What are the differences between Zcoin and Zcash?

November 1, 2016

A common misconception is that Zcoin is a fork of Zcash. Zcoin is based on the Zerocoin paper, while Zcash is based on the Zerocash paper. Although the two papers share common authors and both use zero-knowledge proofs, they rely on different cryptography. There is otherwise no relation between the two projects.

Cryptographic Implementations

Zcoin uses RSA accumulators, which were introduced in 1993, as the foundation of our anonymity scheme, while Zcash uses zk-SNARKs, which were formulated only recently, in 2014, and which very few people understand. By comparison, RSA is one of the earliest forms of public-key cryptography: it was publicly described in 1977, has been battle tested, and forms the basis of many encryption schemes in wide use today, such as HTTPS, SSH logins and PGP for e-mail. Zcoin also uses the Fiat-Shamir transform, which was published in 1986.

Peter Todd’s blog post illustrates this perfectly in pointing out that if RSA breaks, Zcoin would probably be the least of your concerns.

zk-SNARKs as used in Zcash rely on more novel cryptographic assumptions which have not really been put under serious scrutiny.

It is a serious enough problem that the Zcash devs themselves are trying to find alternatives in the form of zk-STARKs, which remain at the research stage and are currently impractical to use. If these cryptographic assumptions do not hold, then the cryptography in Zcash breaks. Combined with an unauditable supply that may make it impossible to detect such problems, this means that zk-SNARKs, although technologically advanced, take on certain risks to achieve that.

Trusted Setup

While both Zcoin and Zcash use trusted setups, they are implemented differently.

Zcoin’s setup is conceptually very simple, as it only involves taking two primes p and q to generate a modulus n; p and q are then destroyed. Instead of generating these parameters ourselves, we use parameters that were generated from the RSA factoring challenge many years ago, so there is no possibility that the devs of Zcoin know these parameters. In fact, successfully obtaining those parameters would have netted you a nice bounty from RSA (before they discontinued the challenge)! You can read more on how these parameters were generated and destroyed here. Our opinion is that the simpler the setup process, the fewer things can go wrong.

However, we are now positive that we can remove the trusted setup completely using the Sigma (Σ) protocol, which would allow us to keep the high anonymity of zero-knowledge proofs without worrying about a trusted setup. This is currently in development.

Zcash’s setup is more elaborate and involved 6 trusted people; you can read about it here. In short, all six participants need to collude or be compromised for the parameters to be leaked.

Auditable Supply

The main risk of a trusted setup being broken is that an attacker can counterfeit coins out of thin air.
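The setup described under Trusted Setup (a modulus n = p·q whose factors are destroyed) and the counterfeiting risk above can be seen in a toy RSA accumulator. This is an added example, not Zcoin's code: the modulus is built from two well-known Mersenne primes so that the factors are available for the demonstration, the base G and the coin values are constructed, and real Zerocoin proves membership in zero knowledge rather than revealing a witness.

```python
# Added example: toy RSA accumulator. Values are constructed, not Zcoin parameters.
# P and Q are well-known Mersenne primes, kept here only to show what the
# trapdoor allows; a real setup publishes N and nobody may know P or Q.
P, Q = 2**31 - 1, 2**61 - 1
N = P * Q            # public modulus n
G = 65537            # public base (assumed value), coprime to N

def accumulate(elements):
    """A = G^(e1*e2*...) mod N; each element is a prime standing in for a coin."""
    acc = G
    for e in elements:
        acc = pow(acc, e, N)
    return acc

def witness(elements, member):
    """Honest witness: the accumulator over every element except `member`."""
    return accumulate([e for e in elements if e != member])

def verify(acc, element, wit):
    """Public membership check, uses only N: wit^element == acc (mod N)."""
    return pow(wit, element, N) == acc

def trapdoor_witness(acc, element):
    """With P and Q known, an element-th root of acc can be taken directly,
    giving a valid witness for a value that was never accumulated."""
    phi = (P - 1) * (Q - 1)
    d = pow(element, -1, phi)   # needs gcd(element, phi) == 1 (Python 3.8+)
    return pow(acc, d, N)

def demo():
    coins = [103, 107, 109]     # constructed "minted" primes
    acc = accumulate(coins)
    return {
        "member_ok": verify(acc, 103, witness(coins, 103)),
        "outsider_rejected": not verify(acc, 101, witness(coins, 103)),
        "forged_accepted": verify(acc, 101, trapdoor_witness(acc, 101)),
    }

if __name__ == "__main__":
    print(demo())
```

The forged witness passes the same public check as an honest one, so the membership check alone cannot reveal a compromised setup.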

Zcoin features a fully auditable coin supply. In our view this is immensely important, because any issue with our trusted setup or cryptographic implementation can then be detected. No code is ever perfect, even with the best of audits, and new threats and vulnerabilities are constantly being found. For example, even Bitcoin suffered a serious flaw that resulted in 184.4 billion Bitcoin being generated; an auditable supply allows such bugs to be found and fixed.

With Zcash’s use of private transactions and addresses, where amounts are also hidden, it is very difficult to detect whether a vulnerability has been exploited or whether there is a problem in their trusted setup. It should be noted that Zcash’s own audit did discover vulnerabilities and, although they were fixed, their own post notes that:

“Building secure crypto protocols is hard, and even our team of world-class cryptographers and security engineers will make mistakes along the way. Despite the challenge, we’re optimistic that our practices of careful security review and transparency will lead to a secure product.

At this point the Zcash protocol has been subjected to intense security review, first through scientific peer review, and then by our in-house team of experts. But we need even more scrutiny to gain assurance that the protocol is safe.”

We applaud Zcash’s developments, highly value their work in the cryptocurrency space and look forward to seeing their advances. However, we feel Zcoin has a place in providing one of the best anonymity systems, one which is built on proven cryptography and is set up in such a way that flaws, if exploited, can be detected.

For further details, please read our blog post.