Keybase chooses Zcash (keybase.io)
262 points by aston on Nov 17, 2016 | 159 comments



Author here. Seeing some of the discussion go down on Twitter, I feel maybe I should explain further the "white supremacist" example in the post. (one tweet at me: "So now you can hide the fact that white supremacists are sending you money? F!@#ing weird example.")

When I shared a draft post with some friends, a lot of them had an ah-ha moment, so I was hoping for the same from others. I was trying to illustrate 2 privacy concerns around the graph Bitcoin exposes: (1) accidental associations and (2) exposing the people you transact with to each other.

In the blog's hypothetical, you're not receiving money from some asshole because you're collecting Klan dues from him. Rather, you performed some public transaction with a stranger. For example, maybe you sold him some tickets. An external observer of the graph who knows he's a dangerous character may start applying high odds that you, too, are a dangerous character, since they don't know why he sent you money. This would suck. And, second, this character who sent you money may also be learning things about you. Since you sold tickets to a local show and mailed them to him, (1) he's likely to live near you, and (2) he knows your return address. You really don't want him seeing that you're sending money to causes he opposes. If so, he might show up at your door.

The goal was to clear up this misconception that a private cryptocurrency is there to protect criminals. This is especially important if you'd like to post a static address on a profile.


That's an important example. Person A can make a perfectly legal transaction with Person B, who is involved in illegal activities, without Person A knowing that. Then an external observer, not knowing the transaction details, might as well associate Person A with the same illegal activities. A false positive in metadata analysis.

Thank you for the explanation.


Just as a data point, I found the example perfectly clear, although I do wish you had added Monero instead of Zcash, just because it looks more legitimate to my uninformed eyes.


This. Can someone chime in here and give me an argument for why Zcash is better than Monero? Because everybody I've talked to thinks Monero is better.

I'm not saying it is, but Monero came out far earlier than Zcash, and unless there is a substantial argument for using it over Monero, I'm not convinced of the argument to standardize on it. The only striking difference I can see between Monero and Zcash is that Zcash was premined by investors.

I just did some digging and also found this: http://monero.stackexchange.com/questions/83/how-does-monero...


I do not understand all of the details behind Monero, but basically the privacy is incomplete. When you spend money, you basically say "I am one of X people", where X is usually fairly small. It's a lot better than Bitcoin where X=1, but it's still something that advanced algorithms can get through, and it still collapses if enough people have their identities and transactions revealed.

In Zcash on the other hand, your anonymity set is everyone who holds Zcash. It's a lot nicer, and there isn't really the same collapsing effect as can happen with Monero.

That said, Monero crypto is simpler, doesn't have trusted setup, and overall I would advocate that people treat Zcash as hemorrhaging-edge experimental, while Monero is somewhere between cutting-edge and bleeding-edge.


You're almost there, but not quite.

Since Monero outputs go to dual-key stealth addresses, outputs are effectively paid to a random 256-bit "address". So if you use a mixin of 50, in a transaction with 1 input, an external observer can say "this illicit transaction spends funds from 1 of 50 possible transactions", but then you need to go to those 50 and work your way back till eventually you find a needle, in a very large haystack, that you can actually identify.

Because of this, the anonymity set grows exponentially the further up the tx chain from an identifiable transaction (e.g. a withdrawal from a KYC / AML exchange) you are.

The major advantage here is that every Monero transaction adds to this anonymity set, since privacy is compulsory.

On the other hand, ZCash's privacy is nearly unusable. Using it requires 8gb+ of RAM, and takes over a minute on a Xeon processor. Because of its unusability you end up being "1 of X people", where X is very tiny - it's limited to the people moving from traceable addresses to z-addresses who haven't identifiably moved ~the same amount out.

ZCash is useless at best, dangerous privacy theatre at worst.


I like both Monero and zCash. As technologies they both have different advantages and they are both pushing the state of the art in privacy cryptocurrencies. As a researcher it makes me optimistic that we are pursuing multiple paths to the goal of "digital cash".

>Using zCash requires 8gb+ of RAM, and takes over a minute on a Xeon processor.

Cryptography in this area is rapidly advancing, we have seen dramatic speed ups in zkSNARKS (cryptography behind zCash's anonymity) over the last few years and the launch of zCash will probably accelerate this trend.

> it's limited to the people moving from traceable addresses to z-addresses who haven't identifiably moved ~the same amount out.

This number, X, is growing and will continue to grow.

>ZCash is useless at best, dangerous privacy theatre at worst.

zCash is an excellent and exciting experiment. It is not a very mature platform (it has only been live for a month), but that doesn't mean it will never be mature.


Sorry, but I can't agree with you here. When Monero still allowed mixin 0 transactions, almost nobody used the privacy-enhancing transaction type. The same goes for Dash and its DarkSend, or Shadow's ring-signature side-currency - all virtually unused.

Thus X grows at a rate that is useless for its intended purpose: getting lost in the dust of millions of others.

But to make matters worse, ZCash is grossly irresponsible by not making private transactions mandatory, as people will use t-address transactions and think they're safe. Pools pay out to t-addresses, exchanges only accept t-address deposits, and lightweight clients will all end up being t-address only as it's the quick win.

Claiming that it's "just an experiment" is not acceptable when people's money is on the line, at best, and where their lives might hang in the balance, at worst. The disgusting and dangerous approach taken by the for-profit US company behind ZCash, that of fast-tracking the launch of massively immature technology due to investor pressure, is something that should lead to grave consequences for them because of the nature of this technology.

I greatly respect the work of Ben-Sasson, Green, Garman, Miers, et al., but even they have been complicit in the rush hack-job that is ZCash. We would do well to consider what advantage a nation state attacker would have in encouraging adoption of this immature and likely broken system, over alternatives that are FOSS and have prolific contributor communities.


>Claiming that it's "just an experiment" is not acceptable when people's money is on the line, at best, and where their lives might hang in the balance, at worst.

Claiming it is just an experiment means that people should NOT use it when serious money or human lives are on the line. I think we can both agree that people should wait for a technology to mature before betting their life on it.


If the aim was for it to be experimental, why create a "live" monetary system? Why not keep it testnet-only, untradeable?


All cryptocurrencies are experimental, but if no one uses them they will not mature. Is gmail still beta?


No, Google removed the beta label some time ago: https://gmail.googleblog.com/2009/07/gmail-leaves-beta-launc...

Also, if Gmail lost all your email it would be bad, but you'd probably be ok. If ZCash causes you to lose a significant portion of your life savings, on the other hand...


>No, Google removed the beta label some time ago

That was my point, gmail was in beta for five years, but it wasn't in beta forever. Technology takes a long time to mature and it is hard to get to that level of maturity without having people use it for real things.

Do not put a significant portion of your life savings in ZCash.


It's not that simple. In your example, the X-1 "people" apart from you have already mixed their own coins with other people before...and so on. Monero is like a constant tumbler getting better with usage.


I don't think you understand how Monero works _at all_ - let me fix one of your arguments to illustrate:

>When you spend money, you basically say "I am one of 2^256 people", where 2^256 is usually fairly small.

Disappointing/embarrassing level of insight from a crypto project leader - here's a good layman-friendly video https://youtu.be/GEVm1dMn5Ks?t=14m to bring you up to speed (the simplified example is continued at 20m).


Hmm. I don't think this is clear issue at all. I have been looking at monero block explorer, and there seems to be "mixing level" etc parameters. What do these parameters imply if not the level of how many people you mix the inputs with?

I mean, your argument "you're stupid, look at this youtube video" is not very convincing either.


The Monero blockchain is comprised of inputs and outputs - public keys/one-time addresses to power of 10 denominated amounts into which each transaction is split and mixed with past public keys of identical power of 10 amounts. There are no 'orthodox' addresses on the blockchain which can be linked to transactions or to an identity.


That's just a misunderstanding of inherent blockchain limitations. It's very easy for me to reveal a bunch of addresses on the Monero blockchain.

Step 1: make a bunch of addresses
Step 2: the world knows it was you

That reduces the anonymity set for everyone else. They thought they were mixing with you anonymously but now that you are revealed, your participation in the mixing is useless, people would have done better to select someone else.

Combine this with Sybil attacks, criminal investigation, and other unmasking techniques and you might get the anonymity set down to 1 for a particular output, allowing you to further reduce other anonymity sets.

I was not aware, but apparently the Monero blockchain has a snowball effect to help mitigate this.


What you're talking about has already been covered in research by the Monero Research Lab: https://lab.getmonero.org/pubs/MRL-0001.pdf and https://lab.getmonero.org/pubs/MRL-0004.pdf

Basically, unless you own 80% of the outputs on the blockchain you don't have enough to identify subsequent transactions, so any foothold you gain in owning outputs becomes rapidly weaker. Given the cost of owning 80% of the blockchain outputs, it's not an attack that is particularly effective even at Monero's current state of usage.

Individuals who publish their input history won't make any significant difference.
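The two effects argued over in this subthread, the candidate set multiplying with each ring-hop back from an identified transaction and shrinking again once outputs become known to an observer (the MRL-0001 chain reaction), can be measured on a toy ledger. The code below is an added example, not from Keybase, Monero or the MRL papers; the single-input transactions, uniform decoy selection and "observer knows a random fraction of outputs" model are simplifying assumptions.

```python
import random

# Toy ring-signature ledger, constructed for this example (not Monero's real data model).
# Every tx spends one real output hidden in a ring of ring_size members (mixin = ring_size-1)
# and creates one new output. Outputs 0..n_initial-1 exist from the start (coinbase-like);
# tx t creates output n_initial + t. Decoys are drawn uniformly from all existing outputs.

def build_ledger(n_initial, n_txs, ring_size, rng):
    """Return (rings, real): rings[t] is tx t's ring, real[t] its true input (ground truth)."""
    n_out, unspent, rings, real = n_initial, list(range(n_initial)), [], []
    for _ in range(n_txs):
        spend = rng.choice(unspent)
        unspent.remove(spend)
        ring = rng.sample([o for o in range(n_out) if o != spend], ring_size - 1) + [spend]
        rng.shuffle(ring)
        rings.append(ring)
        real.append(spend)
        unspent.append(n_out)  # the freshly created output
        n_out += 1
    return rings, real


def candidates_back(rings, n_initial, start_tx, depth):
    """Walk back from an identified tx one ring-hop at a time. Any ring member may be the
    real input, so each hop multiplies the set of txs that could have funded start_tx,
    until it saturates at the whole ledger. Returns the candidate-set size after each hop."""
    frontier, sizes = {start_tx}, []
    for _ in range(depth):
        frontier = {o - n_initial for t in frontier for o in rings[t] if o >= n_initial}
        sizes.append(len(frontier))
    return sizes


def chain_reaction(rings, real, known_outputs):
    """Observer view. For every output in known_outputs the observer knows which tx (if any)
    really spent it: their own outputs, or outputs whose owner published their history.
    Such an output cannot be the real input of any other ring, so it is struck from them.
    A ring left with one candidate is deanonymised and its now-known spend is struck from
    further rings (the MRL-0001 chain reaction). Returns the surviving ring size per tx."""
    spent_by = {o: t for t, o in enumerate(real)}             # ground truth
    resolved = {o: spent_by.get(o) for o in known_outputs}    # what the observer knows
    cand = [set(r) for r in rings]
    changed = True
    while changed:
        changed = False
        for t, c in enumerate(cand):
            for o in list(c):
                if o in resolved and resolved[o] != t:        # spent elsewhere, or unspent
                    c.discard(o)
                    changed = True
            if len(c) == 1:
                (o,) = c
                if o not in resolved:
                    resolved[o] = t                           # this spend is now exposed
                    changed = True
    return [len(c) for c in cand]


def growth_demo(ring_size, depth=5, n_initial=200, n_txs=600, seed=7):
    """Candidate-funder counts per hop back from the newest tx on a fresh toy ledger."""
    rings, _ = build_ledger(n_initial, n_txs, ring_size, random.Random(seed))
    return candidates_back(rings, n_initial, n_txs - 1, depth)


def experiment(ring_size, known_fraction, n_initial=200, n_txs=600, seed=7):
    """(fraction of rings fully deanonymised, mean surviving ring size)."""
    rng = random.Random(seed)
    rings, real = build_ledger(n_initial, n_txs, ring_size, rng)
    n_out = n_initial + n_txs
    known = rng.sample(range(n_out), int(known_fraction * n_out))
    sizes = chain_reaction(rings, real, known)
    return sum(s == 1 for s in sizes) / len(sizes), sum(sizes) / len(sizes)


if __name__ == "__main__":
    print("candidate funders per hop back, ring size 5:", growth_demo(5))
    print("candidate funders per hop back, ring size 1:", growth_demo(1))
    for r in (1, 3, 5, 11):
        for p in (0.0, 0.2, 0.5, 0.8):
            d, m = experiment(r, p)
            print(f"ring {r:2d}, observer knows {p:.0%} of outputs: "
                  f"{d:6.1%} rings exposed, mean ring left {m:.2f}")
```

Ring size 1 reproduces the mixin-0 case mentioned earlier in the thread, where every spend is exposed regardless of what the observer knows.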


Zcash is definitely better in the sense that it has big money investors, the ear of the NYT and now Gavin Andresen shilling for it. Technically, on the other hand, it's a dud in its current form. It doesn't have anon by default (because the anon transactions take too many resources to generate) and the few anon transactions that occur are subject to timing analysis.


Don't forget to compare Zcash and Monero with Dash or Dash Evolution as well. http://monero.stackexchange.com/questions/112/how-is-monero-...


Thank you for your post (and Keybase!). I thought the example was a good one. Buying a book creates a permanent transaction record with the seller, whose ethics you may not share. Humorous as well with the tongue-in-cheek reference to Atlas Shrugged :)

We're sadly living in a society where people search high and low for grievances to publicly virtue signal over. Hopefully the Twitter-sphere will realize there's value in your example and not just clutch pearls.


So now you can hide the fact that white supremacists are sending you money? F!@#ing weird example.

But no one has a problem with the meth cook example??


I'm not so sure why it has to be a "white supremacist" as opposed to "career criminal", "wall street husker", "hong kong gangster" or "isis radical".

Very interesting choice. I can only guess the political affiliation of this author.

When I was in my formative years everyone was trying to shake labels and thus the stigma associated with them. And that's really what the civil rights leaders of the 60s stood for. It's a shame that the movement has been subverted by corporatists and sycophants. You all lost me. And many others.


> I'm not so sure why it has to be a "white supremacist" as opposed to "career criminal", "wall street husker", "hong kong gangster"

Maybe because those examples are from the 80's?

> I can only guess the political affiliation of this author.

And his drug of choice, I suppose?


> In the blog's hypothetical, you're not receiving money from some asshole because you're collecting Klan dues from him. Rather, you performed some public transaction with a stranger.

To clear this up, I'd suggest adding the explanatory labels ("Old copy of...") directly adjacent to the lines in the image, instead of in a separate key.


Yeah, that's how Skynet is blacklisting journalists in conflict zones as terrorists, judging from geo data [1].

They do this because they can justify their data derivative, but if there's no trace data to justify semi-justifiable decisions, such disastrous inferential machines would be impossible to justify.

It's a tricky case - but it would force law enforcement - and other parties of interest - to actually investigate before pulling triggers.

[1]: http://arstechnica.co.uk/security/2016/02/the-nsas-skynet-pr...


Yeah I get that part, but why would you go out of your way to keep a copy of Atlas Shrugged in circulation?


You should probably amend the post with this info, as it looks to be going over some people's heads.


choosing zcrash has to be pretty punitive for your users, given the rate of price inflation. For that matter, it must be pretty punitive for you as well.


Have you considered supporting a stealth address scheme for Bitcoin? The problem is reuse of addresses, period. Bitcoin has solutions for this.


Zcash's anonymous transactions are much more expensive CPU-wise to verify and aren't pruneable, and the cryptography behind it has been much less reviewed (Bitcoin operates on a bunch of very boring standard already established and long-trusted algorithms in comparison!), so I'd be surprised if an established project like Bitcoin adopted them before they were proven in practice. There's a lot of money tied up in Bitcoin, so the project is going to be pretty conservative in how it chooses to change.


Stealth addresses don't use any new cryptography, aren't computationally expensive, and require no changes to bitcoin consensus or policy rules.


Oh, I guess I mixed up some posts with one lamenting that Zcash wasn't incorporated into Bitcoin.

Stealth addresses seem like they give much weaker anonymity guarantees than Zcash, unless you only ever send and receive funds through stealth addresses with others who follow the same precautions.


It looks like stealth addresses would be a good solution for bitcoin. There's no widely accepted scheme for it afaik though.

http://sx.dyne.org/stealth.html

https://www.reddit.com/r/Bitcoin/comments/2r07hu/whats_happe...


How will they pump the ZCash scam if they do?


5 hours and almost 100 comments later no one has pointed out that Zcash and Keybase share the same investors.

I am relieved that 'Keybase chose Zcash' purely on merit after an exhaustive and objective selection process, and that this potential conflict of interest is transparently disclosed in the linked adverticle - wait, they did no such thing.

Does it concern no one that this security-focused company is shilling for other (fundamentally questionable) products?


I couldn't decide whether to up- or downvote this: it sounds like equal parts 1) information worth bringing to people's attention and 2) slandering a team that seem really nice fellas to me. So I looked both companies up on CrunchBase, and can find zero overlap between investors declared there. Where did your information come from?



Thanks very much for this. Based on the one or two private individuals featuring on both lists, I'm inclined to think your original post was exceedingly strongly worded.


Did you read the blogpost? It's basically a Zcash presskit - note the surely calculated title, and the omission of any actual "anonymous" competitor coins in the first paragraph as well as the entire article, all at a time when ZEC price is in free-fall.

It might even be worse if it wasn't as such - a security-oriented business that, motivated by Bitcoin's shortcomings, does due diligence on anonymous crypto and genuinely concludes that Zcash, in its current state no less, is the answer? Come on.


I did, but I (perhaps naively) took it as someone cheerfully geeking out about something cool their friends built, and which they're now interfacing with.

I do appreciate your pointing out this alternative take. I guess what clouded our discussion is that we mixed questioning their motivations (the investors thing) and their judgement (i.e. is zcash a good choice?). I missed the latter, focusing on the former only.


Good spot, though not surprising to me.

Worth adding here that it also appears Zcash stakeholders have been internally buying/selling their own ZEC at inflated prices on Poloniex to artificially increase both volume and the market price.

Whilst perfectly legal, it doesn't enhance a "trustworthy" reputation to me.


> Worth adding here that it also appears Zcash stakeholders have been internally buying/selling their own ZEC at inflated prices on Poloniex to artificially increase both volume and the market price.

I don't understand this. None of the stakeholders have even received their money yet; this is publicly verifiable.


Hypothetically, anyone could "prop-up" the crypto market for a newly launched coin by buying the first Asks from Poloniex at a deliberately inflated price and then sell back-and-forth to themselves at the same inflated price to create false volume / pricing.

You wouldn't need any ZEC to begin with.

Just to be clear, I am not specifically claiming the devs are doing this, but somebody with an interest in ZEC performing well (and money to burn to prop up the price) has been.

It's eased off now in any case, but it hasn't gained trust from a trading point of view.


The zcash dev team have stated they aren't trading ZEC [1]. You dispute that?

https://lists.randombit.net/pipermail/cryptography/2016-Nove...


No. I wish they were more open about it, (if that's really the case!) but why would it concern me? Then again I don't see zcash as fundamentally questionable, so that may be the difference.


I like Zcash. I think it's a good solution to a problem that Bitcoin did not solve, and creates a cryptocurrency more in line with the vision spelled out in A Cypherpunk's Manifesto than the previous attempts.

(Yes, I've looked at the other attempts to build a private alternative to Bitcoin, including Monero: https://github.com/monero-project/monero/issues/1271)


Yeah, but proof that (Beyond the 10% pre-mine) more ZEC are not being secretly generated for the creators relies upon trust in a cabal of six individuals based upon a "public" exhibition of genesis involving theatrical destruction of computers (whose video was supposed to be published but I can't find?)

Even if they are 100% legitimate actors, the lack of absolute proof undermines the provenance. From my perspective, Zcash is technically a Fiat currency without the clout of a state backer.

I'm sticking to bitcoin and ethereum :)


> whose video was supposed to be published but I can't find?

Keep in mind that while videos of the destruction are entertaining - and possibly useful for education and peer review - they prove nothing. You shouldn't trust Zcash significantly less because they haven't been released yet - if that'd make you trust Zcash more, you're probably not thinking carefully about how fundamentally based on trust the whole process was. I'm one of those six individuals, and the simple fact is it would have been trivial for me to collude with the other five to backdoor the process undetectably; if we did that you would never know. End of story. (And sorry, but the video footage of the ceremony that some stations apparently kept doesn't change that either.)

Also remember that everyone ran the exact same software - a bootable DVD image - and that software was produced by one guy the day prior to the ceremony. I hear Andrew Miller successfully reproduced the build of that DVD image, but there's a lot more independent auditing work that needs to be done on that software. Until that work is done by multiple independent people, the entire multi-party aspect of the ceremony is just a bunch of crypto hocus pocus that means nothing.


One of the six is Peter Todd. Bitcoin expert and Zcash skeptic. He posted about his participation here: https://petertodd.org/2016/cypherpunk-desert-bus-zcash-trust...


The trusted setup only requires one person to not collude. Given how skeptical Peter Todd has been about this entire business, I'd bet that at the very minimum he was honest in his role.


As someone entirely unfamiliar, why only six? If the weakness is all of them colluding, then wouldn't adding anybody in the world (let's say, me) as a seventh make it strictly better?


> why only six

The protocol is expensive; it took 2 days with 6 people. After a certain point, it's not practical to add more participants without increasing risk. It requires gigabytes worth of communication per participant and many millions of curve operations.


>I'm sticking to bitcoin and ethereum

You don't trust ZCash but you trust Ethereum? The coin that's had its network hard forked and invalidated... what, 4 times now?


Actually the fork is when I diversified from only bitcoin. It gives me more confidence than the perpetual ideological wanking behind the btc size bump. I don't usually take a fundamentalist perspective, especially when it requires siding with thieves who stole enough to become an existential threat to the currency.


Bounded rationality.


What would you have done differently to solve the same problem they did?


If I could come up with something better, they would have done that. Absence of a better solution does not imply any fitness of the proposed solution. Until such time that someone comes up with a better idea, I am sticking to public blockchains.


> If I could come up with something better, they would have done that.

Don't give up so easily! If you're going to make a stance borne out of principle, why not follow through to outperform the suboptimal solution that you dislike so much?

Innovate. Put some skin in the game. That's what I would do, anyway.

As it stands: If any of the folks involved in the trusted setup was honest, then it's secure. It takes a 100% corruption to make it insecure. I think that's acceptable until a better solution is proposed.
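The "one honest participant is enough" property that this comment and the earlier one about Peter Todd rely on can be shown on a toy sequential ceremony: each participant multiplies their own secret into the exponent of a public group element and destroys it, so reconstructing the combined secret needs every secret. This is an added example, not the Zcash ceremony's actual protocol or code; the safe-prime group, generator 4 and the per-step Schnorr proof (which stops a participant from discarding the contributions before them) are my assumptions about how such a ceremony can be built.

```python
import hashlib
import random

# Toy sequential trusted-setup ceremony (constructed for this example; not the Zcash
# protocol). The secret parameter tau = s_1 * ... * s_n exists only as the exponent of the
# public value g^tau; participant i multiplies in s_i, then destroys it.
# Group: quadratic residues mod a safe prime p = 2q + 1 (prime order q), generator g = 4.

def is_probable_prime(n, rng, rounds=24):
    """Miller-Rabin with random bases (a toy primality test, adequate for a demo)."""
    if n < 14:
        return n in (2, 3, 5, 7, 11, 13)
    if any(n % sp == 0 for sp in (2, 3, 5, 7, 11, 13)):
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime(bits, rng):
    """Return (p, q) with p = 2q + 1 and both prime; p has `bits` bits."""
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q, rng) and is_probable_prime(2 * q + 1, rng):
            return 2 * q + 1, q

def hash_to_scalar(q, *vals):
    h = hashlib.sha256(b"|".join(str(v).encode() for v in vals)).digest()
    return int.from_bytes(h, "big") % q

def contribute(p, q, prev, rng):
    """One participant's step: pick s, publish cur = prev^s plus a Schnorr proof of knowing
    s with cur = prev^s. The proof is bound to prev, so a participant cannot swap in a
    fresh g^s that silently throws away everyone who came before them."""
    s, k = rng.randrange(1, q), rng.randrange(1, q)
    cur, commit = pow(prev, s, p), pow(prev, k, p)
    c = hash_to_scalar(q, prev, cur, commit)
    z = (k + c * s) % q
    return s, (cur, commit, z)

def verify_step(p, q, prev, step):
    cur, commit, z = step
    c = hash_to_scalar(q, prev, cur, commit)
    return pow(prev, z, p) == commit * pow(cur, c, p) % p

def run_ceremony(n_participants, seed=2016, bits=128):
    """Public transcript plus, for this demo only, the secrets each participant was
    supposed to destroy (a real ceremony never collects them anywhere)."""
    rng = random.Random(seed)
    p, q = safe_prime(bits, rng)
    g, prev, steps, secrets = 4, 4, [], []
    for _ in range(n_participants):
        s, step = contribute(p, q, prev, random.Random(rng.getrandbits(64)))
        steps.append(step)
        secrets.append(s)
        prev = step[0]
    return {"p": p, "q": q, "g": g, "steps": steps}, secrets

def verify_ceremony(params):
    prev, ok = params["g"], True
    for step in params["steps"]:
        ok = ok and verify_step(params["p"], params["q"], prev, step)
        prev = step[0]
    return ok

def colluders_recover_tau(params, leaked):
    """leaked maps participant index -> their s_i. The product of the leaked s_i matches
    the final public value only if every participant leaked; one participant who really
    destroyed s_i leaves tau uniformly random from the others' point of view."""
    tau = 1
    for s in leaked.values():
        tau = tau * s % params["q"]
    final = params["steps"][-1][0]
    return tau if pow(params["g"], tau, params["p"]) == final else None

def reset_attack_detected(params, seed=1):
    """A participant who ignores the accumulated value and publishes a fresh g^s (so tau
    would be their s alone) can only prove knowledge relative to g, not to prev."""
    p, q, g = params["p"], params["q"], params["g"]
    prev = params["steps"][-1][0]
    _, fresh = contribute(p, q, g, random.Random(seed))   # proof built against g, not prev
    return not verify_step(p, q, prev, fresh)

if __name__ == "__main__":
    params, secrets = run_ceremony(6)
    five_of_six = {i: s for i, s in enumerate(secrets) if i != 3}
    print("transcript verifies:", verify_ceremony(params))
    print("all 6 collude, tau recovered:", colluders_recover_tau(params, dict(enumerate(secrets))) is not None)
    print("5 of 6 collude, tau recovered:", colluders_recover_tau(params, five_of_six) is not None)
    print("reset contribution rejected:", reset_attack_detected(params))
```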


Why such a small group of people though?


ewillbefull explains in another comment that the protocol is really expensive per participant: https://news.ycombinator.com/item?id=12979677


Then rushing the launch in the absence of a superior MPC protocol is just a bad idea.

Except that they had to rush the launch because they're a for-profit, centralised company, with investors that are demanding return on their investment. Thus they went with a shoddy, half-baked attempt at a trusted setup, with a whole lot of hand-waving to make it seem like it was done securely.


I don't have access to the answer to that question. I wasn't involved at all.


Have you heard of Monero?


> Beyond the 10% pre-mine

It's 20% for the next few years, not 10%


2.1 million total for the Founder's Reward out of 21 million total that will ever be minted = 10%


That's why I said "for the next few years"


I know, but you're both talking about different things.

It may be 20% for the next few years, but it's also 10% overall. You're both right, why even try to nitpick over these details or correct anyone?


Since this is an investment we're talking about, I think we should strongly lean towards the interpretation of the facts that is more conservative rather than less; 20% vs. 10% is a big difference to Zcash as an investment for the first few years, which could easily be longer than the lifespan of the currency.


That's a fair point, and I don't really disagree with your priority here now that it's spelled out. I just think that people would be better served with both facts simultaneously rather than demanding one at a time.


[flagged]


> You're some random on HN.

> I think you need to stop talking and start listening

That's not really an appropriate way to approach a conversation on HN. I'm surprised this comment hasn't been flagged.

Personally, I think you would benefit from incorporating non-violent communication strategies. It's fine that you respect someone's work. It's not okay to open with "You're some random on HN" and then tell them to shut up, just because they were questioning the person you admire. Especially since I wasn't telling them they were wrong, but rather that the disagreement was one of scope and context, not one side being right while the other is wrong.

http://qz.com/838321/nonviolent-communication-the-scientific...

By dismissing people's entire existence and expertise right out of the gate, you destroy any possibility of a constructive conversation that could follow.

If you'll notice: Until now, I mostly asked people questions. Regardless of whatever background I may have with cryptography, my interest in these discussions is to learn. Probably not the ideal target to call a nobody and to shut up if you're interested in the strength of a community.

Just some food for thought.


It wouldn't be a cryptocurrency post without someone invoking the cult of personality.


I think it's relevant, as I've heard a LOT of people claim that ZCash is amazing "because of the dream team behind it". The dream team clearly misunderstand cryptocurrencies, see for eg https://github.com/zcash/zcash/issues/713


Linking to that GitHub issue is pretty embarrassing for you. Not only can it not be practically exploited, per the author of that issue, but it looks like it's just using Keccak as a stream cipher of sorts (but seeding it from /dev/urandom). That's pretty ok, and if we don't trust stream ciphers to produce pseudorandom numbers we have much bigger issues.

But more importantly, the contributors acknowledged the issue, and are fixing it. Do you honestly expect bug free open-source development? No, and the entire benefit of it being a welcoming open-source development community (instead of ZCash's centralised development team) is that it is made better by many eyes. Hopefully the OP that opened that issue spends some more time reviewing the code along with the 160+ Monero contributors.

Also, if we're going to view lapses like these as representative of a major failure, you'd best review some of ZCash's greatest hits, maybe starting with the fact that wallet encryption is ENTIRELY DISABLED in ZCash, and your wallets are stored in the clear and ready for malware to steal: https://github.com/zcash/zcash/issues/1552

- https://github.com/zcash/zcash/issues/713 <- this one is particularly stupid, and shows a gross misunderstanding of how Bitcoin works

- https://github.com/zcash/zcash/issues/1304

- https://github.com/zcash/zcash/issues/1522

- https://github.com/zcash/zcash/issues/1779 <- literally, they had ONE JOB for the release, how did they fail at that?

- https://github.com/zcash/zcash/commit/f8ada2435bd3f6b7a1165e... <- oh that's right, they failed at the one thing they had to do because they were focused on other...uhhh...important stuff

And let's not forget the massive attack surface that ZCash has, which leads to fun things like this:

- https://github.com/zcash/zcash/issues/98

- https://github.com/zcash/zcash/issues/178


> it looks like it's just using Keccak as a stream cipher of sorts (but seeding it from /dev/urandom). That's pretty ok, and if we don't trust stream ciphers to produce pseudorandom numbers we have much bigger issues.

I very strongly disagree with userspace RNGs being used instead of the kernel's CSPRNG being "pretty ok".

Don't "seed a userspace RNG from urandom". Just use urandom.
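One concrete reason behind "just use urandom", as an added example (not from the thread or from Monero's code): a userspace generator seeded once from urandom is deterministic from its copied state, so after fork() parent and child draw the same "random" key, while os.urandom has no process-local state to duplicate. Assumes a POSIX system where os.fork is available.

```python
import os
import random

# Added example: a userspace RNG is only as unpredictable as the secrecy of its state, and
# fork() copies that state byte for byte. Both processes then emit the same stream until
# something reseeds them. os.urandom asks the kernel each time, so there is nothing to copy.

USERSPACE_RNG = random.Random(int.from_bytes(os.urandom(32), "big"))  # seeded once, from urandom


def userspace_key():
    return USERSPACE_RNG.getrandbits(256).to_bytes(32, "big")


def kernel_key():
    return os.urandom(32)


def first_key_after_fork(make_key):
    """Fork, then draw one key in the child and one in the parent; return (parent, child)."""
    rfd, wfd = os.pipe()
    pid = os.fork()
    if pid == 0:                       # child: send its first post-fork key back over the pipe
        os.close(rfd)
        os.write(wfd, make_key())
        os._exit(0)
    os.close(wfd)
    child = b""
    while True:
        chunk = os.read(rfd, 4096)
        if not chunk:
            break
        child += chunk
    os.close(rfd)
    os.waitpid(pid, 0)
    return make_key(), child           # parent draws its first post-fork key only now


def demo():
    """(userspace keys collide?, kernel keys collide?)"""
    p1, c1 = first_key_after_fork(userspace_key)
    p2, c2 = first_key_after_fork(kernel_key)
    return p1 == c1, p2 == c2          # (True, False)


if __name__ == "__main__":
    same_user, same_kernel = demo()
    print("seeded userspace RNG: parent and child drew the same key:", same_user)
    print("os.urandom:           parent and child drew the same key:", same_kernel)
```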


Sure, and I agree with you in principle. Doesn't change the fact that what you've highlighted as some indication of Monero's inferiority lives in start contrast with the ZCash amateurs.


*stark



Your links have nothing to do with ZCash.

ZCoin is a separate currency that is not related to ZCash.

Before wondering why you're getting downvoted, try to make sure that you're not saying incorrect things.



Just another cash grab. I'm every time amazed that it still works.


Look around this thread's comments, they're all taken in


I recommend supporting Zclassic also ( http://Zclassic.org ) It's the same exact code as Zcash except there is no 20% "genius" tax for 4 years. It's the fair choice and even has the blessing of Zcash developer Zooko.


I think it's worth paying the "genius" tax. Though controversial, the tax manifests in the form of inflation and will help fund a company that can get things running and stable.

Of all the qualms I have with Zcash, I think that their mining fee is one of the cleaner ways in the ecosystem to fund altcoin development. This technology takes a lot of effort, and a lot of salary money to develop. And then you have to do marketing, PR, bizdev, etc.

re: qualms:

- trusted setup makes me uneasy
- could have picked more than 5 people for signing party
- cryptography is really scary - lots of assumptions, lots of things that haven't really stood the test of time or the examination of experts
- equihash was a poor decision, and a confusing one given that it's pretty well understood that complex hashing functions are counterproductive (and we've seen this play out already for Zcash, things are just getting started)
- The 'slow start mining' was also a really bad idea, and I would almost suggest that it's abusive to the community. More than $100,000 of trade volume happened over Zcash at prices that are 1000x the current price of Zcash. It should have been easy to understand that this would happen.

Mostly, I would urge people not to use Zcash for situations that require real anonymity. E.g. wikileaks accepting donations, or routing around capital controls in oppressive countries. And this is because I do not believe that the cryptography will hold up. There's too much of it, it's too new, and it's too interesting (e.g. a lot of aspiring undergrads and grads are looking to make their mark on the world, and breaking Zcash would be a great way to do that). I believe that your privacy will be compromised retroactively, and not due to bugs but due to actual cryptographic breaks. And then you're back to the Bitcoin network where everyone can see everything, and you're vulnerable.


> Mostly, I would urge people not to use Zcash for situations that require real anonymity. E.g. wikileaks accepting donations, or routing around capital controls in oppressive countries. And this is because I do not believe that the cryptography will hold up. There's too much of it, it's too new, and it's too interesting

I would disagree; the cryptography that people are more skeptical of in Zcash involves soundness of the zero-knowledge proofs. (i.e., if counterfeiting could occur) Privacy is protected by standard cryptographic assumptions that are relied on in other systems.


The slow start was a good way to avoid unfair distribution in the beginning phase when miner implementations were still being written, deployed, tested, debugged, ported and optimized.

In fact I would advocate for a zero-day start, where the first few hundred blocks following genesis have exactly 0 reward, coupled with an overestimated initial difficulty, so people have some less stressful time to get set up and sort out technical problems.

The crazy initial prices are abusive to no-one except the fools who pay them.


We will have to agree to disagree. Inflation is a trade-off - it hurts people holding the coin but it increases distribution.

I generally hold the opinion that you should not create traps for speculators, that's exactly what slow start mining is.

I think there are better ways to prevent unfair early distribution, such as a more responsive difficulty adjustment algorithm (per the work of maaku), or even just a longer inflation taper. Instead of mining half the entire supply in just 4 years pick something a bit slower.

Or do something like let Bitcoin holders as of X date collect a proportionate amount of coins in a premine. Then you get to borrow from some of the distribution that Bitcoin has already achieved.

---

And you are right as far as traders only hurting themselves. Nobody aware of the inflation schedule bought above $1k per coin, I'm almost certain of that. But I think what happened is akin to throwing a bunch of black belts into an arena with people who have never been in a fight before. Sure, they might have chosen to be in the arena, but are you free of responsibility when they get hurt? Especially if they did not realize they would be fighting champions?

Perhaps a weak metaphor. But I think it's disingenuous to call someone a fool simply because you had more information than they did. It doesn't seem right to me to use that to justify predatory behavior.


Thinking further, you could have achieved something similar by refusing to allow coins to be traded for X weeks. E.g. no coins at all can be sold until the first 2 weeks of mining become available all at once.

It's fair-ish distribution, without the absurd trading game that followed the Zcash release.


Exactly. The coinbase could've been time-locked and only spendable after a block height.


> could have picked more than 5 people for signing party

I think it was six people: https://github.com/zcash/mpc/blob/master/README.md


> There's too much of it, it's too new, and it's too interesting (e.g. a lot of aspiring undergrads and grads are looking to make their mark on the world, and breaking Zcash would be a great way to do that). I believe that your privacy will be compromised retroactively, and not due to bugs but due to actual cryptographic breaks. And then you're back to the Bitcoin network where everyone can see everything, and you're vulnerable.

Which component do you think is most likely to break?


Privacy of ZCash is not affected by the underlying cryptography; the zero knowledge proofs used enjoy perfect zero knowledge, which does not rely on any cryptographic assumptions.


Basically yes. Strictly speaking privacy also relies on assumptions about Curve25519 (with a Blake2b-based key derivation function) and ChaCha20, but those are standard and uncontroversial.


I'd rather own the taxed coin. It's a great model to align the interests of the developers and the coin owners. When new features are introduced by the core team it may result in a fork. The z-cash alts may not fork the exact same way, and wallet makers most likely won’t support all forks - making a market for z-cash alts less likely.


If Zclassic existed, why didn't Keybase go with this instead!!!


Probably because the chances of zcash becoming popular are very slim, and the chances of zclassic becoming popular are even slimmer.

Personally I find the whole idea of zclassic a bit disappointing. Some people spent a lot of time and effort on something which cost a lot of money. They're giving it away for free and people have a problem with them making money off it.


Wouldn't it make more sense to use Monero instead of ZCash?

Privacy is compulsory with Monero and also the entire platform is decentralised.

The privacy features in Zcash are optional & very slow / difficult to use -- most users will simply make non-private transactions. Also Zcash requires trust of the founders (Any "private" coin that requires trust of a third party is a fail in my mind).


I think Keybase is making a mistake in choosing Zcash over Monero - especially so soon after Zcash's launch. But that's okay - they'll come around soon enough. Zcash has been fantastic advertising for Monero.


The biggest criticism of Zcash is the Founder's Reward. Some people say it's greedy, that they should have given away their work for free. I disagree. I think it's great that they will get paid for their work, and it also gives me confidence for the future of the coin. They have an incentive to make Zcash a long-term success. Getting paid for work done should be the default, of course. I could understand that if a billionaire ran a lemonade stand for an afternoon and steadfastly demanded payment with no free handouts, people would criticize that. But it should be expected that normal people get paid for doing real work.


The founders reward is extremely high, so high that the founders have a significant ability to manipulate the market. This is a concern in part because the founders may be forced to do that - the actual implementation is with a single address, rotated periodically, which means that address is a single-point-of-failure for the whole currency in the sense that compromising it can be used to crash the price. Finally, 20% is high enough that it gives a significant advantage to 51% attackers.


The concern in that last sentence seems misplaced; there is no relation between proportion of monetary base held by an attacker, and proportion of mining power held by an attacker.


The problem is that it reduces the cost for an attacker; why do you think monetary base has anything to do with it?


https://z.cash/blog/funding.html

ctrl-f 'founders reward'


"After the first four years the ZEC created per ten minutes will drop to 25ⓩ, but after the first four years, 100% of it goes to the miners."

Seems like a good business model and a way to fund the innovation they've created.


Why don't they just mine then?

Bitcoin worked just fine without Satoshi programming rewards for himself.


ripping off the greedy fanboys is way cheaper and quicker


Completely unrelated to the article but boy do I like the design for Keybase. The blog is beautiful and minimal with no crap popping up on your screen asking for your email (every modern blog now seems to do this.) The colors work perfectly too. In fact, that combination of white, blue, black, and gray is very similar to what Bitcoinica originally used for their popular Bitcoin margin trading platform back in the day (and I like it as much now as I did back then - contrasts so well on every screen type.)

The home page also follows a similar pattern: just beautiful, uncluttered, no bullshit design, that gets straight to the point. Why can't more websites do this? A+++ would browse again.


I have read almost all comments, and it seems like nobody has pointed out that the supposedly anonymous transactions (using z addresses) are still not working. All mining pools are warning about it. For example:

http://zcash.flypool.org

If anonymity is so important for people, there are already excellent solutions, Monero being one of the best, if not the best, with a strong and serious dev team.

Disclaimer: I am not a Monero dev and I own a huge total of 0.6 XMR. This is only my opinion as a software dev.


Fixed in Zcash 1.0.3. (They were always "working", despite the bugs that were recently fixed. You can see plenty of successful z-address transactions on the blockchain.)


You had a single thing with ZCash that you had to get right, and you couldn't get it working in your initial release? What an utter embarrassment.


Doesn't anyone else find this post funny for talking about discovery of social graphs while the main product keybase.io offers does exactly this? I mean the entire service acts as a nice centralized graph linking users' nyms across various services. Irony much?


Since Zcash uses the same codebase of Bitcoin, does that mean it would be possible to later integrate it back into Bitcoin, and just transition Zcash T-addresses to regular Bitcoin addresses, and then add the Z-addresses on top of the Bitcoin addresses ecosystem?

I also wonder about how much of a risk to its own ecosystem Zcash being a private company represents. Was that really better than making it a non-profit? And won't this make it easier for law enforcement to go after Zcash as the sole culpable entity for "money laundering" and other such charges?


No, most likely not. ZCash shielded transactions have completely different structure to normal BTC ones.


Nah, they're just extra data, that could easily go in the signature fields; it's definitely possible to add Zcash functionality to Bitcoin in a backwards compatible soft-fork.

Basically you'd have a pool of "shielded" txouts that could be spent with a zcash signature, without any requirement that a particular txout be spent for a given signature. Surprisingly easy upgrade all things considered; the main blocker is Zcash's crypto is very experimental and slow.


> HN users: those PM'ing me for an invitation.... in the FAQ there is a temp code to skip the queue. We'll turn that code off in a day or two.

> use the invitation code "zcash" during signup


Is there any way to mimic Zcash's z-addresses in Bitcoin?

I like the ideas behind Zcash and it solves important privacy issues, but I don't like the idea of a for profit company being the heavyweight behind Zcash.

From what I gather, Bitcoin is more of a community effort than most other altcoins, which inspires trust.

I looked up Zcash's price chart, it fell from ~$1300 at launch to ~$90 now. Ouch.


If I recall correctly, more than 500btc was traded when the price was over 100 btc per Zcash - $350,000 in trade volume at a price exceeding $70,000 per token, when the price today has fallen to about $100 per token. Max price was almost $2,000,000 per token, someone actually literally spent that much.

Perhaps the greatest example I've ever seen of tulip mania. And I'm fairly confident those were real trades, as they occurred on a public exchange where anyone with money or zcash was able to buy or sell at any time. Granted, at this point there were only dozens of people with the asset, but anyone was able to mine the currency and blocks were being found every 2.5 minutes using commodity hardware (e.g. laptops and desktops).


>Max price was almost $2,000,000 per token, someone actually literally spent that much.

No. When zcash was trading at such a price, it was less than a single zcash coin in total. So a few people were paying significant sums for very small fractions of a zcash coin, but no one paid 2,000,000 for a single coin. The price has crashed because supply has grown exponentially. What you were seeing was supply vs demand in action in an unusually obvious way.


I did not mean to suggest that a whole $2M was dropped, but someone did buy a fragment for $2M per coin.

These people buying it hopefully would have been aware of the publicly known upcoming inflation, the fact that they bought at these prices I believe is a tragedy and a black mark against Zcash.


So if I buy 0.01 BTC for $750 [1] and cause the price to "fall 99%" that will leave a black mark against Bitcoin? Perhaps the blame really lies in the exchanges who were so eager to allow trading on such a scarce asset.

[1] I realize this is not really possible because you'd have to buy the entire order book first, but in the case of ZCash the order book was empty.


The order book was not empty, as stated above there was over $350,000 in trade volume at prices greater than 100x what they were less than a week later.


It might make sense for receivers of the Founders Reward to pay such huge sums, even knowing full well that the price can only go down. They would keep buying coins while the price slowly drops, just to make the eventual floor, where more people will consider it a bargain, higher than it would be otherwise. It's all about creating a perception of value.

There is no tragedy here, IMO. Just some calculated market manipulation...


There are ways to do zero-knowledge proofs in Bitcoin too, for example: https://bitcoincore.org/en/2016/02/26/zero-knowledge-conting...

It is pending a Bitcoin softfork (segregated witness) (edit: actually I don't think it depends on this), and I don't think anyone has implemented something approximating z-addresses on this yet, but the opportunity is there.


Slightly OT, but I really wish Keybase would prioritise email validation so that it could fulfill the much needed role of general PGP key server, with the added "sum of your social identities" assurance.


And that's what I thought Keybase was until this article.

I got myself a Keybase account a while ago; is it reasonable to use it if Zcash is not something I would touch with a ten-foot pole?


Is it too late to get started with Zcash? If not would you recommend buying it or trying to mine it? Last question, would AWS be a good resource to mine it?


Why not Monero? Why not Ethereum? The reasons stated aren't very consistent.


How do you purchase zcash with USD?


Not an expert, but:

Kraken is an exchange that sells Zcash to USD holders (as long as you aren't in NY state!). Another option is to buy Bitcoin (e.g. from Coinbase) with USD, and then use shapeshift.io to convert your Bitcoin to Zcash.


"The sex toy shop knows you gave to UNICEF so that feels good."


Consider that by the end of this month there will be 200,000 ZEC released, and the same every month following, with 20% going to the founders' coffers after 4 years.

Extreme inflation will continue sending prices crashing. Recall early this month prices were hovering around 2 Ferrari 458 and now it's tanked to under 100 dollars.

If we were to assume that in 48 months X 200,000 ZEC = ~100,000,000 ZEC with 20,000,000 ZEC belonging to the Founders.

edit: why the downvotes? I'm just reporting the facts: https://twitter.com/TommyEconomics/status/793435785097646081...


It's important to consider the pros and cons about the Founder's Reward with Zcash, and I appreciate you trying to start a discussion, but I just wanted to clarify that your numbers are slightly off.

20% for the next 4 years goes to the "founders" (which is not just the developers, but investors as well). But much like Bitcoin the total monetary base is fixed at 21,000,000 ZEC. And also like Bitcoin, the total mining reward is halved (roughly) every 4 years, and consequently decreases exponentially until it reaches that total reward.

Effectively, this means that the Zcash Founders Reward doles out 10% of the currency to the investors/early development team over the lifetime of the currency, and in many ways mirrors a startup vesting cycle of 4 years (minus the one year cliff). Their blog goes into more detail about the reward here: https://z.cash/blog/continued-funding-and-transparency.html

Personally, I think this reward distribution is a significant improvement to the "premine/ICO" antics you see in many other cryptocurrencies/tokens, even if I think it's a little high. I applaud the team for trying something new/seemingly more fair.

(Also, not affiliated with the team, just a cryptocurrency nut: http://keybase.io/cin)


The amount of perverse incentives it creates is insane. Instead of investors being forced to slowly accumulate ZEC, they are given it almost in bulk, and are in a perfect position to manipulate and short the market.


> prices were hovering around 2 Ferrari 458

What does this part mean?


Just like how some people like to report areas in terms of football fields or Belgiums and weight in terms of busses and whales instead of SI units.

In this case they seem to be reporting a price in terms of random objects instead of currency. For reference the price converts into roughly 1.5 pints (US) of gold.


Can you give me that price in buckets of tempura shrimp?


Prices were very high on day one due to an extremely limited supply and a lot of (warranted) attention. They've since normalized.


ZEC is currently down 14.24% on the day. 8 days ago, daily volume exceeded the market cap [0]. I don't think that qualifies as normalized by most standards.

[0] https://coinmarketcap.com/currencies/zcash/


"Normalized" is spin control. "Screaming dive" is more like it. From $6000 to $92 in a month, and dropping about 10% per day. Zcash is on its way to joining the other 700 dead and dying altcoins. Right now, it's the 43rd most valuable altcoin, and dropping in rank.

Mining is generating Zcash way too fast for the market to absorb. The "market cap" has been holding steady as the price dropped over 99%.


To be fair to ZCash, the high prices at launch were primarily due to very limited supply and market manipulation. The "screaming dive" is really just heading towards a sustainable price.

Somewhere between $2-$10 is a more realistic valuation (based on other coin valuations) -- it will be interesting to see if the price stabilises once within this range.


I'm not that much into zcash, but this is cool:

https://petertodd.org/2016/cypherpunk-desert-bus-zcash-trust...


That's refreshingly honest! Very cool article.


At least I hope he got paid well for that idiotic tale...


Like I said in the article, I didn't get paid for my involvement other than having my expenses reimbursed.

Did you actually read it?


Of course I did.


You need a ton of space and/or processing power for the zero-knowledge transactions. The anonymity isn't free!

In practice Zcash/zcoin (different tradeoffs) are of no use to you unless you are willing to go the extra mile to hide something (criminal activities and such). There's no point in paying for the extra effort for normal transactions.


Anonymity of the system as a whole is the value. Just like with Telegram and the concept of a secret chat, you should not only use anonymity if you particularly need it. Anonymity and security should be the default and you should optionally be able to not have it.

Maybe even if I don't need the anonymity now, maybe in 10 years I will, and then I don't want to start using them because that change provides information.


How large is the overhead in numbers? I tried to search but didn't find any clear examples.

EDIT: found some data in the ceremony report linked elsewhere in this discussion: https://petertodd.org/2016/cypherpunk-desert-bus-zcash-trust...


Sending takes a few minutes of computation on your wallet - but that's not such a big deal as it's comparable to the time it takes for block confirmations anyway.

The problem is verification of private transactions is very slow by cryptocoin standards, and verification is something that every full node and miner must do. Zcash would fail if private transactions were used in large numbers, as blocks would take too long to validate for mining to remain decentralized; Bitcoin transactions are a few orders of magnitude faster to validate, with a 4x more conservative block interval and 2x smaller blocksize, and the Bitcoin dev community has had to make heroic efforts to further optimize validation.


There are ways to significantly reduce the cost of zk proof verification by batching (that are compatible with the existing Zcash protocol without a fork).


Prove it first by actually implementing those ways and having them survive peer review; this is highly experimental crypto so it's not clear what's actually possible.

Again, I don't think it's very responsible to knowingly design and release a protocol that in its current form would collapse if heavily used due to a lack of safety limits.


PM me if you are interested in invites, I have a bunch.


I have ~15 invites left, in case someone needs it they can ping me at ps+hn <at> noop <dot> pw. :)


Actually, the faq in the ZCash blog post (https://keybase.io/blog/keybase-and-zcash) has a way to sign up for keybase.io immediately.



The "zaddress" is already implemented in Bitcoin in the form of a stealth address, pioneered by libbitcoin [1].

This news spurred me to delete my Keybase account. I regret ever giving a corporation that much control over my personal privacy.

[1] https://github.com/libbitcoin/libbitcoin-explorer/wiki/Steal...


Care to explain why for someone who doesn't know much about the bitcoin/cryptocurrency world? I don't get what the link is supposed to tell me.


A regular Bitcoin address of the form `1LoD3JXVckEKkZh8nkSrvmQaovnGYu8fNP` is non-private, everyone knows this. Posting such an address in your public profile allows blockchain data harvesting firms to learn when your address receives BTC and from where, and to whom your address sends money to.

But there is no reason to post such an address. If Alice wants to post a fully private Bitcoin address that can't be monitored by data harvesting firms, she should post a stealth address [1]. If Bob wants to send Alice BTC, he takes Alice's stealth address and derives from it a regular Bitcoin address. No one but Bob can know what Alice's derived Bitcoin address is, because the address is derived from Bob's private data.

The libbitcoin software suite supports these stealth addresses, but because libbitcoin isn't VC backed and doesn't have the hype of moneyed interests behind it, libbitcoin wasn't good enough for Keybase. They probably never even evaluated it.

A ZCash "zaddress" is basically just a Bitcoin stealth address.

That the CEO of a privacy-focused social networking service is not in tune with this information is a huge red flag to me. As each Keybase.io profile is an implicit endorsement of Keybase and by extension Keybase's investors, I was deeply saddened and frustrated to learn the news that Keybase has decided for its entire userbase to prop up ZCash based on their faulty assumptions.

[1] http://sx.dyne.org/stealth.html
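As an added example, not libbitcoin's code or anything from the thread: a minimal dual-key stealth address walkthrough on secp256k1 using only the Python standard library, showing how Bob derives a one-time payment key from Alice's published keys, how Alice recognises and can spend it, and why a second payment lands on an unrelated key. The scheme details (separate scan and spend keys, SHA-256 of the compressed ECDH point as the tweak) are a simplified assumption, not libbitcoin's exact stealth format.

```python
"""Dual-key stealth address demo on secp256k1 (constructed example).
Alice publishes scan key A = a*G and spend key B = b*G.
Bob picks ephemeral r, publishes R = r*G, computes s = H(r*A)
and pays to P = B + s*G. Alice scans with s' = H(a*R); if
B + s'*G == P the output is hers and she spends with key b + s'.
An observer seeing only A, B, R, P cannot link P to Alice without a or r."""
import hashlib
import secrets

# secp256k1 constants (the real curve parameters)
FIELD = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(p, q):
    """Affine point addition; None represents the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % FIELD == 0:
        return None
    if p == q:
        lam = (3 * x1 * x1) * pow(2 * y1, -1, FIELD) % FIELD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, FIELD) % FIELD
    x3 = (lam * lam - x1 - x2) % FIELD
    return (x3, (lam * (x1 - x3) - y1) % FIELD)

def mul(k, p):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    k %= N
    acc = None
    while k:
        if k & 1:
            acc = add(acc, p)
        p = add(p, p)
        k >>= 1
    return acc

def shared_scalar(point):
    """Tweak s = SHA256(compressed ECDH point) reduced mod n (assumed KDF)."""
    enc = bytes([2 + (point[1] & 1)]) + point[0].to_bytes(32, "big")
    return int.from_bytes(hashlib.sha256(enc).digest(), "big") % N

def new_key():
    k = secrets.randbelow(N - 1) + 1
    return k, mul(k, G)

def sender_pay(A, B):
    """Bob: fresh ephemeral R and one-time payment key P for stealth address (A, B)."""
    r, R = new_key()
    return R, add(B, mul(shared_scalar(mul(r, A)), G))

def receiver_scan(a, b, B, R, P_out):
    """Alice: return the private key for P_out if it was sent to her, else None."""
    s = shared_scalar(mul(a, R))
    if add(B, mul(s, G)) != P_out:
        return None
    return (b + s) % N

def demo():
    a, A = new_key()
    b, B = new_key()
    R, P_out = sender_pay(A, B)
    priv = receiver_scan(a, b, B, R, P_out)
    assert priv is not None and mul(priv, G) == P_out   # Alice can spend it
    _, P2 = sender_pay(A, B)
    assert P2 != P_out                                   # unlinkable second payment
    other_scan, _ = new_key()
    assert receiver_scan(other_scan, b, B, R, P_out) is None  # wrong scan key
    return True
```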



