08 Apr 20

A step towards privacy and innovation - Zcash Full Guide

Privacy coins are a distinct subset of cryptocurrencies. Three of the best-known privacy coins on the market are Monero, Dash, and Zcash. Today we will be telling you all about Zcash, one of the more exciting projects in the space. The coin was developed by the Electric Coin Company, which is headed by the cypherpunk Zooko Wilcox-O’Hearn.

 
Image: Zooko Wilcox-O'Hearn, the cypherpunk who envisioned Zcash

Zcash launched on October 28, 2016, as a fork of the Bitcoin codebase. The underlying research was first called Zerocoin, was then extended into the Zerocash system, and finally became Zcash. Wilcox describes the Zcash protocol like this:

 

“Zcash is another blockchain and cryptocurrency which permits private transactions (and generally private data) in a public blockchain. This permits businesses, consumers, and new applications to control who gets to see the details of their transactions, even while using a global, permissionless blockchain.”

 

The Need for Privacy Coins

 

One of the more interesting aspects of public blockchains like Bitcoin and Ethereum is their total transparency. Simply put, anyone on the network can look at and trace every single transaction that has ever been made. So, if you have made your public address visible to the world (e.g. through a donation link on your website), anyone can see every transaction that address has ever taken part in, and chain-analysis tools can often link it to your other addresses as well. While there are many valuable uses for this transparency (supply-chain tracking, for instance), it seriously compromises your privacy. Do you really want to adopt a financial system in which every purchase you have ever made can be traced right back to its source?

 

How does Zcash Work?

 
First, let’s look at a standard bitcoin transaction. If Alice wants to send some bitcoins to Bob, she creates a transaction paying Bob’s address, signs it with her private key and broadcasts it. The miners include the transaction in a block, and from then on the sender, the recipient and the amount are visible to everyone.

Simple right?

So, let’s look at how Zcash transactions work.

 
Infographic: the difference between Zcash's transparent layer and shielded layer (image credit: Fossbytes)

  • Transparent transactions: These work much like Bitcoin’s. They use “t-addresses”, and the sender, recipient and amount are all public.
  • Shielded transactions: These use “z-addresses”. They are still recorded on the blockchain, but the sender, recipient and amount are encrypted, and a zero-knowledge proof attached to the transaction lets every node check that it is valid without learning any of those details.

    So, how exactly do these shielded transactions work?

    When both Alice and Bob use their shielded addresses, the following holds:

     

  • Alice’s address remains a secret.
  • Bob’s address remains a secret.
  • The details of the transaction itself (the amount and any encrypted memo) remain a secret.

    Note that this holds only for fully shielded transactions. If one side uses a transparent address (a transfer into or out of the shielded pool), that side’s address and the amount moved are public, so the privacy you actually get depends on how the coins are used, not only on the protocol.

    Zcash achieves this level of privacy through zk-SNARKs, Zero-Knowledge Succinct Non-Interactive Arguments of Knowledge. To understand zk-SNARKs, you first need to know what zero-knowledge proofs are.

     

    What are Zero-Knowledge proofs?

     

    Back in the 1980s, three MIT researchers, Shafi Goldwasser, Silvio Micali, and Charles Rackoff, introduced zero-knowledge proofs (ZKPs) in their work on interactive proof systems.

     


    Before we continue, there are two terms that you should familiarize yourself with:

     

  • Prover: The party who wants to convince someone that a statement is true, typically because they hold a secret “witness” that makes it true.
  • Verifier: The party who checks whether the prover is right.

    The core idea behind a ZKP is this: the prover convinces the verifier that a statement is true without revealing anything beyond the fact that it is true, in particular not the secret that makes it true. For example, proving that you are an adult without disclosing your date of birth at all. Showing part of your birth date, as ID checks usually do, is not zero-knowledge, because it leaks information the verifier did not need.

     

    Before Goldwasser, Micali, and Rackoff came along, proof systems were analysed mainly for “soundness”, which treats the prover as the potentially malicious party who may try to fool the verifier. That raises the opposite question: what if the verifier is the dishonest one? What does he learn from the proof, and what can he do with that information afterwards?

     

    Let’s take a real-world example to illustrate this point. When you log in to your social media account, you use a password. The server hashes the password you send and compares the result with the hash stored for your account; if they match, you are allowed in.

    The problem with this approach is that the server still sees your password in the clear on every login, and it can store or leak it, by accident or because it has been compromised. You prove that you know the password by handing it over. A zero-knowledge proof would let you convince the server without the password ever leaving your device. This is where ZKPs can find immense utility.

     

    The three cryptographers created ZKP based on the following premise:



  • Question the honesty of the verifier, not only that of the prover.
  • Ask how the prover can convince the verifier of a statement without exposing the secret behind it.

    Properties and Examples of Zero-Knowledge Proofs

     
    A ZKP has the following properties:
     

  • Completeness: If the statement is true, an honest prover can always convince an honest verifier.
  • Soundness: If the statement is false, no cheating prover can convince the verifier, except with negligible probability.
  • Zero-knowledge: If the statement is true, the verifier learns nothing beyond that fact. Formally, everything he sees could have been generated by a simulator that has no access to the prover’s secret.

    Now that you have a brief idea about how ZKP works, let’s look at some examples.

     
    #1 Color blindness and billiard balls
     

    Consider this scenario: we have a prover and a verifier, but the verifier is red-green color-blind, so a red ball and a green ball look identical to him.

     

     

    The prover has two billiard balls, one red and one green. The verifier, who cannot tell them apart, believes they are the same color; the prover wants to convince him that they are different, without the verifier ever learning which is which. How are they going to do this?

     

    The verifier will first show the balls to the prover. Then he hides his hands behind his back and switches the balls or keeps them as is. Following that, he presents them to the prover. The prover can see the actual color of the balls and will know instantly whether the switch has been made or not.

     

    The verifier can repeat the test as many times as they want to before he is satisfied. So, how does this experiment satisfy the three ZKP properties?

     

  • Completeness: If the balls really are different colors, the honest prover answers correctly every time and the verifier is convinced.
  • Soundness: If the balls were the same color, the prover could not tell whether a swap had happened and would have to guess, being caught with probability 1/2 in each round. After n rounds the chance of fooling the verifier is only 1/2^n, which is why he repeats the test until he is satisfied.
  • Zero-Knowledge: The verifier learns only that the balls differ, never which one is red and which is green.
    #2 Ali Baba’s Cave
     
    One of the most famous ZKP illustrations is Ali Baba’s cave, from the 1989 paper “How to Explain Zero-Knowledge Protocols to Your Children” by Quisquater, Guillou and others.
     

     
    So, what’s going on here?
     

    We have a magical cave with a secret door in the back. The prover (P) wants to prove to the verifier (V) that they know the secret password to the door without telling them what the password actually is. How are they going to do that? Let’s take a look:

     

  • The cave has a single entrance that forks into two paths, A and B, which meet at a locked door deep inside. Only someone who knows the password can open the door.
  • The verifier waits outside while the prover walks in and picks A or B at random, so the verifier does not know which path was taken.
  • The verifier then walks to the fork and shouts which path the prover must come back along, say B.
  • If the prover knows the password, they can always comply: either they walked in along B, or they open the door and cross over. Without the password they can comply only if they happened to pick B, so they are caught half the time.
  • A single round therefore proves little. The verifier repeats the test many times; after n rounds a prover without the password survives with probability only 1/2^n.
    Let’s see how the three properties of zero-knowledge are satisfied in this example:
     

  • Completeness: A prover who knows the password always exits by the requested path, so the honest verifier is always convinced.
  • Soundness: A prover without the password must commit to a path before hearing the request and is caught with probability 1/2 per round; after enough rounds the chance of fooling the verifier is negligible.
  • Zero-Knowledge: The verifier only ever sees the prover emerging from the path he asked for, which is exactly what he could stage himself with a cooperating actor and no password. He learns nothing about the password.
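Both illustrations above have the same mechanics, so here is a small simulation that covers both, written for this page as an added example (it is not code from the article or from Zcash). It models the verifier's secret choice as a bit, an honest prover who can always read it and a cheating prover who has to guess, and checks the three properties numerically: the honest prover is always accepted, a cheater survives n rounds with probability about 1/2^n, and a convincing transcript can be generated with no witness at all, which is the zero-knowledge argument. The round counts and seeds are assumptions for the demonstration.

```python
"""Simulation of the two cut-and-choose proofs above (billiard balls, Ali Baba's cave).
Added example, not part of the original article. Both protocols have the same shape:
the verifier makes a secret binary choice b (swap the balls or not / which path to exit),
the honest prover, who has the witness (normal colour vision / the password), can always
answer b correctly, and a prover without the witness can only guess."""
import random


def honest_round(b, rng):
    # Has the witness, so observes the verifier's choice directly and answers it.
    return b


def cheating_round(b, rng):
    # No witness: b is invisible to this prover (the parameter is only here so both
    # provers share a signature), so the answer is a blind coin flip.
    return rng.randrange(2)


def run_protocol(prover_round, rounds, rng):
    """One proof session. The verifier accepts only if every round's answer matches."""
    for _ in range(rounds):
        b = rng.randrange(2)            # verifier's secret choice for this round
        if prover_round(b, rng) != b:
            return False                # caught: reject immediately
    return True


def soundness_error(rounds):
    """Upper bound on a cheating prover's success: one fair coin per round."""
    return 0.5 ** rounds


def honest_always_accepted(rounds, trials, seed=0):
    rng = random.Random(seed)
    return all(run_protocol(honest_round, rounds, rng) for _ in range(trials))


def estimate_cheat_rate(rounds, trials, seed=0):
    """Empirical fraction of sessions a witness-less prover survives."""
    rng = random.Random(seed)
    wins = sum(run_protocol(cheating_round, rounds, rng) for _ in range(trials))
    return wins / trials


def real_transcript(rounds, rng):
    """What the verifier actually sees: (his choice, prover's answer) per round."""
    return [(b, honest_round(b, rng)) for b in (rng.randrange(2) for _ in range(rounds))]


def simulated_transcript(rounds, rng):
    """Zero-knowledge argument: the same transcript distribution can be produced with
    no witness at all, by choosing b and the matching answer together. Anything the
    verifier could have generated alone, he did not learn from the prover."""
    return [(b, b) for b in (rng.randrange(2) for _ in range(rounds))]


def transcripts_indistinguishable(rounds, seed):
    # Same random tape -> identical output, showing the two distributions coincide.
    return real_transcript(rounds, random.Random(seed)) == simulated_transcript(rounds, random.Random(seed))


if __name__ == "__main__":
    print("honest prover accepted in all sessions:", honest_always_accepted(10, 1000))
    print("cheater survives 10 rounds: bound %.4f, observed %.4f"
          % (soundness_error(10), estimate_cheat_rate(10, 20000, seed=1)))
    print("real and simulated transcripts coincide:", transcripts_indistinguishable(16, 7))
```

The simulator is the part worth dwelling on: because the verifier could have produced every (choice, answer) pair himself, the real interaction cannot have taught him anything about the password or the colours. The same simulator argument, in algebraic form, is what makes the discrete-log protocol in the next section zero-knowledge.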

    Can Zero-Knowledge Proofs be Non-Interactive?

     

    Look at the definition of zk-SNARKs once again: Zero-Knowledge Succinct Non-Interactive Arguments of Knowledge. The non-interactive part matters because ZKPs were interactive when they started out. The prover and the verifier had to exchange several messages, both being online at the same time, and the resulting proof convinced only the verifier who took part in that conversation. That does not scale to a blockchain, where a proof has to be checked by thousands of nodes long after it was made.

     

    Thankfully, in 1986 the Fiat-Shamir heuristic showed how to turn an interactive ZKP into a non-interactive one. To understand how, let’s first look at a classic interactive proof of knowledge of a discrete logarithm, Schnorr’s protocol.

     

  • Alice, the prover, wants to convince Bob, the verifier, that she knows a value x such that y = g^x, where g generates a group of prime order q and y is public. All arithmetic in the exponent is done mod q.
  • Alice picks a random value v from Z_q (the integers mod q), computes t = g^v and sends t to Bob. She keeps v secret.
  • Bob picks a random challenge c from Z_q and sends it to Alice.
  • Alice computes r = v - c*x (mod q) and returns r to Bob.
  • Bob checks whether g^r * y^c equals t. (Since r = v - c*x and y = g^x, substitution gives g^(v - c*x) * g^(c*x) = g^v = t.)
  • Bob never learns x, but if the check passes he is convinced that Alice knows it: anyone who could answer two different challenges for the same t could compute x from the two responses, so passing without knowing x is no more likely than guessing Bob’s challenge in advance. For the same reason Alice must use a fresh v every time; reusing it hands x to anyone who sees both transcripts.

    The exchange above satisfies the properties of ZKP. However, for it to work, both Alice and Bob need to be present and online to exchange values.

     

    So how does the Fiat-Shamir heuristic make this non-interactive? Let’s replay the exchange between Alice and Bob and see how a hash function removes Bob’s turn.

     

  • Alice, the prover, wants to convince Bob, the verifier, that she knows x such that y = g^x, exactly as before.
  • Alice picks a random value v from Z_q and computes t = g^v.
  • Instead of waiting for Bob’s challenge, she computes it herself as c = H(g, y, t), where H is a cryptographic hash function whose output is reduced mod q. Because she cannot predict H, she cannot choose t after seeing c, which is what kept her honest in the interactive version.
  • Alice computes r = v - c*x (mod q) and sends the pair (t, r) to Bob in a single message.
  • Bob, or anyone else who obtains (t, r), recomputes c = H(g, y, t) and checks that t = g^r * y^c.

    This version is zero-knowledge as well, but the exchange is now non-interactive: the proof is a short object that anyone can verify at any later time without Alice’s involvement (if a message is hashed in alongside g, y and t, the same construction is a Schnorr signature). This is one of the key innovations that lay the foundations for zk-SNARKs.
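The two exchanges above carried out in working code, as an added example (it is not code from the article, from Zcash or from any library, and the group parameters p, q and g are toy values chosen for readability, an assumption of the example). It runs the interactive protocol, then the Fiat-Shamir version, and finishes with the extractor that recovers x from two responses made with the same nonce v, which is why v must be fresh every time.

```python
"""Schnorr's interactive proof of knowledge of a discrete logarithm, its Fiat-Shamir
(non-interactive) form, and the nonce-reuse pitfall. Added example, not code from the
article or from Zcash; it uses a deliberately tiny toy group so the numbers are readable."""
import hashlib
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Group:
    p: int  # modulus of the multiplicative group
    q: int  # prime order of the subgroup generated by g
    g: int  # generator of that subgroup


# Toy parameters (assumption for the example): p = 2q + 1 with q prime, and g = 4 has
# order q. Real deployments use a ~256-bit q (secp256k1, ristretto255, ...).
TOY = Group(p=2039, q=1019, g=4)


def keygen(G, rng=secrets.randbelow):
    """Secret x in [1, q-1] and public y = g^x; x is the discrete log Alice proves she knows."""
    x = 1 + rng(G.q - 1)
    return x, pow(G.g, x, G.p)


# ---- interactive version: commit (t), challenge (c), response (r) ----

def prover_commit(G, rng=secrets.randbelow):
    v = rng(G.q)                        # fresh random nonce, kept secret
    return v, pow(G.g, v, G.p)          # (v, t = g^v); only t is sent


def verifier_challenge(G, rng=secrets.randbelow):
    return rng(G.q)


def prover_respond(G, x, v, c):
    return (v - c * x) % G.q            # r = v - c*x, reduced mod the group order


def verify(G, y, t, c, r):
    if not 1 <= t < G.p:
        return False
    # g^r * y^c = g^(v - c*x) * g^(c*x) = g^v = t
    return (pow(G.g, r, G.p) * pow(y, c, G.p)) % G.p == t


def interactive_run(G, x, y):
    """Both parties online: three messages, Bob supplies the challenge."""
    v, t = prover_commit(G)             # Alice -> Bob: t
    c = verifier_challenge(G)           # Bob -> Alice: c
    r = prover_respond(G, x, v, c)      # Alice -> Bob: r
    return verify(G, y, t, c, r)


# ---- Fiat-Shamir: the challenge is a hash of everything fixed so far ----

def fs_challenge(G, y, t, msg=b""):
    """c = H(g, y, t [, msg]) mod q. Binding the public values g and y, not just t,
    matters: if y were left out, an attacker could fix t and r first, derive c, and
    solve for a y the proof verifies under without knowing its discrete log."""
    h = hashlib.sha256()
    for n in (G.p, G.q, G.g, y, t):
        h.update(n.to_bytes(32, "big"))
    h.update(msg)
    return int.from_bytes(h.digest(), "big") % G.q


def fs_prove(G, x, y, msg=b""):
    """Alice alone produces (t, r); with a non-empty msg this is a Schnorr signature."""
    v, t = prover_commit(G)
    c = fs_challenge(G, y, t, msg)
    return t, prover_respond(G, x, v, c)


def fs_verify(G, y, proof, msg=b""):
    """Anyone, at any later time, can check the proof without talking to Alice."""
    t, r = proof
    return verify(G, y, t, fs_challenge(G, y, t, msg), r)


# ---- why the nonce v must never be reused ----

def extract(G, c1, r1, c2, r2):
    """Two responses for the same t and different challenges reveal x:
    r1 - r2 = (c2 - c1) * x (mod q). This is also the extractor behind the
    soundness proof: anyone who can answer two challenges must know x."""
    return ((r1 - r2) * pow(c2 - c1, -1, G.q)) % G.q
```

Two practitioner points the code makes concrete. First, the hash in fs_challenge must cover g and y as well as t; hashing t alone (sometimes called weak Fiat-Shamir) lets an attacker fix t and r, compute c, and then solve for a public key y that the proof verifies under. Second, reusing v across two proofs hands x to anyone watching, as extract shows; a constant nonce in ECDSA is exactly how Sony’s PlayStation 3 code-signing key was recovered in 2010.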

     

    How does zk-SNARKs work?

     

    A standard zk-SNARK consists of three algorithms – P, V, and G.

     

    P is the prover algorithm. It takes three inputs: the proving key pk, the public input x, and the secret witness w (the private data that makes the statement true). It outputs a proof prf, which the prover sends to the verifier; w itself is never sent.

     

    V is the verifier algorithm and returns a boolean, TRUE or FALSE. It takes the verifying key vk, the public input x, and the proof prf, and returns TRUE only if prf is a valid proof for x. Verification is fast and the proof is small regardless of how much work the statement involves; that is the “succinct” part.

     

    G is the key generator. It takes a secret random parameter lambda and the program C (the statement to be proved) and outputs the proving key pk and the verifying key vk, which are used by the prover and verifier respectively. G is run once, in a trusted setup, before any proofs are made.

     
    The importance of keeping lambda private
     

    The value of lambda must be kept confidential at all costs. It is the backbone of Zcash’s entire architecture: anyone who learns lambda can generate counterfeit proofs that V accepts, and in Zcash that means minting coins out of nothing without anyone being able to tell. The approach taken is analogous to a key pair: the public parameters (pk and vk) were built into Zcash for everyone to see, while the secret randomness used to create them was destroyed in an elaborate “ceremony.”

     
    This is what happened during the ceremony:
     

  • The public parameters for the zk-SNARK circuit were generated by a multi-party computation rather than on a single machine.
  • Six participants, in different locations, each generated one share of the secret randomness on a freshly built, air-gapped computer.
  • The shares were combined into the final parameters in such a way that the secret can be reconstructed only if every participant’s share is recovered; a single honest participant who destroyed theirs is enough to protect the system.
  • Afterwards the machines were wiped and physically destroyed, in at least one case with a blowtorch.

    The leftover secret randomness is what the Zcash community calls “toxic waste.” The risk the ceremony had to manage was that some of it survives, for example because a machine was not fully destroyed or the generation was recorded or exfiltrated. Anyone holding the complete toxic waste could forge proofs, and therefore create ZEC out of nothing, without anyone on the network being able to detect it.

     

    Radiolab did a fascinating podcast episode about the whole ceremony. We highly recommend giving it a listen.

     

    zk-SNARKs functionality

     

    ConsenSys’s Christian Lundkvist gave a simple illustration of how the three algorithms fit together. Consider the following example program:

     
    const { createHash } = require('crypto');

    function C(x, w) {
        // true iff the secret w is a SHA-256 preimage of the public hash x (hex string)
        return createHash('sha256').update(w).digest('hex') === x;
    }
     
    In the code above, we have a function C that takes in 2 input values:
     

  • A public hash value “x.”
  • A secret value “w,” the witness, whose hash is to be checked.

    If the SHA-256 hash value of w equals “x,” then the function returns TRUE, otherwise, it returns FALSE. (SHA-256 is the hash function that is used in Bitcoin).

     

    Now, if Alice and Bob want to interact with each other through this program, wherein the former is the prover and the latter verifier, let’s see how it will work.

     

  • The proving and verifying keys are generated once, using generator G, by a party the prover does not control: in this simple story Bob, in Zcash the setup ceremony described above.
  • To do this, that party first generates a random secret “lambda,” which must never be revealed to anyone, least of all to a prover.
  • The generator creates the keys like this: G(C, lambda) = (pk, vk).
  • Alice receives pk and must now prove that she knows a w with sha256(w) == x by generating a proof prf.
  • The prf is created via the proving algorithm P: prf = P(pk, x, w), where x is the SHA-256 hash of the secret value w.
  • Alice sends prf (together with the public x) to Bob. She never sends w.
  • Bob runs the verifying algorithm V(vk, x, prf).
  • If it returns TRUE, Bob is convinced that Alice knows a preimage of x, even though he has never seen it and the proof is far smaller than a SHA-256 computation. If it returns FALSE, the proof is rejected.

    The Zcash Blockchain

     

    Zcash is derived from the Bitcoin codebase, so it shares Bitcoin’s total supply cap of 21 million coins and uses proof-of-work consensus to secure its blockchain. Unlike Bitcoin’s SHA-256 mining, however, Zcash uses the memory-hard Equihash algorithm, chosen to resist ASIC mining and the centralization that comes with it (in practice, Equihash ASICs did eventually appear).

     

    Zcash’s block time is 2.5 minutes as opposed to Bitcoin’s 10 minutes. The block reward is currently 6.25 ZEC, of which the miners receive 80% (5 ZEC). The remaining 20% is divided like this:

     

  • ECC (Electric Coin Company) founders and vested employees receive 9.85%.
  • The Zcash Foundation receives 2.2%.
  • The ECC receives 5.75%.
  • An additional 2.2% goes to ECC employee compensation.

    Examples of Zcash’s Usecases

     

    Zcash’s primary use case lies in letting users disclose exactly the data a counterparty needs while keeping everything else private. This has drawn enterprise interest: JPMorgan Chase integrated Zcash’s zero-knowledge technology into Quorum, its enterprise distributed ledger.

     

    Zcash’s ZKPs let a user prove facts about a transaction without revealing the transaction itself, e.g. proving that a tax payment was made without disclosing details such as deductions or the actual amount paid.

     

    Conclusion

     

    So, there you have it. At the very heart of Zcash lies zk-SNARKs, one of the most innovative privacy techniques in the blockchain space. It’s backed by a talented team and has already made several key partnerships. If you are interested in knowing more, check out their whitepaper and blog.

    disclaimer

    CHAIA.iO is not a registered investment, legal or tax advisor or a broker/dealer. All investment/financial opinions expressed by CHAIA.iO or the authors of the respective articles on www.chaia.io are from personal research and experience of the owner of the site or the authors and are intended as educational material. Although best efforts are made to ensure that all information is accurate and up to date, occasionally unintended errors or misprints may occur. You should take independent financial advice from a professional in connection with, or independently research and verify, any information that you find on our Website and wish to rely upon, whether for the purpose of making an investment decision or otherwise.

    Rajarshi Mitra
    Blockchain Researcher