Professional Documents
Culture Documents
Shreyasi Katiyar
Banasthali Vidyapith, katiyarshreyasi2000@gmail.com
Abstract - Bitcoin’s transparent, immutable, publicly Zcash addresses are either private (z-addresses or shielded
auditable ledger allows any party to trivially verify the through zero-knowledge proofs) or transparent (t-addresses).
correctness of transactions. This transparency means A Z-to-Z transaction appears on the public blockchain, so it
that an adversary may, while obeying the rules of the is known to have occurred and that the fees were paid. But
network, trace the flow of transactions. By the addresses, transaction amount and the memo field are all
corresponding a transaction to an individual, the encrypted and not publicly visible. Using encryption on a
adversary may determine the source and destination of blockchain is only possible through the use of zero-
that user’s funds, resulting in a serious loss of privacy. knowledge proofs. The owner of an address may choose to
Several alternative cryptocurrencies ("altcoins") have disclose z-address and transaction details with trusted third
endeavored to create systems that preserve privacy. The parties — auditory and compliance needs — through the use
chief difficulty in creating such a system is devising a of view keys and payment disclosure. Transactions between
way that the correctness of transactions can be easily two transparent addresses (t-addresses) work just like
verified while obscuring the underlying details of the Bitcoin: the sender, receiver and transaction value are
transactions. Zcash is an implementation of the publicly visible. The two Zcash address types are
Decentralized Anonymous Payment scheme Zerocash, interoperable. Funds can be transferred between z-addresses
with security fixes and improvements to performance and t-addresses.
and functionality. It bridges the existing transparent
payment scheme used by Bitcoin with a shielded WHAT ARE ZK-SNARKS
payment scheme secured by zero-knowledge succinct
non-interactive arguments of knowledge (zk-SNARKs). Zcash is the first widespread application of zk-SNARKs.
It attempted to address the problem of mining The strong privacy guarantee of Zcash is derived from the
centralization by use of the Equihash memory-hard fact that shielded transactions in Zcash can be fully
proof-of-work algorithm. This specification defines the encrypted on the blockchain, yet still be verified as valid
Zcash consensus protocol at launch. under the network’s consensus rules by using zk-SNARK
proofs.
Index Terms - cryptographic protocols, electronic commerce It refers to a proof construction where one can prove
and payment, proof of work, zero knowledge. possession of certain information, e.g. a secret key, without
revealing that information, and without any interaction
WHAT IS ZCASH between the prover and verifier.
“Zero-knowledge” proofs allow one party (the prover) to
Zcash is a decentralized and open-source peer-to-peer digital
prove to another (the verifier) that a statement is true,
currency(or cryptocurrency) based on bitcoin.It was
without revealing any information beyond the validity of the
launched in October, 2016 by scientists at MIT, Johns
statement itself. For example, given the hash of a random
Hopkins and other respected academic and scientific
number, the prover could convince the verifier that there
institutions. It inherits basic properties like $21M mining
indeed exists a number with this hash value, without
limit with minor changes in incentive structure. It has many
revealing what it is. In a zero-knowledge “Proof of
core features and capabilities such as low transaction fees of
Knowledge” the prover can convince the verifier not only
0.0001 ZEC, address and transaction privacy, encrypted
that the number exists, but that they in fact know such a
memos, viewing keys and payment disclosure.
number – again, without revealing any information about the
number.
“Succinct” zero-knowledge proofs can be verified within a
HOW IT WORKS few milliseconds, with a proof length of only a few hundred
bytes even for statements about programs that are very large.
At the core of Zcash technology are zero-knowledge proofs,
In “non-interactive” constructions, the proof consists of a
which allow transaction data to be validated without
single message sent from prover to verifier, a common
revealing information about the amount and the parties
reference string shared between prover and verifier. We refer
involved. Zcash uses specific zero-knowledge proofs called
to this common reference string as the public parameters of
zk-SNARKs (zero-knowledge succinct non-interactive
the system.
arguments of knowledge).
1
How zk-SNARKs are constructed in Zcash computed and guarantee the computation was correct one
step at a time. We include as variables in our R1CS:
The function determining the validity of a transaction
according to the network’s consensus rules must return the the constant 1
answer of whether the transaction is valid or not, without all the public inputs to our original function
revealing any of the information it performed the the outputs of our original function
calculations on. the private inputs to the original function
This is done by encoding some of the network’s consensus all the auxiliary variables created during the
rules in zk-SNARKs. At a high level, zk-SNARKs work by computation
first turning what you want to prove into an equivalent form
about knowing a solution to some algebraic equations. An assignment can be divided in two parts:
Computation → Arithmetic Circuit → R1CS → QAP → Primary assignment: the constant 1, public inputs
zk-SNARK and outputs
Auxiliary assignment: private inputs and all
Arithmetic Circuit auxiliary variables
Similar to a boolean circuit where a program is compiled Example : Prove that you know (p,q) such that (p+3)(q+2) =
down to discrete, single steps like AND, OR, NOT, when a n+1. The values (p,q) are private to you, while the value n is
program is converted to an arithmetic circuit, it’s broken publicly known.
down into single steps consisting of the basic arithmetic
operations of addition, subtraction, multiplication, and v0 = = p + 3 (1)
division. Here is an example of what an arithmetic circuit v1 = = q + 2 (2)
looks like for computing the expression (a+b)*(b*c) : v2 = = v0 * v1 (3)
v3 = = n + 1 (4)
v2 = = v3 (5)
output = = 1 (6)
Primary: [1, n, output]
(7)
Auxiliary: [p, q, v0, v1, v2, v3]
(8)
Multiplication Gates :
Take (7) and (8) and put them together like this.
2
Using Polynomial Interpolation-Lagrangian
<V . [0, 0, 0, 0, 0, 0, 1, 0 ,0]> = v1 + a bunch of 0s Interpolation and Fast Fourier Transform ,this can
be implemented.
The product of these will be, naturally, v0 * v1.
Now, to test for equality, I can isolate v2, and subtract both
terms. They are equal only if the result is 0.
How zk-SNARKs are applied to create a shielded
<V . [0, 0, 0, 0, 0, 0, 0, 1 ,0]> = v2 transaction
If I use s instead of V, I will have actual values on either side The sender of a shielded transaction constructs a proof to
of the equality sign, and the condition will make perfect show that, with high probability:
mathematical sense.
Then, defining
the input values sum to the output values for each
A3 = [0, 0, 0, 0, 0, 1, 0, 0 ,0] shielded transfer.
the sender proves that they have the private
B3 = [0, 0, 0, 0, 0, 0, 1, 0 ,0] spending keys of the input notes, giving them the
authority to spend.
C3 = [0, 0, 0, 0, 0, 0, 0, 1 ,0], The private spending keys of the input notes are
cryptographically linked to a signature over the
third constraint can be written whole transaction, in such a way that the
transaction cannot be modified by a party who did
<A3.s> * <B3.s> - <C3.s> == 0 not know these private keys.
3
Alice will publish a proof-string π convincing the nodes
Hashed notes Nullifier set that whomever published this transaction knows
H2 = HASH(Note2) valuesPK1, sk1, and r1 such that
The hash of the note Note1= (PK1, r1) exists in the
H3 = HASH(Note3) set of hashed notes.
sk1 is the private key corresponding to PK1 (and
thus, whomever knows it is the rightful owner
(Zcash uses a type of mining algorithm called of Note1).
Equihash) The hash of r1 is nf2, (and thus, if nf2 – that we
now know is the nullifier of Note1 – is not
The zero-knowledge proof for a shielded transaction verifies currently in the nullifier set, Note1 still hasn’t been
that, in addition to the conditions listed above, the following spent).
assertions are also true:
For each input note, a revealed commitment exists. How to mine Zcash
The nullifiers and note commitments are computed
correctly. Each time a block is added to the Zcash blockchain, a new
It is infeasible for the nullifier of an output note to ZEC is created. In fact, new blocks are created about every
collide with the nullifier of any other note. 2.5 minutes.
4
percent of that newly created ZEC goes to the miners while profit responsible for developing on the cryptocurrency,
20 percent goes to the founders. Every four years, the rate of since its launch in 2016. Due to the technical changes
ZEC being created will halve, similar to Bitcoin. Currently, included in Sapling, exchanges and wallets will be more
the reward is set at 12.5 ZEC per block. However, each four- readily able to accept shielded transactions. Light and
year period (or 840,000 blocks mined) that reward is cut in mobile wallets will also be a possibility – meaning that users
half. can send anonymized transactions straight from their mobile
devices. Light clients are those that don’t store the full data
from the blockchain but still have the assurance of being
Determining Profitability secure. These are typically clients working on a mobile
device, which doesn’t have as much storage space or
computing power as laptop or desktop computers.The
Sapling protocol will allow shielded transfers to be
The amount of your reward will depend on a variety of completed with about 100 times less memory and probably
factors, including the equipment purchased, electricity cost
in your area, and whether you belong to a mining pool or six or more times faster.
mine alone. But regardless, you can figure out your unique It’s a notable step given currently, shielded transactions are
situation by using a profit calculator. For example, this only possible for users running a full node. And with the
calculator allows you to input the hashing power, power upgrade, the team at the Zcash Company hopes it can
consumption and cost per kW/h to determine your profit ultimately remove transparent transactions, the non-private
ratio per day and per month. Prior to purchasing equipment, zcash transactions that can be damaging to zcash anonymity
you can use this type of calculator to determine whether the when used together with shielded transactions.
initial investment is worth the potential profit. Another feature Sapling includes that will encourage more
use of shielded transactions is so-called “diversified
Setting Up a Zcash Wallet Address addresses,” which make it easier for exchanges to support
more users utilizing the transaction type.
Internet wallets. Internet wallets have apps that
you can download to your smartphone to view and References
manage your wallet. [1] https://z.cash/
[2] https://electriccoin.co//blog/anatomy-of-zcash/
Ex. Coinomi [3] http://coders-errand.com/
[4] https://dagcoin.org/
Hardware wallets. According to Zcash, a
hardware wallet is the safest method for storing your
Zcash. The drawback is that they currently support only
Zcash transparent addresses, and those costs ranges
from $40 to $99.
Ex.Ledger Nano S
Exchange wallets. The exchange wallets are
among the easiest options to set up. You simply need to
create an account with an exchange that supports Zcash.
However, check out the security of the exchange when
considering this option.
Ex.Coinbase
Future of Zcash