The CryptoNote protocol, the core element of the Monero cryptocurrency and of many other altcoins, is an open-source protocol focused on the anonymity of transactions recorded on the blockchain.
It has been used by dozens of cryptocurrencies, including Electroneum, Aeon, ByteCoin, Turtlecoin and many others. In particular, it has often been appreciated for its Proof of Work, which was immune to ASICs until last year.
The CryptoNote protocol implements different mechanisms to guarantee the privacy and therefore the anonymity of transactions and wallets.
The CryptoNote philosophy
The CryptoNote protocol was born in 2013 after years of development by a team of mathematicians and programmers. It’s a completely open-source technology that allows for the creation of egalitarian cryptocurrencies with completely anonymous blockchains.
The goal of the original development team was to offer the world a decentralised tool, completely anonymous, secure and egalitarian, therefore without discrimination of the entities that execute the Proof of Work.
Unlike the implementation of the blockchain of bitcoin and other cryptocurrencies, CryptoNote uses additional tools to achieve the aforementioned results.
Ring signature: untraceable payments
Current systems for verifying digital signatures require the use of the public key of the sender of the transaction. This condition is necessary to verify that the author is in possession of the corresponding unique private key.
The Ring signature verification mechanism, on the other hand, requires that all transactions be signed on behalf of the group to which the individuals belong. In this way, during the verification process it is practically impossible to trace back to the original creator, since all the signatures of the members of the group are indistinguishable from each other.
The recipient of the transaction will be the only one able to collect the transaction, using the private key and the mathematical concept of an image – which is public – associated with it.
So, if there is a ring signature that includes the public keys of Alice, Bob and Carol, the verification mechanism can only declare that one of them has signed the message, but is not able to specify who. This concept can be used to render digital transactions on a network untraceable. The public keys of the other members will then be used for verification, as one and only one of them will confirm the transaction, i.e. the recipient’s transaction.
This approach ensures that the creator of the transaction is able to send the amount specified in the transaction while keeping the identity indistinguishable from other users, whose public keys were used in the verification phase of the ring signature.
It is worth noting that foreign transactions do not restrict the user’s ability to spend their money.
The public key, in fact, can appear in dozens of different ring signatures to add redundancy, even if the user has already used the private key to confirm a transaction.
Moreover, if two users were to create a ring signature with the same set of public keys, the signatures would be different, unless they had the same private key, but it would be a paradox as it would mean that the user is actually only one.
A completely anonymous signature system would allow users to spend the same funds several times. This complication is not in line with the principles of digital payment systems. The problem, known as double-spending, can be solved in the following way.
A ring signature system is a type of encryption that has different functions. The one used in CryptoNote requires the use of a modified version of the traceable Ring signature.
In fact, traceability is transformed into linkability. This property restricts the anonymity of the user in the following way: if the identity creates more than one ring signature using the same private key (foreign public keys are irrelevant), they would be connected, thus stopping a double-spending attempt.
To introduce the concept of linkability, CryptoNote has introduced a particular indicator created by the user at first access. This indicator is, in mathematical terms, the image of the private key, obtained through a one-way cryptographic function (a classic hashing function).
The term “one-way” indicates that using only the image it is practically impossible to recover the original private key (irreversible function).
Another advantage is that it is practically impossible to have a collision between two keys sharing the same image. Using any mathematical function, with the exception of the specified one, will result in an unverifiable signature.
Considering all the above concepts, it is possible to conclude that the image of the key is a practically inviolable and unambiguous indicator of the private key.
All users are in possession of the list of images of the keys used and can immediately reject any new ring signature with a duplicate image. This will avoid any attempt at double-spending but will not allow the user to be identified when behaving inappropriately. As opposed to the list of all transactions, this mechanism requires much less storage space.
Single-use keys and untraceable transactions
Usually, when the key is published, anyone can check incoming transactions, even if hidden by a ring signature. To avoid this problem it is possible to create hundreds of keys to be sent privately to users, but this deprives the user of the possibility of having a single public address.
CryptoNote solves this problem by automatically creating different keys that can only be used once. They are generated for each payment on the peer-to-peer network using the public keys. This solution is nothing more than a new version of the Diffie-Hellman protocol.
The original version of the protocol allowed two parties to produce a common secret key from their respective public keys. In CryptoNote, the sender uses the recipient’s public key and some random data to generate a disposable key to be used for payment.
The sender can only generate the public part of the key, while the private part is computed by the recipient. Therefore, the recipient is the only one who can collect the funds after the transaction has actually been generated. All the recipient has to do is perform a short check of the transactions to see whether they are intended for him/her or not. However, this process involves the private key, which means that no external user can perform the verification and discover the link between the disposable key and the public address of the recipient.
The use of random data for address generation means that they are all different even though they have the same sender and recipient This is why they are defined as single-use.
Resistance to user tracking on the blockchain
Since the blockchain is a distributed ledger, there are tools for analysing transactions that make it possible to trace the identities of the authors. This characteristic of the bitcoin blockchain and other cryptocurrencies is due to the fact that not all users generate new addresses for each transaction.
CryptoNote, using the mechanisms explained above, is practically immune to this phenomenon as all addresses can only be used once.
Consequently, an analysis tool is unable to identify the sender and the recipient, as the output shows hundreds of possible paths. These paths can be grouped in a tree graph consisting of a multitude of branches and nodes that make it impossible to trace back to the entities.
It should be noted that over the years Monero has implemented continuous improvements to its protocol, improving the scalability, privacy and performance of the network.
Scheme of a CryptoNote transaction
Egalitarian Proof of Work
The Proof of Work mechanism adopted by CryptoNote is nothing more than an egalitarian voting system. Users vote for the correct order of transactions, to enable new features of the protocol or to get fair and honest remuneration.
For this reason, it is important that during this process all participants have the same right and ability to vote. The CryptoNote mechanism allows obtaining equality through a Proof of Work function, perfectly suited for ordinary PCs. It uses the instructions of modern CPUs, which are generally difficult and expensive to implement in ASICs or specific products with fast or low-latency memories.
The memory management algorithm for the egalitarian function takes advantage of random access to memory and emphasises latency dependence. As opposed to Scrypt, each new block (64 bytes long) depends on all the previous blocks. This means that any mechanisms to reduce memory use must exponentially increase the computational speed.
This algorithm requires about 2 MB of memory for each instance because of the following reasons:
It can be contained in the L3 caches of modern processors;
GPUs can run tens or hundreds of threads but will be limited by GDDR5/6 memory, which is significantly slower in random access than L3 CPU caches despite high bandwidth;
A significant expansion of the scratchpad would require an increase in interactions. This would involve an increase in the time required. Continuous and prolonged calls to the p2p network could, therefore, compromise the network and lead to some vulnerabilities, as the nodes are forced to perform a PoW check of each block. If a node spent a considerable amount of time on the hash of a block, it could easily be overwhelmed by a flooding mechanism of false blocks causing a DDoS.
One of the Proof of Work algorithms used for CryptoNote mining is CryptoNight, created by Bytecoin developers in collaboration with the CryptoNote team.
It is designed to ensure similar efficiency in both CPU and GPU mining. It was designed to be immune to ASICs, but last year giants such as Bitmain and Baikal announced the first devices capable of mining coins based on CryptoNight.
CryptoNote protocol sources and documentation are available on the official page.