Firo (formerly Zcoin) Comparison - Reading Assignment

  1. What two primary weaknesses of Monero are discussed?
    The transaction growth and the security, which is detailed in this paragraph: Ring signatures as currently implemented in CryptoNote currencies also have limitations concerning practical ring size (the number of other outputs you are taking) as the size of a transaction grows linearly as the ring size increases. This is why Monero has a relatively small ring size of 11. This means on a per transaction basis, the anonymity is limited by the number of participants in the ring. Blockchain analysts although they might not be able to prove transactions are linked, they can calculate the odds that they are. The primary drawback of Cryptonote is that it doesn’t break the links between transactions but merely obscures it with decoy inputs and outputs.

  2. One listed weakness of the Sigma protocol is susceptibility to “timing attacks”. Based on your read of the article and your understanding of Zerocoin’s Mint/Spend functions, how are ‘timing attacks’ performed, which information is vulnerable, and how can they be prevented?

how they are performed: In cryptography, a timing attack is a side-channel attack in which the attacker attempts to compromise a cryptosystem by analyzing the time taken to execute cryptographic algorithms.

which information is vulnerable:
the sender and receiver

how to prevent timing attacks:
To avoid time attacks, senders need to stash some coins to the side so they can send them later.

  3. What is Lelantus and how does it improve on Sigma?

Lelantus retains all the benefits of Sigma of not requiring trusted setup, but removes the remaining weakness of requiring fixed denominations by utilizing double-blinded commitments and a modification of bullet-proofs to hide transaction amounts. Users can burn arbitrary amounts and redeem arbitrary amounts as well making it much harder to tie spends to mints.

  4. Read the section on Zerocash and Zcash. When compared to Monero, what is the most important ‘pro’ of Zcash, and what is the most important ‘con’? Explain your choice.
    the best pro: all transaction amounts are hidden and there is no longer a need to use fixed denominations when doing a minting transaction.

the con: Zcash utilized a multi-party ceremony involving six people set up in a way that the only way these parameters could be leaked is if all six in the ceremony colluded to retain the keys. In other words, you have to trust all of these six people that they destroyed the initial parameters and also that the ceremony was carried out correctly.

  5. OPINION : Look at the ‘Comparison Chart’ at the end, and ‘Anonymity Set Size’ in particular. Based on your understanding of Monero, Zerocoin and Sigma, is this a fair comparison?

I believe so. No one coin can be completely perfect, some are going to have flaws.

  1. Two weaknesses of Monero are that the link between transactions is not broken, just complicated by decoys, and that it is not possible to audit the supply and hence detect counterfeited coins.
  2. If a user mints and then spends this can be used to link the spender and receiver. It is better to mint coins and keep them on hand until needed.
  3. Lelantus is an upgrade to Sigma. It does not need a trusted setup. Sigma also removes the need to use fixed denominations.
  4. An improvement over Monero is that the link between transaction addresses is severed. A disadvantage is that it is so complicated that only a handful of people can understand it so there is a real chance of an error being overlooked.
  5. The stated anonymity set of 11 is the size of the current ring signature. You are one of 11. But as transactions propagate through the network over time these compound so it will get harder with more use.

What two primary weaknesses of Monero are discussed?

The first primary weakness discussed is in the use of Ring Signatures. Though there are decoy signatures in the transaction, its limited anonymity set doesn’t break the links between transactions, it only obscures them with the decoy inputs and outputs. The second primary weakness discussed is in the RingCTs: the fact that it's so well hidden means you can't audit the coins, which means we have no real idea how many coins are in the Monero ecosystem. It isn't auditable. Since it isn’t auditable someone could possibly create more coins and thus create unknown inflation.

One listed weakness of the Sigma protocol is susceptibility to “timing attacks”. Based on your read of the article and your understanding of Zerocoin’s Mint/Spend functions, how are ‘timing attacks’ performed, which information is vulnerable, and how can they be prevented?

From my understanding a “timing attack” is a side-channel attack where an attacker analyzes the time taken to execute a cryptographic algorithm. As for what information is leaked, the timing of when a Zerocoin was minted and spent could be valuable in narrowing down the sender and receiver of coins. As to how to deal with this issue, the article recommends that the user mint coins beforehand and use them later on as it can put the timing in disarray and you the user can avoid spending freshly minted coins.

What is Lelantus and how does it improve on Sigma?

To quote the article:

“Lelantus further expands on Sigma by removing the requirement for fixed denominations and also allowing for direct anonymous payments that do not reveal amounts.”
“Lelantus retains all the benefits of Sigma of not requiring trusted setup, but removes the remaining weakness of requiring fixed denominations by utilizing double-blinded commitments and a modification of bullet-proofs to hide transaction amounts. Users can burn arbitrary amounts and redeem arbitrary amounts as well making it much harder to tie spends to mints.”

Read the section on Zerocash and Zcash. When compared to Monero, what is the most important ‘pro’ of Zcash, and what is the most important ‘con’? Explain your choice.

As far as Zerocash & Zcash in comparison to Monero, the most important PRO for the “Z’s” is the speed in verification. If we're going to be using these currencies in day-to-day transactions, its speed has to be lightning quick, especially at the grocery store. I imagine if the speed is great it should/could be better at scalability, though that’s just my assumption. As for CON, the fact that it can't be audited puts it in a terrible situation, first being that we don’t know the inflation rate and second, could this hidden inflation hide potential forgeries of new coins?

OPINION : Look at the ‘Comparison Chart’ at the end, and ‘Anonymity Set Size’ in particular. Based on your understanding of Monero, Zerocoin and Sigma, is this a fair comparison?

It is a fair comparison if they're based on facts, but as a potential user of the technology, it wouldn’t bother me. Security, privacy and usability are more important factors, as discussed in the Monero comparison: “Anonymity increases as time passes as outputs become the new inputs of new mixes”, and with the history of usability with Monero it’ll only get better as time goes on.

  1. Size of ring signatures that can in the future be deanonymized by a powerful enough computer.
  2. Users should wait before spending the minted ZCoin since someone could predict that you are the sender of the coins if you send them right away.
  3. Removes the required fixed denomination.
  4. Pro is a very large anonymity set while con is that it is fairly new technology that might have holes.
2 Likes
  1. What two primary weaknesses of Monero are discussed?
  • Blockchain analysts although they might not be able to prove transactions are linked, they can calculate the odds that they are.
  • Also, security researchers have found ways to make educated guesses as to which transaction is the real one by tying it to the timing of transactions.
  2. One listed weakness of the Sigma protocol is susceptibility to “timing attacks”. Based on your read of the article and your understanding of Zerocoin’s Mint/Spend functions, how are ‘timing attacks’ performed, which information is vulnerable, and how can they be prevented?
  • Some care is required when doing Sigma mints and spends. Users have to keep coins minted before they intend to spend to prevent timing attacks.
  3. What is Lelantus and how does it improve on Sigma?
  • It improves on sigma by removing the requirement for fixed denominations and also allowing for direct anonymous payments that do not reveal amounts.
  4. Read the section on Zerocash and Zcash. When compared to Monero, what is the most important ‘pro’ of Zcash, and what is the most important ‘con’? Explain your choice.
    Pro
  • Very high anonymity in the many thousands (if not more) with a single mint and spend transaction and completely breaks transaction links between addresses compared to RingCT in Monero with a fixed number for the anonymity set.
    Con
  • Requires a trusted setup while in Monero mixing is done automatically.
  5. OPINION : Look at the ‘Comparison Chart’ at the end, and ‘Anonymity Set Size’ in particular. Based on your understanding of Monero, Zerocoin and Sigma, is this a fair comparison?
  • Monero has a fixed anonymity set while Sigma, though with a fixed denomination set, has a larger anonymity set.

1: Two weaknesses of Monero are its ring size limiting the anonymity set, and that it obscures the links between the transactions instead of breaking them.
2: Timing attacks happen when minting and spending happen too closely, leaving the sender and receiver addresses vulnerable to being seen; if one keeps the minted coins for a longer period then this does not happen as easily.
3: Lelantus is a ZCoin creation that expands on Sigma while keeping Sigma's benefits; it uses double-blinded commitments along with bulletproofs to hide transaction amounts.
4: The most important pro to Zcash is that proof size is lower and verification is quicker; the con is that this is new, less tested and may be at more of a risk.
5: 11 is the ring signature size, meaning the past output transactions used to obscure mine, yet it does not have a connection to the transactions coming that will obscure it more and more.

1 Like
  1. What two primary weaknesses of Monero are discussed? Ring size as implemented in CryptoNote limits anonymity to 11 and anonymity is based on the number of participants in a ring. Also CryptoNote doesn’t break the transaction links, it only obscures the amounts. These weaknesses make some level of traceability possible, ultimately limiting the real coin down to 45% or one of two possible tx’s.

  2. One listed weakness of the Sigma protocol is susceptibility to “timing attacks”. Based on your read of the article and your understanding of Zerocoin’s Mint/Spend functions, how are ‘timing attacks’ performed, which information is vulnerable, and how can they be prevented? Sigma greatly improved on Zerocoin’s protocol. Spending Zerocoins either immediately after minting, incorrectly, or at regular intervals, leaves vulnerabilities in anonymity. It also requires a trusted set-up. Sigma also still requires fixed denominations meaning patterns of mints and spends are more discernible and if not careful anonymity sets are limited to around 100,000 before performance degrades.

  3. What is Lelantus and how does it improve on Sigma? Lelantus retains all the benefits of Sigma and doesn’t require trusted set up, and it removes the weakness of fixed denominations by utilizing double-blind commitments and a modification of bulletproofs to hide tx amounts. Users can burn arbitrary amounts and retrieve them to reduce ties to spends.

  4. Read the section on Zerocash and Zcash. When compared to Monero, what is the most important ‘pro’ of Zcash, and what is the most important ‘con’? Explain your choice. In comparison to Monero, one of the most important pros is that transaction links are broken in Zcash and in Monero they are just obscured. The most important con would be Zcash’s complicated set up which is only understood by a few, making it very hard (if at all) to detect bugs in the code. In Zcash, generated additional supply cannot be detected.

  5. OPINION: Look at the ‘Comparison Chart’ at the end, and ‘Anonymity Set Size’ in particular. Based on your understanding of Monero, Zerocoin and Sigma, is this a fair comparison? It depends what you mean by “fair”. The article and comparison chart look at what seems to be the most current and known privacy protocols being used in various coins on the blockchain. Looking at all the important components and trade-offs that play a role in privacy, trusted set up and being able to determine the supply at any point in time, is crucial to the whole idea of blockchain technology and fair peer-to-peer exchange. Loopholes, such as the ability to print coins out of thin air, untrusted setup, or being unable to audit supply errors are bad for the entire ecosystem in my opinion.

1 Like

1 ring signatures and possibility to audit

2 When the user mints and spends at the same time with a small delay, then sender and receiver are linkable. Creating a delay between minting and spending helps to unlink sender and receiver.

3 Lelantus is an upgrade to Sigma, which doesn't require a trusted setup or fixed denominations and allows direct payment from sender to receiver without converting between zerocoins and basecoins

4 higher anonymity set. XMR is still traceable
con: trusted setup is an issue

5 It represents the current transaction's default RingCT ‘decoy’ array size. It does not take into account that each next transaction obscures it more and the next coming improvements like Bulletproof.

1 Like

What two primary weaknesses of Monero are discussed?
Ring size is 11, anonymity set is only limited to the ring size which is small. Also from the timing of the real transaction and decoys, the real transaction is deducible because the UTXO used should be recent.

One listed weakness of the Sigma protocol is susceptibility to “timing attacks”. Based on your read of the article and your understanding of Zerocoin’s Mint/Spend functions, how are ‘timing attacks’ performed, which information is vulnerable, and how can they be prevented?
When the user mints and spends at the same time with a small delay, then sender and receiver are linkable. Creating a delay between minting and spending helps to unlink sender and receiver

What is Lelantus and how does it improve on Sigma?
Lelantus retains all the benefits of Sigma of not requiring trusted setup, but removes the remaining weakness of requiring fixed denominations by utilizing double-blinded commitments and a modification of bulletproofs to hide transaction amounts. Users can burn arbitrary amounts and redeem arbitrary amounts as well making it much harder to tie spends to mints

Read the section on Zerocash and Zcash. When compared to Monero, what is the most important ‘pro’ of Zcash, and what is the most important ‘con’? Explain your choice.
Most important pro: Much higher anonymity set. Research has shown that Monero is still traceable in practice because of the low anonymity set of the ring size and quality of decoys is not always good

Most important con: Trusted setup. The whole point of crypto and the original problem crypto should solve is to minimize trust, but the trusted setup defeats the original purpose of crypto. Although the privacy solution might be the greatest, the original problem we want to solve with blockchains is trust

OPINION : Look at the ‘Comparison Chart’ at the end, and ‘Anonymity Set Size’ in particular. Based on your understanding of Monero, Zerocoin and Sigma, is this a fair comparison?
It's the minimum fixed RingCT size

1 Like
  1. What two primary weaknesses of Monero are discussed? In Monero’s implementation of RingCT, someone who breaks the discrete logarithm that underpins RingCT can forge coins without anyone knowing it. Bugs can also affect this, and the lack of supply auditability can complicate detecting hidden inflation.

  2. One listed weakness of the Sigma protocol is susceptibility to “timing attacks”. Based on your read of the article and your understanding of Zerocoin’s Mint/Spend functions, how are ‘timing attacks’ performed, which information is vulnerable, and how can they be prevented? A timing attack is a side-channel attack in which the attacker attempts to compromise a cryptosystem by analyzing the time taken to execute Zerocoin algorithms. Vulnerable information includes cryptographic system design, the CPU running the system, the algorithms used, assorted implementation details, timing attack countermeasures, the accuracy of the timing measurements, etc. Avoidance of timing attacks involves design of constant-time functions and careful testing of the final executable code. Many cryptographic algorithms can be implemented (or masked by a proxy) in a way that reduces or eliminates data-dependent timing information, a constant-time algorithm.

  3. What is Lelantus and how does it improve on Sigma? Lelantus expands on Sigma by removing the requirement for fixed denominations and also allowing for direct anonymous payments that do not reveal amounts. Lelantus retains all the benefits of Sigma of not requiring trusted setup but removes the remaining weakness of requiring fixed denominations by utilizing double-blinded commitments and a modification of bullet-proofs to hide transaction amounts. Users can burn arbitrary amounts and redeem arbitrary amounts as well making it much harder to tie spends to mints.

  4. Read the section on Zerocash and Zcash. When compared to Monero, what is the most important ‘pro’ of Zcash, and what is the most important ‘con’? Explain your choice. The most important ‘pro’ in my opinion is the best anonymity set encompassing all coins minted and breaks transaction links between addresses. The most important ‘con’ is the complicated construction and difficult to understand in full, meaning that only a handful of people can grasp the cryptography and code and may be prone to errors. Even though links are broken, this provides a layer of protection. However, to have only a handful of people that can grasp this opens the door to vulnerability of hackers.

  5. OPINION: Look at the ‘Comparison Chart’ at the end, and ‘Anonymity Set Size’ in particular. Based on your understanding of Monero, Zerocoin and Sigma, is this a fair comparison? The comparison is only based on current data. I don’t think it’s a fair comparison when it doesn’t take into consideration quantum computers or computation.

1 Like
  1. What two primary weaknesses of Monero are discussed?
  • A small (and not guaranteed) anonymity set;
  • Supply cannot be audited, so if a bug enabled inflation, it would not be noticed.
  2. One listed weakness of the Sigma protocol is susceptibility to “timing attacks”. Based on your read of the article and your understanding of Zerocoin’s Mint/Spend functions, how are ‘timing attacks’ performed, which information is vulnerable, and how can they be prevented?
  • If we suspect that two individuals are transacting, we could see one of them minting and the other one spending, which increases suspicion. This, though, could be solved if the currency becomes mainstream and everybody is using it.
  • As the transaction amounts are not hidden, but only split in denominations, it could be possible to combine some “mints” with “spends” within a given time frame with some probability.
  • This probability is greatly reduced as time passes while the minted coins are kept in the accumulator.
  3. What is Lelantus and how does it improve on Sigma?
  • It doesn’t require fixed denominations (less linkability);
  • It would allow also to hide amounts by sending and receiving arbitrary amounts. But, as seen previously, if a privacy feature is not by default, it is not that effective. And, wouldn’t it also remove the ability to audit supply?
  4. Read the section on Zerocash and Zcash. When compared to Monero, what is the most important ‘pro’ of Zcash, and what is the most important ‘con’? Explain your choice.
  • + Potentially the best anonymity set while completely unlinking addresses, because I think it is the only pro against Monero that still applies. But, again, the feature must be by default!
  • - I would say it is the trusted setup. Having a small centralized team in this matter spoils the whole point of decentralization. There is the trust issue, and the attack possibility, much like in traditional finance.

By the way, in this section, under Pros it says:
Proof sizes are small and fast to verify.
Then under Cons:
Private transactions are computationally intensive (though much improved with Sapling upgrade), which quite spoils the mentioned pro.

  5. OPINION : Look at the ‘Comparison Chart’ at the end, and ‘Anonymity Set Size’ in particular. Based on your understanding of Monero, Zerocoin and Sigma, is this a fair comparison?
  • No. That could be the case if Zerocoin and Sigma could hide transaction amounts. For now, though, as we see in Sigmastatus, the anonymity set is much less.
1 Like

It wouldn’t really remove it but I imagine it would make the process much more difficult.

2 Likes
  • Risks of blockchain being deanonymized in the future or through incorrect implementations
  • Ring size is practically limited
  1. If the user mints and then spends right away. This can compromise anonymity. The users have to keep the coins minted before they can spend to prevent timing attacks. The longer the coin stays in its minted form, the better the anonymity set.

  2. Lelantus retains all the benefits of Sigma of not requiring trusted setup, but removes the remaining weakness of requiring fixed denominations by utilizing double-blinded commitments and a modification of bullet-proofs to hide transaction amounts.

  3. Pros: Potentially the best anonymity set encompassing all coins minted and breaks transaction links between addresses. Monero can still be traceable.
    Con: Requires a trusted setup whereas Monero doesn’t. The whole fascination and what makes cryptocurrency great is the idea of a trustless system.

  4. I don’t believe it is. It is just comparing one of the functions these privacy tokens play. It really depends on what you value, do you want to have a “trusted setup” or do you want a “non trusted setup”.

1 Like

The two primary weaknesses of the Monero protocol discussed are the small anonymity set and the failure to break the link between transactions. Timing attack refers to how closely the minted coins and spent coins are used. Timeframes are always important considerations when trying to establish links of addresses within a public blockchain. Lelantus is a next-gen privacy protocol for ZCoin, featuring new implementations of Sigma that eliminate the need for denominations and also newly allowed no-conversion anonymous payments. The purported biggest pro for Zcash over Monero is the anonymity set, while transaction speed is noted as its biggest challenge. However, supply auditability is a HUGE concern for Zcash, and is overlooked by the authors.
I do not believe the comparison is fair in these coins and their protocols in comparison to Monero. Monero’s RingCT scheme is not accurately depicted in the chart, as it does not account for stealth addresses or one-time spend addresses. Also unaccounted for is the fact that the timing of minting of coins to spending them can greatly affect the feasibility for linking, which affects the mathematics when plausible participants are accounted for.

1 Like
  1. What two primary weaknesses of Monero are discussed?
    Ring size is 11, anonymity set is only limited to the ring size which is small. Also from the timing of the real transaction and decoys, the real transaction is deducible because the UTXO used should be recent.
  2. One listed weakness of the Sigma protocol is susceptibility to “timing attacks”. Based on your read of the article and your understanding of Zerocoin’s Mint/Spend functions, how are ‘timing attacks’ performed, which information is vulnerable, and how can they be prevented?
    When the user mints and spends at the same time with a small delay, then sender and receiver are linkable. Creating a delay between minting and spending helps to unlink sender and receiver.
  3. What is Lelantus and how does it improve on Sigma?
    Lelantus is an upgrade to Sigma, it doesn’t require a trusted setup, doesn’t require fixed denominations and allows direct payment from sender to receiver without converting between zerocoins and basecoins.
  4. Read the section on Zerocash and Zcash. When compared to Monero, what is the most important ‘pro’ of Zcash, and what is the most important ‘con’? Explain your choice.
  • Most important pro: Much higher anonymity set. Research has shown that Monero is still traceable in practice because of the low anonymity set of the ring size and quality of decoys is not always good.
  • Most important con: Trusted setup. The whole point of crypto and the original problem crypto should solve is to minimize trust, but the trusted setup defeats the original purpose of crypto. Although the privacy solution might be the greatest, the original problem we want to solve with blockchains is trust.
  5. Read the table at the end of the article (‘Summary’). The Anonymity Set Size for Monero is ‘11’. Based on your knowledge of the different technologies that go into Monero, what does this number actually represent, and what does it not take into account?
    It is the size of “ring signature”, the number of past output transactions that you include in the transaction to obscure yours.
    It does not take into account that each next transaction obscures it more and the next coming improvements like Bulletproof.
1 Like
  1. Anonymity set not quite guaranteed, and supply auditability not possible.
  2. They are performed by analyzing the timing between ZCoin Mint and ZCoin Spend transactions in order to try to identify which ones are connected. The valuable information at that point would be related to sending and receiving addresses, as it would be possible to identify relations between different addresses. A way to prevent such type of attack is to keep some minted coins in store to spend them when needed, avoiding spending freshly minted coins right after the process.
  3. Removes fixed denominations.
  4. imho the largest anonymity set as this is vital for current users thus giving the team tools for further development… cons: trusted setup defo and also KEA.
  5. It is a bit misleading. It is the number of how many decoys that can be included in a transaction using ring signatures on Monero. It can be possible to analyze since 11 is a low anonymity set, but the anonymity level increases with the number of transactions - outputs becoming new inputs of new mixes.
1 Like
  1. Monero’s anonymity set is relatively low (11) and it is not supply auditable - if someone cracks the code (breaks the discrete logarithm) they can forge coins.

Supply auditability: the ability to verify that no new coins are being secretly generated and to know how many coins are in circulation at any one time.

  2. I’m not sure about this one, but I think that with a timing attack an attacker measures the time it takes from a mint to a spend and can in such a way somehow deduce the amount you have spent. One way around this is to hold on to your mints for different amounts of time before spending them.

  3. There are no fixed denominations and one can do anonymous transactions directly without having to revert to a basecoin.

  4. Pro: it has the best anonymity set - all minted coins, which means it grows with every mint. Compare that to Monero’s measly 11 and I rest my case.
    Con: The trusted setup. If anything goes wrong the entire cryptocurrency could be in serious trouble and we wouldn’t even know about it (con nr two - lack of supply auditability).

  5. Not really, because it only shows one side of things. Zerocoin for instance kicks Monero’s ass when it comes to the anonymity set, but is itself an outdated protocol that has been abandoned by pretty much everyone, whereas Monero is still going strong. Sigma is a stronger player, not just with its anonymity set (100 000 is crazy!), but also with its supply auditability, which Monero doesn’t have. However, one has to use fixed denominations with Sigma, whereas you don’t with Monero.
    In conclusion, I don’t think that this is a fair comparison of these three coins/protocols based solely on the anonymity set.

1 Like
  1. What two primary weaknesses of Monero are discussed?
    link between tx are not broken but obscured
    it is not possible to check the total supply and therefore risk of inflating attack

  2. One listed weakness of the Sigma protocol is susceptibility to “timing attacks”. Based on your read of the article and your understanding of Zerocoin’s Mint/Spend functions, how are ‘timing attacks’ performed, which information is vulnerable, and how can they be prevented?
    are performed by analyzing the time between mint and spend tx, it can be avoided by keeping minted coin to spend later

  3. What is Lelantus and how does it improve on Sigma?
    remove fix denominations and make possible anonymous payments

  4. Read the section on Zerocash and Zcash. When compared to Monero, what is the most important ‘pro’ of Zcash, and what is the most important ‘con’? Explain your choice.
    it has very high anonymity but it has issues with the setup parameters

  5. OPINION : Look at the ‘Comparison Chart’ at the end, and ‘Anonymity Set Size’ in particular. Based on your understanding of Monero, Zerocoin and Sigma, is this a fair comparison?
    xmr anonymity set is not fair because the anonymity increases with tx

1 Like
  1. What two primary weaknesses of Monero are discussed?

It is a decoy based system that only obscures the links between transactions and addresses, not break them.
Supply audits are not possible because of RingCT, so you can’t tell if inflation is happening for sure.

  2. One listed weakness of the Sigma protocol is susceptibility to “timing attacks”. Based on your read of the article and your understanding of Zerocoin’s Mint/Spend functions, how are ‘timing attacks’ performed, which information is vulnerable, and how can they be prevented?

If you spend coins immediately after minting them, an attacker can compare the denominations being sent to mint and sent from spend and the time they are minted and spent to connect the amount, sending address, and receiving address. To prevent this, I suppose you would need to always have coins minted in advance of wanting to spend them. Also, maybe sending change to another of your addresses through the spend in addition to the output you want to send to someone else would help obscure which output went to whom.

  3. What is Lelantus and how does it improve on Sigma?

It is a protocol that expands Sigma by removing the requirement for fixed denominations and allows for direct anonymous payments that do not reveal amounts

  4. Read the section on Zerocash and Zcash. When compared to Monero, what is the most important ‘pro’ of Zcash, and what is the most important ‘con’? Explain your choice.

The most important pro vs Monero would be it has a better anonymity set and breaks the link between addresses instead of just obscuring it. This is important because if the chain is attacked the previous txs will not be deanonymized like it could be in Monero and cryptonote systems.
The most important con is the lack of supply auditability, but Monero also has this problem. So I would say that in addition to this con, Zcash also requires a trusted setup. This is a big problem as it requires people to “trust” that everything is working properly without any ability to verify the process on chain.

  5. OPINION : Look at the ‘Comparison Chart’ at the end, and ‘Anonymity Set Size’ in particular. Based on your understanding of Monero, Zerocoin and Sigma, is this a fair comparison?

No, this is not a fair comparison, as the anonymity set of Monero increases as more and more txs are added.

1 Like
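The mint-then-spend timing point raised in this thread can be put into numbers. The following is an added example, not taken from the article or from any poster: it counts how many same-denomination mints fall between a user's mint and spend, i.e. how many coins the user hides among if an observer only considers recent mints. The denominations, the ledger and the "observer window equals the real delay" model are constructed assumptions, and already-spent mints are not removed from the pool.

```python
from dataclasses import dataclass

# Constructed values for illustration only; not Sigma's real denomination list.
DENOMINATIONS = (1, 10, 25)


@dataclass(frozen=True)
class Mint:
    minute: int        # time of the mint, in minutes since the ledger start
    denomination: int  # public: fixed denominations are visible on chain
    owner: str         # known here for the demo only; never visible on chain


def build_ledger(total_minutes, interval=10):
    """Constructed ledger: one mint by other users every `interval` minutes,
    cycling through the denominations."""
    return [
        Mint(t, DENOMINATIONS[(t // interval) % len(DENOMINATIONS)], "other")
        for t in range(0, total_minutes, interval)
    ]


def candidate_mints(ledger, spend_minute, denomination, window):
    """Mints that fit a spend if the observer assumes the spent coin was
    minted at most `window` minutes earlier and has the same denomination."""
    return [
        m for m in ledger
        if m.denomination == denomination
        and spend_minute - window <= m.minute < spend_minute
    ]


def exposure(ledger, own_mint, delay):
    """Return (pool size, chance of a correct guess) when the user spends
    `delay` minutes after minting. Assumption: the observer's window is
    exactly the real delay, the tightest window that still holds the mint."""
    spend_minute = own_mint.minute + delay
    pool = candidate_mints(ledger, spend_minute, own_mint.denomination, delay)
    if own_mint not in pool:
        raise ValueError("delay must be positive and the mint must be in the ledger")
    return len(pool), 1.0 / len(pool)


def demo():
    """Compare spending 5 minutes, 1 day and 7 days after minting."""
    own = Mint(1003, 10, "me")                    # constructed user mint
    ledger = build_ledger(14 * 24 * 60) + [own]   # two weeks of other mints
    return {d: exposure(ledger, own, d) for d in (5, 24 * 60, 7 * 24 * 60)}


if __name__ == "__main__":
    for delay, (size, chance) in demo().items():
        print(f"delay {delay:>6} min: pool of {size:>3} mints, "
              f"guess succeeds with p = {chance:.4f}")
```

With this constructed ledger, a spend five minutes after the mint leaves the user alone in the pool, while holding the coin for a week puts several hundred same-denomination mints in it.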
  1. • Because of the small ring size, on a per transaction basis, the anonymity is limited by the number of participants in the ring. Blockchain analysts although they might not be able to prove transactions are linked, they can calculate the odds that they are. The primary drawback of Cryptonote is that it doesn’t break the links between transactions but merely obscures it with decoy inputs and outputs.

    • another criticism of CryptoNote is that if there’s a weakness in its ring signature implementation or a reasonably powerful quantum computer becomes feasible, the entire blockchain history is deanonymized and retroactively exposed. This cannot be fixed after the fact. In fact, a flawed implementation in a CryptoNote currency called ShadowCash allowed for its blockchain to be deanonymized in its entirety.
  2. Time attacks allow you to find the link between minted and spent Zcoins.
    This is possible thanks to an analysis of the time between the minting and the spending of Zcoins. You can prevent these attacks by keeping Zcoins minted for a while, without spending them right away.

  3. Lelantus retains all the benefits of Sigma of not requiring trusted setup, but removes the remaining weakness of requiring fixed denominations by utilizing double-blinded commitments and a modification of bullet-proofs to hide transaction amounts. Users can burn arbitrary amounts and redeem arbitrary amounts as well making it much harder to tie spends to mints.

  4. pro - it has a bigger anonymity set and links between sender and receiver are completely severed. No link guessing possible.

    con - difficult and dangerous to use, as an incorrect implementation or leakage of trusted setup parameters can lead to forgery of coins.

  5. No, this is not a fair comparison at all, as the anonymity set of Monero increases as more and more txs are added.

1 Like