Firo (formerly Zcoin) Comparison - Reading Assignment

Privacy Coins - Ultimate Course
#81

  1. It has a low Anonymity Set size (11), and the verification time is 30ms.

  2. To mitigate the timing attack, you can wait and not spend your recently minted coin straight away.

  3. Retains some degree of supply auditability since amounts are not hidden and coins have to be spent to base layer.

  4. The most important pro is that Zcach has a higher anonymity set: 2^32 vs 11. The most important con is that Zcas relies on untested cryptography.

  5. I think it’s a fair comparison.

1 Like
#82

  1. With ring signatures, as the number of participants increases, the transaction size increases linearly. Because of this, Monero has set the size of ring signatures to 11 participants. The anonymity set is limited to the number of participants in the ring signatures. Also, the link between the transactions is not broken but obscured with decoy inputs and outputs.

  2. The timing of the minting and spending of coins can provide a link between the transactions. If coins are minted and spent consecutively, there is a high chance that the transactions belong to a common owner. If there is a link, it can reveal information about the sender and receiver’s address and the amount sent. As a solution, users should wait a period before spending their newly minted coins.

  3. Lelantus is an improved privacy protocol developed by Aram Jivanyan for Zcoin. It expands on Sigma by removing the need for fixed denominations and allowing transactions that hide the amounts.

  4. Pro: In comparison to Monero, ‘Potentially the best anonymity set encompassing all coins minted and breaks transaction links between addresses.’ is an important advantage to have. It is important because Monero only obscures the link between the addresses meanwhile Zerocash and Zcash break them.
    Con: A relatively small number of people understand the cryptography behind zk-SNARKS which is highly complex in construction. This level of complexity may lead to errors in the code.

  5. For Monero, it is an unfair comparison because it does not take into account its implementation of stealth addresses and the number of decoys used in RingCT.

1 Like
#83

1.The ring size is 11. Anonymity set is only limited to the small ring size. Also, from the timing of the real transaction and decoys, the real transaction is deducable, because the UTXO used should be recent.

  1. If a coin is minted and spent in too short of a time, they will be easier to be linked by observers; amount spent, sender and receiver. Prevention by keeping minted coins in reserve, and only spend coins directly from the mint reserve.

  2. Lelantus doesn’t require fixed denominations, and allows for direct anonymous payments that do not reveal amounts and makes it harder to tie spends to mints.

  3. Maybe, the most important pro that Zcash has over Monero is that a Zcash user can send completely anonymized coins that are completely separated from base coins. In Monero, one’s transaction is obscured with Ring Signatures, but the mixins can possibly be partly identified by flooding attacks, or through probabilistic analysis. As for cons, Zcash uses an obscure type of cryptography that few understand. There is more of a chance for an unnoticed weakness may be lurking under the surface that can be exploited. Monero is older, simpler, and better tested.

  4. Monero’s anonymity set is 11. The amount of outputs being 10 false and 1 true. It does not take into account the fact that Monero’s anonymity set grows with the number of transactions.

1 Like
#84

  1. Weaknesses of Monero are a small anonymity set (11) and a general weakness of using decoy outputs, being that transactions can be deanonymized with decent probability (45%) as well as the entire blockchain being retroactively deanonymized if quantum computing takes off.

  2. A weakness of the Sigma protocol is its susceptibility to timing attacks. From my understanding, the fact that the protocol “still requires fixed denominations” means that “it can be easier to discern patterns of mints and spends if one is not careful”. For example, if a coin is minted and a few seconds later “another” coin of the same denomination is spent, they were probably the same coin.

  3. Lelantus further expands on Sigma by removing the requirement for fixed denominations and also allowing for direct anonymous payments that do not reveal amounts.”

  4. When compared to Monero, I think the most important pro of Zcash is

“Its anonymity set is also the largest among all previous anonymity schemes involving all minted coins regardless of the denomination on the blockchain”

2^32 >> 11, so Zcash wins the anonymity race hands down.

On the other hand, I think Zcash’s most important con (when compared to Monero) it is complexity. It is already known that its “supply cannot be audited”, so any error in its code, while potentially “safe” at the moment due to the implementation’s novelty and complexity (i.e. obscurity), I believe will prove to be disastrous down the road.

  1. The anonymity sets for:
  • Monero: 11
  • Zerocoin: 2^13
  • Sigma: 2^14

Zcoin Solutions Comparison Chart

9385×5485

Based on the knowledge I have gained during this course, I would not say this is a fair comparison. This is more like “Anonymity Set Upper Limit”, as there are various small assumptions that an attacker could make about a given anonymity set to decrease its size. For example, assuming that most people would mint and spend the same coin within a week - this assumes that most people are impatient - then I imagine the anonymity sets for Sigma and Zerocoin would drastically decrease.

1 Like
#85
  1. Doesn’t break links between transactions but merely obscures them with decoy inputs and outputs. The anonymity set is limited to the number of participants in ring.
  2. Timing attacks figure out that the most recent transaction which is most likely to be the real one. Minting and spending should not happen within a short time frame to help prevent timing attack.
  3. Lelantus is an improvement by removing the requirement for fixed denominations and allowing for direct anonymous payments that do not reveal amounts.
  4. Most important pro is increased anonymity set. Most important con is requirement of trusted set up.
  5. It looks fair.
1 Like
#86
  1. imposibility to audit real supply and that it’s not fully anonymous
  2. by comparing mints to spends to find the balance, you can relate linked addresses…
    ------> don’t know about a solution, I still can’t fully understand privacy coins :frowning:
  3. by allowing direct anonymous payments
  4. It’s faster but less tested tech
  5. That’s the number of decoys included on a Tx’s
    ------> Still can’t give a fair assessment on: if the comparison table is a fair comparison?
    ------> I would say it must have missing data?
1 Like
#87

They are all very different with different approaches so its better to focus on one you trust based on your assessment. :slight_smile:

Kind of, Monero mixes UTXOs and increases annonimity over time.

#88
  1. Ring size is 11, anonymity set is only limited to the ring size which is small and also from the timing of the real transaction and decoys.
  2. When the user mints and spends at the same time with a small delay, then sender and receiver may be linkable. You can avoid it by creating a delay between minting and spending which helps to unlink sender and receiver.
  3. Lelantus is an upgrade to Sigma, it doesn’t require a trusted setup, doesn’t require fixed denominations and allows direct payment from sender to receiver without converting between zerocoins and basecoins.
  4. Zcash Pro compared to Monero: Much higher anonymity set
    Zcash Con compared to Monero: Trusted set up of the blockchain
  5. Monero’s anonymity set is 11. It cannot be compared with the other numbers given in the same column because it refers to a completely different technology, Ring Signatures, and does not take into account Confidential Transactions and Stealth Addresses.
1 Like
#89
  1. Ring size of only 11. Timing analysis can achieve a higher than wanted % of guessing the correct transaction.
  2. If a user Mints coins and immediately spends them there is a possibility of the transactions being linked. One needs to hold the Minted coins for a longer period of time.
  3. Removes the need for fixed denominations and allowing for direct anonymous payments that do not reveal amounts
  4. Pro: Very High anonymity. Con: Requires a trusted setup.
  5. Monero’s anonymity set does not take into consideration of a few more factors. But the others look correct.
1 Like
#90
  1. What two primary weaknesses of Monero are discussed? — relatively small ring size of 11, blockchain analysts can still calculate odds of transactions based on transaction times
  2. One listed weakness of the Sigma protocol is susceptibility to “timing attacks”. Based on your read of the article and your understanding of Zerocoin’s Mint/Spend functions, how are ‘timing attacks’ performed, which information is vulnerable, and how can they be prevented? — when minting and spending at same time with little delay, sender and receiver could be linked because time delay is small, should wait and increase delay between minting and sending to prevent discovery
  3. What is Lelantus and how does it improve on Sigma? — upgrade to sigma that removes need for fixed denominations and trusted setup.
  4. Read the section on Zerocash and Zcash. When compared to Monero, what is the most important ‘pro’ of Zcash, and what is the most important ‘con’? Explain your choice. — high anonymity set so transaction is completely private whereas monero is still traceable due to low anonymity set. However, Zcash trusted setup requires trusting people.
  5. OPINION : Look at the ‘Comparison Chart’ at the end, and ‘Anonymity Set Size’ in particular. Based on your understanding of Monero, Zerocoin and Sigma, is this a fair comparison? — doesn’t consider bulletproof
1 Like
#91

1. What two primary weaknesses of Monero are discussed?
Because the links between transactions aren’t broken, a timing attack can be used to probabilistically associate which transaction (from the 11 in the RingCT) is the real one.
The second criticism was that after quantum computers become more powerful, the entire blockchain can be deanonymized.
2. One listed weakness of the Sigma protocol is susceptibility to “timing attacks”. Based on your read of the article and your understanding of Zerocoin’s Mint/Spend functions, how are ‘timing attacks’ performed, which information is vulnerable, and how can they be prevented?
If the minting and spending are both performed from the same IP, the information can be deanonymized. They can be prevented by either having a reserve of Zerocoins so that the timing isn’t the same, or they could implement Dandelion to obscure the IP. (Or use Tor)
3. What is Lelantus and how does it improve on Sigma?
It removes the requirement for fixed denominations and also allows for direct anonymous payments that do not reveal amounts. Additionally it is scalable enough to allow privacy on by default.
4. Read the section on Zerocash and Zcash. When compared to Monero, what is the most important ‘pro’ of Zcash, and what is the most important ‘con’? Explain your choice.
Pro: Not sure.
Con: It can’t be audited. This is akin to just trusting and hoping that there aren’t any bugs. Relying on hope, without verification is a poor design.
5. OPINION : Look at the ‘Comparison Chart’ at the end, and ‘Anonymity Set Size’ in particular. Based on your understanding of Monero, Zerocoin and Sigma, is this a fair comparison?
No. They are not taking into account Stealth Addresses for monero, Or dandelion, or any of the other surrounding technologies that also impact the anonymity set.

1 Like
#92

. The small AS when we consider the number of decoys. It is also vulnerable to timing attacks.

. A Timing attack is a way to logically link unlinked UTXO by analyzing their timestamps. Typically, the more recent Utxos are the ones used in a new anonymous TXs.

. Lelantus is an improvement of Sigma. It removes the requirement for fixed denomination in TXs.

. Pro : size of AS. Con : new and obscur technology.

. I think the Monero AS is better than what the chart shows since the AS grows with appended(newest) TXs.

1 Like
#93
  1. What two primary weaknesses of Monero are discussed?

The ring size is discussed as primary drawback as the anonymity set is stated to be 11, which doesn’t break the links between transactions, only obscures them. A 45% probability that a transaction can be linked via timing attacks which make educated guesses as to which transaction is not the decoy.

The second criticism was that once quantum computers prevail in the future, it can deanonymise the blockchain in its entirety breaking their privacy model and rendering it unfixable.

  1. One listed weakness of the Sigma protocol is susceptibility to “timing attacks”. Based on your read of the article and your understanding of Zerocoin’s Mint/Spend functions, how are ‘timing attacks’ performed, which information is vulnerable, and how can they be prevented?

Timing attacks are preformed by comparing the mint and spends to find the balance and sender and receiver. This can be prevented by delaying the mint and spend time periods.

  1. What is Lelantus and how does it improve on Sigma?

It is a new privacy protocol and developed by Zcoin’s cryptographer Aram Jivanyan as part of our efforts to continuously improve our privacy protocol. It maintains Sigmas trust-less setup and users can burn arbitrary amounts and redeem arbitrary amounts as well making it much harder to tie spends to mints fixing the weakness of requiring fixed denominations.

  1. Read the section on Zerocash and Zcash. When compared to Monero, what is the most important ‘pro’ of Zcash, and what is the most important ‘con’? Explain your choice.

pro = Potentially the best anonymity set encompassing all coins minted and breaks transaction links between addresses.
Reason: The anonymity set is most sought after privacy feature as its what the monero and other privacy coins lack in their privacy model. Also it because renders addresses untraceable it subsequently hides amounts.

con = Supply cannot be audited therefore if coins are forged and come out from thin air, they cannot be detected.
Reason: This can increase the attack surface and further lead to misplaced trust in the protocol as auditing is considered a vital component to security and trust among its community.

  1. OPINION : Look at the ‘Comparison Chart’ at the end, and ‘Anonymity Set Size’ in particular. Based on your understanding of Monero, Zerocoin and Sigma, is this a fair comparison?

It doesn’t consider bulletproof, dandelion, or other cryptographic techniques to increase anonymity set and un-traceability.

1 Like
#94

  1. What two primary weaknesses of Monero are discussed? Monero as a relatively small ring size with it’s ring signitures, so the anonymity is limited by the number of participants in the ring. There is also a timing analysis that can identity the real coin in the transaction about 50 percent of the time, reducing the anonymity effect. Also someone who breaks the discrete logarithm that underpins ringct can forge coins without anyone knowing.

  2. One listed weakness of the Sigma protocol is susceptibility to “timing attacks”. Based on your read of the article and your understanding of Zerocoin’s Mint/Spend functions, how are ‘timing attacks’ performed, which information is vulnerable, and how can they be prevented?

  3. What is Lelantus and how does it improve on Sigma? Lelantus enhances the anonymity aspect of sigma by removing the requirement for fixed denominations and also allowing for direct anonymous payments that do not reveal amounts.

  4. Read the section on Zerocash and Zcash. When compared to Monero, what is the most important ‘pro’ of Zcash, and what is the most important ‘con’? Explain your choice. Zero coin have a much larger anonymity set that crypto-note used by monero. In addition the transactions links are completely broken as they appear as completely brand new coins, and not previous coins placed in a mix. The con is the trusted set-up to generate the parameters, that will ultimately need to be destroyed and the additional storage on the bloc chain.

  5. OPINION : Look at the ‘Comparison Chart’ at the end, and ‘Anonymity Set Size’ in particular. Based on your understanding of Monero, Zerocoin and Sigma, is this a fair comparison? No, Monero’s anonymity set size is much too small.

1 Like
#95

Seems like you forgot to answer the second question :wink:

#96

One listed weakness of the Sigma protocol is susceptibility to “timing attacks”. Based on your read of the article and your understanding of Zerocoin’s Mint/Spend functions, how are ‘timing attacks’ performed, which information is vulnerable, and how can they be prevented? — Sender and receiver could be linked when there is little time lapse between the mint and spend. To minimize detection it’s best to have a lag between mint and spend.

1 Like
#97
  1. Supply audtiability and ring signature anonymity is not entirely granted due to incorrect implementations.
  2. Coins are minted before spending to prevent timing attacks.
  3. Lelantus is a Sigma upgrade with no trusted setup and allow direct payment between sender and receiver.
    4.Zcash has a higher anonymity set than Monero and the con is that is requires a trusted setup.
  4. The table illustrates how much higher of an anonymity set than the other coins, and displays the tradeoff of trusted setup with anonymity set.
1 Like
#98

1.- Transaction links are not broken. Potential attacks related to ring signatures.

2.- A timing attack consists in linking minted coins to spent coins by analyzing their creation/spent times, therefore creating a potential link between inputs and outputs. This could lead any attacker to identify relations between addresses. A recommendation to prevent this to happen to you is to store some minted coins for a while for when you need them, just to not have to create them and spend then in the moment.

3.- A protocol that seeks to improve sigma, it removes the requirement of fixed denominations and adds direct anonymous payments, they do not reveal amounts.

4.- The best pro is fast verification, the worst con is that these techniques are new and prone to be unsafe.

5.- No, since Monero uses a different method to keep transactions private, I would say it is kind of misleading.

1 Like
#99

  1. What two primary weaknesses of Monero are discussed?
    -Timing analysis can identify the real UTXO amongst the decoys.
    -Lack of supply auditability.

  2. One listed weakness of the Sigma protocol is susceptibility to “timing attacks”. Based on your read of the article and your understanding of Zerocoin’s Mint/Spend functions, how are ‘timing attacks’ performed, which information is vulnerable, and how can they be prevented?
    Timing attacks can be performed by identifying mints and spents of the same amount, uncovering the link between sender and receiver. This can be prevented by avoiding regular minting/spending patterns and minting coins in advance.

  3. What is Lelantus and how does it improve on Sigma?
    “Lelantus further expands on Sigma by removing the requirement for fixed denominations and also allowing for direct anonymous payments that do not reveal amounts.”

  4. Read the section on Zerocash and Zcash. When compared to Monero, what is the most important ‘pro’ of Zcash, and what is the most important ‘con’? Explain your choice.
    Pro: Much bigger anonymity set, because it makes timing analysis much harder.
    Con: Trusted setup, because if compromised can create undetectable inflation.

  5. OPINION : Look at the ‘Comparison Chart’ at the end, and ‘Anonymity Set Size’ in particular. Based on your understanding of Monero, Zerocoin and Sigma, is this a fair comparison?
    Seems to be a simple way to compare them. I think it is okay but you need to also consider other factors such as wether amounts are hidden or not to draw better conclusions.

1 Like
#100
  1. being able to identify the real transaction amongst the decoys and the possibility of undetected hidden inflation
  2. minting coins and storing them in a pool ahead of time would eliminate the timing issue
  3. Lelantus expands on Sigma by removing the requirement for fixed denominations and also allowing for direct anonymous payments that do not reveal amounts
  4. Pro: Proof sizes are small and fast to verify. Con: Complicated construction and difficult to understand in full meaning that only a handful of people can grasp the cryptography and code and may be prone to errors
  5. No, Monero’s anonymity set size is listed as very small
1 Like