ZEC: Unmatched Privacy In a Public Blockchain

We recently spent close to 200 hours reviewing the entirety of the Zcash project and the ZEC cryptocurrency. Upon analyzing the project, it is clear to us that Zcash is one of the most important projects in the entirety of the crypto space.

In the early days of digital currency, many believed that Bitcoin transactions were fully anonymous and private. The popularity of the Silk Road, the first modern dark-net market, fueled this misconception and led many early adopters to conflate anonymity with pseudonymity.

As most probably know by now, Bitcoin users are pseudonymous; their addresses and balances are completely public, but their real-world identity is not. While addresses cannot be tied to individuals by simply looking at the blockchain, Bitcoin’s pseudonymity is nevertheless broken when an individual proves ownership of an address, usually by using an exchange. As such, the believers of Bitcoin’s anonymity myth had a rude awakening following the demise of the Silk Road, one of the most significant events in Bitcoin’s history.

Beyond illicit use cases, the Silk Road predicament highlighted that the pursuit of privacy as a fundamental human right was incompatible with public blockchains at the time. This realization led many researchers to begin working on solutions to increase the privacy of bitcoin transactions. Greg Maxwell’s CoinJoin was one of the early attempts to increase the privacy and efficiency of Bitcoin by aggregating multiple senders of BTC in a single transaction; a method that has been generally called coin mixing.

Mixing makes it difficult to pinpoint the specific senders and recipients of a transaction because balances are sent as a group. The efficiency of CoinJoin mixing has made it, by far, the most commonly used method to hide identities in public blockchains. Although very primitive, the method is still widely used today in cryptocurrencies such as DASH.

Like CoinJoin, Monero’s RingCT is a system for masking the sender of a transaction. We have analyzed RingCT in the past and, relative to implementations of CoinJoin, it is a much more sophisticated method of hiding data. RingCT aggregates the signatures associated with a transaction and encodes its value. Although this is an elegant and efficient system, we recognize that there are problems with this approach.

Put simply, the fundamental problem with coin mixing methods is that transaction data is not hidden through encryption. Instead, both CoinJoin and RingCT are systems of disassociation. In such systems, all information is publicly visible, but transaction-specific data, such as the amount sent, is disassociated from user-specific information, such as the addresses associated with the balance. If the heuristic used to disassociate these data points is broken, as was the case with the majority of Monero transactions prior to February 2017, the privacy of the entire system is also broken.

Rather than disassociation, a sounder approach to privacy is one that uses stronger cryptography, where the entire transaction data is hidden. At first glance, this might seem incompatible with public blockchains; after all, one of the value propositions of Bitcoin is a public and verifiable chain of ownership for every single balance. Hiding transactions would prevent that verification process by allowing only the bearer of a specific key to view a transaction.

For this reason, the only way to allow a blockchain to be both encrypted and publicly verifiable is through highly sophisticated cryptography. Luckily, this can be achieved through one of the most powerful tools cryptographers have ever devised: Zero-Knowledge Proofs.

ZERO-KNOWLEDGE MAGIC

The magical concept behind Zero-Knowledge Proofs is to cryptographically prove that something is true, or that one knows some secret, without revealing anything about what that something is.
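To make the idea concrete, here is an added example (not code from the original post or from the Zcash project) of the simplest zero-knowledge proof of knowledge: a Schnorr proof that the prover knows the discrete logarithm x of a public value y = g^x mod p, made non-interactive with the Fiat-Shamir transform, which is also the "non-interactive" ingredient in a zk-SNARK. The group parameters, function names and sample values are constructed for illustration and are far too small for real use; the `simulate` function shows the zero-knowledge intuition that a valid-looking transcript can be produced without knowing x when the challenge is not bound to the commitment.

```python
import hashlib
import secrets

# Constructed toy parameters (illustration only; real systems use ~256-bit groups or
# elliptic curves): P is a safe prime, Q = (P - 1) / 2, and G = 4 generates the
# subgroup of prime order Q.
P = 2039
Q = 1019
G = 4


def keygen() -> tuple[int, int]:
    """Return a secret witness x and the public statement y = g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def _challenge(y: int, t: int) -> int:
    """Fiat-Shamir: derive the challenge by hashing the transcript so far, so that
    no interactive verifier is needed and the challenge is bound to the commitment."""
    data = f"{P}|{Q}|{G}|{y}|{t}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def prove(x: int, y: int) -> tuple[int, int]:
    """Prove knowledge of x such that y = g^x mod p without revealing x."""
    k = secrets.randbelow(Q - 1) + 1   # fresh nonce; reusing it would leak x
    t = pow(G, k, P)                    # commitment to the nonce
    c = _challenge(y, t)
    s = (k + c * x) % Q                 # response: x only appears masked by k
    return t, s


def verify(y: int, proof: tuple[int, int]) -> bool:
    """Check g^s == t * y^c, i.e. g^(k + c*x) == g^k * (g^x)^c, without learning x."""
    t, s = proof
    if not (1 <= t < P and 0 <= s < Q):
        return False
    c = _challenge(y, t)
    return pow(G, s, P) == (t * pow(y, c, P)) % P


def simulate(y: int) -> tuple[int, int, int]:
    """Zero-knowledge intuition: pick c and s first and solve for t = g^s * y^(-c).
    The transcript (t, c, s) passes the algebraic check yet was built with no
    knowledge of x, which is why a verifier learns nothing from a real transcript.
    Fiat-Shamir prevents a cheating prover from doing this because c must equal
    the hash of t, which is fixed before c is known."""
    c = secrets.randbelow(Q)
    s = secrets.randbelow(Q)
    y_to_c = pow(y, c, P)
    inverse = pow(y_to_c, Q - 1, P)     # inverse within the order-Q subgroup
    t = (pow(G, s, P) * inverse) % P
    return t, c, s


def transcript_consistent(y: int, t: int, c: int, s: int) -> bool:
    """The bare algebraic relation a transcript must satisfy, ignoring how c was chosen."""
    return pow(G, s, P) == (t * pow(y, c, P)) % P


if __name__ == "__main__":
    secret, public = keygen()
    proof = prove(secret, public)
    print("honest proof verifies:", verify(public, proof))
    t, s = proof
    print("tampered proof verifies:", verify(public, (t, (s + 1) % Q)))
    print("simulated transcript consistent:", transcript_consistent(public, *simulate(public)))
```

The verifier never sees x, only (t, s), and because s is the nonce k shifted by c*x, it is uniformly distributed and reveals nothing about x. A zk-SNARK keeps this "prove knowledge without revealing it" property but proves a far richer statement (that a shielded transaction is correctly formed and balanced) with a short, constant-size proof.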

Zcash uses a variant of Zero Knowledge Proofs called zero-knowledge Succinct Non-interactive Argument of Knowledge, or zk-SNARK, to enable private transactions in the network. This specific implementation allows encrypted transactions to be verified in milliseconds. Users can generate zk-SNARKs to selectively protect the source, destination, and amount of ZEC through four different types of transactions:

While zk-SNARKs are incredibly powerful, they also carry their fair share of shortcomings. One of the biggest hurdles of using private transactions on Zcash is that zk-SNARKs are computationally intensive and take time to produce. Such requirements prohibit the use of this technology on mobile phones, which has undoubtedly affected the adoption of private Zcash transactions. In fact, we have found that only about 13% of Zcash transactions currently use zk-SNARKs. Fully private transactions, where both sender and receiver are shielded, are only about 0.36% of total Zcash transactions.
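The shielded-usage figures above come from classifying each transaction by which of its sides is shielded. The following is an added example (not code from the original post or from the Zcash project) that performs that classification over a constructed list of transactions and computes the same two ratios, the share of transactions that use zk-SNARKs at all and the share that are fully shielded. Address prefixes follow Zcash's convention (`t1`/`t3` transparent, `zc` Sprout and `zs` Sapling shielded); the addresses, transaction ids and the `Tx` record type are constructed placeholders.

```python
from collections import Counter
from dataclasses import dataclass

# Zcash address conventions: "t1"/"t3" are transparent, "zc" (Sprout) and "zs" (Sapling)
# are shielded. All addresses below are constructed placeholders, not real addresses.
SHIELDED_PREFIXES = ("zc", "zs")
TRANSPARENT_PREFIXES = ("t1", "t3")

TRANSPARENT = "transparent (t-to-t)"
SHIELDING = "shielding (t-to-z)"
DESHIELDING = "deshielding (z-to-t)"
FULLY_SHIELDED = "fully shielded (z-to-z)"


def is_shielded(addr: str) -> bool:
    if addr.startswith(SHIELDED_PREFIXES):
        return True
    if addr.startswith(TRANSPARENT_PREFIXES):
        return False
    raise ValueError(f"unrecognised address prefix: {addr!r}")


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: tuple[str, ...]   # addresses spent; empty for a coinbase transaction
    outputs: tuple[str, ...]  # addresses paid


def classify(tx: Tx) -> str:
    """Name a transaction by which side(s) of it are shielded.

    Only transactions with a shielded side carry a zero-knowledge proof; a t-to-t
    transaction is as public as a Bitcoin transaction. Note that in the two partial
    cases the transparent side (amount and address) is still visible on-chain."""
    shielded_in = any(is_shielded(a) for a in tx.inputs)
    shielded_out = any(is_shielded(a) for a in tx.outputs)
    if shielded_in and shielded_out:
        return FULLY_SHIELDED
    if shielded_out:
        return SHIELDING
    if shielded_in:
        return DESHIELDING
    return TRANSPARENT


def shielding_stats(txs: tuple[Tx, ...]) -> dict:
    """Count each type and derive the two headline ratios used in the post."""
    counts = Counter(classify(tx) for tx in txs)
    total = len(txs)
    uses_snark = total - counts[TRANSPARENT]
    return {
        "by_type": dict(counts),
        "zk_snark_fraction": uses_snark / total,
        "fully_shielded_fraction": counts[FULLY_SHIELDED] / total,
    }


# Constructed sample: seven transparent transactions, one shielding, one deshielding,
# one fully shielded (a coinbase transaction has no inputs).
SAMPLE_TXS = (
    Tx("tx00", (), ("t1MinerAAAA",)),
    Tx("tx01", ("t1AliceAAAA",), ("t1BobBBBBB", "t1AliceChange")),
    Tx("tx02", ("t3MultisigCC",), ("t1CarolCCC",)),
    Tx("tx03", ("t1DaveDDDD",), ("t1EveEEEEE",)),
    Tx("tx04", ("t1EveEEEEE",), ("t1FrankFFF",)),
    Tx("tx05", ("t1FrankFFF",), ("t1GraceGGG",)),
    Tx("tx06", ("t1GraceGGG",), ("t1HeidiHHH",)),
    Tx("tx07", ("t1AliceAAAA",), ("zsAliceShieldedXX",)),
    Tx("tx08", ("zsAliceShieldedXX",), ("t1BobBBBBB",)),
    Tx("tx09", ("zcSproutIvanYY",), ("zsJudyZZ",)),
)

if __name__ == "__main__":
    for tx in SAMPLE_TXS:
        print(tx.txid, "->", classify(tx))
    print(shielding_stats(SAMPLE_TXS))
```

Run against real chain data, the two fractions are the quantities the post reports as roughly 13% and 0.36%; on the constructed sample they come out as 30% and 10%. The partial categories are the ones to watch from a privacy standpoint, since their transparent side is what makes address clustering possible.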

Even though Zcash has processed more transactions in its network than Monero, 86% of them are unshielded and look exactly like a regular bitcoin transaction. On the other hand, XMR transactions are inherently mixed and Monero is private by default. If we were to compare the total number of private transactions in both networks, Monero would be the clear winner.

As the industry has come to realize, the tradeoff between inherent and optional privacy undoubtedly affects the likelihood that an asset is listed on a regulated exchange. As was pointed out to Monero’s lead developer Riccardo “fluffypony” Spagni when he gave a talk at Coinbase, regulatory pressure makes it unlikely that an exchange of Coinbase’s proportions will be able to support Monero in the near future. Regulators are warier of inherently private blockchains because they are harder to audit and regulate.

Conversely, the optionality of privacy in Zcash eases regulatory fears and allows these institutions to list unshielded ZEC. This was exemplified in May of 2018, when the New York Department of Financial Services (NYDFS) authorized Gemini to support the trading and custody of Zcash. This is a sign that regulators might be more open to working with projects where privacy is optional. This willingness is ideal for the liquidity of ZEC and fiat pairs and might not necessarily hurt the fungibility of the assets in the network; two rounds of shielded transactions to different z-addresses may be enough to completely hide the chain of custody of a specific balance.

The Guarantee of Privacy

In our report, we talked about the guarantee of privacy, or in other words, the degree to which users can be confident that past transactions will remain confidential. To many, the debate over Zcash vs. Monero boils down to the strength and sustainability of the mechanisms used by both protocols to enable privacy.

Monero’s track record in that regard was greatly tainted in April of 2017, when researchers at Princeton and the University of Illinois found a considerable vulnerability in Monero’s mixin protocol. This vulnerability enabled them to identify the true sender of most XMR transactions prior to the activation of RingCT in February of 2017. They called this exploit “chain-reaction” analysis and claimed that the heuristic put forth in the white paper enabled them to pinpoint the sending address of certain pre-RingCT XMR transactions with 80% accuracy. While the activation of RingCT in February diminished vulnerabilities related to blockchain analysis, this raised awareness of how bad the problem was prior to its activation. As we touched upon earlier, Monero is a system of disassociation; therefore, privacy depends upon the number of decoy entities associated with a transaction.

On the other hand, the privacy guarantees in Zcash are much less subject to sophisticated blockchain analysis. In May of 2018, researchers at University College London released a comprehensive paper that evaluated anonymity in Zcash through similar blockchain analysis. Since only a fraction of transactions in Zcash are private at this point, it is possible to cluster a small fraction of transactions based on an address’ patterns of usage. In this regard, the proportion of Zcash transactions affected by blockchain analysis pales in comparison to Monero’s. The researchers found 23 Zcash addresses in the entire study that could be partially traced by analysis, whereas over 200,000 XMR addresses were likely vulnerable to the chain-reaction exploit.

For this reason, it is our opinion that the privacy guarantees provided by Zcash’s zk-SNARKs are stronger than those of Monero’s RingCT. That said, there are still many risks involved with the use of zk-SNARKs. In order for them to function properly, zk-SNARKs rely on a trusted setup ceremony, called The Powers of Tau, used to generate the set of keys required to prove and verify zk-SNARKs. If compromised (and there is no indication that any of the ceremonies have been compromised), it presents a systemic risk to the entire project. As we explored in our report, the process of generating these keys, as well as the requirements to generate zk-SNARKs, will be overhauled on October 28th, when a new version of Zcash activates.

Zcash Sapling

Sapling is a major update intended to increase the usage of zk-SNARKs by adopting tools that lower their computational requirements. Sapling can reduce the memory usage of constructing zk-SNARKs by 98% and make the process of verifying these proofs 80% faster. This could allow zk-SNARKs to be constructed on smartphones, something that is nearly impossible in the protocol’s current version. We expect the implementation of Sapling to be a catalytic event given its importance and our experience with major network upgrades on other cryptocurrencies.

The most anticipated improvement in Sapling is a new elliptic curve algorithm that is used to determine the challenges in the verification process of zk-SNARKs. While the technical name of this new curve is BLS12-381, the researchers at the Zcash foundation have decided to call it JubJub. The work on JubJub relied upon a groundbreaking framework released in 2015 called C∅C∅; a framework that can be used to build highly efficient composable Zero-Knowledge Proofs.

As we touched upon earlier, one of the problems related to the adoption of Zcash has been the difficulty of constructing and verifying zk-SNARKs. For context, consider that a computational instance required to verify a zk-SNARK in the protocol’s current version may use over 3GB of a node’s RAM. With JubJub, Sapling can reduce memory usage by 98% and allow zk-SNARKs to be generated and verified on smartphones. Proving time is also reduced by 80%, allowing zk-SNARKs to be verified in just seven seconds.

Funding by Coinbase

Note: We have updated our post to reflect a clarification regarding block and Founder’s rewards. Thank you to the Zcash team for clarifying this distinction.

Zcash uses an unorthodox strategy to fund protocol development and reward its team. Unlike Bitcoin, Zcash does not give 100% of the block reward to miners. Instead, part of the coinbase of every block goes directly to the Zcash team. They call this the “Founders’ Reward” and it is designed to fund the Zcash core team and early investors. This structure has been previously tested in protocols that have a masternode structure, like DASH, but it is still atypical in PoW blockchains that employ Nakamoto consensus.

Zcash block rewards are divided following the distribution below:

· 3% goes to the Zcash Foundation

· 2.8% goes to the Zcash Electric Coin Company

· 14.2% goes to Zcash employees, advisors, and founders

As such, a total of 20% of the block reward goes to these entities for the next 4 years. Given the protocol’s halving schedule, under which the first halving period issues half of all ZEC that will ever exist, the Zcash team will have received 10% of the monetary base, or 2.1M ZEC, when all ZEC have been mined. I should note that this is a much lower proportion of the total supply going to the founding team relative to the overwhelming majority of projects in the space.

This funding model has been controversial given its unorthodoxy, and recently created an uproar on social media when more people became aware of it. Nevertheless, there is an argument to be made that it has, so far, contributed positively to the growth of Zcash and to the research around zk-SNARKs over the past couple of years. Without significant resources being allocated to research, it would be difficult to imagine how the advanced cryptography employed by Sapling could have been developed in this timeframe.

Connect with Digital Asset Research

For institutional investors who would like to subscribe to DAR’s research, please submit a request for information here.

If you would like to sign up for our free daily newsletter, please sign up here.