Zcash gets a mention!





Not currently Zcash related, but ZEC would probably be a perfect fit for this young industry.

“The personal information of cannabis users is therefore very sensitive. For example, some countries may deny entry to individuals if they know they have purchased cannabis, even lawfully”



This solicits no new information and, while true, comes off as kind of alarmist or defamatory (this is what novel technology means).

For the record, SHA256 could as well, but…


It’s a puff piece from a COO whose coin (the one he works for) was a fork from Zcash. It’s a way to get their name out and about, and the article itself is a respin of a conversation that was had months ago.

Did I say puff piece? I can do better: this is simply an “I don’t have anything positive to say about my own coin, so let me bring up a dead conversation about your coin and attempt to make you look bad so that you will be tricked into looking at my coin” piece.


https://cryptobriefing.com/zcash-digital-asset-report-zec-token-review-investment-grade/ :roll_eyes:


Pretty much my concerns as well; I’ve been posting them for some weeks now …


It is in depth but uses the word “if” a lot (I didn’t look at the other reports, so perhaps not), but mainly because on the main page they insist I “use these DARE reports as a research tool” after they say DYOR.

Nope, I firmly believe this implies they are incentivized to be referenced.


Misleading article is misleading.


Doesn’t seem very logical either when it comes to comparing privacy coins…

DARE final grades from the different analyses:

Monero: C+
Zcash: C+
Dash: B

Dash is sometimes not even mentioned as a serious privacy coin anymore…



First time I’ve heard of this platform. It doesn’t differentiate between the different kinds of miners, sort of insinuating Bitcoin miners are just going to switch over, and it also does not mention the update to Harmony mining not being included in NU3.





Just logical; this also means that there will never be z-addresses used by them, only t-addresses…


Let’s not forget the viewing keys. It is feasible to work with shielded addresses while having to share viewing keys with an official entity …

The Gemini release also provides clarity on its plan for supporting shielded addresses. Gemini states, “At launch, Gemini will support deposits from unshielded or shielded addresses, but will only support withdrawals to unshielded addresses. We are working to support withdrawals to shielded addresses in the future.”

Source: https://z.cash/blog/gemini-announces-support-for-zcash/


The Valkenbergh perspectives that pertain to the subject


Yeah I replied to that article, which is complete FUD. Here’s my reply:

Peter Todd’s claim that a compromise of (either of) the Zcash trusted setups could compromise privacy is incorrect. I think it arises from a misunderstanding due to the fact that the files needed to verify Zcash’s “Sprout” setup were temporarily unavailable. They are now available here: https://github.com/zcash/mpc

The problem with KEA2 can be described in a single paragraph:

“At an intuitive level, the weakness in KEA2 is easy to see, and indeed it is surprising this was not noted before. Namely, consider an adversary A that on input q, g, g^a, g^b, g^{ab}, picks c1, c2 in some fashion, and outputs (C, Y) where C = g^c1 (g^a)^c2 and Y = (g^b)^c1 (g^{ab})^c2. Then Y = C^b but this adversary does not appear to “know” c such that either g^c = C or (g^a)^c = C.”

In other words, this was a completely elementary mistake (not the only one) by the authors of the paper introducing KEA2. There’s no reason at all to believe that this has any bearing on the reasonableness of KEA1, which is a much simpler, older, “common-sense” assumption. In practice, an attack on KEA1 would call into question the whole basis of discrete-log cryptosystems, whereas the attack on KEA2 is only worth a bit of eyerolling that the paper introducing it even got through peer review. Don’t be confused by the similarity of names.

I’d also like to say something about the criticism of knowledge assumptions as being “non-falsifiable”. First of all, the Bellare and Palacio paper does “falsify” KEA2 (conditionally). So “non-falsifiability” of an assumption in the technical sense used in the cryptographic literature, certainly does not mean that no evidence can be provided either for or against its reasonableness. In this sense there’s no hard distinction between assumptions that are called “non-falsifiable” and those that are not. In addition, there’s no substantial difference in principle from other very widely used security models that are incomparable to the standard model. That is, making a KEA assumption is similar to providing a security proof in other formally non-instantiable models such as the Random Oracle or Algebraic Group model, or using the Fiat-Shamir heuristic. These models are best thought of as resulting in proofs of security against a somewhat restricted class of possible attacks. Please note that all formal security proofs are necessarily for some class of modelled attacks; whether that is as the result of using a model other than the standard model, or the choice of formalisation of desired security properties. The main purpose of doing security proofs is as an aid to the system designer in avoiding the modelled class of attacks, and to draw the attention of other cryptanalysts to where any problems are more likely to lie. Armchair assessments of systems by non-cryptanalysts based on the assumptions and models used in their proofs should be strongly discouraged.

As it happens, the whole line of criticism based on reliance on KEA in Zcash is somewhat obsolete, because since the Sapling upgrade, Zcash no longer uses the PHGR13 proving system whose proof of Knowledge Soundness relied on KEA. It now uses Groth16, for which Knowledge Soundness is proven in the Algebraic Group model. Although this does not by itself exclude forgery based on breaking KEA before Sapling activated, any new attack of that form [clarification: that is, based on an incorrect formalization of KEA as in the case discussed in the article] can no longer be used. Note also that privacy never relied on correct formalization of KEA.

I will refrain from giving my opinion about the security of Zcoin other than to state some facts:

  • it relies on a trusted setup (that is, the assumption that the factors of a particular RSA modulus were deleted);
  • it directly deployed academic prototype code that was clearly labelled as unsuitable for deployment;
  • it has experienced successful forgery attacks, resulting in more money being extracted by the attacker from the Zcoin private pool than was ever put into it. Just over 25% of the current monetary base of Zcoin was forged by this attacker: https://makebitcoingreatagain.wordpress.com/2017/02/18/is-the-zcoin-bug-in-checktransaction/

Disclosure of interest: I am a Zcash developer and cryptanalyst. In this comment I’m speaking for myself, not Zcash Company.
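As an added illustration of the Bellare–Palacio counterexample quoted in the reply above (this is not part of the original post, nor code from Zcash or any of the papers), the following Python script builds the KEA2 challenge tuple in a toy group and runs the “mixing” adversary against it. The group parameters (a 1019-element toy safe-prime group, generator 4, the exponents a, b, c1, c2) are constructed here purely for illustration and are not secure. The script checks that Y = C^b holds even though the adversary never touched a or b, shows that the exponent an extractor would need depends on the secret a, and, for contrast, shows that the same trick against KEA1 would require g^{a^2}, which the KEA1 adversary is never given.

```python
# Toy walk-through of the Bellare-Palacio counterexample to KEA2.
# Constructed illustration; not code from the original post, Zcash, or the papers.
# Group: the order-Q subgroup of Z_P^* with P = 2Q + 1 (toy-sized safe prime).
P = 1019          # constructed toy safe prime (NOT a secure parameter)
Q = (P - 1) // 2  # = 509, prime order of the subgroup of squares mod P
G = 4             # a square mod P, hence a generator of the order-Q subgroup


def kea2_input(a, b):
    """Challenge tuple (g, g^a, g^b, g^{ab}) handed to a KEA2 adversary."""
    return G, pow(G, a, P), pow(G, b, P), pow(G, a * b % Q, P)


def honest_adversary(inp, c):
    """An adversary that genuinely knows c: outputs C = g^c, Y = (g^b)^c."""
    g, ga, gb, gab = inp
    return pow(g, c, P), pow(gb, c, P)


def bellare_palacio_adversary(inp, c1, c2):
    """The mixing adversary from the quoted paragraph:
    C = g^c1 * (g^a)^c2,  Y = (g^b)^c1 * (g^{ab})^c2.
    It uses only the four public values, never a or b, yet Y = C^b."""
    g, ga, gb, gab = inp
    C = pow(g, c1, P) * pow(ga, c2, P) % P
    Y = pow(gb, c1, P) * pow(gab, c2, P) % P
    return C, Y


def relation_holds(C, Y, b):
    """The KEA2 winning condition: Y == C^b."""
    return Y == pow(C, b, P)


def exponents_extractor_would_need(c1, c2, a):
    """KEA2 demands an extractor output c with g^c = C or (g^a)^c = C.
    Since C = g^(c1 + a*c2), both candidates are functions of the secret a:
      c  = c1 + a*c2          (mod Q)   for the g^c = C branch
      c' = a^{-1}*c1 + c2     (mod Q)   for the (g^a)^c' = C branch
    Returns (c, c'); the adversary knows neither, because it never saw a."""
    c = (c1 + a * c2) % Q
    c_prime = (pow(a, -1, Q) * c1 + c2) % Q
    return c, c_prime


def kea1_mixing_needs_g_a_squared(a, c1, c2):
    """Why the same trick does not carry over to KEA1.
    A KEA1 adversary gets only (g, g^a) and must output (C, Y) with Y = C^a.
    Mixing C = g^c1 * (g^a)^c2 forces Y = C^a = (g^a)^c1 * (g^{a^2})^c2,
    i.e. it needs g^{a^2}, which is not in the KEA1 input.  Here we cheat and
    compute g^{a^2} from a, only to confirm the algebra."""
    ga = pow(G, a, P)
    gaa = pow(G, a * a % Q, P)          # the value the adversary does NOT have
    C = pow(G, c1, P) * pow(ga, c2, P) % P
    y_true = pow(C, a, P)               # what Y would have to be
    y_mixed = pow(ga, c1, P) * pow(gaa, c2, P) % P
    return y_true == y_mixed


if __name__ == "__main__":
    a, b, c1, c2 = 123, 456, 7, 11      # constructed toy secrets/coins
    inp = kea2_input(a, b)
    C, Y = bellare_palacio_adversary(inp, c1, c2)
    print("mixing adversary wins KEA2 game:", relation_holds(C, Y, b))
    c, c_prime = exponents_extractor_would_need(c1, c2, a)
    print("g^c == C:", pow(G, c, P) == C, " (g^a)^c' == C:", pow(inp[1], c_prime, P) == C)
    print("KEA1 mixing would need g^{a^2}:", kea1_mixing_needs_g_a_squared(a, c1, c2))
```

The point of the last function is the one made in the reply: the KEA2 flaw is an artefact of handing the adversary an extra pair (g^b, g^{ab}) it can recombine linearly, whereas the KEA1 statement gives it nothing to recombine without already knowing a.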


The algebraic group model (and the generic group model) imply that KEA holds, so assuming your adversary is an AGM adversary, as needed for the Groth16 analysis, is at least as strong an assumption as KEA (IMO significantly stronger).