
Presentation on ZCASH
B.Tech. (CS) – V Semester-B Batch
Session: July-Dec’2019

Submitted To: AIM & ACT Department
Submitted By: Shreyasi Katiyar, 1712568
Banasthali Vidyapith
Outline

• What is Zcash
• How it works
• What are zk-SNARKs
• How zk-SNARKs are constructed in Zcash
• How zk-SNARKs are applied to create a shielded transaction
• How to mine Zcash
• Future of Zcash
• References
What is Zcash?
•Zcash is a P2P cryptocurrency
•Forked out of Bitcoin
•Launched in October, 2016
•Inherits basic properties like $21M mining limit
•Low transaction fees: 0.0001 ZEC
How it works?

It is based on a special cryptographic zero-knowledge proof (zk-SNARK) protocol that ensures the privacy, anonymity, and fungibility of Zcash coins.
How it works?
Sample Transaction
What are zk-SNARKs?
Zero-Knowledge Succinct Non-interactive Arguments of Knowledge
• One can prove possession of certain information, e.g. a secret key, without revealing that information, and without any interaction between the prover and verifier.
• The function determining the validity of a transaction according to the network’s consensus rules must return the answer of whether the transaction is valid or not, without revealing any of the information it performed the calculations on.
Computation → Arithmetic Circuit → R1CS → QAP → zk-SNARK
How zk-SNARKs are constructed in Zcash
Computation → Arithmetic Circuit → R1CS → QAP → zk-SNARK
Arithmetic Circuit

Similar to a boolean circuit, where a program is compiled down to discrete, single steps like AND, OR, NOT, when a program is converted to an arithmetic circuit, it’s broken down into single steps consisting of the basic arithmetic operations of addition, subtraction, multiplication, and division.
How zk-SNARKs are constructed in Zcash
Here is an example of what an arithmetic circuit looks like for computing
the expression (a+b)*(b*c) :
How zk-SNARKs are constructed in Zcash
Computation → Arithmetic Circuit → R1CS → QAP → zk-SNARK

A Rank 1 Constraint System, or R1CS, is used to check that the values are “traveling correctly”.
• R1CS must receive as input an assignment of the full state of the computation. By getting a snapshot of the values of all variables we can verify they have all been properly computed and guarantee the computation was correct one step at a time.
Variables in our R1CS:
Primary Assignment:
• the constant 1
• all the public inputs to our original function
• the outputs of our original function
Auxiliary Assignment:
• the private inputs to the original function
• all the auxiliary variables created during the computation
How zk-SNARKs are constructed in Zcash
Prove that you know (p,q) such that (p+3)(q+2) = n+1. The values (p,q) are private to you, while the value n is publicly known.
v0 == p + 3
v1 == q + 2
v2 == v0 * v1
v3 == n + 1
v2 == v3
output == 1
Multiplication Gates
V = [1, n, output, p, q, v0, v1, v2, v3]
s = [1, 41, 1, 3, 5, 6, 7, 42, 42] (for p=3; q=5)
To express v2 = v0 * v1:
A3 = [0, 0, 0, 0, 0, 1, 0, 0, 0]
B3 = [0, 0, 0, 0, 0, 0, 1, 0, 0]
C3 = [0, 0, 0, 0, 0, 0, 0, 1, 0]
The constraint can be written:
<A3.s> * <B3.s> - <C3.s> == 0
Addition Gates
v0 == p + 3
v0 == 1 * (p + 3)
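
The full constraint system for this example, as an added illustration that is not part of the original slides: all six constraints are written as (A, B, C) rows over the slide's variable order V and checked against an assignment s. It assumes plain integers instead of the finite field a real zk-SNARK uses, and the helper names (vec, failing_constraints, assignment) are hypothetical.

```python
# Added example: R1CS for (p+3)(q+2) = n+1, using the slide's variable order.
V = ["1", "n", "output", "p", "q", "v0", "v1", "v2", "v3"]
IDX = {name: i for i, name in enumerate(V)}

def vec(**terms):
    """Build a coefficient row, e.g. vec(one=3, p=1) encodes 3*1 + p."""
    row = [0] * len(V)
    for name, coeff in terms.items():
        row[IDX["1" if name == "one" else name]] = coeff
    return row

# Each constraint is (A, B, C) and holds when <A.s> * <B.s> - <C.s> == 0.
# Addition gates use the slide's rewrite: v0 == 1 * (p + 3).
R1CS = [
    (vec(one=1), vec(one=3, p=1), vec(v0=1)),   # 1: v0 == p + 3
    (vec(one=1), vec(one=2, q=1), vec(v1=1)),   # 2: v1 == q + 2
    (vec(v0=1),  vec(v1=1),       vec(v2=1)),   # 3: v2 == v0 * v1 (A3, B3, C3)
    (vec(one=1), vec(one=1, n=1), vec(v3=1)),   # 4: v3 == n + 1
    (vec(one=1), vec(v2=1),       vec(v3=1)),   # 5: v2 == v3
    (vec(one=1), vec(output=1),   vec(one=1)),  # 6: output == 1
]

def dot(row, s):
    return sum(c * x for c, x in zip(row, s))

def failing_constraints(s):
    """Return the 1-based numbers of the constraints that s violates."""
    return [i for i, (a, b, c) in enumerate(R1CS, start=1)
            if dot(a, s) * dot(b, s) - dot(c, s) != 0]

def assignment(p, q, n):
    """Full state of the computation, in the order of V."""
    v0, v1 = p + 3, q + 2
    return [1, n, 1, p, q, v0, v1, v0 * v1, n + 1]

if __name__ == "__main__":
    honest = assignment(3, 5, 41)     # the slide's s
    wrong = assignment(4, 5, 41)      # (p, q) that does not satisfy the relation
    forged = list(wrong)
    forged[IDX["v2"]] = 42            # misreport v2 so that it equals v3
    for label, s in (("honest", honest), ("wrong", wrong), ("forged", forged)):
        print(label, s, "violates:", failing_constraints(s))
```

Misreporting v2 only moves the failure from constraint 5 to constraint 3, which is why the verifier needs the full state checked one step at a time.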
How zk-SNARKs are constructed in Zcash
Computation → Arithmetic Circuit → R1CS → QAP → zk-SNARK
To “bundle all these constraints into one”, this method uses a representation of the circuit called a Quadratic Arithmetic Program (QAP).
A Quadratic Arithmetic Program (QAP) is derived from an R1CS.
• Our goal is to devise a set of polynomials that simultaneously encode all of the constraints, so that we can verify their satisfiability with a single check on the polynomials instead of a check over each constraint.
• This can be implemented using polynomial interpolation (Lagrange interpolation) and the Fast Fourier Transform.
How zk-SNARKs are applied to create a shielded transaction

• Unspent transaction output (UTXO)
• Commitment = HASH(recipient address, amount, rho, r)
• Nullifier = HASH(spending key, rho)

(PK1, balance) => Note
Note-1 = (PK1, balance, r1)
H1 = HASH(Note-1)
nf1 = HASH(r1)
How zk-SNARKs are applied to create a shielded transaction

Alice sends 1 ZEC to Bob

Alice randomly chooses a new serial number r4
Note4 = (PK4, r4)
Assume she sends Note4 to Bob privately.
She sends the nullifier of Note-1, nf2 = HASH(r1), to all nodes.
She sends the hash of the new note, H4 = HASH(Note4), to all nodes.
HOW TO MINE ZCASH

•Hardware
•Mining reward
•Profit calculator
•Zcash wallets
Future of Zcash

•Proving time improvements from 40 sec to 4 sec
•Reduction in RAM usage from 3GB to few 10s of MB
•Improved MPC (multi-party computation) protocol called “Powers of Tau”, which allows the parties on the network to be chosen dynamically
References

• https://z.cash/
• https://electriccoin.co//blog/anatomy-of-zcash/
• http://coders-errand.com/
• https://dagcoin.org/
