Hacker News new | comments | show | ask | jobs | submit login
ZCash (formerly Zerocash/Zerocoin) technology preview (z.cash)
240 points by malgorithms 623 days ago | hide | past | web | 109 comments | favorite

Actually, zerocash is significantly different than other altcoins, in that it replaces digital signatures with zero knowledge proofs. It's technically very interesting, and seems like a believable next direction for Bitcoiners. The other direction would be some variant of ethereum.

If you don't believe that a general purpose one-size-fits-all blockchain technology can be easily and safely created, but you would prefer more privacy and security, Zcash is a frankly compelling idea, and deserves a look.

Monero uses a different scheme (ring signatures, essentially mixing in fake and real digital signatures) for privacy. To my knowledge, they don't duplicate the 'blinding' type of hiding about bucket recipients and ownership that zcash does.

Note also that BIP47 and the like are trying to add some of these privacy features into Bitcoin core, so there's lots of angles on improved privacy.

Two questions I've yet to receive answers on:

- my laptop is stolen in a compromised state (eg logged on, nothing left encrypted); can anyone trace my transactions?

- I've read suggestions that Zcash themselves can deanonymize every transaction, thanks to generating the initial "Genesis" block. Is that roughly right? (Ignoring obfuscation techniques like getting many other people to create separate signatures)

I'm definitely concerned that this comes with a lot of asterisks next to its claims.

Hi, I'm Ian, one of the scientists behind ZCash, Zerocash, and Zerocoin.

-laptop being stolen: An attacker will get how much money you have, and if you have kept around the private keys for all your addresses, when and how much you were paid, but not who paid you or who you paid. The attacker can use those keys to go back and decrypt the notifications that get posted to the blockchain that allow you to access a transaction. This gets them how much funds you have been sent and when. It doesn't tell them who sent it unless someone put identifying info in the memo field(e.g.'For Homer Simpson's bar tab'), because senders are anonymous even to recipients. It also doesn't tell them anything directly about who you paid or how much. It does let them identify when you made payments though.

If you move your funds to a new address and delete those keys, then all an attacker gets is your current balance.

- deanonymize every transaction. We can't. The zero-knowledge proofs(zkSNARKS) we use to hide transaction data are zero-knowledge no matter what. The information simply isn't there.

The confusion is there is an issue with setting things up to ensure we can't forge coins. The zkSNARKs that ZCash uses need to be generated correctly to ensure the proofs are sound (i.e. actually prove what they claim) and someone therefore cannot forge coins. We plan on doing a multiparty computation setup where if at least one party is honest, the parameters are correct. But zkSNARKs provide statistical zero-knowledge without trusted setup. So assuming the software correctly does the protocol, no one can ever deanonymize transactions (see my other comment on post quantum security for the caveats) unless they get your keys.

Thanks Ian, I really appreciate your comprehensive answer :)

- laptop being stolen: cutting out potential ifs and buts, would it be drastically unfair of me to take that as: if you laptop's compromised, all bets are off?

- deanonymize every transaction: genuinely interesting, thanks for taking the time to educate me :)

Laptop being stolen: Certainly for normal users, yes. Don't let that happen. But you can protect yourself by moving funds to new addresses and deleting the old address keys. Poor man's forward secrecy. Since no one will probably do that, yeah .... all bets are off.

> you can protect yourself by [...] deleting the old address keys.

I think it's important to distinguish between "deleting" and "securely erasing" here. The former often provides only a layer of obscurity, while the latter takes expertise to perform reliably.

Ideally the wallet's key deletion functionality would include ensuring the private data doesn't remain on disk (and warn if the media makes this impossible), but I think this is more or less impossible; a secure erase facility really needs to be implemented at the OS level, since it requires knowledge of the workings of the filesystems in use as well as its interactions with the physical media. And it gets worse; in the case of any solid state devices that perform their own write balancing, even the operating system can't know what data has actually been lost.

Of course, if someone has your (unencrypted) hard drive digging around for old ZCash key data is probably low on the list of privacy-compromising information available to them anyway.

>Laptop being stolen: Certainly for normal users, yes. Don't let that happen. But you can protect yourself by moving funds to new addresses and deleting the old address keys. Poor man's forward secrecy. Since no one will probably do that, yeah .... all bets are off.

Heh, thanks, I appreciate your honesty! :)

I guess it's a bit like the problems with trying to get mass adoption of PGP; the tech's there, but trying to get Joe Public to use it without missing any of the vital steps and not messing any of them up is difficult at best.

For me, it's one of those "last, great"-levels of problem to solve: creating privacy tech that regular people who don't know or care about the specifics can use reliably and not mess up because they don't know and/or care.

1) Laptop stolen, unlocked, you never encrypted anything: yep, you're hosed as far as I know. How else would your wallet be able to tell you a balance?

2) The creation of the genesis block involves a trust 'game' of sorts, in which many participants are asked to pick a number. The statement from zcash, which a better cryptographer than me could verify, is that only one of the participants need be trustworthy in order to make this step safe.

I think anyone can participate in the genesis block creation, so you may be just who they need to get the genesis block in good shape. :)

On a different note, it would take a juvenile and short-sighted thinker to want to be able to deanonymize the transactions; not that those people don't exist, but most rational adults would not wish to be emotionally and personally liable in some way for knowing the identities of the money launderers, child pornographers and others who will undoubtedly be drawn to a technology like this.

Ah, two of the Four Horsemen of the Infocalypse rear their ugly heads:

8.3.4. "How will privacy and anonymity be attacked?" [...] like so many other "computer hacker" items, as a tool for the "Four Horsemen": drug-dealers, money-launderers, terrorists, and pedophiles.


It's pleasant to be snarky or even in denial about the existence of those four archetypes. The sad truth is not only that they exist, but that they benefit from cryptocurrencies in general.

I spent 2012 and 2013 vigorously parrying journalists who only wanted to write about Bitcoin and the four horsemen. I was wrong to do that. Most Bitcoin transactions of substance in 2012 were related to one of the four.

While I'm pissed off that I spent time taking shots in the public limelight on behalf of asshole drug dealers, that was not actually the point I was raising above. I presume that the zcash folks are aware their inventions will be used for bad things, and have weighed the moral calculus, and are fine with the outcome. And, I wouldn't necessarily disagree with that calculus.

What I was saying is that a clear-headed individual needs to go into launching a cryptocurrency like this with the certain knowledge that their tool will be used, very rapidly, and perhaps very aggressively, to forward the agendas of the four horsemen. In fact, those will likely be the earliest adopters, or the earliest adopters with real money.

That has some implications for how you design your own responsibility / rights / powers in a cryptocurrency. To think otherwise is terribly avoidant behavior.

I think this moral panic (for lack of a better term) is omnipresent because it's actually true to some degree. You can't seriously claim these groups wouldn't benefit from anonymous, secure payment systems. However:

- They already have anonymous, secure payment systems (cash, drugs, jewels, shell companies, etc)

- The cat is out of the bag, so they're going to have it anyway

- These proverbial Horsement do more than just move money around; there's still plenty of room for detective work.

Splitting the atom gave us nuclear power, viable cancer treatment, smoke detectors, and also Hiroshima, Nagasaki, and the threat of radiological terrorism. The proverbial sword is always double-edged.

To make an actual point: I think we'd do well as a community to acknowledge the degree of truth these moral panics hold, because I suspect we frustrate a lot of people by being dismissive of what they perceive to be an apocalyptic problem.

I agree that we shouldn't be dismissive. However, I still think you are being somewhat dismissive when you say "The cat is out of the bag, so they're going to have it anyway."

This is binary thinking but crime isn't binary. There are varying levels of crime. New technologies can make criminal behavior easier or more difficult. Just giving up on money laundering isn't something most people are willing to think about, particular for an experimental payment system that they don't care about and probably won't use.

For someone who doesn't understand the benefits of a new technology and is rounding it to zero, the cost/benefit tradeoff isn't hard to decide, and making an analogy to splitting the atom is unlikely to be persuasive.

>Just giving up on money laundering isn't something most people are willing to think about, particular for an experimental payment system that they don't care about and probably won't use.

But nobody is actually advocating this, least of all me. The argument is that tracking every financial transaction is no longer viable, whether we like it or not.

Moreover, digging your heels into the sand and saying "but it's not right to give up on money-laundering" doesn't change the reality: there exists technology that makes arbitrary, anonymous payments trivial to perform. What do you propose we do?

>These proverbial Horsement do more than just move money around; there's still plenty of room for detective work.

This. Taking away everyone's privacy because somebody might use privacy to break the law is dumb. You want to bust drug dealers? Bust them for selling drugs.

The response to this will be "yes, but it's only natural to give up some privacy for the greater good", and they'll be right insofar as there's a lot of precedence for this.

- We have driver's licenses, passports and all manner of ID's

- The IRS can audit banking records to ensure there's no tax fraud, sans warrant.

- You can be filmed and photographed in public places for security purposes

The list goes on, and the argument will be that new technologies require new compromises. Yours is hardly a constructive (or even correct) approach to the problem, because it (a) dismisses valid concerns and (b) implies a warped interpretation of privacy law. There is no absolute right to privacy; there cannot be!

That said, we're largely in agreement -- restricting privacy is probably the wrong approach in this particular case, but I think the counter argument should instead be made as I previously described, rather than by a knee-jerk opposition to restricted privacy.

"Taking away" is interesting language. The ability to transfer money without either meeting in person (meetings can be surveilled) or generating records subject to disclosure (shell companies and laundering schemes can be deciphered through forensic accounting) is unprecedented. We've never lived in a time when people had cryptographic certainty of the secrecy of their transactions.

Cash and dead drops provide both of those properties. There are many other ways to investigate crimes. Just because the internet is new doesn't mean that human rights don't apply for this new communication medium.

Government-impervious money transfer as a human right is nebulous at best. The internet has not changed the legal or ethical status of money laundering. At best you could say it has always been a human right, but it's certainly never existed in the US or Western Europe.

Cash transactions carry substantial risk: both parties must be physically present in some place to make the deal. They can be tailed, the meeting place can be under surveillance, they can be raided, they can murder each other and run, etc. It's also impractical to deal with large amounts of cash due to the risk of robbery/theft (including civil forfeiture), and legitimate entities won't take suitcases full of cash for large purchases. Infiltrating and exfiltrating large amounts of money from the legitimate banking system is also very likely to leave traces that can be understood by sufficiently skilled/motivated forensic accountants.

Whereas flipping some bytes in the firehose of cryptographically secure bytes already coming in and out of every home is undetectable and basically risk-free.

Some much more concrete human rights are ensured through taxation: food, shelter, water, health care, police, education, national defense, etc. If you make taxation effectively optional by running a perfect, free money-laundering system, some of them may have to go.

You clearly don't understand how money laundering works or what it is. Anonymous payment systems do not make it any easier to launder money, tax offices can still figure out that you have unregistered income.

It may be easier to give money to people you don't meet, but cash never left records.

Surveilling and busting in-person deals with suitcases full of cash was the bread and butter of law enforcement for decades, so much so that it's a Hollywood trope.

Sure, but it's not like we're all keeping records of cash transactions for the mandarins to go through later when they become annoyed.

Businesses which operate mostly or exclusively in cash are pretty much guaranteed regular IRS audits, which they'll need damn good records to survive.

Doing a significant volume of cash transactions with any financial institution also causes it to send a Suspicious Activity Report [0] to the federal government, which greatly increases your chance of being selected for an audit.

It's true that you don't need records to explain your personal spending, but you will need to produce records justifying any deductions/benefits claimed, and if your lifestyle appears to be large for your reported taxable income, you'll need to account for that too. Recently the IRS has started using public social media posts indicating lavish spending against people who are only paying taxes on meagre incomes.

Laundromats are actually classic tax fraud vehicles. There was an article on HN recently about how the government will pull their water/electric bills to see if the volume of business they claim their doing is in line with their actual resource usage.


I remember the time the internet went mainstream and the general public (non-tech people) were very receptive to media spelling out all the negative horrors ... about all the potentially dark corners ... all the porn ... people dating online ... all which ultimately leading to a meltdown of society.

In reality we sorted a lot of the problems out as we went along. We have muddled through somehow. The process I think was hardly linear or deterministic. And I think it never will be. Look at InfoSec where it is a constant game of catching up. Yet somehow our ancient technology stacks (DNS, SMTP, HTTP, ...) still seem to work and our world has not yet imploded. Society not yet collapsed. Our children who grew up with the Internet have turned out pretty well (people today seem a lot smarter than most of the guys I grew up with in the 70ies/80ies mainly because of the Internet)

Seems that every time we're on the verge to discovering something totally radical (crypto currencies, big-data, IoT, ...) fear is strong. The only place (people) I have seen where the mainstream approaches technologies with an open mind is Japan. There even old people think robots are cute and innovation is ultimately good. In the rest of the world technology is something potentially evil that must be regulated at all cost before it is even invented.

What if we succeed in creating a decentralized autonomous organizations (DAO)[0] or an economy that doesn't answer to the state. We are pretty close to having the tools for it, and I'm sure this is scary as hell for a lot of nation states. See also the latest news about UK government creating their own version of a blockchain by removing the best feature (decentralization [1]). I doubt though that any of this will lead to anarchy (unless our system/society is already so broken that it was due to be replaced with a healthier model anyway).

[0] https://en.wikipedia.org/wiki/Decentralized_autonomous_organ...

[1] http://www.newsbtc.com/2016/01/19/uk-government-to-develop-a...

> drug-dealers

People profiting off the illegality of drugs who are drawn to high-risk/high-reward work.

> money-launderers

People who want to keep ANY of their income sources private. Also see: Anyone who uses cash.

> terrorists

"There is neither an academic nor an accurate legal consensus regarding the definition of terrorism." https://en.wikipedia.org/wiki/Definitions_of_terrorism This makes it a "weasel word" (or "appeal to anonymous authority" fallacy) pure and simple, like "treason" from back in the day.

> pedophiles

Most aren't active and suffer in silence. The rest can be managed. As the grain of truth of Louis CK's infamous "Most Offensive Joke Ever," if pedophilia wasn't as demonized as it is now, then most people would get their kids back after being abused, instead of them ending up dead in a ditch. The former being arguably not as bad as the latter.

> > money-launderers

> People who want to keep ANY of their income sources private. Also see: Anyone who uses cash.

That's not what money laundering is, I really wish people would stop perpetuating this misinformation. Money laundering is when somebody takes illegal income and "cleans" it by creating fake clients that pay a front business. You obviously have to pay taxes, etc but at the end of the day you have a completely clean cut of your illegal income.

Anonymous payment methods only solve one (very small part) of the money-laundring problem: getting the money to someone who will clean it. After that, you still need to create fake clients and do your tax returns (which require believable income figures). So you're still stuck with trying to convince the IRS (or tax office of your choice) that the money you gained was legitimate.

> "illegal" income

I found the problem. I don't think money has an intrinsic morality. It might be the result of (what some may deem) immoral action, but the money itself should not be illegal. There is nothing about "suddenly" having a lot of money which should be automatically illegal or prevented, and people should not have to explain every detail about how they obtained the money they did.

This kind of thinking leads to things like asset forfeiture abuse, where merely having a bunch of money on your person is apparently grounds for confiscation.

You may disagree, but I'm entitled to my opinion.

"illegal income" means "income that was acquired illegally". And I was specifically referring to money laundering (which in of itself is a fairly emotionally-charged term if you think that money can be "dirty" in a moral sense). I don't see how you could read "illegal income" as "illegal money". And yes, I agree that money doesn't have morality.

Is there an actual reason this is getting downvoted? I have stated absolutely nothing untrue.


> I guess I just don't see enhanced ability to enforce laws a compelling enough reason to deny everyone privacy.

I think he's saying the exact opposite - that it'd be short-sighted to _want_ to deanonymize people and to have to deal with those identities.

> it replaces digital signatures with zero knowledge proofs

digital signatures are somehow non-interactive zero knowledge proofs. So what's the novelty here?

As I understand it, it means that a valid transaction is accompanied by a zero-knowledge proof, proving that this transaction is in fact valid, but revealing nothing about source or destination of funds.

Bitcoin requires each user to verify the entire blockchain, whereas the SNARK-technique means a single user can verify the blockchain, and produce a piece of data which essentially proves that 1. the verification has taken place and that 2. the claimed result of the verification (valid/non-valid) is the actual result of running the verification.

If it sounds too good to be true, that's because it is fairly revolutionary (if it works). Here's the paper: https://eprint.iacr.org/2013/507.pdf

Hi folks! I'm the Founder and CEO of the Zcash company. It's really great to have this much interest in a project that we just released in alpha "Technology Preview" form two weeks ago.

There are a lot of good questions in here, some of which I answered in an AMA a few days ago: https://forum.bitcoin.com/ama-ask-me-anything/i-m-zooko-wilc...

I can't wait to release the next iteration of the Zcash software, in — fingers crossed — just a couple of weeks. We'll continue to have lots of blog posts and technical discussions from us along the way. This is only the beginning!

Hi Zooko,

There have been some concerns raised about your ability to do a pump-and-dump scheme. You mention on your funding page that you are incentivized to support it for at least 4 years due to the payout scheme. My question is, how can that statement be audited, since the transactions are anonymous. Is it built into the client then?


>Please, just tell me it's not premine.

Why are you opposed to premining? (I had to look up the term, so I'm not baiting you! I don't see the problem, so I'd like to hear your thoughts).

Premining devalues future work done on a cryptocurrency because the underlying idea is to decentralize money, and the coins found at the start of a blockchain are easier to generate because the target difficulty for finding a block is significantly lower.

The most famous case of premining I can think of is https://en.wikipedia.org/wiki/Coinye (ltc clone), where people started mining it after dogecoin began. Dogecoin was in its first few weeks of release and had an extremely active number of miners; and was even more profitable to be mining than bitcoin at the time. There was speculation that having a celeb figure attached to a currency could bring the cryptocurrency movement mainstream; but when the block explorer for kanyecoin was released it was found that a very large number were premined by the developers, and few people considered it was worth dedicating mining time towards. The devs basically dumped all of their coins onto an exchange and abandoned the currency soon after. Premining is bad for building up a community of miners towards which an altcoin can be established for both trust and future earnings.

Zcash gets %10 of the mined coins for the first 4 years and %1 goes to a foundation. This is their business model. It seems reasonable to me... using the currency you're creating to fund the development of the currency.

If Zcash ends up worthless, then they won't have captured any value.

Since it's not a pre-mine it's not subject to the pump-and-dump dynamics of a pre-mine... it will take 4 years and the coins will have to be valuable over those four years for them to net anything.

It's a reasonable approach to aligning the companies interests with those of the users.

I'd love to hear a better one though, if you know of one.

Thanks, MCRed. Yeah, I worked long and hard on this, and this (https://z.cash/blog/funding.html) is the best idea I could come up with. And yeah — if anyone else reading this has any better ideas, I would love to see you try it! If it helps, you could start with a copy of our source code (https://github.com/Electric-Coin-Company/zcash/).

I would love to see your source code get audited by a third party. I have a lot of faith in your cryptographers, but your methods are harder to grasp than bitcoin and thus harder for me to audit myself-- I admit, I don't have the crypto skills.

It's economically impossible to create a sustainably decentralized currency. Ultimately it will come to be controlled by whoever is most connected within the network.

Here's hoping we see much better means of facilitating polycentric currency systems that render individual currencies no more than "dumb pipes" for anyone who wants to use more than one.

Hi Zooko,

Has there been any serious discussion about incorporating the results of PQCRYPTO in your protocol so Zcash is still secure and viable (at >= 2^128 security level) after the development of practical quantum computers?


Hi, I'm one of the ZCash scientists: Section 8.1 in the full paper describes how to get anonymity that survives quantum computers. (http://zerocash-project.org/media/pdf/zerocash-extended-2014...).

The zero-knowledge proof itself offers statistical privacy in the face of unbounded (so more powerful than quantum) attackers. So surprisingly, you are mostly fine. But you would need to take two steps to protect yourself. First, you have to use each zcash address only once.

Second, you need to use a post quantum secure means of notifying the recipient they got a transaction and of the coin commitment openings. The built in mechanism in ZCash, which posts a ciphertext to the blockchain encrypted under the recipients public key is standard off the shelf public key cryptography. It's efficient, but is of course not post quantum secure. Nothing requires that you use this mechanism, however. You can always post a garbage ciphertext and inform the recipient some other way.

For anyone interested in how Zcash (formely Zerocoin) works and who understands German, I've written my Bachelor thesis about it in 2013: http://www.math.uni-bremen.de/~jhasse/Kryptografische%20Grun... (see Part IV)

Note that the Anonymity section of this describes Zerocoin. Zcash is an implementation of Zerocash which is a later and more efficient, but cryptographically quite different protocol (by the same and additional authors).

Oh didn't know that! Thanks :) I thought that Zcash was just a new name ;)

> We believe that privacy strengthens social ties and social institutions, protects societies against their enemies, and helps societies to be more peaceful and more prosperous.

It's time to have a serious conversation about whether this is actually true when it comes to financial privacy.

Our society is governed by money. Money governs our production directly, and it governs our regulations indirectly since votes can be purchased. Governments derive their power from the consent of the governed, but we use money that doesn't allow us to withdraw our consent without opting out of the economy entirely. Your complaints about money in politics or unstoppable violent cartels around the world are complaints about tyranny, and we should be fighting that tyranny.

Anonymous currencies go in the other direction. I'm glad people are building them, but we need to start talking about the implications of using them. Everything about our society will be decided by the people with the most money if people accept anonymous currencies. Democracy isn't possible when you can't hope to detect when influence is being purchased.

We're already most of the way there: dollars are anonymous to everyone except the governments that regulate banks. Since those governments have been purchased, those regulations can only really be used against those who haven't already purchased strong representation in the government already.

I think we need to go in the opposite direction. We need currencies that everyone can track so individuals can decide whose power they'd like to submit to. If I know someone is buying influence and I want to reject their power to do so, I can stop accepting any money they've used in that way. People accept money to influence politics because other people will accept that money. If other people stop accepting that money, it won't be possible to buy influence anymore. The people who sell their goods, services, and labor will set the rules by their decisions about what money to accept. Wealth won't govern our society, production will.

This is merit capitalism. I think it's closer to the world we want to live in. I hope you'll join me in reconsidering whether financial privacy is actually a good thing.


I think this is an extremely important discussion to have. Democracy requires some form of transparency applied to government. Ideally, private citizens have maximum privacy to avoid abuses from corrupt government, or fellow citizens, but government itself should not have maximum privacy. I'd argue it should have maximum transparency.

However, an unbeatable and untraceable cryptographic money scheme effectively would make bribery of power brokers undetectable, or at the very least, untraceable to it's source.

What we gain in personal privacy, we will trade off for increased government corruption, and it is corruption and its abuses I'd argue are a greater danger than government snooping. If you look at many nations that are struggling, even those with ample revenues, the failure to improve the standard of living can often be traced to corruption and just blatant theft and embezzling.

Government or large organizational snooping is a serious problem in countries without adequate protection of individuals and where discrimination goes unpunished. If I live in North Korea, I want maximum privacy. The threat model in OECD countries is different. While having say, the government of Sweden read my emails is disconcerting, the repercussions and threat from that are far smaller.

The world is full of corruption and cronyism at all levels, both in government, and in large organizations. To what extent are we increasing their power to harm by assuming that maximum privacy effectively disarms their power against us?

This is a truism accepted in the cypherpunks movement that's never really been tested, and it is deeply intertwined with libertarian thinking, that cryptoanarchy or laissez-faire regulation, imposed by technology, leads to a situation where big power brokers can do less damage. But we've also seen that when such organizations are opaque and unwatched, they often become more dangerous.

> Everything about our society will be decided by the people with the most money if people accept anonymous currencies. Democracy isn't possible when you can't hope to detect when influence is being purchased.

Traceable currency doesn't solve that problem. People don't have to use literal money to buy influence. The politician does what you want and you make sure their kid gets into the right college. Or you hire their son in law at $250K/year. Or you run advertising that isn't officially part of their campaign but helps them stay in office. Or refrain from running critical advertising.

The problem is not proving that each transaction took place. It's proving that one was a quid pro quo for another. Which the currency tells you nothing about.

> If I know someone is buying influence and I want to reject their power to do so, I can stop accepting any money they've used in that way.

And if you're one person or ten people then nothing happens. But if you have a sufficiently powerful coalition with an organizational structure capable of causing the coalition to act in unison then you become the tyranny of the majority and it is the minority who needs protecting from you.

That's... actually a really interesting idea, but you have to consider who you're building the system for - governments, or normal everyday people?

There is a principle, that I think has basically been proven at this point, if not academically:

A: In any non-optional system used by n people, the bad actors using that system are < n/2 (read: not a majority)

B: It is impossible to prevent bad actors from misusing any system.

C: Trying too hard means the system necessarily damages good actors.


D: Any system that punishes bad participants more than it helps non-bad participants is degenerate.

Bitcoin can be seen as a rejection of a system suffering from C. For perfectly legitimate businesses and people, sending money is an unmitigated pain in the ass, substantial bites taken by middlemen, arbitrary negative action (c.f. civil forfeiture, paypal freezes) and so on. Bitcoin solves almost all of those problems, but makes lives easier for the bad actors too (but not enough that it substantially increases corruption in the world - bad actors gonna bad act)

Now, if your hypothetical system is strictly opt-in, perhaps with social pressure for politicians and such to use it, then I'd have no trouble with it. Were it to become the de facto currency, on the other hand, the problems we have with government overreach and data mining just become a lot worse.

If we accept B as true, then it makes more sense to design for the case of innocent, law abiding people first, out of fear of harming them due to C.

Put another way, I'm a lot more worried about government misusing things under color of law, than I am worried about government corruption. At least regular people can oppose the second one in good faith, while the first one always comes with the "it's legal, so?" baggage.

It's strictly opt-in, but you won't be able to buy anything if everyone else requires auditable money and you don't want to opt-in. The more people who adopt it, the less tenable it is to stay out.

Governments are people. People who use this system nefariously can be sanctioned by refusing to accept money they've touched. We're so afraid of governments misusing their power because our checks and balances have failed miserably, but it's not so bad that anyone wants to use the ultimate fallback of revolution. Merit capitalism is a check that the people control directly. People don't need to revolt to reclaim power anymore.

You're going to have to convince people that adopting this tool is better for them than what they have now for it to stand a chance of adoption.

From a purely selfish standpoint, I would not want to use this system, because I don't want advertisers, insurance companies, malcontents, stalkers, debt collectors, busybodies, three-letter-agencies, data brokers, or any other random with an internet connection to know that I spent money at a hypothetical STD clinic or received money for participating in a scientific study.

This plan introduces a huge number of of unknown unknowns, where right now, we've got a pretty good idea of how widespread the corruption is, the forms it generally takes, and what, if anything, we can do about it. And since past behavior is the best predictor of future behavior, I can look backwards to see how behavioral data is abused right now, and say with complete certainty that it would be abused more under this system.

No thanks.

I agree that conservatism has virtues. Change does introduce unknown unknowns. I think there's a good strategy for handling them: when people do undesirable things, sanction them.

Change is inevitable. Zcash is here, so regulation is dead. Conservatism isn't an option: we have to choose how to adapt to change. I think merit capitalism is the right choice.

Thanks for your questions! Good talk.

I hope I'm wrong, but if ZCash delivers on the technical promise the blowback from legislators and law enforcement is sure to result in a net loss of privacy for everyone. Enabling illegal profiteering from the very real pain and suffering of others almost always results in government actio (appropriately so); but also legislative over-reaching (eg. mandated sentencing legislations, zero tolerance policies, warrantless wiretapping) because ZCash's message of economic and societal benefits will be utterly lost amid stories of how the tech hurt people.

ZCash is very impressive. Brilliant even. But for those who want better privacy... elect leaders who share the concern. Donate to the EFF and ACLU. Advocate for a 'privacy czar' as a cabinet/ministerial level position.

The same could be said of strong encryption: if people use it, the government might crack down.

On the other hand, the more people use encryption, the less useful mass surveillance will be to the government. When the government no longer gets much worthwhile information from eavesdropping, it may be easier to get politicians to put a halt to eavesdropping.

So it could be that the best way to protect privacy is to use both technical and political approaches.

I think many prefer non-violent direct action, for good reason. The cost to the government to spy on you is so low, cryptographically enforcing privacy is the only way to guarantee it.

If successful ZCash cryptographically guarantees more government regulation and surveillance to counter the very real and also the very irrational fears of harm anonymous payments make possible. It will have opposite the desired impact on privacy if it takes off. I want to be wrong about this, but experience tells me otherwise.

For those of you concerned about pump and dump, they've specifically addressed it in a blog post [1]. And they are open sourcing a ton of stuff. But that's addressed in their blog. So to me, the lay man, it seems like they won't be doing a pump and dump. I say lay man because I'm really not qualified to assert that my statements are indeed correct.

[1] https://z.cash/blog/funding.html

So, what is to stop someone from forking the code and removing the percentages that go to the Zcash company and devs? Similar to how Monero was forked from Bytecoin due to some odd shadiness (not that I think Zcash and co. are shady!) [0].


From that link I see this:

> With this approach, the founders are incentivized to support Zcash for the long haul (at least for four years), and they have limited ability to pump-and-dump.

I don't see how anyone can audit that statement since the transactions are encrypted [1].

[1] https://z.cash/tech.html

> I don't see how anyone can audit that statement since the transactions are encrypted

Couldn't one audit the code? Provided zcash itself doesn't have 51% or more of the mining network post launch the open source code should be verifiable and needs to have some special case to route the "founder reward". Though I admit I haven't looked through the source code so I may be missing something.

Mining rewards, and the proportion of them that goes to the Zcash company, are transparent (not encrypted).

What's wrong with pump and dump to begin with? Some like to think it short-term, some long-term.

Here's some stuff on zerocash:

Zerocash: Decentralized anonymous payments from Bitcoin: http://diyhpl.us/~bryan/papers2/bitcoin/Zerocash:%20Decentra...

Zerocoin: anonymous, distributed e-cash from bitcoin: http://diyhpl.us/~bryan/papers2/bitcoin/Zerocoin:%20anonymou...

How to explain zero knowledge protocols to other people's children: http://diyhpl.us/~bryan/papers2/bitcoin/snarks/How%20to%20ex...

GGPR paper, NIZKs without PCPs: http://diyhpl.us/~bryan/papers2/bitcoin/snarks/Quadratic%20s...

Snarks for C: Verifying program execution succinctly and in zero knowledge: http://diyhpl.us/~bryan/papers2/bitcoin/snarks/SNARKs%20for%...

Secure sampling of public parameters for succinct zero knowledge proofs: http://diyhpl.us/~bryan/papers2/bitcoin/snarks/Secure%20samp...


FWIW I think that confidential transactions and even SNARKs will eventually make their way into Bitcoin.

There seems to be plenty of privacy-oriented altcoins around. How does the privacy model of zcash compare to others, like monero or dash?

Zerocash offers far stronger and more complete privacy than anything I'm aware of.

Reusing an old comment about Cryptonote (which is what monero uses IIRC). Similar analysis applies to Dash, which I believe uses some (no doubt "improved") version of CoinJoin. :

All anonymity is not created equal: you're better off if we can only figure out that one out of 6 billion people bought a Nickelback album, then if we know it was either you or one guy in Tristan da Cunha. The size of your anonymity set matters and Cryptonote provides a rather small one in comparison to Zerocash. This is not to say Cryptonote is worthless, there are tradeoffs between the two, but Zerocash has a distinct advantage in terms of anonymity and I think it matters.

Cryptonote's ring signatures scale linearly in the number of people your transactions are mixed with. As a result, you can't mix an individual transaction with that many people without it getting too big and too computationally costly(chaining transactions doesn't solve this). In contrast, Zerocash mixes every transaction with every other transaction ever[1].

If you are worried about maintaining privacy given repeated interactions with merchants or others who already have some partial information about you, the size of the anonymity set matters considerably. Longterm intersectional attacks are a major problem with anonymity systems. The smaller the set you mix with on any given transaction, the easier it is for some third party to use outside information to eliminate everyone else in the mixing set (e.g because she knows no one else in the set was online at the time of the transaction or was in your approximate geographic area), and determine the true spender. One of the few effective defenses we have for this is to simply include as many people as possible in the anonymity set. If you want to avoid companies building financial profiles of users from the blockchain, this is precisely the type of attack you need to thwart.

[1] Technically, up to 2^64 transactions and the networks ability to handle the spent serial number list. So there is a limit, but it's rather large.

I can't do an apples-apples comparison to the ones you listed because I'm only familiar with Bitcoin and the original Zerocash paper. I can say that the zkSNARK approach to crypto-currency is certainly novel and they have a great team of competent cryptographers and engineers on the team.

That is to say, Zcash isn't a hobbyist effort, it's the result of serious crypto engineering. It's not clown-shoes privacy.

OK so basically appeal to authority etc. Not much that a common guy can understand.

Sounds to me like a product that is only designed for really smart people...

> OK so basically appeal to authority etc.

No, I'm not making an appeal to authority. Sorry if it sounded like that.

The team behind Zcash has serious technical chops, and it's worth pointing out that some of the most competent cryptographers and engineers in the world are working on this project.

They've openly published the paper behind their protocol and their code base is open source. They aren't going the "trust us, we're kind of a big deal" route.

If you want to understand, read the paper: http://zerocash-project.org/paper

...and the source code: https://github.com/Electric-Coin-Company/zcash

If you don't want to bother to understand (e.g. if you don't consider yourself a subset of "really smart people"), then you have to find some other metric to decide whether or not to trust it. I offered the backgrounds and reputations of the people involved as one possible heuristic, but feel free to choose another if you prefer.

Most people don't understand how the Internet works, yet they manage to use it every day. Same goes for existing mainstream financial systems.

Well the question really is, how do the masses start to use this? If only couple of smart people understand it, it won't help much. There are already lot of "like bitcoin, but anonymous" coins, which haven't gained that significant success. If most of the people can't understand why this one is "the shit", they aren't going to see difference between this and the other privacy-promoting altcoins.

For those of us who'd like to buy, which platform would be best? I'm only aware of Coinbase but they seem to be a Bitcoin-only exchange.

Its in beta right now and the current blockchain will be reset at 1.0 invalidating current coins. So buying in right now is pointless.

https://shapeshift.io/ will probably have it once it's off the testnet.

There isn't a live version yet, just testnet network. The real thing will come out 6 months later.

http://poloniex.com is a US based alt coin trading system.

I wish someone would come up with a bitcoin alternative that isn't based upon speculation to get people interested in it.

I don't see another way to bootstrap value in an unbacked unofficial currency. It's possible to back digital currencies by gold or something, but then we have counterparty risk and potential for shutdown by governments.


With it use BTC or have a new money supply, or both? Will it be launched as a Bitcoin sidechain, or are there any plans to make it one after launch?

Zcash runs it's own blockchain.

The original zerocash team approached the bitcoin developers over a year ago asking to integrate some of their ideas into the bitcoin blockchain and were turned down entirely. So they went underground and developed zcash.

Zcash still seems to share quite a bit in common with bitcoin, however. For example, they are sticking with the 21,000,000 coin market cap.

We need to talk about the elephant in the room. A totally untraceable digital coin is gonna be Christmas for organized crime.

Cash and gold already exist. They are already celebrating Christmas, every day.

How can the state trace transactions as to collect tax on transactions made with Zcash? If the state cannot trace the transactions and this becomes black economy 2.0 then will it not face banning and seizure from the authorities?

Ie how can we build roads and schools in a Zcash economy?

How does the state trace transactions made with paper cash?

No links in the article but I found an ArchLinux AUR package for ZCash:


Builds from source, pulling from Github.

Well, that is one cool domain.

Definitely! I wonder what a single-letter domain costs?

Correct me if I'm wrong but this is a for profit company telling me to use the currency, no commodity, they created and control in order to have privacy?

How about I just stick to actual money?

I don't think they will actually control anything, once it takes off; just like no single entity really controls Bitcoin.

> just like no single entity really controls Bitcoin.

That's just not true. The core developers do control it. Look at the problems its having with the blockchain limit. Yes in theory anyone can fork it and people can run the fork, but that theory has now been tested and it failed.

Similarly, if ZeroCash took off, the "official" devs would be the ones to control it. And they're a for profit company on top of it. I can't think of a worse idea than that. A commodity "currency" that is controlled entirely by a for profit company.

You mean like the US Dollar?

It bothers me that there are "investors" for this and a CEO.

What happens if it takes off? There's one or two founders and a couple investors that essentially control the flow of money in the system. Bitcoin was appealing precisely because it lacked a center control.

Is there something I'm missing here?

If they're making a decentralized currency and things are sane, then the code is all open source, and their authority is only in developing the official client.

Nothing new here. Add it to the pile of hundreds of other altcoins.

Why is this here? Feels like the pump-and-dump world of altcoins is being done here to pump up this post.

> Why is this here?

Actually there's a precise answer to that. In yesterday's popular Keybase.io thread, the submitter (rdl) said "Along with Zcash, it is the most amazing crypto-engineering project I've seen in years." https://news.ycombinator.com/item?id=11037297

That was evidence the community might find it interesting, and the project hadn't had discussion on HN yet, so we invited an earlier submitter (malgorithms) to repost it. From there it received significant community interest.

> Nothing new here. Add it to the pile

Whoa, this is exactly what we ask commenters not to do when discussing new work on Hacker News. The ratio of dismissiveness to substance in your post is too high. Substantive criticism is fine, of course, but not this; it degrades the discussion.

If you know something or have a genuine insight—including a critical one—you're more than welcome to share it. But "nothing new here", "add it to the pile", and "feels like" is far too weak to justify a dismissive swipe. A comment like this would be better phrased as the question, "What is new here?", in a spirit of curiosity not snark.

^ This is why Hacker News is worth coming to. Snark and quick dismissal lead to negativity and thoughtlessness, which rapidly kills communities.

Thanks for everything you do, dang.

You're right :) Thanks for the constructive rebuke.

I can't speak to as to whether Zcash is a pump-and-dump particularly, but I do know a bit about financing the technology development behind blockchains, and it's difficult. If the code is open source, you risk a fork and loss of any intrinsic value. If you sell the coins, you risk SEC difficulties in the USA. If you premine, people complain that you premined. If your company controls the currency, you get forks when founders leave (e.g. Ripple/Stellar), and you have to build large compliance teams.

In the end, though, blockchain tech needs SIGNIFICANTLY more technology development than it has had so far to develop its latent potential.

I'm sure blockchain enthusiasts would be interested in your suggestions as to how to get development funded.

> I can't speak to as to whether Zcash is a pump-and-dump particularly.

Look at the founder's stake noted here: https://z.cash/blog/funding.html

They get 20% of the mined coins off the top for the first 4 years, without doing any actual mining.

10% of all mining rewards for the first 5 years go to the developers. The tech is certainly interesting, but the pseudo-premine makes me a little wary of putting any significant amount of money into it.

Citation: https://z.cash/blog/funding.html (Check the "Founder's reward" section)

That bothered me too. It seems like "pump-and-dump" is a little harsh. I used the term "speculation" in my comment. But in this case, both are true.

what's to stop miners with 50%+ of hashing power from withholding the founders rewards?

Given that the coin hasn't launched yet, it can't be a pump-and-dump. Anyone who wants to profit that way has to pump after they obtain their coins, and it's not yet possible to obtain zcash coins.

Well, I was wrong.

I suppose when you see so many scams, you rely on instinct. But had I read more of the site, I would have realized that Zcash really is something different.

So what did I do? I relied on Cunningham's Law: "the best way to get the right answer on the Internet is not to ask a question, it's to post the wrong answer." I rarely notice my karma score going up, but I certainly notice it when it goes down. That caused me to look at the comments and figure out why.

So I learned something :)

> Nothing new here. Add it to the pile of hundreds of other altcoins.

It sounds to me like you don't understand the technology involved. To be fair, it's probably Greek to most people outside of crypto.

How many of the other altcoins were based on zero-knowledge proofs or allowed for private transfers (with respect to the blockchain)?

I'm not aware of any. I think that's something new and worth talking about.

(EDIT: Snark was removed. Sorry dang.)

Please don't be rude and confrontational when someone comments like the GP, even though they shouldn't have. Instead, respond with the information you clearly have and they (and the rest of us) don't. Then we all learn something.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact