Gantry 5 Framework is the powerhouse behind the Reiko theme

zk-snarks Sapling Explained


Many have heard about Zcash’s long-anticipated network upgrade, Sapling, but what the fuck is it?


In a nutshell, it significantly improves the efficiency of shielded transactions and allows for broad adoption of shielded addresses by vendors and exchanges. But how does Sapling accomplish this?


Trusted Setup of Parameter Generation


The foundation of the Zcash protocol relies on zk-SNARKs, a form of zero-knowledge cryptography. This proof allows for private transactions by proving the necessary parameters, such as ownership, without revealing addresses or the amount transacted.


But what do zero-knowledge proofs rely on to construct and verify private transactions? A set of public parameters have been generated twice in the history of Zcash. Both parameters were created in ceremonies, once before the genesis block in 2016 and the second instance in 2018.


These public parameters are the verifying keys for each account. Each parameter holds the verifying signature to create private transactions on the Zcash blockchain.


The underlying question is: What happens if a malicious player during the parameter generation creates false parameters to generate counterfeit Zcash?


Multi-Party Computation Ceremonies (MPC) & The Sprout MPC


The solution to the trusted setup of public parameters is through multi-party computation ceremonies. MPCs allow for independent parties to work together to construct parameters.


Each party verifies the other to ensure that all participants are honest. The only way that the public parameters could be compromised is if all participants are dishonest.


The first set of public parameters were generated during the Sprout MPC. During the Sprout MPC, only six participants were able to join the ceremony. These six individuals each made “toxic waste,” a secret random number. These random numbers collectively create a sample list of numbers to then create public parameters.


To ensure no single user could ever compromise public parameters once they’re generated, all toxic waste is destroyed. Even if one participant destroys their contributed share of toxic waste, no other participant could ever re-generate a new set of parameters due to their randomness.


The ceremony took months to plan and coordinate and required expensive calculations. Considering the network could only handle six participants, an upgraded ceremony needed to go into effect to provide for future parameter generations, such as that for Sapling.


The Powers of Tau & the Sapling MPC


The updated MPC procedure came to be known as the Powers of Tau. The Powers of Tau can scale hundreds to thousands of participants, significantly lowering the plausibility of malicious actors compromising the parameters.


The Sprout MPC saw six participants verifying each other to ensure honesty. The Sapling MPC had 87.


Each of the 87 participants took turns on the network to sample some randomness and perform a calculation. In the example that Zcash gave: “You can think of this process as a bit like shuffling a deck of cards in public. Each participant shuffles the deck, proves that they did not modify or add any of the cards, and then hands the deck to the next participant.”


Each computation is sent to a public transcript to give the community the ability to verify the protocol. Just as with the Sprout MPC, only one participant needs to destroy their toxic waste to ensure the public parameters safety.


What Does Sapling Improve?


The four main improvements are the performance for shielded transactions, decoupled spend authority, improved keys, and efficient wallets with many Z-addresses.


Performance for Shield Addresses


Before Sapling, each address started with zc, known as Sprout-zc addresses because of their introduction during the Sprout release.


With the release of Sapling, users are able to generate completely shielded transactions using the zs address. This new address is called a Sapling address.


This new feature allows for completely private transactions to be made within a few seconds and requires only 40mb of computational memory. Sapling effectively reduces transaction time and memory requirements by a staggering 90-97%


Considering the rapid generation of shield transactions and low requirements, vendors and exchanges are incentivized to adopt shield addresses. This increased use of shield addresses will only help to improve the privacy of the entire network.


Decoupled Spend Authority


In the prior Sprout release, the hardware that constructed the zk-SNARK proof needed to also be in possession of the spending key (parameter).


In the Sapling release, these two are decoupled. The implication of decoupled spend authority allows for integration with hardware wallets.


Improved Keys


In the previous Sprout release, shielded addresses support an incoming viewing key. These allow for holders of incoming viewing keys to monitor all incoming transactions. Although they can see the transaction, the sending address remains anonymous and the funds can’t be spent.


Sapling improves upon this by allowing holders of incoming viewing keys to monitor outgoing transactions. Overall, these keys enable users to track incoming and outgoing transactions without exposing private keys or compromising the sender or destination address.


Efficient Wallets With Many z-Addresses


Zcash’s Sapling z-addresses allow for trillions of wallets to simultaneously receive funds without incurring additional costs. Each address is unlinkable to the other because of the nature of zk-SNARKs.


This is meaningful for merchants and z-address users in general because transactions are efficient and lightweight.


Original Article: