It might be interesting to note that there is a fundamental trade-off between privacy and soundness. If you want unconditionally sound money, you need everyone to be able to verify that the money is in fact sound. In other words, you need the public to be able to count up all the money so they can see the quantity is as expected.
Something like Monero or Zcash cannot do this, because the public can't see the amounts of the transactions. You trust that the quantity of money has not inflated because you can trust the cryptography that enforces this. However, if the cryptography is broken, someone might *secretly* inflate the money supply of the broken coin. This is known as "computational soundness".
On the other hand, Bitcoin is unconditionally sound but isn't even computationally private. Mixing services give you "hide in the crowd" privacy, but it's not strong enough to really be called "computationally private". It is possible to do confidential transactions in a way that is unconditionally sound and computationally private, but I'm not sure if anyone is doing that (possibly Oasis and Secret?).
Personally, I would never store my life savings on a chain that merely has computational soundness. Unconditional privacy is nice for transactions though, and I certainly would consider using a coin like Monero for transactional purposes when I need privacy.
But another interesting thing about privacy is that fundamentally it's always a "hide in the crowd" type of privacy at a certain level. Even for something like Zcash, you at the very least know that if someone is using Zcash, they might be related to any Zcash transaction. The larger the group of Zcash users, the bigger the crowd to hide in. I don't know how big of a crowd is sufficient to eliminate any realistic attempt to correlate you, but it seems plausible that Zcash and Monero have reached those numbers.
Bitcoin will almost certainly never be unconditionally private (because of the strong cultural importance given to unconditional soundness), but it is very likely to achieve default privacy of some kind. Specifically the kind of privacy that reduces transaction costs. Batching transactions can allow you to create a smaller (in megabytes) and therefore cheaper transaction than they would be separately. Having a system of transaction mixing where people collaborate to build a larger transaction can give people a similar level of privacy to mixing services. And since doing so would be cheaper than a normal transaction, it's very likely that everyone will want to do it that way whenever possible. To me, this makes it inevitable, unless a cheaper form of transaction is invented that doesn't allow the privacy aspect.
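The soundness distinction drawn in the comment above, as an added toy example that is not part of the original thread: a transparent ledger is audited by plain addition, while a confidential ledger hides amounts in Pedersen commitments and is audited by checking that commitments balance, which only proves conservation of value while the discrete-log assumption holds. The group parameters, the trapdoor `TRAPDOOR` (standing in for "the cryptography is broken") and all amounts are constructed for the demo; `pow(x, -1, Q)` needs Python 3.8+.

```python
"""Toy contrast of unconditional vs. computational ledger soundness.

Constructed example: a transparent ledger is audited by plain addition; a
confidential ledger hides amounts in Pedersen commitments and is audited by
checking that commitments balance, which only proves conservation of value
while the discrete-log assumption in the group holds.
"""

# Constructed toy parameters: P = 2*Q + 1 is a safe prime; we work in the
# order-Q subgroup of squares mod P. Real deployments use ~256-bit curves.
P = 2039
Q = 1019
G = 4  # a square mod P other than 1, hence of prime order Q

# Assumption for the demo: the party who set up the scheme kept a = log_G(H).
# Sound deployments derive H so that nobody knows this value; keeping it here
# stands in for "the cryptography is broken" (a discrete-log break).
TRAPDOOR = 777
H = pow(G, TRAPDOOR, P)


def transparent_balance_ok(input_amounts, output_amounts):
    """Bitcoin-style audit: anyone can add up the public amounts."""
    return sum(input_amounts) == sum(output_amounts)


def commit(value, blinding):
    """Pedersen commitment C = G^value * H^blinding (mod P)."""
    return (pow(G, value % Q, P) * pow(H, blinding % Q, P)) % P


def opens_to(commitment, value, blinding):
    """Does the claimed (value, blinding) pair open this commitment?"""
    return commit(value, blinding) == commitment


def confidential_balance_ok(input_commits, output_commits):
    """Confidential-transaction audit: commitments must balance.

    Commitments are additively homomorphic, so equal products mean the
    committed amounts (and blindings) sum to the same totals, without
    revealing them. Fees and range proofs are omitted to keep the toy small.
    """
    prod_in = 1
    for c in input_commits:
        prod_in = (prod_in * c) % P
    prod_out = 1
    for c in output_commits:
        prod_out = (prod_out * c) % P
    return prod_in == prod_out


def forge_inflated_outputs(in_value, in_blinding, out_values, trapdoor):
    """With a = log_G(H) known, choose blindings so outputs of ANY total balance.

    We need G^sum(out) * H^sum(r) == G^in_value * H^in_blinding, i.e.
    sum(out) + a*sum(r) == in_value + a*in_blinding (mod Q), so
    sum(r) == in_blinding - (sum(out) - in_value) * a^-1 (mod Q).
    """
    inv_a = pow(trapdoor, -1, Q)
    target_sum = (in_blinding - (sum(out_values) - in_value) * inv_a) % Q
    blindings = [3 * (i + 1) for i in range(len(out_values) - 1)]
    blindings.append((target_sum - sum(blindings)) % Q)
    return blindings


def run_demo():
    """Honest confidential transfer, then a trapdoor-forged inflating one."""
    honest_in = [commit(7, 11), commit(3, 29)]   # 10 units in, blindings sum to 40
    honest_out = [commit(6, 15), commit(4, 25)]  # 10 units out, blindings sum to 40
    # Attacker spends one 10-unit coin and writes outputs worth 10 + 500.
    forged_blinds = forge_inflated_outputs(10, 40, [10, 500], TRAPDOOR)
    forged_in = [commit(10, 40)]
    forged_out = [commit(10, forged_blinds[0]), commit(500, forged_blinds[1])]
    return {
        "honest_balance_ok": confidential_balance_ok(honest_in, honest_out),
        # Passes the on-chain audit although 500 units were created from nothing.
        "forged_balance_ok": confidential_balance_ok(forged_in, forged_out),
        "forged_outputs_open": all(
            opens_to(c, v, r)
            for c, v, r in zip(forged_out, [10, 500], forged_blinds)
        ),
        # The same inflation is caught instantly when amounts are public.
        "transparent_catches_it": not transparent_balance_ok([10], [10, 500]),
        "total_out": 510,
    }


if __name__ == "__main__":
    print(run_demo())
```

The confidential audit is exactly as strong as the assumption that nobody knows log_G(H); the transparent audit has no such dependency, which is what the thread calls the difference between computational and unconditional soundness.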
The technology you're describing is called CashFusion, and it's been widely deployed since 2019. CashFusion transactions include inputs and outputs from up to hundreds of participants.
In fact by 2022, more than 94 percent of all Bitcoin Cash transactions descended from a CashFusion transaction (See the Rucknium study) – there's also a great visualizer here: https://fusionstats.redteam.cash
Note that Bitcoin Cash (split from Bitcoin in 2017) is also "unconditionally sound" as you describe, but recent upgrades to its smart contract language also enable Bitcoin Cash wallets to implement the same privacy technologies as Monero (including Full-Chain Membership Proofs), Zcash (Halo2 proofs), etc. using custom transaction types. These have been technically possible on Bitcoin Cash since 2023, but they continue to become more practical in terms of transaction sizes/fees (the May 2025 upgrade is another big jump).
So privacy and soundness are demonstrably not a tradeoff: Bitcoin Cash has both.
Can confirm. My sats are fusing more or less all day every day. Negligible cost. Fully non-custodial. Sound money for the win.
Very cool that Bcash people have implemented CashFusion. Would love to see that for Bitcoin.
You cannot have both unconditional privacy and unconditional soundness. It is fundamentally and logically impossible. If you can't know the value of each transaction, you can't verify soundness. If you can know the value of each transaction, then it's not fully private. If you can't determine where the coins are (e.g. in what address) then you can't know if someone creates secret monetary inflation (if they break the cryptography that prevents that). Bitcoin Cash hasn't surmounted this fundamental fact of the universe.
Yes, we can "unconditionally" know the sum of all BCH locked in a particular ZKP covenant by looking at its cleartext balance, and at the same time, the individual ZKP transactions leak no balance or public key information.
"Unconditional" monetary soundness for Bitcoin Cash, "unconditional" privacy across the user's chosen privacy system.
Even if a particular wallet/covenant implementation is broken and an attacker steals money, other BCH users aren't impacted: BCH's monetary soundness remains guaranteed. Contrast this with the equivalent impact on a "privacy coin" if its consensus implementation were broken: all units of the privacy coin are probably immediately and irredeemably worthless.
(Obviously we could extend this to a semantic dispute: if particular BCH wallets/covenants can have vulnerabilities, does that violate "unconditional soundness" for BCH as a whole? BTC wallets can have vulnerabilities too, but that doesn't seem to disqualify BTC from your "unconditional soundness" category.)
Related: I also don't think that optional transparency – e.g. each user's ability to withdraw BCH from ZKP covenants and transparently spend it – makes the privacy any more "conditional": remember that outside substitutes always exist. If transparency isn't possible without switching currencies, some users are simply lost to other currencies. E.g. today it is common to swap Monero for BCH or other currencies to make transactions with merchants that don't or can't accept privacy coins.
Omission of support for transparent transactions simply hurts the network effect of a currency, and in the long term, it likely hurts privacy too: those transparent users have been lost to alternatives rather than retained as transparent holders and potential future members of the anonymity set.
So: BCH is an empirical example of a currency with "unconditional" soundness that also supports "unconditional" privacy. (Again, barring semantic disputes like "unconditional soundness is impossible because implementation vulnerabilities can always exist" or "unconditional privacy is impossible because non-private currencies also exist in the marketplace".)
> ZKP covenant by looking at its cleartext balance, and at the same time, the individual ZKP transactions leak no balance or public key information.
I don't know how this works in bcash, but it sounds like you have a covenant that encapsulates some amount of coin, then transactions can be done privately within the covenant. Is that right?
If that's the case, all you're doing is drawing a boundary around some coins and saying that while they stay within that boundary, they're private. The existence of a boundary means the anonymity set is far smaller than all bcash users/transactions. But within that boundary, you cannot say there is unconditional soundness. Someone who has broken the ZK cryptography can secretly inflate the amount of coin within that covenant, and perhaps the last people to leave the covenant will find out the hard way.
> if particular BCH wallets/covenants can have vulnerabilities, does that violate "unconditional soundness"
Mistakes and bugs are always possible. But at least you can know if it's possible that the system has unconditional soundness or not.
> I also don't think that optional transparency ... makes the privacy any more "conditional"
The kind of conditional that's meant with "unconditional privacy" and "unconditional soundness" is a guarantee that for a particular system soundness can never be broken by any means, even if the cryptography is broken, or that privacy will never be leaked any time in the future, even if (or more likely, when) the cryptography is broken. It's the difference between being able to say it's private for now vs it will be private forever. Optional transparency in the way you're talking about doesn't compromise unconditional soundness for the whole system, but choosing to be non-transparent (i.e. private) does mean you lose some degree of unconditional soundness, in this case within the boundaries of the ZK covenant. You can support both modes, but each mode does have separate trade-offs.
Like calling Bitcoin Cash "bcash", I recognize that this soundness vs. privacy false dilemma is a popular dogma among BTC holders – it's designed to excuse BTC's worsening privacy.
I'm not interested in arguing about the definition or usefulness of phrases like "unconditional soundness", but I'll note that BTC only meets your proposed definition if we generously assume that its elliptic curve cryptography will never be broken (either by cryptanalytic breakthroughs or quantum computers). It's odd to be so generous to the existing EC crypto while simultaneously considering any other (optional, user-deployed, rapidly-upgradable) ZK crypto to represent an entirely different "soundness" concern. E.g. STARKs are considered quantum-resistant, but all BTC locking scripts are currently quantum vulnerable. If anything, ZK covenants increase the overall "soundness" of BCH compared to BTC – in addition to the improved privacy. (Not to mention BTC's impending "fee market" soundness concerns, i.e., tail inflation past 21 million BTC.)
Regardless of semantics, the original point remains: Bitcoin Cash is a real-world example of sound digital money – as sound or more sound than BTC – that also has strong (and improving) privacy.
> BTC only meets your proposed definition if we generously assume that its elliptic curve cryptography will never be broken
What you are describing is computational soundness. Bitcoin will remain sound (i.e. no one will be able to create coins except by the intended schedule) even if all of its cryptography breaks. That's what unconditional means.
It's an honor to be mentioned, even if my comment had to be called bullshit by Zooko to get it 🙂. Since my comments were about Monero, and privacy coins generally, not ZCash specifically, I took some time to square my knowledge of AML laws with my lack of knowledge of ZCash. It's odd to me that the distinction between private and public addresses within ZCash was never mentioned.
From coinbase:
(https://www.coinbase.com/price/zcash)
> Zcash is a cryptocurrency that offers two types of addresses: transparent addresses that are publicly visible on the Zcash blockchain and shielded addresses that are more private. Coinbase customers can receive Zcash from both transparent and shielded addresses and send Zcash to transparent addresses. Sending to shielded addresses is not supported at this time.
This means to me that at the end of experiment #2, you've taken self custody, but everything is still as transparent and public as Bitcoin. The fact this detail was left out seems disingenuous to me.
Regardless it seems you could then make those transparent funds private by moving them to a shielded address, fair enough. Impressive actually, I didn't know you could do that. But at this point the layers of indirection are exactly the point I was originally trying to make. Usage of private money is theoretically possible, but not convenient or practical for the average Joe.
So how does this fit with AML laws?
The centralized exchange (Coinbase in this case), which knows you intimately, also knows your new (transparent) ZCash address. And as a compliant Money Services Business (MSB), it has to follow 31 USC 5311. To pull a quote:
> (2) prevent the laundering of money and the financing of terrorism through the establishment by financial institutions of reasonably designed risk-based programs to combat money laundering and the financing of terrorism;
The term "risk-based programs" is key. MSBs are expected to monitor their customers for anything and everything that could signal "higher risk". You must have an appointed officer and processes in place to monitor your customers and look for and secretly report red flags. This report is called a SAR (Suspicious Activity Report). Any cash transaction over $10k MUST have a SAR filed, as an example. A SAR's content or even its existence cannot be revealed, not by the government, or the MSB, or even in court discovery. (https://www.federalregister.gov/documents/2010/12/03/2010-29880/confidentiality-of-suspicious-activity-reports) This is to encourage and embolden MSBs (all financial institutions, but I'm focusing on MSBs) to report early and often.
As soon as you move those funds to a shielded address, Coinbase will almost certainly identify that as a risky behavior and file a SAR with anything else they find odd about your account. (Any suspicious IP locations? Unusual sums for your employment? Did you appear in the news for something bad or suspicious? In AML world this is called "adverse media" or "negative news".) You are also expected to warn and collaborate and share data with other financial institutions to investigate and build a more complete profile of your suspicious customer for your SAR. From there various agencies and investigators decide whether further investigation is merited.
Why can Coinbase accept funds from shielded addresses and not send them? I'm speculating here but I'd guess that (1) Financing of terrorism relies on disguising the outgoing funds, less so their source. And the other goal (2) money laundering has other patterns to look for, such as volume and frequency and where the funds are subsequently moved. Investigators would much rather that money be on Coinbase tied to a known person they can investigate, than remain in a shielded anonymous wallet. That said, Coinbase gets as close to the edge of compliance as possible. And they've already paid 9 figures in AML compliance fines.
Why doesn't Coinbase support Monero, or the privacy-protecting elements of ZCash? It's not *de jure* illegal, but it is *de facto* illegal for them to do so, because a regulator expects an MSB to only take on new business with risks that it can manage successfully. How can an MSB justify to a regulator that it has the risk of money laundering and terrorist financing under control while also offering a product specifically designed to evade that due diligence? It can't, so they don't.
Is this government overreach? Maybe. Probably. I'm sympathetic to the kind of anarcho-individualist ideal where everyone takes sovereignty over their money and no business is involved. But the real world involves businesses facilitating transactions for any number of reasons besides just convenience. Those businesses, with current laws, are absolutely incompatible with a privacy currency.
I hope I'm wrong, because I'd love to exchange fiat for crypto, facilitate transactions and do all the things my customers need me to do while also respecting their maximum privacy.
None of this is intended as an attack on you @Zooko or ZCash. I believe we're on the same team at the end of the day.
On stablecoins, I've done quite a bit of work in this area. First just the numbers, in November last year 28m users sent 600m in transactions just in that month. Most of these are on Tron with USDT. It's causing dollarization in places like South Korea where SEA traders prefer stablecoin payments with their import/export partners since blockchain transactions are irreversible and speedier than bank payments. More info generally on stablecoin payments from a VC perspective: https://a16zcrypto.com/posts/article/how-stablecoins-will-eat-payments/
I can say a lot more in this area but one thing to add - accounting balance sheet chains drive the need for a single unit of account. Put simply, for a business they prefer to have assets and liabilities denominated in the same unit of account to reduce forex risk. This causes units of account to propagate across balance sheet networks.
Bitcoin is designed as a fully transparent system to enhance its auditability and therefore its security. In contrast, privacy-focused cryptocurrencies like Monero (and ZCash probably) prioritize anonymity, but this can introduce structural security trade-offs. While Bitcoin’s base layer is transparent, anonymity can be achieved through second-layer solutions, such as certain Lightning Network applications. However, these solutions often come at the cost of reduced security compared to the base layer.
This is the key issue with alternatives to Bitcoin: they always involve trade-offs. Moreover, any genuine innovations developed in other cryptocurrencies can be integrated into Bitcoin, which—surprisingly to some—receives regular updates to improve its functionality.
My information may be out of date, but I recall the problem with ZCash being that the algorithm is extremely computationally intensive even for the end user. In particular you can't run it with all the privacy features on a smartphone.
Money needs to be stable and reliable. Relative to fiat, crypto is unstable and unreliable (if someone hacks your bank account, the chances of recovering the money are much higher than if someone steals your crypto). And as the Bybit hack demonstrated, even the best crypto security measures (multisig) are not good enough.
Things might change in the future, but presently crypto is just a speculative asset. It's neither a medium of exchange nor a store of value.
You can say, but what about USDT? Well, it's basically USD securitized to be on chain. Not really a blockchain-based token, because emission and issuance are ultimately dependent on USD.
That is only if you do "usual" stuff with your money and exercise sufficient care with your choice of parents and place of birth. However, as soon as semi-automated compliance procedures start picking on you for one reason or another, banks become unstable and unreliable to the point of unusability: your transactions (both outgoing and incoming) regularly get flagged and frozen, requiring a lot of time and effort to unfreeze or at least revert; your entire accounts get blocked or closed once in a while, and then you need to go through all the hassle of finding another bank that is willing to do business with you, only to be refused several times until you find one that does. Welcome to my world!
Most of my liquid savings are in crypto and most of my spending and income is also in crypto. Because as far as I am concerned, the legacy financial system is borderline unusable, very inconvenient and much less stable or reliable than crypto.
It might be interesting to note that there is a fundamental trade off between privacy and soundness. If you want unconditional sound money, you need everyone to be able to verify that the money is in fact sound. In other words, you need the public to be able to count up all the money so they can see the quantity is as expected.
Something like monero or zcash cannot do this, because the public can't see the amounts of the transactions. You trust that the quantity of money has not inflated because you can trust the cryptography that enforces this. However, if the cryptography is broken, someone might *secretly* inflate the money supply of the broken coin. This is known as "computational soundness".
On the other hand, bitcoin is unconditionally sound but isn't even computationally private. Mixing services give you "hide in the crowd" privacy, but its not strong enough to really be called "computationally private". It is possible to do confidential transactions in a way that is unconditionally sound and computationally private, but I'm not sure if anyone is doing that (possibly Oasis and Secret?).
Personally, I would never store my life savings on a chain that merely has computational soundness. Unconditional privacy is nice for transactions tho, and I certainly would consider using a coin like Monero for transactional purposes when I need privacy.
But another interesting thing about privacy is that fundamentally it's always a "hide in the crowd" type of privacy at a certain level. Even for something like Zcash, you at very least know that if someone is using zcash, they might be related to any zcash transaction. The larger the group of zcash users, the bigger the crowd to hide in. I don't know how big of a crowd is sufficient to eliminate any realistic attempt to correlate you, but it seems plausible that Zcash and Monero have reached those numbers.
Bitcoin will almost certainly will never be unconditionally private (because of the strong cultural importance given to unconditional soundness), but it is very likely to achieve default privacy of some kind. Specifically the kind of privacy that reduces transaction costs. Batching transactions can allow you to create a smaller (in megabyes) and therefore cheaper transaction than they would be separately. Having a system of transaction mixing where people collaborate to build a larger transaction can give people a similar level of privacy to mixing services. And since doing so would be cheaper than a normal transaction, its very likely that everyone will want to do it that way whenever possible. To me, this makes it inevitable, unless a cheaper form of transaction is invented that doesn't allow the privacy aspect.
The technology you're describing is called CashFusion, and it's been widely deployed since 2019. CashFusion transactions include inputs and outputs from up to hundreds of participants.
In fact by 2022, more than 94 percent of all Bitcoin Cash transactions descended from a CashFusion transaction (See the Rucknium study) – there's also a great visualizer here: https://fusionstats.redteam.cash
Note that Bitcoin Cash (split from Bitcoin in 2017) is also "unconditionally sound" as you describe, but recent upgrades to its smart contract language also enable Bitcoin Cash wallets to implement the same privacy technologies as Monero (including Full-Chain Membership Proofs), Zcash (Halo2 proofs), etc. using custom transaction types. These have been technically possible on Bitcoin Cash since 2023, but they continue to become more practical in terms of transaction sizes/fees (the May 2025 upgrade is another big jump).
So privacy and soundness are demonstrably not a tradeoff: Bitcoin Cash has both.
Can confirm. My sats are fusing more or less all day every day. Negligible cost. Fully non-custodial. Sound money for the win.
Very cool that Bcash people have implemented CashFusion. Would love to see that for Bitcoin.
You cannot have both unconditional privacy and unconditional soundness. It is fundamentally and logically impossible. If you can't know the value of each transaction, you can't verify soundness. If you can know the value of each transaction, then its not fully private. If you can't determine where the coins are (eg in what address) then you can't know if someone creates secret monetary inflation (if they break the cryptography that prevents that). Bitcoin Cash hasn't surmounted this fundamental fact of the universe.
Yes, we can "unconditionally" know the sum of all BCH locked in a particular ZKP covenant by looking at its cleartext balance, and at the same time, the individual ZKP transactions leak no balance or public key information.
"Unconditional" monetary soundness for Bitcoin Cash, "unconditional" privacy across the user's chosen privacy system.
Even if a particular wallet/covenant implementation is broken and an attacker steals money, other BCH users aren't impacted: BCH's monetary soundness remains guaranteed. Contrast this with the equivalent impact on a "privacy coin" if its consensus implementation were broken: all units of the privacy coin are probably immediately and irredeemably worthless.
(Obviously we could extend this to a semantic dispute: if particular BCH wallets/covenants can have vulnerabilities, does that violate "unconditional soundness" for BCH as a whole? BTC wallets can have vulnerabilities too, but that doesn't seem to disqualify BTC from your "unconditional soundness" category.)
Related: I also don't think that optional transparency – e.g. each user's ability to withdraw BCH from ZKP covenants and transparently spend it – makes the privacy any more "conditional": remember that outside substitutes always exist. If transparency isn't possible without switching currencies, some users are simply lost to other currencies. E.g. today it is common to swap Monero for BCH or other currencies to make transactions with merchants that don't or can't accept privacy coins.
Omission of support for transparent transactions simply hurts the network effect of a currency, and in the long term, it likely hurts privacy too: those transparent users have been lost to alternatives rather than retained as transparent holders and potential future members of the anonymity set.
So: BCH is an empirical example of a currency with "unconditional" soundness that also supports "unconditional" privacy. (Again, baring semantic disputes like "unconditional soundness is impossible because implementation vulnerabilities can always exist" or "unconditional privacy is impossible because non-private currencies also exist in the marketplace".)
> ZKP covenant by looking at its cleartext balance, and at the same time, the individual ZKP transactions leak no balance or public key information.
I don't know how this works in bcash, but it sounds like you have a covenant that encapsulates some amount of coin, then transactions can be done privately within the covenant. Is that right?
If that's the case, all you're doing is drawing a boundary around some coins and saying that while they stay within that boundary, they're private. The existence of a boundary means the anonymity set is far smaller than all bcash users/transactions. But within that boundary, you cannot say there is unconditional soundness. Someone who has broken the ZK cryptography can secretly inflate the amount of coin within that covenant, and perhaps the last people to leave the covenant will find out the hard way.
> if particular BCH wallets/covenants can have vulnerabilities, does that violate "unconditional soundness"
Mistakes and bugs are always possible. But at least you can know if its possible that the system has unconditional soundness or not.
> I also don't think that optional transparency .. makes the privacy any more "conditional"
The kind of conditional that's meant with "unconditional privacy" and "unconditional soundness" is a guarantee that for a particular system soundness can never be broken by any means, even if the cryptography is broken, or that privacy will never be leaked any time in the future, even if (or more likely, when) the cryptography is broken. Its the difference between being able to say its private for now vs it will be private forever. Optional transparency in the way you're talking about doesn't compromise unconditional soundness for the whole system, but choosing to be non-transparent (ie private) does mean you lose some degree of unconditional soundness, in this case within the boundaries of the ZK covenant. You can support both modes, but each mode does have separate trade offs.
Like calling Bitcoin Cash "bcash", I recognize that this soundness vs. privacy false dilemma is a popular dogma among BTC holders – it's designed to excuse BTC's worsening privacy.
I'm not interested in arguing about the definition or usefulness of phrases like "unconditional soundness", but I'll note that BTC only meets your proposed definition if we generously assume that its elliptic curve cryptography will never be broken (either by cryptanalytic breakthroughs or quantum computers). It's odd to be so generous to the existing EC crypto while simultaneously considering any other (optional, user-deployed, rapidly-upgradable) ZK crypto to represent an entirely different "soundness" concern. E.g. STARKs are considered quantum-resistant, but all BTC locking scripts are currently quantum vulnerable. If anything, ZK covenants increase the overall "soundness" of BCH compared to BTC – in addition to the improved privacy. (Not to mention BTC's impending "fee market" soundness concerns, i.e., tail inflation past 21 million BTC.)
Regardless of semantics, the original point remains: Bitcoin Cash is a real-world example of sound digital money – as sound or more sound than BTC – that also has strong (and improving) privacy.
> BTC only meets your proposed definition if we generously assume that its elliptic curve cryptography will never be broken
What you are describing is computational soundness. Bitcoin will remain sound (ie no one will be able to create coins except by the intended schedule) even if all of its cryptography breaks. That's what unconditional means.
It's an honor to be mentioned, even if my comment had to be called bullshit by Zooko to get it 🙂. Since my comments were about Monero, and privacy coins generally, not ZCash specifically, I took some time to square my knowledge of AML laws with my lack of knowledge of ZCash. It's odd to me that the distinction between private and public addresses within ZCash was never mentioned.
From coinbase:
(https://www.coinbase.com/price/zcash)
>Zcash is a cryptocurrency that offers two types of addresses: transparent addresses that are publicly visible on the Zcash blockchain and shielded addresses that are more private. Coinbase customers can receive Zcash from both transparent and shielded addresses and send Zcash to transparent addresses. Sending to shielded addresses is not supported at this time.
This means to me that at the end of experiment #2, you've taken self custody, but everything is still as transparent and public as Bitcoin. The fact this detail was left out seems disingenuous to me.
Regardless it seems you could then make those transparent funds private by moving them to a shielded address, fair enough. Impressive actually, I didn't know you could do that. But at this point the layers of indirection are exactly the point I was originally trying to make. Usage of private money is theoretically possible, but not convenient or practical for the average Joe.
So how does this fit with AML laws?
The centralized exchange (Coinbase in this case), which knows you intimately, also knows your new (transparent) ZCash address. And as a compliant Money Services Business (MSB) has to follow 31 USC 5311. To pull a quote:
>(2) prevent the laundering of money and the financing of terrorism through the establishment by financial institutions of reasonably designed risk-based programs to combat money laundering and the financing of terrorism;
The term "risk-based programs" is key. MSBs are expected to monitor their customers for anything and everything that could signal "higher risk". You must have an appointed officer and processes in place to monitor your customers and look for and secretly report red flags. This report is called a SAR (Suspicious Activity Report). Any cash transaction over $10k MUST have a SAR filed, as example. A SAR's content or even its existence cannot be revealed, not by the government, or the MSB, or even in court discovery. (https://www.federalregister.gov/documents/2010/12/03/2010-29880/confidentiality-of-suspicious-activity-reports) This is to encourage and embolden MSBs (All financial institutions but I'm focusing on MSBs) to report early and often.
As soon as you move those funds to a shielded address, Coinbase will almost certainly identify that as a risky behavior and file a SAR with anything else they find odd about your account. (Any suspicious IP locations? Unusual sums for your employment? Did you appear in the news for something bad or suspicious? (In AML world this is called "adverse media" or "negative news"). You are also expected to warn and collaborate and share data with other financial institutions to investigate and build a more complete profile of your suspicious customer for your SAR. From there various agencies and investigators decide whether further investigation is merited.
Why can Coinbase accept funds from shielded addresses and not send them? I'm speculating here but I'd guess that (1) Financing of terrorism relies on disguising the outgoing funds, less so their source. And the other goal (2) money laundering has other patterns to look for, such as volume and frequency and where the funds are subsequently moved. Investigators would much rather that money be on Coinbase tied to a known person they can investigate, than remain in a shielded anonymous wallet. That said, Coinbase gets as close to the edge of compliance as possible. And they've already paid 9 figures in AML compliance fines.
Why doesn't Coinbase support Monero, or the privacy-protecting elements of ZCash? It's not *de jure* illegal, but it is *de facto* illegal for them to do so, because a regulator expects an MSB to only take on new business with risks that it can manage successfully. How can an MSB justify to a regulator that it has the risk of money laundering and terrorist financing under control while also offering a product specifically designed to evade that due diligence? It can't, so they don't.
Is this government overreach? Maybe. Probably. I'm sympathetic to the kind of anarcho-individualist ideal where everyone takes sovereignty over their money and no business is involved. But the real world involves businesses facilitating transactions for any number of reasons besides just convenience. Those businesses, with current laws, are absolutely incompatible with a privacy currency.
I hope I'm wrong, because I'd love to exchange fiat for crypto, facilitate transactions and do all the things my customers need me to do while also respecting their maximum privacy.
None of this is intended as an attack on you @Zooko or ZCash. I believe we're on the same team at the end of the day.
On stablecoins, I've done quite a bit of work in this area. First, just the numbers: in November last year, 28m users sent 600m in transactions in that month alone. Most of these are on Tron with USDT. It's causing dollarization in places like South Korea, where SEA traders prefer stablecoin payments with their import/export partners since blockchain transactions are irreversible and speedier than bank payments. More info generally on stablecoin payments from a VC perspective: https://a16zcrypto.com/posts/article/how-stablecoins-will-eat-payments/
I can say a lot more in this area, but one thing to add: accounting balance sheet chains drive the need for a single unit of account. Put simply, businesses prefer to have assets and liabilities denominated in the same unit of account to reduce forex risk. This causes units of account to propagate across balance sheet networks.
Bitcoin is designed as a fully transparent system to enhance its auditability and therefore its security. In contrast, privacy-focused cryptocurrencies like Monero (and ZCash, probably) prioritize anonymity, but this can introduce structural security trade-offs. While Bitcoin's base layer is transparent, anonymity can be achieved through second-layer solutions, such as certain Lightning Network applications. However, these solutions often come at the cost of reduced security compared to the base layer.
This is the key issue with alternatives to Bitcoin: they always involve trade-offs. Moreover, any genuine innovations developed in other cryptocurrencies can be integrated into Bitcoin, which, surprisingly to some, receives regular updates to improve its functionality.
Monero
My information may be out of date, but I recall the problem with ZCash being that the algorithm is extremely computationally intensive, even for the end user. In particular, you can't run it with all the privacy features on a smartphone.
Money needs to be stable and reliable. Relative to fiat, crypto is unstable and unreliable (if someone hacks your bank account, the chances of recovering the money are much higher than if someone steals your crypto). And as the Bybit hack demonstrated, even the best crypto security measures (multisig) are not good enough.
Things might change in the future, but presently crypto is just a speculative asset. It's neither a medium of exchange nor a store of value.
You can say, but what about USDT? Well, it's basically USD securitized to be on chain. Not really a blockchain-based token, because emission and issuance are ultimately dependent on USD.
That is only if you do "usual" stuff with your money and have exercised sufficient care in your choice of parents and place of birth. However, as soon as semi-automated compliance procedures start picking on you for one reason or another, banks become unstable and unreliable to the point of unusability: your transactions (both outgoing and incoming) regularly get flagged and frozen, requiring a lot of time and effort to unfreeze or at least revert; your entire accounts get blocked or closed once in a while, and then you need to go through all the hassle of finding another bank that is willing to do business with you, only to be refused several times until you find one that does. Welcome to my world!
Most of my liquid savings are in crypto, and most of my spending and income is also in crypto. Because as far as I am concerned, the legacy financial system is borderline unusable, very inconvenient, and much less stable or reliable than crypto.