Zcash Vanity Address Generator

I just thought of something. Eventually there'll be some interest in brute force scanning bitcoin addresses to find one with the first few characters customized to your name, kind of like getting a phone number that spells out something. Just by chance I have my initials.

—Satoshi Nakamoto in an email to Hal Finney in 2009, referring to 1NSwywA5Dvuyw89sfs3oLPvLiDNGf48cPD.

Zcash-vanity is a high-performance GPU-based vanity address generator for Zcash shielded addresses (z-addrs), written in Rust/OpenCL (source code).

Installation

First you need to install Rust. Then run cargo install zcash-vanity.

Then run zcash-vanity --help for usage information.

You can load multiple patterns from a file (-f), and optionally turn on case-insensitive matching (-i) to reduce the search space.

Example

The following address was found by searching for the prefix zcVANiTY:

zcVANiTYZ1VxZp9dr6CEqfesYyfak8d6ZDFh4LLQPtHdGUb47CkpHzspFg4YV4NqsfyWkUxs4rcrzhKGsqHhXkzZsWkDaLT

Each additional character will of course take around 58 times longer than this for an exact match. For every character that has two cases available in the base58 alphabet, the expected time can be halved, so enabling case-insensitivity may be worthwhile for longer prefixes.

Method

To receive a Zcash payment on the Zcash blockchain, the recipient needs to provide two pieces of information to the sender: a paying key apk and a transmission key pkenc, which together form a payment address.

Zcash encodes a payment address as follows:

Both the paying key and the transmission key are derived from a 252-bit secret key ask. Since we’re only interested in finding z-addrs that match particular prefixes, we can ignore the transmission key as it appears after the paying key in the raw address, and set it to some fixed value such as all zeroes for the brute-force search.

The paying key apk is derived from the secret key ask by applying SHA256Compress to the secret key (along with some additional fixed data). Therefore the brute-force search simply runs SHA256Compress on random ask until it finds a matching apk.

There are a few tricks that we can use to optimise performance on GPUs:

Range of Valid Addresses

A maximum range of possible encoded shielded addresses can be calculated by taking the smallest/largest possible raw addresses and encoding them, i.e.

base58(0x169ac000…00) → zc8E5gYid86n4bo2Usdq1cpr7PpfoJGzttwBHEEgGhGkLUg7SPPVFNB2AkRFXZ7usfphup5426dt1buMmY3fkYeRrJD8PUK

base58(0x169acfff…ff) → zchid4y8fAVDtAb9Q4G3QiPJbNaocboTwXCdmQ9EhvpdMg4HK8hxRFafoMDjjmaLXHkqy68w4dk2nG4XhLJaKpBLh88zPav

This gives us a range of possible encoded prefixes for z-addrs. In other words, the third character can match [8-9A-Za-h], but in the case of 8 or h, subsequent characters will be restricted.

Zcash-vanity detects if any input patterns are outside of the allowed range and throws an error.

Related Work

Credits

Zcash-vanity was written by Jason Davies. Thanks to Sean Bowe for providing encouragement and feedback.

You may send a donation to the address below if you wish to support development:

zcVANiTYZ1VxZp9dr6CEqfesYyfak8d6ZDFh4LLQPtHdGUb47CkpHzspFg4YV4NqsfyWkUxs4rcrzhKGsqHhXkzZsWkDaLT