NU5 activates on mainnet, eliminating trusted setup and launching a new era for Zcash

Zcash Network Upgrade 5 (NU5) activated on mainnet today, May 31. It is the most important milestone for Zcash since the cryptocurrency launched in 2016 — and as our Electric Coin Co. (ECC) CEO Zooko Wilcox put it, “an historic step forward for human society.”

NU5, the first major upgrade since November 2020, includes the launch of the Orchard shielded payment protocol, utilizing the Halo proving system to remove reliance on complex setup ceremonies. The efficiencies built into this upgrade make possible — for the first time ever — private, trustless digital cash payments on mobile phones. Halo also paves the way for increased interoperability by providing a system that could unlock private cross-chain proofs at scale.

No more ceremonies

When Zcash launched, its zero-knowledge proofs required a setup phase to produce public parameters that allowed users to construct and verify private transactions. This was called the Ceremony, or trusted setup. This technique was pioneered by ECC, and it required multiple parties in different locations and complex security measures. A similar process was required for the Sapling upgrade in 2018 and involved more than a hundred participants. (The story of Zcash’s original Ceremony was well told by Radiolab.)
Today, many protocols rely on trusted setups, but as Joeri Cant at Cointelegraph put it, “they are difficult to coordinate, could present a systemic risk and always have to be repeated for each major protocol upgrade.” With the Halo proving system (open source), reliance on these kinds of processes is eliminated and protocols like Zcash benefit in efficiency and safety.

Zcash Media released a video about the original Ceremony, its participants (including Edward Snowden), and how Halo makes “trusted setups” obsolete.

Halo proving system in NU5

The Halo paper, authored in 2019 by ECC.’s Sean Bowe, Jack Grigg, and Daira Hopwood, introduced a new technique for creating practical, scalable, and trustless cryptographic proving systems, ending an almost decade-long pursuit by the cryptography community. 

Mike Casey, at Coindesk wrote about Halo: “If the discovery by ECC researcher Sean Bowe holds up to scientific scrutiny, it could one day unleash a host of powerful, real-world applications for the digital age that go far beyond cryptocurrency.”

Zcash NU5 implements a “2.0 version” (Halo 2) of the new zero-knowledge proving system that was first detailed in that paper. It eliminates protocol reliance on complex setup ceremonies, as mentioned above, and provides a catalyst for Zcash user confidence and scalability while making the protocol more attractive, faster, and less expensive for others to build on.

A technique called recursion, or nested amortization, also introduced in the Halo paper, is under development at ECC, bolstered by an agreement with Protocol Labs, the Filecoin Foundation, and the Ethereum Foundation. As Bowe put it, this cryptographic breakthrough “allows a single proof to attest to the correctness of practically unlimited other proofs, effectively allowing a large amount of computation (and information) to be compressed.” 

Recursion is a crucial building block for a layer 1 scalability solution on Zcash — and for many other projects in and out of the crypto space.

Unified addresses

A new address format in the Orchard payment protocol removes the complexity of a user having to juggle multiple address types. In NU5-supporting wallets, a unified address is generated from a set of multiple Zcash address types (e.g., transparent, Sapling and Orchard). Combined with auto-shielding, a feature currently supported by the ECC mobile wallet SDKs, any ZEC received to a unified address can be automatically routed to the latest shielded pool supported by the user’s wallet. So, even if the sender is only able to send ZEC transparently, it will end up in the receiver’s private storage — shielded by default.

Summary

Here’s a full list of what’s included in NU5 plus upcoming ECC releases:

Included

  • Zcashd, NU5-compatible consensus node
    Zcashd is the consensus node for Zcash. It includes the Orchard shielded payment protocol (ZIP 224), non-malleable transaction IDs (ZIP 244), a new transaction version format (ZIP 225), unified addresses (ZIP 316), and other various updates.

Coming soon

  • ECC wallet
    The ECC wallet (yet to be officially named) will become available in the Android and iOS stores later this year. Our goal is to deliver a wallet that provides an industry-leading user experience for ZEC, as well as features that will benefit crypto more broadly. Releasing a wallet of our own will allow us to deliver more features, more quickly, than is possible through the normal protocol-upgrade cadence and through our influence over third-party wallet providers.
  • Updated ECC reference wallet (iOS and Android)
    The ECC reference wallet is a reference implementation of a Zcash wallet for Android and iOS, available as open source. The next version will include the code for the ECC wallet, plus documentation. 
  • NU5-compatible wallet SDKs
    ECC maintains wallet SDKs for Android and iOS. The next major release of these SDKs will support NU5, including a new transaction format, the Orchard shielded pool, unified addresses and the following features:
    • Auto-shielding (update)
      Auto-shielding lets users (more specifically their wallets) automatically move funds from a transparent address to the latest shielded ZEC pool. Auto-shielding, along with unified addresses, will facilitate increased user privacy and a better overall user experience. Through auto-shielding, wallets can offer their users funds that are shielded by default, regardless of the originating address.
    • Auto-migration
      Auto-migration is a mechanism for wallets to seamlessly move funds to the most modern shielded pool supported by the wallet. This feature will also make it easier to deprecate older pools.
    • Improved note management
      Improved note management reduces the time users need to wait between sending transactions. This means that lightclients will be able to send one transaction immediately after another.