Zcash, the secret money

With the birth of bitcoin, a hitherto unknown monetary system based on a completely new principle came into being in 2009. Its main characteristic is that it’s decentralized, meaning it functions without a central authority. In contrast to the forint, euro or dollar, which are issued by their respective central institutions (the central banks), bitcoins are created by an open community based on consensual decisions, according to a previously established set of rules. The same community also handles the settlement of transactions.

Bitcoin’s technology is a revolutionary invention because previously the reliable operation of a virtual monetary system without a central institution couldn’t be guaranteed. Bitcoin has proved over the last eight years that this is possible. Despite its innovation, however, it has a number of weak points.

Bank secrecy is compromised

One of its major weaknesses has to do with maintaining “bank secrecy”. No one would be pleased if anyone could freely and easily view, download from the net and pick through their bank account balance and transactions; that is, their entire account history. This is not possible in the traditional banking system; bank secrecy is the foundation of trust.

In the world of bitcoin, however, each and every transaction is recorded in the public ledger, the blockchain, meaning every bitcoin account’s history is public. The public ledger is required to ensure decentralized operation. By default no one besides the owner knows which account belongs to whom, so account histories can’t be linked to people. But if for some reason the identity of the account holder is revealed, that person’s financial movements on that account become retrievable and traceable. And account holders’ identities can become known; if the owner is expecting a transfer, they can give their account number to a business partner themselves.

This is an unpleasant feature of bitcoin, even though everyone has the option to use as many accounts as they like. It’s possible to give each business partner a different account number, or even to use a new one for each transaction (wallet programs take care of managing the numerous accounts together). However, connections between the respective accounts can still be demonstrated with statistical data analysis methods, meaning bank secrecy can’t be reliably protected even with this method.
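One well-known instance of such analysis is the common-input-ownership heuristic, which assumes that addresses spent together as inputs of one transaction share an owner. The sketch below is an added example, not part of the original article; the ledger, the address names and the function names are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample ledger: each transaction lists the addresses it spends
# from (inputs) and pays to (outputs). All names are made up.
LEDGER = [
    {"txid": "t1", "inputs": ["A1", "A2"], "outputs": ["shop"]},
    {"txid": "t2", "inputs": ["A2", "A3"], "outputs": ["landlord"]},
    {"txid": "t3", "inputs": ["B1"], "outputs": ["A4"]},
    {"txid": "t4", "inputs": ["A4", "A1"], "outputs": ["exchange"]},
    {"txid": "t5", "inputs": ["C1", "C2"], "outputs": ["B1"]},
]


def cluster_addresses(ledger):
    """Group addresses that were co-spent, directly or transitively (union-find)."""
    parent = {}

    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]  # path halving keeps lookups short
            a = parent[a]
        return a

    for tx in ledger:
        first, *rest = tx["inputs"]
        find(first)  # register single-input spenders too
        for other in rest:
            parent[find(first)] = find(other)  # merge the two clusters

    groups = defaultdict(set)
    for addr in parent:
        groups[find(addr)].add(addr)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: g[0])


def wallet_of(address, ledger):
    """Return every address the heuristic attributes to the same owner."""
    for group in cluster_addresses(ledger):
        if address in group:
            return group
    return [address]  # never seen as an input: nothing can be linked


if __name__ == "__main__":
    for group in cluster_addresses(LEDGER):
        print(group)
```

Although A4 was created as a fresh address, spending it together with A1 in t4 ties it to the whole A cluster, so identifying the owner of any one of those addresses exposes the history of all four.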

Traceable money

The traceability of money presents a systemic problem, too, in the operation of any monetary system, and therefore in that of bitcoin as well. The root of the problem is that bitcoins connected to crimes are also traceable. Although this assists the work of law enforcement authorities, it can greatly complicate the operation of the monetary system. The reason is that an honorable person is reluctant to accept bitcoin that comes from a robbery. And if it’s widely known that a bitcoin was previously stolen, it becomes “dirty” and “bloodstained”, which makes using it cumbersome. Many robberies involving considerable sums have already received major publicity; most recently 120,000 bitcoins were stolen from the Bitfinex exchange in August, and their route can be traced in the public ledger. These bitcoins may be worth less than “clean” ones.

However, if participants constantly have to check the past of the money they intend to accept, because otherwise they risk obtaining bitcoin that’s worth less, this creates enormous difficulties and can completely undermine the operation of the monetary system. In a well-functioning monetary system, one unit has to be indistinguishable from another, precisely so that their value is exactly the same. This is the basis of simple usability.

Erasing traces

A group of scientists suggested a solution to these problems in 2013. They created the Zerocoin protocol, which can hide the route of money even on the public blockchain of a decentralized network. If we don’t know the money’s past, nothing bad can be revealed about it, so one monetary unit will indeed be worth as much as any other. There’s no need to worry about account histories becoming public either, since unauthorized people can’t learn anything about the transactions. The protocol’s name refers precisely to this zero knowledge. (It should be noted that others are trying to solve this problem using different technology; see for example the Monero cryptocurrency.)

A year later, they perfected Zerocoin and named the improved version Zerocash. It’s important to note that neither version functions as money on its own; they can merely connect to the blockchains of existing decentralized currencies. For example, by using the Zerocash protocol while connected to bitcoin’s blockchain, we have the option to convert a bitcoin to a zerocash, which afterwards we can transfer “invisibly” and can convert back to the original bitcoin at any time.

Zcash is born

It was all but guaranteed, however, that if the invention worked out, it would get its own blockchain sooner or later, meaning an independent decentralized currency would be born based on the Zerocash protocol. It did work out. So on 28 October 2016, with the start of mining, the new currency, Zcash (ZEC), came into being. But how exactly does the accounting work for transactions that are recorded in the public ledger (blockchain) and yet are untraceable? This sounds quite mystical, since these qualities seemingly contradict each other.

As with bitcoin, in the case of Zcash those who operate the system and perform the accounting of the transactions are called miners. Obviously they don’t do this by hand; a computer program does it automatically. When a transfer request comes in, the program has to check two important things. First, the authenticity of the digital signature; that is, whether it was really the authorized person who initiated a transfer from the given account. Second, it has to check whether the account balance is sufficient to cover the amount of the intended transfer.

In the case of bitcoin, these procedures are easy to perform. The initiated transfer clearly includes the number of the account to be charged and the amount, and the public ledger includes the current balance of the given account. In order to check if the account has sufficient funds, these only have to be compared, and the digital signature can be easily tested based on the account number (the account’s public key).

In the case of Zcash, however, the procedure is a lot more complicated. An initiated transfer does not explicitly include either the number of the account to be charged or the amount, nor are the balances directly visible in the public ledger. To be precise, the information is there, only it’s well encrypted and hidden from unauthorized people. Miners have to decide whether the digital signature and the balance are OK based on the encrypted information.

It gets out, but it doesn’t

For the sake of clarity, it’s worth illustrating how this is possible with an example. A famous puzzle from the science of encryption (cryptography) is the problem of Yao’s millionaires. In the puzzle, two millionaires wish to find out who’s richer. They want to do this without either of them telling the other or a third party exactly how much money they have. The puzzle can be solved, but we won’t go into the details of the non-trivial solution here. The main point is that one of the millionaires takes the number characterizing his wealth (expressed in the form of millions of dollars, for example), performs all kinds of complicated mathematical operations on it, then sends the result (which says nothing specific about his wealth) to the other millionaire. The other millionaire performs further complicated mathematical operations using this number and the number that characterizes his wealth, and the millionaires will know who’s richer based on the result.

Yao’s millionaires therefore eventually get an answer to the question of who’s richer without the specific extent of their wealth being revealed. Similarly, Zcash miners get an answer to the question of whether the digital signature and the balance are OK when authenticating a transaction, but it isn’t revealed which specific wallet’s data they examined and what the amount of the transfer is. They get just the information that’s necessary for authentication; not more and not less. This amount of information is crucial in terms of the system’s operation, but from the perspective of compromising bank secrecy, it’s nothing.
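The exchange sketched above, carried through with Yao's original 1982 protocol and a toy RSA key. This is an added example, not part of the original article, and it illustrates the analogy only, not how Zcash validates transactions; the function names are hypothetical, the key is far too small to be secure, and wealth is assumed to be a whole number from 1 to 10.

```python
import secrets

# Toy RSA key for Alice, built from two Mersenne primes (insecure, demo only).
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N_MOD = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
SMALL_PRIMES = (2**19 - 1, 2**17 - 1, 2**13 - 1)  # candidates for Alice's modulus p


def bob_round1(j):
    """Bob (wealth j) encrypts a random x for Alice and shifts it by j - 1."""
    x = secrets.randbelow(N_MOD - 2) + 1
    k = pow(x, E, N_MOD)
    return x, (k - j + 1) % N_MOD  # x stays with Bob; only the second value is sent


def alice_round2(i, msg, max_wealth):
    """Alice (wealth i) decrypts every candidate and marks those above i."""
    ys = [pow((msg + u - 1) % N_MOD, D, N_MOD) for u in range(1, max_wealth + 1)]
    for p in SMALL_PRIMES:
        zs = [y % p for y in ys]
        s = sorted(zs)
        # Yao's condition: residues differ by at least 2, so an incremented
        # value cannot coincide with an unincremented one.
        if all(b - a >= 2 for a, b in zip(s, s[1:])):
            break
    else:
        raise RuntimeError("no suitable prime; retry with a fresh one")
    # Positions 1..i are sent unchanged, positions above i are incremented.
    return p, [(z + (1 if u > i else 0)) % p for u, z in enumerate(zs, start=1)]


def bob_round3(j, x, p, values):
    """Bob looks only at position j: an unchanged value means i >= j."""
    return values[j - 1] == x % p


def alice_is_at_least_as_rich(i, j, max_wealth=10):
    """Run the whole exchange; only the one-bit answer comes out."""
    x, msg = bob_round1(j)
    p, values = alice_round2(i, msg, max_wealth)
    return bob_round3(j, x, p, values)


if __name__ == "__main__":
    print(alice_is_at_least_as_rich(7, 3), alice_is_at_least_as_rich(3, 7))
```

Alice never sees j because Bob's message is offset from an encryption of a random value, and Bob never sees i because the list he receives looks like random residues apart from the single position he can test.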

Built-in secrecy

In traditional monetary systems, maintaining bank secrecy is the bank’s task. Usually there’s no problem with this, but sometimes the bank’s server is hacked and customer data is stolen, or a bank employee abuses their access. In the case of Zcash, however, keeping secrets is a built-in feature. Obviously anyone possessing their password (secret key) can see their own wallet’s balance and history, but there’s no person and no computer that has information about the wallets of others besides their own. This is a much higher level of confidentiality than that of the traditional monetary system, or even bitcoin.

Risks

Using new technology is a great step forward compared to the operating model of bitcoin, but at the same time it comes with serious dangers. This is because, from the very first moment, no one has any idea what exactly is going on in the world of Zcash. When the Bitfinex bitcoin exchange was robbed in August, it was immediately clear that something wasn’t right. Everyone could see on the public blockchain that a huge amount of bitcoins was transferred all at once from accounts linked to the exchange, and it wasn’t likely that all customers were withdrawing their money at exactly the same time. Bitcoin’s exchange rate reacted immediately to the events with a huge fall. Since in the case of Zcash transactions are recorded on the public blockchain only in encrypted form, a similar robbery would remain a secret until the exchange itself announced it. And if it could be kept secret so easily, it’s questionable whether the exchange would reveal the robbery at all. To be precise, the thief could also announce it, but it’s definitely not in their interest to trigger the price drop that would ensue.

However, an even greater risk would emerge if someone found a critical fault in Zcash’s program and exploited it in secret. A similar case actually occurred in the early days of bitcoin. In 2010, someone created 184 billion bitcoins by exploiting a fault found in the code. The community, however, immediately noticed this on the blockchain as usual; they fixed the fault in the program and mining continued from before the affected block. In practice this meant that, since they noticed it in time, they managed to undo the incident.

On Zcash’s blockchain, however, it would be impossible to notice money created in an unauthorized manner due to a program fault, and therefore the community couldn’t react to it either. If the attacker was malicious and sold the “fake” Zcash gradually and slowly on the exchanges, they could do this for a very long time before any suspicion arose. We can only trust the fact that many smart people worked thoroughly on the program for a long time and that they tested the protocol for years before launching it as its own currency.

What remained unchanged

To be fair, Zcash’s super-secret register and invisible transfer method, explained in detail here, are just one option in the system. Alongside them, there is the option of public transfer and register typical of bitcoin. If we choose this transfer method, anyone can easily see on the blockchain how much money we’re transferring between which accounts, similarly to bitcoin. Its advantage is that, in comparison to the secret transfer method, starting and receiving a transaction both require much less computing capacity on our computer.

Besides this, Zcash has kept some of bitcoin’s other familiar features, for example that there will be 21 million of it in total and that the rate of its creation will be halved every four years. However, the block time was reduced from ten minutes to two and a half minutes. In practice this means that transfers take this long to complete on average.

The success fee of the inventors

The team of developers came up with an interesting model for its own remuneration and further motivation. One of the features embedded in Zcash’s program is that 20 percent of the mined money automatically goes to the team members in the first four years (after which they no longer get any remuneration). This is the fee for their work, and since it’s a prolonged payment, they remain interested in the stability and further development of the system.

So far it appears that they won’t be badly off. The first zcash were created after the start on 28 October and several exchanges immediately listed the currency. The first transactions happened at astonishing prices; for example, on the Poloniex exchange the currency opened at the price of 2500 bitcoins ($1,700,000), although it was only traded in tiny amounts. Even though in all likelihood a significant part of these transactions was done by the miners themselves, who wanted to raise initial expectations, the current exchange rate of $45 is also an impressive accomplishment for a new cryptocurrency. Of course, the current price can also change very quickly.

The state won’t like it

The option of secret money transfers provided by Zcash is guaranteed to attract the attention of arms dealers and terrorists, too. Citing this, legislators might raise the question of banning or limiting Zcash. However, it’s worth realizing that the preferred payment method of criminals won’t be zcash, or even bitcoin, but cash. This is because cash finds its way in the real world in the same untraceable manner as zcash does in its own virtual world. And yet no one wants to ban cash. No wonder, given that the overwhelming majority of people using cash are honorable. And it’s the same with bitcoin and zcash too; in this regard, there’s no difference between them.

The real difference between cash and decentralized currencies is that the former is issued by a state institution, while the latter is created by a community. This is the real reason behind the state’s moderate enthusiasm for cryptocurrencies, since it feels that its monopoly on issuing money is increasingly in danger. Following bitcoin, Zcash is yet another milestone on the long, long road towards creating a well-functioning monetary system, which can be accomplished by the private sector, which is, in contrast to the state, capable of innovation. Hopefully, sometime in the future we’ll exchange our current obsolete monetary system of the past century, which is imposed on us by the state (and is full of absurdities), for this system.

Original date of Hungarian publication: January 16, 2017