What do you think about zcash? They seem to have solved the private transactions problem, have a better anonymity set than monero (and are accepted at exchanges) and are actively working on faster consensus.

Disclaimer, I currently work at a zcash corp.

▲

alphazard 2 days ago | parent [-]

IMO the hard problem here is PoS consensus with the private transactions. It seems like the stakers have to come up from the depths of privacy to participate in consensus. Maybe there is a way to do private staking, but that makes the network very difficult to understand and build confidence in. So I don't see upgrading to faster consensus to be a small incremental improvement, it's fundamental.

A separate issue is that both Monero and ZCash are not post-quantum secure, while many of the new zkSTARK VMs are. The ledger lives forever, and state actors will eventually decrypt the transactions if the cryptography can be broken. At that point it seems like it's better just to build the currency product in one of the zk VMs.

	▲	dlubarov 2 days ago \| parent [-]
		In Zcash a quantum attacker could include invalid transactions with forged proofs, but I'm not sure they could actually break Zcash's privacy properties? I'd need to review the design details more to say for sure, but e.g. from what I recall Pedersen hashes are used in the commitment tree, but not for nullifiers. Those use blake hashes (which are plausibly post-quantum secure), IIRC. There's also the underlying prover layer, but many proof systems actually have information-theoretic zero-knowledge properties (assuming a suitable source of randomness), even if their soundness guarantees are based on assumptions like DLP.