A common misconception is that Zcoin is a fork of Zcash. Zcoin is based off the Zerocoin paper while Zcash is based off the Zerocash paper. While the Zerocoin paper and Zerocash paper share common authors and both use zero knowledge proofs, they rely on different cryptography. There is otherwise no relation between the two projects.
Zcoin uses RSA accumulators which were introduced in 1993 as the foundation of our anonymity scheme while Zcash uses zk-SNARKs which was recently formulated in 2014 and very few ppl understand it. Comparatively, RSA cryptography is one of the earliest form of public key cryptography which was publicly described in 1977, has been battle tested and forms the basis of many encryption schemes in wide use today such as HTTPS, SSH logins and PGP for e-mail. It also uses the Fiat-Shamir transform scheme that was published in 1986.
Peter Todd’s blog post illustrates this perfectly in pointing out that if RSA breaks, Zcoin would probably be the least of your concerns.
zk-SNARKs as used in Zcash requires on more novel cryptographic assumptions which have not been really been put under serious scrutiny.
It is a serious enough problem that the Zcash devs themselves are trying to find alternatives to it in the form of zk-STARKs which remain in research stage and are currently impractical to use. If these cryptographic assumptions do not hold, then the cryptography in Zcash breaks. This combined with an unauditable supply that may make it impossible to detect such problems means that zk-SNARKs although technologically advanced, is taking certain risks to achieve it.
While both Zcoin and Zcash uses trusted setups, they are implemented differently.
Zcoin’s setup is conceptually very simple as it only involves taking two primes p and q, to generate a modulus n. p and q are then destroyed. Instead of generating these parameters ourselves, we use parameters that were generated from the RSA factoring challenge many years ago so there is no possibility that the devs of Zcoin know these parameters. In fact, successfully obtaining those parameters would have netted you a nice bounty from the RSA (before they discontinued the challenge)! You can read more on how these parameters were generated and destroyed here. Our opinion is that the simpler the setup process, the less things can go wrong.
However are now positive that we can remove trusted setup completely using the Sigma (Σ) protocol that would allow us to continue using the high anonymity of zero knowledge proofs without worrying about trusted setup and this is currently in development.
Zcash’s setup is more elaborate and involved 6 trusted people, and can be read here. But in short, all six participants need to collude or be compromised for the parameters to be leaked out.
The main risk of having trusted setups being broken is that an attacker can counterfeit coins out of thin air.
Zcoin features a fully auditable coin supply. In our view, this is immensely important as in the event of any issues with our trusted setup or cryptographic implementation, this can be detected. No code is ever perfect even with the best of audits and new threats and vulnerabilities are constantly being found. For example, even Bitcoin suffered a serious flaw that resulted in 184.4 billion Bitcoin being generated and an auditable supply allows such bugs to be found and fixed.
With Zcash’s use of private transactions and addresses where amounts are also hidden, it is very difficult to detect if a vulnerability is exploited or a problem in their trusted setup. It is to be noted that Zcash’s own audit itself did discover vulnerabilities and despite it being fixed, it is noted that in their own post that:
“Building secure crypto protocols is hard, and even our team of world-class cryptographers and security engineers will make mistakes along the way. Despite the challenge, we’re optimistic that our practices of careful security review and transparency will lead to a secure product.
At this point the Zcash protocol has been subjected to intense security review, first through scientific peer review, and then by our in-house team of experts. But we need even more scrutiny to gain assurance that the protocol is safe.”
We applaud Zcash’s developments and highly value their work in the cryptocurrency space and look forward to seeing their advances. However, we feel Zcoin has a place in providing one of the best anonymity systems which is built on proven cryptography and is setup in such a way that flaws if exploited, can be detected.
For further details, please read our blog post.
As with any other technology, Zcoin can be used for both good and evil. However, we are firm believers that the net good for Zcoin far outweighs the bad. Throughout history, freedom of commerce has been shown to prevent wars, promote prosperity, and increase cross-culture exchange.
Zcoin is designed to benefit legitimate users who have realized the risk of using a cryptocurrency with a completely transparent public ledger, and the danger of having all their financial details made public with Bitcoin. Because there are already pre-existing mechanisms for such activities, Zcoin does not affect the status quo for such activities, while it provides notable benefits to legitimate users.
Even without Zcoin, such transactions can take place via existing financial systems (e.g. by using cash. Although not actually private, Bitcoin has faced the scrutiny of regulators with its potential use in money laundering.
The Zerocoin Protocol, created in 2013, was originally meant to be an extension on top of Bitcoin. There was a lot of support for Zerocoin from key members of the Bitcoin community. However, Bitcoin has the primary goal of ensuring stability in its money supply, by moving slowly with only unanimously agreed upon changes. As a result of the political deadlock, the Zcoin project was created.
Zcoin strives to increase individual liberty. By guaranteeing financial privacy, Zcoin can help ensure freedom of commerce. People should be able to transact however they want, as long as it does not infringe on the well-being or individual liberty of others. We are also big believers that freedom of commerce also facilitates peace and prosperity across countries and cultures. By guaranteeing financial privacy, Zcoin can directly guarantee fungibility, an essential property for free commerce.
Although there are many anonymity solutions out there for cryptocurrencies, it is our aim in providing the strongest level of anonymity that is possible without sacrificing usability, the auditability of our coin supply and relying on well established cryptographic protocols.
The Founders Reward is to reward the funding given by early investors, the time invested by the developers and a bounty wallet used to fund the team and other Zcoin community efforts. Bounties are available for various tasks, such as Zcoin core development, web development, graphic design, marketing, etc. If you’d like to help out, please email or message us on Discord.
There will be 21.4 million Zcoins. Zcoin follows the same halving cycle as Bitcoin (every 4 years).
It was originally planned that 20% of Zcoins (10 XZC per block) in the first 4 years will be distributed to the Founders’ Reward which is equivalent to 10% of total supply. The Founders’ Reward consists of Poramin Insom (lead dev and Founder) (4%), seed investors (12%) and the team wallet (4%).
However upon the launch of Znodes, the Founders and the team have agreed to reduce this to 14% of the block reward: 2% Poramin Insom, seed investors (6%) and team wallet (6%).
To find out how the Founder’s Rewards are used, see here.
After the first 4 years, the block reward goes completely towards the miners and Znode rewards.
The MTP (Merkle Tree Proof) algorithm was devised by Alex Biryukov and Dmitry Khovratovich from the University of Luxembourg in their paper published on the 11 June 2016 titled Egalitarian Computing. These are the same researchers who came up with Equihash that is currently used in ZCash and the Argon2 key derivation function.
MTP promotes fair and democratic mining by making ASIC development expensive. The key element of this approach is large (in size) and intensive (in bandwidth) use of RAM. RAM is expensive in both FPGA and ASIC and slow on GPU. Previous attempts in large and memory intensive proof of works were problematic. This is because to verify these memory intensive proof of works, the nodes had to also have that memory and spend a relatively long time calculating it. This made the network susceptible to transaction DoS attacks where nodes are constantly occupied in verifying transactions.
MTP’s advancement means that hard memory intensive proof of works can be verified quickly with low resources. MTP was designed to be able to require miners to utilize large amounts of RAM up to potentially 10 gb while remaining fast to verify! This can potentially revolutionize PoW mining by bringing it closer to the original vision of Satoshi where one CPU = one vote and democratizing mining instead of keeping it within a handful of powerful miners while maintaining a resilient and low resource network of nodes.
Zcoin uses a temporary algorithm Lyra2z
It is a chained algorithm with Blake256 first round and Lyra2 (timecost = 8, r=c=8) for the final round.
It was designed to achieve a slight advantage to GPU while making it feasible for CPU mining.
This algorithm will be replaced by MTP which aims for democratic mining without sacrificing performance. To read more on the MTP mining algorithm, click here.
MTP is currently running our testnet and is expected to go live in September 2018.
Blockchains without privacy like Bitcoin only offer pseudo-anonymity. In blockchains without complete privacy, it is the relationships and links between addresses that can reveal private information about you. Every single coin has an immutable history.
This is why freshly mined Bitcoins with no previous transaction history can command premiums of 20% or more as the holder does not have to worry whether it has been tainted and also private.
Zcoin allows you to burn your coins to destroy them so that they stop existing and then redeem them later for coins that have no previous transaction history. The process of burning and redeeming breaks the links between addresses making transaction graph analysis very difficult.
The burning process destroys the coin so that they stop existing and therefore their transaction history stops there and cannot be traced.
The redemption process involves giving a zero-knowledge proof that you previously burnt coins, without having to show which were the coins you burnt. The freshly redeemed coins appear as new coins with no previous transaction history and hence have no linkage with the original coins that were burnt.
In cryptography, a trusted setup is used to create a cryptographic system by generating certain initial parameters which will later be destroyed. An easy analogy is to imagine creating a lockbox with a key and then throwing the key away.
Why it is called trusted setup is that you must trust the person who created it, to actually destroy the parameters. Zero knowledge proof privacy systems such as the Zerocoin (as originally used in Zcoin and now deprecated) and Zerocash (as used in Zcash, Komodo and Horizen) protocol requires a trusted setup.
Zcoin’s Sigma and Lelantus privacy protocols, do not use trusted setups.
Why it Matters
Having a trusted setup is generally undesirable and adds another point of failure. One of blockchain’s mottos is ‘Don’t trust. Verify’ and trusted setups are the antithesis of that philosophy.
A compromised trusted setup in zero-knowledge proofs allows someone to forge the proofs meaning that coins can be created out of thin air leading to hyperinflation. In privacy coins where amounts are obscured, such inflation can also remain undetected.
There are ways to mitigate the risks of a trusted setup such as using a multi-party ceremony that if in theory works, requires all parties in the ceremony to collude. If at least one party destroys their portion of the secret, then the system is secure.
However, even if the risk is mitigated, we still need to be sure parties do not collude or that the ceremony was set up correctly or was not backdoored which can be challenging.
For example, Zcash’s original Sprout MPC ceremony sparked controversy because of binaries that were not deterministically built and MPC transcripts that went missing (which turned out to be to prevent a flaw from being exploited until it was patched).
A zero-knowledge proof is a cryptographic method to prove that you know something without giving any other details about it, except that the fact that you know it. For example, zero-knowledge proofs could be used to show you have assets of more than a million dollars, without showing the exact amount you own or the transactions that make it up.
Zero-knowledge proofs are an ideal fit for providing privacy on blockchains. On a public blockchain, everyone has to be able to verify the authenticity of transactions and so every transaction is posted for everyone to see along with its entire history.
Zero-knowledge proofs allow others to verify that a valid transaction has happened without giving any other information thus providing privacy while retaining verifiability.
Zcoin uses zero-knowledge proofs in its privacy mechanism to allow people to burn their coins and redeem them later for brand new ones with no previous transaction history without showing which coins were burnt.
To best understand how blockchain-tracking software works, it helps to view Bitcoin as a kind of financial social network. The same kinds of mechanisms used to break privacy in social networks, by analyzing social network topology, can be used to break privacy in the Bitcoin network. By taking a pre-existing social network like Facebook, we can use that information to generate heuristics about who is transacting with whom on Bitcoin.
There is a relevant research paper that attempted to identify Twitter users by using data from Flickr. They took the twitter data, and stripped away all identifying information about the user such as name or username. Then, by looking at the social network topology of the anonymized twitter data and comparing it to the flickr data, they found that they could identify one third of twitter users, even though the twitter data was anonymized.
This research also applies to Bitcoin. If we take an anonymous network such as Bitcoin, and use data from a social network from Facebook or Bitcointalk, we can use topological analysis to identify a lot of users. A comprehensive study on Bitcoin’s privacy also shows that even with best practices, a significant proportion of users can be identified from their behaviour.
The converse is also true where Bitcoin’s network can also deanonymize TOR users.
Our testnet explorer can be found here: https://testexplorer.zcoin.io
The chances of not getting a block in blocktime * K is approximately e(-K).
This means that the chance of getting a ≥30-minute block (K=6) is ≈0.25%. So even though our target block time is 5 minutes, roughly 1 in 400 blocks can take more than at least 30 minutes to find.
Bitcoin and preceding alternative cryptocurrencies have attempted to solve this problem through the use of transaction mixers or ring signatures. But they score very poorly on the metric called the traceability set. The traceability set is a key metric to understanding how private a cryptocurrency is. The traceability set in formerly proposed solutions is limited by the size of the mixing cycle or ring signature. Each mixing cycle or ring signature is limited by the number of transactions per cycle, which is transitively limited by the the block size of the cryptocurrency. Thus, the traceability set in previous attempts at privacy tends to only be a few hundred.
With Zcoin, the traceability set is on a dramatically higher magnitude. Instead of having a traceability set limited to the few hundreds, Zcoin has a traceability set that encompasses all minted coins in an accumulator. Thus, the magnitude of the traceability could be in the order of many thousands rather than hundreds. So its privacy level is magnitudes higher than cryptocurrencies that rely on mixing or ring signatures.
The other problem is that tumbling methods are only secure under the assumption of a lack of topological analysis and pre-existing network data, which is an incorrect threat model. There have been multiple research papers demonstrating that taking a separate network topology like Facebook can be used to de-anonymize a cryptocurrency as long as a long chain of transaction history exists. With all previous cryptocurrencies, a long chain of transactions is publicly viewable on the blockchain and prone to topological analysis.
With Zcoin, this long chain of transaction history simply does not exist, and there is zero information leakage about the sender and receiver of a transaction, so it is not prone to topological analysis and so the link between the sender and receiver disappears.
In the event people want to pool together their funds to make a Znode, please take note that you have to trust the person holding the funds for everyone.
This is because the 1000 XZC needs to be sent to a new address in one transaction and the custody is with one person. We ideally do not recommend such arrangements unless you really trust the person holding the funds on behalf of you. There is nothing to prevent the person holding the Znode funds from running away with your share.
This is not a problem if you have 1000 XZC as you can still keep those funds on your own local wallet. A Znode provider in such cases only requires your Znode private key (not the same as your funds private key) and the transaction ID of your 1000 XZC deposit.
Znodes do not hold any funds. They merely hold a Znode private key (not the same as your actual private key) which allows you to start and stop the Znode. There is a marker in your Znode configuration that links the Znode to your 1000 XZC deposit. In the event of a Znode being hacked, all that will happen is that your Znode will go offline and you will lose your position in the payment queue.
Your local Zcoin wallet still holds the 1000 XZC so it is that wallet that will need to be secured. Ensure that your wallet is frequently backed up and encrypt your wallet.
If you go with a Znode provider, all he requires is your Znode private key and the transaction ID of your 1000 XZC deposit. The Znode provider does not need your private key to the funds. You also do not need to send any funds to him.
Please refer to this Znode setup guide.
There will also be a number of Znode providers who can simplify the process for you for a fee.
A fixed amount (30%) of the block reward (7.5 XZC with current block reward) is paid to Znodes. Znodes are put in a queue and take turns to receive this block reward in return for hosting a Znode that hosts a complete copy of the blockchain and helps store and propagate blocks to the network.
Once they are in the top 10% of the queue, there is a degree of randomness in being selected as it uses the block hash entropy to pick the winner deterministically.
The frequency of the block payout depend on how many active Znodes there are. The more Znodes there are, the longer it takes to receive the Znode block reward.
To get a more in-depth understanding of the process, please read our article Understanding Znode Payments.
There are third party tools that estimate the frequency of Znode block rewards payouts and other Znode statistics:
A Znode requires
- 1000 XZC (refundable at any time)
- A computer or VPS with a fixed IP address
- 1 GB of RAM
- Enough disk space to store the blockchain (55GB is recommended for the moment)
Typically a VPS of this specification costs around USD5 to run a month per node and you can head on to Amazon AWS, Google Cloud, Microsoft Azure, Leaseweb, Vultr, Linode, or DigitalOcean to obtain a basic VPS when Znodes are launched. There will also be Znode providers who can assist you to set this up and/or maintain it for a small fee.
Nodes are computers that host a full copy of Zcoin’s blockchain and help to verify the validity of transactions.
Znodes are a special type of node that earn part of Zcoin’s block reward (currently at 30% of the block reward) in return for hosting a reliable and powerful node that helps to support the network. Znodes require a refundable collateral of 1000 XZC to ensure Znode holders have a stake in the coin and are incentivized to keep it working honestly, updated often and have a high uptime.
In the future, it is intended that Znodes serve as a building block for other services to be built on top of it including the delegation of Zerocoin transaction processing.