
A Holistic Security Analysis of Monero Transactions

Conference paper, in: Advances in Cryptology – EUROCRYPT 2024 (EUROCRYPT 2024)

Abstract

Monero is a popular cryptocurrency with strong privacy guarantees for users’ transactions. At the heart of Monero’s privacy claims lies a complex transaction system called RingCT, which combines several building blocks such as linkable ring signatures, homomorphic commitments, and range proofs, in a unique fashion. In this work, we provide the first rigorous security analysis for RingCT (as given in Zero to Monero, v2.0.0, 2020) in its entirety. This is in contrast to prior works that only provided security arguments for parts of RingCT.

To analyze Monero’s transaction system, we introduce the first holistic security model for RingCT. We then prove the security of RingCT in our model. Our framework is modular: it allows RingCT to be viewed as a combination of various different sub-protocols. Our modular approach has the benefit that these components can be easily updated in future versions of RingCT, with only minor modifications to our analysis.

At a technical level, we split our analysis into two parts. First, we identify which security notions for the building blocks are needed to imply security for the whole system. Interestingly, we observe that existing and well-established notions (e.g., for the linkable ring signature) are insufficient. Second, we analyze all building blocks as implemented in Monero and prove that they satisfy our new notions. Here, we leverage the algebraic group model to overcome subtle problems in the analysis of the linkable ring signature component. As another technical highlight, we show that our security goals can be mapped to a suitable graph problem, which allows us to take advantage of the theory of network flows in our analysis. This new approach is also useful for proving the security of other cryptocurrencies.


Notes

  1. See https://www.getmonero.org.

  2. Special care needs to be taken for corruptions, but we ignore them in this informal overview.


Acknowledgments

Julian Loss and Benedikt Wagner are funded by the Deutsche Forschungsgemeinschaft (DFG, German Research Foundation) - 507237585, and by the European Union, ERC-2023-STG, Project ID: 101116713. Views and opinions expressed are however those of the author(s) only and do not necessarily reflect those of the European Union. Neither the European Union nor the granting authority can be held responsible for them.

Author information

Corresponding author

Correspondence to Cas Cremers.


Copyright information

© 2024 International Association for Cryptologic Research

About this paper


Cite this paper

Cremers, C., Loss, J., Wagner, B. (2024). A Holistic Security Analysis of Monero Transactions. In: Joye, M., Leander, G. (eds) Advances in Cryptology – EUROCRYPT 2024. EUROCRYPT 2024. Lecture Notes in Computer Science, vol 14653. Springer, Cham. https://doi.org/10.1007/978-3-031-58734-4_5


  • DOI: https://doi.org/10.1007/978-3-031-58734-4_5


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-58733-7

  • Online ISBN: 978-3-031-58734-4
