Below is a list of topics with the most frequently asked questions about Zcash and its technology. For troubleshooting the Zcash client, please see our troubleshooting documentation.
How can I acquire Zcash (ZEC)?
You can buy ZEC from participating online exchanges and markets with another cryptocurrency or fiat currency (depending on which exchange you use). There are also community maintained lists such as the Zcash community site. You might also have luck finding someone to buy Zcash from in-person at meetups or offering services/products to be paid for in Zcash. And of course, you are highly encouraged to mine Zcash to earn tokens for taking part in securing the decentralized network!
How do I install a Zcash wallet?
There are a variety of third-party wallets for storing and sending ZEC, in addition to the officially supported core client, zcashd. You can also browse options in alternative lists such as the Zcash community site. Currently, many of these third-party options have limitations in their support for Zcash; in particular supporting shielded addresses.
What is the difference between addresses that start with t and z?
Addresses which start with "t" behave similarly to Bitcoin, exposing addresses and balances on the blockchain and we refer to these as "transparent addresses". Addresses which start with "z" include the privacy enhancements provided by zero-knowledge proofs and we refer to these as "shielded addresses". It is possible to send ZEC between these two address types.
The Sapling network upgrade introduces a new shielded address for improved efficiency and functionality. The legacy shielded addresses start with a "zc" and the new Sapling shielded addresses start with a "zs".
Why does Zcash have both transparent and shielded addresses?
Privacy is about choice, and having both transparent and shielded addresses gives you the power to decide what information you’ll share and with whom.
Shielded addresses provide user and transaction-data privacy, but in some scenarios — for tax or business purposes, political or charitable donations, situations that require public proof of purchase — transparent transactions may be preferable. Furthermore, transparent addresses have opened the door for Zcash adoption and paved the way for shielded addresses at wallets and exchanges. Transparent addresses have also allowed the Zcash community to have conversations with regulators and public policy makers all over the world.
The Electric Coin Co. and other development teams are working to grow the adoption of both shielded addresses and transparent addresses.
Further reading: Transaction linkability
Does Zcash have multi-signature transactions?
Yes, transparent addresses support multi-signature transactions but shielded addresses do not yet (see FAQ: difference between t and z addresses). You can see the difference between single-signature and multi-signature transparent addresses with their starting characters: "t1" and "t3" respectively.
Note that it's possible to sandwich any transaction using transparent addresses — e.g. a multi-signature transaction — between private Zcash spends. For example, do a private Zcash spend to yourself, then do a globally transparent multi-signature transaction and then the new holder of the funds (possibly you or possibly someone else) does another private Zcash spend to themselves.
Please consider the privacy and security recommendations before implementing such a strategy. Some privacy benefits may be preserved from that technique. We would caution against assuming this gives blanket privacy in general for any use, though, so this is an area for future study.
What is the difference between Zcash and Bitcoin?
Zcash is a code fork of the bitcoin protocol and maintains its own blockchain and currency token. Zcash builds on the existing work from the Bitcoin core team to enable privacy preserving transaction data using zero-knowledge proofs. It also includes some non-privacy changes to bitcoin, including its proof of work algorithm (see FAQ: "What are you changing from Bitcoin's Design? What parts of the Bitcoin network remain?" for more detail on technical differences).
What do I do if my transaction is not being mined?
All transactions expire by default after ~50 minutes / 40 blocks and funds are returned to the original sending address. If your transaction expires, the best thing to do is to try your transaction again with some possible modifications.
There may be various reasons why your transaction is not included in a block
- Loss of connectivity
- Transaction fee too low
- Network overload
- Too many transparent inputs (transaction size too large)
We suggest trying your transaction again with:
- Try again with a better connection
- Use the standard fee (0.0001 ZEC)
- Try again later, or increase the fee for high priority transactions
- Use a minimal amount of inputs to limit the size, or increase the fee for large transactions
How do I get my ZEC into a Sapling shielded address?
Until then, contact the makers of your favorite wallet and ask them to support Zcash Sapling shielded addresses.
Zcash Client (zcashd)
Is there a version for Windows, Mac, Android, or iOS?
Currently, Electric Coin Company only provides official support with Linux for zcashd. Since we do not have the resources to review software we do not build ourselves, we encourage users to do due diligence on the legitimacy and safety of software built by third-parties before downloading and installing.
What is a network upgrade for Zcash?
These are non-backward compatible updates that require an upgrade to all Zcash full nodes and wallets. Each network upgrade has a name and associated versions. The network launched with the 1.0.x Sprout protocol. Upgrade versions include 1.1.x Overwinter and 2.0.x Sapling.
When is the next one happening?
Check the network information page for upcoming and past upgrades. Electric Coin Company plans for regular network upgrades approximately two times a year.
Once the code is finalized for a network upgrade, the next release of zcashd has that block height hard-coded in. The activation date is selected to be at least 3 months after the first code release with the upgraded protocol. This means users have a 3-month window in which to update their zcashd software.
What do I need to do as a user?
If you use a third party service, such as an exchange or hosted wallet, verify with them that they support the new network upgrade.
If you use zcashd directly and you have upgraded within three months of a network upgrade, there are no further actions to take. If you issued transactions near the time of the upgrade, you may need to resubmit them.
If you use zcashd but have not upgraded within three months of a network upgrade, it will reach the end-of-support (EOS) halt and exit with an error message prior to the upgrade.
If you have set disabledeprecation in your configuration file or you are using third party software which has done so, you are in danger of splitting off from the upgrade and remaining on the old protocol.
Are my funds safe during the transition?
If your wallet has upgraded, you don’t need to do anything to 'transfer' your money. For safe keeping of funds during any version upgrade and as a general practice, we highly recommend making and keeping regular backups of your wallet.
It is best practice to stop sending transactions near the network upgrade activation height; we recommend not sending transactions an hour or so beforehand. Transactions that are not mined before the activation height will need to be resent after the upgrade.
If you have sent a transaction after the upgrade and it has not been mined, wait for the transaction to expire and try your transaction again. For understanding various situations and responses to unmined transactions, see this question.
What if there is a critical vulnerability in the protocol?
In case a critical vulnerability is discovered in the protocol which would place user funds at risk, potentially compromise privacy, or present some other substantial danger, an emergency upgrade will be activated as quickly as safely possible. We will coordinate an emergency protocol upgrade process through our standard security announcements page.
About Electric Coin Company
What is the mission of Electric Coin Company?
Our mission is to empower everyone with economic freedom and opportunity.
We believe that personal privacy is essential for core human values like dignity, intimacy, and ethics. Companies need privacy in order to conduct business. Privacy strengthens social ties and social institutions, enables democracy and civil political processes, protects societies against their enemies, and helps societies to be more peaceful and more prosperous.
We are a science-driven team. We are the discoverers of the underlying scientific techniques and the designers of the technology but we are not the ultimate controllers of the network — that power lies in the hands of the users. We believe in decentralization, which promotes security and fairness. Every user of Zcash is a part of the network, and helps protect it against failure and corruption.
Read more about Electric Coin Company.
When did Zcash launch?
The Zcash block chain launched on October 28, 2016, bringing into existence the first Zcash monetary units. This software release and the initial phase of the block chain is called ‘Sprout’ to emphasize that it is a young, budding block chain with great potential to grow.
Please read our launch blog post for more details.
Who are your investors? How is Electric Coin Company funded?
Electric Coin Company has raised capital in a non-traditional way; there have not been the same clearly delineated “Series A” or “Seed” round nominations like other similar technology companies. The first public investors included: Pantera Capital, Digital Currency Group, Fenbushi Capital, London Trust Media, Evolve VC, Naval Ravikant, Niraj Mehta, David Dacus, Roger Ver, Alan Fairless, Ben Davenport, Brian Cartmell, James Nicholas, Jonathan Perlow, Charlie Songhurst, Adam Ludwin, Devon Gundry, Ryan Smith, and Rop Gonggrijp.
In the summer of 2016 there was a private raise that included the following new and already established funders: Aaron Grieshaber, Branson Bollinger, Maple Ventures (Amir Chetrit and Steven Nerayoff), Brian Cartmell, Vlad Zamfir, Roger Ver, Digital Currency Group, Barry Silbert, Charles Songhurst, Fenbushi, Shapeshift, Erik Voorhees, David Lee Kuo Chuen, Fred Ehrsam, Sebastian Serrano, and Li Xiaolai.
Electric Coin Company is currently funded by a strategic reserve portion of the Founders’ Reward.
Who is the Electric Coin Company team?
Our team includes the scientists who invented the Zerocash protocol, engineers and communicators with a specialized track record in open privacy technology, advisors who are leaders in the Bitcoin, Ethereum, and academic communities, and well-regarded investors. See our team page for details.
What is the Zcash Foundation?
The Zcash Foundation is a non-profit entity for maintaining and improving the Zcash protocol in the interests of all users, present and future. It currently receives funding thanks to pledges from some of the stakeholders to donate part of their share of the Founders’ Reward.
If the Zcash cryptocurrency provides transactional privacy, won’t bad people use it?
Yes, but bad guys will use anything. Bad guys use cars, bad guys use the Internet, bad guys use cash, and bad guys use the current banking system. Our goal is not to invent something that bad guys can't use, it is to invent something that can empower and uplift the billions of good people on this planet.
For more context about our values, see the Hello World blog post.
What is Zcash's approach to governance?
Our fundamental philosophy is consensuality. Currently Electric Coin Company is effectively leading development of the science, the protocol, and the reference client, as well as public communications and many other important tasks. In the long run the newly formed Zcash Foundation is expected to take over some of these roles, especially education, consumer protection, and the advancement of science. For now they say that they intend to keep letting Electric Coin Company do its thing.
What are the economics of Zcash? Is there going to be a fixed monetary base?
Zcash's monetary base is the same as Bitcoin's — 21 million Zcash currency units (ZEC, or ⓩ) and is mined over time. It is a scarce token just like Bitcoin which can be transferred globally and exchanged to/from other cryptocurrencies or fiat currencies via online exchanges, in-person transactions, etc.
10% of the mining reward will be distributed to the stakeholders in Electric Coin Company — founders, investors, employees, and advisors. We call this the “Founders’ Reward”.
For more information about distribution, see the Funding, Incentives, and Governance blog post.
Since the value sent between shielded addresses is private, how can we determine the number ZEC in circulation?
Currently, we know that every miner validates every transaction, and each transaction comes with a zero-knowledge proof that it doesn't violate conservation-of-money (i.e. a proof that the money coming out of the transaction is ≤ the money going into the transaction).
This reasoning depends on the soundness of the zero-knowledge proofs. If someone could get the miners to accept a transaction that created new money — if you could somehow forge a zero-knowledge proof or defeat the zero-knowledge-proof-verifier software in the miners — then you could counterfeit money.
We have introduced a turnstile migration for shielded funds between legacy shielded addresses and Sapling shielded addresses which will give insight into the current shielded Zcash in circulation. Learn more about the Sapling turnstile migration in our blog.
What is the Founders Reward?
The Founders Reward (FR) funds Zcash development. It was implemented at launch, in 2016, and stipulates 20 percent of Zcash issuance is distributed to the Electric Coin Co., the Zcash Foundation, and to reward or repay original investors and contributors. Because the FR is distributed incrementally, it provides continued resources and incentive for developers to improve and support the Zcash protocol.
The Founders Reward will expire, by design, in November 2020 and be replaced with a new Zcash development fund.
Who will receive the Founders Reward?
Currently, the Zcash block reward is 6.25 Zcash (ZEC). Miners receive 80 percent (5 ZEC) plus transaction fees as a block reward. The remaining 20 percent of the reward is split among various parties: 9.85 percent of the total reward to ECC founders and vested employees, 2.2 percent to the Zcash Foundation, 5.75 percent to ECC, 2.2 percent to additional ECC employee compensation.
Is the Founders Reward a pre-mine?
No. The Founders Reward is distributed to beneficiaries over time with each Zcash block mined.
Does the Founders Reward expire?
Yes. The Zcash community proposed, vetted and approved a new Zcash development fund, which will be implemented in Q4 2020 and sunset four years later.
At NU4, 80 percent of Zcash issuance will continue to be distributed to miners, while 20 percent will be devoted to Zcash development funding. Importantly, the largest distribution, 8 percent of the total block reward (or about 35 percent of the new dev fund), will go into a grant program that will exclusively fund independent third-party developers. ECC will receive 7 percent of the total rewards, and the remaining 5 percent of rewards will go to support the work of the Zcash Foundation.
Further reading: Dev fund poll shows consensus
Why did the price of Zcash fall so much after it was launched? Was it because the founders/investors were selling their coins?
Nobody knows why buyers and sellers choose the prices they do. One fact to bear in mind is that the supply of Zcash immediately after launch was limited as described here. For example, on October 29 (one day after the blockchain was created) there were 450 coins and on October 31 there were 1950. One thing that we can be sure of is that it had nothing to do with the Founders' Reward. The Founders' Reward coins are distributed incrementally over the first four years of the blockchain, and none of them were moved until December 21, as we wrote about here and as you can see on the blockchain here.
Are there any local Zcash communities? How do I find local Zcash enthusiasts and traders?
The Zcash Foundation is officially supporting independent Zcash meetup groups throughout the world to make it easier for community members to meet each other and learn together in person. Read more about meetups and how the Foundation supports them on their website.
Simply put, what is a zero-knowledge proof? How does Zcash integrate it?
Zero knowledge proofs are a scientific breakthrough in the field of cryptography: they allow you to prove knowledge of some facts about hidden information without revealing that information. The property of allowing both verifiability and privacy of data makes for a strong use case in all kinds of transactions, and Zcash integrates this concept into a blockchain for shielding the address, amount and memo field. A blockchain that protects transaction data and lacks zero-knowledge proofs also lacks the assurance that all the transactions are valid. This is because the nodes in the network can’t determine whether the sender really had that money or whether they previously sent it to someone else, or never had it in the first place. The transaction data becomes unverifiable by network nodes.
In Zcash, we use a particular type of zero-knowledge proof called zk-SNARKs (or “zero-knowledge succinct non-interactive arguments of knowledge”). Within a shielded Zcash transaction, there exists a string of data that the sender of a transaction provides –the “zero-knowledge proof”– along with the shielded transaction data which proves properties of the data cryptographically, including that the sender couldn’t have generated that string unless they had ownership over the spending key and unless the input and output values are equal. The proof also guarantees creation of a unique nullifier which is used to mark tokens as spent, when they are, in fact spent. This allows for verification that the transaction is valid, while preserving privacy of the transaction details.
Dive deeper into zk-SNARKs and how they work in Zcash on the explainer page.
What is the difference between Zerocoin, Zerocash, Zcash and ZEC?
Zerocoin is a cryptographic currency protocol invented by Ian Miers, Christina Garman, Matthew Green, and Aviel D. Rubin in 2013. Zerocash is an improved cryptographic currency protocol invented by Eli Ben-Sasson, Alessandro Chiesa, Christina Garman, Matthew Green, Ian Miers, Eran Tromer, and Madars Virza in 2014. Zcash is an implementation of the Zerocash protocol, with certain improvements as described in our protocol specification (all of the scientists who designed the Zerocash protocol are members of the Zcash team). We have adopted ZEC as the informal three letter currency code for the Zcash currency, and ⓩ as its currency symbol.
Does Zcash offer complete anonymity for transactions?
Zcash enhances privacy for users by encrypting sender, amount and recipient data within single-signature transactions published to its public blockchain ledger.
Zcash does not: encrypt data for multisignature, protect against correlations made with public transactions (for example, when Zcash is traded to/from another cryptocurrency) or obfuscate IP addresses. It is possible to use it in conjunction with an anonymizing network such as Tor, in order to obtain protection against network eavesdropping which is complementary to transaction privacy. Read more about the privacy and security recommendations when using Zcash.
It should be noted that while Zcash facilitates anonymization for its users amongst a wide pool of individuals, we align more with the term “privacy” to describe what Zcash technology aims to provide. While related in scope, the terms have subtle differences. Anonymity relates to removing personal identifiers linked to potentially public data such as sending an anonymous tip to law enforcement or wearing a mask during a protest. Privacy considers the data itself in need of protection such as a discussion during a private meeting and more relevant, the encryption of information - whether for keeping personally or sharing with a select number of others. Anonymity methods can enhance privacy goals, such as defending against targeted attacks on private data, and vice versa if the protected data relates to personally identifiable information. The encryption of data in private Zcash transactions aligns with the latter as it is foremost a tool for financial privacy with the added benefit of increased anonymity.
For more information on anonymity properties in Zcash, see How does Zcash compare to other cryptocurrencies with anonymizing properties?
Will Zcash contain a backdoor?
Neither Zcash nor any other cryptographic algorithms or software we've made contains a backdoor, and they never will.
Is Zcash peer reviewed?
Yes. Zcash is based on the peer-reviewed Zerocash protocol, which was published in the IEEE Security & Privacy conference in 2014. The Zerocash paper provides a detailed technical overview of the specification. Our changes to the protocol are not peer-reviewed, but they are described and justified comprehensively in our protocol specification. Those changes have been subjected to several independent security audits.
Is Zcash built on the Bitcoin blockchain?
No. Zcash is its own separate blockchain.
Have you considered sidechains, Ethereum, or embedding into the Bitcoin protocol?
Yes, we've explored all of those ideas in varying degrees. What we're doing right now is the simplest thing that can make Zcash a real, live, permanent medium of exchange and store of value, and that is to create a separate block chain.
What's the point of Zcash if Ethereum is going to have SNARKs?
It's hard to say in advance how the privacy features of Zcash will compare to the analogous future planned features for Ethereum. Given that the Zcash blockchain and team are focused primarily on privacy, there's an advantage to this specialization in terms of efficiency, security, and usability.
While we cannot provide advice for investors deciding where to place bets, the Zcash blockchain does provide users with a means for private, decentralized payments right now. Further, the Zcash team will be working to ensure that any such improvements to Ethereum benefit Zcash users and vice versa.
When asked this question, Vitalik Buterin of Ethereum points out that Zcash can more easily make development tradeoffs to optimize use of zk-SNARKs.
What are you changing from Bitcoin's Design? What parts of the Bitcoin network remain?
We're following a general principle of "conservative innovation". Aside from the Zerocash privacy protocol (itself already a massive technological achievement), we wish to avoid making changes from Bitcoin's design without a strong rationale.
We’ve decided to make a number of relatively conservative changes to Bitcoin’s consensus rules:
- We’ve adopted a “smooth” difficulty adjustment algorithm, based on DigiShield v3.
- We’ve adopted a memory-hard proof of work, Equihash, which involves adding a memory-hard problem to be solved in valid blocks.
- We’ve changed the block interval target from 10 minutes to 1.25 minutes, and modified other constants in order to preserve the monetary base of roughly 21 million coins and halving interval of 4 years.
- We’ve increased the block size limit to 2MB.
- We require coinbase transactions to contain an output to our Founders’ Reward P2SH address during the first 4 years before the first halving.
- We require transactions spending coinbase outputs to contain no “transparent” outputs (vout should be empty).
- We’ve removed activation rules for softforks in Bitcoin and made them enabled by default.
- We've added a transaction expiry feature.
Zcash embeds a confidential value transfer scheme alongside the traditional Bitcoin infrastructure; for most purposes, it simply adds additional behavior to the existing primitives.
For further detail, see the 'Consensus Changes from Bitcoin' section of our protocol specification.
How does Zcash compare to other cryptocurrencies with anonymizing properties?
As mentioned in the FAQ Does Zcash offer complete anonymity for transactions?, the protection of data in shielded Zcash transactions aligns more with the term "privacy" as it is foremost a tool for financial privacy with the added benefit of increased anonymity.
That said, in situations where anonymity can defend against targeted attacks on private data, you're better off being one of 2 million people who could have made a payment for a private medical procedure in San Francisco versus being one of 3 people, two of which live on the other side of the world. The size of this set matters, and the mixing strategies that other cryptocurrencies use for anonymity provide a rather small one in comparison to Zcash. This is not to say these other methods are worthless, there are tradeoffs between the two, but Zcash has a distinct advantage in terms of transaction privacy and as a result, anonymity.
If you want to avoid companies building profiles of people (especially those who pay for personal services such as psychiatry, drug rehabilitation, etc.) based on public blockchain data, using Zcash can help. Shielded addresses are indistinguishable from all other shielded addresses in the system.
For more information on these concepts, see A Shielded Ecosystem blog post.
What are SNARK public parameters? How did the Zcash Ceremony generate the SNARK parameters securely?
A set of public parameters are required for generating the proofs required to validate private transactions. The process of generating these public parameters (commonly referred to as “paramgen”) also produces a by-product (which we have nicknamed the “toxic waste”) that could be used to subvert the block chain by creating fake coins that are indistinguishable from real ones (the relationship between the public parameters and this toxic waste is similar to that between a public key and a private key). It is therefore important that this toxic waste be securely destroyed.
We designed a process whereby the job of generating the public parameters was split between a number of people, each of whom generated a piece of the parameters during what we refer to as the Zcash Ceremony. These pieces were then brought together and combined to create the public parameters. As long as one of the people involved in generating the parameters destroyed their portion of the “toxic waste”, there is no way to subvert the parameters.
For technical details on these parameters and documentation of the Ceremony including participants' destruction of "toxic waste" shards, see our Parameter Generation explainer page.
If the Zcash Ceremony was compromised, could the attacker compromise user privacy?
No, even if an attacker completely compromised the Zcash Ceremony, this would not give them the ability to penetrate the privacy of Zcash shielded addresses. Shielded addresses are protected solely by mathematics (modern encryption) and do not rely on anything else for their privacy. (On the other hand, such an attacker could counterfeit Zcash. See the FAQ entry "What are SNARK public parameters?" about that.)
What functionality do shielded addresses have? What are the limitations?
Shielded addresses (addresses that start with a "z") are the component of Zcash which offers privacy by shielding address, balance and memo fields from the public. The zk-SNARKs technology used for shielding this data introduced limitations on usability which those familiar with other cryptocurrencies may notice.
The Sapling network upgrade introduces a new shielded address type with significant improvements in most of these legacy usability limitations. Multi-signature support is still in the works.
Note that coinbase transactions which pay out block rewards and transaction fees to miners require transparent addresses for accounting purposes. These coinbase transactions to miners do, however, include an additional requirement that their subsequent spend goes to a shielded address.
For technical details about shielded addresses, check out our blog post How Transactions Between Shielded Addresses Work and for details on legacy resource requirements at launch, check out User Expectations at Sprout Pt. 2: Software Usability and Hardware Requirements.
Are only a small fraction of Zcash users using shielded addresses? Does anyone use Zcash's privacy features?
Since most third-party wallets only support transparent addresses, we're seeing an effect on the number of shielded addresses in use. We expect the number to increase significantly with Sapling activated and the subsequent adoption of shielded addresses by ecosystem services.
Here is a table showing the number of shielded and unshielded transactions per hour/day/week/month. And here are historical stats about shielded and unshielded transactions in the most recent 100 blocks over the life of the blockchain so far.
Note that a big part of the shielded addresses used are due to the consensus rule requirement of coinbases to be shielded when first spent. This was in order to provide a guaranteed privacy-set. If you make a shielded Zcash transaction today there is actually a very large privacy-set of possible previous transactions which could be inputs to your transaction.
Could quantum computers break Zcash?
Large quantum computers, if and when built, would be capable of breaking an encryption scheme used by Zcash. As a result, an attacker with access to such a computer could check if a transaction's recipient matches some given address. In case it does, the attacker could now discover the amount and encrypted memo attached to the transaction (but not the sender). It could also compute the note's nullifier, which means it could track when the recipient subsequently spent this note. Note that shielded addresses don't appear on the blockchain, and those shared privately and unknown to an adversary would not be vulnerable. (Again, no information on the sender address of a transaction can be extracted, even if the address were known to the attacker.)
In addition, large quantum computers would be able to fool zk-SNARK verification, and thus counterfeit ZEC.
Both of these attacks would require quantum computers with thousands of qubits (capable of solving the discrete-logarithm problem), which are at least decades away from today's state of the art by most experts' estimates.
Scientists at Electric Coin Company, and academia, are actively researching postquantum-secure alternatives to the affected cryptographic components (see issue #805). We plan to monitor developments in postquantum-secure components, and if/when they are mature and practical, update the Zcash protocol to use them.
What is a “trusted setup”?
A trusted setup is the result of a multiparty computation exercise (parameter generation) used to create a long key around which cryptographic proofs can be based.
Zcash is different than most other cryptocurrencies in that it uses zk-SNARKs, a type of zero-knowledge proof, to verify transaction details and then add them to the blockchain without revealing any details of these transactions to the public. This system requires a parameter-generation ceremony for some types of network upgrades. There have been two of these trusted setups since Zcash was launched. After the setup phase, the long number, or key, that is generated, sometimes referred to as toxic waste, must be destroyed so that no one can counterfeit new Zcash. (Note that user privacy is always protected even if a setup phase were to fail or the toxic waste was not destroyed.)
These elaborate ceremonies, the first of which was famously detailed in this Radiolab story, are designed to ensure that no single person ever has access to the full key. The last ceremony included a large number of unrelated people from around the world to ensure the probability of compromise is near zero. Only a single ceremony participant has to remain honest to protect Zcash from compromise.
Halo, a recent cryptographic breakthrough by ECC’s Sean Bowe, creates a practical, scalable and trustless cryptographic proving system which might eliminate the need for trusted setup in a near-future network upgrade of Zcash.
Further reading: Parameter generation
How can anyone be sure Zcash hasn’t been counterfeited?
All evidence suggests Zcash has never been counterfeited.
In Zcash, all ZEC resides within “value pools,” determined by the type of address holding the ZEC. There are currently three value pools: the transparent value pool, the Sprout value pool, and the Sapling value pool. Because Zcash’s Sprout and Sapling shielded addresses are designed with strong privacy protections, a counterfeiting compromise cannot be directly detected in either of those value pools.
However, by design, ZEC may only enter or exit shielded value pools by transparently revealing the value of the transfer. This is called the “turnstile.” See the documentation on value pools, turnstiles and the Sprout to Sapling migration for more details. If a counterfeiting compromise generated illegitimate ZEC within a shielded value pool and more ZEC exited the pool than entered, then the publicly tracked value pool total would become negative. This has not occurred.
What was the counterfeiting vulnerability in Zcash?
In October 2018, with the release of Sapling (NU1), ECC developers fully remediated a counterfeiting vulnerability, CVE-2019-7167, that had existed in the previous version of the protocol and would have allowed an attacker to create Zcash. Data indicates no counterfeiting ever took place, because there has never been more ZEC coming out of the Sprout shielded pool than there should be (see answer above).
Further reading: Zcash counterfeiting vulnerability remediated
What is the Zcash emission schedule?
Every 75 seconds, 6.25 new ZEC are created, and the rate at which they are generated drops by half about every four years until all 21 million ZEC are in circulation. Some have worried that Zcash inflation is high, but it almost precisely mimics that of Bitcoin’s first 3-4 years. It’s important to note that as new coins are created inflation goes down, and at each halvening the rate drops significantly.
Further reading: Coinmetrics charts
How will Zcash be created?
Like Bitcoin, Zcash is a mined cryptocurrency, which means that new ZEC are created each time a block is added to the Zcash blockchain. New blocks are created roughly every 75 seconds (1.25 minutes). The monetary supply curve mirrors Bitcoin’s, except that, because Zcash’s blocks will be mined 4 times as frequently as Bitcoin’s, the number of ZEC created per Zcash block are a quarter the number of BTC created per Bitcoin block. The first weeks after Zcash launch were a "slow-start" mining period.
Is Zcash proof-of-work? What mining algorithm do you use? Is it ASIC resistant?
Since launch, Zcash has been based on proof-of-work. Perhaps the community will choose to change it to proof-of-stake someday, but we cannot predict. However, we are very much open to improvement and evolution.
We are currently using Equihash as the proof-of-work for block mining in Zcash. Equihash is a proof-of-work algorithm devised by Alex Biryukov and Dmitry Khovratovich. It is based on a computer science and cryptography concept called the Generalized Birthday Problem. Please read the Why Equihash blog post for more details.
As of May 2018, Zcash's Equihash parameters have been implemented in custom hardware ("ASIC") miners. We're still evaluating whether Equihash will resist ASIC implementation long-term. See the Electric Coin Company Statement on ASICs for more information.
What will the average block time be?
1.25 minutes (75 seconds)
How many ZEC will be made per block?
12.5 ZEC are mined per block. Each 4 year period, the ZEC creation amount will halve (from 12.5 to 6.25 to 3.125 to 1.5625 and so on). The exact block count for these halving periods is 840,000 with the exception of the first period which is 850,000 due to slow-start mining.
What is the maximum block size?
What is the difference between Solutions and Hashes?
Sol/s measures the rate at which Equihash solutions are found. Each one of those solutions is tested against the current target (after adding to the block header and hashing), in the same way that in Bitcoin each nonce variation is tested against the target. That is what we mean by Sol/s === H/s - they are measuring the same thing, and it is the same metric that everyone already uses for other PoW algorithms.
Put another way, measuring Sol/s in Zcash is exactly the same as measuring TH/s in Bitcoin (ignoring the "T" scaling factor, which is merely a product of the relative speeds of the PoWs and the relative numbers of miners).
What is slow-start mining?
In order to minimize the impact of any unforeseen problems during the launch of Zcash, the amount of ZEC each time a block was mined started at zero and gradually ramped up to 12.5 ZEC after 34 days. The slow-start period ended on December 1st, 2016.