## Navigation

# Zcash VS Monero: Comparative Privacy Coin Guide

Zcash vs Monero are the two most significant privacy coins in the market. While their end goal is the same, the way they go about it is entirely different. **Zcash (ZEC)** is a fork of the Bitcoin protocol and attains privacy via the use of the zk-SNARKS, a zero-knowledge privacy protocol. **Monero (XMR)**, on the other hand, has a completely different underlying protocol called CryptoNote. Monero maintains the privacy of its senders, its transactions, and its receivers via ring signatures, ring confidential transactions, and stealth addresses respectively. In this Zcash VS Monero guide, we are going to take a look at the differences and similarities between these projects.

**Zcash at a Glance**

**Important Statistics**

In our graphs below, the data set chosen is May 6 – May 10.

**#1 Price per Day (in USD)**

In our data set, the peak price was reached on May 7th at $60.48. From May 8th to May 10th, the price has remained pretty stable at around $57.70. The average price of ZEC in our dataset is $58.61.

**#2 Difficulty (in millions)**

Zcash reached peak difficulty of 77.42 million at May 7th. On May 9th, Zcash reached a low of 66.95 million. The average mining difficulty in our data set is 72.68 million.

**#3 Average Hashrate per Day (in GHash/s)**

In our dataset, the average hashrate is 3.99 GHash/s. The peak hashrate was reached on 7th May with 4.26 GHash/s and the least on 9th May with 3.66 GHash/s.

**#4 Total Mining Reward Collected Daily (in USD)**

The total mining fees collected reached a peak on 7th May, which is $434,011.16. The total fees also have managed to remain above $410,000. The average total mining reward in our dataset is $419,771.23.

**#5 Daily Trade Amount**

A peak of 4,256 ZEC was sent on 9th May and low of 3,298 ZEC on 8th May. An average of 3,676 ZEC was traded each day in our dataset.

**Monero at a Glance**

**Important Statistics**

In our graphs below, the data set chosen is May 6 – May 10.

**#1 Price per Day (in USD)**

In our dataset, Monero reached a peak of $68.47 on May 7th and a low of $66.68 on May 6th. In our dataset, the value of Monero has trended in a $2 range between $66.65 ad $68.50.

**#2 Number of Transactions per Day**

More than 8,000 transactions have been sent per day in our data set and exceeded 10,000 on three occasions. A low of 8,310 transactions were sent on May 6th and a high of 13,840 transactions was sent on May 8th. The average number of transactions sent per day is 11,214.

**#3 Average Transaction Fee sent per Day (in USD)**

The average transaction fee spent per day exceeded $0.02 on four out of the five days in our dataset. May 7th, saw the most average transaction fees with $0.023 and a low of $0.015 on May 9th.

**#4 Average Hashrate (in MHash/s)**

May 10th saw the highest average hashrate with 342.38 MHash/s and May 6th saw the least with 325.40 MHash/s. In our dataset, the average hashrate per day was 332.83 MHash/s.

**#5 Difficulty per Day (in millions)**

May 10th saw a high of 40.56 million difficulty and may 6th saw a low of 38.15 million. On average, our dataset saw a difficulty of 39.52 million.

**ZCash vs Monero: The differences**

We will be focussing on the following two differences:

- Underlying Protocol.
- Cryptography.
- Mining.

**#1 ZCash VS Monero Underlying Protocol**

**Monero**

Back in July of 2012, Bytecoin, the first real-life implementation of CryptoNote, was launched. CryptoNote is the application layer protocol that fuels various decentralized currencies. While it is similar to the application layer which runs bitcoin in many aspects, there a lot of areas where the two differ from each other.

While bytecoin had promise, people noticed that a lot of shady things were going on and that 80% of the coins were already published. So, it was decided that the bytecoin blockchain will be forked and the new coins in the new chain will be called Bitmonero, which was eventually renamed Monero meaning “coin” in Esperanto. In this new blockchain, a block will be mined and added every two mins.

Unlike other cryptocurrencies, Monero has two public keys and two private keys.

**Public and Private View Keys**

- The public view key is used to generate the one-time stealth public address where the funds will be sent to the receiver. (more on this later).
- The private view key is used by the receiver to scan the blockchain to find the funds sent to them.

The public view key makes the first part of the Monero Address.

**Public and Private View Keys**

If the view key was mostly for the recipient of a transaction, the spend key is all about the sender. As above, there are two spend keys: public spend key and private spend key.

- The public spend key will help the sender take part in ring transactions and also verify the signature of the key image. (more on that later)
- The private spend key helps in creating that key image which enables them to send transactions.

The public spend key makes the second part of the Monero address. The Monero address is a 95-character string. All the transactions in Monero are private by default.

**Zcash**

Zcash started as a fork of the Bitcoin blockchain on October 28, 2016. Earlier it was called the Zerocoin protocol before it was transformed into the Zerocash system and then finally, Zcash. As the Zcash Wikipedia page states:

“Development of protocol improvements and the reference implementation is led by the Zerocoin Electric Coin Company, colloquially referred to as Zcash Company.”The Founder, CEO, and the driving force behind Zcash is Zooko Wilcox. Since ZCash is a fork of Bitcoin, it has a maximum supply of 21 million.

In Zcash, you have a choice to choose between two kinds of transactions.

- Normal transparent transactions.
- Shielded private transaction.

Suppose Alice wants to send 1 ZEC to Bob.

If Bob is ok with keeping the transaction transparent and open for the world to see, then she can send him the Zec to his transparent address or t-addr.

However, if he wants some privacy and does not want the transaction details to be open to the public, he can have the money sent to his shielded address also called “z-addr”.

If both Alice and Bob use their shielded addresses to interact with each other, then all the details of the transaction would be private. This includes Alice’s identity, Bob’s identity and the details of the transaction itself.

The reason why Z-Cash achieves such a high level of privacy is that of the utilization of zk-SNARKS or Zero-Knowledge Succinct Non-Interactive Arguments of Knowledge.

Using shielded and transparent transactions, you can do four types of transactions:

- Public: Open sender and open receiver.
- Shielding: Open sender and shielded receiver.
- Deshielding: Shielded sender and open receiver.
- Private: Shielded sender and shielded receiver.

**#2 ZCash VS Monero Cryptography**

In this section, let’s look at the cryptography used by both Monero and Zcash, which gives them the required privacy.

**Monero Cryptography**

There are three pieces of cryptography that Monero uses:

- The privacy of the sender is maintained by Ring Signatures.
- The privacy of the recipient is maintained by Stealth Addresses.
- The privacy of the transaction is maintained by Ring CT aka Ring Confidential Transactions.

**Ring Signatures**

To understand what ring signatures are and how they help maintain the sender’s privacy let’s take a hypothetical real-life example. When you are sending someone a check, you need to sign it off with your signature right? However, because of that, anyone who sees your cheque (and knows what your signature looks like) can tell that you are the person who has sent it.

Now think about this.

Suppose, you pick up four random people from the streets. And you merge your signatures with these four people to create a unique signature. Nobody will be able to find out whether it really is your signature or not.

That’s how ring signatures work. Let’s see its mechanism in the context of Monero.

Suppose, Alice has to send 1000 XMR (XMR = Monero) to Bob, how will the system utilize ring signatures to hide her identity? (For simplicity’s sake, we are taking a pre- ringct implementation case..more on that later).

Firstly, she will determine her “ring size”. The ring size are random outputs taken from the blockchain which is of the same value as her output aka 1000 XMR. The bigger the ring size, the bigger the transaction and hence higher the transaction fees. She then signs these outputs with her private spend key and sends it to the blockchain. Another thing to note, Alice doesn’t need to ask the owners of these previous transactions their permission to use the outputs.

So, suppose Alice chooses a ring size of 5 i.e. 4 decoy outputs and her own transaction, for an outsider, this is what it will look like:

In a ring signature transaction, any of the decoys is as likely of being output as the actual output because of which any unintended third party (including the miners) won’t be able to know who the sender is.

**Stealth Addresses**

Now, how does Monero ensure the receiver’s privacy? Let’s assume that the sender is Alice and the receiver is Bob.

Bob has 2 public keys, the public view key, and the public send key. For the transaction to go through, Alice’s wallet will use Bob’s public view key and the public spend key to generate a unique one-time public key.

This is the computation of the one-time public key (P).

P = H(rA)G + B

In this equation:

- r = Random scalar chosen by Alice.
- A = Bob’s public view key.
- G = Cryptographic constant.
- B = Bob’s public spend key.
- H() = The Keccak hashing algorithm used by Monero.

The computation of this one-time public key generates a one-time public address called “stealth address” in the blockchain where Alice sends her Monero intended for Bob. Now, how is Bob going to unlock his Monero from the random distribution of data?

Remember that Bob also has a private spend key?

This is where it comes into play. The private spend key helps Bob scan the blockchain for his transaction. When Bob comes across the transaction, he can calculate a private key which corresponds to the one-time public key and retrieves his Monero. So Alice paid Bob in Monero without anyone getting to know.

So how is a key Image (I) calculated?

Now we know how the one-time public key (P) was calculated. And we have private spend key of the sender which we will call “x”.

I = xH(P).

Things to note from this equation:

- It is infeasible to derive the one-time public address P from the key image “I”(it is a property of the cryptographic hash function) and hence Alice’s identity will never be exposed.
- P will always give the same value when it’s hashed, meaning H(P) will always be the same. What this means is, since the value of “x” is constant for Alice, she will never be able to generate multiple values of “I” making the key image unique for every transaction.

**Ring Confidential Transactions**

Ring Confidential Transactions (Ring CT) is used to shield the value of the actual transaction that Alice sends to Bob. Before the implementation of Ring CT, the transactions used to happen like this:

If Alice had to send 12.5 XMR to bob, then the output will be broken down into three transactions of 10,2 and .5. Each of those transactions will get their own ring signatures and then added to the blockchain.

While this did safeguard the sender’s privacy, what it did was that it made the transactions visible to everyone.

To address this issue, Ring CT was implemented which was based on the research done by Gregory Maxwell. What RingCT does is simple, it hides the transaction amounts in the blockchain. What this also means is that any transaction inputs don’t need to be broken down into known denominations, a wallet can now pick up ring members from any Ring CT outputs.

Think of what that does to the privacy of the transaction?

Since there are so many more options to choose rings from and the value is not even known, it is now impossible to be aware of any particular transaction.

**Zcash Cryptography**

Zcash uses zk-SNARKS for its cryptography. zk-SNARKS stands for Zero-Knowledge Succinct Non-Interactive Arguments of Knowledge. To understand that, you need to understand what zero-knowledge proofs are.

There are two parties when it comes to a zero-knowledge proof (ZKP), the prover and the verifier. Zero knowledge states that a prover can prove to the verifier that they possess a certain knowledge without telling them what that knowledge actually is.

For a ZKP to work it needs to satisfy these parameters:

- Completeness: If the statement is true then an honest verifier can be convinced of it by an honest prover.
- Soundness: If the prover is dishonest, they can’t convince the verifier of the soundness of the statement by lying.
- Zero-Knowledge: If the statement is true, the verifier will have no idea what the statement is.

So, how does ZKP work? Let’s take an example.

**ZKP Example: Billiard Balls**

In this case, we have a prover and a verifier, but the verifier is color-blind. The prover has two billiard balls, red and green. Now, color-blind people can’t tell the difference between the two colors, as you can see from the following image:

So, this is the situation right now. The verifier believes that both the balls are of the same color, while the prover wants to prove that the colors are both the same. How are we going to do this?

The verifier takes both the balls and hides it behind his back. Now, he can either switch the balls in his hands or keep them as is. After he is done switching the balls (or not), he presents them to the prover. The prover can see the actual color of the balls and will know instantly whether the switch has been made or not.

The verifier can then repeat this experiment as many times as he wants before he is satisfied with the fact that the prover wasn’t lying about the color of the balls.

Let’s look up the three properties of the ZKP in the experiment given above:

- Completeness: Since the statement was true, the honest prover convinced the honest verifier.
- Soundness: If the prover was dishonest, they couldn’t have fooled the verifier because the test was done multiple times.
- Zero-Knowledge: The prover never saw the verifier switching the balls in his hand.

**How does Zk-Snark work?**

A Zk-Snark consists of 3 algorithms: G, P, and V.

G is a key generator takes an input “lambda” (which must be kept confidential and shouldn’t be revealed under any circumstances) and a program C. It then proceeds to generate two publicly available keys, a proving key pk, and a verification key vk. These keys are both public and available to any of the concerned parties.

P is the prover who is going to use 3 items as input. The proving key pk, the random input x, which is publicly available, and the privacy statement that they want to prove the knowledge of without revealing what it actually is. Let’s call that private statement “w”. The P algorithm generates a proof prf such that: prf = P(pk, x,w).

The verifier algorithm V returns a boolean variable. A Boolean variable has only two choices, it can be TRUE or it can be FALSE. So, the verifier takes in the verifying key, public input x and proof prf as input such as:

V(vk,x,prf)

..and returns TRUE if the prover is correct and false otherwise.

The value of “Lambda” must be kept confidential because then anyone can use it to generate fake proofs. These fake proofs will return a value of TRUE regardless of whether the prover knows the private statement “w” or not.

**Functionality of zk-SNARK**

For showing the functionality of a zk-SNARK, we are going to use the same example function that Christian Lundkvist used in his article for Consensys. This is what the example program looks like:

** function C(x, w)**

**{**

**return ( sha256(w) == x );**

**}**

The function C takes in 2 values as input, a public hash value “x” and the secret statement that needs to be verified “w”. If the SHA-256 hash value of w equals “x” then the function returns TRUE otherwise it returns FALSE. (SHA-256 is the hash function that is used in Bitcoin).

Let’s bring back our old friends Anna and Carl for this example. Anna being the prover and Carl the skeptic is the verifier.

The first thing that Carl, as the verifier, has to do is to generate the proving and verifying key using the generator G. For this, Carl needs to create the random value “lambda.” As stated above, however, he needs to be super careful with Lambda because he can’t let Anna know its value to stop her from creating fake proofs.

Anyway, this is what that will look like:

**G(C, lambda) = (pk , vk).**

Now that the two keys are generated, Anna needs to prove the validity of the statement by generating the proof. She is going to generate the proof using the proving algorithm P. She is going to prove that she knows the secret value “w” which hashes (on parsing through SHA-256) to give the output x. So, the proving algorithm for proof generation looks like this:

** prf = P( pk, x, w).**

Now that she has generated the proof “prf”, she is going to give the value to Carl who is finally going to run the verification algorithm of Zk-Snarks.

This is what that will look like:

**V( vk, x, prf).**

Here, vk is the verifying key and x is the known hash value and prf is the proof that he has gotten from Anna. If this algorithm returns TRUE then this means that Anna was honest and she indeed had the secret value “w”. If it returns FALSE then this means that Anna was lying about knowing what “w” is.

**#3 Mining in Monero vs Zcash**

Finally, let’s look at how mining in Monero and Zcash work.

**Monero Mining**

Monero’s protocol is ASIC-resistance. Monero is based on the CryptoNote system which uses the “CryptoNight” hashing algorithm. Cryptocurrencies which incorporate Cryptonight cannot be mined using ASICs. It was hoped that this would prevent the creation of mining pools and make the currency more evenly distributed.

The properties which make CryptoNight ASIC-Resistant are:

- Cryptonight requires 2 MB of fast memory to work. This means that parallelizing hashes is limited by how much memory can be crammed in a chip while keeping cheap enough to be worth it. 2 MB of memory takes a lot more silicon than the SHA256 circuitry.

- Cryptonight is built to be CPU and GPU friendly because it is designed to take advantage of AES-Ni instruction sets. Basically, some of the work done by Cryptonight is already being done in hardware when running on modern consumer machines.

Monero also has a clever protocol in place to keep their mining profitable.In total, there are 18.4 million XMR tokens and mining is projected to go on until 31st May 2022. After that, the system is designed such that 0.3 XMR/min will be continuously emitted by it. This has been done so that miners would have the incentive to continue mining and won’t have to depend on just transaction fees after all the XMR tokens have been mined out.

**Zcash Mining**

Block mining in Zcash is done via the equihash.

Equihash is a Proof-of-Work algorithm devised by Alex Biryukov and Dmitry Khovratovich. It is based on the Generalized Birthday Problem.

A big reason why equihash is being used is to make mining as ASIC unfriendly as possible. The problem with currencies like Bitcoin is that most of the mining pools monopolize the mining game by investing a lot of money on ASICs to mine as much bitcoin as possible.

Making your mining ASIC unfriendly means that mining will be more democratic and less centralized.

This is what the Zcash blog had to say about Equihash:

“We also think it is unlikely that there will be any major optimizations of Equihash which would give the miners who know the optimization an advantage. This is because the Generalized Birthday Problem has been widely studied by computer scientists and cryptographers, and Equihash is close to the Generalized Birthday Problem. That is: it looks like a successful optimization of Equihash would be likely also an optimization of the Generalized Birthday Problem.”

**What is the birthday problem?**

The birthday problem is one of the most famous paradoxes in probability theory. If you meet any random stranger out on the streets the chances are very low for both of you to have the same birthday. Assuming that all days of the year have the same likelihood of having a birthday, the chances of another person sharing your birthday is 1/365 which is 0.27%.

In other words, it is really low.

However, having said that, if you gather up 20-30 people in one room, the odds of two people sharing the exact same birthday rises up astronomically. In fact, there is a 50-50 chance for two people sharing the same birthday in this scenario!

Why does that happen? It is because of a simple rule in probability which goes as follows. Suppose you have N different possibilities of an event happening, then you need square root of N random items for them to have a 50% chance of a collision.

So applying this theory for birthdays, you have 365 different possibilities of birthdays, so you just need Sqrt(365), which is ~23~, randomly chosen people for 50% chance of two people sharing birthdays.

**Zcash vs ****Monero: ****Conclusion**

Zcash and Monero are both exciting projects in the privacy space. Both of them utilize fascinating cryptography to achieve their goals. To finish off this comparison, let’s do an overview of their differences.