How does Monero privacy compare to Zcash? What are the key security risks associated with each design?

Since important Monero improvements are in active development and Zcash has yet to launch, please compare a working RingCT Monero implementation with Kovri against the Zcash design in its whitepaper and more recently updated protocol specifications.

seek adventure
studycrypto

3 Answers

As described by Monero Research Lab academic Shen Noether with regard to the anonymity set:

Monero (although the zcash proponents note that a ring signature is a "smaller" anonymity set, they usually don't mention that the stealth address factor actually means that each transaction is masked, whereas the ring signatures provide additional plausible deniability, furthermore, since keys appear in different ring signatures in different blocks in time, the anonymity set for when a given key is spent grows infinitely, and could eventually grow larger than the zcash anonymity set at any fixed instant in time) vs Zcash (anonymity set is the entire blockchain)

The above quote demonstrates that while a Monero ring signature may be a "smaller" anonymity set, stealth addresses mask the receiver's identity while the ring signature guarantees plausible deniability. When RingCT is activated in January 2017, the amount of Monero spent in each RingCT transaction will also become protected.

Zcash uses much newer zero-knowledge proof cryptography called zk-SNARKs. Thanks to zk-SNARKs nodes do not need to store signatures or public keys forever on the blockchain. All transaction data is completely private, including metadata which is encrypted:

Instead of publicly demonstrating spend-authority and transaction values, the transaction metadata is encrypted

Ring signatures are much older than zk-SNARKs and have had many years of extensive peer review. With RingCT, which combines Monero ring signatures and Confidential Transactions as developed for Bitcoin by Greg Maxwell, Monero transaction amounts will be hidden, and Kovri (an I2P C++ implementation) will hide IP addresses. MRL has spent a lot of time researching RingCT, and Monero now has funded an experienced full-time I2P developer to work on Kovri.

Perhaps the biggest security risk with Zcash is the possibility of collusion among those participating in the trusted setup. If all parties involved in the "trusted setup" collude (either willingly or under duress), then it would become possible to create an unlimited number of coins without detection. Zcash is so private that even the coin supply cannot be verified if the trusted setup described above fails.

Monero did not require a "trusted setup" and total coin supply is easily verifiable on the blockchain in real time. Therefore any exploit altering the Monero coin supply (other than ordinary coinbase transactions) would immediately be noticed.

More details on trustless vs trusted systems and the risks associated with a trusted setup can be found here. In the case of Zcash, only six people participated in the trusted setup process:

The ceremony used a multi-party computation protocol with the property that the resulting parameters are secure unless all of the participants were dishonest or compromised during the ceremony.

This setup process has received a lot of criticism, and even some critique from one of the best known Zcash advisors, Vitalik Buterin, albeit with a subsequent edit to clarify that he still thinks the risk of compromise is quite low:

I actually recommended a different process for the trusted setup - my preference was to not bother with the airgaps, DVDs, offline laptops, etc and make up for it by having 20-30 participants instead of six and make sure they come from different countries, backgrounds, etc. I got this instinct from my experience managing the ethereum foundation wallet - our original setup was 3-of-4 but had lots of fancy secret sharing, encryption, offline signing and other machinery on each device but at one point it nearly broke, and since then we're using a 4-of-7 hot wallet between online laptops, and I feel much more comfortable with the security of the latter. But these are only my views, not shared by everyone, and others of course have different opinions how the risks and benefits should be balanced.

EDIT: just to be clear, I still personally think that the risks of the current setup having been compromised are quite low.

Peter Todd, one of the trusted setup participants, was much more critical:


opensourceprivacy
Adding this answer to make it simpler for those who cannot understand the top response.

ZCash uses a new cryptography tool called zk-SNARK (don't worry about the name). This is different from the ring signatures that Monero uses. Without getting into too much detail, this is how they both work:

zk-SNARKs use the entire blockchain when making transactions, whereas ring signatures in Monero instead hide it in certain parts of the blockchain chosen randomly (4 parts by default). Ring signatures have been around for much longer and have undergone years of peer review, while zk-SNARKs are new and have little to no review in their current state.

After January 2017, RingCT hid the amounts of each transaction by default, which made Monero much more private. This helped Monero reach feature parity with ZCash, which was the only coin that could hide the amount of a transaction for a few months.

ZCash introduces a new risk where a group of users can collude (work together) to counterfeit an unlimited number of coins without detection. Since you cannot find out how many coins are in circulation at any given time, it would be very difficult or impossible to tell if this had happened. You can still check how many total coins are on the Monero blockchain.

In Monero, all transactions are private by default. For ZCash, transactions are transparent by default and optionally private. This is a problem for ZCash since less than 5% of the total ZCash coin supply is "hidden" at the time of writing. Thus, Monero benefits from all its users using privacy features, whereas for ZCash, an attacker can simply isolate the few users who are using the privacy features. In Bitcoin, transactions appear suspicious if mixing services are used. For ZCash, this is basically the same story. For Monero, few transactions appear suspicious because they all look similar.

In a much more general sense, ZCash may represent what private coins will look like in the future, but it is still trying to figure out how to deal with new vulnerabilities. Monero is not finished either, although everything that is a part of the current code works very well.

Attached are a few slides from a PowerPoint regarding anonymous cryptocurrency coins presented at the University of Minnesota. This was presented shortly before the ZCash launch. Monero now has RingCT implemented and a GUI wallet, and ZCash has obviously launched.

Monero slide

ZCash slide

sgp
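As an added illustration (not code from either answer above, nor Monero's own implementation), the toy Python below models the Confidential Transactions balance check behind the RingCT point in the first answer and the coin-supply point in the second: amounts stay hidden inside Pedersen commitments, yet a verifier can still confirm that no coins were created. The group (integers mod 2^127 - 1) and the two generators are assumptions chosen for illustration only; Monero uses the ed25519 curve and, as the last case shows, also needs range proofs on top of this check.

```python
import hashlib
import secrets

# Toy group: Z_p* with p = 2^127 - 1 (prime). Illustration only, not a secure choice.
P = (1 << 127) - 1
ORDER = P - 1          # exponents are taken mod the group order (Fermat: x^ORDER == 1)
G = 3                  # "amount" generator (plays the role of Monero's H)
# Blinding generator derived by hashing, so nobody knows log_G(H) (nothing-up-my-sleeve).
H = int.from_bytes(hashlib.sha256(b"pedersen-blinding-generator").digest(), "big") % P


def commit(amount, blind):
    """Pedersen commitment C = G^amount * H^blind mod P: hides amount, binds to it."""
    return pow(G, amount % ORDER, P) * pow(H, blind % ORDER, P) % P


def balance_ok(in_commits, out_commits, fee):
    """Verifier's check: prod(C_in) == G^fee * prod(C_out), without learning any amount.
    The fee is the only amount in the clear, exactly as in RingCT."""
    lhs = 1
    for c in in_commits:
        lhs = lhs * c % P
    rhs = pow(G, fee, P)
    for c in out_commits:
        rhs = rhs * c % P
    return lhs == rhs


def build_tx(in_amounts, out_amounts, fee):
    """Sender side: choose output blindings whose sum equals the input blindings' sum,
    so the H terms cancel and only the amounts decide whether the check passes."""
    in_blinds = [secrets.randbelow(ORDER) for _ in in_amounts]
    out_blinds = [secrets.randbelow(ORDER) for _ in out_amounts[:-1]]
    out_blinds.append((sum(in_blinds) - sum(out_blinds)) % ORDER)  # last one closes the sum
    return ([commit(a, b) for a, b in zip(in_amounts, in_blinds)],
            [commit(a, b) for a, b in zip(out_amounts, out_blinds)])


if __name__ == "__main__":
    # Constructed sample transactions (not real chain data).
    ins, outs = build_tx([40, 20], [35, 15], 10)      # 60 in == 50 out + 10 fee
    print("honest tx balances:", balance_ok(ins, outs, 10))
    ins, outs = build_tx([40, 20], [35, 25], 10)      # 70 out of 60 in: inflation
    print("inflating tx balances:", balance_ok(ins, outs, 10))
    # Without a range proof, an output of ORDER-10 behaves like -10 and the check
    # still passes although 60 spendable coins came out of 50; this is why RingCT
    # attaches a range proof to every output commitment.
    ins, outs = build_tx([50], [30, 30, ORDER - 10], 0)
    print("negative-output tx balances:", balance_ok(ins, outs, 0))
```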
Concern has been expressed in the Zcash community that the NSA-sponsored SHA-256 algorithm is being used for their coin. Here is an example:

https://github.com/zcash/zcash/issues/706

A strange choice for a coin that supposedly claims privacy. There is much circulating on the Internet about SHA-256 and other SHA algorithms having open back doors.

Monero uses the CryptoNight Proof of Work algorithm.

errata
Paul