History of Zcash
One of the key features of Bitcoin is its peer-to-peer network that allows users to send and receive Bitcoins without the need for any intermediary. It has redefined what money is and how it works.
But making payments in Bitcoin also means that all the balances and your transaction history are revealed to the public. While this feature makes Bitcoin transparent, it also means that you have no financial privacy. It is easy to look up the balance and past transactions of any Bitcoin address on any block explorer.
Most cryptocurrencies designed before Zcash were pseudonymous like Bitcoin. While the addresses are pseudonymous, it does not take much time to trace the real owner of these open-source public blockchains. Zooko Wilcox, the founder and CEO of The Zcash Company realised the need for a privacy coin that would prevent others from knowing your transaction history and also your behaviour to the people.
He founded a startup in 2015 to explore the ideas behind Zerocoin (a token that had similar goals). The white paper of Zerocoin was authored by professors Matthew Green and Eli Ben-Sasson, among a larger group of cryptographers and academics. While the paper offered new solutions to the problems related to privacy, there were a few challenges that could not be met. After a lot of research, Zcash was launch and released in 2016.
The Zcash ecosystem is managed by two main protagonists namely the Electric Coin Company and the Zcash Foundation. The Company is made up of developers and educators that exists to support the Zcash developments and its education. It does not even control the cryptocurrency, its miners or the distribution of the token as it is a decentralized blockchain with Proof of Work (PoW) on-chain governance.
Some of the functions of the Zcash Foundation include funding of research and development, distribution of grants to developers, community management and the protocol governance,
What is Zcash?
Zcash is a decentralized private cryptocurrency that was created as a fork of Bitcoin. A lot of Zcash is ported over from Bitcoin’s original open-source code but with one big difference and that is the fact that Zcash uses encryption to conceal payments on the blockchain. Similar to modern-day encryption, Zcash uses the same technique to protect the information of who is transacting with whom and how much each individual owns.
Along with offering public addresses, Zcash offered this feature of encryption by introducing shielded addresses for its users. While the initial plan was to go ahead with the shielded address only, Zcash let its users choose between the level of anonymity by offering both — the public address (similar to that of Bitcoin) and the shielded address (as discussed above). Shielded transactions can be verified without disclosing the sender’s nor receiver’s balance or transaction history.
Why is it valued?
Privacy is an integral part of the financial markets. Having access to others’ information helps to predict the future which affects the functioning of these markets. Maintaining privacy is necessary for businesses to prevent their competition to see their trades. If you are in a business that takes care of information about a lot of people, for example, health care, child safety, etc. then maintaining the privacy of such people is extremely important.
Having copied the open-source codes of Bitcoin also means that Zcash can also serve as digital money.
How does it work?
Zcash offers a shielded address to its user by employing a cryptographic breakthrough called the Zero-Knowledge Proofs or zk-SNARKs that allows anyone to prove they know something without sharing what they know. Zcash allows the ledger to be still auditable while maintaining the privacy of the shielded addresses. This is done using encryption on the blockchain.
It can therefore be proved that the transaction was correct and was legitimately transferred from the sender, without anyone else having any knowledge about the transaction.
Other than the privacy features, the cryptocurrency operates similarly to other cryptocurrencies. Each transaction is verified by the nodes and recorded on the blockchain. Each block is added to the open network of computers using an algorithm called Equihash which calculates the amount of RAM a miner is devoting to securing the blockchain.
Tokenomics of Zcash
Zcash has the same maximum supply of 21 million similar to that of Bitcoin. It is said that Zcash’s coins will be mined by 2032 and just like Bitcoin, block rewards of Zcash get halved every four years as a deflationary measure. For the first four years of the blockchain’s operation, 80% of its block reward was programmed to go to miners, with 20% allocated to the Electric Coin Company, the Zcash Foundation as well as some of their key employees and stakeholders.
Zcash’s first halving is supposed to happen at block 1,046,400, which might happen anytime during November this year. This will cut the rewards per block mined from the current 6.25 ZEC to 3.125 ZEC.
At the time of writing, the ZEC/USDT pair is trading at $64.39 on CoinDCX and a circulating supply of 10,184,550 ZEC. With a current market capitalization of $678,272,599, it is ranked 30th on CoinMarketCap.
What are zk-SNARKs?
The acronym zk-SNARK stands for “Zero-Knowledge Succinct Non-Interactive Argument of Knowledge,” and refers to the situation where one can prove the possession of certain information, for example, a secret key or transaction information, without revealing the information or interacting with the prover or the verifier.
“Zero-Knowledge” proofs allow one party (the prover) to prove to another (the verifier) that a statement is true, without revealing any information beyond the validity of the statement itself. For example, given the hash of a random number, the prover could convince the verifier that there indeed exists a number with this hash value, without revealing what it is.
In a zero-knowledge “Proof of Knowledge,” the prover can convince the verifier not only that the number exists, but that they know such a number — again, without revealing any information about the number. The difference between “Proof” and “Argument” is quite technical and we don’t get into it here.
“Succinct” zero-knowledge proofs can be verified within a few milliseconds, with a proof length of only a few hundred bytes even for statements about programs that are very large. In the first zero-knowledge protocols, the prover and verifier had to communicate back and forth for multiple rounds, but in “non-interactive” constructions, the proof consists of a single message sent from prover to verifier. Currently, the most efficient known way to produce zero-knowledge proofs that are non-interactive and short enough to publish to a blockchain is to have an initial setup phase that generates a common reference string shared between prover and verifier. We refer to this common reference string as the public parameters of the system.
If someone had access to the secret randomness used to generate these parameters, they would be able to create false proofs that would look valid to the verifier. For Zcash, this would mean the malicious party could create counterfeit coins. To prevent this from ever happening, Zcash generated the public parameters through an elaborate, multi-party ceremony.
The features of zk-SNARKs ensure that the verifier learns nothing about the data other than whether it is true or not. The proof given for verification is also so small that it can be verified quickly. This encryption between the two parties prevents them to communicate with each other. Moreover, there is no way a prover can force a verifier to accept false information. Lastly, a prover cannot prove information unless there is verifiable information to prove.
Working of a Zcash Transaction
The added choice between shielded and transparent addresses is an important factor when sending and receiving ZEC. Understanding how these two types are used in a transaction is a suitable place to start to make the most informed choices.
This is what the details for a transparent address look like –
The Building Blocks of A Zcash Transaction
The user-facing building blocks of a Zcash transaction can be broken down into sending and receiving addresses, account balances and transaction fees. A high level view of the Zcash transaction can be viewed below.
Source: Electric Coin Company blogs
The diagram above shows the process of sending and receiving ZEC as part of a transaction. The use of shielded addresses — whether sending or receiving — requires the generation of a zero-knowledge proof which allows others to verify a transaction’s encrypted data without it being revealed.
A more detailed explanation of how this works is discussed in this blog of the Electric Coin Company.
These addresses always start with a “z” and are sometimes referred to as “z-addrs”. Similarly, the use of transparent addresses require interaction with what is known as a “Transparent Value Pool” (or TVP) and publicly reveals transaction data. These addresses always start with a “t” and are sometimes referred to as “t-addrs”. The transaction fee also passes through the TVP and is therefore always visible on the blockchain. Even though fees are always revealed in a transaction, shielded addresses and value are not affected as shown in the following real Zcash transaction.
Like other blockchain protocols, spending from a balance in an address requires sending all of the balance. Therefore, unless you want to send the exact balance to another party, you must split the balance by including a second receiving address you control to accept any balance change. It is possible to simply use the sending address as the change address to prevent the added management of multiple addresses. This, however, is not normally recommended since it would be trivial for someone to build an identity profile based off of transactions sent to and from that single public address. Creating a new address for each transaction has become recommended standard practice to obfuscate a user’s transactions. Since public transactions link sending and receiving addresses, however, this level of obfuscation is still quite trivial to navigate around and does not provide a meaningful level of privacy.
Thankfully, when sending ZEC from a shielded address, that data is kept private so sending change back to the sending address is permissible. In Zcash, all transactions between shielded addresses look identical so the reuse of shielded addresses is not vulnerable in the same way that transparent addresses are.
Sending Between Shielded and Transparent Addresses
Source: Electric Coin Company blogs
Properties of sending ZEC between shielded and transparent addresses
In Zcash, ZEC is the balance unit for how much value an address contains. It differs from purely public blockchain currencies in that a ZEC balance has a different set of properties depending on what address type it is currently held in and the previous address(es) it was sent from. If ZEC is held in a transparent address, its unspent balance is publicly viewable. Regardless of that balance being sent to one or more transparent addresses, shielded addresses or a combination of these types, the output ZEC from a transparent address will be visible. A benefit of sending transparent ZEC to a shielded address is breaking the linkability between future transparent addresses if that’s where it ends up again. The action of shielding ZEC is particularly important at these early stages where many wallets (such as mobile wallets) may not yet support shielded addresses due to the resource requirements for hardware and software.
A screenshot from the Zchain block explorer of a transaction shielding ZEC.
In the transaction above where a transparent address sends to a shielded address, you can see that this process of shielding ZEC reveals the balance sent and that it is held by shielded addresses. The shielded addresses involved and whether it was sent to one or two shielded addresses remains confidential.
To contrast, a ZEC balance in a shielded address keeps the balance and account address private. If spending to one or more shielded addresses, the value stays private but any transparent addresses on the receiving end will deshield the ZEC and reveal the value received on the blockchain. When deshielding ZEC, the input shielded addresses and whether the value was sent from one or two of these remains confidential.
It should be noted that these examples do not detail the properties of more complex transactions where both transparent and shielded addresses are sending or receiving. With this overview of the basic properties of addresses and spending ZEC balances, however, users can hopefully gain a better perspective on how the transactions work when transacting between any two addresses.
Having the two types of addresses within Zcash (transparent and shielded) is an advantage which allows users to have more flexibility with how they store and transact ZEC. The dynamic between transparent and shielded addresses, however, presents a level of increased complexity for transactions containing both types (i.e. shielding ZEC by sending from a transparent to a shielded address or deshielding ZEC by sending from a shielded to a transparent address).
If all Zcash transactions used shielded addresses, then the complexities introduced with the two types of addresses disappear and privacy would strengthen for everyone in the ecosystem. Until then, understanding privacy implications such as transaction linking will be helpful for users interested in maintaining maximum control over the visibility of their transaction details.
We will now discuss some privacy considerations while using Zcash with its current support for both transparent and shielded addresses and some solutions users can employ in such situations.
Knowing that transparent addresses publicly disclose transaction details on the Zcash blockchain, we can assume a degree of linkability between a string of transactions using this type of address, similar to the linkability seen in bitcoin transactions.
But what happens when shielded addresses are sprinkled into the mix? Thankfully, shielded addresses in Zcash indeed break linkability when used properly.
Source: Electric Coin Company blogs
Shielded addresses can de-link transparent addresses. In transaction series b, we use a question mark to indicate the value received by Bob’s shielded address even though it seems exactly 14.9999 ZEC would have been received. This is because it’s possible that an additional shielded input and/or output was included in the transfer but we would not be able to see this on the blockchain.
The mere use of shielded addresses by merchants accepting ZEC payments and by your friends provides an increased level of privacy for you, too! In the above example, the transaction series where Bob uses a shielded address (b) breaks the link between Alice and Carol. To help understand these properties, we created the following transactions which mimic the examples above: Alice sends 15 ZEC (minus fee) to transparent Bob and transparent Bob sends 10 ZEC to Carol compared with Alice sends 15 ZEC (minus fee) to shielded Bob and shielded Bob sends 10 ZEC to Carol.
So even if you or your friends must use transparent addresses for one reason or another, others using shielded addresses (whether they mean to or not) break down the direct linkability that would otherwise exist with exclusively transparent addresses.
The above method where Bob de-links Alice and Carol simply by using a shielded address isn’t 100% reliable for every situation, however.
To explain why, let’s first highlight a property of transactions which include both address types: when transparent addresses shield ZEC (t → z) or when shielded addresses deshield ZEC (z → t), the values sent to or received from transparent addresses are public even though those values are masked in the shielded address part of the transaction. We can observe this property in the transaction series above where Bob uses a shielded address but the transparent addresses used by Alice and Carol still reveal the value sent and received.
Source: Electric Coin Company blogs
A shielded address might not protect against value linkability in some cases
Now, let’s consider the condition where Bob sends the full balance received from Alice to Carol and therefore has no change output. If Alice’s public output X and Carol’s public input Y are equal (or X equals Y minus two standard transaction fees) and that value is unique enough to other public values stored in the Zcash blockchain, there is a degree of association between Alice and Carol. You can see this example in the following transactions: Alice sends 15 ZEC (minus .0001 ZEC fee) to shielded Bob and shielded Bob sends 14.9999 ZEC (minus .0001 ZEC fee) to Carol.
Further, this association increases the closer in block time Alice’s public output and Carol’s public input are recorded. For example, in the above transactions, Alice sends ZEC to Bob in block number 50374 and Bob sends ZEC to Carol in block number 50378. This makes it easier to link the values than if Bob instead transacted with Carol in block number 111583.
To mitigate this, Bob should be aware when deshielding a value equal to one recently received from a transparent address. Zcash wallets might even consider implementing a feature to allow automatic detection of the potential of linking past and future transactions when deshielding ZEC.
This value linkability is much more likely in situations where users are sending between their addresses rather than between different users. In the example used, Alice and Bob might be the same person sending between their own transparent and shielded addresses.
Unique Transaction Fees
Another linking possibility regards the use of transaction fees. Most wallets use a standard fee to pay miners (.0001 ZEC). While this doesn’t reveal much to the public if a standard fee value is used, addresses that consistently pay unique fees could be linked.
The solution here is to simply use standard transaction fees!
Reducing Linkability By Reducing Complexity
While the advantages of supplying both transparent and shielded addresses to users allow for more options, no doubt sending ZEC between them introduces complexities that affect an individual’s financial privacy.
While shielded addresses offer the privacy features which distinguish Zcash from purely public blockchain networks, the transparent addresses provide (at least for now) a relief in resource requirements along with familiar functionality to previously launched cryptocurrencies.
The most concrete solution to avoiding transaction linkability is simply using and requesting others to use shielded addresses, which in turn strengthens the community’s overall privacy. The Zcash core development team has priorities to support growth in shielded address use and call on third-party services to consider ways that make shielded addresses easier to use as well.
Why use ZEC?
While the launch of Bitcoin led to the creation of other use cases of blockchain technology, the idea of creating a privacy coin like Zcash allowed users to make payments without disclosing their identity or transaction history to the rest of the world.
Major financial institutions, like JP Morgan, have also incorporated Zcash’s tech into various blockchain software, the idea being it could allow them to remain compliant with business requirements and regulations when using blockchains.
The idea of Zero-Knowledge Proofs could further help create new applications for businesses that want to keep their actions hidden from their competitors.
But Zcash is not alone in the race, there are other privacy tokens like Monero and Dash that exist in the market and are quite popular.