Zcash first appeared in 2016 as a further development of the Zerocash project, a private initiative of scholars from MIT, Johns Hopkins University and Tel Aviv University. Hereafter I will structure my narrative around their paper, published in 2014.

The authors start from the same observation: Bitcoin transactions are not anonymous. Even though users can apply pseudonyms or create a vast number of accounts, this is not enough to prevent them from being de-anonymized. De-anonymization can be accomplished using information already in the blockchain, such as dates and transaction values, together with the structure of the transaction graph.

In order to create a truly anonymous cryptocurrency, the account balances and spending habits of users should remain private and inaccessible to any party except the users themselves. To fulfill this requirement, the authors utilize recent advances in zero-knowledge Succinct Non-interactive ARguments of Knowledge (zk-SNARKs).

zk-SNARKs have attracted a lot of attention recently: even the Ethereum Metropolis upgrade added zk-SNARK support as a new cryptographic tool in late 2017. Vitalik Buterin himself expressed some thoughts on the subject:

So, at the bottom line, what is so special about zk-SNARKs?

First of all, a zk-SNARK is a variant of a zero-knowledge proof of knowledge: a protocol by which one party (the prover) can prove to another party (the verifier) that it possesses some specific information (“X”) without revealing anything beyond the very fact that it knows “X”.

Some special properties set zk-SNARKs apart from a generic zero-knowledge protocol. First, they are succinct (the S in the name): proofs are very short and easy to verify. Second, and far more important, there is no need for interaction between prover and verifier; in that sense they are “non-interactive”.

A more or less formal definition of zk-SNARKs is as follows:

Given a field F, a zk-SNARK for F-arithmetic circuit satisfiability is a triple of polynomial-time algorithms [intentionally oversimplified]:

• Key Generation: samples a proving key Pk and a verification key Vk. Both keys are published as public parameters and can be used, any number of times, to prove/verify that a transaction belongs to the selected set of transactions.

• Prove: given the proving key Pk and any pair (x, a) ∈ Rc (public input x and private witness a), the prover outputs a non-interactive proof π for the statement that the transaction belongs to the selected set of transactions.

• Verify: given the verification key Vk, a public input x and a proof π, the verifier checks the proof and outputs whether the transaction belongs to the selected set of transactions [formally, a bit b with b = 1 meaning true].

In effect, this adds another layer of key generation and verification that cannot be broken in any feasible time by brute force or by any form of heuristic. The underlying math includes elliptic-curve pairings, among other things.
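To make the three-algorithm shape concrete, here is an added Python example; it is not from the Zerocash paper or the Zcash code base. It implements a much simpler non-interactive zero-knowledge proof of knowledge, a Schnorr sigma protocol made non-interactive with the Fiat-Shamir heuristic, using the same keygen/prove/verify interface and the same (x, a) naming as the definition above: the prover shows it knows the discrete logarithm a of a public value x = g^a mod p without revealing a. It is not a zk-SNARK (the statement is fixed rather than an arbitrary arithmetic circuit, there are no pairings and no trusted setup), and the function names keygen, make_instance, prove, verify and demo, as well as the 64-bit toy group chosen for speed rather than security, are assumptions of this example.

```python
"""Constructed example: a non-interactive zero-knowledge proof of knowledge.

Schnorr sigma protocol + Fiat-Shamir, shaped like the (KeyGen, Prove, Verify)
triple in the text.  Assumption: this is NOT a zk-SNARK; the statement is
"I know a such that x = g^a mod p" and the group is a toy 64-bit safe-prime
group, far too small to be secure.
"""
import hashlib
import secrets


def is_probable_prime(n, rounds=20):
    """Trial division by small primes, then Miller-Rabin with random bases."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # base in [2, n-2]
        y = pow(a, d, n)
        if y in (1, n - 1):
            continue
        for _ in range(r - 1):
            y = pow(y, 2, n)
            if y == n - 1:
                break
        else:
            return False                          # composite witness found
    return True


def safe_prime_group(bits=64):
    """Scan upward from 2**(bits-1) for a safe prime p = 2q + 1.
    Returns (p, q, g) where g = 4 is a quadratic residue and so has order q."""
    q = (1 << (bits - 1)) | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    p = 2 * q + 1
    return p, q, 4


def _challenge(q, *parts):
    """Fiat-Shamir: the verifier's random challenge becomes a hash of the
    public statement and the prover's commitment, reduced mod q."""
    h = hashlib.sha256()
    for v in parts:
        h.update(v.to_bytes((v.bit_length() + 7) // 8 or 1, "big"))
        h.update(b"|")                            # domain separator
    return int.from_bytes(h.digest(), "big") % q


def keygen(bits=64):
    """Public parameters (p, q, g).  For Schnorr the proving and verification
    keys coincide and need no trusted setup, unlike a SNARK's circuit keys."""
    p, q, g = safe_prime_group(bits)
    params = {"p": p, "q": q, "g": g}
    return params, params                         # (Pk, Vk)


def make_instance(pk):
    """Sample a private witness a and its public input x = g^a mod p."""
    a = secrets.randbelow(pk["q"] - 1) + 1
    x = pow(pk["g"], a, pk["p"])
    return x, a


def prove(pk, x, a):
    """Prover: commit to a random k, derive the challenge by hashing, respond.
    The proof (R, s) is two integers regardless of how a was obtained."""
    p, q, g = pk["p"], pk["q"], pk["g"]
    k = secrets.randbelow(q - 1) + 1
    R = pow(g, k, p)
    c = _challenge(q, p, g, x, R)
    s = (k + c * a) % q
    return (R, s)


def verify(vk, x, proof):
    """Verifier: recompute the challenge and check g^s == R * x^c mod p.
    Returns True (b = 1) iff the proof is consistent with the statement."""
    p, q, g = vk["p"], vk["q"], vk["g"]
    R, s = proof
    if not (0 < R < p and 0 <= s < q):
        return False
    c = _challenge(q, p, g, x, R)
    return pow(g, s, p) == (R * pow(x, c, p)) % p


def demo(bits=64):
    """Honest proof verifies; a proof built from a wrong witness does not."""
    pk, vk = keygen(bits)
    x, a = make_instance(pk)
    honest = verify(vk, x, prove(pk, x, a))
    forged = verify(vk, x, prove(pk, x, (a + 1) % pk["q"]))
    return honest, forged, len(prove(pk, x, a))   # (True, False, 2)


if __name__ == "__main__":
    print(demo())
```

The verification identity holds because g^s = g^(k + c·a) = g^k · (g^a)^c = R · x^c mod p, and the witness a never leaves the prover: the verifier only ever sees R and s, from which a cannot be recovered without solving a discrete logarithm. The Fiat-Shamir hash is what removes the interaction the text mentions; a real zk-SNARK additionally makes the proof succinct for arbitrary circuits, which this sigma protocol does not.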

There are three properties that zk-SNARKs satisfy: