A common misconception is that Zcoin is a fork of Zcash. Zcoin is based off the Zerocoin paper while Zcash is based off the Zerocash paper. While the Zerocoin paper and Zerocash paper share common authors and both use zero knowledge proofs, they rely on different cryptography. There is otherwise no relation between the two projects.
Zcoin uses RSA accumulators, introduced in 1993, as the foundation of our anonymity scheme, while Zcash uses zk-SNARKs, which were formulated only recently (2014) and are understood by very few people. By comparison, RSA is one of the earliest forms of public-key cryptography: publicly described in 1977, it has been battle tested and forms the basis of many encryption schemes in wide use today, such as HTTPS, SSH logins and PGP for e-mail.
Peter Todd’s blog post illustrates this perfectly in pointing out that if RSA breaks, Zcoin would probably be the least of your concerns.
While both Zcoin and Zcash use trusted setups, they are implemented differently.
Zcoin’s setup is conceptually very simple: it only involves taking two primes p and q to generate a modulus n; p and q are then destroyed. Instead of generating these parameters ourselves, we use parameters that were generated for the RSA factoring challenge many years ago, so there is no possibility that the Zcoin developers know these parameters. In fact, successfully obtaining those parameters would have netted you a nice bounty from RSA (before they discontinued the challenge)! You can read more on how these parameters were generated and destroyed here. Our opinion is that the simpler the setup process, the fewer things can go wrong. We also have some ideas, and an academic paper, suggesting that the trusted setup can be removed completely; exploring this is scheduled later in our roadmap.
Zcash’s setup is more elaborate and involved six trusted people; it can be read about here. In short, all six participants would need to collude or be compromised for the parameters to be leaked.
The main risk of a trusted setup being broken is that an attacker can counterfeit coins out of thin air.
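As an added illustration (not Zcoin's own code) of the RSA accumulator beneath this setup: the accumulator value and every membership witness are computed from public data alone, and verification needs only the modulus n, never its factors p and q. The modulus, base and coin serials below are constructed toy values; Zcoin uses the RSA-2048 challenge modulus.

```python
import hashlib

N = 1000003 * 1000033   # constructed toy modulus; its factors are assumed destroyed after setup
G = 3                   # accumulator base (assumption; the real scheme uses a quadratic residue)

def is_prime(n: int) -> bool:
    """Deterministic Miller-Rabin; these bases are exact for the 40-bit values produced below."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in (2, 3, 5, 7, 11, 13, 17):
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def commitment_prime(serial: bytes) -> int:
    """Accumulated elements must be primes: hash the coin serial and step up to a prime."""
    x = (int.from_bytes(hashlib.sha256(serial).digest(), "big") % (1 << 40)) | 1
    while not is_prime(x):
        x += 2
    return x

def accumulate(primes):
    """Accumulator A = G^(c1*c2*...) mod N; anyone can recompute it from the public coins."""
    acc = G
    for c in primes:
        acc = pow(acc, c, N)
    return acc

def witness(primes, c):
    """Witness for c: the accumulator of every element except c."""
    return accumulate([p for p in primes if p != c])

def update_witness(w, c_new):
    """When another coin is minted, an existing witness is refreshed without any trapdoor."""
    return pow(w, c_new, N)

def verify(acc, w, c):
    """Membership check: w^c == A (mod N). Knowledge of N's factors is never required."""
    return pow(w, c, N) == acc
```

In the full Zerocoin protocol the spender additionally proves in zero knowledge that she holds such a witness for some accumulated coin, so the verifier learns membership without learning which coin.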
Zcoin features a fully auditable coin supply. In our view this is immensely important: in the event of any issue with our trusted setup or cryptographic implementation, it can be detected. No code is ever perfect even with the best of audits, and new threats and vulnerabilities are constantly being found. For example, even Bitcoin suffered a serious flaw that resulted in 184.4 billion Bitcoin being generated; an auditable supply allows such bugs to be found and fixed.
With Zcash’s private transactions and addresses, where amounts are also hidden, it is very difficult to detect a vulnerability or a problem in their trusted setup.
We applaud Zcash’s developments, highly value their work in the cryptocurrency space and look forward to seeing their advances. However, we feel Zcoin has a place in providing one of the best anonymity systems, one built on proven cryptography and set up in such a way that flaws can be found.
For further details, please read our blog post.
As with any other technology, Zcoin can be used for both good and evil. However, we are firm believers that the net good for Zcoin far outweighs the bad. Throughout history, freedom of commerce has been shown to prevent wars, promote prosperity, and increase cross-culture exchange.
Zcoin is designed to benefit legitimate users who have realized the risk of using a cryptocurrency with a completely transparent public ledger, and the danger of having all their financial details made public with Bitcoin. Because there are already pre-existing mechanisms for such activities, Zcoin does not affect the status quo for such activities, while it provides notable benefits to legitimate users.
Even without Zcoin, such transactions can take place via existing financial systems (e.g. by using cash). Although not actually private, Bitcoin has faced the scrutiny of regulators over its potential use in money laundering.
The Zerocoin Protocol, created in 2013, was originally meant to be an extension on top of Bitcoin. There was a lot of support for Zerocoin from key members of the Bitcoin community. However, Bitcoin has the primary goal of ensuring stability in its money supply, by moving slowly with only unanimously agreed upon changes. As a result of the political deadlock, the Zcoin project was created.
Zcoin strives to increase individual liberty. By guaranteeing financial privacy, Zcoin can help ensure freedom of commerce. People should be able to transact however they want, as long as it does not infringe on the well-being or individual liberty of others. We are also big believers that freedom of commerce facilitates peace and prosperity across countries and cultures. By guaranteeing financial privacy, Zcoin can directly guarantee fungibility, an essential property for free commerce.
Although there are many anonymity solutions out there for cryptocurrencies, our aim is to provide the strongest level of anonymity possible without sacrificing usability or the auditability of our coin supply, while relying on well-established cryptographic protocols.
The Founders Reward is to reward the funding given by early investors, the time invested by the developers and a bounty wallet used to fund the team and other Zcoin community efforts. Bounties are available for various tasks, such as Zcoin core development, web development, graphic design, marketing, etc. If you’d like to help out, please email or message us on Slack.
There will be 21 million Zcoins. Zcoin follows the same halving cycle as Bitcoin (every 4 years). 10% of the total Zcoin supply will be distributed to the Founders Reward as time passes.
In the first 4 years, 20% of the Zcoins mined will be distributed to the Founders Reward. In other words, during the first 4 years, 40 Zcoins will go to the miners and 10 Zcoins will go towards the Founders Reward. To find out how the Founders Reward is used, see here.
After the first 4 years, the block reward goes completely towards the miners.
Zcoin uses the ASIC-resistant Lyra2 key derivation function.
Lyra2 is designed for democratic mining, and is currently a very CPU friendly mining algorithm.
The parameters for Lyra2 are as follows:
Zcoin uses the RSA-2048 number from the RSA factoring challenge. The hard drive of the computer that generated the factors was destroyed over 25 years ago. No factoring solution to the RSA-2048 number has been found in the past 25 years, and it is unlikely to be factored in the next several decades. In the long term, Zcoin would eventually shift to a different cryptographic scheme for its setup parameters or move to a trustless setup entirely.
Bitcoin and preceding alternative cryptocurrencies have attempted to solve this problem through the use of transaction mixers or ring signatures. But they score very poorly on a metric called the traceability set. The traceability set is a key metric for understanding how private a cryptocurrency is. The traceability set in previously proposed solutions is limited by the size of the mixing cycle or ring signature. Each mixing cycle or ring signature is limited by the number of transactions per cycle, which in turn is limited by the block size of the cryptocurrency. Thus, the traceability set in previous attempts at privacy tends to be only a few hundred.
With Zcoin, the traceability set is of a dramatically higher order of magnitude. Instead of a traceability set limited to a few hundred, Zcoin has a traceability set that encompasses all minted coins in an accumulator. Thus, the traceability set could be in the order of many thousands rather than hundreds, so its privacy level is magnitudes higher than that of cryptocurrencies relying on mixing or ring signatures.
The other problem is that tumbling methods are only secure under the assumption that no topological analysis and no pre-existing network data are available, which is an incorrect threat model. Multiple research papers have demonstrated that a separate network topology, such as Facebook’s, can be used to de-anonymize a cryptocurrency as long as a long chain of transaction history exists. With all previous cryptocurrencies, a long chain of transactions is publicly viewable on the blockchain and prone to topological analysis.
With Zcoin, this long chain of transaction history simply does not exist, and there is zero information leakage about the sender and receiver of a transaction, so it is not prone to topological analysis and so the link between the sender and receiver disappears.
Zcoin’s zero-knowledge proof makes a cryptographic statement. When someone is sent Zerocoin, the recipient only knows that X amount of money was sent to their wallet. Unlike Bitcoin, there is no other unintended identifying information about the sender and receiver. Zero-knowledge proofs ensure that there is zero information leakage about the sender and receiver of a transaction.
A zero-knowledge proof is a method in which one person can prove to another person that a given statement is true, without conveying any information apart from the fact that the statement is indeed true.
The classic example of a zero knowledge challenge is called Yao’s Millionaire problem: how can two people determine who is richer without either person having to reveal how much money they have? Through a complex application of cryptography, it’s actually possible to do.
Craig Gidney, writing for the Twisted Oak Studios blog, provides a simplified version of the problem that can help you understand the process. In Gidney’s example, two workers — Bob and Alice — want to determine whether they’re being paid the same amount, without disclosing how much they’re being paid to each other or anyone else. The example assumes that Bob and Alice know that they’re each being paid exactly $10, $20, $30, or $40 per hour.
Bob goes and buys four anonymous comment card boxes — the kind a restaurant might have to gather opinions from customers. He labels each one $10, $20, $30 or $40, then throws away all the keys, except the one to the box that corresponds to how much money he makes. Alice then writes “Yes” on one slip of paper and “No” on three others. She puts the “Yes” slip in the box that matches her wage, and the “No” slips in all the others. Once Alice is gone, Bob can then open his box and see if the slip inside reads “Yes” or “No.” If “Yes,” then he and Alice are paid the same wage. If “No,” they will then know that their wages are different.
This example is obviously oversimplified. Zerocoin is far more complex, and includes various protections to keep anyone from cheating. But it uses a variation of this same type of thinking.
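The comment-card boxes above, as an added example that is not part of the original page: each box is a toy RSA key pair (an assumption for illustration; Gidney's post uses public-key encryption in the same role), Bob keeps only the private key for his own wage, and Alice pads every slip with fresh randomness so that Bob cannot learn her wage by re-encrypting "Yes" under each lock and comparing. The prime seeds and wage table are constructed values.

```python
import math
import random

WAGES = (10, 20, 30, 40)
E = 65537

def next_prime(x: int) -> int:
    """Smallest prime >= x by trial division (adequate for the toy key sizes used here)."""
    while any(x % d == 0 for d in range(2, int(x ** 0.5) + 1)):
        x += 1
    return x

def make_box(seed: int):
    """One 'comment card box' is a toy RSA key pair: (public lock, private key)."""
    p, q = next_prime(seed), next_prime(seed + 1000)
    while math.gcd(E, (p - 1) * (q - 1)) != 1:
        q = next_prime(q + 1)
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), pow(E, -1, phi)

def bob_setup(bob_wage: int):
    """Bob labels four boxes and throws away every key except the one for his wage.
    The protocol trusts him to do so: a Bob who secretly kept all keys could read every slip."""
    locks, kept_key = {}, None
    for i, w in enumerate(WAGES):
        pub, priv = make_box(2_000_000 + 500_000 * i)   # constructed seeds
        locks[w] = pub
        if w == bob_wage:
            kept_key = priv
    return locks, kept_key

def alice_deposit(locks, alice_wage: int):
    """Alice seals a 'Yes' slip (bit 1) in her wage's box and 'No' (bit 0) in the others.
    Random padding makes textbook RSA non-deterministic, so Bob cannot test guesses."""
    slips = {}
    for w, (n, e) in locks.items():
        bit = 1 if w == alice_wage else 0
        m = (random.randrange(2, n >> 1) << 1) | bit   # always < n, low bit carries the answer
        slips[w] = pow(m, e, n)
    return slips

def bob_reads(locks, kept_key, bob_wage: int, slips) -> bool:
    """Bob can open only his own box; the other three slips stay sealed forever."""
    n, _ = locks[bob_wage]
    return pow(slips[bob_wage], kept_key, n) & 1 == 1
```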
Zerocoin was one of the most cited cryptography papers of the last 3 years, with over 200 citations. The cryptographic principles behind Zerocoin are well understood and battle tested. Zerocoin uses zero-knowledge proofs to ensure that zero information is leaked regarding the senders and receivers of Zerocoin.
To best understand how blockchain-tracking software works, it helps to view Bitcoin as a kind of financial social network. The same kinds of mechanisms used to break privacy in social networks, by analyzing social network topology, can be used to break privacy in the Bitcoin network. By taking a pre-existing social network like Facebook, we can use that information to generate heuristics about who is transacting with whom on Bitcoin.
There is a relevant research paper that attempted to identify Twitter users by using data from Flickr. The researchers took the Twitter data and stripped away all identifying information about the users, such as name or username. Then, by looking at the social network topology of the anonymized Twitter data and comparing it to the Flickr data, they found that they could identify one third of Twitter users, even though the Twitter data was anonymized.
This research also applies to Bitcoin. If we take a pseudonymous network such as Bitcoin and use data from a social network such as Facebook, topological analysis can identify a large number of users.