Making Private Payments Scale for Everyone

Zcash pioneered zero-knowledge proofs to deliver the strongest on-chain privacy of any financial network. Since launch, Zcash researchers have made these proofs dramatically faster and eliminated the need for a trusted setup.

Yet the protocol still faces fundamental scaling limits. Shielded transactions are large and costly to verify, constraining throughput. And while some history can be pruned, the consensus state that validators must retain keeps growing, raising hardware requirements for full nodes and block producers.

[ DEEP DIVE ]

Ledger Indistinguishability

Zcash does not compromise on privacy. It achieves ledger indistinguishability, a strong form of on-chain privacy in which fully shielded transactions cannot be distinguished from one another. In practice, much of the data needed to tell transactions apart never even appears on-chain.

That indistinguishability rules out many conventional scaling techniques, so we turn to more advanced cryptography.

[ KEY INNOVATION ]

Oblivious Synchronization

To prevent double spends, shielded transactions reveal tokens called nullifiers, unique values that must never repeat. In today's protocol, every validator must store all revealed nullifiers forever, leading to runaway state growth: gigabytes per day even at a modest rate of transactions per second (TPS).

In theory, proof-carrying data (PCD) could fix this by making spenders prove they have not revealed the same nullifier before. Many projects explored this but abandoned it when it did not scale without weakening privacy.

Tachyon solves this with oblivious synchronization: a remote service incrementally constructs a proof that your funds have not been spent. Crucially, the service never learns your actual nullifiers, because the protocol forces them to periodically evolve in an unlinkable way.

Tachyon addresses the protocol's scaling limits (transaction size, verification cost and growing consensus state) by redesigning the shielded protocol around proof-carrying data (PCD), a primitive that lets computation be continually compressed across steps, far beyond what traditional zk-SNARKs enable.

PCD lets block producers aggregate shielded transactions without user coordination, cutting marginal size and verification cost and boosting block capacity. Aggregation scales horizontally thanks to PCD's fundamental properties.

Together with oblivious synchronization, PCD also lets transaction creators cap the amount of state validators must actively maintain. This removes the final asymptotic scaling barrier for private payments while preserving ledger indistinguishability.

PCD operates at both ends of Tachyon's protocol: as a precomputation to reduce validator state (via oblivious synchronization) and as a post-computation to compress shielded transactions for inclusion in blocks.

This requires a new shielded protocol that uses PCD end-to-end with a simplified key structure. To build on today's ecosystem (including hardware wallets), we preserve backward compatibility with the existing cryptography.

[ POST-QUANTUM PRIVACY ]

Decoupling the Payment Protocol

Tachyon decouples the wallet payment protocol from the on-chain shielded protocol. This removes quantum-vulnerable privacy assumptions from the on-chain layer and opens a path to post-quantum privacy.