ZCASH
Shreyasi Katiyar
Banasthali Vidyapith, katiyarshreyasi2000@gmail.com
Abstract - Bitcoin’s transparent, immutable, publicly
auditable ledger allows any party to trivially verify the
correctness of transactions. This transparency means
that an adversary may, while obeying the rules of the
network, trace the flow of transactions. By
corresponding a transaction to an individual, the
adversary may determine the source and destination of
that user’s funds, resulting in a serious loss of privacy.
Several alternative cryptocurrencies ("altcoins") have
endeavored to create systems that preserve privacy. The
chief difficulty in creating such a system is devising a
way that the correctness of transactions can be easily
verified while obscuring the underlying details of the
transactions. Zcash is an implementation of the
Decentralized Anonymous Payment scheme Zerocash,
with security fixes and improvements to performance
and functionality. It bridges the existing transparent
payment scheme used by Bitcoin with a shielded
payment scheme secured by zero-knowledge succinct
non-interactive arguments of knowledge (zk-SNARKs).
It attempted to address the problem of mining
centralization by use of the Equihash memory-hard
proof-of-work algorithm. This specification defines the
Zcash consensus protocol at launch.
Index Terms - cryptographic protocols, electronic commerce
and payment, proof of work, zero knowledge.
WHAT IS ZCASH
Zcash is a decentralized and open-source peer-to-peer digital
currency(or cryptocurrency) based on bitcoin.It was
launched in October, 2016 by scientists at MIT, Johns
Hopkins and other respected academic and scientific
institutions. It inherits basic properties like $21M mining
limit with minor changes in incentive structure. It has many
core features and capabilities such as low transaction fees of
0.0001 ZEC, address and transaction privacy, encrypted
memos, viewing keys and payment disclosure.
HOW IT WORKS
At the core of Zcash technology are zero-knowledge proofs,
which allow transaction data to be validated without
revealing information about the amount and the parties
involved. Zcash uses specific zero-knowledge proofs called
zk-SNARKs (zero-knowledge succinct non-interactive
arguments of knowledge).
Multiple transaction types
1
Zcash addresses are either private (z-addresses or shielded
through zero-knowledge proofs) or transparent (t-addresses).
A Z-to-Z transaction appears on the public blockchain, so it
is known to have occurred and that the fees were paid. But
the addresses, transaction amount and the memo field are all
encrypted and not publicly visible. Using encryption on a
blockchain is only possible through the use of zero-
knowledge proofs. The owner of an address may choose to
disclose z-address and transaction details with trusted third
parties — auditory and compliance needs — through the use
of view keys and payment disclosure. Transactions between
two transparent addresses (t-addresses) work just like
Bitcoin: the sender, receiver and transaction value are
publicly visible. The two Zcash address types are
interoperable. Funds can be transferred between z-addresses
and t-addresses.
WHAT ARE ZK-SNARKS
Zcash is the first widespread application of zk-SNARKs.
The strong privacy guarantee of Zcash is derived from the
fact that shielded transactions in Zcash can be fully
encrypted on the blockchain, yet still be verified as valid
under the network’s consensus rules by using zk-SNARK
proofs.
It refers to a proof construction where one can prove
possession of certain information, e.g. a secret key, without
revealing that information, and without any interaction
between the prover and verifier.
“Zero-knowledge” proofs allow one party (the prover) to
prove to another (the verifier) that a statement is true,
without revealing any information beyond the validity of the
statement itself. For example, given the hash of a random
number, the prover could convince the verifier that there
indeed exists a number with this hash value, without
revealing what it is. In a zero-knowledge “Proof of
Knowledge” the prover can convince the verifier not only
that the number exists, but that they in fact know such a
number – again, without revealing any information about the
number.
“Succinct” zero-knowledge proofs can be verified within a
few milliseconds, with a proof length of only a few hundred
bytes even for statements about programs that are very large.
In “non-interactive” constructions, the proof consists of a
single message sent from prover to verifier, a common
reference string shared between prover and verifier. We refer
to this common reference string as the public parameters of
the system.
 How zk-SNARKs are constructed in Zcash
The function determining the validity of a transaction
according to the network’s consensus rules must return the
answer of whether the transaction is valid or not, without
revealing any of the information it performed the
calculations on.
This is done by encoding some of the network’s consensus
rules in zk-SNARKs. At a high level, zk-SNARKs work by
first turning what you want to prove into an equivalent form
about knowing a solution to some algebraic equations.
computed and guarantee the computation was correct one
step at a time. We include as variables in our R1CS:
 the constant 1
 all the public inputs to our original function
 the outputs of our original function
 the private inputs to the original function
 all the auxiliary variables created during the
computation
An assignment can be divided in two parts:

Computation → Arithmetic Circuit → R1CS → QAP →  Primary assignment: the constant 1, public inputs
zk-SNARK and outputs
 Auxiliary assignment: private inputs and all
Arithmetic Circuit auxiliary variables

Similar to a boolean circuit where a program is compiled Example : Prove that you know (p,q) such that (p+3)(q+2) =
down to discrete, single steps like AND, OR, NOT, when a n+1. The values (p,q) are private to you, while the value n is
program is converted to an arithmetic circuit, it’s broken publicly known.
down into single steps consisting of the basic arithmetic
operations of addition, subtraction, multiplication, and v0 = = p + 3 (1)
division. Here is an example of what an arithmetic circuit v1 = = q + 2 (2)
looks like for computing the expression (a+b)*(b*c) : v2 = = v0 * v1 (3)
v3 = = n + 1 (4)
v2 = = v3 (5)
output = = 1 (6)
 Primary: [1, n, output]
(7)
 Auxiliary: [p, q, v0, v1, v2, v3]
(8)

How Constraints Work

Multiplication Gates :
Take (7) and (8) and put them together like this.

V = [1, n, output, p, q, v0, v1, v2, v3]

An assignment is just a vector with these variable names

FIGURE 1
EXAMPLE ARITHMETIC CIRCUIT
R1CS
A Rank 1 Constraint System, or R1CS, to check that the
values are “traveling correctly”. The verifier has to check
many constraints — one for almost every wire of the circuit.
The R1CS must receive as input an assignment of the full
state of the computation. This is defined by the value of all
the variables used in the process, and because each was set
only once, its final value is equal to what it was when it was
used. Therefore, by getting a snapshot of the values of all
variables we can verify they have all been properly
replaced by values. For example for p =3 , q = 5, a
successful computation will look like this (n = 41):
s = [1, 41, 1, 3, 5, 6, 7, 42, 42]
Now for example, to encode the third constraint, we want to
express (3).
We can do this by taking two copies of V, filtering out the
only terms we care about, and multiplying them. We do that
using the dot product. So, if we want to isolate v0 only, we
do:
<V . [0, 0, 0, 0, 0, 1, 0, 0 ,0]> = v0 + a bunch of 0s
and to isolate v1 we do

2

<V . [0, 0, 0, 0, 0, 0, 1, 0 ,0]> = v1 + a bunch of 0s
The product of these will be, naturally, v0 * v1.
Now, to test for equality, I can isolate v2, and subtract both
terms. They are equal only if the result is 0.
<V . [0, 0, 0, 0, 0, 0, 0, 1 ,0]> = v2
If I use s instead of V, I will have actual values on either side
of the equality sign, and the condition will make perfect
mathematical sense.
Then, defining
A3 = [0, 0, 0, 0, 0, 1, 0, 0 ,0]
B3 = [0, 0, 0, 0, 0, 0, 1, 0 ,0]
C3 = [0, 0, 0, 0, 0, 0, 0, 1 ,0],
third constraint can be written
<A3.s> * <B3.s> - <C3.s> == 0
Addition Gates :
All the constraints in the R1CS specify a term is equal to the
product of two other terms. Each term is a linear
combination of the system’s variables. We can add any
multiple of each variable before multiplying them. Even if
we have an addition gate we have to craft the constraint as a
product of something.
In the previous example, taking (1), the righthand side can
be encoded as
V0= =1 * (p + 3)
A1 = [1, 0, 0, 0, 0, 0, 0, 0, 0]
B1 = [3, 0, 0, 1, 0, 0, 0, 0, 0]
C1 = [0, 0, 0, 0, 0, 1, 0, 0, 0]
QAP
To “bundle all these constraints into one”, the method uses a
representation of the circuit called a Quadratic Arithmetic
Program (QAP).
Once we have the full set of constraints, we can create the
QAP. Our goal is to devise a set of polynomials that
simultaneously encode all of the constraints, so that we can
verify the satisfiability thereof with a single check on the
polynomials instead of a check over each constraint. The
clever trick is to build the polynomials in a way that they can
generate all of the constraints.
3
Using Polynomial Interpolation-Lagrangian
Interpolation and Fast Fourier Transform ,this can
be implemented.
How zk-SNARKs are applied to create a shielded
transaction
The sender of a shielded transaction constructs a proof to
show that, with high probability:
 the input values sum to the output values for each
shielded transfer.
 the sender proves that they have the private
spending keys of the input notes, giving them the
authority to spend.
 The private spending keys of the input notes are
cryptographically linked to a signature over the
whole transaction, in such a way that the
transaction cannot be modified by a party who did
not know these private keys.
Bitcoin tracks unspent transaction outputs (UTXOs) to
determine what transactions are spendable. In Zcash, the
shielded equivalent of a UTXO is called a “commitment”,
and spending a commitment involves revealing a “nullifier”.
Commitments and nullifiers are stored as hashes, to avoid
disclosing any information about the commitments, or which
nullifiers relate to which commitments. Each unspent
transaction output (UTXO) can be thought of as an unspent
‘note’ that is described by the address/public key of its
owner and the amount of ZEC it contains. dFor each new
note created by a shielded payment, a commitment is
published which consists of a hash of the address to which
the note was sent, the amount being sent, a number “rho”
which is unique to this note and a random nonce.
Commitment = HASH(recipient address, amount, rho, r)
When a shielded transaction is spent, the sender uses their
spending key to publish a nullifier which is the hash of the
secret unique number (“rho”) from an existing commitment
that has not been spent, and provides a zero-knowledge
proof demonstrating that they are authorized to spend it.
This hash must not already be in the set of nullifiers tracking
spent transactions kept by every node in the blockchain.
Nullifier = HASH(spending key, rho)
TABLE 1
COMMITMENT AND NULLIFIERS STORED AS HASH
Hashed notes Nullifier set
H1 = HASH(Note1) nf1 = HASH(r2)
 Alice will publish a proof-string π convincing the nodes
Hashed notes Nullifier set that whomever published this transaction knows
H2 = HASH(Note2) valuesPK1, sk1, and r1 such that
 The hash of the note Note1= (PK1, r1) exists in the
H3 = HASH(Note3) set of hashed notes.
 sk1 is the private key corresponding to PK1 (and
thus, whomever knows it is the rightful owner
(Zcash uses a type of mining algorithm called of Note1).
Equihash)  The hash of r1 is nf2, (and thus, if nf2 – that we
now know is the nullifier of Note1 – is not
The zero-knowledge proof for a shielded transaction verifies currently in the nullifier set, Note1 still hasn’t been
that, in addition to the conditions listed above, the following spent).
assertions are also true:
 For each input note, a revealed commitment exists. How to mine Zcash
 The nullifiers and note commitments are computed
correctly. Each time a block is added to the Zcash blockchain, a new
 It is infeasible for the nullifier of an output note to ZEC is created. In fact, new blocks are created about every
collide with the nullifier of any other note. 2.5 minutes.

How a transaction is made

Now suppose Alice owns Note1 and wishes to send it to
Bob, whose public key is PK4. We will assume for
simplicity that Alice and Bob have a private channel
between them although this is not actually necessary in
Zcash. Basically, Alice will invalidate her note by
publishing its nullifier, and at the same time create a new
note that is controlled by Bob.
 She randomly chooses a new serial number r4 and
defines the new note  Note4= (PK4,r4).
 She sends Note4 to Bob privately.
 She sends the nullifier of  Note1,  nf2= HASH(r1)
to all nodes.
 She sends the hash of the new note  H4=  very hot during mining.
HASH(Note4) to all nodes.
Now, when a node receives nf2 and  H4, it will check
whether the note corresponding to nf2 has already been
spent, simply by checking if nf2 already exists in the
nullifier set. If it doesn’t, the node adds nf2 to the nullifier
set and adds H4 to the set of hashed notes; thereby validating
the transaction between Alice and Bob.
TABLE 2
HASH TABLE AFTER A TRANSACTION
Selecting the Right Hardware
Zcash uses the Equihash algorithm, which relies on high
RAM requirements, so miners can’t use the
ASIC(application-specific integrated circuit) setup for
mining(large upfront investment) the cryptocurrency. As a
result, you have two options to consider - CPUs and
GPUs(Graphics Processing Unit).
CPU equipment. The benefit of mining Zcash is that we can
use your existing CPU, which we can’t do with other
options, such as Bitcoin If you’re purchasing a new CPU,
make sure that it has adequate cooling because units can get
GPU equipment. The benefit of GPU mining is that it’s
faster and more efficient than CPU mining. But it’s also a
more expensive investment. When looking to purchase this
type of equipment, check the hashing power of the unit
(which is directly tied to how much you’ll earn). Some
miners decide to purchase a used setup, which is fine, but
GPUs get hot and if the cooling isn’t working properly, it
could quickly destroy your investment. As with the CPU
units, ensure that all fans are working correctly upon
receiving the equipment.

Hashed notes Nullifier set

H1= HASH(Note1) nf1= HASH(r2) Mining Reward
H2= HASH(Note2) nf2= HASH(r1)
H3= HASH(Note3) However, 10 percent of that reward is distributed to the
H4= HASH(Note4) stakeholders in the Zcash company, which includes the
founders, investors, advisors and employees. Zcash calls this
the "Founders Reward". For the first four years of
operation, 50 ZEC will be created every 10 minutes, and 80

4
percent of that newly created ZEC goes to the miners while
20 percent goes to the founders. Every four years, the rate of
ZEC being created will halve, similar to Bitcoin. Currently,
the reward is set at 12.5 ZEC per block. However, each four-
year period (or 840,000 blocks mined) that reward is cut in
half.
Determining Profitability
The amount of your reward will depend on a variety of
factors, including the equipment purchased, electricity cost
in your area, and whether you belong to a mining pool or
mine alone. But regardless, you can figure out your unique
situation by using a profit calculator. For example, this
calculator allows you to input the hashing power, power
consumption and cost per kW/h to determine your profit
ratio per day and per month. Prior to purchasing equipment,
you can use this type of calculator to determine whether the
initial investment is worth the potential profit.
Setting Up a Zcash Wallet Address
 Internet wallets. Internet wallets have apps that
you can download to your smartphone to view and
manage your wallet.
Ex. Coinomi
 Hardware wallets. According to Zcash, a
hardware wallet is the safest method for storing your
Zcash. The drawback is that they currently support only
Zcash transparent addresses, and those costs ranges
from $40 to $99.
Ex.Ledger Nano S
 Exchange wallets. The exchange wallets are
among the easiest options to set up. You simply need to
create an account with an exchange that supports Zcash.
However, check out the security of the exchange when
considering this option.
Ex.Coinbase
profit responsible for developing on the cryptocurrency,
since its launch in 2016. Due to the technical changes
included in Sapling, exchanges and wallets will be more
readily able to accept shielded transactions. Light and
mobile wallets will also be a possibility – meaning that users
can send anonymized transactions straight from their mobile
devices. Light clients are those that don’t store the full data
from the blockchain but still have the assurance of being
secure. These are typically clients working on a mobile
device, which doesn’t have as much storage space or
computing power as laptop or desktop computers.The
Sapling protocol will allow shielded transfers to be
completed with about 100 times less memory and probably
six or more times faster.
It’s a notable step given currently, shielded transactions are
only possible for users running a full node.  And with the
upgrade, the team at the Zcash Company hopes it can
ultimately remove transparent transactions, the non-private
zcash transactions that can be damaging to zcash anonymity
when used together with shielded transactions.
Another feature Sapling includes that will encourage more
use of shielded transactions is so-called “diversified
addresses,” which make it easier for exchanges to support
more users utilizing the transaction type.
References
[1] https://z.cash/
[2] https://electriccoin.co//blog/anatomy-of-zcash/
[3] http://coders-errand.com/
[4] https://dagcoin.org/

Your money isn’t backed with insurance and if the location

where it’s stored gets hacked or the coins get stolen - you’re
out of luck. Once they’re stolen, you can’t get the coins
back.

Future of Zcash

Zcash’s core differentiator, shielded transactions, are

computationally heavy – so much so that most users and
exchanges can’t support it. Sapling, the hard fork upgrade
has been the primary focus of the Zcash Company, the for-