Monero is the most popular privacy-focused cryptocurrency available today. It stands for security, privacy, and decentralization. Monero’s ambitious privacy claims are often met with surprise by newcomers, followed by a questioning of how the seemingly magic privacy features are achieved. This article takes a look at Monero’s remarkable combination of privacy features and some of their implementations.

Monero

This article assumes basic knowledge on blockchain technologies and how they are used by cryptocurrencies. Marc Ruef introduced the Blockchain technology in the article Blockchain is the future.

Stealth Addresses

When preparing a transaction, the sender wallet will not generate outputs for the public address of the recipient. In order to hide the recipient on the blockchain, the sender derives a one-time, disposable stealth address from the recipient’s public address. The stealth-address cannot be linked back to the recipient’s public address. Multiple transactions for the same public address will all point to different, unlinkable stealth addresses. Another benefit is that funds are distributed across multiple stealth addresses and therefore even more difficult to track when inputs are pulled from multiple addresses. Monero uses 2 key pairs: View and spend keys. A public Monero address is made up of the public view key and the public spend key. Both keys are used when deriving the stealth address As:

As = Hs(r * PV | i) * G + PS

r is the sender’s transaction private key, PV is the recipient’s public view key and i is the output index. Hs is a hashing function which returns a scalar using the Keccak-256 hashing algorithm. G is the prime ED25519 basepoint. PS is the public spend key.

To register that funds were received, the recipient needs to scan every transaction and calculate the stealth address using his private view key and the public transaction key from the transaction currently being examined. The formula is simply:

As = Hs(R * pV | i) * G + PS

Where R is the transaction public key and pV is the recipients private view key.

Ring Confidential Transactions

Ring Confidential Transactions (RingCT) hide the transaction amount. This of course opens up some questions, such as how overspending is prevented if both the inputs and outputs of funds are hidden from everyone other than sender and recipient. One way to ensure that Monero is not created or destroyed, is to check if inputs and outputs of a transaction are the same. How are inputs and output compared if they are hidden? This is accomplished with Homomorphic Pederson Commitments, which have the following properties:

• Once a commitment is made, the content cannot be changed
• A commitment does not disclose the source value
• Meaningful computations can be performed on the derivative

The transaction value is enclosed in a Pedersen Commitment, allowing the volume of transaction inputs and outputs to be compared without disclosing the transaction value. The math behind Pederson Commitments is significant and will not be included here. More information on the math can be found in the article Confidential Transactions from Basic Principles.

Ring Signatures

After hiding transaction recipients and amounts, the only thing left to anonymize are the transaction initiators. Here, Ring Signatures come into play. Ring Signatures authorize transactions in Monero. A Ring Signature allows a participant of a group to sign content on behalf of the group. The signature cannot be traced back to the signer, and there is no indication, which one of the group members created the signature. A public key of any group member will reveal a valid signature, if the signature was made by a group member. In Monero, this concept is used to add decoy public keys from the blockchain to the transaction. Only the funds from the true signer who contributed the private key will be used as transaction input, however this cannot be determined by outside observers.

Each Ring Signature includes a key image. A key image is derived from the transaction output and is used to detect double spending. If an output is spent more than once, the same key image would be generated and the network would reject the transaction.

Invisible Internet Project

Because of Monero’s surveillance evading properties, it is at risk of being targeted by oppressive governments through measures such as IP address blocking, similar to the Tor network for example. For this reason, an integration with I2P was planned in the past, however the project hasn’t been completed yet and may be dropped. I2P provides anonymous access to hidden services in a similar fashion to Tor, but its focus lies on hidden services. All traffic entering I2P should be contained and it is not intended to run exit nodes.

Conclusion

Monero’s privacy features are impressive and an indication of the talent involved in the project. It remains to be seen if Monero is able to be scaled up for more widespread adoption. Centralized exchanges are increasingly under pressure to de-list the coin from their marketplaces due to its popularity in non-government condoned circles. The advent of a next generation of more performant and cost effective decentralized exchanges is likely to alleviate this availability issue, however this may cause Monero to lose some adoption with more casual cryptocurrency users in the midterm.

About the Author

Ahmet Hrnjadovic is working in cybersecurity since 2017. There he is focused in topics like Linux, secure development and web application security testing. (ORCID 0000-0003-1320-8655)

Links

• https://cryptoservices.github.io/cryptography/2017/07/21/Sigs.html
• https://geti2p.net/en/