Zcash – privacy, attestations and the power of defaults

State of Play | Privacy and Anonymity of Zcash | Implications of Control | Forces acting on Privacy Coins | Red teaming | To whose benefit is all this?

State of Play

Privacy and Anonymity of Zcash

There are two kinds of addresses in Zcash: t-addresses and z-addresses. Figure from Kappos et al. (UCL): https://www.usenix.org/system/files/conference/usenixsecurity18/sec18-kappos.pdf


Transactions within this shielded pool are private (and can be viewed only by a per-transaction viewkey).

Problem is, very few people transact via the shielded pool. Here is a graph by researchers from the University of Luxembourg: https://cryptolux.org/images/d/d9/Zcash.pdf

fraction of zcash transactions that are in the shielded pool

Less than 1% of transactions are fully shielded.
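To make the "fully shielded" figure concrete, here is an added example (not from the post or from either paper) that sorts transactions into the categories Kappos et al. use, transparent, shielded (t to z), deshielded (z to t), private (z to z) and mixed, and computes what fraction of a batch is fully private. The transaction records and the rule that decides a category from the transparent input/output lists are assumptions of this example; the sample batch is constructed.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ZcashTx:
    """Minimal view of one transaction: how many transparent (t) inputs and
    outputs it has, and how many shielded (z) spends and outputs.
    Constructed shape for this example, not the node's RPC format."""
    txid: str
    t_inputs: int
    t_outputs: int
    z_inputs: int
    z_outputs: int


def classify(tx: ZcashTx) -> str:
    """Category following the Kappos et al. scheme (assumed here to be decided
    by the transparent input/output lists once any shielded part is present)."""
    for n in (tx.t_inputs, tx.t_outputs, tx.z_inputs, tx.z_outputs):
        if n < 0:
            raise ValueError(f"{tx.txid}: negative component count")
    if tx.z_inputs == 0 and tx.z_outputs == 0:
        return "transparent"            # t -> t, fully visible on chain
    t_in, t_out = tx.t_inputs > 0, tx.t_outputs > 0
    if not t_in and not t_out:
        return "private"                # z -> z, lives entirely in the pool
    if t_in and not t_out:
        return "shielded"               # t -> z, value enters the pool
    if t_out and not t_in:
        return "deshielded"             # z -> t, value leaves the pool
    return "mixed"                      # t and z on both sides


def summarize(txs: list[ZcashTx]) -> dict:
    """Per-category counts plus the share of fully private transactions,
    the quantity the Luxembourg graph above plots over time."""
    counts = Counter(classify(tx) for tx in txs)
    total = len(txs)
    return {
        "counts": dict(counts),
        "private_fraction": counts["private"] / total if total else 0.0,
    }


# Constructed sample batch; proportions are illustrative only.
SAMPLE = [
    ZcashTx("t1", 1, 2, 0, 0),   # ordinary transparent payment with change
    ZcashTx("t2", 2, 1, 0, 0),   # transparent, two inputs consolidated
    ZcashTx("s1", 1, 0, 0, 1),   # shielding: t input, one z output
    ZcashTx("s2", 1, 1, 0, 1),   # t input, z output plus t change -> mixed
    ZcashTx("d1", 0, 1, 1, 0),   # deshielding: z spend, t output
    ZcashTx("p1", 0, 0, 1, 1),   # fully private
    ZcashTx("p2", 0, 0, 2, 2),   # fully private
    ZcashTx("x1", 1, 1, 1, 1),   # mixed on both sides
]

if __name__ == "__main__":
    report = summarize(SAMPLE)
    for category, n in sorted(report["counts"].items()):
        print(f"{category:12s} {n}")
    print(f"fully private fraction: {report['private_fraction']:.2%}")
```

Only the "private" rows stay inside the pool end to end; every other category has at least one transparent leg that chain analysis can start from.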

Implications of Control

The RAND report commissioned by the Electric Coin Company states that

Clear branding of Zcash and the ECC as compliant with relevant regulations could reduce the incentives for its use in illicit purposes in contrast to other privacy coins. Signalling compliance with AML/CFT regulation may be a key factor in differentiating Zcash from other privacy coins in the minds of criminal actors and refuting the reputation of privacy coins such as Zcash for harbouring illicit

From the RAND report

So one of the factors keeping Zcash transactions non-illicit is compliance signalling by the ECC. Yet the ECC could easily update the wallets or the protocol to use z-addresses.

To preserve current transaction levels, Zcash (via the Electric Coin Company or the Foundation) would have to ensure exchanges let people transact via the shielded pool.

Forces acting on Privacy Coins

Blockchain native tokens with privacy as a key feature suffer from a dilemma –

  • If transactions are truly private – then categorizing illicit transactions is difficult
  • If any entity can truly differentiate (at scale) illicit vs licit transactions, then they are not truly private.

Zcash tries to get around this problem by having a shielded pool and view keys that enable users to comply with regulations while not being susceptible to mass surveillance.

The fact that most people choose to transact in public does not make Zcash (the protocol) in theory any more or less private. In practice, however, the bigger the set of people transacting in public, the less private the network appears to be.

Red teaming this report

If I want to transact in illicit things, I would like the following

  • The transaction to be known to as few parties as possible.
  • The proceeds are easily convertible to FIAT money directly or via other tokens.

So assuming I want to use Zcash, I would like to transact via the shielded pool and convert to fiat.

There are no exchanges that let me trade my shielded-pool Zcash for fiat, and as we have seen from Kappos et al., once I transact away from the shielded pool, I can be tracked.

As soon as exchanges start allowing completely shielded transactions and connections to fiat, the use of Zcash for illicit transactions will increase.

If I wanted to prove Zcash is not being used for illicit transactions, the best way to do it would be to assign a purity metric to each transaction and show that there are no transactions that cross a threshold. If Zcash can successfully show that for shielded transactions, then their privacy use-case is invalidated.

The analysis done in the report looks up two databases that RAND holds on dark markets and searches them for Zcash addresses and mentions of Zcash on the forums.

That leaves out all the P2P shielded transactions occurring in locations not covered by the RAND databases.

It also does not explore the possibility that blockchain tokens are used primarily for speculation.

What it correctly points out is that a multitude of factors mostly to do with usability and signalling affect the illicit nature of Zcash. These same factors also affect regular usage of Zcash.

If Zcash is too difficult for people who have shown the motivation to use a privacy coin for illicit uses, how will a regular person make use of its privacy features?

To whose benefit is all this?

Zcash’s two tier privacy system is great for

  • Messaging as “privacy coin” – you want to transact in private, use our shielded pool that you cannot exit to fiat with, and is too difficult for even criminals.
  • Signaling compliance via the majority of transactions that happen in the public.

Why commission a report to quell rumors of illicit use when that report says your privacy coin is not being used by criminals because it is too difficult to keep transactions private?

Did Zcash’s price or transaction count move significantly on either the Chainalysis news or the RAND report? No.

They had to do it because their USP (whether valid or not) is an orientation towards privacy.

Understanding the fat protocol thesis

In August 2016 Joel Monegro (then at USV) wrote about value capture for blockchain vs web protocols. It gave folks a mental model of how to value blockchain protocol tokens.

According to this thesis, applications built on top of web protocols captured more value than the protocol, but when it comes to blockchain protocols, value capture shifts from applications directly to the protocol. Here is a nice picture explaining the difference

The Bitcoin network has a $10B market cap yet the largest companies built on top are worth a few hundred million at best, and most are probably overvalued by “business fundamentals” standards. Similarly, Ethereum has a $1B market cap even before the emergence of a real breakout application on top and only a year after its public release.

Joel Monegro, Fat Protocol thesis post.

What Joel rightly points at in the paragraph above is that the few applications built to service these protocols are valued at a small fraction of the underlying protocol (as calculated by the price of the token times the number of existing tokens).

Breaking down this thesis into its core assumptions

  • It is easy to shift between applications as they provide a commoditized service because the underlying protocol has a shared data layer and provides a lot of utility.
  • The price of the token, along with an open network and a shared data layer, incentivizes protocol adoption, and affects value distribution via the token feedback loop.

He also points out the following

  • When a token appreciates in value, it draws the attention of early speculators, developers, and entrepreneurs.
  • The market cap of the protocol always grows faster than the combined value of the applications built on top, since the success of the application layer drives further speculation at the protocol layer.

From the state of affairs in 2016, these statements are prescient. From what was happening then and we have seen transpire in the following years, they are a bit naive.

What has happened since

We have seen two types of businesses being built: one is an on-chain product (truly an application built on top of the protocol) and the second is an off-chain business built to serve the needs of people using the protocol.

On-Chain applications have opted to go the app coin route with each application capturing more of the value it creates and lending less of it to the underlying token.

For example –

Aragon, an application built on Ethereum, has its own app coin called ANT, which one needs in order to access it. One would expect the need for Aragon tokens to increase the need for Ethereum tokens, increasing their value.

Two things stop this from happening

  1. The need for Aragon tokens is minuscule compared to the network.
  2. Speculation on the price of Aragon tokens opposes the outflow of value from Aragon to Ethereum.

Off-chain applications (i.e. businesses) cater to speculators as they are by far the biggest audience. This decouples building applications from accruing value to the network.

For example – An Identity application built on top of Bitcoin or Ethereum that does not use its own app coin, adds value to the protocol. However, building a credit facility to service speculators who ultimately exit to fiat, does not accrue value to the protocol. For sure they create value, but most of it goes towards making the market more efficient and liquid rather than accruing to the base protocol.

The token feedback loop gets broken down into two

The two core assumptions of fat protocol thesis have been broken

  1. The token feedback loop did not complete. Price action has brought in speculators, and developers/entrepreneurs are building mainly for speculators and not others because there are very few of them.
  2. Applications have found ways to capture value by either creating app coins or providing services that make switching between them harder.

Expected Token feedback loop

Actual Token feedback loop

Reversed Causality

The fat protocol thesis is the first approximation of a venture capital model to blockchain entities. But it reverses causality.

From Albert Wenger’s Crypto tokens and the coming age of protocols

Now, however, we have a new way of providing incentives for the creation of protocols and for governing their evolution. I am talking about cryptographic tokens. You can think of these like the tokens you might buy at a fair to get on a ride: different operators can have their own rides and set their own price in terms of tokens. You only need to buy tokens once (in exchange for fiat currency) and then can use them throughout the fair. With blockchains we now have a way of issuing and redeeming these tokens digitally (the underlying blockchain can be Bitcoin or Ethereum or possibly its own as in the case of Steemit).

Albert Wenger, Crypto Tokens and the coming age of protocols

Both Albert and Joel make an assumption that the fairground has rides that are available for people to use.

What actually happened was, tickets were sold to an empty field with a promise of rides being built in the future.

This caused speculators to rush in, and people built tools to take advantage of this price action. The few rides that got built haven’t seen people using them because of the lower hanging fruit of speculation.

We can see causality being broken if we use the core assumptions of the fat protocol thesis to model tech startups (you can say that the thesis does not apply here, but it makes sense to compare what it says)

Applying fat protocols to tech startups, you could conclude that because venture capitalists speculate on tech startups, it attracts entrepreneurs and builders of such startups, causing the startup ecosystem to gain value.

Now we see the core issue with this thesis: builders and entrepreneurs accrue value to the ecosystem; their capital needs are not a driver of value. If these businesses had no outside capital sources, then that argument would have more footing.

What this framing also suggests is that speculative investment, not utility, is the main source of capital for blockchain tokens, because if there was utility people would pay for it. The fact that their payment has to be in kind (buying tokens) does not add value to the enterprise but just fetches a higher price for the tokens.

What it leaves out

  • The sheer number of base protocols that emerged, often with no appreciable difference, spread out the value capture.
  • The radical importance of Governance of these protocols. Similar teams building similar applications on similar protocols have huge disparities in value created/captured. Example a #defi application on ethereum vs similar applications built on other protocols.
  • Disproportionate ownership (read hoarding) of network and app tokens by teams building applications, causes further value silos.
  • The importance of forks, and the effect forking has on network value.

A thesis is a mental model – Like all theses, the fat protocol thesis was a way to look at the current state of affairs and model what might happen in the future. It provided folks who wanted a guide to making decisions, a model. Nothing more, nothing less.

Further Reading

No true decentralized scotsman

I wrote about the various components of blockchain networks, and the point of decentralization. I want to explore what decentralization means for each component.

Decentralization as a feature is multiplicative in nature. This creates a bottleneck where your network is only as decentralized as your least decentralized component.


Let’s take Bitcoin, for example: there is one code-base that accounts for more than 90% of nodes. This implies any bug in this codebase will affect a majority of miners. Whoever has control over this codebase can exert undue influence on the network.

Decentralizing the code component implies

  • multiple source code-bases in multiple languages.
  • multiple competing implementations that compete on features.
  • Upgrades do not affect the majority of nodes, so the network is more resilient
  • Difficult to keep track of which code-base has which features, and things like security become harder.


Blockchain networks are only truly decentralized at the miner (and full node) level. The more decentralized this component becomes, the better coordination between nodes needs to get.

Decentralization at this level needs hardware improvements for mass appeal. Technically you can run a node on a raspberry pi, and there are solutions like Casa but these appeal to people in the decentralized everything group.

Token Ownership

Token ownership is the most discussed component of decentralized networks. Decentralization here is often confused with distribution of ownership. This is because most blockchain network tokens are bearer instruments and voting is usually signaled by amounts of tokens pledged towards a decision.

Decentralizing ownership goes against a plutocracy emerging amongst holders of the token. This matters only in so far as ownership correlates with decision making power. So if there is a way to distribute decision making power separate from token holding, then decentralizing token ownership becomes easy.


A decentralized community is the most under-discussed component of a blockchain network. As people from various jurisdictions take part in blockchain networks, the pros and cons of each jurisdiction become apparent. The same applies to communities with different needs, any subset of the community should be able to get their needs met by the network.

This usually shows up as differences of opinion between sects of developers, or between developers and miners or between users and anyone else.

A first-order reaction to disjointed community needs is to fork the network. Forking and governance is a huge topic, and I will go into it deeper later.

No true decentralized scotsman

Arguing about the decentralized-ness of a network is rarely meaningful. Now that we see that each sub-component of a blockchain network can be decentralized to various degrees, it’s better to compare lines of control.

No true Scotsman, or appeal to purity, is an informal fallacy in which one attempts to protect a universal generalization from counterexamples by changing the definition in an ad hoc fashion to exclude the counterexample.


What people mean when they say X network is more decentralized than Y is that there is some component which is more decentralized (along the sub-components own axis) than the whole network.

And like other appeals to purity, the decentralized frontier is always moving towards a never reachable asymptote of Full decentralization at each sub-component.

Decentralization is for rule breaking.

One way of categorizing networks is by their “connectedness”. The easier it is to get from and to any node in the network, generally the more connected it is. This property is very good for analyzing a network’s structure. The more connected networks are, the better they are at handling sudden losses in connection to smaller parts within themselves.

Another way for networks to withstand such losses is Decentralization.

Decentralization at the network level implies the lack of central control over connections or information flow. The more decentralized a network is, the more resilient it is against loss of connectivity.

This is achieved by increasing the connections each node has in the network. In fully decentralized networks, information is broadcast freely so that any node on the network can listen to it.

The consequences of making networks more resilient via decentralization are that we add a lot more noise. If each node is listening to information from every other node, then there need to be clear rules about how to process duplicate information, how to order received information, and so on.

Network losses are not always passive connection issues. The same decentralization that makes networks resilient, also allows them to continue operating despite rule changes. That is, to a sufficiently decentralized network, there is no difference between a node dropping off because of a technical issue or a node not being allowed to communicate via a rule.

Enter Blockchain networks

Since Bitcoin’s launch, blockchain networks have been used to transact massive amounts of money (read value). They have also combined the resilience of decentralization with pseudo-anonymity to be one of the best ways to ignore rules about moving money around the world. So much so that blockchain networks appeal to their users, whichever user group they belong to, by pointing to decentralization as the main feature.

What this approach to marketing forgets are the trade-offs that such decentralization brings. They usually use decentralized as a buzzword to signify better technology or cheaper transaction costs. They might also be putting you in the “decentralized everything” product flow, when you might be looking for a fintech 2.0 or trading product.

Some questions that you should ask anyone pitching decentralization as a feature

  • What current rule or cost structure is the decentralization resilient towards? (usually, the answer is onerous financial regulation)
  • Sure your blockchain network is decentralized, does it need to be if all transactions are fully allowed under current rules?
  • Do you care that two nodes who have nothing to do with your transactions must relay that to you?
  • Should you relay every action, however insignificant to the entire network?
  • Are the throughput trade-offs worth it for this particular type of action?

So if you hear someone pitch decentralization as their product’s core use-case, ask them which rules you can break via decentralization.

A component model of blockchain networks

Now that I have a framework to look at blockchain niches, I want to logically model the various components of blockchain networks.

Every blockchain network can be broken down into the following components: entities, client software, mining network, and ledger.

information flow in blockchain networks

Entities do not transact directly, but via the network. Each blockchain network has a way to identify entities uniquely. This is usually a public-private key pair and by definition unique to the network. Using the same identifiers in different networks causes its own issues, but that is for a different post.

Client software, including wallets and supporting software, allows participating entities to send read/write requests to a mining network. Minimally, all this client software needs to do is to send a syntactically valid transaction to a mining network.

The Mining network is where transactions are added to the chain. Transactions can be added only by a miner, which is compensated for this work. I have modeled a simple miner here.

Finally, the Ledger is THE artifact that describes the blockchain. Like an application has a database, blockchain networks have ledgers. When people refer to network state, they mean an instance of this ledger, either a particular version or its contents at a certain time.

Interesting things to note

  • Information flows one way, from entities to miners via transactions that are put into a ledger. I am not aware of a blockchain design where data from the ledger is actively sent to client software in the protocol. (Experts will disagree here by noting that wallets look up UTXOs assigned to them; they are right in the specific case of miners, but I want to keep this model as general as possible.)
  • Full nodes verify transactions for themselves but are not paid fees.
  • There is no personal information attached to wallets at the protocol level, so an entity can represent one person, zero people (i.e., a program) or a bunch of people (company, meetup group, DAO).
  • Each entity can trivially create many identities (addresses) using freely available software.

Let’s subject this model to a few constraints

Setup Costs – Client software is easy to set up, a miner not so much. As the gap between them widens, there will be more intermediaries between the mining network and entities that would like to transact via the blockchain.

This also opens up the client software to do things other than just read/write to a particular chain. Most wallets have the ability to transact with more than one network, use public key infrastructure to send signed messages, act as identity credentials etc.

Trading – If blockchains are primarily used to trade, then it makes sense to create exchanges that

  • talk to multiple blockchain networks
  • solve the ‘double coincidence of wants’ problem between entities
  • optimize (read minimize) writing to the blockchain which involves paying mining fees
  • add client software as part of their user management systems to have a consistent tracking system
  • let fiat currencies easily enter the system

This can lead to exchanges holding a lot of network token, which gives them influence in network decisions. There are also very few regulations on reserve requirements and fiduciary duties for purely crypto exchanges.

Decentralization – For decentralization to be a goal, people should build things that

  • make it easy for everyone to write directly to the blockchain.
  • allow for greater competition between miners
  • make p2p trading as easy as interacting with a central exchange
  • encourage people to keep a copy of the ledger and verify each incoming transaction

Openness – Each of the components is powered by software defined by the protocol specification. To maximize openness and verifiability

  • make the protocol specification public
  • Open source the software that runs each component
  • let the ledger be publicly readable and cryptographically verified

Privacy – Most blockchain network specifications do not record things like IP addresses of the entities or their emails. They use a public-private key pair to address entities.

Transaction data is more difficult to keep private, because miners and full nodes have to verify transactions for authenticity. There are a few privacy-oriented networks like Zcash or Monero that use cryptographic proofs to verify transactions while preserving privacy.

Combining this component model with the blockchain framework, you can identify under-served niches and build for them.

A framework to understand blockchain niches

The blockchain space, when seen as a monolith, is very confusing. It has parts whose priorities are opposite to other parts. Each niche, while lightly conforming to the ideals of the superset, has wildly different views on what decentralization means, which compromises are ok, and sometimes whether there are even compromises at all.

To make sense of this, it is better to break apart these sub-niches, understand what they value, what they are trying to build towards, and how to judge what each of them is selling.

Let’s dig in

Product Niches

Decentralized Everything

  • The focus here is on users verifying every bit of the stack, a push towards more edge computing, protocols and applications not having an admin key, tech-heavy.
  • Things like running your own node, Public key infrastructure based ID, and open source are the defining norms
  • Currently the smallest target market, requires hard tech improvements.

Fintech 2.0

  • The focus here is on building blockchain-based versions of current financial products and services. Defi is a perfect example
  • There is an effort towards compliance and interacting with current regulators.
  • Value proposition is reduced compliance costs, ease of transacting, and easy creation of new financial products because of new finance rails.
  • Currently the largest target market.

Experimental Economics.

  • Productizing new economic devices like Token Curated Registries, Autonomous Organizations.
  • These experiments can only work on blockchain networks
  • It can lead to better fintech 2.0 products
  • offers economists and researchers the ability to test theories practically.

Blockchain Tech

  • Focuses on using tech that makes blockchains work to better service a business use-case.
    • For example blockchain data-structures used for entity tracking.
    • Identity solutions based on public key infrastructure.
  • Enterprise software vendors are the major players here.

People can build for more than one niche, but that confuses both the product and marketing message.

User Groups


  • Currently the largest subset of users.
  • Care very much about price movements and will eventually exit to non-blockchain things.


  • Consisting of developers who build applications, hardware, and services
  • Care about tooling, documentation, community, and ease of application development
  • May want to get paid in crypto and can benefit from experimental economic devices.
  • Liability, Incentives are under-discussed here.


  • Products in any niche produce tons of metadata.
  • Understanding patterns and delivering insights to people who pay for them is the main goal here.
  • Works very well with all three product niches with academics focusing on experimental economics, data providers focusing on fintech 2.0, and protocol researchers focusing on decentralized everything.


  • Currently the smallest group.
  • When most people talk about adoption they mean adoption by this user group.
  • Care about stable prices, known costs, and most importantly ease of use.

None of the above categorizations have hard boundaries, and people move from one niche to another quite easily. There are of course scams/scammers, whose pitch does not hold up once you ask the right questions, based on which niche they are impersonating.
