Zcoin Comparison - Reading Assignment

  1. doesn’t break the links between transactions but merely obscures it with decoy inputs and outputs and limited anonymity set.
    if there’s a weakness in its ring signature implementation or a reasonably powerful quantum computer becomes feasible, the entire blockchain history is deanonymized and retroactively exposed.

  2. If a coin is minted and spent in too short of a time, they will be easier to be linked by observers; amount spent (same denomination), sender and receiver. Prevention by keeping minted coins in reserve, and only spend coins directly from the mint reserve.

  3. Lelantus is an improvement to Sigma. It retains all the benefits Sigma has and adds on to them by removing the need for fixed denominations and also hides TX amounts.

  4. Pro: potentially has the best anonymity set and this ensures greater privacy when transacting
    Con: Supply cannot be audited therefore if coins are forged and come out from thin air, they cannot be detected.

  5. 11 is the minimum decoy available in a single transaction. The table does not take into account that the addresses used are one time only stealth addresses

  1. a) Ring Signatures use decoys which enable analysts to calculate the odds that a transaction is yours. They also enable timing analysis. And possibly remain vulnerable to “flooding” attacks.

    b) Non-auditability, which makes it possible, if there were a CryptoNote bug, to mint an infinite supply of new coins without anyone knowing.

  2. As in Zerocoin, Sigma mints and spends can be connected by timing attacks. They can also be connected by use of same IP address in both a mint and a spend. Users are encouraged to mint a larger amount first, making it ready for smaller spends later, doing mints and spends at random times to prevent timing association of mints and spends, and using different IP address for mints and spends. If one did not follow these warnings, one might for example leak a common mint/spend IP address, and if one minted and spent the same amount right away or at a predictable interval repeatedly, those spend amounts could be connected.

  3. Lelantus is an improvement over Sigma in that Lelantus doesnt use fixed denominations, nor does it reveal amounts, and anonymized coins can be sent directly between users in Lelantus. However, it requires an extra mint and spend step.

  4. Perhaps the most important pro that Zcash has over Monero might be the fact that a Zcash user can send completely anonymized coins that are completely separated from base coins. In Monero, one’s transaction is obscured with Ring Signatures but the mixins can possibly be partly identified by flooding attacks, or through probabilistic analysis. In terms of cons, Zcash uses a new and obscure type of cryptography that few understand, so there is more of a chance for an unnoticed weakness might be lurking under the surface that may be exploited. Monero, on the other hand, is older, simpler, and therefore better tested.

  5. The number 11 as given in the chart is more than a little disingenuous. It cannot be compared with the other numbers given in the same column because it refers to a completely different technology, Ring Signatures, and does not take into account Confidential Transactions and Stealth Addresses, nor the fact that because of these, one users possible identity is spread among all transactions taking place on the blockchain, not just a single transaction with 11 anon set.

1 Like
  1. What two primary weaknesses of Monero are discussed?
    It doesn’t break the links between transactions but merely obscures it with decoy inputs and outputs and limited anonymity set.
    If there’s a weakness in its ring signature implementation or a reasonably powerful quantum computer becomes feasible, the entire blockchain history is deanonymized and retroactively exposed.

  2. One listed weakness of the Sigma protocol is susceptibility to “timing attacks”. Based on your read of the article and your understanding of Zerocoin’s Mint/Spend functions, how are ‘timing attacks’ performed, which information is vulnerable, and how can they be prevented?
    If a coin is minted and spent in too short of a time, they will be easier to be linked by observers; amount spent (same denomination), sender and receiver. Prevention by keeping minted coins in reserve, and only spend coins directly from the mint reserve.

  3. What is Lelantus and how does it improve on Sigma?
    Further expansion on Sigma; no more fixed denominations and possibility of direct spending

  4. Read the section on Zerocash and Zcash. When compared to Monero, what is the most important ‘pro’ of Zcash, and what is the most important ‘con’? Explain your choice.
    Pro: breaking of connection between transactions (no chainanalysis will link transactions now and in the future). Con: zkSNARKs very unproven, untested, not well understood unmature tech, compared to Monero’s cryptography which is better understood and battle tested.

  5. Read the table at the end of the article (‘Summary’). The Anonymity Set Size for Monero is ‘11’. Based on your knowledge of the different technologies that go into Monero, what does this number actually represent, and what does it not take into account?
    It represents UTXO’s in one transaction, but in Monero the overall anonymity increases with the number of transactions.

1 Like

1 - What two primary weaknesses of Monero are discussed?

a.) Security researchers have found ways to make educated guesses  as to which transaction is the real one in a mix of one real coin and a set of fake coins bundled up in a transaction

b.) In Monero/CryptoNote there’s a weakness in its ring signature implementation or a reasonably powerful quantum computer becomes feasible, the entire blockchain history is deanonymized and retroactively exposed.

2 - One listed weakness of the Sigma protocol is susceptibility to “timing attacks”. Based on your read of the article and your understanding of Zerocoin’s Mint/Spend functions, how are ‘timing attacks’ performed, which information is vulnerable, and how can they be prevented?

Some care is required when doing Sigma mints and spends.
Zerocoin users have to keep coins minted before they intend to spend to prevent timing attacks

3 - What is Lelantus and how does it improve on Sigma?

Lelantus further expands on Sigma by removing the requirement for fixed denominations and also allowing for direct anonymous payments that do not reveal amounts.

4 - Read the section on Zerocash and Zcash. When compared to Monero, what is the most important ‘pro’ of Zcash, and what is the most important ‘con’? Explain your choice.

	Pros:

	Potentially the best anonymity set encompassing all coins minted and breaks transaction links between addresses.
	Proof sizes are small and fast to verify
	Hides transaction amounts

	Cons:

	Complicated trusted setup that has to be arranged by the team
	Incorrect implementation or leakage of trusted setup parameters can lead to forgery of coins.
	Supply cannot be audited therefore if coins are forged and come out from thin air, they cannot be detected. Bugs of this nature were both found before launch and also on live mainnet.
	Uses relatively new cryptography and based on cryptographic assumptions (KEA) that have been criticized and not had enough time in industry to be fully vetted.
	Too complicated construction and difficult to understand by all in the security industry.

5 - Read the table at the end of the article (‘Summary’). The Anonymity Set Size for Monero is ‘11’. Based on your knowledge of the different technologies that go into Monero, what does this number actually represent, and what does it not take into account?

Monero has ring size of 11 which has 10 decoy UTxO inputs and 1 real UTxO input. What it does not take into account the ‘stealth address’ to destination address and the values hiding within RingCT and bulletproofs.

1 Like
  1. Obscures instead of unlinking. Possible to deduce which is the actual transaction based on timing.
  2. Recent transactions are kind of “active”.
  3. “Lelantus further expands on Sigma by removing the requirement for fixed denominations and also allowing for direct anonymous payments that do not reveal amounts.”
  4. “Potentially the best anonymity set encompassing all coins minted and breaks transaction links between addresses.”: manages to successfully unlink coin relations.
    “Complicated trusted setup that has to be arranged by the team”: trust to achieve trustless systems doesn’t seem very intuitive.
  5. The count of decoys used in the RingCT
1 Like
  1. Two primary weaknesses of Monero are that its timing of the real coin can be detected 90% of the time but then Monero changed this yet the real coin can be detected 45 of the time Another weakness discussed was that if the Ring CT discrete logarithm was broken new coins can be forged without anyone knowing.

  2. Timing Attacks are executed by watching the timing of the Mint and Spend transactions as this will help an attacker identify which ones are connected. The information that is vulnerable would be the addresses the transactions where being sent from and to as they could then be linked. To help stop this would be to have minted coins available to spend when required.

  3. Lelantus is a privacy protocol. Lelantus improves on Sigma by not requiring fix amounts, hiding transaction amounts and users can decide on the amount they use.

  4. The best Pro would be the size of the anonymity set and the fact that all addresses cannot be linked. Very important of you are looking for anonymity. The Con would be the fact that the crpyptography is still new so has not had enough attacks on it yet.

  5. The anonymity set of Monero is 11 as this is the amount of outputs 10 false and 1 true. It does not take into account the fact that Monero’s anonymity set grows with the number of txns

1 Like
  1. Monero does´t not break the link between transactions, but only obscures it by using decoys in the ring signatures (also small set of anonymity, in a special way you could odd which transactions belongs to whom). There is also a wearkness in the implementation in the ring signature itself. With quantum computer it could be possible to deanonymized the entire blockchain and retroactively expose it.
    But here is also a lack of auditability (Check if there is inflation in the supply)

  2. When you want so spend Zerocoin anonymously you have to execute Zerocoin mint in a first step. In an analysis of the timing between minting and spending a time attack could be performed. Imagine, someone want spend Zerocoins immediately after minting. Now it is possible to assign a probability value which minting and spending belongs together. You should wait a longer time frame before spending the Zerocoins.

  3. Lelantus improves Sigma by removing the requirement for fixed denominations and add direct anonymous payments which do not revel amounts. With removing of the fixed denomination the anonymity set is enhanced.

  4. Pro: Potentially the best anonymity set encompassing all coins minted and breaks transaction links between addresses.
    Why? Because it has the highest set of anonymity.

Con: Incorrect implementation or leakage of trusted setup parameters can lead to forgery of coins.
Why? This is in my opinion a major problem why I do not like and use ZCash. The lack of auditability in combination with trust (trust when money is involved, not a good idea) and not just verifying, is not worth the risk of using ZCash.

  1. The number represents the decoys in the signature within your transaction. But it not includes stealth addresses and the fact that each next transaction obscures your spoofs also. And bulletproofs are also not considered.
1 Like
  1. What two primary weaknesses of Monero are discussed?
  • links between transaction are only obscured not broken, you could calculate that there are links between transactions
  • By transaction timing in could be guessed which transaction is the real one.
  1. One listed weakness of the Sigma protocol is susceptibility to “timing attacks”. Based on your read of the article and your understanding of Zerocoin’s Mint/Spend functions, how are ‘timing attacks’ performed, which information is vulnerable, and how can they be prevented?
  • If you mint and spend a coin almost on the same time, you could probably take for granted that they linked to eachother. Could prevent by keeping coins minted for a longer period of time.
  1. What is Lelantus and how does it improve on Sigma?
    It improves Sigma by removing the requirement for fixed denominations and also allowing for direct anonymous payments that do not reveal amounts.

  2. Read the section on Zerocash and Zcash. When compared to Monero, what is the most important ‘pro’ of Zcash, and what is the most important ‘con’? Explain your choice.
    Pro: the anonymity set
    Con: Good researched cryptography

  3. OPINION : Look at the ‘Comparison Chart’ at the end, and ‘Anonymity Set Size’ in particular. Based on your understanding of Monero, Zerocoin and Sigma, is this a fair comparison?
    It does not compare the coming bulletproof

1 Like
  1. What two primary weaknesses of Monero are discussed?
  • Do not break the links between transactions but merely obscures it with decoy inputs and outputs.

  • Ring signature implementation or a reasonably powerful quantum computer becomes feasible, the entire blockchain history is deanonymized and retroactively exposed.

  1. One listed weakness of the Sigma protocol is susceptibility to “timing attacks”. Based on your read of the article and your understanding of Zerocoin’s Mint/Spend functions, how are ‘timing attacks’ performed, which information is vulnerable, and how can they be prevented?
  • Users have to keep coins minted before they intend to spend to prevent timing attacks.
  1. What is Lelantus and how does it improve on Sigma?

By removing the remaining weakness of requiring fixed denominations by utilizing double-blinded commitments and a modification of bullet-proofs to hide transaction amounts.

  1. Read the section on Zerocash and Zcash. When compared to Monero, what is the most important ‘pro’ of Zcash, and what is the most important ‘con’? Explain your choice.
  • Most important Pro of Zcash:

Potentially the best anonymity set encompassing all coins minted and breaks transaction links between addresses, this is the main key point that every privacy coin try reach.

  • Most important Con Zcash:

Private transactions are computationally intensive (though much improved with Sapling upgrade), could be a big problem for the scalability.

  1. OPINION : Look at the ‘Comparison Chart’ at the end, and ‘Anonymity Set Size’ in particular. Based on your understanding of Monero, Zerocoin and Sigma, is this a fair comparison?

It does not take into account the ‘stealth address’ to destination address and the values hiding within RingCT and bulletproofs.

1 Like

• Limitations concerning practical rig size (11), due to size of transaction growing linearly. Anonymity set limited by this. Blockchain analysts would be able to calculate odds and link transactions, cryptonote does not break the link between Tx it merely obscure it.
Security researches found way to make educated guesses of what Tx is the real one by timing of Tx. This used to be 90% accurate but is down to 45% since the implementation of a changed by the Monero developers.
• If I understand correctly both Protocols, Zerocoin and Sigma require or have the same weakness, which is to mint certain amount of coins for future usage, this is due to prevent timing attacks, which could potentially leak your identity. It is not recommended to mint and spend with a short period of time basically.
• Lelantus is another protocol, a further expansion of sigma. Three major things, it gets rid of the fixed denominations and allows direct anonymous payments with private amounts and it makes harder to tie spends to mints.
• Pro; anonymity set is in a way infinite since it encompassed all minted coins, so possibilities are endless vs Monero.
Con; trusted set up……it would just be great to have the program running and not need human intervention, greed is a bitch.
• I don’t think it is fair as this could be compared to the weakness of Zerocoin and Sigma for Timing attack.

1 Like

Leaves me wondering if the zk-SNARKs maintainability and correctness situation could be improved with functional programming and correctness proofs. If the bugs could be eliminated then it’s just down to the strength of the algorithm. Functional compilers also tend to generate faster code than imperative compilers. Or better: functional programming in Fortran 95 for speed and maintainability.

1 Like

1. What two primary weaknesses of Monero are discussed?
Links between transaction are merely obscured, not broken.
Ring signature limitations in being able to guess the real signature.

2. One listed weakness of the Sigma protocol is susceptibility to “timing attacks”. Based on your read of the article and your understanding of Zerocoin’s Mint/Spend functions, how are ‘timing attacks’ performed, which information is vulnerable, and how can they be prevented?
When the user mints and spends at the same time with a small delay, then sender and receiver are linkable. Users have to keep coins minted before they intend to spend to prevent timing attacks.

3. What is Lelantus and how does it improve on Sigma?
An upgrade – Removes the requirement for fixed denominations and also allows for direct anonymous payments that do not reveal amounts

4. Read the section on Zerocash and Zcash. When compared to Monero, what is the most important ‘pro’ of Zcash, and what is the most important ‘con’? Explain your choice.
Pro: Zcash has a much larger anonymity set since it breaks the link between senders and receivers. Monero only masks it.
Con: Difficult to understand, which will dampen development and could result in less support and more errors. Monero is simpler.

5. OPINION : Look at the ‘Comparison Chart’ at the end, and ‘Anonymity Set Size’ in particular. Based on your understanding of Monero, Zerocoin and Sigma, is this a fair comparison?
It’s a good attempt to try and simplify it on a very basic level, but there are just too many factors that don’t come into play with a simple chart like this such as stealth addresses.

1 Like
  1. The first is the fact that the linking of transactions does not break and the second is the very limited anonymity set.
  2. Time attacks allow you to find the link between mined and spent Zcoins. This is possible thanks to an analysis of the time between the minting and the spending of Zcoins. You can prevent these attacks by keeping Zcoins coined for a while, without spending them right away.
  3. Lelantus further expands on Sigma by removing the requirement for fixed denominations and also allowing for direct anonymous payments that do not reveal amounts.
  4. For me the best pro is the fact that it breaks the link between the addresses, rather than just hiding them. This is because, in the case of Monero, if the blockchain were to be deanonymized, all the links between the addresses would be seen. The biggest center is complicated construction and difficulty of understanding. As few people understand the encryption and code behind Zcash, it becomes slow to improve this privacy coin.
  5. Absolutely not. Put this way Monero seems like a “useless” currency. In reality Monero compensates the low anonymity set with other qualities.
1 Like
  1. The two primary weaknesses of Monero which are discussed are; a) that Cryptonote doesn’t break the link between transactions, but merely obscures it with decoy inputs and outputs, particularly as the number of decoys are relatively small, and b) that if a weakness is found then the entire blockchain will be deanonymised and retroactively exposed.

  2. Timing attacks are performed by connecting the time a coin is minted to the time it is spent. If these processes are determined to be by the same person, then we know the transaction is theirs. The information which is vulnerable is the amount sent and the sender’s and receiver’s address. The attack can be prevented by minting coins before they are needed and keeping them in reserve, and also by spending coins at irregular intervals to stop spending patterns from being noticed.

  3. Lelantus is a privacy protocol used in Zcoin which improves on Sigma by removing the requirement for fixed denominations in transactions. It also allows for direct anonymous payments that do not reveal amounts.

  4. The most important “pro” of Zcash compared to Monero is its far larger anonymity set. Clearly the greater the number of decoys, the harder it is to spot the real transaction. The most important “con” is the fact that a trusted set-up is required. Trusting humans is far riskier to privacy than trusting maths.

  5. I feel the assessment of Monero’s anonymity set is too narrow-focused to be fair. The assessment implies that it has made a direct comparison between the two coins but it hasn’t accounted for Monero’s other privacy features such as ringCT, bulletproofs an stealth addresses.

1 Like
  1. The primary drawback of Cryptonote/Monero is that it doesn’t break the links between transactions but merely obscures it with decoy inputs and outputs. Also, security researchers have found ways to make educated guesses as to which transaction is the real one by tying it to the timing of transactions.

  2. Some care is required when doing Sigma mints and spends. Users have to keep coins minted before they intend to spend to prevent timing attacks. Attackers can guess with a great degree of accuracy (up to 50%) the participants of a transaction by just focusing on the most recent transaction being the most likely.

  3. Lelantus retains all the benefits of Sigma of not requiring trusted setup, but removes the remaining weakness of requiring fixed denominations by utilizing double-blinded commitments and a modification of bullet-proofs to hide transaction amounts. Users can burn arbitrary amounts and redeem arbitrary amounts as well making it much harder to tie spends to mints.

  4. When compared to monero the most important “pro” of Zcash is Zcash has a much larger anonymity set. It breaks the link between senders and receivers. Monero masks it (ring signatures). The most important con would be the difficulty to understand the zk SNARK. This could stunt development and could result in less support and more errors. Monero is much easier to understand.

  5. Looking at the comparison chart at the end and anonymity set size in particular based on my unerstanding of Monero, Zerocoin and Sigma I think this is a fair comparison in regards to the set size. I think it can be deceiving in terms of privacy because typically the anonymity set is the number one factor in determining privacy. Monero seems to be very lacking when looking at privacy this way. Yet Monero has other attributes which make it much more private and is arguably the front runner in privacy in my mind. Being neck and neck with Zcash.

1 Like
  1. What two primary weaknesses of Monero are discussed?
    The transaction links dont get removed they just get obscured using the decoys.

There is a future risk of quantum computing being abel to deanonymize the ring security.

  1. One listed weakness of the Sigma protocol is susceptibility to “timing attacks”. Based on your read of the article and your understanding of Zerocoin’s Mint/Spend functions, how are ‘timing attacks’ performed, which information is vulnerable, and how can they be prevented?
    If coins aren’t minted in advance then based on the mint and spending activity it is possible to identify the transacting party. it is recommended that coins are minted in advance.

  2. What is Lelantus and how does it improve on Sigma?
    No fixed denominations and scaleable enough to allow privacy on by default. It also allows direct payments without revealing the amounts.

  3. Read the section on Zerocash and Zcash. When compared to Monero, what is the most important ‘pro’ of Zcash, and what is the most important ‘con’? Explain your choice.
    It has the largest anonymity set and the transaction links are broken. The con is that the supply of coins cant be audited, if there is a weakness and coins could be artificially created then you would have a problem.

  4. OPINION : Look at the ‘Comparison Chart’ at the end, and ‘Anonymity Set Size’ in particular. Based on your understanding of Monero, Zerocoin, and Sigma, is this a fair comparison?
    What stands out is the Anonymity set in Monero, with 11 its rather small, not offering much transaction anonymity in comparison to the other methods.

1 Like
  1. Does not break transaction links, merely obscures them, hence a ‘decoy’ model.
  2. If there is only a small amount of time between minting and spending, then sender and recipient can be linked. Senders need to have a stash of coins minted and spend them at later times in order to avoid timing attacks.
  3. Lelantus further expands on Sigma by removing the requirement for fixed denominations and also allowing for direct anonymous payments that do not reveal amounts.
  4. The biggest plus for me is that the technology breaks the link between addresses, while with XMR there is always that lurking danger that address can be deanonymized at a later time. On the downside, the cryptography used in ZCash is not well researched and broadly understood, so users need to trust the team.
  5. I like simplicity and cudos that chart from that perspective. However, not all important factors of a private transaction are included here. XMR does have other qualities such as ringCT and stealth addresses that are not mentioned here that definitely weigh in when deciding which tech to use.
  1. It does not break transaction links, merely obscures them, hence a ‘decoy’ model.
    Scalability issues because of large transaction sizes and a non-prunable blockchain
  2. Sigma still uses fixed denominations. it will be easy to discern patterns of mints and spends if one is not careful. It is recommended that users mint coin in reserve before they want to spend them.
  3. Lelantus doesn’t require fixed denominations and allows for direct anonymous payments that do not reveal amounts and makes it harder to tie spends to mints.
  4. Pro: Breaks transaction links between addresses and has small proof sizes.

Con: Private transactions are computationally intensive and it requires a complicated trusted setup.
5. It represents UTXO’s in one transaction, but in Monero the overall anonymity increases with the number of transactions.

1Links between transaction are merely obscured, not broken.Ring signature limitations powerfull quantum computers could guess signatures
2: Senders and receivers can be linked if the spends and received are done within a relatively shart time. Coins need to be kept for a while after being minted before spending.
3:Requirements for for fixed denominations were removed. Direct anonymous payments that do not reveal amounts were allowed.
4:Zcash breaks the link between senders and receivers and has a larger anonymity set where Monero only obscure the link. Difficulty in understanding leading to less support and less development,more errors. Monero is much simpler.
5: It is a good simple chart with good info but does not go into many more issues and factors simplifying the impact of Monero

  1. A. Monero’s anonymity is limited by the number of participants in the ring. The size of a transaction grows linearly as the ring size increases. This is why Monero has a relatively small ring size of 11. This means on a per transaction basis, the anonymity is limited by the number of participants in the ring.
    B. Security issues. Blockchain analysts and security researchers found ways to make educated guesses as to which transaction is the real one by tying it to the timing of transactions. The real one is very likely to have been the most recent coin to have moved prior to that transaction.
    C) Also, if there’s a weakness in its ring signature implementation or a reasonably powerful quantum computer becomes feasible, the entire blockchain history is deanonymized and retroactively exposed.

  2. You always have to fully redeem Zerocoins, meaning if you burn 10 you always have to redeem 10, there are timing attacks where you can guess which redemption corresponds with which burn especially if there is a pattern to them. You can prevent this by holding onto the minted coins longer instead of minting and spending right away.

  3. Lelantus is a privacy payment protocol. The improvements over Sigma are
    A)No need for a mixer
    B) Very high anonymity with anonymity sets of up to around 100,000. Mint and spend transactions and completely breaks transaction links between addresses.
    C) Uses well-researched cryptography and only requiring DDH cryptographic assumptions
    D) Small proof sizes of around 1.5 kB
    E) No trusted setup
    F) Doesn’t use fixed denominations
    G) Can do direct anonymous payments without having to convert to base coin.
    H) Scalable enough to allow privacy on by default

  4. A. Most important pro is Zcash encrypts the data, meaning that the entire transaction history is hidden from sight. The platform uses a cryptographic technique called zero-knowledge proofs that can verify payments without having to know specific details about it.
    B. Most important con is supply can’t be audited and if it was compromised an infinite amount of coins could be minted with no one knowing.

  5. IMO I think it’s fair. Every coin has its pros and cons.