When Zcash upgraded from Sprout to Sapling, they introduced a requirement for a transparent migration, or a “turnstile” as they call it. Users who have funds in the Sprout shielded pool must first make the amount visible before they are able to use the new Sapling shielded pool.

Transparent migration in action

The Electric Coin Company (ECC), and largely the Zcash Foundation (ZF) too, support transparent migrations to help verify the integrity of the supply. As Sarang Noether, Ph.D., and I have written about before, shielded pools such as Zcash’s Sprout and Sapling pools and Monero can be susceptible to implementation errors, including detectable or undetectable inflation. Zcash Sprout was susceptible to an undetectable inflation bug. The ECC has said that should the visible funds exceed the expected supply, all remaining Sprout coins will be frozen permanently.

Unfortunately, there are severe downsides to privacy by requiring the passing of funds through transparent pools. Users often hold unusual amounts of funds, as shown in this research paper. By making these amounts public, even when steps are taken to mitigate these risks, the privacy of users is reduced. It’s difficult to calculate the exact magnitude of these risks. At the time of the Sapling upgrade, no mitigation tool was available, and users who wanted to continue to transact with some privacy were forced to make transparent migrations without hand-holding.

I’m going to break down who (potentially) benefits and who is harmed by these transparent migrations. In short, Zcash z-address users are harmed by reduced privacy (to a difficult-to-quantify degree), and only t-address users realistically benefit from the migration(s) if shielded pools are exploited.

The privacy risks associated with passing funds through the transparent pool are extremely difficult to understand and quantify. Risks could include sharing the real identity behind the transaction to specific parties or the public, associating transactions together, and other unfortunate side effects. Even though there may not be an on-chain link between funds, the amounts may be unique, and the additional leaked network metadata could help pinpoint users. There is now early research showing that, in general, timing data can be very useful to adversaries.

With proper migration tools, these risks can be mitigated somewhat. This depends on a huge number of factors, including the effectiveness and adoption of the tool. In short, it essentially requires some interactivity among participants, which the current tool tries to emulate.

While migration tools help mitigate these risks, they still remain. It is extremely unrealistic to claim users will act appropriately when the ideal process is ever-changing, and when heuristics can be adapted and improved at any time. An ideal tool now may not protect users from heuristics discovered later.

It is most accurate to say that Zcash z-address users have lessened privacy from these transparent migrations. Zcash t-address users are unaffected, since they have practically zero privacy already. They aren’t worse off.

Just as transparent migrations disproportionately harm some users, they also disproportionately benefit other users.

T-address users will not have their funds frozen in cases of supply counterfeiting, so they benefit from periodic transparent migrations. Conversely, z-address users may have their funds permanently frozen to prevent the total transparent coin supply from exceeding the desired threshold.
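The supply check that a turnstile makes possible, and the freeze it triggers, as an added illustration (this is a simplified model written for this post, not Zcash's consensus code, which enforces the pool balance per block); the transfer histories are constructed sample data:

```python
from dataclasses import dataclass

ZATOSHI_PER_ZEC = 100_000_000  # Zcash's smallest unit

@dataclass
class Transfer:
    """One value movement between a shielded pool and the transparent pool.
    Positive `value` shields funds into the pool, negative unshields them."""
    height: int
    value: int  # zatoshi

def pool_balance_audit(transfers):
    """Simplified turnstile accounting (illustration, not Zcash's implementation).

    Every zatoshi entering a shielded pool comes from the transparent side and
    every zatoshi leaving returns to it, so the pool's total value is computable
    from public data alone. If cumulative outflow ever exceeds cumulative inflow,
    more value has been made visible than could legitimately exist in the pool:
    evidence of counterfeiting (inflation). Under the turnstile rule every note
    still inside the pool is then frozen, whatever its owner did.
    Returns (final_balance_in_zatoshi, height_of_first_overdraw_or_None)."""
    balance = 0
    first_overdraw = None
    for t in sorted(transfers, key=lambda t: t.height):
        balance += t.value
        if balance < 0 and first_overdraw is None:
            first_overdraw = t.height
    return balance, first_overdraw

def honest_history():
    """Constructed sample: shield 10 ZEC, shield 3.5 ZEC, unshield 4 ZEC."""
    return [Transfer(100, 10 * ZATOSHI_PER_ZEC),
            Transfer(120, 35 * ZATOSHI_PER_ZEC // 10),
            Transfer(150, -4 * ZATOSHI_PER_ZEC)]

def inflated_history():
    """Constructed sample: only 10 ZEC ever entered, yet 12 ZEC came out."""
    return [Transfer(100, 10 * ZATOSHI_PER_ZEC),
            Transfer(130, -7 * ZATOSHI_PER_ZEC),
            Transfer(160, -5 * ZATOSHI_PER_ZEC)]

if __name__ == "__main__":
    print(pool_balance_audit(honest_history()))    # (950000000, None)
    print(pool_balance_audit(inflated_history()))  # (-200000000, 160)
```

Note that the audit only reveals the pool's aggregate value; it cannot tell which remaining notes are legitimate, which is why the freeze hits every z-address holder in the pool.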

Transparent migrations, in short, require z-address users to reduce their privacy to benefit t-address users. Z-address users don’t get the benefit.

The Zcash community should reconsider whether its desire to better protect the funds of t-address users outweighs its desire to protect the privacy of z-address users. While it is accurate to say that transparent migrations help detect supply risks, they do not help protect the funds of z-address users. In cases where z-addresses are not commonly used, perhaps this is an appropriate tradeoff. However, if z-addresses are more commonly used (and perhaps if the Zcash community wants to incentivize using z-addresses by offering greater privacy), the Zcash community should consider ceasing transparent migrations.

The Zcash blockchain does not exist in a vacuum, and worldwide users may be exposed to a wide range of risks and adversarial conditions. The use of common network-level tools like VPNs and the Tor network may not be sufficient against more extreme threat models. If the ECC and the ZF wish to continue requiring users to take on the added risk of exposing amounts on a semi-regular basis, the community should demand a much more comprehensive treatment of its effects and appropriate mitigations. The community has only a single data point on how to handle such a migration, and it involved no tools or built-in network-level risk mitigation. Demand better should another migration occur.

The ZF has prioritized research toward greater network-level privacy for 2020, but they have not published any of their work yet. Daira Hopwood stated that ze hoped other researchers would assess the transparent migration tool, but that this hasn’t happened to hir knowledge. The best time to do this research was over a year ago, before the first migration, but the next best time is now.

Justin Ehrenhofer

Twitter: @JEhrenhofer