We foresee a day when the world’s financial systems run on top of and interoperate with Zcash. Just as HTTPS is now ubiquitous, we believe Zcash is uniquely positioned to serve as a foundational layer for a global and digital economy. Among other attributes, this will require privacy, scalability, security and confidence in its foundational economics.
We’re proud to introduce a potential new Zcash protocol feature built using the Halo 2 zero-knowledge proving system (“Halo”), invented and developed at Electric Coin Co. (ECC). We have reserved ZIP 224 as a placeholder. As the first implementation of Halo within Zcash, this would serve as a catalyst for Zcash user confidence and scalability, while making the protocol more attractive, faster and less expensive for others to build on, accelerating Zcash’s use and growth.
Halo on Zcash would enable circuit upgrades without the need for trusted setups, making the Zcash shielded protocol more agile for future improvements, such as supporting additional assets like user-defined assets (UDAs). We want to make it easy for other projects and tokens to benefit from Zcash features, such as privacy through encryption. Trusted setup will become a remnant of the past.
In addition, this upgrade would pave the way for shielded Zcash scale through proof aggregation and blockchain succinctness, two scalability improvements. This would improve the user experience by eliminating frustrating synchronization time that plagues all blockchains today, reducing the traditional blockchain bloat, and allowing for non-escalating fees as usage increases. In conversations with large social platforms who expressed interest in native Zcash support, a viable path to scalability was given as a requisite near-term consideration.
We are currently in development, and believe it can be successfully and safely deployed — with a security proof and audits — in Zcash Network Upgrade 5 (NU5), the next Zcash upgrade, set to activate in the summer of 2021. For more technical information about Halo on Zcash, its performance and implications for third-party support, please see our accompanying blog post, Technical explainer: Halo on Zcash.
Background
Building a fully decentralized, privacy-preserving, interoperable and well-functioning digital currency is ambitious, but we’ve always been ambitious.
The ECC team was the first to animate zero-knowledge proofs in software since zero-knowledge cryptography was conceived in the 1980s. That ECC accomplishment was deemed by many to be extraordinary, or “mind boggling,” as Google co-founder Sergey Brin remarked.
However, as with most novel technology, Zcash was constrained by limitations of the day. It was derived from the Bitcoin code base and therefore inherently not scalable. Creating proofs was computationally intensive, and its privacy features required the use of something called the “trusted setup.”
ECC further improved Zcash performance with another breakthrough called Sapling, which successfully activated in October 2018. This allowed third-party wallets and exchanges to adopt Zcash’s shielded technology for the first time.
Sapling was an incredibly important discovery, but its benefits are not enough to meet the needs of a global market made up of billions of people and organizations. At Zcon1, Nathan Wilcox outlined ECC’s ambitious plans to deliver an L1 scalable Zcash. Though at the time we weren’t sure how to get there, less than two months later, we announced another ECC cryptographic discovery called Halo. Since it was announced to the world, Halo has been recognized as a breakthrough, not just for cryptocurrencies but for the field of applied cryptography as a whole. It has been built on and extended by subsequent scientific work: [BCMS2020] [BDFG2020] [BCLMS2020].
With Halo, we unlocked the potential for scalable Zcash at Layer 1, and we found a solution for eliminating the trusted setup and bolstering broad community confidence — not just for Zcash, but for things being built on Zcash, such as UDAs. It may also prove beneficial for other purposes, such as interoperability with other chains.
If adopted, Halo on Zcash would create fertile ground for new Zcash-inclusive solutions, with the potential to equal or surpass the import of our previous work with zero-knowledge proofs and improvements. It’s an evolution in cryptography and creates a new baseline for interoperability, UDAs, scale and adoption.
Ecosystem response
In addition to research and development, ECC has engaged with industry stakeholders for their perspective on Halo and its potential for Zcash. The following are a few of the responses we received:
“Halo is a phenomenal step in the progression of Zcash development. By removing the need for trusted setup, Zcash will jettison ancient baggage and become more nimble in the future. The Sapling upgrade made it possible to build delightful user experiences and maintain a high level of privacy with efficient verification; the Halo upgrade will give the community greater confidence in the security and scalability of Zcash while maintaining its superior performance. Halo also introduces incremental verification, which would allow for trustless checkpointing and empower light clients even further.
“From a miner’s perspective, there is very little impact on day-to-day operation. We’re happy to be on board in supporting this upgrade and are eagerly waiting to launch on day 1!”
Nick Hansen, Luxor Mining CEO
“I think Halo is valuable for two reasons. First, it has some important immediate benefits. It removes the trusted setup, completely removing an issue that has been the source of many people’s misgivings about ZK-SNARK technology.
“But second, and more importantly, it moves Zcash onto a fundamentally more adaptable and future-friendly cryptography stack, and this will have benefits for years or even decades to come. Other projects are already exploring or migrating to PLONK, Halo or other polynomial-based techniques that avoid the need for an application-specific trusted setup, and Zcash would benefit from being able to leverage that ecosystem instead of staying with increasingly outdated technology.
“The ‘incrementally verifiable computation’ nature of Halo sets that stage for future upgrades that use Halo’s aggregation capabilities to combine proofs within blocks and even between blocks, massively reducing verification costs and paving the way toward a long-term ideal of Zcash having a Mina-like ‘self-verifying’ property. The adaptable nature of Halo also opens the door for Zcash to interface with Ethereum and other blockchains, allowing for layer-2 protocols to easily go between them. So I think there are many advantages to Zcash incorporating Halo, and it’s an excellent upgrade to pursue in parallel with the other excellent work being done to make it easier to use privacy-preserving transactions at the UX layer.”
Vitalik Buterin, Ethereum co-founder and Zcash community member
“Halo is a huge step forward for Zcash. A zero-knowledge system without a trusted setup will ensure privacy and future scalability that is available to everyone!”
Zaki Manian, Cosmos co-founder and Zcash community member
“ECC team has finally delivered bleeding-edge, zero-knowledge technology without requiring a trusted setup for use in real world P2P applications on Layer 1!
“Halo 2 innovation enables efficient, reliable and private transactions on a distributed ledger powered by the Proof-of-Work Zcash chain. This is unlike any other cryptocurrency where all the transactions are as public as a Twitter feed.
“Nighthawk Team is looking forward to integrating the Halo upgrade in our Android and iOS apps.”
Aditya Bharadwaj, Nighthawk wallet creator:
“With Halo, Zcash and ECC prove themselves now and again at the vanguard of privacy-preserving technologies. Finally, the controversial case of toxic waste will be a thing of the past(a). At Zondax, we are looking forward to supporting the Halo upgrade in any way we can!”
Juan Leni, Zondax CEO
“While significant scalability improvements are yet to be seen, the area of privacy went through some major advancements with Zcash in the lead. Note that Zcash already enables on-demand private transactions despite being exposed to massive pressure from status quo regulatory institutions.
“We are excited to hear about planned protocol updates on Zcash blockchain to achieve stronger privacy and higher throughput. Being privacy conscious bunch we at Horizontal Systems are keen to integrate these upcoming updates to Unstoppable wallet app as soon as they are out.”
Aibek Esengulov, Founder Horizontal Systems