This past week I came across two interesting developments about Zcash which I thought were worth writing about. I like the direction that the Zcash team are going, but I think the two publications this week give some cause for concern and show where things can be improved in the future.

Developments:

1. A recent study found that misusing Zcash will not make you any more anonymous than using Bitcoin.
2. Another research paper has suggested a way to make the proofs in Zcash more efficient and also proposed a way to build a similar coin without reliance upon a secret key destroying ceremony.

On the linkability of Zcash transactions

The first study looked at the practical anonymity achieved using Zcash by considering the linkability of transactions. Note that this does not mean that Zcash has a vulnerability in its protocol but rather that Zcash is often misused. While Zcash arguably offers the greatest level of anonymity when performing a transaction between two shielded "z-" addresses there is actually no real anonymity when one of the addresses in the transaction is a public “t-” address.

On the linkability of Zcash transactions
Official Zcash response

The high degree of linkability is a problem for newbies trying to conduct transactions with Zcash and believing they get automatic 100% privacy. Interestingly, and I mean this in a non-troll way, Monero doesn’t suffer from this problem since there is only one type of address and all transactions use Ring Signatures. Arguably the level of anonymity provided by Monero is lower in a theoretical sense but in a practical sense it may be higher in many cases.

Doubly efficient zk-SNARKS without a trusted setup

Putting the above concern aside, I think the two of the biggest inherent problems with Zcash are:

1. that shielded transactions are very heavy weight compared to any other cryptocurrency transactions which means that no one really uses them. This suggests that Zcash is mostly held as a speculative investment (perhaps more so than the other top currencies), and
2. the protocol requires a secret key destruction ceremony to be performed.

A new research paper suggests that both problems can potentially be solved. I have to admit that the paper is not going to be accessible without a solid understanding of academic cryptography which means that the claims can only really be properly checked and criticised by those of an appropriate background. However, if the claims are true then there is a lot of progress here. I actually found this paper via r/Monero (some of the comments in that thread are interesting).

PDF
Comments on r/Monero

Problem 1 - slow shielded transactions

“Private transactions take a while to generate (almost a minute on a decently powerful computer)”
“Supply cannot be audited therefore forgery can be very difficult to detect.”

The preceding comments have come from this Steemit post comparing privacy coins.

However, the ZEC team have indicated that there will be improved efficiency in the a future upgrade: faster zk snarks.

Problem 2 - opaque key destruction ceremony

The current Zcash protocol required the destruction of certain private keys when the network was launched. Unfortunately, the keys had to be kept private and destroyed in private. This means it is very hard to publicly verify that the destruction was done properly. It requires too much trust on our part as users. It doesn't help that this issue is compounded when there is no ability to audit the total supply. Trust is easy we when have non-repudiable cryptographic proof that anyone can verify.

The stories of the key destruction ceremony sound rather comical. Matters are made worse when one of the participants in the ceremony voiced concerns that the ceremony could have been compromised.

For a cutting edge cryptocurrency with heavy weight claims on privacy it really should have had an implementation without a trusted setup. There should be zero contention surrounding the setup of such a currency. Unfortunately, that didn't happen.

The new research

If this new research paper proves correct then we can do away with the worst aspect of Zcash: the trusted setup. Plus it will improve on the efficiency of creating and checking the proofs required for shielded transactions. As I pointed out above, these claims are difficult to critique unless you have the appropriate background. Moreover, there is likely some work required in either pushing these improvements into ZEC or into a new coin.

Doubly efficient zk-SNARKS without a trusted setup (PDF)

Comparing the various privacy coins

There is a good comparison post on Steemit by the Zcoin team (not Zcash) of the most popular privacy coins: an overview of privacy mechanisms and associated coins. I recommend reading this post if you want a brief summary of the main privacy coins.