On 18 October, Monero integrated Bulletproofs as the core change in its latest release, Beryllium Bullet. Yesterday Zcash, the second-largest privacy coin by market cap, rolled out Sapling, a major network upgrade that brings significant performance and functionality improvements to shielded transactions.
The Zcash network launched with a parameter-generation procedure known as the Ceremony on October 28, 2016. Since then the Zcash team has been working on Sapling, a major milestone on the project’s roadmap. Yesterday, exactly two years later, Sapling activated successfully at block height 419200. According to the official announcement, constructing a shielded transaction with Sapling is 90% faster and requires 97% less memory. Along with the performance gains, Sapling brings a new, improved parameter-generation ceremony and the more efficient BLS12-381 pairing-friendly elliptic curve for its zk-SNARKs.
Shielding is optional in Zcash, and pre-Sapling the majority of transactions on the network were transparent despite the cryptocurrency’s sharp focus on privacy, largely because of the high computational cost of constructing a shielded transaction. With Sapling, constructing a shielded transaction takes only a few seconds and about 40 megabytes of RAM, which makes mobile wallets and light-client support practical.
Along with these changes, Sapling shielded addresses (z-addrs) are 78 characters long (a bech32 encoding of the 11-byte diversifier and 32-byte public key, with the “zs” prefix), as opposed to the 95-character Base58Check z-addrs of the original Sprout release. Sprout z-addrs remain functional but will eventually be retired in favor of the Sapling ones.
It is important to note that funds currently cannot be moved from legacy Sprout z-addrs to Sapling shielded addresses without revealing the amount on chain. The Zcash team says it is working on a tool that will automate the migration of funds and urges users to be patient and wait for its release rather than migrate by hand.
Decoupled Spend Authority
Every shielded spend requires a zero-knowledge proof. Before Sapling, the machine that constructed the proof also had to hold the spending key that authorizes the spend, because proving and authorization were a single step. Sapling separates the two: the proof is built against a per-spend re-randomization of the spend validating key, and a separate signature under the spend authorizing key authorizes the transaction, so the hardware that creates the proof can be independent of the hardware that authorizes the spend.
You can therefore sign shielded transactions while another computer, one not trusted with the spend authorizing key, constructs the proof. In particular, hardware wallets can support shielded addresses by letting the connected computer build the proof while the spend authorizing key never leaves the device. One caveat a practitioner should keep in mind: the proving machine still needs the note contents and the proof authorizing material to build the proof, so it learns what is being spent; what it never learns is the key that can authorize a spend.
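The following is an added example, written for this page and not Zcash's own code, showing why the split described above works. Sapling signs spends with a re-randomizable signature scheme (RedJubjub on the Jubjub curve); this example substitutes a toy Schnorr signature over a small safe-prime subgroup (assumed parameters p = 10007, q = 5003, generator 4, far too small for real use) and represents the zk-SNARK as a plain dictionary, since the point is the key handling, not the proof. The `Prover` holds only the public spend validating key `ak` and picks a per-spend randomizer `alpha`; the `Signer` (standing in for a hardware wallet) holds the spend authorizing key `ask` and receives only `alpha` and the transaction hash. The names `Prover`, `Signer`, `spend_flow` and `h_scalar` are illustrative.

```python
"""Toy model of decoupled spend authority via key re-randomization (added example).

Not Zcash code. Toy Schnorr over a small safe-prime subgroup stands in for
RedJubjub; the zk-SNARK is represented by a dict. Parameters are assumptions.
"""
import hashlib
import secrets

P = 10007   # toy prime, p = 2q + 1 (assumed; not secure at this size)
Q = 5003    # order of the subgroup generated by G
G = 4       # a quadratic residue, so it generates the order-q subgroup


def h_scalar(*parts: bytes) -> int:
    """Hash byte strings to a scalar in Z_q (toy Fiat-Shamir challenge)."""
    return int.from_bytes(hashlib.sha256(b"|".join(parts)).digest(), "big") % Q


def to_bytes(x: int) -> bytes:
    return x.to_bytes(4, "big")


def keygen() -> tuple:
    ask = secrets.randbelow(Q - 1) + 1   # spend authorizing key (secret, stays on the signer)
    ak = pow(G, ask, P)                   # spend validating key (public, given to the prover)
    return ask, ak


def sign(sk: int, msg: bytes) -> tuple:
    """Schnorr signature (R, s) under secret scalar sk; the challenge binds R, pk and msg."""
    k = secrets.randbelow(Q - 1) + 1
    R = pow(G, k, P)
    e = h_scalar(to_bytes(R), to_bytes(pow(G, sk, P)), msg)
    return R, (k + e * sk) % Q


def verify(pk: int, msg: bytes, sig: tuple) -> bool:
    R, s = sig
    e = h_scalar(to_bytes(R), to_bytes(pk), msg)
    return pow(G, s, P) == (R * pow(pk, e, P)) % P


class Prover:
    """Untrusted machine: knows ak and the transaction, never ask."""

    def __init__(self, ak: int):
        self.ak = ak

    def build_spend(self, tx_body: bytes) -> tuple:
        alpha = secrets.randbelow(Q - 1) + 1          # fresh randomizer per spend
        rk = (self.ak * pow(G, alpha, P)) % P         # rk = g^(ask + alpha), unlinkable to ak
        # A real prover would now produce the zk-SNARK showing rk is a
        # re-randomization of the ak bound to the spent note; modelled as a dict.
        sighash = hashlib.sha256(tx_body + to_bytes(rk)).digest()
        return {"rk": rk, "sighash": sighash}, alpha


class Signer:
    """Trusted device (e.g. hardware wallet): holds ask, receives only alpha and sighash."""

    def __init__(self, ask: int):
        self._ask = ask

    def authorize(self, sighash: bytes, alpha: int) -> tuple:
        rsk = (self._ask + alpha) % Q                  # re-randomized signing key
        return sign(rsk, sighash)                      # verifies under rk = g^rsk


def spend_flow(tx_body: bytes) -> bool:
    """End-to-end: prover builds the spend, signer authorizes it, anyone verifies under rk."""
    ask, ak = keygen()
    prover, signer = Prover(ak), Signer(ask)
    spend, alpha = prover.build_spend(tx_body)
    sig = signer.authorize(spend["sighash"], alpha)
    return verify(spend["rk"], spend["sighash"], sig)


if __name__ == "__main__":
    print("spend authorized and verified:", spend_flow(b"constructed tx body"))
```

Two things worth checking against the code: the randomizer `alpha` must actually reach the signer, because a signature under the un-randomized `ask` does not verify against `rk`; and because `rk` is fresh per spend, two spends from the same key expose no common public key on chain.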
Improved View Key
A view key lets its holder see all incoming transactions (amount and memo field) for the corresponding shielded address without being able to spend from it. Sapling extends this: a Sapling full viewing key also reveals the address’s outgoing transactions. You can therefore hand a view key to a trusted third party for compliance, auditing and similar purposes. Two cautions apply. Disclosure is permanent: whoever holds the view key can read the address’s entire past and future history, and it cannot be revoked short of abandoning the address. And the channel matters: share the key only over a channel with strong end-to-end encryption (not ordinary e-mail or an unencrypted messenger), since anyone who intercepts it gains the same visibility.
Pre-Sapling, each z-address had its own key material, so receiving meant checking incoming notes against every address a wallet owned. Sapling z-addresses are diversified: a single incoming viewing key backs, according to Zcash, trillions of distinct and unlinkable addresses, and the receiver detects a payment to any of them with the same fixed work. This primarily benefits exchanges, which can now hand every client a separate, unlinkable z-address at no extra cost on the receiving end.
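The following added example, written for this page and not Zcash's own code, shows where the “no additional cost” comes from. In Sapling, every address is a pair (d, pk_d) with pk_d = [ivk]·g_d, where g_d is a hash of the 11-byte diversifier d and ivk is the receiver’s single incoming viewing key; a sender does a Diffie-Hellman exchange against (g_d, pk_d), and the receiver recovers the shared secret from the sender’s ephemeral key with one scalar multiplication by ivk, whatever address was paid. The example uses the same toy safe-prime subgroup as above (assumed parameters, not Jubjub), a squaring-based hash-to-group in place of Sapling’s DiversifyHash, and a hash-based stream cipher with a tag in place of the real note encryption. It contrasts the diversified receiver with a receiver that holds an independent key per address and therefore must trial-decrypt once per address; that contrast is the example’s assumption about the pre-Sapling model, not a claim about Sprout internals. The class and function names (`DiversifiedReceiver`, `PerAddressReceiver`, `send_note`, `compare_scan_cost`, `hash_to_group`) are illustrative.

```python
"""Toy model of diversified addresses sharing one incoming viewing key (added example).

Not Zcash code. Toy safe-prime subgroup (assumed), squaring hash-to-group in
place of DiversifyHash, hash-based stream cipher in place of note encryption.
"""
import hashlib
import secrets

P, Q, G = 10007, 5003, 4     # p = 2q + 1; G generates the order-q subgroup (toy size)


def hash_to_group(label: bytes, data: bytes) -> int:
    """Hash into Z_p*, then square to land in the order-q subgroup (discrete log unknown)."""
    ctr = 0
    while True:
        x = int.from_bytes(hashlib.sha256(label + data + bytes([ctr])).digest(), "big") % P
        y = (x * x) % P
        if y > 1:                      # skip the identity and zero
            return y
        ctr += 1


def keystream(key: bytes, n: int) -> bytes:
    out, i = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        i += 1
    return out[:n]


def kdf(shared: int, epk: int) -> bytes:
    """Derive the note key from the DH shared secret and the ephemeral public key."""
    return hashlib.sha256(b"note-kdf" + shared.to_bytes(2, "big") + epk.to_bytes(2, "big")).digest()


def seal(key: bytes, plaintext: bytes) -> dict:
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(key, len(plaintext))))
    return {"ct": ct, "tag": hashlib.sha256(key + ct).digest()[:16]}


def unseal(key: bytes, ct: bytes, tag: bytes):
    """Returns the plaintext, or None when the key is wrong (tag mismatch)."""
    if hashlib.sha256(key + ct).digest()[:16] != tag:
        return None
    return bytes(a ^ b for a, b in zip(ct, keystream(key, len(ct))))


def send_note(address: tuple, plaintext: bytes) -> dict:
    """Sender: ephemeral DH against the address's (g_d, pk_d); epk travels with the note."""
    d, pk_d = address
    esk = secrets.randbelow(Q - 1) + 1
    epk = pow(hash_to_group(b"div", d), esk, P)          # [esk] g_d
    return {"epk": epk, **seal(kdf(pow(pk_d, esk, P), epk), plaintext)}


class DiversifiedReceiver:
    """Sapling-style: one ivk, any number of addresses, constant scan cost."""

    def __init__(self):
        self.ivk = secrets.randbelow(Q - 1) + 1   # real Sapling derives ivk from (ak, nk)

    def new_address(self) -> tuple:
        d = secrets.token_bytes(11)               # 11-byte diversifier, as in Sapling
        return d, pow(hash_to_group(b"div", d), self.ivk, P)   # pk_d = [ivk] g_d

    def scan(self, note: dict) -> tuple:
        """One exponentiation: [ivk] epk == [esk] pk_d regardless of which address was paid."""
        key = kdf(pow(note["epk"], self.ivk, P), note["epk"])
        return unseal(key, note["ct"], note["tag"]), 1


class PerAddressReceiver:
    """Contrast model: an independent secret per address, so scanning tries each one."""

    def __init__(self):
        self.keys = []                            # (d, sk) per address

    def new_address(self) -> tuple:
        d, sk = secrets.token_bytes(11), secrets.randbelow(Q - 1) + 1
        self.keys.append((d, sk))
        return d, pow(hash_to_group(b"div", d), sk, P)

    def scan(self, note: dict) -> tuple:
        tries = 0
        for _, sk in self.keys:
            tries += 1
            pt = unseal(kdf(pow(note["epk"], sk, P), note["epk"]), note["ct"], note["tag"])
            if pt is not None:
                return pt, tries
        return None, tries


def compare_scan_cost(n_addresses: int, memo: bytes) -> tuple:
    """Hand out n addresses from each receiver, pay the last one, return the work each spends."""
    div, per = DiversifiedReceiver(), PerAddressReceiver()
    for _ in range(n_addresses):
        a_div, a_per = div.new_address(), per.new_address()
    pt_div, cost_div = div.scan(send_note(a_div, memo))
    pt_per, cost_per = per.scan(send_note(a_per, memo))
    assert pt_div == memo and pt_per == memo
    return cost_div, cost_per


if __name__ == "__main__":
    print("exponentiations to detect a note (diversified, per-address):",
          compare_scan_cost(1000, b"constructed memo"))
```

The diversified receiver spends one exponentiation per incoming note however many addresses it has issued, while the per-address model spends up to one per address; that is the property that lets an exchange give every client their own address. The toy group is small enough that its discrete logs are trivially computable, so this code demonstrates the structure, not the unlinkability, of diversified addresses.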