As cryptocurrencies gain broader adoption and more of daily life moves onto decentralized systems, the privacy of the user is seriously undermined. This is mainly due to the way most cryptocurrencies are designed in the first place.
The truth is, the blockchain behaves as an open ledger: every purchase a user has ever made can be traced through it. Although this serves the goal of deterring abuse and malicious activity, privacy is completely undermined.
Must someone expose every aspect of their life to the entire world? Is it wrong to ask for a little privacy?
In answer to these questions, a number of coins have emerged that offer their users full privacy. The flag bearers of the anonymity-coin class are Zcash, Monero, and Dash.
We’re going to be covering Zcash in this guide.
Zcash is a decentralized peer-to-peer cryptocurrency. It was developed as a Bitcoin fork and, like Bitcoin, it has a hard cap of 21 million coins. But that’s where the similarity ends. Unlike Bitcoin, Zcash provides complete and absolute anonymity to its users through some clever cryptography.
So, let’s take a look under the hood and see what’s going on behind the scenes.
Is Zcash a Bitcoin Fork?
Zcash was launched as a fork of the Bitcoin blockchain code on October 28, 2016. It started out as the Zerocoin protocol, which was developed into the Zerocash system and eventually into Zcash.
The Zcash Wikipedia article states that the Zerocoin Electric Coin Company, colloquially known as Zcash Group, leads the development of protocol enhancements and the reference implementation.
Zooko Wilcox is the founder, CEO, and guiding force behind Zcash.
How Does Zcash Work?
Zcash is a blockchain and cryptocurrency that allows private transactions (and, more generally, private data) on a public blockchain. This lets businesses, consumers and new applications control who gets to see the details of their transactions, even while using a global, permissionless blockchain.
How does a regular Bitcoin transaction work?
Suppose that Alice wants to send Bob 1 BTC. What does she do?
She sends 1 BTC to Bob’s public address. The miners then include the details of the transaction in their blocks, and the transaction is considered complete.
So, how are Zcash transactions different from ordinary Bitcoin transactions?
First, let’s take a look at a diagram of a Zcash transaction:
What does the diagram tell us?
In Zcash, you have a choice between two types of transaction.
You can either make a standard transparent transaction, OR you can make a private shielded transaction.
Suppose that Alice wants to send 1 ZEC to Bob (ZEC is the Zcash currency unit).
If Bob is content to keep the transaction transparent and visible to the whole world, she can send the ZEC to his transparent address, or t-addr.
However, if he wants privacy and does not want the transaction details to be public, he can simply have the funds sent to his shielded address, known as a z-addr.
If both Alice and Bob use their shielded addresses to transact with each other, then all transaction data is confidential. That includes the identity of Alice, the identity of Bob and the details of the transaction itself.
The reason Zcash achieves such a high level of privacy is its use of zk-SNARKs, or Zero-Knowledge Succinct Non-Interactive Arguments of Knowledge.
Before we continue, it is important to understand what zero-knowledge proofs and zk-SNARKs are, since they are what make Zcash a privacy coin.
What are Zero-Knowledge Proofs?
Zero-knowledge proofs were developed in the 1980s through the work of MIT researchers Shafi Goldwasser, Silvio Micali and Charles Rackoff. They studied interactive proof systems, in which a prover exchanges messages with a verifier (more on provers and verifiers later) to persuade the verifier that they know some proof without revealing what that knowledge is.
Until their seminal breakthrough, most work on proof systems was concerned with the soundness property: it was always assumed that the prover might be dishonest and try to fool the verifier. These three researchers turned the theory on its head by questioning the verifier instead of the prover. The question they asked was how anyone could know for sure that the verifier would not leak the information, and how much knowledge the verifier actually gains during the verification process.
This conundrum has several real-world implications, and one of the most famous concerns password protection. Suppose you want to sign in to a website with your email. The standard protocol is that you type in your password and send it to the server; the server now has the password and compares it to the hash it has stored. If the values match, you are let into the system.
Can you see the big flaw in this system? The server holds a plaintext copy of your password, and your privacy is in the hands of the system (the verifier in this scenario). If the server is compromised or attacked, your password ends up with the malicious party, and the consequences could be dire. In cases like these, zero-knowledge proofs are absolutely essential and path-breaking.
As mentioned above, a zero-knowledge proof involves two parties, the prover and the verifier. Zero knowledge means that the prover can prove to the verifier that they possess certain information without revealing what that information really is.
Properties Of A Zero Knowledge Proof
For a ZKP to work, it has to satisfy three properties:
- Completeness: If the statement is true, an honest verifier will be convinced of it by an honest prover.
- Soundness: If the statement is false, a dishonest prover cannot convince the verifier that it is true by lying.
- Zero-Knowledge: If the statement is true, the verifier learns nothing beyond the fact that it is true.
Now that we have a clear understanding of what a zero-knowledge proof is, let’s go through some examples before we dive deep into zk-SNARKs.
Case #1 Alibaba’s Cave
In this example, the prover (P) tells the verifier (V) that they know the password to a hidden door at the back of a cave. Their goal is to prove the validity of this claim without giving away the password. Here is what it looks like:
The prover takes one of the two paths, A or B; suppose they walk down path A and pass through the secret door at the end. After that, the verifier V arrives at the entrance, with no idea which path the prover actually took, and announces that they want to see the prover emerge from path B.
In the picture, as you can see, the prover does indeed emerge from path B. But what if that was sheer luck? What if the prover didn’t know the password, took path B, got stuck at the door, and by pure chance the verifier asked them to come out of path B, the path they were on anyway?
To rule this out, the experiment is repeated many times. If the prover emerges from the requested path every single time, this convinces the verifier that the prover really knows the password, even though the verifier never learns the password itself.
Let’s check whether the three properties of zero knowledge are met in this example:
- Completeness: Because the statement was true, the honest prover convinced the honest verifier.
- Soundness: A dishonest prover couldn’t trick the verifier, because the check was repeated many times; eventually the prover’s luck would run out.
- Zero-Knowledge: The verifier never learned the password, but was convinced that the prover possessed it.
Case #2 Finding Waldo
Remember Waldo? You must have seen him at some point, either in print or online. For those who don’t know, Finding Waldo is a game where you have to find Waldo in a sea of people. It’s an easy and fun game. Just to give you a basic idea, this is what the game looks like:
And the idea is to find Waldo, who looks like this:
Looks pretty straightforward, right? Find this guy among all the other people in the picture. Okay, so where does the zero-knowledge concept come in? Imagine two people, Anna and Carl. Anna tells Carl that she knows where Waldo is, but she doesn’t want to pinpoint his exact location for him. So, how can she prove to him that she has found Waldo without revealing his exact position?
An interesting paper by Naor, Naor and Reingold gives two zero-knowledge solutions to this problem. There’s a “Mid-Tech Solution” and a “Low-Tech Solution.” Let’s look at both of them.
The reason the first solution is “mid-tech” is that the prover and verifier need access to a photocopier. Here is exactly how it goes. First, Anna and Carl make a photocopy of the original picture. Then Anna, making sure that Carl doesn’t see, cuts Waldo out of the photocopy and destroys the rest. After that, she gives the Waldo cutout to Carl, proving that she knew where Waldo was without pointing out his exact location to Carl.
There are some issues with this approach. Although it meets the “zero knowledge” criterion, it does not meet the “soundness” criterion. There are many ways Anna could have cheated here: she could have brought a Waldo cutout with her from the very beginning and simply shown it to Carl without ever finding Waldo. So what’s the fix?
The fix is a more careful procedure. First, Anna and Carl make a photocopy of the picture. Then Carl draws a distinctive pattern on the back of the photocopy. After that, Carl escorts Anna to a room where she is alone and has no chance of cheating. If Anna comes out with a Waldo cutout whose back carries Carl’s pattern, Carl is convinced that she really knew where Waldo was, without having learned the solution. They can repeat this experiment many times, and Carl can compare the various Waldo cutouts to become even more confident in the validity of Anna’s claim.
The low-tech solution needs only simple equipment. The idea is simple: take a big piece of cardboard, twice the size of the picture, and cut a tiny rectangle in it. Now, while Carl isn’t looking, Anna places the cardboard over the picture so that the rectangle sits right on top of Waldo. Then she tells Carl to take a look, and this is what he sees:
So, while Carl might get a very rough idea of where Waldo could be, he doesn’t know the exact location. Anna has now proven to Carl that she knows where Waldo is, without revealing his precise location.
How to make zero-knowledge proofs non-interactive?
There was one major problem with the early zero-knowledge proof schemes: the prover and the verifier had to be online at the same time for them to work. In other words, the process was “interactive”. This made the whole system inefficient and hard to scale. What if the verifier can’t be online at the same time as the prover? A way to make this more practical was needed.
In 1986, Fiat and Shamir invented the Fiat-Shamir heuristic, which converts an interactive zero-knowledge proof into a non-interactive one. This allowed the whole system to work without any back-and-forth. The method behind it is very simple.
To give you an example, this is how zero-knowledge proofs worked before Fiat and Shamir. Let’s illustrate it with plain discrete logarithms.
- Anna wants to prove to Carl that she knows the value x such that y = g^x, for a known base g.
- Anna picks a random value v from Z_q (the integers modulo the group order q), computes t = g^v, and sends t to Carl.
- Carl picks a random challenge c from Z_q and sends it to Anna.
- Anna computes r = v - c*x (mod q) and sends r back to Carl.
- Carl checks whether t = g^r * y^c holds (since r = v - c*x and y = g^x, substituting gives g^(v - c*x) * g^(c*x) = g^v = t).
- Carl never learns the value of x, yet checking that t = g^r * y^c convinces him that Anna really knows x.
Now, although the above protocol is zero-knowledge, the trouble is that Anna and Carl both need to be online and exchange values for it to work.
How can Anna prove to Carl that she knows something without Carl being online? She can do so with a basic cryptographic hash function, as Fiat and Shamir proposed.
Let’s look at how the example above works in a non-interactive way:
- Anna wants to prove to Carl that she knows the value x such that y = g^x, for the base g.
- Anna picks a random value v from Z_q and computes t = g^v.
- Anna computes the challenge herself as c = H(g, y, t), where H() is a cryptographic hash function.
- Anna computes r = v - c*x (mod q) and publishes the proof (t, r).
- Later, Carl (or anyone else) recomputes c = H(g, y, t) and checks whether t = g^r * y^c.
As you can see, the zero-knowledge proof has been made non-interactive. And that’s what laid the groundwork for zk-SNARKs.
What’s the use of zk-SNARKs?
zk-SNARK stands for “Zero-Knowledge Succinct Non-Interactive Argument of Knowledge”. Its potential in new blockchain technology is immense. To understand its use, it helps to know how a smart contract works. In practice, a smart contract is like an escrow of funds that is released once a given task has been completed.
E.g. Anna deposits 100 ETH into a smart contract she enters into with Carl. Carl has to complete a specific task, after which he receives the 100 ETH from the smart contract.
This gets complicated when the things Carl has to do are multi-step and security-sensitive. Suppose you have entered into a smart contract with Anna. You only get paid if you do A, B and C. What if you don’t want to share the details of A, B and C because they are proprietary to your business and you don’t want your customers to know what you have to do?
What zk-SNARKs do is prove to the smart contract that these steps have been completed without disclosing what the steps really are. This is very helpful for protecting your privacy and that of your business. You can reveal only part of the process, without revealing the whole, and still prove that you are telling the truth.
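The two protocols described above, worked through in code. This is an added example, not code from the original article or from the Zcash project; the group parameters p, q and g are constructed toy values (far too small to be secure) and the function names are my own. It also includes a simulator, which shows in practice why the transcript leaks nothing about x.

```python
import hashlib
import secrets

# Constructed toy group (NOT a secure size): p = 2q + 1 with q prime, and
# g = 4 generates the order-q subgroup of Z_p^*. Real deployments use
# 256-bit curve groups or 2048-bit+ fields; the protocol is identical.
P, Q, G = 2039, 1019, 4


def prover_commit(v=None):
    """Step 1: Anna picks a random v in Z_q and announces t = g^v."""
    v = secrets.randbelow(Q) if v is None else v
    return v, pow(G, v, P)


def prover_respond(x, v, c):
    """Step 3: Anna answers the challenge with r = v - c*x, reduced mod q."""
    return (v - c * x) % Q


def verify(y, t, c, r):
    """Carl's check: t == g^r * y^c. Holds because g^(v-cx) * g^(cx) = g^v."""
    return t == (pow(G, r, P) * pow(y, c, P)) % P


def fiat_shamir_challenge(y, t):
    """Replace Carl's random c with a hash of the public values. Binding g, y
    and t into the hash is what stops a prover from choosing t after c."""
    data = f"{G}|{P}|{y}|{t}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def ni_prove(x, y, v=None):
    """Non-interactive proof of knowledge of x with y = g^x: returns (t, r)."""
    v, t = prover_commit(v)
    c = fiat_shamir_challenge(y, t)
    return t, prover_respond(x, v, c)


def ni_verify(y, proof):
    """Anyone can check the proof later by recomputing c themselves."""
    t, r = proof
    return verify(y, t, fiat_shamir_challenge(y, t), r)


def simulate(y, c=None, r=None):
    """Zero-knowledge in action: a transcript that verifies, built without x,
    by choosing c and r first and solving for t = g^r * y^c."""
    c = secrets.randbelow(Q) if c is None else c
    r = secrets.randbelow(Q) if r is None else r
    return (pow(G, r, P) * pow(y, c, P)) % P, c, r


if __name__ == "__main__":
    x = 123                    # Anna's secret
    y = pow(G, x, P)           # public value
    v, t = prover_commit()
    c = secrets.randbelow(Q)   # Carl's challenge (interactive version)
    print("interactive:", verify(y, t, c, prover_respond(x, v, c)))
    print("non-interactive:", ni_verify(y, ni_prove(x, y)))
    t2, c2, r2 = simulate(y)
    print("simulated transcript verifies:", verify(y, t2, c2, r2))
```

The simulated transcript is indistinguishable from a real one, which is exactly why Carl cannot extract x from what he sees.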
How does a zk-SNARK work?
A zk-SNARK consists of three algorithms: G, P and V.
G is the key generator. It takes as input a secret parameter “lambda” (which must be kept secret and never disclosed under any circumstances) and a program C, and produces two publicly available keys: the proving key pk and the verification key vk. Both keys are public and available to all parties concerned.
P is the prover, which takes three inputs: the proving key pk, a public input x that is freely accessible, and a private statement whose knowledge the prover wants to prove without disclosing it. Let’s call the private statement “w.” The P algorithm produces a proof prf such that prf = P(pk, x, w).
The verifier algorithm V essentially returns a boolean value, which has only two possibilities: TRUE or FALSE. The verifier takes the verification key vk, the public input x and the proof prf as input:
V(vk, x, prf)
… and returns TRUE if the proof is valid and FALSE otherwise.
Finally, lambda. The value of “lambda” must be kept secret because anyone who knows it can generate false proofs. Such bogus proofs would verify as TRUE regardless of whether the prover really knows the private statement “w.”
Functionality of a zk-SNARK
To demonstrate how a zk-SNARK works, we will use the same example function that Christian Lundkvist used in his article for ConsenSys. Here is what the sample program looks like:
function C(x, w) {
    return (sha256(w) == x);
}
Essentially, function C takes two inputs: a public hash value “x” and a secret statement “w” that needs to be verified. If the SHA-256 hash of w equals “x,” the function returns TRUE; otherwise it returns FALSE. (SHA-256 is the hash function used in Bitcoin.)
Let’s bring our old friends Anna and Carl back into this example. Anna is the prover, and Carl the skeptic is the verifier.
The first thing that Carl, as the verifier, has to do is create the proving and verification keys using the generator G. For this, Carl needs to produce the random value “lambda.” However, as mentioned above, he has to be very careful with lambda: he must not let Anna learn its value, or she could produce false proofs.
Anyway, this is what it’s going to look like:
G(C, lambda) = (pk, vk).
Now that the two keys have been produced, Anna has to prove the statement by producing a proof. She does so with the prover algorithm P. She will prove that she knows the secret value “w” that hashes (under SHA-256) to the output x. So, the proof-generation step looks like this:
prf = P(pk, x, w).
Now that she’s created the “prf” proof, she’s going to give the value to Carl who’s finally going to run the Zk-Snarks verification algorithm.
This is what that will look like:
V(vk, x, prf).
Here, vk is the verification key, x is the known hash value, and prf is the proof he received from Anna. If this algorithm returns TRUE, Anna was truthful and really knows the secret value “w.” If it returns FALSE, Anna was lying about knowing “w.”
How Is Zcash Mined?
Block mining in Zcash is performed via the Equihash algorithm.
Equihash is a Proof-of-Work algorithm developed by Alex Biryukov and Dmitry Khovratovich. It is based on the Generalized Birthday Problem.
A big reason Equihash is used is to make mining as ASIC-unfriendly as possible. The trouble with currencies like Bitcoin is that large mining pools monopolize the mining market by spending a lot of money on ASICs to mine as much Bitcoin as possible.
Making mining ASIC-unfriendly ensures that it stays more decentralized and less centrally controlled.
In describing Equihash, Zcash argues that it is unlikely that any big Equihash optimization will give an edge to the miners who discover it. This is because computer scientists and cryptographers have studied the Generalized Birthday Problem extensively, and Equihash is closely related to it. That is, a good optimization of Equihash would most likely also be an optimization of the Generalized Birthday Problem.
So we’ve heard a little about this “birthday problem”. Now, what is it? What is the birthday conundrum, or paradox?
If you meet a random stranger on the street, the odds that the two of you share a birthday are very small. In fact, assuming every day of the year is equally likely to be a birthday, the odds of another person sharing your birthday are 1/365, which is 0.27 per cent.
In other words, very low.
Having said that, if you gather 20-30 people in one room, the probability that two of them share exactly the same birthday increases dramatically. In fact, in this situation there is a 50-50 chance of two people sharing the same birthday!
Why? It’s because of a simple probability rule that goes as follows: if there are N possible outcomes for an event, you need about the square root of N random samples to have a 50 percent probability of a collision.
So following this birthday rule, you have 365 possible birthdays, and you only need about Sqrt(365), which is roughly 23, randomly chosen people for a 50 percent chance that two of them share a birthday.
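To make the birthday bound and the generalized birthday problem behind Equihash concrete, here is an added example (not code from the article or from the Zcash project): the exact 50% birthday threshold, and a toy Equihash-style solver using Wagner's k-tree algorithm, with a verifier and a nonce loop like a miner's. The hash, the parameters (n = 24, k = 3, 128 hashes per instance) and the function names are constructed assumptions for a tiny instance; real Equihash uses BLAKE2b with much larger n and k plus a difficulty filter and extra binding rules that are omitted here.

```python
import hashlib
from collections import defaultdict


def birthday_threshold(options):
    """Smallest number of uniform draws from `options` values that gives at
    least a 50% chance of a repeat, by the exact product formula. For 365
    days this is 23; sqrt(365) is only about 19, so the square-root rule
    gives the order of magnitude rather than the exact count."""
    p_all_distinct, n = 1.0, 0
    while p_all_distinct > 0.5:
        p_all_distinct *= (options - n) / options
        n += 1
    return n


def toy_hash(seed, index, n_bits):
    """n-bit hash of (seed, index); stands in for Equihash's BLAKE2b call."""
    digest = hashlib.blake2b(seed + index.to_bytes(4, "big"), digest_size=8).digest()
    return int.from_bytes(digest, "big") & ((1 << n_bits) - 1)


def gbp_solve(seed, n_bits, k, list_size):
    """Wagner's k-tree algorithm for the generalized birthday problem: find
    2**k distinct indices whose hashes XOR to zero. Each of the k rounds pairs
    up entries that agree on the next n/(k+1) bits; the XOR of such a pair has
    those bits zero, so they are shifted away. The last round needs all the
    remaining bits to agree, which is where the solution's XOR becomes zero."""
    width = n_bits // (k + 1)
    entries = [(toy_hash(seed, i, n_bits), (i,)) for i in range(list_size)]
    for rnd in range(k):
        final = rnd == k - 1
        buckets = defaultdict(list)
        for val, idx in entries:
            buckets[val if final else val & ((1 << width) - 1)].append((val, idx))
        merged = []
        for group in buckets.values():
            for a in range(len(group)):
                for b in range(a + 1, len(group)):
                    (va, ia), (vb, ib) = group[a], group[b]
                    if set(ia).isdisjoint(ib):        # indices must stay distinct
                        merged.append(((va ^ vb) >> width, ia + ib))
        entries = merged
    return sorted({tuple(sorted(idx)) for _, idx in entries})


def gbp_verify(seed, n_bits, k, indices):
    """Cheap verification, the asymmetry a proof of work needs: 2**k hashes
    and an XOR, versus the memory-hungry solve."""
    if len(indices) != 2 ** k or len(set(indices)) != len(indices):
        return False
    acc = 0
    for i in indices:
        acc ^= toy_hash(seed, i, n_bits)
    return acc == 0


def mine(seed_prefix, n_bits=24, k=3, list_size=128, max_nonce=10_000):
    """Like a miner, vary a nonce until an instance has a solution. A list of
    2**(n/(k+1)+1) hashes yields about two solutions per instance on average."""
    for nonce in range(max_nonce):
        seed = seed_prefix + nonce.to_bytes(4, "big")
        solutions = gbp_solve(seed, n_bits, k, list_size)
        if solutions:
            return seed, solutions[0]
    return None


if __name__ == "__main__":
    print("people needed for a 50% shared birthday:", birthday_threshold(365))
    seed, solution = mine(b"constructed-seed")
    print("solution indices:", solution)
    print("verifies:", gbp_verify(seed, 24, 3, solution))
```

Doubling n_bits while keeping k fixed squares the list size the solver needs, which is the memory cost Equihash relies on to blunt ASICs.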
Zcash Coin Distribution
Since Zcash is a Bitcoin fork, there are some parallels.
Zcash has a projected supply of 21 million coins, scheduled to be fully mined by 2032. Every four years the block reward is halved to keep the supply in line.
However, unlike most other coins, Zcash was neither pre-mined nor ICO-funded.
Zcash had a group of private investors who financed $1 million to kick off its development. The investors were then granted a 10 percent reward, drawn from the overall supply, over the first 4-year term. This reward is known as the “Founders’ Award.”
Some of these private investors were well-known names such as Barry Silbert, Erik Voorhees, Roger Ver and Naval Ravikant.
Is it difficult to regulate Zcash?
Regulating Zcash is clearly complicated by the additional privacy controls, but there is a way for law enforcement to audit transactions if and when necessary. This is achieved using two mechanisms:
- The View Key
Every user in Zcash has their own “view key.”
When required, the user can share the view key with someone else. The key essentially unshields all of that user’s private transactions: whoever holds the view key can see the user’s activity and the addresses of the recipients.
- The Memo Field
Zcash transactions also come with a memo field. The memo field can contain additional details that only the recipient can read.
According to Zooko Wilcox, the memo field could carry data between financial institutions wherever the law requires such data to be submitted.
Does Zcash have a future?
Zcash faced a potentially severe counterfeiting problem, which is a direct offshoot of its zk-SNARK construction.
In Zcash 1.0, private transactions depend on the SNARK’s public parameters for the creation and verification of zero-knowledge proofs. Generating these shared SNARK parameters involves creating a public/private key pair, then destroying the private key and keeping the public key.
But here is where things get complicated.
If someone gets hold of the private key, they can make counterfeit coins!
Typically, this isn’t an issue with an open ledger like Bitcoin, where all transactions are visible to the whole world. However, in Zcash, privacy prevents anyone from auditing the state of the coins.
Zooko Wilcox’s explanation calls this private key the “toxic waste” problem. Their procedure is built to guarantee that the toxic waste never comes into being at all. Imagine finding a lot of different chemical by-products in your warehouse, each harmless on its own, but which would create a toxic mixture impossible to handle safely if you let them all blend together. Their solution is to keep the individually harmless ingredients apart until they are disposed of, so the hazardous waste never comes into being. And, to minimize an attacker’s chance of getting their hands on the toxic waste, an elaborate ceremony was performed.
The ceremony is recorded in detail in a Radiolab podcast episode.
The aim of the ceremony was as follows:
To run a secure multi-party computation in which several individuals each produce a “shard” of the public/private key pair.
Once that is done, each participant destroys their private key shard, and then the public key shards are brought together to form the public key.
So essentially, if even one participant destroys their secret shard, the private key is impossible to recover. The ceremony would only fail if every participant were dishonest.
You ought to read Morgan Peck’s first-hand account of the ceremony. The sheer lengths these individuals went to are remarkable.
Concerning the ceremony’s outcome, Zooko Wilcox said that they pulled off a phenomenal feat of cryptographic and infosec engineering to create the SNARK public parameters for Zcash 1.0 ‘Sprout.’ The ceremony’s general architecture was based on multi-party computation, air-gaps and indelible evidence trails. Six people took part in the ceremony. The multi-party computation means that even if five of the six participants were compromised or knowingly colluded to try to recreate the toxic waste, a single participant acting honestly and destroying their toxic-waste shard would prevent it from ever being reconstructed. Given the extraordinary strength of this ceremony, they plan to recommend a major update to the Zcash protocol that will add a tracking component to the existing mitigation system.
Ethereum + ZCash = <3?
Zcash is a cryptocurrency introduced by the Zerocoin Electric Coin Company on 9 September 2016 and is the first case of a cryptocurrency combining blockchain technology with zk-SNARKs. It aims to provide its users with fully private and secure transactions without revealing details (such as their addresses) to anyone.
Ethereum plans to incorporate zk-SNARKs as it reaches its Metropolis phase, and the way they intend to do so is by forming a partnership with Zcash that involves a mutual exchange of value. Zcash’s chief, Zooko Wilcox, gave a presentation at DevCon2 in Shanghai discussing the possibility of such a partnership. According to him, there are three ways that Zcash, and by extension zk-SNARKs, could be combined with Ethereum.
The first is Baby ZoE (ZoE = Zcash on Ethereum). It adds a zk-SNARK precompile to Ethereum and brings a mini Zcash smart contract to Ethereum. The aim is to see whether the Ethereum community will build zk-SNARK-enabled DApps.
The second approach is to incorporate Ethereum’s computability into Zcash. As Wilcox puts it, Ethereum’s greatest advantage is its computability, and people want to see how it can be brought into a zk-SNARK-based blockchain like Zcash. Could people build DApps with zero-knowledge proofs? That’s what they’re hoping to see.
The third and most interesting is Project Alchemy. This is essentially the connection and interoperation between the two blockchains, so that one can move smoothly between the two. The way Zcash plans to do this is to clone BTC Relay, an Ethereum contract that was written to build a Bitcoin light client inside Ethereum. The Zcash clone uses the same principle to build a Zcash light client inside Ethereum.
If this succeeds, we will have the first decentralized currency network in the world to support the development of zero-knowledge DApps.
How much is Zcash worth today?
Zcash is definitely one of the best and most thrilling coins out there right now. It’s been doing pretty well since its inception.
The Zcash market cap was, as of writing this article, $6348,866,483.
The price of 1 ZEC is $70.80.
It’s pretty clear that people trust Zcash’s privacy in an increasingly open environment.