Sapling is one of the most exciting upgrades to the ZCash protocol to date.

Set to occur in late October of 2018, Sapling will introduce a number of improvements to the process by which shielded transactions operate. It is slated to make these transactions lighter and more adaptable.

With these upgrades implemented into the ZCash protocol, shielded transactions will be easily integrated into mobile wallets, exchanges and cryptocurrency vendors. Sapling will also take ZCash one step closer to a fully private blockchain.

In this post we will take a look at the Sapling upgrade and analyse exactly what it could mean for ZCash going forward.

The Need for Sapling

So why is this being touted as such an important update? Well, it has to do with the current state of the ZCash privacy transaction ecosystem.

For those who do not know, ZCash shielded transactions to shielded addresses are not mandatory. Users must elect to use these types of addresses in order for their transactions to be fully private.

However, for a number of reasons, there is only a small percentage of users who are actually making use of these shielded transactions. In fact, currently only about 13% of all transactions are shielded.

[Figure: Percentage of all ZCash transactions that are shielded.]

This has been a problem for privacy hawks over the past year as they have highlighted the negative externalities that come with having such a small subset of the population using private transactions.

It means that those people who do make use of their z-addresses and shield their transactions are immediately viewed with suspicion of “having something to hide”. Hence, the privacy of some users is compromised by the actions of others.

This is something the rival privacy coin, Monero, had to address too. They took the step of making all of their transactions private, which immediately improved the privacy of the entire ecosystem.

Therefore, if the Sapling upgrade is able to increase the percentage of transactions on the network that are private then the privacy of the entire ZCash ecosystem will also improve.

z-addresses and zk-SNARKs

Shielded transactions occur when they are sent between two different z-addresses. In order to complete a private transaction between these, the ZCash protocol makes use of zk-SNARKs.

These are some highly advanced pieces of cryptography so we will not go into it here. However, we have previously covered zk-SNARKs and zero knowledge proofs if you wanted more information on the protocol.

In order to build the shielded address, the ZCash protocol will construct a zk-SNARK using the same computing resources of the device that is being used to send the transaction. This could be your desktop computer for example.

These proofs are computationally heavy. They require over 3GB of memory to perform on an average desktop and they take about 40 seconds to complete. This time will obviously also increase if you are using a smaller device like a mobile.

[Figure: “Moon Math” involved in zk-SNARK computations. Source: Medium]

This is perhaps one of the reasons that shielded transactions are lagging in their broader adoption. Users would rather opt for the quicker and easier option of sending through the transparent t-addresses.

However, the Sapling upgrade is slated to completely change this and it’s the most ambitious update to the zk-SNARK framework to date. It is two years in the making and is ready to be implemented at block 419,200.

What Will Sapling Do?

While most of the innovation from the Sapling upgrade will be coming from the improvement in the performance and functionality of zk-SNARKs, there are a number of other features that the ZCash team has built into this update.

Let’s take a look at some of the most important updates that will be included in Sapling.

More Efficient Shielded Transactions

As we mentioned above, the computational complexity that goes into a shielded transaction is one of the reasons that they have not been used as frequently. As such, one of the major updates of Sapling will be to reduce this computational complexity.

One of the first things that you will notice is the change of shielded address type. They previously started with “zc” and were called “Sprout z-addresses”. However, after Sapling activation, the private addresses will be much shorter and will start with “zs”. These will be termed “Sapling z-addresses”.
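The prefix change described above can be checked mechanically when a wallet or exchange accepts an address as input. The following is an added example, not code from the ZCash project or from the original post: it classifies an address by prefix and, for Sapling addresses, verifies the Bech32 checksum and the 43-byte payload length (11-byte diversifier plus 32-byte key) used by the Sapling address format. The function names and the sample payload are constructed for illustration, and the check covers the encoding only, not whether the key inside is valid.

```python
# Added example (not ZCash project code); names and sample data are constructed.
CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
GEN = (0x3b6a57b2, 0x26508e6d, 0x1ea119fa, 0x3d4233dd, 0x2a1462b3)
HRP_ZS = [ord(c) >> 5 for c in "zs"] + [0] + [ord(c) & 31 for c in "zs"]

def _polymod(values):
    chk = 1
    for v in values:
        top, chk = chk >> 25, ((chk & 0x1ffffff) << 5) ^ v
        for i in range(5):
            chk ^= GEN[i] if (top >> i) & 1 else 0
    return chk

def _convertbits(data, frombits, tobits, pad):
    acc, bits, out, maxv = 0, 0, [], (1 << tobits) - 1
    for value in data:
        acc, bits = (acc << frombits) | value, bits + frombits
        while bits >= tobits:
            bits -= tobits
            out.append((acc >> bits) & maxv)
    if pad and bits:
        out.append((acc << (tobits - bits)) & maxv)
    elif not pad and (bits >= frombits or (acc << (tobits - bits)) & maxv):
        return None  # non-zero or over-long padding
    return out

def encode_sapling(payload):
    data = _convertbits(payload, 8, 5, True)
    pm = _polymod(HRP_ZS + data + [0] * 6) ^ 1
    checksum = [(pm >> 5 * (5 - i)) & 31 for i in range(6)]
    return "zs1" + "".join(CHARSET[d] for d in data + checksum)

def decode_sapling(addr):  # -> 43-byte payload, or None if malformed
    if not addr.startswith("zs1") or any(c not in CHARSET for c in addr[3:]):
        return None  # also rejects upper-case and mixed-case input
    data = [CHARSET.index(c) for c in addr[3:]]
    if len(data) < 6 or _polymod(HRP_ZS + data) != 1:
        return None  # checksum mismatch: typo or truncated address
    raw = _convertbits(data[:-6], 5, 8, False)
    return bytes(raw) if raw is not None and len(raw) == 43 else None

def classify(addr):
    if addr.startswith("zs1"):
        return "sapling-shielded" if decode_sapling(addr) else "invalid-sapling"
    if addr.startswith("zc"):
        return "sprout-shielded"  # prefix check only; Sprout uses Base58Check
    return "transparent" if addr.startswith("t") else "unknown"

SAMPLE = encode_sapling(bytes(range(43)))  # constructed payload, not a real address
```

A single mistyped character in `SAMPLE` makes `classify` return `invalid-sapling`, which is the check a deposit or withdrawal form should apply before accepting a shielded address.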

So, what does this mean for the ZCash ecosystem?

Well, it will greatly reduce the computational resources that are required in order to create these proofs. While you would previously need over 3GB of memory to complete the proofs, now you only require 40MB.

[Figure: Sapling and Sprout proving time and resources. Source: Zcash Blog]

This opens up a plethora of options when it comes to the types of devices that can complete these proofs and hence send these transactions. For example, it opens up mobile wallet use not to mention all of the exchange wallets and third-party vendors.

Moreover, by reducing the computational complexity required to complete these proofs, you are also reducing the amount of time that is required to complete them and send these transactions. Based on some estimates, the shielded transactions will take only a few seconds to complete.

This means that users won’t have to make a trade-off between sending a transaction with increased privacy or sending a transaction more quickly.

Improved Key Use

Currently, in order to send the private transactions, the device that constructs the zero-knowledge proof must also be in possession of the spending key. This spending key is the unique private key that will authorise the transaction.

With the Sapling upgrade, ZCash will change this by separating out the spending key from the proving key. This will mean that the spending key can be kept in a more secure environment that is separate from the machine that is doing the proving.

This will increase the security of the ZCash user.

This is because the user will only need to access their spending key when they want to send a transaction and create the proving key. Hence, if someone is able to compromise the device that is doing the proving, they still cannot send out the transaction without the spending key.

Moreover, the computations that are required on the spending key are relatively minute in comparison to those that are required in order to generate the proving key. This means that the spending key can be stored on a small single-purpose device.

[Figure: Relations between key components in Sprout and Sapling. Source: Sapling Whitepaper]

This opens up a whole new range of storage options for your ZEC.

Firstly, it means that you can easily send shielded transactions with a hardware device. In this case, the device doing the proving is your laptop or PC and the device that stores your spending key is your hardware wallet.

When you want to send a private transaction, the spending key will be used by the hardware wallet to generate the proving key. This proving key will then be sent to the laptop or other device. This ensures that the spending key is never on the less-trusted device, which provides better security.

This has implications beyond mere personal use. It means that these complicated zero-knowledge proofs can be outsourced. For example, if there is a large organisation that completes thousands of shielded transactions then they can make use of an external “untrusted” environment to complete them.

They could rent computing power from a cloud computing platform while still keeping their spend key securely stored in their own internal environment. This means that shielded transactions can scale dramatically and have no limitations to their growth.

Increased Viewing Key Functionality

Currently, the ZCash protocol allows users of shielded addresses to make use of an incoming view key. With this viewing key they are able to see all incoming transactions and a memo field. However, they can’t see the sending address.

Sapling will add to that functionality.

The upgrade will allow users to also see outgoing transactions from these shielded addresses. Now, when a user has the viewing key they will be able to see the transaction amount, the memo field and the target address.

By having access to this viewing key, the shielded address holder will be able to monitor transactions to that address without ever exposing the private key used for spending transactions.

This means that the owner of a shielded address can share their viewing key with a trusted third party in order to audit the wallet. This could be particularly beneficial for those businesses that need constant monitoring of their funds but would prefer to keep it secret from the public.

Multiple z-addresses

One of the reasons that exchanges have been reluctant to include z-addresses is because of the cost needed to generate multiple unique addresses. It is currently quite expensive for them to do this and they have to pay a computational penalty.

However, the Sapling upgrade allows them to generate trillions of these z-addresses at no extra computational cost. This means that the exchanges can create numerous different shielded addresses which will be unlinkable to each other.

Parameter Generation Event

Given that this is a fork of ZCash, the zk-SNARKs will need to start with new public parameters. As with the previous public parameters, this will mean that a public parameter generation ceremony is required.

[Figure: Images from three Powers of Tau ceremony participants. Source: ZCash Blog]

The ZCash ceremony is done so that the private key components to the parameter are adequately destroyed and hence the risk of counterfeiting is eliminated. The ceremony for the Sapling upgrade was held earlier this year.

Implications for ZCash

If all goes according to plan, the Sapling upgrade could have immense implications for the broader ZCash ecosystem. Not only will it give ZCash users the benefit of improved privacy but it could also increase broader adoption.

One of the reasons that users of other privacy coins have been reluctant to move over to ZCash was the low levels of shielded address use. Now, given that these z-addresses will be much cheaper and easier to make use of, the percentage of users sending shielded transactions is likely to increase.

Moreover, ZCash could have a competitive advantage over other privacy-centric cryptocurrencies if these shielded transactions are quicker and less expensive than their counterparts. For example, Monero ring signature mixins are known to be expensive and computationally involved.

One also cannot underestimate the implications of the more efficient transactions on wallet use. Hardware wallets will soon be able to support shielded transactions and ZCash will be one of the first private cryptocurrencies that can easily be used on a mobile wallet.

Lastly, there are a number of benefits for exchanges and businesses to increase their use of ZEC after the Sapling upgrade. This is because of the following factors:

  • It will be cheap to create multiple z-addresses for customer / business use
  • It will be easy and safe to store the ZEC while still being able to monitor the address
  • Sending transactions will be cheap, fast and can be done in a safe and infinitely scalable way
  • More people using ZCash means more clients or potential customers to make use of your service

The last point is a sort of positive feedback loop of adoption. Customers could drive merchants who could drive more business.


ZCash is a pioneering cryptocurrency that has developed some of the most innovative cryptographic technologies. These have proven themselves over the past few years as ZCash adoption has increased.

However, the low level of shielded transactions was always a sticking point. So much so that the ZCash developers started working on the Sapling upgrade not long after the launch of the coin in 2016.

Now, we are about to witness the fruits of their labour. If adoption does follow then the potential Coinbase listing is that much more likely.

Given that the upgrade will be open source, it will also be interesting to see how many other zk-SNARK based cryptocurrencies adopt the new protocol. These include forks of ZCash such as Horizen (ZEN) and Komodo (KMD).

It is no doubt an exciting time for ZCash and the broader community. We will keep our eyes on the project news wires.

Posted by Editorial Team