
Keybase chooses Zcash - aston
https://keybase.io/blog/keybase-and-zcash
======
malgorithms
Author here. Seeing some of the discussion go down on Twitter, I feel maybe I
should explain further the "white supremacist" example in the post. (one tweet
at me: "So now you can hide the fact that white supremacists are sending you
money? F!@#ing weird example.")

When I shared a draft post with some friends, a lot of them had an ah-ha
moment, so I was hoping for the same from others. I was trying to illustrate 2
privacy concerns around the graph Bitcoin exposes: (1) accidental associations
and (2) exposing the people you transact with to each other.

In the blog's hypothetical, you're not receiving money from some asshole
because you're collecting Klan dues from him. Rather, you performed some
public transaction with a stranger. For example, maybe you sold him some
tickets. An external observer of the graph who knows he's a dangerous
character may start applying high odds that you, too, are a dangerous
character, since they don't know why he sent you money. This would suck. And,
second, this character who sent you money may also be learning things about
you. Since you sold tickets to a local show and mailed them to him, (1) he's
likely to live near you, and (2) he knows your return address. You really
don't want him seeing that you're sending money to causes he opposes. If so,
he might show up at your door.

The goal was to clear up this misconception that a private cryptocurrency is
there to protect criminals. This is especially important if you'd like to post
a static address on a profile.

~~~
kobeya
Have you considered supporting a stealth address scheme for Bitcoin? The
problem is reuse of addresses, period. Bitcoin has solutions for this.

~~~
AgentME
Zcash's anonymous transactions are much more expensive CPU-wise to verify and
aren't pruneable, and the cryptography behind it has been much less reviewed
(Bitcoin operates on a bunch of very boring standard already established and
long-trusted algorithms in comparison!), so I'd be surprised if an established
project like Bitcoin adopted them before they were proven in practice. There's
a lot of money tied up in Bitcoin, so the project is going to be pretty
conservative in how it chooses to change.

~~~
kobeya
Stealth addresses don't use any new cryptography, aren't computationally
expensive, and require no changes to bitcoin consensus or policy rules.

~~~
AgentME
Oh, I guess I mixed up some posts with one lamenting that Zcash wasn't
incorporated into Bitcoin.

Stealth addresses seem like they give much weaker anonymity guarantees than
Zcash, unless you only ever send and receive funds through stealth addresses
with others who follow the same precautions.

------
pero
5 hours and almost 100 comments later no one has pointed out that Zcash and
Keybase share the same investors.

I am relieved that 'Keybase chose Zcash' purely on merit after an exhaustive
and objective selection process, and that this potential conflict of interest
is transparently disclosed in the linked adverticle - wait, they did no such
thing.

Does it concern no one that this security-focused company is shilling for
other (fundamentally questionable) products?

~~~
gtlondon
Good spot, though not surprising to me.

Worth adding here that it also appears Zcash stakeholders have been internally
buying/selling their own ZEC at inflated prices on Poloniex to artificially
increase both volume and the market price.

Whilst perfectly legal, it doesn't enhance a "trustworthy" reputation to me.

~~~
ewillbefull
> Worth adding here that it also appears Zcash stakeholders have been
> internally buying/selling their own ZEC at inflated prices on Poloniex to
> artificially increase both volume and the market price.

I don't understand this. None of the stakeholders have even received their
money yet; this is publicly verifiable.

~~~
gtlondon
Hypothetically, anyone could "prop-up" the crypto market for a newly launched
coin by buying the first Asks from Poloniex at a deliberately inflated price
and then sell back-and-forth to themselves at the same inflated price to
create false volume / pricing.

You wouldn't need any ZEC to begin with.

Just to be clear, I am not specifically claiming the devs are doing this, but
somebody with an interest in ZEC performing well (and money to burn to prop up
the price) has been.

It's eased off now in any case, but it hasn't gained trust from a trading
point of view.

------
CiPHPerCoder
I like Zcash. I think it's a good solution to a problem that Bitcoin did not
solve, and creates a cryptocurrency more in line with the vision spelled out
in A Cypherpunk's Manifesto than the previous attempts.

(Yes, I've looked at the other attempts to build a private alternative to
Bitcoin, including Monero:
[https://github.com/monero-project/monero/issues/1271](https://github.com/monero-project/monero/issues/1271))

~~~
elif
Yeah, but proof that (Beyond the 10% pre-mine) more ZEC are not being secretly
generated for the creators relies upon trust in a cabal of six individuals
based upon a "public" exhibition of genesis involving theatrical destruction
of computers (whose video was supposed to be published but I can't find?)

Even if they are 100% legitimate actors, the lack of absolute proof undermines
the provenance. From my perspective, Zcash is technically a Fiat currency
without the clout of a state backer.

I'm sticking to bitcoin and ethereum :)

~~~
valarauca1
>I'm sticking to bitcoin and ethereum

You don't trust ZCash but you trust Ethereum? The coin that's had its network
hard forked and invalidated... what 4 times now?

~~~
elif
Actually the fork is when I diversified from only bitcoin. It gives me more
confidence than the perpetual ideological wanking behind the btc size bump. I
don't usually take a fundamentalist perspective, especially when it requires
siding with thieves who stole enough to become an existential threat to the
currency.

------
computerwizard
I recommend supporting Zclassic also (
[http://Zclassic.org](http://Zclassic.org) ) It's the same exact code as Zcash
except there is no 20% "genius" tax for 4 years. It's the fair choice and even
has the blessing of Zcash developer Zooko.

~~~
Taek
I think it's worth paying the "genius" tax. Though controversial, the tax
manifests in the form of inflation and will help fund a company that can get
things running and stable.

Of all the qualms I have with Zcash, I think that their mining fee is one of
the cleaner ways in the ecosystem to fund altcoin development. This technology
takes a lot of effort, and a lot of salary money to develop. And then you have
to do marketing, PR, bizdev, etc.

re: qualms:

- trusted setup makes me uneasy
- could have picked more than 5 people for signing party
- cryptography is really scary - lots of assumptions, lots of things that
  haven't really stood the test of time or the examination of experts
- equihash was a poor decision, and a confusing one given that it's pretty
  well understood that complex hashing functions are counterproductive (and
  we've seen this play out already for Zcash, things are just getting started)
- The 'slow start mining' was also a really bad idea, and I would almost
  suggest that it's abusive to the community. More than $100,000 of trade
  volume happened over Zcash at prices that are 1000x the current price of
  Zcash. It should have been easy to understand that this would happen.

Mostly, I would urge people not to use Zcash for situations that require real
anonymity. E.g. wikileaks accepting donations, or routing around capital
controls in oppressive countries. And this is because I do not believe that
the cryptography will hold up. There's too much of it, it's too new, and it's
too interesting (e.g. a lot of aspiring undergrads and grads are looking to
make their mark on the world, and breaking Zcash would be a great way to do
that). I believe that your privacy will be compromised retroactively, and not
due to bugs but due to actual cryptographic breaks. And then you're back to
the Bitcoin network where everyone can see everything, and you're vulnerable.

~~~
tromp
The slow start was a good way to avoid unfair distribution in the beginning
phase when miner implementations were still being written, deployed, tested,
debugged, ported and optimized.

In fact I would advocate for a zero-day start, where the first few hundred
blocks following genesis have exactly 0 reward, coupled with an overestimated
initial difficulty, so people have some less stressful time to get set up
and sort out technical problems.

The crazy initial prices are abusive to no-one except the fools who pay them.

~~~
Taek
Thinking further, you could have achieved something similar by refusing to
allow coins to be traded for X weeks. E.g. no coins at all can be sold until
the first 2 weeks of mining become available all at once.

It's fair-ish distribution, without the absurd trading game that followed the
Zcash release.

~~~
plasticmachine
Exactly. The coinbase could've been time-locked and only spendable after a
block height.

------
gtlondon
Wouldn't it make more sense to use Monero instead of ZCash?

Privacy is compulsory with Monero and also the entire platform is
decentralised.

The privacy features in Zcash are optional & very slow / difficult to use --
most users will simply make non-private transactions. Also Zcash requires
trust of the founders (Any "private" coin that requires trust of a third party
is a fail in my mind).

------
choffman
I think Keybase is making a mistake in choosing Zcash over Monero - especially
so soon after Zcash's launch. But that's okay - they'll come around soon
enough. Zcash has been fantastic advertising for Monero.

------
Panino
The biggest criticism of Zcash is the Founder's Reward. Some people say it's
greedy, that they should have given away their work for free. I disagree. I
think it's great that they will get paid for their work, and it also gives me
confidence for the future of the coin. They have an incentive to make Zcash a
long-term success. Getting paid for work done should be the default, of
course. I could understand that if a billionaire ran a lemonade stand for an
afternoon and steadfastly demanded payment with no free handouts, people would
criticize that. But it should be expected that normal people get paid for
doing real work.

~~~
petertodd
The founders reward is extremely high, so high that the founders have a
significant ability to manipulate the market. This is a concern in part
because the founders may be _forced_ to do that - the actual implementation is
with a single address, rotated periodically, which means that address is a
single-point-of-failure for the whole currency in the sense that compromising
it can be used to crash the price. Finally, 20% is high enough that it gives a
significant advantage to 51% attackers.

~~~
daira
The concern in that last sentence seems misplaced; there is no relation
between proportion of monetary base held by an attacker, and proportion of
mining power held by an attacker.

~~~
petertodd
The problem is that it reduces the cost for an attacker; why do you think
monetary base has anything to do with it?

------
kneel
[https://z.cash/blog/funding.html](https://z.cash/blog/funding.html)

ctrl-f 'founders reward'

~~~
exstudent2
"After the first four years the ZEC created per ten minutes will drop to 25ⓩ,
but after the first four years, 100% of it goes to the miners."

Seems like a good business model and a way to fund the innovation they've
created.

~~~
kneel
Why don't they just mine then?

Bitcoin worked just fine without Satoshi programming rewards for himself.

~~~
alvarosm
ripping off the greedy fanboys is way cheaper and quicker

------
Uptrenda
Completely unrelated to the article but boy do I like the design for Keybase.
The blog is beautiful and minimal with no crap popping up on your screen
asking for your email (every modern blog now seems to do this.) The colors
work perfectly too. In fact, that combination of white, blue, black, and gray
is very similar to what Bitcoinica originally used for their popular Bitcoin
margin trading platform back in the day (and I like it as much now as I did
back then - contrasts so well on every screen type.)

The home page also follows a similar pattern: just beautiful, uncluttered, no
bullshit design, that gets straight to the point. Why can't more websites do
this? A+++ would browse again.

------
EvilMonkeyMat
I have read almost all comments, and it seems like nobody has pointed out that
the supposedly anonymous transactions (using z addresses) are still not
working. All mining pools are warning about it. For example:

[http://zcash.flypool.org](http://zcash.flypool.org)

If anonymity is so important for people, there are already excellent
solutions, Monero being one of the best, if not the best, with a strong and
serious dev team.

Disclaimer: I am not a Monero dev and I own a huge total of 0.6 XMR. This is
only my opinion as a software dev.

~~~
daira
Fixed in Zcash 1.0.3. (They were always "working", despite the bugs that were
recently fixed. You can see plenty of successful z-address transactions on the
blockchain.)

~~~
plasticmachine
You had a single thing with ZCash that you had to get right, and you couldn't
get it working in your initial release? What an utter embarrassment.

------
yownie
Doesn't anyone else find this post funny for talking about discovery of social
graphs while the main product keybase.io offers does exactly this? I mean the
entire service acts as a nice centralized graph linking users' nyms across
various services. Irony much?

------
mtgx
Since Zcash uses the same codebase of Bitcoin, does that mean it would be
possible to later integrate it back into Bitcoin, and just transition Zcash
T-addresses to regular Bitcoin addresses, and then add the Z-addresses on top
of the Bitcoin addresses ecosystem?

I also wonder about how much of a risk to its own ecosystem Zcash being a
private company represents. Was that really better than making it a non-
profit? And won't this make it easier for law enforcement to go after Zcash as
the sole culpable entity for "money laundering" and other such charges?

~~~
Ar-Curunir
No, most likely not. ZCash shielded transactions have completely different
structure to normal BTC ones.

~~~
petertodd
Nah, they're just extra data, that could easily go in the signature fields;
it's definitely possible to add Zcash functionality to Bitcoin in a backwards
compatible soft-fork.

Basically you'd have a pool of "shielded" txouts that could be spent with a
zcash signature, without any requirement that a particular txout be spent for
a given signature. Surprisingly easy upgrade all things considered; the main
blocker is Zcash's crypto is very experimental and slow.

------
speps
> HN users: those PM'ing me for an invitation.... in the FAQ there is a temp
> code to skip the queue. We'll turn that code off in a day or two.

> use the invitation code "zcash" during signup

------
anondon
Is there any way to mimic Zcash's z-addresses in Bitcoin?

I like the ideas behind Zcash and it solves important privacy issues, but I
don't like the idea of a for profit company being the heavyweight behind
Zcash.

From what I gather, Bitcoin is more of a community effort than most other
altcoins, which inspires trust.

I looked up Zcash's price chart, it fell from ~$1300 at launch to ~$90 now.
Ouch.

~~~
Taek
If I recall correctly, more than 500btc was traded when the price was over 100
btc per Zcash - $350,000 in trade volume at a price exceeding $70,000 per
token, when the price today has fallen to about $100 per token. Max price was
almost $2,000,000 per token, someone actually literally spent that much.

Perhaps the greatest example I've ever seen of tulip mania. And I'm fairly
confident those were real trades, as they occurred on a public exchange where
anyone with money or zcash was able to buy or sell at any time. Granted, at
this point there were only dozens of people with the asset, but anyone was
able to mine the currency and blocks were being found every 2.5 minutes using
commodity hardware (e.g. laptops and desktops).

~~~
hackinthebochs
> Max price was almost $2,000,000 per token, someone actually literally spent
> that much.

No. When zcash was trading at such a price, it was less than a single zcash
coin in total. So a few people were paying significant sums for very small
fractions of a zcash coin, but no one paid 2,000,000 for a single coin. The
price has crashed because supply has grown exponentially. What you were seeing
was supply vs demand in action in an unusually obvious way.

~~~
Taek
I did not mean to suggest that a whole $2M was dropped, but someone did buy a
fragment for $2M per coin.

These people buying it hopefully would have been aware of the publicly known
upcoming inflation, the fact that they bought at these prices I believe is a
tragedy and a black mark against Zcash.

~~~
wmf
So if I buy 0.01 BTC for $750 [1] and cause the price to "fall 99%" that will
leave a black mark against Bitcoin? Perhaps the blame really lies in the
exchanges who were so eager to allow trading on such a scarce asset.

[1] I realize this is not really possible because you'd have to buy the entire
order book first, but in the case of ZCash the order book was empty.

~~~
Taek
The order book was not empty, as stated above there was over $350,000 in trade
volume at prices greater than 100x what they were less than a week later.

------
jszymborski
Slightly OT, but I realllyy wish Keybase would prioritise email validation so
that it could fulfill the much needed role of general PGP key server, with the
added "sum of your social identities" assurance.

~~~
rspeer
And that's what I thought Keybase was until this article.

I got myself a Keybase account a while ago; is it reasonable to use it if
Zcash is not something I would touch with a ten-foot pole?

------
doozler
Is it too late to get started with Zcash? If not would you recommend buying it
or trying to mine it? Last question, would AWS be a good resource to mine it?

------
alexmingoia
Why not Monero? Why not Ethereum? The reasons stated aren't very consistent.

------
rgbrgb
How do you purchase zcash with USD?

~~~
cjbprime
Not an expert, but:

Kraken is an exchange that sells Zcash to USD holders (as long as you aren't
in NY state!). Another option is to buy Bitcoin (e.g. from Coinbase) with USD,
and then use shapeshift.io to convert your Bitcoin to Zcash.

------
dstaten
"The sex toy shop knows you gave to UNICEF so that feels good."

------
brilliantcode
Consider that after by end of this month there will be 200,000 ZEC released
following _every month_ with 20% going to the founder's coffers after 4 years.

Extreme inflation will continue sending prices crashing. Recall early this
month prices were hovering around 2 Ferrari 458 and now it's tanked to under a
100 dollars.

If we were to assume that in 48 months X 200,000 ZEC = ~100,000,000 ZEC with
20,000,000 ZEC belonging to the Founders.

edit: why the downvotes? I'm just reporting the facts:
[https://twitter.com/TommyEconomics/status/793435785097646081...](https://twitter.com/TommyEconomics/status/793435785097646081?s=09)

~~~
FlailFast
It's important to consider the pros and cons about the Founder's Reward with
Zcash, and I appreciate you trying to start a discussion, but I just wanted to
clarify that your numbers are slightly off.

20% for the next 4 years goes to the "founders" (which is not just the
developers, but investors as well). But much like Bitcoin the total monetary
base is fixed at 21,000,000 ZEC. And also like Bitcoin, the total mining
reward is halved (roughly) every 4 years, and consequently decreases
exponentially until it reaches that total reward.

Effectively, this means that the Zcash Founders Reward doles out 10% of the
currency to the investors/early development team over the lifetime of the
currency, and in many ways mirrors a startup vesting cycle of 4 years (minus
the one year cliff). Their blog goes into more detail about the reward here:
[https://z.cash/blog/continued-funding-and-transparency.html](https://z.cash/blog/continued-funding-and-transparency.html)

Personally, I think this reward distribution is a significant improvement to
the "premine/ICO" antics you see in many other cryptocurrencies/tokens, even
if I think it's a little high. I applaud the team for trying something
new/seemingly more fair.

(Also, not affiliated with the team, just a cryptocurrency nut:
[http://keybase.io/cin](http://keybase.io/cin))

~~~
plasticmachine
The amount of perverse incentives it creates is insane. Instead of investors
being forced to slowly accumulate ZEC, they are given it almost in bulk, and
are in a perfect position to manipulate and short the market.

------
xiphias
I'm not that much into zcash, but this is cool:

[https://petertodd.org/2016/cypherpunk-desert-bus-zcash-trust...](https://petertodd.org/2016/cypherpunk-desert-bus-zcash-trusted-setup-ceremony)

~~~
alvarosm
At least I hope he got paid well for that idiotic tale...

~~~
petertodd
Like I said in the article, I didn't get paid for my involvement other than
having my expenses reimbursed.

Did you actually read it?

~~~
alvarosm
Of course I did.

------
alvarosm
You need a ton of space and/or processing power for the zero-knowledge
transactions. The anonymity isn't free!

In practice Zcash/zcoin (different tradeoffs) are of no use to you unless you
are willing to go the extra mile to hide something (criminal activities and
such). There's no point in paying for the extra effort for normal
transactions.

~~~
detaro
How large is the overhead in numbers? I tried to search but didn't find any
clear examples.

EDIT: found some data in the ceremony report linked elsewhere in this
discussion:
[https://petertodd.org/2016/cypherpunk-desert-bus-zcash-trust...](https://petertodd.org/2016/cypherpunk-desert-bus-zcash-trusted-setup-ceremony#scale-and-scalability)

~~~
petertodd
Sending takes a few minutes of computation on your wallet - but that's not
such a big deal as it's comparable to the time it takes for block
confirmations anyway.

The problem is verification of private transactions is very slow by cryptocoin
standards, and verification is something that every full node and miner must
do. Zcash would fail if private transactions were used in large numbers, as
blocks would take too long to validate for mining to remain decentralized;
Bitcoin transactions are a few orders of magnitude faster to validate, with a
4x more conservative block interval and 2x smaller blocksize, and the Bitcoin
dev community has had to make heroic efforts to further optimize validation.

~~~
daira
There are ways to significantly reduce the cost of zk proof verification by
batching (that are compatible with the existing Zcash protocol without a
fork).

~~~
petertodd
Prove it first by actually implementing those ways and having them survive
peer review; this is highly experimental crypto so it's not clear what's
actually possible.

Again, I don't think it's very responsible to knowingly release design a
protocol that in its current form would collapse if heavily used due to a lack
of safety limits.

------
nickik
PM me if you are interested in invites, I have a bunch.

------
prashnts
I have ~15 invites left, in case someone needs it they can ping me at ps+hn
<at> noop <dot> pw. :)

~~~
wbinford
Actually, the faq in the ZCash blog post
([https://keybase.io/blog/keybase-and-zcash](https://keybase.io/blog/keybase-and-zcash))
has a way to sign up for keybase.io immediately.

------
Walkman
Some invitation codes for keybase:

Sold out.

------
atweiden
The "zaddress" is already implemented in Bitcoin in the form of a stealth
address, pioneered by libbitcoin [1].

This news spurred me to delete my Keybase account. I regret ever giving a
corporation that much control over my personal privacy.

[1]
[https://github.com/libbitcoin/libbitcoin-explorer/wiki/Steal...](https://github.com/libbitcoin/libbitcoin-explorer/wiki/Stealth-Commands)

~~~
detaro
Care to explain why for someone who doesn't know much about the
bitcoin/cryptocurrency world? I don't get what the link is supposed to tell
me.

~~~
atweiden
A regular Bitcoin address of the form `1LoD3JXVckEKkZh8nkSrvmQaovnGYu8fNP` is
non-private, everyone knows this. Posting such an address in your public
profile allows blockchain data harvesting firms to learn when your address
receives BTC and from where, and to whom your address sends money.

But there is no reason to post such an address. If Alice wants to post a fully
private Bitcoin address that can't be monitored by data harvesting firms, she
should post a stealth address [1]. If Bob wants to send Alice BTC, he takes
Alice's stealth address and derives from it a regular Bitcoin address. No one
but Bob can know what Alice's derived Bitcoin address is, because the address
is derived from Bob's private data.

The libbitcoin software suite supports these stealth addresses, but because
libbitcoin isn't VC backed and doesn't have the hype of moneyed interests
behind it, libbitcoin wasn't good enough for Keybase. They probably never even
evaluated it.

A ZCash "zaddress" is basically just a Bitcoin stealth address.

That the CEO of a privacy-focused social networking service is not in tune
with this information is a huge red flag to me. As each Keybase.io profile is
an implicit endorsement of Keybase and by extension Keybase's investors, I was
deeply saddened and frustrated to learn the news that Keybase has decided for
its entire userbase to prop up ZCash based on their faulty assumptions.

[1] [http://sx.dyne.org/stealth.html](http://sx.dyne.org/stealth.html)

