Firo (formerly Zcoin) Comparison - Reading Assignment

  1. The two primary weaknesses of Monero discussed are the small ring size of 11 which means the odds can be calculated of which transactions are linked hence the links between transactions are not broken just obscured by decoy inputs and outputs, and any weakness in the ring signature or breakthroughs in quantum computing could deanonymize and retroactively expose the entire history of the blockchain.

  2. A timing attack analyses the time between minting and spending a coin - if close together then it would suggest they are linked and can reveal the sender and receiver addresses and transaction amount. The best way to avoid this is to mint coins a while before spending them.

  3. Lelantus is an expansion of Sigma and improves on Sigma by removing the requirement for fixed denominations and allowing direct anonymous payments that do not reveal the amounts

  4. The biggest pro of Zcash over Monero is a huge anonymity set, the greatest con is it requires trusted parameters to set up.

  5. No this doesn’t seem fair, the anonymity set of Monero is just stated as 11 when in fact it’ll increase as more transactions are added

1 Like

1.) What two primary weaknesses of Monero are discussed?
Ring signatures as currently implemented in CryptoNote currencies also have limitations concerning practical ring size (the number of other outputs you are taking) as the size of a transaction grows linearly as the ring size increases. This is why Monero has a relatively small ring size of 11. This means on a per transaction basis, the anonymity is limited by the number of participants in the ring. Blockchain analysts, although they might not be able to prove transactions are linked, can calculate the odds that they are. The primary drawback of CryptoNote is that it doesn’t break the links between transactions but merely obscures them with decoy inputs and outputs.

Another criticism of CryptoNote is that if there’s a weakness in its ring signature implementation or a reasonably powerful quantum computer becomes feasible, the entire blockchain history is deanonymized and retroactively exposed

2.) One listed weakness of the Sigma protocol is susceptibility to “timing attacks”. Based on your read of the article and your understanding of Zerocoin’s Mint/Spend functions, how are ‘timing attacks’ performed, which information is vulnerable, and how can they be prevented?
Users have to keep coins minted before they intend to spend to prevent timing attacks.

3.) What is Lelantus and how does it improve on Sigma?
Lelantus is a creation of Zcoin’s cryptographer Aram Jivanyan as part of their efforts to continuously improve their privacy protocol. Lelantus expands on Sigma by removing the requirement for fixed denominations and also allowing for direct anonymous payments that do not reveal amounts.

4.) Read the section on Zerocash and Zcash. When compared to Monero, what is the most important ‘pro’ of Zcash, and what is the most important ‘con’? Explain your choice.
Pro: Potentially the best anonymity set encompassing all coins minted and breaks transaction links between addresses.

Con: Uses relatively new cryptography and based on cryptographic assumptions (KEA) that have been criticized.

5.) OPINION: Look at the ‘Comparison Chart’ at the end, and ‘Anonymity Set Size’ in particular. Based on your understanding of Monero, Zerocoin and Sigma, is this a fair comparison?
I don’t think this is a fair comparison. If you just follow the chart, Monero would be an absolute useless currency. This chart just compares functions these coins offer.

1 Like

1. What two primary weaknesses of Monero are discussed?
lack of supply audacity and transaction link

2. One listed weakness of the Sigma protocol is susceptibility to “timing attacks”. Based on your read of the article and your understanding of Zerocoin’s Mint/Spend functions, how are ‘timing attacks’ performed, which information is vulnerable, and how can they be prevented?
“timing attack”: according to the IP of zerocoin protocol user, usually the nearly minted coins are prior to the real coin. So the hacker can target the IP and its address.
the link between receiver and sender will be vulnerable.
To prevent this kind of hack, the user of sigma should mint the new coin before spending.

3. What is Lelantus and how does it improve on Sigma?
Lelantus is a privacy protocol used in Zcoin, which allows direct anonymous payments

4. Read the section on Zerocash and Zcash. When compared to Monero, what is the most important ‘pro’ of Zcash, and what is the most important ‘con’? Explain your choice.
the pro of Zcash is supplying audacity, which can detect the state of coin supply in its own system.
the con of Zcash, I think the complexity of user experience, which is the key to a product.

5. OPINION : Look at the ‘Comparison Chart’ at the end, and ‘Anonymity Set Size’ in particular. Based on your understanding of Monero, Zerocoin and Sigma, is this a fair comparison?
Theoretically, I think it’s fair, but also should add the character of user experience.

1 Like

1 Monero has a relatively small ring size of 11. This means on a per transaction basis, the anonymity is limited by the number of participants in the ring.
Also, security researchers have found ways to make educated guesses as to which transaction is the real one by tying it to the timing of transactions, that trick now can spot the real coin just 45 percent of the time.
2 Users have to keep coins minted before they intend to spend to prevent timing attacks, if not the input transaction may be connected to an output of the same size. When time passes the probability of a similar transaction increases. (If Alice spends 5 units between 10:00 and 10:01 and Bob receives 5 units between 10:01 and 10:02 it is not far fetched who are involved. But if Alice spends 5 units between 10:00 and 11:00 and Bob receives 5 units between 10:01 and 11:01 it is not so easy to deduce who are the participants.)
3 Lelantus retains all the benefits of Sigma of not requiring trusted setup, but removes the remaining weakness of requiring fixed denominations by utilizing double-blinded commitments and a modification of bullet-proofs to hide transaction amounts. Users can burn arbitrary amounts and redeem arbitrary amounts as well making it much harder to tie spends to mints.
4 Perhaps the complex mathematics used
+ If flawless it provides superior security.
- If not, the creation of coins is untraceable and may be done by a malicious entity.
5 The 11 for Monero is the minimum fixed ringCT size. The anonymity increases with the number of transactions, so this is not the whole truth. Nor does the table take into account that the addresses used are one time only stealth addresses, increasing anonymity further.

1 Like
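
The Alice/Bob illustration in the post above, as an added simulation that is not part of the original thread: it measures how the hold time between mint and spend changes what an observer can infer from timing alone. The model is an assumption (one fixed denomination, Poisson mint arrivals at rate 1, exponentially distributed hold times), and `simulate` is a hypothetical name.

```python
import random


def simulate(mean_hold, n_users=2000, seed=7):
    """Return (link_rate, mean_pool) for a constructed mint/spend timeline.

    Assumed model, not Firo's real parameters:
      * every coin has the same fixed denomination, so amounts give no hint;
      * mints arrive as a Poisson process with rate 1 per time unit;
      * each user spends after an exponential hold time with mean `mean_hold`.

    link_rate: fraction of spends for which the guess "this spend belongs to
               the most recent mint" is correct.
    mean_pool: average number of minted-but-unspent coins at the moment of a
               spend, i.e. the candidate set left after timing is considered.
    """
    rng = random.Random(seed)
    events = []
    t = 0.0
    for uid in range(n_users):
        t += rng.expovariate(1.0)                 # next mint arrives
        hold = rng.expovariate(1.0 / mean_hold)   # user waits before spending
        events.append((t, "mint", uid))
        events.append((t + hold, "spend", uid))
    events.sort()                                 # public, time-ordered ledger view

    last_mint = None      # owner of the most recent mint seen so far
    unspent = 0           # size of the unspent pool
    correct = 0
    pool_total = 0
    for _, kind, uid in events:
        if kind == "mint":
            last_mint = uid
            unspent += 1
        else:
            pool_total += unspent                 # pool includes the real coin
            if last_mint == uid:                  # timing guess hits the real mint
                correct += 1
            unspent -= 1
    return correct / n_users, pool_total / n_users


if __name__ == "__main__":
    # Under this model the guess succeeds with probability 1 / (1 + mean_hold),
    # because it is right only when no other mint lands inside the hold window.
    for hold in (0.1, 1.0, 10.0, 100.0):
        rate, pool = simulate(hold)
        print(f"mean hold {hold:>6}: linked {rate:6.1%}, mean unspent pool {pool:7.1f}")
```

Spending right after minting leaves a candidate pool of roughly one coin, while a long and variable hold lets other users' mints pile up between the two events, which is the mitigation the answers describe.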
  1. After that change to how Monero chooses its mixins, that trick now can spot the real coin just 45 percent of the time—but still narrows down the real coin to about two possibilities, far fewer than most Monero users would like.

Another criticism of CryptoNote is that if there’s a weakness in its ring signature implementation or a reasonably powerful quantum computer becomes feasible, the entire blockchain history is deanonymized and retroactively exposed.

2. Users have to keep coins minted before they intend to spend to prevent timing attacks
3. Lelantus is a creation of Zcoin’s cryptographer Aram Jivanyan as part of their efforts to continuously improve the privacy protocol. Lelantus expands on Sigma by removing the requirement for fixed denominations and also allowing for direct anonymous payments that do not reveal amounts.
4. Potentially the best anonymity set encompassing all coins minted and breaks transaction links between addresses.
Con: Supply cannot be audited therefore if coins are forged and come out from thin air, they cannot be detected. Bugs of this nature were both found [before launch]. I find this the biggest problem. If there is no supply audit, the system is prone to be abused sooner or later.
5. 11 means how many decoys can be included in a XMR transaction. It seems that the anonymity of XMR transactions increases with their number.

1 Like
  1. a.) Ring signatures have limitations concerning practical ring size (the number of other outputs you are taking) as the size of a transaction grows linearly as the ring size increases. This means on a per transaction basis, the anonymity is limited by the number of participants in the ring. Blockchain analysts although they might not be able to prove transactions are linked, they can calculate the odds that they are. It doesn’t break the links between transactions but merely obscures it with decoy inputs and outputs.
    b.) Security researchers have found ways to make educated guesses as to which transaction is the real one by tying it to the timing of transactions. In any mix of one real coin and a set of fake coins bundled up in a transaction, the real one is very likely to have been the most recent coin to have moved prior to that transaction.

  2. When a user mints and spends at the same time, then the participants are potentially linkable. Delay between minting and spending can help this.

  3. Lelantus further expands on Sigma by removing the requirement for fixed denominations and also allowing for direct anonymous payments that do not reveal amounts. Users can burn arbitrary amounts and redeem arbitrary amounts as well making it much harder to tie spends to mints.

  4. Pro = Sender and receiver can’t be linked at all
    Con = a leakage in the trusted setup can lead to coin forgery

  5. 11 is the minimum ringCT size

1 Like
  1. What two primary weaknesses of Monero are discussed?
    a) “Does not break transaction links, merely obscures them, hence a ‘decoy’ model”
    b) “Large transaction sizes and a non prunable blockchain”

  2. One listed weakness of the Sigma protocol is susceptibility to “timing attacks”. Based on your read of the article and your understanding of Zerocoin’s Mint/Spend functions, how are ‘timing attacks’ performed, which information is vulnerable, and how can they be prevented?
    The sender and receiver are linkable, when the user mints and spends at the same time the coins within a small interval.

  3. What is Lelantus and how does it improve on Sigma?
    Lelantus improves upon Sigma by removing the requirement for fixed denominations while utilizing a modified version of bulletproofs to obfuscate transaction amounts.

  4. Read the section on Zerocash and Zcash. When compared to Monero, what is the most important ‘pro’ of Zcash, and what is the most important ‘con’? Explain your choice.
    Pro: The best anonymity sets (breaking of connection between transactions)
    Con: Supply cannot be audited therefore if coins are forged and come out from thin air, they cannot be detected.

  5. OPINION : Look at the ‘Comparison Chart’ at the end, and ‘Anonymity Set Size’ in particular. Based on your understanding of Monero, Zerocoin and Sigma, is this a fair comparison?
    I believe it is not a fair comparison since it doesn’t take into account RingCT, bulletproofs and “stealth address”.

1 Like

1. Does not break transaction links (creates decoy model)
It cannot take advantage of the Bitcoin ecosystem

2. Timing attacks are performed as Minted coins need to stay minted until they are spent. The timing can be linked if other factors such as the denominators are the same along with the timing.

3. Lelantus is a better version of Sigma using the same protocol.
It doesn’t use Fixed Denominations, and can do anonymous transactions without having to convert base coins

4. PRO - that there is no need to convert to a basecoin, you can directly send anonymized coins directly
CON - Complicated and very few people understand the language - important because it’s a bit of “3rd party involved” vibe considering only a small amount of people understand it.

1 Like

1. What two primary weaknesses of Monero are discussed?

The more participants you add to a mixer, the larger the size of a transaction becomes. This is why Monero has a relatively small ring size of 11. Therefore, on a per transaction basis, the anonymity is limited by the number of participants in the ring.

Blockchain analysts, although they might not be able to prove transactions are linked, can calculate the odds that they are. The primary drawback of CryptoNote is that it doesn’t break the links between transactions but merely obscures them with decoy inputs and outputs.

Another criticism of CryptoNote is that if there’s a weakness in its ring signature implementation or a reasonably powerful quantum computer becomes feasible, the entire blockchain history is deanonymized and retroactively exposed. This cannot be fixed after the fact.

2. One listed weakness of the Sigma protocol is susceptibility to “timing attacks”. Based on your read of the article and your understanding of Zerocoin’s Mint/Spend functions, how are ‘timing attacks’ performed, which information is vulnerable, and how can they be prevented?

I assume it is done by monitoring the execution time of various algorithms while minting/spending tokens. Information such as the identity of the person and the amount they minted could be revealed. A way to prevent this is by keeping coins minted for a while before intending to spend them immediately.

3. What is Lelantus and how does it improve on Sigma?

Lelantus is a new decentralizing anonymous payment protocol which is an improvement from Sigma.

Lelantus retains all the benefits of Sigma of not requiring trusted setup, but removes the remaining weakness of requiring fixed denominations by utilizing double-blinded commitments and a modification of bullet-proofs to hide transaction amounts. Users can burn arbitrary amounts and redeem arbitrary amounts as well making it much harder to tie spends to mints.

4. Read the section on Zerocash and Zcash. When compared to Monero, what is the most important ‘pro’ of Zcash, and what is the most important ‘con’? Explain your choice.

Pro:

  • Potentially the best anonymity set encompassing all coins minted and breaks transaction links between addresses.

Reason: Since the whole idea behind a privacy coin is ‘privacy’ it makes sense to have the best one. You want to make it as hard as possible for third-parties to figure out your identity and Zcoin does this better than Monero it seems.

Con:

  • Supply cannot be audited therefore if coins are forged and come out from thin air, they cannot be detected.

Reason: Can compromise the value per each coin.

5. OPINION : Look at the ‘Comparison Chart’ at the end, and ‘Anonymity Set Size’ in particular. Based on your understanding of Monero, Zerocoin and Sigma, is this a fair comparison?

Monero’s anonymity set is misleading since the number increases as more transactions are included.

1 Like
  1. Two primary weaknesses of Monero are that it doesn’t break the links between transactions but merely obscures it with decoy inputs and outputs, and if there’s a weakness in its ring signature implementation or a reasonably powerful quantum computer becomes feasible, the entire blockchain history is deanonymized and retroactively exposed.

  2. Timing attacks can happen based on discerning patterns between minting and spending, and the way to prevent it is to mint coins before you intend to spend them.

  3. Lelantus further expands on Sigma by removing the requirement for fixed denominations and also allowing for direct anonymous payments that do not reveal amounts.

  4. The most important pro is that it has the best anonymity set encompassing all coins minted and breaks transaction links between addresses because this makes it more private and hard to trace. The most important con is the complicated construction and difficult to understand in full meaning that only a handful of people can grasp the cryptography and code may be prone to errors, because this means there can be bugs.

  5. It is not a fair comparison because 11 for Monero is the minimum anonymity set, but it increases with the number of transactions.

1 Like
  1. Possibility to deduce which is the actual transaction based on the timing.
  2. kind of “active” transactions.
  3. Lelantus extends Sigma by removing the requirement for fixed denominations and also allowing direct anonymous payments where the amounts are not known.
    4. Potentially the best anonymity set that covers all minted coins and removes transaction links between addresses, manages to successfully decouple coin relationships.
    Complicated trustworthy set-up that needs to be arranged by the team, trust to achieve trustless systems does not seem very intuitive.
  4. Count of decoys used by RingCT
1 Like

Questions:

  1. What two primary weaknesses of Monero are discussed?

Ring size is limited (to 11), the links between transactions are maintained, albeit obscured

Timing also whittles one down towards a smaller set of likely candidates.
Ring Confidential Transactions - hide tx amounts, means no supply audit

  2. One listed weakness of the Sigma protocol is susceptibility to “timing attacks”. Based on your read of the article and your understanding of Zerocoin’s Mint/Spend functions, how are ‘timing attacks’ performed, which information is vulnerable, and how can they be prevented?

Weakness spending and minting at regular and or immediate intervals

Hold coins in reserve for a variable length of time, use TOR VPN / vary your timezone(s)

  3. What is Lelantus and how does it improve on Sigma?

Lelantus upgrade following Sigma removes fixed denominations and adds direct anonymous payments with non revealed amounts.

  4. Read the section on Zerocash and Zcash. When compared to Monero, what is the most important ‘pro’ of Zcash, and what is the most important ‘con’? Explain your choice.

ZCash VIP Pro: superior anonymity set.

ZCash VIP Con: Complex construction, as in dev can be slow and error prone as a result.

  5. OPINION : Look at the ‘Comparison Chart’ at the end, and ‘Anonymity Set Size’ in particular. Based on your understanding of Monero, Zerocoin and Sigma, is this a fair comparison?

Not entirely as destination ‘stealth address’, values hiding within RingCT and bulletproofs are missed and then there are timing attacks plus Monero Anonymity set grows

1 Like
  1. What two primary weaknesses of Monero are discussed?

First discussed Monero weakness is that CryptoNote does not break transaction links, merely obscures them with decoys. This allowed security researchers to make educated guesses as to which transaction is the real one by tying it to the timing of transactions. Even with recent changes to how Monero chooses mixins, that trick can spot the real coin 45% of the time.

Second discussed Monero weaknesses are: the risk of blockchain being deanonymized in the future or through incorrect implementations and the lack of supply auditability that can complicate detecting hidden inflation.

  2. One listed weakness of the Sigma protocol is susceptibility to “timing attacks”. Based on your read of the article and your understanding of Zerocoin’s Mint/Spend functions, how are ‘timing attacks’ performed, which information is vulnerable, and how can they be prevented?

When you want to spend your Zerocoin anonymously, you have to mint it first. If timing between minting and spending is analyzed, it is possible to assign probability value of which mint and spend are tied together. Usually, the ones whose timing of mint and spend are closer belong to the same coin. In order to prevent mint attacks users have to keep coins minted before they intend to spend them or in other words wait longer between mint and spend to increase anonymity.

  3. What is Lelantus and how does it improve on Sigma?

Lelantus is a creation of Zcoin’s cryptographer Aram Jivanyan as part of efforts to continuously improve its privacy protocol. It retains all the benefits of Sigma of not requiring trusted setup, but removes the remaining weakness of requiring fixed denominations by utilizing double-blinded commitments and a modification of bullet-proofs to hide transaction amounts.

  4. Read the section on Zerocash and Zcash. When compared to Monero, what is the most important ‘pro’ of Zcash, and what is the most important ‘con’? Explain your choice.

Zcash has potentially the best anonymity set encompassing all coins minted regardless of the denomination on the blockchain and breaks transaction links between addresses while Monero’s CryptoNote does not break transaction links, merely obscures them. Even though this is important feature for privacy coins, I would say that Monero’s “privacy by default” compensates for its inferior anonymity set as long as Zcash uses shielded addresses (“privacy by choice”) only in small percentage of its transactions.

Most important con of Zcash in my opinion is its complicated construction and implementation of difficult to understand zkSNARKs which makes its cryptography and code prone to errors. Therefore, discovery of the vulnerabilities requires a high level of technical and cryptographic sophistication that very few people possess. In fact, Zcash had counterfeiting bug in its code for years but was undiscovered by numerous expert cryptographers, scientists, third-party auditors, and third-party engineering teams who initiated new projects based upon the Zcash code.

In contrast to Zcash, Monero’s construction is well understood by many experts and is based on well researched cryptography.

  5. OPINION : Look at the ‘Comparison Chart’ at the end, and ‘Anonymity Set Size’ in particular. Based on your understanding of Monero, Zerocoin and Sigma, is this a fair comparison?

Well it shows correct numbers… but I think it’s not fair to Monero because this anonymity set size is focused on a single UTXO and does not take into account features of Monero which increase its anonymity as time passes as outputs become the new inputs of new mixes. So yes, some Monero’s features are disregarded here but it is also understandable that it is hard to put in such a simple table utilization of Monero’s privacy features such as ringCT, bulletproofs and stealth addresses which give Monero an edge over other privacy coins.

1 Like
  1. Links between the transactions are not broken so Ring signature limitations could guess the red signature.

  2. Timing attack is a side-channel attack so that the attacker tries to compromise the crypto system. The sender and the receiver information are vulnerable. To prevent time attacks, senders need to stash some coins to the side so they can send them later.

  3. It improves on Sigma by removing the requirements for fixed denominations.

  4. The most important pro to Zcash is proof size lower and verifications quicker.

  5. I don’t think that it is fair due to the reason of that the anonymity increases with tx.

1 Like
  1. What two primary weaknesses of Monero are discussed?
    After that change to how Monero chooses its mixins, that trick now can spot the real coin just 45 percent of the time—but still narrows down the real coin to about two possibilities, far fewer than most Monero users would like.
    Another criticism of CryptoNote is that if there’s a weakness in its ring signature implementation or a reasonably powerful quantum computer becomes feasible, the entire blockchain history is deanonymized and retroactively exposed.

  2. One listed weakness of the Sigma protocol is susceptibility to “timing attacks”. Based on your read of the article and your understanding of Zerocoin’s Mint/Spend functions, how are ‘timing attacks’ performed

  3. What is Lelantus and how does it improve on Sigma?
    It improves on sigma by removing the requirement for fixed denominations and also allowing for direct anonymous payments that do not reveal amounts.

  4. Read the section on Zerocash and Zcash. When compared to Monero, what is the most important ‘pro’ of Zcash, and what is the most important ‘con’? Explain your choice.

  5. Pro: breaking of connection between transactions (no chain analysis will link transactions now and in the future). Con: zkSNARKs very unproven, untested, not well understood immature tech, compared to Monero’s cryptography which is better understood and battle tested.

  6. OPINION : Look at the ‘Comparison Chart’ at the end, and ‘Anonymity Set Size’ in particular. Based on your understanding of Monero, Zerocoin and Sigma, is this a fair comparison?
    The number 11 as given in the chart is more than a little disingenuous. It cannot be compared with the other numbers given in the same column because it refers to a completely different technology, Ring Signatures, does not take into account Confidential Transactions and Stealth Addresses, nor the fact that because of these, one user’s possible identity is spread among all transactions taking place on the blockchain, not just a single transaction with 11 anon set.

1 Like

Firo (formerly Zcoin) Comparison - Reading

  1. The two primary weaknesses of Monero that are discussed are:
  • It doesn’t break the links of transactions but only obscures it with decoys of inputs and outputs.
  • lack of auditing the coins to prevent fake coins being produced.
  1. Sigma protocol is susceptible to ‘timing attack’ - timing attacks are a side channel in which attacker attempts to compromise the system by analysing the time taken to execute cryptographic algorithm. The information vulnerable are the transaction inputs. The attack can be prevented by mixing, blinding and keep some minted coins and spend when needed.

  2. Lelantus retains all the benefits of Sigma of not requiring trusted setup.
    It improves on Sigma by removing the weakness of requiring fixed denominations by utilizing double-blinded commitments and modification of bullet proofs to hide transaction amounts.

  3. "Zerocash and Zcash" when compared to Monero.
    The most important is ‘pro of Zcash’. This is potentially the best anonymity set of coins minted, breaks transaction links between addresses, proof of sizes are small and fast to verify, hides transaction amounts and there is no need for conversion to a base coin and an anonymized coin can be sent to each other.

  4. "Comparison Chart and Anonymity Set Size".
    Based on my understanding of Monero, Zerocoin and Sigma, it is fair to say Sigma compares very favourably to Monero anonymity schemes. Sigma is providing a very well rounded anonymity package - anonymity set of up to around 100,000. This gives a very strong anonymity set size compared to Monero’s low anonymity set size. You will need a cryptography breakthrough to scale past the 100,000 of Sigma’s anonymity size if Monero is to pass that. This will be very difficult at this time.

1 Like
  1. What two primary weaknesses of Monero are discussed?
    -Only obscures transaction links
    -Scalability issues because of large transaction size.
  2. One listed weakness of the Sigma protocol is susceptibility to “timing attacks”. Based on your read of the article and your understanding of Zerocoin’s Mint/Spend functions, how are ‘timing attacks’ performed, which information is vulnerable, and how can they be prevented?
    Timing attacks are done by analysing coins being minted and spent straightaway thus possible linking them together. Solution is to mint the coins and keep them for a while (longer is better) before spending them.
  3. What is Lelantus and how does it improve on Sigma?
    Lelantus further expands on Sigma by removing the requirement for fixed denominations and also allowing for direct anonymous payments that do not reveal amounts
  4. Read the section on Zerocash and Zcash. When compared to Monero, what is the most important ‘pro’ of Zcash, and what is the most important ‘con’? Explain your choice.
    -Potentially the best anonymity set encompassing all coins minted and breaks transaction links between addresses
    -Private transactions are computationally intensive
  5. OPINION : Look at the ‘Comparison Chart’ at the end, and ‘Anonymity Set Size’ in particular. Based on your understanding of Monero, Zerocoin and Sigma, is this a fair comparison?
    No because the anonymity increases with more transactions
1 Like

1.- Monero weaknesses: a) Does not break the transaction links, just obscures them. b) High risk of blockchain being deanonymized in the not far future or through incorrect implementations.
2.- The analysis links between Zcoin Mint and Zcoin send transactions, identifying which ones are connected. So it makes it possible to find relations between different addresses. The way to prevent this is to avoid spending freshly minted coins; the longer someone holds them, the more private the coins become.
3.- Improving Sigma protocol by removing the requirement for fixed denominations and allowing for direct anonymous hidden payments.
4.- Pro: The proof size is lower so it can lead to a scalability on Zcash. Con: It does not have supply auditability to check whether any additional coins have been created out of thin air.
5.- If we compare Monero with other privacy coins, Monero ring signatures have a low anonymity set size. So even transactions are not transparent, the low anonymity set makes it possible to analyze them and be able to see the number of decoys.

1 Like
  1. Supply cannot be audited and Ring Signatures can be potentially de-anonymized in the future because it is a decoy model that doesn’t break the transaction link.
  2. The transaction data could be exposed if a user attempts to spend coins right after they are minted. This is due to a hacker being able to guess the time it takes to complete these steps and waiting for the information to leak. A user can prevent this by holding onto their coin for a random set period of time before spend and a platform can use a design that makes it harder to determine timing.
  3. It allows denominations of any size to be spent instead of breaking it down into pre-set denominations. This also allows more secure private transactions between parties.
  4. Biggest Pro - The anonymity set is all coins in circulation. If anonymity is the whole reason privacy coins exists then having the most would be the most important.
    Biggest Con - Doesn’t currently work/get used. Every transaction that isn’t private allows more transaction to be public so if they are going to create a fully anonymized blockchain they need to start anonymizing now.
  5. No, it was written by Zcoin and neither Sigma nor Lelantus have a red section trying to say that they are relatively safe to use. However I would argue that Sigma and Lelantus are recent implementations and while built on sound principles they are untested in everyday use. The chart does a good job however of showing the differences in a short manner that allows the reader to grasp the differences that exist between each protocol.
1 Like
  1. What two primary weaknesses of Monero are discussed?

The small size of the ring signature decoys (11) and that it doesn’t break the links between transactions but just obscures them with decoys.

  2. One listed weakness of the Sigma protocol is susceptibility to “timing attacks”. Based on your read of the article and your understanding of Zerocoin’s Mint/Spend functions, how are ‘timing attacks’ performed, which information is vulnerable, and how can they be prevented?

When minting coins if you spend too quickly an attacker can time it so that they frontrun your transaction which will block your broadcast from the nodes. They can then mint and spend a coin and your transaction is rejected. You can get around this by not spending your minted coin straight away.

  3. What is Lelantus and how does it improve on Sigma?

By using double blind commitments and bullet proofs which obfuscate the transaction amounts.

  4. Read the section on Zerocash and Zcash. When compared to Monero, what is the most important ‘pro’ of Zcash, and what is the most important ‘con’? Explain your choice.

I think that the supply not being able to be audited is the most important issue as if the code has an error or someone in the trusted setup has a key they can create coins and it will go undetected. The second most significant issue is that this type of cryptography has not been around long enough to be fully tested so is more risky.

  5. OPINION : Look at the ‘Comparison Chart’ at the end, and ‘Anonymity Set Size’ in particular. Based on your understanding of Monero, Zerocoin and Sigma, is this a fair comparison?

The information does not seem to consider that Monero anonymity set is more dynamic as it takes past transactions used as decoys and the more transactions there are the more decoys are available to use. I’d say that Monero’s anon set is 10 x (total transactions in 24 hours). I think that would be a fair calculation. Monero transactions in the last 24 hours are 23678 so if it’s 10x (minus Bob) 236780 which is a lot more than those using Zerocoin, Sigma etc.

1 Like