Promoting Privacy with Bleeding Edge Cryptography
Note: This post was originally published February 4th, 2019 on the Amentum blog: https://medium.com/amentum/the-case-for-zcash-74fe4b7fbef8
Zcash is an intriguing case-study. Launched in October of 2016, almost 7+ years after bitcoin’s inception, its community possesses a deep focus on low-level cryptographic research previously pioneered and later applied by the Zcash Company.
Amentum GP, Steven McKie, played a role in the community governance vote prior to the inaugural ZCon0. He has since watched it mature and expand with the efforts of the Zcash Foundation, as the community has matured and worked toward further decentralization.
Planting the Seeds
Cryptocurrency markets have corrected in the past. It hurts morale and puts teams and communities under pressure. But, the projects that keep working diligently — while being trapped between a bear and a hard place — position themselves to flourish later. And these projects tend to be the ones with strong governance and compelling narratives. They plant the seeds that can blossom when winter is over. A project that began at the nadir of the last major bear market, Zcash has proven you can rise and grow, even in the most brutal of circumstances.
Outside of Ethereum, no project has a stronger narrative and community around it than Zcash. Simply put, it is an industry-leading product, with a world-class research team behind it, addressing a fundamental problem: on-chain privacy, while smithing a shield to protect against an onslaught of privacy erosion.
Thanks largely to institutional support from the Zcash Foundation, the Zcash Co, and to the reputation of co-founder Zooko Wilcox-O’Hearn, Zcash has avoided much of the stigma that has tarred other “privacy” coins. We think Zcash is poised well, both technologically and culturally, and will play a key role in blockchain technology’s next chapters as privacy becomes a core point of discussion across the industry.
Privacy is a Fundamental Issue for Blockchains
Let’s go back to first principles for a moment. Privacy is a real problem for blockchain technology. Blockchains let people interact behind a pseudo-anonymous address, but they also constitute a complete and immutable public ledger of all interactions between all addresses. That means they are bad places to hide, for good actors and bad ones. If a person’s name gets linked to an address, that person’s entire on-chain history is then publicly auditable by anyone, and ripe for chain-specific analysis. And if that person is a persona non grata, no one will want to transact with that address. Further, all addresses that have transacted with it in the past will be suspect (along with the ones that have transacted with those, and so on, in perpetuity).
Of course, there are both good and bad reasons someone might be a persona non grata. They might be a true bad actor, in which case one hopes that blockchain technology will provide them no assistance. Or they might be, say, a dissident living under unrelenting tyranny, looking for a lifeline, in which case one hopes that blockchain technology will be of some service in their search for freedom & privacy.
This is obviously a really unsettling problem, because it is difficult for privacy technology to serve the latter without also serving the former. Your normative view on blockchain privacy probably depends on whether you’re more worried about wicked state actors or wicked non-state actors. While there is no obvious right answer, as clouds gather over much of the political world, one might argue that the case for worrying more about the latter is getting stronger.
Image courtesy of ZCash Co (the aesthetic was so perfect)
In fact, however, this debate is increasingly beside the point. Zero-knowledge cryptography has arrived, and it will be a big partof the future. The Zcash community has done a good job of explaining the technology to authorities and to the public in an open and honest manner, noting its positive potential without denying the possibility of abuse (even garnering the support of major U.S. based exchanges such as Coinbase and Gemini).
So what is a zero-knowledge proof, briefly, and how does Zcash use it? In a nutshell, it is a cryptographic message exchanged between two parties, by which one party proves to the other that it has a secret key, but without revealing the key necessary to see the another user’s public key and the balances associated with the proof.
There is a convenient way of explaining how this is possible. Imagine for a moment you are blindfolded, and you are holding two checker pieces behind your back. You don’t know whether they are both the same color, or are of different colors. You hold out one and show it to your counter-party, who is not blindfolded. She tells you the color — but you don’t know if she is lying. You then bring the piece behind your back again — switching the pieces, or not — and repeat the process. By doing this many times, you can start to get confident about whether the other person is lying. For example, if you bring out the same piece twice and she tells you “black” the first time, and “red” the second, you know she’s lying. If her answers are consistent with your knowledge about which piece you’re revealing, you can become quite confident about whether the other person is giving you honest information — which is to say, whether she in possession of the secret key.
This kind of process can be used to shield enormous amounts of information of indefinite complexity (such as the use of recursive SNARKs to save a merkle root of a blockchain’s global state; but thats outside of scope for this particular post).
Here is another explanation of Zcash’s zk-SNARK tech, from ZCash Co itself:
The acronym zk-SNARK stands for “Zero-Knowledge Succinct Non-Interactive Argument of Knowledge,” and refers to a proof construction where one can prove possession of certain information, e.g. a secret key, without revealing that information, and without any interaction between the prover and verifier.
Illustration of an arithmetic circuit. Image courtesy of Decentriq
//The same above arithmetic circuit, represented in Python (courtesy of Decentriq as well).
def f(x): out_1 = x * x y = out_1 - 4
Zcash lets users transact using public (t-address) or private addresses (z-address). Unlike competitors such as Monero, private Zcash addresses shield not only the address, but the entire transaction history of that address (so that if an address a user owned were unveiled, an entire tree of transactions and counter-parties would not also be publicly revealed and auditable via blockchain-analysis). ZCash has done incredible work in making these cryptographic proofs faster and less computationally expensive. It is an immensely powerful privacy-protecting technology, one with applications that can extend beyond the ZCash chain itself, implementable on other popular public chains, such as Ethereum via pre-compiled op-codes (see: Zokrates).
Moreover, the entire network is not dark. Public addresses can transact in Zcash, seamlessly interacting with private ones, through a series of sending assets to either a transparent or shielded address.
The process of “shielding” (sending an asset to a private z-address) and de-shielding (sending an asset from a z-address to a new t-address), is illustrated below:
Image courtesy of the ZCashCo blog.
In short, Zcash knows that blockchain privacy isn’t about building some parallel world. Instead, it’s about pushing cryptographic technology forward while building bridges to efficiently and seamlessly co-operate between private and public ecosystems, so that society can integrate this powerful technology into legitimate systems, intelligently, overtime.
Impressive Social & Technical Progress
Aside from their strong narrative and community, we see several positive indicators for Zcash team. First, they have done well at achieving legitimacy and institutional credibility. Second, they have repeatedly hit ambitious technical goals, staying on the cutting edge of on-chain privacy. We therefore look at Zcash as a likely beneficiary of the huge range of possibilities that will flow from faster, more performant blockchain privacy.
The initial Zcash team has taken intelligent, moderate steps to diversify control over the product, without trying to radically decentralize things in a haphazard way. In 2017, the non-profit Zcash Foundation was spun out of the for-profit Zcash Co, and given meaningful influence over the future of the future direction of the community.
This decision has borne fruit in interesting ways. In a more recent effort, the Zcash Foundation is partnering with Parity to build a second implementation of the Zcash full node. This will increase security for everyone, because if a bug is discovered in one of the implementations, another, safer alternative will be readily available. Similarly, it is impressive that Zcash managed to become one of the early listees on Coinbase (a typically more conservative broker, not historically focused on privacy). This sent a positive message that Zcash was willing to engage with a wide, mainstream community, and deal with all the regulatory scrutiny that it might entail.
Similarly, the product’s technical progress has been exemplary. The Sapling update, which went live in November 2018, broke new ground in zero-knowledge proof efficiency. Previously, constructing a zero-knowledge proof to create a shielded transaction took as much as 3GB and several minutes. Sapling reduced the required time to several seconds, and the memory requirement to 40 MB, getting us close to viability for widespread private mobile transactions.
Image courtesy of ZCash Co.Image courtesy of ZCash Co.
As a legitimate, well-governed technical leader in blockchain privacy, Zcash is in a unique position to explore countless interesting opportunities in the coming years, flowing from the tech they’ve help to bring to the mainstream. Privacy, after all, is about so much more than evasion. As we alluded above, Zcash’s zero-knowledge proof technology may eventually be used to increase the transaction capacity of Ethereum (and many other chains) — and that is only one of countless fascinating possibilities.
Implications include not just privacy and anonymity, but also enabling it so new full network nodes do not to have to sync from the genesis block when recomputing and downloading their local version of the chain — making syncs faster and more portable on cheaper devices.
Think too, for example, about the tremendous value of economic transaction data. Big tech companies are sitting on a gold mine partly because they know who is buying what. The lion’s share of that value, of course, is in their stock prices, rather than on consumers’ balance sheets. But with transaction privacy, individuals could take interesting steps to benefit from the value of their data. Think about the possibility of a data labor union, as another potential application of Zcash’s underlying technology. Consumers might demand to transact anonymously, keeping their collective purchasing data encrypted, and then collectively negotiate the sale of that data, so that they all received a payout.
The distribution of data-generated wealth is a problem set to grow only more acute over time. The transactional privacy made possible by Zcash’s hard work just might be part of the solution.