What is Zcash?

This recently launched cryptocurrency has received attention for its enhanced privacy
features. Zooko Wilcox, the project's lead developer, explains how these features work and
what they mean for policymakers.

By Zooko Wilcox & Peter Van Valkenburgh / December 8, 2016

Zcash is a cryptocurrency network that launched in October of 2016. Like other

cryptocurrency networks (e.g. Bitcoin or Ethereum), Zcash allows anyone with a computer
and an Internet connection to send and receive scarce tokens that can be used like cash on the
Internet. The software that powers Zcash is directly derived from Bitcoin’s core software, but
it has been modified in order to enhance user privacy.

The members of the network who relay, validate, and bundle user transactions into blocks
are, like in Bitcoin, commonly called miners. These miners are rewarded for honest
participation with transaction fees and newly minted Zcash, and they must solve a difficult
math problem (similar but distinct from Bitcoin’s mining algorithm) in order to earn the
privilege of participation. As with Bitcoin, anyone can be a miner on the Zcash network, all
they need is an Internet connection, a reasonably powerful computer, and the free and open
source Zcash software. Zcash is an open blockchain network.

Why launch a new cryptocurrency with enhanced

privacy?
Bitcoin has been around for almost a decade, and by now many people have realized that it is
not nearly as private or anonymous as many initially thought. That can be a good thing when
it comes to catching criminals, but it can also be a bad thing for innocent users. In fact,
Bitcoin’s current specifications make it almost impossible for an unsophisticated innocent
user to have any privacy.
Here’s a simple example. Most people use bitcoin by sharing a payment address that looks
something like this:

1CPwNACt62wts2yGbz1vUuqeGD58SzzeAL

Maybe that address belongs to a bartender. To accept bitcoin for cocktails the bartender puts
that address on a poster behind the bar in the form of a QR code so it would look something
like this (courtesy of Room77 in Berlin):

Patrons at the bar can take a picture of that code with their smartphone and use a bitcoin
wallet app to pay that address for their drinks. Trouble is, anyone can look that address up in
the Bitcoin blockchain and see every incoming transaction and the total amount of bitcoin
sitting in that address. If we look up that information, then we have at least some idea of how
rich the bartender is (good information for a would-be robber), and how successful the bar
has been (good information for the competing bar next-door). Also, if we sat next to someone
while they took a picture of the payment code with their phone, then we might have a good
idea of how rich the customer next to us is as well by identifying the most recent incoming
transaction for the bartender’s address and looking up the balance of the sending address, the
customer’s address.

This poor privacy can be marginally improved by having your Bitcoin wallet generate a new
payment address every time you want to be paid. So the bartender would now show each
customer a new and different QR code to pay his or her individual tab. But the basic issue
remains. Often those separate balances will be combined to fund an outgoing transaction.
Perhaps the bartender wants to pay her rent with bitcoins she has received from patrons, but
that single rent transaction is larger than any single payment from a patron. The bartender
will need to use several of her receiving addresses to pay the rent, and all those addresses are
then combined in a transaction message that ends up in the blockchain. By analyzing these
transactions, a stranger who knows one of the bartender’s addresses can create a map of
clustered addresses that are used by the bartender. So with clustering analysis, the stranger
can still get a pretty good idea of the bartender’s net bitcoin worth, and learn all sorts of
things about the bartender, like how much she pays in rent and how often.

To be truly private, a bitcoin user needs to take all kinds of technical precautions: never using
the same payment address twice, avoiding recombining payment addresses as inputs for later
transactions, sending funds to mixing services that will shuffle bitcoin balances amongst a
bunch of other bitcoin users (and hopefully not run off with their money), using Tor or other
private Internet services to make it harder to link geographic data from IP addresses to
transaction messages; the list goes on. These are difficult steps for a technologically
unsophisticated user to take, and even a sophisticated user might not take these steps if they
aren’t doing anything criminal and feel that the benefits of privacy simply aren’t worth the
costs.

As a result, Bitcoin as currently specified creates a perverse outcome: sophisticated criminals

might be able to squeeze some anonymity out of the system, but your average innocent user
gets no privacy whatsoever.

How is Zcash more private?

The Zcash network uses modified Bitcoin software to allow users a choice whenever they
transact. You can get paid at a normal address that works transparently just like a Bitcoin
address (we call this a transparent address, or “t-addr”) or you can use a private payment
address (we call this a shielded address, or “z-addr”). If two people transact with shielded
addresses, the Zcash blockchain will not record the details of that transaction publicly. All of
those details are things that otherwise would be used to identify them: things like the amount
of Zcash just sent and received and the addresses of the payor or payee. With Zcash shielded
addresses, all of that information is encrypted or kept secret from the public.

Of course, that raises an important question. How do the users of the Zcash network know
that no new money was created in a private transaction? How do we know that the sender did
not just counterfeit new Zcash instead of sending you her existing balances? In Bitcoin you
know that there has been no counterfeiting because the blockchain has an indelible record of
all transactions that is complete with details like amount sent, sender address, and recipient
address. That blockchain record goes all the way back to the beginning of the network, and if
you sum up all the transactions you will get a number of Bitcoin in circulation that is only the
amount of bitcoins legitimately mined so far mined. This gives us confidence that bitcoins are
only being created according to the rules of the software; no fishy counterfeiting is taking
place. So how can we be sure that there is no counterfeiting in Zcash if we cannot see all of
the individual transaction records on the blockchain? This is where the new Zcash technology
comes in.

Zcash uses cutting edge math and science to create a privacy protecting blockchain.
Specifically, it uses cryptographic functions that are called zk-SNARKs. That stands for
Zero-Knowledge Succinct Non-interactive Arguments of Knowledge. It's a mouthful
(computer scientists aren’t always the best at naming things), but what it means is this: with a
zk-SNARK, a computer or network of computers can take some otherwise encrypted and
unreadable data and prove certain limited facts are true about that data without revealing
anything else about that data. So in the case of payments made to and from a shielded Zcash
address, using a zk-SNARK built into the protocol software, the network can prove to any
user that, on-net, all outgoing transactions equal all incoming transactions (i.e. no new money
was created), but the zk-SNARK function proves it without revealing the specifics of those
individual transactions, all the data that would be used to compromise your privacy.

Can regulated institutions use Zcash?

Financial institutions are legally required to comply with anti-money laundering and anti-
terrorist financing laws and regulations. Can these institutions use a payment system and
currency that leaves no record of individual transactions? Absolutely! That system is called
cash and just about every financial institution in the world uses it. Cash transactions are still
much more opaque than any cryptocurrency transaction, even a Zcash transaction from a
shielded address.

If I go into a bank and hand the teller $1,000 worth of cash, the bank would have less
information about that transaction—where I got the money in the first place—than if I sent
them $1,000 worth of Zcash from a shielded address. At least with Zcash they know for sure
that the money isn’t counterfeit. Just as financial institutions can accept and hold your cash
without running afoul of the regulations, they can accept and hold Zcash as long as they
continue to keep their own internal records as they are required to do by law.

The responsibility to comply with things like the Bank Secrecy Act (a financial surveillance
law in the U.S.) is a responsibility borne by the institution and not by the technology behind
the medium of exchange or the developers of that technology. We don’t ask the Federal
Reserve to record all cash transactions, we ask that individual banks or money services
businesses keep their own records, do their own Know-Your-Customer diligence, and reports
things that look suspicious.

As we’ll see in the next section, financial institutions can implement compliance with Zcash,
potentially even better than they can do with Bitcoin, because they can give regulators or
(duly authorized, warrant-bearing) law enforcement privileged access to sensitive data in the
blockchain. This approach to compliance is also arguably better than compliance using
traditional pre-blockchain banking.

Does Zcash make regulation more difficult?

Zcash’s shielded addresses may make it more difficult for regulators and law enforcement to
investigate using public data from the blockchain, but Zcash also has some built-in features
that can help simplify regulatory compliance without compromising the privacy of innocent
users. Two relevant technical concepts are view keys and memos.

Every shielded address comes with what we call a view key that is generated for the holder of
the address. She can choose to share this view key with anyone else in the world. With that
view key a person can get the details about the particular transactions sent from that address;
they can see the recipient addresses and the amounts sent. Not only can they see these details,
they can prove them with the certainty of a blockchain data structure.

(Note: at the time of this writing, the current version of Zcash — v1.0.3 — does not have
complete support for users to retrieve and use view keys, even though they are effectively
already included in the protocol.)

Accordingly, whenever the law demands transparency and whenever proper legal process is
followed to obtain that transparency, a user or regulated firm can easily oblige by sharing the
view key that un-blinds private transactions with the proper authorities. This is, in many
ways, superior to the current state of affairs with Bitcoin where both law enforcement and the
general public can see a wealth of private information about your Bitcoin addresses. It’s also
better than the current state of affairs with pre-blockchain banking transactions because the
data being shared can be verified by an open network of computers, rather than law
enforcement needing to take the regulated party or the individual being questioned at their
word.

Zcash transactions also have a memo field that can be used to send additional data about the
transaction viewable only to the recipient. This memo could carry data between financial
institutions wherever they are required by law to send that data along (e.g. the “travel rule”
requirement in the Bank Secrecy Act).

Why is financial privacy technology important?

Ultimately we believe that personal privacy is necessary for core human values like dignity,
intimacy, and ethics. Without privacy, people will often abstain from doing anything that is
legal but also unpopular or politically incorrect. This chills free expression and leaves us with
a less diverse and less resilient community. Leaked private financial data can also be used by
businesses to discriminate against vulnerable populations, or people with a lot to lose. Data
analytics technology is advancing rapidly and without financial privacy we run the risk of
being dealt with or identified in business or even personal contexts as merely an amalgam of
facts and figures, rather than as unique individuals with dignity.

Financial privacy is also essential in an institutional context. As large financial institutions

like banks have begun investigating blockchain technology to streamline their business
processes, one of the chief impediments has been the transparency inherent in a Bitcoin-like
blockchain. When you trade and how much you trade is proprietary information that an
institution like an investment bank would likely rather not share with their competitors. The
zk-SNARK technology pioneered for Zcash might allow big firms to use blockchains as cost-
saving infrastructure without forcing them to share that proprietary information.

At heart this is the core goal of Zcash, to build an open and trustworthy financial system that
doesn’t put our privacy and freedom at risk.

Zooko Wilcox is Founder and CEO of the Zcash Electric Coin Company. He has more than
20 years of experience in open, decentralized systems, cryptography and information
security, and startups. He is recognized for his work on DigiCash, Mojo Nation, ZRTP,
“Zooko's Triangle”, Tahoe-LAFS, BLAKE2, and SPHINCS.
The weekly briefing from Coin Center.
Everything you need to know about cryptocurrency and public policy in one entertaining
read.

Based in Washington, D.C., Coin Center is the leading non-profit research and advocacy center
focused on the public policy issues facing cryptocurrency and decentralized computing technologies
like Bitcoin and Ethereum. Our mission is to build a better understanding of these technologies and
to promote a regulatory climate that preserves the freedom to innovate using permissionless
blockchain technologies.

What is “Blockchain” anyway?

Everyone loves tech's hottest buzzword but no one seems to know what it means.

By Peter Van Valkenburgh / April 25, 2017

“Blockchain” has become a buzzword in the technology and financial industries. It is often
cited as a panacea for all manner business and governance problems. “Blockchain’s”
popularity may be an encouraging sign for innovation, but it has also resulted in the word
coming to mean too many things to too many people, and—ultimately—almost nothing at all.

The word “blockchain” is like the word “vehicle” in that they both describe a broad class of
technology. But unlike the word “blockchain” no one ever asks you, “Hey, how do you feel
about vehicle?” or excitedly exclaims, “I’ve got it! We can solve this problem with vehicle.”
And while you and I might talk about “vehicle technology,” even that would be a strangely
abstract conversation. We should probably talk about cars, trains, boats, or rocketships,
depending on what it is about vehicles that we are interested in. And “blockchain” is the
same. There is no “The Blockchain” any more than there is “The Vehicle,” and the category
“blockchain technology” is almost hopelessly broad.

There’s one thing that we definitely know is blockchain technology, and that’s Bitcoin. We
know this for sure because the word was originally invented to name and describe the
distributed ledger of bitcoin transactions that is created by the Bitcoin network. But since the
invention of Bitcoin in 2008, there have been several individuals, companies, consortia, and
nonprofits who have created new networks or software tools that borrow something from
Bitcoin—maybe directly borrowing code from Bitcoin’s reference client or maybe just
building on technological or game-theoretical ideas that Bitcoin’s emergence uncovered.
You’ve probably heard about some of these technologies and companies or seen their logos.

Aside from being in some way inspired by Bitcoin what do all of these technologies have in
common? Is there anything we can say is always true about a blockchain technology? Yes.

All blockchains have...

All blockchain technologies should have three constituent parts: peer-to-peer networking,
consensus mechanisms, and (yes) blockchains, A.K.A. hash-linked data structures. You
might be wondering why we call them blockchain technologies if the blockchain is just one
of three essential parts. It probably just comes down to good branding. Ever since Napster
and BitTorrent, the general public has unfortunately come to associate peer-to-peer networks
with piracy and copyright infringement. “Consensus mechanism” sounds very academic and
a little too hard to explain a little too much of a mouthful to be a good brand. But
“blockchain,” well that sounds interesting and new. It almost rolls off the tongue; at least
compared to, say, “cryptography” which sounds like it happens in the basement of a church.

But understanding each of those three constituent parts makes blockchain technology
suddenly easier to understand. And that’s because we can write a simple one sentence
explanation about how the three parts achieve a useful result:

Connected computers reach agreement over shared data.

That’s what a blockchain technology should do; it should allow connected computers to
reach agreement over shared data. And each part of that sentence corresponds to our three
constituent technologies.

Connected Computers. The computers are connected in a peer-to-peer network. If your

computer is a part of a blockchain network it is talking directly to other computers on that
network, not through a central server owned by a corporation or other central party.
Reach Agreement. Agreement between all of the connected computers is facilitated by using
a consensus mechanism. That means that there are rules written in software that the
connected computers run, and those rules help ensure that all the computers on the network
stay in sync and agree with each other.

Shared Data. And the thing they all agree on is this shared data called a blockchain.
“Blockchain” just means the data is in a specific format (just like you can imagine data in the
form of a word document or data in the form of a image file). The blockchain format simply
makes data easy for machines to verify the consistency of a long and growing log of data.
Later data entries must always reference earlier entries, creating a linked chain of data. Any
attempt to alter an early entry will necessitate altering every subsequent entry, otherwise
digital signatures embedded in the data will reveal a mismatch. Specifically how that all
works is beyond the scope of this backgrounder, but it mostly has to do with the science of
cryptography and digital signatures. Some people might tell you that this makes blockchains
“immutable,” that’s not really accurate. The blockchain data structure will make alterations
evident, but if the people running the connected computers choose to accept or ignore the
alterations then they will remain.

Bitcoin as illustration.
Explaining how this all works in Bitcoin provides a helpful example.

So, what are the connected computers in the Bitcoin blockchain technology? They are any
devices on the Internet running Bitcoin-compatible software. That software could be a wallet
app or it could be software for “mining” bitcoin. If, for example, you run a Bitcoin software
wallet on your phone, then whenever you send or receive Bitcoin transactions your phone
will be talking directly to any other nearby computers that are running Bitcoin software; it’s
peer-to-peer. Some people are uncomfortable running important software on their personal
devices and that’s reasonable because if you are not careful when you run that software, you
could accidentally lose your bitcoins. So some people might use a Bitcoin wallet that is
created and maintained by a company. In this case, the wallet app on your smartphone will
talk to a server that the company maintains, and it's that server that connects to the peer-to-
peer network on your behalf.

What about the consensus mechanism in Bitcoin? Well, as with any consensus mechanism,
it’s a series of rules written in computer code. To be compatible with the Bitcoin network any
software you run on your Internet-connected device must follow these rules. If your software
is modified to try and break the rules, then the messages it sends on the Internet will be
ignored by all the other computers running honest, rule-obeying Bitcoin software.

There are a bunch of rules in the Bitcoin consensus mechanism, but we can highlight two of
them here and transcribe them roughly from computer code into natural language:

1. Nobody can send bitcoins that they have not first received from someone else or a
coinbase transaction.
2. Every 10 minutes one of the connected computers will be selected to choose the order
of valid transactions for that period; that computer can write itself a coinbase
transaction.

That first rule is pretty self-explanatory. It’s a rule against counterfeiting. The only exception
is when someone sends themselves brand new bitcoins (known as a coinbase transaction)
according to the network’s rules for new money creation. The second one isn’t very hard to
understand either once we have some context.

Recall that the connected computers are talking directly to one another, and keep in mind that
those computers could be anywhere in the world because it all works on top of the global
Internet.

If some computers are in, for example, China, and others are in the U.S., it’s likely they will
get out of sync because messages about transactions will originate in different parts of the
world and propagate across the Internet at different rates. A connected computer in China
might think the most recent transactions came in this order: A, B, C. While a computer in the
U.S. may have seen them come in the reverse order C, B, A. How do we make sure all the
computers agree on the order? Well, as rule 2 specifies, every 10 minutes one computer will
be chosen to state the authoritative order of transactions for that period of time, and then
another will be chosen, and so on. In computer science this arrangement is called a repeated
leader election, but unlike a normal political election the periodic leader is simply chosen at
random.

Notice also that our rule 2 specifies that the leader can only give the order of valid
transactions. If the chosen leader tried to include a transaction where they gave themselves
millions of counterfeit bitcoins, then they would have broken rule one. Their scammy
messages are simply ignored by the rest of the computers as per the rules of the consensus
mechanism.

The chosen leader can, however, write themselves a coinbase transaction that will reward
them for their honest work in maintaining the network. This transaction creates new bitcoins
out of thin air as a reward, but it must match a predefined money creation schedule (you can’t
just choose the size of your reward). That money creation schedule is just another rule within
the Bitcoin consensus mechanism software.
Finally, there’s Bitcoin’s shared data, its blockchain. This is just a list of all Bitcoin
transactions that have occurred since the network started in 2009. Here’s a stylized
illustration:

Of course the real Bitcoin blockchain has many more transactions in it, millions since the
network started. Also, the transactions don’t have human-readable names in them like the
illustration above suggests. Instead, the sender and recipient are represented by what’s called
a public address. It’s a pseudorandom but unique string of letters and numbers that is
generated locally on the smartphone or computer of a particular Bitcoin user. It looks like
this, 1CPwNACt62wts2yGbz1vUuqeGD58SzzeAL, and the user’s device will also generate a
matching secret key (another pseudorandom but unique string of numbers and letters) that
must be used to sign transactions spending funds from that address. Think of it like a
password. All in all, however, the blockchain is pretty simple in that sense, it’s just a list of
transactions between addresses that’s presented in a way that makes it easy for computers to
verify the data.

How various blockchain technologies may differ.

What about other, non-Bitcoin blockchain technologies? Well they all follow the same design
pattern. They will have peer-to-peer networking, a consensus mechanism, and a blockchain,
and they will enable connected computers to reach agreement over shared data.

There are two things that can differ from Bitcoin, however. The shared data may be different,
and the consensus mechanism may be engineered with different design choices.

Here’s how the data can differ. Instead of being a list of bitcoin transactions, the shared data
could be votes in an election, or identity credentials (think of it like a tokenized driver’s
license or proof of a credit score). Or the data could be the current state of a running
computation. In other words the data could be related to a global computer that anyone is
allowed to write and read data from; that’s one way to describe Ethereum, another open
blockchain network inspired by Bitcoin.

The consensus mechanism could also be different than Bitcoin’s. These differences aren’t
necessarily good or bad; remember that “blockchain” is like “vehicle.” Sometimes you might
need a boat, other times a rocketship. Not all vehicles are good for all use cases.

There are three big design choices that might make the consensus mechanism different from
Bitcoin’s. These tradeoffs and choices merit a much longer discussion, but here’s a basic
overview:

1. Open or Closed? Does the consensus mechanism allow anyone to join and
participate, or is participation limited to identified parties on the network who were
previously provisioned with an access credential by a company, consortium, or other
central party that is creating or implementing the blockchain technology? In other
words is it an open network (like the Internet) or a closed or permissioned network
(like a company intranet)?
2. Private or Transparent? Does the consensus mechanism privilege data privacy
above data transparency and auditability? Or vice versa? To some extent this is an
iron trade-off. Recall that all the computers must reach agreement on the shared data.
If the data was private to a handful of individuals then only those individuals on the
network would be able to verify and agree on the data. There may be a way around
this tradeoff in consensus design thanks to some new research into “zero-knowledge
proofs,” and the launch of a new privacy-protecting public network called Zcash.
3. Edge or Center? Does the consensus mechanism put security at the edge of the
network or at the center. Open blockchain networks like Bitcoin have consensus
mechanisms that push the responsibility for security to the edge, to the individual
computers owned and controlled by users. So if you receive bitcoins on your
smartphone using a software wallet, for example, your device is the only device on
the whole network that can now spend those bitcoins. Without the secret key
generated on your phone, the bitcoins can never move. This is in sharp contrast to pre-
Bitcoin electronic payment systems where an intermediary like a credit card company
could step in and reverse a transaction or move funds out of your account without
needing you to take any action with your card or banking app.

Having security at the edge may be a disadvantage for someone who loses their phone
and failed make a backup of their credentials, but it’s also an advantage system-wide
because there’s no longer a central party who could be hacked or be dishonest and
thereby put everyone’s money or data at risk.

Permissioned blockchain technologies retain some power at the center of the network
because—at the very least—there will be one party who is relied upon to identity
permitted member computers and provision them with an access credential.

Those are the primary possible differences between blockchain technologies. There’s still
plenty of room for elaboration, details, and future possibilities, but hopefully you’ve got a
better handle on the fundamental architecture of these exciting new tools. Just remember,
blockchain technology means that connected computers reach agreement over shared data.
The weekly briefing from Coin Center.
Everything you need to know about cryptocurrency and public policy in one entertaining
read.

Based in Washington, D.C., Coin Center is the leading non-profit research and advocacy
center focused on the public policy issues facing cryptocurrency and decentralized computing
technologies like Bitcoin and Ethereum. Our mission is to build a better understanding of
these technologies and to promote a regulatory climate that preserves the freedom to innovate
using permissionless blockchain technologies.