Bitcoin is not private. Due to its transparent ledger and modern blockchain analysis techniques, tracing transactions on its network is relatively simple. Transactions and wallet addresses can be tied to real-world identities because of Know Your Customer (KYC) laws. It is currently completely impractical to use Bitcoin anonymously.
Monero and its relevance to CTI
Monero, formerly BitMonero, was originally created as a derivative of the proof-of-concept cryptocurrency CryptoNote. A White Paper detailed a theoretical cryptocurrency that could transact anonymously through the use of one-time addresses and ring signatures. The aim was to create a cryptocurrency where every transaction on the blockchain is publicly verifiable, while providing sender and receiver anonymity and hiding transaction amounts. With this in mind, it should be clear why Monero is very relevant in the field of Cyber Threat Intelligence (CTI). In order to attempt to tackle something like Monero, it is vital to understand how it utilises several cutting-edge cryptographic techniques to achieve this anonymity.
Transparent blockchain analysis
The blockchains used in most popular cryptocurrencies, such as Bitcoin and Ethereum, are transparent, meaning that anyone can view transaction details and verify the transactions that have been made. Wallet addresses and the exact amount of currency transferred are both visible. Modern blockchain analysis techniques rely heavily on this transparency, and it is relatively simple to follow transaction “paths” to figure out exactly where funds are being sent, and exactly how much. This would not usually be a problem; however, most exchanges that currently trade cryptocurrencies against fiat currencies follow KYC laws, meaning every customer must provide government-issued identification and their address, and sometimes recent bank statements and banking information. Therefore, every transaction that passes through an exchange address can be linked to a person. This also means that it is possible to trace the point of origin of every coin. Going one step further, as wallets can be linked to individuals, or even organisations, a transaction could be tied to criminal activity, which can reduce the public’s willingness to interact and transact for fear of being associated with ‘dirty coin’.
Monero’s Opaque Blockchain
Blocks on Monero’s blockchain are variable in size and all contain a set of transactions. Each of these includes one or more recipient addresses, the values the recipients are being sent, and a ring signature. (Ring signatures will be clarified in a later section.) One-time recipient addresses are generated; the funds sent are obfuscated and the source of the funds could be any of the transaction outputs in the ring.
Monero uses two private/public key pairs, unlike Bitcoin’s single key pair. The address is made up of the two public keys, and the user holds the two corresponding private keys. One private key is the view key and the other is the spend key; they are used, respectively, to determine whether an output belongs to the address and to spend that output.
Stealth addresses (or sub-addresses) are aliases for a wallet address that can be generated from the main address or other corresponding stealth addresses. Funds sent to a stealth address belong to the owner of the wallet from which they are derived. One wallet can have a multitude of stealth addresses. As noted in the Zero to Monero White Paper, it is helpful to think of this like an online bank account. “It may have multiple balances corresponding to credit cards and deposits, but they are all accessible and spendable from the same point of view – the account holder”.
Linking stealth addresses to each other or the main address is computationally infeasible. However, off-chain analysis could allow the linking of receiving addresses if the user’s OPSEC is poor, as they may have reused a stealth address in both an incriminating and a deanonymising context, such as an individual broadcasting the same address on an illicit forum and on a social media profile.
Transaction value ranges
Monero transaction amounts are obfuscated, exposing only a very wide range of values within which the real amount falls. Output amounts are stored as Pedersen commitments, which have the property of being additively homomorphic (C(a + b) = C(a) + C(b), where C is the commitment function and a and b are transaction values). This is useful because it makes it possible to verify that an input is equal to an output without knowing the specific value of either. However, this alone would not provide information-theoretic privacy. A mask and a second generator are added, redefining the function C(a) as C(a, x), where x is the mask; this prevents observers from simply guessing a. The new commitment function is truly hiding, because there are many (a, x) combinations that produce the same commitment; if x is truly random, there is no way for an observer to recover a. Chapter 5 of the Zero To Monero White Paper covers this in more detail.
In transparent blockchain analysis, by following transaction volumes through wallets, or even mixers to an extent, an observer can infer the purpose of these transactions. By obfuscating the transaction amounts, it is not possible to link transactions by following their volumes, excluding this analysis technique for Monero.
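As an added illustration (not code from the original post or from the Monero project), the following Python sketches the commitment scheme described above: C(a, x) = xG + aH with a random mask x, the additive homomorphism, and the balance check a node can perform on commitments alone. It uses secp256k1 for brevity where Monero uses Ed25519; the seed used to derive H and all amounts and masks are constructed values.

```python
import hashlib, secrets
from functools import reduce
# secp256k1 parameters (example choice here; Monero itself uses Ed25519).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(p1, p2):
    """Affine point addition; None stands for the point at infinity."""
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2: lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1: acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def hash_to_point(seed):
    """Second generator H with no known log w.r.t. G: hash to x, step until on curve."""
    x = int.from_bytes(hashlib.sha256(seed).digest(), "big") % P
    while True:
        rhs = (x**3 + 7) % P
        y = pow(rhs, (P + 1) // 4, P)       # P = 3 mod 4, so this is a square root
        if y * y % P == rhs: return (x, y)
        x = (x + 1) % P
H = hash_to_point(b"pedersen-second-generator")   # constructed seed

def commit(amount, mask):
    """C(a, x) = xG + aH: the amount a is hidden as long as the mask x is random."""
    return add(mul(mask % N, G), mul(amount % N, H))

def build_outputs(inputs, out_amounts):
    """Sender: random masks for all outputs but the last, whose mask makes the
    output masks sum to the input masks, so the commitments balance as well."""
    masks = [secrets.randbelow(N) for _ in out_amounts[:-1]]
    masks.append((sum(x for _, x in inputs) - sum(masks)) % N)
    return list(zip(out_amounts, masks))

def balances(in_commits, out_commits):
    """Node: sum(C_in) == sum(C_out) proves the amounts balance without revealing them."""
    return reduce(add, in_commits, None) == reduce(add, out_commits, None)
```

The node side never sees amounts or masks, only the commitment points, which is what lets transaction volumes stay hidden while remaining verifiable.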
Ring signatures are used to sign transactions in a way that obfuscates their origin. This works by using a one-time key generated from an account’s public key, together with a number of public keys from past transactions on the blockchain, to co-sign a transaction. A transaction signed with a ring signature is endorsed by a member of the ring, but the specific member who signed it is not discernible to an external observer. The public keys pulled from past transactions are randomly selected using a triangular distribution and are known as “decoys”. This can be thought of as signing a cheque from a joint bank account. As a result, no observer is able to discern who owns a transaction within the ring; however, the transaction is verifiably owned by one of the ring’s members.
The size of the ring signature refers to the total number of public keys within the ring. It used to be the case that a user could determine their own ring size, and 1 was a valid ring size. However, this was standardised to 11 as of release 0.13.0, and has since been increased to 16. This makes transactions appear more uniform. It is highly likely that this will increase again in the future.
The topic of double spending has been overlooked so far. If all inputs are equally likely to be the origin, then what prevents a user from spending the same input twice? This is handled using key images, which are unique keys derived from the output being spent. Only one key image can exist for each output on the blockchain, and its inclusion prevents that output from being spent again in the future. It is not possible to determine which key image corresponds to any given output. This means that only the true output is spent, but no outside observer can know which, and the decoy outputs remain unspent.
Monero usage in the real world
Despite all the obfuscation, there is actually a way to view a user’s income in their account. There is a catch though: the user must allow you to see this. Earlier, part of a user’s private key was referred to as a “view key”. If a user were to share their view key, it would be possible not only to verify that an address belongs to the corresponding user, but also to view the exact amount of Monero transferred into that wallet. Therefore, it is indeed possible for a business to trade in Monero and still be taxed on income. All a business would have to do is publicly announce that they own a receiving address, and reveal their view key to the revenue agency.
In addition, it is possible for users to attach a payment ID, in the form of a note, to transactions. This is obfuscated and visible only to the sender and receiver. For instance, the receiver could generate a one-time code to use as the payment ID, the sender would apply it to the transaction, and the receiver could then verify the payment by checking the payment ID to ensure the correct amount has been paid in full by the correct party.
It should be noted that outgoing transactions cannot be viewed through the view key alone, so this cannot determine an account’s balance, only its income.
As one could imagine, Monero’s core features make it very unpopular with a lot of governments. Many cryptocurrency exchanges have delisted Monero or never traded it to begin with due to regulatory issues or pressure from governments. For example, the Kraken exchange had to delist Monero in late 2021 to continue trading in the United Kingdom.
There is a solution to this issue, however. Atomic swaps are a trustless peer-to-peer method of trading cryptocurrencies across separate blockchains, for instance trading Bitcoin for Monero. As trading networks grow, it will become fairly simple to purchase your favourite cryptocurrency through any exchange and swap it for Monero.
Chapter 10 of Zero To Monero details the features Monero has in place for utilisation in an escrowed marketplace.
Human Error with Monero usage
Despite the high level of obfuscation that Monero provides, it is still technically possible to deanonymise an individual through certain off-chain analysis techniques, depending on the user’s own competence. For example, there is no obligation for a user to create multiple stealth addresses for different purposes; that is entirely down to the user. Let’s say Bob gives out his primary receiving address to his friends and family so they can send him Monero instead of traditional fiat gifts. Bob then also uses the same address on a hidden service marketplace that sells illegal goods as a means of receiving payment for his product. It doesn’t matter that Bob is using Monero, because all it takes is for one of his friends or family to identify that he does indeed own that address. This weakness lies in Bob’s OPSEC, not the technology.
Difficulty with tackling Monero
It has become something of a running joke in blockchain analysis that if Monero is thrown into the mix, you just “give up”, as you have already lost. No blockchain analysis tools support Monero, for obvious reasons. Some analysis techniques may reveal identifying information, but they largely depend on a person of interest’s poor OPSEC.
As the ledger is public, if any weaknesses are found in Monero’s implementation, it may become possible to deobfuscate historic transactions. Quantum computers, for example, may one day threaten the usefulness of the cryptographic techniques applied in Monero, and may allow analysts to deobfuscate parts of the blockchain or even the entire thing. This threatens the privacy of today’s users, but who knows how far into the future this lies (if ever).
Monero, in isolation, is a truly anonymous currency for both senders and receivers. It prevents outside observers from discerning any useful information about transactions from the blockchain, yet it is a publicly verifiable decentralised cryptocurrency. However, just like any tool, it must be used correctly to maintain privacy.
If anyone reading this blog wishes to learn more about how Monero uses specific technologies, the White Paper is the number one place. Zero To Monero: Second Edition is available at https://www.getmonero.org/library/Zero-to-Monero-2-0-0.pdf
For more information about Monero’s historic and current privacy limitations, we highly recommend the Breaking Monero video series.
Jake Keast and Aiden Gall