
The Zcash Anonymous Cryptocurrency [video] - ianopolous
https://media.ccc.de/v/33c3-8330-the_zcash_anonymous_cryptocurrency
======
EvilMonkeyMat
I've said it before: Zcash has nothing Monero isn't already offering. And like
others said, right now, I still haven't seen a mining pool or an exchange that
can handle anonymous transactions. An example:
[http://zcash.flypool.org/](http://zcash.flypool.org/)

Also, Zcash had an initial trusted setup ceremony after which the 6
participants supposedly all deleted their private keys. You DO have to trust
none of those have colluded to someday, for example, start creating zcash
coins for their own good without anyone knowing. All the info here:
[https://petertodd.org/2016/cypherpunk-desert-bus-zcash-trust...](https://petertodd.org/2016/cypherpunk-desert-bus-zcash-trusted-setup-ceremony)

~~~
FiloSottile
And as others said before, Monero does some sketchy weak mixing of something
like 100 tx, which is really not enough for long term anonymity (think what
happens when the other 99 outputs are spent). EDIT: there are a couple of papers
linked in a child comment that seem to analyze this which I haven't read
entirely yet; the following two points still stand.

You don't need an exchange to use z-addresses, just receive into a one-use t,
and then make it disappear into your main z-address yourself.

Finally, you have to trust that AT LEAST ONE won't collude, because you need
all pieces to fake Zcash, which is very different.

Enough with this FUD. It's innovative tech, I expected HN to appreciate it
more than the usual cryptocurrency circles.

~~~
otheotheothe
Hello Mr. Cloudflare, your whole understanding of how XMR works seems to be
wrong; there's no concept of spent outputs at all. To deanonymize a tx with a
certain certainty one would have to own around 83% of the network's outputs.

There's a good academic read about this here:
[https://lab.getmonero.org/pubs/MRL-0001.pdf](https://lab.getmonero.org/pubs/MRL-0001.pdf)
and here:
[https://lab.getmonero.org/pubs/MRL-0004.pdf](https://lab.getmonero.org/pubs/MRL-0004.pdf)

And also a privacy improvement which goes into effect in about 25 hours or so
with the next hardfork, called RingCT, which has been peer reviewed by the Ledger
journal:
[http://www.ledgerjournal.org/ojs/index.php/ledger/article/do...](http://www.ledgerjournal.org/ojs/index.php/ledger/article/download/34/45)

Optional privacy a la ZCASH is broken by design and cannot work; you are still
able to have tainted coins and do blacklisting etc. It's effectively useless,
and it also opens up a whole world of other attack vectors like this one:
[https://github.com/zcash/zcash/issues/1360#issuecomment-2461...](https://github.com/zcash/zcash/issues/1360#issuecomment-246109488)

A good read for everyone unbiased, though a bit old, is here (it explains the
inner workings):
[https://lab.getmonero.org/pubs/MRL-0003.pdf](https://lab.getmonero.org/pubs/MRL-0003.pdf)

~~~
otheotheothe
There are a whole bunch of different downsides to ZCash too:

- multisig with z-addresses seems not to be possible.
- Using z-addresses on a smartphone or HW device like Trezor is too resource intensive.

Looks like a privacy disaster to me, as no one will be using it.

~~~
aminorex
20% of the mining goes to the controlling corporation. This is not
decentralization; it's a blatant grab at your wallet.

------
nickik
Not the best talk by far. It's just a really simple intro.

All the developers of Zcash were in the audience and then there is some
associated guy giving an intro.

I thought it was a bit pointless.

------
droffel
The title of this talk is 'zero knowledge succinct non-interactive arguments
of knowledge for laypeople', yet the speaker (at 1:40 in the talk), says he
won't be able to explain how they work.

ZCash, at least for the first 3 builds, did not have their primary feature
(fully anonymous transactions) working. I don't believe that's fixed yet (is
it?). How they missed their primary feature being broken before releasing, I
have no idea.

~~~
woah
Wasn't the issue just that they couldn't mine into anonymous addresses?

~~~
droffel
The issue prevented all transactions which had all z-address inputs and
outputs (that is, fully anon txes) and no t-address inputs or outputs (public
addresses) from being mined.

~~~
biafra
I am sure you're mistaken. I just created and executed a tx with only
z-addresses with zcashd version 1.0.1. It was mined and can be found on the
block explorer.

Please stop spreading FUD about zcash.

~~~
plasticmachine
It's not FUD, he's entirely correct. They had one thing to get right before
launch, and they got it wrong. Speaks volumes for the so-called dream team.
References:

- [https://github.com/zcash/zcash/issues/1705](https://github.com/zcash/zcash/issues/1705)
- [https://www.cryptocoinsnews.com/zcash-bug-prevents-private-t...](https://www.cryptocoinsnews.com/zcash-bug-prevents-private-transactions-soon-after-launch/)

~~~
biafra
It is FUD, because droffel claims no private tx could be mined.

~~~
plasticmachine
No he doesn't. Go read what he wrote again. Private transactions (one z-addr
sends to another z-addr) were not being mined.

------
woah
This thread doesn't seem to have any discussion of the linked video; it's full
of people trying to push something called Monero.

~~~
plasticmachine
It's being presented as an alternative that doesn't cut corners or make the
incredibly dangerous compromises ZCash does. Would you expect a thread lauding
SnapChat as a privacy enhancing messaging app to not have a bunch of people,
finding the suggestion ludicrous, "pushing" Signal?

As to the video, the talk was pathetic. The speaker claimed he was going to
explain zk-SNARKS to the layperson, then immediately claimed to not understand
them. It presented none of the risks of ZCash, and only really covered how
joinsplits work.

------
chx
Can anyone explain to me why we call these things currencies? To start with,
there's
[https://www.washingtonpost.com/news/wonk/wp/2015/06/08/bitco...](https://www.washingtonpost.com/news/wonk/wp/2015/06/08/bitcoin-isnt-the-future-of-money-its-either-a-ponzi-scheme-or-a-pyramid-scheme/)
and then
[https://www.wired.com/2017/01/bitcoin-will-never-currency-so...](https://www.wired.com/2017/01/bitcoin-will-never-currency-something-way-weirder/)

~~~
knocte
[https://99bitcoins.com/bitcoinobituaries/](https://99bitcoins.com/bitcoinobituaries/)

~~~
chx
I haven't said anything about Bitcoin dying, I am just saying it's not a
currency.

------
anon13
It seems like the Monero guys cannot stand that Zcash is the de facto
standard for private transactions and the clear technological leader. Long
live Zcash, for the benefit of all privacy loving users! On the other hand,
spreading FUD and lies does not speak well of Monero. That in addition to the
mathematically weaker and inferior tech used by Monero.

~~~
plasticmachine
Or maybe we're just not buying into cryptography being pushed by a company
that has a marketing department.

~~~
anon13
For sure any marketing that they (Zcash) have is not so active as the Monero
guys are in spreading lies and confusion around.

Maybe we should all abandon the privacy ship, join the Monero guys (no matter
its obscure origins, by the way) and spread FUD and lies about any better tech
like Zcash or others that comes up, right?

~~~
plasticmachine
By "the Monero guys" you mean the broader technical community that understands
security software design?

Also, obscure origins are irrelevant when the technology is solid. Take the
following examples: TrueCrypt, Bitcoin, MimbleWimble. Are you honestly arguing
that TrueCrypt was bad?

~~~
anon13
By the "Monero guys spreading FUD and lies" I mean exactly that. I have used
Monero in the past and considered myself part of that community at the time. I even
used its predecessor Bytecoin for a while before Monero came up. I have
researched a lot and just happen to like and trust Zcash tech much more! Maybe
you should do a bit more research. It is nice to have competing privacy
technologies. It is good for privacy loving users and for the advancement of
the field. If you like Monero and feel it is much better, good for you, use it
and enjoy it, this is a free world, but there is no need to lie and confuse
people about Zcash.

------
kneel
Can't take zcash seriously. The entire currency is programmed to give 10% of
all zcash to the developers.

~~~
meowface
I think that's a fair share given the amount of work that's gone into it.

~~~
kneel
First time I've heard of this practice; it's a very, very large percent of the
pie. Makes me wonder why they don't just mine?

~~~
nickik
The alternative is premining. They went for this model because it is more
transparent.

~~~
plasticmachine
Really? So Bitcoin and Monero only work because of their premine...?

------
wildchild
ZCash is a scam.

~~~
anon13
Zcash is the most technologically advanced cryptocurrency existing today to
effectively accomplish mathematically proven private transactions. Built with
love for all Planet Earth privacy loving users. Use it, test it and you will
love it too!

~~~
plasticmachine
Ummmm no.

1. It's controlled by a corporation with VC backing. This leads to a single
point of failure, a ton of disincentives, and makes it easier for an attacker.

2. The cryptography is untested, unproven, and too new to be trusted. Since
when did technically competent people advocate for cryptography like that??

3. The 20% tax puts a crazy amount of strain on the economic system, and is
inordinately high.

4. The trusted setup is hard to get right, but they completely screwed it up
(see my comment upthread).

5. Private transactions take 8 GB+ of RAM and several minutes to compute on my
laptop; how is that at all scalable or useful?

We should be immensely critical of new cryptography being rushed into
production at the behest of investors, and we should not be promoting a
centralized, corporate-controlled cryptocurrency.

~~~
anon13
Answers to your concerns below:

1. As a Bitcoin fork and descendant it is not controlled by anyone but by its
network of users. Therefore there is no single point of failure. Development
is done today by a corporation with VC backing, which does not necessarily mean
that will continue to be the case tomorrow. A community of developers and/or
users can take the development leadership at any point in the future if it
were so needed.

2. The cryptography is currently superior to any other. It has been tested
and proven. It is in your hands to prove it wrong. Please do so.

3. The founders reward provides even more security and development resources
during the first 4 years. Many people see it in fact as an advantage.

4. The trusted setup process whitepaper has been made public, plus the
participants are also known. You can research and certify the process and
contact the participants as you wish since it is all public. Please provide
the exact point of failure in the process and where exactly it has failed. It
seems like a highly secure setup to me.

5. The RAM and time required for private transactions can be handled with no
problem at all by most users with laptops as of today. Even so, there is
development going on by the Zcash team to improve the performance and reduce
the RAM and time required.

In the spirit of Bitcoin, Zcash is decentralized and built for privacy loving
users.

~~~
plasticmachine
1. Given that not even Zooko understands zk-SNARKs, the ZCash name is
trademarked, and they've shut down their Reddit and IRC channels, there is no
chance of a community of competent developers that understand the technology
springing up. Also I wouldn't be proud of forking Bitcoin, especially when the
changes that have been made are so substantial that they can't keep in sync
with upstream.

2. No, it's not in my hands to do so. The onus is on ZCash to demonstrate
this the way any other cryptography is proven: peer review, and time. ZeroCash
has little of either.

3. Anyone that sees it as an advantage has no clue about disincentives or
game theoretic attacks.

4. The exact point of failure is that they all booted off the same ISO that
was provided by one person. Additionally, when an observer at one of the
stations had their phone compromised they didn't shut the ceremony down and
restart, they just continued. Also, the participants are just Zooko's buddies;
who's to say they aren't conspiring together, and merely compromising the
procedure for anyone who isn't part of that (e.g. Peter Todd)?

5. If privacy is not the default, and is immensely hard to use (due to the
system requirements), it will hardly be used. The entropy of the private
system will be restricted to a relative handful of users.

~~~
anon13
Answers below:

1. You will probably be surprised that there are a lot of highly qualified
people in the community already.

2. If it is so unproven and so untrusted, please go ahead and break it. Words
are cheap; mathematical proof and action are what count.

3. Remains to be seen who is right on this one, and we will see it during the
next 4 years when the founders reward expires.

4. Conspiracy theories. Well, there will probably be more setups in the
future. Maybe you want to propose a counter-whitepaper with a better way to
do the cryptography setup and even be part of the ceremony itself?

5. Zcash uses mathematically proven privacy. Privacy loving users will use
it. Research the tech and then maybe you will be inclined and destined to use
it too.

