Frequently Asked Questions
For troubleshooting, please see our GitHub wiki.
How can I acquire Zcash (ZEC)?
You can buy ZEC from participating online exchanges/markets with another cryptocurrency or fiat currency (depending on which exchange you use). We put together a list of exchanges supporting Zcash trades at launch here, but these are just a few of the first exchanges and wallets that supported Zcash at launch. There have been many more that have come into existence. We encourage the community to host their own lists and repositories of successful providers such as in this Zcash community blog. You might also have luck finding someone to buy Zcash from in person or offering services/products to be paid for in Zcash. And of course, you are highly encouraged to run a Zcash mining node to earn tokens for taking part in securing the decentralized network!
You can get more info on installing a node and sending ZEC in our 1.0 Guide.
How do I install a Zcash wallet?
There are already a variety of third-party options for storing and sending ZEC, in addition to the officially supported core client, zcashd. Many of these third-party wallets have limitations in their support for Zcash; in particular, including shielded addresses in a transaction requires a large amount of computer memory and most wallets (both hardware and web-based) have yet to integrate this feature.
You can browse a list we put together of third-party support at launch here. As mentioned in the above question, these are a few of the first exchanges and wallets that supported Zcash at launch. There have been many more that have come into existence. We encourage the community to host their own lists and repositories of successful providers such as in this Zcash community blog.
What is the difference between addresses that start with "t" and addresses that start with "z"?
Zcash is built upon and extends the Bitcoin protocol. Addresses which start with "t" behave exactly like Bitcoin, including their globally public properties and we refer to these as "transparent addresses". Addresses which start with "z" include the privacy enhancements provided by zero-knowledge proofs (see FAQ: what is a zero-knowledge proof?) and we refer to these as "shielded addresses". It is possible to send ZEC between these two address types.
See our blog post Anatomy of a Zcash Transaction for more details.
Does Zcash have multi-signature transactions?
Yes, but not with privacy. Zcash supports all of the same kinds of transactions that Bitcoin supports, such as multi-signature transactions, but all of those don't have any added privacy — they have the same privacy properties as in Bitcoin, i.e. global transparency. You can see the difference between single-signature and multi-signature transparent addresses with their starting characters: "t1" and "t3" respectively.
Note that it's possible to sandwich any transaction using transparent addresses — e.g. a multi-signature transaction — between private Zcash spends. For example, do a private Zcash spend to yourself, then do a globally transparent transaction (which could be a multi-signature transaction), and then the new holder of the funds (possibly you or possibly someone else) does another private Zcash spend to themselves.
Some privacy benefits may be preserved from that technique. We would caution against assuming this gives blanket privacy in general for any use, though, so this is an area for future study.
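The starting characters mentioned above come from the version bytes inside the Base58Check encoding, so software can tell the address types apart by decoding rather than by looking at the string. The following is an added example, not code from zcashd: it assumes the Zcash mainnet version bytes and the payload lengths shown in the table, and the sample addresses are constructed from dummy payloads.

```python
import hashlib

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Zcash mainnet Base58Check version bytes -> (address type, visibility, payload length).
VERSIONS = {
    b"\x1c\xb8": ("t1 single-signature", "transparent", 20),
    b"\x1c\xbd": ("t3 multi-signature", "transparent", 20),
    b"\x16\x9a": ("z shielded", "shielded", 64),
}


def checksum(data: bytes) -> bytes:
    """First four bytes of double SHA-256, as in Bitcoin's Base58Check."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()[:4]


def b58encode(raw: bytes) -> str:
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = ALPHABET[rem] + out
    # Each leading zero byte is written as a literal "1".
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out


def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        idx = ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"invalid Base58 character {ch!r}")
        n = n * 58 + idx
    zeros = len(text) - len(text.lstrip("1"))
    return b"\x00" * zeros + n.to_bytes((n.bit_length() + 7) // 8, "big")


def encode_address(version: bytes, payload: bytes) -> str:
    """Build an address string; used here only to construct sample inputs."""
    data = version + payload
    return b58encode(data + checksum(data))


def classify(address: str) -> dict:
    """Verify the checksum, then report the address type from its version bytes."""
    raw = b58decode(address)
    if len(raw) < 6:
        raise ValueError("too short to hold version bytes and checksum")
    data, check = raw[:-4], raw[-4:]
    if checksum(data) != check:
        raise ValueError("checksum mismatch (mistyped or tampered address)")
    version, payload = data[:2], data[2:]
    if version not in VERSIONS:
        raise ValueError(f"unknown version bytes {version.hex()}")
    kind, visibility, length = VERSIONS[version]
    if len(payload) != length:
        raise ValueError(f"{kind} payload must be {length} bytes, got {len(payload)}")
    return {"kind": kind, "visibility": visibility, "payload": payload.hex()}


if __name__ == "__main__":
    # Constructed payloads, not real keys or script hashes.
    samples = [
        encode_address(b"\x1c\xb8", bytes(range(20))),
        encode_address(b"\x1c\xbd", bytes(range(20))),
        encode_address(b"\x16\x9a", bytes(range(64))),
    ]
    for addr in samples:
        info = classify(addr)
        print(f"{addr[:12]}...  {info['kind']:<20} {info['visibility']}")
```

A wallet or payment processor can use the "visibility" field to warn a user before funds leave a shielded address for a transparent one.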
What is the difference between Zcash and Bitcoin?
Zcash is a fork of the Bitcoin protocol, the first and most widely used blockchain cryptocurrency. This means it maintains its own blockchain and currency token. Zcash builds on the existing work from the Bitcoin core team to enable privacy-preserving transaction data using zero-knowledge proofs (see FAQ: what is a zero-knowledge proof?). It also includes some non-privacy changes to Bitcoin, including its proof of work algorithm (see FAQ: "What are you changing from Bitcoin's Design? What parts of the Bitcoin network remain?" for more detail on technical differences).
Zcash Client (zcashd)
How should I run Zcash?
To join the network, the 1.0 Guide is the best place to start. Keep updated with the information we post on our blog to know the current phase and stay updated on zcashd, the core Zcash client.
Is there a version for Windows, Mac, Android, or iOS?
The Zcash company has official support for only Linux. While we have no intentions to officially support other operating systems, a third party has already ported the client for macOS and you can keep an eye on our community forum for future third-party Windows and mobile support. Since we do not have the resources to review software we do not build ourselves, we encourage users to do due diligence on the legitimacy and safety of software built by third parties before downloading and installing.
What is the mission of Zcash?
Our mission is to create an open financial technology platform that everyone in the world can use.
We believe that personal privacy is necessary for core human values like dignity, intimacy, and ethics. Companies need privacy in order to conduct their business; and we believe that privacy strengthens social ties and social institutions, protects societies against their enemies, and helps societies to be more peaceful and more prosperous. Finally, in an open and programmable financial system, privacy is the only way to ensure fungibility.
We are a science-driven team. We are the discoverers of the underlying scientific techniques and the designers of the protocol; we are not the controllers or the power-holders. We believe in the value of decentralization, which promotes security and fairness. Every user of Zcash is a part of the network, and helps protect it against failure and corruption. We created Zcash, but its ultimate destiny lies not in our hands, but in yours.
When did Zcash launch?
The Zcash block chain launched on October 28, 2016, bringing into existence the first Zcash monetary units. This software release and the initial phase of the block chain is called ‘Sprout’ to emphasize that it is a young, budding block chain with great potential to grow.
Please read our launch blog post for more details.
Who are your investors? How is Zcash funded?
A full list of Zcash investors can be found on our team page.
Zcash has raised capital in a non-traditional way; there have not been the same clearly delineated “Series A” or “Seed” round nominations like other similar technology companies. The first public investors included: Pantera Capital, Digital Currency Group, Fenbushi Capital, London Trust Media, Evolve VC, Naval Ravikant, Niraj Mehta, David Dacus, Roger Ver, Alan Fairless, Ben Davenport, Brian Cartmell, James Nicholas, Jonathan Perlow, Charlie Songhurst, Adam Ludwin, Devon Gundry, Ryan Smith, and Rop Gonggrijp.
In the summer of 2016 there was a private raise that included the following new and already established funders: Aaron Grieshaber, Branson Bollinger, Maple Ventures (Amir Chetrit and Steven Nerayoff), Brian Cartmell, Vlad Zamfir, Roger Ver, Digital Currency Group, Barry Silbert, Charles Songhurst, Fenbushi, Shapeshift, Erik Voorhees, David Lee Kuo Chuen, Fred Ehrsam, Sebastian Serrano, and Li Xiaolai.
There will not be a crowdfunding round.
Who is the Zcash team?
Our team includes the scientists who invented the Zerocash protocol, engineers and communicators with a specialized track record in open privacy technology, advisors who are leaders in the Bitcoin, Ethereum, and academic communities, and well-regarded investors. See our team page for details.
What is the Zcash Foundation?
The Zcash Foundation is a non-profit entity for maintaining and improving the Zcash protocol in the interests of all users, present and future. It will receive 1.44% of the monetary base (over four years) to support this work, thanks to pledges from some of the stakeholders to donate part of their share of the Founders’ Reward.
Read our announcement of the Zcash Foundation on our blog.
If the Zcash cryptocurrency provides transactional privacy, won’t bad people use it?
Yes, but bad guys will use anything. Bad guys use cars, bad guys use the Internet, bad guys use cash, bad guys use the current banking system. Our goal is not to invent something that bad guys can't use, it is to invent something that can empower and uplift the billions of good people on this planet.
For more context about our values, see the Hello World blog post.
What is Zcash's approach to governance?
Our fundamental philosophy is consensuality. Currently the Zcash Company (CEO: Zooko Wilcox) is effectively leading development of the science, the protocol, and the reference client, as well as public communications and many other important tasks. In the long run the newly formed Zcash Foundation is expected to take over some of these roles, especially education, consumer protection, and the advancement of science. For now they say that they intend to keep letting the Zcash Company do its thing.
What are the economics of Zcash? Is there going to be a fixed monetary base?
Zcash's monetary base is the same as Bitcoin's — 21 million Zcash currency units (ZEC, or ⓩ) and is mined over time. It is a scarce token just like Bitcoin which can be transferred globally and exchanged to/from other cryptocurrencies or fiat currencies via online exchanges, in-person transactions, etc.
10% of the mining reward will be distributed to the stakeholders in the Zcash Company — founders, investors, employees, and advisors. We call this the “Founders’ Reward”.
Since the value sent between shielded addresses is private, how can we determine the number of ZEC in circulation?
Currently, we know that every miner validates every transaction, and each transaction comes with a zero-knowledge proof that it doesn't violate conservation-of-money (i.e. a proof that the money coming out of the transaction is ≤ the money going into the transaction).
This reasoning depends on the soundness of the zero-knowledge proofs. If someone could get the miners to accept a transaction that created new money — if you could somehow forge a zero-knowledge proof or defeat the zero-knowledge-proof-verifier software in the miners — then you could counterfeit money.
We are investigating options for the future which would enable accounting for all ZEC in existence. Stay tuned to our blog for any proposals on this matter.
What is the Founders’ Reward?
10% of the eventual monetary base goes to the founders. The Founders’ Reward is distributed incrementally over the first four years of mining, so that there is continued incentive and continued resources for the founders to improve the value of the coin. Unlike a pre-mine or an Initial Coin Offering, this structure offers little or no opportunity for the founders to pump-and-dump.
After four years, the Founders’ Reward ends and all of the mining rewards after that go to the miners.
Read more in the blog post Funding, Incentives, and Governance.
Who will receive the Founders’ Reward?
The investors who funded the creation of Zcash will collectively receive 1.65% of the ultimate Zcash monetary base. The founders, employees, and advisors will collectively get 5.72%.
The two biggest single beneficiaries of the Founders' Reward are the “Zcash Company strategic reserve” receiving 1.19% and the non-profit Zcash Foundation receiving 1.44%. The strategic reserve fund will go towards new projects to increase the value of the Zcash Company and the Foundation fund will benefit the maintenance and evolution of the Zcash protocol in the interests of all users, present and future.
Read more in Continued Funding and Transparency.
Is the Founders' Reward a pre-mine?
I (Zooko) don’t call it that because it’s not “pre”. (And it’s not mining.) Also, unlike a typical “pre-mine”, the Zcash Founders' Reward is transparent and it aligns the incentives of the creators and the users of the system.
What markets are supporting Zcash?
Why did the price of Zcash fall so much after it was launched? Was it because the founders/investors were selling their coins?
Nobody knows why buyers and sellers choose the prices they do. One fact to bear in mind is that the supply of Zcash immediately after launch was limited as described here. For example, on October 29 (one day after the blockchain was created) there were 450 coins and on October 31 there were 1950. One thing that we can be sure of is that it had nothing to do with the Founders' Reward. The Founders' Reward coins are distributed incrementally over the first four years of the blockchain, and none of them were moved until December 21, as we wrote about here and as you can see on the blockchain here.
Are there online Zcash communities?
Are there any local Zcash communities? How do I find local Zcash enthusiasts and traders?
You might find some Zcash enthusiasts and traders at local cryptocurrency meetups. Get in touch if you’re thinking about or interested in starting a Zcash meetup in your community; we’d love to hear from you! email@example.com
Simply put, what is a zero-knowledge proof? How does Zcash integrate it?
Zero knowledge proofs are a scientific breakthrough in the field of cryptography: they allow you to prove knowledge of some facts about hidden information without revealing that information. The property of allowing both verifiability and privacy of data makes for a strong use case in all kinds of transactions, and we’re integrating this concept into a block chain for encrypting the sender address, the recipient address, and the amount. A block chain that encrypts transaction data (making it private) and lacks zero-knowledge proofs also lacks the assurance that all the transactions are valid. This is because the nodes in the network can’t determine whether the sender really had that money or whether they previously sent it to someone else, or never had it in the first place. The encrypted data becomes unverifiable by network nodes.
In Zcash, we use a particular type of zero-knowledge proof called zk-SNARKs (or “zero-knowledge succinct non-interactive arguments of knowledge”). Within a Zcash transaction, there may exist a string of data that the sender of a transaction provides (the “zero-knowledge proof”) along with the encrypted transaction data, which proves properties of the encrypted data cryptographically, including that the sender couldn’t have generated that string unless they had ownership over the spending key and unless the input and output values are equal. The proof also guarantees creation of a unique nullifier which is used to mark tokens as spent when they are, in fact, spent. This allows for verification that the transaction is valid, while preserving privacy of the transaction details.
What is the difference between Zerocoin, Zerocash, Zcash and ZEC?
Zerocoin is a cryptographic currency protocol invented by Ian Miers, Christina Garman, Matthew Green, and Aviel D. Rubin in 2013. Zerocash is an improved cryptographic currency protocol invented by Eli Ben-Sasson, Alessandro Chiesa, Christina Garman, Matthew Green, Ian Miers, Eran Tromer, and Madars Virza in 2014. Zcash is an implementation of the Zerocash protocol, with certain improvements as described in our protocol specification (all of the scientists who designed the Zerocash protocol are members of the Zcash team). We have adopted ZEC as the informal three letter currency code for the Zcash currency, and ⓩ as its currency symbol.
Does Zcash offer complete anonymity for transactions?
Zcash enhances privacy for users by encrypting sender, amount and recipient data within single-signature transactions published to its public block chain ledger.
Zcash does not: encrypt data for multisignature, protect against correlations made with public transactions (for example, when Zcash is traded to/from another cryptocurrency) or obfuscate IP addresses. It is possible to use it in conjunction with an anonymizing network such as Tor, in order to obtain protection against network eavesdropping which is complementary to transaction privacy.
It should be noted that while Zcash facilitates anonymization for its users amongst a wide pool of individuals, we align more with the term “privacy” to describe what Zcash technology aims to provide. While related in scope, the terms have subtle differences. Anonymity relates to removing personal identifiers linked to potentially public data such as sending an anonymous tip to law enforcement or wearing a mask during a protest. Privacy considers the data itself in need of protection such as a discussion during a private meeting and more relevant, the encryption of information - whether for keeping personally or sharing with a select number of others. Anonymity methods can enhance privacy goals, such as defending against targeted attacks on private data, and vice versa if the protected data relates to personally identifiable information. The encryption of data in private Zcash transactions aligns with the latter as it is foremost a tool for financial privacy with the added benefit of increased anonymity.
For more information on anonymity properties in Zcash, see How does Zcash compare to other cryptocurrencies with anonymizing properties?
Will Zcash contain a backdoor?
Neither Zcash nor any other cryptographic algorithms or software we've made contains a backdoor, and they never will.
Is Zcash peer reviewed?
Yes. Zcash is based on the peer-reviewed Zerocash protocol, which was published in the IEEE Security & Privacy conference in 2014. The Zerocash paper provides a detailed technical overview of the specification. Our changes to the protocol are not (yet) peer-reviewed, but they are described and justified comprehensively in our protocol specification. Those changes are also in the process of being subjected to several independent security audits.
Have you considered sidechains, Ethereum, or embedding into the Bitcoin protocol?
Yes, we've explored all of those ideas in varying degrees. What we're doing right now is the simplest thing that can make Zcash a real, live, permanent medium of exchange and store of value, and that is to create a separate block chain.
What's the point of Zcash if Ethereum is going to have SNARKs?
It's hard to say in advance how the privacy features of Zcash will compare to the analogous future planned features for Ethereum. It depends on the exact way Ethereum will implement zk-SNARK based privacy, which is hard to predict. It does seem possible, given that the Zcash blockchain and team are focused primarily on privacy, that there will be some advantage; e.g., in terms of efficiency, security, and usability.
What are you changing from Bitcoin's Design? What parts of the Bitcoin network remain?
We're following a general principle of "conservative innovation". Aside from the Zerocash privacy protocol (itself already a massive technological achievement), we wish to avoid making changes from Bitcoin's design without a strong rationale.
We’ve decided to make a number of relatively conservative changes to Bitcoin’s consensus rules:
- We’ve adopted a “smooth” difficulty adjustment algorithm, based on DigiShield v3.
- We’ve adopted a memory-hard proof of work, Equihash, which involves adding a memory-hard problem to be solved in valid blocks.
- We’ve changed the block interval target from 10 minutes to 2.5 minutes, and modified other constants in order to preserve the monetary base of roughly 21 million coins and halving interval of 4 years.
- We’ve increased the block size limit to 2MB.
- We require coinbase transactions to contain an output to our Founders’ Reward P2SH address during the first 4 years before the first halving.
- We require transactions spending coinbase outputs to contain no “transparent” outputs (vout should be empty).
- We’ve removed activation rules for softforks in Bitcoin and made them enabled by default.
Zcash embeds a confidential value transfer scheme alongside the traditional Bitcoin infrastructure; for most purposes, it simply adds additional behavior to the existing primitives.
For further detail, see the 'Consensus Changes from Bitcoin' section of our protocol specification.
How does Zcash compare to other cryptocurrencies with anonymizing properties?
All anonymity is not created equal: you're better off if we can only figure out that one out of 6 billion people bought a Nickelback album, than if we know it was either you or one guy in Tristan da Cunha. The size of your anonymity set matters, and the mixing strategies which other cryptocurrencies use for anonymity provide a rather small one in comparison to Zcash. This is not to say these other methods are worthless; there are tradeoffs between the two, but Zcash has a distinct advantage in terms of anonymity and we think it matters.
If you are worried about maintaining privacy given repeated interactions with merchants or others who already have some partial information about you, the size of the anonymity set matters considerably. Long term intersectional attacks are a major problem with anonymity systems. The smaller the set you mix with on any given transaction, the easier it is for some third party to use outside information to eliminate everyone else in the mixing set (e.g. because she knows no one else in the set was online at the time of the transaction or was in your approximate geographic area), and determine the true spender. One of the few effective defenses we have for this is to simply include as many people as possible in the anonymity set. If you want to avoid companies building financial profiles of users from the block chain, this is precisely the type of attack you need to thwart. When you perform a transaction in Zcash, you effectively mix with all transactions ever performed (except those where the sender chose to be transparent).
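To see how quickly a small mixing set erodes under repeated interactions, here is an added simulation of the intersection reasoning described above. It is an illustration, not Zcash code or a measurement of any real network: the population size, mix sizes, online fraction and seed are all constructed assumptions.

```python
import random


def intersection_attack(population, mix_size, rounds, online_fraction=1.0, seed=2016):
    """Return the number of remaining candidate spenders after each transaction.

    User 0 is the true spender of every transaction. Each transaction hides the
    spender among `mix_size` users. The observer also discards set members known
    to be offline (each other user is online with probability `online_fraction`),
    which models the "outside information" in the text.
    """
    rng = random.Random(seed)
    target = 0
    others = range(1, population)
    candidates = None
    history = []
    for _ in range(rounds):
        if mix_size >= population:
            # Mixing with every user, as in the last sentence of the answer.
            anonymity_set = set(range(population))
        else:
            anonymity_set = set(rng.sample(others, mix_size - 1)) | {target}
        # The spender is necessarily online; everyone else only sometimes.
        plausible = {u for u in anonymity_set
                     if u == target or rng.random() < online_fraction}
        # Only users plausible in every linked transaction remain candidates.
        candidates = plausible if candidates is None else candidates & plausible
        history.append(len(candidates))
    return history


if __name__ == "__main__":
    population = 10_000  # constructed user base
    print("mix size   candidates left after each of 10 linked transactions")
    for mix_size in (5, 50, 500, population):
        history = intersection_attack(population, mix_size, rounds=10,
                                      online_fraction=0.5)
        print(f"{mix_size:>8}   {history}")
```

With a mix of 5 the spender is usually isolated by the second transaction, while the whole-population set shrinks only as fast as the outside information allows.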
What are SNARK public parameters? How did the Zcash Ceremony generate the SNARK parameters securely?
A set of public parameters is required for generating the proofs required to validate private transactions. The process of generating these public parameters (commonly referred to as “paramgen”) also produces a by-product (which we have nicknamed the “toxic waste”) that could be used to subvert the block chain by creating fake coins that are indistinguishable from real ones (the relationship between the public parameters and this toxic waste is similar to that between a public key and a private key). It is therefore important that this toxic waste be securely destroyed.
We designed a process whereby the job of generating the public parameters was split between a number of people, each of whom generated a piece of the parameters during what we refer to as the Zcash Ceremony. These pieces were then brought together and combined to create the public parameters. As long as one of the people involved in generating the parameters destroyed their portion of the “toxic waste”, there is no way to subvert the parameters.
For technical details on these parameters and documentation of the Ceremony including participants' destruction of "toxic waste" shards, see our Parameter Generation explainer page.
If the Zcash Ceremony was compromised, could the attacker compromise user privacy?
No, even if an attacker completely compromised the Zcash Ceremony, this would not give them the ability to penetrate the privacy of Zcash shielded addresses. Shielded addresses are protected solely by mathematics (modern encryption) and do not rely on anything else for their privacy. (On the other hand, such an attacker could counterfeit Zcash. See the FAQ entry "What are SNARK public parameters?" about that.)
What functionality do shielded addresses have? What are the limitations?
Shielded addresses (addresses that start with a "z") are the component of Zcash which offers privacy by encrypting sender, receiver, balance and a memo field. The introduction of our encryption scheme introduced some limitations on usability which those familiar with other cryptocurrencies may notice. One limitation in the current version of the Zcash client is a restriction on spending inputs: for any transaction involving one or more shielded addresses, there can be only one input (however, outputs are not restricted). Additionally, shielded addresses have higher resource requirements (RAM) and no multi-signature support. Over time, we intend to improve on these limitations and will explain any upgrades in our release announcement updates.
Note that coinbase transactions which pay out block rewards and transaction fees to miners require transparent addresses for accounting purposes and we do not intend to change this in the future. These coinbase transactions to miners do, however, include an additional requirement that their subsequent spend goes to a shielded address.
For technical details about shielded addresses, check out our blog post How Transactions Between Shielded Addresses Work and for details on resource requirements, check out User Expectations at Sprout Pt. 2: Software Usability and Hardware Requirements.
Are only a small fraction of Zcash users using shielded addresses? Does anyone use Zcash's privacy features?
Since some third-party wallets only support transparent addresses, we're seeing an effect on the number of shielded addresses in use. While the ratio has been steadily improving since launch, we expect the number to increase even faster in the future as we continue to improve usability of shielded addresses.
Here is a table showing the number of shielded and unshielded transactions per hour/day/week/month. And here are historical stats about shielded and unshielded transactions in the most recent 100 blocks over the life of the blockchain so far (about 6 months).
Note that a big part of the shielded addresses used are due to the consensus rule requirement of coinbases to be shielded when first spent. This was in order to provide a guaranteed privacy-set. If you make a shielded Zcash transaction today there is actually a very large privacy-set of possible previous transactions which could be inputs to your transaction.
In the long run we intend to improve the functionality of Zcash shielded addresses and to deprecate Zcash transparent addresses, so that all transactions are shielded and so that the user experience is simpler.
Could quantum computers break Zcash?
Large quantum computers, if and when built, would be capable of breaking an encryption scheme used by Zcash. Consequently, an attacker with access to such a computer could identify the amount and encrypted memo (but not the origin) of transactions sent to shielded addresses that the attacker knows. Note that shielded addresses don't appear on the blockchain, and those shared privately would not be vulnerable. In addition, large quantum computers would be able to fool zk-SNARK verification, and thus counterfeit ZEC.
Both of these attacks would require quantum computers with thousands of qubits (capable of solving the discrete-logarithm problem), which are at least decades away from today's state of the art by most experts' estimates.
Scientists at the Zcash company, and academia, are actively researching postquantum-secure alternatives to the affected cryptographic components (see issue #805). We plan to monitor developments in postquantum-secure components, and if/when they are mature and practical, update the Zcash protocol to use them.
How will Zcash be created?
Like Bitcoin, Zcash is a mined cryptocurrency, which means that new ZEC will be created each time a block is added to the Zcash block chain. New blocks will be created roughly every 150 seconds (2.5 minutes). The monetary supply curve will mirror Bitcoin’s, except that, because Zcash’s blocks will be mined 4 times as frequently as Bitcoin’s, the number of ZEC created per Zcash block will be a quarter the number of BTC created per Bitcoin block. The first weeks after Zcash launch will be in a “slow-start” mining period.
Is Zcash proof-of-work? What mining algorithm do you use? Is it ASIC resistant?
Yes, since launch, Zcash has been based on proof-of-work. Maybe the community will choose to change it to proof-of-stake or something someday. We cannot predict what the community or communities will ultimately decide about such things but are very much open to improvement and evolution.
We are currently using Equihash as the proof-of-work for block mining in Zcash. Equihash is a proof-of-work algorithm devised by Alex Biryukov and Dmitry Khovratovich. It is based on a computer science and cryptography concept called the Generalized Birthday Problem. Please read the Why Equihash blog post for more details.
The algorithm is currently not economically implementable in ASIC. We’re still evaluating whether we think it will resist custom hardware (“ASIC”) implementation long-term.
How many ZEC will be made per block?
After the slow-start period, 12.5 ZEC will be mined per block. Each 4 year period (or 840,000 mined blocks), the ZEC creation amount will halve (from 12.5 to 6.25 to 3.125 to 1.5625 and so on).
See the question What is slow-start mining? for details on the slow-start period.
What is the difference between Solutions and Hashes?
Sol/s measures the rate at which Equihash solutions are found. Each one of those solutions is tested against the current target (after adding to the block header and hashing), in the same way that in Bitcoin each nonce variation is tested against the target. That is what we mean by Sol/s === H/s - they are measuring the same thing, and it is the same metric that everyone already uses for other PoW algorithms.
Put another way, measuring Sol/s in Zcash is exactly the same as measuring TH/s in Bitcoin (ignoring the "T" scaling factor, which is merely a product of the relative speeds of the PoWs and the relative numbers of miners).
Where should I ask a question that is not answered on this page?
The best place to ask questions is our community forum. We'll add more common questions to this document as we become aware of them.