Monero Part 1: Key Concepts

Key concepts for understanding Monero

Introduction

This article is an overview of key concepts in Monero. It assumes basic knowledge of blockchain properties and some other nerd stuff. Here’s an article I wrote on Bitcoin that might help. Also, here is a part 2 which is all about how Monero works; you can read that and use this one as a reference if you’d like.

Elliptic Curve Cryptography (ECC) Primer

Privacy is Monero’s “thing,” and to understand Monero it’s very important to understand how it achieves this privacy. To that end, here’s a short primer on ECC so you can be ready for the other concepts to come.

[Image] Pretty much this entire section, including this image, is ripped from here
  1. They cannot be multiplied/divided with each other.
  • Order (l): The order of the base point is the maximum number of points we can use in the curve. That is, if you “scalar multiplied” G l - 1 times, you’d wind up back at G.
[Image] Here
[Image] From here again
[Image] Repeated dotting
  1. Choosing a private key S (just a scalar value) and generating the public key P by dotting G S times.

Stealth Addresses

Diffie-Hellman-Merkle Key Exchange

The next cryptographic algorithm I’m going to discuss before we get to fancier Monero stuff is the widely used Diffie-Hellman-Merkle (DHM) key exchange protocol, which enables two users to create a shared secret key (for symmetric cryptography) over a public channel. It is what enables stealth addresses, which Monero uses to hide the receivers of transactions.

Stealth Addressing for Unlinkability

Ok. Now that those are out of the way, let’s get to Monero.

Ring Signatures

Ring Signatures for Untraceability

Monero uses ring signatures to achieve untraceability: anonymizing transaction senders. A ring signature is a type of digital signature that is performed by a member of a group of users (or rather, a group of keys). By grouping keys together to sign, the identity of the sender of a transaction is hidden; to any onlookers the true signer could equiprobably be any member of the group (aka the “ring”).

[Image] Fig. 6 from the Cryptonote whitepaper

Commitment Schemes

Monero ring signatures are actually a little more complicated than what’s described in the previous section, because they also allow the transaction value to be masked. Before we get into that, though, we need to make sure we understand commitment schemes.

Pedersen Commitment

To be more specific, Monero uses a commitment scheme known as a Pedersen Commitment. In addition to hiding transaction input and output values (i.e. “committing” but not “revealing”), Pedersen commitments have the added property of allowing observers to verify that the sum of the input commitments equals the sum of the output commitments, without revealing the value of these sums. In this way, Monero users can still be sure that no Monero is being created out of thin air.
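As an added example (not code from the original article), the Python below implements three things from this page on Ed25519, the curve Monero actually uses: the primer’s public key P = S·G via mul(S, G), the DHM-based stealth address from the Stealth Addresses section (sender computes P = H_s(rA)G + B, recipient recovers the matching secret key), and the Pedersen commitment balance check from this section. Assumptions: SHA-512 stands in for Monero’s Keccak-based hash-to-scalar, the output index is omitted from the stealth hash, and the second generator H is built as a known multiple of G for brevity, which real Monero avoids by hashing G to a point.

```python
from functools import reduce
import hashlib
p = 2**255 - 19  # Ed25519 field prime; Ed25519 is the curve Monero uses
l = 2**252 + 27742317777372353535851937790883648493  # order of base point G
d = -121665 * pow(121666, -1, p) % p
def recover_x(y):
    """Decompress a point: the even x with -x^2 + y^2 = 1 + d*x^2*y^2."""
    xx = (y * y - 1) * pow(d * y * y + 1, -1, p) % p
    x = pow(xx, (p + 3) // 8, p)
    x = x * pow(2, (p - 1) // 4, p) % p if (x * x - xx) % p else x  # times sqrt(-1)
    return p - x if x & 1 else x
O = (0, 1)                                                     # identity element
G = (recover_x(4 * pow(5, -1, p) % p), 4 * pow(5, -1, p) % p)  # base point, y = 4/5

def add(P, Q):
    """Point addition: the primer's 'dotting' of two points."""
    (x1, y1), (x2, y2) = P, Q
    t = d * x1 * x2 * y1 * y2 % p
    return ((x1 * y2 + y1 * x2) * pow(1 + t, -1, p) % p,
            (y1 * y2 + x1 * x2) * pow(1 - t, -1, p) % p)

def mul(k, P):
    """Scalar multiplication (dot P k times); a public key is mul(S, G)."""
    R = O
    while k:
        if k & 1: R = add(R, P)
        P, k = add(P, P), k >> 1
    return R

def hash_to_scalar(*points):
    """H_s: hash points to a scalar. ASSUMPTION: SHA-512 stands in for Monero's Keccak."""
    data = b"".join(x.to_bytes(32, "little") + y.to_bytes(32, "little") for x, y in points)
    return int.from_bytes(hashlib.sha512(data).digest(), "little") % l

def stealth_address(r, A, B):
    """Sender: DHM secret rA gives one-time key P = H_s(rA)G + B; publish R = rG."""
    return add(mul(hash_to_scalar(mul(r, A)), G), B), mul(r, G)

def output_secret_key(a, b, R):
    """Recipient: aR == rA, so x = H_s(aR) + b satisfies xG == P; only they can spend it."""
    return (hash_to_scalar(mul(a, R)) + b) % l
# ASSUMPTION: toy second generator. Monero hashes G to a point so nobody knows log_G(H);
# a known multiple like this one would let a prover open a commitment to any amount.
H = mul(hash_to_scalar(G), G)
def commit(amount, blinding):
    """Pedersen commitment C = xG + aH: hides the amount a but binds the committer to it."""
    return add(mul(blinding, G), mul(amount, H))
def balanced(ins, outs):
    """Sum of input commitments == sum of output commitments: no coins created."""
    return reduce(add, ins, O) == reduce(add, outs, O)
```

Balance only holds when the amounts and the blinding factors both sum to the same totals on each side, which is why the sender must pick output blindings that add up to the input blinding.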

Multilayered Linkable Spontaneous Anonymous Group Signatures

Ring signatures on Monero are actually a little more complicated than I let on earlier. Instead of the basic ring signature I described in the previous section, Monero uses an improved version called multilayered linkable spontaneous anonymous group signatures, conveniently abbreviated as MLSAGs. They were introduced along with the Ring CT protocol, which I will get to later.

Ring CT: Hiding Transaction Amounts

In addition to masking transaction senders and receivers, the transaction amounts are also hidden in Monero through the use of “Ring CT,” which stands for “Ring Confidential Transactions.” This is important for a few reasons:

  1. Forming a ring signature for a transaction with input amount A would require the sender to find other public keys with that same amount A. For uncommon amounts this may be difficult, and the potential anonymity may be smaller than desired.

RingCT Transaction Types

RingCT has 3 transaction types: null, full, and simple.

Project Kovri

Project Kovri is yet another privacy feature offered by Monero (well, to be offered; it’s still in alpha). It will prevent Monero users from being identified as Monero users by anyone looking at their internet traffic.

  • Onion routing is where messages are encrypted with several layers of encryption (like layers of an onion). Routers known as onion routers each peel off a layer to uncover the data’s next destination. Thus, each node only knows the identities of the nodes immediately preceding/following it, and the IP addresses of peers are kept hidden from one another.
[Image] Onion routing

Key Images

All these privacy features are fine and dandy, but they don’t handle one of the fundamental issues faced by cryptocurrencies: how to prevent double-spending. That’s where key images come in.

[Image] Fig 7 from the whitepaper: ring signature generation in a Monero transaction

CryptoNote

CryptoNote is the application layer protocol that powers Monero, along with a number of other privacy-oriented cryptocurrencies. While Monero was based on the CryptoNote protocol, it has diverged in a number of ways over the past few years (for example, Ring CT). It’s good to know what CryptoNote is, though, and to not confuse it with CryptoNight, which is the proof-of-work algorithm used by Monero and CryptoNote.

Conclusion

That’s it for key concepts in Monero. Hopefully that’s enough for you to join a conversation or read my part 2.