Recently, the Zcash team announced the activation of the Sapling hard fork, which occurred at block 419,200. The new version of the network provides improved performance with 90 percent less time to create a transaction and 97 percent less memory consumption. One of the main reasons for such a drastic reduction in resource consumption is associated with the central element of the Zcash architecture, the hidden addresses.

Hidden Address Problems

Currently, the Zcash hidden addresses require so much computational power that most users and exchanges cannot use them and use the functionality of public transactions provided in Zcash. Initially, the private Zash cryptocurrency team deliberately introduced the option of transparent transactions, which, being less “demanding” in technical terms, promoted a wider adoption of the cryptocurrency. A significant disadvantage of public transactions in the Zcash system, however, is that they reduce the anonymity of the network as a whole. The hard fork “takes us one step closer to an open, exclusive, and private payment system,” says the project team. “To make hidden addresses universally usable is the main thing in our mission. ‘Opportunities for all’ are not just words for our team. This is the light that leads us in terms of goals and direction as we continue to innovate and experiment.”

In the future, Zcash plans to completely abandon the functionality of public transactions. “We hope to see a massive transition to private Sapling, and as this transition progresses, we hope to switch to default privacy when the right moment comes. All that Sapling does is improve performance and security. Who doesn't want that?” says Nathan Wilcox, the CTO of Zcash.

According to him, the old version of the blockchain was “too unproductive and cumbersome.” In particular, prior to Sapling activation, the hidden transaction functionality was available only to users who had the full Zcash node running. Now, hidden addresses can be used in the framework of exchanges and light wallets (which do not store the full version of the blockchain on the user device). This is possible due to the greatly reduced technical requirements for hidden transactions (they now take up about 100 times less memory and are six or more times faster).

At the same time, Wilcox notes that light clients with the support of hidden addresses “will not appear by themselves on the day of activation [hard forks],” as they will require certain development efforts. This is due to the fact that they must be implemented with reliable security mechanisms so that they could not disclose transactional information to the hosting server of the wallet. The team is currently working on a proof of concept of such a wallet. “Our goal is to make a lightweight wallet that has privacy protection even against its own provider. Our goal is to develop a full-fledged user experience specifically for Sapling and make sure that we can combine practicality and privacy well,” Wilcox said in a conversation with CoinDesk. There is a possibility that this wallet will not reach the users and will be used only as a “visual model” for third-party developers who will create their own implementations on its basis.

Hidden HD Wallets

This is another innovation implemented in the Sapling version. Hierarchically deterministic, or HD wallets, were originally offered in Bitcoin in 2012. These wallets receive private keys and addresses from seed phrases “semen” representing a random set of words. Thus, it is possible to generate an infinite number of addresses from the Seed attached to one wallet. This system allows users to have a backup copy of the wallet and completely restore it simply using a set of words, while otherwise, they would have to make new backups every time a new address is created inside the wallet.

Zcash always had not only the functionality of public transactions and addresses, but, being a fork of Bitcoin, also had an absolutely identical system of HD addresses. With the update, however, the Sapling HD wallets will be available for the new hidden Sapling addresses.

Model of a hierarchically deterministic Sapling wallet. Source.

As expected, when using HD wallets, possession of a Seed will provide access to the full key tree inside the wallet. First, a Seed installs a pair of master keys, which consists of a “key for spending” and a “key for viewing.” Unlike the traditional private and public key pair (address), both keys in the Zcash HD Wallet are private.

The key for spending allows users to sign outgoing transactions, that is, transfer funds, while the key for viewing makes it possible to selectively disclose transactional information, making the necessary transactions transparent and without compromising the anonymity of the network as a whole. “If we have a private default chain and you want to have a public account, you can simply make the viewing key publicly available,” Wilcox says.

The ability to disclose the details of incoming transactions using the key view has been available in Zcash since version 1.0.14, released in January 2018. The team noted that disclosing outgoing transaction data "is a slightly more complex problem that will be solved during the Sapling upgrade."

Anatomy of a Sapling Transaction

The basic transaction scenarios will remain available in the new version of the network, but there will be some changes with hidden addresses.

In transactions using hidden addresses of the old format, the zero-knowledge proof technology is implemented through JoinSplit. JoinSplit accepts one or two input values ​​and creates one or two transaction exit values. These input and output values ​​are called records. JoinSplit does not disclose how many values, one or two, were created in each case. And transactions that require the creation of more than two records use multiple JoinSplits. The result is a hidden transaction, about which there is no information, except that it has created or accepted several records.

Hidden transactions of the new format look different due to improved performance. As before, they create and accept records, but do not use JoinSplit. Instead, they consist of “wastes” and exits and show the exact number of records received or created. For example, in one of these transactions, one shielded spend (received entry) and two hidden outputs (created entries) are visible. It is likely that this transaction took the record to send part of the balance stored on it to another address, and forwarded the rest back to the original sending address. This transaction could also send the entire balance of the sending address to two recipients and not have a balance at all. The lack of knowledge about this data is what ensures the privacy of financial information.

User Guide

Immediately after activating the hard forks, users of the main Zcash client, the Zcashd, received new Sapling addresses. The functionality incorporated in the new version of the blockchain will become available after they transfer funds from the old version (Sprout) addresses to the new Sapling addresses. In this case, a significant drawback of this process is that it involves a procedure that will reveal the amount of user funds at hidden addresses. Wilcox notes that a similar access to the system “an audit based on the turnstile principle” was a deliberate step. His goal is to make sure that the system was not compromised in the process of setting the parameters of zk-SNARKs.

The Zcash device involves regular ceremonies, known as “Powers of Tau,” during which a narrow circle of participants under conditions of increased secrecy and in a variety of ways generates initial parameters for the zero-knowledge proof protocol. In this case, however, we are talking about the “genesis” ceremony held at the time of the launch of the network in 2016. It was criticized for being vulnerable to attack, in which case users could create an unlimited number of Zcash coins. “To test this risk, we want to do a global audit and make sure that no cheating has happened,” Wilcox says.

The team is currently developing a tool for automated transfer of funds to new addresses, which “will allow users to minimize the impact on privacy.” And although it is possible to transfer funds to the addresses of the new format and on an “individual basis” now, the Zcash team recommends, if possible, to wait for the release of a special tool, noting that it will take several months.

During this time, the system will fully support both address formats of Sapling and Sprout. And although Zcash plans to subsequently abandon the old Sprout addresses, Wilcox notes that users should not be afraid for the safety of their funds, since there will be no deadline for transferring coins from old addresses. When the protocol is fully switched to Sapling, users will not be able to accept funds to old addresses, but outgoing transactions from these addresses will still function.