Public blockchains are inherently transparent. For blockchains to function in a decentralized environment, any peer must be able to independently verify all of its transactions. A quick look at Bitcoin or Ethereum is enough to see just how public their databases are.
Such an infrastructure provides several advantages, but it often compromises privacy and anonymity. Observers can link blockchain transactions and addresses to potentially deanonymize address owners.
These so-called pseudonymous cryptocurrencies are useful for a myriad of applications. However, privacy coins may be more desirable for those seeking true financial confidentiality. And when it comes to private cryptocurrencies, few are as well-known as Monero.
Monero (the Esperanto word for "money") is a cryptocurrency built on the principles of unlinkability and untraceability. In plain English, this means that you should not be able to make a connection between two Monero transactions, nor should you be able to determine the source or destination of funds.
This is Monero's appeal. It still uses a blockchain to track the movement of funds, but it leverages some neat cryptography to obscure transaction sources, amounts, and destinations. Let's illustrate this by comparing it with the Bitcoin ledger, which looks something like this:
In contrast, the Monero blockchain looks like this:
We'll get into what makes this kind of obfuscation possible shortly.
Monero is a fork of Bytecoin, a privacy-oriented cryptocurrency released in 2012. Bytecoin was the first protocol based on CryptoNote, an open-source technology that aimed to solve some of Bitcoin's shortcomings. Namely, those shortcomings are ASIC mining (the use of specialized mining hardware) and lack of privacy in transactions. CryptoNote now forms the basis of many cryptocurrencies seeking to emphasize confidentiality.
In 2014, developers that were unhappy with the initial distribution of Bytecoin forked it into a new project known as Bitmonero. The name was later changed, dropping the "Bit" to reach what we know today as Monero.
When researching Monero, you'll stumble across the terms "ring signature" and "stealth address." These are two of the key innovations that underpin the anonymity of Monero transactions. In this section, we'll give a high-level overview of both concepts.
A ring signature is a digital signature created by someone in a specified group. Given the signature and the group members' public keys, anyone can verify that one of the participants provided the signature. But they can't tell which one did.
The 2001 How to Leak a Secret paper that detailed this construct uses the example of a government cabinet. Suppose that a member of this cabinet – Bob – has some incriminating evidence about the Prime Minister. Bob wants to prove to a journalist that he is indeed a member of the cabinet, but he wants to remain anonymous.
Bob wouldn't be able to do this with a regular digital signature. By comparing it with his public key, anyone could say with certainty that only Bob's private key could have produced the signature. He could face severe consequences for blowing the whistle on the Prime Minister's activities. However, if the other cabinet members' keys were used in a ring signature scheme, you couldn't determine which one sent the message. Still, you could say that a cabinet member leaked the information, thus proving its authenticity.
This technique is used every time you create a transaction, providing you with plausible deniability. While constructing it, your Monero wallet pulls other users' keys from the blockchain to form a ring. These keys effectively act as decoys – it appears to an observer that anyone in the ring could have signed your transaction. As a result, an outsider can never determine whether an output has been spent or not. At best, they can tell that one of the eight outputs in the image below might have been spent. We refer to the number of dummy outputs as the mixin.
A ring with seven mixins.
In the above image, the green output is the one you're really spending, and the red ones are the decoys you've gathered from the blockchain. To an observer, it looks like you could be spending any of the eight outputs.
It used to be that the outputs included in the ring had to be the same size. Otherwise, it would be easy to figure out what was going on, as transaction amounts were visible. For instance, you might have a ring where only outputs of 2 XMR were included or one where only 0.5 XMR forms the ring.
The upgrade to RingCT (Ring Confidential Transactions) changed that. It incorporated Confidential Transactions, a technique where transaction amounts are obfuscated. Its integration into the Monero protocol was a major privacy boost, as it means that you no longer need to work with set denominations. You can now construct a ring with outputs of different sizes without revealing any information that could be used to deanonymize you.
Ring signatures hide where funds are coming from, but with regular public addresses, you'd still be able to see where they're going. That could be problematic if your identity is tied to one of your blockchain addresses.
Suppose that you use the same address for your e-commerce store for every order. Anyone that made an order could see the balance you're holding and tell other people that it's your business's address. This could make you a target.
Stealth addresses hide the destination of funds. They do this by having the sender generate a one-time address based on a public address used solely for that transaction. The public address might look something like this:
If you search for the address in a Monero block explorer, you'll see that you can't tie any transactions to it. That's because when a sender wants to send you funds, they create a stealth address by doing some mathematics with the one above. When they send XMR, they send it to a new address on the blockchain. Each created address will be different from the previous one, and they cannot be linked together.
However, you have two pieces of information that you can use: the private view key and the private spend key. As the names indicate, the view key allows you to see all of the transactions associated with your address. You can give this to others (your accountant, for instance) to audit the funds you've received. The spend key is what you'd normally think of as your private key – you use it to spend your coins.
Monero has a privacy by default policy, meaning that you can't opt out of using a stealth address. So while the public ledger is automatically obscured, you can still make your transactions transparent to parties of your choosing.
As cryptocurrencies, Monero and Bitcoin present some similarities. But in reality, there are many aspects unique to both.
Fungibility is a source of major disagreement in the Bitcoin sphere. It refers to the interchangeability of a good with another good of a similar kind. Gold, for example, is considered fungible because you can swap an ounce of yours with someone else's, and it will still be functionally identical. The same goes for cash – you can exchange a ten-dollar bill for another. Conversely, a unique piece of art like the Mona Lisa isn't fungible as there isn't another unit like it.
In many digital currencies, it gets a bit more challenging to determine fungibility. Units in Bitcoin are fungible at the protocol level, as the software doesn't make any distinction between each BTC unit. Where it gets more ambiguous is at the social and political levels. Some contend that Bitcoin is non-fungible because each output is unique, whereas others argue that it doesn't matter.
Because Bitcoin's blockchain is transparent, transaction details like amounts and destinations can be tracked. Suppose that you received a five-dollar bill as change at a grocery store. That bill could have been used in a criminal transaction ten transactions ago, and it wouldn't have any impact on the usability of the bill now. With Bitcoin, there have been incidents where coins have been refused or confiscated based on their "tainted" history. Even if users are unaware of past transactions, chain surveillance can blacklist coins and impact their usability as currency. And this is why some consider Bitcoin a non-fungible asset.
In some circles, it's thought that these practices could break some of the properties that make public ledger cryptocurrencies appealing. "Clean" coins that have been freshly mined (and thus, have no history) could be seen as more valuable than older "dirtier" ones.
Those that oppose coin profiling believe that it uses unreliable and subjective techniques for analysis. Indeed, tools for coin mixing and CoinJoining are being made increasingly accessible to end-users, both of which obfuscate the source of funds.
Monero avoids these shortcomings from the get-go. Since observers can't tell where funds came from or where they're going, it's perhaps more akin to cash than to non-privacy coins. Even in businesses with rigorous analysis policies, XMR from questionable transactions can be exchanged without issue.
Monero's added privacy does come at a cost, though. Transactions are much larger in size, meaning that there are some significant hurdles to overcome before the system can scale to accommodate the masses.
Interestingly, its strong fungibility has even earned the cryptocurrency a certain degree of notoriety, surpassing Bitcoin as the money of choice for cybercriminals engaging in cryptojacking, ransomware, and dark web transactions.
Like Bitcoin, Monero uses Proof-of-Work to add blocks of transactions to the blockchain. As with all CryptoNote-based protocols, though, it's designed to be ASIC-resistant. The aim behind this is to prevent the dominance of mining pools running specialized, high-performance mining hardware.
Monero's Proof-of-Work algorithm (recently changed from CryptoNight to RandomX) aims to make the system fairer by favoring CPU mining and weakening GPUs' effectiveness. The logic behind this is that mining will be better distributed as consumer-grade PCs remain competitive. Despite this, hashing power remains relatively concentrated in a handful of mining pools.
Regarding block size, Monero does not have a fixed cap, unlike Bitcoin's 4 million in block weight units. Instead, it has a dynamic block size, meaning that blocks can expand to accommodate increased demand. Accordingly, if demand is reduced, the permitted size will shrink. The size is calculated by looking at the median size of the previous hundred blocks (which are mined every two minutes, on average). Miners can produce blocks that exceed the limit, but they'll be penalized with a reduced reward.
It's worth noting that the supply is not finite, as is the case in Bitcoin. Monero has a decreasing block reward schedule, too, but it doesn't tend towards zero over time. Instead, the block subsidy will indefinitely remain at a fixed amount to incentivize participants to keep mining blocks.
You can observe another interesting difference between Bitcoin and Monero at the governance level. Bitcoin is somewhat averse to forks to the extent that even simple upgrades are discussed for a long time before they're implemented. But there is a reason for this. Bitcoin developers need to be conservative at times to ensure the system remains stable, secure, and decentralized.
Of course, forks are just protocol upgrade mechanisms. They're often necessary to resolve critical bugs or to add new features. In Bitcoin, though, users prefer to avoid them as they can cause division, and may pose a threat to decentralization. Generally, hard forks in Bitcoin arise when a group wants to create a new cryptocurrency from the existing network. Other than that, they're usually reserved for patching urgent vulnerabilities.
In Monero, however, frequent hard forks are very much a part of the roadmap. This ensures that the software can quickly adapt to changes and roll out security upgrades. Some view "mandatory" protocol updates as a weakness, though Monero hard forks don't really carry negative connotations as they sometimes do in other cryptocurrencies. That's not to say that they're foolproof – frequent hard forks increase the risk of a vulnerability going unnoticed, and can push non-upgraded users off the network.
As with Bitcoin, Monero's development is open to all. Anyone can contribute to the source code and documentation. The community decides which features to add, remove, or amend. At the time of writing, the project has over 500 contributors. The Core development team is made up of developers such as Riccardo Spagni (aka FluffyPony), Francisco Cabañas (ArticMine), and pseudonymous devs NoodleDoodle, othe, and binaryFate.
Alongside sponsorships, the Community Crowdfunding System (CCS) is used to fund development. Users can pitch ideas that, if selected by the community, undergo a crowdfunding period. Once certain milestones have been hit in bringing the project to fruition, the funds are paid out to those responsible.
For years, Monero (XMR) has been the go-to cryptocurrency for those seeking strong privacy assurances. It has a dedicated community of developers committed to increasing the confidentiality of its users' transactions. New upgrades (such as Kovri integration) seek to further the mission of providing unlinkability and untraceability in cryptocurrency.