Quick comparison
| Approach | Default-on? | Anonymity set | Trusted setup? | Proof size | Chains |
|---|---|---|---|---|---|
| FCMP++ | Yes | All chain UTXOs | No | ~2 KB / input | Monero (post-fork) |
| zk-SNARKs | Opt-in (shielded pool) | Shielded-pool only | Yes (per-circuit) | ~200 bytes | Zcash |
| CoinJoin | No (user-initiated) | Mix participants | No | n/a (just a tx) | Bitcoin (Wasabi, etc.) |
| Mimblewimble | Yes | Cut-through outputs | No | Compact (cut-through) | Beam, Grin |
| Lelantus-Spark | Opt-in (Spark pool) | Spark-pool subset | No | ~2-3 KB / input | Firo |
"Default-on" matters a lot for the privacy floor: opt-in privacy schemes have the well-known "the few transparent users stand out" problem.
FCMP++ in this lineup
FCMP++ is the only entry that combines all four: default-on privacy, no trusted setup, maximal-possible anonymity set, and a proof small enough for blockchain inclusion. The trade-off is per-input proof size — ~2 KB vs Zcash's ~200 bytes — but Monero accepts the bandwidth in exchange for keeping privacy default-on for every transaction without a trusted-setup ceremony.
zk-SNARKs (Zcash)
Zcash uses zero-knowledge SNARKs (Succinct Non-interactive Arguments of Knowledge) to prove transaction validity in encrypted form. Inside the "shielded pool", everything is encrypted — sender, recipient, amount — and the proof is tiny (~200 bytes).
Strengths:
- Smallest proofs of any privacy scheme. Cheap bandwidth-wise.
- Strong privacy inside the shielded pool — encrypted everything.
Trade-offs:
- Opt-in. Most Zcash supply has historically lived in the transparent pool; only a fraction routes through shielded. The shielded users stand out by definition.
- Trusted setup. Earlier Zcash versions required a multi-party "ceremony" to generate the proving parameters. If the ceremony was compromised, undetectable inflation became possible. Halo 2 (current Zcash) removes the trusted setup; older shielded pools predating Halo 2 had it. Reputation hangover persists.
- Computational cost on the prover side. SNARK proving is slow — multi-second on phones. Wallet UX has caught up but it constrains design.
CoinJoin (Bitcoin)
CoinJoin is not a privacy chain — it's an opt-in mixing protocol on top of Bitcoin's fully transparent chain. Many users co-sign a single transaction with many inputs and many same-value outputs, so chain analysis can't straightforwardly link any specific input to any specific output.
Strengths:
- Runs on Bitcoin — no new chain needed. Most-liquid base layer.
- No new cryptography. Just clever use of standard signatures + scripts.
- Coordinator-free designs (e.g. WabiSabi) avoid central trust.
Trade-offs:
- Opt-in. Most Bitcoin spends are pseudonymous-but-traceable. CoinJoin participants are a tiny subset.
- Anonymity set = participants in that specific round. Maybe 100, maybe 1000 — orders of magnitude smaller than chain-wide.
- Heuristics still exist. Coin-control mistakes (mixing then immediately consolidating) re-link your outputs.
- Regulatory pressure. Tornado Cash sanctions in 2022 + Wasabi/Samourai shutdowns in 2024 set a precedent that operators of mixing infrastructure can be prosecuted. The protocol survives; the user-facing services have churned.
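The equal-value idea and the coin-control mistake described above, as an added example (not code from the original page or from any CoinJoin wallet). The round, the output names and both function names are constructed for illustration, and the anonymity set is approximated as the count of equal-value outputs in the round.

```python
from collections import Counter

# Constructed round (values in satoshis); names are hypothetical.
# Inputs 130_000 + 100_500 + 250_000 pay three equal 100_000 outputs,
# two change outputs, and a 1_500 fee.
ROUND_OUTPUTS = {"o1": 100_000, "o2": 100_000, "o3": 100_000,
                 "o4": 29_500, "o5": 149_500}


def output_anonymity_sets(outputs):
    """Map each output to how many outputs in the round share its value.

    Simplifying assumption: equal value is the only thing hiding an output,
    so unique-valued change gets a set of 1.
    """
    counts = Counter(outputs.values())
    return {name: counts[value] for name, value in outputs.items()}


def consolidation_warnings(wallet, selected):
    """Coin-control check a wallet could run before signing a spend.

    wallet maps each owned UTXO to its anonymity set (1 = unmixed or change).
    """
    if len(selected) < 2:
        return []  # a single input links nothing new
    mixed = sorted(n for n in selected if wallet[n] > 1)
    unmixed = sorted(n for n in selected if wallet[n] == 1)
    warnings = []
    if mixed and unmixed:
        warnings.append(f"{mixed} co-spent with traceable {unmixed}: "
                        "the mix no longer hides these coins")
    if len(mixed) > 1:
        warnings.append(f"{mixed} co-spent together: observers learn "
                        "they share one owner")
    return warnings


if __name__ == "__main__":
    sets = output_anonymity_sets(ROUND_OUTPUTS)
    print(sets)
    # One participant's wallet: a mixed output and change from this round,
    # plus a mixed output from a second constructed round.
    wallet = {"o1": sets["o1"], "o4": sets["o4"], "r2_o7": 5}
    for spend in (["o1"], ["o1", "o4"], ["o1", "o4", "r2_o7"]):
        print(spend, consolidation_warnings(wallet, spend))
```

The change outputs `o4` and `o5` come out with a set of 1, which is why consolidating them with a mixed output undoes the round for that coin.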
Mimblewimble (Beam, Grin)
Mimblewimble is a different blockchain design entirely: no addresses, no scripting language, transactions are aggregated and "cut-through" so intermediate outputs disappear from the chain. The default is privacy + compact chain.
Strengths:
- Smallest chain footprint of any privacy design — cut-through erases intermediate state.
- Default-on privacy. No opt-in pool.
- No trusted setup.
Trade-offs:
- No on-chain addresses. Sender and receiver must do an interactive transaction-building step. Asynchronous payments (drop coins to an address while the recipient is offline) don't work the same way as in Bitcoin/Monero.
- Limited script. No on-chain DeFi-style logic; Mimblewimble chose simplicity over expressiveness.
- Smaller, less battle-tested communities. Beam and Grin both lost mining hashrate share over the years; ecosystem support thinned out.
- Privacy is good on chain but harder to compose with other systems (wallets, exchanges, payment processors).
Lelantus-Spark (Firo)
Lelantus-Spark is Firo's privacy scheme: zero-knowledge proofs over a shielded pool with no trusted setup. Conceptually it sits between Monero's default-on privacy and Zcash's opt-in pool: you opt into the Spark pool, but inside the pool, all transactions are private.
Strengths:
- No trusted setup. Better cryptographic posture than pre-Halo2 Zcash.
- Strong privacy inside the Spark pool.
- Direct intellectual lineage to Monero's research direction (similar primitives).
Trade-offs:
- Opt-in pool model. Same problem as Zcash: most users are outside the pool. The pool itself is the anonymity set.
- Smaller ecosystem than Monero or Bitcoin. Firo is a smaller chain by market cap, hashrate, and developer base.
- Proof size similar to FCMP++ (~2-3 KB) but over a much smaller anonymity set, so the privacy-per-byte ratio is worse.
Where FCMP++ stands out
Comparing across the table:
- Default-on + max anonymity set: Only FCMP++ and Mimblewimble are both default-on AND large anonymity set. Mimblewimble pays for it with no scripting and no async payments; FCMP++ keeps Monero's addressing model intact.
- No trusted setup: FCMP++, CoinJoin, Mimblewimble, and Lelantus-Spark are all clean. Pre-Halo2 Zcash had the reputational shadow of its setup ceremony; current Zcash with Halo 2 removes it but the older shielded pool still exists.
- Composability: FCMP++ + Monero's addressing means existing wallets, exchanges, payment processors, and Tor-friendly tooling keep working unchanged. The fork is internal. CoinJoin and zk-SNARK opt-in pools demand additional steps from users. Mimblewimble demands interactive transaction-building.
- Liquidity: Bitcoin (CoinJoin venue) has the deepest liquidity by far. Monero (FCMP++) has the second-deepest privacy-coin liquidity. Zcash has shrunk; Firo and Mimblewimble chains have smaller pools still.
The summary: if you want default-on privacy without trusted setup, with the largest possible anonymity set and a working ecosystem, FCMP++ is the only entry that hits all four. The cost is per-input proof size (~2 KB vs Zcash's ~200 bytes). That's the deliberate trade Monero is making.
When the comparison is not relevant
None of these helps if you:
- Use a custodial exchange. The exchange knows everything — protocol-layer privacy doesn't reach into their database.
- Reveal your IP. All of the above leak at the network layer if you don't pair with Tor or I2P.
- Reuse an address. CoinJoin and FCMP++ are about the chain layer; address reuse breaks both. See Receive XMR privately for hygiene.
- Care more about identity-shielding than coin-flow-shielding. None of these change KYC at the on-ramp. See What is no-KYC?.
FCMP++ is a chain-layer privacy primitive. The rest of the stack (network, identity, operational) is independent and equally important.
See also
- FCMP++ explained — what the upgrade actually does inside Monero.
- Prepare for FCMP++ — pre-fork checklist.
- Privacy threat models — pick the right tools for your adversary.