How Monero Diverges from Bitcoin to Achieve Fungibility: Part II of Our Review of Technical Approaches to Anonymity in Cryptocurrency
You're reading Part II, which covers the CryptoNote protocol and Monero. Part I introduced the concept of anonymous transactions, methods for deanonymizing Bitcoin transactions, and techniques to enhance Bitcoin privacy. Part III covers zero-knowledge proofs and Zcash.
How the Monero movement began
Much like Bitcoin, CryptoNote protocol was proposed by an enigmatic author with the pseudo-name Nicholas van Saberhagen. The design of CryptoNote is to solve two drawbacks of Bitcoin: privacy and concentration of mining power. For the purpose of this report, we will focus on the privacy aspect of the protocol.
The whitepaper defines two properties of privacy:
Untraceability: for each incoming transaction all possible senders are equiprobable.
Unlinkability: for any two outgoing transactions it is impossible to prove they were sent to the same person.
CryptoNote's transactions solve the privacy issues of Bitcoin transactions. With additional privacy enhancement features, CryptoNote is theoretically capable of hideing the identity of sender and recipient in the transactions.
The first implementation of CryptoNote is Bytecoin. However, the notorious crippled miner incident drove some community members to fork and create a new “Bitmonero”, which eventually renamed to Monero. Monero is very much a community-driven, grassroots project. Since its inception, Monero has managed to grow into one of the most robust community in the cryptocurrency space.
Utilizing several prominent privacy features on top of the CryptoNote design, Monero can achieve cryptographic privacy by default. According to the Monero site:
“Monero is a secure, private, and untraceable currency system. Monero uses a special kind of cryptography to ensure that all of its transactions remain 100 percent unlinkable and untraceable.”
The "special kind of cryptography" Monero uses is a combination of features: Ring Signatures, Dual-Key Stealth Addresses, Ring Confidential Transactions, and Kovri(under development).
How Monero hides the transaction sender
Ring Signature makes Monero transaction cryptographically untraceable. It employs a collection of old and new transactions from the blockchain to obfuscate the real transaction being spent. Every transaction output may or may not have been spent. Some historical transaction may even show up multiple times. The observer will not be able to tell if a transaction has been spent or not.
The idea behind ring signature is the same as the mixing technique introduced in Part I. The larger the ring size is, the greater the anonymity set is. This 1-of-N input model is passive, meaning the user does not need to connect with the creators of the foreign transactions to form the ring. Monero enforces a minimum ring size to guarantee untraceability. The increase in privacy also results in a larger transaction size, which may ultimately reflect in the transaction fee. The stats of the ring size are, as of March 8th, 2018:
By using the ring signature scheme to hide the real transaction, Monero cannot implement the same type of UTXO data structure as Bitcoin's, because a transaction would appear multiple times, making it difficult for the network to verify if a transaction has been completed. As a result, double-spending protection needs to be implemented cryptographically.
A special class of ring signature was proposed by Fujisaki and Suzuki in their paper Traceable Ring Signature. The scheme has a tag that consists of a list of ring members. If the member submits multiple signed "opinions," the identity of that member is immediately revealed. In CryptoNote implementation, public traceability is discarded, and the tag is replaced with Key Image, which is essentially a hash of the private key.
Instead of using the actual private key, the hash is employed to sign and verify transactions. Since the Key Image is stored on blockchain, any double-spending attack can be easily linked. In addition, if an adversary tries to figure out the real private key, they would need to decode the Key Image. As discussed in Part I, reversing the result of a cryptographic hash function requires significant amount of computational resources. In summary, the input of a Monero transaction is as such:
(Image Source:CryptoNote Whitepaper V2)
How Monero hides the recipient
Dual-Key Stealth Addresses make Monero transactions cryptographically unlinkable. In Bitcoin, a user just has one pair of public / private key. In Monero, the user has two pairs: View Key and Spend Key. Simply put, the View Key pair is for the receiver, and the Spend Key pair is for the sender.
On blockchain explorer, an observer will not be able to tell if the outgoing transactions are going to the same person. Only the recipient can decode. A view of the transaction output:
How Monero hides the transaction value
RingCT makes Monero transactions cryptographically valueless. RingCT is a modification on the original Confidential Transaction, first proposed by Bitcoin engineer Greg Maxwell for side-chains. Extending Confidential Transaction on the Ring Signature scheme can cloak the transaction value.
The transactions destination includes a cryptographic commitment public key, which hides the value of the transaction. A commitment is just like an envelope- it allows the participants to commit to a certain value without revealing it right away.
RingCT signs the difference between the commitments. Although commits look like random numbers, miners can confirm the amount being sent is the same as a number of funds available due to the nature of additive homomorphic encryption. The ratio of transactions that use RingCT:
An important part of Confidential Transaction is rangeproof. It is a specific type of zero-knowledge proof(see Part III for more) to prove a number is between 0 and 2^64. If a certain parameter in the commitment is set to negative, the malicious actor can create Monero from thin air. The drawback here is that rangeproofs are large. As a result the transaction size of a single Monero transaction is increased significantly. Currently a Monero transaction is about 12-15KB, much larger than the transaction size of Bitcoin, which, on average, is about 1KB. The size of rangeproof could potentially become a bottleneck for scaling. A team of cryptographers led by Stanford professor Dan Boneh worked on a new scheme for a year to improve its performance. The article Bulletproof: Short Proofs for Confidential Transactions and More introduces a method to narrow down the range of the proof. Monero is currently experimenting with Bulletproof on its Testnet and, according to the lead developer, transaction size could potentially be reduced by 80 percent.
The Ring Signature scheme in Monero's RingCT is based on Multilayered Linkable Spontaneous Anonymous Group Signatures. Rather than having a ring signature on a set of n keys, an MLSAG is a ring signature on a set of n key-vectors. A key-vector is just a collection of public keys with corresponding private keys. This design makes the probability of forging or linking signatures almost negligible.
How Monero intends to hide IP addresses, too
The next project on the Monero roadmap is Kovri. Right now attackers can infest the network with logging nodes to capture the origin of the transaction as it is being broadcasted to the rest of the network.
Kovri establishes another layer of connection between the nodes through an i2p network. The transactions will be broadcasted on Kovri layer while the blocks are still broadcasted on the main network. Anonymous connections are achieved by encrypting the user's traffic and sending it through a vast network distributed around the world. Given the high number of paths the traffic can use for transit, a third party watching a full connection is unlikely. Kovri is still under development.
Monero in summary
The privacy features in Monero cloak everything in a given transaction, from its sender, to the transaction value, to the address of the receiver. While their network-level privacy tool is still under construction, Monero is still considered a top project in the privacy-focused field.
Due to the level of privacy it achieves, Monero is also fungible, making it a more ideal "retail currency" compared to other tokens in the space.
However, scaling for Monero blockchain is challenging because of RingCT, as it makes transaction verification harder and also larger in size. Monero uses a dynamic block size, which means that, unlike Bitcoin's, Monero block size varies as demand increases or decreases. However, dynamic block size is not perfect and the dynamic block size feature does get abused.
As discussed earlier, Monero is also working with Bulletproof on testnet. Bulletproof is a highly-anticipated next generation cryptographic tool. It reduces the size of the old rangeproof from ~5KB to 700 bytes. It also supports aggregation. Combining several rangeproofs would only increase the size by several hundred bytes. Bulletproof is easy to use in protocols, and much less cumbersome to setup than SNARKs(we will discuss in Part III).
To learn more about it, read Andrew Poelstra's article here.
Besides on-chain solutions, developing Lightning Network, or side-chain solutions such as Mimblewimble protocol could be the ways to scale.
We're planning on building out a MimbleWimble system, probably as a layer 2 / sidechain. We'll likely do it in Rust, though, so we won't be able to inherit anything from grin except their learnings in building it:)— Riccardo Spagni (@fluffypony) November 30, 2017
Next: The Magic Behind ZK-SNARKs: Part III of Our Review of Technical Approaches to Anonymity in Cryptocurrency
Consider reading on, as Part III details how the Zcash network implements privacy.