ZCash Will Be a Truly Anonymous Blockchain-Based Currency (ieee.org)
273 points by mbgaxyz on Oct 25, 2016 | 267 comments



Another altcoin. This one has a 10% pre-mining cut for the founders:

"Zcash's monetary base will be the same as Bitcoin's — 21 million Zcash currency units (ZEC, or ⓩ) will be mined over time. 10% of that reward will be distributed to the stakeholders in the Zcash Company — founders, investors, employees, and advisors. We call this the “Founders Reward”."

Here's a list of the other 709 altcoins.[1] 373 of them are still tradeable. 88 have a market cap in excess of $1M. 27 have a market cap in excess of $10M. 4 have a market cap in excess of $100M. PayCoin, which was last year's heavily promoted new cool coin with a "guaranteed floor" of $20, is now at position 415 with a value of $0.002606 and a market cap of $30,247.

[1] https://coinmarketcap.com/all/views/all/


> Another altcoin.

The vast majority of "altcoins" are minor tweaks on Bitcoin and a couple others, they're not at all technically interesting, and I think it's an open secret they're pump-and-dump schemes.

I don't know much about ZCash, but I know it's pretty unfair to dismiss it as "another altcoin". The people behind it are well respected [1][2] and it makes use of novel technology.

1. https://en.wikipedia.org/wiki/Matthew_D._Green

2. https://en.wikipedia.org/wiki/Zooko_Wilcox-O%27Hearn


>I don't know much about ZCash

ZCash has this ability to de-anonymize users through targeted blocks, and is a privately-held U.S.-based company that claims no liability for its users' actions, meaning if subpoenaed they will [probably] turn over information.

They're also privately cashing in on 20% of all transaction fees.

Just because someone behind a project has credentials you respect doesn't mean we should ignore aspects of the project.


> Just because someone behind a project has credentials you respect doesn't mean we should ignore aspects of the project.

I agree. Good thing that's not what I did.

Regardless of any flaws, there has clearly been a lot of effort put into it by multiple smart people with good intentions (from what I can tell), therefore it is unfair to characterize it as just "another altcoin".

That's the only assertion I made.


But when you look at the characteristics of ZCash, it is just another garden variety alt-coin, despite the credentials of the people behind it.


The privacy in ZCash is information theoretical. There just aren't enough bits in the transaction to identify you.


>There just aren't enough bits in the transaction to identify you.

From the ZCash Whitepaper:

>A powerful attacker could potentially fabricate an additional block solely for a targeted user. Spending any coins with respect to the updated Merkle tree in this “poison-pill” block will uniquely identify the targeted user.


That would only tell you that a given network participant is making a transaction. The inputs, outputs and amounts are all still private.


So what? That is the opposite of anonymous. That's the point.


You do not know anything about the transaction. Not the amount, not the sender. Just that it happened.


[flagged]


Huh? What part of his post is trolling?


Not trolling. What makes you think I am?


"Premined" is not strictly accurate. 1/10 of the mining reward will eventually go toward a wallet controlled by the developers. The rate of the incentive payments starts out high and decreases over time. [1] This is different from a premine or instamine, where the devs begin life with a stash of protocol tokens, which they then have a strong inclination to dump on the market.

Zcash's 10% vig is an improvement over instamine or premine. I agree this structure is still not ideal for maximizing zcash value, as it creates an incentive to clone zcash (without the vig). Zcash looks like it will be rather more difficult to clone than, say, Ethereum. But it will certainly be done. I also expect that some of zcash's features will be added to other protocols, thus diluting its tech advantage.

No one has figured out how to force everyone to invest in the same version of bitcoin, and perhaps that is as it should be. I still expect the Zcash devs to make out OK.

[1] https://z.cash/blog/funding.html


Did anyone fork or clone Ethereum to cut out the developer's premine? I'd be interested in an Ethereum-like, but only without the politics of forking based on protecting assets of the original developers.


Yes - the forthcoming UBIQ is a fork of eth without premine along with some code improvements. You can read more here: https://bitcointalk.org/index.php?topic=1631210.0


You might be interested in Tezos (https://tezos.com, disclosure: I'm the lead dev), an upcoming distributed ledger and smart-contract platform with a decentralized governance model. It's not a clone of Ethereum, it's a fresh, from scratch implementation of a new protocol in pure OCaml (with the notable exception of a dependency on libsodium).

It's two years in the making and we're hoping to launch in March. Governance is necessary for the maintenance of the commons, but we don't think it should be in the hands of a foundation or a core development team.


I heard about your project via Doug Barnes at a lawyer party, of all places. Very interested in the meta protocol or governance model. A worthy experiment!


Glad to hear, we've been very lucky to have Doug advise us on the project!

For those reading this who don't know him, Doug has an impressive pedigree both as a lawyer and as a technologist / cypherpunk. He was, for instance, the president of "Evil geniuses for a better tomorrow".

https://en.m.wikipedia.org/wiki/Mnet_(peer-to-peer_network)

He now specializes in advising startups and I cannot recommend him enough. http://barneslegal.net/


Yes, there are various clones, possibly premined by clone devs! I won't mention any b/c I don't want to appear to endorse any.

To my knowledge, ETHC maintained chain of title with original ETH up to the fork. However, the DAO exploits may have transferred some of the premine to the team that worked the exploit, to the extent any of the devs invested in the ill-fated DAO.


> Another altcoin. This one has a 10% pre-mining cut for the founders

The way the "10%" is done is that it's really 20% for the first 4 years then 0%. Given the past history of premined altcoins I wouldn't weigh the odds that this specific system really lasts more than 4 years out especially high.


Never fear, I liquidated my entire 401k and put it into dogecoin, 5.56 ammunition and canned lard.


I heard that lego bricks are a better investment. No joke.

http://www.telegraph.co.uk/investing/shares/lego-a-better-in...


Laughed until I read 'canned lard' then I knew you were serious. I too dropped luxury. highfive


Such balls. Much chest hair. Amaze.


Yup, it's a clever idea, but wait for someone to be the Litecoin to their Tenebrix.


Given how complicated the technology is that they will be working with (as someone who has attempted to read the zcash whitepaper), I find this extremely unlikely. Sure there will be clones, but no altcoin "developer" will be able to properly maintain this, so bugs won't get fixed, or it'll always be lagging behind Zcash, or worse, they introduce unintentional bugs and completely wreck their blockchain and lose the money of the few fools who thought that the developers/company running it getting some money is bad.


a/ It's naive to assume the market won't work in this one case and people will happily pass ten percent of their money to support staff just because their work is important. What can be competed away will be competed away.

b/ Open source works well for very complicated pieces of software.

c/ As we saw in the case of Ethereum, assuming you can buy due diligence with money alone is a mistake.


Open source works well for very complicated pieces of software, except for complicated cryptography; the material used in ZCash was developed in papers as recent as 4 yrs ago. Rest assured that most programmers understand nothing about the underlying SNARKs.


You are underestimating passionate and very smart people.


I am not underestimating anyone; even within theoretical cryptography, SNARKs are understood by a handful of people.


I am a cofounder of a company in this space and three people in my company are in a position to understand it very well. For example Sergio who also blogs here: https://bitslog.wordpress.com


Sergio's a great guy, but he does NOT understand the mechanics behind SNARKS "very well". You're overestimating his grasp of the moon-math in SNARKS.


I don't see anything there about zkSNARKs?


Sorry to get personal, but it seems you are very shortsighted and need to see a specific keyword to understand the capabilities of the people.

Please let me know what specific topic of zkSNARK you find challenging to explain and we can write a blog post about it.


Here are the topics I'd be happy to hear blog posts about:

a) the mechanics of the proof generation, including outlining the time for proof generation.

b) How the trusted setup works; for extra credit describe in detail how zcash plans to do it.

c) an ELI5 explanation of zkSNARKS

d) a comparison of the Ben-Sasson and Parno implementations.


Your request was routed internally and we hope to have an article in ~1 month.


Off topic, I'd actually be very interested in a cryptographer's guide to zkSNARK...


I don't want to see a specific keyword; all I'm saying is that there is nothing on that website indicating any great knowledge of theoretical cryptography. For instance: no proofs, formal definitions, nothing. Not even links to other websites hosting such things.


I really feel frustrated by your lack of search/manual-crawling/link-clicking/understanding capabilities. He was the official security reviewer of Bitcoin and Ethereum. Then some extra references so you can continue your own search:

- "MPF (Mental Poker Framework): A new family of practical and secure Mental Poker protocols" http://www.dc.uba.ar/inv/tesis/licenciatura/2010/lerner

- MAVEPAY: a new lightweight payment scheme for peer to peer currency networks: https://bitslog.files.wordpress.com/2012/04/mavepay1.pdf

- Strict Memory Hard Hashing Functions: http://www.hashcash.org/papers/memohash.pdf referenced in the Ethereum original paper: http://gavwood.com/paper.pdf


I am not doubting Sergio's security expertise, but security expertise != theoretical cryptography expertise. Crypto requires providing clear definitions and proofs of security. All I see in the first two links are ad hoc constructions, with heuristic arguments for security; no security definitions, no reductions, no proofs.

The last link is more formal, and talks about models of computation, but once again does not provide any reductions.


Are you part of the Zcash team?


The Zcash additions are significantly less complex than the Bitcoin system overall especially once accepting the ZKP as a tidy black box with clear boundaries.


I wouldn't be so sure of that, there already exist some alternatives which seem better in some ways like Monero. I have very low trust for scam developers like the ZCash ones, I'm sure someone quite capable could take it up.


The people behind ZCash are definitely not "scammers"; they're respected computer scientists and applied cryptography engineers.


They may have some flashy names, but there's no truly provable reason to believe they're better than the fly-by-night guys who pop up on bitcoinforums with a new altcoin and dump it as soon as it's up and running.

Since there's no cryptographically provable way to know they won't do this, well, we have to assume it's what they'll do. Distrust is the basis for cryptocurrencies after all.


Unlike those fly-by-night guys, these people have their reputations at stake; they have not only their names associated with this project, but also their academic careers.

Moreover, having worked with some of them, I can assure they're not shady no-gooders...


There's no truly provable reason to believe anyone isn't a scammer. Many supposedly reputable people in the finance industry are eventually revealed to be scammers. It's unavoidable.

But these guys are much less likely to be scammers than the typical no-name GitHub/Twitter/Bitcoinforums accounts promoting a new revolutionary coin.


Part of the reason for their share of the mining reward is to give them a strong economic incentive to stick with it for at least four years.


So the developers are scammers because you use an alternative?


'scam developers'? A bit harsh isn't it?


They're running a pump and dump, sure, they made it rate limited, but a delayed pump and dump is still a pump and dump.


A pump and dump that was started at Johns Hopkins and has been worked on for three years? Wat?


I went to a talk at Stanford by Eran Tromer on Wednesday, in which he described some of the theory behind Zcash. He made a lot of very strong claims about his new approach to computer security. There was a lot of hand-waving. I don't understand exactly what he's claiming, and what he claims to have proved. You can watch the video yourself and try to figure it out.[1]

Tromer's paper [2] may be helpful. At least there, the references are cited and findable. Tromer's first result deals with collision-resistant hash functions. That's been a big headache in practice. It's really hard to develop a cryptographic hash function for which someone can't create two strings that result in the same hash.[3] MD4 and MD5 have been broken, SHA-1 has been partially broken, and SHA-256 hasn't been (publicly) broken yet. Tromer seems to be claiming that he has a solution to weak hash functions. But it's really hard to tell from his writing.

Anybody really understand this?

[1] http://web.stanford.edu/class/ee380/

[2] http://www.cs.tau.ac.il/~tromer/papers/huntingsnark-20140724...

[3] https://www.cs.cornell.edu/courses/cs6830/2009fa/scribes/lec...


I don't disagree with your general point but PayCoin was a straight up scam, created by scammers. Not a fair comparison.


I don't see how it's arguable for a currency to have a 10% cut for the founders. That's too high.


Alt-coin founders are still into the whole deflationary thing I see.


What's the problem with that? It seems to be working so far.


It incentivizes hoarding over spending, especially in the face of an expanding economy.

Though to be fair, the rate at which new cryptocurrency pools are being created seems to more than keep up with the growth of the economy. Who needs the government to print money when anybody can?


> it incentivizes hoarding over spending, especially in the face of an expanding economy.

That kind of macroeconomic analysis assumes that everybody already owns some amount of the currency.

However in the new currency markets that are developing, you have to consider the incentive to even start accepting a currency.

One that loses value over time is not attractive to the recipient.


>One that loses value over time is not attractive to the recipient.

Correction: One that changes value over time is not attractive to the recipient.

You can shine the deflationary currency as much as you'd like, but economists have a consensus on why the volatile behavior of set-supply currencies is inferior.

It's precisely why the world's major currencies don't use the gold standard, but honestly, this conversation repeats itself almost every time a deflationary cryptocurrency gets posted.


Sure, pyramid schemes are a great way to drum up interest.

How about stability and liquidity instead? The more readily exchangeable a unit of currency is for goods, the easier it will see adoption. Deflationary currencies, due to their incentivization of hoarding, tend to be both unstable and illiquid, driving away anyone but speculators.


Working for whom? It certainly works the best for those that mine early (aka the founders).


There's Freicoin.


The whole electronics market is deflationary, and it's doing just fine.


I don't see anyone seriously suggesting to use electronics as a trade medium.


nah ach, swift, amex, visa, mastercard, unionpay, ebay, paypal, venmo, facebook, wechat; won't ever catch on


It's the internet vs. intranets all over again. People have too much stock invested in "bitcoin is fundamentally flawed" and before that it was "bitcoin is a scam". Now it's "a different bitcoin is the answer".

EDIT: Time and again getting downvotes because of HN's cognitive dissonance. Pathetic low-tier reddit run-off is entering HN's market share.


I really hope for some success from Interledger[1] and the Web Payments Community Group at W3C[2] to start bridging the gap and letting people exchange money (directly) with whatever currencies they want.

[1] https://interledger.org/

[2] https://web-payments.org/


   letting people exchange money (directly) with whatever currencies they want
If you had any idea the amount of regulation and ridiculousness involved in banking and forex, you'd laugh at this statement.


Or it's like Gulden (NLG) [0] which went up 30 times over the last months. Currently they are installing terminals in parts of the Netherlands, some in Taxis.

Edit: This altcoin also seems to provide anonymity [1]

[0] https://bittrex.com/Market/Index?MarketName=BTC-NLG

[1] https://shadowproject.io/en


I'm Dutch, consider myself well-informed and well-read, but I've never heard of this project before. To be honest, it sounds like another cryptocoin pyramid scheme. On their website this altcoin is presented as an investment opportunity where the value of the coins you own increases with the number of users.

> The value of Gulden is determined by the demand for Gulden, as with gold or silver. The price can go up or down, but on average the value of Gulden goes up.

Sure. It will only go up. Just like all the other altcoins.

There is something that irks me about the name of this project. Gulden is the name of the Dutch currency used before the introduction of the Euro. At this point in time it has strong historical connotations (obviously), but it is also a symbol of adherents of the nationalistic political (far) right in the Netherlands. There are plenty of people from the lower socio-economic classes who, fuelled by demagogues, believe we should revert to the Gulden (the actual currency, not this altcoin), close our borders, get out of the EU and once again prosper (even though we are already doing pretty well all things considered, and the EU benefits us on the whole, despite all its warts).

Choosing Gulden as a name for this project seems to explicitly place it at the heart of that particular bit of discontent. It also feels extremely pretentious to use the name of our historic currency that anyone over the age of twenty actually used. This I can grok from a commercial standpoint, but it leaves a nasty taste.


Apart from you associating wanting back the old Gulden and leaving the EU with being part of a lower-economic class, which I find extremely elitist and condescending, and which annoys me greatly...

Gulden is used for actual value transfer that is easier than currently possible between banks, I can just transfer value to you by scanning your QR code. As such there is value in this method. Moreover I can not only transfer value to you but also to shop holders and taxi drivers around Groningen, this is due to human labor by the company behind Gulden. Gulden was trending in the iOS store a couple of days ago by the way, so many people have heard of it, even internationally.

The name YouTube also refers to old CRTs, perhaps indeed to evoke a certain feeling. Who cares.


I understand your annoyance about the class statement, but demographically speaking I'm not far off the mark. Appearances aside, marketeers don't choose names at random. There is a thought-through business plan behind this that specifically targets a certain demographic — I contend that a good part of the group targeted here can often ill-afford to invest their savings in something as ethereal as an altcoin (which is what they are suggesting on the Gulden website).

> Gulden is used for actual value transfer […]

I can see some of the benefits touted, but for most of those situations cash or our excellent system of debit cards and POS-terminals already do this, and transferring money via IBAN is peanuts (and free within most EU countries). But convenience aside, cash works without a smartphone and middlemen. It's mostly anonymous too.

Besides, I get that companies are vying for the position of the one digital money transfer 'app' here in the Netherlands, because whoever manages to do that is in for a very profitable ride (like that one similar app popular in Sweden), but linking it to their own altcoin seems like a way to propagate a pyramid scheme by means of an app some will find useful.


Already down 50% from the peak one week ago.


Sure it's volatile but there are truly innovative companies. Gulden for example can transfer directly to IBAN accounts. You can also directly get Euros from them on their own website. Shops are starting to accept Gulden locally. These are the projects to follow.


What's the point behind Gulden, though? Why do I need a cryptocurrency for anything they're doing? Do they allow anonymous gulden -> IBAN transfers? If yes, that'd be a unique feature but also one that has obvious potential for misuse and might not go down well with financial institutions and regulators.


There's a general attitude to some of the comments here.

  "Another altcoin."
  "I wouldn't weigh the odds that this specific system really lasts
  more than 4 years out especially high."
ZCash isn't just another fly-by-night cryptocurrency scam. It's a serious engineering effort that was carefully undertaken by some very well-known cryptography and security experts.

  Matthew Green
  Daira Hopwood
  Taylor Hornby
  Ian Meiers
  Zooko Wilcox-O'hearn
Every one of the names in the preceding list is or was involved in the ZCash project to some capacity. Every one of those names stands alone on their own merits.

Ask your cryptography expert friends what they think about ZCash. Yes, the ones who are always yakking about side-channel cryptanalysis and which character device to use for generating random numbers. If you don't have any such friends, go to ##crypto on Freenode and say "Hi". It's all uphill from there.

Saying the equivalent of "Monero is better" is little better than trolling. Let Monero stand on its own merits; being negative and hostile accomplishes nothing.

Saying the equivalent of "Sigh! Another doomed altcoin" is needlessly pessimistic. ZCash represents what every other altcoin should have been doing all along:

  - It uses a real proof-of-work function.
  - It offers actual anonymity (an improvement over BitCoin).
  - It uses an entropy source that won't fail open (like so many BitCoin apps did).
  - It was designed and implemented by a team of academic cryptographers
    and industry experts on secure cryptography implementations.
  - The team took their time bringing a solid implementation to market.
  - Every design decision was documented and discussed openly.
If you have technical concerns about the protocol design or implementation, please don't feel discouraged in sharing them. It's the dismissive attitude that's bothering me.


> ZCash isn't just another fly-by-night cryptocurrency scam. It's a serious engineering effort that was carefully undertaken by some very well-known cryptography and security experts.

The implication that most of the alt coins are like this is unfortunate. Sure, very many of the alt coins are just bitcoin clones with a different genesis block trying to get rich, but many of the alt coins have had great minds behind them; that's not novel in and of itself.


Out of curiosity, which alt coins would you put in the latter category ("have had great minds behind them")?


If I answered that I would have to make personal endorsements of the team members of those coins which I am not prepared to do.

Same reason Gary Johnson didn't answer the "Name a foreign leader you respect"... once you name someone you open up to answering for all their mistakes.


This dismissive attitude infests HN; whenever someone does something, the top comments are from people nit-picking and finding flaws with the work.


Are you being meta on purpose?


Hey there, I asked about some comparisons to cryptonote technologies, of which Monero is one, and I haven't gotten any real answers. Would you like me to repost it under your thread? Or can you just find it in the comments?

My understanding of the execution of Zcash is pretty clear, and it seems like a worse execution than existing technologies, especially cryptonote, of which Monero is one. Am I trolling, or looking for a counterpoint? Do you understand how cryptonote technology works? The criticisms have been the exact same since 2014.

Blockchain technologies are intended to be able to stand on their own without high profile names attached to them. ZCash is doing the opposite of that, and not even offering anything to make up for it. This invites criticism, let alone the product itself.


Monero has a weaker security/performance tradeoff; it seems that if you want a large anonymity set then you have to pay for it with a large tx size. Zcash, on the other hand, has the entire blockchain as the anonymity set with no increase in tx size.


An "attitude" pump, really? :)

I was one of the first and most dismissive when bitcoin was released. I'm on record saying "yet another p2p currency piece of crap" one ~day after its January 2009 announcement and release. There are so many endless p2p currencies out there-- this was even the case when bitcoin was first launched-- so many that, frankly, any dismissive attitude is completely justified. You can't go around saying "you're too dismissive" because by doing so you commit the same crime you're accusing others of committing. Keep in mind that for some of us there's a lot of background in reviewing cryptocurrency proposals; it came as a surprise to me to later learn that there was actual working source code associated with bitcoin rather than merely manifesto emails.

Also, "I wouldn't weigh the odds that this specific system really lasts more than 4 years out especially high" is clearly a reference to the author's experience analyzing (or reviewing) zk-SNARKs and related cryptocurrency proposals. I suspect even Zooko would readily admit that there are alternative SNARK constructions that they might move towards over time. Heck, it was nullc who pointed out to me that Bryan Parno had published on a libsnark security hole: https://eprint.iacr.org/2015/437 -- and besides, it's not yet time to say that the trusted setup and the host of new cryptographic assumptions are rock solid... otherwise let's merge this into bitcoin. "Attitude", ha.

Also... it's not clear whether a high-privacy cryptocurrency, built by a specific nameable centralized company, is able to both operate as a legal business entity while still ensuring they are not operating under secret court orders from secret courts or other adversarial government interests, such as to inject silent inflation or otherwise compromise your integrity. It's too early to dismiss the concerns (of adversarial intervention) regarding the financial link between the Zcash developers and the Zcash cryptocurrency. (It may not be clear to casual readers that, unlike in Zcash, in bitcoinland there's no protocol rules about paying developers from the mining subsidy reward amounts. There are very strong reasons for why this is still the case.)

(If you are going to have adversarial intervention like that, then you might as well use a much more directly centralized currency. It's not enough to handwave about the wonders of crypto and theoretical computer science while subjecting your work to extreme adversarial intervention. High-privacy designs in a centralized system can somewhat work, even if you were to want to explicitly make a backdoor for whatever law enforcement interests you pledge loyalty to.)


I doubt that the majority of dismissive comments come from such an apparently informed perspective as your own. Many likely come from people who know a little, and who want to say something on HN, and (in true hipster fashion) take the safe route and trash the idea on vague hand waves rather than sticking their necks out to support it. That is the attitude I believe was frustrating the grandparent.


> I doubt that the majority of dismissive comments come from such an apparently informed perspective as your own.

Maybe. You might have to admit that it's pretty funny that out of all the "overly dismissive comments" from which OP could have selected, one of the two quotes picked happens to be from someone I have pointed out as having done far more diligence than myself :).


> That is the attitude I believe was frustrating the grandparent.

Precisely.

kanzure: An informed criticism is valuable. Thank you for sharing yours.


Some slight corrections:

It's Ian Miers, not Meiers.

The Equihash proof of work, its name notwithstanding, is a real puzzle, not a Hashcash hash function. Each instance can yield 0, 1, 2 or more solutions (though rarely more than 7).
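As an added example (not from the thread or the Zcash project), here is a toy Equihash-style generalized-birthday puzzle with constructed parameters (n=12 bits, k=2 rounds, BLAKE2b as the hash; real Zcash uses n=200, k=9), solved with Wagner's algorithm. Running it over a range of nonces shows instances with 0, 1, 2 or more solutions, which is the property the correction above points at.

```python
import hashlib
from collections import Counter, defaultdict
from itertools import combinations

# Toy parameters, constructed for illustration only.
N_BITS = 12                       # width of each hashed value (real Zcash: 200)
K = 2                             # collision rounds; a solution has 2**K indices (real: 9)
COLL_BITS = N_BITS // (K + 1)     # bits cleared per round (4)
LIST_LEN = 2 ** (COLL_BITS + 1)   # initial list size (32), chosen so ~2 solutions are expected


def hash_index(header: bytes, nonce: int, i: int) -> int:
    """Map (header, nonce, index) to an N_BITS-wide value with BLAKE2b."""
    msg = header + nonce.to_bytes(4, "big") + i.to_bytes(4, "big")
    h = hashlib.blake2b(msg, digest_size=4).digest()
    return int.from_bytes(h, "big") & ((1 << N_BITS) - 1)


def wagner_solve(header: bytes, nonce: int) -> list:
    """Return all distinct solutions for one (header, nonce) instance.

    A solution is a sorted tuple of 2**K distinct indices whose hashed values
    XOR to zero.  Round r pairs items that agree on bit-slice r, so the XOR of
    each pair has that slice cleared; after K rounds only the top COLL_BITS
    remain, and they must be zero as well.  The number of survivors varies
    per nonce, which is why an instance can have 0, 1, 2 or more solutions.
    """
    items = [(hash_index(header, nonce, i), (i,)) for i in range(LIST_LEN)]
    for r in range(K):
        mask = ((1 << COLL_BITS) - 1) << (r * COLL_BITS)
        buckets = defaultdict(list)
        for value, idx in items:
            buckets[value & mask].append((value, idx))
        nxt = []
        for group in buckets.values():
            for (v1, i1), (v2, i2) in combinations(group, 2):
                if set(i1).isdisjoint(i2):          # indices must be distinct
                    nxt.append((v1 ^ v2, tuple(sorted(i1 + i2))))
        items = nxt
    return sorted({idx for value, idx in items if value == 0})


def verify(header: bytes, nonce: int, solution: tuple) -> bool:
    """Cheap check a node would run: right size, distinct in-range indices, XOR is zero."""
    if len(solution) != 2 ** K or len(set(solution)) != len(solution):
        return False
    acc = 0
    for i in solution:
        if not 0 <= i < LIST_LEN:
            return False
        acc ^= hash_index(header, nonce, i)
    return acc == 0


def solution_histogram(header: bytes, nonces: range) -> Counter:
    """Count how many nonces yield 0, 1, 2, ... solutions."""
    return Counter(len(wagner_solve(header, n)) for n in nonces)


if __name__ == "__main__":
    hdr = b"constructed-block-header"          # constructed sample input
    hist = solution_histogram(hdr, range(300))
    for n_sol in sorted(hist):
        print(f"{n_sol} solution(s): {hist[n_sol]} nonces")
```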


ZCash has a myriad of fundamental issues, chief among them:

- ZCash is a US-based LLC, and given what is publicly known about the capabilities and past behavior of its intelligence apparatus I don't see how anyone can claim that such an organization can shepherd a 'truly anonymous blockchain', particularly one that is essentially a black box

- ZCash's blockchain is a black box and requires you to not only trust them with your anonymity, but also to trust them not to create coins arbitrarily - a successful attacker could also mint coins at will - as there is no way to verify circulation

- Anonymous transactions are optional and require tremendous resources to generate

- It is an innovative take on a pre-mine where insiders were given opportunity to pre-purchase coins at the expense of future miners

I suggest that anyone looking for a truly anonymous blockchain experience take a look at Monero.


> I suggest that anyone looking for a truly anonymous blockchain experience take a look at Monero.

And I suggest that anyone looking for strong provable anonymity guarantees not look at Monero. The security guarantees of ZCash are stronger than those of Monero, and the trusted setup issue can be mitigated via the MPC protocol detailed in a recent paper.

EDIT: compromising the trusted setup does not compromise anonymity; the zero knowledge proofs used enjoy a property known as "perfect zero knowledge".


> ZCash is a US-based LLC, and given what is publicly known about the capabilities and past behavior of its intelligence apparatus [...]

why does it matter where zcash is incorporated when the apparatus you're describing operates without regard for borders?

zcash is the first effort at a cryptocurrency where I have immense respect and trust for its team right out of the gate. not sure where the FUD is coming from (although I'd hypothesize that you are long monero?).

>Anonymous transactions are optional and require tremendous resources to generate

this is indeed a problem. hopefully temporary.


"why does it matter where zcash is incorporated when the apparatus you're describing operates without regard for borders?"

Yes, they can do intelligence ops and attacks in other countries, but can't issue a subpoena along with a gag order. Attacks can be defended against, secret court orders - not. A decision to make this currency US based killed it before it was even born. That's sad, because technically ZCash looks quite interesting.


Subpoena for what? There's no useful data to hand over, that's the entire point of zero knowledge.


"Zero knowledge" is not an excuse, it's way too easy to "miss a bug" or a few to leak information. The NSA is known to talk/force companies into adding backdoors to their products. Users can never be sure, so why risk it?


It is too easy to miss a bug, which is why there was an audit.

I really don't understand the risk of US incorporation that you're talking about, or why it is better or worse than any other country without introducing other potentially even less desirable risks. Can you explain further?

More recently the US is known for failing to force companies to add back doors (see Apple/FBI). It's probably worth noting Joseph Bonneau (EFF) is on the board of Zcash. I just don't see the risk that you're seeing, sorry.


"Can you explain further?"

No other western country (to my knowledge) has secret courts that were also proven to target tech companies. If such a reason is not enough for you, I don't know what else it could be then.


right, but we already covered that. there is no court order in the world that can compel you to provide what you do not have. so why is the US a bad place for ZCash to incorporate?


Are you sure such an argument would fly against a (possibly and probably technically illiterate) judge? I'm not. Apple was a separate case, because it is a publicly known and loved company, and there are very few companies that have the luxury to say the same. How did that play out for Lavabit (that's a controversial example, but it's to illustrate that the court doesn't hesitate to crush a company to achieve its goal)? Also, the RSA scenario[1] is not unrealistic either imho.

That's it, I'm not going to argue in circles anymore, I don't trust and will not trust any US based, privacy related tech company unless something fundamentally changes in its legal and power structures -- there are more than enough reasons and examples for me. If you do -- that's fine by me.

1. https://en.wikipedia.org/wiki/RSA_BSAFE#Dual_EC_DRBG_backdoo...


Forum-shopping is a problem, I don't disagree. But Apple didn't win that case on PR, and Lavabit didn't lose that case by making smart decisions. These are not analogous situations.

If you could name a single country that would offer better protections, we might have something to talk about. Western Europe, seriously? [1]

The reason we are going in circles is because you're unwilling to trust ZCash, not because of where it's incorporated. If, like me, you trusted ZCash, it wouldn't matter to you where their articles of incorporation were filed, because you would trust that the zero-knowledge implementation would prevent law enforcement from mattering at all. If open source, audited code by some of the brightest minds in the space doesn't earn your trust, nothing will. IcelandBux won't save you.

1. https://www.theguardian.com/world/2015/may/05/france-passes-...


The software is open source with reproducible builds. I'm not saying this is a magic wand, but it's a significant difference from the other cases.


> ZCash's blockchain is a black box and requires you to not only trust them with your anonymity

You do not trust anyone with your privacy in our system. Assuming you're talking about our zk-SNARK parameters, if they were not securely generated you still could not violate anyone's privacy.


I am long Zcash:

* The founder is Zooko Wilcox-O'Hearn, creator of Zooko's triangle, the BLAKE2 hash function, Tahoe-LAFS, and a former employee at MojoNation (an early attempt at cryptocurrency/P2P filesharing where another employee, Bram Cohen, went on to create BitTorrent). He knows a thing or two about decentralization/P2P.

* This project is NOT a trivial Bitcoin clone with only a new proof-of-work swapped in. The Zero Knowledge Proofs they use to keep transactions private are state of the art crypto. Also their PoW is actually memory-hard (many currencies have used PoW functions which they thought would be memory-hard and ASIC-proof, such as Litecoin with Scrypt, but it turned out not to be the case).

* Their "Founders Reward" is less like a premine and more like startup vested equity (it pays out to them gradually over 4 years to incentivize themselves not to pump and dump).

* The team is extremely helpful in the Zcash Slack and are a relief after dealing with the pedantic, difficult Bitcoin developers.


I can't stand the proliferation of proof-of-work cryptocurrencies in a world where people don't have to pay for the externalities of the energy they use.

Let me know when there's a cryptocurrency based on proof-of-carbon-sequestration or something.


I'm working on a coin minted for proof of carbon sequestration. It'd be implemented as a ledger on Ethereum (which is currently PoW but moving to proof of stake). Pay ether to a smart contract, it forwards the ether to approved organizations doing sequestration, and you get newly minted coins.

A couple weeks ago I presented the idea at MIT's Solve conference, and I've got a writeup at MIT's ClimateColab that made finalist this year.

http://climatecolab.org/contests/2016/shifting-behavior-for-...

http://solvecolab.mit.edu/challenges/2016/fuel-carbon-price

(The Solve writeup is pretty old, the Colab is recent but I've done more thinking about the minting schedule since then and made some changes.)


Neat.

Aside from the fact that it's built on a bug-prone foundation (Ethereum), the idea at least gives me some hope that cryptocurrencies don't have to have a negative impact.


Cool :)

As for Ethereum, so far the bugs in the underlying platform have been minor; right now they're dealing with DoS attacks resulting from mispriced opcodes but that's getting fixed. Most issues have been due to poorly-written smart contracts rather than the platform. That's not entirely the fault of the contract authors; it's taking some time to figure out the attacks and best practices.

I'm not planning to launch in the near future anyway, because Ethereum is going through some major changes next year for scalability, and contracts will need to be coded differently to take advantage of that. In the meantime I've gotten a job doing Ethereum app work, so I should be reasonably well-prepared to get the technical side of things right.

I think the bigger challenge is making sure the climate action is actually effective. Something I learned from people at the MIT conference is that while carbon offsets are readily available in the voluntary market, even the certified offsets are often very poor quality, or even outright scams.

Also I'd like to figure out a governance system that doesn't rely on central administration, but that may not be workable; a more democratic system could end up funding charismatic projects that don't actually do much good. I've got some ideas though.


>I can't stand the proliferation of proof-of-work cryptocurrencies in a world where people don't have to pay for the externalities of the energy they use.

Not a fair comparison; all of visa/mc's servers have externalities, all of the money trucks driving around physically collecting cash have carbon externalities, building ATMs and printing plastic credit cards have carbon externalities, building banks and running them have carbon externalities.

You have to compare the relative carbon impact. Cryptocurrency miners obviate all of those things.


Have you compared the relative carbon impact? You're making it sound like the things you're "obviating" are on at all the same scale.

Visa et al. are incredibly efficient compared to Bitcoin. I heard a Bitcoin advocate point out that all it would take to make Bitcoin have enough throughput that everyone could use it is 1% of the power in the entire world.


That is the case for Bitcoin but not for all blockchains, particularly proof of stake systems. BitShares for example has an extremely efficient system.

The tradeoff is that the 'peers' need to be relatively high performance servers (just normal commodity servers, nothing special).

It's impossible to achieve with the concept of everybody running their own nodes on a laptop.

In BitShares the Shareholders (people who own BitShares) can vote on either improving the performance and decreasing the distribution or the other way around.

So you are still going to be somewhat less efficient compared to Mastercard, but you can achieve the same scalability with a reasonable amount of extra power usage.


Good luck getting anything like that into a cryptosystem.

Do you actually understand the utility of proof-of-work? Whenever someone proposes something silly like "proof of recycling" or "proof of solar power" I can't imagine they do.


I understand the negative utility of proof-of-work. It takes useful resources and turns them into nothing.

I didn't claim it would be straightforward to make a cryptosystem whose mining process causes a benefit instead of a harm. I didn't claim I had such an idea. But let's rank some options in order of goodness:

1. Figure out a cryptocurrency with a real-world benefit

2. Don't use cryptocurrencies

3. Use cryptocurrencies

You may have chosen the worst option. I'm content with option #2.


> I didn't claim I had such an idea

Hint: it's impossible.

But regardless, I seriously doubt that Bitcoin mining actually has negative utility even after taking into account any negative externalities introduced by the relatively small electricity use from mining. My suspicion is it's more or less negligible compared to manufacturing or transportation.


What do you think about Cryptonote projects? Such as Monero, Boolberry, a variety of other similar networks

Some advantages Cryptonote has that come to mind:

- They are private by default. Zcash requires two states, a state analogous to bitcoin, and the anonymous zcash state which has to be explicitly opted into. Shadowcash also has this, but opted for ring signatures for the anonymous state (like cryptonote coins use by default) instead of the zkSNARKs. The market hasn't focused much attention on Shadowcash.

- Cryptonote projects have proof of work algorithms that are durable and so far ASIC-proof. CryptoNight and Wild Keccak are still CPU and GPU friendly. But I'd have to read their respective papers before I say "ASIC proof because memory hard".

- Cryptonote are also auditable if a user wants to reveal information about a transaction. But even then the information is limited, it will show that payments came in and out of specific amounts, but it won't show the sending/receiving address along with those transaction IDs.

- Cryptonote projects have nonthreatening names. Many privacy centric projects have names like Dark- Shadow- Anon- whereas noteworthy cryptonote projects have names that at worst simply wouldn't be taken seriously by a "powerful establishment" until so much capital and infrastructure is already built. I think ZCash or "Zerocash" isn't going to get smiles and congratulations from FinCEN. Hyperbole, but I don't think it is an advantage for the project.

It's one thing to be optimistic about the founders and their company, but for you to say you're "long" something that doesn't seem like a better investment makes me wonder what you see in comparison to some other existing technologies.

Looking forward to your thoughts


> Zcash requires two states, a state analogous to bitcoin, and the anonymous zcash state which has to be explicitely opted into.

It does not require two states, this is a misconception that originates from the paper which refers to "basecoins" and other obsolete terminology. The protocol was anticipated to be a sidechain of some kind, but due to technical limitations that never panned out. Our system does use two states, but I personally advocate for removing the "transparent" system in the future when we have things like private multi-sig.

> Cryptonote are also auditable if a user wants to reveal information about a transaction. But even then the information is limited, it will show that payments came in and out of specific amounts, but it won't show the sending/receiving address along with those transaction IDs.

You can do all of this with our system as well, it was one of our design goals!


I get that the protocol in theory doesn't need two states, Zcash the product will have two states. The harder second state likely won't be used that much. There are several cryptocurrencies that had multiple states to promote privacy. Darkcoin's darksend was an option in an otherwise bitcoin clone. Shadowcash has two states where the default state is an otherwise bitcoin clone. Zcash doesn't differentiate there.

As regards your second point, I know, that's why I said "also".

Aside from the marketing budget and evangelists, Zcash isn't really standing out to me. What do you see? Your idea and possibility of removing the transparent system? From my understanding this means every transaction will have the high system requirements, it still seems like a worse execution of this technology than other existing cryptocurrencies who will be even further ahead by the time these growing pains are even considered on the Zcash network.


CryptoNote doesn't look very scalable; if you want a large anonymity set, your transaction size grows linearly with the size of the set.


Scaling is a valid criticism of cryptonote

Have you talked with the monero team on how they plan to address it?

They might not have a good answer (cheaper storage, computers faster in the future), maybe they do have some solutions in mind

This seems to be an issue with zcash too? Can you explain why it isn't?

Given current information it seems like these problems won't become apparent till the year 2021


In ZCash each transaction is the same size, regardless of how large your anonymity set is.


Okay, that is an interesting perk, where could I read about that and come to the same conclusion? For some reason I don't recall the white paper explicitly saying that but it wasn't comparing itself to cryptonote to begin with.


It's a property of the zero knowledge proofs in question; they're called Succinct Non-interactive Arguments of Knowledge because their size grows sublinearly with the size of the statement being proved. In the case of ZCash, the statement consists of proving things about the blockchain, and things are set up in such a way that the size of the proof used is 288 bytes, ALWAYS.


is this proof the one that also cannot be formed in a trustless way?


As you are zealously talking your zcash book, maybe you would be willing to let me short this worthless charlatanry and transparent cryptopportunism to you for actual dollars? Via a personal CFD?


I'm kind of confused by the tenor of the comments in here. I'll admit I haven't been following cryptocurrencies closely, but there seem to be a large number of comments suggesting that ZCash is a scam and that Monero is better (without any concrete arguments).

Could someone enlighten me as to why that's the case? I know of ZCash via the academic papers on it, and because the people involved – Zooko Wilcox, Matthew Green, etc. – are extremely well known and trusted in the security community. I've heard basically nothing about Monero.


I have been reading through and also noticing this. I was looking for a better explanation too - from what I understand basically:

Monero uses ringCT algorithm on transfer to mix the payments and obfuscate the sender

Monero has a private view key and a separate spend key. The view key can decrypt transactions made by you to confirm your total balance (the Monero balance is unknown to the daemon; it is calculated as xmrReceived - xmrSpent).

ZCash has 'zero-knowledge' proofs and while the whitepaper[1] is a bit intense it uses a novel Proof-of-Work explained within. Called zero-knowledge Succinct Non-interactive ARguments of Knowledge (zk-SNARKS).

ZCash coins' origins are obfuscated before they are received by the user, reducing the need to mix payments together

Personally, I think they're both great and it's a healthy time for a privacy-based cryptocurrency face off. Having said that, ZCash theoretically sounds better (to me) yet Monero is proven in the wild - and both have people with money already sunken in.

IMO the cryptocurrency world will be much better off when its userbase is looking for a CURRENCY and not a COMMODITY.

[1]: http://zerocash-project.org/paper

[2]: https://github.com/zcash/zips/blob/master/protocol/protocol....

[3]: https://www.reddit.com/r/Monero/comments/41vg68/monero_vs_zc... - decent ZEC vs XMR ELI5 thread

edit: formatting


What is the difference between a currency and a commodity? If the rate of appreciation is perceived as high enough, and the exchange rate into goods and services is high enough, anyone will have a tendency to hoard a currency - why wouldn't you?

It would be simple to create an alt-coin that degrades in value over time, thus encouraging circulation and not hoarding (though how you would battle fake-circulation through shill transactions is up for debate), but no one wants to buy into such a thing.

I happen to think the conflation of money/debt/interest with the corresponding need for continual economic growth is one of the great tragedies of our age, but I'm not entirely sure how to get out of it.


> What is the difference between a currency and a commodity?

Whether you want to spend it.

> If the rate of appreciation is perceived as high enough, and the exchange rate into goods and services is high enough, anyone will have a tendency to hoard a currency - why wouldn't you?

Of course it's reasonable to do in such a situation, but that doesn't make it good for the thing being hoarded. Ideally a currency would have minimal appreciation.


SNARKs are not proofs-of-work, but are instead used to prove that you can spend a coin, without revealing which coin you're spending.


Bear in mind that owners of either coin are financially motivated to promote it vs the alternative, as its value is driven by demand. Expect to disregard the majority of comments about altcoins (Monero and ZCash are among the few doing anything remotely interesting, so it's only worse for less well known coins).


Monero is just an over-hyped pumped up alt coin. All of the trade volume is on the exchange Poloniex which claims to be based in the US but provides no details of who owns or operates the site beyond that. They allow margin trading. I highly doubt their legitimacy. The initial rise of Ethereum also occurred on Poloniex. Lots of hype surrounding both of those coins without any real world utility.

https://coinmarketcap.com/currencies/monero/#markets


AlphaBay is pushing Monero http://motherboard.vice.com/read/monero-cryptocurrency-dark-... . This is not a surprise: right now, aside from a few geeks meddling with things the only real world usage for all of these cryptocurrencies (where the word currency is strongly debatable) is one which a bank can not do because if a bank can do it, it's better to use a bank for now. See, one of the (biggest?) selling points of banks are providing a safety layer between the stupidity of people and their money. All cryptocurrencies remove this to one extent or another (I believe this https://www.reddit.com/r/ethereum/comments/4yru3h/scared_and... to be the sad end of the scale).


ZCash requires a trusted setup, takes a 20% fee from miners, and active mixing requires 8GB of RAM.

https://blog.okturtles.com/2016/03/the-zcash-catch/

http://weuse.cash/2016/06/09/btc-xmr-zcash/

If you are interested in anonymous blockchains, I highly encourage you to look into Monero. It meets or exceeds that of ZCash. And Monero's RingCT is currently implemented and in use on TestNet with a target "go-live" this January.


Could you please explain this?

_"And Monero's RingCT is currently implemented and in use on TestNet with a target "go-live" this January."_

I couldn't find any relevant information on this. Does it mean that from January 2017 bitcoin will have the anonymity properties of Monero?


8GB of RAM is only required when you want to transact; if you're not making transactions but are simply another node in the network (perhaps mining, or something), then I don't think the work required is any different from Bitcoin.


Thanks for these articles. Great comparison! Monero looks very good indeed.


I'm a big believer in privacy, but anonymity scares me. Anonymity invites bad behavior: look at how bitcoin -- which isn't even all that anonymous -- has enabled the ransomware industry.

I agree that it is very important for people to be able to conduct financial transactions without having to disclose them to third parties. It's also important for people to be able to use a mutually-agreed-upon trusted third party to mediate transactions where neither party knows the other's identity. But I'm much less convinced of the wisdom of enabling people to conduct financial transactions with no possibility of knowing who they are doing business with. That seems to me to be fraught with all manner of moral hazard.


I would argue that anonymity and privacy are equally positive things and both necessary for a functional society.

Anonymity facilitates the exposing of bad actors and systemic failures in the bureaucracies we've created to help and protect each other, i.e., whistle blowers.

I would also argue ransomware is a good thing. Although it's annoying, it's providing just enough of a shift in incentives for people to start taking data security seriously. Ransomware makes everyone's data more secure in the long run.


> Anonymity facilitates the exposing of bad actors

No, it doesn't actually. What are called "anonymous sources" in the press are actually not anonymous in the sense that ZCash makes them anonymous: their identity is known to the journalist who publishes the story. The identity of the source is kept confidential by the journalist. This mechanism is an important check on the credibility of the source. True anonymity leads as much to vendetta-driven libel as it does to legitimate whistle-blowing. There's a reason that serious people get their information from the Register and the Washington Post instead of 4chan.

Also, anonymity in general and an anonymous currency are not the same thing.


we have fully anonymous, working cryptocurrencies now (monero is the best example). You cannot link transactions nor determine the balance of a public key. without the private key and transaction key no court can seize.

we have anonymous darknet markets, where you can buy many controlled substances, in visibility of law enforcement.

My point is that you can't uninvent these things. They have already changed society, and moralizing on how we shouldn't invent these things has gone way past into heavy production.

Use the technology, don't use it; this is really the only choice you can make. Their existence won't go away.


I'm not moralizing about inventing these things, I'm moralizing about using them. Inventing a nuclear weapon is not the same as using one.

BTW, I didn't know about Monero. Is there any substantive difference between it and ZCash?


Yes. Monero is fairly distributed, not 20% for insiders to dump.


By the same token, sending the message to launch is not the same as sending a confidential message.


Confidential != anonymous. Anonymous invites bad behavior more than confidential does.


How are those different? They have equivalent meaning.


"Confidential" means the content of a communication is (intended to be) secret. "Anonymous" means the identity of the author is secret. Big difference.


When I send a friend an encrypted Signal, it's confidential i.e. its contents are secret. My friend knows it's from me. I am not anonymous.


"But in ZCash, the miners only get to keep ninety percent of those coins. The rest gets dumped into accounts controlled by the ZCash company"

This alone makes me extremely sceptical.


It's worth reading the Zcash perspective:

> At first, 50 ZEC will be created every ten minutes. 80% of the newly created ZEC will go to the miners, and 20% ZEC to the founders.

> Every four years, the rate of ZEC being created will halve (again, just like in Bitcoin). After the first four years the ZEC created per ten minutes will drop to 25ⓩ, but after the first four years, 100% of it goes to the miners.

> The end result (as shown in the diagram) is that there will ultimately be 21 million ⓩ, and 10% of it, or 2.1 million ⓩ, will have been initially distributed to the founders.

> With this approach, the founders are incentivized to support Zcash for the long haul (at least for four years), and they have limited ability to pump-and-dump.

From https://z.cash/blog/funding.html.

I don't know if this makes things better or not, but it sounds reasonable to me. From what I understand, "pump-and-dump" has been a concern in cryptocurrencies.


> the founders are incentivized to support Zcash for the long haul (at least for four years)

Four years is not the long haul when talking about a new currency.


Four years is an extremely long time when talking about a new currency.


A currency from 2016, maybe. Not on the greater scale of things. I'd argue the dollar has only recently hit maturity in the past 50 years, being written into law in the 1790s [1]. The yuan has been around for over 2,000 years [2].

Currencies take time for sure.

[1] https://en.wikipedia.org/wiki/United_States_dollar?wprov=sfl...

[2] https://en.wikipedia.org/wiki/Chinese_yuan?wprov=sfla1


Bitcoin is extremely new on the grand scale of things and has already been around for nearly 8 years now. 4 years is nothing.


Unlike Bitcoin, where Satoshi probably mined 5% of all BTC before other people noticed? Or unlike Bitcoin, where developers get paid by layering centralized startups on top?


5% < 10%, last time I checked. Also, "Bitcoin did something fishy" should be a reason to invent some thing less fishy, not more.


The only way I could foresee a cryptocurrency where, by its nature, the early adopters would not have a significant amount of money in the eventual economy, is to make the rate of money generation grow with participation and / or transaction rates. The former is effectively impossible to judge, unless you use the block difficulty as a measure of popularity, and the latter seems like it doesn't accurately reflect the market cap - coins like doge had much higher velocities than btc at unique times despite being a fraction of the size.

The other option might be a blockchain that doesn't do time based payouts but does volume based payouts. Rather than having blocks issued on fixed intervals you could have them dynamically issued and computed based on the previous blocks time to reach a calculated size threshold to hash. Unless you were psychic and could guarantee your coin would take off, investing the electricity to generate bogus volume would be a tremendous gamble in resources to try to beat the market.


If I recall correctly, it's not 10% of the entire supply, but rather 10% of the first 2 years worth of supply. After that, the 10% cut from miners is stopped and their 10% of the supply will slowly decrease as the overall supply increases


No, it's 20% of the first 4 years' reward, which is equal to 10% of all time's reward.


Or Ethereum where the founders reserved 12.5% of the presale to themselves. I had no problem with that, and the Zcash incentives seem better than the Ethereum ones because they're effectively vesting over years.


Until proven otherwise, Satoshi still didn't touch his original mined coins…


IIRC they are supposedly locked in a 'trust' until ~2020

(See: Tulip Trust)


This is one of the many claims by a person who came forth and claimed to be Satoshi. Although a few notable people in the community believe(d) him, most don't. This should be treated as a rumor at best.


I don't think that's directly comparable -- he announced in advance what he was doing, and everyone had the opportunity to start mining. Getting 5% was an artifact of others not participating as much when they could have, not something written directly into the protocol.


The word yuan has been around. RMB is a very new thing.


> the miners only get to keep ninety percent of those coins

It's 80% for the first four years then all after.

The fact that this isn't completely clear to people is another reason to be skeptical.


ZCash is one of a few options for anonymity. Cryptonote-based ring-signature coins like Monero have been around for a while.

See also https://news.bitcoin.com/meet-top-3-coins-cryptocurrency-ano...


ZCash looks like a promising tool to prevent civil forfeiture and legalized theft.

It is interesting how the same (or similar) technologies that have made cash rare, and allowed tracking of transactions and spending, may subsequently enable radical anonymity.

P.S. I hope to see an investment market based on anonymous cryptocurrency one day; it would allow many people who currently lack access to investment markets or funding to prosper.


"ZCash looks like a promising tool to prevent civil forfeiture and legalized theft."

How does it prevent civil forfeiture specifically? Can you elaborate?


Not familiar with Zcash specifically, but it should work the same as Bitcoin. You cannot initiate a transaction without the (password protected) private key of the wallet containing BTC. If the victim of civil forfeiture refuses to provide the password and private key there is nothing that can be done to acquire the money. This is good because it changes the game from the "government takes your money and you have to sue to get it back" to "government has to prosecute to get your money in the first place".

It doesn't prevent some vague yet menacing government agent from breaking your kneecaps in order to get the password, but no security system has been able to plug that hole yet.


Yes, I see your point. Thanks for the clarification.

For anyone who's interested in the practice of "civil forfeiture" in the U.S. and why it's so concerning, this is a decent introductory read:

https://priceonomics.com/how-police-officers-seize-cash-from...


Some attempts to plug that hole: https://en.wikipedia.org/wiki/Deniable_encryption


So there's an idea: a wallet format that lets you decrypt with any of one or more passphrases, with each passphrase giving a different set of addresses.


This is already in wide use by Trezor users. A user can have an arbitrary number of decoy wallets unlocked by the same root private key, but different passphrases.
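The "one root secret, many passphrases" wallet the two comments above describe, as an added example that is not Trezor's or any project's code: the seed step follows BIP39 (PBKDF2-HMAC-SHA512 with salt "mnemonic" + passphrase) and the master key step BIP32, while the child derivation and address encoding are simplified stand-ins, and the mnemonic and passphrases are constructed sample values. Every passphrase, including the empty one, opens a valid wallet with its own unrelated address set, so nothing in the data reveals how many wallets exist.

```python
"""Toy deniable wallet: one root secret, a separate wallet per passphrase."""
import hashlib
import hmac
import unicodedata
from typing import Dict, Iterable, List, Tuple

# Constructed sample root secret: the well-known BIP39 test mnemonic.
MNEMONIC = "abandon abandon abandon abandon abandon abandon " \
           "abandon abandon abandon abandon abandon about"


def seed_from_passphrase(mnemonic: str, passphrase: str) -> bytes:
    """BIP39 seed: PBKDF2-HMAC-SHA512 over the NFKD-normalised mnemonic,
    salt "mnemonic" + passphrase, 2048 rounds, 64-byte output.
    Any passphrase is accepted; there is no "wrong passphrase" error."""
    mnemonic_bytes = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", mnemonic_bytes, salt, 2048, 64)


def master_key(seed: bytes) -> Tuple[bytes, bytes]:
    """BIP32 master node: HMAC-SHA512 keyed with "Bitcoin seed"; the left
    32 bytes are the master private key, the right 32 the chain code."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def derive_addresses(seed: bytes, count: int) -> List[str]:
    """Simplified child derivation (assumption, not real BIP32, which uses
    elliptic-curve arithmetic): child_i = HMAC-SHA512(chain, priv || i)[:32].
    The "address" is a placeholder hash of the child key standing in for the
    real public-key-hash-and-encode step."""
    priv, chain = master_key(seed)
    addresses = []
    for index in range(count):
        child = hmac.new(chain, priv + index.to_bytes(4, "big"),
                         hashlib.sha512).digest()[:32]
        addresses.append(hashlib.sha256(child).hexdigest()[:40])
    return addresses


def wallets(mnemonic: str, passphrases: Iterable[str],
            addresses_per_wallet: int = 3) -> Dict[str, List[str]]:
    """One address set per passphrase, all from the same root secret."""
    return {p: derive_addresses(seed_from_passphrase(mnemonic, p),
                                addresses_per_wallet)
            for p in passphrases}


def address_sets_disjoint(wallet_map: Dict[str, List[str]]) -> bool:
    """True when no address appears in more than one passphrase wallet,
    i.e. knowing one wallet's addresses says nothing about the others."""
    seen = set()
    for addrs in wallet_map.values():
        current = set(addrs)
        if seen & current:
            return False
        seen |= current
    return True


if __name__ == "__main__":
    # Constructed passphrases: the empty one is the "default" wallet.
    demo = wallets(MNEMONIC, ["", "decoy wallet", "real wallet"])
    for passphrase, addrs in demo.items():
        print(repr(passphrase), addrs)
    print("disjoint:", address_sets_disjoint(demo))
```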


Trezor firmware supports Monero. No zcash as of yet.


If you carried your money electronically, the police would have nothing physical to seize. The most common form of civil forfeiture is when the police seize money or other items of value from someone transporting or holding them.

More significantly, if you have an anonymous ZCash account, the state has very little idea of how much money you have, where it is, or how you've used it; this means they don't know whether you have anything they want, or how to get it.


Isn't that beside the point? If you have all this money and they only suspect you have it, give you some court order for the money, then even if they can't get hands on the money neither can you. All they have to do is watch you, as a person, and your interaction with systems. That sort of thing is only getting more easy.

Furthermore, with the push for "Online identity" they could just seize all your data storage and your various account information sets. Maybe your Ident never touched any of your personal hardware, or maybe you opened access to your hardware and pumped so many Idents through it that you're confident they won't be able to figure out which is yours. But they can still outwait you.

I mean MAYBE smart contracts will get us out of that.


> If you carried your money electronically, the police would have nothing physical to seize.

This type of attack probably won't work on Zcash, but that statement seems to be wrong these days:

http://www.npr.org/sections/alltechconsidered/2016/07/02/483...


How does it defeat the $5 wrench?


Given that the previous comment is referring to state actors, you have the courts to defeat the $5 wrench.

For more direct criminal elements, you can make it difficult enough that it's not worth them going through the effort to use the $5 wrench and wait while you have to fetch the key. Beyond that, you're no worse off than you were versus carrying cash. The only thing electronic cards might have an advantage over this is that many provide fraud protection which will refund/void fraudulent charges.


Ok, so you're in court, and the court's just gonna be like, 'ok, we'll just ignore our orders to make you pay because it's crypto currency'?

I don't think you understand what happens when you defy court orders...

Also, mostly this will be used for tax issues, where guess what, the burden is on you to prove that your income was only X, so the more crypto shit you have the easier it is for the prosecution to say you have millions in crypto currency.

You really think ZCash is the first company to think of hiding assets from the gov't?


The point seems to be that the court would actually have to order you to release the funds, as opposed to the current case where law enforcement can seize physical funds without a court order, putting the burden on you to get it back if the seizure wasn't justified.

The court reference you replied to is saying that the court system protects you from having a state actor use force to take your property before you've had your day in court.

ETA: That said, I don't think you need anonymity for this, so it would apply to any currency you can use as cash and secure with a password. I guess the anonymity just makes it more like physical cash in that nobody can track how much or where you spend/receive it. For tax purposes, it would be no different from cash in terms of ability to work under the table and be called on it or accused of it by the IRS.


How do they actually know that you have millions though?

Imagine the opposite scenario. The government thinks you have millions, but you genuinely do NOT have that money. How do you prove to the government that you are innocent and don't actually have the money.

You can't. You, an innocent person, are indistinguishable from a person who actually DOES have millions hidden away in cryptocurrency.


Well, this only holds so far as you live like someone who doesn't have millions hidden away. It would be difficult to turn this hidden currency into an appreciable lifestyle improvement in a way that wouldn't be observable and result in an audit that could prove that your observed expenditures exceed your claimed resources. At best, you could make a bunch of minor improvements that aren't easily observed.


Your question was how do you defeat the $5 wrench, not how do you tell the tax-man to f himself.

If state actors use the $5 wrench, that's illegal and consequently you have the defense of the courts to counter that behavior. Civil forfeiture is dependent on being able to "prosecute" your stuff, rather than you. So if they can't seize it, they have to go after you directly, which puts the burden of proof on the prosecution to demonstrate that the money is unlawfully possessed. The fundamental principle of the US court system is "innocent until proven guilty", so you don't have to prove what your income is, they have to prove it. You only need to counter their claims.


> Civil forfeiture is dependent on being able to "prosecute" your stuff, rather than you. So if they can't seize it, they have to go after you directly.

The US certainly has had cases prosecuting "stuff" where said stuff is cryptocurrency. See "United States v. 178.95842915 Bitcoins" [0], which appears to be a civil forfeiture case [1][2].

[0] https://www.usmarshals.gov/assets/2016/bitcoinauction/index....

[1] https://www.pacermonitor.com/public/case/10752506/United_Sta...

[2] https://docs.justia.com/cases/federal/district-courts/washin...


To prosecute your stuff, they still have to confirm its existence. You don't have to prove it doesn't exist.


It depends on what you mean by 'the $5 wrench', but anonymous cryptocurrency would allow the victim to deny or misstate their account balance. It would not protect a victim being slowly tortured to death (a situation for which I cannot imagine a protection), but would protect the victim in situations where the attacker had limited means.


He's most likely referring to this XKCD comic: https://xkcd.com/538/


Multisignature wallets mean that you can beat the credentials out of a person and still not be able to access the coins. You would have to figure out who else had keys and beat them too. This raises the difficulty to a non-trivial level.


For the wallet to be useful, the person you are beating will either know who else needs to be beaten, can be compelled to withdraw their funds under duress, or, in the case of a centralized counterparty like a bank, can be trivially compelled by a government bearing a lawful order to sign off on a money transfer.

If none of those means of getting you to pay work out, they can always leave you to enjoy your internet money in jail.


The issue is that they have no idea how much money you 'actually' have.

If someone threatens you with a wrench, you simply do what they ask you to do and provide a password to your "account" that conveniently doesn't have much money in it.

"yes officer! I have done exactly what you asked me to do. Here is all the electronic money that I own. "


Ok, but how does that protect ME from that $5 wrench?


You can set up a hardware wallet with plausible deniability[1]

[1] https://www.reddit.com/r/TREZOR/comments/2e8a9i/can_someone_...
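The decoy-wallet mechanism discussed in this thread (one recovery seed, many passphrases, each unlocking a different set of addresses), as an added Python example that is not code from Trezor or from anyone in the thread. The seed step is the BIP39 derivation that hardware wallets use for their passphrase feature; the address step is a simplified stand-in for BIP32 derivation, the function names are mine, and the mnemonic is the BIP39 reference test mnemonic used here as sample input.

```python
"""Decoy ("hidden") wallets derived from one seed phrase plus a passphrase.

Seed step: BIP39 exactly (PBKDF2-HMAC-SHA512, salt "mnemonic" + passphrase,
2048 rounds, 64-byte output). Address step: a simplified stand-in for BIP32
child-key derivation, kept only to show that each passphrase yields its own
deterministic, disjoint key set. Not the Trezor implementation.
"""
import hashlib
import hmac
import unicodedata

# Sample input: the BIP39 reference test mnemonic (public test vector, not a
# real wallet). The seed step below does not validate the word checksum.
EXAMPLE_MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
                    "abandon abandon abandon abandon abandon about")


def bip39_seed(mnemonic, passphrase=""):
    """BIP39 seed. An empty passphrase is the 'no passphrase' wallet."""
    m = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", m, salt, 2048, dklen=64)


def simplified_addresses(seed, count=3):
    """Toy address list. Master key via HMAC-SHA512(key='Bitcoin seed', seed)
    as in BIP32, then one HMAC per index instead of secp256k1 child keys."""
    master = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    key, chain = master[:32], master[32:]
    addrs = []
    for i in range(count):
        child = hmac.new(chain, key + i.to_bytes(4, "big"), hashlib.sha512).digest()
        addrs.append(hashlib.sha256(child[:32]).hexdigest()[:40])  # toy "address"
    return addrs


def decoy_wallets(mnemonic, passphrases):
    """Map each passphrase to the wallet it unlocks.

    The device stores only the mnemonic; nothing on it records how many
    passphrases are in use, which is what gives the scheme its deniability.
    The flip side: a mistyped passphrase silently opens a fresh, empty wallet,
    so every passphrase you rely on must be verified against a known address.
    """
    return {p: simplified_addresses(bip39_seed(mnemonic, p)) for p in passphrases}


def wallets_are_disjoint(wallets):
    """True if no toy address appears in more than one wallet."""
    seen = set()
    for addrs in wallets.values():
        if seen & set(addrs):
            return False
        seen |= set(addrs)
    return True


if __name__ == "__main__":
    wallets = decoy_wallets(EXAMPLE_MNEMONIC, ["", "decoy", "real"])
    for passphrase, addrs in wallets.items():
        print(repr(passphrase), addrs)
    print("disjoint:", wallets_are_disjoint(wallets))
```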


And then they beat me with the wrench anyway for wasting their time. But I suppose the money's ok, which I'll need for hospital bills.


If they were going to beat you anyway, another layer of encryption was not going to help.


In respect of protection against civil forfeiture, how is it different from a regular bank account?


The government can very easily take money out of your bank account. Happened to me one time when the Texas Comptroller made a paperwork error. Even after they fixed it and refunded my money, Wells Fargo charged me $150 for "legal fees". That was a lot of fun.


Your problem is that you used Wells Fargo instead of a credit union.


After that event I switched to a credit union. Good decision.


A month ago I did a deep dive into Ethereum and the 'altcoin' universe. The one thing I came out of it all with was a feeling that I had seen so much of the same sentiment and rhetoric about specific altcoins and altcoins in general as I saw with the 'HYIP' sites of two decades ago.

HYIPs were plain Ponzi schemes, given the fancy name of 'high yield investment portfolio'; they promised things like "1.5% yield/day on investments of egold" but all of them would fold.


The article is a bit inaccurate; SNARKs weren't developed just by Eli; there's an entire group of researchers at the SCIPR lab who worked on this stuff:

http://www.scipr-lab.org/


Hi. I'm the author. Thanks for pointing this out. You were not the only one. We've reworked the attributions paragraph to include all of the institutions that had a hand in this particular work. And we also tried to make it clear that the snarks they worked on were specific to the zcash project.



I think the people behind a project mean a heck of a lot to the validity and integrity of the project.

So if Zooko Wilcox et al are indeed respected in the P2P and security community, then I am interested in this.


You have to trust them, because if they cheat, they can print infinite zcash.

I do not trust Israeli SIGINT people with my secrets.


So people like Matthew Green, Alessandro Chiesa, Madars Virza, Ian Miers and Christina Garman, none of whom are Israeli, had absolutely no say in how this project was constructed, right? Eli and Eran are just two members of a much larger research group. They most certainly did not "backdoor" ZCash.

There's skepticism, and then there's this stupid crap like your post. No technical foundation, no evidence, nothing, just FUD.


A current problem that I feel all blockchain-based currencies face is the inability to effect large scale changes. Whether it be Bitcoin's infighting or Ethereum's decision to fork, the reliability of transactions by blockchains comes into question.

The central conflict is over authority: should the system be in the hands of miners or in a central power? Both of these have pros and cons.

Miners have an economic incentive to ensure changes to the system are in favor of users. And in theory, these changes are democratic: representing the opinions of the majority of miners. However, in practice, this is rarely the case; as voting power is allocated based on computing power, the result is a system governed by a few individuals with the economic resources and advantages to cheaply 'outrepresent' others. In effect, they do not represent the majority of miners and users. Look at Bitcoin, where a handful of Chinese companies control the network (http://www.nytimes.com/2016/07/03/business/dealbook/bitcoin-...)

A central power has the ability to enact large scale change affecting the whole system, but is inherently undemocratic. Ethereum, in response to a capital fund being hacked, performed a hard fork earlier this year, mitigating the adverse effects. This rapid collective action would be hard to do in Bitcoin.

The benefits of blockchain are anonymity, security, and low costs of transactions. Both of these features need to be upheld if blockchain-based currencies are to be competitive with current credit systems, regardless of which form of authority is adopted.

In my opinion, a central power blockchain-based currency would be preferable. Why? Current credit systems charge high fees for transactions to offload the cost of fraud and corresponding insurance. Blockchains don't, but there is no guarantee of security against hackers in a system not run by a central power. Low cost and security of transactions must be maintained. In addition, in a miner-based blockchain, all transactions are not treated equally. For Bitcoin, transactions which give a fee to miners are processed faster (https://docs.google.com/spreadsheets/d/1aYfkjiN534p4zyE5WJNm...).

Any response?


Anyone else find naming important for adoption? Bitcoin sounds pretty elegant to the regular Joey IMO but "ZCash"... I mean... awful. Well, let's hope for a rebrand later.


Most villains have no problem with zee name.


You mean like Zoro?


No, because Zoro is not a villain?

I was thinking of some old Bond villain.


According to Wikipedia only one Bond villain ever had a Z name. That was Max Zorin.

https://en.m.wikipedia.org/wiki/List_of_James_Bond_villains


This is the rebrand. This project was initially ZeroCoin, then ZeroCash, and now the abbreviated ZCash.


> This project was initially ZeroCoin,

ZeroCoin was an entirely different approach based on different cryptography with radically different properties.

( https://bitcointalk.org/index.php?topic=175156.0 )


ZeroCoin and ZeroCash are probably the worst possible names for something like this.


I don't know ... to my ear, Bitcoin sounds petty -- the "bit" and "oi" pieces are diminutive.

ZCash seems relatively neutral to me, not evoking positive or negative feelings.

ZeroCash (from which it comes) is somewhat negative, since it evokes "no more money".


To be fair "Google" strikes me as an awful name so it might just be taste.


> Although privacy was a motivating factor for Bitcoin’s flock of early adopters

Not quite. I mean surely there were people interested in that, but frankly this is exaggerated. We knew very early that anonymity was far from obvious, even on a purely theoretical point (that is, even if you could anonymise your IP for instance).

Bitcoin was approximately anonymous not by design, but by convenience. Who wants to have to bother checking the identity of users? In fact, I'd argue that bitcoin was no more anonymous than any other FOSS project. You usually don't ask for an ID before allowing someone to download your software.


The blockchain is slowly going to become a dominant pillar of our transactions. Whether it be information, money, etc., blockchain will probably be a part of it. If we want it to be secure anyway...


  If we want it to be secure anyway...
Oh God, I'm _really_ hoping you're being sarcastic.

You've read about the dozens on dozens of compromised exchanges?

You heard about the DAO hack?

You realize that the majority of bitcoin is mined by like a dozen people in China?

Maybe someday we'll get our act together, but right now blockchains are a recipe for FUD and centralization.

(I say this as someone who thinks bitcoin is cool. For instance, the traditional financial system makes it unnecessarily hard to send money overseas, a need bitcoin can fill well. But secure? No.)


tolerable growing pains

all of those things improve the resilience of the implementations

exactly as the original white paper suggested


I'm not sure how the centralization improves the resilience of the implementations. Mining pool centralization is definitely a big downside for security on the blockchain. A lot of research is being done in cryptocurrencies looking for ways to discourage this type of centralization.


centralization doesn't; that wasn't a claim I was making or considering

mining pool centralization has ebbs and flows. I'm not concerned about bitcoin's TODAY for example, but maybe tomorrow and at times in the past. There are a lot of blockchains people don't put under much scrutiny, where it turns out there is massive centralization. But this isn't an inherent problem, Satoshi was 100% of Bitcoin's network for a long time.


Is anyone working on/does it make sense to have blockchain based voting for elections?


It's been looked at (my advisor in grad school was working on it) and it keeps running up against the problem of scaling -- 100 million transactions (800 million if you want to scale up to India) on a single day is going to be hard from a realization standpoint, even if it's theoretically doable.

There's also the interesting psychological side to it: while a blockchain system is in a theoretical sense more transparent than anything else, from a popular standpoint it's incredibly opaque compared to a county registrar counting two different stacks of paper ballots.


We can just use cryptography and forego the blockchain for much more scalable verifiable elections:

https://en.wikipedia.org/wiki/End-to-end_auditable_voting_sy...

https://vote.heliosvoting.org/


Yes, Dash (DashPay) has been up and voting on stuff for a couple years. Because I own 1,000 of the things I get to vote on stuff like sending devs to conferences and different ad campaigns to run, then the winning bids get paid out of the block reward. If we vote no the Dash just gets destroyed and inflation is slightly reduced.


I like the idea. There's some funding waiting for that innovation


There are several voting systems built on top of Ethereum.


Especially if done using a ZKP like ZCash supposedly does. That would be great.


I would suggest that BTC in particular, because it's pseudo-anonymous, has some industry and government forces propelling it which zcash will not share the same benefit of.


We need something better than money. I don't know what that is, but I think focusing on creating new forms of tokens won't enable any radical change.


If you want to get rid of money entirely, the first thing you have to do is solve the 'Economic Calculation Problem'.[1]

[1] https://en.wikipedia.org/wiki/Economic_calculation_problem


I'm convinced that reputation based economics are a natural successor to currency with enough automated means of coordinating transactions.

Disclaimer: I may be extremely biased from spending the majority of my time trying to figure out how to put that into practice.


Bitcoin seems to be going through an issue at the moment where many transactions are taking hours to complete due to a large backlog. This might be transient, but when I ask any questions about what happens if volume doubles, I just get attacked for asking such questions.

It seems bitcoin just doesn't scale very well.

So my question is does ZCash? How will it cope with current bitcoin volumes? Or 10 times? Or 1000?


If you want an automated build that you can run on any platform (not only Linux/Ubuntu) then check out my Docker guide: http://blog.alexellis.io/mine-zcash-with-docker/


I can't wait for the arrival of iCoin.


Here's a question: I can see the value in an anonymized blockchain for use by individuals...

...but, is there a reason that anonymity would be good for use in a blockchain for use by businesses? Or, is it categorically better for a business-centric blockchain to have the most identity possible?


They touch on that in the link: "'There are regulatory and commercial and moral reasons for privacy from all sectors,' he says. To give a commercial example: Apple wouldn't want Samsung to be able to track its transactions and gain valuable competitive intelligence."

I agree with this sentiment.


On the other hand, how do you deal with proving who the currency belongs to, for example in the case of death (and the person never shared their passwords/keys)?


Couldn't you tweak that a bit?

"Apple wouldn’t want the government to be able to track its transactions and gain valuable tax revenue."


Zooko's mentioned interest from banks/finance because they need privacy, too. I haven't asked about this because I'm not really into business.


This looks good to me. It looks like it is not just another bitcoin clone, it has genuine, and well thought out improvements. I'll probably try it out unlike all the others.


Privacy coins are the new hot thing in altcoins. There's Monero, ZCoin, ZCash, Dash, ...


ZCoin uses an old, weaker research paper by Christina, Ian and Matt, ZeroCoin. ZeroCoin offers weaker security guarantees than Zcash.


Takeover ad behind the link. Is this acceptable for a Hacker News link?


And truly a scam as well. These investment pumps are so obnoxious.


As I said the last several dozen times ZCash hype articles got posted: what's worse than currency controlled by a government AND currency controlled by an unelected group of developers? Currency controlled by a for-profit company.


This just sounds like a new clone of Dash (née darkcoin) but with pre-mine for the founders and without the cool proposal / voting system. Why would anyone buy into this?


Except this work is the result of many years of both theoretical and engineering advances in cryptography; if you can't take even the modicum of effort to read up on the subject matter, maybe you shouldn't be spouting bullshit?


Dash was a premine scam too.

