What is Zcash? A Comprehensive Guide
What is Zcash? A Comprehensive Guide. As cryptocurrencies gain wider acceptance and the world gets more decentralized, an individual’s privacy gets heavily compromised. That happens mainly because of the way most cryptocurrencies are designed in the first place.
The thing is, the blockchain acts like an open ledger. Each and every transaction that a user has conducted can be tracked in it. While this does solve the purpose of reducing corruption and malicious practices, it completely compromises once privacy.
Is it necessary for someone to show each and every part of their life to the entire world? Is it wrong for someone to ask for a little bit of privacy?
To answer these questions, many coins have come up which offer their users complete privacy. The flag bearers of the privacy coin genre are: ZCash, Monero, and Dash.
In this guide, we are going to be covering Zcash.
Zcash is a decentralized peer-to-peer cryptocurrency. It was created as a fork of Bitcoin and quite like bitcoin it also has a hard limit of 21 million coins. But that is where the comparison ends. Unlike bitcoin, Zcash offers complete and total privacy for their users through the use of some ingenious cryptography.
So, let’s take a look under the hood and see what goes on behind the scenes.
The Origins of ZCash
As we have mentioned before. Zcash started as a fork of the bitcoin blockchain on October 28, 2016. Earlier it was called the Zerocoin protocol before it was transformed into the Zerocash system and then finally, Zcash.
As the Zcash Wikipedia page states: “Development of protocol improvements and the reference implementation is led by the Zerocoin Electric Coin Company, colloquially referred to as Zcash Company.”
The Founder, CEO, and the driving force behind Zcash is Zooko Wilcox.
Image Credit: Z.Cash
How Does Zcash Work?
“Zcash is another blockchain and cryptographic money which permits private exchanges (and by and large private information) in an open blockchain. This permits organizations, buyers, and new applications to control who gets the chance to see the points of interest of their exchanges, even while utilizing a worldwide, authorization less blockchain.” – Zooko Wilcox
How does a normal bitcoin transaction take place?
Suppose, Alice wants to send Bob 1 BTC, what will she do?
She will send 1 BTC to Bob’s public address. The miners then put the transaction details within their blocks and the transaction is deemed complete.
So, how are ZCash transactions different from the normal bitcoin ones?
First, let’s look at a pictorial representation of a Zcash transaction:
Image Credit: Fossbytes
What does that image tell us?
In Zcash, you have a choice to choose between two kinds of transactions.
You can either do the normal transparent transaction OR you can do the shielded private transaction.
Suppose Alice wants to send 1 Zec to Bob. (Zec = Zcash).
If Bob is ok with keeping the transaction transparent and open for the world to see, then she can send him the Zec to his transparent address or t-addr.
However, if he wants some privacy and does not want the transaction details to be open to public, he can simply have the money sent to his shielded address also called “z-addr”.
If both Alice and Bob use their shielded addresses to interact with each other, then all the details of the transaction would be private. This includes Alice’s identity, Bob’s identity and the details of the transaction itself.
Image Credit: Z.Cash
The reason why Z-Cash achieves such a high level of privacy is that of the utilization of zk-SNARKS or Zero-Knowledge Succinct Non-Interactive Arguments of Knowledge.
Before we proceed, it is critical that we understand what Zero-knowledge proofs and zk-Snarks are.
What are Zero-Knowledge Proofs?
Zero Knowledge proofs came about in 1980’s thanks to the work of MIT researchers Shafi Goldwasser, Silvio Micali and Charles Rackoff. They were working on problems related to interactive proof systems, where a Prover exchanges messages with a Verifier (more on provers and verifiers later) to convince them that they have a knowledge of a certain proof without declaring what that knowledge is.
Before they made their landmark discovery, most proof systems were based on the “soundness” properties of the proof system. It was always assumed that the “prover” could be the malicious one in any scenario wherein they will try to fool the verifier. These 3 researchers flipped the idea on its head by questioning the morality of the verifier instead of the prover. The question they asked was, how can anyone know for sure that the verifier won’t leak the knowledge and there were also concerns raised as to the amount of knowledge about the prover that the verifier will get to know during the process of verification.
There are various real-world consequences of this conundrum and one of the most famous ones have to do with password protection. Suppose you want to login to a website using a password. The standard protocol is that the client (you) will write in their password and send it to the server, the server will then hash the password and equate it to the hash that they have stored in their system. If the values match up, then you can enter the system.
You can see the huge flaw in this system right? The server has the plaintext version of your password, and your privacy is at the mercy of the server (the verifier in this scenario). If the server gets compromised or attacked, then your password will be with the malicious party and the consequences could be dire. In order to counter these scenarios, zero knowledge proofs are absolutely essential and path breaking in every sense.
There are two parties when it comes to a zero knowledge proof (as stated above), the prover and the verifier. Zero knowledge states that a prover can prove to the verifier that they posses a certain knowledge without telling them what that knowledge actually is
Properties Of A Zero Knowledge Proof
For a ZKP to work it needs to satisfy certain parameters:
- Completeness: If the statement is true then an honest verifier can be convinced of it by an honest prover.
- Soundness: If the prover is dishonest, they can’t convince the verifier of the soundness of the statement by lying.
- Zero-Knowledge: If the statement is true, the verifier will have no idea what the statement actually is.
So now that we have a basic idea of what a zero-knowledge proof is, let’s checkout some examples of it before we dive deep into zk-snarks and its application in the blockchain.
Case #1 Alibaba’s Cave
In this example, the prover (P) is saying to the verifier(V) that they know the password of the secret door at the back of the cave and they want to prove it to the verifier without actually telling them the password. So this is what it looks like:
Image Credit: Scott Twombly (YouTube channel)
The Prover goes down any of the paths A and B, suppose they initially decide to go through path A and reach the secret door at the back. When they do so, the verifier V comes in at the entrance, with no knowledge of which path the prover actually took and declares that they want to see the prover appear from path B.
In the diagram, as you can see, the prover does indeed appear in path B. But what if this was dumb luck? What if the prover didn’t know the passcode, and took the path B, was stuck at the door and by sheer fortune, the verifier told him to appear from path B, the one they were originally on anyway?
So, to test the validity, the experiment is done multiple times. If the prover can appear at the correct path every single time, it proves to the verifier that the prover indeed knows the password even though the verifier doesn’t know what the password actually is.
Let’s see how the three properties of zero knowledge are satisfied in this example:
- Completeness: Since the statement was true, the honest prover convinced the honest verifier.
- Soundness: If the prover was dishonest, they couldn’t have fooled the verifier because the test was done multiple times. Eventually, the prover’s luck had to run out.
- Zero-Knowledge: The verifier never knew what the password was, but was convinced that the prover had possession of it.
Case #2 Finding Waldo
Remember finding Waldo? Of course, you do, you must have seen it somewhere, either in real life or online. For those who don’t know, Finding Waldo is a game where you have to find “Waldo” among a sea of people. It is a simple “Spot the guy” game. Just to give you a basic idea, this is what the game looks like:
Image Credit: Youtube (IntoConnection)
And the idea is to find Waldo who looks like this:
Image Credit: Pinterest
Seems pretty straightforward right? Find this guy among the sea of other people that you see in the game. Ok, so where does the concept of Zero Knowledge come in here? Imagine there are two people Anna and Carl. Anna tells Carl that she knows where Wally is but she doesn’t want to show him where exactly he is. So, how can she prove to him that she has found Wally without showing his exact position?
There was an interesting paper by Naor, Naor and Reingold which shows two Zero Knowledge solutions to this problem. There is a “Mid-Tech Solution” and a “Low-Tech Solution”. Let’s discuss both of them.
The reason why this solution is “mid-tech” is because our prover and verifier need access to a photocopy machine to make this work. So this is how it goes. First, Anna and Carl would make a photocopy of the original game. Then Anna, whilst making sure that Carl isn’t looking, will cut out Waldo from the photocopy and then destroy the leftovers. After that, she can show the Waldo cutout to Carl and prove that she did know where Waldo was after all without pinpointing his exact location to Carl.
There are problems with this solution. While it does fulfill the “Zero Knowledge” criteria, it doesn’t fulfill the “Soundness” criteria. There are many ways that Anna could have cheated here. She could have had a random Waldo cutout with her from the very beginning and could have just shown it to Carl without actually knowing where Waldo was. So what is the solution to this?
The solution to this is meticulous and careful testing. Firstly, Anna and Carl will take a photocopy of the game. Then Carl will draw a distinctive pattern at the back of the photocopy. After that, Carl will escort Anna to a room where she will be isolated and have no chance of cheating whatsoever. If Anna comes out with a cutout of Waldo, then Carl can be convinced that she actually knew where Waldo was without revealing the solution. They can repeat this experiment multiple times and Carl can compare the different cutouts of Waldo to be even further sure about the validity of Anna’s claim.
This solution required very basic equipment. The idea is simple. Get a huge cardboard, one that is twice the size of the game and cut out a small rectangle on it. Now, when carl isn’t looking, Anna can move the cardboard on the game in such a way that the rectangle is directly on top of Waldo. Now, she can tell Carl to have a look and this is what he will see:
Image Credit: Applied Kid Cryptography by Naor, Naor And Reingold
So, while Carl may get a very basic idea of where Waldo actually can be, he doesn’t know the exact location. Anna has hence proved to Carl that she knows where Waldo is without pinpointing his exact location.
How to make zero-knowledge proofs non-interactive?
With earlier zero-knowledge verification systems there was one big problem. For it to work, the prover and the verifier had to be online at the same time. In other words, the process was “interactive”. This made the entire system inefficient and almost impossible to scale up. The verifiers couldn’t possibly be online at the same time as provers all the time? There needed to be a system to make this more efficient.
In 1986, Fiat and Shamir invented the Fiat-Shamir heuristic and successfully changed the interactive zero-knowledge proof to non-interactive zero knowledge proof. This helped the entire protocol work without any interaction. The procedure behind it is very simple.
So, to give you an example, this is how zero knowledge proofs used to work before Fiat and Shamir. Let’s prove this using simple discrete logarithms.
- Anna wants to prove to Carl that she knows a value x such that y = g^x to a base g.
- Anna picks a random value v from a set of values Z, and computes t = g^v and sends t to Carl.
- Carl picks a random value c from the set Z and sends it to Anna.
- Anna computes r = v-c*x and returns r to Carl.
- Carl checks if t= g^r * y^c holds or not ( since r= v-c*x, y= g^x and by simple substitution, g^(v-c*x)* g ^ c*x = g^v = t).
- Carl doesn’t know the value of x, by merely checking if t = g^r * y^c he can verify that Anna does indeed know the value of x.
Now while the above interaction is zero-knowledge, the problem with this is that Anna and Carl need to be online and exchanging values for it to work.
How can Anna prove to Carl that she has knowledge of something without Carl being online? She can do so by using a simple cryptographic hash function, as Fiat and Shamir theorized.
Let’s look how the example above would work in a non-interactive way:
- Anna wants to prove to Carl that she knows a value x such that y = g^x to a base g.
- Anna picks a random value v from a set of values Z, and computes t = g^v.
- Anna computes c = H(g,y,t) where H() is a hash function.
- Anna computes r = v – c*x.
- Carl or anyone can then check if t = g^r * y^c.
So, as you can see, zero knowledge proofs were made non interactive. And this was what laid the foundations for Zk-Snarks.
What is the use of Zk-Snarks?
Zk-Snarks stands for “Zero-Knowledge Succinct Non-Interactive Argument of Knowledge”. Its use in modern blockchain technology is immense. To understand its application, it is important to know how a smart contract works. A smart contract is basically an escrow of funds which gets activated once a particular function is done.
Eg. Anna puts 100 ETH in a smart contract that she gets into with Carl. Carl has to do a particular task, on the completion of which, Carl will get the 100 ETH from the smart contract.
This gets complicated when then tasks that Carl has to do are multi layered and confidential. Suppose you have entered a smart contract with Anna. Now, you will only get the payment if you do A, B and C. What if you don’t want to reveal the details of A, B and C because they are confidential to your company and you don’t want any competitors to know what you have to do?
What Zk-Snarks does is that it proves that those steps have been taken in the smart contract without revealing what those steps actually are. It is very useful is protecting you and your company’s privacy. It can just reveal part of the process without showing the whole process itself and prove that you are being honest about your claims.
How does a Zk-Snark work?
A Zk-Snark consists of 3 algorithms: G, P and V.
G is a key generator takes an input “lambda” (which must be kept confidential and shouldn’t be revealed under any circumstances) and a program C. It then proceeds to generate two publicly available keys, a proving key pk, and a verification key vk. These keys are both public and available to any of the concerned parties.
P is the prover who is going to use 3 items as input. The proving key pk, the random input x, which is publicly available, and the private statement that they want to prove the knowledge of without revealing what it actually is. Let’s call that private statement “w”. The P algorithm generates a proof prf such that: prf = P(pk, x,w).
The verifier algorithm V is basically returns a boolean variable. A Boolean variable has only two choices, it can be TRUE or it can be FALSE. So, the verifier takes in the verifying key, public input x and proof prf as input such as:
..and returns TRUE if the prover is correct and false otherwise.
Now, about the parameter lambda. The value of the “Lambda” must be kept confidential because then anyone can use it to generate fake proofs. These fake proofs will return a value of TRUE regardless of whether the prover actually has knowledge of private statement “w” or not.
Functionality of Zk-Snark
For showing the functionality of a Zk-Snark we are going to use the same example function that Christian Lundkvist used in his article for Consensys. This is what the example program looks like:
function C(x, w)
return ( sha256(w) == x );
Basically, the function C takes in 2 values as input, a public hash value “x” and the secret statement that needs to be verified “w”. If the SHA-256 hash value of w equals “x” then the function returns TRUE otherwise it returns FALSE. (SHA-256 is the hash function that is used in Bitcoin).
Let’s bring back our old friends Anna and Carl for this example. Anna being the prover and Carl the skeptic is the verifier.
The first thing that Carl, as the verifier, has to do is to generate the proving and verifying key using the generator G. For this, Carl needs to generate the random value “lambda”. As stated above however, he needs to be super careful with Lambda because he can’t let Anna know its value to stop her from creating fake proofs.
Anyway, this is what that will look like:
- G(C, lambda) = (pk , vk).
Now that the two keys are generated, Anna needs to prove the validity of the statement by generating the proof. She is going to generate the proof using the proving algorithm P. She is going to prove that she knows the secret value “w” which hashes (on parsing through SHA-256) to give the output x. So, the proving algorithm for proof generation looks like this:
- prf = P( pk, x, w).
Now that she has generated the proof “prf”, she is going to give the value to Carl who is finally going to run the verification algorithm of Zk-Snarks.
This is what that will look like:
- V( vk, x, prf).
Here, vk is the verifying key and x is the known hash value and prf is the proof that he has gotten from Anna. If this algorithm returns TRUE then this is means that Anna was honest and she indeed had the secret value “w”. If it returns FALSE then this means that Anna was lying about knowing what “w” is.
How Is Z-Cash Mined?
Block mining in Zcash is done via the equihash.
Equihash is a Proof-of-Work algorithm devised by Alex Biryukov and Dmitry Khovratovich. It is based on Generalized Birthday Problem.
A big reason why equihash is being used is to make mining as ASIC unfriendly as possible. The problem with currencies like Bitcoin is that most of the mining pools monopolize the mining game by investing a lot of money on ASICs to mine as much bitcoin as possible.
Making your mining ASIC unfriendly means that mining will be more democratic and less centralized.
This is what the Zcash blog had to say about Equihash:
“We also think it is unlikely that there will be any major optimizations of Equihash which would give the miners who know the optimization an advantage. This is because the Generalized Birthday Problem has been widely studied by computer scientists and cryptographers, and Equihash is close to the Generalized Birthday Problem. That is: it looks like a successful optimization of Equihash would be likely also an optimization of the Generalized Birthday Problem.”
So we have heard about this “birthday problem” quite a bit now, what is it? What is the birthday problem or the birthday paradox?
If you meet any random stranger out on the streets the chances are very low for both of you to have the same birthday. In fact, assuming that all days of the year have the same likelihood of having a birthday, the chances of another person sharing your birthday is 1/365 which is a 0.27%.
In other words, it is really low.
However, having said that, if you gather up 20-30 people in one room, the odds of two people sharing the exact same birthday rises up astronomically. In fact, there is a 50-50 chance for 2 people of sharing the same birthday in this scenario!
Why does that happen? It is because of a simple rule in probability which goes as follows. Suppose you have N different possibilities of an event happening, then you need square root of N random items for them to have a 50% chance of a collision.
So applying this theory for birthdays, you have 365 different possibilities of birthdays, so you just need Sqrt(365), which is ~23~, randomly chosen people for 50% chance of two people sharing birthdays.
Zcash Coin Distribution
Since Zcash is a fork of Bitcoin there are some similarities.
Zcash also has a 21 million coins maximum supply and they are all expected to be mined by 2032. Every four years, the block reward gets halved to keep the supply in check.
Unlike most of the other coins though, Zcash wasn’t pre-mined and nor is it ICO funded.
Zcash had a group of closed investors who funded then with $1 million to kickstart their development. The investors were then promised with a 10% reward of the total supply in an incremental way over the first 4-year period. This reward is called “Founder’s Reward”.
Some of these closed investors were notable names such as Barry Silbert, Erik Voorhes, Roger Ver, and Naval Ravikant.
Is Zcash Regulation Difficult?
Zcash regulation is obviously difficult because of the added security measures, however, there is a way for law enforcement to check the regulation as and when required. This is done via two methods:
- View Key.
Every user in Zcash has their own “View Key”.
When needed, the user can share their view key with someone else. The view key then, in essence, unshields all hidden transactions. With the view key, anyone will be able to see that particular person’s transactions and the address of the recipient.
Zcash transactions also come with a memo field.
The memo field can carry additional information which is viewable only to the recipient.
According to Zooko Wilcox: “This memo could carry data between financial institutions wherever they are required by law to send that data along.”
The Zcash Counterfeiting Problem
Zcash was facing pretty serious counterfeiting problem which was a direct offshoot of their zk-snark programming.
In Zcash 1.0, the private transactions rely on SNARK public parameters for the creation and verification of zero-knowledge proofs. Generating these SNARK public parameters requires the creation of a public/private key pair and then destroying the private key and keeping the public key.
However, this is where things get tricky.
If someone gets hold of that private key, then they can create counterfeit coins!
This usually isn’t a problem in an open ledger like bitcoin where all the transactions are open for the world to see. However, in Zcash, the privacy stops anyone from checking the state of the coins.
This how Zooko Wilcox describes the private key or, as he likes to call it, “toxic waste” problem:
“We call the private key “the toxic waste”, and our protocol is designed to ensure that the toxic waste never comes into existence at all. Imagine having a bunch of different chemical byproducts in your factory, each of which is individually harmless, but if you let all of them mix together they will form a dangerous substance that’s difficult to manage safely. Our approach is to keep the individually-harmless chemicals separate until they are destroyed, so the toxic waste never comes into existence at all.”
So, in order to reduce the chance of an attacker to get their hand on the “toxic waste”, an elaborate ceremony was conducted.
The ceremony is beautifully documented in the Radiolab podcast and you can give it a listen here.
The ceremony’s purpose was as follows:
Create a secure multiparty computation in which multiple people each generate a “shard” of the public/private key pair.
Once that is created, each member destroys their shard of the private key and then come together to join the public key shards to create the public key.
So basically, if only one participant destroys their private key shard then it is impossible to recreate. The experiment fails only if all of the participants have been dishonest.
You should read Morgan Peck’s first-hand account of the ceremony. The sheer lengths to which these people went to conduct it is extremely commendable.
This is Zooko Wilcox’s statement on the bottom-line of the ceremony:
“We have performed a remarkable feat of cryptographic and infosec engineering in order to generate SNARK public parameters for Zcash 1.0 “Sprout”. The general design of this Ceremony was based on Multi-Party Computation, air-gaps, and indelible evidence trails. Six different people each took one part of the Ceremony. The Multi-Party Computation ensures that even if all five of the others were compromised, or were secretly colluding, to try to reconstruct the toxic waste, one single Witness behaving honestly and deleting their shard of the toxic waste would prevent it from ever being reconstructable. Despite the remarkable strength of this Ceremony, I intend to advocate for a major upgrade to the Zcash protocol next year which will add a layer of detection in addition to the current layer of prevention.”
Ethereum + Zcash = <3 ?
Image Courtesy: Zcash
Zcash is a cryptocurrency launched by Zerocoin Electic Coin Company on 9th September 2016 and is the first example a cryptocurrency marrying the concepts of blockchain technology with Zk-Snarks. It aims to provide completely safe and shielded transaction spaces for its users without revealing details (such as their addresses) to anyone.
Ethereum wants to integrate Zk-Snarks as it enters its Metropolis phase and the way that they are planning to do so is by creating an alliance with Zcash which will include a mutual exchange of value. The chief developer of Zcash, Zooko Wilcox, gave a presentation in DevCon2 in Shanghai which explored the future of such an alliance. According to him, there are 3 ways that Z-Cash and by extension, zk-snarks could be integrated with Ethereum.
The first method is called Baby Zoe (Zoe = Zcash on Ethereum). It adds a zk-snark pre-compiler on Ethereum and makes a mini Zcash smart contract on Ethereum. The idea is to see whether the Ethereum system can create a zk-snark enabled DAPP on top of its blockchain.
The Second method is to integrate the Ethereum computability inside the Zcash blockchain. As Wilcox puts is, the greatest asset of Ethereum is its computability and people want to see whether they can integrate it on a zk-snark based blockchain like Zcash. Can people create DAPPS on a blockchain made on zero knowledge proofs? That is something that they are waiting to see.
The third and the most exciting aspect is Project Alchemy. This is basically the connection and interoperation of the two blockchains such that one can seamlessly move between the two. The way that Zcash plans to do that is by cloning the BTC Relay. It is an Ethereum script which was written to create a Bitcoin light client inside Ethereum. The Zcash clone will use the same concept to create a Zcash light client inside Ethereum.
If this works then we will have the first, decentralized currency system in the world which facilitates the creation of DAPPS with zero knowledge ingrained in it.
Zcash is definitely one of the hottest and the most exciting coins out there right now. It has been performing pretty well since its inception.
Image Credit: CoinMarketCap
As of writing, the Zcash market cap stands at $1,734,866,483.
The cost of 1 Zec stands at $559.80.
It is pretty evident to see why people value the privacy provided by Zcash in an increasingly transparent world.
In fact, Edward Snowden himself has given his seal of approval to Zcash: