Last Friday, I was in a van in Denver, Colorado, with Zooko Wilcox, the CEO of ZCash, a company that on 28 October will launch a new blockchain-based digital currency of the same name. On the floor next to me was a bunch of newly purchased computer equipment. I knew we were going to a hotel, but didn’t know where. I only knew that I’d be there for the next two days straight and that it would be my job to watch, ask questions, stave off sleep, and document as much as I possibly could.
That day began a cryptographic ceremony of sorts, one that will make or break a new digital currency. ZCash is identical to Bitcoin in a lot of ways. It’s founded on a digital ledger of transactions called a blockchain that exists on an army of computers that can be anywhere in the world. But it differs from Bitcoin in one critical way: It will be completely anonymous. Although privacy was a motivating factor for Bitcoin’s flock of early adopters, it doesn’t deliver the goods. For those who want to digitally replicate the experience of slipping on a ski mask and handing over an envelope of unmarked bills, ZCash is the new way to go.
To deliver on this anonymity, however, the ZCash protocol requires an initial dose of randomness, a set of parameters that functions as a reference point for the rest of the software. But the process comes with an unfortunate byproduct. The software that generates the parameters also creates pieces of a cryptographic key, which if combined could be used to generate new coins out of thin air. The ceremony that I was carted off to will serve as a public demonstration that the cryptographic fragments were created and disposed of in such a way that the complete key never came into existence.
But why make a currency that faces its first existential threat at the very moment of its creation? Because for the subset of people who like their currency digital and free from government control, anonymity really matters.
“ZCash is really exciting because it’s the first combination of the blockchain properties with the encryption properties,” says Wilcox. This layer of encryption means that in ZCash, transactions will leave no trace on the blockchain of who spent a coin or in what digital pocket it landed. All that will be visible is the fact that a transaction occurred.
Bitcoin, the first and most widely used digital currency, established the blockchain as a revolutionary technology. Blockchains provide a way for disparate, mistrustful parties to jointly maintain a public ledger of transactions and to do so in a way that renders all entries permanent.
The problem with Bitcoin as it is implemented today is that the entire history is public. Transactions are attributed to random identifiers that in themselves carry no information about the person controlling the accounts. But if users are not extremely careful, network analysis can reveal both the financial behavior and the real identities of the people behind the accounts. (Several companies, such as Chainalysis, now provide such a service.)
ZCash too has a blockchain that records and publicly broadcasts every transaction ever made with it. But it hides all identifying information about who made the transactions and how much was spent.
“ZCash solves this privacy problem by encrypting each transaction. We use standard, modern, high-tech encryption, which is the same kind of encryption that is used to protect websites and emails and everything on the Internet,” says Wilcox.
This, however, creates a new problem. In Bitcoin, having all the details of transactions available in cleartext enables miners—the people running the software that updates and secures the blockchain—to validate new spending requests by referencing previous transactions in the record. When that data is hidden from view, validation becomes more complex and requires a special kind of computation called a zero-knowledge proof. That computation enables users to prove that they own the coins they want to spend without revealing any information about where the coins came from or where they are going. Such proofs are used in many other contexts around the Internet. For instance, zero-knowledge proofs allow you to type in a password on a website and have it verified by the site’s server without actually transmitting the password.
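The proof-of-knowledge idea in the paragraph above, as an added example that is not from the article or from the Zcash software: a Schnorr-style interactive zero-knowledge proof that a prover knows the secret exponent x behind a public value y, using toy group parameters constructed for the example. Zcash’s zk-SNARKs are a different and far more general construction; this only shows the principle that the verifier learns nothing beyond validity, and why.

```python
import secrets

# Toy group parameters, constructed for this example and far too small for real
# use: P is a safe prime, Q = (P-1)/2 is prime, and G = 4 generates the subgroup
# of order Q (4 is a square mod P, so its order divides Q, and it is not 1).
P = 1019
Q = 509
G = 4
assert pow(G, Q, P) == 1 and G != 1


def keygen():
    """Prover picks a secret x (think: the password) and publishes y = G^x mod P."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def prover_commit():
    """Message 1: prover sends t = G^r for a fresh random nonce r (kept private)."""
    r = secrets.randbelow(Q)
    return r, pow(G, r, P)

def verifier_challenge():
    """Message 2: verifier replies with a random challenge c."""
    return secrets.randbelow(Q)

def prover_respond(x, r, c):
    """Message 3: prover answers s = r + c*x mod Q. Only s crosses the wire, never x."""
    return (r + c * x) % Q

def verify(y, t, c, s):
    """Verifier accepts iff G^s == t * y^c (mod P); true for every c when s used the real x."""
    return pow(G, s, P) == (t * pow(y, c, P)) % P

def run_protocol(x, y):
    """The full three-message exchange: prover holds x, verifier holds only y."""
    r, t = prover_commit()
    c = verifier_challenge()
    s = prover_respond(x, r, c)
    return verify(y, t, c, s)

def simulate_transcript(y):
    """Why the verifier learns nothing: anyone can produce an accepting transcript
    without x by picking c and s first and solving for t = G^s * y^(-c)."""
    c = secrets.randbelow(Q)
    s = secrets.randbelow(Q)
    t = (pow(G, s, P) * pow(y, (Q - c) % Q, P)) % P  # y^(Q-c) == y^(-c), since y^Q == 1
    return t, c, s
```

A prover who guesses a wrong x passes only when the challenge c is 0, which happens with probability 1/Q, so a real deployment uses a group where Q is hundreds of bits long.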
The broad strokes for ZCash were designed in 2013 at a Johns Hopkins University applied cryptography lab led by Matthew Green. He later joined forces with Eli Ben-Sasson, a computer scientist at the Israel Institute of Technology, and a group of researchers at MIT and Tel Aviv University—all of whom now work for the Zcash company. Together they developed a new zero-knowledge proof, called a zk-SNARK, that is much less computationally intensive and thus crucial for scaling the currency.
Now ZCash is in the hands of Wilcox. Privacy is an issue that is near to his heart. As a teenager, he delayed going to college to work with cryptographer David Chaum on DigiCash, the first implementation of a privacy-centric digital cash. When that project crashed in the 1990s, he continued the crusade.
Enhancing financial privacy will likely enhance the ability of criminals to go about their business undetected, and that’s a legitimate fear. Bitcoin itself found its first, and arguably thus far only, killer app when sellers and buyers realized that they could use it for illegal purchases in Dark Web markets.
But Wilcox, who regards privacy as a right, argues that there are important, legitimate reasons why someone would want to use an anonymous currency.
“There are regulatory and commercial and moral reasons for privacy from all sectors,” he says. To give a commercial example: Apple wouldn’t want Samsung to be able to track its transactions and gain valuable competitive intelligence.
Or the motivating factor could be regulatory compliance. Multiple laws in the United States and the U.K., such as the data privacy rules of the Health Insurance Portability and Accountability Act of 1996, require companies to keep consumer information hidden from view, a feature ZCash can reliably offer.
There are also strictly technical considerations that make strong privacy a necessary feature in a digital currency. Ideally, for the system to function, coins should be fungible, which is to say, each coin should be indistinguishable from the next. When a coin carries the history, and potentially the smear, of every past transaction—as bitcoins do—this can be difficult to achieve.
“The laws of economics are almost as immutable as the laws of physics. And good money means that every unit of that money is the same as any other unit of that money. The only way to have that be the case for digital currencies is to have it be private,” says Roger Ver, a ZCash investor for whom fungibility is a central concern.
But perhaps the most intriguing feature of ZCash is that users can toggle the level of privacy that it provides. Although the ZCash protocol encrypts all information about transactions by default, people will be able to selectively disclose this data and they will have control over what parts get revealed as well as who gets to see them.
Let’s say I’m in college and my parents are funding my studies. They could send me ZCash and then I could lift the veil on all the transactions I make with that money in a way that only they could see.
Adam Back, a cryptographer who has himself endeavored to strengthen Bitcoin’s privacy guarantees with a scheme called Confidential Transactions, says that ZCash is able to offer this degree of flexibility because, unlike Bitcoin, it starts with the strongest privacy-guaranteeing tools available.
“It’s very hard to build something stronger on something that’s weak,” he says. “If you start with a perfect electronic cash system building block, then you can build an electronic cash system with selective weakening in a way that makes sense for society.”
But cryptographers like Back do have reservations.
There is, of course, the problem that guaranteeing its security requires one moment of infallibility on the part of human beings—the destruction of the key fragments.
Also, the zk-SNARK computations that validate transactions are quite exotic, at least in comparison to the well-worn standards used in Bitcoin.
“The number of people who understand and have read the math and could develop an attack would be very small, maybe a dozen researchers worldwide. And so, you run the risk that maybe not enough people have looked at it to have the insight of what’s wrong with it,” says Back.
The ZCash company, which developed the open source software, is itself a bit of an experiment. It has a direct stake in the coins that are generated by the ZCash protocol. As in Bitcoin, miners periodically create new coins. But in ZCash, the miners only get to keep ninety percent of those coins. The rest gets dumped into accounts controlled by the ZCash company, which has stated that it will divvy up these earnings between founders, private investors, and a non-profit foundation responsible for working on future versions of the protocol. But it is up to the company to report transparently on where that money flows.
One of the biggest unknowns is whether enough people care deeply enough about privacy to bring ZCash into the mainstream. When DigiCash declared bankruptcy in 1998, the failure was partially attributed to a lack of interest in financial privacy on the part of the everyday consumer.
Wilcox is confident that it will be different this time around. “I feel that privacy is an important personal and social value, that it uplifts individuals and communities, that it protects them,” he says. “And it’s been really gratifying that once word got out about the ZCash project there have been people approaching me either over the Internet or in real life, in person, at conferences just to tell me that they feel this too and that they care about this and that they’re glad we’re working on it and they want us to succeed.”