A question that often pops up is: what are the differences between Zcoin and Zcash?

Zcoin and Zcash were the first two cryptocurrencies to use zero-knowledge proofs to guarantee zero-knowledge financial anonymity. There are various tradeoffs between using Zcoin and Zcash. Zcoin uses the Zerocoin Protocol (cited by academics 208 times, at time of writing), whereas Zcash uses the Zerocash Protocol (cited by academics 104 times, at time of writing). The cryptographic properties of Zcoin and Zcash supplement each other quite nicely, and a good way to describe them would be as sibling cryptocurrencies.

The four major differences between Zcoin (Zerocoin Protocol) and Zcash (Zerocash Protocol) are as follows:

1) Zcash conceals the amount of money sent in each transaction, whereas Zcoin does not. So Zcash is less prone to privacy timing attacks than Zcoin. On the other hand, this comes with a big tradeoff for Zcash, in the form of potentially undetected hyper-inflation in Zerocash’s money supply.

A timing attack on Zcoin could work by exploiting knowledge of when somebody “mints” a Zerocoin and trying to analyze patterns in when he “spends” the Zerocoin. Thus we always recommend minting some Zerocoins beforehand as a store and spending them as required rather than ‘minting’ them right before an intended transaction.

The Zerocoin Protocol has two major steps. The first step is the “Zerocoin mint” step, in which a “public coin” goes into a data structure called an accumulator. An accumulator answers a query as to whether a potential candidate is a member of a set without revealing the individual members of the set. The second step in the process is the “Zerocoin spend” step, which allows for somebody to conduct a Zero-Knowledge proof showing that one owns a coin in the accumulator without having to tell which coin one owns. With this Zero-Knowledge “Zerocoin spend” proof, a fresh Zcoin is generated without any transaction history attached.
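The accumulator step described above, as an added example that is not Zcoin's code: a toy RSA accumulator in which a verifier holding only the accumulator value and one witness can confirm membership without seeing the other coins. The modulus `N`, the base `G` and the coin values are constructed for illustration and are not secure, and the zero-knowledge proof that hides which coin is being spent is not implemented here.

```python
# Toy RSA accumulator with constructed parameters. NOT secure: a real
# deployment needs a modulus whose factorisation nobody knows, whereas these
# two factors are public Mersenne primes so the example runs offline.
N = (2**89 - 1) * (2**107 - 1)
G = 3  # accumulator base (assumption for this example)

# Constructed "public coins". Accumulated values must be prime.
COINS = [101, 103, 107]

def mint(acc, coin):
    """'Zerocoin mint': fold one public coin into the accumulator."""
    return pow(acc, coin, N)

def accumulate(coins):
    """Accumulator value after minting every coin in `coins`."""
    acc = G
    for coin in coins:
        acc = mint(acc, coin)
    return acc

def witness(coins, mine):
    """Membership witness for `mine`: the accumulator of all other coins."""
    return accumulate(c for c in coins if c != mine)

def is_member(acc, coin, wit):
    """Check membership using only the accumulator value and a witness."""
    return pow(wit, coin, N) == acc

if __name__ == "__main__":
    acc = accumulate(COINS)
    wit = witness(COINS, 101)
    print("101 in set:", is_member(acc, 101, wit))
    print("109 in set:", is_member(acc, 109, wit))
```

In the protocol, the spender proves knowledge of a coin and witness that pass this check instead of revealing them.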

Because each Zerocoin must execute “Zerocoin mint” before it can be made anonymous with “Zerocoin spend”, analysis of the timing between the “Zerocoin mint” and “Zerocoin spend” might be used in a timing attack. It is possible that users might want to conduct “Zerocoin spend” transactions right after their “Zerocoin mint” transaction. Thus, if this behavioral heuristic is true, it could be used to assign a probability value that a “Zerocoin mint” transaction is associated with a certain “Zerocoin spend” transaction. However, waiting a longer time between “Zerocoin mint” and “Zerocoin spend” transactions prevents such timing attacks from being effective.
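A wallet-side way to see the effect of waiting, as an added example that is not part of Zcoin: it counts the mints a spend could correspond to and estimates how much of an observer's "spent soon after minting" weighting lands on the wallet's own mint. The block heights are constructed, and the half-life weighting is an assumed model of the heuristic described above, not a measured one.

```python
# Constructed block heights of mints of one denomination; the wallet's is 500.
MINTS = [100, 220, 340, 460, 500, 560, 640, 700, 790, 850]
MY_MINT = 500

def candidate_mints(mint_heights, spend_height):
    """Mints an observer cannot rule out: all confirmed before the spend."""
    return [h for h in mint_heights if h < spend_height]

def recency_share(mint_heights, my_mint, spend_height, half_life=60):
    """Fraction of the observer's recency weight that falls on my_mint.

    Assumed model: a candidate's weight halves for every `half_life`
    blocks that passed between its mint and the spend.
    """
    cands = candidate_mints(mint_heights, spend_height)
    if my_mint not in cands:
        raise ValueError("own mint must confirm before the spend")
    weights = [0.5 ** ((spend_height - h) / half_life) for h in cands]
    return weights[cands.index(my_mint)] / sum(weights)

def report(spend_height):
    """(candidate-set size, share on own mint) for a planned spend height."""
    size = len(candidate_mints(MINTS, spend_height))
    return size, round(recency_share(MINTS, MY_MINT, spend_height), 3)

if __name__ == "__main__":
    print("spend 3 blocks after mint:  ", report(503))
    print("spend 400 blocks after mint:", report(900))
```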

Because Zcash conceals the transaction amount, it may be more effective than Zcoin against such timing attacks. However, this benefit also comes with a major tradeoff.

Essentially, for Zcash, there is no “certain scarcity” that even a fairly intelligent person can verify on a mathematical/cryptographic first-principles basis. ZK-Snarks use some very sophisticated cryptography. Only a handful of cryptography academics in the world can understand the steps in ZK-Snarks on a first-principles basis. The cryptographic principles behind Zerocoin have been around for a lot longer, and the Zerocoin paper was one of the most often cited cryptography papers in the past few years, with about 200 citations. Any fairly intelligent cryptography academic would be able to understand the foundations underlying Zerocoin.

If, God forbid, Zcash had a bug that allowed people to generate more Zcash coins than the intended money supply, then it is possible that nobody could tell. If it were a severe bug, somebody could potentially inflate the money supply by hundreds of millions of dollars, making a profit while lowering the price of Zcash for speculators. There are several examples of major cryptocurrency bugs that have led to a massive misallocation of the quantity of cryptocurrency that should have been in circulation. One major example is the 2010 Bitcoin value overflow bug, which increased Bitcoin’s money supply by over 90 billion:

“On August 15 2010, it was discovered that block 74638 contained a transaction that created 184,467,440,737.09551616 bitcoins for three different addresses.[1][2][3] Two addresses received 92.2 billion bitcoins each, and whoever solved the block got an extra 0.01 BTC that did not exist prior to the transaction. This was possible because the code used for checking transactions before including them in a block didn’t account for the case of outputs so large that they overflowed when summed”

With Zcash, these kinds of bugs could go completely unnoticed. Thus, if Zcash encountered a similar bug, it could see 99.999% of the entire Zcash market cap owned by one person, without anybody noticing.
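The class of bug quoted above and the audit that public amounts make possible, as an added example that is not Bitcoin's or Zcoin's code: a transaction check that sums outputs in 64-bit arithmetic beside a range-checked version, plus a supply audit against the issuance schedule. The output and input values are constructed, and Python's unbounded integers are wrapped explicitly to emulate a signed 64-bit sum.

```python
COIN = 100_000_000                # satoshis per bitcoin
MAX_MONEY = 21_000_000 * COIN     # largest value any amount may take

def wrap_int64(x):
    """Reduce x to a signed 64-bit value, as fixed-width arithmetic would."""
    x &= (1 << 64) - 1
    return x - (1 << 64) if x >= (1 << 63) else x

def naive_accepts(input_total, outputs):
    """Flawed check: rejects negative outputs but lets the sum wrap."""
    total = 0
    for value in outputs:
        if value < 0:
            return False
        total = wrap_int64(total + value)
    return total <= input_total

def hardened_accepts(input_total, outputs):
    """Range-check every output and the running total before comparing."""
    total = 0
    for value in outputs:
        if not 0 <= value <= MAX_MONEY:
            return False
        total += value
        if total > MAX_MONEY:
            return False
    return total <= input_total

def expected_supply(height):
    """Satoshis issued through block `height`: 50 BTC, halving every 210,000."""
    total, subsidy, remaining = 0, 50 * COIN, height + 1
    while remaining > 0 and subsidy > 0:
        blocks = min(remaining, 210_000)
        total += blocks * subsidy
        remaining -= blocks
        subsidy //= 2
    return total

def supply_checks_out(visible_outputs, height):
    """Audit anyone can run when output amounts are public."""
    return sum(visible_outputs) <= expected_supply(height)

# Constructed sample: two outputs just under 2**63 satoshis, 0.5 BTC of inputs.
BAD_OUTPUTS = [2**63 - 500_000, 2**63 - 500_000]
INPUT_TOTAL = COIN // 2
```

The wrapped sum of the two constructed outputs is negative, so the flawed check accepts the transaction, while the audit over visible amounts fails immediately. That audit is the step that has no equivalent when amounts are concealed.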

A recent example of another cryptocurrency bug was The DAO, which experienced a $50 million hack.

As Greg Slepak notes, writing for the okTurtles blog:

“This situation, however, is far more serious than The DAO. Zcash’s code is several orders of magnitude larger and more complicated, and the consequences of failure are several orders of magnitude bigger.

“In Zcash’s current state: it is impossible to know whether a successful attack occurred. Unless a saboteur turns whistleblower, we’ll know it was compromised only after damages have occurred. And the more valuable Zcash is, the more dangerous it is. There is no “Undo” button.”

Outside of unintentional bugs, there is another problem. Due to the cutting-edge nature of ZK-Snarks, there is not nearly as much peer review of the underlying cryptography for Zerocash as there is for Zerocoin, which we discuss in more detail in point 3. There is also a much smaller group of academics who can understand the cryptographic first principles underlying Zerocash. If there are hundreds of millions of dollars on the line, even the noblest of academics may find a way to cross ethical lines. In contrast, with Zcoin, even if there were a bug, everyone could tell that the money supply doesn’t check out.

2) Parameter generation

Zcoin uses parameters generated 25 years ago from the RSA Factoring Challenge. At projected computing capacity, they will be safe to use for many more decades. By then, Zcoin can port its parameters to a new cryptographic scheme. Admittedly, RSA has not been a great company in recent years, with revelations of RSA collaborating with the NSA. But the keys to the RSA Factoring Challenge were generated in 1991, early in RSA’s days, when the creators of the RSA algorithm still had a high amount of control over their company. On the other hand, there is a strong mitigating factor in the unlikely scenario of a compromised Zcoin setup: everybody could still see that Zcoin’s money supply checks out. In contrast, if Zcash’s setup were compromised, a hyper-inflated money supply could go completely undetected.

Zcash relies on the assumption that the actors in the parameter generation do not all collude. As long as there is one honest actor, everything is fine. If not, they could double spend or do anything they want with Zcash. Just as there has been worry over Zcoin’s parameter setup, there has been some worry about Zcash’s setup. Similarly, Peter Todd, one of the 6 participants of the parameter generation ceremony, felt there were enough questions and possibilities for the ceremony to be backdoored that he took down his post about his participation in the ceremony.

However, in our opinion, Zcash’s setup will be fine, as there will most likely be at least one honest person, assuming the ceremony wasn’t otherwise backdoored. Both setups are not ideal, but still workable.

One primary difference is that the parameters generated in the RSA Factoring Challenge were never intended to be used in a cryptocurrency; the challenge was purely academic. There was much less motive to backdoor such a ceremony, which would only defeat the entire purpose of the academic challenge. With Zcash’s ceremony, on the other hand, everyone knew that it was meant to create a new cryptocurrency, and as such the incentive to backdoor or compromise the setup is much higher, especially if the forged coins cannot be detected.

3) Tried and tested vs exotic cutting edge cryptography

Zerocoin, as used in Zcoin, uses RSA cryptography, which has been in widespread use since the 1970s. A lot of research has been done on it, and it relies on the difficulty of integer factorization, which is expected to remain viable until the coming of quantum computers. Zerocash, as used in Zcash, on the other hand relies on zkSNARKs, which rely on the knowledge of exponent assumption (KEA), which has received little attention and is therefore more likely to have vulnerabilities that have not been discovered yet. Zooko, founder of Zcash, indeed acknowledges that “Zcash is built on new, risky, unproven technology. It could have fatal flaws that we as scientists and engineers just haven’t discovered yet.”

It is a tradeoff: Zerocoin uses strong cryptography that is less likely to have weaknesses but has worse performance characteristics, while Zerocash uses experimental cryptography that is risky and unproven but has excellent performance characteristics. While we applaud research in this area, we at Zcoin believe that for a launched cryptocurrency with financial value, a more stable and proven cryptography system is preferable.

4) Zcash requires a higher use of memory with significantly longer time needed to send a private transaction than Zcoin. On the other hand, Zcoin currently requires significantly more storage space than Zcash.

According to Zcash’s benchmarks:

“On a quad-core benchmark server, generating a private transaction consumes ~3.2 GB of memory and ~50 seconds of compute time.”

This is a relatively high memory requirement, as many laptops only have 4GB RAM. Even on a device with 8GB RAM, a 3.2 GB memory requirement may force Zcash’s private transaction generation to go into swap space. If Zcash goes into swap, then even on state-of-the-art SSDs, transfer rates are at least 10 times slower than DDR-3 speeds. On older devices, transfer rates could be 30 times slower or more if Zcash goes to swap. Thus, for a typical 4GB RAM device (which usually already has at least 1GB of memory in use), Zcash’s effective compute time should be between 10 and 30 minutes. It is also very possible that many devices with 8GB RAM would go into swap as well, also taking between 10 and 30 minutes to generate a private transaction.

Zcoin’s private transactions are not as memory-intensive as Zcash’s. On a quad-core benchmark server, generating a private transaction with “Zerocoin mint” and “Zerocoin spend” consumes ~10 seconds of compute time. Thus, sending a private transaction with Zcoin could be between 5-200 times faster than Zcash, depending on device.

On the other hand, Zcoin’s private transaction sizes are about 50 times larger than Zcash’s transaction sizes. This will not be a limiting issue for several reasons. One easy fix would be to update Zcoin to support pruning:

In his whitepaper, Satoshi had mentioned “pruning” as a solution to Bitcoin’s potential future scalability issue. Surprisingly, it’s not discussed often. When there is greater demand for Zcoin transactions than its capacity, Zcoin can build pruning into the protocol. This way, the storage requirements for Zcoin could be minimal.

By stubbing off branches in the merkle tree to save storage space, pruning could be built into Zcoin in a similar fashion as described in Satoshi’s whitepaper:

“Once the latest transaction in a coin is buried under enough blocks, the spent transactions before it can be discarded to save disk space. To facilitate this without breaking the block’s hash, transactions are hashed in a Merkle Tree [7][2][5], with only the root included in the block’s hash. Old blocks can then be compacted by stubbing off branches of the tree. The interior hashes do not need to be stored.”
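The stubbing described in the quote, as an added example that is not code from Bitcoin or Zcoin: a Merkle tree over constructed transaction ids is pruned down to the one transaction still unspent, and the root is recomputed from the interior hashes that remain. Double SHA-256 and duplication of an odd last entry follow Bitcoin's tree construction; the function names and the nested-tuple tree layout are choices made for this example.

```python
import hashlib

def dhash(data):
    """Double SHA-256, the hash used in Bitcoin's Merkle trees."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def build(txids):
    """Full tree as nested tuples: a leaf is bytes, a node is (left, right)."""
    level = list(txids)
    while len(level) > 1:
        if len(level) % 2:            # odd count: duplicate the last entry
            level.append(level[-1])
        level = [(level[i], level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]

def root(node):
    """Merkle root of a full or pruned tree."""
    if isinstance(node, bytes):       # leaf txid or stubbed interior hash
        return node
    left, right = node
    return dhash(root(left) + root(right))

def prune(node, unspent):
    """Stub off every branch that contains no txid from `unspent`."""
    if isinstance(node, bytes):
        return node
    left, right = prune(node[0], unspent), prune(node[1], unspent)
    if (isinstance(left, bytes) and isinstance(right, bytes)
            and left not in unspent and right not in unspent):
        return dhash(left + right)    # keep only the interior hash
    return (left, right)

def stored_hashes(node):
    """Number of 32-byte hashes that must be kept for this tree."""
    if isinstance(node, bytes):
        return 1
    return sum(stored_hashes(child) for child in node)

# Constructed transaction ids for one block of eight transactions.
TXIDS = [dhash(b"constructed tx %d" % i) for i in range(8)]

if __name__ == "__main__":
    full = build(TXIDS)
    pruned = prune(full, {TXIDS[5]})
    print(stored_hashes(full), "->", stored_hashes(pruned),
          "hashes, root unchanged:", root(full) == root(pruned))
```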

Diagram from Satoshi’s whitepaper:

However, for now, Zcoin’s transaction volume capacity is more than enough. Even with 50 times larger proof sizes, storage is a low-priority concern because of Moore’s Law. As Satoshi describes in the whitepaper:

“With computer systems typically selling with 2GB of RAM as of 2008, and Moore’s Law predicting current growth of 1.2GB per year, storage should not be a problem even if the block headers must be kept in memory.”

Here at Zcoin, we believe that having multiple zero-knowledge cryptocurrency implementations is a blessing to society. Like Zcoin, Zcash is also enabling individual freedom and open commerce to the world by increasing financial privacy. We applaud the work that the Zcash team is doing. With that in mind, it is important to understand the inherent tradeoffs between the Zerocoin and Zerocash protocols. Zcoin has some major advantages over Zcash, as well as significant disadvantages. By increasing awareness of these tradeoffs, privacy-centric users can more effectively use either coin tailored to their concerns and specific use cases.

Our work on zero-knowledge proofs is also not at a standstill. Much like how Zcash is moving forward with improving zkSNARKs, especially with their Sapling release, we are researching alternative zero-knowledge proof systems that do not require trusted setup and have strong cryptographic fundamentals, as laid out in our roadmap.