What is Monero (XMR)? How Does It Protect You from Transaction Surveillance?
1. What is Monero?
Monero is actively recommended to those seeking financial privacy, since payments and account balances remain entirely hidden, which is not the norm for most cryptocurrencies.
2. Why Monero? (as explained by getmonero.org)
Monero uses cryptography to shield sending and receiving addresses, as well as transacted amounts.
Monero transactions are confidential and untraceable. Every Monero transaction, by default, obfuscates sending and receiving addresses as well as transacted amounts. This always-on privacy means that every Monero user's activity enhances the privacy of all other users, unlike selectively transparent cryptocurrencies (e.g. Z-Cash).
Monero is fungible. By virtue of obfuscation, Monero cannot become tainted through participation in previous transactions. This means Monero will always be accepted without the risk of censorship.
Dandelion++ allows transactions to be propagated without the origin being certain. This will obfuscate a transactor's IP address and provide further protection against network monitoring.
Monero is a grassroots community attracting the world's best cryptocurrency researchers and engineering talent. Over 420 developers have contributed to the Monero project, including 30 core developers. Forums and chat channels are welcoming and active.
Monero's Research Lab, Core Development Team and Community Developers are constantly pushing the frontier of what is possible with cryptocurrency privacy and security.
Monero is electronic cash that allows fast, inexpensive payments to and from anywhere in the world. There are no multi-day holding periods and no risk of fraudulent chargebacks. It is safe from ‘capital controls’ - these are measures that restrict the flow of traditional currencies, sometimes to an extreme degree, in countries experiencing economic instability.
Privacy as priority
As a cryptocurrency, Monero might seem very boring to the naked eye. It doesn’t have a big claim to fame such as being a ‘world computer’ or ‘revolutionizing xyz industry’. It’s just trying to be a private, digital, fungible money, and every upgrade and new technology just furthers this end.
Those who deem this goal too narrow or uninteresting generally don’t understand how difficult it is to achieve meaningful privacy, especially on a permanent, open ledger like a blockchain. Any avenue for metadata leakage is a potential source of privacy erosion.
Monero takes precautions to obfuscate on-chain data, such as the receiver, sender, and amounts, via stealth addresses, ring signatures, and Pedersen commitments respectively. This minimizes the chance that a casual observer can deduce critical info after transactions have already been sent and are now just a part of recorded history. There are, however, some attacks that can be carried out only at the moment a transaction occurs and cannot be performed any time later.
Attack to reveal IP address
The good news is that if this information is not gleaned the moment the transaction is made, then it cannot be learned at a later date, since IP addresses are not stored on the blockchain. It is also comforting to know that such an attack is unlikely to be seen in the wild, as, in order to pull it off, the attacker would need a large majority of nodes on the network. If a person were able to command this large majority, however, they would be able to identify the “direction” a transaction came from.
This may be confusing, so we’ll explain some background info here. Each node connects to other nodes on the network, so that they can keep their blockchain up to date, as well as share what they know with others. These connections allow them to learn about new transactions, propagate them, and send their own. Since a node can only tell their peers about transactions they know about, it stands to reason that the very first node that propagates a transaction is the node that is actually sending Monero.
If an attacker owns a large majority of nodes on the network, each node will hear about a transaction from one of their peers, and based on the timing in which each node receives this information, they can deduce likely candidates for where the transaction started.
If this is still confusing, we offer this example. Suppose we both have a mutual friend that is hiding from our vision. This friend calls out loudly. I hear his call first, and I hear it louder than you do. From this information, we can know that I am likely closer to our friend than you are. The fact that you hear the sound later (even by just a split second) and the sound is fainter means that we should start our search around my area, not yours.
If an attacker is able to successfully guess which of their peers sent the transaction, they can be certain of the IP address that sent it, since that peer is connected directly to their node and forwarded the transaction to them. This is powerful information, as IP addresses contain information about the country and internet service provider (ISP) of the user, and the ISP itself knows which user is linked to which exact IP address, effectively deanonymizing the Monero user.
The mitigation(s)
The solution is Dandelion++ (DPP), which is an upgraded protocol based on the original Dandelion proposal for Bitcoin. In this protocol there are two phases, the stem phase and the fluff phase; together they are meant to resemble the shape of a dandelion.
In the stem phase, every few minutes, the sending node randomly chooses two peers out of all of the nodes it’s connected to. When the sending node sends a transaction, either on behalf of itself or just forwarding the transaction from another node in the stem phase, it randomly chooses one of these two selected peers and sends the transaction to it.
The fluff phase is when a node receives a transaction and broadcasts it to every outgoing connection, rather than just to one randomly chosen peer; this allows true transaction propagation. Every few minutes a node randomly defines itself as one that will propagate either via stem or via fluff, so a stem phase can be quite long if each connecting node has defined itself as a stem node, but once the transaction hits the fluff phase, it stays there.
This means that an attacker will no longer be able to simply listen for the direction of a transaction, because before it was propagated to everyone it underwent the stem phase: the node that begins the fluff phase is not the node the transaction originated from, and it is unknown how many hops along the stem the transaction underwent.
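The timing attack described above and the effect of the stem phase on it, as an added simulation that is not part of the original article or of the Monero codebase. It assumes a constructed 60-node topology, protocol-following spy nodes that only log when and from whom they first hear a transaction, a simplified stem rule (one random peer per hop instead of one of two pre-selected peers), and the "first spy blames its sender" estimator the article sketches; `make_network`, `flood`, `dandelion`, `first_spy_guess`, `random_stem` and `attack_accuracy` are all hypothetical names.

```python
import random

def make_network(n, k=7):
    """Constructed topology: node i links to i±1 (a ring) and i±k (chords), so every node has degree 4."""
    return {i: {(i - 1) % n, (i + 1) % n, (i - k) % n, (i + k) % n} for i in range(n)}

def flood(start, peers, spies, clock=0, heard=()):
    """Fluff phase: BFS broadcast, one hop per tick; each spy logs (time, sender) for its first copy."""
    heard, log, queue = set(heard) | {start}, [], [(start, clock)]
    for node, t in queue:  # appending to `queue` while iterating extends the BFS
        for nxt in sorted(peers[node] - heard):
            heard.add(nxt)
            if nxt in spies:
                log.append((t + 1, node))
            queue.append((nxt, t + 1))
    return log

def dandelion(origin, peers, spies, stem_path):
    """Stem hops along stem_path, then fluff from the last relay; a spy relay logs its predecessor."""
    log, prev = [], origin
    for t, relay in enumerate(stem_path, start=1):
        if relay in spies:
            log.append((t, prev))
        prev = relay
    # nodes that already hold the tx (origin and stem relays) do not rebroadcast in fluff
    return log + flood(prev, peers, spies, len(stem_path), {origin, *stem_path})

def first_spy_guess(log):
    """Attacker heuristic from the article: the spy that heard first blames the peer it heard it from."""
    return min(log)[1] if log else None

def random_stem(origin, peers, rng, p_stem=0.9):
    """Origin always makes one stem hop; each relay then stays in stem mode with probability p_stem."""
    path, node = [], origin
    while True:
        node = rng.choice(sorted(peers[node]))
        path.append(node)
        if rng.random() >= p_stem:
            return path

def attack_accuracy(n_nodes=60, spy_fraction=0.3, trials=300, seed=7):
    """Share of transactions whose honest origin the first-spy estimator names correctly."""
    rng, peers = random.Random(seed), make_network(n_nodes)
    spies = set(rng.sample(range(n_nodes), int(n_nodes * spy_fraction)))
    hits = {"flood": 0, "dandelion": 0}
    for _ in range(trials):
        origin = rng.choice([v for v in range(n_nodes) if v not in spies])
        hits["flood"] += first_spy_guess(flood(origin, peers, spies)) == origin
        stem = random_stem(origin, peers, rng)
        hits["dandelion"] += first_spy_guess(dandelion(origin, peers, spies, stem)) == origin
    return {k: v / trials for k, v in hits.items()}
```

With plain flooding the estimator succeeds whenever the origin has a spy among its direct peers, whereas with the stem phase it mostly ends up blaming the relay that started the fluff; the residual case it still wins is a spy sitting directly on the first stem hop, which is why the article pairs DPP with an overlay network.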
Of course, combining DPP with an overlay network will give even stronger guarantees of privacy and protection against IP tracing. It should also be noted that DPP does not defend against another form of network tracing attack that can be carried out by ISPs, but this is beyond the scope of this article.
Dandelion++ is set to go live on the Monero network, and be used by default on the reference client, in the 0.16 release. This small change will further mitigate the attacks possible on the Monero network, and exemplifies why Monero leads the pack in practical, applied privacy technologies.
Ring Signatures
Monero is known far and wide across the crypto space as being the king of privacy coins. While everyone knows Monero offers good privacy, not as many understand just how the privacy operates.
Many other privacy coins publish comparison-chart infographics listing the name of each coin’s privacy technology, and most of them label Monero’s tech as RingCT, but this is only partially true. Monero actually has a three-pronged approach to privacy: one technology to hide the receiver of a transaction, one to hide the amount sent, and one to hide the output used. These are stealth addresses, RingCT, and ring signatures respectively.
This three-pronged approach means that if one of the technologies is broken, the others do not necessarily share the same fate. Ring signatures are the weakest link in the privacy scheme; the word weak here meaning the most susceptible to heuristic attacks. Let’s take some time to explore them, shall we?
As mentioned above, the goal of ring signatures is to obscure the output used in a transaction. If the 'input/output' terminology of cryptocurrency is confusing to you, don’t worry. It’s actually not that complicated. When you hear 'output', just think of a check: one of those things, not quite so common anymore, that people use to pay with. Like a check, it can be denominated in any amount ($10, $32.50, etc.) and is exchanged between transacting parties. For cryptocurrencies, outputs serve these functions.
When someone pays you 10 Monero, you receive a 10 XMR output. This output has a value (10), and is what is taken from the sender’s wallet, in the same way when you pay for a service, a bill leaves your physical wallet and is given to the person you are purchasing from.
The way the output is hidden is by constructing a ring (hence the name) of decoy outputs. But these decoys are not 'fake' outputs. They are real past outputs from the blockchain that have nothing to do with the present transaction, but to an outside observer each of these outputs looks just as plausible as the real one. The size of the set of decoy outputs plus the real one is called the ringsize, and currently Monero’s is eleven. So there are ten decoy outputs and one real one.
Why don’t we just increase this number to 100 or even 1000? The more the better, right? Well, from a privacy perspective, yes, but there are other things to consider. Let’s go back to a physical example to see what I mean. If you wanted to hide one of your dollar bills among ten decoys, you would need to carry around eleven dollars in your wallet for each dollar you wanted to spend. One real dollar, and ten fake ones. This already gets pretty cumbersome if you want to spend even a few dollars. Now imagine we increased the decoy amount to 1000. For every one dollar you wanted to spend, you would need to carry around 1001 dollars. You’d need to carry around a briefcase just to buy one candy bar! It's important to note that ring signatures don't work quite this way, for example, the decoys themselves are not a part of the signature, only references to them, but we hope this analogy can be somewhat helpful in picturing the basic concepts.
The decoys on the blockchain work similarly. Each added decoy increases the size and verification cost of the transaction. Every node has to download the entire ring signature for each transaction, and each ring signature references the real output as well as the decoys. Not only that, but it has to verify the math proving that at least one of these outputs is real, and the verification time also increases with each decoy. This means we have to find a happy middle ground, where the ringsize is large enough to adequately obscure the real output, even against many heuristic attacks, but small enough so as not to cause the blockchain to grow at a massive rate. It’s not enough to pick an arbitrary number, or to just increase the ringsize whenever we make the signature smaller (such as with CLSAG). The Monero community wants concrete, mathematical evidence on which ringsize offers the best trade-offs. A number too small, and the privacy will not be strong enough against heuristic attacks. Too large, and we may be getting only marginal benefit on the privacy side while needlessly suffering with regard to scaling.
One last thing to mention. Some Monero literature simplifies and says that ring signatures hide the sender, but this is not entirely true, and the difference is not just pedantic. The difference between the sender (a human) and an output (a bill) is a big one when it comes to preserving privacy. While an output may have ties to a sender, an output itself does not equal a sender. So even if a ring signature were to be broken, it would not necessarily link to a person’s identity, and both the amount and the receiver would still be hidden, minimizing the damage done to the privacy of all parties.
That’s not to say that a broken ring signature is insignificant. Any leaked metadata is bad, and does have the potential to reveal more information than we think, especially when combined with other metadata. So we do our best to ensure that the ringsize chosen has academic rigor behind the decision, that other metadata leakage is minimized, and that the user experience defaults to the best possible actions.
But if the probability of a broken signature is still worrying to you, well, there is some incredible news on the horizon. The next generation of privacy protocols being worked on, such as Triptych, Arcturus, and Lelantus, have really neat capabilities. In these protocols the signature size scales logarithmically, not linearly, as ringsize increases. This means that we can fit 100 decoys while the space used is closer to that of ringsize 10 in the old tech. That’s quite the difference, and it will significantly improve privacy all around.
In the cat and mouse game that is privacy, Monero continuously innovates to stay ahead of the curve and ensure the best practical privacy for all.