligned with the continued development of the protocol, and there is less risk of steering the protocol in favor of an alternate implementation (sidechains).

Critics often complain that the founder’s reward is an unfair rent seek and another example of a fee-extracting middleman, but I would argue this comparison is flawed. The company is not extracting value from end users in a way that web 2.0 companies do today with large margins.

There is still an indirect cost, however, as the founder’s reward is essentially inflation that doesn’t benefit the security of the chain. Block rewards are meant to incentivize miners to secure the network, as transaction fees alone probably aren’t enough of an incentive. The 10% tax from the founder’s reward is a lost 10% that doesn’t back up the chain from a security perspective. Users don’t feel the direct effects, but the founder’s reward still has a small, nonmeasurable impact.

I think that Zcash miners, not the average end user, bear the brunt of the cost. For the first 4 years, they receive 20% less newly issued Zcash which is a large dent in their mining revenues. However I imagine most Zcash miners would gladly trade a tax in exchange for sustained protocol development.

The founder’s award is quite a neat fundraising mechanism, but it still raises some questions: what happens when the 4 year vesting schedule ends? Obviously the original developers will still have the incentive to develop and see their holding’s values go up. However, the recipients of the founder’s reward could theoretically liquidate and abandon the project. This doesn’t seem very likely, and the foundation would step in its place, but it’s still a risk. Ideally the privacy technology behind Zcash will be relatively mature by October 28th, 2020, because after that point 100% of the block rewards go to the miners.

Trusted Setup

The trusted setup is technically not a part of protocol governance, but it’s an important topic to address.

When creating new system parameters for zkSNARKS, a setup phrase to generate the public and private key pair is required. The privkey, or “toxic waste”, is a potential security hole and must be destroyed. Holding the privkey does not compromise user privacy in any way, but it does allow for the creation of new coins.

Destroying this private key is crucial for maintaining the integrity of the entire protocol, a process documented by Radiolab. To compromise the final parameters, every participant in the ceremony would have to be compromised or act dishonestly.

The first setup is a common source of criticism, with Peter Todd detailing potential vulnerabilities that allow backdoors to be created. Additionally, only six participants participated in the ceremony, all using one implementation of randomness.

Recognizing the potential flaws in the initial setup, Sean Bowe, Ariel Gabizon, and Ian Miers introduced the Powers of Tau Ceremony, a new setup that allows anyone to participate (84 participants so far). It also uses a new Rust implementation without the prior vulnerabilities, and includes an independently constructued Golang implementation. From a security standpoint, this process seems to be superior to last year’s ceremony, with a much larger set of participants and two separate implementations instead of one. The foundation has been helping coordinate and organize this ceremony, and it’s made a clear effort to be transparent and decentralized in its approach.

The trusted setup will always be a weakness in the Zcash setup, but there are steps that can be taken to make a backdoor probabilistically impossible. Simple game theory dictates that a large and diverse enough group of participants will not all collude with each other to compromise the network. As long as a single participant in the ceremony is honest and destroys his portion of the “toxic waste”, there will be no backdoor into the network.

Understanding the Zcash/Monero Debate

At the moment, Zcash and Monero are the only 2 cryptocurrencies with any legitimate privacy technology (though Grin/Mimblewimble has potential). They have contrasting approaches and ideology, making the debate between them quite interesting.

This Tweet summarizes the debate nicely.

Monero has a huge emphasis on community and a decentralized, collaborative ideology. There is a reason for this. Monero’s privacy enhancements are entirely dependent on the size of the user base. The larger the user base is, the larger the anonymity set. User base does not mean passive holders or speculators, but people who regularly transact with Monero. Monero’s privacy quality is directly linked to the strength of the community and engagement level of its users. That is why Monero uses a two pronged approach → its users and developers are collectively responsible for increasing privacy.

Zcash’s privacy goals, on the other hand, are more dependent on technology and new cryptography. In the short term, Zcash’s success hinges on the developers’ ability to innovate and implement code. Only 31.5% of transactions are currently shielded, but the Saplings hard fork will drastically increase this number and make shielded transactions much more accessible. If Zcash can successfully implement its lofty goals, it will have theoretically have superior on-chain privacy compared to Monero.

However, privacy is multidimensional. In addition to on chain privacy, there is an off chain aspect as well. Having a central company in charge of a privacy focused cryptocurrency isn’t ideal, as this opens up the potential attack vectors dramatically. Governments and regulators could target the company or individuals in leadership positions.

Zcash aims to solve this problem by slowly transitioning governance to the foundation and the community, but this won’t be an easy process. As the original inventors and developers, it’s possible the Zcash company team will always have a disproportionate ability to influence the direction of the protocol.

Regardless, Monero and Zcash have very contrasting approaches, optimizing for their respective challenges. Monero’s community focused ideology would not work as well for Zcash, as it’s crucial for Zcash to iterate quickly and experiment, especially at this early stage. Similarly, any ring signature based project could never work without prioritizing community and ideology, even at the expense of efficiency and innovation.

Privacy is the killer use case for cryptocurrencies, and people are starting to realize its importance as Bitcoin becomes continuously deanonymized. The more teams and projects aiming to solve this problem, the better. Competition is good, and Monero and Zcash can learn from each other, enabling better privacy for all. They have very contrasting ideologies, and it will be fascinating to see how it all plays out.

Conclusion

Zcash has some very lofty privacy goals, and it makes sense why they’ve chosen a traditional startup to build the protocol. In addition, a 10% seigniorage tax in exchange for coordinated, structured development might be worth it. It’s also a good way to launch without an token sale. For Zcash to thrive in the long run, however, development and governance of the protocol must become more decentralized and driven by input from every stakeholder in the ecosystem. Governance structures are all about tradeoffs, and Zcash has choosen a unique model optimized for its own challenges. Transitioning to a more decentralized structure and process will be a long, slow process, and it will require input from many people in the ecosystem. I’m looking forward to watching the governance mechanism for Zcash evolve.

If you enjoyed this piece, check out the one on Monero governance!

Thanks to Josh Cincinnati, Gibson Ashpool, and zooko for speaking with me about Zcash.

Thanks to Nic Carter, Anders Larson, and Ash Egan for their feedback on this piece.