For most people, using Monero to maintain privacy and anonymity requires a leap of faith - few people understand exactly how the cryptography and security of the Monero blockchain protects them from being tracked. We hope this post demystifies the magical qualities of Monero and provides an increased sense of trust for users who aren't mathematicians or computer scientists.
Why Monero is Secure - 3 Pillars of Privacy
Monero's privacy technology is based on 3 core cryptographic techniques:
- Ring Confidential Transactions (RingCT) - Hides the amount being sent
- Ring Signatures - Hides the sender's address
- Stealth Addresses - Hides the receiver's address
Assuming the above statements are true, how do these features protect privacy?
Let's look at this from the perspective of someone trying to trace Monero transactions. Imagine that Rodrigo is a state tax auditor for a failing South American socialist government, and desires to seize as much wealth as possible from whatever businesses still survive in their country. These businesses have switched to cryptocurrency because the state-backed fiat currency is worthless.
When businesses used Bitcoin, Rodrigo could trace every transaction using software sold to governments by Coinbase and Chainalysis. Many businessmen were arrested and Rodrigo's family received a few extra food rations as a bonus.
Unfortunately, businesses have recently switched from Bitcoin to Monero. Rodrigo called Coinbase, but they said they couldn't help him! He then went to the local prison to force Antonio, a university mathematician jailed for political dissent, to help him analyze the Monero blockchain.
Looking at the blockchain, Antonio is stumped. Every block indeed has a series of transactions, but he can't see any amounts or addresses!
Without the amount, Rodrigo doesn't know how much to steal. Without the sending address, Rodrigo doesn't know which person still has any wealth. And without the receiving address, Rodrigo doesn't know who to steal from.
By protecting the sender, receiver, and amount, Monero stops auditors dead in their tracks - they simply can't get any meaningful information from the blockchain!
Hiding the Amount - Ring Confidential Transactions (RingCT)
RingCT allows the amount to be secretly embedded in the blockchain. The amount exists on-chain, it just isn't readable by anyone but the receiver (in fact, if the sender's wallet history gets deleted, even the sender can't recover how much was sent historically). This is accomplished by encrypting the amount sent with the receiver's address (also known as the "public key"). The receiver can then decrypt the amount - and no one else.
How does everyone else know that the amount sent is valid? Why couldn't the sender make up 1 million XMR? Two tricks - first, each amount is proven to be positive using a "range proof" math technique, and second, the network checks that all of the inputs balance all of the outputs, even though it cannot see the amounts themselves. Therefore, if someone wanted to send 1 million XMR, they would have to spend unspent inputs worth 1 million XMR. In this way, no Monero is created out of thin air.
Hiding the Sender Address - Ring Signatures
You now understand that all amounts are hidden using RingCT. But even if Bitcoin amounts were hidden, tracking software could still trace the flow of funds around the network. How does Monero prevent this tracing?
Just like Bitcoin, Monero uses an "Unspent Transaction Output" model, or "UTXO". Conceptually, this can be visualized as having various denominations of paper money - individual bills for 1.55, 723.2, 0.369, etc. When you pay someone a specific amount, you overpay them with whole bills, and the transaction gives you change for the amount you are over, creating a new bill of a specific size representing the change. Let's refer to these unspent bills as "coins".
In Monero, rather than giving only the UTXOs (various coins in different sizes) you wish to pay with, you also mix up other coins you don't own! Your wallet software randomly selects a group of other inputs and puts them all together. This not only hides which specific coins are yours, but it also makes it impossible to know which coins are actually spent - the same coin can be included many times without ever being spent!
"Ring Signatures" are the mathematical technique where the private key that owns one of the coins is able to sign for a group of them. This proves to the network that the sender has the right to spend one of the coins in the group without revealing which specific coin is being spent. This obfuscation prevents the sender's address from being revealed.
This technique also prevents the same coin from being spent twice, because the signature produces a "key image" for the spent coin. The key image is a unique code that signifies a coin is spent, and is stored on the blockchain, but does not reveal who spent it or the amount. If the sender tried to spend the coin again, the key image would be identical and rejected by the network as a double-spend.
This can be confusing, but to summarize:
- Every transaction mixes together a group of inputs, with the other unspent coins acting as decoys for the real coin being spent
- No one can tell which coin is actually spent
- No one knows who is sending the coin
- No one knows the amount of the coin
Hiding the Receiver Address - Stealth Addresses
Even if you use the same receiving address for every transaction, your address will never appear in the Monero blockchain. This is very different from Bitcoin. How does this happen?
Everyone's public address in Monero looks like text, but in reality it's a very long number. This is also known as a "public key".
When someone sends Monero, their wallet does a mathematical calculation that multiplies the receiving address (a long number) by a new random number and hashes the result, in such a way that only the person with the private key of the address can tell the output was intended for them.
When someone receives Monero, they look at each stealth address and decode it with their private key in a way that only they can accomplish. This prevents anyone else from knowing who the intended recipient is. (Side note - this is also why recovering a wallet requires re-scanning the blockchain - the only way to know which coins are yours is by checking every stealth address in every transaction in every block.)
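To make the two mechanisms described above concrete, the following is an added example (not code from the original post, and not Monero's own implementation) that sketches both the RingCT balance check from the "Hiding the Amount" section and the stealth-address derivation from this section. It uses the real Ed25519 curve that Monero is built on, but with plain affine arithmetic from the standard library only. Everything else is a labelled simplification: the second generator `H` is derived from a demo label rather than Monero's hash-to-point of `G`, the point and key encodings used for hashing are made up for this demo, and the function names (`commit`, `commitments_balance`, `sender_derive`, `receiver_owns`) are this example's own.

```python
# Added example, not code from the original post: a toy sketch of two Monero
# building blocks on the real Ed25519 curve, standard library only.
#   1. Pedersen commitments, the part of RingCT that lets the network check
#      that inputs balance outputs without ever seeing an amount.
#   2. Stealth (one-time) addresses, which a sender derives from the recipient's
#      address and only the recipient's private view key can recognise.
# Monero's real code uses optimised coordinates and its own hash-to-point for H;
# the generator H below is a demo-only stand-in and the encodings are simplified.
import hashlib
import secrets

P = 2**255 - 19                                        # field prime
L = 2**252 + 27742317777372353535851937790883648493   # order of the basepoint
D = (-121665 * pow(121666, P - 2, P)) % P              # curve constant d
I_SQRT = pow(2, (P - 1) // 4, P)                       # sqrt(-1) mod P

def _x_from_y(y):
    """Recover the even x for a given y on Ed25519; None if no such point."""
    xx = (y * y - 1) * pow(D * y * y + 1, P - 2, P) % P
    x = pow(xx, (P + 3) // 8, P)
    if (x * x - xx) % P:
        x = x * I_SQRT % P
    if (x * x - xx) % P:
        return None
    return P - x if x & 1 else x

def add(pt1, pt2):
    """Affine twisted-Edwards addition (a = -1); complete, so it also doubles."""
    x1, y1 = pt1
    x2, y2 = pt2
    t = D * x1 * x2 * y1 * y2 % P
    x3 = (x1 * y2 + x2 * y1) * pow(1 + t, P - 2, P) % P
    y3 = (y1 * y2 + x1 * x2) * pow(1 - t, P - 2, P) % P
    return (x3, y3)

def mul(k, pt):
    """Double-and-add scalar multiplication; (0, 1) is the identity."""
    acc, base = (0, 1), pt
    while k:
        if k & 1:
            acc = add(acc, base)
        base = add(base, base)
        k >>= 1
    return acc

def _hash_to_point(label):
    """Demo-only second generator: hash to a y, lift it, clear the cofactor."""
    y = int.from_bytes(hashlib.sha512(label).digest()[:32], "little") % P
    while True:
        x = _x_from_y(y)
        if x is not None:
            h = mul(8, (x, y))                         # land in the prime-order subgroup
            if h != (0, 1):
                return h
        y = (y + 1) % P

_BY = 4 * pow(5, P - 2, P) % P
G = (_x_from_y(_BY), _BY)                              # standard Ed25519 basepoint
H = _hash_to_point(b"demo second generator, NOT Monero's H")

def hash_to_scalar(*points):
    """H_s(): hash points to a scalar mod L (demo encoding, not Monero's)."""
    data = b"".join(x.to_bytes(32, "little") + y.to_bytes(32, "little") for x, y in points)
    return int.from_bytes(hashlib.sha512(data).digest(), "little") % L

def rand_scalar():
    return secrets.randbelow(L - 1) + 1

# ---- 1. RingCT amount hiding: Pedersen commitment C = r*G + a*H -------------
def commit(amount, blinding):
    return add(mul(blinding, G), mul(amount, H))

def build_outputs(in_blinds, out_amounts):
    """Sender: choose the last output blinding so sum(r_out) == sum(r_in) mod L."""
    out_blinds = [rand_scalar() for _ in out_amounts[:-1]]
    out_blinds.append((sum(in_blinds) - sum(out_blinds)) % L)
    return [commit(a, r) for a, r in zip(out_amounts, out_blinds)], out_blinds

def commitments_balance(in_commits, out_commits, fee):
    """Verifier: sum(C_in) == sum(C_out) + fee*H, checked without any amount."""
    lhs, rhs = (0, 1), mul(fee, H)                     # the fee is public
    for c in in_commits:
        lhs = add(lhs, c)
    for c in out_commits:
        rhs = add(rhs, c)
    return lhs == rhs

# ---- 2. Stealth addresses: one-time output key P = H_s(r*A)*G + B ----------
def make_keys():
    """Address = (A, B) = (public view key, public spend key); (a, b) private."""
    a, b = rand_scalar(), rand_scalar()
    return (a, b), (mul(a, G), mul(b, G))

def sender_derive(address):
    """Sender: fresh tx key r; publishes R = r*G and the one-time key P on-chain."""
    A, B = address
    r = rand_scalar()
    return mul(r, G), add(mul(hash_to_scalar(mul(r, A)), G), B)

def receiver_owns(priv, address, R, P_out):
    """Scanning: a*R == r*A, so only the view key holder can rebuild P and match."""
    a, _ = priv
    _, B = address
    return add(mul(hash_to_scalar(mul(a, R)), G), B) == P_out
```

Two things the prose alone does not show. First, `commitments_balance` is run by a node that holds only the commitments and the public fee: it adds up points, never amounts, and an output that claims more than the inputs fails the equality just as surely as an honest transaction passes it (the range proof, omitted here, is what stops a negative "amount" from wrapping around the group order). Second, `receiver_owns` is exactly the per-output test a wallet performs during a rescan: every output on the chain looks like a random point, and the only way to find your own is to try the derivation with your private view key against each one.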
Putting it All Together
To summarize everything we've learned:
- The Monero blockchain hides the sender, the amount, and the receiver for every transaction.
- RingCT hides the amount by creating a range proof among all selected inputs to prove no new coins are created, and encrypts the true amount with the receiver's address so only the recipient can see it.
- Ring Signatures hide the sender's address by mixing up a lot of coins together and never definitively revealing which coins have ever been spent.
- Stealth Addresses hide the receiver's address with one-time use encryption that no one can ever decode except the true receiver.
- The Coinbase company cannot help Rodrigo steal from citizens because their blockchain analysis software is useless against Monero!
Hopefully you now have a better understanding of how Monero works, and more confidence in its privacy-preserving abilities! It isn't magic - it's just math.
Footnote - Running Your Own Monero Node
One final note - running your own Monero blockchain node helps the network stay resilient and further protects your privacy. Read more here.