What are the differences between Zcoin and Zcash?

By November 1, 2016 No Comments

A common misconception is that Zcoin is a fork of Zcash. Zcoin is based off the Zerocoin paper while Zcash is based off the Zerocash paper. While the Zerocoin paper and Zerocash paper share common authors and both use zero knowledge proofs, they rely on different cryptography. There is otherwise no relation between the two projects.

Cryptographic Implementations

Zcoin uses RSA accumulators which were introduced in 1993 as the foundation of our anonymity scheme while Zcash uses zk-SNARKs which was recently formulated in 2014 and very few ppl understand it. Comparatively, RSA cryptography is one of the earliest form of public key cryptography which was publicly described in 1977, has been battle tested and forms the basis of many encryption schemes in wide use today such as HTTPS, SSH logins and PGP for e-mail.

Peter Todd’s blog post illustrates this perfectly in pointing out that if RSA breaks, Zcoin would probably be the least of your concerns.

Trusted Setup

While both Zcoin and Zcash uses trusted setups, they are implemented differently.

Zcoin’s setup is conceptually very simple as it only involves taking two primes p and q, to generate a modulus n. p and q are then destroyed. Instead of generating these parameters ourselves, we use parameters that were generated from the RSA factoring challenge many years ago so there is no possibility that the devs of Zcoin know these parameters. In fact, successfully obtaining those parameters would have netted you a nice bounty from the RSA (before they discontinued the challenge)! You can read more on how these parameters were generated and destroyed here. Our opinion is that the simpler the setup process, the less things can go wrong.

However are now positive that we can remove trusted setup completely using the Sigma (Σ) protocol that would allow us to continue using the high anonymity of zero knowledge proofs without worrying about trusted setup and this is currently in development.

Zcash’s setup is more elaborate and involved 6 trusted people, and can be read here. But in short, all six participants need to collude or be compromised for the parameters to be leaked out.

Auditable Supply

The main risk of having trusted setups being broken is that an attacker can counterfeit coins out of thin air.

Zcoin features a fully auditable coin supply. In our view, this is immensely important as in the event of any issues with our trusted setup or cryptographic implementation, this can be detected. No code is ever perfect even with the best of audits and new threats and vulnerabilities are constantly being found. For example, even Bitcoin suffered a serious flaw that resulted in 184.4 billion Bitcoin being generated and an auditable supply allows such bugs to be found and fixed.

With Zcash’s use of private transactions and addresses where amounts are also hidden, it is very difficult to detect if a vulnerability is found or a problem in their trusted setup.

We applaud Zcash’s developments and highly value their work in the cryptocurrency space and look forward to seeing their advances. However, we feel Zcoin has a place in providing one of the best anonymity systems which is built on proven cryptography and is setup in such a way that flaws can be found.

For further details, please read our blog post.