The Zcash (ZEC) genesis block will be launched on October 28th 2016. The new cryptocurrency will be the first to use a decentralized network to employ zero-knowledge security on an independent blockchain, as previous versions Zerocoin and Zerocash were limited to providing anonymity for other independent coins. It will be the truly anonymous ledger that has so far eluded many other cryptocurrencies.
Zcash relies on zk-SNARKs (zero-knowledge Succinct Non-interactive ARguments of Knowledge), a type of non-interactive zero-knowledge proof, to prove to observers that a commitment for a transaction on the Zcash blockchain has been satisfied, without revealing the details of that commitment. This technology, combined with some technical extensions to the original Bitcoin protocol, allows the sender, recipient, and value of transactions on the Zcash blockchain to be hidden, granting inherent anonymity within a public blockchain protocol. The only thing visible is a proof that a valid transaction took place.
Zcash is an implementation of Zerocash, an extension to Bitcoin invented in 2014 and designed to provide anonymous transactions by minting Bitcoins (or other non-anonymous basecoins on whose blockchain the Zerocash protocol runs) into anonymous Zerocash coins. Zerocash was an improvement over the Zerocoin protocol of a year before, which was meant to improve Bitcoin by allowing “users to mix their own coin”, essentially by using cryptography to conceal which outputs are linked to which inputs. Zcash has improved over Zerocash in that it now has its own blockchain, making it an independent altcoin, and has a number of other technical improvements as well.
Zcash supports both transparent transfers of value, functioning essentially the same as regular Bitcoin transactions, and protected transfers of value which utilize special methods to preserve privacy.
Zcash will be using a proof-of-work algorithm called Equihash, a memory-oriented algorithm whose mining is optimized for CPU/RAM. This design makes it unlikely that the ASIC mining rigs which have taken over Bitcoin mining will be effective for mining ZEC, thus mitigating aspects of custom-hardware mining centralization. The beta testnet, where users can mine testnet currency (TAZ), is now live. The Zcash team has also released an open source code development contest, ending on the 27th of October, for the creation of open source CPU and GPU mining software to make the ZEC network “a more accessible and a truly community-supported cryptocurrency.”
Nonetheless, at time of writing, an open-source GPU miner has not been released. Cloud-mining contracts have emerged as the primary alternative.
Inflation and Distribution
Overall, the Zcash project has received 3 million dollars from 30 investors, 2 million of which was garnered this past summer from 17 investors. Because Zcash will not be premined like other altcoins, it instead employs a founders’ reward. The ZEC monetary base is the same as Bitcoin’s, but of the maximum 21 million ZEC currency units mined over time, 90% will be distributed to miners and 10% (2.1 million) will be distributed to the founders of the company over the course of four years. Investors will receive 16.5% of the founders’ reward, meaning the investors this past summer paid 2 million dollars for a future return of 131,250 ZEC, which essentially values individual ZEC units at $15.24 apiece, although the Zcash team stresses that predicting the value of ZEC at launch is impossible and that original investors also purchased equity in the Zcash company.
After four years, the reward per block halves, and 100% of block rewards go to miners. This approach is designed to incentivize the founders to support the Zcash currency for at least four years, while at the same time limiting their ability to pump and dump. For more on the Zcash founders’ reward and funding, see here and here.
Under the hood
Zcash transactions can contain regular inputs, outputs and scripts to perform transparent transfers of value as in Bitcoin. Such a regular transaction remains pseudonymous, as in Bitcoin – the amount, sender and recipient of the transaction are visible. However, Zcash transactions can also be made protected, meaning that the amount, sender and recipient are hidden. Protected transactions contain what the Zcash documentation calls JoinSplit descriptions, which describe JoinSplit transfers (similar to “Mint” and “Pour” transactions in Zerocash). A JoinSplit transfer takes as input a value and up to two notes, and from these produces a second value and up to two output notes.
| Feature | Bitcoin | Zcash (protected transactions) |
|---|---|---|
| Currency / unit of account | Bitcoin (divisible to 8 decimal places) | Same as Bitcoin |
| What’s in a transaction? | Transparent inputs and outputs, which include recipient address and spender | JoinSplit descriptions and statements (containing zk-SNARKs) and heavily encrypted data |
| How is ownership of currency proved? | Reveal public key and sign transaction with private key | zk-SNARKs prove ownership without providing details; nullifiers prevent double spends |
| What could someone learn about you from analyzing the blockchain? | (If they had your public address) how much BTC you held, which addresses it came from, and which addresses received any transactions | Observers can see protected transactions, but don’t know the value contained, where the inputs came from, or where they are going |
Notes (called coins in Zerocash) are objects which specify two values: an amount and a paying key. Paying keys are components of payment addresses, which are used to receive notes, and are generated from a spending key component (think public addresses and private keys in Bitcoin). There are also note commitments and nullifiers (known as serial numbers in Zerocash) cryptographically associated with each note. The nullifier is computed from the note’s spending key and is connected to the note commitment, though it is essentially impossible to correlate the note commitment with its corresponding nullifier without knowledge of the spending key (the private component behind the paying key). In transactions, output nullifiers are concealed from anyone without the viewing key, discussed more below.
Input note nullifiers are “spent”, and therefore revealed to prevent double spending, essentially “nullifying” the values of the transaction. This works because the same nullifier value may not appear twice on the chain: a block that tried to double spend by repeating a nullifier would be invalid. Output notes, however, remain concealed until someone can prove ownership of the spending key and move those coins, at which point they create a new transaction that reveals the previously concealed nullifiers as inputs, marking the coins as spent.
Zcash transactions also include JoinSplit statements containing a zk-SNARK, which is the fundamental technology behind Zcash’s anonymity. Zero-knowledge proofs are methods by which a party may prove the validity of an assertion without sharing any other details. A similar concept is already employed in Bitcoin with asymmetric cryptography involving public/private key pairs. For example, users sign transactions with their private keys to prove they own the Bitcoins of a corresponding public key. Anyone can check the signature against the public key and confirm this to be true, even though the private key is known only to the owner of those coins. SNARKs are a more complex form of zero-knowledge proof that can be applied to more advanced statements about specific functions. A very simplified way to think of it is a system designed in such a way that when you observe the SNARK proof it convinces you that said function evaluates to true, even if you don’t necessarily know the input or other details. zk-SNARKs also have uses in Ethereum.
In the case of Zcash, the SNARKs within JoinSplit descriptions provide zero-knowledge proof that the spender had knowledge of the input notes’ private spending keys without divulging them, that the entire transaction is signed in a way that it cannot be modified without knowing the private spending keys of the input notes, and that the output notes are created in a way that collisions with other nullifiers will be impossible. This proves to outside observers who aren’t permitted to see the details of a transaction that the transaction is valid and all the details are correct. It proves that a commitment for another spend somewhere has now been satisfied; the observer just has no idea which one.
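As an added illustration (not code from the Zcash project or the article), the following Python models the JoinSplit rules described above: note commitments go on chain when notes are created, nullifiers are revealed when notes are spent and may never repeat, and a JoinSplit with up to two input and two output notes must balance against the transparent value flowing in and out. It assumes HMAC-SHA256 and SHA-256 as stand-ins for the protocol’s PRFs and commitment scheme, and checks the spender’s key directly where Zcash would verify a zk-SNARK; all keys and note values are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Simplified model, not Zcash's real circuit: HMAC-SHA256 stands in for the PRFs.
def prf(key: bytes, tag: bytes, data: bytes) -> bytes:
    return hmac.new(key, tag + data, hashlib.sha256).digest()

@dataclass(frozen=True)
class Note:
    value: int         # the amount
    paying_key: bytes  # public half of the payment address, derived from the spending key
    rho: bytes         # per-note randomness the nullifier is derived from

def paying_key(spending_key: bytes) -> bytes:
    return prf(spending_key, b"addr", b"")

def commitment(note: Note) -> bytes:
    # Published on chain when the note is created; hides value and owner.
    return hashlib.sha256(b"cm" + note.value.to_bytes(8, "big") + note.paying_key + note.rho).digest()

def nullifier(spending_key: bytes, note: Note) -> bytes:
    # Only the spending-key holder can derive it, so observers cannot link commitment to nullifier.
    return prf(spending_key, b"nf", note.rho)

class Ledger:
    """Tracks the two sets every node keeps: note commitments and revealed nullifiers."""
    def __init__(self):
        self.commitments, self.nullifiers = set(), set()

    def apply_joinsplit(self, spending_key, inputs, outputs, vpub_old=0, vpub_new=0):
        # Up to 2 input notes + transparent value in -> up to 2 output notes + transparent value out.
        # Zcash proves these checks with a zk-SNARK; this model sees the spending key directly.
        if len(inputs) > 2 or len(outputs) > 2:
            return "invalid: too many notes"
        nfs = [nullifier(spending_key, n) for n in inputs]
        if len(set(nfs)) != len(nfs):
            return "invalid: double spend"
        for n, nf in zip(inputs, nfs):
            if commitment(n) not in self.commitments:
                return "invalid: input commitment not on chain"
            if n.paying_key != paying_key(spending_key):
                return "invalid: spender does not own input note"
            if nf in self.nullifiers:
                return "invalid: double spend"
        if sum(n.value for n in inputs) + vpub_old != sum(n.value for n in outputs) + vpub_new:
            return "invalid: value not balanced"
        self.nullifiers.update(nfs)
        self.commitments.update(commitment(n) for n in outputs)
        return "accepted"
```

A JoinSplit with no input notes and a positive vpub_old models minting transparent value into a protected note; spending the same note twice is rejected by the nullifier set without the ledger ever needing to know which commitment was consumed.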
Finally, the other component of payment addresses (think Bitcoin public address) is the transmission key, whose corresponding private key is known as the viewing key. These keys are used “for a key-private asymmetric encryption scheme,” which essentially creates ciphertexts such that only those holding the private key, the viewing key, can even tell that a given ciphertext was encrypted with their transmission key. This is how output notes are encrypted and kept private between users on a public blockchain. Users use their viewing key to scan the blockchain for notes that were encrypted with their corresponding transmission key, and then decrypt them to receive their coins (that is, to obtain the information they need to create a valid spend and move the received coins).
Through zero-knowledge proofs, Zcash manages to provide evidence of the ownership of coins without allowing two transactions to be directly connected. When creating transactions, the spender proves through zk-SNARKs that commitments have been validated without revealing which inputs granted the spender those coins. An attacker trying to establish a correlation between two transactions is left with the possibility that the spent input could be any transaction on the blockchain that the attacker does not directly control or has not participated in.
For more technical insight and developer material, see the Zcash whitepaper: https://github.com/zcash/zips/blob/master/protocol/protocol.pdf