The Zcash Anonymous Cryptocurrency [video] (ccc.de)
70 points by ianopolous on Jan 8, 2017 | hide | past | favorite | 70 comments



I've said it before: Zcash has nothing Monero isn't already offering. And like others said, right now, I still haven't seen a mining pool or an exchange that can handle anonymous transactions. An example: http://zcash.flypool.org/

Also, Zcash had an initial trusted setup ceremony after which the 6 participants supposedly all deleted their private keys. You DO have to trust none of those have colluded to someday, for example, start creating zcash coins for their own good without anyone knowing. All the info here: https://petertodd.org/2016/cypherpunk-desert-bus-zcash-trust...


And as others said before, Monero does some sketchy weak mixing of something like a 100 tx, which is really not enough for long term anonymity (think what happens when the other 99 outputs are spent). EDIT: there are a couple papers linked in a child comment that seem to analyze this which I haven't read entirely yet; the following two points still stand.

You don't need an exchange to use z-addresses, just receive into a one-use t, and then make it disappear into your main z-address yourself.

Finally, you have to trust that AT LEAST ONE won't collude, because you need all pieces to fake Zcash, which is very different.

Enough with this FUD. It's innovative tech, I expected HN to appreciate it more than the usual cryptocurrency circles.


Hello Mr. Cloudflare, your whole understanding of how XMR works seems to be wrong; there's no concept of spent outputs at all. To deanonymize a tx with a certain certainty one would have to own around 83% of the network's outputs.

There's a good academic read about this here: https://lab.getmonero.org/pubs/MRL-0001.pdf and here: https://lab.getmonero.org/pubs/MRL-0004.pdf

And also a privacy improvement which goes into effect in about 25 hours or so with the next hardfork, called RingCT, which has been peer reviewed by the Ledger journal: http://www.ledgerjournal.org/ojs/index.php/ledger/article/do...

Optional privacy a la ZCASH is broken by design and cannot work. You are still able to have tainted coins and do blacklisting etc., so it's effectively useless; also it opens up a whole world of other attack vectors like this one: https://github.com/zcash/zcash/issues/1360#issuecomment-2461...

A good read for everyone unbiased tho a bit old is here (which explains the inner workings): https://lab.getmonero.org/pubs/MRL-0003.pdf


There are a whole bunch of different downsides to ZCash too:

- multisig with z-addresses seems not to be possible.

- Using z-addresses on a smartphone or HW device like Trezor is too resource intensive

Looks like a privacy disaster to me, as no one will be using it.


20% of the mining goes to the controlling corporation. This is not decentralization; it's a blatant grab at your wallet.


I hope there is no need to spell out that my understanding of the Monero technology is not an official position of my employer, is there?


No, I just called you that because I saw your talk at 33c3 about TLS :)


Your lack of understanding of how Monero works is embarrassing. Please educate yourself before commenting!

As to the trusted setup, there are a few salient points:

- you don't have to "just trust one participant", what if 3 of them collude and 3 were compromised?

- every participant booted off the same ISO which was provided by a single person. The claim is that the ISO can be built deterministically, but that still does not prevent it being compromised in subtle ways, and it seems that hardly anyone has bothered to try to verify the ISO build process even subsequent to the ceremony.

- even when there was clear evidence that someone's phone was compromised, the ceremony went ahead. This is a huge red flag - why not just stop the ceremony and rethink it, given the fact that there was obvious infiltration?

- why only 6 participants? Why were they chosen by Zooko? Why was there no open application process where applicants could be considered by the community? Why were no members of academic institutions involved as participants?

The way the trusted setup was conducted is shocking, this is privacy theatre at best.

On your closing remark about it being innovative: nobody doubts that the ZeroCash white paper is innovative, but it is also too new for us to be trusting it. Would you advocate for TLS 1.3 to default to only use some encryption method that was in a very recent, largely unreviewed whitepaper, especially when that whitepaper contains math that is particularly hard to grok (Greg Maxwell calls it "moon math")? Why do we hold all of our cryptography to such high standards, distrusting everything that is new and unproven, but we're expected to give a financial system a pass? Would you feel the same if all of your net worth was held in that financial system?


I also trust Monero more.

Both Zcash and Monero (plus perhaps Dash, but it has some issues) try to augment Bitcoin with some privacy guarantees.

Ethereum is extending Bitcoin with Turing-completeness.

I follow Bitcoin, Ethereum and Monero with interest. I wonder whether any of these additional features will prove advantageous enough to surpass Bitcoin, which is more mature and has much bigger market cap right now.

IMHO, Bitcoin is secure enough for its current main use-case, which seems to be escaping Yuan / Bolivar. But I might be proven wrong. It's also interesting to note some other black swans may trigger cryptocurrency adoption in 2017 [1].

Ethereum seems advantageous for many business applications which are impossible with a traditional blockchain, but they really need to ensure Turing completeness doesn't lead to more fiascos. Perhaps by enforcing much much better static analysis than currently available [2]. You can err on the safe side and reject contracts that don't pass whatever static analysis. Seems the only way to retain Turing-completeness and safety.

However, given EVM semantics is complicated, perhaps a redesign will be needed so that static analysis does not rule most contracts as potentially unsafe.

[1] https://s3.amazonaws.com/storage.saxobank.com/TradingFloor/2...

[2] http://www.cs.umd.edu/~aseem/solidetherplas.pdf


> IMHO, Bitcoin is secure enough for its current main use-case, which seems to be escaping Yuan / Bolivar. But I might be proven wrong. It's also interesting to note some other black swans may trigger cryptocurrency adoption in 2017 [1].

I don't follow bitcoin very closely. Could you please tell me more about escaping yuan/bolivar? It seems to me that if you have access to bitcoin, it means you have banking capabilities and access to the internet. Once you have these two, you can use PayPal or similar and store EUR or USD. The volatility of USD is way lower than bitcoin's?


You can buy bitcoin with cash via localbitcoins.com in most countries except Germany (or at least, with a German IP address).

In China it seems the preference is to buy bitcoin mining equipment in yuan and generate bitcoin to sell, taking advantage of the cheap electricity available in China and writing off some of the capital investment via tax. Although there is significant trade on Chinese exchanges, much of this is often thought to be suspect due to the lack of trading fees, which means fake/self trades are available at no cost.


> you can use paypal [to] store EUR or USD [from yuan]

How would you do this?

If it is possible to exchange yuan to usd and keep it in paypal without a US account, I would still be very uncomfortable storing hundreds of thousands of dollars in it. It is a centralized entity that can freeze funds for any reason, be compelled to report things, make mistakes, paper trail, etc.

Being able to exchange currencies is also a step above regular banking I believe. You need access to forex markets and the associated setup and trails.


> I don't follow bitcoin very closely. Could you please tell me more about escaping yuan/bolivar?

Likely means using Bitcoin to evade currency controls, which they have in China and some South American countries e.g. Argentina[1].

[1] http://www.coindesk.com/bitcoin-thriving-argentinas-black-ma...


Bitcoin will get all features that Monero has, but security is still the most important aspect, so the maintainers take a very slow, conservative path (which I think is awesome for something so important). Segwit is still a great first step. It will take multiple years to get there...there's no rush though. People who really believe in BTC understand that it's not something that will be finished in 5-10 years.


Bitcoin will get a minimum block reward that ensures miner incentives in perpetuity? Bitcoin will switch from secp256k1 to Curve25519? Bitcoin will get a dynamic block size limiter that adjusts with transactional demand?

You must be joking.


Dynamic block size makes it harder to reason about the security of the system, so it's not a conservative choice. Adding another curve for signing won't be hard with segwit; the only question is if there is really enough demand for it (and it doesn't need a "switch", both curves can be supported at the same time, and users can select which they want to use). One of the most interesting ideas right now that may be implemented in the future is mimblewimble, unless something better comes. But there are many other, easier to implement ideas talked about at the Scaling Bitcoin conferences.


I might not use either ever.

But Zooko's name is well-known around the traps whereas Monero -- not.


You only have to trust that ONE of the participants has not colluded.

Zcash offers more anonymity at the expense of more computational resources.


..and that the framework was proven correct.


Not the best talk by far. It's just a real simple intro.

All the developers of Zcash were in the audience and then there is some associated guy giving an intro.

I thought it was a bit pointless.


The title of this talk is 'zero knowledge succinct non-interactive arguments of knowledge for laypeople', yet the speaker (at 1:40 in the talk), says he won't be able to explain how they work.

ZCash, at least for the first 3 builds, did not have their primary feature (fully anonymous transactions) working. I don't believe that's fixed yet (is it?). How they missed their primary feature being broken before releasing, I have no idea.


Wasn't the issue just that they couldn't mine into anonymous addresses?


The issue prevented all transactions which had all z-address inputs and outputs (that is, fully anon txes) and no t-address inputs or outputs (public addresses) from being mined.


I am sure you're mistaken. I just created and executed a tx with only z-addresses with zcashd version 1.0.1. It was mined and can be found on the block explorer.

Please stop spreading FUD about zcash.


It's not FUD, he's entirely correct. They had one thing to get right before launch, and they got it wrong. Speaks volumes for the so-called dream team. References:

- https://github.com/zcash/zcash/issues/1705

- https://www.cryptocoinsnews.com/zcash-bug-prevents-private-t...


It is FUD, because droffel claims no private tx could be mined.


No he doesn't. Go read what he wrote again. Private transactions (one z-addr sends to another z-addr) were not being mined.


What is your source for this claim? I did these kinds of transactions during the beta.



The ticket says "In some cases, some transactions with joinsplits do not get mined." So this does not prove droffel's point. He said all tx with only z-addresses could not be mined.

Any other source for this claim?


He's 100% correct, as is the GitHub issue. Transactions that were z-addr -> t-addr, or vice versa, were being mined, but private transactions (my z-addr pays your z-addr) were not.

Per the ZCash website (https://z.cash/blog/state-of-the-network-2016-10-31.html) -

"There is one known bug, which causes private transactions (those in which all of the inputs and outputs are shielded addresses) to not get mined."


It is fixed and was fixed a long time ago.


"A long time ago" being less than 2 months ago.

https://github.com/zcash/zcash/commit/9eb852edd0c9a20d7e3925...


This thread doesn't seem to have any discussion of the linked video, it's full of people trying to push something called Monero


It's being presented as an alternative that doesn't cut corners or make the incredibly dangerous compromises ZCash does. Would you expect a thread lauding SnapChat as a privacy enhancing messaging app to not have a bunch of people, finding the suggestion ludicrous, "pushing" Signal?

As to the video, the talk was pathetic. The speaker claimed he was going to explain zk-SNARKs to the layperson, then immediately claimed to not understand them. It presented none of the risks of ZCash, and only really covered how joinsplits work.


...because we like monero, consider the technology more appropriate and mature for the task, and wish to use it. Currency abhors liquidity barriers, slippage, etc. Since Monero is the most liquid crypto that provides acceptable privacy and hence fungibility, it is a win-win situation if it is universally adopted.

Also the corrupt terms of the zcash social contract make it abhorrent to many of us, who believe in open source, peer-review, and decentralization of authority, as well as casting deep suspicion on the motivations of the beneficiaries of zcash's corporate structure, and the acts which self-interest will therefore dictate.


Can anyone explain to me why we call these things currencies? To start with there's https://www.washingtonpost.com/news/wonk/wp/2015/06/08/bitco... and then https://www.wired.com/2017/01/bitcoin-will-never-currency-so...



I haven't said anything about Bitcoin dying, I am just saying it's not a currency.


It seems like the Monero guys can not stand that Zcash is the de facto standard for private transactions and the clear technological leader. Long live Zcash! For the benefit of all privacy loving users. On the other hand, spreading FUD and lies does not speak well of Monero. That in addition to the mathematically weaker and inferior tech used by Monero.


Or maybe we're just not buying into cryptography being pushed by a company that has a marketing department.


For sure any marketing that they (Zcash) have is not so active as the Monero guys are in spreading lies and confusion around.

Maybe we should all abandon the privacy ship, join the Monero guys (no matter its obscure origins, by the way) and spread FUD and lies about any better tech like Zcash or others that comes up, right?


By "the Monero guys" you mean the broader technical community that understands security software design?

Also, obscure origins are irrelevant when the technology is solid. Take the following examples: TrueCrypt, Bitcoin, MimbleWimble. Are you honestly arguing that TrueCrypt was bad?


By the "Monero guys spreading FUD and lies" I mean exactly that. I have used Monero in the past and considered myself part of that community at the time. I even used its predecessor Bytecoin for a while before Monero came up. I have researched a lot and just happen to like and trust Zcash tech much more! Maybe you should do a bit more research. It is nice to have competing privacy technologies. It is good for privacy loving users and for the advancement of the field. If you like Monero and feel it is much better, good for you, use it and enjoy it, this is a free world, but there is no need to lie and confuse people about Zcash.


Can't take zcash seriously. The entire currency is programmed to give 10% of all zcash to the developers.


20%. There are tons of coins released recently before zcash on this broken tech.


Isn't it 20?


Yes.


I think that's a fair share given the amount of work that's gone into it.


First time I've heard of this practice, it's a very very large percent of the pie. Makes me wonder why they don't just mine?


The alternative is premining. They went for this model because it is more transparent.


Really? So Bitcoin and Monero only work because of their premine...?


Although I think it is obvious, I mention it anyway. The founders' fee that goes to the developers is meant to fund the development for the next four years.

If you don't like that, there is already the Zclassic fork without the founders' fee.


You know that it's forked from Bitcoin right? What portion of the tax is being given to the Bitcoin developers?


Is that 10% in perpetuity?


20% of coins mined in first 4 years, 0% thereafter:

"At first, 50 ZEC will be created every ten minutes. 80% of the newly created ZEC will go to the miners, and 20% ZEC to the founders.

Every four years, the rate of ZEC being created will halve (again, just like in Bitcoin). After the first four years the ZEC created per ten minutes will drop to 25ⓩ, but after the first four years, 100% of it goes to the miners."

https://z.cash/blog/funding.html

"At first, 50 ZEC will be created every ten minutes. 80% of the newly created ZEC will go to the miners, and 20% ZEC to the founders.

Every four years, the rate of ZEC being created will halve (again, just like in Bitcoin). After the first four years the ZEC created per ten minutes will drop to 25ⓩ, but after the first four years, 100% of it goes to the miners."

https://z.cash/blog/founders-reward-transfers.html


Too late to edit and I wanted to quote the second link correctly:

"The 10% of the total supply that makes up the Founders' Reward is distributed between launch and the first halving (at block 850,000). During this period (which will last approximately four years), half of the total monetary base will be generated. After the first halving, there will be no more Founders' Reward, and all newly-created ⓩ will be received by miners."

https://z.cash/blog/founders-reward-transfers.html

I make no judgment on whether this is good, or bad, or other, just wanted to present the source's position on the matter.


They are taking 20% during the most important period of distribution. That is worse than any kind of premine. All Zerocoin based coins had the same ridiculous rewards and are all dead already or barely breathing.


No; it's 20% of the first half, the distribution of the first four years...


Which amounts to 10% of the total coins that will be ever possible to create.
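As an added worked example (not code from the thread or from the Zcash project), the emission schedule quoted above can be simulated to check the 20%-versus-10% disagreement in this sub-thread. It takes the figures quoted from the z.cash funding posts (50 ZEC every ten minutes, 20% to the founders during the first four years, halving every four years, 0% to founders afterwards) and assumes two things the page does not state: a "four year" period is modelled as 4 × 365 days of ten-minute slots, and ZEC is tracked with 8 decimal places the way Bitcoin-derived code does it. The page's own block-850,000 halving height is not used. The functions are parameterised so the same model works for any reward, period length or founder share.

```python
from fractions import Fraction

# Figures quoted in the thread from the z.cash funding posts:
REWARD_PER_SLOT_ZEC = 50                 # "50 ZEC will be created every ten minutes"
FOUNDER_SHARE_PERIOD_0 = Fraction(1, 5)  # "20% ZEC to the founders" during the first four years

# Assumptions (not from the page): a four-year halving period is modelled as
# 4 * 365 days of ten-minute slots, and one ZEC has 8 decimal places as in Bitcoin.
SLOTS_PER_PERIOD = 4 * 365 * 24 * 6      # 210,240 ten-minute slots
ZATOSHI_PER_ZEC = 10**8                  # smallest unit assumed for integer arithmetic


def slot_split(period, reward_zec=REWARD_PER_SLOT_ZEC,
               founder_share=FOUNDER_SHARE_PERIOD_0):
    """Miner and founder share of one ten-minute slot's new coins, in ZEC.

    The per-slot reward halves every period; the founders only take their cut
    in period 0. Returns (miners_zec, founders_zec) as exact Fractions.
    """
    reward = Fraction(reward_zec) / 2**period
    founders = reward * founder_share if period == 0 else Fraction(0)
    return reward - founders, founders


def emission_totals(reward_zec=REWARD_PER_SLOT_ZEC,
                    slots_per_period=SLOTS_PER_PERIOD,
                    founder_share=FOUNDER_SHARE_PERIOD_0):
    """Simulate every halving period until the per-slot reward rounds to zero.

    Rewards are kept in integer zatoshi and halved with integer division, so
    the tail of the geometric series is computed exactly rather than as an
    infinite sum. Returns (total_supply_zatoshi, founders_zatoshi).
    """
    reward = reward_zec * ZATOSHI_PER_ZEC
    total = 0
    founders = Fraction(0)
    period = 0
    while reward > 0:
        minted = reward * slots_per_period
        total += minted
        if period == 0:                      # founders are paid only in the first period
            founders += Fraction(minted) * founder_share
        reward //= 2                         # halving, integer division like Bitcoin
        period += 1
    return total, founders


def founders_fraction_of_supply(**kwargs):
    """Founders' coins as an exact fraction of everything that will ever be minted."""
    total, founders = emission_totals(**kwargs)
    return founders / total


if __name__ == "__main__":
    miners, founders = slot_split(0)
    print(f"period 0, per ten minutes: miners {miners} ZEC, founders {founders} ZEC")
    miners, founders = slot_split(1)
    print(f"period 1, per ten minutes: miners {miners} ZEC, founders {founders} ZEC")
    total, founders_total = emission_totals()
    print(f"total supply       : {total / ZATOSHI_PER_ZEC:,.2f} ZEC")
    print(f"founders' reward   : {float(founders_total) / ZATOSHI_PER_ZEC:,.2f} ZEC")
    print(f"founders' fraction : {float(founders_fraction_of_supply()):.6f}")
```

The run shows both sides of the argument are describing the same schedule: the founders take 20% of each slot's coins during period 0 (10 of 50 ZEC), and because the halving series sums to twice the first period, that is 10% of the eventual total supply of roughly 21 million ZEC.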


So? All cryptocurrencies have some system to pay the developers; most do pre-mining. They use a different model.


Not _all_ cryptocurrencies, no - it's mostly just the scammy ones of little genuine utility and/or technological merit.

Both Bitcoin and Monero have fair distribution; development of neither is done by for-profit LLCs financially supported by any pre-mine, miner tax, insider investment/ICO, or other fancy scheme paid out by either the underlying monetary system or taxed from the users and/or those securing the network, and while Blockstream Inc. does employ Bitcoin Core developers, Monero development is entirely decentralized without even a foundation to its name.


The vast, vast majority of bitcoins are in the hands of early adopters. It was effectively a premine.


The original comment purports that ridiculous enrichment schemes are a carpet necessary evil for initial and continued development of cryptocurrencies, which is simply not true - what you're pointing out is a different argument.


ZCash is a scam.


Zcash is the most technologically advanced cryptocurrency existing today to effectively accomplish mathematically proven private transactions. Built with love for all Planet Earth privacy loving users. Use it, test it and you will love it too!


Ummmm no.

1. It's controlled by a corporation with VC backing. This leads to a single point of failure, a ton of disincentives, and makes it easier for an attacker.

2. The cryptography is untested, unproven, and too new to be trusted. Since when did technically competent people advocate for cryptography like that??

3. The 20% tax puts a crazy amount of strain on the economic system, and is inordinately high.

4. The trusted setup is hard to get right, but they completely screwed it up (see my comment upthread).

5. Private transactions take 8GB+ of RAM and several minutes to compute on my laptop, how is that at all scalable or useful?

We should be immensely critical of new cryptography being rushed into production at the behest of investors, and we should not be promoting a centralized, corporate-controlled cryptocurrency.


Answers to your concerns below:

1. As a Bitcoin fork and descendant it is not controlled by anyone but by its network of users. Therefore there is no single point of failure. Development is done today by a corporation with VC backing which does not necessarily mean that will continue to be the case tomorrow. A community of developers and/or users can take the development leadership at any point in the future if it were so needed.

2. The cryptography is currently superior to any other. It has been tested and proven. It is in your hands to prove it wrong. Please do so.

3. The founders reward provides even more security and development resources during the first 4 years. Many people see it in fact as an advantage.

4. The trusted setup process whitepaper has been made public, plus the participants are also known. You can research and certify the process and contact the participants as you wish since it is all public. Please provide the exact point of failure in the process and where exactly it has failed. It seems like a highly secure setup to me.

5. The RAM and time required for private transactions can be handled with no problem at all by most users with laptops as of today. Even so, there is development going on by the Zcash team to improve the performance and reduce the RAM and time required.

In the spirit of Bitcoin, Zcash is decentralized and built for privacy loving users.


1. Given that not even Zooko understands zk-SNARKs, the ZCash name is trademarked, and they've shut down their Reddit and IRC channels, there is no chance of a community of competent developers that understand the technology springing up. Also I wouldn't be proud of forking Bitcoin, especially when the changes that have been made are so substantial that they can't keep in sync with upstream.

2. No, it's not in my hands to do so. The onus is on ZCash to demonstrate this the way any other cryptography is proven: peer review, and time. ZeroCash has little of either.

3. Anyone that sees it as an advantage has no clue about disincentives or game theoretic attacks.

4. The exact point of failure is that they all booted off the same ISO that was provided by one person. Additionally, when an observer at one of the stations had their phone compromised they didn't shut the ceremony down and restart, they just continued. Also, the participants are just Zooko's buddies - who's to say they aren't conspiring together, and merely compromising the procedure for anyone who isn't part of that (e.g. Peter Todd)?

5. If privacy is not the default, and is immensely hard to use (due to the system requirements), it will hardly be used. The entropy of the private system will be restricted to a relative handful of users.


Answers below:

1. You will probably be surprised that there are a lot of highly qualified people in the community already.

2. If it is so unproven and so untrusted, please go ahead and break it. Words are cheap, mathematical proof and action is what counts.

3. Remains to be seen who is right on this one and we will see it during the next 4 years when the founders reward expires.

4. Conspiracy theories. Well, there will probably be more setups in the future. Maybe you want to propose a counter-whitepaper with a better way to do the cryptography setup and even be part of the ceremony itself?

5. Zcash uses mathematically proven privacy. Privacy loving users will use it. Research the tech and then maybe you will be inclined and destined to use it too.



