Zerocash: Decentralized Anonymous Payments from Bitcoin

Authors Ben-Sasson, Eli; Chiesa, Alessandro; Garman, Christina; Green, Matthew; Miers, Ian; Tromer, Eran; Virza, Madars
Year 2014
Project Zcash
License MIT
Official Source https://eprint.iacr.org/2014/349

This page is an educational summary and analysis of an official whitepaper or technical paper, written for reference purposes. It is not a verbatim reproduction. CryptoGloss does not claim authorship of the original work. All intellectual property rights remain with the original author(s). The official document is linked above.

“Zerocash: Decentralized Anonymous Payments from Bitcoin” is a peer-reviewed academic paper by Eli Ben-Sasson, Alessandro Chiesa, Christina Garman, Matthew Green, Ian Miers, Eran Tromer, and Madars Virza, presented at the IEEE Symposium on Security and Privacy 2014. It describes the Zerocash protocol, a full-anonymity payment system built on top of Bitcoin’s UTXO model that uses zk-SNARKs (zero-knowledge Succinct Non-interactive ARguments of Knowledge) to cryptographically prove that transactions are valid without revealing any details.

Zcash launched on October 28, 2016, as the first implementation of Zerocash. It became the reference implementation of SNARK-based privacy in cryptocurrency and inspired the zero-knowledge proof revolution in blockchain.

> PDF hosting: The Zerocash paper is at eprint.iacr.org/2014/349. The Zcash engineering documentation is at zips.z.cash.


Publication and Context

Zerocash was the successor to Zerocoin (2013) — an academic proposal to add optional denomination-blind coin mixing to Bitcoin. Zerocoin required Bitcoin consensus changes that were never accepted. The Zerocash paper went further: instead of just mixing, it proposed a completely private payment system where no transaction metadata is revealed.

The key cryptographic tool is the zk-SNARK: a succinct proof that allows a prover to convince a verifier that a computation was done correctly while revealing nothing about the inputs. Groth, Sahai, and others had done earlier work on SNARKs; the Zerocash paper applied them specifically to digital cash.

The paper’s primary authors came from Johns Hopkins University (Green, Miers, Garman), MIT (Tromer), Technion (Ben-Sasson), and UC Berkeley (Chiesa, Virza).


Core Design: Shielded Transactions

Zcash has two types of addresses:

  • Transparent (t-addresses): Standard Bitcoin-style addresses; all transaction data is visible (like Bitcoin)
  • Shielded (z-addresses): Fully private; sender, receiver, and amount all hidden

A shielded transaction works as follows:

  1. The sender “pours” funds into a shielded address — encrypted using the receiver’s incoming viewing key
  2. The sender generates a zk-SNARK proof that:
    • The input coin(s) appear in the blockchain (valid notes exist)
    • The sender knows the spending key for the input coins
    • The sum of inputs equals the sum of outputs (no money created)
    • The nullifier (anti-double-spend marker) is correctly computed
  3. The proof is broadcast with the transaction; validators verify it without learning anything else

Nullifiers: Each shielded note has a nullifier, a unique value that must be published when the note is spent. The blockchain tracks spent nullifiers; a second spend of the same note would publish the same nullifier and is rejected by consensus. This prevents double spending without revealing which note was spent.
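
A minimal model of the nullifier mechanism described above, added here as an illustration and not taken from the Zerocash paper or the Zcash code base. HMAC-SHA256 and a plain hash commitment stand in for the protocol's primitives, the zk-SNARK check is omitted, and the names `prf`, `Note`, `ShieldedLedger` and all key and note values are constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass

def prf(key: bytes, label: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 stands in for the protocol's PRFs (assumption of this sketch).
    return hmac.new(key, label + data, hashlib.sha256).digest()

@dataclass(frozen=True)
class Note:
    value: int
    rho: bytes       # per-note secret that seeds the nullifier
    trapdoor: bytes  # randomness that blinds the commitment

    def commitment(self, owner_pk: bytes) -> bytes:
        # Published when the note is created; hides value, owner and rho.
        body = owner_pk + self.value.to_bytes(8, "big") + self.rho
        return hashlib.sha256(self.trapdoor + body).digest()

    def nullifier(self, spending_key: bytes) -> bytes:
        # Published when the note is spent; needs the spending key to derive.
        return prf(spending_key, b"nf", self.rho)

class ShieldedLedger:
    """Toy validator state: note commitments and spent nullifiers."""
    def __init__(self):
        self.commitments = set()
        self.nullifiers = set()

    def add_note(self, cm: bytes) -> None:
        self.commitments.add(cm)

    def spend(self, nf: bytes) -> bool:
        # A real validator first checks the zk-SNARK, which binds nf to some
        # commitment on the ledger without saying which one (omitted here).
        if nf in self.nullifiers:
            return False  # same note again -> same nullifier -> rejected
        self.nullifiers.add(nf)
        return True

def demo() -> list:
    sk = b"\x01" * 32                        # constructed spending key
    pk = prf(sk, b"addr", b"")               # hypothetical address derivation
    a = Note(5, b"\x0a" * 32, b"\x0b" * 32)  # constructed notes
    b = Note(5, b"\x0c" * 32, b"\x0d" * 32)
    ledger = ShieldedLedger()
    for note in (a, b):
        ledger.add_note(note.commitment(pk))
    spends = [a.nullifier(sk), a.nullifier(sk), b.nullifier(sk)]
    return [ledger.spend(nf) for nf in spends]
```

`demo()` spends note `a` twice and note `b` once: the repeat is refused because it yields the same nullifier, while the ledger never learns which commitment a given nullifier belongs to.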


Trusted Setup Ceremony

The original Zcash (Sprout) required a multi-party computation (MPC) ceremony to generate the proving and verification keys. The ceremony must be kept secure: if any participant retains their “toxic waste” (a secret from MPC), they could generate counterfeit coins indistinguishable from legitimate ones.

The “Sprout” ceremony in October 2016 involved 6 participants with elaborate procedures. A later “Sapling” ceremony in 2018 involved nearly 100 participants with dramatically improved security procedures and parameter generation.

Why this is significant: Unlike Monero (cryptographic security under no trust assumption) or STARKs (no trusted setup), Zcash’s SNARK-based privacy _requires_ trusting the ceremony. If all ceremony participants collude or are compromised, the currency supply is insecure. This is Zcash’s primary trust assumption.


Zcash Upgrade History

| Upgrade | Date | Key Changes |
|---|---|---|
| Sprout | Oct 2016 | Initial launch; Zerocash-based SNARKs |
| Overwinter | Jun 2018 | Transaction replay protection |
| Sapling | Oct 2018 | New shielded address format; 100x faster proof generation |
| Blossom | Dec 2019 | Shorter block target time (75s) |
| Heartwood | Jul 2020 | Mining to shielded addresses |
| Canopy | Nov 2020 | Dev fund governance changes; ECC/ZF/community allocations |
| NU5 (Orchard) | May 2022 | New Orchard shielded pool; Halo2 proofs (no trusted setup!) |

The Shielded Adoption Problem

Despite strong cryptographic foundations, shielded transaction adoption has been disappointing:

  • Most Zcash transactions use transparent (t-to-t) addresses — public like Bitcoin
  • Shielded transactions require more computation (historically slow pre-Sapling)
  • Many exchanges only support transparent addresses due to regulatory compliance
  • As of 2023, ~20–30% of Zcash transactions use shielded addresses — improving but still a minority

Reality Check

Zcash pioneered production zk-SNARKs in cryptocurrency. The Sapling upgrade reduced shielded transaction proving time from ~40 seconds to ~1 second — a critical usability improvement. The Halo2-based Orchard pool (NU5) eliminates the trusted setup requirement, addressing the protocol’s main trust assumption. However, Zcash’s market cap and usage have been dwarfed by Monero (which is less cryptographically elegant but achieves privacy by default for all transactions). The ECC (Electric Coin Company) founder reward of 10% of block rewards was controversial and expired in November 2020.


Legacy

The Zerocash paper is one of the most influential cryptographic papers in blockchain history. Its zk-SNARK application inspired:

  • Tornado Cash (Ethereum mixing using SNARKs)
  • ZK-Rollups (StarkWare, zkSync, Polygon zkEVM)
  • The entire private DeFi category
  • Ethereum’s own research into ZK applications

Eli Ben-Sasson went on to found StarkWare (STARKs paper, 2018). Matthew Green cofounded Zcash/ECC and remains an active cryptography researcher. The Groth16 proving system (used in Sapling) became the standard SNARK in production systems.


Research

  • Ben-Sasson, E., et al. (2014). Zerocash: Decentralized Anonymous Payments from Bitcoin. IEEE S&P 2014.
    Primary source. Section 3 defines the pour transaction; Section 4 the SNARK instantiation.

  • Sasson, E.B., et al. (2013). Zerocoin: Anonymous Distributed E-Cash from Bitcoin. IEEE S&P 2013.
    The predecessor to Zerocash; coin-mixing only (not full-anonymity payments).

  • Hopwood, D., Bowe, S., Hornby, T., & Wilcox, N. (2022). Zcash Protocol Specification. zips.z.cash.
    The definitive technical specification; covers all post-Sapling protocol details.