Bitcoin Forum
Author Topic: Thoughts on Zcash?  (Read 123325 times)
st0at
January 27, 2016, 01:09:06 PM
Last edit: January 28, 2016, 04:00:16 PM by st0at
 #21

Functionally the main difference between Monero and Zcash (esp. after RingCT is integrated) is that Zcash has a larger anonymity set at the level of individual transactions (all previous users) than Monero (some randomly chosen subset of previous users).

tldr, these are both serious, credible cryptographic techniques to deliver private transactions, with different advantages and disadvantages.

That insolent banned narcissist claimed the main difference is that the IP address and other markers of activity could be correlated to specific UTXO on the ring of potential payers and that this was not possible in Zcash. And he arrogantly claimed that this was some fundamental distinction. Thanks for the clarifying slogan.
smooth
January 27, 2016, 01:15:15 PM
 #22

Functionally the main difference between Monero and Zcash (esp. after RingCT is integrated) is that Zcash has a larger anonymity set at the level of individual transactions (all previous users) than Monero (some randomly chosen subset of previous users).

tldr, these are both serious, credible cryptographic techniques to deliver private transactions, with different advantages and disadvantages.

That insolent banned narcissist claimed the main difference is that the IP address and other markers of activity could be correlated to specific UTXO on the ring of potential payers and that this was not possible in Zcash. And he arrogantly claimed that this was some fundamental distinction. Thanks for the clarifying slogan.

He claims that you don't need to use Tor/I2P to hide your IP if you are using zerocash because the transactions are so opaque even revealing your IP does not matter. I'm sure there is a narrow way of looking at it that makes that the case, but overall, I don't agree and the Zcash developers don't agree (they are integrating Tor).

Monero works with a Tor proxy and will have I2P integrated. Dash (and Bitcoin) works with Tor.

st0at
January 27, 2016, 01:55:26 PM
 #23

Functionally the main difference between Monero and Zcash (esp. after RingCT is integrated) is that Zcash has a larger anonymity set at the level of individual transactions (all previous users) than Monero (some randomly chosen subset of previous users).

tldr, these are both serious, credible cryptographic techniques to deliver private transactions, with different advantages and disadvantages.

That insolent banned narcissist claimed the main difference is that the IP address and other markers of activity could be correlated to specific UTXO on the ring of potential payers and that this was not possible in Zcash. And he arrogantly claimed that this was some fundamental distinction. Thanks for the clarifying slogan.

He claims that you don't need to use Tor/I2P to hide your IP if you are using zerocash because the transactions are so opaque even revealing your IP does not matter. I'm sure there is a narrow way of looking at it that makes that the case, but overall, I don't agree and the Zcash developers don't agree (they are integrating Tor).

Monero works with a Tor proxy and will have I2P integrated. Dash (and Bitcoin) works with Tor.

Yeah! Everybody knows Tor is precisely 98% reliable same as the internet and precisely 98% anonymous which is much better than the internet. That TPTB tried to pull the wool over our eyes.

And everybody knows that when a payer reveals his or her identity to the recipient of the transaction, then it is still necessary to employ Tor to hide the IP address from the recipient because otherwise the recipient would know the identity of the payer.

Your logic is clearly superior to AnnoyingMint's drivel.
monsterer
January 27, 2016, 02:10:26 PM
 #24

And everybody knows that when a payer reveals his or her identity to the recipient of the transaction, then it is still necessary to employ Tor to hide the IP address from the recipient because otherwise the recipient would know the identity of the payer.

That's a logical contradiction. If the payer reveals their identity, it is revealed, full stop.
dEBRUYNE
January 27, 2016, 02:10:37 PM
 #25

Relevant post of Monero vs Zcash. There was also a discussion on reddit, most of it is the same though.

https://www.reddit.com/r/Monero/comments/41vg68/monero_vs_zcash_eli5_fundamental_differences

Also, st0at check the last quote where IP obfuscation is mentioned.


I'll just copy my reddit comment here:

I've made this list earlier:

List of possible pitfalls wrt ZeroCash/ZeroCoin:

[1] If ZeroCash/ZeroCoin is launched on behalf of a company, which seems the case here, the company can be given a gag order (e.g. to add a line of malicious code).

[2] If I recall correctly, the creator of the genesis block holds some kind of masterkey. As a result, you have to trust this person. Even if this key was held by a group, you still have to trust that particular group. In addition, you have to trust the program they run to create the Genesis block (the masterkey could be in there).

[3] It's too opaque in my opinion. If a bug existed that would create additional coins, there is no way you would see it.

[4] The math and cryptography backing it isn't peer reviewed yet and in an infancy stage.

[1] seems to be confirmed. They will be launching as a for profit company, see:

Quote
For its first four years online, a portion of every mined Zcash coin will go directly to Wilcox’s Zcash company

This could also invoke some legal issues, since they are basically not a decentralized currency and bear in mind they are **US** based (http://www.bizapedia.com/de/THE-ZEROCOIN-ELECTRIC-COIN-COMPANY-LLC.html). Just remember what happened with Ripple.

Basically, with Ring Confidential Transactions included in Monero it's basically pepsi vs coke (thanks to u/smooth_xmr for this analogy), where both have their advantages and disadvantages.

P.S. They are currently only on testnet, the "real-version" is at least 6 months away.

P.P.S. It seems like their transactions are also quite inefficient compared to Monero's. See this description on how to get from the basecoins (the transparent ones) to the zerocoins (anonymous ones):

Quote
This operation (called a pour) might take a minute or two depending on your hardware. It is producing a zero-knowledge proof. (This operation's performance will be improved in the coming months.)

Shen Noether (aka NobleSir), who is obviously more knowledgeable about this subject than me, also made a comparison on reddit:

Quote
I've done a little bit of comparison in the Ring CT paper / you can also look here for some facts on zcash- there are a few I've seen so far

[1] Setup: Monero (Trustless) vs Zerocash (Must Trust zcash company)

[2] Proof Generation: Monero (100's second ) vs Zcash (1/minute)

[3] Algorithm auditability: Monero (a decent number of people seem to understand ring signatures and confidential transactions) vs Zerocash (I'm not sure how many people actually understand the proofs besides the small group of authors) - although this point is certainly subjective.

[4] Poison-pill attack vulnerability: Monero (attacker would need 51%) vs Zerocash Vulnerable, (see zerocash extended paper section 6.4)

[5] Anonymity set: Monero (although the zcash proponents note that a ring signature is a "smaller" anonymity set, they usually don't mention that the stealth address factor actually means that each transaction is masked, whereas the ring signatures provide additional plausible liability, furthermore, since keys appear in different ring signatures in different blocks in time, the anonymity set for when a given key is spent grows infinitely, and could eventually grow larger than the zcash anonymity set at any fixed instant in time) vs Zcash (anonymity set is the entire blockchain )

[6] Anonymous Multisig: Monero (yes! see "written up" link on ring ct sticky, this could make things like lightning potentially possible ) vs Zerocash (?)

[7] Mining: Monero (has its own strongly decentralized mining process) vs Zerocash protocol from the paper lacks its own mining (it's essentially just a distributed anonymous database), so there must be another coin which is mined to convert to zerocash tokens

--note that point 4. is an actual potential compromise of anonymity, which contradicts some of the statements the zerocash team has made.
.
Other Differences are slight: Slight differences in transaction size - however Monero transactions should end up being a bit larger when transmitted, but cost less in terms of storage (their eventual block-chain cost will be approximately 32 bytes* (n+1) where n is mixin + epsilon, where epsilon is the current tx size - ring signatures (Note in the recent Ring CT drafts, there is pruning mentioned for the range proofs, see the "written up" link)


https://www.reddit.com/r/Monero/comments/41vg68/monero_vs_zcash_eli5_fundamental_differences/cz63pqw

And:

TPTB_need_war has repeatedly been stating that Zerocash does not need IP obfuscation and therefore is not subject to I2P/TOR, which are, in his opinion, flawed.

However, it seems like Zerocash actually needs IP obfuscation as well and they seem to go with TOR, see -> https://twitter.com/ioerror/status/689958030859960321

I took out this excerpt from the discussion in this thread -> https://bitcointalk.org/index.php?topic=1139756.msg13623846#msg13623846 (starting point).

Look way back in 2014 when you launched Monero, I told you smooth and fluffypony that IP address correlation was the weakness. Fluffypony proceeded to try to integrate I2P. I warned you all many times that was not an adequate direction. But you wouldn't listen.

I2P, and even somewhat Tor, is perceived as adequate by 99% of the market. The remaining 1% may be smarter but isn't obviously much of a market at all. Very niche-y.

By the speculators because they are clueless.

But the corporations do not use darknets. They want privacy on the block chain, like we have disk encryption. Mention dark nets, illegal drug trade, etc, and they won't touch it with a 100 foot pole.

I would guess that many corporations do use Tor now for certain things. I2P will be integrated and invisible. No one will know or care how it works, except that the obvious network level vulnerabilities having to do with broadcasting transactions will be removed, and it will pass routine (though not intelligence agency level) technical muster for being private sufficient to satisfy most of the market. That's my opinion, and you are welcome to disagree.

Zerocash still needs IP obfuscation for a lot of private usages in practice too. They acknowledge it in the paper.

Zerocash does not need IP obfuscation when all the transactions are in the private zerocoins. Cite the section of the paper. I think you must be misunderstanding something. You are probably conflating the use of the regular non-anonymous coins mentioned in the paper.

Here you are making excuses again. Corporations are not going to trust unprovable shit. And moreover, mixnets are always vulnerable to flood attacks. They are very, very unreliable. Not only do I disagree, but I also think you are ignoring basic fundamental realities about the technologies.

Edit: arguing for Tor/I2P is akin to arguing for Dash's off chain mixing. Now look in the mirror and remember your arguments for End-to-End Principled ring sigs (versus off chain mixing) and realize the same logic applies to why Zerocash is superior to using off chain mixnets. Hypocrite.

Edit#2: okay I see the section you are referring to:

Quote
6.4 Additional anonymity considerations
Zerocash only anonymizes the transaction ledger. Network traffic used to announce transactions, retrieve blocks, and contact merchants still leaks identifying information (e.g., IP addresses). Thus users need some anonymity network to safely use Zerocash. The most obvious way to do this is via Tor [DMS04]. Given that Zerocash transactions are not low latency themselves, Mixnets (e.g., Mixminion [DDM03]) are also a viable way to add anonymity (and one that, unlike Tor, is not as vulnerable to traffic analysis). Using mixnets that provide email-like functionality has the added benefit of providing an out-of-band notification mechanism that can replace Receive.

Additionally, although in theory all users have a single view of the block chain, a powerful attacker could potentially fabricate an additional block solely for a targeted user. Spending any coins with respect to the updated Merkle tree in this "poison-pill" block will uniquely identify the targeted user. To mitigate such attacks, users should check with trusted peers their view of the block chain and, for sensitive transactions, only spend coins relative to blocks further back in the ledger (since creating the illusion for multiple blocks is far harder).

I will need to understand this attack better. Seems to me they are saying that you need to spend from a block where your pour transaction was the only transaction in the block. But the user would I think know this and thus not spend the coin any more. Thus I believe the anonymity remains provable without the use of any mixnet. I will need to understand this more deeply to be sure.

Bear in mind that I2P will be integrated in Monero, but you can always choose to run Monero over TOR if you want.

Privacy matters, use Monero - A true untraceable cryptocurrency
Why Monero matters? http://weuse.cash/2016/03/05/bitcoiners-hedge-your-position/
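
The mitigation in the section 6.4 excerpt quoted in the post above (cross-check your view of the block chain with trusted peers, and spend only relative to blocks further back), sketched as an added example that is not part of the thread or of Zerocash's code. Block ids stand in for the Merkle-tree state a spend would reference; the function names, peer names and chain data are all constructed for illustration.

```python
import hashlib
from collections import Counter

GENESIS = "00" * 32  # placeholder parent id for the first block


def block_hash(prev_hash, payload):
    """Toy block id: SHA-256 over the parent id and a payload label."""
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


def make_chain(payloads):
    """Build a list of block ids indexed by height (constructed test data)."""
    chain, prev = [], GENESIS
    for payload in payloads:
        prev = block_hash(prev, payload)
        chain.append(prev)
    return chain


def peers_agreeing(local_chain, peer_views, height):
    """Names of peers that report the same block id as we do at `height`."""
    ours = local_chain[height]
    return sorted(
        name for name, view in peer_views.items()
        if height < len(view) and view[height] == ours
    )


def divergent_heights(local_chain, peer_views):
    """Heights where our block differs from the id most peers report.

    A block that only we were shown is what the poison-pill case looks like.
    """
    flagged = []
    for height, ours in enumerate(local_chain):
        seen = Counter(v[height] for v in peer_views.values() if height < len(v))
        if seen and seen.most_common(1)[0][0] != ours:
            flagged.append(height)
    return flagged


def choose_anchor(local_chain, peer_views, min_depth=6, quorum=None):
    """Pick the newest block that is safe to spend relative to.

    The block must sit at least `min_depth` below our tip and be confirmed
    by at least `quorum` peers (default: every peer). Returns (height, id),
    or None when no block qualifies, in which case the spend should wait.
    """
    if not peer_views:
        return None  # nobody to cross-check against
    if quorum is None:
        quorum = len(peer_views)
    start = len(local_chain) - 1 - min_depth
    for height in range(start, -1, -1):
        if len(peers_agreeing(local_chain, peer_views, height)) >= quorum:
            return height, local_chain[height]
    return None


# Constructed scenario: ten honest blocks; our node was fed a fabricated tip.
HONEST = make_chain([f"block-{i}" for i in range(10)])
LOCAL = HONEST[:9] + [block_hash(HONEST[8], "fabricated-for-target")]
PEERS = {"peer-a": HONEST, "peer-b": HONEST, "peer-c": HONEST}

if __name__ == "__main__":
    print("divergent heights:", divergent_heights(LOCAL, PEERS))
    print("anchor, depth 0:", choose_anchor(LOCAL, PEERS, min_depth=0)[0])
    print("anchor, depth 3:", choose_anchor(LOCAL, PEERS, min_depth=3)[0])
```

The peer check only helps if the peers are reached over paths the attacker does not also control; the depth requirement covers the case where that assumption fails for the newest block.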
Fuserleer
January 27, 2016, 02:19:12 PM
 #26

Functionally the main difference between Monero and Zcash (esp. after RingCT is integrated) is that Zcash has a larger anonymity set at the level of individual transactions (all previous users) than Monero (some randomly chosen subset of previous users).

tldr, these are both serious, credible cryptographic techniques to deliver private transactions, with different advantages and disadvantages.

That insolent banned narcissist claimed the main difference is that the IP address and other markers of activity could be correlated to specific UTXO on the ring of potential payers and that this was not possible in Zcash. And he arrogantly claimed that this was some fundamental distinction. Thanks for the clarifying slogan.

He claims that you don't need to use Tor/I2P to hide your IP if you are using zerocash because the transactions are so opaque even revealing your IP does not matter. I'm sure there is a narrow way of looking at it that makes that the case, but overall, I don't agree and the Zcash developers don't agree (they are integrating Tor).

Monero works with a Tor proxy and will have I2P integrated. Dash (and Bitcoin) works with Tor.

Yeah! Everybody knows Tor is precisely 98% reliable same as the internet and precisely 98% anonymous which is much better than the internet. That TPTB tried to pull the wool over our eyes.

And everybody knows that when a payer reveals his or her identity to the recipient of the transaction, then it is still necessary to employ Tor to hide the IP address from the recipient because otherwise the recipient would know the identity of the payer.

Your logic is clearly superior to AnnoyingMint's drivel.

As always it's simply a case of "use what's right for the job", there's tradeoffs with everything.

If you want as close to real anonymity as you can get, then use Zero, Monero and connect over TOR/I2P (I too don't agree with TPTB's statements on the IP argument).  If you want some other feature that these can't provide due to technical limitations, then settle for a pseudo-anon platform and again, connect over TOR/I2P.

If you don't care, well, use whatever you fancy :)

afbitcoins
January 27, 2016, 08:19:30 PM
 #27

I have done zero bedtime reading about zero cash so forgive me if I'm writing crap, but anyway my impressions I have that I don't like are that it is owned by a company. In a sense it is centralised with a generous slice of minted coins directed to the aforementioned company.

Also I remember hearing about an anonymisation technique in which you have to trust the person who generated the first block to destroy the private key without writing it down, otherwise they have the ability to decrypt the anonymisation forever after. Is this using that technique ? If so why trust they don't have the backdoor key handy ?

LucyLovesCrypto
January 27, 2016, 09:56:12 PM
 #28

Also I remember hearing about an anonymisation technique in which you have to trust the person who generated the first block to destroy the private key without writing it down, otherwise they have the ability to decrypt the anonymisation forever after. Is this using that technique ? If so why trust they don't have the backdoor key handy ?

Your memory is only partially right. There is a potential problem with trusted setup. They have said they plan to do this in some public ceremony with multiple parties so that unless ALL of those parties collude, the minting process is safe.

If all parties colluded they could print an unlimited number of coins undetected, however the privacy of transactions would not be affected. Essentially it is an economic threat of a poorly designed setup allowing parties to collude to print unlimited coins. There is not a privacy threat from collusion.
slapper
January 27, 2016, 10:11:36 PM
 #29

It doesn't matter because some people have already voted to become the company's sales representatives and will be applying for positions as soon as they are available. It's too bad they are not doing an ICO. All we need is voodoo TA charts and dumperooo.

Anyways let's wait for the coin company to set up help desk and support lines first.

paratox
January 27, 2016, 10:25:16 PM
 #30

Also I remember hearing about an anonymisation technique in which you have to trust the person who generated the first block to destroy the private key without writing it down, otherwise they have the ability to decrypt the anonymisation forever after. Is this using that technique ? If so why trust they don't have the backdoor key handy ?

Your memory is only partially right. There is a potential problem with trusted setup. They have said they plan to do this in some public ceremony with multiple parties so that unless ALL of those parties collude, the minting process is safe.

If all parties colluded they could print an unlimited number of coins undetected, however the privacy of transactions would not be affected. Essentially it is an economic threat of a poorly designed setup allowing parties to collude to print unlimited coins. There is not a privacy threat from collusion.

I think that will be the biggest problem. Why should anyone trust a few people (from a "for profit" company) to not profit if they have the possibility to do it without anyone noticing it?  That's a no-brainer...
DaveyJones
January 27, 2016, 11:16:49 PM
 #31

Also I remember hearing about an anonymisation technique in which you have to trust the person who generated the first block to destroy the private key without writing it down, otherwise they have the ability to decrypt the anonymisation forever after. Is this using that technique ? If so why trust they don't have the backdoor key handy ?

Your memory is only partially right. There is a potential problem with trusted setup. They have said they plan to do this in some public ceremony with multiple parties so that unless ALL of those parties collude, the minting process is safe.

If all parties colluded they could print an unlimited number of coins undetected, however the privacy of transactions would not be affected. Essentially it is an economic threat of a poorly designed setup allowing parties to collude to print unlimited coins. There is not a privacy threat from collusion.

I think that will be the biggest problem. Why should anyone trust a few people (from a "for profit" company) to not profit if they have the possibility to do it without anyone noticing it?  That's a no-brainer...

Right, what I said last page.
CoinHoarder
January 28, 2016, 02:11:18 AM
 #32

Also I remember hearing about an anonymisation technique in which you have to trust the person who generated the first block to destroy the private key without writing it down, otherwise they have the ability to decrypt the anonymisation forever after. Is this using that technique ? If so why trust they don't have the backdoor key handy ?

Your memory is only partially right. There is a potential problem with trusted setup. They have said they plan to do this in some public ceremony with multiple parties so that unless ALL of those parties collude, the minting process is safe.

If all parties colluded they could print an unlimited number of coins undetected, however the privacy of transactions would not be affected. Essentially it is an economic threat of a poorly designed setup allowing parties to collude to print unlimited coins. There is not a privacy threat from collusion.

I think that will be the biggest problem. Why should anyone trust a few people (from a "for profit" company) to not profit if they have the possibility to do it without anyone noticing it?  That's a no-brainer...

Who said there will only be a few people from the company at this ceremony? Maybe they are inviting Mother Teresa, Gandhi, Oprah, and Pinocchio.
CoinHoarder
January 28, 2016, 02:13:31 AM
 #33


You might want to check your facts. Many smart people (and ZeroCash team members) are watching what Monero is doing with RingCT right now:



.... Post from your actual account and then maybe we will consider what you have to say. Obvious sock puppet is obvious.

Even still, a re-tweet hardly constitutes as an endorsement. I am sure he stands behind Zerocash tech and was genuinely interested in RingCT for academic purposes. Pretty much all of the Zcash guys hail from academia.

This is why I never seriously supported Monero. I have claimed repeatedly over the past couple years that better technology would come along and render it useless. I recently invested a little into Monero, because its marketing on these forums is on point, but it is really just a safety net in case Zcash crashes and burns. As long as the initial parameters for Zcash can be generated in a transparent manner, then I have no doubts it will take over the "anon coin" market.

Isn't that even a critical thing to achieve before we can even start to cheer for Zcash?

Not really. If they screw it up, someone will come in behind them and do it properly. The success of the cryptocurrency hinges on this one moment, do you really think they are going to "half ass" it?
st0at
January 28, 2016, 02:55:00 AM
 #34

And everybody knows that when a payer reveals his or her identity to the recipient of the transaction, then it is still necessary to employ Tor to hide the IP address from the recipient because otherwise the recipient would know the identity of the payer.

That's a logical contradiction. If the payer reveals their identity, it is revealed, full stop.

Oh Huh

And he continues his arrogant boasting! Can you believe that he is mr-know-it-all arrogantly insulting the recent points in this thread from Reddit talking to himself and everybody is ignoring him. What kind of sanity is that to have a debate with yourself after you've been kicked out of the party, lol. :D
monsterer
January 28, 2016, 08:09:41 AM
 #35

Oh Huh

If the payer reveals their identity to the recipient voluntarily, then there is nothing you can do, but if he doesn't there should be no way for the recipient to follow the transaction back to him - this is one of the critical failures of the bitshares anonymity design; the payer is always revealed. This doesn't sound like such a big problem until the recipient's wallet gets seized by some authority and all his payers are revealed to them.
st0at
January 28, 2016, 02:43:10 PM
 #36

This doesn't sound like such a big problem until the recipient's wallet gets seized by some authority and all his payers are revealed to them.

Hmmm. If the block chain is entirely amorphous then one would need to seize all recipient wallets to rebuild the structure of the block chain.

Damn the torpedoesfundamentals! Buy the dips!
Matkurb
January 29, 2016, 11:20:40 AM
 #37


Don't ask me to comment on Z.Cash v's Monero/Dash/et. al, ring signatures never interested me due to the 3rd party requirement, so I haven't researched them at all.

Ring signature is built into Monero protocol. So it does not rely on 3rd party involvement. That is my understanding.
TPTB_need_war
January 29, 2016, 02:55:56 PM
 #38

This was written in June 2015, which probably motivated Shen-noether and Maxwell to work on combining CT with CN to create RingCT. And I was working on combining CCT with CN to create ZKT:

https://leastauthority.com/blog/zerocash_and_confidential_transactions.html

Anyway, they all need to catch up with my latest logic on these matters:

https://www.reddit.com/r/ethtrader/comments/42rvm3/truth_about_ethereum_is_being_banned_at/czefpyb

https://bitcointalk.org/index.php?topic=1342223.msg13713790#msg13713790

CoinHoarder
January 30, 2016, 01:25:47 AM
 #39

I finally found some time to properly respond... busy week! :'(

Functionally the main difference between Monero and Zcash (esp. after RingCT is integrated) is that Zcash has a larger anonymity set at the level of individual transactions (all previous users) than Monero (some randomly chosen subset of previous users). In practice the difference is likely somewhat narrower, but difficult to fully characterize.
I agree

The trade off for that difference in anonymity set is a wide gap in efficiency
I agree, but I am not sure it is a huge deal. Most cryptocurrencies hardly process any transactions per second. It is unclear exactly how less efficient Zerocash is compared to RingCT anyways, so we will not really be able to test how big of an effect this will have until both technologies are out in the wild. When using privacy-focused cryptocurrencies, I think that it is reasonable to accept longer transaction processing times and a larger amount of data per transaction for the sake of anonymity/privacy. I am not sure how worried privacy/anonymity focused users will be when it comes to efficiency and data usage.

a wide gap in cryptographic complexity and maturity
I disagree here. Maybe if you are comparing Zerocash to Monero as it currently exists, but you are comparing Zerocash vs Monero with RingCT... hardly anyone truly understands the math behind Monero as it currently exists, much less the math behind RingCT. Although it may be true Zerocash is more complicated mathematically than RingCT, they both are quite hard to grasp if you don't dedicate a long time to understanding them and/or are a mathematician/genius. Furthermore, people use things they don't understand every day. Many people don't understand how a car works but drive, how a credit card works but use their cards for every transaction they make, how a plane works but fly, etc.

probably a gap in implementation maturity
I disagree with this as well. RingCT will be just as new, as far as the implementation, as Zerocash because both have barely entered the library/alpha stage.

the trusted setup,
After a little research, they seem to have figured out a good way to do this using multi party computation. Using MPC to generate the seed was talked about in the original version of Zerocoin, and it seems like they will use their own version of it for Zerocash. If you look into the (now proven false rumors) that Anoncoin was going to implement Zerocoin there is a lot of discussion about MPC. The whitepaper for the MPC math they will use to generate the seed is written by the authors of the Zerocash whitepaper. https://forum.z.cash/t/trusted-setup-phase/68/2

some functional limitations
I'm not sure what you mean

and some stronger cryptographic assumptions (meaning more ways it can break, but not necessarily to a degree that is a huge concern).
I can agree with this.

Anyway given that Monero already uses cryptography rather than mixing, the option to swap out the cryptography with zerocash exists, just as regular ring signatures are now being swapped out with RingCT. There are no current plans to do so for the above reasons, but if zerocash techniques become more mature and trusted (and perhaps efficient), and it becomes clear that's what users want, it could be done at some point.

tldr, these are both serious, credible cryptographic techniques to deliver private transactions, with different advantages and disadvantages.

I agree.

-------------------

I think you gave a mostly fair review, but I disagree (and/or disagree about how big of a deal) some of your claims are.

Disclaimer: I am an investor in Monero, and will also be buying some Zcash as soon as I am able.
TPTB_need_war
January 30, 2016, 01:33:03 AM
 #40

Functionally the main difference between Monero and Zcash (esp. after RingCT is integrated) is that Zcash has a larger anonymity set at the level of individual transactions (all previous users) than Monero (some randomly chosen subset of previous users). In practice the difference is likely somewhat narrower, but difficult to fully characterize.
I agree

Please refute this then if you agree with smooth:

http://reddit.com/r/ethtrader/comments/42rvm3/truth_about_ethereum_is_being_banned_at/czefpyb

There appears to be an epic distinction that is not about anonymity set size (although I claim RingCT will fail in unprovable, uncharacterizable, unreliable ways in that comparison as well), but rather around meta-data.

Note Zcash will be commenting on this soon:

https://forum.z.cash/t/zcash-vs-bytecoin/136/2
https://forum.z.cash/t/fundamental-challenges/39/12?u=shelby3 (here I requested they point out any flaws in my logic if they have time)
