It is well known in the crypto market that scalability remains an unresolved roadblock to mass market adoption. Bitcoin and Ethereum, the two largest cryptoassets by market capitalization, max out at around 7 transactions per second (tps) and 15 tps, respectively. To put this into context, individuals often cite the Visa network’s ability to process over 24,000 tps as a benchmark. CryptoKitties, a decentralized app where you can collect and trade digital kitties, nearly crashed Ethereum at the end of 2017 because of the congestion in processing trades. Without scalability, blockchains cannot function.

So what’s preventing blockchains from becoming as scalable as Visa’s network? Their decentralized nature. Bitcoin and Ethereum are trustless because there are thousands of independent nodes across the world, run by independent companies and individuals, that maintain the security of the network. The more nodes there are, the more difficult it is for one node/person/nation/enterprise to attack the network. However, the more nodes there are, the more servers decisions are processed through, and thus the longer it takes to agree on a decision. A direct democracy is a good analogy here: how long would it take to pass a bill if every American citizen had to vote on every bill proposed as a new law?

Vitalik Buterin, co-founder of Ethereum, has coined this major problem the “scalability trilemma”: how can blockchains be scalable, secure, AND decentralized? Solving this trilemma remains the foremost objective in the industry today. If we cannot find solutions, adoption will never take off, and the complex challenges our industry addresses, like non-sovereign money, individual data ownership, or banking the unbanked, may never be solved.

For now, there are a few core ideas behind solving the scalability trilemma:

- Replace the “direct democracy” approach blockchains use for governance with a representative democracy.
  The independent nodes all over the world elect a subset of nodes to manage the network. This way, decisions only have to pass through the delegates and can be made much faster. Three of the largest blockchains by market cap, EOS, Tron, and Tezos, use delegated governance. Critics of delegated blockchains argue that with fewer machines, the network will become less secure, and furthermore, these “elections” are subject to manipulation, increasing the potential for corruption.
- Use a smaller number of trusted nodes run by corporations that have reputation at stake.
- Maintain the fully decentralized (direct democracy) approach; instead, rely on technological improvements to increase the efficiency of the communication between the nodes in both time and space.
- Since not all transactions need such a high level of security, we can move/validate those with lower security requirements off-chain or to side-chains.

The last two options are complex. There are dozens of companies that are trying to solve this at the protocol layer using technology like sharding or complex calculus. There are many others tackling scalability via off-chain and side-chain solutions such as payment channels (Lightning Network, Raiden), other state channels, and Plasma. None of these are yet successfully operational at scale. You can time stamp the industry as being in the midst of a “scalability race.”

But what’s this have to do with Privacy?

Many crypto enthusiasts were originally attracted to Bitcoin because they believed it was anonymous. This is not true; contrary to popular belief, Bitcoin is far from anonymous. While real-world identities aren’t revealed, when users engage in a Bitcoin transaction, their public keys (public addresses) and transaction amounts are broadcast to the public ledger. Anyone who has obtained a record of the blockchain over time can easily visit these users’ wallet addresses to see how much Bitcoin they own.
Furthermore, once someone transacts with a counterparty he/she learns one of the counterparty’s public keys, and thereafter can trace the holdings tied to that public key. In fact, law enforcement has previously used end-users’ misperception of Bitcoin’s transparency to its advantage. Kathryn Haun, who is a General Partner at Andreessen Horowitz, previously led a TED Talk on how the US Government used full-nodes on Bitcoin to trace $13.4M to Ross Ulbricht, the mastermind behind the first modern darknet market, Silk Road.

Nevertheless, there are multiple blockchains that have been engineered to be private. The major ones, based on their technical proficiency and the market cap of their associated cryptocurrencies, are Monero and Zcash. In addition, two new privacy coins, Grin and Beam, launched in January 2019 and are generating a lot of recent buzz in the industry. Privacy research continues to be at the forefront of the crypto space, as we’ve seen with the most recent Zether whitepaper, published in late February 2019 as a collaboration between the senior research teams in applied cryptography from Stanford University and Visa.

The purpose of these blockchains is self-explanatory: you can buy/sell/trade value and record the transaction on the blockchain, anonymously. Many view privacy coins as technology that supports the dark web; however, privacy is important for all users if crypto payments are to become mainstream. Do you want your coworkers to know how much you spent on your girlfriend’s birthday present? These blockchains are working on protocols that fundamentally protect people’s personal information but also can be audited/examined by law enforcement if nefarious activity is suspected.

So, what does privacy have to do with the scalability race? Think about it this way: when you don’t tell everyone everything, you theoretically can save time and space.
Capitalizing on this interesting axiom, blockchain developers have been working hard to implement “zero-knowledge” proofs, which are protocols within the blockchain code that allow independent nodes to verify transactions in a block without identifying the participants involved or the inputs and outputs of the transactions. There are ways, using math, to make this possible, which is an amazing and potentially game-changing concept. Thus privacy blockchains and scalability progress are intimately linked. We start with one of the oldest and largest privacy coins by market capitalization: Zcash.

Zcash

Zcash isn’t the oldest privacy blockchain (it officially launched as a hard-fork of Bitcoin in October 2016), but its team and technology have led by example. Originally designed by cryptographers from some of the world’s leading academic institutions (MIT, Technion, Johns Hopkins, Tel Aviv University and UC Berkeley), Zcash’s anonymization is built entirely on zk-SNARKs (Zero-Knowledge Succinct Non-Interactive Argument of Knowledge), which allows Zcash to hide almost all data from the validators in its network (the sender information, receiver information, and transaction amounts) except for time stamps and transaction fees. Many call Zcash’s zk-SNARKs algorithm “moon math,” because of its incredible complexity.

Zcash has two main features that make it stand out:

- Its zk-SNARKs technology
- Its anonymization is selective

Zcash allows users, both senders and receivers, to choose whether they want their transaction information to be transparent or shielded. A fully transparent transaction, where both the sender and receiver opt out of hiding their information, looks and operates similar to that of Bitcoin. However, if any part of the transaction is shielded, Zcash uses its zk-SNARK algorithm to verify the transaction.
Using a zero-knowledge algorithm rather than signature mixing makes it easier for Zcash to comply with law enforcement, as users can reveal their transaction history for a shielded address to a third party by providing their “view key”. Zcash also contains a memo field for shielded transactions, which you can think of as the description line on a check that only you, the recipient, and whichever third party to whom you’ve sent your “view key” can see.

What’s the difference between Zcash’s zk-SNARKs and Monero’s RingCT bulletproof?

They are different zero-knowledge algorithms that have trade-offs based on time, size and cost. Exploring the trade-offs can get quite technical and is outside the scope of this paper. (For the ambitious among you, you can start here). Nevertheless, there is one aspect of the comparison that is important to explore: Zcash’s zk-SNARK implementation has, as founder Zooko Wilcox describes it, an unfortunate vulnerability in the math, where it requires a trusted setup, while Monero’s bulletproofs do not.

Zcash’s trusted setup is similar to the sender’s and receiver’s selection of a “blinding factor” or secret key in Monero’s RingCT. However, Zcash has one secret key and it holds significantly more importance. Because zk-SNARKs power the entire protocol, Zcash uses its blinding factor to generate the Zcash currency and launch its blockchain. On one hand, it’s efficient that the blinding factor only needs to be chosen once, rather than per transaction like Monero. On the other, the security of the entire network is predicated on this blinding factor. If somebody got a hold of it, he or she could successfully make counterfeit Zcash tokens. And because of Zcash’s privacy features, these counterfeit tokens could go undetected. Talk about a nightmare.
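A toy model of the risk described above, added here as an example (it is not Zcash’s ceremony code): when the setup secret is the product of shares contributed by several parties, reconstructing it takes every share, so a single destroyed share is enough to keep it unknown. The group parameters `P`, `Q`, `G`, the parameter layout and all function names are assumptions chosen for illustration.

```python
"""Toy multi-party setup: the secret tau is the product of every share."""
import secrets

# Constructed toy group, far too small for real use: P = 2*Q + 1 with P and Q
# prime, and G = 4 generates the subgroup of order Q.
P, Q, G = 2039, 1019, 4
DEGREE = 4  # the public parameters are g^(tau^0) .. g^(tau^DEGREE)


def params_for(tau):
    """Public parameters that a party knowing tau outright would compute."""
    return [pow(G, pow(tau, i, Q), P) for i in range(DEGREE + 1)]


def contribute(params, share):
    """Fold one party's share in: g^(tau^i) becomes g^((tau*share)^i).

    The party only needs the current public parameters and its own share,
    so it never learns the shares of earlier contributors.
    """
    return [pow(elem, pow(share, i, Q), P) for i, elem in enumerate(params)]


def run_ceremony(shares):
    """Chain the contributions, starting from tau = 1."""
    params = params_for(1)
    for share in shares:
        params = contribute(params, share)  # the share is destroyed afterwards
    return params


def combined_secret(shares):
    """What colluders holding exactly these shares can reconstruct."""
    tau = 1
    for share in shares:
        tau = tau * share % Q
    return tau


if __name__ == "__main__":
    shares = [secrets.randbelow(Q - 2) + 2 for _ in range(6)]  # six parties
    public = run_ceremony(shares)
    print("all six shares leak :", params_for(combined_secret(shares)) == public)
    print("five of six collude :", params_for(combined_secret(shares[:5])) == public)
```

In a group this small the secret can be brute-forced from the public parameters; real ceremonies use elliptic-curve groups and also check that each contribution is well-formed, which this sketch omits.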
So how did Zcash generate this blinding factor so that a) no one could steal it upon creation and b) they could prove to all potential future users of Zcash that no one knew, saw, learned or tampered with this number? Founding members held a ceremony right before the launch of the blockchain from October 22–23, 2016, where six independent teams in distributed locations all over the world generated and contributed a piece or “shard” of the private key, without knowledge of the others. The original Zcash “Sprout Ceremony” was quite elaborate. To hear the details, check out journalist Morgan Peck’s entertaining first-hand account here.

Unfortunately for Zcash, their ceremonial days aren’t behind them. Every time Zcash wants to hard-fork their protocol, they have to create a new blinding key and conduct another ceremony. On April 13, 2018, Zcash completed their second “Power of Tau Ceremony,” which was public and included hundreds of participants globally, in preparation for their Sapling hard-fork.

One of the major problems with the optional privacy features of Zcash is that if the majority of the network opts out of the privacy feature, it becomes easier for surveyors to track the private users. So it is in Zcash’s best interests for more users to opt into privacy. Zcash users’ initial disinterest in shielding transactions might be attributed to its computational intensity/cost and latency. Originally, Zcash’s Sprout protocol took multiple gigabytes of memory and over 30 seconds to create a shielded transaction. Under Sapling, a shielded transaction can be created in a few seconds and use only 40 megabytes of memory, making it realistic for users to regularly transact with a shielded address. In fact, this significant decrease in cost and latency pushes Zcash closer to being able to conduct shielded transfers on smartphones/mobile devices.
Yet, the Zcash network has yet to reap the fruits of developers’ labor, as only 15% of all transactions on the Zcash blockchain in the past month have been partially or fully shielded.

All in all, Zcash’s protocol design leads by technical example. However, their trusted setups are still a headache, and there remains risk to the underlying security of the network if someone were to obtain this blinding factor. This captures the trade-off between Zcash and Monero. One utilizes a trustless protocol (zk-SNARKs) reliant upon a trusted setup. The other has trustless features but is not trustless throughout, instead relying on obfuscation tricks whose success is correlated to its network size. Neither is perfect, which is why other privacy coins (Grin and Beam, for example) have continued to launch.

-- This is an excerpt from a report that was originally published by Wave Financial.