ZCash is only as secure as you trust 9 people and their ceremony. There's gotta be a way to do consensus about zero-knowledge proofs that's a little more... you know ... decentralized.
Before you guys start saying, banks don't trust Bitcoin either because transactions are controlled by like 5 mining pools and the occasional lucky lottery winner. If they blacklist your address, your "permissionless" currency starts looking a lot more like a frozen bank account.
«ZCash is only as secure as you trust 9 people and their ceremony»
No. You only need to trust 1 of 9 persons. The cryptographic algorithm works so that if 1 honest and 8 malicious persons participate, then the output can be 100% trusted. I do think it would have been interesting to allow hundreds of random participants to take part in the ceremony. But I'm not sure what the technical hurdles would have been (e.g. what if one person abandons the process in the middle, does the whole ceremony have to be restarted?)
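As an added illustration of the 1-of-n property described above (this is not code from the thread or from Zcash; the group parameters are constructed toy values, far too small for real use): each participant raises the running public element to a secret share and then discards the share, so the "toxic" secret is the product of all shares. Holding any eight of the nine shares leaves every possible combined secret equally likely; only full collusion (or a backdoored build that leaks every share) recovers it.

```python
# Added illustration (not from the thread): a toy multi-party parameter setup in
# which the "toxic" secret is the product of every participant's share, so any
# single honest participant who discards their share keeps it unknown.
# Group parameters below are constructed for demonstration only.
from functools import reduce
import secrets

P = 1019  # constructed: safe prime, P = 2*Q + 1
Q = 509   # prime order of the subgroup generated by G
G = 4     # a quadratic residue mod P other than 1, hence of order Q


def contribute(accumulated: int, share: int) -> int:
    """One participant raises the running element to their secret share."""
    assert 1 <= share < Q, "share must be a non-zero scalar mod Q"
    return pow(accumulated, share, P)


def run_ceremony(shares):
    """Run participants in sequence; returns the final element and the public transcript."""
    transcript = [G]
    for share in shares:
        transcript.append(contribute(transcript[-1], share))
    return transcript[-1], transcript


def combined_secret(shares) -> int:
    """The secret nobody is supposed to know: the product of all shares mod Q."""
    return reduce(lambda a, b: (a * b) % Q, shares, 1)


def recover_secret_from_collusion(leaked_shares) -> int:
    """If every participant leaks (or the software leaked every share), the secret is recoverable."""
    return combined_secret(leaked_shares)


def candidates_with_missing_share(known_shares):
    """Combined secrets consistent with the known shares when one share is
    unknown and uniform in [1, Q-1].  Multiplying by a non-zero constant
    permutes the non-zero residues mod Q, so every value is equally possible:
    the colluding participants learn nothing about the combined secret."""
    known = combined_secret(known_shares)
    return {(known * x) % Q for x in range(1, Q)}


def random_share() -> int:
    """An honest participant draws a fresh share and destroys it afterwards."""
    return 1 + secrets.randbelow(Q - 1)


if __name__ == "__main__":
    shares = [random_share() for _ in range(9)]
    final, transcript = run_ceremony(shares)
    assert final == pow(G, combined_secret(shares), P)
    # 8 of 9 collude: every non-zero secret remains equally plausible.
    print(len(candidates_with_missing_share(shares[:8])) == Q - 1)
```

The public transcript lets anyone recompute the chain from the published elements, but not the scalars; the security of the result rests entirely on at least one share having been drawn honestly and never stored, which is exactly the part no outside verifier can check.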
I believe there's a hardfork planned to add more features (like light client support) that will need another ceremony and the Zcash team is planning on there being hundreds of participants.
Zcash's zk-SNARKs are totally private even if that ceremony failed and even if the cryptographic assumptions underlying zk-SNARKs fall apart.
I find the comparison with Bitcoin perfect. The same people trusting PoW cartels to keep their system operational are complaining that zk-SNARKs require a parameter setup for proof soundness? That doesn't really make sense to me.
Zero-knowledge proofs for a given statement, by definition, reveal nothing about its witness. zk-SNARKs (used by Zcash) are statistically zero-knowledge; there are no cryptographic assumptions involved.
As a slight aside, I always wondered if zero-knowledge proofs really reveal "slight" knowledge.
That is, if I ask 1 billion questions about a resource, and get true, verifiable answers, can't I find out something about it? For example, some projection onto a linear subspace or something.
> There's gotta be a way to do consensus about zero-knowledge proofs that's a little more... you know ... decentralized.
Not really, no. There is no known scheme that has similar properties but non-trusted setup. There's not a proof that it's impossible either, so something might get invented. But at the moment, no.
That said I share the criticism. Even with trusted setup it could have been done much better.
If I understand correctly a recent presentation by Eli Ben-Sasson, one of ZCash's scientists, there is now at least one ZK system with this 'transparent' property (needing no trusted setup), but it is not yet practical for a blockchain currency. See Ben-Sasson on "STARK": https://www.youtube.com/watch?v=HJ9K_o-RRSY
> There is no known scheme that has similar properties but non-trusted setup. There's not a proof that it's impossible either, so something might get invented. But at the moment, no.
With a very different set of tradeoffs. MW does not provide anonymity. It provides, at best, pseudo-anonymity with coinjoin mixing by default, with N=2 in the implementations being considered. Careful repeated application with the right counter-parties can compound that into larger anonymity sets. That's a step forward from bitcoin, for sure. And if you're very careful, it could achieve whatever privacy requirement you might have.
The Zcash-like approach on the other hand is to provide a transaction mode where your anonymity set is everyone who has ever transacted with the system before. That's N=everybody; the source of funds is entirely obscured.
The two achieve totally different goals, with a different set of tradeoffs. Apples to oranges.
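To make the "N=2 compounding into larger anonymity sets" point above concrete, here is an added toy model (not code from the thread, and not a MimbleWimble implementation): an observer sees every join's inputs and outputs but not the input-to-output mapping, so a coin's possible origins are the union of its inputs' possible origins. The ledger, coin names and owner labels are constructed for the example.

```python
# Added illustration (not from the thread): a toy model of how 2-party CoinJoin
# rounds compound an output's anonymity set, and how they fail to when the
# same counterparty is reused.  All coins and owners are constructed.
from itertools import count


class CoinJoinLedger:
    def __init__(self):
        self.parents = {}   # coin -> set of input coins of the join that produced it
        self.origin = {}    # minted coin -> owner label (ground truth, hidden from the observer)
        self._ids = count()

    def new_id(self) -> str:
        return f"coin{next(self._ids)}"

    def mint(self, owner: str) -> str:
        coin = self.new_id()
        self.parents[coin] = set()
        self.origin[coin] = owner
        return coin

    def coinjoin(self, inputs, n_outputs: int):
        """Spend `inputs` in one joint transaction producing `n_outputs` coins."""
        outputs = [self.new_id() for _ in range(n_outputs)]
        for out in outputs:
            self.parents[out] = set(inputs)
        return outputs

    def anonymity_set(self, coin: str):
        """Owners an observer must consider as the possible origin of `coin`."""
        seen, stack, owners = set(), [coin], set()
        while stack:
            c = stack.pop()
            if c in seen:
                continue
            seen.add(c)
            if c in self.origin:
                owners.add(self.origin[c])
            stack.extend(self.parents[c])
        return owners


def mix_with_same_partner(rounds: int) -> int:
    """Alice and Bob join only with each other: the set never grows past 2."""
    ledger = CoinJoinLedger()
    a, b = ledger.mint("alice"), ledger.mint("bob")
    for _ in range(rounds):
        a, b = ledger.coinjoin([a, b], 2)
    return len(ledger.anonymity_set(a))


def mix_with_fresh_partners(depth: int) -> int:
    """Each round the counterparty's coin has been mixed as deeply as ours,
    so the anonymity set doubles per round: 2**depth owners after `depth` rounds."""
    ledger = CoinJoinLedger()
    owners = count()

    def mixed_coin(d: int) -> str:
        if d == 0:
            return ledger.mint(f"owner{next(owners)}")
        left, right = mixed_coin(d - 1), mixed_coin(d - 1)
        return ledger.coinjoin([left, right], 2)[0]

    return len(ledger.anonymity_set(mixed_coin(depth)))


if __name__ == "__main__":
    print("same partner, 10 rounds:", mix_with_same_partner(10))   # stays 2
    print("fresh partners, 5 rounds:", mix_with_fresh_partners(5))  # 32
```

The model is deliberately optimistic for the user: it ignores amounts, timing and any out-of-band linkage, which in practice shrink the set further. The contrast with the shielded-pool approach in the comment above is that there the set is the whole pool by construction rather than something the user must carefully build up round by round.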
Yes, as interesting a development as zcash is, you need more trust in the 9 people at that one-off ceremony than you do in a central bank.
Monero's ring signatures have their drawbacks, but they don't require trust. It is hard to see his rationale for referring to it as an "amateur effort".
Ring signatures with small anonymity sets have very serious privacy drawbacks, but they have more sensible assumptions for protecting the monetary base integrity.
zk-SNARKs are the opposite: they don't compromise on privacy at all, but require stronger assumptions to protect the monetary base.
ZCash has unsolvable issues, Monero has solvable issues. I don't see that as a tradeoff.
zk-SNARKs have no privacy issues, but to trust ZCash you require absolute trust in the zcash ceremony. This is an issue for many, including me. This ceremony has happened, there is no way for me to prove to myself that the private keys were not stored somewhere. Although I can prove to myself it is decentralised and private, I can't see how I could ever prove to myself that no one can cheat and generate coins with minimal effort, thus devaluing mine. I just have to trust the founders.
Monero's ring signatures require no trust, but they have privacy problems in the case of small rings. This is solvable by restricting to large rings (as a hard fork will enforce this September[1]), and at that point, I can see how to convince myself that the system is decentralised, private, and no one can generate coins without appropriate mining effort.
The software those people ran is a single point of failure that hasn't been properly audited. As one of those people, all I know is I attempted to faithfully run a DVD image; I have no idea if that DVD image was backdoored.
"If they blacklist your address, your "permissionless" currency starts looking a lot more like a frozen bank account."
Interesting aspect. Could you please clarify _who_ could blacklist _what_ address? It's not exactly clear what you were referring to.
https://petertodd.org/2016/cypherpunk-desert-bus-zcash-trust...
https://www.reddit.com/r/Monero/comments/6a26rh/peter_todd_h...
There are better ways :)