Crypto Market Commentary 

17 November 2019

Doc's Daily Commentary

 

The 11/13 ReadySetLive session with Doc and Mav is listed below.

Checkmate's Corner

ZCash Review

Keeping with Privacy November, today's review looks at the ZCash project, which is often touted as the most advanced privacy-preserving blockchain on the market. ZCash is an interesting case study for a number of features of cryptocurrency. In many regards, I actually consider ZCash the perfect example of what not to do if you want a long-term sustainable project.

Zcash Monetary Policy

The core ZCash blockchain is very similar to Bitcoin in that it preserves the 21M hard cap supply, has a proof-of-work security mechanism and the blockchain functions using the UTXO model. The block structure remains similar to Bitcoin with 2.5min block times, 12.5 ZEC starting block subsidy and a halving schedule every 840,000 blocks (4 years).

 

The primary difference in the monetary supply distribution is the inclusion of a ‘temporary’ founders reward of 20% of the block subsidy. For the first 4 years of ZCash, 20% of the mined coins will be distributed to the Electric Coin Company (ECC) as a reward for developing the protocol. This equates to a total of 10% of the final 21M supply.

 

Now from a monetary standpoint, we cannot expect projects to replicate the ‘immaculate conception’ of Bitcoin with the protocol bootstrapped solely by open source developers. The GRIN project is experimenting with this path and the inevitable outcome is that GRIN developers cannot afford to buy themselves a sandwich and rely solely on donations from external parties, the dominant one being Bittrex. Why would Bittrex donate on an ongoing basis? They are getting value from the arrangement and over the direction of the project, not least a preference when it comes to exchanges hosting the coin for trading. It is a classic donation with benefits arrangement.

 

Given that ZCash launched in Oct 2016 this means that in Oct 2020, the first ZCash halving will occur, dropping the founders reward to zero. In an ideal scenario, this would result in an efficient bootstrapping of the protocol in the first four years followed by a prioritisation of PoW security with the block reward for miners jumping to 100%.

 

Not quite…

 

Welcome to lesson #1, governance is really important to overcome the governance trilemma.

ZCash Governance

In order to help split the governance of ZCash away from singular ownership by ECC, 10% of the 20% founders reward has been ‘donated’ by ECC to create the ZCash Foundation (ZF). The ZF is intended to be an arm of the project which represents the users of the protocol and their best interests…yet it is funded by ECC donation…no conflicts of interest anywhere to be seen.

 

In a way, we can look at the ECC as the ZCash equivalent of the Blockstream/Bitcoin Core organisation: the engineering arm of the protocol. However, as a private company (like Blockstream), ECC still needs to make revenue by exploiting the protocol's capacities or leveraging its skills to create new cryptographic solutions for businesses.

 

When the founders reward runs out, there is no incentive for ECC to continue development on the protocol. The ZF has commented on this given that ECC are a team of exceptional engineers and to date have built cutting edge technology for the protocol.

 

However…ECC have also missed a good number of deadlines, have not delivered on their 4 year roadmap to date and Zooko Wilcox, the CEO of ECC, earns 2,033 ZEC per month, somewhere on the order of $74,000/month at today’s prices. Much criticism has been directed at the poor management of ZCash funds by the ECC, with significant sell pressure and poorly timed liquidations leading to massively depressed prices (an unfortunate loop exacerbated by miners in a bear market).

The logic behind the original 4 year founders reward was that it provided sufficient runway to bootstrap the technology, and the governance system could be established at a later date. Add to this the fact that, until recently, ECC held rights to the ZCash logo and trademark, which would mean ownership over any fork. What we have here is a fairly centralised governance system where the users really have very little say in the matter.

 

ECC originally promised and published on its website that donating the trademark was on the future agenda, however, when the time came to do so, it claimed that an alternative governance model was required before the transition. No such governance model exists and the main demand was for an extension of the founders reward for a further 4 years. Centralised much?

 

The other day (6 Nov), the ECC finally dropped its position after lengthy negotiations and donated the trademark to the ZF; however, much of the damage has already been done.

 

Further debate continues as to whether to extend the founders reward for a further 4 years resulting in a total of 15% of the ZCash supply. The alternatives expressed by the ZF are to engage an alternative development firm on a reduced spend such as the Parity team who work on Ethereum. Again, this is not ideal given ECC familiarity and expertise over the project codebase.

 

Amidst all of this, the best method for gauging community sentiment is the ZF undertaking surveys…literally surveying users. This is the best governance model the ZCash project has.

 

To summarise the overall governance and monetary policy of ZCash: The ECC is a centralised and somewhat authoritarian, for-profit organisation who is very fortunate to house some of the best cryptographers in the world. Otherwise, I can see absolutely no tangible path for success long-term as the whole project relies on their tech.

Privacy technology

Onto the good stuff.

 

Where ZCash attempts to iterate on Bitcoin's model is by providing optional coin fungibility through a pool of shielded transactions in which the addresses involved, the amount transferred and the metadata are all hidden and encrypted. ZCash uses zero-knowledge proofs called zk-SNARKs that really are cutting edge and some of the most advanced cryptography out there.

 

 

ZCash has two address types, transparent t-address and shielded z-address. Transactions can have inputs and outputs on either side of this with the shielded transactions unable to be seen on the public blockchain. The proof exists that they occurred but no data about sender, receiver or transferred amount can be observed.

 

The best thought experiment I have heard regarding how zk-snarks work is the following. Imagine your friend is colour blind and is holding a red and a blue ball, one in each hand. Your friend shows you their hands and then puts them behind their back to either swap them or not. Once revealed, you are able to tell whether the balls were swapped or not as you can see colour.

 

Now whilst your friend cannot see the actual colour, they know if they swapped or kept them in the same hand. You are able to verify that they have been swapped because you can see the colour. Thus, without knowing a common piece of information (ball colour) you can both verify that the same truth occurred.

 

Now an outcome of this experiment is that it needs to be carried out many many many times to ensure it wasn’t just a series of lucky guesses. It is an entirely probabilistic outcome as it is possible to have an extremely lucky string and guess correctly millions of times in a row. It's possible but unlikely. Conversely, it is extremely easy to verify the result.
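The ball experiment above, simulated as an added example that is not part of the original commentary: an honest prover who can see colour always convinces the colour-blind verifier, while a prover who can only guess survives n rounds with probability 2^-n. It models the interactive thought experiment only, not the proof system ZCash actually uses, and all function names are made up for this illustration.

```python
import random

def run_protocol(prover_sees_colour, rounds, rng):
    """One full session: True if the colour-blind verifier accepts every round."""
    for _ in range(rounds):
        # Verifier secretly swaps the balls (or not) behind their back.
        swapped = rng.random() < 0.5
        if prover_sees_colour:
            claim = swapped              # honest prover reads the answer off the colours
        else:
            claim = rng.random() < 0.5   # cheating prover has nothing to go on but a guess
        if claim != swapped:
            return False                 # a single wrong answer exposes the prover
    return True

def acceptance_rate(prover_sees_colour, rounds, trials, seed=2019):
    """Fraction of independent sessions in which the verifier ends up convinced."""
    rng = random.Random(seed)
    wins = sum(run_protocol(prover_sees_colour, rounds, rng) for _ in range(trials))
    return wins / trials

def soundness_error(rounds):
    """Exact chance that a guessing prover survives `rounds` rounds: 2^-rounds."""
    return 0.5 ** rounds

def rounds_needed(max_error):
    """Smallest number of rounds that pushes the cheater's odds to max_error or below."""
    rounds = 0
    while soundness_error(rounds) > max_error:
        rounds += 1
    return rounds

if __name__ == "__main__":
    # Columns: rounds, honest acceptance rate, guessing acceptance rate, exact 2^-n.
    for n in (1, 5, 10, 20):
        print(n, acceptance_rate(True, n, 20000), acceptance_rate(False, n, 20000),
              soundness_error(n))
    print("rounds for one-in-a-billion odds:", rounds_needed(1e-9))
```
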

 

The result of this is that ZCash transactions are notoriously large, computationally complex and expensive. The minimum transaction fee is 0.0001 ZEC which if the network were as large as Bitcoin is a $1 minimum fee. It also means that the blockchain size will grow rapidly with adoption which can be problematic for decentralisation of nodes. Not an issue yet but perhaps in the future. It also means mobile wallets are challenged as they MUST trust another node. The blockchain cannot be pruned and thus trust and node centralisation is baked in the cake.

 

The last component of ZCash privacy is that it is optional. This means that people can move between regular Bitcoin-style transactions and fully private transactions. Unfortunately, that means that for all private transactions, you are only mixed in with all the other users of shielded addresses. That is your anonymity set, or the group of people with which you could claim plausible deniability regarding who owns what. At this stage, no exchanges allow for depositing shielded addresses, which means that to date, around 7% to 15% of transactions are shielded. However, it gets worse.

 

A study undertaken here indicates that by developing a set of heuristics (common transaction behaviour) of these shielded transactions, 87% of them are linked to miners and the founders…That leaves, in the most optimistic scenario, only 2% of all ZEC in the anonymity set. Compare that to Monero with 100% and Decred with up to 20% of the supply to date (not even with public release yet) and ZCash optional privacy looks a bit sad right now.

 

In summary, ZCash houses arguably the strongest privacy technology of any cryptocurrency. It is computationally expensive and has a heavy data footprint. That said, the centralised nature of protocol development should allow for efficiencies to be rolled out in time. Optional privacy was a mistake in my eyes.

The tradeoff

Now for the final piece of the puzzle, what is the trade-off for such strong privacy?

 

Unfortunately, the underlying zero day of ZCash and the reason I will never support it is the combination of the ECC governance system with the slim possibility that a critical inflation bug has already been exploited.

 

The other week I described the privacy trade-off between perfectly binding (Bitcoin, Decred, fully auditable supply) and perfectly blinding (ZCash, Monero, private but hard to audit). ZCash has opted for perfectly blinding, which means the supply of coins in the shielded portion cannot be audited. On 5 Feb 2019, ECC released a blog post indicating that they had remedied a critical inflation bug found in the codebase. What is worse, they identified the bug 11 months prior, remedied it in Oct 2018 in the Sapling upgrade but did not disclose it for a further 5 months…

 

…During which time they were liquidating founders reward…

 

No evidence is reported regarding whether this bug was exploited; however, this highlights two major risks: 1) perfectly blinding cryptography preventing full verification and 2) the incentives of centralised organisations operating these projects.

 

Now, given that exploiting the bug required an extremely high level of skill, it is unlikely that ZCash was falsely minted. However, the actions of ECC speak loudly: it did not disclose the bug for almost half a year following the patch shipping. This bug also affected other mid-tier projects Horizen and Komodo, along with the many small forks of those projects.

 

The upside potential

Upside potential for the ECC is very good. I expect that after draining the coffers of the ZCash founders reward, the company will go on to create technology that benefits society in many ways. From financial applications to furthering privacy tech in cryptocurrency, skilled people create valuable technology.

 

Similar to Ripple and XRP, I have no idea how they can fit ZCash into the picture. Bitcoin remains ZCash's biggest competitor and I don’t think privacy as an optional feature is going to cut the orange mustard.

Concluding thoughts

ZCash is a powerhouse of privacy technology that could not be pulled off in a more dysfunctional way if they tried. The lack of foresight that governance is of high importance and can be left for a later date is apparent.

 

There is a question regarding how private technology can be if it is created solely by a centralised organisation that clearly has profit motives. ECC has a stranglehold on the project, which is generally worthless without their talent at the helm. I think the funding outcome will resolve in favour of ECC with a further 20% of the block reward extended for another 4 years.

 

Important technology that I am glad exists and is pushing boundaries. Would I ever suggest parking capital in it…no.

 


An Update Regarding Our Portfolio

RSC Subscribers,

We are pleased to share with you our Community Portfolio V3!

Add your own voice to our portfolio by clicking here.

We intend on this portfolio being balanced between the Three Pillars of the Token Economy & Interchain:

Crypto, STOs, and DeFi projects

We will also make a concerted effort to draw from community involvement and make this portfolio community driven.

 

Here’s our past portfolios for reference: 

 

 

RSC Managed Portfolio (V2)

 


 

RSC Unmanaged Altcoin Portfolio (V2)

 


 

RSC Managed Portfolio (V1)