Zcoin is a privacy-centric cryptocurrency based on the Zerocoin protocol, developed by Johns Hopkins University cryptographer Matthew D. Green, Ian Miers, Christina Garman and Aviel D. Rubin. Being privacy-centric, Zcoin has a number of features that help to enhance or protect one’s privacy when performing transactions, including strong, tested encryption; an auditable supply; a larger anonymity set; and zero-knowledge proofs.
No Tumblers/Mixers or Ring Signatures
Tumblers, also known as mixers, attempt to provide privacy by distorting and potentially severing the link between transactions. Through a process known by various names such as ‘tumbling’, ‘coinjoin’, ‘coin shuffling’, ‘fog’, and so on, coins are gathered from multiple sources and mixed together, creating obfuscation. This process could be roughly visualized as shuffling a deck of cards where one card is your transaction.
When tumblers mix coins from various transactions together to create anonymity, each source gets back the same amount of coins that they put in. However, the coins they receive may or may not be the exact coins they put in. When mixers are involved, (1) you must trust the mixer to be honest and (2) the mixer must be online. If the mixer is not online, no mixing can be done. This removes an element of privacy protection.
Mixing can be implemented in two ways: active or passive. Active mixing, as done in DASH’s PrivateSend, requires (1) that all parties are actively involved and intend to participate in the mixing process and (2) that there is enough liquidity. That is, it is a manual process that requires user intervention. Passive mixing, as done in Monero or AEON, is done automatically. One implementation of passive mixing is the use of ring signatures, as in Monero. However, the ring size limits the anonymity set. The effectiveness of mixers as it relates to anonymity is directly proportional to their usage. Zcoin, on the other hand, does not require the use of a mixer or ring signatures. Zcoin has implemented Zerocoin anonymity at the protocol level, making the above mechanisms unnecessary.
Zcoin utilizes a process of minting and spending. Through this process, an individual burns a set of base coins (currently restricted to specific denominations) to mint new coins. These new coins (Zerocoins) can then be used in a spend transaction to convert them back into the base coin. The resulting base coins appear as brand new coins, similar to freshly mined coins with no previous transaction history. They hold no technical link to the initial coins you burned in the minting process. As such, the transactions are rendered anonymous.
In other cryptocurrencies, the anonymity set can be limited by how many people you mix with or how many people with which you form a ring. In Zcoin, however, the anonymity set is based on the number of people who have performed a mint of a particular denomination. This is an ever-increasing number that can scale into the many thousands, whereas mixing solutions are typically limited to a couple of dozen. This level of anonymity is realized instantaneously, and it lets Zcoin’s anonymity set scale far beyond that of other coins.
However, timing could potentially de-anonymize the process. For example, if you always immediately do a Zerocoin spend after a mint with regularity, that pattern could be observed and analyzed to discern which transactions correspond to a prior mint. Therefore, it is advised to mint in advance of planned spend and to let time elapse before spending.
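One way to make the anonymity-set and timing points above measurable, on a constructed ledger (an added example, not Zcoin's code; the (height, kind, denomination) event format and the block heights are assumed):

```python
# Anonymity-set self-check for Zerocoin spends on a constructed ledger.
# Added illustration, not Zcoin's code; the event format is assumed.
from bisect import bisect_left, bisect_right

# (block_height, kind, denomination): constructed sample ledger
LEDGER = [
    (100, "mint", 1), (101, "mint", 10), (102, "mint", 1), (103, "mint", 1),
    (104, "spend", 1), (120, "mint", 10), (130, "mint", 1), (131, "mint", 1),
    (140, "spend", 10), (150, "mint", 1), (200, "spend", 1),
]

def mint_heights(ledger, denom):
    """Sorted heights of every mint of this denomination."""
    return sorted(h for h, kind, d in ledger if kind == "mint" and d == denom)

def anonymity_set(ledger, spend_height, denom):
    """Every mint of the same denomination accumulated before the spend: the
    spend could have come from any of them (spent serials are public, but
    which mint they belong to is not), so this is the set an observer faces
    when no timing pattern is available."""
    return bisect_left(mint_heights(ledger, denom), spend_height)

def mints_since(ledger, my_mint_height, spend_height, denom):
    """Mints of the same denomination by others between your mint and your
    spend. Zero means your mint is still the latest one when you spend, which
    is the pattern the text warns could be used to pair a mint and a spend."""
    hs = mint_heights(ledger, denom)
    return bisect_left(hs, spend_height) - bisect_right(hs, my_mint_height)

def earliest_spend_height(ledger, my_mint_height, denom, min_between):
    """Height from which at least min_between further mints of this
    denomination sit between your mint and your spend, i.e. how long to let
    time elapse. Returns None if the ledger has not reached that point yet."""
    if min_between < 1:
        return my_mint_height + 1
    hs = mint_heights(ledger, denom)
    later = hs[bisect_right(hs, my_mint_height):]
    if len(later) < min_between:
        return None
    return later[min_between - 1] + 1
```

With the sample ledger, the denomination-1 spend at height 104 has an anonymity set of 3 but zero mints between the mint at 103 and the spend, while waiting until height 200 puts 3 other mints in between.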
Zcoin has an auditable supply, and this has been tested. Without this feature, forged coins cannot be detected, as is the case in other coins such as Zcash or Hush. Forgery of coins may occur if a trusted setup is broken, if a flaw in the cryptography is found, or if there is an implementation bug. In Zcash, the use of experimental cryptography and a controversial trusted setup compounds this risk.
Zcoin utilizes RSA accumulators. RSA, having been around for decades, has seen thorough review and usage throughout industry, such as in financial applications. Other currencies use less suitable cryptography that is not as widely used, reviewed, or tested. Additionally, the Zerocoin paper is frequently cited by academics, and the cryptographic schemes underpinning the technology are peer-reviewed.
For example, Zcash uses zk-SNARKs, an experimental form of cryptography that relies on arguably weak cryptographic assumptions and generates private transactions significantly more slowly than alternatives. Further, because Zcash does not have an auditable supply, any break in the chain related to this experimental cryptography cannot be detected.
An example of what happens when thoroughly tested cryptography is not used is the case of IOTA in the latter half of 2017. A group of individuals discovered that the developers implemented their own hash function. This function produced collisions that allowed forgery of signatures on payments.
Currently, Zcoin uses a trusted setup, meaning certain initial parameters need to be generated and then destroyed. Leakage of these parameters can allow forgery of coins. Zcoin’s trusted setup uses parameters from the RSA Factoring Challenge of 1991, where special care was taken to destroy the initial parameters. Zcoin plans to eliminate the trusted setup with the implementation of the Sigma protocol, for which a proof-of-concept library is already functional while coding continues.
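The mint/spend flow, the RSA accumulator and the trusted-setup modulus described above, reduced to a toy model (an added illustration, not Zcoin's code): the commitment group P, G, H, the modulus N and the base U are tiny constructed stand-ins, and the zero-knowledge proof a real spend carries is omitted, so membership is checked in the clear.

```python
# Toy model of the Zerocoin mint/spend flow on an RSA accumulator.
# Constructed illustration: tiny stand-in parameters, no zero-knowledge proof.
from math import isqrt

P, G, H = 1000003, 2, 3   # toy commitment group (assumed, not Zcoin's)
N = 104723 * 104729       # stand-in for the trusted-setup RSA modulus: anyone
                          # who knows its factors could forge witnesses
U = 65537                 # accumulator base, coprime to N

def is_prime(n):
    return n > 1 and all(n % d for d in range(2, isqrt(n) + 1))

def mint(serial, r=1):
    """Commit to a fresh serial, c = G^S * H^r mod P, retrying r until c is
    prime because only primes are accumulated (burned base coins not modelled)."""
    while True:
        c = pow(G, serial, P) * pow(H, r, P) % P
        if is_prime(c):
            return {"serial": serial, "r": r, "coin": c}
        r += 1

def accumulate(coins):
    """Public accumulator A = U^(c1*c2*...*cn) mod N over every minted coin."""
    a = U
    for c in coins:
        a = pow(a, c, N)
    return a

def witness(coins, c):
    """Witness for c: U raised to the product of every other coin. Each later
    mint changes A, so an old witness must be updated as w = w^c_new mod N."""
    w = U
    for other in coins:
        if other != c:
            w = pow(w, other, N)
    return w

def verify(acc, w, c):
    """c is a member of the accumulator iff w^c == A (mod N)."""
    return pow(w, c, N) == acc

spent_serials = set()   # serials already redeemed (what the chain tracks)

def spend(acc, coin, w):
    """Redeem a Zerocoin: reveal the serial so a repeat is caught, and show
    membership. Real Zcoin proves membership and the commitment opening in zero
    knowledge so the coin value c stays hidden; here c is checked in the clear."""
    if coin["serial"] in spent_serials or not verify(acc, w, coin["coin"]):
        return False
    spent_serials.add(coin["serial"])
    return True
```

A witness taken before a later mint no longer verifies against the updated accumulator until it is raised to the new coin value, and a second spend of the same serial is rejected.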
Zcash, based on the Zerocash protocol and also developed by the same Matthew D. Green, is a separate project that he moved on to after developing the Zerocoin protocol. Zcash, by contrast, uses a multi-party ceremony to generate the parameters for its trusted setup. At this time, Zcash is considering replacing the trusted setup with zkSTARKs.
An important difference between the trusted setups of Zcoin and Zcash is that for Zcoin, the trusted setup was done completely by third parties (meaning that even the Zcoin developers cannot know the initial parameters) and came from a purely academic challenge meant to test the practical difficulty of cracking RSA cryptography. This was further strengthened by a USD $200,000 bounty to find those RSA Factoring Challenge parameters, which remained unclaimed; to date, to the best of our knowledge, the challenge has not been broken. As such, the incentive for secretly keeping the initial parameters is a lot lower compared to Zcash’s trusted setup, which was done solely for the creation of Zcash.
Zcoin implements several of the most advanced technologies to help prevent information leakage and ensure privacy. Through tested encryption, an auditable supply, and privacy mechanisms, such as a large anonymity set and zero-knowledge proofs, Zcoin helps to ensure security, integrity of supply, and preserve privacy on the network.