Another trade-off in the use of zk-SNARKs in generating shielded transactions is that it requires the prover to generate a proof that requires a relatively significant amount of computer memory and time, which some believe makes it inconvenient for regular use.
In addition to the spending keys used to control addresses, Zcash uses a set of proving and verifying keys to create and check proofs. These keys are generated in the public parameter ceremony that we just discussed, and shared among all participants in the Zcash network. For each shielded transaction, the sender uses their proving key to generate a proof that their inputs are valid. Miners check that the shielded transaction follows consensus rules by checking the prover’s computation with the verifying key. The way that Zcash’s proof generation is designed requires the prover to do more work up-front, which requires computer memory (often over 3GB of RAM) and time. On the other hand, it simplifies verifying, so that the major computational work is offloaded to the creator of the transaction.
In total, the creation of a shielded Zcash transaction could take over a minute, while verifying that a transaction is valid only takes milliseconds. As a result, in the past not many transactions were shielded in Zcash, which affected its fungibility. This means that some coins may be more valuable than others because they don’t have a tainted history associated with it.
Thus, the team aimed to improve performance in a future upgrade, with the goal of significantly reducing the amount of time and memory required, allowing even mobile phones to generate proofs. The Sapling upgrade utilizes a zero-knowledge proof-based technology that makes private transactions far more efficient than they were before the upgrade. According to some sources, this has significantly improved the performance of shielded addresses with a time reduction of 90% for constructing transactions, and a memory reduction of 97%. This drastic reduction of transaction size and increased efficiency possibly makes private transactions much more widely accessible to Zcash users, since they can now indeed perform them from their mobile devices within seconds. This could mean that a greater percentage of Zcash transactions will be shielded, increasing overall privacy and fungibility.
However, it is important to note here that it is currently impossible to conduct a private transaction from legacy-shielded addresses to Sapling-enabled addresses. If one were to do this, the transactional data will simply be revealed, which of course goes against the whole purpose of Zcash. Yet, despite the improvements that have yet to be made to the project, the Zcash company is very optimistic about their ambitions. The development team has even alluded to a future plan for deprecating transparent addresses altogether.
As you might know, there are also other currencies such as ETH that are looking to incorporate zk-SNARK technology into their protocols. This could possibly mean that ZEC will need to set itself apart in some other way.
However, at the same time it is hard to say how the privacy features of Zcash will compare to the future planned features of these other coins. Since the Zcash team and blockchain are primarily focused on privacy, they can probably more easily make development tradeoffs that are geared to optimizing Zcash’s privacy features and there will probably be an advantage to their specialization in terms of efficiency, security and usability.