Launched in October 2016 by Electric Coin Company (ECC), Zcash is the privacy-preserving protocol that pioneered the use of zk-SNARKs (zero-knowledge succinct non-interactive arguments of knowledge) in a cryptocurrency. This technology gives users the option to fully shield their transactions and remain completely anonymous. Developed in response to the limited privacy of Bitcoin, Zcash seeks to provide the strongest possible protection for its users.
Zcash was initially devised as a privacy extension for Bitcoin, but the design was considered too computationally heavy and experimental to adopt there. Because it was built from Bitcoin’s codebase, it shares a number of structural similarities with Bitcoin. Like BTC, Zcash’s native token ZEC is capped at 21 million coins, with new coins minted through mining.
Since its 2016 launch, the protocol has undergone a number of upgrades, with an exciting new upgrade called Halo Arc arriving shortly. First, let’s have a closer look at the revolutionary zk-SNARKs and how they work.
What Are zk-SNARKs?
To really understand how Zcash works, you need to know what zk-SNARKs are. Zk-SNARKs are built on ‘zero-knowledge proofs,’ a concept that predates Bitcoin. A zero-knowledge proof lets one party (the prover) convince another (the verifier) that it knows a specific piece of information without revealing what that information is, and without the two having to go back and forth.
Zk-SNARKs are also ‘succinct,’ meaning that proofs are only a few hundred bytes long and can be verified almost instantly. And they are ‘non-interactive’: the prover sends the verifier a single message, so only one interaction is required.
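To make the two properties above concrete, here is an added example (not code from Zcash or from this article): a Schnorr proof of knowledge of a discrete logarithm, turned non-interactive with the Fiat–Shamir transform. It is not a zk-SNARK, but it shows the same ideas in a few lines: the prover demonstrates knowledge of a secret x without sending it, the whole proof is one short message, and a verifier could have forged an interactive transcript itself, which is why seeing a real one teaches it nothing. The group parameters are constructed toy values chosen so the code runs instantly; a real deployment would use a ~256-bit group.

```python
import hashlib
import secrets

# Constructed toy group: p = 2q + 1 with both prime, and g = 4 generates the
# subgroup of prime order q. Sizes are for illustration only; a real deployment
# would use a ~256-bit group (or an elliptic curve) instead.
P = 2039
Q = 1019
G = 4


def keygen():
    """Prover's secret x and the public value y = g^x mod p.
    The prover will show it knows x without ever sending x."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def challenge(y, t):
    """Fiat-Shamir transform: the verifier's random challenge is replaced by a
    hash of the transcript, which is what makes the proof non-interactive."""
    data = f"{G}|{P}|{Q}|{y}|{t}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def prove(x, y):
    """Produce a single-message proof (t, s) of knowledge of x for y = g^x."""
    r = secrets.randbelow(Q - 1) + 1      # fresh randomness hides x inside s
    t = pow(G, r, P)                      # commitment to r
    c = challenge(y, t)
    s = (r + c * x) % Q                   # response
    return t, s


def verify(y, proof):
    """Check g^s == t * y^c mod p, recomputing c from the transcript."""
    t, s = proof
    c = challenge(y, t)
    return pow(G, s, P) == (t * pow(y, c, P)) % P


def simulate(y):
    """Forge an accepting *interactive* transcript (t, c, s) without knowing x,
    by choosing c and s first and solving for t. Since a verifier could make
    such transcripts on its own, a genuine transcript leaks nothing about x:
    this is the zero-knowledge property. (Fiat-Shamir blocks this forgery for
    the non-interactive proof, because there c is fixed by a hash of t.)"""
    c = secrets.randbelow(Q)
    s = secrets.randbelow(Q)
    t = (pow(G, s, P) * pow(y, (Q - c) % Q, P)) % P   # y^(-c) == y^(q-c)
    return t, c, s


def verify_interactive(y, t, c, s):
    """Verification equation shared by the interactive and NIZK variants."""
    return pow(G, s, P) == (t * pow(y, c, P)) % P


if __name__ == "__main__":
    x, y = keygen()
    proof = prove(x, y)
    print("proof accepted:", verify(y, proof))
    t, c, s = simulate(y)
    print("simulated transcript accepted:", verify_interactive(y, t, c, s))
```

The proof is the pair (t, s): two numbers, independent of how hard x was to find, which is the flavour of ‘succinct’. Note that soundness of the non-interactive version rests on the hash acting as an unpredictable challenge; if a prover could pick c before t, the simulator trick would let it forge proofs, which is exactly the kind of trapdoor the Zcash setup ceremony has to guard against.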
How Do They Work?
For Zcash’s zk-SNARKs to work, a set of system parameters must first be generated in an initial setup phase by trusted parties. These parameters are built into the protocol and are integral to its operation.
Cryptocurrencies operate using public key cryptography (PKC), an asymmetric encryption mechanism that generates a public key and a private key. The public key functions as an address, which is shared in order to encrypt and receive transactions. A private key is kept secret (do not share your private key with anyone!), and is used to decrypt the transaction. This arrangement between public and private keys makes it virtually impossible to figure out the private key by using the public key.
Zcash departs from this standard use of PKC by generating a public/private key pair purely to set up the SNARK system parameters, then destroying the private key. This is done to prevent the counterfeiting that would become possible if a bad actor had access to the secret randomness used to produce the parameters.
Multi-Party Computation A.K.A. The Ceremony
Zcash refers to this private key as “toxic waste,” a byproduct of generating the public parameters. The Zcash team devised a solution, known as the Multi-Party Computation (MPC) Protocol, to guarantee that the private key is properly disposed of.
Informally (and infamously) known as the Ceremony, the first MPC protocol allowed a distributed group of participants to generate the parameters for Zcash 1.0 (called Sprout). It was made up of six trusted parties (called Witnesses); each created a public key shard with a corresponding private key shard. The public key shards were combined to produce the parameters, while the private key shards were destroyed in a number of creative ways.
In this system, as long as at least one witness genuinely destroys their private key shard, the full “toxic waste” can never be reassembled. The process was further secured by other defensive measures, such as air-gapped machines: brand-new computers, called ‘Compute Nodes,’ fully disconnected from any kind of network.
We should note that the Sprout MPC ultimately hinged on the integrity of those six witnesses, which raised questions about centralization. The second ceremony, the Sapling MPC of 2017-18, addressed this by accepting a total of 177 participants, who conducted the ceremony in two phases.
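The following is an added toy model of the shard idea described above, written for this article and not taken from Zcash’s actual ceremony software (which works over pairing-friendly elliptic curves and a far richer parameter set). Each witness publishes a public shard g^s and is supposed to destroy the private shard s; the combined parameter is the product of the public shards, so its secret exponent is the sum of all private shards. The point the code makes is the one the text relies on: an attacker needs every single private shard to recover the toxic waste, so one honest witness is enough. The group constants are constructed toy values.

```python
import secrets

# Constructed toy group, p = 2q + 1 with both prime; g = 4 generates the
# order-q subgroup. Zcash's ceremonies used pairing-friendly elliptic curves,
# but the "combine public shards, destroy private shards" logic is the same.
P = 2039
Q = 1019
G = 4


def make_shard():
    """One witness: a private shard s and the public shard g^s that gets published."""
    s = secrets.randbelow(Q - 1) + 1
    return s, pow(G, s, P)


def combine_public_shards(public_shards):
    """The public parameter is the product of all public shards, i.e. g^(s_1+...+s_n).
    The exponent s_1+...+s_n is the 'toxic waste': nobody should ever learn it."""
    param = 1
    for ps in public_shards:
        param = (param * ps) % P
    return param


def run_ceremony(num_witnesses, dishonest):
    """Every witness publishes a public shard. Honest witnesses then destroy their
    private shard; witnesses whose index is in `dishonest` secretly keep theirs.
    Returns the combined parameter and the shards an attacker could collect."""
    public_shards, retained = [], []
    for i in range(num_witnesses):
        s, ps = make_shard()
        public_shards.append(ps)
        if i in dishonest:
            retained.append(s)
        # otherwise s simply goes out of scope here: the shard is destroyed
    return combine_public_shards(public_shards), retained


def recover_toxic_waste(param, retained_shards, num_witnesses):
    """Reconstruct the secret exponent only if *every* private shard was kept.
    With even one shard missing the sum is unknown, so nothing is recovered."""
    if len(retained_shards) < num_witnesses:
        return None
    secret = sum(retained_shards) % Q
    assert pow(G, secret, P) == param   # sanity: this exponent really opens the parameter
    return secret


if __name__ == "__main__":
    # five of six witnesses collude; the sixth destroys its shard
    param, kept = run_ceremony(6, dishonest={0, 1, 2, 3, 4})
    print("recovered with one honest witness:", recover_toxic_waste(param, kept, 6))
    param, kept = run_ceremony(6, dishonest=set(range(6)))
    print("recovered when all collude:", recover_toxic_waste(param, kept, 6) is not None)
```

This is why the Sapling ceremony’s move from six witnesses to 177 participants matters: the number of parties an attacker would have to compromise grows with every participant, while the cost of an honest participant stays the same.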
Zcash Addresses And Transaction Types
Now that we’ve covered the basics of zk-SNARKs, let’s look at when and how they are used on Zcash.
The Zcash protocol allows four different transaction types, which vary based on the sender’s and recipient’s address types. There are both shielded (private) and transparent (public) addresses; the shielded ones rely on zk-SNARK technology to operate. Shielded addresses are known as z-addresses, while transparent addresses (whose activity is recorded on the public ledger) are known as t-addresses.
The four transaction types are: private transactions, deshielding transactions, shielding transactions, and public transactions.
- Private: A transaction from z-address to z-address. Both addresses are shielded, making this the most private type.
- Deshielding: A transaction from z-address to t-address. The sender’s address is shielded while the recipient’s is recorded on the blockchain.
- Shielding: A transaction from t-address to z-address. The sender’s address is public but the recipient’s is hidden from the blockchain.
- Public: A transaction from t-address to t-address. This is the default on many Zcash wallets and works the same way as a Bitcoin transaction.
Shielded transactions use zk-SNARKs to verify that a transaction’s requirements and conditions are met, without disclosing the transaction amount or the addresses involved. Where Bitcoin and other protocols track ownership with unspent transaction outputs (UTXOs), Zcash uses ‘commitments’ and ‘nullifiers.’
A commitment is the shielded counterpart of a UTXO, while a nullifier is the value revealed when a commitment is spent. Both commitments and nullifiers are stored on chain as hashes, and both are inputs to the zero-knowledge proof. Each shielded address has a private spending key and a viewing key: the first allows the user to spend from that address, and the second to view its balance and transactions.
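To show what the commitment/nullifier split buys, here is an added, deliberately simplified model written for this article; it is not the Zcash protocol’s actual note format, hash functions or circuit. The chain stores only two things: an append-only list of commitments (standing in for Zcash’s note commitment tree) and a set of nullifiers. Creating a note publishes its commitment; spending it publishes a nullifier derived from the spending key and the note’s nonce. Since the nullifier is a different hash from the commitment, an observer cannot tell which note was spent, yet the chain can still reject a second spend of the same note because its nullifier would repeat. The checks in `spend_statement_holds` are the facts that, in Zcash, the zk-SNARK proves with the note and key as private inputs; here the wallet simply evaluates them locally. Key and value strings are constructed sample data.

```python
import hashlib
import secrets


def H(tag, *parts):
    """Domain-separated SHA-256, standing in for the PRFs and commitment
    schemes the real protocol uses."""
    h = hashlib.sha256(tag.encode())
    for p in parts:
        h.update(b"|" + str(p).encode())
    return h.hexdigest()


def derive_paying_key(spending_key):
    """Public 'paying key' a note is addressed to; only the spending key opens it."""
    return H("pk", spending_key)


class Note:
    """A shielded note: value and owner, plus the randomness that hides them."""

    def __init__(self, value, paying_key, rho=None, rcm=None):
        self.value = value
        self.paying_key = paying_key
        self.rho = rho or secrets.token_hex(16)   # unique per note; seeds the nullifier
        self.rcm = rcm or secrets.token_hex(16)   # commitment randomness

    def commitment(self):
        # Published when the note is created; reveals nothing about value or owner.
        return H("cm", self.value, self.paying_key, self.rho, self.rcm)

    def nullifier(self, spending_key):
        # Published when the note is spent; only the key holder can compute it,
        # and it cannot be linked to the commitment without the secrets.
        return H("nf", spending_key, self.rho)


def spend_statement_holds(ledger, note, spending_key, nullifier):
    """The facts a shielded spend's zk proof attests to. In Zcash these are
    checked inside the SNARK with (note, spending_key) as private witness;
    here the wallet checks them locally before publishing only `nullifier`."""
    return (
        note.commitment() in ledger.commitments
        and note.paying_key == derive_paying_key(spending_key)
        and note.nullifier(spending_key) == nullifier
    )


class ShieldedLedger:
    """What the chain actually stores: commitments (append-only) and nullifiers."""

    def __init__(self):
        self.commitments = []     # stands in for the note commitment tree
        self.nullifiers = set()

    def publish_note(self, note):
        self.commitments.append(note.commitment())

    def apply_spend(self, nullifier):
        """Accept a spend only if its nullifier has never been seen (no double spend)."""
        if nullifier in self.nullifiers:
            return False
        self.nullifiers.add(nullifier)
        return True


def wallet_spend(ledger, note, spending_key):
    """Prover side: derive the nullifier, check the statement, submit."""
    nf = note.nullifier(spending_key)
    if not spend_statement_holds(ledger, note, spending_key, nf):
        return False
    return ledger.apply_spend(nf)


def demo():
    """Constructed scenario: one note, spent once, then replayed and then
    attempted with the wrong key. Returns (first, replay, wrong_key)."""
    ledger = ShieldedLedger()
    sk = "constructed-spending-key-0001"
    note = Note(value=5, paying_key=derive_paying_key(sk))
    ledger.publish_note(note)
    first = wallet_spend(ledger, note, sk)              # True
    replay = wallet_spend(ledger, note, sk)             # False: nullifier already on chain
    wrong_key = wallet_spend(ledger, note, "wrong-key") # False: statement does not hold
    return first, replay, wrong_key


if __name__ == "__main__":
    print(demo())
```

The detection angle is worth noting: a node enforcing this rule needs nothing but the nullifier set, so double-spend rejection costs one set lookup per spend and never requires de-anonymising the note. The same structure is why nullifiers must be unique per note (the `rho` nonce) and why a note’s randomness must stay secret.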
We mentioned Zcash’s series of upgrades earlier, the first of which made significant improvements on shielded address functionality. Let’s now have a look at Zcash’s roadmap so far, as well as its upcoming upgrade, Halo Arc.
Zcash has released several upgrades over the years: Sapling (Oct. 2018), Blossom (Dec. 2019), Heartwood (July 2020), and Canopy (the current version, released Nov. 2020).
Sapling improved the performance of shielded addresses, with shorter transaction times and much lower memory requirements (40MB versus 3GB). Legacy Sprout addresses start with “zc” and have a proving time of about 40 seconds, while Sapling addresses start with “zs” and can generate proofs in only a few seconds. This was meant to encourage wider use of shielded transactions, which had previously been held back by their cost.
The next major upgrade, Blossom, sought to speed up transaction settlement by shortening block times and therefore increasing block frequency. Heartwood introduced two important ZIPs (Zcash Improvement Proposals): Flyclient (ZIP-221) and Shielded Coinbase (ZIP-213).
The fifth and current upgrade, Canopy, occurred alongside the first halving and set out new mining tokenomics for the protocol. In this configuration, 80% of the block reward goes to miners, with the remaining 20% split between Electric Coin Company (7%), the Zcash Foundation (5%), and the new Major Grants Fund (8%).
Halo Arc Upgrade
Set to launch at the start of October 2021, Halo Arc will introduce a handful of significant upgrades, including the rollout of Network Upgrade 5 (NU5). NU5 will include ECC engineer Sean Bowe’s much-anticipated ‘trustless recursive’ proof system, which lets the protocol do away with the costly trusted setups that previous upgrades required. Halo is ‘recursive’ because a single mathematical proof can attest to the validity of the entire blockchain to date.
Another key facet of Halo Arc is the adoption of Unified Addresses, which will enable the use of a single Zcash address to accommodate both shielded and transparent transaction types. This new address standard will streamline interaction between receivers and senders, while laying the groundwork for future features like cross-chain interoperability and layer-2 solutions.
NU5-compatible wallet SDKs will support two new features, namely auto-shielding and auto-migration. The first will allow user wallets to receive funds to shielded addresses by default. The second enables wallets to move funds to the most modern shielded pool that the wallet supports, which also helps deprecate (inhibit the use of) older pools. Time between transactions will also be slashed, allowing users to send transactions quickly in succession.
Zcash is a leader in its field, with privacy-preserving features that have truly set the standard across the market. The advances being made with zero-knowledge proofs also have implications beyond the crypto industry, in any domain that wrestles with security and privacy. This is especially relevant in today’s Internet age, and explains the hype behind Halo Arc’s imminent release.
There has also been some buzz around Zcash’s potential move to a Proof-of-Stake (PoS) system. Zcash founder Zooko Wilcox recently delineated in a blog post several reasons for supporting this move. These include the advantages of staking, as it would allow validators to become long-term investors in ZEC and increase ZEC utility. He also makes a note of PoS sustainability, improved security at a lower cost, and greater decentralization. But, of course, this will be fully up to the Zcash community.