
ZCash (formerly Zerocash/Zerocoin) technology preview - malgorithms
https://z.cash/blog/helloworld.html
======
vessenes
Actually, zerocash is significantly different than other altcoins, in that it
replaces digital signatures with zero knowledge proofs. It's technically very
interesting, and seems like a believable next direction for Bitcoiners. The
other direction would be some variant of ethereum.

If you don't believe that a general purpose one-size-fits-all blockchain
technology can be easily and safely created, but you would prefer more privacy
and security, Zcash is a frankly compelling idea, and deserves a look.

Monero uses a different scheme (ring signatures, essentially mixing in fake
and real digital signatures) for privacy. To my knowledge, they don't
duplicate the 'blinding' type of hiding about bucket recipients and ownership
that zcash does.

Note also that BIP47 and the like are trying to add some of these privacy
features into Bitcoin core, so there's lots of angles on improved privacy.

~~~
mootothemax
Two questions I've yet to receive answers on:

- my laptop is stolen in a compromised state (eg logged on, nothing left
encrypted); can anyone trace my transactions?

- I've read suggestions that Zcash themselves can deanonymize every
transaction, thanks to generating the initial "Genesis" block. Is that roughly
right? (Ignoring obfuscation techniques like getting many other people to
create separate signatures)

I'm definitely concerned that this comes with a lot of asterisks next to its
claims.

~~~
vessenes
1) Laptop stolen, unlocked, you never encrypted anything: yep, you're hosed as
far as I know. How else would your wallet be able to tell you a balance?

2) The creation of the genesis block involves a trust 'game' of sorts, in
which many participants are asked to pick a number. The statement from zcash,
which a better cryptographer than me could verify, is that only one of the
participants need be trustworthy in order to make this step safe.

I think anyone can participate in the genesis block creation, so you may be
just who they need to get the genesis block in good shape. :)

On a different note, it would take a juvenile and short-sighted thinker to
_want_ to be able to deanonymize the transactions; not that those people don't
exist, but most rational adults would not wish to be emotionally and
personally liable in some way for knowing the identities of the money
launderers, child pornographers and others who will undoubtedly be drawn to a
technology like this.
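A toy model of the "pick a number" setup game described in this comment, added here as an illustration and not Zcash's own ceremony code: each participant applies a fresh secret exponent to a public accumulator, publishes a Chaum-Pedersen proof that the step was honest, and destroys the secret, so an auditor can replay the transcript while the combined secret stays unknown as long as one participant really discarded theirs. The group size, the safe-prime search and the hash-to-challenge encoding are assumptions of this example.

```python
import hashlib
import random

# Toy multi-party setup: accumulator A starts at g; participant i raises it to a fresh
# secret s_i, publishes (A_new, proof) and deletes s_i, so the end result is g^tau with
# tau = s_1 * ... * s_n mod q. Knowing all s_i but one leaves tau uniform in Z_q^*: one honest
# participant who really discards s_i suffices. Group/encoding are assumptions, not Zcash's.

MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n):
    """Miller-Rabin; deterministic for n < 3.3e24 with these bases."""
    if n < 2:
        return False
    for b in MR_BASES:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def make_group(rng, bits=62):
    """Safe prime p = 2q + 1 and a generator g of the order-q subgroup (a non-trivial square)."""
    while True:
        q = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_prime(q) and is_prime(2 * q + 1):
            p = 2 * q + 1
            return p, q, pow(rng.randrange(2, p - 1), 2, p)

def challenge(q, *elems):
    """Fiat-Shamir challenge over the proof transcript."""
    data = b"".join(e.to_bytes(32, "big") for e in elems)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % q

def contribute(p, q, g, a_old, rng):
    """One participant's turn. Returns the new accumulator and a Chaum-Pedersen (DLEQ)
    proof that log_{a_old}(a_new) == log_g(g_s); the secret s is dropped on return."""
    s = rng.randrange(1, q)
    a_new, g_s = pow(a_old, s, p), pow(g, s, p)
    k = rng.randrange(1, q)
    t1, t2 = pow(g, k, p), pow(a_old, k, p)
    c = challenge(q, g, g_s, a_old, a_new, t1, t2)
    return a_new, (g_s, t1, t2, (k + c * s) % q)

def verify_step(p, q, g, a_old, a_new, proof):
    """Auditor check: a_new is a non-trivial subgroup element and the DLEQ proof holds."""
    g_s, t1, t2, z = proof
    if not (1 < a_new < p and pow(a_new, q, p) == 1):
        return False
    c = challenge(q, g, g_s, a_old, a_new, t1, t2)
    return (pow(g, z, p) == t1 * pow(g_s, c, p) % p
            and pow(a_old, z, p) == t2 * pow(a_new, c, p) % p)

def run_ceremony(n_participants, seed=1):
    rng = random.Random(seed)
    p, q, g = make_group(rng)
    transcript, a = [], g
    for _ in range(n_participants):
        a_new, proof = contribute(p, q, g, a, rng)
        transcript.append((a, a_new, proof))
        a = a_new
    return (p, q, g), transcript

def audit(group, transcript):
    """Anyone can replay the transcript: chain starts at g, links, and every proof verifies."""
    p, q, g = group
    if not transcript or transcript[0][0] != g:
        return False
    linked = all(transcript[i][1] == transcript[i + 1][0] for i in range(len(transcript) - 1))
    return linked and all(verify_step(p, q, g, a0, a1, pr) for a0, a1, pr in transcript)
```

Nothing in the transcript reveals any s_i, so a corrupt majority that kept their exponents still cannot recover tau if the remaining participant's exponent was random and gone.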

~~~
Forbo
Ah, two of the Four Horsemen of the Infocalypse rear their ugly heads:

8.3.4. "How will privacy and anonymity be attacked?" [...] like so many other
"computer hacker" items, as a tool for the "Four Horsemen": drug-dealers,
money-launderers, terrorists, and pedophiles.

[https://en.wikipedia.org/wiki/Four_Horsemen_of_the_Infocalyp...](https://en.wikipedia.org/wiki/Four_Horsemen_of_the_Infocalypse)

~~~
omginternets
I think this moral panic (for lack of a better term) is omnipresent because
it's actually true to some degree. You can't seriously claim these groups
wouldn't benefit from anonymous, secure payment systems. However:

- They already have anonymous, secure payment systems (cash, drugs, jewels,
shell companies, etc)

- The cat is out of the bag, so they're going to have it anyway

- These proverbial Horsemen do more than just move money around; there's
still plenty of room for detective work.

Splitting the atom gave us nuclear power, viable cancer treatment, smoke
detectors, and also Hiroshima, Nagasaki, and the threat of radiological
terrorism. The proverbial sword is always double-edged.

To make an actual point: I think we'd do well as a community to acknowledge
the degree of truth these moral panics hold, because I suspect we frustrate a
lot of people by being dismissive of what they perceive to be an apocalyptic
problem.

~~~
gozur88
>These proverbial Horsemen do more than just move money around; there's still
plenty of room for detective work.

This. Taking away everyone's privacy because somebody might use privacy to
break the law is dumb. You want to bust drug dealers? Bust them for selling
drugs.

~~~
superuser2
"Taking away" is interesting language. The ability to transfer money without
either meeting in person (meetings can be surveilled) or generating records
subject to disclosure (shell companies and laundering schemes can be
deciphered through forensic accounting) is unprecedented. We've never lived in
a time when people had cryptographic certainty of the secrecy of their
transactions.

~~~
cyphar
Cash and dead drops provide both of those properties. There are many other
ways to investigate crimes. Just because the internet is new doesn't mean that
human rights don't apply for this new communication medium.

~~~
superuser2
Government-impervious money transfer as a human right is nebulous at best. The
internet has not changed the legal or ethical status of money laundering. At
best you could say it has always been a human right, but it's certainly never
existed in the US or Western Europe.

Cash transactions carry substantial risk: both parties must be physically
present in some place to make the deal. They can be tailed, the meeting place
can be under surveillance, they can be raided, they can murder each other and
run, etc. It's also impractical to deal with large amounts of cash due to the
risk of robbery/theft (including civil forfeiture), and legitimate entities
won't take suitcases full of cash for large purchases. Infiltrating and
exfiltrating large amounts of money from the legitimate banking system is also
very likely to leave traces that can be understood by sufficiently
skilled/motivated forensic accountants.

Whereas flipping some bytes in the firehose of cryptographically secure bytes
already coming in and out of every home is undetectable and basically
risk-free.

Some much more concrete human rights are ensured through taxation: food,
shelter, water, health care, police, education, national defense, etc. If you
make taxation effectively optional by running a perfect, free money-laundering
system, some of them may have to go.

~~~
cyphar
You clearly don't understand how money laundering works or what it is.
Anonymous payment systems do not make it any easier to launder money, tax
offices can still figure out that you have unregistered income.

------
zooko-zcash
Hi folks! I'm the Founder and CEO of the Zcash company. It's really great to
have this much interest in a project that we just released in alpha
"Technology Preview" form two weeks ago.

There are a lot of good questions in here, some of which I answered in an AMA
a few days ago: [https://forum.bitcoin.com/ama-ask-me-anything/i-m-zooko-wilc...](https://forum.bitcoin.com/ama-ask-me-anything/i-m-zooko-wilcox-ceo-of-the-zcash-company-ask-me-anything-t5413.html)

I can't wait to release the next iteration of the Zcash software, in — fingers
crossed — just a couple of weeks. We'll continue to have lots of blog posts
and technical discussions from us along the way. This is only the beginning!

~~~
paragon_init
Hi Zooko,

Has there been any serious discussion about incorporating the results of
PQCRYPTO in your protocol so Zcash is still secure and viable (at >= 2^128
security level) after the development of practical quantum computers?

[http://pqcrypto.eu.org](http://pqcrypto.eu.org)

~~~
ianmiers
Hi, I'm one of the ZCash scientists: Section 8.1 in the full paper describes
how to get anonymity that survives quantum computers. ([http://zerocash-project.org/media/pdf/zerocash-extended-2014...](http://zerocash-project.org/media/pdf/zerocash-extended-20140518.pdf)).

The zero-knowledge proof itself offers statistical privacy in the face of
unbounded (so more powerful than quantum) attackers. So surprisingly, you are
mostly fine. But you would need to take two steps to protect yourself. First,
you have to use each zcash address only once.

Second, you need to use a post quantum secure means of notifying the recipient
they got a transaction and of the coin commitment openings. The built in
mechanism in ZCash, which posts a ciphertext to the blockchain encrypted under
the recipients public key is standard off the shelf public key cryptography.
It's efficient, but is of course not post quantum secure. Nothing requires
that you use this mechanism, however. You can always post a garbage ciphertext
and inform the recipient some other way.
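A toy model of the two steps above, added here as an illustration and not code from Zcash or the Zerocash paper: the ledger stores only a note commitment plus a ciphertext nobody reads, the opening reaches the recipient over a separate channel (represented by the tuple `send` returns), and the recipient refuses openings that do not match the chain or that reuse an address. The hash-based commitment and its field layout are assumptions of this example, not Zerocash's COMM.

```python
import hashlib
import secrets

# Toy note delivery: the chain holds commitments (and an ignorable ciphertext); the
# opening travels out of band. Hash-based stand-in, not Zerocash's commitment scheme.

def commit(addr, value, rho, r):
    """Commitment to (recipient address, value, nullifier seed rho, blinding r)."""
    data = b"toy-note-v1" + addr + value.to_bytes(8, "big") + rho + r
    return hashlib.sha256(data).digest()

class Ledger:
    def __init__(self):
        self.commitments = []

    def post(self, cm, ciphertext):
        """The ciphertext is recorded but nothing in this model ever decrypts it."""
        self.commitments.append((cm, ciphertext))
        return len(self.commitments) - 1

    def has_commitment(self, cm):
        return any(c == cm for c, _ in self.commitments)

class Recipient:
    def __init__(self):
        self.addresses = {}   # address -> already used for a payment
        self.notes = []

    def fresh_address(self):
        """Step one: a new address per payment, never handed out twice."""
        addr = secrets.token_bytes(32)
        self.addresses[addr] = False
        return addr

    def accept(self, ledger, opening):
        """Step two: check an out-of-band opening against the chain before trusting it."""
        addr, value, rho, r = opening
        if self.addresses.get(addr, True):
            return False               # unknown address, or one that was already used
        cm = commit(addr, value, rho, r)
        if not ledger.has_commitment(cm):
            return False               # opening matches no commitment on the chain
        self.addresses[addr] = True
        self.notes.append((cm, value))
        return True

def send(ledger, addr, value):
    """Sender posts the commitment with a garbage ciphertext and hands back the opening
    for the out-of-band channel instead of encrypting it to the recipient's key."""
    rho, r = secrets.token_bytes(32), secrets.token_bytes(32)
    cm = commit(addr, value, rho, r)
    ledger.post(cm, secrets.token_bytes(64))   # constructed garbage, never decrypted
    return (addr, value, rho, r)
```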

------
jhasse
For anyone interested in how Zcash (formerly Zerocoin) works and who
understands German, I've written my Bachelor thesis about it in 2013:
[http://www.math.uni-bremen.de/~jhasse/Kryptografische%20Grun...](http://www.math.uni-bremen.de/~jhasse/Kryptografische%20Grundlagen%20von%20Bitcoin.pdf) (see Part
IV)

~~~
davidsarah
Note that the Anonymity section of this describes Zerocoin. Zcash is an
implementation of Zerocash which is a later and more efficient, but
cryptographically quite different protocol (by the same and additional
authors).

~~~
jhasse
Oh didn't know that! Thanks :) I thought that Zcash was just a new name ;)

------
natrius
_> We believe that privacy strengthens social ties and social institutions,
protects societies against their enemies, and helps societies to be more
peaceful and more prosperous._

It's time to have a serious conversation about whether this is actually true
when it comes to _financial_ privacy.

Our society is governed by money. Money governs our production directly, and
it governs our regulations indirectly since votes can be purchased.
Governments derive their power from the consent of the governed, but we use
money that doesn't allow us to withdraw our consent without opting out of the
economy entirely. Your complaints about money in politics or unstoppable
violent cartels around the world are complaints about tyranny, and we should
be fighting that tyranny.

Anonymous currencies go in the other direction. I'm glad people are building
them, but we need to start talking about the implications of using them.
Everything about our society will be decided by the people with the most money
if people accept anonymous currencies. Democracy isn't possible when you can't
hope to detect when influence is being purchased.

We're already most of the way there: dollars are anonymous to everyone except
the governments that regulate banks. Since those governments have been
purchased, those regulations can only really be used against those who haven't
already purchased strong representation in the government already.

I think we need to go in the opposite direction. We need currencies that
everyone can track so individuals can decide whose power they'd like to submit
to. If I know someone is buying influence and I want to reject their power to
do so, I can stop accepting any money they've used in that way. People accept
money to influence politics because other people will accept that money. If
other people stop accepting that money, it won't be possible to buy influence
anymore. The people who sell their goods, services, and labor will set the
rules by their decisions about what money to accept. Wealth won't govern our
society, production will.

This is merit capitalism. I think it's closer to the world we want to live in.
I hope you'll join me in reconsidering whether financial privacy is actually a
good thing.

[http://meritcapitalism.com/](http://meritcapitalism.com/)

~~~
Karunamon
That's... actually a really interesting idea, but you have to consider who
you're building the system for - governments, or normal everyday people?

There is a principle, that I think has basically been proven at this point, if
not academically:

A: In any non-optional system used by n people, the bad actors using that
system are < n/2 (read: not a majority)

B: It is impossible to prevent bad actors from misusing any system.

C: Trying too hard means the system necessarily damages good actors.

Therefore:

D: Any system that punishes bad participants more than it helps non-bad
participants is degenerate.

Bitcoin can be seen as a rejection of a system suffering from C. For perfectly
legitimate businesses and people, sending money is an unmitigated pain in the
ass, substantial bites taken by middlemen, arbitrary negative action (cf.
civil forfeiture, paypal freezes) and so on. Bitcoin solves almost all of
those problems, but makes lives easier for the bad actors too (but not enough
that it substantially increases corruption in the world - bad actors gonna bad
act)

Now, if your hypothetical system is _strictly_ opt-in, perhaps with social
pressure for politicians and such to use it, then I'd have no trouble with it.
Were it to become the de facto currency, on the other hand, the problems we
have with government overreach and data mining just become a _lot_ worse.

If we accept B as true, then it makes more sense to design for the case of
innocent, law abiding people first, out of fear of harming them due to C.

Put another way, I'm a lot more worried about government misusing things under
color of law, than I am worried about government corruption. At least regular
people can oppose the second one in good faith, while the first one always
comes with the "it's legal, so?" baggage.

~~~
natrius
It's strictly opt-in, but you won't be able to buy anything if everyone else
requires auditable money and you don't want to opt-in. The more people who
adopt it, the less tenable it is to stay out.

Governments are people. People who use this system nefariously can be
sanctioned by refusing to accept money they've touched. We're so afraid of
governments misusing their power because our checks and balances have failed
miserably, but it's not so bad that anyone wants to use the ultimate fallback
of revolution. Merit capitalism is a check that the people control directly.
People don't need to revolt to reclaim power anymore.

~~~
Karunamon
You're going to have to convince people that adopting this tool is better for
them than what they have now for it to stand a chance of adoption.

From a purely selfish standpoint, I would not want to use this system, because
I don't want advertisers, insurance companies, malcontents, stalkers, debt
collectors, busybodies, three-letter-agencies, data brokers, or any other
random with an internet connection to know that I spent money at a
hypothetical STD clinic or received money for participating in a scientific
study.

This plan introduces a _huge_ number of unknown unknowns, where right now,
we've got a pretty good idea of how widespread the corruption is, the forms it
generally takes, and what, if anything, we can do about it. And since past
behavior is the best predictor of future behavior, I can look backwards to see
how behavioral data is abused right now, and say with _complete_ certainty
that it would be abused more under this system.

No thanks.

~~~
natrius
I agree that conservatism has virtues. Change does introduce unknown unknowns.
I think there's a good strategy for handling them: when people do undesirable
things, sanction them.

Change is inevitable. Zcash is here, so regulation is dead. Conservatism isn't
an option: we have to choose how to adapt to change. I think merit capitalism
is the right choice.

Thanks for your questions! Good talk.

------
rrggrr
I hope I'm wrong, but if ZCash delivers on the technical promise the blowback
from legislators and law enforcement is sure to result in a net loss of
privacy for everyone. Enabling illegal profiteering from the very real pain
and suffering of others almost always results in government action
(appropriately so); but also legislative over-reaching (e.g. mandated
sentencing legislations, zero tolerance policies, warrantless wiretapping)
because ZCash's message of economic and societal benefits will be utterly lost
amid stories of how the tech hurt people.

ZCash is very impressive. Brilliant even. But for those who want better
privacy... elect leaders who share the concern. Donate to the EFF and ACLU.
Advocate for a 'privacy czar' as a cabinet/ministerial level position.

~~~
wcummings
I think many prefer non-violent direct action, for good reason. The cost to
the government to spy on you is so low, cryptographically enforcing privacy is
the only way to guarantee it.

~~~
rrggrr
If successful ZCash cryptographically guarantees more government regulation
and surveillance to counter the very real and also the very irrational fears
of harm anonymous payments make possible. It will have opposite the desired
impact on privacy if it takes off. I want to be wrong about this, but
experience tells me otherwise.

------
swsieber
For those of you concerned about pump and dump, they've specifically addressed
it in a blog post [1]. And they are open sourcing a ton of stuff. But that's
addressed in their blog. So to me, the layman, it seems like they won't be
doing a pump and dump. I say layman because I'm really not qualified to
assert that my statements are indeed correct.

[1] [https://z.cash/blog/funding.html](https://z.cash/blog/funding.html)

~~~
bb88
From that link I see this:

> With this approach, the founders are incentivized to support Zcash for the
> long haul (at least for four years), and they have limited ability to pump-
> and-dump.

I don't see how anyone can audit that statement since the transactions are
encrypted [1].

[1] [https://z.cash/tech.html](https://z.cash/tech.html)

~~~
jacobr1
> I don't see how anyone can audit that statement since the transactions are
> encrypted

Couldn't one audit the code? Provided zcash itself doesn't have 51% or more of
the mining network post launch the open source code should be verifiable and
needs to have some special case to route the "founder reward". Though I admit
I haven't looked through the source code so I may be missing something.

------
kanzure
Here's some stuff on zerocash:

Zerocash: Decentralized anonymous payments from Bitcoin:
[http://diyhpl.us/~bryan/papers2/bitcoin/Zerocash:%20Decentra...](http://diyhpl.us/~bryan/papers2/bitcoin/Zerocash:%20Decentralized%20anonymous%20payments%20from%20Bitcoin%20\(extended%20version\)%20-%202014-05-18.pdf)

Zerocoin: anonymous, distributed e-cash from bitcoin:
[http://diyhpl.us/~bryan/papers2/bitcoin/Zerocoin:%20anonymou...](http://diyhpl.us/~bryan/papers2/bitcoin/Zerocoin:%20anonymous%20distributed%20e-cash%20from%20bitcoin.pdf)

How to explain zero knowledge protocols to other people's children:
[http://diyhpl.us/~bryan/papers2/bitcoin/snarks/How%20to%20ex...](http://diyhpl.us/~bryan/papers2/bitcoin/snarks/How%20to%20explain%20zero%20knowledge%20protocols%20to%20other%20people's%20children.pdf)

GGPR paper, NIZKs without PCPs:
[http://diyhpl.us/~bryan/papers2/bitcoin/snarks/Quadratic%20s...](http://diyhpl.us/~bryan/papers2/bitcoin/snarks/Quadratic%20span%20programs%20and%20succinct%20NIZKs%20without%20PCPs%20-%20GGPR.pdf)

Snarks for C: Verifying program execution succinctly and in zero knowledge:
[http://diyhpl.us/~bryan/papers2/bitcoin/snarks/SNARKs%20for%...](http://diyhpl.us/~bryan/papers2/bitcoin/snarks/SNARKs%20for%20C:%20Verifying%20program%20executions%20succinctly%20and%20in%20zero%20knowledge.pdf)

Secure sampling of public parameters for succinct zero knowledge proofs:
[http://diyhpl.us/~bryan/papers2/bitcoin/snarks/Secure%20samp...](http://diyhpl.us/~bryan/papers2/bitcoin/snarks/Secure%20sampling%20of%20public%20parameters%20for%20succinct%20zero%20knowledge%20proofs.pdf)

[https://github.com/scipr-lab/libsnark](https://github.com/scipr-lab/libsnark)

FWIW I think that confidential transactions and even SNARKs will eventually
make their way into Bitcoin.

------
jerguismi
There seems to be plenty of privacy-oriented altcoins around. How does the
privacy model of zcash compare to others, like monero or dash?

~~~
sarciszewski
I can't do an apples-apples comparison to the ones you listed because I'm only
familiar with Bitcoin and the original Zerocash paper. I can say that the
zkSNARK approach to crypto-currency is certainly _novel_ and they have a great
team of competent cryptographers and engineers on the team.

That is to say, Zcash isn't a hobbyist effort, it's the result of serious
crypto engineering. It's not clown-shoes privacy.

~~~
jerguismi
OK so basically appeal to authority etc. Not much that a common guy can
understand.

Sounds to me like a product that is only designed for really smart people...

~~~
statoshi
Most people don't understand how the Internet works, yet they manage to use it
every day. Same goes for existing mainstream financial systems.

~~~
jerguismi
Well the question really is, how do the masses start to use this? If only
couple of smart people understand it, it won't help much. There are already
lot of "like bitcoin, but anonymous" coins, which haven't gained that
significant success. If most of the people can't understand why this one is
"the shit", they aren't going to see difference between this and the other
privacy-promoting altcoins.

------
smaili
For those of us who'd like to buy, which platform would be best? I'm only
aware of Coinbase but they seem to be a Bitcoin-only exchange.

~~~
bbatha
It's in beta right now and the current blockchain will be reset at 1.0
invalidating current coins. So buying in right now is pointless.

------
bb88
I wish someone would come up with a bitcoin alternative that isn't based upon
speculation to get people interested in it.

~~~
PierreRochard
Why?

~~~
bb88
[http://www.coindesk.com/bitcoin-price-15-network-failure-cla...](http://www.coindesk.com/bitcoin-price-15-network-failure-claims/)

------
aminok
Will it use BTC or have a new money supply, or both? Will it be launched as a
Bitcoin sidechain, or are there any plans to make it one after launch?

~~~
GigabyteCoin
Zcash runs its own blockchain.

The original zerocash team approached the bitcoin developers over a year ago
asking to integrate some of their ideas into the bitcoin blockchain and were
turned down entirely. So they went underground and developed zcash.

Zcash still seems to share quite a bit in common with bitcoin, however. For
example, they are sticking with the 21,000,000 coin market cap.

------
elorant
We need to talk about the elephant in the room. A totally untraceable digital
coin is gonna be Christmas for organized crime.

~~~
sandstrom
Cash and gold already exist. They are already celebrating Christmas, every
day.

------
acd
How can the state trace transactions as to collect tax on transactions made
with Zcash? If the state cannot trace the transactions and this becomes black
economy 2.0 then will it not face banning and seizure from the authorities?

Ie how can we build roads and schools in a Zcash economy?

~~~
erikpukinskis
How does the state trace transactions made with paper cash?

------
dmix
No links in the article but I found an ArchLinux AUR package for ZCash:

[https://aur.archlinux.org/packages/zcash-git/](https://aur.archlinux.org/packages/zcash-git/)

Builds from source, pulling from Github.

------
oliv__
Well, that is one cool domain.

~~~
jessaustin
Definitely! I wonder what a single-letter domain costs?

~~~
GigabyteCoin
$1,118.00 USD, apparently. [0]

[0]
[https://www.namecheap.com/domains/registration/results.aspx?...](https://www.namecheap.com/domains/registration/results.aspx?domain=p.cash)

------
ebbv
Correct me if I'm wrong but this is a for profit company telling me to use the
currency, no commodity, they created and control in order to have privacy?

How about I just stick to actual money?

~~~
mangeletti
I don't think they will actually control anything, once it takes off; just
like no single entity really controls Bitcoin.

~~~
ebbv
> just like no single entity really controls Bitcoin.

That's just not true. The core developers do control it. Look at the problems
it's having with the blockchain limit. Yes in theory anyone can fork it and
people can run the fork, but that theory has now been tested and it failed.

Similarly, if ZeroCash took off, the "official" devs would be the ones to
control it. And they're a for profit company on top of it. I can't think of a
worse idea than that. A commodity "currency" that is controlled entirely by a
for profit company.

~~~
mangeletti
You mean like the US Dollar?

------
meow_mix
It bothers me that there are "investors" for this and a CEO.

What happens if it takes off? There's one or two founders and a couple
investors that essentially control the flow of money in the system. Bitcoin
was appealing precisely because it lacked a center control.

Is there something I'm missing here?

~~~
AgentME
If they're making a decentralized currency and things are sane, then the code
is all open source, and their authority is only in developing the official
client.

------
milesf
Nothing new here. Add it to the pile of hundreds of other altcoins.

Why is this here? Feels like the pump-and-dump world of altcoins is being done
here to pump up this post.

~~~
dang
> _Why is this here?_

Actually there's a precise answer to that. In yesterday's popular Keybase.io
thread, the submitter (rdl) said "Along with Zcash, it is the most amazing
crypto-engineering project I've seen in years."
[https://news.ycombinator.com/item?id=11037297](https://news.ycombinator.com/item?id=11037297)

That was evidence the community might find it interesting, and the project
hadn't had discussion on HN yet, so we invited an earlier submitter
(malgorithms) to repost it. From there it received significant community
interest.

> _Nothing new here. Add it to the pile_

Whoa, this is exactly what we ask commenters not to do when discussing new
work on Hacker News. The ratio of dismissiveness to substance in your post is
too high. Substantive criticism is fine, of course, but not this; it degrades
the discussion.

If you know something or have a genuine insight—including a critical
one—you're more than welcome to share it. But "nothing new here", "add it to
the pile", and "feels like" is far too weak to justify a dismissive swipe. A
comment like this would be better phrased as the question, "What is new
here?", in a spirit of curiosity not snark.

~~~
JBReefer
^ This is why Hacker News is worth coming to. Snark and quick dismissal lead
to negativity and thoughtlessness, which rapidly kills communities.

Thanks for everything you do, dang.

