Firo (formerly Zcoin) Comparison - Reading Assignment

  1. What two primary weaknesses of Monero are discussed?
    -Ring signatures have a limited range and thus limited anonymity set… because the transaction link is never broken, it is possible to reconstruct the transaction trail
    -Transaction amount is blinded, which means inflation within XMR can go undetected since the total amount of coin is unknown

  2. One listed weakness of the Sigma protocol is susceptibility to “timing attacks”. Based on your read of the article and your understanding of Zerocoin’s Mint/Spend functions, how are ‘timing attacks’ performed, which information is vulnerable, and how can they be prevented?
    -If you know the sender amount, the timing of receipt can elucidate the sender and receiver relationship, possibly the addresses and reconstruct the transaction trail.
    -Can be prevented by keeping coins in a “mint” state

  3. What is Lelantus and how does it improve on Sigma?
    -it doesn’t use the prior sigma fixed denominations through a modification of bulletproofs however it involves an additional spend and remint step

    -while it can do direct anonymous payments without having to convert to base coin by using double blind commitments, again the remint step is later added as above

  4. Read the section on Zerocash and Zcash. When compared to Monero, what is the most important ‘pro’ of Zcash, and what is the most important ‘con’? Explain your choice.
    -large anonymity set with a broken transaction trail: by itself this is a major pro given that these parameters are most important in obfuscating publicly viewable transactions
    -con: initial trusted setup phase…this is a major con since it will be unknown until it occurs, whether there was a compromise at this delicate trust dependent stage. Theoretically if the silver bullet exists and wasn’t destroyed, it could kill ZCash security at anytime in its future.

  5. OPINION : Look at the ‘Comparison Chart’ at the end, and ‘Anonymity Set Size’ in particular. Based on your understanding of Monero, Zerocoin and Sigma, is this a fair comparison?
    -Biased, inherently, given that it is published on zcoin.io
    -Monero anonymity set reported as 11…while this is the decoy set size for its ring signature, the anonymity set is a much broader calculation that includes parameters like timing, amount, and range of both send side and recipient addresses (stealth addresses and Confidential transactions at the time, ringCT and dandelion later). Without trying to do the math, an anonymity set size quote restricted only to the number of decoys in the ring sig must be underrepresentative. This was however deliberate and thus highly suspicious since the author would have known this simple factoid.

The tutorial link has been removed, so you can look here for the article:
https://web.archive.org/web/20200517202542/https://zcoin.io/zcoins-privacy-technology-compares-competition/

1 Like
  1. The two primary weaknesses of Monero discussed are that ring signatures as currently implemented in CryptoNote currencies, have limitations concerning practical ring size (the number of other outputs you are taking) as the size of a transaction grows linearly as the ring size increases. This is why Monero has a relatively small ring size of 11. This means on a per transaction basis, the anonymity is limited by the number of participants in the ring. Also, security researchers have found ways to make educated guesses as to which transaction is the real one by tying it to the timing of transactions. In any mix of one real coin and a set of fake coins bundled up in a transaction, the real one is very likely to have been the most recent coin to have moved prior to that transaction. Before a recent change from Monero’s developers, that timing analysis correctly identified the real coin more than 90 percent of the time, virtually nullifying Monero’s privacy safeguards. After that change to how Monero chooses its mixins, that trick now can spot the real coin just 45 percent of the time—but still narrows down the real coin to about two possibilities, far fewer than most Monero users would like.
  2. One listed weakness of the Sigma protocol is susceptibility to “timing attacks”. Based on my read of the article and understanding of Zerocoin’s Mint/Spend functions, ‘timing attacks’ are performed by analysis of the timing between Zerocoin Mint and Zerocoin Spend transactions, in an attempt to discover which ones are connected. This information, if uncovered, could then possibly identify users sending and receiving addresses. Users should keep a supply of coins minted long before they intend to spend them, to prevent such timing attacks.
  3. Lelantus is a privacy protocol that further expands on Sigma by removing the requirement for fixed denominations and also allowing for direct anonymous payments that do not reveal amounts. Lelantus retains all the benefits of Sigma of not requiring trusted setup, but removes the remaining weakness of requiring fixed denominations by utilizing double-blinded commitments and a modification of bullet-proofs to hide transaction amounts. Users can burn arbitrary amounts and redeem arbitrary amounts as well making it much harder to tie spends to mints.
  4. After reading the section on Zerocash and Zcash when compared to Monero, the most important ‘pro’ of Zcash is that it is potentially the best anonymity set encompassing all coins minted and breaks transaction links between addresses. As compared to Monero which does not break transaction links, merely obscures them, hence a ‘decoy’ model. The most important ‘con’, in my opinion, is the complicated and difficult to understand in full meaning construction, so that only a handful of people can grasp the cryptography and code, and which may be prone to errors. In comparison to Monero’s well researched cryptography.
  5. OPINION: After looking at the ‘Comparison Chart’ at the end, and ‘Anonymity Set Size’ in particular. Based on my understanding of Monero, Zerocoin and Sigma, I do not think that this is a fair comparison as it is merely a ‘snapshot’ of them at a point in time. This is because this post was last updated on the 15th July 2019 and all three privacy protocols have been updated and improved numerous times since then.
1 Like

Thanks for the updated article link.

  1. Ring signatures, because of their limited range (hence limited anonymity set), and Transaction amount being hidden, which means that market cap cannot be established.
  2. If bad decoys are used, it could be trivial to establish the real transaction. Including better decoys and minting coins ahead of time would fix this issue.
  3. Lelantus removes the need for fixed denominations. It also does not need a trusted setup and significantly reduces the proof size.
  4. The pro being “Proof sizes are small and fast to verify” because this makes the coin efficient, and the con being “Uses relatively new cryptography and based on cryptographic assumptions (KEA) that have been criticized” plus it being difficult to understand because this has deterred many people away from the coin due to its esoteric and ambiguous construction.
  5. No, because Monero’s anonymity can be much larger. Plus, it doesn’t consider Bulletproofs.
1 Like

The primary drawback of Cryptonote is that it doesn’t break the links between transactions but merely obscures it with decoy inputs and outputs.

If there’s a weakness in its ring signature implementation or a reasonably powerful quantum computer becomes feasible, the entire blockchain history is deanonymized and retroactively exposed. This cannot be fixed after the fact.

With the anonymity set of around 100 thousand, it is vulnerable to relate the timing of mint and spent. Therefore, if we mint coins long before we are wanting to spend, it would minimise this vulnerability.

Lelantus retains all the benefits of Sigma of not requiring trusted setup, but removes the remaining weakness of requiring fixed denominations by utilizing double-blinded commitments and a modification of bullet-proofs to hide transaction amounts. Users can burn arbitrary amounts and redeem arbitrary amounts as well making it much harder to tie spends to mints.

11 is the Anonymity set size. It is not a fair comparison since some coins require a trusted setup.

1 Like
  1. What two primary weaknesses of Monero are discussed?
  • It doesn’t break the links between transactions but merely obscures it with decoy inputs and outputs. If there’s a weakness in its ring signature implementation or a reasonably powerful quantum computer becomes feasible, the entire blockchain history is deanonymized and retroactively exposed.
  2. One listed weakness of the Sigma protocol is susceptibility to “timing attacks”. Based on your read of the article and your understanding of Zerocoin’s Mint/Spend functions, how are ‘timing attacks’ performed, which information is vulnerable, and how can they be prevented?
  3. What is Lelantus and how does it improve on Sigma?

Lelantus further expands on Sigma by removing the requirement for fixed denominations and also allowing for direct anonymous payments that do not reveal amounts

  4. Read the section on Zerocash and Zcash. When compared to Monero, what is the most important ‘pro’ of Zcash, and what is the most important ‘con’? Explain your choice.

Pro: Breaks links between addresses. – This improves security by keeping people anonymous

Con: Incorrect implementation or leakage of trusted setup parameters can lead to forgery of coins. – Forgeries of coins will decrease the value of the real coin because people will lose trust and stop using the coin.

  5. OPINION : Look at the ‘Comparison Chart’ at the end, and ‘Anonymity Set Size’ in particular. Based on your understanding of Monero, Zerocoin and Sigma, is this a fair comparison?

With what I have learned so far about Monero, I do not think it is a fair comparison. It is missing other factors like Bulletproof. In addition, it does not take into consideration the flaws of other coins like forging coins.

1 Like

1.) -doesn’t break links between transactions
-Supply auditability is sacrificed
2.) Creating a Link between mint/spend by analyzing the time of creation/spending
3.) It’s a next gen privacy protocol.
Removes requirement for fixed denominations, allowing direct anonymous trx
4.) +bigger anonymity set, breaks links between trx
-lacks supply auditability and trust is needed in believing the ceremony and participating people
5.) Not entirely fair. Some aspects are left out.
It looks at points that are important for the competition and compares Monero to those points, but additional “features” are not taken into consideration.
It’s like comparing a Navy and Cavalry on how fast they both sink.

1 Like
  1. Two serious weaknesses of Monero are that A) transaction links between users are merely obscured, not broken, and B) It doesn’t have supply auditability, so inflationary exploits could potentially go undetected.

  2. Timing attacks in Sigma are what occur when users mint privacy coins immediately before spending, making it possible to make links between spender and receiver, as well as revealing amounts. This can be prevented by minting coins well in advance of use.

  3. Lelantus is a new privacy payment protocol. It removes the requirement of using fixed amounts, and also enables the sending of direct anonymous payments.

  4. Pro: Breaks transaction link between users, and so likely has the greatest anonymity set. Con: Supply cannot be audited.
    I choose supply auditability as the greatest con, as opposed to trusted setup, because if the supply could be audited then the trusted setup issue could be monitored and inflation can be watched for and dealt with as it emerges. Without supply auditability, eventual bugs and exploits must be discovered by other means.

  5. In general, it seems fair. I do think “anonymity set” is complex enough that it justifies more than a simple number comparison. For example, while 11 is the number of decoys plus user on the one side, the receiver is entirely hidden using stealth addresses, and the transaction amount is also hidden. The anonymity set increases with time, as well.

1 Like

What two primary weaknesses of Monero are discussed?

  • Ring signatures have limitations concerning practical ring size as the size of a transaction grows linearly as the ring size increases. This is why Monero has a relatively small ring size of 11. This means on a per transaction basis, the anonymity is limited by the number of participants in the ring.
  • Security researchers have found ways to make educated guesses as to which transaction is the real one by tying it to the timing of transactions. In any mix of one real coin and a set of fake coins bundled up in a transaction, the real one is very likely to have been the most recent coin to have moved prior to that transaction.

One listed weakness of the Sigma protocol is susceptibility to “timing attacks”. Based on your read of the article and your understanding of Zerocoin’s Mint/Spend functions, how are ‘timing attacks’ performed, which information is vulnerable, and how can they be prevented?

Timing attacks are performed by taking into consideration the time differences between Zcoin Mint and Zcoin Spend transactions.

This can be prevented by preminting some coins and storing them

What is Lelantus and how does it improve on Sigma?

Lelantus further expands on Sigma by removing the requirement for fixed denominations and also allowing for direct anonymous payments that do not reveal amounts.

Read the section on Zerocash and Zcash. When compared to Monero, what is the most important ‘pro’ of Zcash, and what is the most important ‘con’? Explain your choice.

Pro: Zcash breaks the link between sender and receiver (Monero only obscures it)

Con: zkSNARKs are difficult to implement and very few people fully understand them.

OPINION : Look at the ‘Comparison Chart’ at the end, and ‘Anonymity Set Size’ in particular. Based on your understanding of Monero, Zerocoin and Sigma, is this a fair comparison?

Is not a fair comparison as it’s only a snapshot at a certain point in time and doesn’t take into considerations the updates done on each protocol

1 Like
  1. The accountability or transparency on the supply of coins and the limitation of linking between tx that with some clever math can be decrypted backwards getting some data on the tx with anonymity set
  2. By minting and spending of a coin without too much time separations can cause a decryption of the anonymity because of the link
  3. Lelantus is a creation of Zcoin’s cryptographer Aram Jivanyan as part of their efforts to continuously improve the privacy protocol. Lelantus expands on Sigma by removing the requirement for fixed denominations and also allowing for direct anonymous payments that do not reveal amounts.
  4. pro: no linking is possible between actors that transact
    con: it is difficult and complicated to use causing incorrect implementations and leaks
  5. It’s the number of the actual default Ring CT decoys
1 Like
  1. Two primary weaknesses of XMR are: Transactions are hidden with decoys, Inflation can not be tracked/audited.

  2. Timing attacks allow people to piece together mints and spends to de-anonymize your transaction. They can be prevented by not spending your minted coins immediately after minting.

  3. Lelantus is a next gen version of Sigma. It improves on Sigma by not needing fixed denominations in the mint process.

  4. Zcash best pro over Monero is that it has a much larger anonymity set. This is important when you want a statistically more private identity.
    Zcash worst Con is Trust. Users require trust in the team. A major deal breaker for someone that wants to remain truly anonymous.

  5. No, it’s not, as the anonymity set size is just a number derived from statistics. It does not take into account that devs may hold a backdoor key.

If this is the case, Then does the anonymity set size number have any relevance at the end of the day?

1 Like
  1. The anonymity is limited by the number of participants in the ring (ring size 11) and timing analysis correctly identified the real coin from Monero mixins 45 percent of the time.

  2. The “timing attacks” are performed by analyzing the timing between ZCoin Mint and ZCoin Spend transactions in order to try to identify which ones are connected and therefore the sending and receiving addresses are vulnerable. A way to avoid that is to delay the spending of the minted coins.

  3. Lelantus is the next generation privacy protocol. Lelantus further expands on Sigma by removing the requirement for fixed denominations and also allowing for direct anonymous payments that do not reveal amounts.

  4. “pro”: Potentially the best anonymity set encompassing all coins minted and breaks transaction links between addresses.
    “con”: Incorrect implementation or leakage of trusted setup parameters can lead to forgery of coins.

  5. No, because the anonymity set increases with more transactions.

1 Like
  1. Primary weaknesses of Monero discussed:

1.1.a) Ring signatures have limitations concerning practical ring size as the size of a transaction grows linearly as the ring size increases (small ring size of 11). The primary drawback of Cryptonote is that it doesn’t break the links between transactions but merely obscures it with decoy inputs and outputs.
Also, security researchers have found ways to make educated guesses as to which transaction is the real one by tying it to the timing of transactions.

1.1.b) Another criticism of CryptoNote is that if there’s a weakness in its ring signature implementation or a reasonably powerful quantum computer becomes feasible, the entire blockchain history is deanonymized and retroactively exposed.

1.2. It is also worth pointing out that with RingCT which hides transaction amounts, supply auditability is sacrificed.

  2. Sigma is basically a greatly improved Zerocoin. Its only remaining weakness is that it still requires fixed denominations, meaning that it can be easier to discern patterns of mints and spends if one is not careful and anonymity sets are limited to practically around 100,000 before performance degrades.
    Some care is required when doing Zerocoin mints and spends. Users have to keep coins minted before they intend to spend to prevent timing attacks (to prevent identify connections between sending and receiving addresses - between ZCoin Mint and ZCoin Spend transactions).

  3. Lelantus:

  • is a privacy protocol and further expands on Sigma by
  • removing the requirement for fixed denominations by utilizing double-blinded commitments and a modification of bullet-proofs to hide transaction amounts,
  • also allowing for direct anonymous payments that do not reveal amounts,
  • retains all the benefits of Sigma of not requiring trusted setup,
  • users can burn arbitrary amounts and redeem arbitrary amounts as well making it much harder to tie spends to mints,
  • direct anonymous payments at the current state of research also require an additional spend and remint step to anonymize the coins from the original coin sender.
  4. When compared to Monero:

4.a) The most important ‘pro’ of Zcash is its anonymity set is the largest among all previous anonymity schemes involving all minted coins regardless of the denomination on the blockchain

4.b) Just like Monero Zerocash lacks supply auditability

4.c) The most important ‘con’ is Zerocash requires a trusted setup and/or the use of new experimental cryptography called zkSNARKs on which there is a lot less scrutiny and therefore is not as battle-tested as RSA.
Compared to other privacy schemes in the article, it still represents the most computationally intensive process.

  5. My article does not display it.
1 Like

1. Using cryptonote doesn’t break the links between transactions only obscures it. It’s also vulnerable to quantum computing, when that technology matures.
2. Timing attacks are performed by attackers when they are able to compromise the system by timing the minting of new coins. Address and transaction history are vulnerable. Users have to keep minted coins in order to prevent timing attacks.
3. Lelantus is another Zcoin protocol that will have no need for a mixer, higher anonymity, small proof sizes, doesn’t use fixed denominations, scalable.
4. Largest Pro:( * Potentially the best anonymity set encompassing all coins minted and breaks transaction links between addresses.)
Largest Cons: (a tie between *Complicated construction and difficult to understand in full meaning that only a handful of people can grasp the cryptography and code and may be prone to errors and usability. Both are critical.
5. Yes, with the exception of Monero, it uses 11 anonymity sets, but 10 are decoys.

1 Like
  1. One weakness is the possibility of making educated guesses for the real transaction by tying to the transaction timing. Another weakness is someone who breaks the discrete logarithm that underpins RingCT can forge coins without anyone knowing it.

  2. The attacker could potentially figure out the minting and spending patterns and then perform ‘timing attacks’. To prevent this, users would need to keep coins minted before they intend to spend.

  3. Lelantus does not require fixed denominations utilizing double-blinded commitments and a modification of bullet-proofs to hide transaction amounts. Users can burn arbitrary amounts and redeem arbitrary amounts as well making it much harder to tie spends to mints.

  4. The most important ‘pro’ is that it provides better anonymity; The important ‘con’ is that its supply cannot be audited therefore if coins are forged and come out of thin air, they cannot be detected.

  5. Fair

1 Like
  • it doesn’t break the links between transactions but merely obscures it with decoy inputs and outputs.
  • In Monero’s implementation of RingCT, someone who breaks the discrete logarithm that underpins RingCT can forge coins without anyone knowing it.
  2. Timing attack - Incorrect use or predictable use of Zerocoin mint and spend transactions such as always minting and spending at regular intervals, or doing mints and spends immediately or using the same IP address for a mint and spend can possibly compromise anonymity thus some care is required.

It is recommended that users mint coins in reserve before they even want to spend. The longer the coin stays in a minted form, the better the anonymity. This is being alleviated by Zcoin’s upcoming GUI which recommends the user to keep a certain percentage of their coins minted.

  3. Lelantus further expands on Sigma by removing the requirement for fixed denominations and also allowing for direct anonymous payments that do not reveal amounts. Lelantus retains all the benefits of Sigma of not requiring trusted setup, but removes the remaining weakness of requiring fixed denominations by utilizing double-blinded commitments and a modification of bullet-proofs to hide transaction amounts. Users can burn arbitrary amounts and redeem arbitrary amounts as well making it much harder to tie spends to mints.

  4. Pro: breaks transaction links between addresses.

Con: Supply cannot be audited therefore if coins are forged and come out from thin air, they cannot be detected. Bugs of this nature were both found before launch and also on live mainnet

1 Like

1. What two primary weaknesses of Monero are discussed?
Monero’s tiny anonymity set size of 11 and how Monero chooses its mixins.

2. One listed weakness of the Sigma protocol is susceptibility to “timing attacks”. Based on your read of the article and your understanding of Zerocoin’s Mint/Spend functions, how are ‘timing attacks’ performed, which information is vulnerable, and how can they be prevented?
Timing attacks are performed by analyzing the time taken to execute cryptographic algorithms (in this case, time until spend from a mint).
If coins are spent too soon after they are minted attackers might be able to link the spends with their mints, compromising the identity of the user.
Timing attacks can be prevented by minting coins way before they are spent

3. What is Lelantus and how does it improve on Sigma?
Lelantus is a cryptographic anonymity protocol which expands on Sigma by removing the requirement for fixed denominations by utilizing double-blinded commitments and a modification of bullet-proofs to allow for direct anonymous payments that do not reveal amounts.

4. Read the section on Zerocash and Zcash. When compared to Monero, what is the most important ‘pro’ of Zcash, and what is the most important ‘con’? Explain your choice.
The most important pro of Zcash versus Monero is its immensely larger anonymity set encompassing all coins minted and breaking transaction links between addresses.
Its most important con is the fact its supply can not be audited so if coins are forged and come out from thin air they cannot be detected. Bugs of such a kind were found before its launch and even on its live mainnet.

5. OPINION: Look at the ‘Comparison Chart’ at the end, and ‘Anonymity Set Size’ in particular. Based on your understanding of Monero, Zerocoin and Sigma, is this a fair comparison?
Monero is taken as if it made no sense to use as a privacy coin given its tiny anonymity set size of 11 but that would be the case if all transactions were made as the ones on its first blocks. Monero’s technology allows its users’ privacy to be compounded by each new block in the network, probably offering the best privacy one can find in a privacy coin today.

1 Like

1.) The two primary weaknesses of Monero that are discussed are the limited ring signature sizes and transaction timing connections. Monero’s ring size is relatively small at 11 users, and each transaction has limited anonymity based on the number of participants in the ring. Analysts and potential blockchain attackers can calculate the odds regarding transaction links. In addition, Monero transaction timing can potentially provide a compromise to attackers; in any transaction, the mix of the real coin and decoys can be distinguished from the authentic coin being moved first (for the majority of the time) before the transaction is carried-out.
2.) Based on my understanding, “timing attacks” are performed by an attacker connecting minted coins from a certain block to those same coins being spent in another block further down the chain. Protocols like Sigma are especially vulnerable to these types of attacks because of the cap on their anonymity set numbers, as well as downgrading performance when those limits are reached. The information that is vulnerable in these attacks is the sender’s transaction time and the amount of tokens he or she mints and spends. This vulnerability can be prevented by removing the requirement for fixed denominations (as used in the Lelantus protocol). The utilization of double-blinded commitments and a modification of zero-knowledge proofs can hide transaction amounts too, and users can burn or redeem arbitrary amounts of minted coins (which makes the connection of spent and minted coins harder to find).
3.) Lelantus is a protocol connected with Zcoin, and it improves on Sigma by removing requirements of fixed denominations and doesn’t need a trusted setup to interact with. Scalability is also improved with Lelantus, as well as providing the ability to do direct anonymous payments without having to convert to the base coin of the protocol.
4.) The most important “pro” of Zcash when compared to Monero is that Zcash has the better anonymity set. I think this is the best advantage of Zcash because when users are moving to a privacy-based cryptocurrency, the basic aspect of anonymity when using the protocol (at all times) should be ensured. Cryptocurrency, and any digital transaction for that matter, already has a risk associated with it; when a user decides to put the privacy of their life first, I think it’s extremely important to research a protocol that has the best anonymity of the user in mind, which is what Zcash possesses over Monero.
The most important “con” of Zcash when compared to Monero is Zcash’s complicated trusted setup that has to be arranged by the team. Zcash’s multi-party ceremony, which is made up of six different people, needs a trust for parameter destruction by the user. Monero, on the other hand, doesn’t need a trusted setup or mixer that requires other users to specify if they want to be involved; the Monero blockchain simply scans the blockchain for other outputs to use. I think this is the most significant disadvantage to Zcash because it draws users away from the original foundation of what cryptocurrency is founded on: decentralization and a trustless system. If I’m a user and putting my coins (and possibly investments) up for a transaction, I don’t want further risk involved in the trust of outside users (even if it’s a team of expert people). I think users and their transactions, as well as public parameters involved, should never have the potential to be leaked and put his or her privacy at risk.
5.) Based on my understanding of Monero, Zerocoin, and Sigma, this chart is not a fair comparison. The anonymity set of Zerocoin and Sigma seems correct, but just because the ring size of Monero is eleven, that doesn’t automatically equate to an anonymity set of the same number. It’s important to remember that people using Monero for transactions are also including one’s outputs in their rings, which makes it harder for an adversary to determine which ring is the real spender, and if the Monero has been spent yet (which isn’t detailed in the comparison diagram).

1 Like

:one: **What two primary weaknesses of Monero are discussed?**

They discuss the small anonymity set - equal to that only of what’s available as decoy ring signatures. This means that you do not very well decouple the sender from the receiver, and guesses can be quite good - and even if not spot on, can guess within 2-3 addresses.

It is also not ‘supply auditable’, and hence exploits on the network can go by undetected - and bad actors may be able to have infinite spending.

:two: One listed weakness of the Sigma protocol is susceptibility to “timing attacks”. Based on your read of the article and your understanding of Zerocoin’s Mint/Spend functions, how are ‘timing attacks’ performed, which information is vulnerable, and how can they be prevented?

These timing attacks look at the time between a Zcash mint and a Zcash spend.
If an address were to mint 1 Zcash, and spend 1 Zcash 2 minutes later, anonymity is very little, and it’s not hard to locate a spend to a particular address.
Whereas if the send was 1 year after the mint, many mints and sends would have happened in the meantime, and anonymity is enhanced.

A successful timing ‘attack’ could expose the spenders and receivers address.

:three: What is Lelantus and how does it improve on Sigma?

Lelantus is a protocol-level privacy protocol which has:

  • High anonymity set,
  • No mix-in required,
  • No trusted setup, and is
  • Based on Non fixed-denomination transactions.

It expands on Sigma by removing the requirement for fixed denominations and also allowing for direct anonymous payments that don’t reveal transaction amounts.

:four: Read the section on Zerocash and Zcash. When compared to Monero, what is the most important ‘pro’ of Zcash, and what is the most important ‘con’? Explain your choice.

The most important pro of Zcash is its significantly greater anonymity set.
With Monero, you have a far more limited anonymity set ~ usually up to 10 for a sender, however with Zcash, your anonymity set may trend towards 100,000.

The most important con of Zcash is its trusted setup. If the setup of the protocol were to be jeopardized, it could undo all of the anonymity retroactively.

:five: OPINION : Look at the ‘Comparison Chart’ at the end, and ‘Anonymity Set Size’ in particular. Based on your understanding of Monero, Zerocoin and Sigma, is this a fair comparison?

It is not entirely fair towards Monero. Perhaps when Monero was just using ring signatures, your anonymity set might be 11, however these days - with the implementation of bulletproofs and enforced privacy and further tweaks, you could easily argue that Monero gets the short straw in this comparison.

As the number of transactions increases on the network, the level of anonymity grows further than 11.

2 Likes
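
The mint-to-spend timing point raised in the answers above, as an added example that is not part of any post or of the Zcoin/Firo code: it counts how many same-denomination mints are at least as recent as yours at the moment you spend, which is the crowd left once an observer guesses that the spent coin was minted recently. The ledger, denominations, block heights and function names are constructed for illustration.

```python
"""Added illustration: hold time between a fixed-denomination mint and its spend
versus the crowd of equally recent mints. All ledger data here is constructed."""
from bisect import bisect_left
from collections import defaultdict

# Constructed sample ledger: (block_height, denomination) for every mint seen
# on chain. The first entry plays the role of "our" mint at height 100.
SAMPLE_MINTS = [
    (100, "1"), (100, "0.5"), (101, "1"), (103, "10"), (105, "1"), (105, "1"),
    (110, "0.5"), (112, "1"), (120, "1"), (121, "25"), (130, "1"),
]


def index_by_denomination(mints):
    """Group mint heights by denomination and sort them for binary search."""
    index = defaultdict(list)
    for height, denom in mints:
        index[denom].append(height)
    for heights in index.values():
        heights.sort()
    return index


def recency_crowd(index, denom, mint_height, spend_height):
    """Count same-denomination mints with mint_height <= height < spend_height.

    An observer who assumes "the spent coin was minted at least as recently as
    block mint_height" is left with exactly this many candidate mints.
    A result of 1 means only our own mint fits the guess.
    """
    if spend_height <= mint_height:
        raise ValueError("a coin cannot be spent at or before its mint height")
    heights = index.get(denom, [])
    return bisect_left(heights, spend_height) - bisect_left(heights, mint_height)


def earliest_spend_height(index, denom, mint_height, target_crowd):
    """First block height at which recency_crowd reaches target_crowd.

    Returns None when the ledger does not yet contain enough later mints of
    this denomination, i.e. the coin should stay minted for now.
    """
    if target_crowd < 1:
        raise ValueError("target_crowd must be at least 1")
    heights = index.get(denom, [])
    k = bisect_left(heights, mint_height) + target_crowd - 1
    if k >= len(heights):
        return None
    # The spend must land strictly after the k-th qualifying mint.
    return heights[k] + 1


if __name__ == "__main__":
    idx = index_by_denomination(SAMPLE_MINTS)
    for spend in (101, 106, 113, 131):
        crowd = recency_crowd(idx, "1", 100, spend)
        print(f"mint@100 spend@{spend}: held {spend - 100} blocks, crowd {crowd}")
    print("earliest spend for crowd of 5:", earliest_spend_height(idx, "1", 100, 5))
```

Spending one block after the mint leaves a crowd of one, while waiting lets later mints of the same denomination accumulate around it.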
  1. What two primary weaknesses of Monero are discussed? : The links between transactions are not broken they are merely obscured with decoy inputs and outputs that can be calculated even though they can’t be proven directly. Scalability issues because of large transaction sizes and a non prunable blockchain.

  2. One listed weakness of the Sigma protocol is susceptibility to “timing attacks”. Based on your read of the article and your understanding of Zerocoin’s Mint/Spend functions, how are ‘timing attacks’ performed, which information is vulnerable, and how can they be prevented? : Users have to keep coins minted before they intend to spend to prevent timing attacks.

  3. What is Lelantus and how does it improve on Sigma? : It improves on sigma by removing the requirement for fixed denominations and also allowing for direct anonymous payments that do not reveal amounts.

  4. Read the section on Zerocash and Zcash. When compared to Monero, what is the most important ‘pro’ of Zcash, and what is the most important ‘con’? Explain your choice. : The most important pro when compared to Monero is the anonymity set encompassing all coins minted and breaks transaction links between addresses. The main ‘con’ is that it uses relatively new cryptography and based on cryptographic assumptions (KEA) that have been criticized. Monero is a well researched cryptography.

  5. OPINION: Look at the ‘Comparison Chart’ at the end, and ‘Anonymity Set Size’ in particular. Based on your understanding of Monero, Zerocoin and Sigma, is this a fair comparison … https://forum.ivanontech.com/t/zcoin-comparison-reading-assignment/13052…? : It represents the current transactions default RingCT ‘decoy’ array size, it does not take into account ‘stealth address’ to destination Bob and the values hiding with RingCT and bulletproofs.

2 Likes