This. Can someone chime in here and give me an argument for why Zcash is better than Monero? Because everybody I've talked to thinks Monero is better.
I'm not saying it is, but Monero came out far earlier than Zcash, and unless there is a substantial argument for using it over Monero, I'm not convinced of the argument to standardize on it. The only striking difference I can see between Monero and Zcash is that Zcash was premined by investors.
I do not understand all of the details behind Monero, but basically the privacy is incomplete. When you spend money, you basically say "I am one of X people", where X is usually fairly small. It's a lot better than Bitcoin where X=1, but it's still something that advanced algorithms can get through, and it still collapses if enough people have their identities and transactions revealed.
In Zcash on the other hand, your anonymity set is everyone who holds Zcash. It's a lot nicer, and there isn't really the same collapsing effect as can happen with Monero.
That said, Monero crypto is simpler, doesn't have trusted setup, and overall I would advocate that people treat Zcash as hemorrhaging-edge experimental, while Monero is somewhere between cutting-edge and bleeding-edge.
Since Monero outputs go to dual-key stealth addresses, outputs are effectively paid to a random 256-bit "address". So if you use a mixin of 50, in a transaction with 1 input, an external observer can say "this illicit transaction spends funds from 1 of 50 possible transactions", but then you need to go to those 50 and work your way back till eventually you find a needle, in a very large haystack, that you can actually identify.
Because of this, the anonymity set grows exponentially the further up the tx chain from an identifiable transaction (e.g. a withdrawal from a KYC / AML exchange) you are.
The major advantage here is that every Monero transaction adds to this anonymity set, since privacy is compulsory.
On the other hand, ZCash's privacy is nearly unusable. Using it requires 8gb+ of RAM, and takes over a minute on a Xeon processor. Because of its unusability you end up being "1 of X people", where X is very tiny - it's limited to the people moving from traceable addresses to z-addresses who haven't identifiably moved ~the same amount out.
ZCash is useless at best, dangerous privacy theatre at worst.
I like both Monero and zCash. As technologies they both have different advantages and they are both pushing the state of the art in privacy cryptocurrencies. As a researcher it makes me optimistic that we are pursuing multiple paths to the goal of "digital cash".
>Using zCash requires 8gb+ of RAM, and takes over a minute on a Xeon processor.
Cryptography in this area is rapidly advancing; we have seen dramatic speed-ups in zkSNARKs (the cryptography behind zCash's anonymity) over the last few years, and the launch of zCash will probably accelerate this trend.
> it's limited to the people moving from traceable addresses to z-addresses who haven't identifiably moved ~the same amount out.
This number, X, is growing and will continue to grow.
>ZCash is useless at best, dangerous privacy theatre at worst.
zCash is an excellent and exciting experiment. It is not a very mature platform (it has only been live for a month), but that doesn't mean it will never be mature.
Sorry, but I can't agree with you here. When Monero still allowed mixin 0 transactions almost nobody used the privacy-enhancing transaction type. The same goes for Dash and its DarkSend, or Shadow's ring-signature side-currency - all virtually unused.
Thus X grows at a rate that is useless for its intended purpose: getting lost in the dust of millions of others.
But to make matters worse, ZCash is grossly irresponsible by not making private transactions mandatory, as people will use t-address transactions and think they're safe. Pools pay out to t-addresses, exchanges only accept t-address deposits, and lightweight clients will all end up being t-address only as it's the quick win.
Claiming that it's "just an experiment" is not acceptable when people's money is on the line, at best, and where their lives might hang in the balance, at worst. The disgusting and dangerous approach taken by the for-profit US company behind ZCash, that of fast-tracking the launch of massively immature technology due to investor pressure, is something that should lead to grave consequences for them because of the nature of this technology.
I greatly respect the work of Ben-Sasson, Green, Garman, Miers, et al., but even they have been complicit in the rush hack-job that is ZCash. We would do well to consider what advantage a nation state attacker would have in encouraging adoption of this immature and likely broken system, over alternatives that are FOSS and have prolific contributor communities.
>Claiming that it's "just an experiment" is not acceptable when people's money is on the line, at best, and where their lives might hang in the balance, at worst.
Claiming it is just an experiment means that people should NOT use it when serious money or human lives are on the line. I think we can both agree that people should wait for a technology to mature before betting their life on it.
Also if Gmail lost all your email it would be bad, but you'd probably be ok. If ZCash causes you to lose a significant portion of your life saving, on the other hand...
That was my point, gmail was in beta for five years, but it wasn't in beta forever. Technology takes a long time to mature and it is hard to get to that level of maturity without having people use it for real things.
Do not put a significant portion of your life savings in ZCash.
It's not that simple. In your example, the X-1 "people" apart from you have already mixed their own coins with other people before...and so on. Monero is like a constant tumbler getting better with usage.
I don't think you understand how Monero works _at all_ - let me fix one of your arguments to illustrate:
>When you spend money, you basically say "I am one of 2^256 people", where 2^256 is usually fairly small.
Disappointing/embarrassing level of insight from a crypto project leader - here's a good layman-friendly video https://youtu.be/GEVm1dMn5Ks?t=14m to bring you up to speed (the simplified example is continued at 20m).
Hmm. I don't think this is a clear issue at all. I have been looking at the Monero block explorer, and there seem to be "mixing level" etc. parameters. What do these parameters imply if not the level of how many people you mix the inputs with?
I mean, your argument "you're stupid, look at this youtube video" is not very convincing either.
The Monero blockchain is comprised of inputs and outputs - public keys/one-time addresses to power of 10 denominated amounts into which each transaction is split and mixed with past public keys of identical power of 10 amounts. There are no 'orthodox' addresses on the blockchain which can be linked to transactions or to an identity.
That's just a misunderstanding of inherent blockchain limitations. It's very easy for me to reveal a bunch of addresses on the Monero blockchain.
Step 1: make a bunch of addresses
Step 2: the world knows it was you
That reduces the anonymity set for everyone else. They thought they were mixing with you anonymously but now that you are revealed, your participation in the mixing is useless, people would have done better to select someone else.
Combine this with Sybil attacks, criminal investigation, and other unmasking techniques and you might get the anonymity set down to 1 for a particular output, allowing you to further reduce other anonymity sets.
I was not aware, but apparently the Monero blockchain has a snowball effect to help mitigate this.
Basically, unless you own 80% of the outputs on the blockchain you don't have enough to identify subsequent transactions, so any foothold you gain in owning outputs becomes rapidly weaker. Given the cost of owning 80% of the blockchain outputs, it's not an attack that is particularly effective even at Monero's current state of usage.
Individuals who publish their input history won't make any significant difference.
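To make the two mechanisms argued about in this thread concrete (the anonymity set growing as you walk back through ring members, as described in the "1 of 50 possible transactions" post above, and the collapse of rings once some members are known to be spent elsewhere, as in the "anonymity set down to 1" exchange), here is a small Python model. It is an added example, not code from the thread or from the Monero project. The chain layout, one output per transaction, uniform decoy selection and the set of attacker-known outputs are all constructed assumptions; it ignores RingCT hidden amounts and Monero's real decoy-selection distribution, so the numbers it produces illustrate the shape of the argument, not Monero's actual traceability.

```python
import random
from collections import deque


def build_chain(num_tx, ring_size, seed=0):
    """Construct a synthetic chain (assumption: one output per tx, decoys
    drawn uniformly from all earlier outputs, spent or not).

    Output i is created by tx i. Each tx i >= 1 spends exactly one earlier
    unspent output, hidden in a ring of up to `ring_size` members.
    Returns (rings, real): rings[tx] is the set of ring members an observer
    sees, real[tx] the true spent output (ground truth the observer lacks).
    """
    rng = random.Random(seed)
    rings, real, spent = {}, {}, set()
    for i in range(1, num_tx):
        unspent = [o for o in range(i) if o not in spent]
        true_out = rng.choice(unspent)  # never empty: i outputs, <= i-1 spent
        spent.add(true_out)
        pool = [o for o in range(i) if o != true_out]
        decoys = rng.sample(pool, min(ring_size - 1, len(pool)))
        rings[i] = set(decoys) | {true_out}
        real[i] = true_out
    return rings, real


def reachable_origins(rings, start_tx, hops):
    """Observer's view of where tx `start_tx`'s funds may have come from.

    Every ring member is treated as a possible true spend, so the candidate
    set is the union of ring members reachable within `hops` spends back.
    Returns the cumulative candidate-set size after each hop.
    """
    frontier, seen, sizes = {start_tx}, set(), []
    for _ in range(hops):
        nxt = set()
        for tx in frontier:
            for member in rings.get(tx, ()):
                if member not in seen:
                    seen.add(member)
                    nxt.add(member)
        sizes.append(len(seen))
        frontier = nxt
    return sizes


def collapse_rings(rings, known_spent=None):
    """Chain-reaction elimination of decoys.

    `known_spent` maps output -> tx known to have spent it (e.g. outputs the
    attacker created and spent themselves). An output is spent exactly once
    (key images), so in every other ring it can only be a decoy and is
    struck out. A ring left with one member reveals that tx's real spend,
    which feeds back into the queue. Returns (traced, sizes): traced maps
    tx -> deduced real spent output, sizes gives each ring's remaining size.
    """
    effective = {tx: set(m) for tx, m in rings.items()}
    spent_by = dict(known_spent or {})
    traced = {}
    queue = deque(spent_by.items())
    # Rings that are already singletons (mixin 0) are a free starting point.
    for tx, members in effective.items():
        if len(members) == 1:
            (only,) = members
            if only not in spent_by:
                spent_by[only] = tx
                traced[tx] = only
                queue.append((only, tx))
    while queue:
        out, spender = queue.popleft()
        for tx, members in effective.items():
            if tx == spender or out not in members or len(members) == 1:
                continue
            members.discard(out)
            if len(members) == 1:
                (only,) = members
                if only not in spent_by:
                    spent_by[only] = tx
                    traced[tx] = only
                    queue.append((only, tx))
    return traced, {tx: len(m) for tx, m in effective.items()}


if __name__ == "__main__":
    rings, real = build_chain(num_tx=400, ring_size=11, seed=7)
    print("candidate origins per hop:", reachable_origins(rings, 399, 6))
    # Constructed attacker: knows the spend of every output whose index is a multiple of 4.
    known = {real[tx]: tx for tx in rings if real[tx] % 4 == 0}
    traced, sizes = collapse_rings(rings, known)
    wrong = [tx for tx, out in traced.items() if out != real[tx]]
    print(f"traced {len(traced)} of {len(rings)} rings, wrong: {len(wrong)}")
    print("rings reduced to one member:", sum(s == 1 for s in sizes.values()))
```

The elimination in `collapse_rings` is sound but not complete: it never accuses a wrong output (the true spend is never struck from its own ring), but it only finds what follows from singleton rings and the attacker's own outputs, which is exactly why the share of outputs the attacker controls matters so much. Varying the `% 4` rule in the demo changes how far the chain reaction propagates.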
Zcash is definitely better in the sense that it has big money investors, the ear of the NYT and now Gavin Andresen shilling for it. Technically, on the other hand, it's a dud in its current form. It doesn't have anon by default (because the anon transactions take too many resources to generate) and the few anon transactions that occur are subject to timing analysis.
I just did some digging and also found this: http://monero.stackexchange.com/questions/83/how-does-monero...