Cryptovest Exclusive: Q&A With Reuben Yap, COO, Zcoin

We met with the COO of Zcoin to talk about the future of privacy coins, ASIC resistance, use cases for zero-knowledge proofs, and several other big-picture subjects.


On the second day of the Blockshow Europe 2018 conference, we had the pleasure of meeting up with Reuben Yap, the COO of Zcoin—a privacy coin that differentiates itself from Monero and Zcash by using an original protocol that provides its own flavor of transaction masking by minting and burning coins in its transactions.

We spoke at length about Zcoin, its future, how privacy coins in general are fairing, legal issues, politics, and the future of ASIC resistance—a battle that’s been raging for some years now, and it seems as if though ASIC manufacturers have the upper hand, for now.

CV: How does Zcoin differentiate itself from other privacy coins like Zcash and Monero?

RY: First of all, we use a completely different cryptography for our privacy scheme. Monero uses ring signatures and Zcash uses something like Zerocash—zk-SNARKS is basically the foundation of their cryptography.

We use something called Zerocoin, which was like a predecessor to Zerocash, but it has certain advantages where you have an auditable supply using fancy cryptography. I guess there are not that many independent privacy implementations out there.

We have many Monero clones, we have Sumo--

CV: Even Wownero

RY: Yeah, and all this other stuff. And we have Monero Classic now and all this other stuff.

With Zcash, you have basically coins like Zclassic, [Bitcoin] Private, Zencash, Komodo; all of them are just taking that privacy implementation from Zcash. For us, we’re quite independent. We basically are the first to implement the Zerocoin protocol, which is often seen as kind of like this older protocol, but we feel it has certain advantages in cryptography—not necessarily [following the idea of], “The newer it is, the better it is.”

Generally, the more tested it is, the better it is. This is something we can talk about later, about how we are moving away from this system to a more advanced privacy system, and to address many of the issues that are plaguing current privacy coins right now, including adoption of the privacy transactions.


CV: One of the concerns that I have is that a lot of exchanges have been removing privacy coins—like Coincheck, most recently, removing Dash, Monero, Zcash. What kind of reassurances do we have that these coins could still be traded, especially Zcoin, in the future?

RY: Yes, we have seen, I guess, in Japan, that there’s been quite a lot of worries about privacy coins and delisting them. But on the other hand, you have Gemini listing Zcash, which is a totally regulated [exchange], yet they could list a privacy coin.

So, that’s quite interesting. I don’t think there’s a clear answer of where we’ll be going, but I do believe that decentralized exchanges is a way to achieve these types of things. Because right now, even Binance are looking at their own decentralized exchange.

As long as you have a centralized exchange, you’re basically a target. But now, we’ve recently got Blocknet DX integration, we’re integrated into the Decred exchange, we’re integrated into Komodo, so they all have these atomic swaps in exchanges. I guess that’s one way of making sure that there are always exchanges for Zcoin or privacy coins in general.

I don’t think anyone has quite solved the issue of fiat conversion to privacy coins, but I guess that in those cases—you know, you can have a regulation—the idea is that you can always go from a fiat exchange to a non-privacy coin and then always use another service to change it into a privacy coin.

I mean that’s one way… It’s a bit convoluted, but I don’t think this is the “end” of privacy coins per se and I do think that the Gemini listing of Zcash is a very positive movement in that regard.

CV: The problem with that convoluted system that you were talking about, though, is that you still have a trail.

RY: Yeah, you have a trail, but it just stops there. I mean, I guess what you’re saying is that, “Oh, you know what? I have a trail buying the Bitcoin.”

I don’t know if there’s a way to totally remove that… Of course, it’s not ideal. You have that trail. A P2P system where--

CV: Local Zcoin?

RY: Local Zcoin, Localbitcoin… Those are also solutions that we’re looking at as well. There’s no one shot that cures it all. It’s a matter of having a decentralized exchange, having P2P exchanges, making sure that we are still listed on the exchanges that are more privacy-friendly. I don’t think it’s clear-cut that all exchanges will be removing privacy coins.

And I do think that a lot of the issues with privacy coins is that coins like Monero have been very… They’re not shy to talk about criminal types of activities and they’re quite proud of it.

Zcash, on the other hand, are much more realistic, talking about privacy as a basic financial right. And the way we see it is that privacy is, “My money is my business.”

We’re not here necessarily to do nefarious activities. And as long as we manage to change that narrative and convince governments that privacy coins are not going to screw them over—after all, cash is more private than any of these systems if you think about it—they shouldn’t be fighting these things… [Otherwise] you’d be forcing these privacy coins into the dark market, when it shouldn’t necessarily be so.


CV: Governments are still… I don’t think this will ease governments’ opinions because I don’t think that governments ever were particularly as concerned with… Well, they might be more concerned with money laundering than with tax evasion. But they still will be concerned ultimately with tax evasion quite a lot.

RY: Tax evasion, I mean… It’s a tricky issue. I really have no idea how the governments are going to react to privacy coins in general because, of course, you can say, “Yeah, I’m going to ban all privacy coins,” but that’s just going to bring them underground in the unregulated sphere.

I don’t think they should be doing it. I guess it’s a similar argument like prostitution. Should we legalize it? Should we not legalize it? If you don’t legalize it, then it just goes underground and you just lose total control of it.

At least if you have the privacy coins at the exchange level, at the very moment when you convert your privacy coins to fiat and what not, [governments] can regulate that. And I think that’s OK.

If you say, “I convert my privacy coins to fiat and I want to get taxed on that,” it’s not about tax evasion. But we are about, I guess, basic financial privacy. That’s what we’re trying to do.

You raised a very good problem. I don’t think that we have an exact solution to that, for sure. We’re more about the technology, and of course, you bring very good issues about whether privacy coins will achieve adoption.

But I don’t think anyone has a silver bullet for that right now.

CV: What’s in Zcoin’s future right now?

RY: Right now, we [just launched] several things that are really important—I would say three things—one of them being MTP, Merkle tree proofs, our new proof-of-work algorithm. The second would be our next-generation privacy protocol, and I guess the third would be user experience.

User experience is something that has been really, really neglected in the privacy coin space and even other cryptocurrencies… They don’t think so much about this. It’s about geeks doing this cool technological stuff and people don’t get it, especially with privacy coins; they are much harder to use than, say, a regular currency.

And if you’ve taken a look at this academic paper “breaking the anonymity of Zcash,” although Zcash’s technology is really good—they are industry leading, they are great scientists and great researchers—what that research shows is that when you don’t have a system where it actually educates the user on how to use it, many people were using Zcash in a way that was de-anonymizing them.

They thought that, “If I just change the address and bring it back, it’s automatically anonymized,” without realizing that if you’re burning 1.75 coins and you’re redeeming 1.75 coins, I have a good estimation that these 1.75 coins were the same ones that you burnt.

And all these usability issues are really affecting and compromising privacy on Zcash. Monero has really taken a good step. Monero actually started out without having privacy on by default, then it moved to privacy on by default, which takes a lot of the user error out.

But at the same time, there’s also studies on how you can use Monero wrongly and there’s been ways that Monero transactions also have been compromised. But in general, I think that Monero has a very complete product.

Having privacy on by default has a lot of benefits. But I do think that they’ve kind of reached the limit of their technology in the sense that in Monero, when you’re using ring signatures, you’re limited by the ring sizes.

You’re going to get anonymity sets in the thousands or millions or stuff like that. It’s going to be 5, 12, 13, maybe, maybe 100 at most.


CV: But wouldn’t that be enough?

RY: Not necessarily. I mean, we’re always talking about “the best.” And I actually spoke to some of the analytics guys and they were saying, “Yes, it’s one in five, but I kind of know that this transaction is being used for illicit activity.”

It’s kind of like by elimination. In one-in-five, you can still do it all by elimination. But with one-in-millions, it’s really hard to do elimination there.

I guess that’s the idea. Also, in those cases where in Monero there is a per-transaction-basis, your anonymity set is limited per transaction while with zero-knowledge proofs, or Zcash or Zerocoin, it’s not on a per-transaction basis. It’s with the entire history of anyone who has done that private transaction.

It’s seen as a huge benefit of zero-knowledge proofs versus something like ring signatures. So, you know, we always thought, “Is it enough?”

Yeah, maybe last time, Bitcoin was anonymous enough, Monero was anonymous enough, but at the end of the day, Monero’s key technology is actually a single point of failure.

We’ve seen cases like Monero clones like ShadowCash, now known as Particl, where they made a mistake. And once that thing was compromised, everything was retrospectively de-anonymized.

And similarly, with quantum computing… When quantum computing comes, then Monero transactions are retrospectively exposed. While with systems like Zerocoin, and with systems such as Zcash, the cryptography may be broken, but it still preserves the anonymity aspect.

So, that’s quite important, if you’re thinking 10 or 20 years from now, when QC computing might be here. And I think that’s really important because, is your history from 7 years ago worthy? Maybe it is! You never know.

I do think that we shouldn’t be just looking at things [from a perspective of], “Oh, yeah, this is good enough. We can just stop there.”

CV: Speaking on quantum computing… Do you really believe that we will see within our lifetimes a mass scale adoption of quantum computing?

RY: I do think we are definitely going to be seeing quantum computing. I mean, we have been seeing… A lot of people get confused with quantum general-purpose computing. Right now, you can see that IBM has been steadily increasing their quantum computing capabilities.

Once you have that, it’s just a matter of time before quantum computing gets mainstream. Maybe we’re like ten years out or something like that. But who knows?

We’re already starting to think about quantum resistance schemes, and we should be looking at schemes like this. But I guess in the next five years, we shouldn’t be too worried.

I mean, Bitcoin isn’t really looking into that so much just yet. It’s not a remote possibility. I do think it’s coming.

CV: So, what made you choose to go with a privacy coin and just that? Why not choose to have a privacy coin with features like Ethereum, where you can actually have applications built on top of it and stuff like that?

RY: Well, that’s actually in our roadmap. We do have some ideas of how we want to implement it, because being built on the Bitcoin core, there are several options open like opcodes and things like that where you can bring Ethereum virtual contracts into a Bitcoin core code.

These are some things that we have to be quite careful about because once you introduce smart contract capabilities, you are in effect increasing your attack surface because there are more things that can go wrong.

There are so many smart contract platforms out there. So, what are we doing that is different?

And if you take a look at Ethereum, they are also developing something called zk-SNARKS on Ethereum, which is basically an application of Zcash technology. And I’m thinking, “Do we really need to go down that path?” to compete with all these things.

But we also develop something called Zerocoin on Ethereum where we have a smart contract that can mix coins and serve as an anonymizing layer on Ethereum. We actually have finished the smart contract for this layer right now. The only thing that’s preventing us from launching it is scalability issues with Ethereum right now where the gas costs are too high.

That’s also a case with zk-SNARKS on Ethereum. But, hopefully, with Casper—with proof-of-stake—and further optimizations into the library, one day, we will see privacy on this smart contract platform.

It is something that is definitely in our roadmap. We want to have, maybe, applications for smart contract platforms where you really need privacy, but a cut-down set of instructions. But one of the things that we really, really want is in the area of voting and polling.

We think that zero-knowledge proofs really fit into those types of things where I can prove that I have voted without showing you which way I have voted. If you think about it, especially from a country like mine—a southeast Asian country—where we might not have the best democracy, and we may be a bit concerned about our data being leaked out…

We’re actually in talks with the lower level with the Thai government to implement this type of system in small-scale elections. It’s not general elections, but we’re saying, “Look, we want to implement something where I can vote and prove that I voted but not show you which way I voted.”

That is, I guess, a prototype and we want to use it as a polling system where I want to really hear the feedback of the civilians, the people, without having fear of repercussions. I would think that these types of systems are not only good as a use case but it goes to the basis of democratic governance where I can express my opinion without being singled out, but yet at the same time the government has a feedback of what their people are thinking.


CV: Do you think that there are any other use cases for this kind of thing besides elections?

RY: You mean, like, zero-knowledge proofs in general?

CV: Yeah, zero-knowledge proofs.

RY: Well, right now, there’s this sort of discussion in which I think that with smart contract platforms, you definitely need some kind of financial privacy. We know about the financial privacy stuff, but there’s also talks about something where I can prove that I have a certain balance existing without showing the individual transactions that make it up.

So, I may want to declare to the tax agency that I have X amount of balance, and prove that it’s there. But I’m not going to show you the individual transactions.

And that’s been actually talked about in electricity, like, you know, those electric blockchains—something like WePower, these types of things—where I can prove that I can prove that I’ve consumed a certain amount of electricity without showing you the individual transactions, which may be a bit sensitive.

These are potential use cases. But I do think that the most obvious ones will be voting and polling right now. That’s my own personal opinion.

CV: Alright, so--

RY: So, we were talking about how much we know about MTP…


RY: The Merkle tree proofs that we were talking about. Right now, we think that as a privacy coin, it is very important for the hashrate to be decentralized.

CV: Hashrate?

RY: I mean, hashing power, not hashrate.

CV: Hashing power, as in mining pools?

RY: Yeah. Mining pools. We don’t want to be in a situation where there are a bunch of mining farms controlling it, also because we are primarily a cryptocurrency and not a smart contract platform.

CV: You are using Equihash?

RY: No, no. That’s Zcash.

CV: Oh yeah, excuse me.

RY: Yes.

CV: But you know that they just recently… That Bitmain just recently built an ASIC for this.

RY: Yes! This is the thing. So, this is something that I’m really excited about because right now, we’re at that point where a lot of people have given up on developing ASIC-resistant algorithms because things like Equihash, Ethash, Cryptonight, all have ASICs developed for them.

MTP is, I would say, the latest weapon against ASICs. I’m not saying that Bitmain is evil people, but we are generally against ASICs for decentralization reasons.

But let’s talk about what the current situation is right now. A lot of people think, “Equihash is broken. There’s no point in developing it.” First of all, Equihash is broken not because Equihash is shit, but because the parameters chosen by Zcash were quite bad.

So, you have the algorithm and you have the parameters. Equihash has certain parameters where you can adjust it up and down and increase the computational complexity.

What happened with Zcash is that they wanted to make it so that smartphones can mine Zcash, which I think is kind of a silly idea, personally. But that was one of their design goals. As a result, they had to reduce the complexity and that’s why we feel that Equihash had an ASIC developed much sooner than anticipated.

CV: What happens if an ASIC is developed for Zcoin? Will you be forking it very quickly?

RY: We would think that the hard forking route is a stop-gap solution because if you are going to keep on hard forking [your coin], you can do that, but first of all, all you are doing is incentivizing people not to even tell that they have an ASIC.

“I’ll develop an ASIC, and I won’t tell you.”

That’s even worse! That’s much, much worse.

MTP has certain features that make it a lot harder to develop an ASIC for it, for the moment. If you take a look at the current batch of ASICs that are coming out, they are very specialized machines. They only do one thing very, very well.

They’re not flexible ASICs where they can tolerate a parameter change.

Now, with MTP, the first thing that we use is a huge amount of memory. We require the miner to allocate 4 GB of memory and it is done at every single block. So, unlike with Ethash—which is allocated once every hundred hours—ours is allocated at every single block.

You need a huge amount of memory to actually [develop an ASIC]. This brings up, first of all, development costs, and it’s also interacting with the memory quite intensely so that most of the time, you will be waiting for the memory as opposed to the computational parts.

CV: Couldn’t someone just make an ASIC that has a lot of memory?

RY: Yes, you can! But the thing is that MTP was actually designed to require ASICs to have a lot of memory. However, when you’re interfacing with the memory, you cannot go any faster than the memory’s latency.

Yes, there’s talks about, “Let’s have SRAM, or eDRAM, or other specialized types of RAM.” But none have actually gone to that size of 4 gigabytes. It’s more like one megabyte or two.

RAM and chips are made with many different processing types. So, so far, even if you amalgamate it to join the memory and the computation portions, you’ll still be waiting for the memory [to do its work].

There will be some benefits to making an ASIC for [MTP], but you’ll be limited. You can already see this with Bitcoin miners. They’re several thousand times more efficient than a computer or GPU. But then we have Scrypt miners, which are maybe 100 times more efficient. Then, you have the Equihash miners, which are maybe five times more efficient. And Ethash is even less than that.

So, I do think that this multiple is coming down a lot more. And we can make it as difficult as possible. I don’t think it’s possible to make it [completely] ASIC-proof, but it’s possible to make it really, really, really expensive to develop an ASIC for it. And the benefits from an ASIC optimization will be so low that GPUs and CPUs can still [be feasible].