8 DEC 2016 Coin Center
This recently launched cryptocurrency has received attention for its enhanced privacy features. Zooko Wilcox, the project’s lead developer, explains how these features work and what they mean for policymakers.
Zcash is a cryptocurrency network that launched in October of 2016. Like other cryptocurrency networks (e.g. Bitcoin or Ethereum), Zcash allows anyone with a computer and an Internet connection to send and receive scarce tokens that can be used like cash on the Internet. The software that powers Zcash is directly derived from Bitcoin’s core software, but it has been modified in order to enhance user privacy.
The members of the network who relay, validate, and bundle user transactions into blocks are, like in Bitcoin, commonly called miners. These miners are rewarded for honest participation with transaction fees and newly minted Zcash, and they must solve a difficult math problem (similar but distinct from Bitcoin’s mining algorithm) in order to earn the privilege of participation. As with Bitcoin, anyone can be a miner on the Zcash network, all they need is an Internet connection, a reasonably powerful computer, and the free and open source Zcash software. Zcash is an open blockchain network.
Why launch a new cryptocurrency with enhanced privacy?
Bitcoin has been around for almost a decade, and by now many people have realized that it is not nearly as private or anonymous as many initially thought. That can be a good thing when it comes to catching criminals, but it can also be a bad thing for innocent users. In fact, Bitcoin’s current specifications make it almost impossible for an unsophisticated innocent user to have any privacy.
Here’s a simple example. Most people use bitcoin by sharing a payment address that looks something like this:
Maybe that address belongs to a bartender. To accept bitcoin for cocktails the bartender puts that address on a poster behind the bar in the form of a QR code so it would look something like this (courtesy of Room77 in Berlin):
Patrons at the bar can take a picture of that code with their smartphone and use a bitcoin wallet app to pay that address for their drinks. Trouble is, anyone can look that address up in the Bitcoin blockchain and see every incoming transaction and the total amount of bitcoin sitting in that address. If we look up that information, then we have at least some idea of how rich the bartender is (good information for a would-be robber), and how successful the bar has been (good information for the competing bar next-door). Also, if we sat next to someone while they took a picture of the payment code with their phone, then we might have a good idea of how rich the customer next to us is as well by identifying the most recent incoming transaction for the bartender’s address and looking up the balance of the sending address, the customer’s address.
This poor privacy can be marginally improved by having your Bitcoin wallet generate a new payment address every time you want to be paid. So the bartender would now show each customer a new and different QR code to pay his or her individual tab. But the basic issue remains. Often those separate balances will be combined to fund an outgoing transaction. Perhaps the bartender wants to pay her rent with bitcoins she has received from patrons, but that single rent transaction is larger than any single payment from a patron. The bartender will need to use several of her receiving addresses to pay the rent, and all those addresses are then combined in a transaction message that ends up in the blockchain. By analyzing these transactions, a stranger who knows one of the bartender’s addresses can create a map of clustered addresses that are used by the bartender. So with clustering analysis, the stranger can still get a pretty good idea of the bartender’s net bitcoin worth, and learn all sorts of things about the bartender, like how much she pays in rent and how often.
To be truly private, a bitcoin user needs to take all kinds of technical precautions: never using the same payment address twice, avoiding recombining payment addresses as inputs for later transactions, sending funds to mixing services that will shuffle bitcoin balances amongst a bunch of other bitcoin users (and hopefully not run off with their money), using Tor or other private Internet services to make it harder to link geographic data from IP addresses to transaction messages; the list goes on. These are difficult steps for a technologically unsophisticated user to take, and even a sophisticated user might not take these steps if they aren’t doing anything criminal and feel that the benefits of privacy simply aren’t worth the costs.
As a result, Bitcoin as currently specified creates a perverse outcome: sophisticated criminals might be able to squeeze some anonymity out of the system, but your average innocent user gets no privacy whatsoever.
How is Zcash more private?
The Zcash network uses modified Bitcoin software to allow users a choice whenever they transact. You can get paid at a normal address that works transparently just like a Bitcoin address (we call this a transparent address, or “t-addr”) or you can use a private payment address (we call this a shielded address, or “z-addr”). If two people transact with shielded addresses, the Zcash blockchain will not record the details of that transaction publicly. All of those details are things that otherwise would be used to identify them: things like the amount of Zcash just sent and received and the addresses of the payor or payee. With Zcash shielded addresses, all of that information is encrypted or kept secret from the public.
Of course, that raises an important question. How do the users of the Zcash network know that no new money was created in a private transaction? How do we know that the sender did not just counterfeit new Zcash instead of sending you her existing balances? In Bitcoin you know that there has been no counterfeiting because the blockchain has an indelible record of all transactions that is complete with details like amount sent, sender address, and recipient address. That blockchain record goes all the way back to the beginning of the network, and if you sum up all the transactions you will get a number of Bitcoin in circulation that is only the amount of bitcoins legitimately mined so far mined. This gives us confidence that bitcoins are only being created according to the rules of the software; no fishy counterfeiting is taking place. So how can we be sure that there is no counterfeiting in Zcash if we cannot see all of the individual transaction records on the blockchain? This is where the new Zcash technology comes in.
Zcash uses cutting edge math and science to create a privacy protecting blockchain. Specifically, it uses cryptographic functions that are called zk-SNARKs. That stands for Zero-Knowledge Succinct Non-interactive Arguments of Knowledge. It’s a mouthful (computer scientists aren’t always the best at naming things), but what it means is this: with a zk-SNARK, a computer or network of computers can take some otherwise encrypted and unreadable data and prove certain limited facts are true about that data without revealing anything else about that data. So in the case of payments made to and from a shielded Zcash address, using a zk-SNARK built into the protocol software, the network can prove to any user that, on-net, all outgoing transactions equal all incoming transactions (i.e. no new money was created), but the zk-SNARK function proves it without revealing the specifics of those individual transactions, all the data that would be used to compromise your privacy.
Can regulated institutions use Zcash?
Financial institutions are legally required to comply with anti-money laundering and anti-terrorist financing laws and regulations. Can these institutions use a payment system and currency that leaves no record of individual transactions? Absolutely! That system is called cash and just about every financial institution in the world uses it. Cash transactions are still much more opaque than any cryptocurrency transaction, even a Zcash transaction from a shielded address.
If I go into a bank and hand the teller $1,000 worth of cash, the bank would have less information about that transaction—where I got the money in the first place—than if I sent them $1,000 worth of Zcash from a shielded address. At least with Zcash they know for sure that the money isn’t counterfeit. Just as financial institutions can accept and hold your cash without running afoul of the regulations, they can accept and hold Zcash as long as they continue to keep their own internal records as they are required to do by law.
The responsibility to comply with things like the Bank Secrecy Act (a financial surveillance law in the U.S.) is a responsibility borne by the institution and not by the technology behind the medium of exchange or the developers of that technology. We don’t ask the Federal Reserve to record all cash transactions, we ask that individual banks or money services businesses keep their own records, do their own Know-Your-Customer diligence, and reports things that look suspicious.
As we’ll see in the next section, financial institutions can implement compliance with Zcash, potentially even better than they can do with Bitcoin, because they can give regulators or (duly authorized, warrant-bearing) law enforcement privileged access to sensitive data in the blockchain. This approach to compliance is also arguably better than compliance using traditional pre-blockchain banking.
Does Zcash make regulation more difficult?
Zcash’s shielded addresses may make it more difficult for regulators and law enforcement to investigate using public data from the blockchain, but Zcash also has some built-in features that can help simplify regulatory compliance without compromising the privacy of innocent users. Two relevant technical concepts are view keys and memos.
Every shielded address comes with what we call a view key that is generated for the holder of the address. She can choose to share this view key with anyone else in the world. With that view key a person can get the details about the particular transactions sent from that address; they can see the recipient addresses and the amounts sent. Not only can they see these details, they can prove them with the certainty of a blockchain data structure.
(Note: at the time of this writing, the current version of Zcash — v1.0.3 — does not have complete support for users to retrieve and use view keys, even though they are effectively already included in the protocol.)
Accordingly, whenever the law demands transparency and whenever proper legal process is followed to obtain that transparency, a user or regulated firm can easily oblige by sharing the view key that un-blinds private transactions with the proper authorities. This is, in many ways, superior to the current state of affairs with Bitcoin where both law enforcement and the general public can see a wealth of private information about your Bitcoin addresses. It’s also better than the current state of affairs with pre-blockchain banking transactions because the data being shared can be verified by an open network of computers, rather than law enforcement needing to take the regulated party or the individual being questioned at their word.
Zcash transactions also have a memo field that can be used to send additional data about the transaction viewable only to the recipient. This memo could carry data between financial institutions wherever they are required by law to send that data along (e.g. the “travel rule” requirement in the Bank Secrecy Act).
Why is financial privacy technology important?
Ultimately we believe that personal privacy is necessary for core human values like dignity, intimacy, and ethics. Without privacy, people will often abstain from doing anything that is legal but also unpopular or politically incorrect. This chills free expression and leaves us with a less diverse and less resilient community. Leaked private financial data can also be used by businesses to discriminate against vulnerable populations, or people with a lot to lose. Data analytics technology is advancing rapidly and without financial privacy we run the risk of being dealt with or identified in business or even personal contexts as merely an amalgam of facts and figures, rather than as unique individuals with dignity.
Financial privacy is also essential in an institutional context. As large financial institutions like banks have begun investigating blockchain technology to streamline their business processes, one of the chief impediments has been the transparency inherent in a Bitcoin-like blockchain. When you trade and how much you trade is proprietary information that an institution like an investment bank would likely rather not share with their competitors. The zk-SNARK technology pioneered for Zcash might allow big firms to use blockchains as cost-saving infrastructure without forcing them to share that proprietary information.
At heart this is the core goal of Zcash, to build an open and trustworthy financial system that doesn’t put our privacy and freedom at risk.
Zooko Wilcox is Founder and CEO of the Zcash Electric Coin Company. He has more than 20 years of experience in open, decentralized systems, cryptography and information security, and startups. He is recognized for his work on DigiCash, Mojo Nation, ZRTP, “Zooko’s Triangle”, Tahoe-LAFS, BLAKE2, and SPHINCS.