A common misconception is that Zcoin is a fork of Zcash. Zcoin is based off the Zerocoin paper while Zcash is based off the Zerocash paper. While the Zerocoin paper and Zerocash paper share common authors and both use zero knowledge proofs, they rely on different cryptography. There is otherwise no relation between the two projects.
Zcoin uses RSA accumulators which were introduced in 1993 as the foundation of our anonymity scheme while Zcash uses zk-SNARKs which was recently formulated in 2014 and very few ppl understand it. Comparatively, RSA cryptography is one of the earliest form of public key cryptography which was publicly described in 1977, has been battle tested and forms the basis of many encryption schemes in wide use today such as HTTPS, SSH logins and PGP for e-mail. It also uses the Fiat-Shamir transform scheme that was published in 1986.
Peter Todd’s blog post illustrates this perfectly in pointing out that if RSA breaks, Zcoin would probably be the least of your concerns.
zk-SNARKs as used in Zcash requires on more novel cryptographic assumptions which have not been really been put under serious scrutiny.
It is a serious enough problem that the Zcash devs themselves are trying to find alternatives to it in the form of zk-STARKs which remain in research stage and are currently impractical to use. If these cryptographic assumptions do not hold, then the cryptography in Zcash breaks. This combined with an unauditable supply that may make it impossible to detect such problems means that zk-SNARKs although technologically advanced, is taking certain risks to achieve it.
While both Zcoin and Zcash uses trusted setups, they are implemented differently.
Zcoin’s setup is conceptually very simple as it only involves taking two primes p and q, to generate a modulus n. p and q are then destroyed. Instead of generating these parameters ourselves, we use parameters that were generated from the RSA factoring challenge many years ago so there is no possibility that the devs of Zcoin know these parameters. In fact, successfully obtaining those parameters would have netted you a nice bounty from the RSA (before they discontinued the challenge)! You can read more on how these parameters were generated and destroyed here. Our opinion is that the simpler the setup process, the less things can go wrong.
However are now positive that we can remove trusted setup completely using the Sigma (Σ) protocol that would allow us to continue using the high anonymity of zero knowledge proofs without worrying about trusted setup and this is currently in development.
Zcash’s setup is more elaborate and involved 6 trusted people, and can be read here. But in short, all six participants need to collude or be compromised for the parameters to be leaked out.
The main risk of having trusted setups being broken is that an attacker can counterfeit coins out of thin air.
Zcoin features a fully auditable coin supply. In our view, this is immensely important as in the event of any issues with our trusted setup or cryptographic implementation, this can be detected. No code is ever perfect even with the best of audits and new threats and vulnerabilities are constantly being found. For example, even Bitcoin suffered a serious flaw that resulted in 184.4 billion Bitcoin being generated and an auditable supply allows such bugs to be found and fixed.
With Zcash’s use of private transactions and addresses where amounts are also hidden, it is very difficult to detect if a vulnerability is exploited or a problem in their trusted setup. It is to be noted that Zcash’s own audit itself did discover vulnerabilities and despite it being fixed, it is noted that in their own post that:
“Building secure crypto protocols is hard, and even our team of world-class cryptographers and security engineers will make mistakes along the way. Despite the challenge, we’re optimistic that our practices of careful security review and transparency will lead to a secure product.
At this point the Zcash protocol has been subjected to intense security review, first through scientific peer review, and then by our in-house team of experts. But we need even more scrutiny to gain assurance that the protocol is safe.”
We applaud Zcash’s developments and highly value their work in the cryptocurrency space and look forward to seeing their advances. However, we feel Zcoin has a place in providing one of the best anonymity systems which is built on proven cryptography and is setup in such a way that flaws if exploited, can be detected.
For further details, please read our blog post.
As with any other technology, Zcoin can be used for both good and evil. However, we are firm believers that the net good for Zcoin far outweighs the bad. Throughout history, freedom of commerce has been shown to prevent wars, promote prosperity, and increase cross-culture exchange.
Zcoin is designed to benefit legitimate users who have realized the risk of using a cryptocurrency with a completely transparent public ledger, and the danger of having all their financial details made public with Bitcoin. Because there are already pre-existing mechanisms for such activities, Zcoin does not affect the status quo for such activities, while it provides notable benefits to legitimate users.
Even without Zcoin, such transactions can take place via existing financial systems (e.g. by using cash. Although not actually private, Bitcoin has faced the scrutiny of regulators with its potential use in money laundering.
The Zerocoin Protocol, created in 2013, was originally meant to be an extension on top of Bitcoin. There was a lot of support for Zerocoin from key members of the Bitcoin community. However, Bitcoin has the primary goal of ensuring stability in its money supply, by moving slowly with only unanimously agreed upon changes. As a result of the political deadlock, the Zcoin project was created.
Zcoin strives to increase individual liberty. By guaranteeing financial privacy, Zcoin can help ensure freedom of commerce. People should be able to transact however they want, as long as it does not infringe on the well-being or individual liberty of others. We are also big believers that freedom of commerce also facilitates peace and prosperity across countries and cultures. By guaranteeing financial privacy, Zcoin can directly guarantee fungibility, an essential property for free commerce.
Although there are many anonymity solutions out there for cryptocurrencies, it is our aim in providing the strongest level of anonymity that is possible without sacrificing usability, the auditability of our coin supply and relying on well established cryptographic protocols.
The Founders Reward is to reward the funding given by early investors, the time invested by the developers and a bounty wallet used to fund the team and other Zcoin community efforts. Bounties are available for various tasks, such as Zcoin core development, web development, graphic design, marketing, etc. If you’d like to help out, please email or message us on Discord.
There will be 21.4 million Zcoins. Zcoin follows the same halving cycle as Bitcoin (every 4 years).
It was originally planned that 20% of Zcoins (10 XZC per block) in the first 4 years will be distributed to the Founders’ Reward which is equivalent to 10% of total supply. The Founders’ Reward consists of Poramin Insom (lead dev and Founder) (4%), seed investors (12%) and the team wallet (4%).
However upon the launch of Znodes, the Founders and the team have agreed to reduce this to 14% of the block reward: 2% Poramin Insom, seed investors (6%) and team wallet (6%).
To find out how the Founder’s Rewards are used, see here.
After the first 4 years, the block reward goes completely towards the miners and Znode rewards.
The MTP (Merkle Tree Proof) algorithm was devised by Alex Biryukov and Dmitry Khovratovich from the University of Luxembourg in their paper published on the 11 June 2016 titled Egalitarian Computing. These are the same researchers who came up with Equihash that is currently used in ZCash and the Argon2 key derivation function.
MTP promotes fair and democratic mining by making ASIC development expensive. The key element of this approach is large (in size) and intensive (in bandwidth) use of RAM. RAM is expensive in both FPGA and ASIC and slow on GPU. Previous attempts in large and memory intensive proof of works were problematic. This is because to verify these memory intensive proof of works, the nodes had to also have that memory and spend a relatively long time calculating it. This made the network susceptible to transaction DoS attacks where nodes are constantly occupied in verifying transactions.
MTP’s advancement means that hard memory intensive proof of works can be verified quickly with low resources. MTP was designed to be able to require miners to utilize large amounts of RAM up to potentially 10 gb while remaining fast to verify! This can potentially revolutionize PoW mining by bringing it closer to the original vision of Satoshi where one CPU = one vote and democratizing mining instead of keeping it within a handful of powerful miners while maintaining a resilient and low resource network of nodes.
Zcoin uses a temporary algorithm Lyra2z
It is a chained algorithm with Blake256 first round and Lyra2 (timecost = 8, r=c=8) for the final round.
It was designed to achieve a slight advantage to GPU while making it feasible for CPU mining.
This algorithm will be replaced by MTP which aims for democratic mining without sacrificing performance. To read more on the MTP mining algorithm, click here.
MTP is currently running our testnet and is expected to go live in mid August 2017.
Zcoin uses the RSA-2048 number from the RSA factoring challenge. The computer’s hard drive which generated the factors were destroyed over 25 years ago. No factoring solution to the RSA-2048 number has been found for the past 25 years, and it is unlikely to be factored in the next several decades. In the long term, Zcoin would eventually shift to a different cryptographic scheme for its setup parameters or move to a trustless setup entirely.
Bitcoin and preceding alternative cryptocurrencies have attempted to solve this problem through the use of transaction mixers or ring signatures. But they score very poorly on the metric called the traceability set. The traceability set is a key metric to understanding how private a cryptocurrency is. The traceability set in formerly proposed solutions is limited by the size of the mixing cycle or ring signature. Each mixing cycle or ring signature is limited by the number of transactions per cycle, which is transitively limited by the the block size of the cryptocurrency. Thus, the traceability set in previous attempts at privacy tends to only be a few hundred.
With Zcoin, the traceability set is on a dramatically higher magnitude. Instead of having a traceability set limited to the few hundreds, Zcoin has a traceability set that encompasses all minted coins in an accumulator. Thus, the magnitude of the traceability could be in the order of many thousands rather than hundreds. So its privacy level is magnitudes higher than cryptocurrencies that rely on mixing or ring signatures.
The other problem is that tumbling methods are only secure under the assumption of a lack of topological analysis and pre-existing network data, which is an incorrect threat model. There have been multiple research papers demonstrating that taking a separate network topology like Facebook can be used to de-anonymize a cryptocurrency as long as a long chain of transaction history exists. With all previous cryptocurrencies, a long chain of transactions is publicly viewable on the blockchain and prone to topological analysis.
With Zcoin, this long chain of transaction history simply does not exist, and there is zero information leakage about the sender and receiver of a transaction, so it is not prone to topological analysis and so the link between the sender and receiver disappears.
Zcoin’s zero-knowledge proof makes a cryptographic statement. When someone is sent Zerocoin, the person only knows that X amount of money was sent to their wallet. Unlike Bitcoin, there is no other unintended identifying information about the sender and receiver. Zero Knowledge proofs ensure that there is zero information leakage about the sender and receiver of a transaction.
A zero-knowledge proof is a method in which one person can prove to another person that a given statement is true, without conveying any information apart from the fact that the statement is indeed true.
The classic example of a zero knowledge challenge is called Yao’s Millionaire problem: how can two people determine who is richer without either person having to reveal how much money they have? Through a complex application of cryptography, it’s actually possible to do.
Craig Gidney , writing for the Twisted Oak Studios blog, provides a simplified version of the problem that can help you understand the process. In Gidney’s example, two workers — Bob and Alice — want to determine whether they’re being paid the same amount, without disclosing how much they’re being paid to each other or anyone else. The example assumes that Bob and Alice know that they’re each being paid exactly $10, $20, $30, or $40 per hour.
Bob goes and buys four anonymous comment card boxes — the kind a restaurant might have to gather opinions from customers. He labels each one $10, $20, $30 or $40, then throws away all the keys, except the one to the box that corresponds to how much money he makes. Alice then writes “Yes” on one slip of paper and “No” on three others. She puts the “Yes” slip in the box that matches her wage, and the “No” slips in all the others. Once Alice is gone, Bob can then open his box and see if the slip inside reads “Yes” or “No.” If “Yes,” then he and Alice are paid the same wage. If “No,” they will then know that their wages are different.
This example is obviously over simplified. Zerocoin is far more complex, and includes various protections to keep anyone from cheating. But it uses a variation of this same type of thinking.
Zerocoin was one of the most cited cryptography papers in the last 3 years, with over 200 citations. The cryptography principles behind Zerocoin are well-understood and battle-tested. Zerocoin uses zero-knowledge proofs to ensure that zero information is leaked regarding sender and receivers of Zerocoin.
To best understand how blockchain-tracking software works, it helps to view Bitcoin as a kind of financial social network. The same kinds of mechanisms used to break privacy in social networks, by analyzing social network topology, can be used to break privacy in the Bitcoin network. By taking a pre-existing social network like Facebook, we can use that information to generate heuristics about who is transacting with whom on Bitcoin.
There is a relevant research paper that attempted to identify twitter users by using data from flickr. They took the twitter data, and stripped away all identifying information about the user such as name or username. Then, by looking at the social network topology of the anonymized twitter data and comparing it to the flickr data, they found that they could identify one third of twitter users, even though the twitter data was anonymized.
This research also applies to Bitcoin. If we take an anonymous network such as Bitcoin, and use data from a social network from Facebook, we can use topological analysis to identify a lot of users.
In the event people want to pool together their funds to make a Znode, please take note that you have to trust the person holding the funds for everyone.
This is because the 1000 XZC needs to be sent to a new address in one transaction and the custody is with one person. We ideally do not recommend such arrangements unless you really trust the person holding the funds on behalf of you. There is nothing to prevent the person holding the Znode funds from running away with your share.
This is not a problem if you have 1000 XZC as you can still keep those funds on your own local wallet. A Znode provider in such cases only requires your Znode private key (not the same as your funds private key) and the transaction ID of your 1000 XZC deposit.
Znodes do not hold any funds. They merely hold a Znode private key (not the same as your actual private key) which allows you to start and stop the Znode. There is a marker in your Znode configuration that links the Znode to your 1000 XZC deposit. In the event of a Znode being hacked, all that will happen is that your Znode will go offline and you will lose your position in the payment queue.
Your local Zcoin wallet still holds the 1000 XZC so it is that wallet that will need to be secured. Ensure that your wallet is frequently backed up and encrypt your wallet.
If you go with a Znode provider, all he requires is your Znode private key and the transaction ID of your 1000 XZC deposit. The Znode provider does not need your private key to the funds. You also do not need to send any funds to him.
Please refer to this Znode setup guide.
There will also be a number of Znode providers who can simplify the process for you for a fee.
A fixed amount (30%) of the block reward (15 XZC with current block reward) is paid to Znodes. Znodes are put in a queue and take turns to receive this block reward. Depending on the number of Znodes active, the payout will be once every few days.
The amount of returns depend on how many active Znodes there are. The more Znodes there are, the less each Znode gets. Based on 50% of circulating Zcoin being made into Znodes, we estimate the first year’s return to be in the region of 20-30+% per annum.
A Znode requires
- 1000 XZC (refundable at any time)
- A computer or VPS with a fixed IP address
- 1 GB of RAM
- Enough disk space to store the blockchain (25gb is recommended for the moment)
Typically a VPS of this specification costs around USD5 to run a month per node and you can head on to Amazon AWS, Google Cloud, Microsoft Azure, Leaseweb, Vultr, Linode, or DigitalOcean to obtain a basic VPS when Znodes are launched. There will also be Znode providers who can assist you to set this up and/or maintain it for a small fee.
Nodes are computers that host a full copy of Zcoin’s blockchain and help to verify the validity of transactions.
Znodes are a special type of node that earn part of Zcoin’s block reward (currently at 30% of the block reward) in return for hosting a reliable and powerful node that helps to support the network. Znodes require a refundable collateral of 1000 XZC to ensure Znode holders have a stake in the coin and are incentivized to keep it working honestly, updated often and have a high uptime.
In the future, it is intended that Znodes serve as a building block for other services to be built on top of it including the delegation of Zerocoin transaction processing.
zcoin.io will be our home for the foreseeable future. Previously zcoin.io was not available and thus we used zcoin.finance which we have now phased out.
zcoin.tech despite the similar website is not run by us and we highly recommend not downloading any files from there.