Zcash vs Monero Which has better privacy?


#1

Zcash and Monero are both “privacy” coins which are cryptocurrencies that can be used to make anonymous payments. They both achieve privacy in different ways. But which has stronger privacy?

How does Zcash achieve privacy?
Through encryption and zk-Snarks.

  • Encryption: Zcash uses encryption to achieve privacy. It hides sender, receiver, amount data that goes on its public blockchain for single-signature transactions.
  • zk-Snarks: Zcash uses zk-SNARKs to verify payments. zk-SNARKs is an implementation of Zero-knowledge proofs in cryptography. Zero-knowledge proofs used in a cryptocurrency means that transactions can be verified without knowing the details of the transaction (sender, receiver, amount).
  • Optional privacy: In Zcash, transactions can be anonymized (via shielded addresses that utilize the encryption and zk-Snarks above) or unanonymized (via transparent addresses that work like Bitcoin transactions).

How does Monero achieve privacy?
Through ring signatures and stealth addresses.

  • RingCT: Ring signatures group together a bunch of sender’s inputs together, obfuscating who are making payments.
  • Stealth addresses: Stealth addresses are one-time use transaction addresses that senders and receivers use to make payments with each other.

Credit: This post from Cryptobriefing did a great job summarizing the differences between Monero and Zcash.

From a non-technical standpoint, because Zcash encrypts transaction history while Monero jumbles it, I would argue that Zcash has stronger privacy.

But a Reddit user in the Monero Subreddit, Vespo, makes an interesting argument. Hypothetically, if Zcash and Monero transactions were deanonymyized, the consequence is far smaller in Monero. He argues that in Monero transactions, even if the transaction is deanonymized, they would only get information pertaining to a one-time-use-only address. So the sender/receiver data wouldn’t be able to be exploited more than once.

Would love to get your thoughts on which privacy coin ensures greater privacy.
How do the vulnerabilities and attack vectors of each coin factor into this?
The Monero protocol recently updated itself to use Bulletproofs. What affect does this have?


#2

This article on hacked.com gives a good overview and comparison of the security/privacy merits of both coins.

The author comes out in favor of Monero for a few reasons, but the strongest is because all transactions are strictly private. With Zcash, privacy is optional, and because of that only 2-13% of transactions are private and this affects the security of the whole ecosystem. He argues that:

This means that those users who make use of their shielded addresses could immediately raise suspicion of “having something to hide” even if they do not. Therefore, the actions of the users that do not make their addresses shielded are decreasing the privacy of those who do.
Monero on the other hand, decided that this negative externality was not conducive to a cohesive ecosystem. They decided to make all of their transactions private. This means that all transactions on the Monero network look identical and the ecosystem is generally stronger for it.

He concludes the article with a practical example of when the FBI brought down the founder of the Alphabay darknet market.

The FBI was able to identify how the amounts of each cryptocurrency the founder had, including Zcash. All except for Monero:

Extract from Asset Forfeiture. Image Source.


#3

I thought people who were were saying Monero had better privacy than Zcash because of Zcash’s optional privacy were strawmanning them but this is such an astute point; that those using non-shielded addresses reveal information about those using shielded ones.


#4

Yeah, that’s the key point that won me over.


#5

@jtierney can you explain why this is? How do non-shielded addresses decrease the privacy of shielded ones?


#6

I’m out of my depth here on the technicals, but here’s what I’m wrapping my head around now.

Basically, Zcash having both shielded and unshielded address allows for the creation/discovery of heuristics to identify or trace transactions, values, and addresses.
I came across this great paper by George Kappos, Haaroon Yousaf, Mary Maller, and Sarah Meiklejohn.

First, the paper shows that the vast majority of shielded Zcash belongs to the founders and miners - more than 90%. The activity of the founders and miners is identifiable because it follows consistent patterns. Therefore the small subset of shielded activity that does not fit the patterns of the miners and founders is likely to be by an individual.

The paper provides five heuristics they developed to trace and identify activity. For example, heuristic five states that:

For a value v, if there exists exactly one
t-to-z transaction carrying value v and one z-to-t transaction carrying value v, where the z-to-t transaction happened after the t-to-z one and within some small number
of blocks, then these transactions are linked.

In other words, if you send your unshielded coins to the shielded address and then back again within a shorter time frame – in what they call a 'round trip transaction’ – then you can surmise that this is the same person or group and you now know their addresses. And since you know their address, you reduced the pool of addresses you don’t know, which makes the others a bit easier to trace.

They conclude that:

Our study has shown that most users are not taking advantage of the main privacy feature of Zcash at all. Furthermore, the participants who do engage with the shielded pool do so in a way that is identifiable, which has the effect of significantly eroding the anonymity of other users by shrinking the overall anonymity set.

This twitter thread breaks down the same article too:


#7

ah, okay. thank you for the tweet thread. this particular tweet helped clear it up for me:

Shielded ZEC is made nearly entirely of miners and founders, whose behavior is easy to determine. The anonymity set is incredibly small in practice for normal users, only ~10% of the total shielded value.

So the argument is that because shielded transactions are mostly founders/miners AND because we can apparently easily detect the behavior of founders/miners, it that means the set of shielded transactions which are NOT founders/miners is small, which then means the anonymity set is small. A small anonymity set means less secure/private.

makes sense :slight_smile:


#8

Don’t forget about Kovri for Monero as well.


#9

Related : U.S. Government wants to research ways to perform forensic analysis of Monero and Zcash