Welcome back! This article continues my series on blockchain privacy. In recent articles, I’ve argued that privacy protocols are essential for token fungibility and crypto adoption and have provided a comprehensive analysis on the top privacy coin by market cap, Monero.
In this post, I’m planning to dive a little deeper on another top-three privacy coin: ZCash. Also, following this article, I’m planning to wrap up the series by discussing the Dusk protocol, which is an exciting project that is attempting to bring privacy to STOs. If you’re enjoying these posts and want future posts sent to your email, please subscribe to my distribution list! Alright, enough of the overview, let’s dive in.
So where does Zcash stack up in the privacy coin battle? As of 1/4/19, the coin was ranked as the 20th largest cryptocurrency by market cap and the third largest privacy coin by market cap (behind Monero and Dash). In this post, I’m going to briefly walk through the history, mechanics, and pros/cons of the protocol. As always, feel free to skip around if any of those sections sound particularly interesting!
A Brief History
While the Zcash protocol did not officially get up and running until 2016, its history actually dates back to 2013 and the development of the Zerocoin protocol. The Zerocoin protocol was proposed by Matthew Green, an Associate Professor of Computer Science at the Johns Hopkins Information Security Institute, and two of his graduate students, Ian Miers and Christina Garman. The protocol was initially designed to be integrated into the Bitcoin network as a way to “break the link” between Bitcoin transactions without the need for a trusted third party. Essentially, the protocol was designed to enable anonymous transactions without the need for a trusted coin mixing service. Unfortunately, the Zerocoin proposal was rejected by the Bitcoin community.
Following this rejection, the only way to get Zerocoin into circulation was to create a new altcoin that incorporated the protocol. The first cryptocurrency to do so was known as Moneta. The coin, which was created by Poramin Insom and Gary Le, was rebranded to Zcoin right before its launch in September 2016. Since then, the Zerocoin protocol has been implemented by a number of different cryptocurrencies, including PIVX, SmartCash, Zoin, and Hexxcoin. These cryptocurrencies all experienced a moderate amount of success; however, they hit a bit of a roadblock in April 2018 when a new paper was published that outlined a massive cryptographic flaw in the Zerocoin protocol. The flaw enabled nefarious attackers to “create money out of thin air and steal coins from honest users”. Luckily, ZCash does not use the Zerocoin protocol (I probably wouldn’t be writing about it if it did…).
So then what protocol does Zcash use? Let’s quickly rewind back to 2013. A few months after announcing the original Zerocoin protocol, Matthew Green and a team of six other professionals published a follow-up paper called Zerocash: Decentralized Anonymous Payments from Bitcoin. The paper proposed a new protocol that provided enhanced anonymity by shielding the transaction participants and amounts. At that time, the tradeoff was that ZCash provided enhanced privacy features but was much more computationally expensive (an issue that has since been resolved).
Similar to before, Matthew Green and Co. provided the theoretical background for Zerocash; however, they still needed somebody to take the theoretical concept and put it into practice. This occurred when the Zerocash team collaborated with Zooko Wilcox and his team from Least Authority. This collaboration was first announced in June 2015, when Zooko released an article stating that “we are working on something that we can’t announce yet, but it involves the Zerocash protocol for private bitcoin transactions”. After about six months of work, the Least Authority team set up a new company called the “Zerocoin Electric Coin Company” (which is now known as “The Zcash Company”) and announced its plans to the world. With this release, it introduced the ZCash testnet and presented a compelling argument for blockchain privacy. Over the next few months, Zooko released a plethora of articles detailing the coin’s funding, incentives, governance, protocol, consensus mechanism, alpha releases, etc.
Finally, after months of testing, iterating, and communicating, the Zcash team was ready to go live. To do so, they first needed to generate a set of public parameters that could be used to construct and verify transactions. We’ll discuss how this works in detail in our next section; however, for a little background, the process essentially consists of generating a random value (known as a private parameter) and using that random value to calculate the protocol’s public parameters. Because the private parameter could potentially be used by a third party to create counterfeit Zcash transactions, it needs to be immediately destroyed.
In order to ensure that nobody ever learned the private parameter, the Zcash team constructed an elaborate parameter generation ceremony. The ceremony is discussed in detail in this article; however, at a high level, six team members essentially went off on their own to a random location and bought a brand new computer from a random computer store. They then removed the hard drives and the wifi / bluetooth capabilities from the machine, installed a custom built operating system, used the computer to complete a series of calculations, and copied the output to append-only DVDs. After that, they took those DVDs to networked computers, shared the results with each other, and completed a three-stage round robin-type process that spit out the public parameters. On 10/23/16, after three days of work, the parameters were finally generated (you can find them here). Once the parameters were generated, the Zcash team destroyed the computers to ensure that nobody could recreate the process and counterfeit the coin. Several days after the parameter generation process was complete (on 10/28/18), the Zcash genesis block was mined and the currency went live.
So what happened from there? Zcash experienced wild price fluctuations. After going live, Zcash quickly became the most valuable cryptocurrency by market cap at a price of 3,299.99 BTC per ZEC (which translated to approximately $2.3 million per coin at the time!). However, that high didn’t last long as the price steadily declined to a low of 0.71 BTC per ZEC a couple days later. That crazy price fluctuation was attributable to a choice made by the Zcash team to use a “slow start”. This essentially means that they limited the initial supply of coins and slowly ramped it up over a one-month period in order to limit the impact of a major bug or security vulnerability. The limited supply coupled with the strong speculative demand led to significant price swings. Over time, the coin’s volatility has come down to be more in line with the broader cryptocurrency market (which is obviously still quite volatile).
Since the initial rollout, Zcash has completed two major upgrades. The first, which was dubbed the “overwinter” upgrade, occurred on June 26, 2018. According to the Zcash blog, overwinter was implemented to “strengthen the protocol for future network upgrades”. Essentially, that means that it was implemented to prepare the network for the Sapling upgrade, which occurred a few months later on October 29, 2018.
Despite its somewhat underwhelming name, the Sapling upgrade was a huge deal. While the upgrade started as a pet project in 2016, it quickly turned into a full-blown project to revamp the protocol and drastically reduce the the time and memory required to complete shielded transactions. The upgrade officially went live in October 2018 and, according to the Zcash team, was able to successfully reduce transaction construction times by 90% and memory requirements by over 97%. These improvements in memory and transaction time are important because they will likely increase the adoption of shielded transactions, which would mitigate some privacy concerns that have previously been raised by researchers at the University of London. We’ll touch on this more in the Pros / Cons section below.
Okay, bear with me, there is one last major piece of Zcash’s history that we have yet to cover. In October 2017, The Zcash Company announced a major new partnership at CoinDesk’s Consensus 2017 conference. Who did they partner with? You may have heard of them, it’s a small financial company called JP Morgan. While that may seem like an unlikely partnership, JP Morgan is actually very active in exploring blockchain technology. JP Morgan has quietly been developing a “private, permissioned version of the ethereum network” called Quorum. They decided to partner with Zcash to add a layer of anonymity to that protocol. While this does not have a direct impact on the Zcash cryptocurrency, it offers a bit of validation for the underlying technology.
So how has the price reflected the upgrades and corporate partnership? Like all cryptocurrencies, Zcash’s price has been exceptionally volatile. The coin’s market cap rose to a high of over $2.6 billion in January 2018, before losing almost 90% of its value in a span of twelve months. By December 2018, its market cap had fallen to a low of around $270 million. Although Zcash’s price has primarily been driven by overall crypto sentiment and speculation to date, it will be fun to watch how the coin performs going forward!
Now that we have a good understanding of the history, let’s discuss how the protocol actually works. We’re going to hone in on Zcash’s privacy features, focusing specifically on how it (i) enables selective transparency and (ii) uses advanced zero knowledge proofs known as zk-SNARKs to store obfuscated transaction data directly on the blockchain. Let’s start with the former.
As I mentioned above, the Zcash protocol allows for “selective transparency”. This means that Zcash is not private by default like Monero. Instead, it allows users to choose between transacting anonymously and transacting transparently. In practice, users can choose to use addresses that start with a “t” or addresses that start with a “z”. T-addresses are “transparent” addresses and function in the same pseudonymous manner as Bitcoin. Z-addresses are “shielded” addresses and obscure the inputs, outputs, and amounts from the transaction data stored on the blockchain. Naturally, as you can see below, this means that there are four types of transactions (z-to-z, t-to-t, z-to-t, and t-to-z).
As you can imagine, z-to-z transactions are fully obfuscated and t-to-t transactions are fully transparent. The other two transaction types are known as “shielding” and “deshielding” transactions. Z-to-t transactions are known as deshielding transactions because they have shielded inputs and transparent outputs. Conversely, t-to-z transactions are known as shielding transactions because they have shielded outputs and transparent inputs. Said another way, anything that is sent to or from a z-address disappears into the shielded pool.
Historically, anonymous transactions have required more computational intensity, which has led to longer transaction times and larger memory requirements. As a result, many users have opted to use transparent transactions to date. However, as we discussed before, Zcash’s Sapling update made significant strides in reducing the computational burden and associated fee load for anonymous transactions. As a result, I’d expect the adoption of shielded transactions to improve over time.
While the ability to choose between transparent and anonymous transactions is extremely useful, it’s actually not the only kind of selective transparency that Zcash enables. Zcash also allows users to selectively disclose shielded transactions to a trusted third party (like a government entity or an auditor). Zcash does this by using a two-key architecture. Essentially, each user has two private / public key pairs. If a user is so inclined, they can share their private view key with a trusted third party and allow them to see the corresponding transactions. In doing so, they can prove that a transaction took place without publicly revealing their transaction history. This is particularly useful for auditing and compliance purposes.
That leads us to our next question, how does the Zcash protocol actually obscure transactions that are sent to and from these z-addresses? It does so through zk-SNARKs. Let’s jump into that now.
While most privacy coins obscure the identity of the sender and recipient by implementing some type of mixing function (CoinJoin, Ring Signatures, etc.), Zcash uses a slightly different technique. As I mentioned above, that technique is known as a “zk-SNARK”, which stands for Zero-Knowledge Succinct Non-Interactive ARgument of Knowledge. Said another way, a zk-SNARK is an advanced type of non-interactive zero knowledge proof. If you’re still a bit confused, that’s totally understandable. I’d recommend skimming through the “Stealth Addresses” and “Ring Signatures” section of my previous article on Monero. These sections provide some detail on elliptic curve cryptography and zero knowledge proofs, respectively, which should provide enough background for this discussion on zk-SNARKs.
So how exactly do these zk-SNARKs work? It’s best to think about zk-SNARKs in two phases. The first phase is the trusted set-up phase. In the trusted set-up phase, the founding team needs to create a set of “public parameters” that can later be used to prove and verify transactions. To set up the public parameters, the team first has to choose a random value (let’s call it “s”). After choosing the random value s, they can use it to derive a string of values by taking the sequence s⁰, s¹, s², …, s^d and multiplying it by the base point G (the same way you would create a public key from a private key). That leaves us with the following set of public parameters: (s⁰*G, s*G, s²*G, …,(s^d)*G).
It’s important to note here that this phase is called the “trusted” setup phase for a reason. As we mentioned briefly before, anybody that knows the random value “s” can use it to create counterfeit coins, which completely compromises the system. Therefore, to ensure the privacy of the protocol, it’s best to add another layer of security to the parameter generation process. This can be done by using a multi-party computation protocol. While that sounds pretty fancy, it basically just means that you can split the parameter generation process up so that several people each generate one part of the private key. After doing so, you can combine each of those pieces to create the full private key. By creating the private key in this manner, nobody has access to the full key so gaming the system would require the collusion of all participating parties. Let’s walk through a simple example of how a multi-party computation process would work.
Imagine that you have two participants in the parameter generation process. Each participant generates a random value (a and b). The first participant multiplies a by G to get A. They then send A to the second participant, who multiplies it by b. This gives us M = b*A = (b*a)*G. In this scenario, the private key s is equal to b*a. By constructing the private key in this manner, both parties know M and their respective piece of the private key but do not know the full value of the private key s. Additionally, they can use the a and b values to calculate the rest of the public parameters (G, a*b*G, a²*b²*G, …, etc) without ever knowing the value of the private key s.
This demonstrates how a simple version of the multi-party computation protocol can be completed by two people; however, in practice, you can include as many participants as you want. Obviously, the more independent parties you add, the lower the odds that the process is compromised.
Okay, now we know how to create the public parameters. How do we use them to prove transactions? What’s interesting is that the public parameters can be used to prove that one polynomial is equal to another polynomial (we’ll get to why that’s important in a minute). Using an example that is similar to the one used in the Zcash blog, imagine that you have two polynomials:
Polynomial 1: P(x) = a + bx +cx²
Polynomial 2: Q(x) = d + ex + fx²
We can prove beyond a reasonable doubt that these are the same polynomial if they both evaluate to the same answer for a random x-value. With zk-SNARKs, we can use s as the random x-value because the trusted setup ensures that nobody knows the true value of s. In fact, verifiers can actually use the public parameters to check that the two polynomials evaluate to the same answer at s without actually knowing s. This is because the public parameters are just one-way transformations of the underlying s value. Therefore, if we transform both polynomials in the same way, they should still produce the same answer. Said another way, a verifier can prove that P(s) = Q(s) by checking that P(s)*G = Q(s)*G. This is particularly useful because verifiers can easily derive P(s)*G and Q(s)* G by using the public parameters as follows:
P(s)*G = a(s⁰G) + b(s¹G) + c(s²G)
Q(s)*G = d(s⁰G) + e(s¹G) + f(s²G).
You might be thinking, well that’s great but why does it matter if we can prove that one polynomial equals another polynomial? What does it have to do with Zcash? It matters because it’s possible to convert a transaction into a polynomial using a complex mathematical process (described here). After doing so, you can use the resulting polynomial to prove and verify the transaction. More importantly, you can easily apply a random shift to these polynomials, which obscures the transaction inputs and creates shielded transactions. This is what allows the Zcash protocol to store fully encrypted transactions directly on the blockchain. The ability to store transactions directly on the blockchain is important because it enables a larger anonymity set and allows for additional functionality such as the newly implemented memo field. For more information on how the process of converting transactions to polynomial equations works, I’d recommend checking out this article on the Zcash website or this article by Vitalik Buterin.
That was a lot to take in but the summary is that Zcash uses advanced non-interactive zero knowledge proofs known as zk-SNARKs to fully obfuscate transactions on the blockchain in a cryptographically secure way. In doing so, the protocol gives users the choice to operate through transparent addresses or shielded addresses and the ability to selectively reveal their transaction information to trusted third parties.
Pros / Cons
Clearly, Zcash has implemented some advanced techniques for obscuring transaction data into the protocol. So how does it stack up to other privacy-oriented cryptocurrencies? Let’s quickly walk through a few of its notable advantages and disadvantages.
The primary advantage of Zcash is the concept of selective transparency discussed above. The ability for users to decrypt their transactions for authorized parties is useful for a number of real-world applications. For instance, businesses could show their transaction histories to auditors, debtors could prove that they fulfilled their obligations, etc.
A second key advantage is that the privacy provided by Zcash is generally considered stronger than the privacy provided by other privacy coins. Zcash can store encrypted transactions directly on the blockchain and does not rely on mixing algorithms. This reduces linkability and limits the system’s vulnerability in the case of a hack. Additionally, while the anonymity set of a mixing algorithm is limited to the number of participants, Zcash’s anonymity set consists of the entire shielded pool. While Zcash has not seen meaningful adoption of shielded addresses yet, this is expected to grow over time, which would significantly increase the strength of its privacy features.
A third advantage is the strength of the Zcash team. The Zcash team consists of a number of experienced cryptographers and academics. Let’s walk through a quick highlight reel:
- Zcash’s founder, Zooko Wilcox, has over twenty years of experience with decentralized protocols, cryptography and startups, and has developed several well-known network protocols.
- The company’s CTO, Nathan Wilcox, has “over 10 years of experience in software development, performance analysis, and security audits”.
- The Zcash protocol’s founding scientists include professors and PhD students from schools like MIT, Johns Hopkins, UC Berkley, and Tel Aviv University.
- Zcash has an Advisory Board that is made up of professionals from some of the most well-respected crypto projects, including Vitalik Buterin from Ethereum, Arthur Breitman from Tezos, and Brian Warner from Agoric, among others.
- Zcash’s leadership has continued to grow the team by adding talent across a wide range of necessary functions. It has grown the core team to 31 professionals spanning functions like business development, operations, finance, design, marketing, and, of course, engineering.
This level of talent is somewhat rare in the world of crypto and has driven the success that the protocol has had to date. Going forward, this team will hopefully be able to keep the protocol on the cutting edge and successfully build out a community around it.
The Trusted Setup
A major knock against the Zcash protocol is that it relies on a trusted setup. This is the idea that you have to trust the founders of Zcash to properly destroy the private parameters (aka the “toxic waste”) created in the parameter generation process. This has been touted as a huge concern by a number of people because cryptocurrencies are supposed to be trustless systems. However, I think that people are somewhat blowing this issue out of the water. While it is clearly a potential cause for concern, I think that the Zcash team has appropriately mitigated it by using a multi-party parameter generation process and fully documenting the creation ceremony. Additionally, the team provided an additional level security when they implemented the Sapling upgrade by using a “Powers of Tau” ceremony, which included dozens of participants.
Privacy by Default
The biggest knock against Zcash is that it is not private by default (whereas Monero is). Instead, it allows users to choose between transparency and anonymity. While this provides flexibility to the end-user, it may also impact the coin’s privacy and fungibility. In fact, a group of researchers from the University of London published a paper in September 2018 that described how the protocol’s privacy could be compromised due to the lack of shielded pool adoption. They concluded that:
“…most users are not taking advantage of the main privacy feature of Zcash at all. Furthermore, the participants who do engage with the shielded pool do so in a way that is identifiable, which has the effect of significantly eroding the anonymity of other users by shrinking the overall anonymity set.”
However, as we discussed before, the Sapling upgrade has significantly reduced memory requirements and transaction times, which will likely improve the adoption of shielded transactions. Additionally, the Sapling upgrade has enabled the possibility of mobile Zcash wallets, which would further simplify the use of Zcash’s privacy features. If these solutions have the intended effect of increasing shielded adoption, they will effectively mitigate the protocol’s privacy concerns.
Governance / Economic Incentives
The last major knock against Zcash is its governance. The founding team created a for-profit company known as The Zcash Company to control the protocol’s development, operate essential Zcash infrastructure, and own the Zcash trademark. In order to pay these early stakeholders for their efforts, the Zcash team has incorporated a “Founders Reward” into the protocol. The Founders Reward is a payment to the protocol’s early stakeholders (aka founders / employees / investors / advisers). The Founder’s Reward is distributed as part of the mining process. Essentially, in the first four years of the protocol’s existence, 20% of every block reward will go to the founders and 80% will go to the miners. After the four years are up, 100% of the block reward will go to the miners. Ultimately, this reward will be worth 10% of Zcash’s total monetary base. This can be seen in the graphic below.
On the surface, this seems like a huge red flag as it centralizes the protocol’s development, allows the founders to make a substantial sum of money over a short period of time, and may dissuade miners from joining the community.
However, I think that these criticisms may be mildly overblown as well. The funding method actually does a good job of incentivizing the founding team to remain engaged and actively improve the protocol. With something as complicated / rapidly evolving as blockchain privacy and zk-SNARKs, it probably makes sense to keep the group of people that have the best understanding of the technology actively involved in the project.
Additionally, the Zcash team has made it clear that they do not intend to maintain the centralized nature of the protocol’s development and maintenance. They intend to transfer the responsibilities of The Zcash Company to an independent non-profit entity called “The Zcash Foundation” over time. The Zcash Foundation will ultimately be responsible for ensuring the protocol is developed in the best interest of the public. As you can read here, the entity’s mission is to support the protocol’s community (by sponsoring conferences, organizing mailing lists, etc.), support the protocol’s governance (by maintaining the protocol, coordinating upgrades, conducting parameter generation ceremonies if necessary, etc.), and support the underlying science (by interacting with the scientific community and encouraging relevant research). What is particularly noteworthy is that Zooko and a number of the founders are donating half of their Founder Reward to the foundation in order to fund its operating costs, salaries, etc. I think that this demonstrates the team’s commitment to the long-term success and decentralization of the protocol.
That wraps up my overview of Zcash, I hope you found it interesting! Stay tuned for my next post, which will break down the Enigma and Dusk protocols. If you enjoyed this post and would like future posts sent directly to your email, please subscribe to my distribution list or reach out to me at email@example.com.
If you have an interest in venture capital and want to read more VC-related content, please follow my publication “All Things Venture Capital” on twitter. Also, let me know if you’re interested in adding to the publication! My goal is to continue to add high quality content (articles, podcasts, videos, etc.) from aspiring and current venture capitalists that want to share their perspective. Thanks for reading!