Cryptocurrencies recommendations are dangerous #207

Closed
opened 2017-03-25 12:01:12 +00:00 by hyc · 61 comments
hyc commented 2017-03-25 12:01:12 +00:00 (Migrated from github.com)

The Shadowcash project has been abandoned by its developers, and should be removed from the site.
https://steemit.com/cryptocurrency/@tonylondon/particl-a-new-privacy-friendly-market-platform

The Zcash listing is misleading at best, and because of Zcash's trusted setup, the project itself is not cryptographically sound. It should be removed from the site. The key point here "Unlike Bitcoin, Zcash transactions automatically hide the sender, recipient, and value of all transactions on the blockchain." is false, Zcash does *not* automatically hide anything. Users must explicitly choose to use Zcash's private transactions; the default is not private and the majority of users never change the default. Possibly because they've been misled into believing it's already private by default.

The only cryptocurrency in existence that is private automatically, by default, is Monero. It should be raised from just a "mention" to a more prominent listing. It is the only one that actually protects users' privacy.
hyc commented 2017-03-25 12:09:04 +00:00 (Migrated from github.com)

Listing Bitcoin is problematic as well. It is well proven to be fully traceable and offers zero privacy protection. http://www.coindesk.com/danish-police-claim-breakthrough-bitcoin-tracking/
loganmarchione commented 2017-04-03 15:03:33 +00:00 (Migrated from github.com)

@hyc, I had a PR open, but it sat for over a month until I eventually closed it. PR's aren't automatically merged via cron job or anything, so we're at the mercy of the repo owner to recognize and approve them.
https://github.com/privacytoolsIO/privacytools.io/pull/156
ghost commented 2017-04-04 16:01:42 +00:00 (Migrated from github.com)

Why should PRs be merged automatically?
Josexv1 commented 2017-05-27 15:47:06 +00:00 (Migrated from github.com)

Any news on this? I still see that the cryptocurrencies have misleading information.
ghost commented 2017-06-08 11:00:25 +00:00 (Migrated from github.com)

I would just like to add that in addition to the Shadowcash devs announcing that the project is finished, it is also nigh impossible to get SDC, as most, if not all currency exchanges have delisted it. It no longer has any practical use.
3k2 commented 2017-06-20 06:55:00 +00:00 (Migrated from github.com)

@YuFanLovezYou

Shadowcash is also a dead project so it should be removed imo..

> The ShadowCash team have stopped working on the Shadow Project.
> They are now working on a new and improved project called Particl. Read the official announcement and follow Particl blog for more info.

says their own website..
hugoncosta commented 2017-06-20 10:22:09 +00:00 (Migrated from github.com)

I believe you should put Monero up first. It's the only currency that forces users to use encryption on every transaction, unlike ZCash, which allows some users to do so. But if only 10% use it, it's easier to track who uses it and who doesn't, defeating its purpose. Also, Dash isn't the best example - it's a very centralized service (they use masternodes that are determined by how much Dash you own).
ghost commented 2017-06-25 15:04:10 +00:00 (Migrated from github.com)

Create a PR fixing the cryptocurrency section and I'll merge.
kewde commented 2017-07-02 23:42:18 +00:00 (Migrated from github.com)

Replacing the ShadowCash project is a good decision.

Bitcoin should stay, maybe with a warning about the potential privacy problems. There are only a few ways to get Monero or ZCash without buying Bitcoin first, so it makes sense to have it included.

I don't agree, however, with the arguments raised against Zcash here.
I'll reference back to the reddit thread; https://www.reddit.com/r/privacytoolsIO/comments/5md4xi/why_having_shadowcash_dash_and_zcash_in_the/dc2q0ao/
hyc commented 2017-07-03 00:00:14 +00:00 (Migrated from github.com)

Zcash privacy is entirely conditional, based on the whims of the Zcash Electric Coin corporation. https://www.reddit.com/r/Monero/comments/6k57zy/can_we_get_a_fair_comparison_of_zcashs_private/djjtary/
kewde commented 2017-07-03 01:19:51 +00:00 (Migrated from github.com)

> Private - should be an X. As a general principle, without privacy by default, there is no privacy. For zcash in specific, coins have to be sent from a transparent address to a hidden address before a hidden transaction can be created. That means standard timing analysis will let you track them, and uncover their amounts.

That doesn't seem right to be honest. You could argue that Monero suffers, in manners far worse, to the same 'standard timing analysis' you can think of. The standard anonymity set is several orders of magnitude lower for Monero than for ZCash. I bet, even if you apply the best known combinatorial analysis attacks for each coin respectively, that you'd still end up with a bigger anonymity subset in ZCash (and thus more privacy).

"without privacy by default, there is no privacy.", I haven't seen any proof as to why that should be considered a 'general principle'.

One of the many arguments I hear is that 'you can do x transactions to yourself and gain an anonymity set of r^x, where r = amount of mixins'. That's not privacy by default? It doesn't even work that well when operating over short time intervals due to skewing the probability, making it more vulnerable to the timing analysis attacks that have plagued Monero. [1](http://monerolink.com/monerolink.pdf) The same tactics can be applied to Zcash too.

"based on the whims of the Zcash Electric Coin corporation." Forks remain forks. If people strongly disagree, then they can fork their way out of it.
ghost commented 2017-07-03 07:26:39 +00:00 (Migrated from github.com)

Doesn't privacy by default make timing analysis harder by increasing the amount of potential subjects?
kewde commented 2017-07-03 12:45:20 +00:00 (Migrated from github.com)

> Doesn't privacy by default make timing analysis harder by increasing the amount of potential subjects?

Well that depends. I'll try to explain it simplistically, without going into any individual analysis attacks.
Privacy by default is generally considered to be more healthy as it grows the overall anonymity set; however, claiming that you have no privacy without having it on by default is bollocks.

RingCT (used and invented by Monero) allows you to obfuscate the sender of the transaction; it picks r other "mixins" (aka potential subjects). With every transaction you have a probability of randomly picking the right spender of 1 / (r + 1). The anonymity subset _per transaction_ remains constant over time. The overall anonymity set (= the pool of potential subjects to pick from) grows linearly per transaction (assuming two outputs each tx).

With ZCash, the anonymity subset per transaction is equal to the overall anonymity set, which also grows linearly per shielded transaction. The probability of randomly picking the right spender becomes near zero because it is equal to 1 / (r + 1) where r = overall anonymity set. r is not a constant, it grows, and if you (incorrectly but theoretically interestingly) assume that r -> infinity then the probability goes down to zero (lim 1 / (r + 1) with r -> infinity).

To get back to statistical attacks, there are a few classic ones, like the 'time correlation attack' where you assume that the youngest mixin is the right spender, that simply don't apply to zcash. The issue with zcash and the ability to have transparent amounts is that you can do some 'amount correlation attacks', where you can narrow down the anonymity subset per transaction because the non-hidden output amount is so high that you can scratch any mixin that is lower than that. But I'll bet that in most cases, the smaller subset after applying the attacks is still bigger than the anonymity subset per transaction in Monero. Any sane person will tell you RingCT is a lot more vulnerable to sidechannel attacks (time analysis, combinatorial attacks) than Zcash.

The only valid argument against ZCash is the fact that zk-SNARKs are generally a new thing and being skeptical about them is okay. But RingCT is generally considered to be new too; I still stand by my decision to not have Monero included at first, as there was a bug discovered recently that would've allowed the printing of an infinite amount of XMR. It brings a bit more peace of mind to know that developers from Blockstream (gmaxwell and sipa iirc) have looked at RingCT, also (re)discovering the infinity money bug.

The last argument we had about this case was on reddit, and it too was flooded by Monero supporters (they have a dedicated group of supporters/shills). The funny fact is that the arguments against the trusted setup were mostly because it would allow the creation of infinity money, a thing which can happen with bugs too. I don't care for how the coins are as a store of value; if you ask me, they're all shit, even bitcoin, they're speculative assets but generally the only ways to transact online with privacy.

A compromise of the trusted setup would not allow the attackers to remove anonymity.
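The anonymity-set comparison in the comment above (a fixed ring of r mixins giving a constant 1/(r+1) guess chance, versus a shielded pool whose per-transaction set is the whole pool, and the "r^x after x self-transactions" claim) can be made concrete with a toy model. This is an added illustration, not code from the thread or from either project: the ledger, decoy selection and seed are constructed and deliberately simplified (no amounts, no timing, uniform decoys), so it only shows how the set sizes behave, not how any real chain analysis works.

```python
import random
from fractions import Fraction
from typing import Dict, List, Set, Tuple


class RingLedger:
    """Toy ring-signature ledger (RingCT-style model from the thread): every spend
    references r decoy outputs ("mixins") plus the real one, and every transaction
    creates two outputs.  Coinbase outputs have no funding ring.  Constructed model."""

    def __init__(self, ring_decoys: int, coinbase_outputs: int, seed: int = 0):
        self.r = ring_decoys
        self.rng = random.Random(seed)          # fixed seed so decoy picks are repeatable
        self.next_id = 0
        self.outputs: List[int] = []
        self.ring_of: Dict[int, Set[int]] = {}  # output id -> ring of the tx that created it
        for _ in range(coinbase_outputs):
            self._new_output()

    def _new_output(self) -> int:
        oid = self.next_id
        self.next_id += 1
        self.outputs.append(oid)
        return oid

    def spend(self, real_output: int) -> Tuple[int, int]:
        """Spend `real_output` behind a ring of r decoys; return the two new outputs."""
        candidates = [o for o in self.outputs if o != real_output]
        if len(candidates) < self.r:
            raise ValueError("not enough outputs on the ledger to pick decoys from")
        ring = set(self.rng.sample(candidates, self.r)) | {real_output}
        out_a, out_b = self._new_output(), self._new_output()
        self.ring_of[out_a] = ring
        self.ring_of[out_b] = ring
        return out_a, out_b

    def guess_probability(self, output: int) -> Fraction:
        """Chance of picking the true spender at random from the ring that funded
        `output`: 1 / (r + 1), constant no matter how large the ledger grows."""
        return Fraction(1, len(self.ring_of[output]))

    def origin_candidates(self, output: int, hops: int) -> Set[int]:
        """Walk back `hops` transactions through the rings.  With no extra information
        every ring member is a possible real input, so the candidate set can grow up to
        (r + 1) ** hops (the thread's "r^x" for x self-transactions), capped by the
        ledger size.  Coinbase outputs have no ring and stay in the set as origins."""
        frontier = {output}
        for _ in range(hops):
            nxt: Set[int] = set()
            for o in frontier:
                nxt |= self.ring_of.get(o, {o})
            frontier = nxt
        return frontier


def shielded_guess_probability(pool_size: int) -> Fraction:
    """Shielded-pool model from the thread: the per-transaction anonymity set is the
    whole pool of shielded notes, so a random guess succeeds with chance 1 / pool_size,
    which shrinks toward 0 as the pool grows."""
    return Fraction(1, pool_size)


def compare_growth(num_tx: int, ring_decoys: int, seed: int = 0) -> List[Tuple[int, int]]:
    """For each of `num_tx` chained spends return (ring members, outputs on the ledger).
    The first stays at r + 1; the second, which a shielded design would use as its
    per-transaction anonymity set, grows by two outputs per transaction."""
    ledger = RingLedger(ring_decoys, coinbase_outputs=ring_decoys + 1, seed=seed)
    rows = []
    last = ledger.outputs[-1]
    for _ in range(num_tx):
        last, _ = ledger.spend(last)
        rows.append((len(ledger.ring_of[last]), len(ledger.outputs)))
    return rows


if __name__ == "__main__":
    for ring_members, pool in compare_growth(5, ring_decoys=4):
        print(f"ring model: guess 1/{ring_members}   pool model: guess 1/{pool}")
```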
hyc commented 2017-07-03 13:12:12 +00:00 (Migrated from github.com)

Your discussion of anonymity set is like "how many angels can dance on the head of a pin." Since Monero uses stealth addresses, the anonymity set is essentially infinite - even if you can correctly guess which input is the real one in a transaction, that doesn't tell you anything about who the sender is. I.e., anonymity is always 100% because there's nothing that links a one-time-use stealth address to any user's wallet address. And, your statistical attacks only give you a probability - you never have any certainty that a particular input is the real one. It really is just a guess; you have no way to verify it.

Your assertion

> A compromise of the trusted setup would not allow the attackers to remove anonymity.

doesn't seem to stand up to close scrutiny, when the CEO of Zcash himself says they can trace their tokens.
kewde commented 2017-07-03 13:28:23 +00:00 (Migrated from github.com)

The anonymity set isn't infinite from all perspectives. The person who sent you the money knows the ephemeral address (well, public key in the case of Monero) and can link the output to the stealth address because they sent it. Anonymity has to work even in hostile environments; I wouldn't call it trustless otherwise. By your analogy, using stealth addresses is the only thing needed to provide anonymity?

You also conveniently left out a few parts where he says that it would have to be done through KYC/AML compliance and where it would still be private and fungible.

"And by the way, I think we can successfully make Zcash too traceable for criminals like WannaCry, but still completely private & fungible. …"

"It's simply that good KYC/AML compliance at FIs probably deters criminals without violating privacy. Zcash makes that easier not harder."

https://mobile.twitter.com/zooko/status/863202798883577856
ghost commented 2017-07-03 13:37:21 +00:00 (Migrated from github.com)

> And by the way, I think we can successfully make Zcash too traceable for criminals like WannaCry, but still completely private & fungible. …

Doesn't sound like success to me.
kewde commented 2017-07-03 13:56:59 +00:00 (Migrated from github.com)

What he says is that exchanges and their KYC/AML policy should be enough to prevent criminals like WannaCry as long as they want to cash out to fiat. If they don't want fiat, then it will still be untraceable.
The same applies 100% to Monero, Bitcoin etc.

https://mobile.twitter.com/zooko/status/863202798883577856
hugoncosta commented 2017-07-03 15:18:51 +00:00 (Migrated from github.com)

@kewde someone smart enough to create (insert malware) in order to steal crypto is smart enough to use anonymous crypto-to-cash services. But assuming they have a lot to cash out and only an exchange is able to do so - fine, but fraud is still easy to do. I mean, they just need to create a Skrill/Neteller account, request an ATM card and they can cash out up to 1000 euros a day. They'd even receive a 10-20% markup when selling their crypto for Skrill/Neteller. Anyone with 2 fingers worth of know-how is able to successfully and anonymously cash out these days, be that with Bitcoin or Monero or ZCash.

So, that aside, yes, the sender knows how much they send. But no one else other than the sender and the receiver knows how much. The sender knows that the receiver has AT LEAST the amount sent, nothing more. In a WannaCry scenario, unless you get everyone that sent the money to say "I did it", you will never know how much was sent and where it is in a currency like Monero (I haven't looked into ZCash's process).

Concluding, KYC/AML isn't enough to deter anyone from anonymously cashing out, assuming they're not dumb. I'm a strong supporter of Monero and their tech, and their argument against ZCash is clear - if only some are using the anonymity process, then no one is truly anonymous.
kewde commented 2017-07-03 16:23:13 +00:00 (Migrated from github.com)

@hugoncosta I wasn't saying that Zooko was right about this whole KYC/AML argument, I was merely stating that there was no intention (at least in that specific statement) to change Zcash wallet software to make it more traceable.

I don't see the relevance of the second paragraph, but the same applies to Zcash.

'if only some are using the anonymity process, then no one is truly anonymous.' - I agree with your stance from a macroscopic (dare I say altruistic) perspective; I think it's beneficial to get people to use anonymous currencies because then in general there are more potential subjects. However, it isn't correct: anonymity always works within a set. In the digital world you are always anonymous among X people. 'Truly anonymous' doesn't exist. From the macroscopic perspective, there are probably more people using Monero than there are using Zcash's anonymity features, but that doesn't directly imply that a transaction through Monero is more anonymous than one on Zcash. If you were to take everyone using Monero and make them use Zcash then, in an ideal world, they would be better off privacy-wise, mainly because the obfuscation on a transactional level is superior. The theoretical anonymity of a single transaction is magnitudes lower for RingCT than for Zcash.
urza commented 2017-07-04 22:38:30 +00:00 (Migrated from github.com)

The main problem with recommending ZCash to someone who needs to make private and anonymous financial transactions is this:

The company that is developing ZCash just doesn't seem to realise what privacy means in the real world. They are more like a group of academics testing their new cryptographic idea as a startup. And when the first ransomware emerges, they are ready to back up and suggest finding ways to make ZCash more traceable, comply with KYC/AML etc. Compare this with Monero, where privacy is clearly stated as the no1 focus of the cryptocurrency, an ongoing effort that is still being worked on and improved. Not just on the blockchain level, but on all levels that make a financial transaction in the real world. For example Kovri is the ongoing development of I2P integration into the whole network by default. There is also a whole ecosystem of tools (like xmr.to) that make it usable for anonymous payments, and there are guides (like monero.how) that help people understand how to use it correctly and anonymously. The focus of the Monero project is very much aligned with "privacytools recommendation". Zcash? Who knows.
kewde commented 2017-07-04 23:56:26 +00:00 (Migrated from github.com)

They can not retroactively deanonymize transactions. If they do implement something that is the opposite of privacy then it should obviously be removed from privacytools.io. Don't forget that such an alteration of the currency would require a fork, requiring the miners and users to migrate to the client. I don't immediately see them jumping ship, when their main purpose is to provide private transactions. A tweet of one man does not define the fate of a cryptocurrency.

Both Bitcoin and Zcash already provide more or less the functionality that Kovri would offer, but over the Tor network through [stream isolation](https://github.com/bitcoin/bitcoin/pull/5911). They inherited that from the Bitcoin codebase, but once you point your bitcoind or zcashd to 127.0.0.1:9050 it will create a new circuit for each node.
wangkesen commented 2017-07-05 07:55:08 +00:00 (Migrated from github.com)

“Claiming that you have no privacy without having it” Yeah I was pretty much convinced otherwise after h us much.
hyc commented 2017-07-05 11:10:20 +00:00 (Migrated from github.com)

> Forks remain forks.

We're talking about Zcash as it exists, not about possible forks. Zcash as it exists is run by a corporation that's vulnerable to coercion from TLAs, and whose CEO has already publicly stated that he's amenable to weakening his coin's security. And has systematically laid out plans to break his coin's anonymity at scheduled intervals of time. And has already [demonstrated](https://z.cash/blog/security-announcement-2017-04-12.htmll) its own ability to trace its transactions. Why you still defend it so vigorously makes no sense.
hyc commented 2017-07-05 11:13:13 +00:00 (Migrated from github.com)

> They can not retroactively deanonymize transactions.

Are you so sure? Reread those 3 links I posted in this comment https://www.reddit.com/r/Monero/comments/6k57zy/can_we_get_a_fair_comparison_of_zcashs_private/djjzsp7/ They *can* retroactively reveal the balances of all shielded addresses. What makes you think they can't then trace all the transactions that made up those balances?
kewde commented 2017-07-05 11:22:19 +00:00 (Migrated from github.com)

> We're talking about Zcash as it exists, not about possible forks.

If you want to talk about Zcash as it exists, then please do so, because I'm not aware of any malicious insertions in their codebase that suggest that they are actively making it more traceable. I mostly keep tabs on what their developers are actually doing, not on what the sales guy says. Zooko might be a fool, but you need more than a fool to destroy a cryptocurrency. I think he just does the dance with legality, just like they avoid the usage of the word "anonymous" on their website and communications.

> And has systematically laid out plans to break his coin's anonymity at scheduled intervals of time

He has mentioned one way of possibly doing a coin supply audit, which involves revealing the amounts. That doesn't automagically deanonymize a transaction.

> And has already demonstrated its own ability to trace its transactions. Why you still defend it so vigorously makes no sense.

The anonymity set per transaction is every output in existence on the chain. Even you must admit that such a large anonymity set is the holy grail of anonymous cryptocurrencies. RingCT is interesting to me but mostly for the wrong reasons. More specifically, the many attacks and different situations make it a fun game of creating new analysis strategies. The limitations of ring signatures are starting to show, the debate about mixin input selection for example. People actually spend their coins rather fast, which creates an input distribution that is heavily skewed. If you want to actually match that distribution you'll need to pick more recent outputs as mixins, making it more vulnerable to active deanonymization attacks. This is because of the rather low anonymity subset per transaction in comparison to Zcash.

> They can retroactively reveal the balances of all shielded addresses.

I'm very sure they can't retroactively reveal the balances of shielded addresses _without consent of the user_; revealing the balance of a shielded address doesn't magically deanonymize it.
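The mixin selection point in the comment above can be measured rather than argued. The simulation below is an added example and not Monero code; it models nothing about any particular release. It assumes (constructed values, not from this thread) that the age of a really spent output follows an exponential distribution with a mean of 50 blocks, that the chain holds 10,000 spendable outputs and that a ring has 5 members. It compares two decoy policies against the simplest observer heuristic, "the youngest ring member is the real input", and reports how large an anonymity set each policy actually delivers. Uniform decoys leave the real input guessable far more often than 1 in 5; decoys drawn from the same age distribution as real spends bring the heuristic back to chance, which is exactly why a matching policy has to pick young outputs.

```python
"""Effective anonymity of a ring under two decoy (mixin) selection policies.

Added example, not Monero code.  Constructed assumptions: real spend age is
exponential with mean MEAN_SPEND_AGE blocks, the chain holds CHAIN_OUTPUTS
outputs, and every ring has RING_SIZE members (one real input plus decoys).
The observer's heuristic is "the youngest ring member is the real input";
a hit rate of 1/RING_SIZE means the ring leaks nothing to it.
"""
import random

RING_SIZE = 5           # one real input plus four decoys
CHAIN_OUTPUTS = 10_000  # age in blocks of the oldest spendable output
MEAN_SPEND_AGE = 50.0   # blocks; real spends are young on average


def real_spend_age(rng: random.Random) -> int:
    """Age of the output actually being spent (skewed towards recent)."""
    return min(int(rng.expovariate(1.0 / MEAN_SPEND_AGE)), CHAIN_OUTPUTS - 1)


def decoys_uniform(rng: random.Random, n: int) -> list[int]:
    """Policy A: decoys drawn uniformly from every output on the chain."""
    return [rng.randrange(CHAIN_OUTPUTS) for _ in range(n)]


def decoys_matched(rng: random.Random, n: int) -> list[int]:
    """Policy B: decoys drawn from the same age distribution as real spends."""
    return [real_spend_age(rng) for _ in range(n)]


def guess_newest_hit_rate(policy, trials: int, seed: int = 1) -> float:
    """Fraction of rings in which the youngest member really is the spent output.
    Ties count as a miss because the observer cannot tell tied members apart."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        real = real_spend_age(rng)
        ring = [real] + policy(rng, RING_SIZE - 1)
        youngest = min(ring)
        if youngest == real and ring.count(youngest) == 1:
            hits += 1
    return hits / trials


def effective_anonymity_set(hit_rate: float) -> float:
    """Ring size that the observed hit rate is equivalent to under random guessing."""
    return 1.0 / hit_rate if hit_rate > 0 else float("inf")


if __name__ == "__main__":
    for name, policy in (("uniform decoys", decoys_uniform), ("matched decoys", decoys_matched)):
        rate = guess_newest_hit_rate(policy, trials=20_000)
        print(f"{name:15s} guess-newest hits {rate:6.1%}  "
              f"effective anonymity set {effective_anonymity_set(rate):.1f} of {RING_SIZE}")
```

The design lesson is the one the comment hints at: the anonymity set of a ring is bounded by its size only if the decoys are indistinguishable from the real input on every observable axis, age included; when the decoy distribution and the real spend distribution diverge, the effective set collapses well below the nominal ring size.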
hyc commented 2017-07-05 16:01:12 +00:00 (Migrated from github.com)

> If you want to talk about Zcash as it exists, then please do so because I'm not aware of any malicious insertions in their codebase that suggest that they are actively making it more traceable.

What makes you think such code is in any codebase you have access to?
Zcash is clearly not decentralized, and code to monitor the network has already been deployed at least once before: https://z.cash/blog/security-announcement-2017-04-13.html

> The anonymity set per transaction is every output in existence on the chain.

This is obviously false. Try again. Transparent transactions don't do anything for the anonymity of shielded transactions, and shielded transactions are still less than 10% of the network.

"In theory, theory and practice are the same. In practice, they're different." In theory, ZK-SNARKs provide perfect privacy. In practice, no exchanges support them, and very few users use them because the computational costs of creating shielded txns are too high. They've been working on this since at least 2013 and the issue remains just as bad. (And Moore's Law is dead, so they can't just say "well CPUs will get faster in the future and this won't be a problem.")

Revealing the balance of a shielded address breaks one of the guarantees "hide the sender, recipient, and value of transactions in z-addresses." The centralized authority of Zcash corp. is monitoring the network and can probably break the other two. You have no way to prove otherwise.

The fact that the Zcash network can't be audited without breaking these original guarantees should also trouble *anyone* considering using it. It renders the coin completely worthless as a store of value if you have no guarantees against uncontrolled inflation, and if the only way to check for counterfeiting inflation is by periodic unshielding audits, it is completely worthless as a privacy store.

I'd ask you to provide links/references for any further assertions you make, because you're obviously getting the facts wrong here.
kewde commented 2017-07-05 16:37:37 +00:00 (Migrated from github.com)

> Revealing the balance of a shielded address breaks one of the guarantees "hide the sender, recipient, and value of transactions in z-addresses." The centralized authority of Zcash corp. is monitoring the network and can probably break the other two. You have no way to prove otherwise.

Actually it wouldn't. Just like with stealth addresses, you wouldn't be able to tag the balance to the z-address. The next part of this paragraph contains some wild and unsubstantiated claims for which I'd like to see some references. In the field of security, you prove to me that you can break something, not the other way around.

https://github.com/zcash/zcash/issues/2371

> (In fact, it might also be possible to use a simpler zk proving system, that would not need a trusted setup, to keep the amounts transferred between epochs private while still allowing them to be audited. I'll file a separate ticket about that once I've thought about the details.)

Seems like they might be able to keep the amount private after all.

> The fact that the Zcash network can't be audited without breaking these original guarantees should also trouble anyone considering using it. It renders the coin completely worthless as a store of value if you have no guarantees against uncontrolled inflation, and if the only way to check for counterfeiting inflation is by periodic unshielding audits, it is completely worthless as a privacy store.

I can equally change Zcash to Monero in that statement. I don't think I have to remind you about the 2 infinite money bugs in Monero, one of which was luckily detectable. The other bug, discovered in testnet, was undetectable. As far as I know, there are currently no measures to provide auditability on the Monero blockchain.
hyc commented 2017-07-05 16:52:07 +00:00 (Migrated from github.com)

> I can equally change Zcash to Monero in that statement.

Wrong again. The Monero coinbase transactions are always transparent, so the entire money supply can always be audited by anyone, any time.
hyc commented 2017-07-05 16:57:39 +00:00 (Migrated from github.com)

> In the field of security, you prove to me that you can break something, not the other way around.

In regards to Zcash - prove to me that the trusted setup parameters were actually destroyed. Prove to me that Zooko was *only* talking about KYC/AML exchanges when he talked about making Zcash "too traceable." You're far too willing to take Zcash's word for something that an objective observer would remain skeptical about.
kewde commented 2017-07-05 22:17:21 +00:00 (Migrated from github.com)

> Wrong again. The Monero coinbase transactions are always transparent, so the entire money supply can always be audited by anyone, any time.

_Coinbase_ transactions are, but other transactions can also inflate the supply, given that there is a bug in CT that allows them to. Which was the case, twice.

> In regards to Zcash - prove to me that the trusted setup parameters were actually destroyed. Prove to me that Zooko was only talking about KYC/AML exchanges when he talked about making Zcash "too traceable." You're far too willing to take Zcash's word for something that an objective observer would remain skeptical about.

The only reason I take it so far is to nuance your opinion of it. You paint them as the devils in disguise.
Read it completely, don't just cherry-pick the pieces you like.

The exact tweet you're quoting, read the follow-up.
https://mobile.twitter.com/zooko/status/863202798883577856

> Fomo Sapiens @fomosapiens
> Replying to @zooko
> so if some day NSA knocks on your door you are going to make everyone's transactions untraceable too? i'll have to rethink zcash now.

> zooko @zooko
> I think you meant "traceable", and it would be impossible for me to do that, because I can't violate the laws of math.

> zooko @zooko
> I _don't_ mean weakening security ((link: https://z.cash/support/faq.html#backdoor) z.cash/support/faq.ht…). I mean that a secure protocol layer is compatible with good law enforcement.
ghost commented 2017-07-06 17:23:46 +00:00 (Migrated from github.com)

> I don't mean weakening security ((link: https://z.cash/support/faq.html#backdoor) z.cash/support/faq.ht…). I mean that a secure protocol layer is compatible with good law enforcement.

What? So the protocol is going to decide whether the adversary is "good" law enforcement?

Otherwise, not weakening security whilst being compatible with "good" law enforcement implies that the security doesn't have to be weakened in order to be compatible with "good" law enforcement, therefore it's insecure at the moment?

I don't see how anything can be secure yet compatible with law enforcement.

I wouldn't trust anything developed with being compatible with law enforcement in mind.
kewde commented 2017-07-06 20:31:21 +00:00 (Migrated from github.com)

> What? So the protocol is going to decide whether the adversary is "good" law enforcement?

> I mean that a secure protocol layer is compatible with good law enforcement.

What he means is that a secure protocol layer shouldn't be explicitly weakened to accommodate law enforcement. Good law enforcement doesn't require insecure protocols.

We're not going to break HTTPS on purpose just to let the snoops in. HTTPS is perfectly compatible with (legal) law enforcement as far as I know, are you suggesting it's insecure? 😄
ghost commented 2017-07-06 20:35:48 +00:00 (Migrated from github.com)

HTTPS is based on CAs which are subject to warrants -- law enforcement.

The point of "decentralizement" is to avoid exactly this.

One of the main uses of cryptocurrencies is the free market, an enemy of governments. Cryptocurrencies should not be subject to law enforcement per se.

You're implying law enforcement is (always) *good*. By this logic, we should focus on developing technologies which would help law enforcement catch *criminals* like Snowden.
kewde commented 2017-07-06 22:14:47 +00:00 (Migrated from github.com)

We're getting a bit off track here, but I never implied that in any form or shape.

I don't see any evidence, or even the intent, to weaken the current Zcash protocol and/or reference client to favor law enforcement. What I did see was someone tweeting that good law enforcement doesn't require people to purposefully weaken the security.
ghost commented 2017-07-07 07:41:23 +00:00 (Migrated from github.com)

"someone tweeting that good law enforcement doesn't require people to purposefully weaken the security" != being compatible with good law enforcement

"Doesn't require people to purposefully weaken the security" meant how?

That the protocol can be broken by law enforcement already, or that "good" law enforcement is so good they don't require anyone to comply?

I doubt the latter. You compared it to HTTPS.

Further in the replies:

> ⛓️ Edwin den Boer @edbwt May 14
> Is Zcash compatible with Jeff Sessions' idea of good law enforcement? How about Duterte, the Saudis, or Putin?

> Virgil Vaduva @VirgilVaduva May 14
> Replying to @zooko
> Most laws are immoral. Why would you get involved in that process?
urza commented 2017-07-07 08:07:05 +00:00 (Migrated from github.com)

The main point in the context of privacy tools should be which currency can better protect the anonymity and privacy of people who need that, because their security or life may depend on it. There are plenty of regimes where doing a financial transaction may cost you years in prison or indeed threaten your life, and there is no guarantee that the users of these recommended cryptocurrencies will be tech savvy. So 'better' in this context is more about ease of use, ecosystem and the whole setup of the project. I really can't recommend using Zcash over Monero with what I know to someone in this possible situation. Just because Zcash has anonymity optional, is easier to track on exchange points (almost no service accepts shielded txs) and there are doubts about what their CEO meant by "make it too traceable for criminals to use". Who decides who/what is criminal? Iranian Government? US Government? Zooko himself?

Compare with Monero, where anonymity is default, the community has a record of helping whoever needs the help, developers are clearly aware that what they do might affect lives of people, and also Monero has a larger network effect which might be very important for IRL operations.

Zcash is a nice academic exercise of testing new cryptography and the project is developed by some very intelligent academics. But real world privacy requires more than that.
kewde commented 2017-07-07 11:10:46 +00:00 (Migrated from github.com)

> That the protocol can be broken by law enforcement already, or that "good" law enforcement is so good they don't require anyone to comply?

Good and effective law enforcement, in my opinion, is doing detective work on individual cases. A fishnet approach isn't effective and fills the process with a lot of clutter. LE doesn't need to know the exact path the money came from, it can be anonymous. The person they targeted has to explain and prove where the money came from, just like with _cash_ money.

You have a mangled definition of "security" to be honest: if LE gets your private keys/CAs then indeed, it's game over. But then you can just shut down privacytools.io because not a single tool would be up to your standards. Should we remove Tor or Signal? Is Monero insecure because LE has the transaction history if they get hold of the wallet file?
I, and I assume most people, consider something to be secure when there are no cryptographic backdoors (or bugs).

> Just because Zcash has anonymity optional, is easier to track on exchange points (almost no service accepts shielded txs)

This is quite vague, it makes it easier to track for whom? How would this attack be applied?
I haven't seen any evidence or write-ups describing this attack. I can see where it is heading, and I've heard the main pseudo-argument is something along the lines of 'oh but the amounts are public, that makes analysis easy'. I haven't seen any evidence of that.

Also, let's just assume there are vulnerabilities in the protocol, and we apply the attack to the enormous anonymity subset per transaction. Let's assume that our imaginary statistical attack allows us to narrow down the potential inputs to 10% of the initial set (a 90% reduction, that is quite effective, I'm being generous here); well, that 10% still has a lot more mixins than a Monero transaction.

A statistical attack applied on Monero, causing a 90% reduction, will cause a lot more trouble than on Zcash. The enormous anonymity set makes it naturally resistant against statistical attacks.
ghost commented 2017-07-07 12:36:21 +00:00 (Migrated from github.com)

> The person they targeted has to explain and prove where the money came from just like with cash money.

That's immoral and false.

Your logic seems mangled. CAs possess the private key, not you. A CA is subject to warrants, you are not. By your logic, we shouldn't recommend any tools at all since they're rendered useless by bad opsec.
kewde commented 2017-07-07 14:43:34 +00:00 (Migrated from github.com)

> That's immoral and false.

That's how the law works for cash in my jurisdiction. I'm not saying it's moral, I'm pointing it out as an example that anonymous cryptocurrencies are compatible with LE in the same way that cash is.
The only opinion I expressed in my previous comment is that LE should work on a case by case scenario, not a fishnet approach. It's not because you're a Zcash or Monero user that you suddenly should be looked into by LE.

I suggest you take a look at the TLS specification, [RFC5246](https://tools.ietf.org/html/rfc5246).

CAs don't possess the (most important) private key, the one used for encryption. They can however issue new private keys for an instance, which is indeed a security issue. You can equally be subject to those warrants, Lavabit is an example of that. You can "pinpoint" a certificate for a website by the way, causing your browser to display an error when it changes.

I don't know what made you interpret my words and come to that conclusion.
By my logic, we should recommend tools that are considered secure, both cryptographically and in reality.
ghost commented 2017-07-07 14:48:34 +00:00 (Migrated from github.com)

Sorry, I meant providers using TLS, not CAs.

> immoral and false

CCs are a way to evade immoral economic government oppression. In many jurisdictions, there are things like the Fifth Amendment of the US Constitution. And with good opsec combined with good CCs, you don't need the Fifth anyway.

> I'm not saying it's moral, I'm pointing it out as an example that anonymous cryptocurrencies are compatible with LE in the same way that cash is.

contradicts

> The only opinion I expressed in my previous comment is that LE should work on a case by case scenario

Also

> By my logic, we should recommend tools that are considered cryptographically secure.

Cryptographically secure implies incompatibility with law enforcement.
kewde commented 2017-07-07 16:06:12 +00:00 (Migrated from github.com)

> If it's not moral, shouldn't CCs be better than cash?

I'm not saying it's moral or immoral. There's nothing more anonymous than tangible goods, there is no direct history to those. Everything comes with a history on the blockchain.

> Cryptographically secure means incompatible with "good" law enforcement.

No it doesn't. There are many opinions on what "good" law enforcement is or is supposed to be. Something being (reasonably) cryptographically secure is a fact. It being incompatible with 'good' LE depends on your opinion of what 'good' LE is.

I stand behind the statement that 'good' LE doesn't require their author to deliberately make a protocol insecure. Any LE that does, is 'bad' LE.
ghost commented 2017-07-07 16:32:01 +00:00 (Migrated from github.com)

I said it implies incompatibility. I changed a few things in my comment before you posted, so you may want to update your post as well.

Anyway, I stand behind the statement that law enforcement is often unethical per se, but that's off-topic. Your statement that good LE doesn't require someone to make a protocol insecure seems irrelevant, given zooko was talking about *making* Zcash compatible with LE.
kewde commented 2017-07-08 18:11:45 +00:00 (Migrated from github.com)

> making Zcash compatible with LE

That would imply a backdoor, which they've already committed to not doing (check their FAQ on their website).
Making such a change would be detectable and require a fork, and if they do implement it then Zcash will be removed.

> Cryptographically secure implies incompatibility with law enforcement.

It doesn't imply it either. Ask anyone if they consider Signal to be cryptographically secure and compatible with LE, the answer will be 'yes' on both.

There are good reasons as to why everyone should think that secure protocols are compatible with LE. Because if you don't, then the general opinion will allow backdoors.
ghost commented 2017-07-08 18:13:44 +00:00 (Migrated from github.com)

> And by the way, I think **we can** successfully **make** Zcash too traceable for criminals like WannaCry
kewde commented 2017-07-08 18:19:34 +00:00 (Migrated from github.com)

> And by the way, I think we can successfully make Zcash too traceable for criminals like WannaCry

"I **can**" != "I **will**"
ghost commented 2017-07-08 18:20:16 +00:00 (Migrated from github.com)

Still a bad way of thinking for an anonymous cryptocurrency dev.

kewde commented 2017-07-08 18:36:32 +00:00 (Migrated from github.com)

> Still a bad way of thinking for an anonymous cryptocurrency dev.

Is it?
I think it's genius, spreading the idea that LE and anonymous currencies aren't enemies.
Anonymous currencies have a long way to go before being accepted by the general public, and I'm all for spinning the public narrative into the direction that anonymous currencies are just like "good old cash". If we would now (as a theoretical exercise) imprint the idea into the public opinion that the two are inherently incompatible then we are screwing ourselves over, because all the pussies will pick 'LE' over 'secure protocols' without a shred of doubt.
ghost commented 2017-07-08 18:40:47 +00:00 (Migrated from github.com)

> because all the pussies will pick 'LE' over 'secure protocols' without a shred of doubt.

Will they? Take the Apple vs FBI case as an example. A lot of people were on Apple's side.
kewde commented 2017-07-08 18:58:50 +00:00 (Migrated from github.com)

> Will they? Take the Apple vs FBI case as an example. A lot of people were on Apple's side.

Many people were, but even 1% of Apple's users is considered a lot. The other 99% couldn't even care.
Anyways, ask yourself: what percentage of people that you know in your daily life care deeply about privacy and security?
hugoncosta commented 2017-07-08 22:03:39 +00:00 (Migrated from github.com)

@kewde I believe this is going way off topic. "What's the percentage of people you know that care about privacy?" - what's this website all about? In my mind, we're supposed to give alternatives to "normal" services, that's it. Everything has its flaws, we have to be careful even with the most "secure" systems.

But to answer the question, 0. No rounding down, literally, 0. And I know a ton of geeks, software engineers, and they're connected to Google, location on, no password managers, nothing.

Apple vs FBI just confirmed what we already knew - sheep will repeat what people tell them. Those that were on FBI's side couldn't understand what it could do to Apple's products and their privacy/safety. In the long run, I hope the new generation that's in the oven right now will understand what really matters. Although with recent updates on Snapchat, it just shows me that this generation is getting deeper and deeper into the Big Data's arms.

ghost commented 2017-07-08 22:46:55 +00:00 (Migrated from github.com)

Still, we haven't come to a conclusion despite this issue being closed.

- Should BTC be the first?
- Is Zcash so (arguably) superior to Monero that privacy by default isn't important?

I'd personally prefer the following order: Monero, Zcash, Bitcoin.

My opinion is that no matter how Zcash's tech may be superior to that of Monero, I'd go with Monero simply because of privacy by default and devs that aren't on the FBI's side.
hyc commented 2017-07-08 23:53:11 +00:00 (Migrated from github.com)

> I'd personally prefer the following order: Monero, Zcash, Bitcoin.

Absolutely. Zcash might be theoretically superior (debatable) but in the real world, it is inferior in every way. Smaller user base (Official binaries are Linux-only), smaller anonymity set (less than 10% of txns use the privacy tech), worse usability (requires extensive compute resources), requires trusting a 3rd party (defeats the purpose of using a blockchain in the first place), etc. etc. etc.

Plus, the only proponent of Zcash here, @kewde, is a known scammer, purposefully endorsing ShadowCash when he knew full well that it was about to be exitscammed. Why he still has commit privs on this project is beyond me.
zookozcash commented 2017-07-09 01:31:06 +00:00 (Migrated from github.com)

Hi, one of the Zcash Founders here. I've been reading this thread with interest.

> Smaller user base

I don't think there are good metrics about user base, yet. One metric that I know of — total transactions per day — shows Zcash as having more transactions per day (week, month) than Monero currently has:

https://explorer.zcha.in/statistics/usage
https://moneroblocks.info/stats/transaction-stats

(Note that the zcha.in stats do not exclude coinbase transactions. You should subtract about 576 txns per day if you want to exclude them.)

Now it's really difficult to analyze the effective privacy that users get. It *isn't* as simple as saying that Zcash transparent addresses give you no privacy and Zcash shielded addresses give you complete privacy.

Transparent addresses could potentially be safe for some users, for example if I had Zcash in a shielded address, and I sent it to your transparent Zcash address, and then you deposited it into an exchange and sold it, then your transparent Zcash address would not be linkable to me (*except* if I wasn't using Tor/I2P! Or if the amount of Zcash I sent to you — which amount is publicly visible since you are using a transparent address — somehow identifies me or reveals what you and I are doing.)

Going the other way, Zcash partially-shielded transactions might *not* give you as much privacy as you think, especially if you're not using Tor/I2P or if the amounts and the addresses of your counterparties reveal information.

Now Zcash fully-shielded transactions — those really *are* safe (if you use Tor/I2P). Almost nothing (almost zero — the "Z" in Zcash) is leaked into the blockchain about a fully shielded transaction. Zcha.in shows that there were 399 fully-shielded transactions in the last 30 days. There is no information in the blockchain that can be used to link one of those transactions to anything else or to distinguish those transactions from each other, except for the blockchain height when they were posted and the blockchain height ("anchor") that they were based on.

On the Monero side, it isn't accurate to think that all Monero users are safe "because privacy is on by default". Privacy being on by default is great. It's one of the many good things that Monero does, and I hope to level-up Zcash to that level in the future, but it doesn't mean that Monero users are automatically safe!

The ringsig (aka "mixin") method of obfuscating the true origin of a transaction is a fragile method of protecting privacy. https://monerolink.com is a great demonstration of how, up until January 31, 2017, it was possible to de-anonymize most Monero transactions.

Monero has subsequently been upgraded to improve one of the weaknesses leveraged by that attack, but that doesn't mean that the current version is definitely safe. We can't conclude that every user of today's version of Monero is at risk, but neither can we conclude that every user is safe, which is what a naive interpretation of "privacy is turned on by default" might imply.

https://moneroblocks.info/stats/ring-size shows that 70% of current Monero transactions use only 1–2 mixins, but even for those who use more (I think the recommendation is 4), that might not actually protect the user, depending on a lot of factors. Obfuscation is just an inherently fragile technique.

Bottom-line: both projects are, in my opinion, reasonable attempts at providing privacy, with a lot of different trade-offs. I'm not aware of any credible accusations of fraud or betrayal on the part of Monero devs. I think both projects ought to be listed here.
hugoncosta commented 2017-07-09 08:45:06 +00:00 (Migrated from github.com)

Great to see one of the actual founders of a coin pitching in on this project! I believe that a good compromise would be to set a clear note below the cryptos saying something like "These currencies can only be private if you take extra precautions. Read their documentation first in order to make sure you're using the safest way to transfer value"

daira commented 2017-07-09 10:02:16 +00:00 (Migrated from github.com)

@hyc wrote:

> The key point here "Unlike Bitcoin, Zcash transactions automatically hide the sender, recipient, and value of all transactions on the blockchain." is false, Zcash does not automatically hide anything.

The wording currently used at https://z.cash is "Shielded transactions hide the sender, recipient, and value on the blockchain." It's had that wording since early January; before that it said "Zcash encrypts the contents of shielded transactions." I do seem to remember the inaccurate wording you give above being used at some point, maybe before launch? In any case it's clearly not the case for all transactions and we do not claim that.

> Users must explicitly choose to use Zcash' private transactions; the default is not private and the majority of users never change the default.

This is not accurate. There is no default, there are merely new APIs. It's up to wallet implementors to decide which type of addresses are presented as default in their interface; that's not a zcashd or protocol issue. Now, there are performance issues with using shielded transactions for everything, and we're fixing those with Sapling. I believe the decision to implement the Zerocash protocol with only minor changes first was the correct one; launching with major cryptographic upgrades would have been very risky.
hyc commented 2017-07-09 13:26:02 +00:00 (Migrated from github.com)

For clarity:

>> Smaller user base

> I don't think there are good metrics about user base, yet. One metric that I know of — total transactions per day — shows Zcash as having more transactions per day (week, month) than Monero currently has:

It is still true that 100% of Monero transactions are more private than 81% (as of today) of Zcash transactions. If you exclude Zcash's transparent transactions from the comparison (which would be more fair, since these are basically the same as Bitcoin transactions), it's still true that Monero has more transactions than Zcash's partly- and fully-shielded transactions combined.

> The ringsig (aka "mixin") method of obfuscating the true origin of a transaction is a fragile method of protecting privacy. https://monerolink.com is a great demonstration of how, up until January 31, 2017, it was possible to de-anonymize most Monero transactions.

No, actually that site doesn't demonstrate *de-anonymization* at all. That's a pretty gross misrepresentation of what can be proven. https://getmonero.org/2017/04/19/an-unofficial-response-to-an-empirical-analysis-of-linkability.html
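One way to measure the transparent-versus-shielded split that zooko and hyc are arguing over, and to make explicit which fields each transaction type leaves readable on chain, as an added example that is not part of the thread or of the Zcash code base. The records are constructed and follow a simplified version of zcashd's verbose transaction output (`vin`/`vout` for the transparent side, `vjoinsplit` with `vpub_old`/`vpub_new` for the Sprout shielded side); the coinbase exclusion is the one zooko mentions.

```python
"""Classify Zcash (Sprout-era) transactions by shielding type and report what
each type leaves readable on the public block chain.

Added example for the thread above; not code from privacytools.io or Zcash.
The record layout is a simplified, constructed version of zcashd's verbose
getrawtransaction output: 'vin' / 'vout' are the transparent side,
'vjoinsplit' the shielded side, where vpub_old is value entering the shielded
pool and vpub_new is value leaving it.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Leak:
    kind: str             # transparent | coinbase | partially_shielded | fully_shielded
    public_fields: tuple  # what a chain observer can read without holding any key


def classify(tx: dict) -> Leak:
    vin = tx.get("vin", [])
    vout = tx.get("vout", [])
    joinsplits = tx.get("vjoinsplit", [])
    is_coinbase = any("coinbase" in i for i in vin)
    has_t_in = any("coinbase" not in i for i in vin)
    has_t_out = bool(vout)

    if not joinsplits:
        # Bitcoin-style transaction: sender, recipient and amount are all in the clear.
        if is_coinbase:
            return Leak("coinbase", ("recipient", "amount"))
        return Leak("transparent", ("sender", "recipient", "amount"))

    into_pool = sum(js.get("vpub_old", 0.0) for js in joinsplits)
    out_of_pool = sum(js.get("vpub_new", 0.0) for js in joinsplits)
    if has_t_in or has_t_out or into_pool or out_of_pool:
        # One side touches the transparent pool, so that side's addresses and the
        # value crossing the pool boundary are public (zooko's "partially-shielded").
        fields = ["block_height", "anchor"]
        if has_t_in or into_pool:
            fields += ["sender", "amount_entering_pool"]
        if has_t_out or out_of_pool:
            fields += ["recipient", "amount_leaving_pool"]
        return Leak("partially_shielded", tuple(fields))

    # z->z: only the block height and the note-commitment-tree anchor are visible.
    return Leak("fully_shielded", ("block_height", "anchor"))


def summarize(txs, exclude_coinbase=True) -> dict:
    """Share of transactions that use any shielding, and that are fully shielded,
    the two numbers behind the thread's 81% / 19% comparison. Coinbase transactions
    are dropped by default because they inflate the transparent count."""
    counts = Counter(classify(t).kind for t in txs)
    if exclude_coinbase:
        counts.pop("coinbase", None)
    total = sum(counts.values())
    uses_shielding = counts["partially_shielded"] + counts["fully_shielded"]
    return {
        "total": total,
        "counts": dict(counts),
        "uses_shielding_share": uses_shielding / total if total else 0.0,
        "fully_shielded_share": counts["fully_shielded"] / total if total else 0.0,
    }


# --- constructed sample data; ids, addresses and anchors are placeholders ---
def _t_in(n):
    return {"txid": "prev-txid-placeholder", "vout": n}


def _t_out(addr, value):
    return {"value": value, "scriptPubKey": {"addresses": [addr]}}


def _joinsplit(vpub_old=0.0, vpub_new=0.0):
    return {"vpub_old": vpub_old, "vpub_new": vpub_new, "anchor": "anchor-placeholder"}


SAMPLE_TXS = (
    [{"txid": "cb", "vin": [{"coinbase": "placeholder"}], "vout": [_t_out("t1miner", 10.0)]}]
    + [{"txid": f"t{i}", "vin": [_t_in(i)], "vout": [_t_out("t1peer", 1.0)]} for i in range(6)]
    + [
        # t->z: transparent input, value 5.0 enters the shielded pool
        {"txid": "t2z", "vin": [_t_in(9)], "vout": [], "vjoinsplit": [_joinsplit(vpub_old=5.0)]},
        # z->t: value 2.0 leaves the pool to a transparent recipient (e.g. an exchange)
        {"txid": "z2t", "vin": [], "vout": [_t_out("t1exch", 2.0)], "vjoinsplit": [_joinsplit(vpub_new=2.0)]},
        # z->z: fully shielded
        {"txid": "z2z", "vin": [], "vout": [], "vjoinsplit": [_joinsplit()]},
    ]
)

if __name__ == "__main__":
    for tx in SAMPLE_TXS:
        leak = classify(tx)
        print(f"{tx['txid']:>4}: {leak.kind:<18} public={leak.public_fields}")
    print(summarize(SAMPLE_TXS))
```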
urza commented 2017-07-09 15:44:39 +00:00 (Migrated from github.com)

Hello @zookozcash since you are here could you please clarify what you meant by making transactions in Zcash too traceable for criminals and who is going to decide who is criminal?
kewde commented 2017-07-09 17:58:26 +00:00 (Migrated from github.com)

@daira
The inaccurate sentence that hyc pointed out was my fault and was on privacytools.io, not on the official zcash site.

> It is still true that 100% of Monero transactions are more private than 81% (as of today) of Zcash transactions.

It is also still true that 19% of Zcash transactions are more private than 100% of Monero transactions.
hyc commented 2017-07-09 18:25:18 +00:00 (Migrated from github.com)

> It is also still true that 19% of Zcash transactions are more private than 100% of Monero transactions.

False. Even Zooko said "it isn't as simple as that." Nor can you assert that "19%" which consists of both partially- and fully-shielded transactions are equally private. Thank you for playing.
kewde commented 2017-07-09 19:07:08 +00:00 (Migrated from github.com)

> False. Even Zooko said "it isn't as simple as that." Nor can you assert that "19%" which consists of both partially- and fully-shielded transactions are equally private. Thank you for playing.

That was when comparing t-addresses with z-addresses, not Monero vs Zcash.

> Now it's really difficult to analyze the effective privacy that users get. It isn't as simple as saying that Zcash transparent addresses give you no privacy and Zcash shielded addresses give you complete privacy.

You're right about that, I've added a <, that should fix it.

> It is also still true that < 19% of Zcash transactions are more private than 100% of Monero transactions.
daira commented 2017-07-09 20:03:55 +00:00 (Migrated from github.com)

@hyc wrote:

> And has already [demonstrated](https://z.cash/blog/security-announcement-2017-04-12.htmll) its own ability to trace its transactions. [corrected link]

The linked security announcement does not demonstrate any ability to trace transactions. For people who actually want the technical details rather than just believing any old FUD that is thrown: the security announcement in question related to a denial of service attack. The monitoring that was deployed for this simply had to detect a node crashing in a particular way; it had nothing to do with tracing or privacy violation.
Reference: privacyguides/privacytools.io#207