Can a shielded Zcash transaction be linked back to the previous t-transactions?

Alice has Zcash that was sent to her by her chosen exchange

Alice sends Zcash to Bob via shielded transaction

Bob sends Betty Zcash also via a shielded transaction

Betty wants to cash out and sends the money to an different (or same) exchange via a t-transaction

Can Betty’s exchange figure out that Alice or the first exchange ever held these coins?

So you want to sell drugs and is wondering if anyone can find out?

Start here: https://z.cash/support/security/privacy-security-recommendations.html and there are also some decent blog posts i.e. here https://z.cash/blog/shielded-ecosystem.html and https://z.cash/blog/anatomy-of-zcash.html

Simply put the shielded transaction information wouldn’t be visible on the blockchain but depending on the timing or exact amounts used it may be possible to find some linkages i.e. if the exact same amount (minus the standard transaction fee) was used for both t-transactions that occurred within a short space of time.

1 Like

This page appears to answer my question:

https://z.cash/blog/anatomy-of-zcash.html

Unshielding a transaction by sending from z-addr to t-addr does not reveal any previous history.

I guess this is why the trusted setup forgery problem exists. If you were able to trace back to mining then forgeries would not be possible.

1 Like

They are actually unrelated. Unlinkability is ensured by the very nature of zero-knowledge proofs - the linking data simply isn’t there (modulo any end-to-end linkability due to matching amounts etc.). The trusted setup forgery problem is a side-effect of using an efficient ZKP - there exist ZKP systems that don’t have trusted setups, but their proofs are either too large or too slow to use in a cryptocurrency (probably both).

2 Likes