One of privacytools.io github collaborators opened an issue to mentioned Monero first before Zcash and Bitcoin. Let's back him up and voice why Monero is more private than Zcash.
@alvinjoelsantosMoreover, there is an issue of what standard of proof should be met. From a legal prospective, generally, in criminal cases, the standard is "beyond a reasonable doubt" and in civil cases, "more likely than not." With 2 to 4 mixin, there is a probability of between 41% to 23%; if this is the only information an adversary is able to deduce, it is not enough proof to establish guilt or liability for a given transaction. Users would have plausible deniability.
You're raising a good point, it is true what you are saying, I doubt any democratic court on this planet can convict someone on the basis of a statistical correlation, something I think we can be very happy about. However the adversary has narrowed down his set of suspects, and there will most likely be more evidence to prove his guilt. A transaction, in itself, is almost never illegal. The adversary can be anyone, they aren't specifically governments either. The juridical process doesn't apply for a lunatic with a shotgun..Even if a particular output can be guessed by an adversary to be the "real" output used in a transaction, this is not enough information to definitively state that "Alice sent x amount to Bob in this particular transaction" given the other features of Monero that hides the transaction amounts and the recipient's public address from the blockchain.
Also true, but the person that sent you the money knows with 100% certainty that that specific output is linked to a stealth address, and in the case of an exchange, they often know the exact identity of the person.
As ebfull has suggested, there are real case scenarios of potential "adversarially controlled mixins" - exchanges for example control a relatively large portion of outputs to pick from as mixins. Let's assume that exchanges control X% of transaction outputs. The average transaction has two mixins, causing the following probabilities to emerge: 1% of tx outs -> complete deanonymization for 0.01% of all transactions. 10% of tx outs -> for 1%. 25% -> 6.25% of all transactions. (I believe this works with any mixin distribution, correct me if I'm wrong)
Zcash gets a lot of "crap" because a lot of services prefer using t-addresses, but it's also a benefit, the centralized exchanges for example aren't creating toxic waste in the anonymity set.For argument sake, let's assume that in situation (1) the recipient is able to guess correctly that an output in a transaction is the real one in a ring signature . For an example, in this transaction, ba5f53cbaefb95709299512c4cfcce2300373538ebaf4e2d3cb217ddcd32a57f is the real output. What information can be gained from this knowledge? Would the recipient be able to determine the sender's public address? Know the sender's wallet balance? Associate outputs and inputs that belong to the sender's wallet? If so, please provide peer reviewed empirical evidence that support the link between deduced outputs and the disclosure of a wallet transactions and balance.
I'm not saying RingCT is horrible or bad, it does it's job in most scenarios quite nicely - I'm saying that Zcash (in terms of privacy) is basically Monero but with a much larger anonymity set per transaction. Giving it the ability to resist against edge case scenarios (such as centralized entities poisoning the anonymity set to pick mixins from) more than RingCT.
@Shifterovich It's often the people who work "in the branch" that have the most expertise in a field. Also note, that I specifically asked them to replace ShadowCash with Monero on reddit. I was a bit at unease with RingCT because I hadn't had a very extensive look at it yet. The underlying ring signature construction (the part that provides anonymity in plain terms) of RingCT isn't that different from their previous iteration version, which was a very positive sign. I have no ties to Zcash other than being on their IRC channel and helping people for free on the Bitcoin StackExchange, (both of which I also do with/for Monero). I've contributed more hours looking into the Monero whitepaper and their code (the code is doing different things than described in the whitepaper by the way) than on Zcash. I am an enthusiast of zero knowledge proofs and I'm 100% convinced that they will shape the future of applied cryptography.