ZCash is one of the most popular privacy-oriented cryptocurrencies available today. It is an open-source project that is the first large-scale cryptocurrency implementation of zk-SNARKs, the advanced zero-knowledge proof (ZKP) technology enabling anonymous shielded transactions in the network.
One of the significant problems that privacy-oriented cryptocurrencies like ZCash and Monero face is that the cryptographic constructions they use to hide transaction details on a public ledger are far heavier than an ordinary signed transaction. Their transactions are larger and costlier to create and store, which makes them impractical for many users, particularly on mobile devices.
Sapling is a major upgrade to the ZCash network that primarily focuses on making zk-SNARK proof generation for shielded transactions cheaper. Sapling activated at block 419,200 on October 29th, 2018 and has been running since.
Background on ZCash and zk-SNARKs
ZCash was released in 2016 by founder Zooko Wilcox and has rapidly emerged as one of the leading privacy cryptocurrencies along with Monero. ZCash is predicated on some of the most advanced cryptography available, known as zero-knowledge proofs. ZCash’s ZKP integration focuses explicitly on a form known as zk-SNARKs, which have become a popular topic among a variety of groups and have been dubbed “crypto magic.”
ZCash is the first major network-scale implementation of zk-SNARKs. The abbreviation zk-SNARKs stands for “Zero-Knowledge Succinct Non-Interactive Argument of Knowledge,” and they are a particular form of zero-knowledge proofs. Using a zk-SNARK enables a prover to prove to a verifier that a statement about specific information is true without having to reveal any details about the information to the verifier.
ZCash applies zk-SNARKs to transaction validation. In a public and transparent blockchain like Bitcoin, transactions are validated using the sender/receiver addresses along with the input and output values as part of the UTXO model. ZCash is also a public blockchain, but it additionally allows shielded transactions that use a zk-SNARK to prove that the conditions necessary for a transaction to be valid have been satisfied, without revealing the sender, receiver, or amount transferred.
It is important to note that shielded transactions are not the default setting in ZCash and need to be selected deliberately instead of the default transparent addresses.
For a shielded transaction's zk-SNARK proof to be valid, it must establish three things:
- The values of the input notes sum to the values of the output notes.
- The sender holds the private spending keys for the input notes.
- The private spending keys are cryptographically bound to the whole transaction, so a third party who does not know them cannot modify it.
Shielded transactions must also satisfy the rules of the commitment scheme that the zk-SNARK operates over. When a note is created, only a commitment to it is published; when it is spent, the spender reveals a nullifier derived from the note and their spending key, and, similar to key images in Monero, a nullifier can never be used twice. Every node stores every nullifier seen so far to enforce this. Several further statements must also be proven, such as that each input note has a revealed commitment on the chain, and that the construction makes collisions between an output nullifier and any other nullifier computationally infeasible.
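To make the commitment/nullifier model concrete, here is a toy shielded ledger written for this article. It is not ZCash's code: SHA-256 stands in for the real commitment and PRF constructions, the spending keys, note values and rho/r values are constructed test data, and there is no zero-knowledge proof, so the ledger can see values that a real validator only sees inside a proof. What it does show is the three checks listed above (input value balance, ownership of the inputs, and nullifier uniqueness) and why a double spend fails even though the spent note's commitment is never removed from the tree.

```python
"""Toy shielded-note ledger: commitments, nullifiers and value balance.

Added example, not ZCash's implementation. SHA-256 replaces the real
commitment scheme and PRF; there is no zk-SNARK, so checks run on
plaintext values. Keys and notes below are constructed test data.
"""
import hashlib
from dataclasses import dataclass, field


def h(*parts: bytes) -> bytes:
    """Toy hash-based commitment/PRF; not ZCash's construction."""
    return hashlib.sha256(b"|".join(parts)).digest()


@dataclass(frozen=True)
class Note:
    value: int
    rho: bytes       # per-note nonce; the nullifier is derived from it
    r: bytes         # commitment randomness, hides the value
    owner_pk: bytes  # public key derived from the owner's spending key

    def commitment(self) -> bytes:
        # Published on-chain when the note is created; reveals nothing
        # about value or owner to anyone who lacks rho, r and owner_pk.
        return h(b"cm", self.value.to_bytes(8, "big"), self.rho, self.r, self.owner_pk)


def public_key(spend_key: bytes) -> bytes:
    return h(b"pk", spend_key)


def nullifier(spend_key: bytes, note: Note) -> bytes:
    # Only the holder of spend_key can derive this, and an observer
    # cannot link it back to the note's commitment.
    return h(b"nf", spend_key, note.rho)


@dataclass
class Ledger:
    # Stands in for the note commitment tree. Commitments are never
    # removed, so observers cannot tell which note a spend consumed.
    commitments: set = field(default_factory=set)
    # Every node stores every nullifier ever revealed (double-spend set).
    nullifiers: set = field(default_factory=set)

    def mint(self, note: Note) -> None:
        self.commitments.add(note.commitment())

    def shielded_spend(self, spend_key: bytes, inputs: list, outputs: list) -> bool:
        owner_pk = public_key(spend_key)
        # 1. Each input note has a revealed commitment in the tree and
        #    belongs to the spender.
        for n in inputs:
            if n.commitment() not in self.commitments or n.owner_pk != owner_pk:
                return False
        # 2. Inputs sum to outputs: no value is created or destroyed.
        if sum(n.value for n in inputs) != sum(n.value for n in outputs):
            return False
        # 3. No nullifier may repeat, within this spend or against history.
        nfs = {nullifier(spend_key, n) for n in inputs}
        if len(nfs) != len(inputs) or nfs & self.nullifiers:
            return False
        self.nullifiers |= nfs
        for n in outputs:
            self.commitments.add(n.commitment())
        return True


def demo() -> tuple:
    """Runs one valid spend, then three rejected attempts."""
    ledger = Ledger()
    alice_sk = b"constructed-alice-spend-key"
    bob_sk = b"constructed-bob-spend-key"
    alice_pk, bob_pk = public_key(alice_sk), public_key(bob_sk)

    coin = Note(10, b"rho-1", b"r-1", alice_pk)
    ledger.mint(coin)
    to_bob = Note(7, b"rho-2", b"r-2", bob_pk)
    change = Note(3, b"rho-3", b"r-3", alice_pk)

    ok = ledger.shielded_spend(alice_sk, [coin], [to_bob, change])
    # Same input again: commitment still present, but nullifier is known.
    double_spend = ledger.shielded_spend(alice_sk, [coin], [Note(10, b"rho-4", b"r-4", alice_pk)])
    # Bob tries to turn 7 into 8: value balance fails.
    inflate = ledger.shielded_spend(bob_sk, [to_bob], [Note(8, b"rho-5", b"r-5", bob_pk)])
    # Alice tries to spend Bob's note: ownership check fails.
    theft = ledger.shielded_spend(alice_sk, [to_bob], [Note(7, b"rho-6", b"r-6", alice_pk)])
    return ok, double_spend, inflate, theft


if __name__ == "__main__":
    print(demo())  # expect (True, False, False, False)
```

In real ZCash the validator never sees the note values, keys or commitment openings; the proof convinces it that these same checks hold, and only the nullifiers and new commitments are published.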
ZCash also relies on a proving key and a verifying key, generated once for the circuit, for creating and checking proofs. Controversially, generating them requires a trusted setup (called a public parameter ceremony in ZCash), whose output is published to all network participants. The ceremony was run as a multi-party computation: each participant generated a secret share of the setup randomness, contributed its public part, and then destroyed the secret. The published parameters are what users employ to create shielded transactions and what nodes use to verify them. The problem with this design is the leftover secret (often called toxic waste): anyone who obtained it could forge proofs and create counterfeit ZCash that the network would accept as valid. The secret would not, however, let an attacker break the anonymity of shielded transactions. The setup remains secure as long as at least one participant honestly destroyed their share.
Naturally, such a problem is a cause for concern, which is why ZCash has documented the ceremony in detail to provide the highest level of assurance possible.
Verifying a zk-SNARK is cheap, but generating one is expensive, and that cost falls entirely on the creator of a shielded transaction. As a result, building a shielded transaction was very cumbersome before Sapling: it typically took 40 seconds or more and required around 1 GB of memory, and in severe cases took as long as 7 minutes and 3 GB of memory. This cost is the main reason shielded transactions are not the default in ZCash; transparent addresses are the default, and users have to opt in to shielded transactions deliberately.
The major takeaway from the use of zk-SNARKs in ZCash is that the details of a shielded transaction (sender, receiver, and amount) stay hidden even though the transaction sits on a public blockchain. The implications of this are broad and extend to applications such as anonymous blockchain-based voting and decentralized identity verification.
Sapling was conceived in 2016 and started as a side project that grew into a full upgrade of the anonymity technology in the ZCash network. The primary problem that Sapling addresses is the bulky nature of zk-SNARK proof generation and, correspondingly, of shielded transactions. Sapling makes proof creation cheap enough to broaden the potential adoption of the cryptocurrency.
Notably, Sapling required another trusted setup, since the new circuit needs new parameters, and the ceremony itself was one of the things the ZCash team set out to improve on. The Powers of Tau ceremony, a generic first phase with many more participants than the six-party 2016 ceremony, ran between November 2017 and April 2018, and ZCash completed the circuit-specific Multi-Party Computation (MPC) in May 2018 to finalize the Sapling zk-SNARK parameters.
Sapling drastically reduces the amount of time and memory needed for constructing zk-SNARKs. According to ZCash, the time requirements for constructing a shielded transaction decreased by 90 percent and the memory requirements by 97 percent. This means shielded transactions can be conducted in several seconds with only 40 MB memory.
Sapling also decoupled the hardware that constructs the zk-SNARK proof from the hardware that signs the transaction, so a low-power signing device can delegate proof generation to a more capable machine without exposing its spending key. New keys known as full viewing keys let shielded address owners (or a third party they choose, such as an auditor) view incoming and outgoing transaction details without being given the private spending key. Finally, Sapling replaced the Barreto-Naehrig pairing-friendly curve with BLS12-381. The new curve is both more efficient and offers a stronger security margin than the previous one, improving the performance and verification time of zk-SNARK proofs.
The successful upgrade to Sapling has important implications for the future of the ZCash network. One of the primary goals of the ZCash developers, as articulated by Sean Bowe, is to make shielded transactions cheap and practical enough that they can become the default for all users. Doing so would give ZCash a larger design space, as Bitcoin has, in which better applications and features can be built on top of the protocol layer.
Sapling is a major step in reducing the barriers to using ZCash and in emphasizing its privacy strengths. Its efficiency gains make shielded transactions viable on mobile devices rather than limiting them to users with capable desktop hardware. Integrating shielded ZCash transactions on exchanges and at vendors is now also much more viable.
Privacy-Oriented Coins Trending Towards Increased Practicality for Users
ZCash’s Sapling upgrade mirrors a similar efficiency improvement in the privacy-oriented cryptocurrency Monero. Monero recently integrated bulletproofs, short zero-knowledge range proofs that require no trusted setup, into its protocol, and the resulting improvements in transaction size and fees were immense. Transaction sizes and fees dropped by more than 95 percent, and the upgrade was a resounding success, similar to Sapling.
The Sapling upgrade and Monero’s bulletproof upgrade represent a growing trend of privacy-oriented cryptocurrencies increasing the efficiency of their once-cumbersome anonymity-preserving transactions. By reducing the problems in transaction size, creation speed, and transaction fees, these networks are transitioning to a new stage of development where they are focusing on building the foundation for user-friendly applications and mobile ubiquity.
The consequences of this cannot be overstated. A larger design space for these anonymous cryptocurrencies is appealing to the many users who share the developers' privacy values but are not comfortable using more complex cryptocurrencies. Further, merchants can accept anonymous transactions, and fees may drop low enough for anonymous micropayments to become a reality.
Privacy and security will likely be the main focus of anonymous cryptocurrencies as it is a continually evolving effort, but their recent inclination to focus on efficiency is a promising sign.