Investigating a Zcash Web Wallet

ChainSafe R&D has been investigating the feasibility of a Zcash web wallet. Such a wallet would allow easy onboarding to Zcash. It is also the first step in building a browser extension wallet or a MetaMask snap.

Investigating a Zcash Web Wallet

In recent months, ChainSafe R&D has been investigating the feasibility of a Zcash web wallet. Such a wallet would allow easy onboarding to Zcash and would be the first step in building a browser extension wallet or a MetaMask snap.

Understanding why this is challenging requires some background knowledge about how privacy-geared cryptocurrencies like Zcash work. In particular, the protocol uses encrypted notes and note commitments to allow a wallet to detect and spend funds.


Encrypted notes

Zcash-shielded transactions don't reveal the sender, recipient, or amount sent. If this is the case, how can a wallet know when it receives funds?

The way this works is that the sender of a transaction encrypts the notes destined for the recipient using the recipient's public key. These notes are only decryptable using the recipient's view key. The only way to know if a note will decrypt is to try it and find out.

So, determining a wallet's balance requires downloading every note spent by the chain, attempting to decrypt them with the wallet view key, and storing those that decrypt successfully.

The challenge is that the downloading and decrypting of notes has to be very fast as it must be applied over every spent note. The process cannot be handed off to another party without revealing the view key and compromising the wallet's privacy.

Note commitments and witnesses

Every new note in the protocol (and remember, at least one new note gets produced for each spend) gets added to an append-only Merkle tree as a note commitment. This doesn't reveal anything about the note itself, but when spending a note, the path to its commitment in the Merkle tree can be used to prove ownership. This path is called the note witness.

For a wallet to spend its notes, it must know the witnesses for every unspent note it holds. The commitment Merkle tree updates each block as new note commitments get added. Ideally, you want to submit transactions using witnesses in the most recent version of the Merkle tree. Otherwise, you leak some information about when you created your spending notes.

If a third party did this computation, it would leak information about which notes you might be holding. So, a spending wallet must also obtain and update these witnesses by processing every new commitment added to every block.

The challenge

A private wallet needs to do a lot of computation itself to avoid compromising the wallet privacy. This problem becomes particularly challenging when designing for restricted environments.
This study investigates whether trial decryption and witness updating for a wallet could be completed within a browser's memory and computation-restricted environment in a reasonable time frame.

Our implementation

Previous attempts have been made at a Zcash web wallet several years ago by compiling the existing Rust wallet code for Wasm. Unfortunately, we found this to be infeasible due to long sync times. 

Regardless, we went with a similar approach but trial decryption by:

  1. Making heavy use of parallelism via web-workers
  2. Using GRPC-web from within Rust to avoid deserializing block data multiple times
  3. Using newer, more efficient implementations of trial decryption and witness updating provided by librustzcash

Our PoC was not a complete web wallet but a benchmarking page that would apply the trial decryption and witness updating processes to compact mainnet block data streamed from a lightwallet instance.


Previous 90 days of mainnet

Using four web workers, we could download and trial-decrypt all notes from the previous 90 days worth of mainnet Zcash in around 15 seconds. If you hadn't opened your web wallet for 90 days, seeing the new wallet balance would take 15 seconds.

Similarly, for witness updating, we could download blocks and update 100 witnesses in around 16 seconds. If your wallet had 100 upspend transactions, this is how long it would take to sync from 90 days ago to spend these notes. If performing both tasks, as a regular wallet would, the combined time would be less as blocks would only need to get downloaded once.

Previous 600 days of mainnet

We also tested trial decryption from the Orchard activation height (~600 days ago) to the tip. During this period, the chain was experiencing a DoS attack, so the blocks contained spam transactions with many notes. As an optimization, any transactions spending more than 50 notes did not get decrypted, although they still needed to be downloaded.

Syncing from this height took around 55 minutes. This speed is much less palatable; however, syncing from this many blocks in the past would only need to be done for wallets created before such time. Any new wallets designed to be web wallets could avoid syncing during this network spam period. Therefore, any real users would likely experience a shorter sync time.


Given the advancements in Wasm parallelism, enhanced witness updating algorithms, and the integration of GRPC-web, we conclude that developing a Zcash web wallet is indeed feasible.

The initial prototypes show promising results, and there is considerable potential for further improvements through meticulous optimization and potentially leveraging WebGPU to accelerate cryptographic operations.

Implementing a web wallet or browser plugin would be a significant enhancement to the Zcash ecosystem, offering users a more accessible and private option for engaging with cryptocurrency.

Interested in learning more? 

  • Check out the full report → Here
  • Or run the benchmarks in your own browser → Here

About ChainSafe

ChainSafe is a leading blockchain research and development firm specializing in protocol engineering, cross-chain interoperability, and web3 gaming. Alongside its contributions to major ecosystems such as Ethereum, Polkadot, and Filecoin, ChainSafe creates solutions for developers across the web3 space utilizing expertise in gaming, interoperability, and decentralized storage. As part of its mission to build innovative products for users and improved tooling for developers, ChainSafe embodies an open-source and community-oriented ethos to advance the future of the internet.

Website | Twitter | LinkedIn | GitHub | Discord | YouTube | Newsletter