Before Sapling: Sprout
Zcash launched in 2016 with its first shielded protocol, Sprout. While groundbreaking, Sprout had a critical practical limitation: generating a shielded transaction required several gigabytes of RAM and took over a minute on consumer hardware. Mobile use was essentially impossible, and even desktop use was cumbersome.
The Sapling upgrade (activated October 2018) solved this with a complete re-engineering of the zero-knowledge proof system.
What Sapling Changed
| Metric | Sprout | Sapling |
|---|---|---|
| Proof generation RAM | ~3 GB | ~40 MB |
| Proof generation time | ~40 seconds | ~2–7 seconds |
| Mobile-compatible | ❌ | ✅ |
| Trusted setup required | ✅ (Powers of Tau) | ✅ (Sapling ceremony) |
| Proving system | Groth16 (BCTV) | Groth16 (optimized) |
| Address type | zs… (Sprout) | zs… → Sapling address |
How Sapling Proofs Work
Sapling uses a proving system called Groth16 over the BLS12-381 elliptic curve. The key innovation was a more efficient arithmetic circuit for the transaction proof — reducing the number of constraints from millions (Sprout) to a far smaller set, dramatically cutting the computation required.
The proof structure for a Sapling transaction includes:
- Spend proofs: One per input note, proving you own a valid note and authorizing its spend
- Output proofs: One per output note, committing to the recipient's encrypted note
- Binding signature: Ties all inputs and outputs together, preventing fee manipulation
The Trusted Setup: What It Means
Sapling required a "trusted setup ceremony" — a multi-party computation where multiple participants generated cryptographic parameters. If all participants in the ceremony colluded and kept their secret "toxic waste," they could theoretically create counterfeit ZEC within the shielded pool. However, the ceremony's design requires every single participant to be compromised simultaneously for this attack to work, and the Sapling ceremony had hundreds of participants.
This was nevertheless a legitimate concern that motivated the development of Orchard, which removed the trusted setup requirement entirely.
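The "every participant must be compromised" property described above, as an added toy example (not the Sapling ceremony's actual protocol or code): each participant folds a secret into shared "powers of tau" parameters, and only the product of all the secrets matches the hidden trapdoor. The group constants `P`, `Q`, `G`, the function names and the sample secrets are constructed assumptions.

```python
from functools import reduce

# Toy prime-order group, constructed for illustration: P = 2*Q + 1 and G = 4
# generates the order-Q subgroup of Z_P^*. Real Sapling parameters use BLS12-381,
# and this group is far too small to be secure.
P, Q, G = 2039, 1019, 4

def contribute(params, secret):
    """One participant folds secret s into the parameters:
    element k goes from G^(tau^k) to G^((tau*s)^k)."""
    return [pow(elem, pow(secret, k, Q), P) for k, elem in enumerate(params)]

def run_ceremony(participant_secrets, degree=4):
    """Chain every contribution, starting from tau = 1 (all elements equal G)."""
    params = [G] * (degree + 1)
    for s in participant_secrets:
        params = contribute(params, s)  # an honest participant now destroys s
    return params

def pooled_trapdoor(kept_secrets):
    """What colluders can compute: the product of the secrets they kept."""
    return reduce(lambda a, b: a * b % Q, kept_secrets, 1)

def is_trapdoor(params, candidate):
    """True only if candidate is the hidden tau behind the published parameters."""
    return all(pow(G, pow(candidate, k, Q), P) == elem
               for k, elem in enumerate(params))

if __name__ == "__main__":
    secrets_used = [123, 456, 789, 321]  # constructed sample secrets
    params = run_ceremony(secrets_used)
    print("all four collude:", is_trapdoor(params, pooled_trapdoor(secrets_used)))
    for honest in range(len(secrets_used)):
        kept = secrets_used[:honest] + secrets_used[honest + 1:]
        print(f"participant {honest} destroyed their secret:",
              is_trapdoor(params, pooled_trapdoor(kept)))
```

With any one secret missing, the pooled value no longer matches the published parameters, which is why a single honest participant is enough to keep the trapdoor unknown.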
Sapling vs Orchard: Current Status
| Feature | Sapling | Orchard (NU5) |
|---|---|---|
| Activated | October 2018 | May 2022 |
| Trusted setup | Yes (Sapling MPC) | No (Halo 2) |
| Proving system | Groth16 | Halo 2 / PLONKish |
| Recursive proofs | No | Yes |
| Address format | zs… addresses | Part of Unified Address |
| Still supported | Yes | Yes (default in new wallets) |
Should You Still Use Sapling?
Both Sapling and Orchard are active and provide strong privacy. Modern wallets (Zashi, YWallet, Nighthawk) default to Orchard via Unified Addresses, which is the recommended choice for new transactions. Sapling remains fully functional for existing balances and wallets that haven't upgraded.
If you have ZEC in a Sapling address, you don't need to do anything urgent — but migrating to a Unified Address for new receiving is a good practice to take advantage of Orchard's trustless proof system.