Zcash

Add design section (using primary source as this concerns the factual design of the protocol)

← Previous revision Revision as of 16:13, 21 April 2026
Line 55: Line 55:
== Design ==
== Design ==


Zcash is modeled on [[bitcoin]], sharing its 21 million coin supply
Zcash is modeled on [[bitcoin]], sharing its 21 million coin supply cap and [[proof-of-work]] consensus mechanism.{{Cite news |last=Popper |first=Nathaniel |date=2016-10-31 |title=Zcash, a Harder-to-Trace Virtual Currency, Generates Price Frenzy |url=https://www.nytimes.com/2016/11/01/business/dealbook/zcash-a-harder-to-trace-virtual-currency-generates-price-frenzy.html |url-status=live |archive-url=https://web.archive.org/web/20190111120448/https://www.nytimes.com/2016/11/01/business/dealbook/zcash-a-harder-to-trace-virtual-currency-generates-price-frenzy.html |archive-date=11 January 2019 |access-date=26 January 2017 |work=The New York Times}}{{cite web |last1=Elaine |first1=Ou |title=Bitcoin Isn't Anonymous Enough |url=https://www.bloomberg.com/opinion/articles/2016-11-01/bitcoin-isn-t-anonymous-enough?sref=UsAjUhBb |website=Bloomberg.com |publisher=Bloomberg |access-date=17 November 2020 |date=November 1, 2016 }} Zcash uses the [[Equihash]] memory-hard proof-of-work algorithm, which was chosen to resist centralization of mining by specialized hardware.{{Cite web |title=Zcash Protocol Specification |url=https://zips.z.cash/protocol/protocol.pdf |access-date=31 March 2026}} Unlike bitcoin, where all transaction details are publicly visible on the blockchain, Zcash offers an optional privacy layer using a cryptographic technique called [[Zk-SNARK|zk-SNARKs]] (zero-knowledge succinct non-interactive arguments of knowledge).{{Cite web |last=Orcutt |first=Mike |date=2017-11-24 |title=Why America's Biggest Bank Digs Anonymous Cryptocurrency |url=https://www.technologyreview.com/2017/11/24/148040/why-americas-biggest-bank-digs-anonymous-cryptocurrency/ |website=MIT Technology Review}}{{Cite web |last=Hackett |first=Robert |date=2018-01-31 |title=One of Bitcoin's Biggest Asset Managers Says Zcash Could Hit $60,000 in 2025 |url=https://fortune.com/2018/01/31/zcash-privacy-cryptocurrency-grayscale/ |website=Fortune}} This method allows transactions to be quickly verified 
as valid without revealing the sender, recipient, or amount transferred.{{Cite web |last=Heaven |first=Will Douglas |date=2018-04-19 |title=Sitting with the cyber-sleuths who track cryptocurrency criminals |url=https://www.technologyreview.com/2018/04/19/143375/sitting-with-the-cyber-sleuths-who-track-cryptocurrency-criminals/ |website=MIT Technology Review}}{{Cite web |last=Orcutt |first=Mike |date=2020-04-02 |title=Perfect Online Privacy |url=https://www.technologyreview.com/2020/01/29/276028/a-new-tool-that-lets-you-prove-something-online-without-risking-your-privacy/ |website=MIT Technology Review}} Unlike mixing-based privacy systems, which obscure transactions among a limited set of participants, Zcash's shielded transactions make each spent note indistinguishable from all other unspent notes on the network.
cap and [[proof-of-work]] consensus mechanism.{{Cite web |title=Zcash Protocol Specification |url=https://zips.z.cash/protocol/protocol.pdf |access-date=31 March 2026}}
Zcash uses the [[Equihash]] memory-hard proof-of-work algorithm,
which was chosen to resist centralization of mining by specialized
hardware. The protocol bridges the transparent
payment scheme used by bitcoin with a shielded payment scheme
secured by [[Zk-SNARK|zk-SNARKs]] (zero-knowledge succinct
non-interactive arguments of knowledge).
Shielded transactions can be verified as valid without revealing
the sender, recipient, or amount transferred.


Zcash supports two types of addresses: transparent addresses,
Zcash supports two types of addresses: transparent addresses, which function similarly to bitcoin addresses with publicly visible transactions, and shielded addresses, which use zero-knowledge proofs to encrypt transaction data.{{Cite web |last1=Silfversten |first1=Erik |last2=Favaro |first2=Marina |last3=Slapakova |first3=Linda |last4=Ishikawa |first4=Sascha |last5=Liu |first5=James |last6=Salas |first6=Adrian |date=2020-05-06 |title=Exploring the use of Zcash cryptocurrency for illicit or criminal purposes |url=https://www.rand.org/pubs/research_reports/RR4418.html |language=en |access-date=5 September 2020 |archive-date=21 September 2020 |archive-url=https://web.archive.org/web/20200921065603/https://www.rand.org/pubs/research_reports/RR4418.html |url-status=live }} Users can transact between the two types, allowing funds to move between the transparent and shielded pools. The shielded transaction system has undergone three generations, known as Sprout, Sapling, and Orchard, each improving the efficiency and security of shielded transactions. This optional privacy model is intended to preserve [[fungibility]], ensuring that all units of the currency are treated equally regardless of their transaction history. Users also have the option to share private viewing keys, allowing designated third parties to see their transaction details for auditing purposes.{{Cite web |last=Peck |first=Morgen E. |date=2016-11-18 |title=A Blockchain Currency That Beats Bitcoin On Privacy |url=https://spectrum.ieee.org/a-blockchain-currency-that-beats-bitcoin-on-privacy |website=IEEE Spectrum}} Since the Sapling upgrade, each spending key has an associated full viewing key that allows recognizing both incoming and outgoing transactions without granting spending authority.
which function similarly to bitcoin addresses with publicly visible
transactions, and shielded addresses, which use zero-knowledge
proofs to encrypt transaction data.
Users can transact between the two types, allowing funds to move
between the transparent and shielded pools.

Value held in a shielded address is represented by a ''note'',
which records an amount and a recipient address.
When a note is created, only a cryptographic commitment to the
note is published on the blockchain, and the commitment is added
to an append-only Merkle tree of all note commitments.
When a note is spent, the sender publishes a unique value called
a ''nullifier'' and a zero-knowledge proof that the nullifier
corresponds to some previously committed note, without revealing
which one. Nullifiers are recorded in a set
shared across the network, and a transaction is rejected if it
would add a nullifier already present in the set, which prevents
double-spending. Because a spent note
cannot be linked to the transaction that created it, the set of
notes from which any given spent note could have originated
includes all previously created notes that have not been spent.
Unlike mixing-based privacy systems, which obscure transactions
among a limited set of participants, this approach makes each
spent note indistinguishable from all other unspent notes on
the network.

The shielded transaction system has undergone three generations,
known as Sprout, Sapling, and Orchard, each modifying the
cryptographic constructions used for shielded transfers.

This optional privacy model is intended to preserve [[fungibility]],
ensuring that all units of the currency are treated equally
regardless of their transaction history.
Users also have the option to share private viewing keys, allowing
designated third parties to see their transaction details for
auditing purposes.
From the Sapling upgrade onward, each spending key has an
associated full viewing key that allows recognizing both incoming
and outgoing transactions without granting spending authority.


== History ==
== History ==
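Review bot: the design paragraphs introduced in the Line 55 hunk (notes and their commitments, the append-only Merkle tree, nullifiers and the nullifier set, and the Sapling full viewing keys) carry no citation at all, and the only {{Cite web |title=Zcash Protocol Specification ...}} reference left in the new text sits on the supply-cap sentence; since the edit summary gives the protocol specification as the primary source, attach that citation, ideally with a section reference, to each of those claims, including the Equihash sentence, which was cited in the previous revision and is uncited now. Two precision points in the same hunk: "shielded addresses, which use zero-knowledge proofs to encrypt transaction data" conflates two mechanisms, because the zero-knowledge proof establishes that a transaction is valid while the note data is encrypted separately, so consider "which use zero-knowledge proofs to validate transactions whose details remain encrypted"; and "indistinguishable from all other unspent notes on the network" should be qualified, since, as the same paragraph states, a nullifier cannot be linked to the commitment it spends, so an outside observer cannot tell which notes are already spent and the candidate set from that observer's view is every commitment in the tree. Finally, because transparent transactions are described as publicly visible, the sentence on moving funds between the two pools should say that the privacy properties described apply to transfers between shielded addresses and that the transparent side of a cross-pool transaction stays visible on the blockchain.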