TI Rating Report - Zcoin
OVERVIEW
- In July 2019, Zcoin officially launched the Sigma anonymity protocol to replace its previous Zerocoin protocol. As an important part of the next-generation anonymity protocol Lelantus, the Sigma protocol features small proof sizes and requires no trusted setup. The Lelantus protocol is still under development, with its official release expected for the first quarter of 2020. Ongoing work on Lelantus aims to further enhance its anonymity and solve the problem of fixed denomination completely.
- Zcoin, as an anonymous payment token, still falls behind Dash, Monero and other leading projects in market segments with relatively low total market capitalization. It also lacks competitiveness in terms of user volume, trading activity, exposure and media attention, which have yet to show improvement over the short term. However, in view of the leading role that anonymity technology plays throughout the industry and its large-scale application in Thailand's general election, as well as its application among 5 million local merchants, the project shows strong development prospects for the future.
- In terms of development progress, Zcoin has reached most of its initial goals on schedule, including the upgrade of its Lyra2z consensus algorithm to a more ASIC-resistant MTP algorithm and the launch of the next-generation Sigma anonymity protocol.
- In terms of organization and governance, Zcoin maintains a centralized operational body, and has financed its initial rounds of investments and core team independently. At present, its team comprises nearly 30 publicly recognized members across several teams that include R&D, marketing, advisory, and regional ambassadors, as well as several publicly disclosed investors. Public information about the team is fairly comprehensive, including coverage of development progress, team allocation, development plans, the project’s code, and so on. The company has also privately disclosed its financial information to the TokenInsight team for review.
- According to Zcoin's token distribution mechanism, from September 2016 to December 2017, 4% of block rewards were distributed to founders and 12% to seed investors. Since 2017, the rewards for founders and seed investors have halved to 2% and 6% respectively.
- The Zcoin team has a relatively high proportion of technical developers, and its technical personnel, including internal advisors, generally have strong educational backgrounds, rich theoretical research experience, and extensive industry knowledge. More recently, Zcoin’s team of local ambassadors has joined the project to promote its growth into different countries and regions, but this has yet to generate profound impact apart from its developments in APAC. The team is generally well structured and the project seems well positioned for development over the long run.
1. PROJECT ANALYSIS
1.1 Zcoin Project Background
Launched in September 2016 by an R&D team led by Poramin, Zcoin (XZC) primarily aims to achieve on-chain anonymity, and is the first cryptocurrency to implement the Zerocoin and Sigma protocols. Zcoin uses zero-knowledge proofs to prevent any leakage of either party’s address information, thus ensuring complete anonymity for its users.
Zcoin tokens have been traded online on Binance, CoinEx, Huobi Global, BitTrex, Indodax and other prominent trading platforms. In addition to the anonymous payment function, the project is now actively deploying a range of functions including on-chain anonymous voting, anonymous third-party transmission, and other related applications. In 2018, key progress included upgrading the consensus algorithm, increasing the speed of transactions, and upgrading the privacy protocol while continuing development of its long-term plan.
1.2 Technical Features
1.2.1 Zero-knowledge Proof
Zero-knowledge proofs (ZKPs) were first introduced by S. Goldwasser et al. in the 1985 article "The Knowledge Complexity of Interactive Proof Systems". In essence, a zero-knowledge proof is a special type of interactive proof, but is made non-interactive using the Fiat-Shamir transform. In this proof, the prover knows the answer to the question and needs to prove this to the verifier; however, the verifier is not allowed to receive any information about the answer.
For example, consider the following scenario:
A wants to prove to B that A owns the key to a room. (Assume for this example that the room can only be unlocked with this key and that there is no other means of access.) If B is certain that there is an object in the room, A can then open the door of the room with the key and retrieve the object to show to B. This method effectively satisfies the criteria for a zero-knowledge proof; at no point in the proof’s process does B see the actual key, thus avoiding any possibility of its details becoming disclosed.
Applied to cryptocurrency, such capabilities can greatly increase protection for users’ anonymity and privacy. Numerous demonstrations have shown zero-knowledge proofs to be highly useful in cryptography. Encrypted digital tokens and blockchains offer a new potential direction for the application of zero-knowledge proofs. At present, Zcoin and Zcash are the two main cryptocurrencies in the market to use these technologies to achieve anonymity with zero-knowledge proofs. Zcash uses a zero-knowledge proof technology called zk-SNARKs to verify the authenticity of transactions, thus achieving anonymity. Zcoin’s integration of zero-knowledge proofs has undergone a series of developments ranging from the original Zerocoin protocol to the 2019 official release of Sigma, now shifting to the planned deployment of Lelantus in 2020.
The underlying principle of the Zerocoin and Sigma protocol is to first burn or mint cryptocurrencies and then redeem the same number of new tokens in a process called Zerocoin spending. These tokens appear without any transaction history and are akin to new tokens acquired through mining. Applying a zero-knowledge proof can effectively demonstrate that one party has indeed minted cryptocurrency without revealing any specific information about that token, after which a new token of equivalent value can be redeemed.
Figure 1-1 Comparison of the traditional BTC Transaction Process and the Zerocoin Chain Mint and Spend Process
Sources: Zcoin website, TokenInsight
Unlike the coin mixing mechanism deployed by Dash (which mixes its own tokens and other tokens in a pool) or the Cryptonote technology deployed by Monero (with which the number of anonymous users is limited by the number of participants or the size of the ring), the Sigma protocol allows users to remain completely anonymous throughout all transactions with anyone. Meanwhile, they can instantly acquire tokens of a specific denomination, enabling anonymous use on the scale of thousands of people based on the mint and spend model.
1.2.2 Next-generation Anonymity Protocol
Sigma Anonymity Protocol
Zcoin 13.8.1, released in July 2019, formally integrates and activates the Sigma anonymity protocol, replacing its previous Zerocoin protocol. The Sigma protocol combines the high anonymity of the zero-knowledge proof scheme and improves the Zerocoin protocol in three key ways: removing trusted setup; reducing the proof size from 25 kB to 1.5 kB; and improving network security.
In a trusted setup, a set of secret (public) parameters is generated initially based on a master private key. These network parameters are required to create the anonymity technology supporting zero-knowledge proofs, and the master private key is later destroyed to prevent the person who has access rights to the private key from generating an unlimited number of anonymous tokens. Previous zero-knowledge proof protocols that use the burn-and-redeem method relied on a trusted setup. According to more recent research, however, blockchain technology’s original goal is to build systems that do not depend on trust, and the same principle is applicable to anonymous systems. The Sigma protocol replaces RSA accumulators by utilizing cryptographic construction techniques that do not require a trusted setup. The only system parameters needed for the Sigma setup are ECC group specifications and group generators.
On the other hand, the Sigma protocol reduces the proof size from Zerocoin’s 25 kB to a mere 1.5 kB, making it far cheaper to store this information on the blockchain and accommodating far more anonymous transactions in blocks. This effectively solves one of the biggest problems facing the Zerocoin protocol without compromising its security.
Lelantus Anonymity Protocol
Sigma is the precursor to Zcoin’s next-generation anonymity protocol Lelantus, and is also an important part of the Lelantus protocol. (Lelantus is still under development and is expected to be officially released in the first quarter of 2020, until which time Sigma will be temporarily deployed as an alternative protocol.) Sigma features a small proof size and does not require trusted setup, but nevertheless falls short of solving the core problem of fixed denomination that Zerocoin has faced so far.
The fixed denomination problem means that Zcoin must be burnt and redeemed in terms of a fixed denomination. This greatly limits usability, and restricts anonymity to within groups using a common denomination. Meanwhile, it also generates the problem of “small change” – in other words, how to spend fewer Zcoin than the smallest permitted denomination allows. Some projects have proposed allocating the leftover “change” of transactions toward miners' fees and reminting any remaining balance, but this presents drawbacks for performance and adds considerable overhead. Based on Sigma, Lelantus solves this problem by allowing users to burn any amount of Zcoin and then redeem any partial amount while keeping the rest in a burnt state.
For example, with the traditional Zerocoin or Sigma protocol, the most efficient way to privately spend 153 coins would be to employ 100 + 50 + 1 + 1 + 1 Zcoins. This would involve spending Zcoin a minimum of five times, occupying 125 kB of space and requiring a total of 1500 (300 x 5) milliseconds for verification.
With Lelantus, achieving the same anonymous spending of 153 Zcoins simply requires users to apply any of the mint transactions they have previously performed – in any arbitrary amount – and then proceed to make a spend transaction. The minimum number of spends required is now one, and verification takes between 20 and 30 milliseconds with batch verification – 300 to 400 milliseconds for a single proof. As Lelantus proofs occupy only 1.5 kB, the entire transaction occupies a very small quantity of resources compared with the original Zerocoin protocol. Meanwhile, Lelantus allows direct anonymous transfers, which means users don’t have to ‘spend’ to redeem it and can send it directly. This is similar to a z2z transaction in Zcash.
Figure 1-2 Comparison of the Mint-Spend Process in Lelantus and Sigma
Sources: Zcoin website, TokenInsight
In terms of anonymity, with Lelantus there are no longer separate sets of mints for each denomination, as all mints reside in a single set. This eradicates the worry that certain denominations may be more private than others. Lelantus also shifts from checking anonymity to using anonymous transactions by default, while offering the option of not using anonymity in transactions.
Whereas Sigma and Zerocoin protocols take 300 to 500 milliseconds to verify a single proof, Lelantus uses batch verification to verify a set of proofs. Verifying 100 proofs takes around 2967 milliseconds; in other words, the cost of verifying a single proof is only 30 milliseconds. This time can be shortened again by further optimizing parallelization and precomputation.
Figure 1-3 Comparison of Batch Verification Time for Lelantus
Sources: Zcoin website, TokenInsight
Figure 1-4 Comparison of Major Anonymity Technologies
Sources: Zcoin website, TokenInsight
Compared with other advanced anonymity technologies, Lelantus offers a well-rounded combination of advantages. It provides high anonymity, strong performance and small proof size. Meanwhile, its development is based on mature cryptography. Lelantus is still undergoing development, with its official release expected in the first quarter of 2020.
1.2.3 MTP Mining Algorithm
MTP refers to Merkle tree proof. This algorithm was proposed by Alex Biryukov and Dmitry Khovratovich of the University of Luxembourg in their 2016 paper "Egalitarian Computing". In 2018, this paper was funded by Zcoin to support improvement on the theoretical level and further improve the implementation process.
The idea of the MTP algorithm is to help balance the relative competitiveness of people with lots of computing power (i.e., large-scale mining farms) and people with smaller amounts of computing power (i.e., home miners). MTP is designed for intensive memory use, with the key characteristic that it requires a lot of continuous memory use while reaching a very high verification speed. Its ultimate goal is to achieve "equality in computing" and to realize decentralization for a more balanced distribution of computing power that will enable anyone to become a miner.
Usually, cheaters and adversaries can use tools like botnets, FPGAs and ASICs to gain significant power advantages and attack at low costs. The basic idea of MTP is to ensure that the computing power costs of various mining methods remain relatively close to one another, forcing attackers to spend as much as ordinary users to obtain computing power. As a result, they can no longer carry out automated large-scale attacks. At the same time, because the MTP hash algorithm is memory-intensive, Trojan-infected users will quickly notice a significant decline in performance and know to remove malware. This can effectively limit the control that botnets are able to achieve over large amounts of computing power.
MTP supports up to 10 GB of memory usage and maintains quick verification speed, making the network more resistant to DoS attacks from verifiers. It also allows lightweight hardware such as smartphones to perform verification, while the verification speed is expected to exceed that of Equihash.
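A simplified sketch of the structure behind this asymmetry, added here as an example and not taken from the MTP paper's reference code or from Zcoin: the prover must fill a whole memory array and commit to it with a Merkle root, while the verifier checks only a few opened blocks and their Merkle paths. SHA-256 stands in for the memory-hard function, the sizes are tiny, and all names and parameters are assumptions.

```python
import hashlib

def H(*parts):
    return hashlib.sha256(b"".join(parts)).digest()

def ref(prev, i):  # data-dependent index (< i) of block i's second parent
    return int.from_bytes(prev[:4], "big") % i

def fill_memory(seed, n):  # prover only: needs the whole array in memory
    mem = [H(b"blk", seed)]
    for i in range(1, n):
        mem.append(H(b"blk", mem[i - 1], mem[ref(mem[i - 1], i)]))
    return mem

def merkle_levels(mem):  # len(mem) must be a power of two
    levels = [[H(b"leaf", b) for b in mem]]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([H(b"node", cur[k], cur[k + 1]) for k in range(0, len(cur), 2)])
    return levels

def open_block(mem, levels, i):  # (index, block, sibling hashes up to the root)
    return i, mem[i], [lvl[(i >> d) ^ 1] for d, lvl in enumerate(levels[:-1])]

def check_open(root, opening):
    i, block, path = opening
    node = H(b"leaf", block)
    for sib in path:
        node = H(b"node", node, sib) if i % 2 == 0 else H(b"node", sib, node)
        i >>= 1
    return node == root

def prove(seed, n, steps, bits):
    mem = fill_memory(seed, n)
    levels = merkle_levels(mem)
    root, nonce = levels[-1][0], 0
    while True:
        y, opened = H(root, nonce.to_bytes(8, "big")), []
        for _ in range(steps):  # walk over blocks chosen by the running hash
            i = 1 + int.from_bytes(y[:4], "big") % (n - 1)
            opened.append([open_block(mem, levels, k) for k in (i, i - 1, ref(mem[i - 1], i))])
            y = H(y, mem[i])
        if int.from_bytes(y, "big") >> (256 - bits) == 0:  # difficulty target
            return root, nonce, opened
        nonce += 1

def verify(root, nonce, opened, n, steps, bits):  # no memory array needed
    y = H(root, nonce.to_bytes(8, "big"))
    if len(opened) != steps:
        return False
    for blk, prev, par in opened:
        i = 1 + int.from_bytes(y[:4], "big") % (n - 1)
        if not (blk[0] == i and prev[0] == i - 1 and par[0] == ref(prev[1], i)
                and blk[1] == H(b"blk", prev[1], par[1])
                and all(check_open(root, o) for o in (blk, prev, par))):
            return False
        y = H(y, blk[1])
    return int.from_bytes(y, "big") >> (256 - bits) == 0
```

With n = 1024 blocks and 4 steps, the verifier hashes 12 opened blocks and their 10-element paths instead of recomputing the array; the sketch leaves out details of the real scheme such as binding the memory contents to the block header.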
On December 10, 2018, MTP was released on the Zcoin mainnet, and the block time has fallen to just five minutes. Regarding its ASIC resistance and algorithm security, it has been running for 9 months and there is no evidence of FPGAs or ASICs yet. However, there is an argument that it’s not economically viable to develop an ASIC for Zcoin.
1.2.4 Znodes
Znodes were originally designed to be an incentivized node layer used to process and verify Zerocoin transactions that were computationally intensive. With technological improvements, especially with Sigma, Znodes will be repurposed to protect against 51% attacks and provide instant transactions in the future. Zcoin uses an ASIC resistant algorithm MTP with more available rented hash power, and is at higher risk of 51% attacks. Thus, this protection is quite important.
According to the Zcoin team, there will be more extensive applications for Znodes, including making them serve as Exodus nodes for smart asset token support with Sigma privacy features. The development is almost completed.
2. ROADMAP
Figure 2-1 Zcoin Development Roadmap (2018-2020)
Sources: Zcoin website, TokenInsight
3. TOKEN MODEL
3.1 Basic Token Information and Distribution Scheme
Figure 3-1 Overview of Zcoin
Sources: Zcoin website and TokenInsight
Zcoin issued a total of 21,400,000 tokens under the name XZC, with 8,081,743 tokens currently in circulation. 56% of the tokens are allocated for mining, and mining rewards will be halved in September 2020; 30% are allocated for Znodes (master nodes), and will be halved in September 2020 (not confirmed); 6% are for teams and reward packages, and will be terminated at the next halving (not confirmed); 6% are for seed investors, and will be terminated at the next halving (confirmed); the remaining 2% are for founder rewards, and will also be terminated at the next halving (confirmed).
Figure 3-2 Anonymous Token Rankings by Market Capitalization
Sources: coinmarketcap.com, TokenInsight
According to the latest market capitalization rankings from CoinMarketCap, Zcoin ranks 84th among payment tokens in terms of total market capitalization. Zcoin still lags behind Dash, Monero and other leading projects in its market segment, but ranks higher than Grin, Beam and other similar projects. In addition, the latest data indicates the top ten Zcoin addresses account for just 12.6% of the total, meaning its tokens are highly dispersed.
3.2 Token Incentivization
According to Zcoin's token distribution mechanism, from September 2016 to December 2017, 4% of block rewards were distributed to founders and 12% to seed investors. Since 2017, the rewards for founders and seed investors have halved to 2% and 6% respectively.
Figure 3-3 Zcoin Block Rewards Changes
Sources: Zcoin, TokenInsight
3.3 Overall Assessment
Zcoin offers a wealth of potential application scenarios, including anonymous transfers, anonymous information transmission, ordinary payment transfers, on-chain transaction costs, cash withdrawal, and more.
According to the latest data, Zcoin's weakness still lies in its lack of general influence, including user volume and activity, exposure and media attention. Currently, it has around 60,000 Twitter followers, 4,000 Reddit followers and 30,000 Facebook followers. In terms of its GitHub popularity, it has around 2000 total commits, over 400 Stars and around 300 Forks. Its overall popularity is relatively low compared with Monero and Dash, but higher than that of Nano, Grin, Veil and many other anonymous tokens.
It is worth mentioning that in November 2018, Thailand's opposition party successfully held its primary election using a real-time electronic voting system hosted on the Zcoin blockchain. Nearly 130,000 voters participated, making it the world’s largest political election held using blockchain technology to date. The practical application of blockchain technology in this election has helped raise Zcoin’s media exposure and popularity to some degree.
In addition, in August 2019, Zcoin's research team announced that holders now have the ability to spend their coins through the Satang App at any merchant registered with the Thai QR code system PromptPay, with the number of total merchants reaching 5 million. As part of the payment process, the Zcoin is instantly converted through the regulated exchange Satang Pro, allowing merchants to be paid in real time with Thai Baht. The large-scale application of Zcoin in real-life application scenarios has further promoted its acceptance and popularity in countries including Thailand, Laos and Singapore.
4. TEAM AND PARTNERS
4.1 Core Team Members
Figure 4-1 Core Members of the Zcoin Team
Sources: Zcoin website, TokenInsight
Figure 4-2 Team Distribution
Sources: Zcoin website, TokenInsight
Zcoin has officially announced 29 team members, of whom roughly 50% are focused on technical research and development. Most have rich working experience and theoretical research backgrounds. Zcoin’s founder, Poramin Insom, has conducted in-depth research and brings an influential wealth of practical experience in the field of blockchain and cryptocurrencies.
4.2 Investors and Partners
Zcoin's primary investors are Tim Lee and Roger Ver, and the primary partners include Changelly (https://changelly.com/), Midas Protocol (https://midasprotocol.io/), and Cookly (https://www.cookly.me/). Zcoin also has good partnerships with various projects such as Cobo and ChangeNow.
