Zero To Monero 1 0 0 PDF
Zero To Monero 1 0 0 PDF
Zero To Monero 1 0 0 PDF
Kurt M. Alonso
[email protected]
Documentation is scarce. Donating allows us to maintain this project as Monero changes and grows
(e.g. bulletproofs), and to assemble new reports (e.g. Kovri). Your support makes a big difference.
Cryptography. It may seem like only mathematicians and computer scientists have
access to this obscure, esoteric, powerful, elegant topic. In fact, many kinds of
cryptography are simple enough that anyone can learn their fundamental concepts.
It might seem at first glance that transactions need to be sent and stored in
plain text format in order to make them publicly verifiable. In fact, it is possible
to conceal participants of transactions, as well as the amounts involved, using
cryptographic tools that nevertheless allow transactions to be verified and agreed
upon by observers [64]. This is exemplified in the cryptocurrency Monero.
We endeavor here to teach anyone who knows basic algebra and simple com-
puter science concepts like the ‘bit representation’ of a number not only how
Monero works at a deep and comprehensive level, but also how useful and beautiful
cryptography can be.
1 Introduction 1
1.1 Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.2 Readership . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.4 Outline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.5 Disclaimer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
2 Basic Concepts 5
iii
2.3.2 Public key cryptography with elliptic curves . . . . . . . . . . . . . . . . . . 12
3 Ring Signatures 20
4 Pedersen Commitments 29
5 Monero Transactions 34
5.3 Subaddresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
iv
5.6.1 Amount commitments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
5.6.2 Commitments to zero . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
5.6.3 Signature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
5.6.4 Transaction fees . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
5.6.5 Avoiding double-spending . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
5.6.6 Space and verification requirements . . . . . . . . . . . . . . . . . . . . . . 45
5.7 Ring Confidential Transactions of type RCTTypeSimple . . . . . . . . . . . . . . . . 46
5.7.1 Amount commitments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
5.7.2 Signature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
5.7.3 Space and verification requirements . . . . . . . . . . . . . . . . . . . . . . 48
5.8 Concept summary: Monero transactions . . . . . . . . . . . . . . . . . . . . . . . . 50
5.8.1 Storage and verification requirements . . . . . . . . . . . . . . . . . . . . . 51
v
Bibliography 66
Appendices 69
C Block Content 80
D Genesis Block 83
vi
CHAPTER 1
Introduction
In the digital realm it is often trivial to make endless copies of information, with equally endless
alterations. For a currency to exist digitally and be widely adopted, its users must believe its supply
is strictly limited. A money recipient must be able to verify they are not receiving counterfeit
coins, or coins that have already been sent to someone else. To accomplish that without requiring
the collaboration of any third party like a central authority, its supply and complete transaction
history must be publicly verifiable.
We can use crytographic tools to allow data registered in an easily accessible database - the
blockchain - to be virtually immutable and unforgeable, with legitimacy that cannot be disputed
by any party.
Cryptocurrencies store transactions in the blockchain, which acts as a public ledger1 of all the
currency operations. Most cryptocurrencies store transactions in clear text, to facilitate verifica-
tion of transactions by the community of users.
Clearly, an open blockchain defies any basic understanding of privacy, since it virtually publi-
cizes the complete transaction histories of its users.
To address the lack of privacy, users of cryptocurrencies such as Bitcoin can obfuscate trans-
actions by using temporary intermediate addresses [50]. However, with appropriate tools it is
possible to analyze flows and to a large extent link true senders with receivers [62, 31, 53].
1
In this context ledger just means a record of all currency creation and exchange events. Specifically, how much
money was transferred in each event and to whom.
1
CHAPTER 1. INTRODUCTION 2
In contrast, the cryptocurrency Monero (Moe-neh-row) attempts to tackle the issue of privacy
by storing only single-use addresses for receipt of funds in the blockchain, and by authenticating
the dispersal of funds in each transaction with ring signatures. With these methods there are no
effective ways to link receivers or trace the origin of funds [7].
Additionally, transaction amounts in the Monero blockchain are concealed behind cryptographic
constructions, rendering currency flows opaque.
1.1 Objectives
Monero is a cryptocurrency of recent creation [63, 10], yet it displays a steady growth in pop-
ularity2 . Unfortunately, there is little comprehensive documentation describing the mechanisms
it uses. Even worse, important parts of its theoretical framework have been published in non
peer-reviewed papers which are incomplete and/or contain errors. For significant parts of the
theoretical framework of Monero, only the source code is reliable as a source of information.
Moreover, for those without a background in mathematics, learning the basics of elliptic curve
cryptography, which Monero uses extensively, can be a haphazard and frustrating endeavor.3
We intend to palliate this situation by introducing the fundamental concepts necessary to under-
stand elliptic curve cryptography, reviewing algorithms and cryptographic schemes, and collecting
in-depth information about Monero’s inner workings.
To provide the best experience for our readers, we have taken care to build a constructive, step-
by-step description of the Monero cryptocurrency.
In the first edition of this report we have centered our attention on version 7 of the Monero
protocol, corresponding to version 0.12.x.x of the Monero software suite. All transaction related
mechanisms described here belong to those versions. Deprecated transaction schemes have not
been explored to any extent, even if they may be partially supported for backward compatibility.
1.2 Readership
We anticipate many readers will encounter this report with little to no understanding of discrete
mathematics, algebraic structures, cryptography, and blockchains. We have tried to be thorough
enough that laymen from all perspectives may learn Monero without needing external research.
2
As of June 14th , 2018, Monero occupies the 14th position as regards market capitalization; see
https://coinmarketcap.com/
3
A previous attempt to explain how Monero works did not elucidate elliptic curve cryptography, was incomplete,
and is now almost four years outdated: [52].
CHAPTER 1. INTRODUCTION 3
The cryptocurrency Monero, originally known as BitMonero, was created in April, 2014 as a
derivative of the proof-of-concept currency CryptoNote [63]. Monero means ‘money’ in the lan-
guage Esperanto, and its plural form is Moneroj (Moe-neh-rowje, similar to Moneros but using
the -ge from orange).
CryptoNote is a cryptocurrency devised by various individuals. A landmark whitepaper describing
it was published under the pseudonym of Nicolas van Saberhagen in October, 2013 [64]. It offered
receiver anonymity through the use of one-time addresses, and sender ambiguity by means of ring
signatures.
Since its inception, Monero has further strengthened its privacy aspects by implementing amount
hiding, as described by Greg Maxwell (among others) in [46] and integrated into ring signatures
based on Shen Noether’s recommendations in [61].
1.4 Outline
As mentioned, our aim is to deliver a self-contained and step-by-step description of the Monero
cryptocurrency. This report has been structured to fulfill this objective, leading the reader through
all parts of the currency’s inner workings.
In our quest for comprehensiveness, we have chosen to present all the basic elements of cryptog-
raphy needed to understand the complexities of Monero, and their mathematical antecedents. In
Chapter 2 we develop essential aspects of elliptic curve cryptography.
Chapter 3 outlines the ring signature algorithms that will be applied to achieve confidential trans-
actions.
In Chapter 4 we introduce the cryptographic mechanisms used to conceal amounts.
With all the components in place, we explain the transaction schemes used in Monero in Chapter
5.
We unfold the Monero blockchain in Chapter 6.
While not essential to the operation of Monero, there is a lot of utility in multisignatures that
allow multiple people to send and receive money collaboratively. Simple multisignatures (N-of-N
CHAPTER 1. INTRODUCTION 4
and (N-1)-of-N, with naive key aggregation) are currently available in the source code. However,
the Monero Research Lab is currently writing a technical paper on the subject, with several
improvements and a security proof ‘in the works’. Readers can find our writeup (subject to change)
on multisignatures here: https://github.com/UkoeHB/Monero-RCT-report, or look forward to
its inclusion in future editions.
Appendices A and B explain the structure of sample transactions from the blockchain. Appendix
C explains the structure of blocks (including block headers and miner transactions) in Monero’s
blockchain, while Appendix D brings our report to a close by explaining the structure of Monero’s
genesis block. These provide a connection between the theoretical elements described in earlier
sections with their real-life implementation.
We use margin notes to indicate where Monero implementation details can be found in the Isn’t this
source code.4 There is usually a file path, such as src/ringct/rctSigs.cpp, and a function, such as useful?
genBorromean(). Note: ‘-’ indicates split text, such as crypto- note → cryptonote.
1.5 Disclaimer
All signature schemes, applications of elliptic curves, and Monero implementation details should
be considered descriptive only. Readers considering serious practical applications (as opposed
to a hobbyist’s explorations) should consult original sources and technical specifications (which
we have cited where possible). Signature schemes need well-vetted security proofs, and Monero
implementation details can be found in Monero’s source code. In particular, as a common saying
goes, ‘don’t roll your own crypto’. Code implementing cryptographic primitives should be well
reviewed by experts, and have a long history of solid performance.
Zero to Monero is an expansion of Kurt Alonso’s master’s thesis ‘Monero - Privacy in the Blockchain’
[24].
4
These margin notes are accurate for version 0.12.x.x of the Monero software suite, but may gradually become
inaccurate as the code base is constantly changing. However, the code is stored in a git repository (https://github.
com/monero-project/monero), so a complete history of changes is available.
CHAPTER 2
Basic Concepts
One focal objective of this report was to collect, review, correct and homogenize all existing
information concerning the inner workings of the Monero cryptocurrency. And, at the same time
supply all the necessary details to present the material in a constructive and single-threaded
manner.
An important instrument to achieve this was to settle for a number of notational conventions.
Among others, we have used:
• lower case letters to denote simple values, integers, strings, bit representations, etc
For items with a special meaning, we have tried to use as much as possible the same symbols
throughout the document. For instance, a curve generator is always denoted by G, its order is l,
private/public keys are denoted whenever possible by k/K respectively, etc.
Beyond that, we have aimed at being conceptual in our presentation of algorithms and schemes.
A reader with a computer science background may feel we have neglected questions like the bit
representation of items, or, in some cases, how to carry out concrete operations. Moreover, students
of mathematics may find we disregarded explanations of abstract algebra.
5
CHAPTER 2. BASIC CONCEPTS 6
However, we don’t see this as a loss. A simple object such as an integer or a string can always
be represented by a bit string. So-called endianness is rarely relevant, and is mostly a matter of
convention for our algorithms.
Elliptic curve points are normally denoted by pairs (x, y), and can therefore be represented with
two integers. However, in the world of cryptography it is common to apply point compression
techniques, which allow representing a point using only the space of one coordinate. For our con-
ceptual approach it is often accessory whether point compression is used or not, but most of the
time it is implicitly assumed.
We have also used cryptographic hash functions freely without specifying any concrete algorithms. src/crypto/
In the case of Monero it will typically be a Keccak 1 variant, but if not explicitly mentioned then keccak.c
it is not important to the theory.
A cryptographic hash function (henceforth simply ‘hash function’, or ‘hash’) takes in some message
m of arbitrary length and returns a hash h (or message digest) of fixed length, with each possible
output equiprobable for a given input. Cryptographic hash functions are difficult to reverse, have
an interesting feature known as the large avalanche effect which can cause very similar messages to
produce very dissimilar hashes, and it is hard to find two messages with the same message digest.
Hash functions will be applied to integers, strings, curve points, or combinations of these objects.
These occurrences should be interpreted as hashes of bit representations, or the concatenation of
such representations. Depending on context, the result of a hash will be numeric, a bit string, or
even a curve point. Further details in this respect will be given as needed.
Most modern cryptography begins with modular arithmetic, which in turn begins with the modulus
operation (denoted ‘mod’). We only care about the positive modulus, which always returns a
positive integer.
The positive modulus is here defined for a (mod b) = c as a = bx + c, where 0 ≤ c < b and x is a
signed integer which gets discarded (note that b is an integer bigger than zero).
Let’s imagine a number line. We stand at point a, then walk toward zero with each step = b until
we reach an integer ≥ 0 and < b. That is c. For example, 4 (mod 3) = 1, −5 (mod 4) = 3, and
so on. Readers may recognize c is similar to the ‘remainder’ after dividing (a/b).
In computer science it is important to avoid large numbers when doing modular arithmetic. For
example, if we have 29 + 87 (mod 99) and we aren’t allowed variables with three or more digits
(such as 116 = 29 + 87), then we can’t compute 116 (mod 99) = 17 directly.
To perform c = a + b (mod n), where a and b are each less than the modulus n, we can do this:
The total number of + point operations falls from 6 to 4 because we only need to find (8 + 8) once.
Let’s make an array A = [0111] and index it 0,1,2,3. A[0] = 0 is the first element of A and is the
most significant bit. We set a result variable to be initially r = 0, and set a sum variable to be
initially s = 8 (more generally, we start with s = b). We follow this algorithm:
1. i = 3
2. i = 2
CHAPTER 2. BASIC CONCEPTS 8
3. i = 1
4. i = 0
5. r = 2 is the result
It’s obvious that 87 (mod 9) is the same as 8 ∗ 8 ∗ 8 ∗ 8 ∗ 8 ∗ 8 ∗ 8 (mod 9). Just like double-and-add,
we can do square-and-multiply. For ae (mod n):
Sometimes we need to calculate 1/b (mod n), or in other words b−1 (mod n).
In the equation a ≡ b (mod n), a is congruent to b (mod n), which just means a (mod n) = b
(mod n).
The modular multiplicative inverse is defined as an integer c such that, for c = a−1 (mod n),
ac ≡ 1 (mod n) for 0 ≤ c < n and for a and n relatively prime. Relatively prime just means they
don’t share any divisors except 1. We could also say the fraction a/n can’t be reduced/simplified.2
2
We want to point out the modular multiplicative inverse has a rule stating:
If ac ≡ b (mod n) with a and n relatively prime, the solution to this linear congruence is given by c = a−1 b
(mod n).[9]
This means we can do c = a−1 b (mod n) → ca ≡ b (mod n) → a ≡ c−1 b (mod n).
CHAPTER 2. BASIC CONCEPTS 9
We can use square-and-multiply to compute the modular multiplicative inverse when n is a prime
number because of Fermats’ little theorem:
an−1 ≡ 1 (mod n)
a ∗ an−2 ≡ 1 (mod n)
n−2 −1
c≡a ≡a (mod n)
More generally (and more rapidly), the so-called extended Euclidean algorithm finds c like this
(short and sweet just to expose it):
1. Set r = 0; r0 = 1; q = n; q 0 = a.
• (q, q 0 ) = (q 0 , q − quotient ∗ q 0 )
The same principle would apply to something like x = (a − b ∗ c ∗ d)−1 (e ∗ f + g h ) (mod n).
3
We use r and r0 from the previous round to compute the current round’s r and r0 at the same time.
CHAPTER 2. BASIC CONCEPTS 10
A finite field Fq , where q is a prime number greater than 3, is the field formed by the set fe: field
{0, 1, 2, ..., q − 1}. Addition and multiplication (+, ·) and negation (−) are calculated (mod q). element
“Calculated (mod q)” means (mod q) is performed on any instance of an arithmetic operation
between two field elements, or negation of a single field element. For example, given a prime field
Fp with p = 29, 17 + 20 = 8 because 37 (mod 29) = 8. Also, −13 = −13 (mod 29) = 16.
Typically, an elliptic curve with a given (a, b) pair is defined as the set of points (x, y) satisfying
a Weierstraß equation [37]:4
y 2 = x3 + ax + b where a, b, x, y ∈ Fq
The cryptocurrency Monero uses a special curve belonging to the category of so-called Twisted
Edwards curves [28], which are commonly expressed as (for a given (a, d) pair):
ax2 + y 2 = 1 + dx2 y 2 where a, d, x, y ∈ Fq
In what follows we will prefer this second form. The advantage it offers over the previously men-
tioned Weierstraß form is that basic cryptographic primitives require fewer arithmetic operations,
resulting in faster cryptographic algorithms (see Bernstein et al. in [30] for details).
Let P1 = (x1 , y1 ) and P2 = (x2 , y2 ) be two points belonging to a Twisted Edwards elliptic
curve (henceforth known simply as an EC). We define addition on points by defining P1 + P2 =
(x1 , y1 ) + (x2 , y2 ) as the point P3 = (x3 , y3 ) where
x1 y2 + y1 x2
x3 = (mod q)
1 + dx1 x2 y1 y2
y1 y2 − ax1 x2
y3 = (mod q)
1 − dx1 x2 y1 y2
These formulas for addition also apply for point doubling; that is, when P1 = P2 . To subtract a
point, invert its coordinates over the y-axis, (x, y) → (−x, y) [28], and use point addition. When-
ever a ‘negative’ element −x of Fq appears in this report, it is really −x (mod q).
It turns out that elliptic curves have abelian group structure5 under the addition operation de-
scribed. Each time two curve points are added together, P3 is a point on the ‘original’ elliptic
curve, or in other words all x3 , y3 ∈ Fq .
Each point P in EC can generate a subgroup of order (size) u out of some of the other points
in EC using multiples of itself. For example, some point P ’s subgroup might have order 5 and
4
Notation: the phrase a ∈ F means a is some element in the field F.
5
A concise definition of this notion can be found under https://brilliant.org/wiki/abelian-group/
CHAPTER 2. BASIC CONCEPTS 11
contain the points (0, P, 2P, 3P, 4P ), each of which is in EC. At 5P the so-called point-at-infinity
appears, which is like the ‘zero’ position on an EC, and has coordinates (0, 1).
Another example: a subgroup with order 6 (0, P, 2P, 3P, 4P, 5P ). Multiples of point 2P :
2P, 4P, 6P, 8P, 10P, 12P → 2P, 4P, 0, 2P, 4P, 0
Here 2P has order 3. Since 6 is not prime, not all of its member points recreate the original
subgroup.
Each EC has an order N equal to the total number of points in the curve (including the point-
at-infinity), and the orders of all subgroups generated by points are divisors of N (by Lagrange’s
theorem). We can imagine a set of all EC points {0, P1 , ..., PN −1 }. If N isn’t prime, some points
will make subgroups with orders equal to divisors of N .
ECs selected for cryptography typically have N = hl, where l is some sufficiently large prime ge: group
number (such as 160 bits) and h is the so-called cofactor which could be as small as 1 or 2.7 One element
point in the subgroup of size l is usually selected to be the generator G as a convention. For every
other point P in that subgroup there exists an integer 0 < n ≤ l satisfying P = nG.
Let’s expand our understanding. Say there is a point P 0 with order N , where N = hl. Any
other point Pi can be found with some integer ni such that Pi = ni P 0 . If P1 = n1 P 0 has order l,
any P2 = n2 P 0 with order l must be in the same subgroup as P1 because lP1 = 0 = lP2 , and if
l(n1 P 0 ) ≡ l(n2 P 0 ) ≡ N P 0 = 0, then n1 & n2 must both be multiples of h. Since N = hl, there are
only l multiples of h, implying only one subgroup of size l is possible.
In other words, the subgroup formed by multiples of (hP 0 ) always contains P1 and P2 . Furthermore,
h(n0 P 0 ) = 0 when n0 is a multiple of l, and there are only h variations of n0 (mod N ) (including
the point at infinity for n0 = hl) because when n0 = hl it cycles back to 0: hlP 0 = 0. So, there are
only h points P in EC where hP will equal 0.
6
Cyclic subgroup means, for P ’s subgroup with order u, and with any integer n, nP = [n (mod u)]P .
7
EC with small cofactors allow relatively faster point addition, etc. [28].
CHAPTER 2. BASIC CONCEPTS 12
A similar argument could be applied to any subgroup of size u: any two points P1 and P2 with
order u are in the same subgroup, which is composed of multiples of (N/u)P 0 .
With this new understanding it is clear we can use the following algorithm to find points in
the subgroup of order l:
1. Find N of the elliptic curve EC, choose subgroup order l, compute h = N/l.
3. Compute P = hP 0 .
Calculating the scalar product between any integer n and any point P , nP , is not difficult, whereas sc: scalar
finding n such that P1 = nP2 is known to be computationally hard. By analogy to modular
arithmetic, this is often called the discrete logarithm problem (DLP). In other words, scalar mul-
tiplication can be seen as a one-way function, which paves the way for using elliptic curves for
cryptography.
The scalar product nP is equivalent to (((P + P ) + P ). . . ). Though not always the most efficient
approach, we can use double-and-add like in Section 2.2.1. To get the sum R = nP , remember we
use the + point operation discussed in Section 2.3.1.
Public key cryptography algorithms can be devised in a way analogous to modular arithmetic.
Let k be a randomly selected number satisfying 0 ≤ k < l, and call it a private key.8 Calculate
the corresponding public key K (an EC point) with the scalar product kG = K.
Due to the discrete logarithm problem (DLP) we can not easily deduce k from K alone. This
property allows us to use the values (k, K) in common public key cryptography algorithms.
8
The private key is sometimes known as a secret key. This lets us abbreviate: pk = public key, sk = secret key.
CHAPTER 2. BASIC CONCEPTS 13
A basic Diffie-Hellman [33] exchange of a shared secret between Alice and Bob could take place
in the following manner:
1. Alice and Bob generate their own private/public keys (kA , KA ) and (kB , KB ). Both publish
or exchange their public keys, and keep the private keys for themselves.
An external observer would not be able to easily calculate the shared secret due to the DLP, which
prevents them from finding kA or kB . Since the output of hash functions is ‘random’, the message
m is information-theoretic secure from adversaries who know x, KA , and KB .9
In 1989 Charles Schnorr published a now famous interactive authentication protocol [58], general-
ized by Maurer in 2009 [44], that allowed someone to prove they know the private key k of a given
public key K without revealing any information about it [46]. It goes something like this:
1. The prover generates a random integer α ∈R Zl ,10 computes αG, and sends αG to the
verifier.
The verifier can compute R0 = αG+c∗K before the prover, so providing c is like saying “I challenge
you to respond with the discrete logarithm of R0 .” A challenge the prover can only overcome by
knowing k (except with negligible probability).
9
A cryptosystem with information-theoretic security is one where even an adversary with infinite computing
power could not break it, because they simply wouldn’t have enough information.
10
Notation: the R in α ∈R Zl means α is randomly selected from {0, 1, 2, ..., l − 1}. In other words, Zl is all
integers (mod l).
CHAPTER 2. BASIC CONCEPTS 14
If α was chosen randomly by the prover then r is randomly distributed [59] and k is information-
theoretically secure. However, if the prover reuses α to prove his knowledge of k, anyone who
knows both challenges in r = α + c ∗ k and r0 = α + c0 ∗ k can compute k (two equations, two
unknowns).11
r − r0
k=
c − c0
If the prover knew c from the beginning (i.e. if the verifier secretly gave it to her), she could
generate a random response r and compute αG = rG − cK. When she later sends r to the verifier,
she ‘proves’ knowledge of k without ever having known it. Someone observing the transcript of
events between prover and verifier would be none the wiser. The scheme is not publicly verifiable.
[46]
In his role as challenger, the verifier spits out a random number after receiving αG, making him
equivalent to a random function. Random functions, such as hash functions, are known as random
oracles because computing one is like requesting a random number from someone [46].12
Using a hash function, instead of the verifier, to generate challenges is known as a Fiat-Shamir
transform [34], because it makes an interactive proof non-interactive and publicly verifiable [46].
Non-interactive proof
Verification
2. Compute R = rG and R0 = αG + c0 ∗ K.
Why it works
rG = (α + c ∗ k)G
= (αG) + (c ∗ kG)
= αG + c ∗ K
R = R0
An important part of any proof/signature scheme is the resources required to verify them. This
includes space to store proofs, and time spent verifying. In this scheme we store one EC point and
one integer, and need to know the public key - another EC point.
Since hash functions are comparatively fast to compute, verification time is mostly a function src/ringct/
of elliptic curve operations. For this proof scheme there are (based on operations available in rctOps.cpp
Monero’s code):
Signing messages is a staple of Internet security. One common signature scheme is called ECDSA.
See [39], ANSI X9.62, and [37].
The signature scheme we present here is an alternative formulation of the transformed Schnorr
proof from before. Thinking of signatures in this way prepares us for exploring ring signatures in
the next chapter.
Signature
Assume that Alice has the private/public key pair (kA , KA ). To unequivocally sign an arbitrary
message m, she could execute the following steps:
2. Calculate the challenge using a cryptographically secure hash function, c = H(m, [αG]).
Verification
Any third party who knows the EC domain parameters D (specifying which elliptic curve was
used), the signature (c, r) and the signing method, m and the hash function, and KA can verify
the signature:
In this signature scheme we store two scalars, need one public EC key, and verify with: src/ringct/
rctOps.cpp
DVBA Double-variable-base addition for some integers a, b, and point B: aG + bB [1]
Why it works
Therefore the owner of kA (Alice) created (c, r) for m: she signed the message. The probability
someone else, a forger without kA , could have made (c, r) is negligible.
Monero uses a particular Twisted Edwards elliptic curve for cryptographic operations, Ed25519,
the birational equivalent13 of the Montgomery curve Curve25519.
Both Curve25519 and Ed25519 were released by Bernstein et al. [28, 29, 30].14
13
Without giving further details, birational equivalence can be thought of as an isomorphism expressible using
rational terms.
14
Dr. Bernstein also developed an encryption scheme known as ChaCha [27, 65], which the primary Monero src/wallet/
implementation uses to encrypt certain sensitive information related to users’ wallets. ringdb.cpp
CHAPTER 2. BASIC CONCEPTS 17
The curve is defined over the prime field F2255 −19 (i.e. q = 2255 − 19) by means of the following
equation:
121665 2 2
−x2 + y 2 = 1 − x y
121666
This curve addresses many concerns raised by the cryptography community. It is well known that
NIST15 standard algorithms have issues. For example, it has recently become clear the random
number generation algorithm PNRG is flawed and contains a potential backdoor [36]. Seen from
a broader perspective, standardization authorities like NIST lead to a cryptographic monoculture,
introducing a point of centralization. This was illustrated when the NSA used its influence over
NIST to weaken an international cryptographic standard [14].
Curve Ed25519 is not subject to any patents (see [42] for a discussion on this subject), and the
team behind it has developed and adapted basic cryptographic algorithms with efficiency in mind src/crypto/
[30]. crypto ops
builder/
Twisted Edwards curves have order expressable as N = 2c l, where l is a prime number and c a
positive integer. In the case of curve Ed25519, its order is a 76 digit number (l is 253 bits):16
23 · 7237005577332262213973186563042994240857116359379907606001950938285454250989
Elements of F2255 −19 are encoded as 256-bit integers. In other words, they can be represented
using 32 bytes. Since each element only requires 255 bits, the most significant bit is always zero.
Consequently, any point in Ed25519 could be expressed using 64 bytes. By applying point com-
pression techniques, described here below, however, it is possible to reduce this amount by half,
to 32 bytes.
The Ed25519 curve has the property that its points can be easily compressed, so that representing
a point will consume only the space of one coordinate. We will not delve into the mathematics
necessary to justify this, but we can give a brief insight into how it works [57]. Point compression
for the Ed25519 curve was first described in [29], while the concept was first introduced in [48].
This point compression scheme follows from a transformation of the Twisted Edwards curve equa-
tion (assuming a = −1, which is true for Monero): x2 = (y 2 − 1)/(dy 2 + 1),17 which indicates there
are two possible x values (+ or −) for each y. Field elements x and y are calculated (mod q), so
there are no actual negative values. However, taking (mod q) of –x will change the value between
15
National Institute of Standards and Technology, https://www.nist.gov/
16
This means private EC keys in Ed25519 are 253 bits.
17 121665
Here d = − 121666 .
CHAPTER 2. BASIC CONCEPTS 18
odd and even since q is odd. For example: 3 (mod 5) = 3, −3 (mod 5) = 2. In other words, the
field elements x and –x have different odd/even assignments.
src/crypto/
If we have a curve point and know its x is even, but given its y value the transformed curve crypto ops
equation outputs an odd number, then we know negating that number will give us the right x. builder/
One bit can convey this information, and conveniently the y coordinate has an extra bit. ref10Comm-
Assume we want to compress a point (x, y). entedComb-
ined/
Encoding We set the most significant bit of y to 0 if x is even, and 1 if it is odd. The resulting ge to-
value y 0 will represent the curve point. bytes.c
Decoding ge from-
1. Retrieve the compressed point y 0 , then copy its most significant bit to the parity bit b bytes.c
before setting it to 0. That will be y.
2. Let u = y 2 − 1 (mod q) and v = dy 2 + 1 (mod q). This means x2 = u/v (mod q).
3. Compute18 z = uv 3 (uv 7 )(q−5)/8 (mod q).
(a) If vz 2 = u (mod q) then x0 = z.
(b) If vz 2 = −u (mod q) then calculate x0 = z ∗ 2(q−1)/4 (mod q).
4. Using the parity bit b from the first step, if b 6= the least significant bit of x0 then
x = −x0 (mod q), otherwise x = x0 .
5. Return the decompressed point (x, y).
Implementations of Ed25519 (such as Monero) typically use the generator G = (x, 4/5) [29], where
x is the ‘even’, or b = 0, variant based on point decompression of y = 4/5 (mod q).
Bernstein and his team have developed a number of basic algorithms based on curve Ed25519.19
For illustration purposes we will describe a highly optimized and secure alternative to the ECDSA
signature scheme which, according to the authors, allows producing over 100 000 signatures per
second using a commodity Intel Xeon processor [29]. The algorithm can also be found described
in Internet RFC8032 [40]. Note this is a very Schnorr-like signature scheme.
Among other things, instead of generating random integers every time, it uses a hash value derived
from the private key of the signer and the message itself. This circumvents security flaws related
to the implementation of random number generators. Also, another goal of the algorithm is to
avoid accessing secret or unpredictable memory locations to prevent so-called cache timing attacks
[29].
We provide here an outline of the steps performed by the algorithm for illustration purposes only.
A complete description and sample implementation in the Python language can be found in [40].
18
Since q = 2255 − 19 ≡ 5 (mod 8), (q − 5)/8 and (q − 1)/4 are integers.
19
See [30] for efficient group operations in Twisted Edwards EC (i.e. point addition, doubling, mixed addition, src/crypto/
etc). See [26] for efficient modular arithmetic. crypto ops
builder/
ref10Comm-
entedComb-
ined/
CHAPTER 2. BASIC CONCEPTS 19
Signature
1. Let hk be a hash H(k) of the signer’s private key k. Compute α as a hash α = H(hk , m) of
the hashed private key and message. Depending on implementation, m could be the actual
message or its hash [40].
Verification
The 2c term comes from Bernstein et al.’s general form of the EdDSA algorithm [30]. According
to that paper, though it isn’t required for adequate verification, removing 2c provides stronger
equations.
The public key K can be any EC point, but we only want to use points in the generator G’s
subgroup. Multiplying by the cofactor 2c ensures all points are in that subgroup. Alternatively,
?
verifiers could check lK = 0, which only works if K is in the subgroup. We do not know of any
weaknesses caught by these precautions, though as we will see the later method is important in
Monero.
In this signature scheme we store one EC point and one scalar, have one public EC key, and verify src/ringct/
with: rctOps.cpp
PA Point addition for some points A, B: A + B [1]
KBSM Known-base scalar multiplications for some integer a: aG [1]
VBSM Variable-base scalar multiplications for some integer a, and point P : aP [1]
Why it works
2c rG = 2c (α + H([αG], K, m) · k) · G
= 2c αG + 2c H([αG], K, m) · K
Binary representation
By default, an EdDSA signature would need 64 + 32 bytes for the EC point αG and scalar r.
However, RFC8032 assumes point αG is compressed, which reduces space requirements to only
32 + 32 bytes. We include the public key K, which implies 32 + 32 + 32 total bytes.
CHAPTER 3
Ring Signatures
Ring signatures are composed of a ring and a signature. Each signature is generated with a single
private key and a set of unrelated public keys. Each ring is the set of public keys comprising the
private key’s public key, and the set of unrelated public keys. Somebody verifying a signature
would not be able to tell which ring member corresponds to the private key that created it.
Ring signatures were originally called Group Signatures because they were thought of as a way to
prove a signer belongs to a group, without necessarily identifying him. In the context of Monero
they will allow for unforgeable, signer-ambiguous transactions that leave currency flows largely
untraceable.
Ring signature schemes display a number of properties that will be useful for producing confidential
transactions:
Signer Ambiguity An observer should be able to determine the signer must be a member of
the ring (except with negligible probability), but not which member.1 Monero uses this to
obfuscate the origin of funds in each transaction.
1
Anonymity for an action is usually in terms of an ‘anonymity set’, which is ‘all the people who could have
possibly taken that action’. The largest anonymity set is ‘humanity’, and for Monero it is the so-called mixin level
v plus the real signer. Mixin refers to how many fake members each ring signature has. If the mixin is v = 4 then
there are 5 possible signers. Expanding anonymity sets makes it progressively harder to find real actors.
20
CHAPTER 3. RING SIGNATURES 21
Linkability If a private key is used to sign two different messages then the messages will become
linked.2 As we will show, this property is used to prevent double-spending attacks in Monero
(except with negligible probability).
Unforgeability No attacker can forge a signature except with negligible probability.3 This is
used to prevent theft of Monero funds by those not in possession of the appropriate private
keys.
Originally (Chaum in [32]), group signature schemes required the system be set up, and in some
cases managed, by a trusted person in order to prevent illegitimate signatures, and, in a few
schemes, adjudicate disputes. Relying on a group secret is not desirable since it creates a disclosure
risk that could undermine anonymity. Moreover, requiring coordination between group members
(i.e. for setup and management) is not scalable beyond small groups or within companies.
Liu et al. presented a more interesting scheme in [43] building on the work of Rivest et al.
in [56]. The authors detailed a group signature algorithm characterized by three properties:
anonymity, linkability, and spontaneity. In other words, the owner of a private key could produce
one anonymous signature by selecting any set of co-signers from a list of candidate public keys,
without needing to collaborate with anyone.4
Signature
Ring signature schemes are very Schnorr-like. In fact, our signature scheme in Section 2.3.5 can
be considered a one-key ring signature. We get to two keys by, instead of defining r right away,
generating a decoy r0 and creating a new challenge to define r with.
Let m be the message to sign, R = {K1 , K2 , ..., Kn } a set of distinct public keys (a group/ring),
and kπ the signer’s private key corresponding to his public key Kπ ∈ R, where π is a secret index.
Assume the existence of two hash functions, Hn and Hp , mapping to integers from 1 to l,5 and
curve points in EC,6,7 respectively.
2
The linkability property does not apply to non-signing public keys. That is, a ring member whose public key
has been mixed into different signatures will not be linked.
3
Certain ring signature schemes, including the one in Monero, are strong against adaptive chosen-message and
adaptive chosen-public-key attacks. An attacker who can obtain legitimate signatures for messages and correspond-
ing to specific public keys in rings of his choice cannot discover how to forge the signature of even one message. This
is called existential unforgeability; see [61] and [43].
4
In the LSAG scheme linkability only applies to signatures using rings with the same members and in the same
order, the ‘exact same ring’. It is really “one anonymous signature per ring”. Linkable signatures can be attached
to different messages.
5
In Monero, the hash function Hn (x) = sc reduce32(Keccak (x)) where Keccak is the basis of SHA3 and
sc reduce32() puts the 256 bit result in the range 1 to l.
6
It doesn’t matter if points from Hp are compressed or not. They can always be decompressed.
7
Monero uses a hash function that returns curve points directly, rather than computing some integer that is
then multiplied by G. Hp would be broken if someone discovered a way to find nx such that nx G = Hp (x).
CHAPTER 3. RING SIGNATURES 22
2. Generate random number α ∈R Zl and fake responses ri ∈R Zl for i ∈ {1, 2, ..., n} but
excluding i = π.
3. Calculate
cπ+1 = Hn (R, K̃, m, [αG], [αHp (R)])
The ring signature contains the signature σ(m) = (c1 , r1 , r2 , ..., rn ), the key image K̃, and the ring
R.
Verification
Verification means proving σ(m) is a valid signature created by a private key corresponding to a
public key in R, and is done in the following manner:
?
1. Check lK̃ = 0.
3. If c01 = c1 then the signature is valid. Note that c01 is the last term calculated.
?
We must check lK̃ = 0 because it is possible to add an EC point from the subgroup of size h (thesrc/crypto-
cofactor) to K̃ and, if all ci are multiples of h (which we could achieve with automated trial and
note core/
error using different α and ri values), make h unlinked valid signatures using the same ring andcryptonote
signing key.8 This is because an EC point multiplied by its subgroup’s order is zero.9 core.cpp
To be clear, given some point K in the subgroup of order l, some point K h with order h, and an check tx
integer c divisible by h: inputs key-
c ∗ (K + K h ) = cK + cK h images do-
main()
= cK + 0
In this scheme we store (1+n) integers, have one EC key image, use n public keys, and verify with: src/ringct/
rctOps.cpp
VBSM Variable-base scalar multiplications for some integer a, and point P : aP [1]
DVBA Double-variable-base addition for some integers a, b, and point B: aG + bB [n]
VBA Variable-base additions for some integers a, b, and points A, B: aA + bB [n]
8
We are not concerned with points from other subgroups because the output of Hn is confined to Zl . For EC
order N = hl, all divisors of N (and hence, possible subgroups) are either multiples of l (a prime) or divisors of h.
9
In Monero’s early history this was not checked for. Fortunately, it was not exploited before a fix was implemented
in April, 2017 (v5 of the protocol) [55] .
CHAPTER 3. RING SIGNATURES 23
Why it works
We can informally convince ourselves the algorithm works by going through an example. Consider
ring R = {K1 , K2 , K3 } with kπ = k2 . First the signature:
4. Iterate:
c1 = Hn (..., [r3 G + c3 K3 ], [r3 Hp (R) + c3 K̃])
c2 = Hn (..., [r1 G + c1 K1 ], [r1 Hp (R) + c1 K̃])
We can substitute α into c3 to see where the word ‘ring’ comes from:
c3 = Hn (..., [(r2 + c2 k2 )G], [(r2 + c2 k2 )Hp (R)])
c3 = Hn (..., [r2 G + c2 K2 ], [r2 Hp (R) + c2 K̃ ])
Then verification using R, K̃, and σ(m) = (c1 , r1 , r2 , r3 ):
2. From when we made the signature, we see c02 = c2 . With r2 and c02 we compute
3. We can easily see that c03 = c3 by substituting c2 for c02 . Using r3 and c03 we get
Linkability
Given a fixed set of public keys R and two valid signatures for different messages,
σ(m) = (c1 , r1 , ..., rn ) with K̃, and
σ 0 (m0 ) = (c01 , r10 , ..., rn0 ) with K̃ 0 ,
if K̃ = K̃ 0 then clearly both signatures come from the same signing ring and private key.
While an observer could link σ and σ 0 , he wouldn’t know which Ki in R was the culprit without
solving the DLP or auditing R in some way (such as learning all ki with i 6= π, or learning kπ ).10
10
LSAG is unforgeable, meaning no attacker could make a valid ring signature without knowing a private key.
CHAPTER 3. RING SIGNATURES 24
In the LSAG signature scheme, linkability of signatures using the same private key can only be
guaranteed if the ring is constant. This is obvious from the definition K̃ = kπ Hp (R).
In this section we present an enhanced version of the LSAG algorithm where linkability is inde-
pendent of the ring’s co-signers.
The modification was unraveled in [61] based on a publication by A. Back [25] regarding the
CryptoNote [64] ring signature algorithm (previously used in Monero, and now deprecated), which
was inspired by Fujisaki and Suzuki’s work in [35].
Signature
2. Generate random number α ∈R Zl and random numbers ri ∈R Zl for i ∈ {1, 2, ..., n} but
excluding i = π.
3. Compute
cπ+1 = Hn (m, [αG], [αHp (Kπ )])
The signature will be σ(m) = (c1 , r1 , ..., rn ), with key image K̃ and ring R.
As in the original LSAG scheme, verification takes place by recalculating the value c1 .
Just like LSAG, in this scheme we store (1+n) integers, have one EC key image, use n public keys, src/ringct/
and verify with: rctOps.cpp
VBSM Variable-base scalar multiplications for some integer a, and point P : aP [1]
DVBA Double-variable-base addition for some integers a, b, and point B: aG + bB [n]
VBA Variable-base additions for some integers a, b, and points A, B: aA + bB [n]
Correctness can also be demonstrated (i.e. ‘how it works’) in a way similar to the LSAG scheme.
The alert reader will no doubt notice the key image K̃ only depends on the true signer’s keys. In
other words, two signatures will now be linkable if and only if the same private key was used to
If he invents a fake K̃ and seeds his signature computation with cπ+1 , then, not knowing kπ , he can’t calculate a
number rπ = α − cπ kπ that would produce [rπ G + cπ Kπ ] = αG. A verifier would reject his signature. Liu et al.
prove forgeries that manage to pass verification are extremely improbable [43].
CHAPTER 3. RING SIGNATURES 25
create them. In bLSAG, rings are just involved in obfuscating each signer’s identity. bLSAG also
simplifies the scheme by removing R and K̃ from the hash that calculates ci .
This approach to linkability will prove to be more useful for Monero than the one offered by the
LSAG algorithm, as it will allow detecting double-spending attempts without putting constraints
on the ring members used.
In order to sign multi-input transactions, one has to sign with m private keys. In [61], Shen
Noether et al. describe a multi-layered generalization of the bLSAG signature scheme applicable
when we have a set of n · m keys; that is, the set
R = {Ki,j } for i ∈ {1, 2, ..., n} and j ∈ {1, 2, ..., m}
where we know the private keys {kπ,j } corresponding to the subset {Kπ,j } for some index i = π.
Such an algorithm would address our multi-input needs if we generalize the notion of linkability.
Linkability: if any private key kπ,j is used in 2 different signatures, then these signatures will be
automatically linked.
Signature
1. Calculate key images K̃j = kπ,j Hp (Kπ,j ) for all j ∈ {1, 2, ..., m}.
2. Generate random numbers αj ∈R Zl , and ri,j ∈R Zl for i ∈ {1, 2, ..., n} (except i = π) and
j ∈ {1, 2, ..., m}.
3. Compute11
cπ+1 = Hn (m, [α1 G], [α1 Hp (Kπ,1 )], ..., [αm G], [αm Hp (Kπ,m )])
The signature will be σ(m) = (c1 , r1,1 , ..., r1,m , ..., rn,1 , ..., rn,m ), with key images (K̃1 , ..., K̃m ).
11
Monero MLSAG uses so-called ‘key prefixing’, which, when implemented, was thought to allow better security src/ringct/
proofs for multi-user Schnorr-like signatures. Recent research suggests it isn’t necessary. [41] Each challenge contains rctSigs.cpp
an explicit public key like this: MLSAG gen()
cπ+1 = Hn (m, Kπ,1 , [α1 G], [α1 Hp (Kπ,1 )], ..., Kπ,m , [αm G], [αm Hp (Kπ,m )])
CHAPTER 3. RING SIGNATURES 26
Verification
?
1. For all j ∈ {1, ..., m} check lK̃j = 0.
Why it works
Just as with the original LSAG algorithm, we can readily observe that
• If i 6= π, then clearly the values c0i+1 are calculated as described in the signature algorithm.
Linkability
If a private key kπ,j is re-used to make any signature, the corresponding key image K̃j supplied in
the signature will reveal it. This observation matches our generalized definition of linkability.12
In this scheme we store (1+m ∗ n) integers, have m EC key images, use m ∗ n public keys, and src/ringct/
verify with: rctOps.cpp
VBSM Variable-base scalar multiplications for some integer a, and point P : aP [m]
DVBA Double-variable-base addition for some integers a, b, and point B: aG + bB [m ∗ n]
VBA Variable-base additions for some integers a, b, and points A, B: aA + bB [m ∗ n]
12
As with LSAG, linked MLSAG signatures do not indicate which public key was used to sign it. However, if the
key image’s sub-loops’ rings have only one key in common, the culprit is obvious.
CHAPTER 3. RING SIGNATURES 27
We will see in later sections of this report it is necessary to prove transaction amounts are within
an expected range. This can be accomplished with ring signatures. However, linkable signatures
here would allow observers to link outputs using common amounts, or guess and check the entire
transaction history. Fortunately, excluding linkability allows us to select more efficient algorithms
in terms of space consumed and verification speed.
In this context, and for the singular purpose of proving amount ranges, Monero uses a signature
scheme developed by G. Maxwell, which he described in [46].13 We present here a complete version
of the scheme for educational purposes.
Assume we have a set R of public keys {Ki,ji } for i ∈ {1, 2, ..., n} and ji ∈ {1, 2, ..., mi }. In other
words, {Ki,ji } is like a bookshelf of public keys with n shelves, and on each ith shelf are mi public
keys ordered from 1 to mi . The amount of keys mi can be different for each shelf i, hence the
subscript.14
Furthermore, assume for each i there is an index πi (which can be different for each i) such that
the signer knows private key ki,πi corresponding to Ki,πi . Following the analogy, a signer knows
one private key for the ji = πi th public key on each shelf i in the bookshelf.
Signature
1. For each shelf i ∈ {1, ..., n} [skip this entire step for any i where πi = mi ]:
2. For i ∈ {1, ..., n} generate random numbers ri,mi ∈R Zl . Instead of making separate chal-
lenges with the last key on each shelf, take all ri,mi , ci,mi , and Ki,mi , and combine them in
the connector
c1 = Hn (m, [r1,m1 G + c1,m1 K1,m1 ], ..., [rn,mn G + cn,mn Kn,mn ])
(a) build second half of loop from connector: if πi = 1 skip this, otherwise for ji = 1, ..., πi −1
generate random numbers ri,ji ∈R Zl and compute [we interpret references to ci,1 as c1 ]
ci,ji +1 = Hn (m, [ri,ji G + ci,ji Ki,ji ])
(b) tie loop ends together: set ri,πi such that αi = ri,πi + ci,πi ki,πi .
The signature is
σ = (c1 , r1,1 , ..., r1,m1 , r2,1 ..., r2,m2 , ..., rn,mn )
Using the connector lets us tie many subloops together, instead of a separate ring signature for
each. This means n − 1 fewer scalars to store these signatures. Note this signature scheme reduces
to our Schnorr-like signature from Section 2.3.4 when R only contains one key.
Verification
Why it works
1. For ji 6= πi and for all i we can readily see that c0i,ji +1 = ci,ji +1 .
Therefore we can conclude the verification step identifies valid signatures (except in the case of a
forgery, which can only occur with negligible probability).
CHAPTER 4
Pedersen Commitments
For example, in a coin-flipping game Alice could privately commit to one outcome (i.e. ‘call it’)
before Bob flips the coin by publishing her committed value hashed with secret data. After Bob
flips the coin, Alice could declare which value she committed to and prove it by publishing her
secret data. Bob could then verify her claim.
In other words, assume that Alice has a secret string blah and the value she wants to commit
to is heads. She could simply hash h = H(blah, heads) and give h to Bob. Bob flips a coin,
Alice tells Bob about blah and informs him she committed to heads, and then Bob calculates
h0 = H(blah, heads). If h0 = h, then he knows Alice called heads before the coin flip.
Alice uses the so-called ‘salt’ blah so Bob can’t just guess H(heads) and H(tails) before his coin
flip, and figure out she committed to heads.
A Pedersen commitment [54] is a commitment that has the property of being additively ho-
momorphic. If C(a) and C(b) denote the commitments for values a and b respectively, then
C(a + b) = C(a) + C(b).1 This property is useful when committing transaction amounts, as one
1
Additively homomorphic in this context means addition is preserved when you transform scalars into EC points
by applying, for scalar x, x → xG.
29
CHAPTER 4. PEDERSEN COMMITMENTS 30
could prove, for instance, that inputs equal outputs, without revealing the amounts at hand.
Fortunately, Pedersen commitments are easy to implement with elliptic curve cryptography, as
the following holds trivially
aG + bG = (a + b)G
Clearly, by defining a commitment as simply C(a) = aG, we could easily create cheat tables of
commitments to help us recognize common amounts a.
To attain information-theoretic privacy, one needs to add a secret blinding factor and another
generator H, such that it is unknown for which value of γ the following holds: H = γG. The
hardness of the discrete logarithm problem ensures calculating γ from H is infeasible. In the case
of Monero, H = Hp (G).2
We can then define the commitment to an amount a as C(x, a) = xG + aH, where x is a blinding
factor that prevents observers from guessing a (for example: if you just commit C(a = 1), it is
trivial to guess and check).
Commitment C(x, a) is information-theoretically private because there are many possible combi-
nations of x and a that would output the same C.3 If x is truly random, an attacker would have
literally no way to figure out a [45, 59].
Owning cryptocurrency is not like a bank account, where a person’s balance exists as a single
value in a database. Rather, a person owns a bunch of transaction outputs. Each output has an
‘amount’, and the sum of amounts in all unspent outputs owned is considered a person’s balance.
Since it is rare for input amounts to equal intended output amounts, most transactions include
‘change’, an output that sends excess back to the sender. We will elaborate on these topics in
Chapter 5.
In Monero, transaction amounts are hidden using a technique called RingCT, first implemented
in January, 2017 (v4 of the protocol). While transaction verifiers don’t know how much Monero
2
The Monero codebase has a function to point() that maps scalars to EC points. For commitments, H = src/ringct/
to point(Keccak (G)). rctTypes.h
3
Basically, there are many x0 and a0 such that x0 + a0 γ = x + aγ. A committer knows one combination, but an
attacker has no way to know which one. Furthermore, even the committer can’t find another combination without
solving the DLP for γ.
CHAPTER 4. PEDERSEN COMMITMENTS 31
is contained in each input and output, they still need to prove the sum of input amounts equals
the sum of output amounts.
In other words, if we had a transaction with inputs containing amounts a1 , ..., am and outputs
with amounts b1 , ..., bp , then an observer would justifiably expect that:
X X
aj − bt = 0
j t
Since commitments are additive and we don’t know γ, we could easily prove our inputs equal
outputs to observers by making the sum of commitments to input and output amounts equal
zero:4 X X
Cj,in − Ct,out = 0
j t
To avoid sender identifiability, Shen Noether proposed [61] verifying that commitments sum to a
certain non-zero value:
X X
Cj,in − Ct,out = zG
j t
X X
(xj G + aj H) − (yt G + bt H) = zG
j t
X X
xj − yt = z
j t
The reasons why this is useful will become clear in Chapter 5 when we discuss the structure of
transactions.
Note that C = zG is called a commitment to zero because we can make a signature with z, which
proves that there is no H component to C (assuming γ is unknown). In other words C = zG+0H.
One problem with additive commitments is that, if we have commitments C(a1 ), C(a2 ), C(b1 ), and
C(b2 ) and we intend to use them to prove that (a1 + a2 ) − (b1 + b2 ) = 0, then those commitments
would still apply if one value in the equation were ‘negative’.
Since −10 = l − 10, we have effectively created l more Moneroj (over 7.2x1074 !) than we put in.
4
Recall from Section 2.3.1 we can subtract a point by inverting its coordinates. If P = (x, y), −P = (−x, y).
Recall also that negations of field elements are calculated (mod q), so (–y (mod q)).
CHAPTER 4. PEDERSEN COMMITMENTS 32
The solution addressing this issue in Monero is to prove each output amount is in a certain range
using the Borromean signature scheme described in Section 3.4. This method treats each bit in
the binary representation of the amount as a separate amount which we can commit to zero.
Given a commitment C(b) with blinding factor yb for amount b, use the binary representation
(b0 , b1 , ..., bk−1 ) such that
b = b0 20 + b1 21 + ... + bk−1 2k−1
Generate random numbers y0 , ..., yk−1 ∈R Zl to be used as blinding factors. Define also Pedersen
commitments for each bi , Ci = yi G + bi 2i H, and derive public keys {Ci , Ci − 2i H}.
Clearly one of those public keys will equal yi G:
if bi = 0 then Ci = yi G + 0H = yi G
if bi = 1 then Ci − 2i H = yi G + 2i H − 2i H = yi G
In other words, a blinding factor yi will always be the private key corresponding to one of the
points {Ci , Ci − 2i H}. The point that equals yi G is a commitment to zero, because either bi 2i = 0
or bi 2i − 2i = 0. We can prove a transaction output’s amount b is in the range [0, ..., 2k − 1] by
signing it using the Borromean Ring Signature scheme of Section 3.4 with the ring of public keys: src/ringct/
rctSigs.cpp
{{C0 , C0 − 20 H}, ..., {Ck−1 , Ck−1 − 2k−1 H}}
genBor-
where we know the private keys {y0 , ..., yk−1 } corresponding to each pair.
romean()
In the context of Monero we will use range proofs to prove there are valid amounts in the outputs
of each transaction.
Transaction verifiers will have to check that the sum of each output’s range proof commitments
Ci equals its amount commitment Cb . For this to work we need to modify our definition of the
blinding factor yb : set y0 , ..., yk−1 ∈R Zl and define yb = k−1
P
i=0 yi . The following equation now src/ringct/
holds rctSigs.cpp
k−1
X prove-
Ci = Cb
i=0
Range()
We will store only the range proof commitments/keys Ci , the output amount’s commitment Cb ,
and the signature σ’s terms in the blockchain. The mining community can easily calculate Ci −2i H
and verify the Borromean ring signature for each output.
It will not be necessary for the receiver nor any other party to know the blinding factors yi , as
their sole purpose is proving a new output’s amount is in range.
CHAPTER 4. PEDERSEN COMMITMENTS 33
Since the Borromean signature scheme requires knowledge of yi to produce a signature, any third
party who verifies one can convince himself that each loop contains a commitment to zero, so total
amounts must fall within range and money is not being artificially created.
In this scheme we store (1+2 ∗ k) integers, use k public keys (commitments), and verify with:
Monero Transactions
Unlike Bitcoin, Monero users have two sets of private/public keys, (k v , K v ) and (k s , K s ), generated
as described in Section 2.3.2.
The address of a user is the pair of public keys (K v , K s ). Her private keys will be the correspond-
ing pair (k v , k s ).
Using two sets of keys allows function segregation. The rationale will become clear later in this
chapter, but for the moment let us call private key k v the view key, and k s the spend key. A person
can use their view key to determine if an output is addressed to them, and their spend key will
allow them to send that output in a transaction (and retroactively figure out it has been spent).1
To verify a transfer of money, observers need to know the money starts off being owned by the
spender. How do they own it in the first place? Every Monero user has a public address which
1
It is currently most common for the view key kv to equal Hn (ks ). This means a person only needs to save their src/wallet/
spend key ks in order to access (view and spend) all of the outputs they own (spent and unspent). The spend key api/wallet.cpp
is typically represented as a series of 25 words (where the 25th word is a checksum). Other, less popular methods create()
include: generating kv and ks as separate random numbers, or generating a random 12-word mnemonic a, where wallet2.cpp
ks = sc reduce32(Keccak (a)) and kv = sc reduce32(Keccak (Keccak (a))). [3] generate()
get seed()
34
CHAPTER 5. MONERO TRANSACTIONS 35
they may distribute to other users, who can then send money to that address via transaction
outputs.
The public address is never used directly. Instead, a Diffie-Hellman-like exchange is applied to it,
creating a unique one-time address for each transaction output to be paid to the user. In this way,
even external observers who know all users’ public addresses will not be able to identify which
user received any given transaction output.
A recipient can spend their received outputs by signing a message with the one-time addresses,
thereby proving they know the private keys and must therefore own what they are spending. We
will gradually flesh out this concept.
Let’s start with a very simple transaction, containing exactly one input and one output — a
payment from Alice to Bob.
Bob has private/public keys (kB v , k s ) and (K v , K s ), and Alice knows his public keys. A transac-
B B B
tion could proceed as follows [64]:
1. Alice generates a random number r ∈R Zl , and calculates the one-time public key2 src/crypto/
crypto.cpp
K o = Hn (rKB
v s
)G + KB
derive pu-
o
2. Alice sets K as the addressee of the payment, adds the value rG to the transaction data, blic key()
and submits it to the network.
3. Bob receives the data and sees the values rG and K o . He can calculate kB v rG = rK v . He src/crypto/
B
0s o v
can then calculate KB = K − Hn (rKB )G. When he sees that KB = KB 0s s , he knows the crypto.cpp
spend key K s ) can calculate K 0s for every transaction output in the blockchain (record of public key()
B B
transactions), and ‘view’ which ones are addressed to Bob.
While Alice can calculate the public key K o for the one-time address, she can not compute the
corresponding private key k o , since it would require either knowing Bob’s spend key kB
s , or solving
s s
the discrete logarithm problem for KB = kB G, which we assume to be hard. As will become clear
2
In Monero, every instance of rkv G is multiplied by the cofactor 8, so in this case Alice computes 8 ∗ rKBv
and src/crypto/
v
Bob computes 8 ∗ kB rG. As far as we can tell this serves no purpose (but is a convention that users should follow). crypto.cpp
Multiplying by cofactor ensures the resulting point is in G’s subgroup, but if R and K v don’t share a subgroup to generate
begin with, then the discrete logs r and kv can’t be used to make a shared secret regardless. key deri-
3 0s
KB is computed with derive subaddress public key() because normal address spend keys are stored at index 0 vation()
in the spend key lookup table, while subaddresses are at indices 1,2... This will make sense soon: see Section 5.3.
CHAPTER 5. MONERO TRANSACTIONS 36
later in this chapter, without k o Alice can’t compute the output’s key image, so she can never
know for sure if Bob spends the output she sent him.4
A third party with Bob’s view key can verify an output is addressed to Bob, yet without knowledge
of the spend key this third party would not be able to spend that output nor know when it has
been spent. Such a third party could be a trusted custodian, an auditor, a tax authority, etc.
Somebody who could be allowed read access to the user’s transaction history, without any further
rights. This third party would also be able to decrypt the output’s amount (to be explained in
Section 5.6.1).
Most transactions will contain more than one output. If nothing else, to transfer ‘change’ back to
the sender.
Monero senders generate only one random value r. The value rG is normally known as the trans-
action public key and is published in the blockchain.
To ensure that all output addresses in a transaction with p outputs are different even in cases src/crypto/
where the same addressee is used twice, Monero uses an output index. Every output from a trans- crypto.cpp
action has an index t ∈ {1, ..., p}. By appending this value to the shared secret before hashing it, derive pu-
one can ensure the resulting one-time addresses are unique: blic key()
5.3 Subaddresses
Monero users can generate subaddresses from each address [51]. Funds sent to a subaddress can
be viewed and spent using its main address’ view and spend keys. By analogy: an online bank
account may have multiple balances corresponding to credit cards and deposits, yet they are all
accessible and spendable from the same point of view – the account holder.
Subaddresses are convenient for receiving funds to the same place when a user doesn’t want to link
his activities together by publishing/using the same address. As we will see, an observer would
4
Imagine Alice produces two transactions, each containing the same one-time output address K o that Bob can
spend. Since K o only depends on r and KB v
, there is no reason she can’t do it. Bob can only spend one of those
outputs because each one-time address only has one key image, so if he isn’t careful Alice might trick him. She
could make transaction 1 with a lot of money for Bob, and later transaction 2 with a small amount for Bob. If he
spends the money in 2, he can never spend the money in 1. In fact, no one could spend the money in 1, effectively
‘burning’ it. Monero wallets have been designed to ignore the smaller amount in this scenario.
CHAPTER 5. MONERO TRANSACTIONS 37
have to solve the DLP in order to determine a given subaddress is derived from any particular
address [51].5
They are also useful for differentiating between received outputs. For example, if Alice wants to
buy an apple from Bob on a Tuesday, Bob could write a receipt describing the purchase and make
a subaddress for that receipt, then ask Alice to use that subaddress when she sends him the money.
This way Bob can associate the money he receives with the apple he sold. We explore another
way to distinguish between received outputs in the next section.
th
Bob generates his i subaddress (i = 1, 2, ...) from his address as a pair of public keys (K v,i , K s,i ): src/device/
device de-
K s,i = K s + Hn (k v , i)G
fault.cpp
K v,i = k v K s,i
get sub-
So,
address
K v,i = k v (k s + Hn (k v , i))G
secret key()
K s,i = (k s + Hn (k v , i))G
v,1 s,1
Let’s say Alice is going to send Bob money via his subaddress (KB , KB ) with a simple one-input,
one-output transaction.
1. Alice generates a random number r ∈R Zl , and calculates the one-time public key
v,1 s,1
K o = Hn (rKB )G + KB
s,1
2. Alice sets K o as the addressee of the payment, adds the value rKB to the transaction
data, and submits it to the network.
s,1 v rK s,1 = rK v,1 . src/crypto/
3. Bob receives the data and sees the values rKB and K o . He can calculate kB B B
0s,1 v,1 0s,1 s,1
He can then calculate KB = K o − Hn (rKB )G. When he sees that KB = KB , he knows crypto.cpp
the transaction is addressed to him. derive
Bob only needs his private view key kB v and subaddress public spend key K s,1 to find trans- subaddress
B
public key()
action outputs sent to his subaddress.
s,1
Now, Alice’ transaction public key is particular to Bob (rKB instead of rG). If she creates a src/crypto-
p-output transaction with at least one output intended for a subaddress, Alice needs to make a note core/
unique transaction public key for each output t ∈ 1, ..., p. In other words, if Alice is sending to cryptonote
v,1 s,1
Bob’s subaddress (KB , KB ) and Carol’s address (KCv , KCs ), she will put two transaction public tx utils.cpp
s,1
keys {r1 KB , r2 G} in the transaction data.6 construct
tx with
tx key()
5.4 Integrated addresses
In order to differentiate between the outputs they receive, a recipient can request senders include
a payment ID in transaction data.7 For example, if Alice wants to buy an apple from Bob on a
Tuesday, Bob could write a receipt describing the purchase and ask Alice to include the receipt’s
ID number when she sends him the money. This way Bob can associate the money he receives
with the apple he sold.
Senders can communicate payment IDs in clear text, but manually including the IDs in transac-
tions is inconvenient, and a privacy hazard for recipients, who might inadvertently expose their
activities. In Monero, recipients can integrate payment IDs into their addresses, and provide those
integrated addresses, containing (K v , K s , payment ID), to senders. Payment IDs can technically be src/common/
integrated into any kind of address, including normal addresses, subaddresses, and multisignature base58.cpp
addresses.8 encode
Senders addressing outputs to integrated addresses can encode payment IDs using the shared secret addr()
rKtv and a XOR operation, which recipients can then decode with the appropriate transaction
public key and another XOR procedure [6]. Encoding payment IDs in this way allows senders to
prove they made particular transaction outputs (i.e. for audits, refunds, etc.).
The binary operator XOR evaluates two arguments and returns true if one, but not both, of the
arguments is true [19]. Here is its truth table:
A B A XOR B
T T F
T F T
F T T
F F F
6
In Monero subaddresses are prefixed with an ‘8’, separating them from addresses, which are prefixed with ‘4’.
This helps senders choose the correct procedure when constructing transactions.
7
Currently, Monero only supports one payment ID per transaction.
8
Since an observer can recognize the difference between transactions with and without payment IDs of any kind,
using them is thought to make the Monero transaction history less uniform. Subaddresses (‘disposable addresses’
more generally) can be used for the same purpose, so payment IDs may be superfluous. Based on these ideas, there is
some effort in the Monero development community to deprecate all forms of payment ID [4]. However, cryptocurrency
exchanges find them useful and are slow to change, so payment IDs might remain a feature indefinitely. Also note
integrated addresses have only ever been implemented for normal addresses.
CHAPTER 5. MONERO TRANSACTIONS 39
In the context of computer science, XOR is equivalent to bit addition modulo 2. For example, the
XOR of two bit pairs:
XOR({1, 1}, {1, 0}) = {1 + 1, 1 + 0} (mod 2)
= {0, 1}
Examining the previous example, each of these produce the same output: XOR({1, 1}, {1, 0}),
XOR({0, 0}, {0, 1}), XOR({1, 0}, {1, 1}), or XOR({0, 1}, {0, 0}). There are 2b combinations of
XOR inputs (with b bits each) for the same output, so if input A ∈R {1, ..., 2b }, an observer who
learned C = XOR(A, B) could not gain any information about B.
At the same time, anyone who knows two of the elements A, B, C, where C = XOR(A, B), can
calculate the third element, such as A = XOR(B, C). XOR indicates if two elements are different
or the same, so knowing C and B is enough to expose A. A careful examination of the truth table
reveals this to be true.
Encoding
The sender encodes the payment ID for inclusion in transaction data9 src/device/
device de-
kmask = Hn (rKtv , pid tag)
fault.cpp
kpayment ID = kmask → reduced to bit length of payment ID encrypt
encoded payment ID = XOR(kpayment ID , payment ID) payment
id()
The output of a cryptographic hash function H is uniformly distributed across the range of possible
outputs. In other words, for some input A, H(A) ∈D R SH where SH is the set of possible outputs
D
from H. We use ∈R to indicate the function is deterministically random. H(A) produces the same
thing every time, but its output is equivalent to a random number.
We include pid tag to ensure kmask is different from the component Hn (rKtv , t) in one-time output
addresses.10
Decoding
Whichever recipient t the payment ID was created for can find it using his view key and the src/device/
transaction public key rG:11 device.hpp
9
In Monero payment IDs for integrated addresses are conventionally 64 bits long, while independent, clear text
decrypt
payment IDs are usually 256 bits long. payment
10
In Monero, pid tag = ENCRYPTED PAYMENT ID TAIL = 141. In, for example, multi-input transactions id()
v
we compute Hn (rKt , t) (mod l) to ensure we are using a scalar less than the EC subgroup order, but since (mod l)
is 253 bits and payment IDs are only 64 bits, taking the modulus for encoding payment IDs would be meaningless,
so we don’t.
11
Transaction data does not indicate which output a payment ID ‘belongs’ to. Recipients have to identify their
own payment IDs.
CHAPTER 5. MONERO TRANSACTIONS 40
Similarly, senders can decode payment IDs they had previously encoded by recalculating the shared
secret kmask = Hn (rKtv ).
Monero is a cryptocurrency under steady development. Transaction structures, protocols, and src/crypto-
cryptographic schemes are always prone to evolving as new objectives or threats are found. note core/
cryptonote
In this report we have focused our attention on Ring Confidential Transactions, a.k.a. RingCT,
tx utils.cpp
as they are implemented in the current version of Monero. RingCT is mandatory for all new
construct
Monero transactions, so we will not describe any deprecated transaction types, even if they are
tx()
still partially supported.12
The transaction types we will describe in this chapter are RCTTypeFull and RCTTypeSimple. The
former category (Section 5.6) closely follows the ideas explained by Shen Noether at al. in [61].
At the time that paper was written, the authors most likely intended to fully replace the original
CryptoNote transaction scheme.
However, for multi-input transactions, the signature scheme formulated in that paper was thought
to entail a risk on traceability. This will become clear when we supply technical details, but in
short: if one spent output became identifiable, the rest of the spent outputs would also become
identifiable. This would have an impact on the traceability of currency flows, not only for the
transaction originator affected, but also for the rest of the blockchain.
To mitigate this risk, the Monero Research Lab decided to use a related, yet different signa-
ture scheme for multi-input transactions. The transaction type RCTTypeSimple (Section 5.7) is
used in those situations. The main difference, as we will see later, is that each input is signed
independently.
12
RingCT was first implemented in January, 2017, (v4 of the protocol). It was made mandatory for all new
transactions in September, 2017 (v6 of the protocol). [12]
CHAPTER 5. MONERO TRANSACTIONS 41
An actual example of a RCTTypeFull transaction, with all its components, can be inspected in
Appendix A.
Recall from Section 4.2 that we had defined a commitment to an output’s amount b as:
C(b) = yG + bH
In the context of Monero, output recipients should be able to reconstruct the amount commitments.
This means the blinding factor y and amount b must be communicated to the receiver.
The solution adopted in Monero is a Diffie-Hellman shared secret rKB v . For any given transaction
in the blockchain, each of its outputs t ∈ {1, ..., p} has two associated values called mask and
amount satisfying13
v
mask t = yt + Hn (Hn (rKB , t)) src/ringct/
v
amount t = bt + Hn (Hn (Hn (rKB , t))) rctOps.cpp
The receiver Bob will be able to calculate the blinding factor yt and the amount bt using the ecdhEn-
transaction public key rG and his view key kBv . He can also check that the commitment C(y , b ) code()
t t
b
provided in the transaction data, henceforth denoted Ct , corresponds to the amount at hand.
More generally, any third party with access to Bob’s view key could decrypt his output amounts,
and make sure they agree with their associated commitments.
13
As with the one-time address K o , the output index t is appended to the hash in each mask/amount pair. src/crypto-
This ensures outputs directed to the same address do not have similar masks and amounts, except with negligible note core/
probability.Yes, that is three hashes for the amount. The extra hash ensures a different value is used for one-time cryptonote
addresses and the two ECDH exchange parts. tx utils.cpp
construct
tx with
tx key() calls
derivation
to scalar()
CHAPTER 5. MONERO TRANSACTIONS 42
Assume a transaction sender has previously received various outputs with amounts a1 , ..., am
o , ..., K o
addressed to one-time addresses Kπ,1 a a
π,m and with amount commitments Cπ,1 , ..., Cπ,m .
o , ..., k o
This sender knows the private keys kπ,1 π,m corresponding to the one-time addresses (Section
5.2). The sender also knows the blinding factors xj used in commitments Cπ,j a (Section 5.6.1).
m
P p
P
A transaction consists of inputs a1 , ..., am and outputs b1 , ..., bp such that aj − bt = 0.
j=1 t=1
The sender re-uses the commitments from the previous outputs, Cπ,1 a , ..., C a , and creates com-
π,m
mitments for b1 , ..., bp . Let these new commitments be C1b , ..., Cpb .
As hinted in Section 4.2, the sum of the commitments will not be 0, but a curve point zG:
X X
a b
Cπ,j − Cπ,t = zG
j t
The sender will know z, allowing him to create a signature on this commitment to zero.
Indeed, z follows from the blinding factors if and only if input amounts equal output amounts
(recalling Section 4.1, we don’t know γ in H = γG).
m
X p
X
a b
Cπ,j − Cπ,t
j=1 t=1
X X X X
= xj G − yt G + ( aj − bt )H
j t j t
X X
= xj G − yt G
j t
=zG
5.6.3 Signature
The sender selects v sets of size m, of additional unrelated addresses and their commitments from
the blockchain, corresponding to apparently unspent outputs.14 She mixes the addresses in a ring
with her own m unspent outputs’ addresses, adding false commitments to zero, as follows:
14
In Monero it is standard for the set of ‘additional unrelated addresses’ to be selected from this distribution: CRYPTO-
50% from 1.8 days ago up to the default transaction spendable age, which is usually 10 blocks ago, 50% from the NOTE DE-
remaining blockchain. Each segment has a triangle probability aimed at the 1.8 day mark, where an output 1.8 FAULT TX
days old is twice as likely to be chosen as an output 0.9 days old. To spend an output of type X, we find all other SPEND-
outputs of type X (e.g. RingCT outputs) and choose its ring members from that set based on the distribution. The ABLE AGE
triangle probabilities are achieved by rolling a random number for each decoy ring member, normalizing it, taking src/wallet/
the square root, multiplying it by the number of eligible type X outputs, and using the output at that index in the wallet2.cpp
group (flip the index if the triangle faces backward by computing [#eligible - index]). get outs()
CHAPTER 5. MONERO TRANSACTIONS 43
X X
o o
R = {{K1,1 , ..., K1,m ,( C1,j − Ctb )},
j t
...
X X
o o a
{Kπ,1 , ..., Kπ,m ,( Cπ,j − Ctb )},
j t
...
X X
o o
{Kv+1,1 , ..., Kv+1,m ,( Cv+1,j − Ctb )}}
j t
With this observation made we can see the utility of zG. All commitment terms in R return some
EC point, and the π th such term is zG. This allows us to create an MLSAG signature (Section
3.3) on R.
o , ..., K o , (
P a
Cπ,j − Ctb )} are
P
MLSAG signature for inputs The private keys for {Kπ,1 π,m src/ringct/
j t
o , ..., k o , z, which are known to the sender. MLSAG in this scenario does not use a key rctSigs.cpp
kπ,1 π,m
prove-
image for the commitment to zero zG. This means building and verifying the signature
RctMG()
excludes the term ri,m+1 Hp (Ki,m+1 ) + ci K̃z .
The message m signed in the input MLSAG is essentially a hash of all transaction information
except for the MLSAG signature itself.15 This ensures transactions are tamper-proof from
the perspective of both transaction authors and verifiers.
k o is the essence of Monero’s transaction model. Signing m with k o proves you are the
owner/recipient of the amount committed to in C a . Verifiers can be confident that transac-
tion authors are spending their own funds.
Range proofs for outputs To avoid the amount ambiguity of outputs described in Section 4.3, src/ringct/
the sender must also employ the Borromean signature scheme of Section 3.4 to sign amount rctSigs.cpp
ranges for each output t ∈ {1, ..., p}. No message m is signed by the Borromean signatures. prove-
Range()
15
The actual message is m = H(H(tx pref ix), H(ss), H(range proof signatures)) where: src/ringct/
tx pref ix ={transaction era version (i.e. ringCT = 2), inputs {key offsets, key image}, outputs {one-time rctSigs.cpp
addresses}, extra {transaction public key, payment ID or encoded payment ID, misc.}} get pre mlsag
ss ={signature type (simple vs full), transaction fee, pseudo output commitments for inputs, ecdhInfo (masks hash()
and amounts), output commitments}.
See Appendices A & B regarding this terminology.
CHAPTER 5. MONERO TRANSACTIONS 44
Range proofs are not needed for input amounts because they are either expressed clearly
(as with transaction fees and block rewards), or were proven in range when first created as
outputs.
In the current version of the Monero software, each amount is expressed as a fixed point
number of 64 bits. This means the data for each range proof will contain 64 bit commitments
and 2 · 64 + 1 signature terms.
Typically transaction outputs are lower in total than transaction inputs, in order to provide a
fee that will incentivize miners to include the transaction in the blockchain.16 Transaction fee
amounts are stored in clear text in the transaction data transmitted to the network. Miners can
create an additional output for themselves with the fee. This fee amount must be converted into
a commitment so verifiers can confirm transactions sum to zero.
The solution is to calculate the commitment of the fee f without the masking effect of any blinding
factor. That is, C(f ) = f H, where f is communicated in clear text.
X X
( Cπ,j − Ctb ) − f H = zG
j t
An MLSAG signature (Section 3.3) contains images K̃j of private keys kπ,j . An important prop- src/crypto-
erty in any cryptographic signature scheme is that it should be unforgeable with non-negligible note core/
probability. Therefore, to all practical effects, we can assume a signature’s key images must haveblock-
been deterministically produced from legitimate private keys. chain.cpp
have tx
The network need only verify that key images included in MLSAG signatures (corresponding to
keyimges
inputs and calculated as K̃jo = kπ,j
o H (K o )) have not appeared before in other transactions.17 If
p π,j
a addressed
as spent()
they have, then we can be sure we are witnessing an attempt to re-spend an output Cπ,j
o .
to Kπ,j
16
In Monero there is a minimum base fee per kB of transaction data. It is semi-mandatory because while you
can create new blocks with tiny-fee transactions, most Monero nodes won’t relay such transactions to other nodes.
We go into more detail on this in Section 6.3.3.
17
Verifiers must also check the key image is a member of the generator’s subgroup (recall Section 3.1).
CHAPTER 5. MONERO TRANSACTIONS 45
If someone tries to spend Cπ,ja twice, they will reveal the index π for both transactions where it
appears. This has two effects: 1) all outputs at index π in the first transaction are revealed as
its real inputs, and 2) all outputs at index π in the second transaction are revealed as not having
been spent before. The second is a problem even considering miners would reject the double-spend
transaction.
These effects could weaken the network benefits of ring signatures, and are part of the reason
RCTTypeFull is only used for single-input transactions. The other main reason is that a cryptan-
alyst would know that, in general, all real inputs share an index.
From Section 3.3 we recall that an MLSAG signature in this context would be expressed as
σ(m) = (c1 , r1,1 , ..., r1,m+1 , ..., rv+1,1 , ..., rv+1,m+1 ) with (K̃1o , ..., K̃m
o)
As a legacy of CryptoNote, the values K̃jo are not referred to as part of the signature, but rather as
o . These key images are normally stored separately in the transaction
images of the private keys kπ,j
structure, as they are used to detect double-spending attacks.
With this in mind and assuming point compression, an MLSAG signature will require ((v + 1) ·
(m + 1) + 1) · 32 bytes of storage, where v is the mixin level and m is the number of inputs. In other
words, a transaction with 1 input and a total ring size of 32 would consume (32 · 2 + 1) · 32 = 2080
bytes.
To this value we would add 32 bytes to store the key image of each input, for m · 32 bytes of
storage, and additional space to store the ring member offsets in the blockchain (see Appendix
A). These offsets are used by verifiers to find each MLSAG signature’s ring members’ output keys
and commitments in the blockchain, and are stored as variable length integers, hence we can not
exactly quantify the space needed.18
Including the computation of ( Ci,j − Ctb ) − f H, and verifying key images are in G’s subgroup src/ringct/
P P
j t
?
rctSigs.cpp
with lK̃ = 0, we verify a RCTTypeFull transaction’s MLSAG (Section 3.3) with: verRctMG()
PA Point addition for some points A, B: A + B [m ∗ (v + 1)]
PS Point subtraction for some points A, B : A − B [(v + 1) ∗ (p + 1)]
VBSM Variable-base scalar multiplications for some integer a, and point P : aP [m]
KBSM Known-base scalar multiplications for some integer a: aG [1]
DVBA Double-variable-base addition for some integers a, b, and point B: aG+bB [(m+1)∗(v+1)]
VBA Variable-base additions for some integers a, b, and points A, B: aA + bB [m ∗ (v + 1)]
18
Imagine the blockchain contains a long list of transaction outputs. We report the indices of outputs we want to src/crypto-
spend. Now, bigger indexes require more storage space. We just need the ‘absolute’ position of one index, and the note basic/
‘relative’ position of the other indices. For example, with real indices {7,11,15,20} we just need to report {7,4,4,5}. cryptonote
Verifiers can compute the last index like (7+4+4+5 = 20). format
utils.cpp
absolute out-
put offsets
to relative()
CHAPTER 5. MONERO TRANSACTIONS 46
From Section 3.4, Section 4.3, and Section 5.6.3, we know that a Monero Borromean signature for src/ringct/
range proofs takes the form of an n-tuple ringCT.cpp
genBor-
σ = (c1 , r0,1 , r0,2 , r1,1 ..., r63,2 )
romean()
Ring keys are considered part of ring signatures. However, in this case it is only necessary to store
the commitments Ci , as the ring key counterparts Ci − 2i H can be easily derived (for verification
purposes).
Respecting this convention, a range proof will require (1 + 64 · 2 + 64)32 = 6176 bytes per output.
Including Ci − 2i H and checking i Ci = C, range proofs for p outputs will require this to verify src/ringct/
P
The main characteristic of this approach is that instead of signing the entire set of inputs at once,
the sender signs each input separately.
Among other things, this means we can’t use commitments to zero in the same way as for
RCTTypeFull transactions. It’s really unlikely that we could match an input amount to an output
amount, and in most cases each individual input will be less than the sum of outputs. So, we
cannot directly commit inputs − outputs = 0.
In more detail, assume that Alice wants to sign input j. Imagine for a moment we could sign an
expression like this
X X X
Cja − Ctb = (xj − yt )G + (aj − bt )H
t t t
P
Since aj − bt 6= 0, Alice would have to solve the DLP for H = γG in order to obtain the private
t
key of the expression, something we have assumed to be computationally difficult.
As explained, if inputs are decoupled from each other then the sender can’t sign an aggregate
commitment to zero. On the other hand, signing each input individually implies an intermediate
approach. The sender could create new commitments to the input amounts and commit to zero
CHAPTER 5. MONERO TRANSACTIONS 47
with respect to each of the previous outputs being spent. In this way, the sender could prove the
transaction takes as input only the outputs of previous transactions.
In other words, assume the amounts being spent are a1 , ..., am . These amounts were outputs in
previous transactions, in which they had commitments
Cja = xj G + aj H
The sender can create new commitments to the same amounts but using different blinding factors;
that is,
Cj0a = x0j G + aj H
Clearly, she would know the private key of the difference between the two commitments:
Hence, she would be able to use this value as a commitment to zero for each input. Let us say
(xj − x0j ) = zj , and call each Cj0a a pseudo output commitment.
Similarly to RCTTypeFull transactions, the sender can include each output’s encoded blinding
factor (mask) for yt and amount for bt in the transaction (see Section 5.6.1), which will allow each
receiver t to decode yt and bt using the shared secret rKtv .
Before committing a transaction to the blockchain, the network will want to verify that the transac-
tion balances. In the case of RCTTypeFull transactions, this was simple, as the MLSAG signature
scheme implies each sender has signed with the private key of a commitment to zero.
For RCTTypeSimple transactions, blinding factors for input and output commitments are selected
such that X X
x0j − yt = 0
j t
X m−1
X
x0m = yt − x0j
t j=1
CHAPTER 5. MONERO TRANSACTIONS 48
5.7.2 Signature
Each ring Rj contains (v + 1) · 2 keys. Using the point compression technique from Section 2.4.2,
o
an input signature σ will require (2(v + 1) + 1) · 32 bytes. On top of this is, the key image K̃π,j
0a
and the pseudo output commitment Cπ,j leave a total of (2(v + 1) + 3) · 32 bytes per input.
CHAPTER 5. MONERO TRANSACTIONS 49
A transaction with 20 inputs using rings with 32 total members will need ((32·2+3)·32)20 = 42880
bytes.
For the sake of comparison, if we were to apply the RCTTypeFull scheme to the same transaction,
the MLSAG signature and key images would require (32 · 21 + 1) · 32 + 20 · 32 = 22176 bytes.
0a ) and (
P 0a ? P b
Including the computation of (Ci,j − Cπ,j j Cj = t Ct + f H), and verifying key images src/ringct/
are in G’s subgroup with lK̃, we verify all of a RCTTypeSimple transaction’s MLSAGs with: rctSigs.cpp
verRctMG-
PA Point addition for some points A, B: A + B [m + p + 1] Simple()
PS Point subtraction for some points A, B : A − B [m ∗ (v + 1)] verRct-
VBSM Variable-base scalar multiplications for some integer a, and point P : aP [m] Simple()
KBSM Known-base scalar multiplications for some integer a: aG [1]
DVBA Double-variable-base addition for some integers a, b, and point B: aG + bB [m ∗ 2 ∗ (v + 1)]
VBA Variable-base additions for some integers a, b, and points A, B: aA + bB [m ∗ (v + 1)]
The size of range proofs remains the same for RCTTypeSimple transactions. As we calculated for
RCTTypeFull transactions, each output will require 6176 bytes of storage.
As before, each range proof will require this to verify (Section 4.4): src/ringct/
rctSigs.cpp
VRSF Verify range proof special function [p ∗ 64] verRange()
DVBA Double-variable-base addition for some integers a, b, and point B: aG + bB [p ∗ 2 ∗ 64]
CHAPTER 5. MONERO TRANSACTIONS 50
To summarize this chapter we present the main content of a transaction, organized for conceptual
clarity. Real examples can be found in Appendices A and B.
• Type: ‘0’ is RCTTpeNull (for miners), ‘1’ is RCTTypeFull, and ‘2’ is RCTTypeSimple
• Inputs: for each input j ∈ {1, ..., m} spent by the transaction author
– Ring member offsets: a list of ‘offsets’ indicating where a verifier can find input j’s
ring members i ∈ {1, ..., v + 1} in the blockchain (includes the real input)
z for i ∈ {1, ..., v + 1} and input j
– MLSAG Signature: σ terms c1 , and ri,j & ri,j
– Key image: the key image K̃jo,a for input j
– Pseudo output commitment [RCTTypeSimple only]: Cj0a for input j
• Outputs: for each output t ∈ {1, ..., p} to address or subaddress (Ktv , Kts )
– One-time address: Kto,b for output t
– Output commitment: Ctb for output t
– Diffie-Hellman terms: so receivers can compute Ctb and bt for output t
∗ Mask : yt + Hn (Hn (rKtv , t))
∗ Amount: bt + Hn (Hn (Hn (rKtv , t)))
– Range proof for output amount bt using a Borromean ring signature
∗ Signatures: σ terms c1 , and ri,j for i ∈ {0, ..., 63} and j ∈ {1, 2}
∗ Bit commitments: Ci for i ∈ {0, ..., 63}
• Transaction fee: communicated in clear text multiplied by 1012 (i.e. atomic units, see chapter
6), so a fee of 1.0 would be recorded as 1000000000000
• Extra: includes the transaction public key rG, or, if at least one output is directed to a
subaddress, rt Kts,i for each subaddress’d output t and rt G for each normal address’d output
t, and a payment ID or encoded payment ID (max one per transaction)19
19
No information stored in the ‘extra’ field is verified, though it is signed by input MLSAGs, so no tampering is
possible (except with negligible probability).
CHAPTER 5. MONERO TRANSACTIONS 51
For RCTTypeFull we need ((v + 1) · (m + 1) + 1) · 32 bytes of storage, and verify with: src/ringct/
rctOps.cpp
PA Point addition for some points A, B: A + B [m ∗ (v + 1)]
PS Point subtraction for some points A, B : A − B [(v + 1) ∗ (p + 1)]
KBSM Known-base scalar multiplications for some integer a: aG [1]
DVBA Double-variable-base addition for some integers a, b, and point B: aG+bB [(m+1)∗(v+1)]
VBA Variable-base additions for some integers a, b, and points A, B: aA + bB [m ∗ (v + 1)]
Output range proofs need p · 6176 bytes of storage, and verify with:
Miscellaneous requirements:
20
See [16] for an explanation of Monero’s varint data type.
CHAPTER 6
The Internet Age has brought a new dimension to the human experience. We can correspond
with people on every corner of the planet, and an unimaginable wealth of information is at our
fingertips. Exchanging goods and services is fundamental to a peaceful and prosperous society,
and in the digital realm we can offer our productivity to the whole world.
Media of exchange (moneys) are essential, giving us a point of reference to an immense diversity of
economic goods that would otherwise be impossible to evaluate, and enabling mutually beneficial
interactions between people with nothing in common. Throughout history there have been many
kinds of money, from sea shells to paper to gold. Those were exchanged by hand, and now money
can be exchanged electronically.
In the current, by far most pervasive, model, electronic transactions are handled by third party
financial institutions. These institutions are given custody of money and trusted to transfer it
upon request. Such institutions must mediate disputes, their payments are reversible, and they
can be censored or controlled by powerful organizations. [49]
It seems appropriate for the Internet Age to have its own unique currencies.
Note: this chapter includes more implementation details than previous chapters, as a blockchain’s
nature depends heavily on its parameters and specific structure.
52
CHAPTER 6. THE MONERO BLOCKCHAIN 53
Suppose two pals Jim and Dwight need a currency for their Secret Society of Stealthy Sleuths. Jim
sends an email to Dwight saying “As co-founder, I hereby conjure 5 Stealthbucks for myself and 5
Stealthbucks for you.” Later that day Dwight discovers Kevin had made 69 Stealthbucks for himself
and used them to buy Dwight’s bobblehead from Jim. There should only be 10 Stealthbucks, what
went wrong?
In the email model anyone can make Stealthbucks, and anyone can send their Stealthbucks over
and over. It does not have a limited supply, nor is it ‘double spend proof’.
Jim proposes a new system, Stealthbucks 2.0, where he keeps a record on his computer of who
owns all the Stealthbucks. To exchange them, people need to talk to Jim. Since Jim is the sole
custodian, there is no question the Stealthbucks on Kevin’s computer are bogus. Jim promises
Dwight they will start off with 100 Stealthbucks each and that’s it - no more. Dwight tries to buy
his bobblehead back and Jim says “You need to prove your identity!” What went wrong?
In the video game model, where the entire currency is stored on one central database, users
rely on the custodian to be honest. The currency’s supply is unverifiable for observers, and the
custodian can change the rules at any time, or be censored by powerful outsiders.
Since Jim can’t be trusted to manage Stealthbucks, Dwight suggests setting up a bunch of com-
puters that each have a record of every Stealthbuck transaction. When a new transaction is made
on one computer, it is broadcast to the other computers, which only accept it if it follows the
rules.
Rule 5: Only the person who owns a piece of money can spend it.
Rules 2-6 are already covered by the transaction schemes discussed in Chapter 5, which add the
benefits of ambiguous signing, anonymous receipt of funds, and unreadable amount transfers. We
explain Rule 1 later in this chapter.
What if one of the computers goes rogue and starts making a bunch of Stealthbucks for itself?
Users only benefit from Stealthbucks when other users accept it in exchange, so no one will accept
transactions spending counterfeit Stealthbucks if they expect other users only want legitimate
coins. Each user must act honestly and follow the same rules as everyone else if they want to
CHAPTER 6. THE MONERO BLOCKCHAIN 54
spend their money. We call this situation a ‘social minima’, ‘Schelling point’, or ‘social contract’.
Simply storing all transactions has a problem. If two computers receive legitimate transactions
spending the same money, before they have a chance to send the information to each other, how
do they decide which is correct? There is a ‘fork’ in the currency, because two different copies
that follow the same rules exist.
It seems obvious the earliest legitimate transaction spending a piece of money should be canon-
ical. This is easier said than done. As we will see, obtaining consensus for transaction histories
constitutes the raison d’être of blockchain technology.
First we need all of the computers, henceforth referred to as nodes, to agree on the order of
transactions.
Let’s say Stealthbucks started with a ‘genesis’ declaration by Jim and Dwight: “Let the Stealth-
bucks begin!”. We call this message a ‘block’, and its block hash is
BH G = H(Let the Stealthbucks begin!)
Every time a node receives some transactions, they use those transactions’ hashes, TH , as mes-
sages, along with the previous block’s hash, and compute new block hashes
BH 1 = H(BH G , TH 1 , TH 2 , ...)
BH 2 = H(BH 1 , TH 1 , TH 2 , ...)
And so on, publishing each new block of messages as it’s made. Each new block references the
previous, most recently published block. In this way a clear order of events extends all the way
back to the genesis message. We have a chain of blocks: a very simple ‘blockchain’.1
Nodes can include a timestamp in their blocks to aid record keeping. If most nodes are honest with
timestamps then the blockchain provides a decent picture of when each transaction was recorded.
What if different transactions spending the same money are added to blocks referencing the same
previous block, which are published at the same time? The network of nodes will fork again, as
each node receives one of the new blocks before the other (for simplicity, imagine about half the
nodes have each side of the fork). Let’s keep improving our blockchain.
6.2 Difficulty
If nodes can publish new blocks whenever they want, the network will tend to fracture and diverge
into many different, equally legitimate, chains. Say it takes 30 seconds to make sure everyone in
1
A blockchain is technically a ‘directed acyclic graph’ (DAG), with Bitcoin-style blockchains a one-dimensional
variant. DAGs contain a finite number of nodes and one-directional edges (vectors) connecting nodes. If you start
at one node, you will never loop back to it no matter what path you take. [5]
CHAPTER 6. THE MONERO BLOCKCHAIN 55
the network gets a new block. What if transactions are made every 31 seconds? New blocks would
just barely make it everywhere before another one gets sent out.
Now what if new blocks are every 15 seconds, 10 seconds, etc? Since message transmission time
is a function of distance, the network would fracture into small clumps circumscribed by the time
it takes for a new block to propagate before a new one is produced.
We can avoid this by controlling how fast the entire network makes new blocks. If the time it
takes to make a new block is much higher than the time for the previous block to reach every
node, the network will tend to remain intact.
The output of a cryptographic hash function is uniformly distributed. This means, for any given
input, its hash is equally likely to be every single possible output. Furthermore, it takes a certain
amount of time to compute a single hash.
Let’s imagine a hash function Hi (x) which outputs a number from 1 to 100: Hi (x) ∈D R {1, ..., 100}.
We use ∈DR to say the output is deterministically random. Given some x, H i (x) selects the same
‘random’ number from {1,...,100} every time you calculate it. It takes 1 minute to calculate Hi (x).
Say we are given a message m and so-called ‘nonce’ n = 1, and told to find an n such that Hi (m, n)
outputs a number less than or equal to the target t = 10 (i.e. Hi (m, n) ∈ {1, ..., 10}). Guessing
and checking by incrementing n for each new hash, how many hashes will it probably take?
It should be around 10 hashes, for 10 minutes of hashing, because there is only a 1/10th chance
any given input will output a good answer. This isn’t to say n = 10 is the right answer, just that
if we take a lot of messages and do this process for each one, n = 10 will be the average value.
We call searching for a useful nonce mining, and publishing the message with its nonce is a proof
of work because it proves we looked for a useful nonce (even if we were lucky and it needed just
one hash to find), which anyone can verify by computing Hi (m, n).
Now say we have a hash function for generating proofs of work, HP oW ∈D R {0, ..., m}, where m is src/crypto-
its maximum possible output. Given a message m (a block of information), a nonce n to mine, note basic/
and a target t, we can define the difficulty d, or expected number of hashes, like this: d = m/t. If diffi-
HP oW (m, n) ∗ d ≤ m, then n is accepted. culty.cpp
check hash()
As the target gets smaller, the difficulty rises and it takes a computer more and more hashes, and
therefore longer and longer periods of time, to find useful nonces.
Assume all nodes are mining nonces at the same time, but quit on their ‘current’ block when they
receive a new one from the network. They immediately start mining a fresh block that references
the new one.
CHAPTER 6. THE MONERO BLOCKCHAIN 56
Suppose we collect a bunch b of blocks from the blockchain (say, with index u ∈ {1, ..., b}) which
each had a difficulty du . For now, assume the nodes who mined them were honest, so each
block timestamp T S u is accurate. The total time between the earliest block and most recent
block is totalTime = T S b − T S 1 . The approximate number of hashes to mine all the blocks is
P
totalDifficulty = u du .
Now we can guess how fast the network, with all its nodes, can compute hashes. If the actual
speed didn’t change much while the bunch of blocks was being produced, it should be effectively2
hashSpeed ≈ totalDifficulty/totalTime
If we want to set the target time to mine new blocks, so blocks are produced at a rate
(one block)/(target time), then from the hash speed we can calculate how many hashes it should
take for the network to spend that amount of time mining.
miningHashes = hashSpeed ∗ targetTime
Since difficulty is approximately how many hashes it takes to generate a proof of work, we can set
the new difficulty equal to miningHashes. Note: we round up so difficulty never equals zero.
newDifficulty = (totalDifficulty/totalTime) ∗ targetTime
There is no guarantee the next block will take newDifficulty amount of hashes to mine, but over
time and many blocks and constantly re-calibrating, the difficulty will track with the network’s
real hash speed and blocks will tend to take targetTime.3
Now we have a mechanism to resolve conflicts between chain forks. Since difficulty represents how
much work was spent to mine a block, higher difficulty means more work performed.
By convention, the chain with highest cumulative difficulty (from all blocks in the chain), and
therefore with most work spent constructing, is considered the real, legitimate version. If a chain
splits and each fork has the same cumulative difficulty, nodes continue mining on their fork until
one branch gets ahead of the other, at which point the weaker branch is discarded (‘orphaned’).
If nodes wish to change or upgrade the basic protocol, i.e. the set of rules a node considers when
deciding if a blockchain copy or new block is legitimate, they may easily do so by forking the
chain. Whether the new branch has any impact on users depends on how many nodes switch and
how much software infrastructure is modified.4
2
If node 1 tries nonce n = 23 and later node 2 also tries n = 23, node 2’s effort is wasted because the network
already ‘knows’ n = 23 doesn’t work (otherwise node 1 would have published that block). The network’s effective
hash rate depends on how fast it hashes unique nonces for a given block of messages. As we will see, since miners
include a miner transaction with one-time address K o ∈E R Zl (E = effectively) in their blocks, blocks are always
unique between miners except with negligible probability.
3
If we assume network hash rate is constantly, gradually, increasing, then since new difficulties depend on past
hashes (i.e. before the hash rate increased a tiny bit) we should expect actual block times to, on average, be slightly
less than targetTime. The effect of this on the emission schedule (Section 6.3.1) could be canceled out by penalties
from increasing block sizes, which we explore in Section 6.3.2.
4
Monero has successfully changed its protocol 7 times, with nearly all users and miners adopting the changes
each time. v1 April 18, 2014 [63]; v2 March, 2016; v3 September, 2016; v4 January, 2017; v5 April, 2017; v6
September, 2017; v7 April, 2018; see src/cryptonote core/blockchain.cpp mainnet hard forks
CHAPTER 6. THE MONERO BLOCKCHAIN 57
For an attacker to convince honest nodes to alter the transaction history, perhaps in order to
respend/unspend funds, he must create a chain fork (on the current protocol) with higher total
difficulty than the main chain (which meanwhile continues to grow). This is very hard to do unless
you control over 50% of the network hash speed and can outwork other miners. [49]
To make sure chain forks are on an even footing, we don’t sample the most recent blocks (for
calculating new difficulties), instead lagging our bunch b by l. For example, if there are 29 blocks
in the chain (blocks 1,...,29), b = 10, and l = 5, we sample blocks 15-24 in order to compute block
30’s difficulty.
If mining nodes are dishonest they can manipulate timestamps so new difficulties don’t match
the network’s real hash speed. We get around this by sorting timestamps chronologically, then
chopping off the first o outliers and last o outliers. Now we have a ‘window’ of blocks w = b − 2 ∗ o.
From the previous example, if o = 3 and timestamps are honest then we would chop blocks 15-17
and 22-24, leaving blocks 18-21 to compute block 30’s difficulty from.
Monero is somewhat bizarre. Instead of sorting block difficulties so they correspond with their
blocks’ sorted timestamps, we use an array of the original bunch’s blocks’ cumulative difficulties,
src/crypto-
leave it unsorted, and chop off the o outliers from that. Cumulative difficulty for a block is that
note core
block’s difficulty plus the difficulty of all previous blocks in the chain.
block-
Using the chopped arrays of w timestamps and cumulative difficulties (indexed from 1,...,w), we chain.cpp
define get diff-
totalTime = choppedSortedTimestamps[w] − choppedSortedTimestamps[1] iculty for
totalDifficulty = choppedCumulativeDifficulties[w] − choppedCumulativeDifficulties[1] next block()
In Monero the target time is 120 seconds (2 minutes), l = 15 (30 mins), b = 720 (one day), and src/crypto-
o = 60 (2 hours).5 note config.h
Block difficulties are not stored in the blockchain, so someone downloading a copy of the blockchain
and verifying all blocks are legitimate needs to recalculate difficulties from recorded timestamps.
There are a few rules to consider for the first b + l = 735 blocks. src/crypto-
note basic
Rule 1: Ignore the genesis block (block 0, with d = 1) completely. Blocks 1 and 2 have
diffi-
d = 1.
culty.cpp
Rule 2: Before chopping off outliers, try to get the window w to compute totals from. next diff-
iculty()
Rule 3: After w blocks, chop off high and low outliers, scaling the amount chopped until
b blocks. If the amount of previous blocks (minus w) is odd, remove one more low outlier
than high.
Rule 4: After b blocks, sample the earliest b blocks until b + l blocks, after which everything
proceeds normally - lagging by l.
5
In March, 2016, (v2 of the protocol) Monero changed from 1 minute target block times to 2 minute target block
times [11]. Other difficulty parameters have always been the same.
CHAPTER 6. THE MONERO BLOCKCHAIN 58
Monero uses a proof of work hash algorithm known as Cryptonight, designed to be relatively src/crypto/
inefficient on GPU, FPGA, and ASIC architectures [60] compared to standard hash functions like slow-hash.c
SHA256. In April, 2018, (v7 of the protocol) it was slightly modified to counter the advent of
Cryptonight ASICs [22].
Obviously a digital currency needs a supply of money for users to transact with. There are
two basic mechanisms for creating money in a blockchain-based cryptographic currency (a.k.a.
cryptocurrency).
First, the currency’s creators can simply conjure a set amount and distribute it to people in
the genesis message. This is often called an ‘airdrop’. Sometimes cryptocurrency creators give
themselves a large amount of money in a so-called ‘pre-mine’. [17]
Second, the currency can be automatically distributed as reward for mining a block, much like
mining for gold. There are two types here. In the Bitcoin model the total possible supply is
capped. Block rewards slowly decline to zero, after which no more money is ever made. In the
inflation model the supply continues to rise indefinitely.
Some cryptocurrencies employ both mechanisms for money creation. In fact, Monero is based on
a currency known as Bytecoin that had a large pre-mine, followed by block rewards [10]. Monero
had no pre-mine, and as we will see, its block rewards slowly decline to a small amount after which
all new blocks reward that same amount, making Monero an inflationary currency.
The block reward concept is straightforward. Block miners, before mining for a nonce, make
a ‘miner transaction’ with no inputs and one output. The output amount is equal to the block
reward, plus transaction fees from all transactions to be included in the block, and is communicated
in clear text. Nodes who receive a mined block must verify the block reward is correct, and can
calculate the current money supply by summing all past block rewards together.
Besides distributing money, block rewards incentivize mining. If there were no block rewards
(and no other mechanism), why would anyone mine new blocks? Perhaps altruism or curiosity.
However, few miners makes it easy for a malicious actor to assemble >50% of the network’s hash
rate, with which they can easily rewrite recent chain history.6
With block rewards, competition between miners drives total hash rate up until the marginal cost
of adding more hash rate is higher than the marginal reward of obtaining that proportion of mined
6
As an attacker gets higher shares (beyond 50%) of the hash rate, it becomes easier and easier to rewrite older
and older blocks.
CHAPTER 6. THE MONERO BLOCKCHAIN 59
blocks (which appear at a constant rate) (plus some premiums like risk and opportunity cost).
This means as a cryptocurrency becomes more valuable, its total hash rate will increase and it
becomes progressively more difficult and expensive to gather >50%.
Bit shifting
Bit shifting is used for calculating the base block reward (as we will see in Section 6.3.2, the block
reward can sometimes be reduced below the base amount).
Suppose we have an integer A = 13, which has a bit representation [1101]. If we shift the bits of
A down by 2, denoted A >> 2, we get [0011].01, which equals 3.25. In reality that last .01 outside
the array, equal to 0.25, gets thrown away - ‘shifted’ into oblivion, leaving us with [0011] = 3.
This operation is equivalent to floor (13/4) = 3, or floor (A/2ˆ2), where floor rounds the number
down - chopping off the 01 part of [0011].01.
Let’s call the current total money supply M, and the ‘limit’ of the money supply L = 264 − 1
(in binary it is [11....11], with 64 bits). In the beginning of Monero, the base block reward
B = (L-M) >> 20, or in other words floor ((L-M)/2ˆ20). If M = 0, then, in decimal format,
L = 18, 446, 744, 073, 709, 551, 615
B0 = (L − 0) >> 20 = 17, 592, 186, 044, 415
These numbers are in ‘atomic units’ - 1 atomic unit of Monero can’t be divided (there is no
0.5 atomic units). Clearly atomic units are ridiculous - L is over 18 quintillion! We can divide
everything by 10ˆ12 to move the decimal point over, giving us the standard units of Monero (a.k.a.
XMR, Monero’s so-called ‘stock ticker’).
L
= 18, 446, 744.073709551615
1012
(L − 0) >> 20
B0 = = 17.592186044415
1012
And there it is, the very first block reward, dispersed to pseudonymous thankful for today (who
was responsible for starting the Monero project) in Monero’s genesis block [63], was about 17.6
Moneroj! See Appendix D to confirm this for yourself.7
As more and more blocks are mined block rewards accumulate and M grows, continuously lowering
future block rewards. Initially (since the genesis block in April, 2014) Monero blocks were mined
once per minute, but in March, 2016, it became two minutes per block [11]. To keep the ‘emission
schedule’, i.e. the rate of money creation,8 the same, block rewards were doubled. This just means,
7
Monero amounts are stored in atomic-unit format in the blockchain.
8
For an interesting comparison of Monero and Bitcoin’s emission schedules see [15].
CHAPTER 6. THE MONERO BLOCKCHAIN 60
after the change, we use (L-M) >> 19 instead of >> 20 for new blocks. Currently the base block
reward is
(L − M ) >> 19
B=
1012
It would be nice to mine every new transaction into a block right away. However, what if someone
submits a lot of transactions maliciously? The blockchain, storing every transaction, would quickly
grow unpleasantly large.
One mitigation is a fixed block size, so the number of transactions per block is limited. What
if honest transaction volume rises? Each transaction author would bid for a spot in new blocks
by offering fees to miners. Miners would mine transactions with the highest fees in order to earn
maximum money. As transaction volume increases, fees would become prohibitively large for
transactions of small amounts (such as Alice buying an apple from Bob). Only people willing to
outbid everyone else would get their transactions into the blockchain.
Monero avoids those extremes (limited vs unlimited block size) with a dynamic block size. Miners
can make blocks bigger than typical blocks from the recent past, but they have to pay a penalty
in the form of reduced block reward. It’s the price of making a bigger block.
To calculate a new block’s size penalty, we sample the most recent 100 blocks in the blockchain
and find the median block size, median 100blocks. We set the variable M100 to the larger value in
the set {median 100blocks, 300kB}.9 Only blocks larger than M100 pay a penalty, but the median
can slowly rise, allowing progressively bigger blocks with no penalty. The maximum block size is
2*M100.
If the intended block size is greater than M100, then, given base block reward B, the block reward
penalty is
P = B ∗ ((block size/M100) − 1)2
The actual block reward is therefore src/crypto-
note basic/
Bactual = B − P
cryptonote
Bactual = B ∗ (1 − ((block size/M100) − 1)2 ) basic
Using the ˆ2 operation means penalties are sub-proportional to block size. A block size 10% larger impl.cpp
than M100 has just a 1% penalty, and so on. [15] get block
reward()
We can expect miners to create blocks larger than M100 when the fee from adding another trans-
action is bigger than the penalty incurred.
9
In the beginning of Monero it was 20kB, then increased to 60kB in March, 2016, (v2 of the protocol) [11], and
has been 300kB since April, 2017 (v5 of the protocol) [1]. This non-zero ‘floor’ on the dynamic block size helps with
transient transaction volume changes, especially in the early stages of Monero adoption.
CHAPTER 6. THE MONERO BLOCKCHAIN 61
To prevent malicious actors from flooding the blockchain with transactions, which could be used
to pollute ring signatures, and generally bloat it unnecessarily, Monero requires a minimum fee
per kB of transaction data. Originally this was simply 0.002 XMR/kB, then in January, 2017, (v4
of the protocol) a formula was added to mitigate some security risks from transaction fees higher
than block rewards, and to deincentivize miners from pushing M100 above 300kB during transient
high volumes of submitted transactions [8].
First we say the base dynamic fee is fbkB = 0.0004/kB,10 then we compute Bactual and M100 from
the previous sections.
The minimum fee per kB is11 src/crypto-
f kB
= fbkB ∗ (300kB/M100) ∗ (B actual
/10) note core
block-
Note: we round transaction size up to the nearest kB.
chain.cpp
get dyna-
6.3.4 Emission tail mic per
kb fee()
Let’s suppose a cryptocurrency with fixed maximum supply and dynamic block size. After a while
its block rewards fall to zero. With no more penalty on increasing block size, miners will simply
add any transaction with a non-zero fee to their blocks.
Block sizes will stabilize around the average rate of transactions submitted to the network, and
transaction authors will have no compelling reason to use transaction fees above the minimum,
which would be zero according to Section 6.3.3.
This introduces an unstable, insecure situation. Miners will have little to no incentive to mine
new blocks, leading to a fall in network hash rate as returns on investment decline. Block times
will remain the same as difficulties adjust, but the cost of performing a double-spend attack may
become feasible for malicious actors.
Monero mitigates this by not allowing the block reward to fall below 0.6 XMR (0.3 XMR per src/crypto-
minute). This means when the following condition is met, note basic/
cryptonote
0.6 > ((L − M ) >> 19)/1012
basic
M > L − 0.6 ∗ 219 ∗ 1012
impl.cpp
M/1012 > L/1012 − 0.6 ∗ 219 get block
12
M/10 > 18, 132, 171.273709551615 reward()
then the Monero chain will enter a so-called ‘emission tail’, with constant 0.6 XMR (0.3 XMR/minute)
block rewards forever after.12
10
The base fee was changed from 0.002 XMR/kB to 0.0004 XMR/kB in April, 2017 (v5 of the protocol) [1].
11
To check if a given fee is correct, we allow a 2% buffer on f kB in case of integer overflow (we compute fee before
tx size is completely determined). This means the effective minimum fee is 0.98*f kB .
12
The Monero emission tail’s estimated arrival is May, 2022 [13].
CHAPTER 6. THE MONERO BLOCKCHAIN 62
Each block has a miner transaction that permits whoever mined a block to send himself the block src/crypto-
reward and any transaction fees from transactions included in the block (summed into one out- note core/
put).13 The output of a miner transaction is locked, unspendable, for 60 blocks after it is published cryptonote
[18].14 tx utils.cpp
construct
miner tx()
Since RingCT was implemented in January, 2017 (v4 of the protocol) [12], people downloading a
new copy of the blockchain compute a commitment to the miner transaction (a.k.a tx) amount
a, as C = 1G + aH, and store it for referral. This means block miners can spend their miner src/block-
transaction outputs just like a normal transaction’s output, mixing them into MLSAG rings with chain db/
other transaction outputs (both normal and miner tx’s are eligible). blockchain
db.cpp
add trans-
Blockchain verifiers store each post-RingCT block’s miner tx amount commitment, for 32 bytes
action()
each, and compute them with:
It starts with a genesis message of some kind (in our case basically a miner transaction dispersing
the first block reward), which constitutes the genesis block. The next block contains a reference to
the previous block, in the form of block ID. A block ID is simply a hash of: the block’s header (a
list of information about a block), a so-called ‘Merkle root’ that attaches all the block’s transaction
IDs (which are hashes of each transaction), and the number of transactions (including the miner
transaction).
To produce a new block, one must do proof of work hashes by changing a nonce value stored in src/crypto-
the block header until the difficulty target condition is met. The proof of work and block ID hash note basic/
the same information, except use different hash functions. cryptonote
13
The miner transaction output can theoretically be sent to a subaddress and/or use multisig and/or encoded (or
format
not) payment ID. We don’t know if any implementations have any of those features. Note that we need a transaction utils.cpp
public key as usual. get block
14
Any transaction’s author can lock its outputs, rendering them unspendable until after a specified block height.
He only has the option to lock all outputs to the same block height. It is not clear if this offers any meaningful hashing
utility to transaction authors. Locked outputs are only mandatory for miner transactions. blob()
CHAPTER 6. THE MONERO BLOCKCHAIN 63
6.4.1 Transaction ID
Transaction IDs are similar to the message signed by input MLSAG signatures (Section 5.6.3),
but include the MLSAG signatures too.
Transaction ID
In place of an ‘input’, a miner transaction records the block height of its block. This ensures the
miner transaction’s ID, which is simply a normal transaction ID except with Hn (Signatures) →
Hn (0), is always unique. No one can make different blocks with the same miner tx ID by setting
the miner transaction’s amount (i.e. with fees) and output one-time address the same, which could
confuse people looking for the ID.
Some users may want to discard unnecessary data from their copy of the blockchain. For example,
once you verify some transaction’s range proofs and input signatures, the only reason to keep that
signature information is so users who obtain it from you can verify it for themselves.
To facilitate ‘pruning’ transaction data, and to more generally organize it within a block, we use src/crypto/
a Merkle tree [47], which is just a binary hash tree of transaction IDs. Any branch in a Merkle tree-hash.c
tree can be pruned if you keep its root hash.15 tree hash()
15
We do not know of any Monero users who prune their blockchain, nor of any software able to do it. If
pruning were implemented, it would probably involve deleting all signature data after verification, and keeping
Hn (Signatures) for computing transaction IDs. Signatures constitute most of a block’s data, so this could allow a
substantial reduction in blockchain size.
CHAPTER 6. THE MONERO BLOCKCHAIN 64
An example Merkle tree based on four transactions and a miner transaction is diagrammed in
Figure 6.1.16
Hash A
Hash B Hash C
Merkle Root
We can use the Merkle root to reference all of a blocks transactions, while facilitating transaction,
or transaction component, pruning.
16
A bug in the code for computing Merkle trees led to a serious attack on Monero on September 4, 2014 [38].
CHAPTER 6. THE MONERO BLOCKCHAIN 65
6.4.3 Blocks
A block is basically a block header and some transactions. Block headers record important in-
formation about each block. A block’s transactions can be referenced with their Merkle root.
We present here the outline of a block’s content. Our readers can find a real block example in
Appendix C.
• Block header:
– Major version: Used to track hard forks (changes to protocol).
– Minor version: Previously used for voting, now just displays the major version again.
– Timestamp: UTC (Coordinated Universal Time) time of block. Added by miners, src/crypto-
timestamps are unverified but they won’t be accepted if lower than the median times- note core/
tamp of the last 60 blocks. block-
– Previous block’s ID: Referencing the previous block, this is the essential feature of chain.cpp
a blockchain. check block
timestamp()
– nonce: A 32 byte integer that miners change over and over until the PoW hash meets
the difficulty target. Block verifiers can easily recalculate the PoW hash.
• Miner transaction: Disperses block reward and transaction fees to the block’s miner. src/crypto-
• Transaction IDs: References to non-miner transactions added to the blockchain by this block. note basic/
Tx IDs can, in combination with the miner tx ID, be used to calculate the Merkle root, and cryptonote
to find the actual transactions wherever they are stored. format
utils.cpp
Block IDs are computed like this:17 calculate
Block ID = Hn (Block header, Merkle root, #transactions + 1) block hash()
And block mining is performed like this: get block
- while P oW output > target, keep changing the nonce and recalculating: longhash()
P oW output = HP oW (Block header, Merkle root, #transactions + 1)
In addition to the data in each transaction (Section 5.8), we store the following information:
•
Major and minor versions: variable integers ≤ 64 bits
•
Timestamp: variable integer ≤ 64 bits
•
Previous block’s ID: 32 bytes
•
nonce: 32 bytes
•
Miner transaction: 32 bytes for one-time address, 32 bytes for transaction public key, and
variable integers for unlock time, height, and amount. After downloading the blockchain, we
also need 32 bytes to store a commitment to post-RingCT miner tx amounts, C = 1G + aH,
which are computed with:
PA Point addition for some points A, B: A + B [1]
KBSM Known-base scalar multiplications for some integer a: aG [2]
• Transaction IDs: 32 bytes each
17
+1 accounts for the miner tx.
Bibliography
[1] Add intervening v5 fork for increased min block size. https://github.com/monero-project/monero/pull/1869
[Online; accessed 05/24/2018].
[2] cryptography - what is a cryptographic oracle? https://security.stackexchange.com/questions/10617/
what-is-a-cryptographic-oracle [Online; accessed 04/22/2018].
[3] Cryptonote address tests. https://xmr.llcoins.net/addresstests.html [Online; accessed 04/19/2018].
[4] Devmeeting 2018-05-06. https://monerobase.com/wiki/DevMeeting_2018-05-06 [Online; accessed
05/06/2018].
[5] Directed acyclic graph. https://en.wikipedia.org/wiki/Directed_acyclic_graph [Online; accessed
05/27/2018].
[6] How do payment ids work? https://monero.stackexchange.com/questions/1910/
how-do-payment-ids-work [Online; accessed 04/21/2018].
[7] How does monero’s privacy work? https://www.monero.how/how-does-monero-privacy-work [Online; ac-
cessed 04/04/2018].
[8] How does the dynamic fee calculation work? https://monero.stackexchange.com/questions/2531/
how-does-the-dynamic-fee-calculation-work [Online; accessed 05/25/2018].
[9] Modular arithmetic. https://en.wikipedia.org/wiki/Modular_arithmetic [Online; accessed 04/16/2018].
[10] Monero inception and history. https://monero.stackexchange.com/questions/475/
monero-inception-and-history-how-did-monero-get-started-what-are-its-origins-a/476#476 [On-
line; accessed 05/23/2018].
[11] Monero v0.9.3 - hydrogen helix - released! https://www.reddit.com/r/Monero/comments/4bgw4z/monero_
v093_hydrogen_helix_released_urgent_and/ [Online; accessed 05/24/2018].
[12] Ring ct; moneropedia. https://getmonero.org/resources/moneropedia/ringCT.html [Online; accessed
06/05/2018].
[13] Tail emission. https://getmonero.org/resources/moneropedia/tail-emission.html [Online; accessed
05/24/2018].
[14] Trust the math? an update. http://www.math.columbia.edu/~woit/wordpress/?p=6522 [Online; accessed
04/04/2018].
66
BIBLIOGRAPHY 67
[37] Darrel Hankerson, Alfred J. Menezes, and Scott Vanstone. Guide to Elliptic Curve Cryptography. Springer-
Verlag New York, Inc., Secaucus, NJ, USA, 2003.
[38] Surae Noether Jan Macheta, Sarang Noether and Javier Smooth. Counterfeiting via merkle tree exploits within
virtual currencies employing the cryptonote protocol, mrl-0002, September 2014. https://lab.getmonero.org/
pubs/MRL-0002.pdf [Online; accessed 05/27/2018].
[39] Don Johnson and Alfred Menezes. The elliptic curve digital signature algorithm (ecdsa). Technical Report
CORR 99-34, Dept. of C&O, University of Waterloo, Canada, 1999. http://citeseerx.ist.psu.edu/viewdoc/
download?doi=10.1.1.472.9475&rep=rep1&type=pdf [Online; accessed 04/04/2018].
[40] Simon Josefsson and Ilari Liusvaara. Edwards-Curve Digital Signature Algorithm (EdDSA). RFC 8032, January
2017.
[41] Eike Kiltz, Daniel Masny, and Jiaxin Pan. Optimal security proofs for signatures from identification schemes.
In Proceedings, Part II, of the 36th Annual International Cryptology Conference on Advances in Cryptology —
CRYPTO 2016 - Volume 9815, pages 33–61, Berlin, Heidelberg, 2016. Springer-Verlag.
[42] Alexander Klimov. ECC patents?, October 2005. http://article.gmane.org/gmane.comp.encryption.
general/7522 [Online; accessed 04/04/2018].
[43] Joseph K. Liu, Victor K. Wei, and Duncan S. Wong. Linkable Spontaneous Anonymous Group Signature for
Ad Hoc Groups, pages 325–335. Springer Berlin Heidelberg, Berlin, Heidelberg, 2004.
[44] Ueli Maurer. Unifying zero-knowledge proofs of knowledge. In Bart Preneel, editor, Progress in Cryptology –
AFRICACRYPT 2009, pages 272–286, Berlin, Heidelberg, 2009. Springer Berlin Heidelberg.
[45] Greg Maxwell. Confidential transactions. https://people.xiph.org/~greg/confidential_values.txt [On-
line; accessed 04/04/2018].
[46] Gregory Maxwell and Andrew Poelstra. Borromean ring signatures. 2015.
https://pdfs.semanticscholar.org/4160/470c7f6cf05ffc81a98e8fd67fb0c84836ea.pdf [Online; accessed
04/04/2018].
[47] R. C. Merkle. Protocols for public key cryptosystems. In 1980 IEEE Symposium on Security and Privacy,
pages 122–122, April 1980.
[48] Victor S Miller. Use of elliptic curves in cryptography. In Lecture Notes in Computer Sciences; 218 on Advances
in cryptology—CRYPTO 85, pages 417–426, Berlin, Heidelberg, 1986. Springer-Verlag.
[49] Satoshi Nakamoto. Bitcoin: A peer-to-peer electronic cash system,” http://bitcoin.org/bitcoin.pdf, 2008.
[50] Arvind Narayanan and Malte Möser. Obfuscation in bitcoin: Techniques and politics. CoRR, abs/1706.05432,
2017.
[51] Sarang Noether and Brandon Goodell. An efficient implementation of monero subaddresses, mrl-0006, October
2017. https://lab.getmonero.org/pubs/MRL-0006.pdf [Online; accessed 04/04/2018].
[52] Shen Noether and Sarang Noether. Monero is not that mysterious, mrl-0003, September 2014. https://lab.
getmonero.org/pubs/MRL-0003.pdf [Online; accessed 06/15/2018].
[53] Michael Padilla. Beating bitcoin bad guys, August 2016. http://www.sandia.gov/news/publications/
labnews/articles/2016/19-08/bitcoin.html [Online; accessed 04/04/2018].
[54] Torben Pryds Pedersen. Non-Interactive and Information-Theoretic Secure Verifiable Secret Sharing, pages
129–140. Springer Berlin Heidelberg, Berlin, Heidelberg, 1992.
[55] luigi1111 Riccardo “fluffypony” Spagni. Disclosure of a major bug in cryptonote based currencies, May 2017.
https://getmonero.org/2017/05/17/disclosure-of-a-major-bug-in-cryptonote-based-currencies.
html [Online; accessed 04/10/2018].
[56] Adi Shamir Ronald L. Rivest and Yael Tauman. How to leak a secret. C. Boyd (Ed.): ASIACRYPT 2001,
LNCS 2248, pp. 552-565, 2001. https://people.csail.mit.edu/rivest/pubs/RST01.pdf [Online; accessed
04/04/2018].
BIBLIOGRAPHY 69
[57] SJD AB S. Josefsson and N. Moeller. Eddsa and ed25519. Internet Research Task Force (IRTF), 2015.
https://tools.ietf.org/html/draft-josefsson-eddsa-ed25519-03 [Online; accessed 05/11/2018].
[58] C. P. Schnorr. Efficient identification and signatures for smart cards. In Gilles Brassard, editor, Advances in
Cryptology — CRYPTO’ 89 Proceedings, pages 239–252, New York, NY, 1990. Springer New York.
[59] Paola Scozzafava. Uniform distribution and sum modulo m of independent random variables. Statistics &
Probability Letters, 18(4):313 – 314, 1993.
[60] Seigen, Max Jameson, Tuomo Nieminen, Neocortex, and Antonio M. Juarez. Cryptonight hash function.
CryptoNote, March 2013. https://cryptonote.org/cns/cns008.txt [Online; accessed 04/04/2018].
[61] Adam Mackenzie Shen Noether and Monero Core Team. Ring confidential transactions, mrl-0005, February
2016. https://lab.getmonero.org/pubs/MRL-0005.pdf [Online; accessed 06/15/2018].
[62] QingChun ShenTu and Jianping Yu. Research on anonymization and de-anonymization in the bitcoin system.
CoRR, abs/1510.07782, 2015.
[63] thankful for today. [ann][bmr] bitmonero - a new coin based on cryptonote technology - launched, April 2014.
Monero’s actual launch date was April 18th , 2014. https://bitcointalk.org/index.php?topic=563821.0
[Online; accessed 05/24/2018].
[64] Nicolas van Saberhagen. Cryptonote v2.0. [Online; accessed 04/04/2018].
[65] A. Langley Google Inc. Y. Nir, Check Point. Chacha20 and poly1305 for ietf protocols. Internet Research Task
Force (IRTF), May 2015. https://tools.ietf.org/html/rfc7539 [Online; accessed 05/11/2018].
Appendices
70
APPENDIX A
We present in this chapter a dump from a real Monero transaction of type RCTTypeFull, together
with explanatory notes for relevant fields.
The dump was obtained executing command print tx <TransactionID> +hex +json in the
monerod daemon run in non-detached mode. <TransactionID> is a hash of the transaction.
The first line printed shows the actual command run.
1. We need the Monero command line tool (CLI), which can be found at getmonero.org/
downloads (among other places). Get the ‘Command Line Tools Only’ for your operating
system, move the file to a useful location, and unzip it.
2. Open the terminal/command line and navigate into the folder created by unziping.
3. Run monerod with ./monerod. Now the Monero blockchain will download. Unfortunately,
there is currently no easy way to print transactions without downloading the blockchain.
4. After the syncing process is done, commands like print tx will work. Use help to learn
other commands.
For editorial reasons we have shortened long hexadecimal chains, presenting only the beginning
and end as in 0200010c7f[...]409.
1
Blockchain data can also be found with a web block explorer, such as https://moneroblocks.info/.
71
APPENDIX A. RCTTYPEFULL TRANSACTION STRUCTURE 72
Component rctsig prunable, as indicated by its name, is in theory prunable from the blockchain.
That is, once a block has been consensuated and the current chain length rules out all possibilities
of double-spending attacks, this whole field could be pruned and replaced with its hash for the
Merkle tree. This is something that has not yet been done in the Monero blockchain, but is
nevertheless a possibility, and would yield considerable space savings.
Key images and ring keys are stored separately, in the non-prunable area of transactions. These
components are essential for detecting double-spend attacks and can’t be pruned away.
Our sample transaction has 1 input and 2 outputs, and was added to the blockchain at timestamp
2017-12-18 20:28:11 UTC (as reported by its block’s miner).
31 114, 234, 211, 50, 41, 28, 92, 26, 249, 184, 228, 197, 64, 139, 5
32 ],
33 "rct_signatures": {
34 "type": 1,
35 "txnFee": 26000000000,
36 "ecdhInfo": [ {
37 "mask": "68f508c5515694ce5a33b316b990e8b67a944725c93d806767e61b2e0b13d300",
38 "amount": "913372a2424b22bd9712183f5a7c8027c8d9af89b52d1e7d06fd1f87a1e5d20d"
39 }, {
40 "mask": "fbc3e5bdb36fc58e5800ffc549ab7bd533fadb7e6b64898c82ea620d749fc80e",
41 "amount": "b9335c3dc0afb774f812f9f58a412c849f3c828d873f1c16ab102963799d9809"
42 }],
43 "outPk": [ "cf141f5dfe04df14afad6b451d600aa5826a9be44a76a1630850c1d5951d482e",
44 "e10bb69b66af5dabec765c7f5f7528926088877fa36746833828a0575896ae57"]
45 },
46 "rctsig_prunable": {
47 "rangeSigs": [ {
48 "asig": "b9b544a7[...]d4c5726e81c4c4b6205dacc05208",
49 "Ci": "bc7ae457[...]fe490458"
50 }, {
51 "asig": "9c457b41[...]545b60c",
52 "Ci": "ce9b4d8e[...]03a6752"
53 }],
54 "MGs": [ {
55 "ss": [[ "a8120b96f5f2ac5bceab37f7d6bf8d86554d87c4af3441007cad92f54a24d908",
56 "2e6bc016297a5d398936c9f45e7a80215138f69e55179b337922e2d51c1a9f00"],
57 ["1e1052a68c38bb88b6e8f257d999c13f1d5f4fa219cc23479ccbfa6b14b5960a",
58 "e914d35eed0d27344fbc3a89b91bd445d433b561efc844c9f466a61ebb5f6d09"],
59 ["e04d011f515461fdbd8d13536c23143dc365d87dd323defb1af834e540a8fc0e",
60 "f9b41a117a1415fec54f1cc16aeef859b2cab1494b9e26a95fc9eaf4f571fa00"],
61 ["de7a7b30795cab310b632f708c6c2546847a5cbcc27ff48e75c1556c3f6f180c",
62 "6218695558359d115e308b008d9aa368c38672732d2fc21c6317ad7d15918c05"],
63 ["0ca70bbdea0e391b1e24e2540f33b48dd9dc554c61ebf23bb3691aab5094e40f",
64 "dafecd436b2448504c0a3a1997b356c141f1d4b5977cc66e5f55592f13731501"]],
65 "cc": "5059757cf06216215955aaa108e8dd40be157856749a9d883bcac611e395a409"
66 }]
67 }
68 }
69
APPENDIX A. RCTTYPEFULL TRANSACTION STRUCTURE 74
Transaction components
• unlock time (line 6) - Prevents a transaction’s outputs from being spent until the time has
past. It is either a block height, or a UNIX timestamp if the number is larger than the
beginning of UNIX time.
• key offset (line 10) - This allows verifiers to find ring member keys and commitments in the
blockchain, and makes it obvious those members are legitimate. The first offset is absolute
within the blockchain history, and each subsequent offset is relative to the previous. For
example, with real offsets {7,11,15,20}, the blockchain records {7,4,4,5}. Verifiers compute
the last offset like (7+4+4+5 = 20) (Section 5.6.6).
• k image (line 12) - Key image K̃j from Section 3.3, where m = j = 1 for the 1 input here.
• key (line 19) - One-time destination key for output t as described in Section 5.2
• extra (lines 28-32) - Miscellaneous data, including the transaction public key, i.e. the share src/crypto-
secret rG of Section 5.2, and payment ID or encoded payment ID from Section 5.4. It works note basic/
like this: each number is one byte (it can be 0-255), and each kind of thing that can be in the tx extra.h
field has a ‘tag’ and ‘size’. Tag indicates which information comes next, and size indicates
how many bytes that info occupies. The first number is always a tag. Here, ‘2’ indicates an
‘extra nonce’ which is useful for mining pools, and then ‘33’ means the nonce has 33 bytes.
33 numbers go by, then we find a new tag, ‘1’, which means ‘transaction public key’. Tx
public keys are always 32 bytes, so we don’t need to include the size. 32 numbers later is
the end of this extra field. (note: in original specification the first byte indicated the size of
the field. Monero doesn’t use that.) [23]
• txnFee (line 35) - Transaction fee in clear, in this case 0.026 XMR
APPENDIX A. RCTTYPEFULL TRANSACTION STRUCTURE 75
• ecdhInfo (lines 36-42) - ‘elliptic curve diffie-hellman info’: Obscured mask and amount for
each of the outputs t ∈ {1, ..., p}; here p = 2
• asig (line 48) - List of Borromean signature terms (shortened for brevity) for the range
proof of output t = 1 (includes all c and r), see Section 5.6.6
• Ci (line 49) - List of commitments (shortened for brevity) for the range proof on output
t = 1, as described in Section 5.6.3. As explained in Section 5.6.6 only the commitments Ci
need to be stored, as the values Ci − 2i H can be easily derived by verifiers.
In this section we show the structure of a sample transaction of type RCTTypeSimple. The transac-
tion has 4 inputs and 2 outputs, and was added to the blockchain at timestamp 2017-12-21 11:36:20 UTC
(as reported by its block’s miner).
1 print_tx 3ebf45fc5f8fd683037807384122817d5debfa762c7a7845cb7ccfe9ee20940b
2 Found in blockchain at height 1469563
3 020004[...]923b3d70d
4 {
5 "version": 2,
6 "unlock_time": 0,
7 "vin": [ {
8 "key": {
9 "amount": 0,
10 "key_offsets": [ 1567249, 1991110, 349235, 15551, 3620
11 ],
12 "k_image": "9661119b4b54529e1be14ef97fbdc0504d17a6c8dfedd55d2455b93a6336bb41"
13 }
14 }, {
15 "key": {
16 "amount": 0,
17 "key_offsets": [ 2502375, 650851, 337433, 396459, 39529
18 ],
19 "k_image": "2102414d8edfa229f9ebf32ab90acd9cf23963a8c3b6ba0e181fc1d5782c046c"
76
APPENDIX B. RCTTYPESIMPLE TRANSACTION STRUCTURE 77
20 }
21 }, {
22 "key": {
23 "amount": 0,
24 "key_offsets": [ 1907097, 696508, 806254, 510195, 6709
25 ],
26 "k_image": "de14ec8958b311bd38a05aa3fb08fdd360001f1b9c060264eecdd8c08c9e83c4"
27 }
28 }, {
29 "key": {
30 "amount": 0,
31 "key_offsets": [ 1150236, 1943388, 788506, 37175, 7462
32 ],
33 "k_image": "e470f77dd5a4149210cb61ee107e73caea1ef9f61d05384e3bd4372fdc85bf17"
34 }
35 }
36 ],
37 "vout": [ {
38 "amount": 0,
39 "target": {
40 "key": "787cad1ebb181e1fc04b24d4d06c3d2882c38b262a7635de8ad487c536e40a12"
41 }
42 }, {
43 "amount": 0,
44 "target": {
45 "key": "faf4137928392b39ccf0a830c0261573009959787697f9d4fb769c25781fb911"
46 }
47 }
48 ],
49 "extra": [ 1, 20, 56, 120, 111, 89, 89, 64, 10, 98, 96, 255, 202, 235, 203,
50 255, 2, 197, 176, 147, 61, 60, 41, 145, 207, 178, 212, 71, 37, 69, 19,
51 147, 205],
52 "rct_signatures": {
53 "type": 2,
54 "txnFee": 558805800000,
55 "pseudoOuts": [ "64dea29ac5560f93773240d58ca5768b879fd3c95e0b3b50a80ec36a6ff3a6da",
56 "a60e7a00e65ff2a6299b92b166a629e9b0d62f6df50e40535140716757efe4c0",
57 "4c67403adbc9dc0ca5a1a6abc846ab6d232dc3fa295099b3c7a9d005bac60eba",
58 "635b26d78117d77899859ecb61e10125c3956a5c113b932f33c92c561acddaa3"],
59 "ecdhInfo": [ {
60 "mask": "ccffac42a86bec7b36ce9957cbdfe481d419bc5353335d0c236c347aea758d0c",
61 "amount": "c0d6cf3e1db55dd459b73faf34d7339c3fa1b3d3356cfb2adc3faf798264b00e"
APPENDIX B. RCTTYPESIMPLE TRANSACTION STRUCTURE 78
62 }, {
63 "mask": "62cc846003d9c5425c6cf33b30754a4c044f5d9d02621460e45664b886673109",
64 "amount": "726dbacad62022bf0f5af05c72482b3f040d631d3f576b5e2615ea72f84c5f06"
65 }],
66 "outPk": [ "cb3b729b4fca6e66736666201633e3f905c367a2f3d18e31fe3d3c18d2be93fd",
67 "1e8c86b7f211a99e1762bf62254efe65ea5c5328b62b0ea8d679b2e52800f633"]
68 },
69 "rctsig_prunable": {
70 "rangeSigs": [ {
71 "asig": "9bb7cce09[...]61de7ce0a",
72 "Ci": "50dfd2e8[...]b3a7c8fca1b1"
73 }, {
74 "asig": "e3905fa5c[...]b5213444908",
75 "Ci": "595c2cec5f2[...]72a628ab5c"
76 }],
77 "MGs": [ {
78 "ss": [ [ "3b2d26ea7628015fd8317e4e298ceda6b534ac894b83f7b6190a353cee6ec702",
79 "2d772ad7b7ff2ba8a1a66c8d69c0a0d49d72808eaf803c59f13c3d78b653440c"],
80 [ "c188891fb37d76305f0209222f52d22ede43018facfe91f949ecb8dcf709b30a",
81 "303896ca67ea7969544641d5bb94a436558bcf6522bb9bc77bd1abb5f2146c08"],
82 [ "e01c88b7308403a9dd023d9eacf1ade17ab0fa54250148431b5a33c98e636100",
83 "ba36e34e5245e89c7c21af845b949cf3e82188df639390f094e31c9ba773060c"],
84 [ "37175d72d2bef3f8bd9e65fb2861f7bce91e3b1e30278b2dcf26112831ac9405",
85 "8e77a5dd641a89e86dbe0708e8f59d0e2dc9fe4ddfd9b367c3a93522198a4706"],
86 [ "fbb4f94f9ce0f081421e63677a63d5914f0536a481d57b6e5fc5379c84dfcb05",
87 "1ec40aa3c8a94c6b1915b7796423b0d7d6011aa2d6af636aff309b832f193408"]],
88 "cc": "a03119e4257cca37f89ac3e97f0598b712c79162c73932d58ab4ce08c4ad6709"
89 }, {
90 "ss": [ [ "f7aedeec462d7588330c71589fde5f0f234a627a6e5ed72cff34825a04d41707",
91 "31d7a5ba4e782db5c0704ab751a2ef8c4732f3cf699bc8f9994e79a97cd3190e"],
92 [ "00e1d1ecdf31fdf7d57661f2234bfc859cfdc4dbfdfd0f5eec0576ef22592203",
93 "fdf08b803fa6de18bf0e0dc6855e877877bda0101eceb81e2223fe0175606300"],
94 [ "3397ba3f9e8db066e3c4911b896debefbc73efbac4988e6aff5731ff8db15405",
95 "43d2b03d5263de99f56c256e646be503edd63dd03d377a469379fbf487e8600e"],
96 [ "31afd1d5c3b07170ac127605fc35cbcc19cf963a35b2ff8f804e17e3b804000d",
97 "3a3bc124a10b0cf416656f8f682a427445140895440cca644c6aa38966399f0c"],
98 [ "f499f0e4922d5cba35e3cc033489b60ec7ea26ff19cc9dd29357670f4bf8790b",
99 "1a4732b31f0f1a7d3322be5c4baca098f0a032c192bf9f8a6b5fd83cbdd9d401"]],
100 "cc": "095fcab7ebf64c2ffecdacf11b70f97f0e709de0a84b3a13abca627f9df2c901"
101 }, {
102 "ss": [ [ "1808924b4154118c48f0b305562b6ffba86f38c64d4d8a087823f3383cddd006",
103 "4b18544be50aee8c4594b568d6be741c155a132cb83392d9b1a4cf35c3d5760c"],
APPENDIX B. RCTTYPESIMPLE TRANSACTION STRUCTURE 79
104 [ "9a95eeeecf3c3a48c43873a372c263357ff5f258a7bf8ed29a767237b0b0f202",
105 "4f1ea4d9d4b56db780dd078a3e8219d0f54eaccc197901671002a206f063cb0e"],
106 [ "2c800017cab2b8388f58fed0d61a46570f64cacd8fabc4e84ddee735b3135f0a",
107 "458016f6fdf58b329fae0f929226ee2b8e410a14db8c6ede9b74fb718de71507"],
108 [ "ea0fcaf793602dce25c8b2c4d17163f4298933b3fb09874307d8cde9a63c2c0c",
109 "df76fbcd336c07f37e90e1a0d0db1ba49519ba4325062228bc9242af2c525703"],
110 [ "e3a7a0477eeb602a9a8203a6a496cca90c4769d57410246c4c8d665df34df900",
111 "44d206154f0ca85e12a92eefdbc3784e17e701a32ff93b550467679f67500c0d"]],
112 "cc": "6f80de1c1d566776d2831f15c9a85fb1d8e8cecfd0d2753b318f0e84d89d3b08"
113 }, {
114 "ss": [ [ "5b82b4644b57e3d623de7c72c6ebd52959815c12c80b479e4cbe5437cf67640c",
115 "b70e0b69c75faba6a1630429f9f497db351347c210467f69e1b1c5f1a72afe02"],
116 [ "f25a93a98f980cf489eb8f69369f4ec63eaea91fd677decab9b6ca0fe2feb606",
117 "124536c374cb6023a6aa6f22ae6e115a1ba12cb36c48f5f5ad43ce90f471da02"],
118 [ "151ddc82322456d7f31b8b4b2290098c3bf2428370c7ef325660b5463ff26404",
119 "2fb9d2979e16c2b1131686bb85068ec559f9c6c64581e609b451bb2cd9d5740d"],
120 [ "c03bed01d6ad60b3da5d2c88cf2e5023b51133c37e4917511715a11f09d8740d",
121 "432e01c2075ab6361af8636cc1c9254e12db98f5c323088792dfb42a1c894401"],
122 [ "52206d801214e70d20ee7ca53823c143aa06c3d1b22b118cc8a15c9f861f0102",
123 "563c134f56f7a290e0980877e93bc4b08651e53dade079b1e6c066b70fb81406"]],
124 "cc": "4102cd245db3e0d7c0e2280cfdba38b9b7a7ad8715b8fe68c1170cf923b3d70d"
125 }]
126 }
127 }
128
129
130
Transaction components
What follows is a short explanation of the most important elements in this type of transaction. We
only mention components that are specific to, or differ from, the previous RCTTypeFull transaction
type.
• type (line 53) - Signature type, in this case the value 2, corresponding to RCTTypeSimple
transactions
Block Content
In this section we show the structure of a sample block, namely the 1582196th block after the
genesis block. The block has 5 transactions, and was added to the blockchain at timestamp
2018-05-27 21:56:01 UTC (as reported by the block’s miner).
1 print_block 1582196
2 timestamp: 1527458161
3 previous hash: 30bb9b475a08f2ea6fe07a1fd591ea209a7f633a400b2673b8835a975348b0eb
4 nonce: 2147489363
5 is orphan: 0
6 height: 1582196
7 depth: 2
8 hash: 50c8e5e51453c2ab85ef99d817e166540b40ef5fd2ed15ebc863091ca2a04594
9 difficulty: 51333809600
10 reward: 4634817937431
11 {
12 "major_version": 7,
13 "minor_version": 7,
14 "timestamp": 1527458161,
15 "prev_id": "30bb9b475a08f2ea6fe07a1fd591ea209a7f633a400b2673b8835a975348b0eb",
16 "nonce": 2147489363,
17 "miner_tx": {
18 "version": 2,
19 "unlock_time": 1582256,
80
APPENDIX C. BLOCK CONTENT 81
20 "vin": [ {
21 "gen": {
22 "height": 1582196
23 }
24 }
25 ],
26 "vout": [ {
27 "amount": 4634817937431,
28 "target": {
29 "key": "39abd5f1c13dc6644d1c43db68691996bb3cd4a8619a37a227667cf2bf055401"
30 }
31 }
32 ],
33 "extra": [ 1, 89, 148, 148, 232, 110, 49, 77, 175, 158, 102, 45, 72, 201, 193,
34 18, 142, 202, 224, 47, 73, 31, 207, 236, 251, 94, 179, 190, 71, 72, 251, 110,
35 134, 2, 8, 1, 242, 62, 180, 82, 253, 252, 0
36 ],
37 "rct_signatures": {
38 "type": 0
39 }
40 },
41 "tx_hashes": [ "e9620db41b6b4e9ee675f7bfdeb9b9774b92aca0c53219247b8f8c7aecf773ae",
42 "6d31593cd5680b849390f09d7ae70527653abb67d8e7fdca9e0154e5712591bf",
43 "329e9c0caf6c32b0b7bf60d1c03655156bf33c0b09b6a39889c2ff9a24e94a54",
44 "447c77a67adeb5dbf402183bc79201d6d6c2f65841ce95cf03621da5a6bffefc",
45 "90a698b0db89bbb0704a4ffa4179dc149f8f8d01269a85f46ccd7f0007167ee4"
46 ]
47 }
Block components
• (lines 2-10) - Block information collected by software, not actually part of the block properly
speaking.
• is orphan (line 5) - Signifies if this block was orphaned. Nodes usually store all branches
during a fork situation, and discard unnecessary branches when a cumulative difficulty winner
emerges, thereby orphaning the blocks.
• depth (line 7) - In a blockchain copy, the depth of any given block is how far back in the
chain it is relative to the most recent block.
• difficulty (line 9) - Difficulty isn’t stored in a block, since users can compute all block
difficulties from block timestamps and the rules in Section 6.2.
• major version (line 12) - Corresponds to protocol version used to verify this block.
• minor version (line 13) - Originally intended as a voting mechanism among miners, it
now merely reiterates the major version. Since the field does not occupy much space, the
developers probably thought deprecating it would not be worth the effort.
• timestamp (line 14) - An integer representation of this block’s UTC timestamp, as reported
by the block’s miner.
• prev id (line 15) - The previous block’s block ID. Herein lies the essence of Monero’s
blockchain.
• nonce (line 16) - The nonce used by this block’s miner to pass its difficulty target. Anyone
can recompute the proof of work and verify the nonce is valid.
• unlock time (line 19) - The miner transaction’s output can’t be spent until 60 more blocks
have been mined.
• vin (lines 20-25) - Inputs to the miner tx. There are none, since the miner tx is used to
generate block rewards and collect transaction fees.
• height (line 22) - The block height this miner tx’s block reward was generated for. Each
block height can only generate a block reward once.
• amount (line 27) - Amount dispersed by the miner tx, containing block reward and fees from
this block’s transactions. Recorded in atomic units.
• key (line 29) - One-time address assigning ownership of the miner tx’s amount.
• extra (lines 33-36) - Extra information for the miner tx, including transaction public key.
• type (line 38) - Type of transaction, in this case ‘0’ for RCTTypeNull, indicating a miner tx.
• tx hashes (line 41) - All transaction IDs included in this block (but not the miner tx ID).
APPENDIX D
Genesis Block
In this section we show the structure of the Monero genesis block. The block has 0 transactions
(it just sends the first block reward to thankful for today [63]). Monero’s founder did not add a
timestamp, perhaps as a relic of Bytecoin, the coin Monero’s code was forked from, whose creators
apparently tried to hide a large pre-mine [10].
Block 1 was added to the blockchain at timestamp 2014-04-18 10:49:53 UTC (as reported by the
block’s miner), so we can assume the genesis block was created the same day. This corresponds
with the launch date announced by thankful for today [63].
1 print_block 0
2 timestamp: 0
3 previous hash: 0000000000000000000000000000000000000000000000000000000000000000
4 nonce: 10000
5 is orphan: 0
6 height: 0
7 depth: 1580975
8 hash: 418015bb9ae982a1975da7d79277c2705727a56894ba0fb246adaabb1f4632e3
9 difficulty: 1
10 reward: 17592186044415
11 {
12 "major_version": 1,
13 "minor_version": 0,
14 "timestamp": 0,
83
APPENDIX D. GENESIS BLOCK 84
15 "prev_id": "0000000000000000000000000000000000000000000000000000000000000000",
16 "nonce": 10000,
17 "miner_tx": {
18 "version": 1,
19 "unlock_time": 60,
20 "vin": [ {
21 "gen": {
22 "height": 0
23 }
24 }
25 ],
26 "vout": [ {
27 "amount": 17592186044415,
28 "target": {
29 "key": "9b2e4c0281c0b02e7c53291a94d1d0cbff8883f8024f5142ee494ffbbd088071"
30 }
31 }
32 ],
33 "extra": [ 1, 119, 103, 170, 252, 222, 155, 224, 13, 207, 208, 152, 113, 94, 188,
34 247, 244, 16, 218, 235, 197, 130, 253, 166, 157, 36, 162, 142, 157, 11, 200, 144,
35 209
36 ],
37 "signatures": [ ]
38 },
39 "tx_hashes": [ ]
40 }
Since we used the same software to print the genesis block and the block from Appendix C, the
structure appears basically the same. We point out some unique differences.
• difficulty (line 9) - The genesis block’s difficulty is reported as 1, which means any nonce
could work.
• timestamp (line 14) - The genesis block doesn’t have a meaningful timestamp.
• prev id (line 15) - We use an empty 32 bytes for the previous ID, by convention.
• amount (line 27) - This exactly corresponds to our calculation for the first block reward
(17.592186044415 XMR) in Section 6.3.1.
APPENDIX D. GENESIS BLOCK 85
• key (line 29) - The very first Moneroj were dispersed to Monero’s founder thankful for today.
• extra (line 33) - Using the encoding discussed in Appendix A, the genesis block’s miner tx
extra field just contains one transaction public key.
• signatures (line 37) - There are no signatures in the genesis block. This is here as an
artifact of the print block function. The same is true for tx hashes in line 38.