Can This Man Build a Better Bitcoin?
Two years ago, Bryce “Zooko” Wilcox was running a struggling startup and sleeping in his car. Today he’s collaborating with JPMorgan Chase on the privacy tech that could give Bitcoin and other cryptocurrencies a run for their money. Here’s how he got from A to Z.
Bryce “Zooko” Wilcox stands by as his brother, Josh “Za,” slices into his Lenovo desktop computer with an angle grinder. The metal on metal looses a dazzling cascade of sparks, which flicker through the harsh rays of the car headlamps trained on the scene taking place in a backyard in Longmont, Colo. A fire glows nearby.
“Can I try whacking it now?” Zooko asks from underneath the wide brim of a wizard’s hat.
Za obliges. Like Gandalf wielding a makeshift staff, Zooko unleashes the force of a sledgehammer upon the CPU tower. THWUANCK. “It’s kind of smoking, so I don’t want to touch it,” Zooko says, before picking up the mangled mess with his bare hands. Fragments fall to the gravel below. He pins the battered husk down with his foot and prods its innards with a crowbar.
Za’s wife, Jessica, enters the firelight. She begins clobbering computer chips with a hammer, just as the stereo switches to “Still,” the gangsta-funk Geto Boys track made famous in the printer-whupping scene from the 1999 film Office Space. Under her buffets, the circuitry explodes into shrapnel. The brothers grin.
Tonight’s carnage marks the conclusion of an event Zooko calls The Ceremony. With barbecue, whisky, and heaps of entropy, Zooko and his crew are celebrating the completion of an elaborate computation meant to spawn a new, more private digital currency. They call it Zcash.
The project involved six people with an assortment of machines distributed across multiple continents. Each member of the group, several of whom were operating under aliases, contributed shards, or fractions, of an unfathomably big number that will serve as the basis for what is essentially a secret, special cryptographic key. The end result of the clandestine crew’s efforts is a set of numeric parameters that will underpin a data-scrambling scheme capable of concocting a virtual currency with confidentiality at its core.
The work is spread out geographically to ensure that no malicious actor can sabotage the process or obtain the component parts. Traces of the computers’ leftover math—Zooko calls it “toxic waste”—may reside in memory; if salvaged, the material could grant someone the power to counterfeit infinite sums of virtual money.
Powering down just one of the computers should be enough to wipe part of the key’s recipe from the face of the earth. But in such a high-stakes scenario, one can never be too sure. Thus the total annihilation of The Ceremony.
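The property described above, where each participant holds one shard and destroying any single shard is enough, can be seen in a simplified model. This is an added illustration, not Zcash's ceremony code: each participant raises a running public value to a secret share and proves knowledge of it. The toy group, the function names and the transcript layout are assumptions chosen for the example.

```python
import hashlib
import secrets

# Toy group, an assumption for illustration only: integers modulo the prime
# 2**255 - 19. Real ceremonies work in pairing-friendly elliptic-curve groups.
P = 2**255 - 19
ORDER = P - 1   # exponents can be reduced modulo P - 1 (Fermat's little theorem)
G = 2           # public starting value


def _challenge(*values):
    """Fiat-Shamir: derive the proof challenge by hashing the public values."""
    data = b"|".join(str(v).encode() for v in values)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % ORDER


def contribute(prev, share):
    """One participant's turn: fold a secret share into the running value and
    attach a Schnorr proof of knowledge of that share, relative to base prev."""
    new = pow(prev, share, P)
    k = secrets.randbelow(ORDER - 1) + 1          # one-time nonce, also discarded
    commit = pow(prev, k, P)
    z = (k + _challenge(prev, new, commit) * share) % ORDER
    return {"prev": prev, "new": new, "commit": commit, "z": z}


def run_ceremony(shares):
    """Chain every participant's contribution; returns (transcript, final value)."""
    transcript, acc = [], G
    for share in shares:
        step = contribute(acc, share)
        transcript.append(step)
        acc = step["new"]
    return transcript, acc


def verify_transcript(transcript):
    """Anyone can check the public transcript: each step must start where the
    previous one ended and carry a valid proof. No share is revealed."""
    expected_prev = G
    for step in transcript:
        if step["prev"] != expected_prev or step["new"] in (0, 1):
            return False
        c = _challenge(step["prev"], step["new"], step["commit"])
        lhs = pow(step["prev"], step["z"], P)
        rhs = (step["commit"] * pow(step["new"], c, P)) % P
        if lhs != rhs:
            return False
        expected_prev = step["new"]
    return True


def toxic_waste(shares):
    """The combined secret: the product of the given shares."""
    product = 1
    for share in shares:
        product = (product * share) % ORDER
    return product


if __name__ == "__main__":
    # Six participants, as in the ceremony described above; shares are random.
    shares = [secrets.randbelow(ORDER - 2) + 2 for _ in range(6)]
    transcript, final = run_ceremony(shares)
    print("transcript verifies:", verify_transcript(transcript))
    # Only someone holding all six shares can rebuild the exponent of `final`.
    print("all shares rebuild it:", pow(G, toxic_waste(shares), P) == final)
    # With one share destroyed, the other five no longer reproduce it.
    print("five shares rebuild it:", pow(G, toxic_waste(shares[:5]), P) == final)
```

The last check fails only because recovering a missing share from the public transcript would mean solving a discrete logarithm; that hardness, not the arithmetic shown here, is what a real ceremony relies on.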
Zooko tosses the electronic wreckage into the fire pit as Za sprays bursts of lighter fluid onto the crackling conflagration. Plumes erupt in response. The blaze reeks of melted plastic—literal toxic waste.
“And this, children, is why on Oct. 23 we have fireworks,” Zooko declares to unseen future generations with mock self-importance. His compatriots stand tall. To this observer, watching the festivities on video almost a year later, the entire act seems absurd. But the pyrotechnics will help ensure that Zooko and his troupe can responsibly bring into being the germ of a new digitized tender, Zcash, one that represents the best hope yet for imbuing the realm of cryptocurrency with an element it is sorely lacking: privacy.
Within a year of that fateful evening in October 2016, the market capitalization of Zcash will swell to just under $1 billion, making it a top 20 cryptocurrency. Its fundamental technology will be added to Ethereum, the decentralized computing network that, alongside Bitcoin, is spurring an exuberant $350 billion boom in crypto coins. And Zcash’s incipient parameters, hatched in the cool shadow of the Rockies, will be adopted by the U.S.’s biggest bank, JPMorgan Chase.
Despite the record-breaking values of Bitcoin and its ilk, most digital currencies have failings that make them problematic as a mainstream medium of exchange. For instance, the transactions are essentially public and easy to track, offering you, the consumer, less privacy than your credit card. Zcash aims to change that. If, one day, businesses and people come to rely on cryptocurrencies, they may have Zooko and his band of ravagers to thank for laying the foundations to make that possible.
Critics were split in the years following Bitcoin’s arrival in 2009. Its peer-to-peer system for verifying transactions, called the blockchain, allowed people to securely and electronically exchange money without having to rely on third parties like banks. To supporters, Bitcoin promised to be a sort of anonymous, transnational digital currency that eschewed the inefficiencies of today’s monetary system. To critics, it was a lawless thought experiment run amok. It didn’t help that most people associated the invention with the black market. From 2011, Bitcoin was best known for its association with the dark web bazaar called Silk Road, where unscrupulous folks used it to buy or sell drugs and other contraband under the guise of pseudonyms—the only basic protection Bitcoin afforded. They were in for a rude awakening.
“Criminals thought it was something that could never be traced back to them,” says Kathryn Haun, a former federal prosecutor who now serves on the board of Coinbase, the highest privately valued digital currency startup. “People weren’t thinking ahead.”
The truth is that Bitcoin is radically transparent, a major strength and weakness. Think of the blockchain, the central accounting innovation at the heart of the system, as a giant billboard broadcasting everyone’s holdings and financial activity at all times. The whole point is to display a public record of transactions. Anyone with some rudimentary computer skills and a familiarity with the technology can inspect the digital ledger to see who traded what with whom. The transparency helps ensure the integrity of the system. Without it, people could potentially lie about what they spent, recycling the same money in different places—a would-be disaster.
But the lack of privacy for Bitcoin and just about every other cryptocurrency is not only a problem for crooks, it’s also a major barrier to adoption for regular people and businesses. There are countless transactions you might wish to keep out of the public eye: your paycheck, a surprise anniversary gift, a visit to the doctor. Bitcoin effectively exposes all of that. The same is even truer for corporations. No executive in his or her right mind would conduct business in a way that exposes trade secrets, like the amounts paid to suppliers or partners. Most cryptocurrency payments make complying with the Health Insurance Portability and Accountability Act (HIPAA) and other data-privacy regulations nigh impossible, ruling out key industries. For many, these deficiencies are nonstarters.
“Bitcoin is the least private financial system ever invented,” says Matthew Green, a cryptographer and professor at Johns Hopkins University.
Green spent the first years of Bitcoin’s existence trying to find flaws in its code. Once he considered the premise sound, he focused on figuring out how to add privacy to the system. His motivations arose not from a desire to aid and abet baddies but rather from a compulsion to create safeguards for everyday users. So he and two graduate students, Ian Miers and Christina Garman, devised Zerocoin, a protocol that could obscure the parties to a transaction using encryption while maintaining the auditability of the shared ledger with a set of advanced mathematical techniques called “zero knowledge proofs.” These nifty concepts, developed at MIT in the 1980s, allow people to prove a statement true without revealing any other details about the item in question. The technology miraculously ensures everyone stays honest even as it blinds data.
“This is not some scam to help criminals do their job,” Green says. “It’s technology we need.”
Ask the Cryptographers
The math at the heart of Zcash is new and complex. So how, exactly, do “zero knowledge proofs” work? Computer scientists and cryptographers involved in the Zcash project do their best to explain in layman’s terms.
Matt Green, Zcash founding scientist and Johns Hopkins professor:
Zero knowledge proofs are this kind of foggy, beautiful, magical thing invented in the 1980s by cryptographers at MIT.
Ian Miers, Zcash founding scientist and Cornell Tech postdoc:
Explaining zero knowledge proofs to people is an exercise in demonstrating their existence. Because by the end of the talk you have convinced people that you know what a zero knowledge proof is, and by the end they will have no idea whatsoever.
Eli Ben-Sasson, Zcash founding scientist and zk-SNARKs co-inventor:
It’s like a magical restaurant bill where the items are blanked out but the restaurant can’t cheat you, even if you can’t see the individual sums.
Andrew Miller, Zcash adviser and University of Illinois Urbana-Champaign professor:
If you’re familiar with how digital signatures work in Bitcoin, it’s easy to understand. A digital signature is already a kind of zero knowledge proof. You’re proving you know your secret key. You’re using your knowledge of a secret key to bind your identity to a transaction you want to authorize. It’s secure because no one who doesn’t know your private key is able to fool someone.
Peter Todd, Bitcoin core developer and Zcash skeptic:
zk-SNARKs are a very sophisticated mathematical technique, but you’ve got to remember how novel this math is. It would not surprise me and many other cryptographers if, in the future, that math got broken, making the entire system no longer secure.
Green and his team hoped to contribute their invention to the Bitcoin blockchain because of what they deemed its benefits. But the core developers of Bitcoin weren’t interested. It was too new, would slow down the network, and make computations more expensive. Green and his students needed a different game plan.
At a San Jose Bitcoin conference in 2013, the Zerocoin researchers encountered another academic team, from the Technion Institute in Israel, that would prove a perfect match. Led by cryptographer Eli Ben-Sasson, these counterparts discovered a way to make zero knowledge proofs much more efficient. Ben-Sasson dubbed the invention “zk-SNARKs.” The two teams joined forces and created a new protocol called Zerocash that was 98% more efficient than its forerunner.
Emin Gün Sirer, a computer scientist at Cornell University, recounts some of the cynical reactions he initially heard about the project. Colleagues said it would be used for money laundering, drugs, and other illicit activities, he says—the same criticisms lobbed at Bitcoin when it debuted. The sentiment didn’t last long. The naysayers have come to appreciate, Sirer says, that “even mainstream systems need this level of privacy guarantees.”
Vitalik Buterin grasped the significance immediately. Prior to creating Ethereum, Buterin covered the San Jose Bitcoin conference as a correspondent for Bitcoin Magazine, a publication he cofounded. The wunderkind programmer interviewed Ben-Sasson about his breakthroughs, and it left an indelible impression. “Personally, I think zk-SNARKs are a hugely important, absolutely game-changing technology,” Buterin tells Fortune. “They are the single most under-hyped thing in cryptography right now.”
Again, Bitcoin’s core developers took a pass on the technology. So Green and his colleagues agreed to create a digital coin of their own that wove in zk-SNARKs. But they needed a leader with business experience to commercialize the currency. They found those traits in an unlikely man—a cypherpunk, part-coder, part-activist, who boasts of holding a world record for the most failed attempts at building a business around peer-to-peer, decentralized file sharing. They found Zooko Wilcox.
Zooko Wilcox wants to show me where he once slept. On a crisp fall day in downtown Boulder, we roll down the street in his beat-up 1989 Volvo station wagon, its interior decorated with peanut shells and casually discarded coffee mugs. He is wearing a faded black T-shirt with a threadbare collar that reads, cheekily, across the chest: “I am Satoshi Nakamoto,” a reference to the elusive, still unknown, pseudonymous creator of Bitcoin. His thick russet thatches exist in a state of perpetual tousle, as though magnetized by the invisible energy of some faraway Tesla coil.
He pulls into a garage off Pearl Street, the town’s main thoroughfare. “This is the parking lot I used to sleep in,” he says as he descends to the lower level. “This is something I have not previously talked about, really, because it’s kind of shameful and embarrassing and weird.”
In the summer of 2015, Wilcox had sunk most of his money in a decentralized file storage company he founded called Least Authority. He was going through a divorce with his then-wife, Amber O’Hearn. Wilcox, now 43, wanted to stay in Boulder so he could drive his kids to school. So he would enter the garage around 11 p.m., after the guard had gone home, and pull into a space on the rooftop, where he would recline his seat and rest.
A year earlier Matthew Green, the Johns Hopkins University cryptographer, had approached Wilcox about helming the Zerocoin Electric Coin Company. Wilcox declined. He felt its prospective coin, Zcash, would be a niche product and a plaything for bad actors. He later reversed his opinion once he determined the core technology would be useful to businesses and ordinary consumers.
In 2015, Wilcox scrounged together the money to fly to California with Green and pitch potential investors on the new project. It was a frustrating exercise. Wilcox’s suitcase was stolen from the car after he left the airport, forcing him to spend what little he had on a new suit from Men’s Wearhouse. And during the first meeting with an investor at Kleiner Perkins, the storied venture capital firm, the host showed up 10 minutes late, declared that he had to leave 10 minutes early, and radiated uninterest throughout. “The closest thing you could say is that we were laughed out of the room,” Green says.
Despite the slow start, the team managed to cobble together $720,000 in seed funding from angel investors including Naval Ravikant, CEO and founder of the startup network AngelList, and investment firms such as Pantera Capital and Shanghai’s Fenbushi Capital. A year later they bagged another $2 million. Zcash was in action.
That Wilcox would wind up spearheading a cryptocurrency seems, in retrospect, inevitable. In 1996, as a computer science student at the University of Colorado at Boulder, Wilcox took a leave of absence to work as a junior coder at DigiCash, the world’s first e-money startup, founded by pioneering cryptographer David Chaum. Wilcox would dream up ways to make the firm’s product, dubbed “cyberbucks,” more decentralized. None were feasible.
The notion haunted him. After DigiCash flamed out, Wilcox explored the concept as an employee of the file-sharing startup Mojo Nation and later as a developer of Tahoe-LAFS, a decentralized cloud-storage service like Amazon S3, sans Amazon.
“I had struggled for more than 10 years to try to make a decentralized currency, and I couldn’t make it work,” Wilcox recalls. “In large part, I was waiting for Satoshi,” the Bitcoin creator.
In January 2009, Wilcox became perhaps the first person ever to blog about Bitcoin in a post titled “Decentralized Money” on his personal blog, Zooko’s Hack Log. Satoshi Nakamoto returned the favor several weeks later, linking to Wilcox’s write-up in an addendum to a preliminary release of the Bitcoin software on Bitcoin.org, the newly created project’s home page. Wilcox was one of only three people to receive an honorable mention in the “related links” section. (The others were Nick Szabo, inventor of “bit gold,” and Wei Dai, creator of “b-money.”)
If Wilcox was waiting for Nakamoto, then perhaps the reverse can be said for the enigmatic inventor. In an August 2010 thread on a forum discussing ways to improve the privacy of Bitcoin, one commenter under the alias “Insti” proposed zero knowledge proofs as one potential approach, though the author worried that they might be “theoretically impossible.”
Nakamoto mulled the idea. “This is a very interesting topic,” the inventor replied. “If a solution was found, a much better, easier, more convenient implementation of Bitcoin would be possible.”
“Still thinking this idea through …”
Four months later, Nakamoto would vanish from the web, never to post a public note again.
At his modest home in the Boulder suburbs, Wilcox defends his unconventional eating habits over a grilled steak and a glass of 12-year-old Lagavulin Scotch. He is a proponent of the fringe dietary movement known as carnivory, in which participants consume only meat. (Yes, he cheats sometimes and adds milk to coffee or tomato to a burger—or in this case, whisky to a tumbler.) He’s discussing a recent Vice story that took the trend to task. Wilcox, unsurprisingly, has a bone to pick.
“Just like Bitcoin is a puerile rebellion against monetary orthodoxy, so too is carnivory a puerile rebellion against nutritional orthodoxy,” Wilcox says, summarizing the author’s argument. The rickety black square table in his dining room rocks from leg to leg as he saws through a juicy slab of beef.
Wilcox and his ex-wife O’Hearn originally fell into a ketogenic diet—high fat, low carb—as an experimental treatment to lose weight and stave off depression. The two began collaborating on a blog, ketotic.org, where they would catalog their beliefs and observations. “Neither of us have medical credentials,” the site’s “About Us” page warns. “This is actually an advantage, because it reduces our temptation to say ‘Trust us—we know what we’re talking about!’ Instead, we show you the evidence that led us to our beliefs, so you can judge for yourself.”
Amazingly, the writings helped spark a relationship between Zcash and JPMorgan Chase. Wilcox met Amber Baldet, who now leads JPMorgan’s blockchain efforts, after she gave a talk on mental health at the hacker conference Defcon in 2013. The two bonded over the subject matter and kept in touch. Years later, in 2016, after Wilcox had begun working on Zcash and Baldet on business blockchains, the two discussed a possible partnership.
The pair’s long-standing mutual respect “got everyone on the same page,” Baldet tells Fortune.
It was the start of an unlikely collaboration between a lifelong cypherpunk and a titan of Wall Street. Quorum, JPMorgan’s Ethereum-inspired payments platform for businesses, now uses the zk-SNARKs commercialized by Zcash to mask the money moving around on its permissioned, enterprise blockchain. This shield, which is called the Zero Knowledge Settlement Layer, or ZSL, keeps details related to the last step of a payment private. Without this piece in place, competitors could potentially glean information about deals, front-run trades, and throw markets out of whack.
“We have a fiduciary and regulatory obligation to keep customer data private,” Baldet says. “While they’re a novel approach,” she says of zk-SNARKs, “they solve privacy in a very elegant, universal way.”
Patrick Mylund Nielsen, the lead blockchain engineer at JPMorgan, believes Zcash’s zero knowledge proof–based technology holds more promise for privacy than any other single approach he’s seen. Wilcox’s involvement sealed the deal. “A lot of crypto engineers know Zooko as someone who only backs things he really believes in,” Mylund Nielsen says.
Five Crypto Privacy Tools to Know
A virtual currency that uses “ring signatures,” which make it hard to pinpoint the origin of a transaction among a group.
A cryptocoin that offers “private send,” a feature that minces payments across its network’s so-called masternodes.
A browser that routes Internet traffic through encrypted relays, shielding one’s IP address and geographic location.
Services that divide transactions into smaller denominations and scramble their routes.
Techniques that mask transaction amounts with “hashes,” the outputs of certain one-way cryptographic functions.
JPMorgan isn’t the only bank actively exploring this technology. Dutch financial giant ING recently released a piece of software under an open-source license that uses zero knowledge proofs as its basis. The tool allows people to prove that some figure exists between a range of numbers, such as a salary between $70,000 and $100,000 or a point between two geographic coordinates, without revealing the exact sum or location. “We believe the application for all this is huge,” says Mariana Gomez de la Villa, ING’s blockchain program manager.
At the conclusion of our meal, Wilcox ferries our dishes into the kitchen. He recounts the tale of Vilhjalmur Stefansson, an early 20th-century Arctic explorer and one of the earliest advocates of an all-meat lifestyle. Later in life, when it looked like the regimen might actually catch on, Stefansson is said to have remarked to his wife with a tinge of sorrow, “I shall have to find myself a new heresy.”
Now that carnivory and cryptocurrencies are gaining traction among a growing group of people, Wilcox jokes that he might have to do the same. “I haven’t had time to think about what my next unpopular opinion will be,” he says.
As promising as Zcash is, it is far from perfect. Its sluggishness in processing private transactions, its inability to perform well on mobile devices, and the novelty of its math hold it back from its full potential—though many of these issues are likely to be addressed in coming upgrades and with further testing. What’s more, the currency’s strange origin story, with only six founding formulators, leaves something to be desired.
That’s why a new Ceremony is underway. In the next iteration, virtually anyone can participate in the computational process that forges a new batch of zk-SNARKs. The only requirements are some computing power and a bit of bespoke randomness in the code—like an excerpt from a book or indiscriminate keyboard mashing. The goal: a new set of secure, cryptographic parameters for the next generation of the technology. “I actually think, personally, that this Ceremony is bigger news than Zcash itself,” says Nathan Wilcox, a Zcash project manager and brother to Zooko and Za. He adds that it could establish a reproducible process for people interested in using zk-SNARKs.
Even novices can chip in. On Nov. 18 I joined as the ninth Ceremony participant from the comfort of my living room in Brooklyn. Others took stronger security precautions: computing their numeric shards while hurtling underground on a Hong Kong subway, within a granite-walled farmhouse outside London, or inside a cardboard box lined with aluminum foil.
Soon even this pageantry may be unnecessary. Zcash researchers intend to obviate the need for a Ceremony entirely. Ben-Sasson, an architect of zk-SNARKs, is at work on a souped-up version of the tech that will require no multiparty setup phase—no computational baton-passing, no bonfires. He calls them “zk-STARKs,” where the “t” stands for “trust” and “transparency.” Or, as Zooko Wilcox prefers, “toxic waste–free.”
As Zcash evolves, Wilcox intends to step aside. Already the new Ceremony is moving forward without him. He’s happy about it. The Zcash Foundation, an alternate governing body for the project and what it says is the first-ever cryptocurrency-related 501(c) nonprofit in the U.S., is expected to assume more responsibilities over time. Next year the organization plans to host a “constitutional convention,” Wilcox says, where it will discuss how to gradually transition power to the community.
Zcash is one of the first commercially successful applications for zero knowledge proofs, “but there are more applications coming as scientists get more familiar with it,” Wilcox says. Right now when we shop, bank, or do anything online, we generate data that belongs to the companies that run the websites and the pipelines; in Wilcox’s vision, that data will belong to us. And the tech behind Zcash is all open source, meaning it’s free to modify and redistribute. The approach has long been a hallmark of Wilcox’s work.
“When I’m on my deathbed, I want to be able to say I took every opportunity presented to me to improve the world for the good of all,” Wilcox says. “We were never going to have a monopoly on the math.”
A version of this article appears in the Dec. 15, 2017 issue of Fortune.