Zcash privacy is best in class. Zcash was the first cryptocurrency to use Zero Knowledge proofs, which allow Zcash to totally hide all information about a transaction (and therefore your spending habits, balance, and where your money comes from).
Zcash offers both shielded and transparent addresses, which means privacy is a choice users can make instead of it being mandated. This comes with several advantages and… some mudslinging, which we’ll dive into. First let’s talk about some of the awesome privacy features Zcash has.
Zcash has several ‘pools’ of ZEC. A Zcash receiving address is tied to exactly one of these pools. ZEC can be moved between pools simply by sending it to a receiving address that belongs to another pool.

| Pool name | Shielded? | Address prefix |
|---|---|---|
| Sapling | Yes (trusted setup) | Zs |
| Orchard | Yes (trustless setup) | U |

U addresses can be specifically for Orchard or (more commonly) be a unified address (or ‘UA’ for short) that contains an Orchard address and addresses from other pools like Sapling and Transparent. This is useful for reasons I’ll go into shortly.
Why do we have several ‘pools’? Because Zcash is always innovating. The transparent pool represents the technology behind Bitcoin. Each pool beyond that represents a subsequent innovation in privacy tech. Zcash has a unique way of innovating without deprecating an entire currency. This is a powerful and (as far as I know) unique feature of Zcash.
Think about it. Bitcoin was innovative in its day, but privacy wasn’t available then. If you want privacy now, you have to sell Bitcoin and buy another cryptocurrency. That is both inconvenient and requires you to research other cryptocurrencies to bet on. But Zcash can innovate without invalidating itself, just by creating a new pool.
Will there be a pool after Orchard? I have no idea. But I’m confident that if there’s a privacy innovation to be had in the future, Zcash will be well positioned to support it without diminishing the value of existing ZEC, and folks can benefit from the innovation just by moving the ZEC to a new receiving address for the new pool.
And that brings us to Unified Addresses. With 3 pools already, and maybe more in the future, it becomes a burden for people to think and reason about. Each time a new pool is created, it comes with a new address format that existing wallets can’t send ZEC to until they are updated. This is why you might need to send a U, a Z and a T address to someone today to ensure that one of the addresses will be supported by the wallet they use. But with a wallet that supports UAs, that will never be necessary again. Once all wallets support sending to UAs, a UA will be the only address you need to share in order to receive ZEC from someone. Funds can be sent to any pool that their wallet and yours both support, and preference will always be given to the newest pool.
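The receiver selection described above, as an added Python sketch (not code from this post or from any Zcash wallet): the sending wallet walks the receivers inside a UA and pays the most-preferred pool it supports, skipping receiver types it does not recognize. It assumes the address has already been Bech32m-decoded and unjumbled into typecode/length/data items and uses the ZIP 316 typecodes; the sample bytes are constructed filler and typecode 0x7F is a hypothetical future pool.

```python
# Added illustration; not code from the post or from any Zcash wallet.
# Assumes the UA payload is already Bech32m-decoded, unjumbled and unpadded.
# Typecodes as assigned in ZIP 316.
P2PKH, P2SH, SAPLING, ORCHARD = 0x00, 0x01, 0x02, 0x03
PREFERENCE = [ORCHARD, SAPLING, P2SH, P2PKH]          # most preferred first
NAMES = {P2PKH: "p2pkh", P2SH: "p2sh", SAPLING: "sapling", ORCHARD: "orchard"}
RECEIVER_LEN = {P2PKH: 20, P2SH: 20, SAPLING: 43, ORCHARD: 43}

def read_compact_size(buf, pos):
    """Read a Bitcoin-style compactSize integer; return (value, next_pos)."""
    if pos >= len(buf):
        raise ValueError("truncated payload")
    first = buf[pos]
    if first < 0xFD:
        return first, pos + 1
    end = pos + 1 + {0xFD: 2, 0xFE: 4, 0xFF: 8}[first]
    if end > len(buf):
        raise ValueError("truncated compactSize")
    return int.from_bytes(buf[pos + 1:end], "little"), end

def parse_receivers(raw):
    """Split the payload into {typecode: receiver bytes}, keeping unknown types."""
    receivers, pos = {}, 0
    while pos < len(raw):
        typecode, pos = read_compact_size(raw, pos)
        length, pos = read_compact_size(raw, pos)
        data = raw[pos:pos + length]
        if len(data) != length:
            raise ValueError("truncated receiver")
        if typecode in receivers:
            raise ValueError("duplicate typecode")
        if RECEIVER_LEN.get(typecode, length) != length:
            raise ValueError("wrong length for known receiver type")
        receivers[typecode] = data
        pos += length
    return receivers

def choose_receiver(raw, wallet_supports):
    """Return (pool name, receiver) for the most-preferred pool both sides share."""
    receivers = parse_receivers(raw)
    for typecode in PREFERENCE:
        if typecode in receivers and typecode in wallet_supports:
            return NAMES[typecode], receivers[typecode]
    raise LookupError("no receiver type in common with this wallet")

def tlv(typecode, data):
    return bytes([typecode, len(data)]) + data   # short items only

# Constructed sample: filler bytes, not real keys. 0x7F is a hypothetical
# typecode standing in for a pool added after this wallet was written.
SAMPLE = (tlv(P2PKH, b"\x11" * 20) + tlv(SAPLING, b"\x22" * 43)
          + tlv(ORCHARD, b"\x33" * 43) + tlv(0x7F, b"\x44" * 5))
```

A transparent-only wallet calling `choose_receiver(SAMPLE, {P2PKH})` still gets a usable receiver from the same address, and the same call starts returning the Sapling or Orchard receiver once the wallet adds those pools to its supported set.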
Privacy of balance and transactions are just a couple of angles on privacy. Another is correlation of receiving addresses. Imagine you provided your receiving address to two employers so they could pay you. Those employers might exchange their employee databases to discover that you work for both of them. Your means of payment should not provide employers with the ability to discover anything about you.
To address this, Zcash offers unlimited, unique receiving addresses that are tied to a single account. Each of these addresses funnels ZEC into the same Zcash account. There is no way for outside parties to correlate these addresses and realize they belong to the same person unless you somehow tell them so.
The YWallet app calls these ‘snap addresses’. One tap gets you a new address that you can offer to anyone who needs it and that will never be shown again, so you can be sure that each time you tap, you’ll have a fresh one.
Why have the transparent pool?
Why have both transparent and shielded addresses? If we have privacy cryptocurrencies and transparent cryptocurrencies, is there value in having one cryptocurrency with both modes? This is a hotly debated point, but I believe the answer is yes. Let’s start with the mudslingers’ arguments, as headings with responses underneath them. The mudslinging, BTW, always comes from folks shilling their own privacy coins, and the bias is evident in their arguments.
Claim: Most ZEC is transparent, so Zcash isn’t private
At present, most ZEC is indeed in the transparent pool. I suppose most folks agree privacy is a good thing, so why then is most ZEC not in a shielded pool? Naysayers argue this proves Zcash isn’t private.
But this no more proves that Zcash isn’t private than the existence of other non-privacy coins like Bitcoin proves that ZEC isn’t private. It’s irrelevant. Zcash can be as private as you please. If Zcash came in colors of blue and red instead of privacy levels, and 90% of the world chose red and you chose blue, yours is no less blue for the sake of the red held by others.
Now the natural follow-up question might be: “So why is most ZEC held in the transparent pool?” Well, we don’t know because no one has to answer for their decision as to where to hold their ZEC. But we know two practical answers anecdotally. They are covered in the next two claims.
Claim: You can’t shield the ZEC you hold at exchanges
I’m not sure this is true at all exchanges, as some exchanges actually let you withdraw ZEC directly to a shielded address, so maybe they keep their funds in a shielded pool as well.
But it’s certainly true that most exchanges keep their ZEC in the transparent pool. Probably because that’s much easier for them (which is why ZEC shows up on far more exchanges than other privacy coins).
But this claim relies on two assumptions:
- The balance of ZEC you hold on an exchange is actually yours.
- It hurts your privacy that it isn’t shielded.
But these don’t really hold water.
You’ve likely heard the phrase “not your keys, not your coins”, right? It comes from learning, when exchanges (too often) go into bankruptcy, that you don’t legally have much of a claim to the coins you thought were yours. In fact, the ZEC you think you have at that exchange may not be ZEC at all. The exchange only has a ‘promise to pay’ that they fulfill when you withdraw, if you ever do. Until then, whatever ZEC they may hold is typically in a very large, central account.
And that brings us to refuting the second point, that your privacy is compromised because your ZEC at an exchange isn’t shielded. “Your” ZEC at that exchange is in an enormous account with everyone else’s ZEC. As far as the public blockchain is concerned, it isn’t your ZEC (making “not your keys, not your coins” true in a very literal sense). The exchange simply has a record somewhere that says some amount of ZEC is on your balance so that if you want to withdraw it, that amount of ZEC can be moved on the public blockchain from their central account to one that you actually control. And at that point, you can (and should) shield the funds.
An exchange knows how much ZEC they hold under your name, of course. So you have no privacy with the exchange anyway, even if it were shielded. And no one looking at the public blockchain can tell how much of the exchange’s big blob of ZEC is yours either. So this whole claim is just FUD.
Claim: You can’t shield the ZEC you hold on hardware wallets
Today, it’s true that no hardware wallet supports holding ZEC in a shielded pool (that I know of, anyway).
This is expected to be a temporary state of affairs though, as Trezor seems very close to finishing shielded address support, and Ledger has also declared their intent to support shielded funds through 3rd party apps.
And this isn’t really that much of a hit against Zcash as a privacy coin, since hardware wallets don’t support other privacy coins either, at least not natively. Not to name names, but one oft-mudslinging privacy coin does have Trezor integration through a 3rd party app, but in my experience reliability of that app is terrible, and though I have the keys, the app can’t start and keep running long enough to give me access to those funds. Luckily, it was just an experiment and thus an acceptable loss, but one that turned me off of other privacy coins.
Claim: When privacy is an option and you use it, you immediately look suspicious
The presupposition here is that honest people won’t choose to keep their own business private. This is both a ludicrous belief and would cut their own coin to pieces. If using the privacy option in Zcash is cause for suspicion, what of folks who buy into cryptocurrencies that are nothing but private? Wouldn’t that be suspicious?
The fact is all currencies (fiat and crypto) are (or can be) used for illicit activities as well as legit ones. And at least in nations where privacy is a human right, claiming that right does not or should not lead to suspicion, whether it’s “always on” or an option.
Claim: Zcash should be ‘shielded by default’
Gah! I hate that phrase, because it is so often used to mean something it doesn’t describe. A default literally means:
“the thing that exists or happens if you do not change it intentionally by performing an action” (Cambridge Dictionary)
Zcash itself is a protocol and a blockchain. It can have no default with respect to privacy or non-privacy. It either allows both or disallows one.
A wallet app can certainly have a default though. It can default to showing you a shielded receiving address, only offering a transparent address when you ask for it explicitly. A wallet app could even drop transparent address support altogether, effectively ensuring its users of total privacy by taking away their choice for transparency.
Oh wait, we already have wallets that do that! YWallet is private by default. ZECWallet offers both on equal footing. Unstoppable offers only support for shielded addresses. Then what are folks that call for Zcash to be shielded by default really calling for?
Well, depending on the crowd, either of two things:
- The naysayers are claiming that Zcash isn’t worth anything unless it removes the transparent option from the protocol itself. “Shielded by default” isn’t a good phrase for this as I explained earlier, since no option means no default either. I believe these folks don’t really want Zcash to drop transparent support though, despite their claims. Why? There are already other privacy coins out there that do nothing but privacy. In fact, at least some of them have copied zk-SNARKs from Zcash into their own cryptocurrencies! So what would it add to the ecosystem if Zcash dropped transparent support? Little or nothing, I say. As I’ll describe in a later section, transparency support is actually a strength. These naysayers want Zcash to cut off its own legs so that other cryptos will succeed at Zcash’s expense.
- When Zcash fans call for ‘Shielded by default’, what at least some of them mean is wallets that shield all incoming transparent funds automatically, essentially pulling everyone toward the shielded pools as ZEC is transferred. This seems to me a great idea, but I haven’t seen it implemented anywhere. The closest I’ve seen a wallet come to it is to offer a “Shield transparent funds” button, which isn’t quite automatic, but at least it’s very simple.
There also appears to be a part of the Zcash fanbase that wants to see Zcash drop transparency support. I believe these folks haven’t thought this idea through, however. Existing transparent funds cannot be forcibly shielded. Those with the keys would have to use them to transfer their funds to a shielded pool. The protocol could block all transactions that move funds into or around the transparent pool, but that would alienate a lot of users that depend on this ability, and they’d have a hard time selling out because most exchanges that trade Zcash today work strictly in the transparent pool.
Zcash’s duality is a strength — not a weakness
Most privacy coins are available from only a small subset of exchanges, whereas transparent coins are far more broadly available. By having a transparent side, Zcash is available at most exchanges. Once you have transparent Zcash, you can immediately shield it just by forwarding it from your transparent address to a shielded one. This is a very simple operation and most wallets today have a “Shield funds” button that does it with one tap. This is far easier than having to go back to an exchange to trade your transparent cryptocurrency for one with privacy features. If this world has a place for both transparent and privacy coins, Zcash can fill both roles and ensure that both coins have exactly the same value, because indeed it is the same cryptocurrency.
Some organizations may be more suited to transacting with transparent funds. Consider a charity or a government, which may have public transparency or auditing requirements. They may want to use T addresses to receive and hold donations. Yet a donor can send shielded funds to that T address to protect their own anonymity and keep their financial situation private. A cryptocurrency without a transparent option would require you to sell some privacy coins at an exchange to acquire transparent coins to donate to that charity. This makes usability of Zcash across different applications superior to the alternatives.
This duality of privacy and transparency gives each Zcash user a choice regarding privacy. A Zcash user who wants privacy should use a wallet that either offers only shielded addresses, ‘shields by default’, or offers a button to ‘shield transparent funds’, and should use that button whenever someone sends ZEC to their transparent address. So long as you shield your own ZEC (not just as a pass-through, but to hold and spend later), you have a high level of privacy, even if you exchange ZEC with others who don’t value privacy.
Perfectly applicable to the hyper-private
There are subtleties to privacy in any cryptocurrency (some more, some less, even for those that don’t offer a transparent option). Those subtleties in Zcash are probably not of interest to the average user. But to someone with a high-risk profile, e.g. government intelligence, spy, or illicit activity (which I do not condone), these subtleties may be of interest. They are beyond the scope of this article, but here are some links to get you started if you’re interested:
- Transaction Linkability – Electric Coin Company
- Transaction Privacy. Zcash is arguably the most private… | by Hanh Huynh Huu | Medium
One awesome feature of YWallet is that you can set the ‘minimum privacy’ level that you’re willing to accept, which can help a lot to simplify your world when you’re particularly concerned about privacy. YWallet has really done some great innovation to help keep privacy high.
In fact, this last point about YWallet’s privacy setting demonstrates that there really is nothing to those mudslinging naysayers. If you want absolute, full privacy, you can have it with Zcash, and you can have the best in class. You may find though that the highest privacy filter in YWallet severely limits who you can interact with since it requires everyone else you interact with to support shielded pools as well, and many exchanges don’t. But without these filters, you can still choose to shield all your Zcash. Others’ privacy choices shouldn’t impact your own.
A practical tip on privacy
If you must receive ZEC through a transparent address, consider using a fresh transparent address for each person or business that will send you ZEC. This prevents someone with your transparent address from learning from the blockchain how much ZEC you’ve taken in through that address beyond what they personally sent you (and therefore already have that information).
Some Zcash wallets make creating many transparent addresses easier than others. Zecwallet Lite is the easiest one I know of.
When you receive ZEC directly to a shielded address, no one can see how much ZEC was sent to it, so you can reuse the same shielded address everywhere without disclosing your income.
Zcash offers best in class privacy. So much so that other privacy coins do or wish they could copy the algorithms and even the code from Zcash into their own cryptocurrency. Zcash is truly the industry leader when it comes to privacy. Its duality leads to some misunderstanding and accusations but is actually a strength.
As more people adopt cryptocurrency and realize the importance of privacy, I anticipate Zcash’s features and broad availability will lead to Zcash’s rise as the predominant privacy coin and (if the world were rational) even the predominant cryptocurrency used for a store and exchange of value.
2 thoughts on “Is Zcash really private?”
Great post! I have one small correction:
> Once all wallets support sending to UAs (by supporting the Orchard pool),
It is not actually necessary for a wallet to support the Orchard pool in order to support sending to Unified Addresses! The Unified Address is a serialization format, and so any wallet (including transparent-only and Sapling-only wallets) can support parsing Unified Addresses. Then, the wallet can send to whatever addresses it has pool support for. The “receivers” within a Unified Address have a defined preference order, and wallets supporting UAs should always send to the most-preferred address type that the wallet supports; Orchard receivers are most-preferred, followed by Sapling receivers, and finally transparent.
This gets to the whole reason to have unified addresses in the first place: unified addresses provide wallets and their users with an upgrade path for when new pools and/or address types are added to the protocol. Suppose that you share your Unified Address with someone, and their wallet only supports sending to transparent addresses. Their wallet can still parse that Unified Address, and send funds to the transparent component, which your auto-shielding wallet can then immediately transfer into a shielded pool. If your counterparty’s wallet later upgrades to support sending to Sapling or Orchard receivers, their wallet can then immediately start using those when they send you payments, without needing you to provide them with a new address.
I love it. Thank you. I’ll update the post with that.