Three Roads to Privacy — Mixers, Monero, Zcash

Everyone wants payment privacy. Almost nobody agrees on how to get it. Three big approaches dominate, and they’re not just different brands of the same thing — they hide different parts of a transaction, lean on different math, and fail in different ways.

Let’s walk all three roads, then draw the map.

Road 1 — CoinJoin: hiding in a crowd (on a glass chain)

Before you read — take a guess

Guess before you read: a CoinJoin mixes your coins with other people's. After the mix, where do all those transactions live?

Off-chain, in the coordinator’s private databaseIn an encrypted vault participants can decryptOn a transparent public chain anyone can read

Bitcoin was never built for privacy, so privacy got bolted on. The headline bolt-on is CoinJoin: a bunch of users team up to build one collaborative transaction. They throw their coins in together and the transaction pays out a pile of equal-denomination outputs — say 50 outputs of exactly 0.1 BTC.

Because every output looks identical, an outside observer can’t say which output belongs to which input. Your anonymity set is the number of indistinguishable peers you’re mixed with (Wasabi targets roughly 50–100).

The identical-envelopes room

CoinJoin is like 50 people walking into a room and swapping identical sealed envelopes. From the outside it’s chaos. But someone watching the doors can still count who came in and who left — and if your envelope was a weird size, they can follow it right out.

Here’s the catch, and it’s a big one:

Fixed denominations create change. Spend 0.13 BTC into a 0.1 mix and you’ve got 0.03 BTC left over. That leftover — toxic change — is deterministically linkable straight back to your input. No plausible deniability.
Address reuse shrinks the set. Sloppy pre-mix or post-mix address handling re-links your “anonymous” coins to your identity.
It’s obfuscation, not encryption. Every byte still sits on a transparent chain. You’re hiding in a crowd, not behind a wall.

Mixing ≠ Monero

A common myth: “CoinJoin gives me Monero-level privacy.” It doesn’t. CoinJoin is crowd-based obfuscation on a fully public ledger with linkable change. Useful, clever, but a different league.

Lock in the term that trips people up most:

The leftover from spending into a fixed-denomination mix — linkable straight back to your input — is called…

Pick the right option for each blank, then check.

The dangerous leftover is change, and it's linkable to your input because the mix uses denominations.

Road 2 — Monero: privacy by default, three pillars

Before you read — take a guess

Guess: in Monero, how often is privacy switched on?

Only when you tick a “private” checkboxAlways — on every transaction, no opt-outOnly on transactions above a set amount

Monero flips the model: privacy isn’t an add-on you opt into, it’s always on, for every transaction. It stands on three pillars — and the order matters, because together they hide all three things a payment leaks: sender, receiver, and amount.

Pillar 1 — Ring signatures (hide the SENDER). Your real input is hidden among a set of decoys pulled from the chain. That set is the ring. The current ring size is 16 (raised from 11). So per input, your anonymity set is about 16: small, but mandatory on every single transaction.
Pillar 2 — Stealth addresses (hide the RECEIVER). Each payment goes to a fresh, one-time destination address derived on the fly. The receiver stays anonymous and payments to the same person can’t be linked together.
Pillar 3 — RingCT (hide the AMOUNT). Ring Confidential Transactions hide the amount using Bulletproofs / Bulletproofs+ range proofs — cryptographic promises that the numbers add up without revealing what they are.

The lineup of look-alikes

Monero is hiding your signature in a lineup of 16 near-identical look-alikes — every single time you sign. No one round is bulletproof, but you never, ever step out of the lineup.

Match each pillar to the exact thing it conceals:

Which Monero pillar hides which part of a payment?

Pick a term, then click its definition.

The trade-off: the per-transaction set is small (16), and clever decoy-selection statistical attacks are an active research worry — if decoys are picked in a guessable way, the real input can sometimes be inferred. But the floor is high: privacy is never off.

Road 3 — Zcash: prove it without showing it

Before you read — take a guess

Guess: a fully shielded Zcash transaction hides you among how many other people?

The whole shielded pool — every note made in itThe 50–100 peers from your mixing roundA ring of exactly 16, the same as Monero

Zcash takes the boldest swing. Using zk-SNARKs (today via the Halo 2 proving system), a transaction comes with a zero-knowledge proof: math that proves the transaction is valid — inputs exist, nothing’s double-spent, amounts balance — without revealing the sender, receiver, or amount.

The mind-bending part is the anonymity set. A fully shielded Zcash transaction doesn’t hide among 16 decoys or 50 peers — it draws on the entire shielded pool: every note ever created in that pool. In principle, far larger than a Monero ring.

No lineup at all

Where Monero hides you in a lineup, Zcash skips the lineup entirely. It proves “a valid member of the whole club authorized this” — without ever naming, or even pointing at, which member.

But there’s a sharp asterisk: privacy in Zcash is opt-in, not the default.

Zcash isn't automatically private

Send a transparent Zcash transaction and it’s basically Bitcoin — fully public. Only shielded transactions get the zk magic. And because shielding is optional, your practical anonymity set is only as big as the pool of people actually shielding (recall the usage stats from the last lesson — theory and practice can diverge hard here).

Sort the details of a fully shielded (z→z) Zcash payment:

In a fully shielded Zcash transaction, which details are hidden and which stay public?

Place each item in the right group.

Sender address
Receiver address
Amount sent
That a valid transaction occurred

Now produce the key term from memory:

Fill in the cryptographic idea at the heart of Zcash.

Pick the right option for each blank, then check.

A proof convinces a verifier that a statement is true while revealing beyond its validity.

The cheat-sheet

Before you read — take a guess

Before the table: which road hides the AMOUNT? Pick all that apply.

CoinJoin (Wasabi)Monero (RingCT)Zcash (shielded)

One table to rule them all. Note where the “No”s live.

	CoinJoin	Monero	Zcash (shielded)
Hides amount	No (Wasabi)	Yes (RingCT)	Yes
Hides sender	Partially (mix set)	Yes (ring)	Yes
Hides receiver	No (transparent)	Yes (stealth)	Yes
Anonymity set	~50–100	ring = 16	whole shielded pool
Default-on	No	Yes	No (opt-in)
Mechanism	obfuscation	decoys / one-time addr	cryptographic proof

The one-line summary

CoinJoin obfuscates on a glass ledger. Monero hides every tx among decoys, by default. Zcash proves validity without revealing anything — biggest set in principle, smallest set in practice if nobody shields.

Sort each road by its core mechanism (spaced recall — pull from all three roads):

What's the core mechanism behind each road?

Place each item in the right group.

CoinJoin
Monero
Zcash (shielded)

Bust the myths

Before you read — take a guess

True or false (guess): 'Monero always has a bigger anonymity set than Zcash.'

False — it depends on theory vs. real shieldingTrue — ring size 16 always beats Zcash’s poolTrue — Zcash never reaches a usable set size

Per transaction, Monero hides among ring size 16. A fully shielded Zcash transaction draws on the entire shielded pool — potentially far larger. The twist is practical usage: Zcash’s real set is only as big as actual shielded activity. So “bigger” depends on whether you mean the math or the crowd.

No. CoinJoin is obfuscation on a transparent chain, complete with deterministically linkable toxic change. Monero encrypts amounts, hides receivers with stealth addresses, and rings every input — mandatorily.

Only shielded ones. Transparent Zcash transactions are Bitcoin-like and fully public. Privacy is opt-in.

Active recall — bust the CoinJoin myth in your own words:

Complete the correction to the 'CoinJoin = Monero' myth.

Pick the right option for each blank, then check.

CoinJoin is on a transparent chain, and its fixed denominations leave change that links back to you.

Where this is heading

Quick recall before we move on: what do Monero and Zcash both rely on under the hood?

A trusted central coordinator signing each txCoinJoin-style collaborative mixing roundsZero-knowledge proofs — amounts, or everything

Notice that two of our three roads lean on the same magic word: zero-knowledge proofs. Monero uses them to hide amounts; Zcash uses them to hide everything.

How can you possibly prove a transaction is valid — that the coins exist, that nothing’s double-spent, that the math balances — without revealing a single number? That’s not a metaphor. It’s real cryptography, and it’s coming up next.

Tie it together

Chunk the whole map into one picture, then take the mixed quiz.

Big picture

Three roads to privacy in one picture

Payment privacy
- CoinJoin
  - Obfuscation on a glass chain
  - Set ~50 to 100
  - Leak - toxic change, opt-in
- Monero
  - Rings hide sender, size 16
  - Stealth addresses hide receiver
  - RingCT hides amount
  - Always on by default
- Zcash
  - zk-SNARK via Halo 2
  - Hides sender, receiver, amount
  - Set - whole shielded pool
  - Leak - shielding is opt-in

Same goal — payment privacy — three different mechanisms, three different leaks.

Three roads, one quiz

Question 1 of 40 correct

What is 'toxic change' in a CoinJoin?

A decoy output the round adds to confuse observersThe slice of the mix the protocol holds in escrowOdd leftover that links deterministically to your inputA surcharge the mixing coordinator quietly collects

Check your answer to continue.