How zk-SNARKs Work: Zcash's Privacy Magic Explained

What is a Zero-Knowledge Proof?

A zero-knowledge proof (ZKP) is a cryptographic protocol that allows one party (the "prover") to convince another party (the "verifier") that a statement is true — without revealing anything about why it's true beyond the fact that it is.

The classic illustration: imagine you want to prove to a colourblind friend that two balls are different colours, without revealing which is which. You hand them both balls, they pick one randomly, hide it behind their back, and show you both again in a random order. You correctly identify which one moved. If you couldn't actually distinguish the colours, you'd only guess correctly 50% of the time. After 30 rounds of this with a perfect record, your friend is statistically convinced you can tell the difference — but you've revealed nothing about the actual colours.

This intuition — proving knowledge without revealing the knowledge — is the foundation of zk-SNARKs.

Unpacking the Acronym

zk-SNARK stands for Zero-Knowledge Succinct Non-Interactive Argument of Knowledge.

• Zero-Knowledge: The proof reveals nothing about the underlying data
• Succinct: The proof is tiny — a few hundred bytes regardless of how complex the computation being proved
• Non-Interactive: The prover sends one message to the verifier; no back-and-forth dialogue needed (unlike the coloured balls example above)
• Argument of Knowledge: The proof doesn't just show a statement is true — it proves the prover actually knows the witness (the private data) that makes it true

The "succinct" property is what makes zk-SNARKs practical for blockchains. A blockchain node verifying thousands of transactions needs proofs that are fast to check. A Zcash zk-SNARK proof is about 200 bytes and verifies in milliseconds, regardless of the complexity of the transaction being proven.

What Zcash Proves With zk-SNARKs

For every shielded transaction, Zcash's zk-SNARK proof mathematically demonstrates the following — without revealing any of the underlying values:

1. The sender owns the notes being spent. The proof shows knowledge of the spending key associated with the note commitment, without revealing the key or which note is being spent.
2. The input amount equals the output amount plus fees. No ZEC is created from nothing. The proof shows the arithmetic balances without revealing any individual amounts.
3. The notes being spent exist in the blockchain's commitment tree. The proof shows the input notes are valid commitments recorded on-chain, without revealing which specific note is being spent.
4. The nullifiers are correctly derived. Each nullifier uniquely identifies a spent note without revealing which note it corresponds to, preventing double-spends.

The result: a blockchain verifier can confirm a transaction is valid — nobody's counterfeiting ZEC, nobody's spending funds they don't own, nobody's double-spending — without learning a single piece of private data about the transaction.

The Circuit: Turning Logic Into Math

To create a zk-SNARK, you first need to express the computation you want to prove as an arithmetic circuit — a mathematical structure of addition and multiplication gates that encodes all the constraints of a valid transaction.

Zcash's transaction circuit encodes: note ownership checks, value balance equations, Merkle path verification, nullifier derivation, and more — all as polynomial equations. The zk-SNARK proving system then generates a proof that these equations are simultaneously satisfied, with the private inputs (amounts, addresses, spending keys) kept hidden.

This is the hard part of building a privacy coin — not the concept, but the engineering. Zcash's circuits are the result of years of cryptographic research and are among the most battle-tested zk-SNARK circuits deployed in production.

Groth16 vs Halo 2: The Two Zcash Proving Systems

Zcash has used two different zk-SNARK proving systems over its history:

Groth16 (used by the Sapling pool) is a highly optimised proving system that produces very small proofs and verifies extremely fast. Its limitation: it requires a trusted setup — a one-time ceremony where cryptographic parameters are generated. If the participants of this ceremony colluded and preserved their secret randomness ("toxic waste"), they could theoretically forge proofs and create counterfeit ZEC. Zcash conducted this ceremony (Powers of Tau) with hundreds of participants to make collusion implausible, but the theoretical risk remains.

Halo 2 (used by the Orchard pool) is a newer proving system developed by the Electric Coin Company that eliminates the trusted setup requirement entirely. Halo 2 achieves this through a technique called recursive proof composition — proofs that verify other proofs — which allows the system to be bootstrapped without any secret parameters. Security rests purely on well-studied mathematical hardness assumptions, not trust in any ceremony participants.

Halo 2's elimination of the trusted setup is considered a major advancement in applied cryptography. It removes the last theoretical weakness in Zcash's privacy model.

Why zk-SNARKs Are Stronger Than Ring Signatures

Monero uses ring signatures for privacy — a different cryptographic approach that groups multiple inputs together so observers can't tell which was actually spent. Ring signatures obscure transactions rather than making them genuinely unknowable.

The difference: ring signature privacy degrades under statistical analysis. Research has shown that timing patterns, transaction graph heuristics, and amount analysis can de-anonymise a significant percentage of Monero transactions under certain conditions. zk-SNARKs provide information-theoretic privacy — there is simply no information on-chain to analyse. The proof says "this is valid" but reveals nothing else.