Same Tools, Different Trade-offs
Bitcoin, Ethereum, Zcash and Monero side by side: the shared foundation, the Zcash-vs-Monero assumption trade-off, why mandatory privacy matters, and the FCMP++ roadmap.
We started with a claim: every major cryptocurrency is built from the same mathematical skeleton, and Monero is a particular arrangement of those bones aimed at privacy. Now we make that explicit by laying Bitcoin, Ethereum, Zcash and Monero side by side — same toolkit, different choices — and weighing what each gains and gives up. This is the synthesis that turns a pile of equations into a worldview about how private money is engineered.
The Shared Foundation, One More Time
Strip each chain to its math and the overlap is enormous. All four rely on:
- Finite-field arithmetic — every operation happens modulo a large prime.
- The discrete-logarithm problem on an elliptic curve — the one-way trapdoor that makes a public key safe to publish.
- Cryptographic hashing — for chaining blocks, deriving keys, and committing to data.
- Schnorr-family signatures — the commit-challenge-respond proof of key ownership, made non-interactive by Fiat–Shamir.
If you understand those four, you understand the load-bearing math of the entire industry. The rest is configuration.
The Comparison Table
Bitcoin Ethereum Zcash (shielded) Monero
Curve secp256k1 secp256k1 BLS12-381 + JubJub Ed25519
Signature ECDSA ECDSA (in zk-SNARK) CLSAG ring sig
Hash SHA-256 Keccak-256 BLAKE2 / Pedersen Keccak
Sender public public hidden (SNARK) hidden (ring + key image)
Receiver public addr public addr hidden (SNARK) hidden (stealth addr)
Amount public public hidden (SNARK) hidden (Pedersen + BP+)
Privacy pseudonymous pseudonymous optional mandatory
Trusted setup none none historically yes none
Extra assumption ECDLP ECDLP pairings + knowledge ECDLP
Read the columns as design statements. Bitcoin and Ethereum chose auditability. Zcash and Monero chose privacy, but reached it by different mathematical roads.
The Central Trade-off: Assumptions vs. Power
The sharpest contrast is Zcash versus Monero, because they want the same thing — hide sender, receiver and amount — yet bet differently:
- Zcash uses zk-SNARKs: one succinct proof that the whole transaction is valid. Upside — tiny proofs, total flexibility. Downside — it leans on pairing-based cryptography and "knowledge" assumptions, and its early systems needed a trusted setup whose leaked secret would allow undetectable counterfeiting. Privacy is also opt-in, shrinking the real anonymity set.
- Monero composes classical primitives: ring signatures, stealth addresses, Pedersen commitments, Bulletproofs+. Upside — only the plain discrete-log assumption, no trusted setup, and privacy is mandatory so everyone is a decoy for everyone else. Downside — larger transactions and a finite (though growing) anonymity set per ring.
"More powerful proof system" and "fewer things you must trust" pull in opposite directions. There's no free lunch — only an honest choice about which risks you'd rather carry.
Why Monero's Combination Is Distinctive
No single Monero primitive is unique — ring signatures, ECDH addresses and Pedersen commitments all predate it. What's distinctive is the insistence: combine all three, with conservative assumptions, with no trusted setup, and turn them on for every transaction by default. That last decision is as important as any equation. Privacy is a crowd phenomenon; a strong proof used by a handful of people gives weak anonymity, while a modest proof used by everyone gives strong anonymity. Monero optimizes for the crowd. It's a thesis as much as a protocol: get privacy from well-understood math, demand it of everyone, and trust no one's secret ceremony.
Where the Math Is Heading
None of this is frozen. Monero's research roadmap — Seraphis, Jamtis, and Full-Chain Membership Proofs (FCMP++) — aims to replace the fixed-size ring with a proof that your output is one of the entire set of chain outputs, making the anonymity set the whole blockchain instead of a handful of decoys. It does this with curve-tree (Merkle-like) commitments and modern proof systems, while still avoiding trusted setup. The toolkit keeps the same foundation — curves, hashes, commitments, the discrete log — but the arrangement keeps getting sharper. That's the throughline of this course: the math is shared and remarkably stable; the genius is in how you compose it.
What You Should Walk Away With
You can now look at any cryptocurrency and ask the right questions: which curve, which signature, which hash, and — the privacy question — which of sender, receiver and amount does it reveal, and by what math does it hide the rest? You've seen that Monero invents almost no new primitives and instead re-points the universal toolkit from "reveal and audit" to "prove and conceal." If you want the byte-level mechanics of these constructions, continue into Monero Internals: Cryptography & Protocol Deep Dive. You now have the mathematical map of the entire territory.
Comments
Log in or create a free account to comment.
No comments yet — be the first.