Introduction to truly anonymous cryptocurrency

Let me introduce myself

• Cryptoanarchist & voluntaryist focused on technology and society hacking
• IT security guy, founder of IT security hacking companies (Nethemba, Hacktrophy) & contemporary art (Satori)
• Co-founder of Bratislava's and Prague's hackerspaces (Progressbar & Paralelni Polis)
• Member of Czech contemporary anti-government artistic group Ztohoven
• Responsible for many anti-government & digital privacy projects www.nepracujemeprestat.sk, www.internetbezcenzury.sk

Why do we need financial freedom?

• Tracking & monitoring financial transactions by banks /governments represents a drastic intervention to citizens' digital privacy
• Above some cash limits, you cannot avoid using bank accounts even if you don't trust banks
  • There were many incidents in the past when bank employees misused sensitive customer's information

• Information exchanged by OECD CRS can be  leaked (by potential hacking attack or internal employees)
• Banks can block your transactions because they are suspicious, you have a burden to prove your innocence

Why do we need financial freedom II?

• Prohibition of anonymous cash in many countries above some limits including Czech and Slovak Republic, and it is becoming worse (India)
• Prohibition of anonymous prepaid cards (!) in the EU
• KYC, AML and other "financial dictatorship promoting" regulations
• The card payment companies, banks, government institutions - all of them can easily track your financial transactions
• When you receive a "suspicious" bank transaction or from a "suspicious" country (e.g. offshore), the bank sends automated notifications to the government officials...
• International payments (out of euro-zone) are thoroughly inspected, blocked by banks requiring a lot of bureaucracy

Why do we need financial freedom III?

• Monero Privacy is NOT a crime or something to feel guilty about
• If somebody can find personal information by researching about you, or you provide your home address for postage - then they could potentially target you in order to rob you of said Bitcoins
• This is a very dangerous situation that people should have the right to protect themselves from
• Please do not be made to feel guilty about privacy because privacy is simply safety. Safety for you and your family

Bitcoin is not anonymous

• Bitcoin is pseudo-anonymous (you can see all transactions in a public blockchain)
• Sensitive information can be revealed by
  • linking the transactions
  • correlations of transactions
  • leaked information from Business registers, Bitcoin exchanges (not only to the tax office :-), Bitcoin services (e.g. payment gateways)
  • crypto-markets (your used postal address can be associated with your BTC address)

Bitcoin blockchain analysis

• All bitcoins are equal, but some bitcoins are more equal than others (colored or taint coins), see http://coinvalidation.com/
• There are many companies doing blockchain analysis and this business is growing over time
  • https://www.chainalysis.com
  • http://www.quantabytes.com
  • https://www.elliptic.co
  • http://numisight.com
• Permanent nature of blockchain ensures that privacy only ever decreases! (maybe Onion routed micropayments for the Bitcoin Lightning Network will save us? :-) 

Interpol/Europol is killing your freedom

• Stricter Bitcoin Regulation and make anonymous use of the digital currency much more difficult
• Ban on Bitcoin Mixers - “Such services are designed exclusively to anonymize transactions and to make it impossible for Law Enforcement Agencies to detect and trace suspicious transactions. The existence of such companies should not continue to be tolerated.”
• The recommendations also suggest that law enforcement agencies should cooperate across borders in identifying “suspicious Bitcoin addresses that threaten economic stability” and even that “unexplained wealth” should be considered a crime.
• Mandatory KYC/AML required for all who are involved in crypto-currencies

– pdtmeiwn on /r/bitcoin

"Electronic cash is easy. Facebook could do it.

Private electronic cash is harder, but Chaum figured out how to do it in the early 90s.

Decentralized electronic cash is even harder. That’s Bitcoin.

Decentralized private electronic cash is even harder. That’s the next step...."

Monero basic facts

• the first fork of CryptoNote-based currency Bytecoin (2nd most developed cryptocurrency at github.com after Bitcoin in 2016)

• Capitalization:  14,224,547 XMR = $296,307,268 (6)

• Inflation: Slowly decreasing block reward that levels out at a minimum of 157788 XMR annually. This is less than 1% annual inflation, tending towards 0%.

• High privacy is achieved thanks to:

  • ​ring signatures to hide sending address

  • RingCT hides the amount of the transaction (currently enabled by default and mandatory by the end of the 2017)

  • stealth addresses hide the receiving address of the transaction.

  • (A planned fourth way) conceals the origin node for transactions in I2P (Kovri router)

Smooth emission

• Its main emission curve will issue about 18.4 million coins to be mined in approximately 8 years.[15][16] (more precisely 18.132 Million coins by ca. end of May 2022)
• After that, a constant "tail emission" of 0.6 XMR per 2-minutes block (modified from initially equivalent 0.3 XMR per 1-minute block) will create a sub-1% perpetual inflation (more precisely starting with 0.87% yearly inflation around May 2022)
• The emission uses a smoothly decreasing reward with no block halving
• The smallest resolvable currency unit is 10^-12 XMR (piconero)
• The proof-of-work algorithm, CryptoNight, is AES-intensive and "memory heavy", which significantly reduces the advantage of GPU over CPU.

Do we have 100% right to our financial freedom if no one is hurt?

So what Mr. Satoshi thinks?

https://bitcointalk.org/index.php?topic=770#msg9074

Stealth addresses mentioned by Satoshi

August 13, 2010

"What we need is a way to generate additional blinded variations of a public key.  The blinded variations would have the same properties as the root public key, such that the private key could generate a signature for any one of them.  Others could not tell if a blinded key is related to the root key, or other blinded keys from the same root key.  These are the properties of blinding.  Blinding, in a nutshell, is x = (x * large_random_int) mod m.
When paying to a bitcoin address, you would generate a new blinded key for each use."

Linkability

Alice

Bob

Charlie's address

Tx1

Tx2

Tx1 and Tx2 are going to the same address

Unlinkability

Alice

Bob

?

Tx1

Tx2

No idea where the transactions are going!

?

Stealth addresses

• Bob maintains one pre-generated public address
• To send money to Bob, Alice generates a one-time key based on Bob’s public address
• Bob monitors the blockchain for payments
• Bob can recognize payments to one-time keys from his address using his private key
  • to other observers it will look like having different destinations
• Only the owner of a monero address knows the output is for him
• Mallory cannot distinguish whether a payment belongs to Bob

Stealth addresses II

• Bob can now publish his stealth address to everybody
• Each output sent to Bob will look to observers as having different destinations
• Nobody can tell these outputs are going to Bob
• Nobody can tell these outputs are going to the same person

Bitcoin vs. Monero

Private key = b

Public key (PK) = b.G

H(PK) = 01xxxx....

Spend key b 

View key v

Spend public key B = b.G

View public key V = v.G

One time destination key

H(r.V).G+B, R

Random R = r.G

(publish R with Tx)

Tracking key v, B

Sending money to stealth address

• Alice wants to pay Bob (V, B)
• She generates random r and publishes R = rG
• She computes one-time key P = H(rV)G + B

Spending money from stealth address

• Bob can compute x = H(vR) + b such that P = xG
• xG = (H(vR) + b)G = H(vR)G + bG = H(vR)G + B = P
• Bob can spend by signing with x
• b is needed to spend money; b is a spending key

Viewing money on stealth address

• For every transaction on the blockchain, Bob computes P’ = H(vR)G + B
• Bob checks if P = P’. P’ = H(vR)G + B = H(vrG)G + B = H(rvG)G + B = H(rA)G + B = P
• Only v is needed to view money; v is a view key

https://bitcointalk.org/index.php?topic=770#msg9074

Ring Signature mentioned by Satoshi

August 13, 2010

Traceability

Tx A

Tx B

Tx C

Text

Some addresses

Tx1 is spending funds received in Tx A, B an C!

Tx 1

Untraceability

?

Text

Some addresses

Charlies's address

No idea which funds are spent in Tx 1!

Tx 1

Ring Signatures

Text

• A group of cryptographic signatures with at least one real participant, but no way to tell which in the group is real one as they all appear valid

Text

Spending Bitcoin vs Monero

You want to spend output O of amount X, and send it all to Bob.

• In Bitcoin:
  • You construct a transaction saying “I use output O, and create a new output going to Bob’s address”
  • You sign this transaction with the private key of the address that received the output O
• In Monero:
  • You find some outputs in the blockchain with the same cummulative amount X as your output O
  • You construct a transaction saying “I use one of these outputs, and create a new output going to <stealth destination>”
  • You sign this transaction using a ring signature

Achieving untraceability

• Not only you are “mixing” your output when actually spending it: everybody is constantly using other people’s output in ring signatures, they will use yours too
• Ring signatures are passive -  the wallet currently chooses outputs as follows: 25% are chosen randomly from "recent outs", presently the last five days; the remaining 75% are chosen from older outputs using a triangular distribution
• No need for people controlling the other outputs in the ring signature to be online or active
• Combinatorial explosion kicks in very quickly and render impractical forensic analysis of the blockchain

Bitcoin Signature vs. Monero Ring Signature

• Alice is sending X BTC to Bob
  • Input: reference (output O)
  • Output: Bob's address, amount=X
  • Digitally signed by Alice private key
• Alice is sending X XMR to Bob
  • Input: reference (output A, output O, output B, output C)
  • Output: Bob's stealth address, amount=X
  • Digitally signed by Ring signature

Ring signatures Q&A

• Output spent using ring signature is not “spent for sure”: how to prevent double-spend?
  • Signatures are deterministic, so spending the same output twice can be detected easily (For each utxo, keep list of public key images I)
• To spend my output of amount X using a ring signature, I must find other outputs with the same amount X! Isn’t it difficult?
  • Outputs are automatically broken down into common denominations. For instance, sending 11.5 XMR actually creates an output of 10, plus another one of 1, plus another one of 0.5. Thus, always plenty of outputs with proper amount. And all of them use their own ring sig!

Ring Confidential Transactions

• Hides the amount of the transaction (currently enabled by default and mandatory by the end of the 2017)
• A Multi-layered Linkable Spontaneous Anonymous Group signature which allows for hidden amounts, origins and destinations of transactions with reasonable efficiency and verifiable, trustless coin generation.
• More information at https://lab.getmonero.org/pubs/MRL-0005.pdf

Analogy with Family tree

Unlinkability:

I don't know who are children of X

(solved with Stealth Address)

Untraceability:

I don't know who are parents of X

(solved with Ring Signatures)

Fungibility

• Formal definition: Fungibility is the property of a good or a commodity whose individual units are capable of mutual substitution. That is, it is the property of essences or goods which are“capable of being substituted in place of one another.”
• TL;DR: Fungibility means that units are interchangable.
• Monero hides transactions destination (stealth), origin (ring signatures), precise amounts (denominations)
• Another popular cryptocurrencies with "fungibility" property:
  • ZCoin
  • ZCash
  • SDC / Particle.io
  • Dash(?)

Do you want to pay taxes or just be transparent?

• A clever cryptographic mechanism, the “viewkey”. For each address, you have spend key (part of Bitcoin private key) & viewkey
• Give viewkey to somebody: they can see which outputs you control (= what you received).
• Viewkey mechanism exists also for one single transaction only.
• Monero provides high privacy by default whilst still providing opt-in full transparency when desired
• View keys can be used to comply with taxation if we want
• Can be used to prove transaction was made in case of dispute, achieve transparency, in case of non-profits, in solvency proofs ...

Monero support

• Original wallet with GUI https://getmonero.org
• My Monero https://mymonero.com/
• Smartphone Monero wallet (suspicious, not recommend to use)
• Uquid.com and bitwa.la Monero debit cards (through Shapeshift.io)
• Monero exchanges (evercoin.com, Kraken.com, ..)
• Monero gambling site http://www.monerodice.net
• Monero Point of Sale Payment system https://github.com/amiuhle/kasisto
• XMR.TO - pay any BTC address using Monero (mixing service)
• monero-trader.com - anonymous exchange, both ways BTC to XMR, XMR to BTC

Still looking for

• Monero integrators:
  • Monero ATM + fully functional POS terminal
• Secure & trusted Monero smartphone Wallet
• Hardware wallet (there were some unsuccessful tries like Trezoro for Bitcoin Trezor, can we expect Ledger Nano S in September 2017?)

Monero in practice

• Some technical obstacles - you need 2 private keys (spend key + view key), to see a balance you need "key images" for each transaction (can be computed with spend key)
• You need a direct connection to Monero "blockchain" to be able to reveal your own transactions (able to spend them)
• More popular Monero will be, lower transaction fees will be
  • Release 0.10.1 added a dynamic fee system using the formula Fee=(R/R0)*(M0/M)*F0. As usage of Monero increases, the per-transaction fees will decrease while the total transaction fees will increase
• Monero does not have a fixed block size, it is adaptable determined by free market (with a potential penalization)

Monero challenges I

• Privacy. Monero is probably the most private currency around, but it is not perfect. There are still some privacy concerns. Most notably is an attack where one can figure out which node is the origin of a transaction. This is being mitigated with the development of Kovri, which is an I2P router in C++. Finally, the minimum mixin (being renamed to "ring size" to help avoid confusion with Bitcoin mixing services) of 2 is too low. Less than 25% of transactions use a mixin greater than 2. The minimum is supposed to be increased to 4 the same time RingCT will be made mandatory, but there is some discussion to increase this number further.
• Mining centralization. A large proportion of Monero mining is consumed by 4 large pools. As of writing, no single pool controls more than 20% of the total hashrate, but mining decentralization is extremely important.

Monero challenges II

• No phone wallets. It is quite difficult to use Monero on your phone. Right now the only options are wallets that hold your keys for you (see Freewallet, which the community heavily discourages the use of) or web wallets (MyMonero). Jaxx claimed to have the implementation finished in December, but they later said that Monero support was scrapped

• Transaction size. This is not a major issue, but they are much larger than a Bitcoin transaction.

• Limited use. Monero does not have the same level of adoption as Bitcoin. Although Monero has more volume than most coins similar in size, it is typically used as a tool to anonymize Bitcoin.

• Why just Ed25519 elliptic curve scheme? (Because we trust in D.J. Bernstein? :-)

Monero challenges III

• Development difficulty. Monero is harder to add things to than Bitcoin-based coins. For instance, may wallets added support for ZCash's non-anonymous coins very shortly after release. Edit: we have yet to have a hardware wallet support Monero.

• Limited merchant tools. To accept Monero currently, a merchant still has to do a bit of work. Projects like PayBee are trying to mitigate this, but the project has not seen much public development in the past year.

• Geographic limitations. No, Monero use is not limited to certain geographical areas. But certain areas have not seen significant adoption of Monero. These regions include South America, Africa, and Asia. Additional translations and resources are needed to help increase use in these regions.

• Still regular hard-forks (because of heavy development)

Impact of Monero on the world's economy

• Everybody can sell his products or services in a completely anonymous way (using OpenBazaar over Tor or Shadow/Particle.io market) with no intervention of 3rd parties (including the governments / tax office) and pay with truly anonymous cryptocurrencies (like Monero)
• The cryptoanarchist vision of Timothy C May has been accomplished
• It is possible to implement "Gamma system "(described by Paul Rosenberg's in the book "A lodging of wayfaring men" ) and create "the second realm" (described by Smuggler) or "Parallel Polis" (created by us) to the current government-controlled system
• The governments will have difficult times... :-)

References

• I re-used information/texts from the following sources:
  • https://en.wikipedia.org/wiki/Monero_(cryptocurrency)
  • http://corelab.ntua.gr/athecrypt2016/slides/Monero_zindros.pdf
  • https://www.slideshare.net/arnuschky/monero-geneva
  • http://www.nicolascourtois.com/bitcoin/paycoin_privacy_monero_6.pdf
  • https://www.reddit.com/r/Monero/comments/611jtu/lets_talk_about_moneros_disadvantages/
  • https://www.reddit.com/r/Monero/comments/6uldp2/monero_privacy_is_not_a_crime_or_something_to/
• as well as from official Monero papers / presentations:
  • The CryptoNote WhitepaperInitial Review of the CryptoNote Whitepaper
  • MRL-0001: A Note on Chain Reactions in Traceability in CryptoNote 2.0
  • MRL-0002: Counterfeiting via Merkle Tree Exploits within Virtual Currencies Employing the CryptoNote Protocol
  • MRL-0003: Monero is Not That Mysterious
  • MRL-0004: Improving Obfuscation in the CryptoNote Protocol
  • MRL-0005: Ring Signature Confidential Transactions

Thanks!

Q/A?

(you can still ask at http://monero.stackexchange.com/)