Cryptoasset Research: Monero (XMR)
The origins of Monero date back to the CryptoNote white paper that was published in 2012 by a pseudonymous author by the name of Nicolas van Saberhagen. The first implementation of the protocol was Bytecoin, but after the controversy surrounding the timeline of launch as well as a pre-mine it was forked to Bitmonero, which shortly after was forked again into Monero.
Similar to Bitcoin, Monero seeks to be a distributed, censorship-resistant digital cash. However, Monero tries to improve on what are seen as core issues in Bitcoin, mainly the lack of privacy and fungibility. While Bitcoin transactions are pseudonymous, meaning that in theory you can transact without anyone knowing your identity, the public ledger allows anyone in the world to see your account balance along with all inbound and outbound transactions. If you buy Bitcoin using fiat currency, then your identity becomes linked to that address and your financial privacy is lost.
Even if you are not engaging in nefarious activities, there are obvious reasons why this is undesirable, just as you would not wish to show your bank account statements to the entire world. Moreover, if enterprises are to one day transact using cryptocurrencies, then they would most certainly need more privacy so that competitors cannot see how they operate financially. The other issue, fungibility, becomes a problem when a bitcoin is used for illegal purposes and then makes its way into an honest person’s wallet. Because the coin is easily traceable, it is known where that “tainted” bitcoin came from, and people can refuse to accept it, potentially forcing the honest person to sell it at a discount.
While Monero has the same Unspent Transaction Output (UTXO) structure as Bitcoin, blocks are created, packaged, and broadcast in a different manner to enhance privacy and fungibility. Rather than a strict block size limit, Monero opts for a more dynamic system whereby there is a maximum block size of twice the median size of the last 100 blocks. To ensure miners aren’t constantly increasing the block size there is a penalty for mining a block greater than 300mb.
Penalty = BaseReward*[(BlockSize/median)-1]²
In the short term, if the marginal benefit (transaction fee) is greater than the marginal penalty, then miners will include the extra transaction above the median size. In situations of high on-chain volume when blocks are full, there is an added incentive of 0.013 XMR for miners to add more transactions per block, with the goal of easing network congestion. Another key feature of Monero is its supply curve, which provides an indefinite inflation schedule to incentivize miners to secure the network into perpetuity. Once the supply hits 18.132 million XMR, there will be a fixed 0.6 XMR released every 2 minutes to continue to incentivize miners to secure the network.
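The penalty formula above and the marginal decision a miner faces are easy to get wrong in the abstract, so here is a small worked model. This is an added example, not code from the Monero project: it takes the formula exactly as stated above (a penalty only above the median, and a hard limit at twice the median of the last 100 blocks), and the block sizes and the 2 XMR base reward in the demo are constructed illustrative values, not current network parameters.

```python
import statistics

def effective_median(recent_block_sizes, window=100):
    """Median size of the last `window` blocks; the text uses a 100-block window."""
    return statistics.median(recent_block_sizes[-window:])

def block_penalty(base_reward, block_size, median):
    """Penalty = BaseReward * [(BlockSize / median) - 1]^2, charged only above the
    median. A block larger than twice the median exceeds the dynamic limit and is
    invalid, which is signalled with None rather than a penalty value."""
    if block_size > 2 * median:
        return None
    if block_size <= median:
        return 0.0
    return base_reward * ((block_size / median) - 1) ** 2

def marginal_penalty(base_reward, block_size, tx_size, median):
    """Extra penalty a miner pays for appending one more transaction of tx_size."""
    after = block_penalty(base_reward, block_size + tx_size, median)
    if after is None:
        return None
    return after - block_penalty(base_reward, block_size, median)

def should_include(base_reward, block_size, tx_size, tx_fee, median):
    """The short-term rule from the text: include the transaction only when its fee
    exceeds the marginal penalty, and never when it would breach the 2x limit."""
    extra = marginal_penalty(base_reward, block_size, tx_size, median)
    return extra is not None and tx_fee > extra

if __name__ == "__main__":
    # Constructed sample: 100 recent blocks of 100 kB and a 2 XMR base reward
    median = effective_median([100_000] * 100)
    for size in (100_000, 120_000, 150_000, 200_000, 200_001):
        print(size, block_penalty(2.0, size, median))
    # A 50 kB transaction on a median-sized block costs 0.5 XMR of penalty here,
    # so a 0.6 XMR fee is worth including and a 0.4 XMR fee is not.
    print(should_include(2.0, 100_000, 50_000, 0.6, median))
```

Note that the penalty is quadratic: the first bytes above the median are nearly free, so the block size can creep upward under sustained fee pressure, while the 2x limit caps how far it can move between windows.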
This runs contrary to Bitcoin’s hard cap of 21 million, which could pose an existential threat to the network once the cap is hit and honest miners get priced out when transaction fees fail to provide adequate revenue in an increasingly competitive market. While the 21 million cap won’t be reached until around 2140, you can see that the cap is effectively hit around the year 2035, while Monero continues to reward miners indefinitely.
Proof of Work Algorithm
Monero uses effectively the same Sybil resistance mechanism as Bitcoin, Proof of Work (PoW), as well as the longest chain rule for determining consensus. However, Monero uses the memory-hard CryptoNight algorithm, which deliberately makes optimization more difficult to prevent specialized ASICs from controlling the majority of hash power. This is done by filling a segment of cache with random data corresponding to memory addresses, then hashing the resulting block after reading and writing to those addresses. Distributing the data across multiple caches prevents specialized ASICs from having the type of advantage they achieve in Bitcoin’s SHA-256. While ASICs increase the hash power and thus the security of the network, they typically lead to centralization in two forms:
- Manufacturing: Only a few companies produce ASICs
- Mining: A few large mining farms tend to use ASICs on a large scale
This centralization has the potential to allow attackers or governments to exert power over the network, as these companies constitute a single point of failure. It is to be noted that while CryptoNight was created to be ASIC-resistant, there has still been evidence of mining optimization. This is demonstrated by observing the graph below, where the hash rate rose precipitously in late 2017 and early 2018. However, once discovered, the community proactively took steps to tweak the algorithm slightly to nullify the advantage ASICs had over GPU/CPU miners. As you can see, after the implementation the hash rate dropped, demonstrating that the obsolete ASICs were no longer mining on Monero.
Monero uses a variety of cryptographic techniques designed to obfuscate both the transacting parties and any other information in the transaction. When you receive a transaction, the address you share is not stored on the blockchain thanks to stealth addresses, which provide a one-time destination for outputs and prevent address reuse. Every wallet includes both a public view key and a public spend key, which are mathematically derived from your seed using elliptic curve cryptography. If a party wants to send you XMR, they use the public keys along with some random data to create a unique one-time key. This makes it impossible to link multiple payments to the same address.
Ring signatures are a feature designed to protect the sender’s identity by mixing the public keys of a group to give any member plausible deniability that they were the one to send the transaction. Each party in the group has an equally probable chance of being the authentic signer, so as the ring size increases, the probability of any one member being the real signer decreases. This does present a problem, however, as it becomes impossible to verify whether an output has been spent twice, something that is trivial in transparent blockchains. This issue is solved via key images, which are created with each signature and derived from the output being spent. It is still impossible to tell which output created the key image, but if a user tried to spend the same output twice the network would recognize the second as a fraudulent transaction, since it would generate the same key image.
While stealth addresses hide the recipient’s identity and ring signatures protect the sender’s identity, Ring Confidential Transactions (RingCT) obscure the amount of XMR being sent in a transaction. This is done using what are called Pedersen commitments, where the sender encrypts the values using a shared key such that the receiver can then decrypt using the same key as well as their private view key. Miners are then able to confirm the input commitments match the outputs without having to know the exact values. An important mechanism of RingCT is range proofs, which create a range greater than zero in which outputs can be sent. This prevents someone from starting with 1 XMR and attempting to create two outputs of 2 XMR and -1 XMR, effectively creating XMR out of thin air. Range proofs scale linearly in size with the number of outputs and the number of bits in the range, making them the majority of a transaction’s size.
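The stealth address derivation described two paragraphs up and the commitment balance check described here share the same curve arithmetic, so both are shown in one added example below. This is illustrative code written for this page, not Monero’s implementation, and it makes several simplifications that are labelled in the comments: a minimal affine ed25519 implementation in pure Python; hashlib’s SHA3-256 standing in for the Keccak-256 that Monero actually uses for H_s; the one-time key derived as P = H_s(rA)·G + B without the cofactor and output index Monero adds; and a second generator H built as a known multiple of G, which is acceptable only in a demo (Monero derives H by hashing to a point precisely so that nobody knows log_G(H), which is what makes the commitments binding). The last part of the example shows the failure mode the text describes: a negative amount passes the balance check, which is why range proofs exist.

```python
import hashlib
import secrets

# --- minimal ed25519 group arithmetic (affine twisted Edwards, a = -1) ---
Q = 2**255 - 19                                          # field prime
L = 2**252 + 27742317777372353535851937790883648493      # order of the base point
D = (-121665 * pow(121666, -1, Q)) % Q
SQRT_M1 = pow(2, (Q - 1) // 4, Q)                        # sqrt(-1) mod Q
IDENTITY = (0, 1)

def _xrecover(y):
    """Recover the even x for a given y (same rule the ed25519 reference code uses)."""
    xx = (y * y - 1) * pow(D * y * y + 1, -1, Q)
    x = pow(xx, (Q + 3) // 8, Q)
    if (x * x - xx) % Q:
        x = (x * SQRT_M1) % Q
    return Q - x if x % 2 else x

GY = (4 * pow(5, -1, Q)) % Q
G = (_xrecover(GY), GY)                                  # standard base point

def add(P1, P2):
    (x1, y1), (x2, y2) = P1, P2
    k = D * x1 * x2 * y1 * y2
    return ((x1 * y2 + x2 * y1) * pow(1 + k, -1, Q) % Q,
            (y1 * y2 + x1 * x2) * pow(1 - k, -1, Q) % Q)

def neg(P):
    return ((Q - P[0]) % Q, P[1])

def mul(k, P):
    """Double-and-add scalar multiplication."""
    R = IDENTITY
    while k:
        if k & 1:
            R = add(R, P)
        P, k = add(P, P), k >> 1
    return R

def encode(P):
    return (P[1] | ((P[0] & 1) << 255)).to_bytes(32, "little")

def hash_to_scalar(data):
    # Stand-in for Monero's H_s: Monero uses Keccak-256, hashlib only offers SHA3-256.
    return int.from_bytes(hashlib.sha3_256(data).digest(), "little") % L

def rand_scalar():
    return secrets.randbelow(L - 1) + 1

# --- stealth addresses: one-time output key P = H_s(rA)G + B, tx public key R = rG ---
class Wallet:
    def __init__(self):
        self.a, self.b = rand_scalar(), rand_scalar()    # private view / spend keys
        self.A, self.B = mul(self.a, G), mul(self.b, G)  # public view / spend keys

    def scan(self, R, P):
        """Return the one-time spend key if output P belongs to this wallet, else None."""
        shared = hash_to_scalar(encode(mul(self.a, R)))  # aR == rA, only a and r know it
        if add(mul(shared, G), self.B) == P:
            return (shared + self.b) % L
        return None

def make_output(A, B):
    """Sender side: a fresh r yields a P that no observer can link back to (A, B)."""
    r = rand_scalar()
    shared = hash_to_scalar(encode(mul(r, A)))
    return mul(r, G), add(mul(shared, G), B)

# --- Pedersen commitments C = xG + aH and the RingCT balance check ---
# Constructed second generator for the demo only: log_G(H) is known here, whereas
# Monero derives H by hashing to a point so that nobody knows it.
H = mul(hash_to_scalar(b"demo-H"), G)

def commit(blinding, amount):
    return add(mul(blinding, G), mul(amount % L, H))

def balances(in_commits, out_commits, fee, blinding_diff):
    """Verifier check: sum(C_in) - sum(C_out) - fee*H must equal (sum x_in - sum x_out)G.
    Amounts cancel only if inputs equal outputs plus fee; the verifier never sees them."""
    total = IDENTITY
    for C in in_commits:
        total = add(total, C)
    for C in out_commits:
        total = add(total, neg(C))
    total = add(total, neg(mul(fee % L, H)))
    return total == mul(blinding_diff % L, G)
```

Scanning is what makes a view key useful: anyone holding a (but not b) can run Wallet.scan to recognise incoming outputs without being able to spend them. The balance check passes for inputs of 1 and outputs of 2 and -1, because -1 mod L is just another scalar; that is the “XMR out of thin air” case, and a range proof on each output commitment is the only thing that rules it out.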
An improvement on range proofs that was released in October 2018 is Bulletproofs. Developed by Bünz et al., bulletproofs are “a non-interactive zero-knowledge proof protocol with very short proofs and without a trusted setup…Bulletproofs are especially well suited for efficient range proofs on committed values.” Before bulletproofs, a typical two-output transaction was around 13.2 kB, while single-output bulletproof transactions are around 2.5 kB. The smaller transaction size resulted in a decrease in transaction fees of around 95%. Further, the time to verify a bulletproof is lower, resulting in faster blockchain validation.
The last piece of privacy needing to be concealed is the physical location of the sender, which is trackable through their IP address. While their identity and transaction data are unknown, true privacy is not attained if it is possible to track down a user’s location. Luckily, there is a project called Kovri that can be implemented to make Monero compatible with the Invisible Internet Protocol (I2P), designed to obscure transmission sources using sophisticated routing techniques to create a private network. This network is spread across the internet, whereby messages sent cannot be connected to their originating IP addresses. I2P nodes operate on a volunteer basis and pass encrypted data throughout the network, breaking the link between where a message came from and its end destination.
Monero lacks a hard governance structure for growth and development, instead opting for sovereign-grade censorship resistance over a rapidly innovating protocol. This is due to its fragmented structure, absent any hierarchical decision makers, which creates a system where progress is slow due to internal conflict. The Monero Core Development Team is the primary group tasked with overseeing governance, and according to a Core Team Announcement, their goal is to:
- Act as primary trusted arbiters of the Forum Funding System on behalf of the community, so as to ensure the completion of all projects to the satisfaction of the community
- Manage the codebase of the Monero Project, which includes merging code on Github, keeping backups, and ensuring the safety, security, and free access of the code from any party
- Steward the general donation fund, and spending the Monero on anything they see fit to further the Monero Project
- Act as trusted signers and distributors of reference clients for the Monero coin, and other related technologies
- Set a direction and vision for the Monero project
It should be stressed that the Core Team is not a centralized point of failure, and the network would continue to run in their absence. Problems arise when there is conflict over the direction and vision the Core Team sets, and this is exemplified in the recent hard fork in April 2018. As shown in the prior hash rate graph, evidence of ASIC usage was apparent, which led to an alteration of the CryptoNight hash function. The Core Team spearheaded this response, as they have been vocal about their stance to resist ASICs. To some, this demonstrated centralization concerns, as a small group of developers were able to make significant impacts to the network. However, it shouldn’t be a surprise, as the Core Team has held egalitarian mining as a core tenet and promised to actively fight against ASIC usage.
Monero is currently competing with other privacy-centric cryptoassets to occupy that niche in the space. Given the network effects of cryptoassets, the outcome will most likely be a winner-take-all scenario or close to it, as an increased user base and liquidity increase functionality. Since these are scarce assets, this will result in an increase in the asset’s price, and thus miners are more incentivized to secure the network. As the community grows, more developers will flock to the network, creating a constantly self-reinforcing improvement mechanism.
Right now, the biggest competitor to Monero is Zcash, which offers strong privacy features through its use of zk-SNARKs. While Monero uses encryption schemes to protect the data of a transaction, Zcash avoids this problem by simply not including any sensitive data in the transaction itself. Zero-knowledge proofs allow the sender to mathematically prove they have knowledge of this sensitive data without actually having to reveal it. In theory, this is a stronger privacy feature than Monero’s; however, private transactions are not the default in Zcash, while they are in Monero.
Since shielded transactions are more expensive and take longer to propagate through the network, most users do not opt for privacy. This diminishes the total privacy of the network, as it becomes possible to learn information about private transactions by analyzing the public data. A University College London study analyzed Zcash’s privacy guarantees and concluded that “most users are not taking advantage of the main privacy features of Zcash at all. Furthermore, the participants who do engage with the shielded pool do so in a way that is identifiable, which has the effect of significantly eroding the anonymity of other users by shrinking the overall anonymity set.”
Another facet in which these protocols diverge is governance. As mentioned prior, Monero seeks to maintain a distributed structure, absent any true leadership, where upgrades are slow to enact because community consensus is sought. Zcash, on the other hand, exhibits a more centralized structure, with the Zcash Company making most of the decisions surrounding updates to the protocol. While this allows for more rapid innovation, it comes at the cost of the users’ influence in the network. In addition, Zcash levies a 10% tax on its miners that goes to stakeholders in the Zcash Company. This could disincentivize miners from securing the network, as they could easily provide hash power to a network that does not include this tax.
In 2016, another pseudonymous author released a whitepaper on a protocol called MimbleWimble. Currently there are two implementations of it, Grin and Beam, which are in their early stages and seek to have a fair launch to rival that of Bitcoin. Mimblewimble combines confidential transactions and CoinJoin in order to eliminate traditional public keys, private keys and addresses while keeping only inputs and outputs. By taking all transactions that would have been included in a block and outputting a single combined transaction, it becomes impossible to discern the destinations and amounts sent. The truly novel design is that it allows old and new transaction data to be cancelled against each other. This is known as pruning, and it significantly decreases the amount of data new nodes need to store. This new design does come with weaknesses, as the lack of scripts prevents programmability, and wallets must interact to create a transaction since there are no addresses. While in early stages, it appears Mimblewimble protocols will not be able to match the throughput of Bitcoin due to the additional processing required for each block.
Similar to Bitcoin, Grin is being developed pseudonymously and is funded through donations. However, rather than a logarithmic supply schedule, miners will on average mine one grin per second, and that will last indefinitely. This means inflation as a percentage of existing supply will be very high to begin with but will asymptotically approach zero. Grin is expected to launch January 15th. Beam, which launched January 3rd, operates more like the Zcash model, where there is a for-profit entity that receives 20% of the mining reward for the first 5 years; however, it plans on transitioning to a non-profit model over time. These early-stage protocols have garnered a lot of attention since being announced and have the potential to compete with Monero over the long term.
Monero is positioned to capture significant value as it seeks to become the de facto standard for private transactions. This is a large market, as the open nature of most cryptoassets makes them illogical for many enterprise use cases as well as for transactions users don’t want open to the entire world. The innate grassroots, open nature of Monero closely aligns it with the core ethos and value proposition of the overall cryptoasset space, making it likely to win out in the long term over more centrally governed competitors.
Network effects play a crucial role, and as it stands, Monero is one of the oldest projects in existence, with a large user base and corresponding network value. The reflexive nature of these assets will only increase the distance separating leading assets from lesser competitors, as the increased network value strengthens the value proposition as a store of value, further increasing the network value, and so on. While there are many factors at play, including pace of innovation, deployment of capital and adoption rates, that will invariably impact which networks retain value, as it stands now Monero has the best chance of succeeding as a privacy token.