What is Zcash? This recently launched cryptocurrency has received attention for its enhanced privacy features. Zooko Wilcox, the project's lead developer, explains how these features work and what they mean for policymakers. By Zooko Wilcox & Peter Van Valkenburgh / December 8, 2016
Zcash is a cryptocurrency network that launched in October of 2016. Like other cryptocurrency networks (e.g. Bitcoin or Ethereum), Zcash allows anyone with a computer and an Internet connection to send and receive scarce tokens that can be used like cash on the Internet. The software that powers Zcash is directly derived from Bitcoin’s core software, but it has been modified in order to enhance user privacy. The members of the network who relay, validate, and bundle user transactions into blocks are, like in Bitcoin, commonly called miners. These miners are rewarded for honest participation with transaction fees and newly minted Zcash, and they must solve a difficult math problem (similar to but distinct from Bitcoin’s mining algorithm) in order to earn the privilege of participation. As with Bitcoin, anyone can be a miner on the Zcash network; all they need is an Internet connection, a reasonably powerful computer, and the free and open source Zcash software. Zcash is an open blockchain network.
Why launch a new cryptocurrency with enhanced privacy? Bitcoin has been around for almost a decade, and by now many people have realized that it is not nearly as private or anonymous as many initially thought. That can be a good thing when it comes to catching criminals, but it can also be a bad thing for innocent users. In fact, Bitcoin’s current specifications make it almost impossible for an unsophisticated innocent user to have any privacy.
Here’s a simple example. Most people use bitcoin by sharing a payment address that looks something like this:
1CPwNACt62wts2yGbz1vUuqeGD58SzzeAL
Maybe that address belongs to a bartender. To accept bitcoin for cocktails the bartender puts that address on a poster behind the bar in the form of a QR code so it would look something like this (courtesy of Room77 in Berlin):
Patrons at the bar can take a picture of that code with their smartphone and use a bitcoin wallet app to pay that address for their drinks. Trouble is, anyone can look that address up in the Bitcoin blockchain and see every incoming transaction and the total amount of bitcoin sitting in that address. If we look up that information, then we have at least some idea of how rich the bartender is (good information for a would-be robber), and how successful the bar has been (good information for the competing bar next-door). Also, if we sat next to someone while they took a picture of the payment code with their phone, then we might have a good idea of how rich the customer next to us is as well by identifying the most recent incoming transaction for the bartender’s address and looking up the balance of the sending address, the customer’s address. This poor privacy can be marginally improved by having your Bitcoin wallet generate a new payment address every time you want to be paid. So the bartender would now show each customer a new and different QR code to pay his or her individual tab. But the basic issue remains. Often those separate balances will be combined to fund an outgoing transaction.
Perhaps the bartender wants to pay her rent with bitcoins she has received from patrons, but that single rent transaction is larger than any single payment from a patron. The bartender will need to use several of her receiving addresses to pay the rent, and all those addresses are then combined in a transaction message that ends up in the blockchain. By analyzing these transactions, a stranger who knows one of the bartender’s addresses can create a map of clustered addresses that are used by the bartender. So with clustering analysis, the stranger can still get a pretty good idea of the bartender’s net bitcoin worth, and learn all sorts of things about the bartender, like how much she pays in rent and how often. To be truly private, a bitcoin user needs to take all kinds of technical precautions: never using the same payment address twice, avoiding recombining payment addresses as inputs for later transactions, sending funds to mixing services that will shuffle bitcoin balances amongst a bunch of other bitcoin users (and hopefully not run off with their money), using Tor or other private Internet services to make it harder to link geographic data from IP addresses to transaction messages; the list goes on. These are difficult steps for a technologically unsophisticated user to take, and even a sophisticated user might not take these steps if they aren’t doing anything criminal and feel that the benefits of privacy simply aren’t worth the costs. As a result, Bitcoin as currently specified creates a perverse outcome: sophisticated criminals might be able to squeeze some anonymity out of the system, but your average innocent user gets no privacy whatsoever.
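The clustering analysis described above is usually called the common-input-ownership heuristic: every address spent together as inputs of one transaction is assumed to belong to the same person. The following is an added example, not code from the Coin Center article, that runs that heuristic over a constructed ledger mirroring the bartender scenario (made-up address labels, amounts in satoshis so sums are exact). It shows why combining receiving addresses links them, and why the precautions listed above (fresh addresses, never recombining inputs) keep addresses such as bar4 unlinked.

```python
"""Address clustering by the common-input-ownership heuristic.

Added example for the bartender scenario; not code from the article.
A transaction is (inputs, outputs): inputs is the list of addresses whose
funds are spent together, outputs a list of (address, amount_in_satoshis).
The ledger below is constructed for illustration.
"""

SAMPLE_TXS = [
    (["patronA"], [("bar1", 2_000_000)]),          # four patrons each pay a
    (["patronB"], [("bar2", 3_000_000)]),          # fresh receiving address
    (["patronC"], [("bar3", 1_000_000)]),
    (["patronD"], [("bar4", 5_000_000)]),
    # rent: three receiving addresses are combined as inputs; bar5 is change
    (["bar1", "bar2", "bar3"], [("landlord", 5_500_000), ("bar5", 500_000)]),
    (["stranger1"], [("stranger2", 100_000_000)]),  # unrelated activity
]


class UnionFind:
    """Disjoint-set forest: addresses spent together end up in one set."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def build_clusters(txs):
    """Apply the heuristic: all inputs of one transaction share an owner."""
    uf = UnionFind()
    for inputs, _ in txs:
        for addr in inputs[1:]:
            uf.union(inputs[0], addr)
        uf.find(inputs[0])  # register single-input addresses too
    return uf


def cluster_of(txs, known_addr):
    """Every address the heuristic links to the one the stranger knows."""
    uf = build_clusters(txs)
    root = uf.find(known_addr)
    return {a for a in uf.parent if uf.find(a) == root}


def total_received(txs, cluster):
    """Sum of all outputs paid into the cluster (a proxy for the bar's revenue)."""
    return sum(amt for _, outs in txs for addr, amt in outs if addr in cluster)


def outflows(txs, cluster):
    """Payments leaving the cluster, e.g. the rent. Change outputs to addresses
    not yet linked (bar5 here) still show up as if they were payees; a separate
    change-detection heuristic would be needed to exclude them."""
    return [(addr, amt) for ins, outs in txs if ins[0] in cluster
            for addr, amt in outs if addr not in cluster]


if __name__ == "__main__":
    known = cluster_of(SAMPLE_TXS, "bar1")
    print("linked to bar1:", sorted(known))
    print("received by cluster:", total_received(SAMPLE_TXS, known))
    print("payments out of cluster:", outflows(SAMPLE_TXS, known))
    print("linked to bar4 (never combined):", sorted(cluster_of(SAMPLE_TXS, "bar4")))
```

Starting from the single address bar1, the heuristic recovers bar2 and bar3, the total the three collected, and the rent payment to the landlord; bar4, which was never spent together with anything, stays an island of its own.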
How is Zcash more private? The Zcash network uses modified Bitcoin software to allow users a choice whenever they transact. You can get paid at a normal address that works transparently just like a Bitcoin address (we call this a transparent address, or “t-addr”) or you can use a private payment address (we call this a shielded address, or “z-addr”). If two people transact with shielded addresses, the Zcash blockchain will not record the details of that transaction publicly. All of those details are things that otherwise would be used to identify them: things like the amount of Zcash just sent and received and the addresses of the payor or payee. With Zcash shielded addresses, all of that information is encrypted or kept secret from the public. Of course, that raises an important question. How do the users of the Zcash network know that no new money was created in a private transaction? How do we know that the sender did not just counterfeit new Zcash instead of sending you her existing balances? In Bitcoin you know that there has been no counterfeiting because the blockchain has an indelible record of all transactions that is complete with details like amount sent, sender address, and recipient address. That blockchain record goes all the way back to the beginning of the network, and if you sum up all the transactions you will get a number of bitcoins in circulation that is exactly the amount legitimately mined so far. This gives us confidence that bitcoins are only being created according to the rules of the software; no fishy counterfeiting is taking place. So how can we be sure that there is no counterfeiting in Zcash if we cannot see all of the individual transaction records on the blockchain? This is where the new Zcash technology comes in. Zcash uses cutting edge math and science to create a privacy protecting blockchain. Specifically, it uses cryptographic functions that are called zk-SNARKs. That stands for Zero-Knowledge Succinct Non-interactive Arguments of Knowledge. It’s a mouthful (computer scientists aren’t always the best at naming things), but what it means is this: with a zk-SNARK, a computer or network of computers can take some otherwise encrypted and unreadable data and prove certain limited facts are true about that data without revealing anything else about that data. So in the case of payments made to and from a shielded Zcash address, using a zk-SNARK built into the protocol software, the network can prove to any user that, on net, all outgoing transactions equal all incoming transactions (i.e. no new money was created), but the zk-SNARK function proves it without revealing the specifics of those individual transactions, all the data that would be used to compromise your privacy.
Can regulated institutions use Zcash? Financial institutions are legally required to comply with anti-money laundering and anti-terrorist financing laws and regulations. Can these institutions use a payment system and currency that leaves no record of individual transactions? Absolutely! That system is called cash and just about every financial institution in the world uses it. Cash transactions are still much more opaque than any cryptocurrency transaction, even a Zcash transaction from a shielded address. If I go into a bank and hand the teller $1,000 worth of cash, the bank would have less information about that transaction — where I got the money in the first place — than if I sent them $1,000 worth of Zcash from a shielded address. At least with Zcash they know for sure that the money isn’t counterfeit. Just as financial institutions can accept and hold your cash without running afoul of the regulations, they can accept and hold Zcash as long as they continue to keep their own internal records as they are required to do by law. The responsibility to comply with things like the Bank Secrecy Act (a financial surveillance law in the U.S.) is a responsibility borne by the institution and not by the technology behind the medium of exchange or the developers of that technology. We don’t ask the Federal Reserve to record all cash transactions; we ask that individual banks or money services businesses keep their own records, do their own Know-Your-Customer diligence, and report things that look suspicious. As we’ll see in the next section, financial institutions can implement compliance with Zcash, potentially even better than they can do with Bitcoin, because they can give regulators or (duly authorized, warrant-bearing) law enforcement privileged access to sensitive data in the blockchain. This approach to compliance is also arguably better than compliance using traditional pre-blockchain banking.
Does Zcash make regulation more difficult? Zcash’s shielded addresses may make it more difficult for regulators and law enforcement to investigate using public data from the blockchain, but Zcash also has some built-in features that can help simplify regulatory compliance without compromising the privacy of innocent users. Two relevant technical concepts are view keys and memos.
Every shielded address comes with what we call a view key that is generated for the holder of the address. She can choose to share this view key with anyone else in the world. With that view key a person can get the details about the particular transactions sent from that address; they can see the recipient addresses and the amounts sent. Not only can they see these details, they can prove them with the certainty of a blockchain data structure. (Note: at the time of this writing, the current version of Zcash — v1.0.3 — does not have complete support for users to retrieve and use view keys, even though they are effectively already included in the protocol.) Accordingly, whenever the law demands transparency and whenever proper legal process is followed to obtain that transparency, a user or regulated firm can easily oblige by sharing the view key that un-blinds private transactions with the proper authorities. This is, in many ways, superior to the current state of affairs with Bitcoin where both law enforcement and the general public can see a wealth of private information about your Bitcoin addresses. It’s also better than the current state of affairs with pre-blockchain banking transactions because the data being shared can be verified by an open network of computers, rather than law enforcement needing to take the regulated party or the individual being questioned at their word. Zcash transactions also have a memo field that can be used to send additional data about the transaction viewable only to the recipient. This memo could carry data between financial institutions wherever they are required by law to send that data along (e.g. the “travel rule” requirement in the Bank Secrecy Act).
Why is financial privacy technology important? Ultimately we believe that personal privacy is necessary for core human values like dignity, intimacy, and ethics. Without privacy, people will often abstain from doing anything that is legal but also unpopular or politically incorrect. This chills free expression and leaves us with a less diverse and less resilient community. Leaked private financial data can also be used by businesses to discriminate against vulnerable populations, or people with a lot to lose. Data analytics technology is advancing rapidly and without financial privacy we run the risk of being dealt with or identified in business or even personal contexts as merely an amalgam of facts and figures, rather than as unique individuals with dignity. Financial privacy is also essential in an institutional context. As large financial institutions like banks have begun investigating blockchain technology to streamline their business processes, one of the chief impediments has been the transparency inherent in a Bitcoin-like blockchain. When you trade and how much you trade is proprietary information that an institution like an investment bank would likely rather not share with their competitors. The zk-SNARK technology pioneered for Zcash might allow big firms to use blockchains as cost-saving infrastructure without forcing them to share that proprietary information. At heart this is the core goal of Zcash, to build an open and trustworthy financial system that doesn’t put our privacy and freedom at risk.
Zooko Wilcox is Founder and CEO of the Zcash Electric Coin Company. He has more than 20 years of experience in open, decentralized systems, cryptography and information security, and startups. He is recognized for his work on DigiCash, Mojo Nation, ZRTP, “Zooko's Triangle”, Tahoe-LAFS, BLAKE2, and SPHINCS.
Based in Washington, D.C., Coin Center is the leading non-profit research and advocacy center focused on the public policy issues facing cryptocurrency and decentralized computing technologies like Bitcoin and Ethereum. Our mission is to build a better understanding of these technologies and to promote a regulatory climate that preserves the freedom to innovate using permissionless blockchain technologies.
What is “Blockchain” anyway? Everyone loves tech's hottest buzzword but no one seems to know what it means. By Peter Van Valkenburgh / April 25, 2017
“Blockchain” has become a buzzword in the technology and financial industries. It is often cited as a panacea for all manner of business and governance problems. “Blockchain’s” popularity may be an encouraging sign for innovation, but it has also resulted in the word coming to mean too many things to too many people, and — ultimately — almost nothing at all.
The word “blockchain” is like the word “vehicle” in that they both describe a broad class of technology. But unlike with the word “blockchain,” no one ever asks you, “Hey, how do you feel about vehicle?” or excitedly exclaims, “I’ve got it! We can solve this problem with vehicle.” And while you and I might talk about “vehicle technology,” even that would be a strangely abstract conversation. We should probably talk about cars, trains, boats, or rocketships, depending on what it is about vehicles that we are interested in. And “blockchain” is the same. There is no “The Blockchain” any more than there is “The Vehicle,” and the category “blockchain technology” is almost hopelessly broad. There’s one thing that we definitely know is blockchain technology, and that’s Bitcoin. We know this for sure because the word was originally invented to name and describe the distributed ledger of bitcoin transactions that is created by the Bitcoin network. But since the invention of Bitcoin in 2008, there have been several individuals, companies, consortia, and nonprofits who have created new networks or software tools that borrow something from Bitcoin — maybe directly borrowing code from Bitcoin’s reference client or maybe just building on technological or game-theoretical ideas that Bitcoin’s emergence uncovered. You’ve probably heard about some of these technologies and companies or seen their logos.
Aside from being in some way inspired by Bitcoin what do all of these technologies have in common? Is there anything we can say is always true about a blockchain technology? Yes.
All blockchains have... All blockchain technologies should have three constituent parts: peer-to-peer networking, consensus mechanisms, and (yes) blockchains, A.K.A. hash-linked data structures. You might be wondering why we call them blockchain technologies if the blockchain is just one of three essential parts. It probably just comes down to good branding. Ever since Napster and BitTorrent, the general public has unfortunately come to associate peer-to-peer networks with piracy and copyright infringement. “Consensus mechanism” sounds very academic, a little too hard to explain, and a little too much of a mouthful to be a good brand. But “blockchain,” well, that sounds interesting and new. It almost rolls off the tongue; at least compared to, say, “cryptography,” which sounds like it happens in the basement of a church. But understanding each of those three constituent parts makes blockchain technology suddenly easier to understand. And that’s because we can write a simple one sentence explanation about how the three parts achieve a useful result:
Connected computers reach agreement over shared data.
That’s what a blockchain technology should do; it should allow connected computers to reach agreement over shared data. And each part of that sentence corresponds to our three constituent technologies. Connected Computers. The computers are connected in a peer-to-peer network. If your computer is a part of a blockchain network it is talking directly to other computers on that network, not through a central server owned by a corporation or other central party.
Reach Agreement. Agreement between all of the connected computers is facilitated by using a consensus mechanism. That means that there are rules written in software that the connected computers run, and those rules help ensure that all the computers on the network stay in sync and agree with each other. Shared Data. And the thing they all agree on is this shared data called a blockchain. “Blockchain” just means the data is in a specific format (just like you can imagine data in the form of a word document or data in the form of an image file). The blockchain format simply makes it easy for machines to verify the consistency of a long and growing log of data. Later data entries must always reference earlier entries, creating a linked chain of data. Any attempt to alter an early entry will necessitate altering every subsequent entry; otherwise the cryptographic links and digital signatures embedded in the data will reveal a mismatch. Specifically how that all works is beyond the scope of this backgrounder, but it mostly has to do with the science of cryptography and digital signatures. Some people might tell you that this makes blockchains “immutable”; that’s not really accurate. The blockchain data structure will make alterations evident, but if the people running the connected computers choose to accept or ignore the alterations then they will remain.
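The “later entries reference earlier entries” property is easy to see in code. The following is an added example, not code from the Coin Center article: a minimal hash-linked log in which each entry carries the SHA-256 hash of the entry before it. It models only the hash linking and leaves out the digital signatures, proof-of-work and consensus rules a real network layers on top; the log records are constructed sample strings. It shows what a verifier detects when one entry is altered, why “fixing” the altered entry’s own hash only moves the mismatch one entry later, and what a full rewrite from that point onward looks like (consistent on its own, but with hashes that no longer match what honest nodes already hold).

```python
"""A minimal hash-linked log with tamper detection.

Added example for the "shared data" description; not code from the article.
Only the hash links are modelled (assumption: signatures and consensus are
handled elsewhere). Records are constructed sample strings.
"""
import hashlib
import json

GENESIS_PREV = "0" * 64  # sentinel link for the first entry

SAMPLE_RECORDS = [
    "alice pays bob 5",
    "bob pays carol 2",
    "carol pays dave 1",
]


def entry_hash(index, data, prev_hash):
    """Hash of an entry's contents, including the link to its predecessor."""
    payload = json.dumps([index, data, prev_hash]).encode()
    return hashlib.sha256(payload).hexdigest()


def build_chain(records):
    """Append each record to the log, linking it to the previous entry."""
    chain = []
    prev_hash = GENESIS_PREV
    for index, data in enumerate(records):
        h = entry_hash(index, data, prev_hash)
        chain.append({"index": index, "data": data, "prev_hash": prev_hash, "hash": h})
        prev_hash = h
    return chain


def verify_chain(chain):
    """Return (True, None) if consistent, else (False, index of first bad entry)."""
    prev_hash = GENESIS_PREV
    for entry in chain:
        if entry["prev_hash"] != prev_hash:
            return False, entry["index"]
        if entry_hash(entry["index"], entry["data"], entry["prev_hash"]) != entry["hash"]:
            return False, entry["index"]
        prev_hash = entry["hash"]
    return True, None


def tamper(chain, index, new_data, recompute_own_hash=False):
    """Copy the chain and alter one entry's data. With recompute_own_hash the
    tamperer also fixes that entry's hash, which merely moves the mismatch to
    the next entry's prev_hash link."""
    copy = [dict(e) for e in chain]
    copy[index]["data"] = new_data
    if recompute_own_hash:
        copy[index]["hash"] = entry_hash(index, new_data, copy[index]["prev_hash"])
    return copy


def rewrite_from(chain, index, new_data):
    """What an alteration really costs: every entry from index onward is
    rebuilt. The result is self-consistent, but its hashes differ from the
    copies honest nodes already hold, so they can tell it apart."""
    records = [e["data"] for e in chain]
    records[index] = new_data
    return build_chain(records)


if __name__ == "__main__":
    chain = build_chain(SAMPLE_RECORDS)
    print("original:", verify_chain(chain))
    print("edit entry 1:", verify_chain(tamper(chain, 1, "alice pays bob 500")))
    print("edit entry 1 + fix its hash:",
          verify_chain(tamper(chain, 1, "alice pays bob 500", recompute_own_hash=True)))
    rewritten = rewrite_from(chain, 1, "alice pays bob 500")
    print("full rewrite verifies:", verify_chain(rewritten),
          "but last hash changed:", rewritten[-1]["hash"] != chain[-1]["hash"])
```

This is also the precise sense in which the article says blockchains are not “immutable”: the rewritten chain verifies perfectly well on its own, and whether it replaces the original is a decision the connected computers make, not something the data structure can prevent.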
Bitcoin as illustration. Explaining how this all works in Bitcoin provides a helpful example. So, what are the connected computers in the Bitcoin blockchain technology? They are any devices on the Internet running Bitcoin-compatible software. That software could be a wallet app or it could be software for “mining” bitcoin. If, for example, you run a Bitcoin software wallet on your phone, then whenever you send or receive Bitcoin transactions your phone will be talking directly to any other nearby computers that are running Bitcoin software; it’s peer-to-peer. Some people are uncomfortable running important software on their personal devices, and that’s reasonable because if you are not careful when you run that software, you could accidentally lose your bitcoins. So some people might use a Bitcoin wallet that is created and maintained by a company. In this case, the wallet app on your smartphone will talk to a server that the company maintains, and it's that server that connects to the peer-to-peer network on your behalf. What about the consensus mechanism in Bitcoin? Well, as with any consensus mechanism, it’s a series of rules written in computer code. To be compatible with the Bitcoin network any software you run on your Internet-connected device must follow these rules. If your software is modified to try and break the rules, then the messages it sends on the Internet will be ignored by all the other computers running honest, rule-obeying Bitcoin software. There are a bunch of rules in the Bitcoin consensus mechanism, but we can highlight two of them here and transcribe them roughly from computer code into natural language:
1. Nobody can send bitcoins that they have not first received from someone else or a coinbase transaction.
2. Every 10 minutes one of the connected computers will be selected to choose the order of valid transactions for that period; that computer can write itself a coinbase transaction.
That first rule is pretty self-explanatory. It’s a rule against counterfeiting. The only exception is when someone sends themselves brand new bitcoins (known as a coinbase transaction) according to the network’s rules for new money creation. The second one isn’t very hard to understand either once we have some context. Recall that the connected computers are talking directly to one another, and keep in mind that those computers could be anywhere in the world because it all works on top of the global Internet. If some computers are in, for example, China, and others are in the U.S., it’s likely they will get out of sync because messages about transactions will originate in different parts of the world and propagate across the Internet at different rates.
A connected computer in China might think the most recent transactions came in this order: A, B, C. While a computer in the U.S. may have seen them come in the reverse order C, B, A. How do we make sure all the computers agree on the order? Well, as rule 2 specifies, every 10 minutes one computer will be chosen to state the authoritative order of transactions for that period of time, and then another will be chosen, and so on. In computer science this arrangement is called a repeated leader election, but unlike a normal political election the periodic leader is simply chosen at random.
Notice also that our rule 2 specifies that the leader can only give the order of valid transactions. If the chosen leader tried to include a transaction where they gave themselves millions of counterfeit bitcoins, then they would have broken rule one. Their scammy messages are simply ignored by the rest of the computers as per the rules of the consensus mechanism. The chosen leader can, however, write themselves a coinbase transaction that will reward them for their honest work in maintaining the network. This transaction creates new bitcoins out of thin air as a reward, but it must match a predefined money creation schedule (you can’t just choose the size of your reward). That money creation schedule is just another rule within the Bitcoin consensus mechanism software.
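To make the two rules concrete, here is an added example (not Bitcoin’s code and not from the Coin Center article) of the check every honest node performs on a block a leader proposes: a toy ledger of unspent outputs against which rule 1 (you can only spend what you have received, coinbase excepted) and the money-creation schedule that bounds the coinbase are enforced. Signatures and proof-of-work are assumed valid and left out; the subsidy schedule mirrors Bitcoin’s (50 coins, halving every 210,000 blocks, in whole coins here), and the sample blocks are constructed. A block that spends a phantom output, a transaction that creates coins out of thin air, and a coinbase larger than the schedule allows are all rejected the way rule-obeying software would ignore them.

```python
"""Toy UTXO ledger enforcing the two consensus rules from the text.

Added example; not Bitcoin's code. Assumptions: signatures and proof-of-work
are checked elsewhere, amounts are whole coins, transactions are constructed.
A transaction with no inputs is the coinbase.
"""
from dataclasses import dataclass, field


@dataclass
class Tx:
    txid: str
    inputs: list = field(default_factory=list)   # [(txid, output_index)] being spent
    outputs: list = field(default_factory=list)  # [(address, amount)]

    @property
    def is_coinbase(self):
        return not self.inputs


def block_subsidy(height):
    """New coins the leader may award itself at this height (halving schedule)."""
    return 50 >> (height // 210_000)


def apply_block(utxo, txs, height):
    """Validate a block against the unspent-output set.

    Returns (ok, reason, new_utxo); on failure new_utxo is the untouched original,
    i.e. the block is ignored exactly as rule-obeying nodes would ignore it.
    """
    if not txs or not txs[0].is_coinbase:
        return False, "first transaction must be the coinbase", utxo
    if any(tx.is_coinbase for tx in txs[1:]):
        return False, "only one coinbase per block", utxo
    new_utxo = dict(utxo)
    fees = 0
    for tx in txs[1:]:
        total_in = 0
        for ref in tx.inputs:
            if ref not in new_utxo:  # rule 1: never received (or already spent)
                return False, f"{tx.txid} spends an output it never received: {ref}", utxo
            total_in += new_utxo.pop(ref)[1]
        total_out = sum(amt for _, amt in tx.outputs)
        if total_out > total_in:     # rule 1: no creating coins out of thin air
            return False, f"{tx.txid} creates {total_out - total_in} coins from nothing", utxo
        fees += total_in - total_out
        for i, out in enumerate(tx.outputs):
            new_utxo[(tx.txid, i)] = out
    coinbase = txs[0]
    reward = sum(amt for _, amt in coinbase.outputs)
    if reward > block_subsidy(height) + fees:  # money-creation schedule
        return False, "coinbase exceeds the schedule plus fees", utxo
    for i, out in enumerate(coinbase.outputs):
        new_utxo[(coinbase.txid, i)] = out
    return True, "ok", new_utxo


# Constructed sample blocks. Block 1 pays the leader 50; block 2 spends it.
BLOCK1 = [Tx("cb1", outputs=[("miner", 50)])]
BLOCK2_OK = [Tx("cb2", outputs=[("miner", 51)]),  # 50 subsidy + 1 coin of fees
             Tx("t1", inputs=[("cb1", 0)], outputs=[("alice", 30), ("miner", 19)])]
BLOCK2_COUNTERFEIT = [Tx("cb2", outputs=[("miner", 50)]),
                      Tx("t1", inputs=[("cb1", 0)], outputs=[("alice", 1_000_000)])]
BLOCK2_PHANTOM = [Tx("cb2", outputs=[("miner", 50)]),
                  Tx("t1", inputs=[("never-existed", 0)], outputs=[("alice", 5)])]
BLOCK2_GREEDY_LEADER = [Tx("cb2", outputs=[("miner", 1_000_000)])]


if __name__ == "__main__":
    ok, reason, utxo = apply_block({}, BLOCK1, height=1)
    print("block 1:", ok, reason)
    for name, block in [("honest", BLOCK2_OK), ("counterfeit", BLOCK2_COUNTERFEIT),
                        ("phantom input", BLOCK2_PHANTOM), ("greedy leader", BLOCK2_GREEDY_LEADER)]:
        ok, reason, _ = apply_block(utxo, block, height=2)
        print(f"block 2 ({name}):", ok, reason)
```

Because the function returns the original set unchanged on any failure, an invalid block can never partially take effect; that all-or-nothing property is what lets every node converge on the same ledger state once the leader for a period has spoken.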
Finally, there’s Bitcoin’s shared data, its blockchain. This is just a list of all Bitcoin transactions that have occurred since the network started in 2009. Here’s a stylized illustration:
Of course the real Bitcoin blockchain has many more transactions in it, millions since the network started. Also, the transactions don’t have human-readable names in them like the illustration above suggests. Instead, the sender and recipient are represented by what’s called a public address. It’s a pseudorandom but unique string of letters and numbers that is generated locally on the smartphone or computer of a particular Bitcoin user. It looks like this, 1CPwNACt62wts2yGbz1vUuqeGD58SzzeAL, and the user’s device will also generate a matching secret key (another pseudorandom but unique string of numbers and letters) that must be used to sign transactions spending funds from that address. Think of it like a password. All in all, however, the blockchain is pretty simple in that sense: it’s just a list of transactions between addresses that’s presented in a way that makes it easy for computers to verify the data.
How various blockchain technologies may differ. What about other, non-Bitcoin blockchain technologies? Well they all follow the same design pattern. They will have peer-to-peer networking, a consensus mechanism, and a blockchain, and they will enable connected computers to reach agreement over shared data. There are two things that can differ from Bitcoin, however. The shared data may be different, and the consensus mechanism may be engineered with different design choices. Here’s how the data can differ. Instead of being a list of bitcoin transactions, the shared data could be votes in an election, or identity credentials (think of it like a tokenized driver’s license or proof of a credit score). Or the data could be the current state of a running computation. In other words the data could be related to a global computer that anyone is allowed to write and read data from; that’s one way to describe Ethereum, another open blockchain network inspired by Bitcoin. The consensus mechanism could also be different than Bitcoin’s. These differences aren’t necessarily good or bad; remember that “blockchain” is like “vehicle.” Sometimes you might need a boat, other times a rocketship. Not all vehicles are good for all use cases. There are three big design choices that might make the consensus mechanism different from Bitcoin’s. These tradeoffs and choices merit a much longer discussion, but here’s a basic overview:
1. Open or Closed? Does the consensus mechanism allow anyone to join and participate, or is participation limited to identified parties on the network who were previously provisioned with an access credential by a company, consortium, or other central party that is creating or implementing the blockchain technology? In other words is it an open network (like the Internet) or a closed or permissioned network (like a company intranet)?
2. Private or Transparent? Does the consensus mechanism privilege data privacy above data transparency and auditability? Or vice versa? To some extent this is an iron trade-off. Recall that all the computers must reach agreement on the shared data. If the data was private to a handful of individuals then only those individuals on the network would be able to verify and agree on the data. There may be a way around this tradeoff in consensus design thanks to some new research into “zero-knowledge proofs,” and the launch of a new privacy-protecting public network called Zcash.
3. Edge or Center? Does the consensus mechanism put security at the edge of the network or at the center? Open blockchain networks like Bitcoin have consensus mechanisms that push the responsibility for security to the edge, to the individual computers owned and controlled by users.
So if you receive bitcoins on your smartphone using a software wallet, for example, your device is the only device on the whole network that can now spend those bitcoins. Without the secret key generated on your phone, the bitcoins can never move. This is in sharp contrast to pre-Bitcoin electronic payment systems where an intermediary like a credit card company could step in and reverse a transaction or move funds out of your account without needing you to take any action with your card or banking app. Having security at the edge may be a disadvantage for someone who loses their phone and failed to make a backup of their credentials, but it’s also an advantage system-wide because there’s no longer a central party who could be hacked or be dishonest and thereby put everyone’s money or data at risk. Permissioned blockchain technologies retain some power at the center of the network because — at the very least — there will be one party who is relied upon to identify permitted member computers and provision them with an access credential. Those are the primary possible differences between blockchain technologies. There’s still plenty of room for elaboration, details, and future possibilities, but hopefully you’ve got a better handle on the fundamental architecture of these exciting new tools. Just remember, blockchain technology means that connected computers reach agreement over shared data.