I was aware of the ZeroCash innovation over ZeroCoin with more details to be forthcoming May 18, but your video added some new details for me now specifically from the following linked time forward to the end:
https://www.youtube.com/watch?v=l7LSSE0bRRo#t=492

Both ZeroCash and ZeroCoin have the following weaknesses:
- They don't make your IP address anonymous, i.e. others can still see that your computer sent a transaction (and Tor and VPNs are honey pots). The government has the law to compel you to reveal your passwords or throw you in jail if you don't.
- They require we trust someone to generate the master key and never use it maliciously. If the master key is compromised, unlimited new coins can be created and we won't know which coins these are (anonymity is not compromised), thus the entire crypto-currency comes crashing down. I think this is too much of a risk to put in a currency. Would you trust your money if you can never prove whether someone is creating more coins? In other words, we will never know what the coin supply is. That for me is a step backwards to fiat central banking. They may claim they will generate the master key at a ceremony where it is destroyed in front of all viewers, but there is no way to know that the computer used isn't somehow backdoored. The NSA even has means of using electromagnetic sensors to eavesdrop on air-gapped computers.
- Their ZK (zero knowledge) system uses bilinear pairings, so this means it is vulnerable to potential secret NSA cryptanalysis and any future quantum computer. I would much prefer we use Lamport signatures on the block chain and helped generalize an improvement for them recently. I haven't yet seen a ZeroCash-type zero knowledge system employing McEliece binary Goppa codes, which are thought to be resistant to quantum computing; even then I would still prefer Lamport because it is very unlikely cryptanalysis can ever break it.
- Even with ZeroCash's improvement to 9ms per transaction verification speed (ZeroCoin was 400 - 500 ms), this can't scale to Visa scale without requiring that mining be highly centralized. Bitcoin already has the horrific weakness that one pool controls more than 50% of the hash power and thus could blacklist coins...
- It is brand new cryptography and often weaknesses are found in new cryptography. It is premature to put this on the block chain wherein if it is later broken, then it is too late to undo it and the currency potentially collapses. New crypto (especially this complex Pinocchio SNARKs stuff which is a higher order polynomial abstraction of Span Programs) requires 5 - 10 years to be fully vetted.
- If ever the crypto is broken, all the historical anonymity is lost because it is sitting on the block chain.
- It appears to be incompatible with a Mini block chain design.
- There is no way to make mixed anonymous transactions indistinguishable from regular unmixed transactions.
- ZeroCash adds 3 minutes to the transaction time (from the time you click checkout) whereas ZeroCoin only added less than 1 second, and this is for all transactions unless you give up the anonymity of the transaction amount for ZeroCash so that you can do some of the transactions outside of ZeroCash (and do anonymity mixing only when you need to), in which case we might as well do it offchain as I explain below.

Anyway, the immediate solution to all this is to use ZeroCoin offchain (not ZeroCash, because ZeroCoin is simpler, much faster to generate transactions, and open source code already exists) and decentralized (no risk of coin loss nor need to trust as with centralized mixers). More details will be forthcoming. The only feature that would be lost is ZeroCash's ability to hide the transaction amounts with Pour transactions, i.e. we'd be stuck with fixed denominations for mixing.
I'd rather see a conservative strategy and give time for something like ZeroCash to mature and solve the weaknesses I enumerated. In the meantime, ZeroCoin could be used offchain decentralized very effectively. So we don't lose much and we don't take the big risks. And we gain some other capabilities.
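The post above prefers hash-based Lamport signatures over pairing-based cryptography. The following is an added illustration of a plain Lamport one-time signature (it is not the poster's code, nor the "generalized improvement" the poster mentions); it assumes SHA-256 as the one-way function and 32-byte secrets, and includes a helper that counts how many private values are exposed after signing, which is what makes the scheme strictly one-time.

```python
import hashlib
import secrets

HASH = hashlib.sha256   # assumed one-way function; any 256-bit hash would do
N = 256                 # digest length in bits: one (x0, x1) secret pair per bit


def lamport_keygen(rng=secrets.token_bytes):
    """Return (private_key, public_key).

    private_key: N pairs (x0, x1) of random 32-byte secrets.
    public_key:  N pairs (H(x0), H(x1)) of their hashes.
    Key sizes are large (16 KiB each), the usual cost of hash-based signatures.
    """
    sk = [(rng(32), rng(32)) for _ in range(N)]
    pk = [(HASH(x0).digest(), HASH(x1).digest()) for x0, x1 in sk]
    return sk, pk


def _message_bits(message: bytes):
    """Hash the message and return its 256 digest bits, most significant first."""
    digest = HASH(message).digest()
    return [(digest[i // 8] >> (7 - (i % 8))) & 1 for i in range(N)]


def lamport_sign(sk, message: bytes):
    """Reveal, for each digest bit b_i, the secret x_{b_i} from pair i."""
    return [sk[i][b] for i, b in enumerate(_message_bits(message))]


def lamport_verify(pk, message: bytes, signature) -> bool:
    """Check that every revealed secret hashes to the public value selected by the bit."""
    if len(signature) != N:
        return False
    ok = True
    for i, b in enumerate(_message_bits(message)):
        # Evaluate every position rather than returning early so that the
        # verifier's running time does not depend on where a mismatch occurs.
        if HASH(signature[i]).digest() != pk[i][b]:
            ok = False
    return ok


def count_revealed(sk, signatures) -> int:
    """Number of distinct private secrets exposed by a list of signatures under sk.

    One signature exposes exactly N of the 2N secrets. A second signature on a
    different message exposes a secret from the other half for every digest bit
    that differs, which is why a Lamport key must never sign twice.
    """
    all_secrets = {x for pair in sk for x in pair}
    exposed = {x for sig in signatures for x in sig}
    return len(exposed & all_secrets)


def demo():
    """Sign, verify, reject a forgery, and measure exposure after key reuse."""
    sk, pk = lamport_keygen()
    msg = b"constructed sample transaction: pay 1 coin to address A"
    sig = lamport_sign(sk, msg)
    valid = lamport_verify(pk, msg, sig)
    forged = lamport_verify(pk, b"constructed forged message", sig)
    reuse_sig = lamport_sign(sk, b"constructed second message signed with same key")
    return {
        "valid": valid,
        "forged_accepted": forged,
        "revealed_after_one": count_revealed(sk, [sig]),
        "revealed_after_two": count_revealed(sk, [sig, reuse_sig]),
    }


if __name__ == "__main__":
    print(demo())
```

`count_revealed` is the part worth running: after one signature exactly 256 of the 512 secrets are public, and after a second signature on any other message the count climbs toward 512, at which point an attacker can sign arbitrary messages. Any real deployment therefore needs a key-management layer (Merkle trees of one-time keys, or the more recent stateless hash-based schemes) so that each key is used once.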