This article introduces a method of hiding transaction amounts in the strongly decentralized anonymous cryptocurrency Monero. Similar to Bitcoin,Monero is a cryptocurrency which is distributed through a proof of work “mining” process. The original Monero protocol was based on CryptoNote,which uses ring signatures and one-time keys to hide the destination and origin of transactions. Recently the technique of using a commitment scheme to hide the amount of a transaction has been discussed and implemented by Bitcoin Core Developer Gregory Maxwell. In this article,a new type of ring signature,A Multi-layered Linkable Spontaneous Anonymous Group signature is described which allows for hidden amounts,origins and destinations of transactions with reasonable efficiency and verifiable,trustless coin generation. Some extensions of the protocol are provided,such as Aggregate Schnorr Range Proofs,and Ring Multisignature. The author would like to note that early drafts of this were publicized in the Monero Community and on the bitcoin research irc channel. Blockchain hashed drafts are available in [14] showing that this work was started in Summer 2015,and completed in early October 2015. An eprint is also available at http://eprint.iacr.org/2015/1098.

We identify several blockchain analysis attacks available to degrade the untraceability of the CryptoNote 2.0 protocol. We analyze possible solutions,discuss the relative merits and drawbakcs to those solutions,and recommend improvements to the Monero protocol that will hopefully provide long-term resistance of the cryptocurrency against blockchain analysis. Our recommended improvements to Monero include a protocol-level network-wide minimum mix-in policy of n = 2 foreign outputs per ring signature,a protocol-level increase of this value to n = 4 after two years,and a wallet-level default value of n = 4 in the interim. We also recommend a torrent-style method of sending Monero output. We also discuss a non-uniform,age-dependent mix-in selection method to mitigate the other forms of blockchain analysis identified herein,but we make no formal recommendations on implementation for a variety of reasons. The ramifications following these improvements are also discussed in some detail. This research bulletin has not undergone peer review,and reflects only the results of internal investigation.

On 4 September 2014,an unusual and novel attack was executed against the Monero cryptocurrency network. This attack partitioned the network into two distinct subsets which refused to accept the legitimacy of the other subset. This had myriad effects,not all of which are yet known. The attacker had a short window of time during which a sort of counterfeiting could occur,for example. This research bulletin describes deficiencies in the CryptoNote reference code allowing for this attack,describes the solution initially put forth by Rafal Freeman from Tigusoft.pl and subsequently by the CryptoNote team,describes the current fix in the Monero code base,and elaborates upon exactly what the offending block did to the network. This research bulletin has not undergone peer review,and reflects only the results of internal investigation.

This research bulletin describes a plausible attack on a ring-signature based anonymity system. We use as motivation the cryptocurrency protocol CryptoNote 2.0 ostensibly published by Nicolas van Saberhagen in 2012. It has been previously demonstrated that the untraceability obscuring a one-time key pair can be dependent upon the untraceability of all of the keys used in composing that ring signature. This allows for the possibility of chain reactions in traceability between ring signatures,causing a critical loss in untraceability across the whole network if parameters are poorly chosen and if an attacker owns a sufficient percentage of the network. The signatures are still one-time,however,and any such attack will still not necessarily violate the anonymity of users. However,such an attack could plausibly weaken the resistance CryptoNote demonstrates against blockchain analysis. This research bulletin has not undergone peer review,and reflects only the results of internal investigation.

This document is not intended as financial advice; it is one mathematicians take on the white paper before digging into the code.