Apart from that I liked this post and it shone some light on issues I wasn't aware of.
[1] https://www.reddit.com/r/btc/comments/4nai1r/on_fungibility_...
Monero uses CryptoNote's ring signature approach, which scales linearly with the number of coins you want to mix with. Want to fully mix 1,000 coins together? You need a 30kb transaction[0]. You chunk those coins into smaller mixing sets, but then they aren't fully mixed. In anything using this approach, your anonymity set is limited by what you can transmit across the network in any given transaction or a small set of transactions. I've never seen an exact proposal for mixing tx size and I'd be very interested to see one, but if it was more than 100 coins per tx I'd be surprised.
In ZCash, transactions are constant size and are fully mixed with every other coin in the current anonymity set.
Both approaches do have the indefinitely growing list of spent tokens issue, which in practice means you need to move coins into a new anonymity set after e.g. 2^32 serial numbers and throw away the old coins and spent serial number list[1]. So there is an inherent limit on the maximal anonymity set you get out of any anonymous ecash scheme. Zerocash hits that limit. Due to its per transaction scaling issues, CryptoNote simply can't.
As a result, in ZCash, your coin is hidden amongst all the coins in the maximal anonymity set. In Cryptonote/Monero, it's hidden amongst a far smaller fraction of that set. In Monero, you are far less anonymous. All things being equal, you want to be more anonymous.
Of course, all other things are not equal. There are merits to both Zerocash and CryptoNote on a technical level, but scalability isn't where CryptoNote shines.
[0] Assume one group element per signature in the ring at 32 bytes per element. The real scheme is likely worse.
[1] There are more sophisticated approaches that can be used.
Monero/CryptoNote based coins offer better privacy than any other competitor. And we live in an age where that's becoming increasingly important.
This relative anonymity is not what attracted the vast majority of bitcoin users anyway. It was more the idea of a public, decentralized ledger.
It's less anonymous than that. Not a 100% accurate analogy but this would be similar to having your browsing history stored in a public location mapped to your IPs.
It's more anonymous than that. Most people can't change their IP, let alone generate a new IP address for every single page load.
I'd also mention that bitcoin had a BIP at some point to add stealth address support to the core (BIP63) with a couple of wallets providing support for those.
Monero has existed for the entire two years that Zerocash has been whitepaper vaporware, and it works really well.
It's using libsodium. This is an alarmist and false statement.
> Nobody can really guarantee that there aren’t some bugs in the system that will make it possible to deanonymize transactions or create coins out of thin air.
Sure, that's technically true of all crypto-currencies.
But more importantly than that it uses libsnark for the actual clever bits, which has already been critically broken[1] precisely because it is so new and poorly tested.
Even the cryptography in ZeroCash/ZeroCoin is too new to be trusted with a financial system. That is not alarmist, that is practical. Relying on old, established cryptography is precisely why Bitcoin hasn't been trivially broken, and the zk-snarks cryptography will need to go through the same peer-review and refinement process over the next decade or two.
Really? Does libsodium support pairing-based cryptography?
https://github.com/zcash/zcash/issues/714#issuecomment-21691...
To be sure, libsodium is shiny and nifty and wonderful, but the root cause of a large number of crypto insecurities is in key management. A bunch of others can be regarded as subtle mistakes in using an otherwise solid algorithm.
Assuming that using a trusted implementation of a trusted algorithm means your crypto is solid is roughly like saying, "my car has airbags, so it is safe."
Having used a handful of the exchanges and other more casual wallets like Circle, it's obvious that the trend is towards more "security" and legitimacy by vetting users and knowing their real world identities, etc., which can include a Skype interview, scanning personal bills to prove addresses and so forth.
The laws almost everywhere (except niche jurisdictions that treat holding offshore accounts as their main industry) pretty much require you to know your customer and not be an enabler of any anonymous transfers of money - or alternatively, be treated as responsible for any "bad" money passing through you.
Any institution that would enable you to trade a scalable amount of USD for Monero or some new cryptopayment solution would also have to require the same information to know your real world identity.
Any institution that would enable you to trade a significant amount of such new cryptocurrency for USD would be required (perhaps not immediately, but definitely if/when it becomes sufficiently popular) to report that to IRS, who would then request documentation about the transactions and originators where you obtained that amount (which you surely reported when filing your taxes, didn't you?), and it doesn't really matter that much that the blockchain is anonymous since essentially you'll give them the transaction details anyway or go to jail.
If no institutions enable that, then the cryptocurrency cannot be liquid enough for everyday use, as it's not easy to trade it with other liquid currencies.
This is also not the first time someone has smacked down ZCash for being ill-conceived and dangerous: https://blog.okturtles.com/2016/03/the-zcash-catch/