Zcash relies on zk-SNARKs (zero-knowledge Succinct Non-interactive Argument of Knowledge), a type of non-interactive zero-knowledge proof, to prove to viewers that a commitment for a transaction on the Zcash blockchain has been satisfied, without revealing the commitment’s details. This technology, combined with technical extensions to the original Bitcoin protocol, allows a Zcash user to obscure the sender, recipient, and value of a transaction. The only information visible is a proof that a valid transaction took place. A summary of zk-SNARKs’ uses can be found here. Notably, the privacy features are optional, in contrast to Monero’s default privacy features. Like many early altcoins, Zcash is a code fork of Bitcoin but did not inherit prior Bitcoin balances at the time of fork. Zcash uses a 1.25 minute target block time (as of the December 2019 Blossom network upgrade), a max block size of 2MB, and a halving interval of four years.
Zcash is an implementation of zerocash, an extension to Bitcoin invented in 2014, and is designed to provide anonymous transactions by minting Bitcoin, or non-anonymous basecoins whose blockchain the Zerocash protocol is implemented besides, into anonymous Zerocash coins. Zerocash was an improvement over the prior zerocoin protocol meant to improve Bitcoin by allowing “users to mix their own coin”, essentially by using cryptography to conceal which outputs are linked to which inputs. Zcash supports both ‘transparent’ transfers of value, which function similarly to Bitcoin transactions, and ‘shielded’ transfers of value, which utilize zk-SNARKs to provide privacy features. Transparent addresses begin with ‘t’ and shielded addresses begin with ‘z’, though it is possible to send transactions between different address types.
Zcash privacy protections depend on the number of shielded transactions, as this determines the ‘anonymity set’ that obscures any individual transaction; throughout Zcash’s history, the overwhelming majority of transactions have not been shielded and have offered no protections beyond those on the Bitcoin network. Partially in response, the Sapling network upgrade in October 2018 improved shielded transactions’ efficiency by significantly reducing the proving time (transaction construction time) of Zcash’s zk-SNARKS and the memory required for constructing these transactions. Multi-signature transactions can also be used with transparent transactions.
Zcash transactions can contain regular inputs, outputs, and scripts to perform transparent transfer of value like in Bitcoin. This regular transaction would remain pseudonymous like in Bitcoin - the amount, sender and recipient of the transaction is visible. However, Zcash transactions can also be made to be protected, meaning that the amount, sender and recipient are hidden. Protected transactions contain what are called in the Zcash documentation JoinSplit descriptions, which describe JoinSplit transfers (similar to “Mint” and “Pour” transactions in Zerocash) which take as input a value and up to two notes, and from this produce a second value and up to two output notes.
Notes (called coins in Zerocash) are objects which specify two values: an amount and a paying key. Paying keys are components of payment addresses which are used to receive notes, generated from a spending key component (think public addresses and private keys in Bitcoin). There are also note commitments and nullifiers (known as serial numbers in Zerocash) cryptographically associated with each note. The nullifier is computed from the note’s spending key and is connected to the note commitment, though it is essentially impossible to correlate the note commitment with its corresponding nullifier without knowledge of the spending key (the private component of the paying key). In transactions, output nullifiers are concealed from anyone without the viewing key, discussed more below.
Input note nullifiers are “spent”, and therefore revealed to prevent double-spending, essentially “nullifying” the values of the transaction. This is because users are not allowed to use two same nullifier values twice on the chain without invalidating the block that tried to double spend. However, output notes are concealed until someone can prove ownership of the spending key and move those coins, in which they will create a new transaction, revealing the previously concealed nullifiers as inputs to prove the coins as spent.
Zcash transactions also include JoinSplit statements containing a zk-SNARK, which is the fundamental technology for Zcash’s anonymity. Zero-knowledge proofs are methods by which a party may prove the validity of an assertion without sharing any other details. A very simplified way to think of it is a system designed in such a way that when you observe the SNARK signature it will prove to you that said function evaluates true, even if you don’t necessarily know the input or other details. zk-SNARKs are part of the wider family of zero-knowledge proofs and have found increasing usage across blockchain projects. Zcash’s specific SNARK implementation is optimized for efficiency and performance, for which it is superior to the other major privacy-focused cryptocurrency, Monero. However, unlike Monero, Zcash’s privacy relies on a trusted setup, with the result that it does not have the same decentralization and security guarantees. However, the Electric Coin Company, the entity responsible for Zcash research and development, recently published a potential upgrade, called Halo that would overhaul the project’s SNARK implementation and which offers a more scalable and fully transparent (no trusted setup) zero-knowledge proof. Halo is currently under review with the intention of implementing it into Zcash in a future upgrade.
The SNARKs within JoinSplit descriptions provide zero-knowledge proof that the spender had knowledge of the input notes private spending keys without divulging them, that the entire transaction is signed in a way that it cannot be modified without knowing the private spending keys from the input notes and that the output notes are created in a way that collisions with other nullifiers will be impossible. This proves to outside observers who are not permissioned to see details of a transaction that this block is valid and all the details are correct. It proves that a commitment for another spend somewhere has now been satisfied; the observer just has no idea which one.
Finally, the other component of paying addresses (think Bitcoin public address) is the transmission key, whose corresponding private key is known as the viewing key. These keys are used “for a key-private asymmetric encryption scheme,” which essentially creates ciphertexts so that only those with the private key, also known as the viewing key, can know that that ciphertext was encrypted with the transmission key. This is how output notes are encrypted and kept private between users on a public blockchain. Users use their viewing key to scan for notes on the blockchain that were encrypted with their corresponding transmission key, and then decrypt them to receive their coins (equivalent to the information they need to know to create a valid spend and move those received coins).
Through zero-knowledge proofs, Zcash manages to provide evidence of the ownership of coins without being able to directly connect two transactions. When creating transactions, the spender proves through zk-SNARK’s that commitments have been validated without revealing which inputs granted the spender those coins. For attackers to establish a correlation between two transactions, they are faced with the possibility of said transaction to be any of all transactions on the blockchain that they are not directly in control of or have participated in.
For more technical insight and developer material, see the Zcash whitepaper.
Zcash uses the Equihash algorithm, developed by Alex Biryukov and Dmitry Khovratovich, that is memory intensive and supports efficient verification. Memory intensive algorithms require storing a large amount of data simultaneously as potential solutions are attempted, but can be easily verified once generated. Since Equihash is memory intensive, mining power is a function of how much RAM the machine has. Such rapid verification times are highlighted in Zash’s case in order to support the development of light clients requiring minimal hardware. Early in Zcash’s protocol development, Equihash was thought to be ASIC-resistant because of its memory-hardness, and hobbyist mining was prevalent. However, in 2018 Bitmain introduced the Antminer Z9 ASIC, which led to a significant rise in hash rate. In response, the Zcash Foundation has prioritized research into ASIC-resistance but has not taken a technical position. As of late 2019, there are multiple ASIC manufacturers including Bitmain, Innosilicon, and PandaMiner; the majority of the network hash rate is controlled by a handful of pools.
Zcash uses the Equihash Proof of Work (PoW) algorithm, which allows for very efficient memory-oriented mining optimized for CPU/RAM. The Zcash monetary base is the same as Bitcoin, but as of now, of the maximum 21 million ZEC currency units mined over time, 90% will be distributed to miners and 10% will be distributed as a Founder’s Reward over the first four years to a combination of investors, founders, and the ZCash Company, which oversees primary development of the protocol. Early investors in ZCash include Pantera Capital, Digital Currency Group, Fenbushi Capital, and Naval Ravikant among others, who purchased 131,250 ZEC for $2 million. After four years, the reward per block halves, and all of the block rewards accrue to miners. Zcash’s Founder’s Reward design is an early attempt with the cryptoasset space to align stakeholders and motivate, in particular, the core developers to continue work on the protocol through the Zcash Company. With the founder’s reward due to expire in late 2020, the community is discussing potential alternative funding mechanisms that may be formalized in a network upgrade in 2020. The network was launched in October 2016 with a trusted setup process, where the Zcash founder Zooko Wilcox and early cryptocurrency adopters such as Coin Center’s Peter Van Valkenburgh and Bitcoin developer Peter Todd participated in a transparent process to generate the cryptographic keys necessary for launching the network.