Michael Schneider
Use private transactions with Monero
This article assumes basic knowledge of blockchain technologies and how they are used by cryptocurrencies. Marc Ruef introduced the blockchain technology in the article Blockchain is the future.
When preparing a transaction, the sender wallet does not generate outputs for the recipient's public address. To hide the recipient on the blockchain, the sender derives a one-time, disposable stealth address from the recipient's public address. The stealth address cannot be linked back to the recipient's public address, and multiple transactions to the same public address all point to different, unlinkable stealth addresses. A further benefit is that funds end up spread across many stealth addresses, which makes them even harder to track when a later transaction pulls inputs from several of them. Monero uses two key pairs: a view key pair and a spend key pair. A public Monero address consists of the public view key and the public spend key, and both are used when deriving the stealth address As:
As = Hs(r * PV | i) * G + PS
r is the sender's transaction private key, a fresh random scalar chosen for each transaction; the corresponding transaction public key R = r * G is published with the transaction. PV is the recipient's public view key and i is the output index. Hs is a hash-to-scalar function based on the Keccak-256 hashing algorithm. G is the Ed25519 base point of prime order. PS is the recipient's public spend key.
To detect that funds were received, the recipient has to scan every transaction and recompute the stealth address using their private view key and the public transaction key of the transaction being examined. The formula is simply:
As = Hs(R * pV | i) * G + PS
where R is the transaction public key and pV is the recipient's private view key. This yields the same address because pV * R = pV * r * G = r * PV, a Diffie-Hellman shared secret that only sender and recipient can compute. If the recomputed address matches an output of the transaction, that output belongs to the recipient, who can then derive its private key as Hs(R * pV | i) + pS, where pS is the private spend key.
Ring Confidential Transactions (RingCT) hide the transaction amount. This of course raises questions, such as how overspending is prevented when both the inputs and outputs are hidden from everyone except sender and recipient. One way to ensure that Monero is neither created nor destroyed is to check that the inputs and outputs of a transaction sum to the same value. How are inputs and outputs compared if they are hidden? This is accomplished with homomorphic Pedersen commitments.
The transaction value is enclosed in a Pedersen commitment, and because the commitments are additively homomorphic, the sum of the input commitments can be compared with the sum of the output commitments without disclosing any individual amount: if the two sums match, the transaction balances. A balance check alone would not stop a negative output, so Monero additionally requires a range proof for every committed amount. The math behind Pedersen commitments is substantial and will not be covered here; more information can be found in the article Confidential Transactions from Basic Principles.
After hiding recipients and amounts, the only thing left to anonymize is the transaction initiator. This is where ring signatures come in; they authorize transactions in Monero. A ring signature allows a member of a group to sign on behalf of the group: the signature verifies against the set of group members' public keys, proving that one of them signed, but it cannot be traced back to the signer and gives no indication which member produced it. Monero uses this by adding decoy public keys taken from the blockchain to each transaction input. Only the funds of the true signer, who contributed the private key, are actually spent, but an outside observer cannot tell which ring member that is.
Each ring signature includes a key image. The key image is derived from the one-time private key of the output being spent, so spending the same output twice necessarily produces the same key image. Nodes keep track of the key images seen so far and reject any transaction that reuses one, which is how double spending is detected without revealing which ring member is the real spender.
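The three mechanisms above, stealth address derivation and scanning, the homomorphic balance check on Pedersen commitments, and a linkable ring signature with a key image, share the same Ed25519 group arithmetic, so here they are worked through together in one added Python example. This is illustration code written for this article, not code from the Monero project, and it makes several simplifying assumptions that are also marked in the comments: sha3_256 from hashlib stands in for Monero's Keccak-256 (the padding differs, so nothing here is byte-compatible with real Monero), the output index is encoded as 4 little-endian bytes instead of a varint, the cofactor multiplication Monero applies to the shared secret is omitted, the hash-to-point Hp is a simple try-and-increment construction, the balance check ignores the fee and range proofs, and the ring signature is the original CryptoNote-style scheme rather than Monero's current CLSAG. All key material in the usage is generated on the spot.

```python
import hashlib
import secrets

# Ed25519 parameters (standard values). The affine arithmetic below favours
# readability over speed and side-channel safety; it is demonstration code only.
q = 2**255 - 19
l = 2**252 + 27742317777372353535851937790883648493  # order of the base point G
d = (-121665 * pow(121666, -1, q)) % q
G = (15112221349535400772501151409588531511454012693041857206046113283949847762202,
     46316835694926478169428394003475163141307993866256225615783033603165251855960)
O = (0, 1)  # identity element

def add(P, Q):
    (x1, y1), (x2, y2) = P, Q
    t = d * x1 * x2 * y1 * y2
    return ((x1 * y2 + x2 * y1) * pow(1 + t, -1, q) % q,
            (y1 * y2 + x1 * x2) * pow(1 - t, -1, q) % q)

def mul(k, P):  # double-and-add scalar multiplication, k reduced mod l
    R, k = O, k % l
    while k:
        if k & 1:
            R = add(R, P)
        P, k = add(P, P), k >> 1
    return R

def neg(P):
    return ((q - P[0]) % q, P[1])

def enc(P):  # 32-byte encoding: y with the low bit of x stored in the top bit
    return (P[1] | ((P[0] & 1) << 255)).to_bytes(32, "little")

def Hs(*parts):
    # Hash-to-scalar. Monero uses Keccak-256; sha3_256 is a stand-in here (assumption:
    # the padding differs, so nothing computed here is byte-compatible with Monero).
    h = hashlib.sha3_256()
    for p in parts:
        h.update(p)
    return int.from_bytes(h.digest(), "little") % l

def Hp(P):
    # Hash-to-point by try-and-increment, a simplified stand-in for Monero's Hp (assumption).
    # The point is multiplied by the cofactor 8 so it lands in the prime-order subgroup.
    y = int.from_bytes(hashlib.sha3_256(enc(P)).digest(), "little") % q
    while True:
        xx = (y * y - 1) * pow(d * y * y + 1, -1, q) % q
        x = pow(xx, (q + 3) // 8, q)
        if (x * x - xx) % q:
            x = x * pow(2, (q - 1) // 4, q) % q  # multiply by sqrt(-1)
        if (x * x - xx) % q == 0:
            return mul(8, (x, y))
        y = (y + 1) % q

# --- Stealth addresses: As = Hs(r*PV | i)*G + PS ---
def derive_scalar(shared, i):  # Monero varint-encodes i; 4-byte little endian here (assumption)
    return Hs(enc(shared), i.to_bytes(4, "little"))

def stealth_address(r, PV, PS, i):  # sender: r is the tx private key, R = r*G is published
    return add(mul(derive_scalar(mul(r, PV), i), G), PS)

def scan_output(pV, R, PS, i):  # recipient: pV*R == r*PV, so this reproduces As
    return add(mul(derive_scalar(mul(pV, R), i), G), PS)

def one_time_secret(pV, R, pS, i):  # recipient's spend key for the output: x*G == As
    return (derive_scalar(mul(pV, R), i) + pS) % l

# --- Pedersen commitments: C = blind*G + amount*H, homomorphic in both arguments ---
H = Hp(G)  # second generator whose discrete log with respect to G is unknown

def commit(amount, blind):
    return add(mul(blind, G), mul(amount, H))

def balances(in_commits, out_commits):
    # The verifier sees only commitments. The sender chose output blinds summing to the
    # input blinds, so the sums are equal iff the amounts balance (fee and range proofs omitted).
    total = O
    for C in in_commits:
        total = add(total, C)
    for C in out_commits:
        total = add(total, neg(C))
    return total == O

# --- Linkable ring signature (CryptoNote-style, not Monero's current CLSAG) ---
def ring_sign(msg, ring, s, x):  # signer owns secret x for ring[s]; key image I = x*Hp(P_s)
    n, I = len(ring), mul(x, Hp(ring[s]))
    c, r, L, R = [0] * n, [0] * n, [None] * n, [None] * n
    a = secrets.randbelow(l)
    L[s], R[s] = mul(a, G), mul(a, Hp(ring[s]))
    for j in range(n):
        if j != s:  # decoys: random c_j and r_j, their commitments follow from those
            c[j], r[j] = secrets.randbelow(l), secrets.randbelow(l)
            L[j] = add(mul(r[j], G), mul(c[j], ring[j]))
            R[j] = add(mul(r[j], Hp(ring[j])), mul(c[j], I))
    c[s] = (Hs(msg, *map(enc, L), *map(enc, R)) - sum(c)) % l
    r[s] = (a - c[s] * x) % l  # closes the ring; only the holder of x can do this
    return I, c, r

def ring_verify(msg, ring, sig):
    I, c, r = sig
    L = [add(mul(r[j], G), mul(c[j], P)) for j, P in enumerate(ring)]
    R = [add(mul(r[j], Hp(P)), mul(c[j], I)) for j, P in enumerate(ring)]
    return sum(c) % l == Hs(msg, *map(enc, L), *map(enc, R))
```

To exercise it, generate a recipient key pair (pV, pS) with their public keys PV = pV*G and PS = pS*G, a sender transaction key r with R = r*G, and confirm that stealth_address(r, PV, PS, i) equals scan_output(pV, R, PS, i) while a different index or a wrong view key gives an unrelated point; build input and output commitments whose blinding factors sum to the same value and watch balances() accept them only when the amounts match; and sign the same message twice with one ring member to see that the key image I in both signatures is identical, which is exactly what lets a node reject a second spend of the same output.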
Because of Monero's surveillance-evading properties, it risks being targeted by oppressive governments through measures such as IP address blocking, much like the Tor network. For this reason, an integration with I2P was planned in the past; however, the project has not been completed yet and may be dropped. I2P, like Tor, provides anonymous access to hidden services, but its focus lies on those hidden services: traffic entering I2P is meant to stay inside the network, and it is not intended to run exit nodes.
Monero's privacy features are impressive and an indication of the talent involved in the project. It remains to be seen whether Monero can be scaled up for more widespread adoption. Centralized exchanges are increasingly under pressure to delist the coin from their marketplaces due to its popularity in circles that governments do not condone. The advent of a next generation of more performant and cost-effective decentralized exchanges is likely to alleviate this availability issue, but Monero may still lose some adoption among more casual cryptocurrency users in the medium term.