According to Monero’s site: Monero is a secure, private and untraceable currency system. Monero uses a special kind of cryptography to ensure that all of its transactions remain 100% unlinkable and untraceable. In an increasingly transparent world, you can see why something like Monero can become so desirable. In this guide, we will see the mechanics behind Monero and see what makes it so special.
The origins of Monero XMR
Back in July of 2012, Bytecoin, the first real life implementation of CryptoNote, was launched. CryptoNote is the application layer protocol that fuels various decentralized currencies. While it is similar to the application layer which runs bitcoin in many aspects, there a lot of areas where the two differ from each other.
While bytecoin had promise, people noticed that a lot of shady things were going on and that 80% of the coins were already published. So, it was decided that in April 2014, the bytecoin blockchain will be forked and the new coins in the new chain will be called Bitmonero, which is was eventually renamed Monero meaning “coin” in Esperanto. In this new blockchain, a block will be mined and added every two mins.
Monero is headed by a core development team of 7 developers of which 5 have chosen to remain anonymous while two have come out openly in public. They are – David Latapie and Riccardo Spagni aka “Fluffypony”. The project is open source and crowdfunded.
Image courtesy: Coinsutra
Special features of Monero XMR
So what is it about Monero that makes it so hot and in-demand. What are the unique properties that the CryptoNote algorithm gives it? Let’s check it out.
Property #1: Your currency is yours
You have complete control over your transactions. You are responsible for your money. Because your identity is private no one will be able to see what you are spending your money on.
Property #2: It is Fungible
Another interesting property that it gains, thanks to its privacy, is that it is truly fungible. What is fungibility? Investopedia defines fungibility as follows:
“Fungibility is a good or asset’s interchangeability with other individual goods or assets of the same type.”
So, what is fungible and what is non-fungible.
Suppose you borrowed $20 from a friend. If you return the money to him with ANOTHER $20 bill, then it is perfectly fine. In fact, you can even return the money to them in the form of 1 $10 bill and 2 $5 bills. It is still fine. The dollar has fungible properties (not all the time though).
However, if you were to borrow someone’s car for the weekend and come back and give them some other car in return, then that person will probably punch on the face. In fact, if you went away with a red Impala and came back with another red Impala then even that is not a done deal. Cars, in this example, are a nonfungible asset.
So, what is the deal with fungibility when it comes to cryptocurrency?
Let’s look at bitcoin for example. bitcoin prides itself in being an open ledger and an open book. But what it also means is that everyone can see the transactions in it and more importantly, everyone can see the trail of that transaction. What this basically means is that suppose you own a bitcoin which once was used in some illegal transaction, eg. buying drugs, it would forever be imprinted in the transaction detail. What this in essence does is that it “taints” your bitcoin.
In certain bitcoin service providers and exchanges, these “tainted” coins will never be worth as much as “clean” coins. This kills fungibility and is one of the most often used criticisms against bitcoin. After all, why should you suffer if one of the previous owners of your bitcoin used it to make some illegal purchases?
This is where Monero comes in. Since all their data and transactions are private, no one can know what transactions your Monero has gone through before and neither can they know what was used to buy with your Monero. Since its transaction history can never be known, it also means that the “transaction” trail is non-existent. As a result of this, the concept of “tainted” Monero and “clean” Monero doesn’t exist, and hence they are fungible!
Property #3: Dynamic Scalability
The bitcoin scalability issue has been a very hot topic in the crypto circles the past few months. So, to give you all a gist of the the situation, bitcoin was created with a self-imposed 1 Mb block size limit. In its early developments bitcoin didn’t have any block size limit, however, in order to prevent spam transactions, the size limit was enforced.
Monero uses a free block size mechanism with no “pre-set” size limit. However, this also means that malicious miners can clog up the system with disproportionately huge blocks. To prevent this from happening, a block reward penalty is built into the system. This is how it works:
Firstly, the median size of the last 100 blocks is taken which is called M100. Now suppose the miners mined a new block and it has a particular size which is called “NBS” aka New Block Size. If NBS > M100, then the block reward gets reduced in quadratic dependency of how much NBS exceeds M100.
This means that if NBS is [10%, 50%, 80%, 100%] greater than M100, the block reward gets reduced by [1%, 25%, 64%, 100%]. Generally, blocks greater than 2*M100 are not allowed, and blocks <= 60kB are always free of any reward penalties.
Property #4: ASIC (Application Specific Integrated Circuit) Resistant
Ok, before we get started, let’s just get this out of the way. Monero is not exactly “ASIC resistant”, but the cost of manufacturing ASICs for Monero would be so high that it simply won’t be worth it. Why is that the case? Remember, when we said that Monero was based on the CryptoNote system which makes it distinctly different from bitcoins? Well, the hashing algorithm used in CryptoNote based systems is called “CryptoNight”.
Cryptonight was created to build a fairer and more decentralized currency system. Cryptocurrencies which incorporate Cryptonight cannot be mined using. It was hoped that this would prevent the creation of mining pools and make the currency more evenly distributed.
So what are the properties of CryptoNight which makes it ASIC Resistant? (The following is taken from “user36303” answer in monero.stackexchange.com).
- Cryptonight requires 2 MB of fast memory to work. This means that parallelizing hashes is limited by how much memory can be crammed in a chip while keeping cheap enough to be worth it. 2 MB of memory takes a lot more silicon than the SHA256 circuitry.
- Cryptonight is built to be CPU and GPU friendly because it is designed to take advantage of AES-Ni instruction sets. Basically, some of the work done by Cryptonight is already being done in hardware when running on modern consumer machines.
- There have been talks of moving Monero on from proof of work algorithm to “Cuckoo Cycle” (a different form of proof of work hash). If a switch like this does happen, then the amount of work spent in the R&D of Monero friendly ASICs would be meaningless.
Property #5: Multiple keys
One of the more confusing aspects of Monero is its multiple keys. In bitcoin, ethereum, etc. you just have one public key and one private key. However, in a system like Monero, it is not quite as simple as that.
View Keys: Monero has a public view key and a private view key.
- The public view key is used to generate one-time stealth addresses where the funds will be sent to the receiver. (more on this later).
- The private view key is used by the receiver to scan the blockchain to find the funds sent to them.
That’s the general overview of the process.
The public view key makes the first part of the Monero Address.
Spend Keys: If the view key was mostly for the recipient of a transaction, the spend key is all about the sender. As above, there are two spend keys: public spend key and private spend key.
- The public spend key will help the sender take part in ring transactions and also verify the signature of the key image. (more on that later)
- The private spend key helps in creating that key image which enables them to send transactions.
The public spend key makes the second part of the Monero address.
The Monero address btw is a 95-character string that is made of the public spend and public view key.
This can be very confusing right now, but just keep this information in your head, and it will become clearer with subsequent sections.
What is the cryptography involved in Monero?
How does a transaction in a cryptocurrency work?
Every transaction has two sides to it, the input side and the output side. Suppose Alice needs to send some bitcoins to Bob how will it look like?
In order to make this transaction happen, Alice needs to get bitcoins which she has received from various previous transactions. Remember, as we said before, in bitcoins, each and every coin is accounted for via a transaction history. So Alice can make the outputs of her previous transactions the input of the new transaction. Later on, when we talk about “outputs”, especially in the ring signature section, we mean the outputs of the old transaction which become the inputs of the new transaction.
So, suppose Alice needs to pull bitcoins from the following transactions which we shall name TX(0), TX(1) and TX(2). These three transactions will be added together and that will give you the input transaction which we shall call TX(Input).
Diagrammatically, it will look like this:
So, that is it from the input side, let’s check out what the output side will look like.
The output basically will have a number of bitcoins that Bob will possess post transaction and any remaining change that is left over, which is then sent back to Alice. This change then becomes her input value for all future transactions.
A pictorial representation of the output side looks like this:
Now, this is a very simple transaction that has just one output (apart from the CHANGE), there are transactions that are possible with multiple outputs.
Image courtesy: FluffyPony presentation.
bitcoin transactions happen because of public key cryptography. To have a very basic understanding of how that works, check out this flowchart:
A bitcoin user first chooses their private key. The public key is then mathematically derived from the private key. The public key is then hashed to create a public address which is open to the world. So, if Alice were to send Bob some BTC, she simply has to send them to his public address.
Now, there is a problem with this system. The public address is well…public! Anyone on
the blockchain can know who that address belongs to and as a result checkout their entire transaction history and also a number of bitcoins that they own! While Bitcoin does a stellar job of being a decentralized cryptocurrency, it doesn’t really do a great job of being a private currency system.
This is the “Electronic cash triangle” as the Monero team puts it:
This is the “Electronic cash triangle” as the Monero team puts it:
Image courtesy: FluffyPony presentation.
As they put it, an ideal Electronic cash should fulfill three requirements:
- It should be electronic.
- It should be decentralized.
- It should be private.
With Monero, they are attempting to fulfill all these 3 criteria.
The underlying philosophy behind Monero is complete privacy and opaqueness.
- The privacy of the sender is maintained by Ring Signatures.
- The privacy of the recipient is maintained by Stealth Addresses.
- The privacy of the transaction is maintained by Ring CT aka Ring Confidential Transactions.
Monero Cryptography #1: Ring Signatures
In order to understand what ring signatures are and how they help maintain the sender’s privacy let’s take a hypothetical real-life example. When you are sending someone a check, you need to sign it off with your signature right? However, because of that, anyone who sees your check (and knows what your signature looks like) can tell that you are the person who has sent it.
Now think about this.
Suppose, you pick up 4 random people from the streets. And you merge your signatures with these 4 people to create a unique signature. Nobody will be able to find out whether it really is your signature or not.
That, in essence, is how ring signature works. Let’s see its mechanism in the context of Monero.
Suppose, Alice has to send 1000 XMR (XMR = Monero) to Bob, how will the system utilize ring signatures to hide her identity? (For simplicity’s sake, we are taking a pre- ringct implementation case..more on that later).
Firstly, she will determine her “ring size”. The ring size are random outputs taken from the monero network, which is of the same value as her output aka 1000 XMR. The bigger the ring size, the bigger the transaction and hence higher the transaction fees. She then signs these outputs with her private spend key and sends it to the blockchain. Another thing to note, Alice doesn’t need to ask the owners of these previous transactions their permission to use the outputs.
So, suppose Alice chooses a ring size of 5 i.e. 4 decoy outputs and her own transaction, for an outsider, this is what it will look like:
Image courtesy: Monero Youtube channel.
In a ring signature transaction, any of the decoys taken from the monero network is as likely of being an output as the actual output because of which any unintended third party (including the miners) won’t be able to know who the sender is.
Now, this brings us to a problem.
One of the many important roles that miners have is the prevention of “double spending”. Double spending basically means spending the exact same coin on more than one transactions at the same time. This problem is circumnavigated because of miners. In a blockchain, transactions happen only when miners put the transactions in the blocks that they have mined.
So suppose, A were to send 1 bitcoin to B and then he sends the same coin to C, the miners would put in one transaction inside the block and, in the process, overwrite the other one, preventing double-spending in the process. But this is possible only when the miners can actually see what the inputs of the transaction actually is and who the sender is. In Monero, this is all hidden and cloaked thanks to the ring signatures. So how do they prevent double spends?
The answer lies in more ingenious cryptography.
Every transaction in Monero comes with its own unique key image. (we will see the mathematics behind key image later on). Since the key image is unique for every transaction, the miners can simply check it out and know whether a Monero coin is being double-spent or not.
So, this is how Monero maintains the privacy of the sender by using ring transactions. Up next, we will see how Monero protects its receiver’s identity by the use of stealth addresses.
Monero Cryptography #2: Stealth Addresses
One of the biggest USP of Monero is transaction unlinkability. Basically, if someone sends you 200 XMR then, nobody should know that that money is coming to your addresses. Basically, if Alice were to send money to Bob, only Alice should know that Bob is the recipient of her money and no one else.
So, how does Monero ensure Bob’s privacy?
Remember, Bob has 2 public keys, the public view key, and the public send key. For the transaction to go through, Alice’s wallet will use Bob’s public view key and the public spend key to generate a unique one-time public key.
This is the computation of the one-time public key (P).
- P = H(rA)G + B
In this equation:
- r = Random scalar chosen by Alice.
- A = Bob’s public view key.
- G = Cryptographic constant.
- B = Bob’s public spend key.
- H() = The Keccak hashing algorithm used by Monero.
The computation of this one-time public key generates a one-time public address called “stealth address” in the block chain where Alice sends her Monero intended for Bob. Now, how is Bob going to unlock his Monero from the random distribution of data?
Remember that Bob also has a private spend key?
This is where it comes into play. The private spend key basically helps Bob scan the blockchain for his transaction. When Bob comes across the transaction, he can calculate a private key which corresponds to the one-time public key and retrieves his Monero. So Alice paid Bob in Monero without anyone getting to know.
The Calculation of Key Images (a slight detour)
Before we continue, let’s go back to key images. So how is a key Image (I) calculated?
Now we know how the one-time public key (P) was calculated. And we have private spend key of the sender which we will call “x”.
- I = xH(P).
Things to note from this equation.
- It is infeasible to derive the one time public address P from the key image “I”(it is a property of the cryptographic hash function) and hence Alice’s identity will never be exposed.
- P will always give the same value when it’s hashed, meaning H(P) will always be the same. What this means is, since the value of “x” is constant for Alice, she will never be able to generate multiple values of “I”. Which makes the key image unique for every transaction.
Monero Cryptography #3: Ring Confidential Transactions
So, now we have seen how the spender can be kept anonymous and we have seen how the receiver is kept anonymous. But what about the transaction itself? Is there a way to make sure that the transaction amount itself is hidden?
Before the implementation of Ring CT, the transactions used to happen like this:
If Alice had to send 12.5 XMR to bob, then the output will be broken down into 3 transactions of 10,2 and .5. Each of those transactions will get their own ring signatures and then added to the blockchain:
Image courtesy: Monero Youtube
While this did safeguard the sender’s privacy, what it did was that it made the transactions visible to everyone.
To address this issue, Ring CT was implemented which was based on the research done by Gregory Maxwell. What RingCT does is simple, it hides the transaction amounts in the blockchain. What this also means is that any transaction inputs don’t need to be broken down into known denominations, a wallet can now pick up ring members from any Ring CT outputs.
Think of what that does to the privacy of the transaction?
Since there are so many more options to choose rings from and the value is not even known, it is now impossible to be aware of any particular transaction.
These 3 factors work in harmony to create a system where total privacy is afforded. But this was still not enough for the Monero developers. They needed an extra layer of security.
Kovri and I2P
I2p or invisible internet project is a routing system that allows applications to send messages to each other privately without any outside interference. Kovri is a C++ implementation of I2P which is supposed to be integrated with the Monero code.
If you are using Monero then Kovri will hide your internet traffic such that passive network monitoring won’t reveal that you are using Monero at all. In order for this to function, all of your Monero traffic will be encrypted and routed through the I2P nodes. The nodes are like blind gatekeepers. They will know that your messages are passing through but will have no idea where exactly they are going and what are the contents of the messages.
It is hoped that the relationship between I2P and Monero will be a symbiotic once because:
- Monero will be getting an extra layer of protection.
- The number of nodes being used in I2P will significantly increase post-implementation.
Kovri is still in developmental stage (as of writing) and has not been implemented yet.
Monero value and transaction cap
Monero’s growth has been pretty amazing to watch. Check out their graph:
Image Courtesy: Coinmarketcap
As of writing, there are 15,054,759 XMR in circulation and each Monero is worth $114.83. The total market cap of Monero sits at $1,728,798,235.
In total there are 18.4 million XMR and mining is projected to go on until 31st May 2022. After that, the system is designed such that 0.3 XMR/min is fed continuously into it. This has been done so that miners would have the incentive to continue mining and won’t have to depend on just transaction fees after all the Monero has been mined out.
How to store Monero XMR cryptocurrency?
The simplest way to store Monero is by going to “mymonero.com”
Step 1: Click on “Create a new account”
Step 2: Take note of your private login key
Step 3: Type in your private login key to log in and find your public address!
And you are done!
Simple, wasn’t it?
Just be careful to never reveal your private login key.
If you ever forget your key, then click on Account and then click on “Review Login Key”.
And you can review the private login key:
How straightforward is that?
Monero Vs Bitcoin
So, comparisons can obviously not be avoided let’s look at how both these coins stack up.
bitcoin prides itself on its open transparency. The blockchain is literally an open ledger that anyone, anywhere can access the blockchain and read up on all past transactions. Bitcoins are relatively simple to access and use.
Monero, on the other hand, is built for complete and utter privacy. All the transactions are completely secret. Monero can be a little complicated to understand and access for beginners.
The following table by Lindia Xie in her Medium article makes a fine comparison between bitcoin and Monero:
Edit: Current market cap for BTC is $68,242,637,715 and the current market cap for Monero is $1,728,798,235
The pros and cons of Monero
- One of the best privacy features on any cryptocurrency.
- The transactions are not linkable.
- The transactions and addresses are not traceable.
- The blockchain doesn’t have a block limit and is dynamically scalable.
- Even when the Monero supply runs out there will be a continuous 0.3 XMR/min supply to incentivize the miners.
- It is selectively transparent. Anyone can make their transactions visible to their person of choice eg. an auditor by giving them their private view key. This also makes Monero auditable
- Has a very capable and strong developmental team leading the charge.
- Even though Monero was made ASIC resistant to prevent centralization, ~43% of hashrate of Monero is owned by 3 mining pools:
Image Courtesy: Monero Hash.
- Monero transaction are significantly larger than other cryptos like bitcoin because of the amount of encryption involved.
- There is not much digital currency wallet compatibility for Monero.
- It is not beginner-friendly and has not been as widely accepted and adopted.
- Because it is not a bitcoin-based cryptocurrency, Monero has faced difficult issues in the sense that it is harder to add things to it.