Research Lab

This technical note describes an algorithm used to prove knowledge of the same discrete logarithm across different groups. The scheme expresses the common value as a scalar representation of bits, and uses a set of ring signatures to prove each bit is valid.

We present threshold ring multi-signatures (thring signatures) for collaborative computation of ring signatures, present a game of existential forgery, and discuss uses in digital currencies including spender-ambiguous cross-chain atomic swaps for confidential amounts.

This bulletin describes a modification to Monero's linkable ring signature scheme that permits dual-key outputs as ring members. Key images are tied to both output one-time public keys, preventing both keys from being spent separately.

This technical note generalizes the concept of spent outputs using basic set theory. The definition captures a variety of earlier work on identifying such outputs. We quantify the effects of this analysis on the Monero blockchain.

We document a new address scheme that allows a user to maintain a single master wallet address and generate an arbitrary number of unlinkable subaddresses. Each transaction needs to be scanned only once to determine if it is destined for any of the user's subaddresses.

This article introduces a method of hiding transaction amounts in Monero. A new type of ring signature, A Multi-layered Linkable Spontaneous Anonymous Group signature, is described which allows for hidden amounts, origins and destinations with reasonable efficiency.

We identify several blockchain analysis attacks available to degrade untraceability of CryptoNote 2.0. We analyze solutions, discuss merits and drawbacks, and recommend improvements including protocol-level minimum mix-in policies.

The purpose of this note is to clear up misconceptions and remove mystery surrounding Monero Ring Signatures. We compare the mathematics in CryptoNote ring signatures to the original paper on which it is based.

This research bulletin describes deficiencies in the CryptoNote reference code allowing for an attack on 4 September 2014, describes the solution, and elaborates upon what the offending block did to the network.

This research bulletin describes a plausible attack on ring-signature based anonymity systems. It demonstrates that untraceability can be dependent upon all keys used in composing a ring signature, allowing for chain reactions in traceability.

This paper has been retracted, but it's possible to view it clicking on 'All versions of this report'.

We extend Triptych to build Arcturus, a proving system that proves knowledge of openings of multiple commitments to zero within a single set, correct construction of a verifiable random function, and value balance across a separate list of commitments within a single proof.

We introduce Triptych, a family of linkable ring signatures without trusted setup based on generalizations of zero-knowledge proofs of knowledge of commitment openings to zero. Signatures are logarithmic in the anonymity set size and can be efficiently verified in batches.

We demonstrate that a version of non-slanderability is a natural definition of unforgeability for linkable ring signatures. We present a linkable ring signature construction with concise signatures and multi-dimensional keys.

We introduce a general, low-cost, low-power statistical test for transactions in transaction protocols with small anonymity set authentication (TPSASAs), such as Monero. The test classifies transactions as ad hoc or self-churned. We extend these tests to exploit prior information about user behavior and discuss test parameterization.

Unpublished

Monero uses a unique hash function that transforms scalars into elliptic curve points. This document translates its code implementation into mathematical expressions.

Nicolas van Saberhagen's 2013 whitepaper introducing the CryptoNote protocol — the cryptographic foundation Monero is built on, defining one-time keys, ring signatures, and untraceable transactions.

An annotated edition of the CryptoNote whitepaper produced by the Monero Research Lab, with marginal notes and corrections clarifying the original document's notation and cryptographic claims.

Brandon Goodell's formal review of the CryptoNote whitepaper, examining its cryptographic claims and identifying open questions for further research.