by zooko-zcash 3793 days ago
Hi folks! I'm the Founder and CEO of the Zcash company. It's really great to have this much interest in a project that we just released in alpha "Technology Preview" form two weeks ago.

There are a lot of good questions in here, some of which I answered in an AMA a few days ago: https://forum.bitcoin.com/ama-ask-me-anything/i-m-zooko-wilc...

I can't wait to release the next iteration of the Zcash software, in — fingers crossed — just a couple of weeks. We'll continue to have lots of blog posts and technical discussions from us along the way. This is only the beginning!

2 comments

Hi Zooko,

There have been some concerns raised about your ability to do a pump-and-dump scheme. You mention on your funding page that you are incentivized to support it for at least 4 years due to the payout scheme. My question is, how can that statement be audited, since the transactions are anonymous? Is it built into the client then?

Hi Zooko,

Has there been any serious discussion about incorporating the results of PQCRYPTO in your protocol so Zcash is still secure and viable (at >= 2^128 security level) after the development of practical quantum computers?

http://pqcrypto.eu.org

Hi, I'm one of the Zcash scientists: Section 8.1 in the full paper describes how to get anonymity that survives quantum computers (http://zerocash-project.org/media/pdf/zerocash-extended-2014...).

The zero-knowledge proof itself offers statistical privacy in the face of unbounded (so more powerful than quantum) attackers. So surprisingly, you are mostly fine. But you would need to take two steps to protect yourself. First, you have to use each Zcash address only once.

Second, you need to use a post-quantum secure means of notifying the recipient they got a transaction and of the coin commitment openings. The built-in mechanism in Zcash, which posts a ciphertext to the blockchain encrypted under the recipient's public key, is standard off-the-shelf public key cryptography. It's efficient, but is of course not post-quantum secure. Nothing requires that you use this mechanism, however. You can always post a garbage ciphertext and inform the recipient some other way.