Computational cost for proof generation


I have been reading the zerocash paper and have a question more on the technical side: so the joinsplit/pour operation
can take arbitrary number of input/outputs. I am wondering how does the time required to generate the zk-SNARKs grow with the number of inputs/outputs?

In the original paper, the benchmark was 2 minutes for 2 inputs and 2 outputs. So what about transactions
with few hundred outputs? If it scales linearly, then it takes few hundred minutes to generate these proof, which is prohibitive. Any thoughts/clarifications would be helpful!


I don't have a specific answer (number), but I know flypool (very large ZEC pool) will not process miner payouts to z-addresses due to the performance issue. The pool owner stated that it was taking 15-20 minutes to send a z-addr join-split transaction. He didn't mention a number of inputs/outputs, but I did take a quick look at the transaction on the blockchain, and it was upward of 200 outputs. Of course, I have no idea what hardware he was using, and clearly it could be a higher performance (server class) system compared to that used in the whitepaper benchmark.

It's an issue that I'm surprised Zcash Co hasn't put a higher priority on. In my opinion, it's a very visible failing, given that flypool cannot, for practical reasons, use what is a fundamental feature of Zcash. If you cannot do z-addr join-split transactions with a reasonable number of inputs/outputs, then the Zcash network is not fully functional. I think that is, in part, the reason the price keeps slipping. Every point release that comes out, people are expecting this deficiency to be resolved, and nothing happens, nothing improves. So, this fundamental functionality remains broken, with no clear indication that Zcash Co. is in any hurry to make it right. Go figure.

If they would get it working/performing well, the pools would be a huge user of z-addr join-split transactions, which would help establish the credibility of zk-SNARK technology. As it is, shielded transactions, so far, have been a minor part of the overall network transaction volume. I think that is due to the user base not being fully confident that it works as advertised. Just my take on it.

Edit: I should add that a large percentage of miners would much rather have their payouts go to a z-addr.


Here's a link to the latest flypool experience with z-addr join-split (it's worse than I recalled):


I think the Sprout release of Zcash does not support arbitrary number of inputs/outputs. The maximum number of input notes is 2, so does the output notes. And you can get a benchmark result by running the following command script: ./zcash-cli zcbenchmark createjoinsplit 2.