ZCash: the cryptocurrency that has nothing to hide

But it’s not for lack of trying. On 8 May 2018, a team of researchers from University College London published a detailed study that sought to analyze the actual degree of anonymity and confidentiality achievable in practice when using ZCash. Previous research seemed to show that a relatively high level of confidentiality could be achieved using ZeroCoin, the name of ZCash at the original fork with Bitcoin.

Preamble to ZCash study

Beyond the ideological bases that would justify the use of an anonymizing cryptocurrency (we prefer the term sibylline cryptocurrency) in everyday routine spending, the authors of the study begin by explaining that the most documented users are mainly of four types: the founders of ZCash, who currently receive 20% of the coingen (block reward); the miners, who receive 80% of the coingen; non-governmental organizations, legal or not (which use ZCash to receive donations or sell data); and, more commonly, the various black markets. For the authors of the study, it should be noted that most users of sibylline cryptocurrencies are rather attracted by the prospect of using them when purchasing second necessities, with an eye to how easily the police can trace their illegal activities.

As a reminder, the strategy rarely pays off, as recently shown by the closure of the Black Hand forum and the arrest, breaking the mold, of the mother of a family who was a priori the administrator of the site. The study presented here focuses on ZCash, which tries to achieve confidentiality by its own means, which we will detail below; note, however, that other cryptocurrencies aim for the same purpose, among which we can mention in particular DASH (CoinJoin spending techniques) and Monero (with ring signatures, which mix the keys of different users in their transactions to obscure them).

In the case of ZCash, the main stealth feature is the Shielded Pool, which we will discuss in more detail below, but which we can summarize as follows: a common pool through which ZCash users pass their ZECs before spending them, which obscures them and lets users then spend them without revealing precisely which ZECs from the pool were spent. A kind of anonymizing firewall for ZEC transactions, so to speak. All of this is therefore very interesting on paper, and even better, a priori, it works.

If you are a regular reader of my articles, you can see me coming a mile off, and you are asking yourself, “What is he going to come out with this time?” And you are right.

So I’m going to be blunt and summarize the point of the article right away:

  • Virtually all traditional ZEC transactions are no more anonymous than ordinary BTC transactions, being only pseudonymous themselves, and only a tiny fraction of ZEC transactions are actually more difficult to trace and identify, but ultimately not really a challenge for a motivated (probably state) actor;
  • Using relatively simple heuristics, it is possible to identify at least the different groups of users mentioned above, by extension most likely to identify an average user whose ZEC transactions are simply conventional, and even to identify outright an individual who takes the trouble to use the entire available toolkit in the hope of ensuring total anonymity in the context of illegal activities.

On the right: you, doubtful but hoping to discover that I am exaggerating a tad; in the background, a slightly more anxious buyer of second-hand goods on Dream Market. (Allegory)

So it’s time to get into the thick of it: how does ZCash work, and how is the use of ZEC supposed to be confidential?

How ZCash works

To summarize briefly, four types of transactions can take place on the ZCash network:

  • Transparent (t-to-t): the transaction takes place between two visible addresses, operating roughly like a classic transaction denominated in bitcoins, on a pseudonymous basis, but with the addresses and the amount of ZEC passing between them in the clear,
  • Shielded (t-to-z): the entry transaction into the Shielded Pool, which always reveals in the clear the amount of ZEC sent as well as the sender’s t-address,
  • Private (z-to-z): within the Shielded Pool, between two z-addresses, the z-addresses of the sender and recipient are theoretically hidden, just like the amount passing between them,
  • Deshielded (z-to-t): the transaction leaves the Shielded Pool to join a transparent t-address; the amount of ZEC is initially hidden but not on arrival, and the recipient’s transparent address is necessarily visible.

Simply from this illustration, it is possible to imagine several ways to track illegal transactions and/or to try to identify individuals using ZECs for illegal acts. First of all, all transparent t-to-t transactions are as easily traceable as any Bitcoin transaction, which has already been studied and demonstrated many times, with companies now dedicated to this kind of activity, in more or less close collaboration with the police. Then special heuristics, developed by the team at University College London (which we will detail later), will show that it is possible to undermine the other, supposedly more sibylline, types of transaction.

And before your amazed eyes, modeling the different transactions taking place on the ZCash network already shows this: in practice, almost nobody uses the Shielded Pool.

Breakdown of the number of transactions by type since the ZEC block genesis

Distributions and Percentage Evolution of Transaction Types Since Block Genesis

Available data shows that nearly 73.5% of transactions are transparent and therefore just as identifiable as any Bitcoin transaction. Only 0.3% of transactions are truly private, taking place fully and end to end within the Shielded Pool. The coingen transactions are a bit peculiar, in that they are the block reward shared between founders and miners, and the consensus rules require that these transactions transit through the Shielded Pool before being spent: they are therefore partly private, since they are more difficult to follow, but we will see later that to a valiant heart, nothing is impossible.

In addition, as ZCash is adopted by more and more users, in part because of the promise of anonymity, these users are using the network almost exclusively in transparent mode, and the current trend is exponential. In other words, the more time passes and the more ZCash is used, the more transparent transactions gain in volume relative to the residual confidential transactions. This can be explained by the fact that few if any general-purpose wallets support passing through the Shielded Pool by default; they only broadcast transparent transactions.

Clustering ZCash addresses and typology of participants’ attitudes

Looking only at t-addresses, we note that only 25% of them have a non-zero balance, which limits the ambient noise for the analysis. Ranking these t-addresses by wealth, we also observe that the top 1% holds 78% of all ZECs in circulation (and therefore on transparent addresses). The richest address holds more than 118,000 ZEC. The authors of the study rely on an axiom to group addresses together: if several addresses appear as inputs of the same transaction, it is reasonable to consider that these addresses are controlled by the same entity. Starting from this axiom, the authors targeted the transparent addresses used by the exchanges (after making ZEC deposits and withdrawals to and from the exchanges in question), by certain entities such as ShapeShift, and the known public addresses of the founders.

ZEC exchange identification clusters

Using this simple heuristic, the authors of the study have already been able to link and identify 123 t-addresses as belonging to the founders and 111,000 t-addresses as belonging to mining pools, for example. As regards exchanges, which manage 11.21% of all ZEC transactions in the clear, these transactions can be used to identify addresses of individual miners (who withdraw the funds from the coingen they received, after it has passed through the Shielded Pool) but also of some founders. These data can be used later to help identify them. Regarding mining pools and founders, apart from the few t-addresses identified on the exchanges, 99.8% of their ZECs are sent directly to the Shielded Pool. Regarding NGOs, the authors were able to identify several, for example Wikileaks or The Internet Archive, groups whose transactions mostly take place in the clear as transparent transactions.
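The shared-input axiom described above, written out as an added example (it is not code from the study or from ZCash): addresses that fund the same transaction are merged with a union-find structure, and a tag known for one address is then propagated to its whole cluster. The transactions, addresses and tag are constructed, and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample: each transaction lists the t-addresses funding its inputs.
CLUSTER_TXS = [
    {"txid": "tx1", "inputs": ["t1A", "t1B"]},
    {"txid": "tx2", "inputs": ["t1B", "t1C"]},
    {"txid": "tx3", "inputs": ["t1D"]},
    {"txid": "tx4", "inputs": ["t1E", "t1F"]},
    {"txid": "tx5", "inputs": ["t1F", "t1A"]},
    {"txid": "tx6", "inputs": []},  # coingen: no transparent input to cluster
]
# Constructed tag, standing in for an address learned from a test deposit.
KNOWN_TAGS = {"t1C": "exchange (constructed)"}

class UnionFind:
    def __init__(self):
        self.parent = {}

    def find(self, addr):
        self.parent.setdefault(addr, addr)
        while self.parent[addr] != addr:
            self.parent[addr] = self.parent[self.parent[addr]]  # path halving
            addr = self.parent[addr]
        return addr

    def union(self, a, b):
        root_a, root_b = self.find(a), self.find(b)
        if root_a != root_b:
            self.parent[root_b] = root_a

def cluster_addresses(txs):
    """Merge all addresses that co-occur as inputs of one transaction."""
    uf = UnionFind()
    for tx in txs:
        for addr in tx["inputs"]:
            uf.union(tx["inputs"][0], addr)  # also registers lone inputs
    groups = defaultdict(list)
    for addr in sorted(uf.parent):
        groups[uf.find(addr)].append(addr)
    return sorted(groups.values())

def tag_clusters(clusters, tags):
    """Propagate a known tag to every address in the same cluster."""
    labelled = {}
    for cluster in clusters:
        names = sorted({tags[a] for a in cluster if a in tags})
        for addr in cluster:
            labelled[addr] = names
    return labelled
```

Here tx5 bridges two groups that never share a transaction directly, so the single tagged address ends up labelling five addresses.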

Regarding the “shielded” transactions, entering and leaving the Shielded Pool, however, it is a different kettle of fish. By aggregating all the recoverable transactions on the ZCash blockchain, the study authors were able to quantify the total amount of ZEC contained in the Shielded Pool, equivalent to 3.6% of the total money supply of ZEC in circulation at the time of writing the article.

Breakdown in time and order of magnitude of the different deposits (red) and withdrawals (blue) of the Shielded Pool

From the study of the flows between shielded transactions (deposits to the Shielded Pool) and deshielded transactions (withdrawals to transparent addresses), the authors have identified four particular events: two deposits and two withdrawals, massive and coordinated over time, which lift the veil of anonymity on the transactions involved in the Shielded Pool.
Regarding the founders and the miners, it is easy to identify their deposits, since paradoxically, being forced to pass their funds through the Shielded Pool before disposing of them, they fall into the trap of this cross-identification going in and out of the Shielded Pool. The founders are mainly identified because some of their addresses are specified in the consensus rules and by the technique described above, while the miners are the only other recipients of the initial coingen.

Note that the study of the Shielded Pool shows that the main depositors into the pool are miners, at 76.7%, while the founders account for the rest of the volume, but in larger and occasional amounts, which explains the four events identified earlier.

Through other heuristics, the authors manage to link some of the transparent addresses used for deposits to the Shielded Pool with some of the transparent addresses used for withdrawals from the Shielded Pool.

Identification and valuation of the assets of the different actors within the Shielded Pool

The authors start by checking whether t-addresses are used both as a depositor into the pool and as a recipient from the pool, which is a very naive test, since it seems almost a waste to go through a common firewall pool only to come straight back out through the same transparent addresses. Yet, surprisingly, this simple technique already identifies 13.3% of the total value of the Shielded Pool as belonging to miners. Then, using other more advanced heuristics that we will not develop, the authors identify an additional 52% also belonging to miners and 13.5% belonging to the founders.

Behavior of deposits and subsequent withdrawals of the Shielded Pool by the founders

Identifying mappings between t-to-z and z-to-t addresses for mining pools

At this point in the process, note that only 30 to 35% of the private z-to-z transactions in the Shielded Pool can actually be considered private; the others can be associated with a type of participant by certain specific analysis methods, starting from the t-to-z input and z-to-t output transactions.

As a result, of the 0.3% of transactions on the entire network that are supposed to be private, only 30% to 35% remain truly private.

In sum, only 0.105% of ZCash network transactions are truly private end to end.

The specificity of the amounts identified and tracked for each of the groups, as well as their movements (which follow temporally identifiable sequences), allows the authors of the study to identify the movements in more detail and to develop further heuristics related to the specificities of the ZCash transaction structure, which includes a number of decoy inputs and outputs, both t-address and z-address, meant to deceive an investigator. In fact, these techniques are far from sufficient to throw a determined investigator off the trail. We will not go into the details of these last heuristics in this article, for the sake of simplicity.

Shielded Pool and the residual internal z-to-z ZCash transactions assumed private

The previously mentioned ZCash transaction structure is based on a substructure called vJoinSplits, which defines whether a transaction is transparent, shielded, deshielded or private, depending on the variations between the different parameters contained in these vJoinSplits. The private z-to-z transactions are the point of weakness chosen by the authors of the study: they selected and investigated a series of nearly 7000 private transactions containing 8444 vJoinSplits in total. The information obtained from these vJoinSplits is varied: the share of fees paid to miners, the time of the transaction, and the number of vJoinSplits used as input.

Now … 93% of private z-to-z transactions have only one vJoinSplit.

So, once again you can see me coming from a long way off: if there is only one input vJoinSplit on these transactions, these transactions are more likely to be linked. And this is the case, ultimately: it turns out that relatively few users in total use this function, and often towards the same services, which are also identifiable.

I will spare you the possible correlations between all the heuristics, which will probably be the subject of further studies, and which end up pinning us to our seats in the face of such a level of effective confidentiality.
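As an added example (not code from the study or from ZCash), the sketch below shows how the four transaction types listed earlier follow from the public values of a transaction's vJoinSplits, and then applies the naive round-trip test described above: a t-address that deposits into the pool and also receives a withdrawal. It assumes the parameters in question are `vpub_old` and `vpub_new`, as zcashd names them; the transactions, addresses and amounts are constructed, and the "mixed" label is an extra case outside the four types.

```python
# Constructed sample transactions, values in zatoshi. "vjoinsplit", "vpub_old"
# and "vpub_new" follow zcashd's JSON field names; "vin" is simplified to the
# t-addresses being spent (real data needs the previous outputs resolved).
POOL_TXS = [
    {"txid": "a1", "vin": ["tMiner1"], "vout": [("tShop", 5_000)], "vjoinsplit": []},
    {"txid": "a2", "vin": ["tMiner1"], "vout": [],
     "vjoinsplit": [{"vpub_old": 40_000, "vpub_new": 0}]},
    {"txid": "a3", "vin": ["tFounder"], "vout": [],
     "vjoinsplit": [{"vpub_old": 60_000, "vpub_new": 0}]},
    {"txid": "a4", "vin": [], "vout": [],
     "vjoinsplit": [{"vpub_old": 0, "vpub_new": 0}]},
    {"txid": "a5", "vin": [], "vout": [("tMiner1", 39_000)],
     "vjoinsplit": [{"vpub_old": 0, "vpub_new": 39_000}]},
    {"txid": "a6", "vin": [], "vout": [("tExchange", 20_000)],
     "vjoinsplit": [{"vpub_old": 0, "vpub_new": 20_000}]},
]

def pool_flow(tx):
    """Public value entering and leaving the Shielded Pool in this transaction."""
    return (sum(js["vpub_old"] for js in tx["vjoinsplit"]),
            sum(js["vpub_new"] for js in tx["vjoinsplit"]))

def classify(tx):
    if not tx["vjoinsplit"]:
        return "transparent"    # t-to-t
    into_pool, out_of_pool = pool_flow(tx)
    if into_pool and out_of_pool:
        return "mixed"          # both directions: outside the four basic types
    if into_pool:
        return "shielded"       # t-to-z
    if out_of_pool:
        return "deshielded"     # z-to-t
    return "private"            # z-to-z: nothing public enters or leaves

def round_trip(txs):
    """Deposits whose sending t-address also receives a withdrawal."""
    recipients = {addr for tx in txs if classify(tx) == "deshielded"
                  for addr, _ in tx["vout"]}
    reused, linked, total = set(), 0, 0
    for tx in txs:
        if classify(tx) != "shielded":
            continue
        value = pool_flow(tx)[0]
        total += value
        hits = recipients.intersection(tx["vin"])
        if hits:
            linked += value
            reused |= hits
    return sorted(reused), linked, total
```

On the sample, one reused address is enough to attribute 40,000 of the 100,000 zatoshi deposited, without looking inside the pool at all.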

Case Study: The Shadow Brokers

The study concludes by applying the various heuristics presented and tested during the study to the case of The Shadow Brokers, a famous group of hackers who allegedly targeted and then auctioned NSA tools on the black market (in BTC, then in ZEC exclusively).

By identifying the transactions that seem to correspond to the known amounts of past auctions and to the fixed prices (500 ZEC) subsequently set by TSB from October 2017, the authors have managed to identify 34 clusters corresponding to 34 customers who made a purchase from TSB. To put it very simply, one of these customers is a regular who made several purchases from TSB, after having obtained ZEC in exchange for fiat currency on a classic top-tier exchange, and having had to meet KYC requirements to do so. So you can imagine what can happen in these conditions: if “simple” researchers are able to identify a TSB customer whose transactions have passed through the Shielded Pool in private z-to-z transactions, how much time would a dedicated and expert cybercrime unit need to go directly to the buyers and find their identities?

And by extension, if you use ZCash daily without being able to even take the semi-protected path of the Shielded Pool, do you really consider yourself anonymous?

ZCash Foundation Roadmap as a result of the study

The authors of the study state that they have communicated throughout with the ZCash Foundation and its members to present their findings, and that behavioral changes have been observed since then, in particular concerning the movement of funds involving the founders. The ZCash Foundation has since communicated, for the sake of transparency, about modifications and future evolutions for ZCash, with the aim of making the spontaneous and systematic use of private z-to-z transactions through the Shielded Pool widespread, for example by making these transactions the default in consumer wallets.

The Foundation has also announced changes to the consensus rules to switch to a 100% reward for miners from October 2020, according to previous announcements, thus ending rewards to founders at that date. The future promises to be interesting for ZCash, as some questions may arise, in particular regarding the attitude that public exchanges or public authorities will adopt if private z-to-z transactions ever come to be widely adopted.
