New Empirical Research into Zcash Privacy
Zooko Wilcox & Jack Gavigan | Dec 04, 2017
A researcher from University of Michigan-Dearborn, Jeffrey Quesnelle, published a paper and blog today about the effective privacy on the Zcash blockchain over the first year of its existence. No vulnerabilities in Zcash were uncovered in this research. However, the research underscores a specific way that Zcash — like any other financial privacy technology — can fail to protect you if you use it the wrong way.
To recap, in Zcash there are both “shielded” and “transparent” addresses. Zcash stored in transparent addresses is visible in the blockchain to everyone. Zcash stored in shielded addresses is not.
The way that you can use this the wrong way is to move a certain amount of money into a shielded address, and then move that same amount out again. As we described in a blog post in January:
An observer can deduce the money that Alice sent must have been transferred to Carol. This same issue can arise with any financial privacy technique, for example if you have some Bitcoin, and you Shapeshift it to a privacy coin and then Shapeshift it back to Bitcoin.
Jeffrey Quesnelle’s paper examined the Zcash blockchain to search for patterns of usage like this. To summarize the findings, he identified a total of 10,946 transaction pairs appearing to be this pattern, accounting for 31.9% of coins being shielded. Our analysis of the list of transactions he published indicates that 84.64% of the transactions were shielding newly-mined coins, meaning that the first transaction of the pair was sent by a miner or mining pool. The Zcash protocol requires that newly-mined coins must be shielded before they can be sent to a transparent address. The fact that these coins were subsequently deshielded suggests that the recipients opted to receive their mining payouts at a transparent address.
In other words, it’s not that these coins were being shielded because the sending user sought privacy but because they are forced to shield and deshield the coins by the Zcash protocol in order to send them to another transparent address. The paper rightly cautions against users expecting strong privacy when they receive funds sent from a z-address into their t-address. If users want the best privacy, they should always receive and store funds in a z-address.
The other 15.36% of the observed pattern of usage are potentially by people who didn’t understand that shielding and then deshielding your Zcash doesn’t provide strong privacy.
To protect yourself from this sort of exposure, don’t think of shielded addresses as something you pass money through, think of them as something you store money in. Storing money in a shielded address and sending a portion of it out as needed gives you very strong privacy. Moving money into it and then immediately moving that money out again does not. (The same goes for using other financial privacy technologies such as the aforementioned example of Shapeshifting to a privacy coin and back.)
This kind of empirical scientific research is absolutely necessary to help scientists and creators learn what works and what doesn’t, and how to protect users. Previous examples of this kind of scientific research include the Monerolink paper and the paper from the National University of Singapore. The Zcash Foundation has recently awarded a grant to a team of scientists from the University of Luxemborg to further study the Zcash blockchain. This new paper by Jeffrey Quesnelle is an excellent piece of research, which adds significantly to the scientific understanding of the real-world effects of privacy technologies. We'd like to express our thanks to him for doing this research.
We welcome and encourage this kind of research into Zcash’s privacy properties, and encourage anyone who is undertaking it to reach out to us if we can assist in any way. Also, please notify us in case your results might imperil users and notifying us about them in advance can help us protect Zcash users.