47 comments

[ 2.6 ms ] story [ 107 ms ] thread
I worked in the cryptocurrency space for a while and zcash was definitely one of the altcoins that I hoped would succeed. A Bitcoin fork that’s privacy focused, what’s not to like?
I also worked in the crypto space, as an architect/applied cryptographer with ConsenSys, here's what's not to like with Zcash:

* the fact that 20% of the block reward is given to the founders as a "fee". i.e. 6 people will end up with 20% of a "global currency".

* the fact that it's a "privacy focused" crypto-currency and the CEO said "we can make it private, but not for criminals" i.e. backdoored. (https://twitter.com/zooko/status/863202798883577856?s=20)

* the fact it's a crypto-currency with a CEO.

* the fact that the ZK-SNARKs they use (however mathematically beautiful), requires a trusted setup, i.e. prover key(non I/O), verify key(target polynomial, secret point, I/O), from random elements. Trusted setup generates a point where the polynomial is evaluated on, and should it not be disposed of properly the consequences are devastating. (You shouldn't need to trust people to use crypto).

* the fact the SNARKS are computationally expensive and no-one uses them. Thus opt in privacy and reduced anonymity set.

People just associate “zk-snark” with "big-ass anonymity sets for free" when really it’s “complex circuit enforcement enabled by verifier-efficient trusted proving system"

I totally agree BTC + Privacy is the holy-grail of crypto, and Monero is the project that's the furthest towards that goal with an actually competent team.

Take it from someone that does this for a living, use Monero instead.

I disagree that these are disqualifying, and also disagree Monero is a better alternative, but you missed one big one I do find worrying about zcash: there's no way to verify supply. Not only do you have to trust the trusted setup, but if the cryptography is broken it will be very difficult to find out there's no way to verify that coins are not being created from this air.
> and also disagree Monero is a better alternative

It's empirically better.

Monero uses zero-knowledge proofs for the range proof, cryptographically protects the sender, receiver and notional.

Monero uses known, audited cryptographic primitives, elliptic curve Diffie-Hellman over curve25519, EdDSA signature over the twisted Edwards variant of the same curve, libsodium.

Monero is much less likely to have a production exploit than zcash.

Are you saying if you needed to send money privately you'd actually choose Zcash over Monero?

> Monero uses known, audited cryptographic primitives, elliptic curve Diffie-Hellman over curve25519, EdDSA signature over the twisted Edwards variant of the same curve, libsodium.

The cryptographic primitives in zcash are also audited.

It's also the case that the cryptography underlying the next generation of zkSNARKs (which will be used by zcash) is the same as what Monero uses for range proofs; it's trustless (or low trust).

> Monero uses zero-knowledge proofs for the range proof, cryptographically protects the sender, receiver and notional.

Again, this is an over-simplification; the anonymity set is smaller, and moreover more difficult to analyze.

Monero is cool, but it has fundamental flaws: its anonymity set. And ring signatures is not standard crypto at all. Less complexity than zk-SNARKs for sure, but there's a trade off in confidentiality.
> "we can make it private, but not for criminals"

That's literally not what Zooko said.

> I think we can successfully make Zcash too traceable for criminals like WannaCry, but still completely private & fungible.

At the very least it'd be interesting to see what exactly he meant by that. He's got enough crypto and pro-privacy cred to be worth a listen.

Yes I linked to the tweet when I wrote the comment.

I paraphrased his babel in my comment for brevity.

> I think we can successfully make Zcash too traceable for criminals

a bit like:

"I think we can make this encryption algorithm too weak for criminals, but strong enough for everyone else"

> He's got enough crypto and pro-privacy cred to be worth a listen.

Not from what I understand.

> Not from what I understand.

What is your understanding?

Well apparently he thinks the laws of mathematics change based on your criminality status, for one.
source?
>I think we can successfully make Zcash too traceable for criminals like WannaCry, but still completely private & fungible.
That'd be the trivial knee-jerk interpretation. Look up Zooko, his past work and background. See if you still think he doesn't know how "the laws of mathematics" work.

It's also why I said it'd be genuinely interesting to him elaborate on that statement.

Unfortunately you're not thinking about regulations, which Zcash has to think about every day.
Zcash is no more compatible with “regulations” than any other cryptocurrency
> Take it from someone that does this for a living

What do you do for a living?

Work in cryptography, applied cryptography, enterprise architecture with blockchain, and security architecture.
Do you do this for a company or any specific projects? I’m just trying to understand because I’m also a big fan of ZCASH but your statements are so bold and matter-of-fact, so I want to learn more about you and see what experiences you have that qualify those statements.

Thanks in advance!

The person you’re asking kind of gave all the information needed to verify. Second rule in crypto: don’t trust, verify ;)

OC sounds legit but if you look at peoples credentials as proxy for trustworthiness you will get burned. Just look at the sketchy endeavors of David Chaum, for one.

So why not apply for a ZEC grant and make it better?
> BTC + Privacy is the holy-grail of crypto

The holy grail doesn't exist. It's all about trade-offs.

Bitcoin has a transparently auditable supply. Privacy coins based on Confidential Transactions have a choice between perfect soundness and perfect privacy. So far they all choose the latter (Pedersen commitments), as it also happens to be more efficient than the former (El-Gamal commitments). But it means that knowledge of a single discrete log allows undetectable inflation.

Then there's the scalability trade-off. Bitcoin allows a full client to prune all spent outputs after verification, to minimize disk-space. Privacy coins need to keep some information about past transactions. Worse still, the Initial Block Download is way bigger due to the sizeable range proofs. Except for the Mimblewimble based coins, in which spent outputs can be completely forgotten. But those are still mostly traceable...

Then there are trade-offs in emission. A fixed supply sounds great for scarcity/speculation, but also risks mining instability / security risks down the road as the block subsidy dwindles.

Then there are trade-offs in transaction throughput. You can easily increase it with bigger and more frequent blocks, but then resources needed to fully verify all transaction history will make it less decentralized.

A quickly falling block reward is good for early adopters but also leads to wealth concentration.

Smart contracts increase functionality but as they say complexity is the enemy of verification, and the attack surface gets much bigger.

Etcetera, etcetera.

What do you think about Aztec (zkRollup L2 for Ethereum)? I tend to get really excited about it as it looks like a private by default system that supports smart contracts (including calling L1 in some cases), inherits Ethereum's security, and is interoperable with DeFi and Ethereum's ecosystem.

It sounds fairly perfect for us cypherpunks but I just know there's some blemish that I'm missing. If there's not then it makes me very hopeful for our future.

Yep I think Aztec is pretty cool.

It’s not trying to provide an anonymous base for the platform though.

Crypto tribalism aside, you got two technical points fundamentally wrong about the cryptography: 1) snarks are fast now. It takes 3 seconds on a pixel phone for Zcash.

2)The decoy based approaches Monero uses are subject to all kinds of passive and active attacks. Both in practice ( https://arxiv.org/pdf/1704.04299/) and just fundamentally: https://www.youtube.com/watch?v=9s3EbSKDA3o. There are ways to mitigate some of these problems to a degree. This is why you hear Monero people talk about coin control and churning (both of which can make you stand out in other ways). But the fact that they have to mention that should tell you its far from a perfect solution cryptographically.

There's a reason projects go with the large anonymity set approach. And if you're a cryptographer at ConsenSys, you should know that: it's what Ethereum is doing with Aztec. You also should know several projects, including Zcash, are working on trustless setup zk proofs.

(Disclosure: I am involved in Zcash.)

Those issues with monero in that paper were already fixed. Years ago.

Disclaimer: I wouldn't trust zcash for anything.

How much non-default "churning" should a Monero user manually choose for maximum privacy?
Most of those attacks, as the paper points out, are fixed. The one that is still relevant is the issues around sampling decoys vs real spends. At the time, with high probability you could assume the most recent tx in the set of decoys was the real source of funds because money is spent frequently. Monero improved their sampling algorithm, but it's still an arms race. The existence of the problem at all, whether or not its reasonably dealt with, should tell you monero isn't cryptographicly strong privacy, its obfuscation. This isn't a Zcash vs Monero thing, people should do their own comparisons. But that has to start with facts.
You mentioned Aztec so I'd like to ask you my unanswered question for him below as I'd love to hear the opinion of an expert!

What do you think about Aztec (zkRollup L2 for Ethereum)? I tend to get really excited about it as it looks like a private by default system that supports smart contracts (including calling L1 in some cases), inherits Ethereum's security, and is interoperable with DeFi and Ethereum's ecosystem. It sounds fairly perfect for us cypherpunks but I just know there's some blemish that I'm missing. If there's not then it makes me very hopeful for our future.

I'd suggest you read the whole thread and not just that one tweet.
> * the fact that 20% of the block reward is given to the founders as a "fee". i.e. 6 people will end up with 20% of a "global currency".

This applied to the first 4 years of issuance, so it's actually only 10% of the total supply, and it went to not just founders but also advisors, investors, etc, and some was donated to the Zcash foundation, so the portion that was personal profit for 6 people was much smaller! The bulk went into... paying salaries for quite a lot of developers. Since then another dev reward was agreed on (for the next 4 years), but this is going directly to the company+foundation directly building Zcash with no "founder share".

TLDR: the share of the Zcash supply of which "6 people" are receiving through in-protocol issuance is much smaller than 20%.

> * the fact that it's a "privacy focused" crypto-currency and the CEO said "we can make it private, but not for criminals" i.e. backdoored. (https://twitter.com/zooko/status/863202798883577856?s=20)

Zooko did NOT mean backdoors; he meant things like KYC at exchanges and giving people the ability to voluntarily give "viewing keys" to law enforcement that prove which transactions they actually send/received.

See some follow up tweets:

https://twitter.com/zooko/status/863516385426755585 https://twitter.com/zooko/status/864342017605750784

> * the fact it's a crypto-currency with a CEO.

Fair point! Zcash governance is definitely more centralized in that way (though there is a lot of community engagement, as we saw in the [dev fund extension](https://electriccoin.co/reaching-consensus/)). We'll see how it evolves.

> * the fact that the ZK-SNARKs they use (however mathematically beautiful), requires a trusted setup, i.e. prover key(non I/O)

Also a valid point, though this is a big part of why they have been working on Halo, a ZK scheme which does not require trusted setups and still has the benefits of succinct proofs etc.

> * the fact the SNARKS are computationally expensive and no-one uses them. Thus opt in privacy and reduced anonymity set.

These days you only need a few seconds to make a SNARK, even on a phone! But the "opt in privacy" thing is definitely a fair point; I hope that they can escape their bitcoin roots somewhat and get rid of transparent addresses and Script and that whole mess entirely at some point, but we'll see.

As Vitalik said, most of GP's message is wrong. The trusted setup was participative, as in anyone could participate and as long as one person was honest the protocol was secure. I know people who participated, I think it's FUD to say that the trusted setup is not great if you're getting value from it (short-size proofs).

Furthermore zk-SNARKs are the best constructions out there for confidentiality, not ring signatures, as was demonstrated many times on research on Monero

tl;dr monero does not provide that much confidentiality because the anonymity set is too small. In other words, you are only hiding your transaction among multiple ones, whereas Zcash hides your transactions among all the set of accounts.

> giving people the ability to voluntarily give "viewing keys" to law enforcement that prove which transactions they actually send/received

That's not a good thing.

The fifth amendment becomes weaker over time; and may not apply in locales outside the US.

LE can easily coerce you to reveal your viewing keys, and assume you are guilty if you don't. That would be a bug, not a feature. See recent discussion proposing that google make its expired DKIM keys publicly available.

Viewing keys are standard in privacy-preserving cryptocurrencies, and are required for payment detection without spend authority. CryptoNote derivatives like Monero also have them. We absolutely need to fight against misuse of this feature.
> A Bitcoin fork that’s privacy focused, what’s not to like?

Is it accurate to describe it as a fork?

In any case, I'm most concerned about the fact that there was some kind of mysterious collaborative operation [1] for the z-SNARK bootstrapping.

If Monero and ZCash have similar properties, Monero seems to be superior because it requires less trust.

[1] https://www.wnycstudios.org/podcasts/radiolab/articles/cerem...

I think they mean a fork of the codebase.
Yes -- I didn't think it was one. But I see now that I was mistaken.
I haven’t seen a single grant system in the crypto space that was worthwhile.

Gitcoin is arguably the closest to working but at least it’s obvious that it’s a popularity contest there.

All the corporate controlled grants are super arbitrary, unorganized, opaque and you don't even know who you are selling to.

And all the community ones are penny pinched popularity contests where everyone still imagines that specialized devs from Malaysia will work at low rates.

You can donate to the EFF and they’ll match all donations until Wednesday if you send shielded ZEC with the memo “powerup”.
This post is about earning money, not sending it away. Exchanging time for food and shelter. Somehow that wasn't clear and I got replies tangentially related to "organizations + grant + crypto".

When I said "worthwhile", I was talking about applying for development contracts.

The Monero Community Crowdfunding System (CCS) has funded a lot of fundamental research and implementations https://ccs.getmonero.org/

Also Monero is superior to ZCash in both tech and ethos.

The mimblewimble based cryptos (grin,beam) are using way better tech than ZCash.

Even Monero is better than ZCash.

Tezos is getting ZCash-type privacy features in a few months and has been running ETH 2.0-type PoS for years. Oh and has on chain governance.
I'm one of the 5 participants elected to this grantmaking body and entrusted with getting it started.

My background is as an activist for privacy and freedom online. I co-founded the organization Fight for the Future (https://fightforthefuture.org/) and co-ran it from 2011 to early 2018, through the SOPA/PIPA fights, the Snowden revelations, and the net neutrality battles in the US and EU. I got interested in Zcash when I started building an experimental messaging app and marketplace (https://zbay.app).

The main thing I'd want anyone reading to take away from the thread is that:

1. Zcash is one of a very small number of promising paths to the end goal of "HTTPS for money."

2. If you're interested in pursuing that goal (by researching, auditing, and/or building new tech) we are offering grants that can fund you and a small team, at market rates, and we'll strive to be timely and transparent.

3. We fund work related to Zcash, but since the hardest problems are common to all paths, your work will likely advance all of them.

On achieving "HTTPS for money," I think all of us recognize how important a goal this is. So let's look at how to get there.

There are a handful of promising paths. Zcash, Monero, Mobilecoin, and Aztec are mentioned here. Tornado.cash is another. For ALL of these projects, the harsh reality is that they are ALL extremely likely to fail for the exact same reason: by the time they make anything useful, most of the planet will be using Venmo, WhatsApp, or worse, WeChat, losing any privacy their governments don't explicitly mandate and refrain from violating themselves. We've seen this happen to countless theoretically-empowering free software projects; outside the realm of software development tools, it's the norm, not the exception. Regulatory pressure—either through outright bans or death by a thousand cuts—is another likely reason for failure, again, common to all of these projects.

Against that sobering reality, fighting over which of these projects is better right now would be counter-productive even if we were able to have that fight without ideology and tribalism, which is super hard when so many people involved in crypto have a financial or technical horse in the race! The reality is that each of these projects is just a starting point, and each starting point has advantages and disadvantages:

* Ethereum-based approaches like Aztec and Tornado.cash benefit from being part of the Ethereum ecosystem, but it will be difficult for them to address side channel attacks and issues like network-layer privacy (like the attacks described here: https://arxiv.org/abs/1410.6079) because they share so much of their stack with products and infrastructure that have a much less strict threat model. Privacy coins like Zcash and Monero control their whole stack and can, over time, build against the same strict threat model, though there's a ton of work to do here for both projects.

* Monero benefits from being the first to get traction and fervent supporters, but its approach of using decoy traffic to hide the transaction graph means that at some point, well-resourced entities like governments will be able to start identifying Monero users, and they'll likely be able to do this retroactively as far back as subpoenaed users and exchanges keep data. We know this because the theoretical attack is widely understood (see ian's links above) and the funding exists (see: https://www.forbes.com/sites/kellyphillipserb/2020&#...