
Aaron Day asks: What is the source of conflict between the Monero and Zcash communities?
First, let me state upfront my personal biases.
To date, I think that the technical trade-offs the Monero team made have worked better to protect the privacy of users than the trade-offs made by the Zcash team.
However, I'm glad that the Zcash project exists, and I wish them great success. I think their hearts are in the right place, and they've corrected a number of the initial downsides of Zcash over time. (IMO, the only major downside to Zcash now is the lack of privacy by default.)
IMO, we need multiple approaches to protecting user privacy, as privacy coins are a new technology and it's impossible to know a priori which technology offers the best trade-offs.
It's only by trying different strategies and observing their outcomes over time that we can learn what works.
In addition, I think that it's important to have multiple tech stacks so that users can switch to other privacy coins if critical flaws are found in a given technology.
That said, both Monero and Zcash are competing for similar markets. Many people aren't very diplomatic when expressing their disagreement, and this has resulted in hostility and distrust on both sides. I hope that this will dissipate over time, and that both projects will work side by side as friendly competitors.
Here are some of the reasons I've preferred Monero to Zcash to date (and the source of some of the hostility that some in the Monero community have expressed toward Zcash):
When Zcash started, its cryptography relied on a trusted setup. If the setup was compromised, someone could theoretically issue an unlimited amount of Zcash without detection. They have since upgraded their software so that this is no longer an issue, but it was a downside early on.
Zcash development is funded by a 20% devfund/devtax. This reward is only available to insiders / friends of the founders. By contrast, anyone can mine Monero. Many believe that the latter coin issuance method is more fair.
If you only use shielded transactions, Zcash's zero-knowledge proofs offer a stronger privacy guarantee than Monero's: a shielded transaction hides sender, receiver and amount, and its anonymity set is the whole shielded pool rather than a handful of decoys. However, this comes at the cost of higher memory and processing requirements for generating the proofs, which made it difficult to use on mobile phones. ECC/Zcash Foundation didn't release an official production mobile wallet that supported shielded transactions until 2024. (Though the third-party Unstoppable mobile wallet was released in 2020.)
Monero's ring signatures give a weaker, decoy-based privacy guarantee (each spent input is hidden among a fixed-size ring of possible outputs rather than the whole chain), but require less memory and processing power. That allowed the Monero team to offer a mobile wallet in 2017. Monero will soon offer Full-Chain Membership Proofs (FCMP), (3) which replace the fixed ring with a membership proof over every output on the chain. At that point, I think the privacy tech of both coins will be comparable.
Zcash is not private by default. This has the advantage of making Zcash more palatable to regulators as most Zcash users don’t switch to shielded transactions, and therefore most Zcash transactions are just as traceable as Bitcoin.
It also makes using Zcash privately more difficult, as users must choose a wallet that supports shielded transactions, and make sure that their transactions are shielded. This increases the risk that users will accidentally expose themselves. Many in the Monero community think the UI cost / increased risk is unacceptable.

Zooko, lead dev / founder of Zcash, made a number of ill-advised remarks that called into question his commitment to protecting the privacy / value of Zcash users' holdings:
The Zcash team has since clarified that they will not backdoor or brick their users' wallets.
Some Zcash developers feared that Monero and other privacy coins would free-ride on their development efforts. As a result, the Zcash team tried to prevent free-riding by licensing their new tech under the non-open-source BOSL license. They have since dropped the BOSL license for the MIT license.
Monero is designed to be "ASIC-resistant", i.e. it is meant to remain profitable to mine on non-specialized hardware (its RandomX proof-of-work targets general-purpose CPUs). Zcash is not designed to be ASIC-resistant. Many in the Monero community believe that ASIC resistance is necessary to avoid mining centralization and the resulting risk of 51% attacks.
And that was when I learned that I write threads, but people use tweets. And they’ve been using that one tweet (not the thread that I wrote, which doesn’t say that) ever since. If there’s anybody left who reads threads:
Matthew Green, a significant contributor to Zcash's cryptography, has also spoken favorably of backdooring cryptocurrencies on behalf of law enforcement:
“Green says that he and his fellow researchers are not interested in facilitating criminal activity with Zerocoin. ‘Zerocoin would give you this incredible privacy guarantee, then we could add on some features which let the police, for instance, to be able to track money laundering. A back door.’ The paper is due to be presented at the IEEE Symposium on Security & Privacy in Oakland, California, in May.”
While I don’t think Zcash is currently backdoored, those comments definitely contributed to the historical suspicion of the Zcash team's motives.
Law enforcement has secretly backdoored a number of nominal privacy protecting tools in the past:
Very few people have the technical chops to evaluate the code/cryptography of Zcash. So they have to rely on signals that they can evaluate.
It's similar to how people judge restaurants. Most restaurant guests aren't allowed into the kitchen, and can't really evaluate the procedures of the cooking staff even if they were allowed.
But guests can tell if the bathroom is dirty or not. If you find a restaurant's bathroom is dirty, does that mean that the kitchen is also dirty? No. But does it set off red flags if the bathroom is poorly maintained? Yes.
Even the suggestion that it was desirable to be able to trace criminal transactions is a "dirty bathroom".
As many people rely on private currencies to conduct currently "criminal" transactions, the Zcash team's comments reduced trust.