"Electronic cash is easy. Facebook could do it.
Private electronic cash is harder, but Chaum figured out how to do it in the early 90s.
Decentralized electronic cash is even harder. That’s Bitcoin.
Decentralized private electronic cash is even harder. That’s the next step...."
Capitalization: 14,224,547 XMR = $296,307,268 (6)
Inflation: slowly decreasing block reward that levels out at a minimum of 157,788 XMR annually. This is less than 1% annual inflation, tending towards 0%.
High privacy is achieved thanks to:
ring signatures hide the sending address
RingCT hides the amount of the transaction (currently enabled by default, mandatory by the end of 2017)
stealth addresses hide the receiving address of the transaction
(a planned fourth mechanism) the Kovri I2P router conceals the origin node of a transaction
August 13, 2010
"What we need is a way to generate additional blinded variations of a public key. The blinded variations would have the same properties as the root public key, such that the private key could generate a signature for any one of them. Others could not tell if a blinded key is related to the root key, or other blinded keys from the same root key. These are the properties of blinding. Blinding, in a nutshell, is x = (x * large_random_int) mod m.
When paying to a bitcoin address, you would generate a new blinded key for each use."
Private key = b
Public key (PK) = b.G
H(PK) = 01xxxx....
Spend key b
View key v
Spend public key B = b.G
View public key V = v.G
One-time destination key
Random R = r.G
(publish R with Tx)
Tracking key v, B
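The one-time destination key sketched above, as an added example (not from the slides or the Monero code base): a pure-Python Ed25519 implementation of the CryptoNote stealth-address scheme, where the sender publishes R = r.G with the transaction and the receiver scans with the tracking key (v, B). All key values are constructed, and sha3_256 is an assumption standing in for Monero's Keccak-256 hash-to-scalar.

```python
import hashlib

# Ed25519 parameters (RFC 8032): field prime, group order, curve constant d, base point G
p = 2**255 - 19
l = 2**252 + 27742317777372353535851937790883648493
d = -121665 * pow(121666, -1, p) % p
G = (15112221349535400772501151409588531511454012693041857206046113283949847762202,
     46316835694926478169428394003475163141307993866256225615783033603165251855960)
O = (0, 1)  # neutral element

def add(P, Q):
    """Affine twisted-Edwards addition with a = -1; the same formula handles doubling."""
    (x1, y1), (x2, y2) = P, Q
    t = d * x1 * x2 * y1 * y2 % p
    x3 = (x1 * y2 + x2 * y1) * pow(1 + t, -1, p) % p
    y3 = (y1 * y2 + x1 * x2) * pow(1 - t, -1, p) % p
    return (x3, y3)

def mul(k, P):
    """Scalar multiplication k.P by double-and-add (not constant-time; demo only)."""
    R = O
    while k:
        if k & 1:
            R = add(R, P)
        P, k = add(P, P), k >> 1
    return R

def hash_to_scalar(P):
    """H_s(P): hash the compressed point to a scalar mod l.
    Simplified: Monero also multiplies the shared point by the cofactor 8 and appends
    the output index; sha3_256 is an assumption standing in for Keccak-256."""
    x, y = P
    enc = (y | ((x & 1) << 255)).to_bytes(32, "little")
    return int.from_bytes(hashlib.sha3_256(enc).digest(), "little") % l

def one_time_output(r, V, B):
    """Sender: publish R = r.G with the tx; destination key P = H_s(r.V).G + B."""
    return mul(r, G), add(mul(hash_to_scalar(mul(r, V)), G), B)

def scan_output(v, B, R, P):
    """Receiver with tracking key (v, B): recompute P' = H_s(v.R).G + B and compare.
    Needs only the view key, so a watch-only wallet can detect incoming funds."""
    return add(mul(hash_to_scalar(mul(v, R)), G), B) == P

def one_time_secret(v, b, R):
    """Spending needs the spend key b: x = H_s(v.R) + b satisfies x.G == P."""
    return (hash_to_scalar(mul(v, R)) + b) % l
```

Two payments to the same (V, B) with different r give unrelated P values, which is what makes the on-chain destination keys unlinkable to the published address.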
August 13, 2010
"Then you need to be able to sign a signature such that you can't tell that two signatures came from the same private key. I'm not sure if always signing a different blinded public key would already give you this property. If not, I think that's where group signatures come in. With group signatures, it is possible for something to be signed but not know who signed it."
You want to spend output O of amount X, and send it all to Bob.
Transaction size. This is not a major issue, but they are much larger than a Bitcoin transaction.
Limited use. Monero does not have the same level of adoption as Bitcoin. Although Monero has more volume than most coins similar in size, it is typically used as a tool to anonymize Bitcoin.
Why only the Ed25519 elliptic curve scheme? (Because we trust D.J. Bernstein? :-)
Development difficulty. Monero is harder to add things to than Bitcoin-based coins. For instance, many wallets added support for ZCash's non-anonymous coins very shortly after release. Edit: no hardware wallet supports Monero yet.
Limited merchant tools. To accept Monero currently, a merchant still has to do a bit of work. Projects like PayBee are trying to mitigate this, but the project has not seen much public development in the past year.
Geographic limitations. No, Monero use is not limited to certain geographical areas. But certain areas have not seen significant adoption of Monero. These regions include South America, Africa, and Asia. Additional translations and resources are needed to help increase use in these regions.
Still regular hard forks (because of heavy development)
(you can still ask at http://monero.stackexchange.com/)