
Privacy Coins Monero (XMR) and ZCash (ZEC) Are At All-Time Lows vs BTC But Does It Make Them Worthless? I Think Not...

By Michael @ CryptoEQ | CryptoEQ | 8 Mar 2021


Monero (XMR) and ZCash (ZEC) are the two premiere privacy coins in the cryptocurrency space. While there are other projects, these two remain the most reputable and technologically cutting-edge. While there are many, MANY key differences between the two token projects (discussed more here and here) arguably the key difference is how they approach privacy with their technology. Below I share a quick overview of each and then really dig into the key technological differences between the two projects. While Bitcoin and Ethereum continue to work on adding privacy features further "up the stack" (not on the base layer), XMR and ZEC will have a place in the crypto-markets and the dark net as privacy-first cryptocurrencies.


Monero Overview

Monero is an open-source cryptocurrency created in April 2014 that focuses on privacy, fungibility, censorship-resistance, and decentralization. It is one of the most popular anonymity-focused cryptocurrencies today. Its privacy-focused approach has led Monero to develop and integrate numerous cutting-edge advances in cryptography, including Ring Confidential Transactions (Ring CTs) and Bulletproofs. Monero is particularly popular with a strong base of users who believe in ASIC resistance and financial privacy.

Monero Strengths

  • Industry-leading privacy enhancing technology like Ring Confidential Transactions (Ring CTs), Stealth addresses, and Bulletproofs
  • Default-privacy and anonymity rather than optional privacy or pseudo-anonymity
  • Staunch and devoted community, along with a decentralized and crowdfunded team that place their commitment to privacy above all else

Monero Weaknesses

  • Dominated by 4-5 mining pools which account for nearly 75% of the hashing power
  • An overwhelming majority of code contributions since 2017 have come from one individual: moneromoo-moo
  • The threat that a larger, more popular blockchain adopts full privacy-preserving technology making its existence (essentially) superfluous
  • Increased regulatory scrutiny due to private transactions and anonymity
  • More difficult user experience and fewer wallet options due to the privacy technology associated with a transaction


Zcash Overview

ZCash (ZEC) is a privacy-oriented cryptocurrency employing one of the most innovative cryptographic primitives available today: zero-knowledge proofs (ZKPs). Specifically, ZCash uses an optimized form of ZKPs known as zk-SNARKs, along with shielded transactions that obfuscate transaction details across its public blockchain network, providing anonymity and fungibility. ZEC is run by the Electric Coin Company, and is one of the most prominent privacy-focused cryptocurrencies available today.

ZCash Strengths

  • Enhanced, optional privacy features not currently native to bitcoin or many other cryptocurrencies
  • Above-average network effects including exchange listings, liquidity, and name brand recognition
  • Strong, reputable team and advisors including Zooko Wilcox, Nathan Wilcox, Gavin Andresen, and Vitalik Buterin.

ZCash Weaknesses

  • High inflation and Founder’s reward are unattractive to many holders and investors
  • The zk-SNARK privacy technology is not unique to ZEC and can be implemented by other cryptocurrencies (like Ethereum)
  • Trusted Setup ceremony is a “security hole”, and arguably antithetical to a trustless money
  • Project is run by a centralized business: Electric Coin Company
  • In October 2018, an inflation vulnerability was revealed after a fix had already been implemented within the Sapling upgrade. Although unlikely that the bug was exploited, there is no way to be 100% certain that counterfeit ZEC was not created prior to the fix.


Monero Technology

Monero is famous for its advanced privacy features, including some of the leading technologies available in cryptography today. Widely believed to be nearly anonymous, Monero employs some cutting-edge cryptographic technology in combination with established models for consensus such as Proof-of-Work, used in Bitcoin and many other coins.

Consensus Model

Monero is a CryptoNote coin; the CryptoNote protocol focuses on providing anonymous, egalitarian cryptocurrencies through applied advances in mathematics, cryptography, and technology. CryptoNote coins use Proof-of-Work consensus models. While most of them use the CryptoNote hashing algorithm, Monero uses an optimized version that makes ASIC and FPGA miners prohibitively costly to use. This altered version of CryptoNote is known as the CryptoNight hashing algorithm.

Proof-of-Work consensus is the same consensus mechanism currently used in both Bitcoin and Ethereum used to ensure all the participants agree on the state of the public ledger (blockchain) and solve for the “double spend” problem. Specialized computers across the globe are all responsible for updating and maintaining the XMR blockchain, thereby creating a distributed consensus system. More specifically, these operations are collectively known as “mining”: a process by which transactions are verified and added to the public blockchain ledger (onto a block). These highly specialized supercomputers (miners) compile the transactions into the blocks and compete to solve computationally-intense puzzles. If they are successful in solving the puzzle, they are rewarded with a certain amount of XMR (currently 2.97 XMR) for their time and costs (electricity costs from running the computers). Upon solving the puzzle, the miner will broadcast their success to the other miners and thus prove that they have done the work (Proof of Work) and can be trusted. The significant costs inherent to solving for a block make it cost-prohibitive for a bad actor to act dishonestly in the system. Trying to harm the blockchain would have an enormous upfront cost in computer power and then, if successful, degrade the integrity of the XMR blockchain, causing the price to plummet, leaving little to no reward for the attacker. PoW is thus so successful because of how it aligns the incentives of the participants.

The CryptoNight hashing algorithm in Monero is specifically tailored to allow for ordinary PC CPUs to participate and to deter specialized mining devices from participation. CryptoNight relies on random access to slow memory and latency dependence. Blocks are also dynamically scalable, meaning each block does not have a predefined block size limit. The potential exploitation of this is mitigated using a proprietary block reward-penalty system.

The Monero Research Labs arm of the community is continually looking into new developments for the platform, so future iterations of Monero's consensus model may be different from the current CryptoNight implementation.

Network Scaling

Similar to Bitcoin and Ethereum, Monero faces scaling issues and is currently developing solutions to these problems. Aside from the aforementioned dynamic block size, Monero's implementation of Bulletproofs allows for significantly reduced transaction sizes, with the Monero website even quoting up to an 80% reduction in transaction size and fees as a result of Bulletproofs.

An obstacle unique to Monero and other privacy-oriented cryptocurrencies is the corresponding increase in transaction size necessitated by the use of anonymity-protecting technologies. Since ring signatures are used for their transactions, the size of each transaction is substantially larger than other cryptocurrencies. This leads to blockchain bloating which will eventually cause problems for users running full clients. Blockchain pruning technologies were attempted with smaller CryptoNote projects, such as the now defunct Boolberry, but substantial progress needs to be made on this front for Monero to scale practically. Instituting Bulletproofs helps with this, but further adoption of technologies to reduce the blockchain and transaction size of private transactions is needed. Without improvements, the chain bloat, computing cost of running a node, and transaction costs will become cost-prohibitive to most looking to use Monero as a currency.

Outside of the storage size of the Monero blockchain, it faces scalability issues similar to other Proof-of-Work cryptocurrencies when it comes to on-chain transaction throughput. Theoretically, Monero can achieve a TPS of approximately 1,000; however, the storage size of the Ring CTs makes this essentially too large for nodes to process, so it is only a theoretical limit and is lower in reality. While the Monero block size is technically dynamic, it is capped so that a block never exceeds twice the median size of the previous 100 blocks. The Monero block time is 1 minute, and you need to wait for 18 confirmations for the transaction amount to be shown in the recipient’s account.
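To make the dynamic block size cap and the reward-penalty rule mentioned above concrete, here is an added toy model (not Monero's own code). It assumes a 100-block window, a hard cap of twice the window median, and the CryptoNote penalty formula penalty = base_reward * ((size / median) - 1)^2 for blocks larger than the median; Monero's minimum median and its newer long-term median are omitted. The last function simulates a miner who mines oversized blocks to bloat the chain and reports how much block reward that costs.

```python
"""Toy model of Monero/CryptoNote dynamic block size rules (constructed example)."""
from statistics import median

WINDOW = 100  # assumption: the median is taken over the last 100 blocks


def size_limit(recent_sizes):
    """Largest block the network accepts: twice the median size of the window."""
    return 2 * int(median(recent_sizes[-WINDOW:]))


def block_reward(base_reward, block_size, recent_sizes):
    """Reward paid for a block of block_size bytes, or None if the block is invalid
    because it exceeds the cap. Blocks up to the median earn the full reward; larger
    blocks forfeit a quadratically growing share of it (CryptoNote penalty formula)."""
    m = int(median(recent_sizes[-WINDOW:]))
    if block_size > 2 * m:
        return None
    if block_size <= m:
        return base_reward
    penalty = base_reward * ((block_size / m) - 1) ** 2
    return base_reward - penalty


def forgone_reward_to_reach(base_reward, recent_sizes, target_median):
    """Simulate a miner that mines every block at the current cap until the window
    median reaches target_median. Returns (blocks_mined, total_reward_forgone):
    bloating the chain is possible, but only slowly and at full loss of reward."""
    sizes = list(recent_sizes)
    blocks, forgone = 0, 0.0
    while int(median(sizes[-WINDOW:])) < target_median:
        cap = size_limit(sizes)
        forgone += base_reward - block_reward(base_reward, cap, sizes)
        sizes.append(cap)
        blocks += 1
    return blocks, forgone


if __name__ == "__main__":
    history = [100_000] * WINDOW  # constructed: 100 blocks of 100 kB each
    print("cap:", size_limit(history))                                  # 200000
    print("reward at median:", block_reward(2.97, 100_000, history))    # 2.97
    print("reward at 1.5x median:", block_reward(2.97, 150_000, history))  # ~2.2275
    print("reward at cap:", block_reward(2.97, 200_000, history))       # 0.0
    print("over cap:", block_reward(2.97, 200_001, history))            # None
    print("cost to double the median:", forgone_reward_to_reach(2.97, history, 200_000))
```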


Privacy Features

The privacy components of Monero are its cardinal feature. From Ring CTs to Bulletproofs, Monero—particularly the Monero Research arm—is at the forefront of cryptographic implementations in publicly obfuscated blockchain networks.

Monero transactions are confidential and untraceable. Transactions use the Ring CT (Ring Confidential Transactions) scheme. Confidential Transactions were put forth by Bitcoin developer Gregory Maxwell as part of the LN side chain privacy feature, and they are one of the primary components that allow for transaction obfuscation in Monero. Ring CTs are a method for obfuscating the value of transactions being sent. Monero does so by implementing a new form of ring signature known as a "Multi-layered Linkable Spontaneous Anonymous Group Signature." Ring signatures hide the signer of a transaction by mixing their signature with a randomly selected group of signatures from previous transactions in the network, creating a muddying effect whereby determining the actual sender and recipient of a transaction is infeasible.

In combination with key images – a cryptographically secure key used to ensure that there is no double-spending – and one-time stealth addresses for transactions, the amounts transacted, the sender, and the recipient are all kept private. Recently, Monero instituted testing for Bulletproofs, an optimized form of the proofs attached to the Pedersen commitments used in Ring CT, where transaction amounts are obfuscated using a short non-interactive zero-knowledge proof. This is a new level of anonymity for the network, as Bulletproofs bring the benefits of implementing zero-knowledge proofs but are much more efficient and do not require a trusted setup. The Stanford Applied Cryptography group initially proposed the concept in an academic publication, which eventually led to its testing and eventual integration with Monero. Kudelski Security recently completed an audit of Monero’s Bulletproof implementation. Full implementation of Bulletproofs in Monero was rolled out in the “Beryllium Bullet” upgrade in October 2018.
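The balance check behind Ring CT, shown as an added toy example that is not Monero's code: amounts are hidden in Pedersen commitments, and a node verifies that inputs equal outputs plus the cleartext fee without ever seeing an amount. It assumes a tiny safe-prime group (P = 1019, generators G and H) purely for illustration, so it is not secure; real Ring CT uses Ed25519 points and folds the blinding difference z into the MLSAG key instead of publishing it. The last case shows why every output also needs a range proof (the job of Bulletproofs): a value that wraps around the group order still satisfies the sum check.

```python
"""Toy Pedersen-commitment balance check in the style of Confidential Transactions /
Monero Ring CT. Constructed demo with a tiny group: NOT secure."""
import secrets

# Assumed toy parameters: safe prime P = 2Q + 1, so G and H generate a subgroup of prime order Q.
P = 1019
Q = 509
G = 4  # generator for the value component (a quadratic residue mod P)
H = 9  # generator for the blinding component; its discrete log base G is assumed unknown


def commit(value: int, blind: int) -> int:
    """Pedersen commitment C = G^value * H^blind (mod P): hides value, binds to it."""
    return pow(G, value % Q, P) * pow(H, blind % Q, P) % P


def build_tx(in_values, out_values, fee):
    """Sender side: commit to each amount with fresh randomness and compute
    z = sum(r_in) - sum(r_out). Returns what the network gets to see."""
    r_in = [secrets.randbelow(Q) for _ in in_values]
    r_out = [secrets.randbelow(Q) for _ in out_values]
    c_in = [commit(v, r) for v, r in zip(in_values, r_in)]
    c_out = [commit(v, r) for v, r in zip(out_values, r_out)]
    z = (sum(r_in) - sum(r_out)) % Q
    return c_in, c_out, fee, z


def balance_verifies(c_in, c_out, fee, z) -> bool:
    """Node side: sees only commitments, the cleartext fee and z. Accepts iff
    prod(C_in) == prod(C_out) * G^fee * H^z, i.e. hidden inputs equal hidden outputs
    plus fee. No amount is revealed in the process."""
    lhs = 1
    for c in c_in:
        lhs = lhs * c % P
    rhs = pow(G, fee % Q, P)
    for c in c_out:
        rhs = rhs * c % P
    return lhs * pow(rhs, -1, P) % P == pow(H, z, P)


if __name__ == "__main__":
    print("honest tx balances:", balance_verifies(*build_tx([30, 12], [40], 2)))    # True
    print("inflated tx balances:", balance_verifies(*build_tx([30, 12], [41], 2)))  # False
    # An output congruent to -1 mod Q passes the sum check, which is exactly why each
    # output also carries a range proof (Bulletproofs) showing it is small and positive.
    print("wrapped value passes without range proof:",
          balance_verifies(*build_tx([30, 12], [Q - 1, 41], 2)))                     # True
```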


ZCash Technology


Consensus Mechanism 

ZCash (ZEC) is built using Bitcoin’s open-source core code, and is derived from the ZeroCash protocol, using a Proof-of-Work (PoW) sybil resistance schema/consensus mechanism with the Equihash mining algorithm to ensure all the participants agree on the state of the public ledger (blockchain) and solve for the “double spend” problem. Specialized computers across the globe are all responsible for updating and maintaining the ZEC blockchain, thereby creating a distributed consensus system. More specifically, these operations are collectively known as “mining”: a process by which transactions are verified and added to the public blockchain ledger (onto a block). These highly specialized supercomputers (miners) compile the transactions into the blocks and compete to solve computationally-intense puzzles. If they are successful in solving the puzzle, they are rewarded with a certain amount of ZEC (currently 12.5 ZEC) for their time and costs (electricity costs from running the computers). Upon solving the puzzle, the miner will broadcast their success to the other miners and thus prove that they have done the work (Proof of Work) and can be trusted. The significant costs inherent to solving for a block make it cost-prohibitive for a bad actor to act dishonestly in the system. Trying to harm the blockchain would have an enormous upfront cost in computer power and then, if successful, degrade the integrity of the ZEC blockchain, causing the price to plummet, leaving little to no reward for the attacker. PoW is thus so successful because of how it aligns the incentives of the participants.

The ZCash team originally designed the protocol to be resistant to ASIC mining concentration, although in a recent November 2018 blog update, the ZCash team softened their stance on ASIC resistance and even touted the added security benefits that ASICs bring. ASICs are specially designed chips that are hard coded to run a single function. During the evolution of the Bitcoin protocol, GPUs and finally ASICs outcompeted the early CPU miners. As these new processors took over the market, it became impossible for the casual miner to compete. Many believe that allowing ASICs into your protocol leads to a concentration of mining power, while some argue that striving for true ASIC resistance is a futile effort entirely.

To combat this, the ZCash protocol uses a memory-intensive proof-of-work algorithm called Equihash. This makes it more expensive to scale into the types of massive pools that exist in Bitcoin. In theory, this protects the independent miner by making him more competitive and reducing the barrier to entry for small mining operations. If successful, this should equate to a broader than normal distribution of mining power and a more egalitarian industry, but this has not materialized in real-world terms, as just three mining pools control over 60% of the hashrate. However, it remains to be seen if the coin will maintain such a posture. In a recent vote, the community agreed not to prioritize ASIC resistance in future development.

Block sizes are 2MB, and blocks arrive roughly every 2.5 minutes. Depending on the ratio of “shielded” transactions to transparent transactions, the ZCash blockchain can currently process between 6 and 25 transactions per second. Currently, 12.5 ZEC are mined per block, but this number halves (similar to Bitcoin) every ~4 years, with the next issuance “halvening” to take place in 2020.

Z-Cash doesn't rely on mixing for its fungibility. Instead, the team has developed a method of validating transactions without revealing the participants. A miner on the Bitcoin blockchain can see if a transaction is legitimate by checking the public ledger. By tallying transactions that involve an address, they can see how much BTC is available to send. On ZCash, however, a miner can verify the amount of ZEC available to trade without knowing the true address of the sender if it is a shielded transaction. Thus, the actual address is never published on the ledger unless the user chooses to use transparent transactions. 

Shielded transactions are just one of four different kinds of transactions that can take place involving ZEC depending on the amount of privacy desired. They span completely public and transparent to complete anonymity and privacy for all parties involved. Currently, the vast majority (86%) of the transactions on the network are transparent in nature as most exchanges do not support shielded transactions.

ZEC mining uses a memory intensive algorithm to prevent ASIC proliferation among miners. But, the downside of this is that users cannot shield transactions on hardware wallets. In order to make a privacy-enabled transaction, you need to be on a computer connected to the Internet. 

Second Layer Solutions 

ZCash has placed a strong emphasis on enhancing privacy and fungibility of the network while also increasing the efficiency of shielded transactions; however, these efficiency improvements – like Sapling –  are on-chain transaction construction enhancements, and layer two scaling solutions for the network are far down the development pipeline.

Sapling enables users to construct shielded transactions with vastly reduced computational resources and time. By separating spending and proving keys, users can viably have transactions audited through a third party without giving access to user funds too. Shielded transaction computation can also be outsourced to cloud computing rather than relegated to a user’s machine, which oftentimes – in the case of a laptop – is not practical when it comes to the use of shielded transactions. Spending keys can also be stored in hardware wallets – such as Trezor and Ledger – but shielded transactions are still precluded from being generated within a cold wallet.

Continual advances in ZKPs should enable ZCash to scale better, as more users seek to use its shielded transaction functionality now that it is less resource intensive. Furthermore, improving the efficiency of zk-SNARKs and other ZKPs is a subject of consistent research and development as the potential upside for the technology is enormous. 

Privacy Tech 

ZCash’s privacy is its main feature and relies on the cryptographic guarantees of zk-SNARKs. Mathematical proofs are used to authenticate the validity of transactions without revealing any details about the transaction itself. Addresses using shielded transactions are hidden on the public blockchain, and users have to construct the zk-SNARK proof for each transaction on their computer.

The complicated math behind zk-SNARKs enables, in short, outside parties like other nodes and miners to verify the veracity and legitimacy of a transaction without knowing any details of the transaction, including the amounts transacted or the identity of the sender/receiver. Senders of shielded transactions using zk-SNARKs need to prove three properties in order for the transaction to be considered valid.

  1. The input and output values sum to the same number for a specific transfer. 
  2. Spender proves that they have the private keys to spend the requisite inputs.
  3. Private spending keys are linked to a cryptographic signature associated with the entire transaction, meaning that the inputs of the transaction cannot be altered without knowing the private spending keys. 


A ‘commitment’ must exist for each transaction too, proving that the transaction was constructed under the guidelines of the protocol for shielded transaction constructions. With no commitment, the transaction is invalid. Nodes on the ZCash network store a consistently updating list of commitments used in the network, as they can only be used once and are unique for each transaction.

zk-SNARKs and shielded transactions provide the highest level of anonymity due to their cryptographic primitives based on complex mathematics. The drawback of shielded transactions is that they are much more cumbersome than standard transactions using public-key cryptography with digital signatures, as is done for all transactions on the Bitcoin blockchain. They take both time and computational resources to construct, which made them largely impractical before the Sapling upgrade. Sapling improved their efficiency, but they are still noticeably more cumbersome than unshielded transactions, and can eventually lead to blockchain bloating.


Technology is far and away the standout advantage of Z-Cash. The team has demonstrated an ability to innovate and act quickly to solve problems. The different transaction types and processes involved with each are explained more thoroughly in an in-depth look on the technology page of the ZCash website.

