ZCash vs Bitcoin w/ CT and ZKCP


Can someone explain the differences between Zcash and Bitcoin with confidential transactions and zero knowledge contingent payments? I'm confused on the pros/cons of each. Thanks


First, confidential transactions.

Bitcoin confidential transactions hide only the amounts of the transactions. They do not hide the sending and receiving addresses. Used in conjunction with (vary carefully implemented) CoinJoin we'll be able to achieve a reasonable level anonymity in BTC. However BTC with confidential transactions and coinjoin has the following caveats:

(a) The attack surface on this implementation is larger (because every step of the CoinJoin has to be done very carefully). It's a lot easier for users to get things wrong .

(b) The anonymity level achieved is less than with zcash (because the former has an anonymity set only as large as the coinjoin set, while zcash has an anonymity set as large as the entire user base of zcash)

(c) The privacy guarantees of this method are questionable when you have a global adversary with a huge amount of raw computing power and access to almost any third-party information that they desire. If your adversary is the NSA then you'll want better privacy guarantees than btc+confidential_transactions+coinjoin can provide. (You'll also probably want to find different adversaries... just saying). With zcash, on the other hand, raw computer power won't help your adversary at all. Third-party information can still hurt you with zcash, but generally speaking it eases your OpSec burden compared to the former.

Now on to ZKCP:

As far as I'm aware, ZKCP isn't related to private payments at all (at least not in sense that we're discussing here). It's a super awesome way to atomically swap digital info for money, and I anticipate that we will see some pretty cool use cases for it soon. But its not particularly useful for private payments in btc.


Thanks so much that's a great explanation! Are CT already working in bitcoin thanks to blockstream or is it something they are working on? And does ZKCP also make private what the digital info being swapped is?


"Are CT already working in bitcoin thanks to blockstream?"

Not quite. They DO have it fully functioning on a test net side chain (https://elementsproject.org/sidechains/alpha/). So the technology exists and could, in principle, be used today.

However the functionality is not currently present on bitcoin's main net. So we can't use it presently in bitcoin proper.

"Does ZKCP also make private what the digital info being swapped is?"

Yes! It's pretty cool. Only the buyer learns the solution.


So will blockstream's sidechains Elements and Liquid only work in bitcoin if bitcoin core decides to include them? Because if so I feel like that will probably never happen and they will stay on their own test net side chain.

And wow ZKCP is really cool! Is that being implemented in bitcoin or is it kind of in the same situation confidential transactions are?

Thanks for all your help!


ZKCP has already been done in Bitcoin proper, so the functionality is there. To make it more user friendly it will need to be implemented in a wallet which is part of what this is about;


That's awesome! ZKCP sounds like a great innovation.

Do you know what needs to be done to get Confidential Transactions on blockstream's test net side chain Elements working on bitcoin's main net?


It looks like it's going to be implemented some time after segwit is deployed. Since they'll be able to do it on a soft fork, it's very unlikely there will be any significant resistance.



Okay cool I really appreciate all your help @Uninvention and @Austin-Williams! All makes a lot more sense now.


In addition to @Austin-Williams' excellent answer, see https://leastauthority.com/blog/zerocash_and_confidential_transactions.html

Edit: Zcash is open-source, so the "Code Auditability" row in table 2 and corresponding section of the text is out-of-date (it was correct in June 2015). Everything else looks still to be valid.


Also note that it should be possible to do ZKCP on the Zcash network; they are complementary if you want to do a ZKCP transaction anonymously or pseudonymously. (I don't immediately know whether the ZKCP demo used features that are only available for transparent transactions, but if it did, that can likely be solved.)