Zcoin and Zcash: Similarities and Differences

By Reuben Yap, October 5, 2016

A question that often pops up is: what are the differences between Zcoin and Zcash? 

Zcoin and Zcash are the only two cryptocurrencies that use zero-knowledge proofs to guarantee zero-knowledge financial anonymity. There are various tradeoffs between using Zcoin and Zcash. Zcoin uses the Zerocoin Protocol (cited by academics 208 times, at time of writing), whereas Zcash uses the Zerocash Protocol (cited by academics 104 times, at time of writing). The cryptographic properties of Zcoin and Zcash complement each other quite nicely, and a good way to describe them would be as sibling cryptocurrencies.

Three major differences between Zcoin (Zerocoin Protocol) and Zcash (Zerocash Protocol) are as follows:

1) Zcash conceals the amount of money sent in each transaction, whereas Zcoin does not. So Zcash is less prone to privacy timing attacks than Zcoin. On the other hand, this comes with a big tradeoff for Zcash, in the form of potentially undetected hyper-inflation in Zerocash’s money supply.

A timing attack on Zcoin could work by exploiting knowledge of when somebody “mints” a Zerocoin.

The Zerocoin Protocol has two major steps. The first step is the “Zerocoin mint” step, in which a “public coin” goes into a data structure called an accumulator. An accumulator answers a query as to whether a potential candidate is a member of a set without revealing the individual members of the set. The second step is the “Zerocoin spend” step, in which the spender produces a zero-knowledge proof of owning a coin in the accumulator without revealing which coin it is. With this zero-knowledge “Zerocoin spend” proof, a fresh Zcoin is generated without any transaction history attached.
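The membership check behind the mint and spend steps can be seen in a toy RSA accumulator. This is an added example, not code from the original post or from Zcoin; the modulus, base, coin values and function names are constructed for illustration, and the check is done in the clear here, whereas a real Zerocoin spend proves the same relation in zero knowledge.

```python
# Toy parameters, constructed for illustration. A real deployment needs a
# large RSA modulus whose prime factors nobody knows.
N = 7907 * 7919
U = 3  # accumulator base

def accumulate(coins, start=U):
    """Fold every minted coin (a prime) into one accumulator value."""
    acc = start
    for c in coins:
        acc = pow(acc, c, N)
    return acc

def witness(coins, mine):
    """Accumulator over every coin except `mine`."""
    return accumulate([c for c in coins if c != mine])

def verify(acc, coin, wit):
    """Membership holds when wit**coin == acc (mod N)."""
    return pow(wit, coin, N) == acc

def on_new_mint(acc, wit, new_coin):
    """A later mint updates both values with one exponentiation each."""
    return pow(acc, new_coin, N), pow(wit, new_coin, N)

MINTED = [101, 103, 107, 109]   # constructed prime "public coins"
ACC = accumulate(MINTED)        # what the network publishes
WIT = witness(MINTED, 103)      # what the owner of coin 103 keeps
```

The accumulator value is a single number regardless of how many coins were minted, and a witness that is not updated after a later mint stops verifying.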

Because each Zerocoin must go through “Zerocoin mint” before it can be made anonymous with “Zerocoin spend”, analysis of the time between the “Zerocoin mint” and the “Zerocoin spend” might be used in a timing attack. It is possible that users might want to conduct “Zerocoin spend” transactions right after their “Zerocoin mint” transaction. Thus, if this behavioral heuristic is true, it could be used to assign a probability value that a “Zerocoin mint” transaction is associated with a certain “Zerocoin spend” transaction. However, waiting a longer time between the “Zerocoin mint” and “Zerocoin spend” transactions prevents such timing attacks from being effective.
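To see why waiting helps, the sketch below estimates how strongly a spend points back to each earlier mint, the kind of figure a wallet could show before spending. It is an added example, not part of the original post; the exponential delay model, the 60-minute mean and the mint times are assumptions made up for illustration.

```python
import math

def linkage_posterior(mint_times, spend_time, mean_delay):
    """Probability that each earlier mint is the one behind a spend.

    Assumes (hypothetically) that mint-to-spend delays are exponentially
    distributed with the given mean, i.e. that users tend to spend soon.
    """
    weights = {
        mint_id: math.exp(-(spend_time - t) / mean_delay)
        for mint_id, t in mint_times.items()
        if t < spend_time            # only mints already in the accumulator
    }
    total = sum(weights.values())
    return {mint_id: w / total for mint_id, w in weights.items()}

# Constructed mint times in minutes; "mine" is the wallet's own mint.
MINTS = {"A": 0, "B": 30, "C": 60, "mine": 100, "D": 160, "E": 220}

def exposure(spend_time, mean_delay=60):
    """Posterior assigned to the wallet's own mint for a given spend time."""
    return linkage_posterior(MINTS, spend_time, mean_delay)["mine"]

EARLY = exposure(105)   # spend 5 minutes after minting
LATE = exposure(400)    # spend 5 hours after minting
```

With these numbers the wallet's own mint is the most likely candidate when spent after five minutes (about 0.50 against a uniform 0.25), and falls to about 0.08 after five hours, below the uniform 1/6, because more recent mints now look more likely.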

Because Zcash conceals the transaction amount, it may be more effective than Zcoin against such timing attacks. However, this benefit also comes with a major tradeoff.

Essentially, for Zcash, there is no “certain scarcity” that even a fairly intelligent person can verify on a mathematical/cryptographic first-principles basis. zk-SNARKs use some very sophisticated cryptography. Only a handful of cryptography academics in the world can understand the steps in zk-SNARKs on a first-principles basis. The cryptographic principles behind Zerocoin have been around for a lot longer, and the Zerocoin paper was one of the most often cited cryptography papers in the past few years, with about 200 citations. Any fairly intelligent cryptography academic would be able to understand the foundations underlying Zerocoin.

If, God forbid, Zcash had a bug that allowed people to generate more Zcash coins than the intended money supply, then it is possible that nobody could tell. If it were a severe bug, somebody could potentially inflate the money supply by hundreds of millions of dollars, making a profit while lowering the price of Zcash for speculators. There are several examples of major cryptocurrency bugs that have led to a massive misallocation of the quantity of cryptocurrency that should have been in circulation. One major example is the 2010 Bitcoin value overflow bug, which increased Bitcoin’s money supply by over 90 billion:

“On August 15 2010, it was discovered that block 74638 contained a transaction that created 184,467,440,737.09551616 bitcoins for three different addresses.[1][2][3] Two addresses received 92.2 billion bitcoins each, and whoever solved the block got an extra 0.01 BTC that did not exist prior to the transaction. This was possible because the code used for checking transactions before including them in a block didn’t account for the case of outputs so large that they overflowed when summed”

With Zcash, these kinds of bugs could go completely unnoticed. Thus, if Zcash encountered a similar bug, it could see 99.999% of the entire Zcash market cap owned by one person, without anybody noticing.
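The missing check described in the quote can be reproduced with signed 64-bit wraparound modelled in Python. This is an added example, not Bitcoin’s source code or part of the original post; the function names and the transaction values are constructed, and MAX_MONEY is Bitcoin’s 21 million coin cap.

```python
COIN = 100_000_000               # satoshis per bitcoin
MAX_MONEY = 21_000_000 * COIN    # supply cap, used as the range bound

def to_int64(x):
    """Wrap an integer the way a signed 64-bit addition would."""
    x &= (1 << 64) - 1
    return x - (1 << 64) if x >= (1 << 63) else x

def naive_check(value_in, outputs):
    """Flawed logic: reject negative outputs, sum, compare once."""
    total = 0
    for v in outputs:
        if v < 0:
            return False
        total = to_int64(total + v)      # silent wraparound
    return total <= value_in

def hardened_check(value_in, outputs):
    """Range-check every output and every running total."""
    total = 0
    for v in outputs:
        if not 0 <= v <= MAX_MONEY:
            return False
        total += v
        if total > MAX_MONEY:
            return False
    return total <= value_in

def implied_fee(value_in, outputs):
    """Fee a miner would collect if the wrapped sum were accepted."""
    return value_in - to_int64(sum(outputs))

# Constructed transaction: 0.5 BTC in, two outputs just under 2**63 satoshis.
VALUE_IN = COIN // 2
OUTPUTS = [2**63 - 500_000, 2**63 - 500_000]
```

The two outputs sum to a small negative number after wrapping, so the flawed check accepts the transaction and even credits the miner 0.01 BTC more than the input was worth; on a transparent ledger the oversized outputs are still visible to anyone who inspects the block.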

A recent example of another cryptocurrency bug was The DAO, which experienced a $50 million hack.

As Greg Slepak notes, writing for the okTurtles blog:

“This situation, however, is far more serious than The DAO. Zcash’s code is several orders of magnitude larger and more complicated, and the consequences of failure are several orders of magnitude bigger.

“In Zcash’s current state: it is impossible to know whether a successful attack occurred. Unless a saboteur turns whistleblower, we’ll know it was compromised only after damages have occurred. And the more valuable Zcash is, the more dangerous it is. There is no “Undo” button.”

Outside of unintentional bugs, there is also another problem. Due to the cutting-edge nature of zk-SNARKs, there is not nearly as much peer review of the underlying cryptography for Zerocash as there is for Zerocoin. There is also a much smaller group of academics who can understand the cryptographic first principles underlying Zerocash. If there are hundreds of millions of dollars on the line, even the noblest of academics may find a way to cross ethical lines. In contrast, with Zcoin, even if there were a bug, everyone could tell that the money supply doesn’t check out.

2) Parameter generation:

Zcoin uses parameters generated 25 years ago from the RSA Factoring Challenge. At projected computing capacity, they will be safe to use for many more decades. By then, Zcoin can port its parameters to a new cryptographic scheme. Admittedly, RSA has not been a great company in recent years, with revelations of RSA collaborating with the NSA. But the keys to the RSA Factoring Challenge were generated in 1991, early in RSA’s days, when the creators of the RSA algorithm still had a high amount of control over their company. On the other hand, there is a strong mitigating factor in the unlikely scenario of a compromised Zcoin setup: everybody could still see whether Zcoin’s money supply checks out. In contrast, if Zcash’s setup were compromised, a hyper-inflated money supply could go completely undetected.

Zcash relies on the assumption that the actors in the parameter generation do not all collude. As long as there is one honest actor, everything is fine. If not, they could double spend or do anything they want with Zcash. Just as there has been worry over Zcoin’s parameter setup, there has been some worry about Zcash’s setup.

However, in our opinion, Zcash’s setup will be fine, as there will most likely be at least one honest person. Neither setup is ideal, but both are still workable.

3) Zcash requires more memory and significantly more time to send a private transaction than Zcoin. On the other hand, Zcoin currently requires significantly more storage space than Zcash.

According to Zcash’s benchmarks:

“On a quad-core benchmark server, generating a private transaction consumes ~3.2 GB of memory and ~50 seconds of compute time.”

This is a relatively high memory requirement, as many laptops only have 4 GB of RAM. Even on a device with 8 GB of RAM, a 3.2 GB memory requirement may force Zcash’s private transaction generation to go into swap space. If Zcash goes into swap, then even on state-of-the-art SSDs, transfer rates are at least 10 times slower than DDR3 speeds. On older devices, transfer rates could be 30 times slower or more if Zcash goes to swap. Thus, for a typical 4 GB RAM device (which usually already has at least 1 GB of memory in use), Zcash’s effective compute time should be between 10 and 30 minutes. It is also very possible that many devices with 8 GB of RAM would go into swap as well, also taking between 10 and 30 minutes to generate a private transaction.

Zcoin’s private transactions are not as memory-intensive as Zcash’s. On a quad-core benchmark server, generating a private transaction with “Zerocoin mint” and “Zerocoin spend” consumes ~10 seconds of compute time. Thus, sending a private transaction with Zcoin could be between 5 and 200 times faster than with Zcash, depending on the device.

On the other hand, Zcoin’s private transaction sizes are about 50 times larger than Zcash’s transaction sizes. This will not be a limiting issue for several reasons. One easy fix would be to update Zcoin to support pruning:

In his whitepaper, Satoshi mentioned “pruning” as a solution to Bitcoin’s potential future scalability issue. Surprisingly, it’s not discussed often. When there is greater demand for Zcoin transactions than its capacity, Zcoin can build pruning into the protocol. This way, the storage requirements for Zcoin could be minimal.

By stubbing off branches in the Merkle tree to save storage space, pruning could be built into Zcoin in a similar fashion to that described in Satoshi’s whitepaper:

“Once the latest transaction in a coin is buried under enough blocks, the spent transactions before it can be discarded to save disk space. To facilitate this without breaking the block’s hash, transactions are hashed in a Merkle Tree [7][2][5], with only the root included in the block’s hash. Old blocks can then be compacted by stubbing off branches of the tree. The interior hashes do not need to be stored.”
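The stubbing described in the quote, as an added example that is not from the whitepaper or the original post: branches whose transactions are all spent collapse to a single hash, and the root is unchanged. The nested-tuple tree, the function names and the eight placeholder transactions are constructed for illustration.

```python
import hashlib

def h(data):
    """Bitcoin-style double SHA-256."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def build(leaves):
    """Full tree as nested (left, right) tuples; leaf count is a power of two."""
    level = list(leaves)
    while len(level) > 1:
        level = [(level[i], level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]

def root(node):
    """Merkle root; a bytes node is either a leaf hash or a pruned stub."""
    if isinstance(node, bytes):
        return node
    return h(root(node[0]) + root(node[1]))

def prune(node, spent):
    """Return (pruned_node, fully_spent); fully spent subtrees become one hash."""
    if isinstance(node, bytes):
        return node, node in spent
    (left, l_spent), (right, r_spent) = prune(node[0], spent), prune(node[1], spent)
    if l_spent and r_spent:
        return h(left + right), True    # stub: everything below is discarded
    return (left, right), False

def stored(node):
    """Number of leaf or stub hashes that still have to be kept."""
    return 1 if isinstance(node, bytes) else stored(node[0]) + stored(node[1])

# Constructed block of eight placeholder transactions; tx0..tx3 and tx6 are spent.
LEAVES = [h(f"tx{i}".encode()) for i in range(8)]
SPENT = {LEAVES[i] for i in (0, 1, 2, 3, 6)}
FULL = build(LEAVES)
PRUNED, _ = prune(FULL, SPENT)
```

The four spent transactions on the left collapse into one stub, while tx6 stays because its sibling tx7 is unspent and still needs a path to the root.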

Diagram from Satoshi’s whitepaper:


However, for now, Zcoin’s transaction volume capacity is more than enough. Even with 50 times larger proof sizes, storage is a low-priority concern because of Moore’s Law. As Satoshi describes in the whitepaper:

“With computer systems typically selling with 2GB of RAM as of 2008, and Moore’s Law predicting current growth of 1.2GB per year, storage should not be a problem even if the block headers must be kept in memory.”

Here at Zcoin, we believe that having multiple zero-knowledge cryptocurrency implementations is a blessing to society. Like Zcoin, Zcash is also enabling individual freedom and open commerce in the world by increasing financial privacy. We applaud the work that the Zcash team is doing. With that in mind, it is important to understand the inherent tradeoffs between the Zerocoin and Zerocash protocols. Zcoin has some major advantages over Zcash, as well as significant disadvantages. By increasing awareness of these tradeoffs, privacy-centric users can more effectively choose the coin that suits their concerns and specific use cases.

Reuben Yap
