Battle of the Privacycoins: Zcash Is Groundbreaking (If You Trust It)
Based on blockchain technology, most cryptocurrencies have an open and public ledger of transactions. While this is required for these systems to work, it comes with a significant downside: privacy is often quite limited. Analytics companies and other interested parties — let’s call them “spies” — have ways to analyze the public blockchains and peer-to-peer networks of cryptocurrencies like Bitcoin, to cluster addresses and tie them to IP addresses or other identifying information.
Still, unsatisfied with Bitcoin’s privacy potential, several cryptocurrency projects have launched over the years with the specific goal of improving on Bitcoin’s privacy features. And not without success. Several of these “privacycoins” are among the most popular cryptocurrencies on the market today, with four of them taking top-50 spots in coin market capitalization rankings.
That said, Bitcoin does have some privacy features which, as this month’s cover story details, have been improving in recent months and are set to improve further in the near future. This miniseries will compare different privacycoins to the privacy offered by Bitcoin, and to the privacy offered by other privacycoins.
In part four: Zcash
The origins of Zcash (ZEC) can be traced back to Zerocoin, which was first proposed in 2013 by Johns Hopkins University professor Matthew D. Green and his graduate students Ian Miers and Christina Garman. Zerocoin was designed as a privacy-enhancing protocol extension for Bitcoin to let users “burn” coins and bring an equal amount back into circulation later. Although transaction amounts could be a giveaway, there’d be no way to link the “new” coins to the burned coins otherwise.
Later that same year, Green announced a “new version of Zerocoin,” which would come to be called Zerocash. Zerocash was not designed as a Bitcoin protocol extension but as an entirely new protocol. It improved on Zerocoin by also hiding the amounts, while at the same time offering a big efficiency gain by decreasing the size of transactions by 98 percent.
This was possible thanks to a relatively new piece of crypto-magic known as a Zero-Knowledge Succinct Non-Interactive Argument of Knowledge, or “zk-SNARK.” In short, zk-SNARKs allow users to prove possession and validity of certain information without revealing that information to anyone and without needing to interact with anyone.
One year later, in 2014, cryptography security company Least Authority, headed by former DigiCash employee and well-known cypherpunk Zooko Wilcox-O’Hearn, spun up a sibling company: the Zerocoin Electric Coin Company (or Zcash Company). With Zooko as CEO and Green, Miers, Garman and other academics as co-founders, the Zcash Company raised funds from prominent names in the cryptocurrency and privacy space. Adding more cryptographers and engineers to the team over the following years, the Zcash company ultimately forked the Bitcoin codebase in 2016 to launch an implementation of Zerocash as a new cryptocurrency: Zcash.
While there are plans to transfer governance of Zcash to the newly established, non-profit “Zcash Foundation” at some point in the future, for now Zcash is still maintained by the for-profit Zcash Company. This company, investors in the project and the Zcash Foundation receive 20 percent of the Zcash block reward during the first four years of the coin's existence, called the “founders reward.”
Zcash currently sits in the 21st spot on altcoin market cap lists and has been hovering around there for some time. While this makes it only the third-highest ranked privacycoin by market cap, Zcash has received some notable endorsements, for example, from NSA-whistleblower Edward Snowden.
As a codebase fork of Bitcoin, Zcash works fairly similarly to Bitcoin. In Zcash, however, there are two types of addresses that do something very different. Regular addresses are called “transparent addresses” or “t-addresses” (they start with a “t”). When ZEC moves from a t-address to another t-address, it looks like a Bitcoin transaction and offers similar levels of (non-)privacy.
But there is also another type of address: “shielded addresses” or “z-addresses.” Z-addresses (really: “inputs” or “outputs”) aren’t actually visible on the blockchain: they are encrypted. Further, funds held by z-addresses are encrypted as well. The cryptographic magic of zk-SNARKs lets anyone verify that transactions with z-addresses are valid according to the Zcash protocol rules.
As such, Zcash allows for interesting types of privacy-preserving transactions. If t-addresses send money to several z-addresses, for example, it’s not revealed where the money is actually going to. At the same time, if z-addresses send money to t-addresses, it’s not revealed where the money is coming from.
But most interestingly, when only z-addresses are involved in a transaction, the whole transaction is effectively encrypted. In what is called a “shielded transaction,” where the ZEC is moving from, where it is moving to and how much is moved are all completely hidden. Except for the payer and the payee, no one learns anything apart from a minimum amount of metadata: the time of payment and the fee. (Though users do have the option to share their personal information with a “view key.”)
In effect, all this means is that when coins are sent to a z-address, they “disappear” in a pool of encryption, sometimes referred to as the “shielded pool.” Basically any and every subsequent shielded transaction could be spending (some of) the coins, and any shielded transaction after that could spend them again. Or not. The coins may also sit tight on the same address — or they could be moved back to a t-address.
When users move through the encrypted pool, Zcash offers near-perfect privacy.
Although Zcash does not offer fully perfect privacy, the weaknesses are subtle and, in some cases, temporary.
Zcash’s main weakness is probably that creating a shielded transaction is currently computationally heavy. Requiring several gigabytes of memory (RAM), it can take well over a minute to generate a shielded transaction on a good laptop, while generating a shielded transaction on a phone is practically impossible. This means that few users actually make shielded transactions which, in turn, means the anonymity set for those who do use shielded transactions is relatively small, weakening privacy overall.
That said, an upcoming Zcash protocol upgrade (hard fork) dubbed “Sapling” is set to solve the problem of heavy transactions almost entirely. Zcash researchers have found a way to cut memory usage for shielded transactions down to 40 megabytes and generation time down to a couple of seconds — still not quite as smooth and easy as creating a regular transaction, but entirely doable, even for mobile users. As such, the share of shielded transactions may increase significantly over the coming years. (Even then, however, shielded transactions won’t be mandatory like Monero’s RingCT. Therefore, similar to privacy technologies on Bitcoin, even just using shielded transactions could be considered suspect in itself.)
Another weakness is that unshielded transactions can, in some cases, leak information about shielded transactions. Specifically, if z-addresses are used as a sort of mixer, the amounts can be linked across transparent addresses. If exactly 1.65273911 ZEC move from a t-address to a z-address, and in a slightly later transaction 1.65273911 ZEC minus fees move out of a z-address to a t-address, it’s not difficult to figure out that these are probably the same coins, only “separated” by one step of encryption.
This threat is not very difficult to counter: Users just need to take care not to transact into and out of the shielded pool in equal amounts. If Zcash is used to store value and make payments instead of just for mixing purposes, this should happen naturally.
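To make the amount-linkage heuristic and its mitigation concrete, here is an added example (not from the article or from the Zcash project) that matches t-to-z deposits against later z-to-t withdrawals of the same amount minus fee over constructed sample transactions; the 0.0001 ZEC fee, block heights and transaction ids are assumed. It also shows that splitting the withdrawal into different amounts, as the article recommends, breaks the link, and that widening the search window only adds ambiguous candidates.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import List, Tuple

ZATOSHI = 100_000_000  # 1 ZEC = 10^8 zatoshi; integer math avoids float rounding


def zec(s: str) -> int:
    """Parse a decimal ZEC string into whole zatoshi."""
    return int(Decimal(s) * ZATOSHI)


@dataclass(frozen=True)
class Tx:
    txid: str
    height: int
    kind: str    # "t->z": deposit into the shielded pool, "z->t": withdrawal
    amount: int  # zatoshi visible on the transparent side of the transaction
    fee: int     # zatoshi; the fee stays public even for shielded transactions


def link_round_trips(txs: List[Tx], max_gap: int = 50) -> List[Tuple[str, str]]:
    """Pair each t->z deposit with every later z->t withdrawal (within max_gap
    blocks) whose transparent output plus its fee equals the deposited amount."""
    deposits = [t for t in txs if t.kind == "t->z"]
    withdrawals = [t for t in txs if t.kind == "z->t"]
    links = []
    for d in deposits:
        for w in withdrawals:
            in_window = d.height < w.height <= d.height + max_gap
            if in_window and w.amount + w.fee == d.amount:
                links.append((d.txid, w.txid))
    return links


# Constructed sample, not real chain data; the 0.0001 ZEC fee is an assumption.
FEE = zec("0.0001")
SAMPLE = [
    Tx("tx-a", 100, "t->z", zec("1.65273911"), FEE),        # deposit
    Tx("tx-b", 103, "z->t", zec("1.65273911") - FEE, FEE),  # same coins, one hop later
    Tx("tx-c", 110, "t->z", zec("0.5"), FEE),               # deposit that is later split
    Tx("tx-d", 115, "z->t", zec("0.2") - FEE, FEE),         # partial withdrawal, no match
    Tx("tx-e", 118, "z->t", zec("0.3") - FEE, FEE),         # remainder, no match either
    Tx("tx-g", 400, "z->t", zec("1.65273911") - FEE, FEE),  # same size, far later
]

if __name__ == "__main__":
    print(link_round_trips(SAMPLE))       # [('tx-a', 'tx-b')]
    print(link_round_trips(SAMPLE, 500))  # adds ('tx-a', 'tx-g'): wider window, more ambiguity
```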
An arguably bigger issue with Zcash is all the trust that's required to make it work. Zcash users must, to some extent, trust that the math works as advertised and trust that the people that launched the project were not compromised and did not cheat.
Cryptographers generally prefer to use cryptography that has been around for a while, allowing it to be thoroughly peer reviewed and “battle tested” in the field. Zcash, however, relies on advanced math with several new assumptions. zk-SNARKs in particular are so novel that few outside of a relatively small academic circle really understand how they work. (Zooko self-admittedly does not; nor does the author of this article.) While this does not mean that anything is wrong with Zcash’s cryptography, the newness of it all also doesn’t instill as much confidence as some would like.
This is especially risky because, in technical terms, Zcash is not “unconditionally sound.” In a worst case scenario, a weakness in the Zcash protocol could allow attackers to create money out of thin air without anyone being able to notice. (Zcoin, an implementation of the Zerocoin protocol that also lacks unconditional soundness, has already been hacked once; Monero came very close.)
Additionally, Zcash’s zk-SNARKs require a “trusted setup.” Before launch and every time the project deploys a hard fork, a secret number must be generated, a derivative of which is used in the Zcash protocol. Referred to as the Zcash Multi-Party Computation Ceremony, this number is typically created in several parts by different people (six for the first ceremony, two groups of over 80 for the second). All of them must destroy this “cryptographic toxic waste” after the ceremony without revealing it. If even one person succeeds in doing this, the ceremony should be a success. (And as part of a migration process, the former ceremony can be made obsolete by the latter over time.) But if the ceremony fails — all participants collude or someone figures out the secret otherwise — that person or group can once again create money out of thin air without anyone able to notice.
It was long believed that even if the trusted setup was compromised, Zcash privacy would still be protected. However, attesting to the newness of the cryptography, Peter Todd, a participant in and critic of the first Multi-Party Computation Ceremony, initially questioned whether this holds up if the software used in the ceremony itself is backdoored, only to later find that it does not.*
There is little reason to believe that Zcash’s trusted setup has been compromised in any way, and there is definitely no evidence that it was. But calling to mind one of Bitcoin’s unofficial slogans — “Don’t trust, verify” — this is ultimately not something Zcash users can check for themselves.
*Edit Note: In response to this article, Zooko challenged the claim that a compromised trusted setup could break Zcash privacy, which in turn elicited a response from Peter Todd.
This idea that a failure or compromise of Zcash's setup could threaten user privacy is incorrect. https://t.co/Xyt81U9M98
— zooko (@zooko), September 25, 2018
There's been some claims made recently that a compromise of the Zcash trusted setup can't compromise privacy.
I checked with one of the cryptographers working on zk-SNARKs, and these claims are false.
A compromised MPC absolutely can wreck privacy; Zooko needs to correct this. pic.twitter.com/07tfMQQurL
— Peter Todd (@peterktodd), September 27, 2018
To the best of our understanding, Zcash privacy can indeed be broken if the trusted setup was compromised, though it should at least technically be possible to check that the trusted setup was not compromised in this way. The topic is both complex and nuanced, however; follow the Twitter threads above for more discussion and detail.
This article has been updated for accuracy.