Monero Presentation @ Bitcoin Meetup Geneva


[ An introduction to ]

Jérémie Dubois-Lacoste – Arne Brutschy

jeremie|[email protected]

Geneva


Who are we?

- Three guys with a PhD
- We help you build blockchain-based applications
- Specializations
  - cryptocurrencies down to the nuts and bolts
  - scalable algorithms and scalable systems
  - security and dev ops
- Experience: Several crypto apps deployed


Disclaimer

- We own bitcoins and moneros
- We’re geeks and computer scientists, not economists


Outline

Privacy, Fungibility, and Bitcoin

Monero’s Privacy Improvements

Summary

XMR.TO


Privacy, Fungibility, and Bitcoin

- Privacy in Bitcoin
- Fungibility?
- Fungibility in decentralized currencies


Financial Privacy

- Financial privacy is important for a payment system
- Anti-money laundering laws, taxation, etc. are possible even when the payment system ensures privacy


Privacy in Bitcoin

Bitcoin is not anonymous, it is pseudonymous. Pseudonymity is very fragile in daily life:

- Linking of transactions reduces privacy;
- Usage leaves traces everywhere on the Internet;
- Privacy-enhancing measures (tumblers/CoinJoin etc.) are costly.

As a result, the analysis of the Bitcoin blockchain can reveal identities.


Practical ways to analyse the blockchain

- Change addresses
- Correlation of transactions
- Addresses of public services (pools, exchanges, merchants, etc.)
- Leaked business records
- Scraping of web resources
- ...


Bitcoin blockchain analysis: a booming field

- Network-focused blockchain analysis has been a thriving research field for a few years already.
- Today, an increasing number of high-level analysis tools are available:
  - https://bitiodine.net/
  - http://coinalytics.co/
  - http://www.quantabytes.com/
  - ...
- The permanent nature of the blockchain ensures that privacy only ever decreases!


What is fungibility?

Formal definition: Fungibility is the property of a good or a commodity whose individual units are capable of mutual substitution. That is, it is the property of essences or goods which are “capable of being substituted in place of one another.”

TL;DR: Fungibility means that units are interchangeable.


Why do we care?

Fungibility is a fundamental property of currencies.

- In centralized currencies, fungibility is guaranteed by the government.
- ... and in decentralized currencies?


The formal description of Bitcoin:

An information exchange protocol that allows the transfer of units of account. These units behave like the money we are used to, having these properties:

- Durability
- Portability
- Divisibility
- Relatively rare
- Fungibility


Is Bitcoin really fungible?

- Social pressure not to accept tainted coins (theft/fraud...)
- If privacy can be broken, fungibility is voluntary.

The lack of privacy in Bitcoin threatens its fungibility.

Services that track taint render bitcoins non-fungible, e.g.:

- http://www.coinvalidation.com/
- http://coinalytics.co/
- https://chainalysis.com/


What can we learn from Bitcoin?

- Voluntary fungibility does not work.
- Fungibility in cryptocurrencies requires privacy.
- People are becoming more aware of the fungibility issue in Bitcoin.
- Many approaches to fix this exist nowadays.


Monero’s Privacy Improvements

- Unlinkability and Untraceability
- Stealth Addresses
- Ring Signatures
- Viewkeys


Simple analogy

- Unlinkability: I don’t know who are the children of X
- Untraceability: I don’t know who are the parents of X


Monero’s approach

- Unlinkability: I don’t know who are the children of X
  → Monero uses stealth addresses
- Untraceability: I don’t know who are the parents of X
  → Monero uses ring signatures


Stealth addresses (1)

- The “destination” for each output is derived from the Monero address; it is different every time
- Only the owner of the Monero address knows that an output is for him


Stealth addresses (2)

Now Charlie can give his Monero address to everybody:

- Each output sent to Charlie will look to observers as having different destinations
- Nobody can tell these outputs are going to Charlie
- Nobody can even tell these outputs are going to the same person


Stealth addresses (3)

Side remark:

- Stealth addresses have been discussed and proposed for Bitcoin too.
- Feasible but not very practical: requires exchange of information beforehand (either with a secure channel or an elaborate use of OP_RETURN).


A ring signature

- A group of cryptographic signatures with at least one real participant, but no way to tell which in the group is the real one as they all appear valid.


Real world analogy

“Say some unpopular military attack has to be ordered, but nobody wants to go down in history as the one who ordered it. If 10 leaders have private keys, one of them could sign the order and you wouldn’t know who did it.”

- Can you find the author of this quote?


Brilliant idea: apply it to cryptocurrencies!

“Crypto may offer a way to do "key blinding". I did some research and it was obscure, but there may be something there. "group signatures" may be related.”

- And now, can you find the author of the quotes?


Foreseen in 2010 by... Satoshi Nakamoto!

Satoshi on ring signatures, 13/08/2010:

Source: https://bitcointalk.org/index.php?topic=770#msg9074


Ring signatures to achieve untraceability?

You want to spend output O of amount X, and send it all to Bob.

- In Bitcoin:
  - You construct a transaction saying “I use output O, and create a new output going to Bob’s address”
  - You sign this transaction with the private key of the address that received the output O
- In Monero:
  - You find some outputs in the blockchain with the same amount X as your output O
  - You construct a transaction saying “I use one of these outputs, and create a new output going to <stealth destination>”
  - You sign this transaction using a ring signature


Usual Bitcoin signature


Monero equivalent


Ring signatures achieve untraceability

- You are not only “mixing” your output when actually spending it: everybody is constantly using other people’s outputs in ring signatures, and they will use yours too
- No need for people controlling the other outputs in the ring signature to be online or active
- Combinatorial explosion kicks in very quickly and renders forensic analysis of the blockchain impractical


Ok, ring signatures are cool! But...

- Output spent using ring signature is not “spent for sure”: how to prevent double-spend?
- Signatures are deterministic, so spending the same output twice can be detected easily
- To spend my output of amount X using a ring signature, I must find other outputs with the same amount X! Isn’t it difficult?
- Outputs are automatically broken down into common denominations. For instance, sending 11.5 XMR actually creates an output of 10, plus another one of 1, plus another one of 0.5. Thus, always plenty of outputs with proper amount. And all of them use their own ring sig!
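
Added example (not from the slides): a toy ring signature in the style of the CryptoNote design Monero builds on, where the deterministic part that exposes a double-spend is the key image. The group (integers modulo 2^127 - 1), the function names and the sample keys are assumptions made for illustration; Monero itself uses the Ed25519 curve.

```python
import hashlib
import secrets

# Toy group (assumption): integers modulo the Mersenne prime 2^127 - 1.
# It keeps the algebra of the scheme but is not secure; Monero uses Ed25519.
P_MOD = 2**127 - 1
ORDER = P_MOD - 1              # exponents are reduced modulo the group order
G = 3

def H(*parts):
    data = b"|".join(str(p).encode() for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def hash_to_group(pub):
    return H("Hp", pub) % (P_MOD - 1) + 1

def keygen():
    x = secrets.randbelow(ORDER - 1) + 1
    return x, pow(G, x, P_MOD)

def commitments(ring, image, c, r):
    """Recompute the two commitment lists from challenges c and responses r."""
    L = [pow(G, r[i], P_MOD) * pow(P, c[i], P_MOD) % P_MOD
         for i, P in enumerate(ring)]
    R = [pow(hash_to_group(P), r[i], P_MOD) * pow(image, c[i], P_MOD) % P_MOD
         for i, P in enumerate(ring)]
    return L, R

def ring_sign(msg, ring, s, x):
    """Sign msg with private key x of ring[s]; position s is not revealed."""
    image = pow(hash_to_group(ring[s]), x, P_MOD)  # identical for every spend of x
    c = [secrets.randbelow(ORDER) for _ in ring]
    r = [secrets.randbelow(ORDER) for _ in ring]
    c[s] = 0                   # slot s starts as a plain commitment G^q, Hp^q
    L, R = commitments(ring, image, c, r)
    c[s] = (H(msg, L, R) - sum(c)) % ORDER         # close the ring
    r[s] = (r[s] - c[s] * x) % ORDER
    return image, c, r

def ring_verify(msg, ring, sig):
    image, c, r = sig
    L, R = commitments(ring, image, c, r)
    return sum(c) % ORDER == H(msg, L, R) % ORDER

def accept_spend(spent_images, msg, ring, sig):
    """Node-side check: valid signature and a key image never seen before."""
    if not ring_verify(msg, ring, sig) or sig[0] in spent_images:
        return False
    spent_images.add(sig[0])
    return True

if __name__ == "__main__":
    keys = [keygen() for _ in range(4)]            # constructed sample keys
    ring = [pub for _, pub in keys]
    spent = set()
    first = ring_sign("tx-1", ring, 2, keys[2][0])
    again = ring_sign("tx-2", ring, 2, keys[2][0])
    print(accept_spend(spent, "tx-1", ring, first))   # accepted
    print(accept_spend(spent, "tx-2", ring, again))   # rejected: same key image
```

The verifier treats every ring member identically, so nothing in the signature points at the real signer, yet a second spend of the same key is refused whichever decoys it is mixed with.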


Summary of privacy aspects

- Monero hides destination of transactions
- Monero hides origin of transactions
- Monero hides precise amount being transferred
- There is no “rich list”: nobody can see the amount associated with each address


Ok, privacy is cool. But?...

- Having a fully-private decentralized ledger is useful, but also problematic
- No way to comply in many tax jurisdictions
- No way to prove a transaction was made in case of dispute
- No way to be transparent about donations for a non-profit
- No way to prove certain holdings to ask for loans, etc.


Viewkeys

A clever cryptographic mechanism, the “viewkey”. For each address, you have:

- A spend key (≈ Bitcoin private key)
- Plus a viewkey
- Give viewkey to somebody: they can see which outputs you control (= what you received, and your balance).

The viewkey mechanism also exists for a single transaction only.
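
Added example (not from the slides) covering both the stealth-address slides and the viewkey slide: a sender derives a fresh one-time destination from a public address, a viewkey holder recognises the outputs, and only the spend key yields the key that can spend them. It follows the CryptoNote derivation in a toy group (integers modulo 2^127 - 1, an assumption; Monero uses Ed25519), and all function names and sample wallets are hypothetical.

```python
import hashlib
import secrets

# Toy group (assumption): integers modulo the Mersenne prime 2^127 - 1.
# Monero uses the Ed25519 curve; only the algebra is the same here.
P_MOD = 2**127 - 1
ORDER = P_MOD - 1              # exponents are reduced modulo the group order
G = 3

def hash_to_scalar(*parts):
    data = b"|".join(str(p).encode() for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % ORDER

def keygen():
    """Return (private key, public key)."""
    x = secrets.randbelow(ORDER - 1) + 1
    return x, pow(G, x, P_MOD)

def new_wallet():
    """View key pair (a, A) and spend key pair (b, B); the address is (A, B)."""
    a, A = keygen()
    b, B = keygen()
    return {"view_priv": a, "spend_priv": b, "address": (A, B)}

def send_output(address, index=0):
    """Sender side: derive a fresh one-time destination for this output."""
    A, B = address
    r, R = keygen()                               # R is published with the tx
    h = hash_to_scalar(pow(A, r, P_MOD), index)   # secret shared with the viewkey
    return {"R": R, "index": index, "dest": pow(G, h, P_MOD) * B % P_MOD}

def viewkey_scan(outputs, view_priv, B):
    """Viewkey holder: list the outputs that belong to the address."""
    mine = []
    for out in outputs:
        h = hash_to_scalar(pow(out["R"], view_priv, P_MOD), out["index"])
        if pow(G, h, P_MOD) * B % P_MOD == out["dest"]:
            mine.append(out)
    return mine

def one_time_private_key(out, view_priv, spend_priv):
    """Spending additionally needs the private spend key."""
    h = hash_to_scalar(pow(out["R"], view_priv, P_MOD), out["index"])
    return (h + spend_priv) % ORDER

if __name__ == "__main__":
    charlie, dana = new_wallet(), new_wallet()    # constructed sample wallets
    chain = [send_output(charlie["address"]), send_output(dana["address"]),
             send_output(charlie["address"])]
    found = viewkey_scan(chain, charlie["view_priv"], charlie["address"][1])
    print(len(found), "of", len(chain), "outputs belong to Charlie")
    print("destinations differ:", chain[0]["dest"] != chain[2]["dest"])
```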


Viewkey: transparency or privacy, user’s choice!

- With optional, voluntary use of viewkeys, Monero’s transparency becomes close to Bitcoin’s
- Monero provides high privacy by default whilst still providing opt-in full transparency when desired
- It does all of this at the (very elegant) cryptographic layer


Summary


More Cool Tech Stuff

Example: Monero has an adaptive block size.

- Bitcoin: the maximum block size is hardcoded (Ever heard of 1MB vs. 20MB debate?...)
- Monero adapts the maximum block size with a simple rule (very similar to mining difficulty adjustments). The idea is that the size is determined by a free-market mechanism.


Monero: a great future?

- Demand for more fungible/private cryptocurrencies
  - Bitcoin is a decentralized fully transparent public ledger
  - We now have a technology for a decentralized private-by-default/transparent-on-demand public ledger
- Monero is the best contender currently for that role

- Electronic cash is easy. Facebook could do it.
- Private electronic cash is harder, but Chaum figured out how to do it in the early 90s.
- Decentralized electronic cash is even harder. That’s Bitcoin.
- Decentralized private electronic cash is even harder. That’s the next step.

– pdtmeiwn on /r/bitcoin


Resources

- Online: http://getmonero.org
- In real life, upcoming Monero meetups in Europe:
  - Brussels – 19th of May
  - Paris – 21st of May
  - Amsterdam – 23rd of May
  - Berlin – 24th of May

XMR.TO

Motivation

Main problem of Monero

- Theory, usage practices and software are quite different from Bitcoin
- Few merchants support Monero
- Few Monero-specific services exist
- Getting started is difficult


Our goal

- Make Monero usable in many places
- Low barrier of entry
- Maintain primary advantage of Monero (privacy)
