ZeroCash is to bitcoin what Tor is to network traffic: it mixes everybody's transactions together so that no individual user can be singled out. Bitcoin's dirty little secret is that it has very little privacy; anybody who reads the chain can figure out what addresses are doing. By following the flow of money, an adversary can spy on a person's monetary activities.
Increasingly worrying is the lack of forward secrecy on the blockchain. There is nothing to stop a heavy-handed agency from subpoenaing everybody who ever sent someone bitcoin, so a person can be found guilty by association.
Even outside a court of law, public bitcoin transactions can make someone guilty or vulnerable in the eyes of another party. Hacktivists and ordinary criminals can see who holds a bitcoin nest egg and may be motivated to attack that person's computer to get at the keys for the coins.
The traditional answer is a centralized tumbler, a third party that accepts coins from many users and pays out different coins. Such a tumbler might act in bad faith. It might behave honestly for 99 days and on the 100th day run off with thousands of dollars in bitcoin. It might be working with an attacker to profile transactions. It might take your hundred bitcoins and hand them all to somebody who uses them to break the law in a way that traces back to you. It might do all of these at the same time.
ZeroCash is the protocol underlying the newer tumbling pool called ZCash, which aims to provide a trustless solution to tumbling.
The basic idea behind ZeroCash is to create a pool of funds that anybody can use to mix their holdings. After adding one's bitcoins to the pool, one can take out an equal amount of other bitcoins, breaking the paper trail. The naive version has a problem: to check that a withdrawal is legitimate, the pool would have to identify which deposit it corresponds to, and that link alone is enough to identify the withdrawing user, defeating the purpose. ZeroCash therefore uses zero-knowledge proofs to check and update balances without exposing which user's balance is being changed.
ZeroCash's construction uses some tools that we have not seen before: it relies on non-interactive zero-knowledge proofs (zk-SNARKs). These are slower than the other cryptography we have seen, and they are quite complex. They enable a verifier to check certain properties of a piece of encrypted data without seeing the decrypted data. The crazy thing is that in ZeroCash, this zero-knowledge proof will provide evidence that someone has been owed enough
ZeroCash has two operations, Mix and Pour. Both update the pool's cryptographic state to produce a new current state. When someone adds new coins to the pool, they perform a Mix. When someone removes coins from the pool, they perform a Pour.
Since the zk-SNARK is relatively expensive to use, most of ZeroCash's design is aimed at minimizing reliance on it. Mix and Pour both create state that must be validated, but only Pour transactions really require a full validation, because Pours are the only operations that require the pool to act. These proofs take a few microseconds, so they are not incredibly slow, but they would definitely pose a problem if scaled up to a proof on every bitcoin transaction.
One of the secrets to scaling ZeroCash is that the zk-SNARK is not forced to process a structure that tracks every account in the pool. Instead, ZeroCash maintains a Merkle tree of the coins that have been added. The depth of the tree is logarithmic in the number of transactions, so a proof only has to cover a path of logarithmic length rather than the whole pool, which makes the slower zk-SNARK operations much more computationally tractable.
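The following is an added example, not code from the page or from the ZeroCash/ZCash projects. It models the pool's coin commitments as leaves of a padded binary Merkle tree and shows that the statement a Pour must prove (this commitment is in the tree with this root) only needs a path of about log2(n) sibling hashes, regardless of how many coins the pool holds. The commitment scheme, the secrets and the coin values are constructed simplifications; a real Pour proves the path inside the zk-SNARK so that the leaf index and siblings stay hidden.

```python
import hashlib
import math

def H(*parts: bytes) -> bytes:
    """SHA-256 over the concatenation of its arguments (stand-in for ZeroCash's hash)."""
    return hashlib.sha256(b"".join(parts)).digest()

def commit(value_satoshi: int, secret: bytes) -> bytes:
    """Coin commitment: a hash hiding the coin's value and owner secret (simplified model)."""
    return H(value_satoshi.to_bytes(8, "big"), secret)

def build_tree(leaves: list[bytes]) -> list[list[bytes]]:
    """Return all levels of a padded binary Merkle tree; levels[0] are the leaves."""
    size = 1
    while size < len(leaves):
        size *= 2
    level = list(leaves) + [b"\x00" * 32] * (size - len(leaves))
    levels = [level]
    while len(level) > 1:
        level = [H(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels

def auth_path(levels: list[list[bytes]], index: int) -> list[tuple[bytes, bool]]:
    """Sibling hashes from leaf to root, each tagged with whether our node is the right child."""
    path = []
    for level in levels[:-1]:
        path.append((level[index ^ 1], bool(index & 1)))
        index //= 2
    return path

def verify_path(root: bytes, leaf: bytes, path: list[tuple[bytes, bool]]) -> bool:
    """Recompute the root from a leaf and its path: the membership claim a Pour proof asserts."""
    node = leaf
    for sibling, node_is_right in path:
        node = H(sibling, node) if node_is_right else H(node, sibling)
    return node == root

def demo(num_coins: int = 1000, spend_index: int = 417):
    """Mix num_coins constructed coins into the pool, then check a Pour of one of them.
    Returns (real leaf verifies, forged leaf verifies, path length, ceil(log2(num_coins)))."""
    coins = [commit(100_000 + i, H(b"constructed-secret", i.to_bytes(4, "big")))
             for i in range(num_coins)]
    levels = build_tree(coins)
    root = levels[-1][0]                   # the only value the verifier needs to know
    path = auth_path(levels, spend_index)  # private witness; hidden inside the zk-SNARK
    forged = commit(100_000 + spend_index, b"wrong secret")
    return (verify_path(root, coins[spend_index], path),
            verify_path(root, forged, path),
            len(path), math.ceil(math.log2(num_coins)))
```

With 1000 coins the path has 10 hashes, and doubling the pool adds only one more; a forged commitment with the wrong secret fails against the same root.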
ZeroCash is just fast enough to do what it promises but too slow to do much more. The algorithm underlying the system is powerful and complex: it uses cryptographically verified manipulation of a ledger that nobody can read in its entirety. People interact with the ledger to carry out their ZeroCash activities, creating a state that can be queried and verified later.
Nowhere in this state is there a decrypted record of who has inserted and removed the coins in question. When someone wishes to remove a unit of currency from the system, they change the state in a way that does this without exposing their role in the operation. This offers near-perfect anonymity to the user.
The problem is that this system is both very powerful and fairly slow. While it takes only milliseconds to verify a proof, those milliseconds add up over many proofs. This means that most people will not use ZeroCash for every transaction, only as a way to "clean" a quantity of coins of their paper trail.
This is reinforced by the fact that ZeroCash is unsuitable for ordinary transactions. Transactions require a long chain of money changing hands, which may become arbitrarily difficult to process. Because of this, and because bitcoin miners do not check ZeroCash proofs, ZeroCash cannot work as a sidechain that transfers money between peers. ZeroCash is only a money-tumbling service.
How good a money-tumbling service is it? A tumbler operator can no longer perform traffic analysis on users or steal from them, and laundering bitcoin no longer requires communication with multiple active parties.
On the other hand, someone who analyzes the ZeroCash network may be able to perform attacks quite similar to the attacks on any mixnet. If an attacker observes someone pay 0.083 btc into ZeroCash and then sees 0.083 btc in transactions leaving the network that all eventually go to the same address, the attacker can correlate the two. Likewise, if someone uses the network for a quick Mix and Pour in the middle of the night when few other people are active, the timing of the transaction alone is enough to betray who was doing the mixing. Lastly, you have no control over what the coins you put into the pool have been used for; you may unintentionally be implicating your bitcoins in felonies.
ZeroCash thus needs enough users for "privacy in numbers" in order to provide real privacy.
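As an added example (not from the page or the ZeroCash project) of the amount and timing correlation just described, and of why "privacy in numbers" matters, the code below estimates the anonymity set of each Pour over a constructed log of pool activity: the deposits that could plausibly be its source. A user can run this kind of check on public pool activity before pouring; a set of size 1 means the withdrawal is linkable to one deposit. Event times and amounts are constructed, and the count is an upper bound because it does not remove deposits already spent.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    t: int        # minutes since the pool started (constructed clock)
    kind: str     # "mix" = deposit into the pool, "pour" = withdrawal from it
    mbtc: int     # amount in millibitcoin, kept integral so matching is exact

# Constructed pool activity: busy daytime with round 100 mBTC coins, one odd 83 mBTC
# deposit followed by a matching withdrawal, and one late-night deposit/withdrawal pair.
POOL = [
    Event(100, "mix", 100), Event(120, "mix", 83), Event(130, "pour", 83),
    Event(200, "mix", 100), Event(290, "mix", 100), Event(300, "mix", 100),
    Event(340, "pour", 100), Event(1490, "mix", 100), Event(1500, "pour", 100),
]

def candidates(events, pour, window=None):
    """Deposits that could be the source of `pour`: same amount, earlier in time, and,
    when `window` is given, at most `window` minutes before it (timing correlation)."""
    return [e for e in events
            if e.kind == "mix" and e.mbtc == pour.mbtc and e.t < pour.t
            and (window is None or pour.t - e.t <= window)]

def anonymity_sets(events, window=None):
    """Map each pour (keyed by time) to how many deposits it hides among; 1 means linkable."""
    return {e.t: len(candidates(events, e, window)) for e in events if e.kind == "pour"}

def linkable(events, window=None):
    """Times of pours an observer could tie to exactly one deposit."""
    return sorted(t for t, n in anonymity_sets(events, window).items() if n == 1)
```

With no timing assumption only the unusual 83 mBTC pour is linkable; once the observer assumes a Pour follows its Mix within an hour, the late-night pour at 1500 is linkable too, while the daytime pour still hides among two deposits.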
Extensions of Idea:
The really interesting thing is to consider the mechanics of this system. By allowing users to anonymously "check in" and "check out" resources from a global pool, ZCash contributes a novel cryptographic technique. In many systems, embedded devices take and return resources such as shared locks, and these systems must work hard, through obfuscation, to prevent reverse engineering.
ZCash seems like a reliable model for cooperative resource sharing among agents with strong ownership. After it becomes more mainstream, it will be interesting to see how it may be applied to the embedded blockchain domain.