Sapling: the Next Major Zcash Upgrade

4 Likes

Will the existing proving key remain useful with the changes in Sapling?

somebody just posted this on r/cryptocurrency… if you’re on reddit, plz upvote, for great justice

1 Like

you forgot to link it

2 Likes

Upvoted on reddit. Posted mandatory “to the moon” comment as well

3 Likes

Yes, the new zk-SNARK scheme, the new curve, and changes in the NP statement being proven, all require a new proving key.

Fortunately, we now have better multiparty computation schemes for generating the proving key, that will make the ceremony easier to run with more participants (while still only requiring that at least one participant is honest and uncompromised). Also, the new proving key will be smaller. These will be discussed in a future blog post.

1 Like

The fact that you need a new proving key will affect wallets such as Zcash4win? @tromer

So there will be a second ceremony ?

Yes, there will be another multiparty computation. Using the randomness accumulator approach (see Large zk-SNARK MPCs · Issue #2247 · zcash/zcash · GitHub), we hope to have more participants than in the first ceremony. How “ceremonial” it will be is up to participating nodes, and I hope that many of them will go through the trouble of strong operational-security measures, and thus bolster the confidence in the final result.

Full-node wallets will require an upgrade to understand the new form of shielded transactions. Lightweight wallets that only deal with transparent transactions, and rely on servers to parse the blockchain (e.g., all mobile wallets today), may be unaffected; but their servers will need to be upgraded.

2 Likes
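To make the "only one participant needs to be honest" property of a chained (randomness-accumulator style) ceremony concrete, here is an added toy model. It is not Zcash's code and not the protocol from issue #2247: it uses a tiny prime-order group mod p = 1019 (chosen so the arithmetic is readable; discrete logs here are trivially brute-forceable) and a Schnorr-style proof of knowledge as a stand-in for the real ceremony's proofs. Each participant raises the current accumulator to a fresh secret exponent, publishes the result plus a proof that they know the exponent, and destroys the exponent. The final value is g raised to the product of all exponents, so as long as one exponent was random and destroyed, nobody holds the combined secret, while the published transcript lets anyone audit that no link was replaced.

```python
"""Toy chained-contribution parameter ceremony (added illustration, not Zcash's code)."""
import hashlib
import secrets
from dataclasses import dataclass

# Toy prime-order group: p = 2q + 1 with q prime; g = 4 is a square mod p, so it
# generates the order-q subgroup. Real ceremonies use pairing-friendly curves.
P, Q, G = 1019, 509, 4


@dataclass(frozen=True)
class Contribution:
    before: int   # accumulator value the participant received
    after: int    # accumulator value the participant published (before ** s)
    t: int        # Schnorr commitment before ** r
    z: int        # Schnorr response r + c*s mod q


def _challenge(before: int, after: int, t: int) -> int:
    """Fiat-Shamir challenge binding the proof to this exact link of the chain."""
    data = f"{before}|{after}|{t}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def contribute(before: int) -> tuple[Contribution, int]:
    """One participant's step: pick a secret exponent s, publish before**s and a
    proof of knowledge of s. The secret is returned only so the demo can show
    what a real participant must destroy immediately."""
    s = secrets.randbelow(Q - 1) + 1            # uniform in [1, q-1]
    after = pow(before, s, P)
    r = secrets.randbelow(Q - 1) + 1
    t = pow(before, r, P)
    c = _challenge(before, after, t)
    z = (r + c * s) % Q
    return Contribution(before, after, t, z), s


def verify_contribution(c: Contribution) -> bool:
    """Check that `after` is `before` raised to an exponent the contributor knows,
    so a participant cannot substitute an arbitrary value of their choosing."""
    if not (1 < c.before < P and 1 < c.after < P):
        return False
    if pow(c.after, Q, P) != 1:                 # must stay inside the order-q subgroup
        return False
    ch = _challenge(c.before, c.after, c.t)
    return pow(c.before, c.z, P) == (c.t * pow(c.after, ch, P)) % P


def verify_transcript(transcript: list[Contribution]) -> bool:
    """Public audit: the chain starts at g, every link connects, every proof holds."""
    if not transcript or transcript[0].before != G:
        return False
    for prev, cur in zip(transcript, transcript[1:]):
        if cur.before != prev.after:
            return False
    return all(verify_contribution(c) for c in transcript)


def run_ceremony(n_participants: int) -> tuple[list[Contribution], list[int]]:
    """Simulate n sequential participants. The returned secrets exist only to let
    the test confirm the algebra; in a real ceremony each is destroyed on the spot."""
    transcript, exponents = [], []
    acc = G
    for _ in range(n_participants):
        c, s = contribute(acc)
        transcript.append(c)
        exponents.append(s)
        acc = c.after
    return transcript, exponents


def final_value(transcript: list[Contribution]) -> int:
    return transcript[-1].after


def combined_exponent(exponents: list[int]) -> int:
    """The 'toxic waste': the product of every participant's secret mod q.
    Missing even one factor leaves the rest of the product uniformly unknown."""
    out = 1
    for s in exponents:
        out = out * s % Q
    return out


if __name__ == "__main__":
    transcript, exponents = run_ceremony(5)
    print("transcript valid:", verify_transcript(transcript))
    print("final accumulator:", final_value(transcript))
    print("equals g^(product of secrets):",
          final_value(transcript) == pow(G, combined_exponent(exponents), P))
```

The audit step matters as much as the secrecy: without a proof of knowledge on each link, the last participant could publish any group element and silently pick the combined secret. Swap the toy group parameters for a real one and the structure of `verify_transcript` is what an independent verifier of such a ceremony would run over the published contributions.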

Will the existing proving key still be needed to make sense of the existing portion of the blockchain?

@Voluntary: the proving key is never needed to parse and verify past transactions, not even today. To verify past transactions you need just the verification key, which is created along with the proving key, but is much smaller (currently 1.5kB).

To use unspent notes (shielded output from past transactions), you do need a proving key. Several options are under discussion for how to do this in the transition to Sapling (see Decide how spends from old notes or addresses will work after the Sapling circuit upgrade · Issue #2248 · zcash/zcash · GitHub), and most of them do not require the old proving key.