Linkability of Zcash Transactions Study Precipitates Debate on “Opt-in Privacy”

On December 4, new research showed that zcash transactions are largely unshielded and linkable. The paper sparked interesting discussions in the Twittersphere between monero and zcash advocates. While known for a long time by many, the research quantified the risk borne by users due to the opt-in nature of zcash’s privacy.

Over One Year After ‘MoneroLink,’ Zcash Linkability is Studied

Zcash, a fork of bitcoin, is one of the leading altcoins in the privacy space, along with Monero. While privacy is default with monero, zcash has two types of addresses; t-addresses and z-addresses. A z- to t-address transaction and vice versa, can be uncovered potentially, whereas transactions strictly involving z-addresses, are known as ‘shielded.’

While sending zcash from a t- to z-address was acknowledged to raise the potential for linkability, since it does not obscure the transaction amount, Jeffrey Quesnelle’s recent research has quantified the risk. Also, in contrast to the MoneroLink paper, the study was sent to the Zcash team before publication. While Monero advocates argue that the research on Zcash is relevant here and now, the MoneroLink studies were focused on issues the community were already aware of, the paper was released immediately prior to a hard fork and without recourse to the Monero developers.

First of his findings was that shielded transactions are underutilized in zcash, with just under 20 percent of transactions involving a z-address:

“To begin, I looked into exactly how prevalent the use of z-addrs really is. I found that only 19.6 percent of transactions involve any use of a z-addr. Furthermore, 98.1 percent of these transactions performed either a t → z transaction or a z → t transaction. The conclusion is that the use of true private transactions (z → z) is fairly rare.”

Coins in shielded addresses are known to be in the shielded pool, but the paper explains that only 3.5 percent of the total supply (or less than 100,000 ZEC) are associated with z-addresses. Given that 19.6 percent of transaction involve z-addresses, this means that many of the coins in the shielded pool were sent back to a t-address, named ‘round-trip transactions.’

Quesnelle also published a list of the round-trip transactions, which are a chink in the armor of zcash’s privacy offering, finding more than 10,000 instances (all of which occurred within two hours). Used incorrectly, zcash could compromise privacy due to its approach permitting transparent addresses; some may believe that sending to a z-addresses then sending back to a t-address will obscure the origin of their funds, but it does not. While some argue this is down to the user to be in charge of their ‘OpSec,’ others believe that it permits a false sense of security.

Of course, it took many years for services to start accepting monero, and it is reckoned zcash’s z-addresses will experience the same fate. The research notes that no exchanges or web wallet support shielded transactions, which opens up the potential for linkability:

“Since no exchanges or web wallets support z-addrs, users are forced to operate mainly through t-addrs if they want to use their coins. However, if they wish to obscure the source of these coins, they may pass them through the shielded pool. But, if they are not careful and make the amounts identical, the transaction may not be as private as they thought.”

Quesnelle presents a real-world scenario where the linkability might have repercussions. For instance, those mining zcash are sent their payouts from a z-address, but by default that does not make the transaction private. With the limited lack of adoption of z-addresses, they will always be a way to uncover the transaction history, unless the amounts sent out of the z-address are different than those received when using shielding transactions.

Nevertheless, the Zcash team responded with a blog post, commending the research, and mentioned they highlighted in a January 2017 blog post clearly that z-addresses should not be used as a way to ‘launder’ funds to obfuscate their origin, but rather as a ‘storing addresses.’

‘Shiny New Maths’

Peter Todd, Bitcoin Core developer, reacted to the research by stating that Zcash seemed too focused on ‘shiny new math,’ a criticism raised repeatedly by many in the space, and even went as far to say that zcash failed to be honest by advancing their own cause through opt-in privacy.

Failing to mandate private txs was also dishonest: it's significantly helps Zcash adoption, directly benefiting the founders who receive 20% of coins generated, while failing to provide users the privacy they expected (esp those mistakingly using wallets w/o shielded tx support). — Peter Todd (@peterktodd) December 5, 2017

"Nothing can help you" Bullshit. Making shielded txs mandatory – as Monero did – makes that traffic analysis impossible. Don't believe me? Just look at a Monero block explorer. No values to be seen at all. https://t.co/O0gtZLe62b — Peter Todd (@peterktodd) December 5, 2017

BTCManager asked Peter Todd for more on his thoughts, specifically Zcash’s launch.

Waiting for zk-STARKs could have been a feasible option according to the Bitcoin developer, instead of relying on a trusted setup, another major criticism leveled at zcash as well as its opt-in privacy. Even though zk-STARKs are inefficient compared to zk-SNARKs, the former does not require a trusted setup. Todd did state, however, it could be a long time until such a setup is feasible. He also revealed that zcash could have built a sidechain on top of Bitcoin.

But instead, they launched an altcoin, which is suggested by some to be driven by profit-seeking motives rather than by the inspiration of “Satoshi’s Vision.” The 20 percent founder’s reward deviates substantially from free market economics. Furthermore, the corporate connections are questionable and animosity toward blockchain analytics companies ironic; without such analytics companies, bitcoin would not be where it was today (and neither would zcash, by extension).

But then again, as one Twitter user notes, zcash might be appealing to banks like JPMorgan with their technology, and these companies might find it useful to turn privacy on and off.

That depends on who the ZCash devs are trying to appeal to. If they're partnering with banks, banks might want/need the option to turn on/off a privacy feature. That's not ideal for the average person, perhaps, but it might work from a business standpoint – not that I like it. — CarbonChris⚡️ (@chrispalasz) December 6, 2017

The Debate on Opt-in Privacy

The sentiment that Zcash was rushed was made clear in an exchange between Matthew Green and Roeland Creve, as well as others. While research was published in 2016 on the potential linkability of Monero transactions, Creve argued in defense of monero, saying that the technology was inherited and they needed time to study attack vectors (see here for the history of Monero) while zcash was “launched too early” in his opinion:

Don't forget that we didn't invent Monero. We needed to study the codebase and come up with attack vectors ourselves. So you can't expect us to have everything working right from the start. #zcash on the other hand just launched too early (imho) because of profit driven investors — Roeland Creve (@Creveroeland) December 5, 2017

However, Green replied that in 2012, a Monero-type system in was considered when writing the Zerocoin paper, but felt that the proofs were too large to maintain a large anonymity set and that an opt-in system (with warnings) would be better.

The new version of ZCash is a lot faster. We’re working on mobile support, scripting, multisig etc for shielded transactions. Then in the long run we plan to kill off T addresses. Better to not have them then have a weak system. — Matthew Green (@matthew_d_green) December 5, 2017

Green also went onto state that Zcash were working on phasing out t-addresses and that transactions would be getting quicker, echoing a similar announcement from Paige Peterson at Hacker’s Congress in October 2017.

However, Creve made clear that the risks of ‘hidden inflation’ should be quarantined in a sidechain, as the zcash supply will still bear the trusted setup. If the trusted setup is compromised, because the fresh coin supply is not auditable, an attacker could create an infinite amount and sell them off slowly on exchanges (amounting to free money). He also gave an invitation to build an anonymous sidechain on top of monero, to which Green offered a helping hand.

With that said, I’m happy to assist if anyone wants to do the engineering to add ZCash to Monero in any form, including as a sidechain 😉 — Matthew Green (@matthew_d_green) December 5, 2017

Monero lead maintainer Riccardo Spagni also chimed in, claiming the linkability is an inherent flaw in the design of Zcash. He also went on to say that, while education of users is one way of attempting to ensure preservation of privacy, there are two other ways to prevent such a flaw; firstly, Spagni said that the wallet could detect an unshielding transaction of a roughly similar amount to a previously shielded amount and warn the user. Secondly, privacy could be mandatory for all transactions.

Performing multiple transactions of the same amount on Monero doesn't lead to traceability. This is a problem inherent in the design of ZCash, and should be highlighted, otherwise users might think their transactions are private when they're not. — Riccardo Spagni (@fluffypony) December 5, 2017

There no such thing as absolute privacy; naturally the differing approaches of Monero and Zcash means that they are going down divergent paths. Of course, mandatory privacy seems like a no-brainer, but obviously the founder’s reward will enable zcash to fund a long-term plan. Monero has a long-term vision too, but never started by adhering the concept of opt-in privacy, with Kovri to make the offering complete by masking IP addresses. The latest exchange regarding opt-in privacy shows the rivalry between the two is becoming a bit less hostile and bit more friendly.

With strong support from large news outlets like CoinDesk and corporate partners like JPMorgan, scrutiny of zcash is highly welcomed in a space that mostly resembles an echo chamber. Many are of the opinion that the altcoin is highly flawed, is driven by investors rather than security and has already lost the battle to dominate the privacy space. Others are not so concerned. Nevertheless, Quesnelle’s research goes some way toward informing crypto users and improving privacy-focused technologies; cross-community engagements such as this will no doubt benefit the ecosystem as a whole.

The author owns monero but does not own any zcash.