ZCoin compared to ZCash.

Harsh Pokharna
Published in The ZCoin Digest
8 min read · Aug 8, 2017

This is by no means an article trying to declare a winner. ZCoin encourages and appreciates all projects working to restore financial privacy. Except some which are outright scams! But then that’s a topic I will leave for another day ;)

However, you may feel throughout this article that I am a little biased towards ZCoin, and I will not deny this: I have been a long-time community member of both of these projects, and personally I think ZCoin has a much more transparent community that is actually concerned about the issues pointed out in its technology. I will post facts and evidence of my findings. You should form your own opinions and identify the better project irrespective of the popular opinion.

For people who want a quick overview, there is a summary section at the end. However, I highly recommend going through the complete article.

Let me start this article with the most common misconception that people have. They think that ZCoin is a fork of ZCash.

ZCoin is NOT a fork of ZCash

You can’t get any more wrong than this. ZCoin is based on the ZeroCoin paper, while ZCash is based on the ZeroCash paper. The only thing these have in common is that both papers were written by the same authors. And yes, their names start with the letter ‘Z’.

Fun Fact: ZCoin was initially named Moneta

Philosophy

Before doing a deep dive into the protocol-level differences, there is something I want to point out. The researchers behind ZCash have always thought about adding a backdoor.

The article clearly states “….would give you this incredible privacy guarantee, then we could add on some features which let the police, for instance, to be able to track money laundering. A back door.”

Well, then, it’s not really private, is it? The thing with bitcoin users is that they don’t like people tracking their activity. That’s why they are using bitcoin. Adding a backdoor is a sure-fire way to guarantee that nobody uses their service. Simply suggesting that they *might* add a back-door is enough to keep me from using it.

Allowing authorities to view where the transactions went in a “backdoor” kind of defeats the purpose of it being anonymous.

The founder and CEO of ZCash tweeted this recently.

Now, for someone who is interested in anonymous coins, that is a complete turn-off!

This is from zerocash-project.org, an older site that visitors browsing the new z.cash domain will be unlikely to find. After all, Zcash requires trust to work, and hiding the details by using a slightly rephrased question doesn’t build confidence. The answer should also acknowledge that Zcash cannot guarantee that they will succeed in the trusted setup.

Now, coming back to the protocols.

The ZeroCoin protocol is the earlier protocol; the authors then went on to create a new protocol called ZeroCash. Many people ask why ZCoin is using an “obsolete” technology. To answer this question, we first have to understand why the authors decided to create a new protocol.

Basically, ZeroCoin has a larger proof size (approx. 25 Kb), whereas a Bitcoin transaction is around 280 bytes, so the greater proof size was a big blocker for them at that time. On top of that, ZCoin can be minted only in fixed denominations (like 1, 25, 50, 100 and so on). ZCash removes these limitations: it has smaller proofs and no restrictions on denominations. Sounds so much better, right?

But then these benefits come with their trade-offs.

Auditability of Supply

The security of any blockchain ledger comes down to public verifiability of two properties of every transaction: that they are authorized by all required parties, and that they do not affect the total currency supply.

I explained how ZCoin works in the previous article. To summarise it quickly: you take a coin that has its whole transaction history behind it, you burn it and prove to the network that you have burned a coin without specifying which coin you burnt, and then you receive a new coin that has no transaction history. In such a system, if there is any flaw, any number of coins can be generated.

Fun Fact: This has happened with ZCoin

But this is nothing to be worried about, because it shows that ZCoin was able to track this bug only because it has an auditable supply. In ZCash you can’t, as it does not have an auditable supply.

Whereas in ZCash someone can print as much money as they want, for free, and in total secrecy.
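The audit described above can be written down as a check anyone can run over the public ledger. The following Python is an added example, not ZCoin's code: it models a Zerocoin-style ledger as a list of mint and spend events over the fixed denominations the article names and audits each denomination's pool separately. The `Event` type, the `audit_supply` and `outstanding_private_value` functions and both sample ledgers are constructed for this illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed, simplified model of a Zerocoin-style ledger. A "mint" burns a base
# coin of a fixed denomination and publishes a commitment; a "spend" redeems one
# coin of that denomination (via a zero-knowledge proof) into a fresh base coin.
DENOMINATIONS = (1, 25, 50, 100)   # the denominations the article lists


@dataclass(frozen=True)
class Event:
    kind: str          # "mint" or "spend"
    denomination: int


def audit_supply(events):
    """Return {denomination: (minted, spent)} plus the list of denominations whose
    spends exceed their mints. Such an excess means coins were created out of
    nothing, which is exactly what an auditable supply lets the public notice."""
    minted = defaultdict(int)
    spent = defaultdict(int)
    for ev in events:
        if ev.denomination not in DENOMINATIONS:
            raise ValueError(f"unsupported denomination {ev.denomination}")
        if ev.kind == "mint":
            minted[ev.denomination] += 1
        elif ev.kind == "spend":
            spent[ev.denomination] += 1
        else:
            raise ValueError(f"unknown event kind {ev.kind!r}")
    report = {d: (minted[d], spent[d]) for d in DENOMINATIONS}
    inflated = [d for d in DENOMINATIONS if spent[d] > minted[d]]
    return report, inflated


def outstanding_private_value(report):
    """Value still locked in unspent private coins, summed over all denominations.
    Note that an overdrawn pool can hide inside a positive total, which is why
    audit_supply checks each denomination on its own."""
    return sum(d * (m - s) for d, (m, s) in report.items())


# Constructed sample ledgers: HEALTHY is consistent; FORGED spends the 25-coin pool
# one more time than it was ever minted.
HEALTHY = [Event("mint", 25), Event("mint", 25), Event("spend", 25), Event("mint", 100)]
FORGED = HEALTHY + [Event("spend", 25), Event("spend", 25)]

if __name__ == "__main__":
    for name, ledger in (("healthy", HEALTHY), ("forged", FORGED)):
        report, inflated = audit_supply(ledger)
        print(name, report, "inflated:", inflated,
              "outstanding:", outstanding_private_value(report))
```

The forged ledger's total outstanding value is still positive (75), so a single aggregate number would not reveal the problem; the per-denomination count does, and it needs nothing but the public ledger.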

This concern has been raised many times with the ZCash community, but they have always hand-waved it. I personally do not think it is responsible to hand-wave this concern, as it is actually one of the most important aspects of a currency. But then again, it’s their project and it’s their decision how they interact with the community.

For the more curious ones, here’s a link that talks more about the supply manipulation topic.

Cryptography

To achieve small proof sizes, ZCash uses a very new cryptographic technique, developed in the last 2–3 years, called zkSNARKs. Very few people in the industry right now understand this technique.

Fun Fact: Zooko, the creator of ZCash himself admits that he does not understand zkSNARKs completely.

There is a difference between publishing a paper and peer-review. Outside of those involved with Zcash, there is almost no peer-review that the entire approach — from the zk-SNARK implementation to the setup — is sound, and that’s not from lack of trying. Several of the brightest minds in the cryptocurrency space have been asked, and none feel confident enough to implement or teach zk-SNARKs, let alone vouch for the legitimacy of the trusted setup (the details of which were only recently revealed).

It will require time for folks to get a sufficient enough grasp of zk-SNARKs before they can begin to evaluate the full safety and security of what Zcash is proposing to do.

In contrast, ZCoin uses RSA and accumulators, which have years of development behind them and have been battle tested in numerous production applications. RSA is the backbone of financial, defence, space and many other highly secure applications.
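To make the accumulator idea concrete, here is an added toy RSA accumulator in Python. It is example code, not ZCoin's implementation: the modulus `N`, the base `G` and the list of sample coins are constructed for the example, the "coins" are plain primes rather than the commitments Zerocoin actually accumulates, and the witness is revealed in the clear where a Zerocoin spend would prove knowledge of it in zero knowledge.

```python
from functools import reduce
from operator import mul

# Toy parameters, constructed for this example. N is a product of two small primes
# so the example runs instantly; a real deployment uses a modulus whose factorisation
# nobody knows (ZCoin's is taken from an old RSA factoring challenge).
N = 1000003 * 1000033
G = 3   # public base of the accumulator

# In Zerocoin every accumulated value must be prime; here the "coins" are simply
# distinct small primes, constructed as sample data.
COINS = [101, 103, 107, 109]


def accumulate(coins):
    """Fold every coin into one value A = G^(c1 * c2 * ... * ck) mod N."""
    return pow(G, reduce(mul, coins, 1), N)


def add_coin(acc, coin):
    """The accumulator grows incrementally: A' = A^coin mod N, no re-folding needed."""
    return pow(acc, coin, N)


def witness(coins, coin):
    """Membership witness for `coin`: G raised to the product of every OTHER coin.
    Only a coin that was actually minted has an honest witness."""
    if coin not in coins:
        raise ValueError("no honest witness exists for a coin that was never minted")
    others = reduce(mul, (c for c in coins if c != coin), 1)
    return pow(G, others, N)


def verify(acc, coin, w):
    """Public check: w^coin == A mod N. The verifier learns nothing about which
    other coins are in the accumulator, only that this one is."""
    return pow(w, coin, N) == acc


if __name__ == "__main__":
    acc = accumulate(COINS)
    for c in COINS:
        print(c, "member:", verify(acc, c, witness(COINS, c)))
    # A witness for one coin does not vouch for a different coin.
    print(113, "member with 101's witness:", verify(acc, 113, witness(COINS, 101)))
```

The accumulator value is the only thing the network has to store per denomination, regardless of how many coins have been minted; the cost shows up instead in the proof that one holds a valid (coin, witness) pair without revealing it, which is the ~25 Kb proof the article mentions.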

Peter Todd points out here that if RSA is broken, Bitcoin and ZCoin will be the least of our concerns :P

ZeroCash explores very unknown territory, and what they are doing is great. But I personally value the security of a financial network more than anything, because my money is stored there. ZCoin has some minor problems like larger proof sizes, but the security it provides is orders of magnitude higher given ZCash’s unauditable supply and experimental cryptography. And there are very promising efforts within the ZCoin community to decrease the proof sizes.

Trusted setup

This is another major concern and the one that turns me off personally. In ZCash you have to trust a random bunch of people to generate some special parameters and then destroy them. The problem is that you have to believe that all of these individuals destroyed the keys in isolation. And combine that with the unauditable supply which we discussed above, this is a huge problem.

The overall gist is that a trusted setup involves a group of some number of people running a computer program on multiple machines. Assuming there are no flaws in the approach, if at least one of those people manages to correctly follow the setup procedure on a computer that is not compromised, then the project should live up to its claim of having a knowable number of coins.

Here is a link if you want to deep dive.

On the other hand, the ZCoin team is fully confident that they can remove the trusted setup using the Sigma protocol (more on that later in another article).

Fun Fact: ZCoin in its current state uses parameters from a factoring challenge 20 years ago. There was a 200k USD bounty for anyone who could break it, and no one could.
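Why does it matter that nobody knows the factors of those parameters? The following added Python example (not ZCoin's code) uses a constructed toy modulus whose factors we deliberately keep, and shows that knowing phi(N) is enough to produce a membership witness for a coin that was never minted, from the public accumulator value alone. The modulus, base, sample coins and the `witness_with_trapdoor` function are all constructed for the illustration; a real deployment relies on the modulus being a challenge number whose factorisation is unknown to everyone, which is the whole point of the trusted setup discussed above.

```python
from math import gcd

# Constructed toy parameters. Here we deliberately KNOW the factors of N, which is
# exactly the situation a trusted setup (or a challenge modulus) must rule out.
P, Q = 1000003, 1000033
N = P * Q
PHI = (P - 1) * (Q - 1)   # the trapdoor: only whoever generated N can compute this
G = 3                     # public base
COINS = [101, 103, 107, 109]   # constructed sample "minted coins" (distinct primes)


def accumulate(coins):
    """Honest accumulator value A = G^(product of all minted coins) mod N."""
    prod = 1
    for c in coins:
        prod *= c
    return pow(G, prod, N)


def verify(acc, coin, w):
    """The public membership check every node runs: w^coin == A mod N."""
    return pow(w, coin, N) == acc


def witness_with_trapdoor(acc, coin):
    """With phi(N) in hand, compute w = A^(coin^-1 mod phi(N)). Then
    w^coin = A^(1 + k*phi(N)) = A mod N by Euler's theorem, so the public check
    passes although `coin` was never minted. Requires gcd(coin, phi(N)) == 1."""
    if gcd(coin, PHI) != 1:
        raise ValueError("coin must be coprime to phi(N)")
    return pow(acc, pow(coin, -1, PHI), N)


if __name__ == "__main__":
    acc = accumulate(COINS)
    never_minted = 7919   # a prime that is not in COINS
    w = witness_with_trapdoor(acc, never_minted)
    print("never-minted coin passes the public check:", verify(acc, never_minted, w))
```

A witness produced this way passes every check the network can perform, so the factorisation must be unknown to everyone for the accumulator to be sound. The only backstop is the per-denomination supply audit from the Auditability section: it catches the extra spend after the fact, rather than preventing it.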

Anyway, future developments on Sigma protocol will completely remove the need to have a trusted setup of any sort.

In the words of Greg Slepak,

In Zcash’s current state: it is impossible to know whether a successful attack occurred. Unless a saboteur turns whistleblower, we’ll know it was compromised only after damages have occurred. And the more valuable Zcash is, the more dangerous it is. There is no “Undo” button.

Here is a great video interview of the community manager explaining the main differences.

Summary

Zerocash protocol was meant to improve on Zerocoin protocol on these issues:
1. Zerocoin still requires a basecoin to convert back before being allowed to spend. Zerocash has no more basecoin.
2. Zerocash’s proofs are much more efficient and smaller than Zerocoin’s.
3. Zerocoin uses fixed denominations to mint (1, 25, 50, 100) while Zerocash is not subject to such limitations.
4. Greater privacy with Zerocash since sender/receiver/amount are all obscured.

Zerocoin’s advantages over Zerocash are as follows:
1. Although Zerocoin’s proofs are larger and occupy more storage space, the computational requirements to generate a private transaction are many times lower. Zcash requires large amounts of RAM and minutes of computational time. Zerocoin requires seconds to use and is not memory intensive. Basically, Zerocoin uses more storage space but is computationally much less intensive.
2. Parameter generation for both Zcoin and Zcash requires a trusted setup but Zcoin’s parameters are arguably less controversial. (https://github.com/zcoinofficial/zcoin/wiki/Parameters-in-set-up-phase-for-Zerocoin-in-ZCoin)
3. Most importantly, in Zcoin the total supply is still visible, so if there’s a flaw and someone is secretly creating coins for themselves, this can be much more easily detected. With Zcash, because everything is hidden, if a flaw is exploited, it may be almost impossible to detect!
4. Zerocoin’s tech is more peer reviewed and better understood than Zcash’s. Zcash’s use of zero knowledge proofs uses ZK-Snarks which very few people understand. Even Zooko himself admits he doesn’t understand it (https://www.youtube.com/watch?v=P6RLjcGVUnw&feature=youtu.be&t=17m30s). Note that Zerocoin’s paper was only like 15 pages. Zcash’s paper is more than 50 pages so Zcash’s is considerably more complex which means more things that can go wrong.

I hope I have given you a good insight into how these technologies differ and what the advantages/disadvantages of using them are. However, if you have any more questions or want more details, ZCoin has a very transparent and active community over at Slack. Come ask questions, give suggestions and contribute. Remember, this is a community-driven initiative.

Until next time, see you space cowboys!
