Monero: The Privacy Coin Explained
Privacy coins built on their own blockchains have a firm hold within the larger cryptocurrency community, even as regulators and exchanges seek to limit their adoption. This post is part of CoinDesk's Privacy Week series.
Bitcoin’s pseudonymity was originally a big part of its appeal to new users, but that pseudonymity has become strained over the years as government regulators, blockchain analytics firms and others began surveilling the Bitcoin public blockchain.
In a bid to restore balance, various developers and organizations are working to improve bitcoin privacy and make it easier to implement using techniques such as CoinJoins and coin burns.
This article is part of CoinDesk's Privacy Week series.
But privacy coins built on their own blockchains, such as Monero's XMR, still have a firm hold within the larger cryptocurrency community, even as regulators and exchanges seek to limit their adoption.
Read More: What Are Privacy Coins and Are They Legal?
What is Monero?
Monero launched in 2014 as Bitmonero and was a fork of the codebase of Bytecoin.
When Bitcointalk forum user thankful_for_today released Bitmonero, community backers were frustrated over changes that hadn’t taken place. Thankful_for_today was eventually usurped and replaced by volunteers from the community, including a handful of developers who helped maintain and develop the project. Many of them remained pseudonymous.
As one of the few original alternative coins (altcoins) that didn’t rely on Bitcoin’s code, Monero chose not to have a limited supply for XMR. Unlike other privacy coins, it embeds privacy into the protocol rather than making it an optional feature, or relying on a second layer to be developed and added later.
Monero’s privacy protections also set it aside from competitors, not just because they aren’t optional but because of the ways they hide the sender, the receiver and even the amount being sent. While Zcash chiefly uses zero-knowledge proofs, among other features, to add privacy functionality, Monero’s main privacy feature includes:
- Ring confidential transactions (Ring CTs.)
- Stealth addresses.
- Dandelion ++.
The underlying technology is so effective that, in 2020, the Internal Revenue Service called upon experts to help crack Monero’s privacy features; issuing a $625,000 reward to anyone who could successfully do it.
Its technology makes monero one of the most private cryptocurrencies, appealing to advocates of privacy while attracting scrutiny from regulators over concerns about that privacy.
What makes Monero unique?
If zcash is the Blink-182 of privacy coins, monero is the Sex Pistols – an older, grittier counterpart.
It’s certainly not for the faint of heart. Monero makes no attempt to comply with know-your-customer/anti-money laundering (KYC/AML) procedures and values privacy above all else. This has not only led to it being delisted from a number of exchanges including BitMEX and Kraken, but the project’s casual disregard for customer due diligence (CDD) measures also means it has found itself in the crosshairs of many financial regulators around the world.
On the other hand, if you’re distrustful of the government or centralized authority, Monero’s rebellious ethos may appeal to you.
The two main criteria Monero achieves are:
- Untraceability: This means it’s impossible to determine where something came from – in this instance, a transaction made using XMR, the native cryptocurrency of Monero.
- Unlinkability: This refers to the inability to establish a connection between people involved in a transaction or to prove various transactions were sent to the same person.
“Monero has continuously iterated on its tech,” said the organizer of the Monero Space workgroup, Justin Ehrenhofer. Ehrenhofer is also vice president of operations at Cake Wallet, an open-source wallet that originally focused solely on monero but has since added support for bitcoin and litecoin.
“There haven't been any sweeping changes in terms of what Monero does and why. It's sort of tried to stay true to what it does and just keeps hammering at it,” he added.
Ring Confidential Transactions (Ring CTs)
A ring confidential transaction is made up of two parts: One is a Multilayered Linkable Spontaneous Anonymous Group (MLSAG) ring signature, which obscures the amounts, origins, and destinations of transactions; the second is confidential transactions, which uses a cryptographic technique called the Pederson commitment to obscure transaction amounts.
The Pedersen commitment allows cryptography to be performed on a transaction such that the transaction can be verified while only the sender and receiver see the amount being exchanged.
Ring CTs allow “decoy” coins to be added to transactions, meaning the true amounts aren’t visible except to the parties involved. Even so, with multiple inputs, the transactions balance out such that it ensures no new monero tokens are minted in the process.
In October, Monero adopted CLSAGs, which is just a more efficient form of its ring signature; they were approximately 10% to 15% faster to verify, as well as smaller, according to Ehrenhofer.
Stealth addresses create an additional layer of privacy for Monero users. Stealth addresses essentially create burner addresses – or one-time public keys – for each transaction, with a sender generating a new address to send XMR tokens with a bit of additional data attached.
Those bits of data are then used by the owner of the address to create the private keys used to access the funds in the address.
Only the parties involved know the stealth address corresponds to the actual Monero address. Because new stealth addresses are generated by each sender, transactions on the blockchain don’t link back to the actual address. Think of it as calling someone repeatedly using a different phone number each time. This would make it impossible for anyone on the outside to know who was calling, and whether it was the same person or not.
Bulletproofs and Dandelion ++
In 2018, Monero implemented bulletproofs, a protocol that made confidential transactions faster and more scalable. It cut the data size of confidential transactions, which were quite large given the decoy coins involved, by about 80%.
“Blockchain bloat was definitely an issue for Monero,” said pseudonymous Monero cryptographer Sarang Noether, who assisted with the bulletproofs integration. “They’re not about anonymity; they are about assuring that the other stuff we do for anonymity works correctly.”
So while bulletproofs weren’t about adding new privacy functionality, they were key to speeding up Monero transactions while lowering the fees associated with them.
Finally, in 2020 Monero implemented Dandelion ++, a feature for hiding the IP addresses associated with nodes (computers that help to validate the Monero blockchain), so that it cut down the risk of such identifying information being used to deanonymize transactions. IP addresses could be used by internet service providers (ISP) or even virtual network providers (VPN) to identify you. Which is not ideal when you’re running a node in order to help maintain a privacy-focused network.
While originally designed for Bitcoin, Dandelion ++ was implemented for Monero. It essentially finds a proxy node to broadcast from and then spreads “fluff” information symmetrically, such that adversaries looking to track transactions are unable to do so.
“Even if you're not using Tor or the Invisible Internet Project (I2P), it's a good way for all users to have a much higher degree of base protection when broadcasting their transaction out,” said Ehrenhofer.
Room for improvement
Monero focuses on not making privacy a huge lift; rather, it attempts to make it easy for people who might not use it otherwise.
“We want to provide privacy and just clog some of the basic holes that are present in most cryptocurrency protocols,” said Ehrenhofer. “So to that end, monero really is the only coin that hides the sender, receiver and amount – which is really the bare minimum for you to even think of it as a private transaction.”
In terms of differentiating it from other coins such as bitcoin and zcash, Ehrenhofer said the proof is really just in how much Monero is used compared to other privacy-focused cryptocurrency blockchains.
“Monero has more private transactions than Bitcoin and Zcash combined,” he said.
So to him, it’s just a matter of continuing to drill down on what it does well, rather than trying to add on all sorts of other functionalities.
Even so, while Monero is a highly competent solution for protecting individuals against mass financial surveillance, it’s not as effective when authorities or blockchain surveillance teams are investigating you directly.
Ehrenhofer is the creator of the Breaking Monero series, which outlines a variety of ways in which Monero can be compromised or come up short.
He says that three challenges come to the top of mind within that series:
- Poisoned outputs
- A Janus attack (known fixes haven't been deployed, so only mitigations exist for now)
- Metadata concerns (such as the masking of network and timing)
Poisoned outputs pose a serious threat to the privacy of onero users because they present a human-based, rather than a technology-based, problem.
Essentially, poisoned outputs involve two colluding parties that target a third party and attempt to learn about them by sending outputs and then analyzing their transaction graphs. A transaction graph is a representation of one or more transactions and the addresses that cryptocurrencies were sent to. These could be users, mixers or exchanges, for example.
In the series “Breaking Monero,” where Monero devs stress-tested and outlined vulnerabilities for the cryptocurrency, one pseudonymous developer called Surae Noether (a common surname used among Monero developers as a homage to the famous mathematician and physicist, Emmy Noether) likens a poisoned output to how cops might track the sale of banned books within society by making a purchase and tracking the transaction to see where the funds end up.
“The essential idea is that someone is buying a book and there’s going to be a chain of custody of the money that will eventually end up in some know-your-customer bank’s hands,” said Surae in the accompanying video. “Once that money ends up in the bank’s hands, they can start linking real-life identities with those original purchases and find the interior hops of those transactions. Unfortunately, this is a problem that Monero faces.”
The reason this is a tricky problem to fix is it's not dependent so much on fixing a technical problem, but on taking care of a collusion one. More specifically, while you might be able to provide a patch to a technical issue, you can't prevent people from working together to identify who the owner of a particular crypto wallet is. That, ultimately, is outside of a coin’s control.
Another is what’s known as a Janus attack. Named after the ”two-faced god” from Greek mythology, the Janus attack allows an incoming transaction to appear to be addressed to one wallet subaddress while having actually been addressed to a different wallet subaddress, said Ehrenhofer in an email.
The goal of the attack is not to steal XMR, but to compromise the address owners' privacy by tricking them into revealing control of the two subaddresses.
“In plain English, the subaddress system is designed to allow a wallet to efficiently scan for incoming outputs to multiple subaddresses within the same wallet (i.e., where the subaddresses share the same private view key),” said Ehrenhofer. “A side effect of the way in which the subaddress system was designed to allow this efficient scanning is that the wallet will trust the sender to inform the wallet of the particular destination subaddress. This trust was an oversight during the design of the subaddress system.”
While there are several ways to mitigate such an attack, one has not yet been decided on from the development perspective.
Ehrenhofer said one way is for an update to the transaction construction to include a signature that proves the transaction was properly constructed for a particular subaddress destination.
“Since this modification will add perhaps 64 bytes to the size of a transaction, there will be careful consideration of a mitigation to ensure it is done in the most space-efficient way possible,” he said.
Metadata concerns are generally an issue because they’re somewhat dependent on the rails the internet rides. Obscuring things like network traffic and timing require the use of other tools and go beyond the scope of what Monero, or any privacy coin blockchain, is capable.
The case for Monero
Privacy is not just for people with “something to hide” – it is a fundamental right that people should be able to exercise without needing to justify why they choose to do so. Privacy-focused cryptocurrencies like monero are one way that people are exercising that choice.
The very fact that XMR is best known as the currency of the dark web is, in itself, a testament to its success as a privacy coin. If it didn't do such a good job of protecting its users' identities, it would have been abandoned by those users.
Of course, the trade-off with these sorts of open-access technologies is that anyone can use it, for good or ill. But the more that people understand the value of preserving the privacy of their data and online transactions, the more we can expect the ratio of nefarious usage to diminish compared to all other use cases.
“Monero transaction volumes are way up, with increased adoption primarily coming from the recognition that people should use Monero to protect their private payments and donations,” said Ehrenhofer. “This means that more cryptocurrency transactions than ever before are private, so we're making progress.”
The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups. As part of their compensation, certain CoinDesk employees, including editorial employees, may receive exposure to DCG equity in the form of stock appreciation rights, which vest over a multi-year period. CoinDesk journalists are not allowed to purchase stock outright in DCG.
Learn more about Consensus 2024, CoinDesk’s longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to consensus.coindesk.com to register and buy your pass now.