Monero Presentation @ Bitcoin Meetup Geneva
arnuschky
Transcript of Monero Presentation @ Bitcoin Meetup Geneva
An Introduction to Monero
Intro
Who are we?
- Three guys with a PhD
- We help you build blockchain-based applications
- Specializations
  - cryptocurrencies down to the nuts and bolts
  - scalable algorithms and scalable systems
  - security and dev ops
- Experience: Several crypto apps deployed
Disclaimer
- We own bitcoins and moneros
- We’re geeks and computer scientists, not economists
Outline
Privacy, Fungibility, and Bitcoin
Monero’s Privacy Improvements
Summary
XMR.TO
Privacy, Fungibility, and Bitcoin
Financial Privacy
- Financial privacy is important for a payment system
- Anti-money laundering laws, taxation, etc. are possible even when the payment system ensures privacy
Privacy in Bitcoin
Bitcoin is not anonymous, it is pseudonymous. Pseudonymity is very fragile in daily life:
- Linking of transactions reduces privacy;
- Usage leaves traces everywhere on the Internet;
- Privacy-enhancing measures (tumblers/CoinJoin etc.) are costly.
As a result, the analysis of the Bitcoin blockchain can reveal identities.
Practical ways to analyse the blockchain
- Change addresses
- Correlation of transactions
- Addresses of public services (pools, exchanges, merchants, etc.)
- Leaked business records
- Scraping of web resources
- ...
Bitcoin blockchain analysis: a booming field
- Network-focused blockchain analysis has been a thriving research field for a few years already.
- Today, an increasing number of high-level analysis tools are available:
  - https://bitiodine.net/
  - http://coinalytics.co/
  - http://www.quantabytes.com/
  - ...
- The permanent nature of the blockchain ensures that privacy only ever decreases!
Fungibility?
What is fungibility?
Formal definition: Fungibility is the property of a good or a commodity whose individual units are capable of mutual substitution. That is, it is the property of essences or goods which are “capable of being substituted in place of one another.”
TL;DR: Fungibility means that units are interchangeable.
Why do we care?
Fungibility is a fundamental property of currencies.
- In centralized currencies, fungibility is guaranteed by the government.
- ... and in decentralized currencies?
Fungibility in decentralized currencies
The formal description of Bitcoin:
An information exchange protocol that allows the transfer of units of account. These units behave like the money we are used to, having these properties:
- Durability
- Portability
- Divisibility
- Relatively rare
- Fungibility
Is Bitcoin really fungible?
- Social pressure not to accept tainted coins (theft/fraud...)
- If privacy can be broken, fungibility is voluntary.
The lack of privacy in Bitcoin threatens its fungibility.
Services that track taint render bitcoins non-fungible, e.g.:
- http://www.coinvalidation.com/
- http://coinalytics.co/
- https://chainalysis.com/
What can we learn from Bitcoin?
- Voluntary fungibility does not work.
- Fungibility in cryptocurrencies requires privacy.
- People are becoming more aware of the fungibility issue in Bitcoin.
- Many approaches to fix this exist nowadays.
Monero’s Privacy Improvements
Unlinkability and Untraceability
Simple analogy
- Unlinkability: I don’t know who the children of X are
- Untraceability: I don’t know who the parents of X are
Monero’s approach
- Unlinkability: I don’t know who the children of X are
  → Monero uses stealth addresses
- Untraceability: I don’t know who the parents of X are
  → Monero uses ring signatures
Stealth Addresses
Stealth addresses (1)
- The “destination” for each output is derived from the Monero address; it is different every time
- Only the owner of the Monero address knows that an output is for him
Stealth addresses (2)
Now Charlie can give his Monero address to everybody:
- Each output sent to Charlie will look to observers as having different destinations
- Nobody can tell these outputs are going to Charlie
- Nobody can even tell these outputs are going to the same person
Stealth addresses (3)
Side remark:
- Stealth addresses have been discussed and proposed for Bitcoin too.
- Feasible but not very practical: requires exchange of information beforehand (either with a secure channel or an elaborate use of OP_RETURN).
Ring Signatures
A ring signature
- A group of cryptographic signatures with at least one real participant, but no way to tell which in the group is the real one as they all appear valid.
Real world analogy
“Say some unpopular military attack has to be ordered, but nobody wants to go down in history as the one who ordered it. If 10 leaders have private keys, one of them could sign the order and you wouldn’t know who did it.”
- Can you find the author of this quote?
Brilliant idea: apply it to cryptocurrencies!
“Crypto may offer a way to do "key blinding". I did some research and it was obscure, but there may be something there. "group signatures" may be related.”
- And now, can you find the author of the quotes?
Foreseen in 2010 by... Satoshi Nakamoto!
Satoshi on ring signatures, 13/08/2010:
Source: https://bitcointalk.org/index.php?topic=770#msg9074
Ring signatures to achieve untraceability?
You want to spend output O of amount X, and send it all to Bob.
- In Bitcoin:
  - You construct a transaction saying “I use output O, and create a new output going to Bob’s address”
  - You sign this transaction with the private key of the address that received the output O
- In Monero:
  - You find some outputs in the blockchain with the same amount X as your output O
  - You construct a transaction saying “I use one of these outputs, and create a new output going to <stealth destination>”
  - You sign this transaction using a ring signature
[Figure: Usual Bitcoin signature]
[Figure: Monero equivalent]
Ring signatures achieve untraceability
- You are not only “mixing” your output when actually spending it: everybody is constantly using other people’s outputs in ring signatures, and they will use yours too
- No need for people controlling the other outputs in the ring signature to be online or active
- Combinatorial explosion kicks in very quickly and renders forensic analysis of the blockchain impractical
Ok, ring signatures are cool! But...
- Output spent using ring signature is not “spent for sure”: how to prevent double-spend?
- Signatures are deterministic, so spending the same output twice can be detected easily
- To spend my output of amount X using a ring signature, I must find other outputs with the same amount X! Isn’t it difficult?
- Outputs are automatically broken down into common denominations. For instance, sending 11.5 XMR actually creates an output of 10, plus another one of 1, plus another one of 0.5. Thus, there are always plenty of outputs with the proper amount. And all of them use their own ring sig!
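An added example, not part of the original slides: a toy linkable ring signature showing the spending flow and the double-spend check described above. It uses an LSAG-style construction as a stand-in for Monero's actual scheme, works in a toy multiplicative group instead of Ed25519, and models the deterministic part as a key image; all function names are hypothetical.

```python
import hashlib
import secrets

# Toy group (assumption): multiplication modulo the prime 2**255 - 19.
# Monero uses the Ed25519 curve; this only illustrates the algebra.
P, G = 2**255 - 19, 2
ORDER = P - 1

def h(*parts) -> int:
    data = b"".join(x.to_bytes(32, "big") if isinstance(x, int) else x for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % ORDER

def hp(pub: int) -> int:
    return h(pub) + 1  # hash to a group element with no known log base G

def key_image(secret: int) -> int:
    """Deterministic tag of the spent key: same key, same image, any ring."""
    return pow(hp(pow(G, secret, P)), secret, P)

def challenge(msg, pub, image, c, s):
    left = pow(G, s, P) * pow(pub, c, P) % P
    right = pow(hp(pub), s, P) * pow(image, c, P) % P
    return h(msg, left, right)

def sign(msg: bytes, ring: list, index: int, secret: int):
    n, image = len(ring), key_image(secret)
    c, s = [0] * n, [secrets.randbelow(ORDER) for _ in range(n)]
    alpha = secrets.randbelow(ORDER)
    c[(index + 1) % n] = h(msg, pow(G, alpha, P), pow(hp(ring[index]), alpha, P))
    for k in range(1, n):  # walk the ring starting after the signer
        i = (index + k) % n
        c[(i + 1) % n] = challenge(msg, ring[i], image, c[i], s[i])
    s[index] = (alpha - c[index] * secret) % ORDER  # close the ring
    return image, c[0], s

def verify(msg: bytes, ring: list, sig) -> bool:
    image, c0, s = sig
    c = c0
    for pub, s_i in zip(ring, s):
        c = challenge(msg, pub, image, c, s_i)
    return len(s) == len(ring) and c == c0

def accept(spent: set, msg: bytes, ring: list, sig) -> bool:
    """Node side: valid signature and a key image never seen before."""
    if not verify(msg, ring, sig) or sig[0] in spent:
        return False
    spent.add(sig[0])
    return True
```
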
Summary of privacy aspects
- Monero hides destination of transactions
- Monero hides origin of transactions
- Monero hides precise amount being transferred
- There is no “rich list”: nobody can see the amount associated to each address
Ok, privacy is cool. But?...
- Having a fully-private decentralized ledger is useful, but also problematic
- No way to comply in many tax jurisdictions
- No way to prove a transaction was made in case of dispute
- No way to be transparent about donations for a non-profit
- No way to prove certain holding to ask for loans, etc.
Viewkeys
A clever cryptographic mechanism, the “viewkey”. For each address, you have:
- A spend key (≈ Bitcoin private key)
- Plus a viewkey
- Give viewkey to somebody: they can see which outputs you control (= what you received, and your balance).
A viewkey mechanism also exists for a single transaction only.
Viewkey: transparency or privacy, user’s choice!
- With optional, voluntary use of viewkeys, Monero’s transparency becomes close to Bitcoin’s
- Monero provides high privacy by default whilst still providing opt-in full transparency when desired
- It does all of this at the (very elegant) cryptographic layer
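An added example, not part of the original slides, covering both the stealth address and the viewkey slides: a one-time destination is derived from a public address, then detected with the view key alone. It follows the CryptoNote-style derivation in a toy multiplicative group instead of Ed25519; all function names are hypothetical.

```python
import hashlib
import secrets

# Toy group (assumption): integers modulo the prime 2**255 - 19 under
# multiplication. Monero uses the Ed25519 curve; only the algebra is the same.
P = 2**255 - 19
G = 2
ORDER = P - 1  # exponents are reduced modulo the group order

def hash_to_scalar(value: int) -> int:
    digest = hashlib.sha256(value.to_bytes(32, "big")).digest()
    return int.from_bytes(digest, "big") % ORDER

def keygen():
    """Return (view_secret, spend_secret, address); only the address is public."""
    a, b = secrets.randbelow(ORDER), secrets.randbelow(ORDER)
    return a, b, (pow(G, a, P), pow(G, b, P))

def send_to(address):
    """Sender side: build a fresh one-time destination for this output."""
    view_pub, spend_pub = address
    r = secrets.randbelow(ORDER)          # per-output randomness
    tx_pub = pow(G, r, P)                 # published next to the output
    shared = pow(view_pub, r, P)          # equals tx_pub ** view_secret
    dest = pow(G, hash_to_scalar(shared), P) * spend_pub % P
    return tx_pub, dest

def is_mine(view_secret, spend_pub, output):
    """Scan with the view key only: detects outputs but cannot spend them."""
    tx_pub, dest = output
    shared = pow(tx_pub, view_secret, P)
    return pow(G, hash_to_scalar(shared), P) * spend_pub % P == dest

def one_time_secret(view_secret, spend_secret, output):
    """Owner side: the private key of this output requires the spend key."""
    shared = pow(output[0], view_secret, P)
    return (hash_to_scalar(shared) + spend_secret) % ORDER
```
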
Summary
More Cool Tech Stuff
Example: Monero has an adaptive block size.
- Bitcoin: the maximum block size is hardcoded (Ever heard of 1MB vs. 20MB debate?...)
- Monero adapts the maximum block size with a simple rule (very similar to mining difficulty adjustments). The idea is that the size is determined by a free market mechanism.
Conclusion
Monero: a great future?
- Demand for more fungible/private cryptocurrencies
- Bitcoin is a decentralized fully transparent public ledger
- We now have a technology for a decentralized private-by-default/transparent-on-demand public ledger
- Monero is the best contender currently for that role

    - Electronic cash is easy. Facebook could do it.
    - Private electronic cash is harder, but Chaum figured out how to do it in the early 90s.
    - Decentralized electronic cash is even harder. That’s Bitcoin.
    - Decentralized private electronic cash is even harder. That’s the next step.
    – pdtmeiwn on /r/bitcoin
Resources
- Online: http://getmonero.org
- In real life, upcoming Monero meetups in Europe:
  - Brussels – 19th of May
  - Paris – 21st of May
  - Amsterdam – 23rd of May
  - Berlin – 24th of May
XMR.TO
Motivation
Main problem of Monero
- Theory, usage practices and software are quite different from Bitcoin
- Few merchants support Monero
- Few Monero-specific services exist
- Getting started is difficult
Our goal
- Make Monero usable in many places
- Low barrier of entry
- Maintain primary advantage of Monero (privacy)