Monero (XMR) is, alongside ZCoin, one of the most widely used privacy-focused coins. Lately, it seems to be gaining traction among people who want to send funds with cryptocurrency while staying under the radar. Among other things, it is often recommended on dark web forums as an alternative to Bitcoin mixers, and it was used by the WannaCry authors to launder funds.
This article aims to give a relatively high-level overview of how Monero works and of the mechanisms that allow it to be more anonymous than Bitcoin and other currencies. We will not go into the mathematical and mining details, and while the article stays relatively high level, it assumes that you are at least a bit familiar with Bitcoin.
Launched in April 2014, Monero is based on a fork of Bytecoin (yes, Bytecoin, not Bitcoin), but it started from its own genesis block (i.e., the XMR ledger does not contain Bytecoin transactions). It is based on Proof of Work, but unlike Bitcoin, the algorithm is CPU friendly, which makes mining a bit more accessible to everyone. The coin supply is infinite: it will reach about 18 million coins by May 2022, after which 0.6 XMR will be generated per block (vs about 1.5 now). A block takes two minutes on average to mine and does not have any fixed maximum size.
Addresses and Keys
First things first: to transact with Monero, we will need an address. With most other cryptocurrencies, creating an address gives us one public/private key pair. With Monero, things are a bit more complicated, as four keys (two pairs) are generated:
- The public view key is the second half of the Monero address. It is used by people wishing to send us funds.
- The private view key allows scanning the ledger to find the transactions people are sending us. This key can be shared, but anyone holding it will be able to see our transactions.
- The public spend key is the first half of the Monero address. It is used in the ring phase (more details later).
- The private spend key is what we use to sign the transactions we make. This key must never be shared.
Executing a Transaction
Now that we have our keys, we can start receiving funds. Let's say Bob owes us money and is going to repay us using Monero. The following will happen:
- We give our address to Bob.
- Bob uses our public view and spend keys to create a one-time (stealth) address to which he sends the funds. This address ensures that our real address never appears in the ledger, making it impossible for an observer to know how many funds we are holding.
- Bob then creates the transaction. This is where the ring signature comes into action. Bob takes 10 (protocol requirement) outputs (or mixins) from other transactions in the ledger and uses them as decoy inputs alongside the real input from which the funds are sent. This prevents any third party from knowing which input is the real source of the funds. Ring CT (Ring Confidential Transactions) is also used to hide the amount sent in the transaction.
- Using our private view key, we scan the blockchain for transactions sent to us, find the one-time address generated by Bob, and therefore the payment. We can then spend these funds using our private spend key.
When this is over, there is privacy for both Bob and us:
- Bob can't see how many funds we are holding, because he only knows the one-time address he created, and he can't scan the ledger to find our other addresses since he doesn't have our private view key.
- We can't know for sure where Bob is sending the funds from, because there are multiple inputs and we can't be sure which one is Bob's.
- Bob won't be able to know when we spend the funds, or where. The reason is that the one-time output he created can also be picked as a mixin in other users' ring signatures, so its appearance in a ring does not mean we spent it.
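The stealth-address part of the exchange above (Bob deriving a one-time key from our public view and spend keys, and us scanning for it with the private view key, which Bob or anyone without that key cannot do), as an added example that is not part of the original article or of Monero's own code. It implements ed25519 arithmetic from scratch in affine coordinates; SHA3-256 stands in for Monero's Keccak-256, points are serialized by their y coordinate only, and the `stealth_address` / `owns_output` names and the output index argument are this example's own simplifications.

```python
import hashlib

P = 2**255 - 19                                       # ed25519 field prime
L = 2**252 + 27742317777372353535851937790883648493     # order of the base point
D = (-121665 * pow(121666, -1, P)) % P                  # curve constant d

def add(a, b):
    """Affine point addition on the twisted Edwards curve -x^2 + y^2 = 1 + d*x^2*y^2."""
    (x1, y1), (x2, y2) = a, b
    t = D * x1 * x2 * y1 * y2
    return ((x1 * y2 + x2 * y1) * pow((1 + t) % P, -1, P) % P,
            (y1 * y2 + x1 * x2) * pow((1 - t) % P, -1, P) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication; (0, 1) is the identity element."""
    r = (0, 1)
    while k:
        if k & 1:
            r = add(r, pt)
        pt, k = add(pt, pt), k >> 1
    return r

def from_y(y):
    """Recover a curve point from its y coordinate (either sign of x is fine here)."""
    x2 = (y * y - 1) * pow((D * y * y + 1) % P, -1, P) % P
    x = pow(x2, (P + 3) // 8, P)
    if x * x % P != x2:
        x = x * pow(2, (P - 1) // 4, P) % P
    assert x * x % P == x2, "y is not on the curve"
    return (x, y)

G = from_y(4 * pow(5, -1, P) % P)                       # standard base point, y = 4/5

def hash_to_scalar(pt, index):
    """Hs(point || output index). Assumption: SHA3-256 replaces Keccak-256, y-only encoding."""
    data = pt[1].to_bytes(32, "little") + index.to_bytes(4, "little")
    return int.from_bytes(hashlib.sha3_256(data).digest(), "little") % L

def stealth_address(view_pub, spend_pub, tx_priv, index=0):
    """Sender (Bob): one-time key P = Hs(r*A || i)*G + B, published with R = r*G."""
    shared = mul(tx_priv, view_pub)                     # r*A, only Bob and we can compute it
    return add(mul(hash_to_scalar(shared, index), G), spend_pub), mul(tx_priv, G)

def owns_output(view_priv, spend_pub, one_time_key, tx_pub, index=0):
    """Receiver scan: with private view key a, check Hs(a*R || i)*G + B == P."""
    shared = mul(view_priv, tx_pub)                     # a*R == r*A, the same shared point
    return add(mul(hash_to_scalar(shared, index), G), spend_pub) == one_time_key
```

Private keys here are plain scalars and the matching public keys are `mul(priv, G)`; a wallet would also need the private spend key to actually spend the detected output, which this snippet does not cover.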
Some More Details
Ring Signature and Ring CT
If you've read everything this far, you will probably be asking yourself: "If the amounts sent are hidden, and if we can't know which input is the origin of the funds, then how can the miners know whether the transaction is valid?"
To solve this, two cryptographic constructs are generated for each transaction:
- The Key Image is a public key generated for the transaction. It confirms that one input of the transaction is valid, without revealing which one, and therefore prevents double spends.
- A Pedersen Commitment tells the network that the sum of the input values equals the sum of the output values, and that the transaction is therefore valid.
Inputs and Outputs
Like Bitcoin, Monero requires all the inputs of a transaction to be spent in full, which requires the creation of change addresses. It also allows paying multiple outputs and spending multiple inputs.
For each real input we use in a transaction, there will be a ring signature. Therefore, each ring always contains at least ten decoy outputs and one real one.
Source and Interesting Resources
Here is a list of the sources I used when writing this article, as well as some interesting resources. Some also offer more detail on topics such as ring signatures, so if you're interested in that, you should check them out.
- A low-level explanation of the mechanics of Monero vs Bitcoin in plain English
- Understanding Monero Cryptography, Privacy -- Introduction
- Understanding Monero Cryptography, Privacy Part 2 -- Stealth Addresses
- Cryptonote protocol Whitepaper
- Breaking Monero 06: Unusual Ringsize
- Zcash VS Monero: Comparative Privacy Coin Guide
- Monero Documentation
- What is Monero? (XMR)
- Stack Exchange: What is a key image?
- Introduction to Monero and how it’s different
- Stack Exchange: Monero terminologies
- Addresses Generation and Checking Tool
- Transaction Checker Tool