• Forum has been upgraded, all links, images, etc are as they were. Please see Official Announcements for more information

Cryptonote Explained


Well-known member
Foundation Member
This was my question, how does cryptonote work? And below is my attempt to answer it from the input I received from some very nice people, thank you!

Edit: I'm including here input from people working on projects that use cryptonote as they understand it best. The purpose of this thread is to understand Cryptonote and it's applications and possibly applications that might be useful to DASH. Every solution has it's flaws but often, you can find a better use for certain techniques when applied to a different problem, so I feel the more people that learn about these techniques, the more great ideas will come out to the surface :D

These are quotes from luigi1111 on Bitcointalk.org. He was so nice to take the time to help me. I wanted to understand how cryptonote worked and these are the PMs he sent me. He said I could share :)


I read a few of your posts in the Peter Todd thread, and I think I can maybe help you out with understanding Cryptonote a bit.

You talked about tracing coins back to their source, and how you couldn't see how to do that in Cryptonote; that it seemed obscured and required trust.

If you look here: http://chainradar.com/bcn/transacti...2e309e9a458a5e03b31cf0d617e4129ca070681a54967 (that's a Bytecoin tx) you can see it has a "From transaction" link; this functions essentially identically to Bitcoin. This link exists because that particular TX was mixin=0, so no ring signature partners were chosen.

Consider if partners are chosen: there exists a number ( = mixin) of potential inputs that are equiprobable of being the one that was actually spent. In this case, chainradar has no "From transaction" link, because there is more than one possibility. They *could* list all the possible transactions, but they haven't implemented that for whatever reason. Moneroblocks similarly doesn't show previous transactions at all, even for mixin=0. This is only cosmetic, and on the actual blockchain you can be sure that all potential inputs are properly validated and accounted for.

Having the capability to "pretend" to spend others' inputs autonomously would cause you to be able to doublespend; Cryptonote gets around this by using "key images", which cannot be faked, but also cannot be traced back to the input they belong to.

Back to BTC-style transactions for a minute, whenever you group sign (as in, use multiple inputs), you obscure the outputs' origin; assuming size of outputs is less than inputs, any of the inputs could be the source of the funds for the outputs. In effect, you're getting two (or more) possible paths for the coins to have originated from.

This is technically different, but functionally somewhat similar to, the way ring signatures work.

Hope this helps!

Quote from: TanteStefana2 on Today at 05:09:35 PM
Thank you very much for that! I wasn't getting any help anywhere else, LOL. I'm still not clear on everything, and I suspect I need to study a flow chart at this point, which I'm sure exists. That the key signature can't be traced backward worries me because I just don't see how it can be verified to belong to actual coins and not counterfeited coins. I'm sure I'm missing something, it can take me a while of digesting to get that lightbulb moment

Seriously, thank you for taking the time. May I post your explanation in my dashtalk forum thread? Thanks again

Sure, I don't mind.

You know the inputs belong to actual coins because they do point back to previous transactions (this just isn't visible on the current explorers).

The final "key" piece is the key image. Basically one must be included for every input that is spent. A ring signature identifies which inputs *could* have been spent. The key image "identifies" the input that is *actually* spent, and therefore cannot be "respent", because the key image is unfakeable and would be duplicated. However, the "magic" of ring signatures means only the spender can normally know which input was actually spent.

Instead of marking outputs as spent like in Bitcoin, in Cryptonote a list of all key images ever used is kept to prevent double-spending.

Activity: 532


Trust: 0: -0 / +0
Re: (No subject)
« Sent to: TanteStefana2 on: Today at 06:00:54 PM »
« You have forwarded or responded to this message. »
Quote Reply Delete
Quote from: TanteStefana2 on Today at 05:44:34 PM
Oh, I just thought of another question. I just can't find simple enough diagrams to help me understand. I'm wondering about change. If Peter Paul and Mary are signers for a transaction, and each one, I presume, must have funds that are possible inputs, how is the change handled?

I know I'm missing something, but you seem to be able to explain very well
Can't let you go while I have you

Thanks again, you're such a nice person to take the time for an old lady!

Typically only one party would be a signer of a transaction. If there were say 3 parties, they'd all have to agree on the outputs (ie, change) before signing. I don't think a multiparty TX has ever been done in Cryptonote, though it should be possible.
Last edited by a moderator:
Are the previous transactions that were candidates to be spent simply random transactions? or do they belong to the signer? Is there any way to see the previous transaction being broken down (with change) or does it simply become a new random looking transaction with no link to the past, except for the key that created it, which nobody can replicate except the owner, who at the same time can not spend it twice?

Oh god, this is getting weird, LOL

They are random, and wouldn't typically belong to the signer, though they could. It is helpful to distinguish transactions from inputs and outputs. A transaction is a group of inputs and outputs. When a transaction's inputs reference prior "transactions", they are really referencing particular outputs from a prior transaction.

If you browse chainradar for 0 mixin TXs, you can for sure "follow the trail". I think I provided one example in my first PM. Think of non-0-mixin transactions (really inputs) as the same, but with X number of possible "trails" instead of only one, for each input. So you can't know the "real" trail, but you can verify (again, not visually on an explorer right now) all the possible trails are real, and that a particular trail can't be spent twice.

It gets confusing fast (even for "standard" BTC-like coins) with people referencing inputs and outputs, outputs as inputs, etc.

Hope this helps!

Quote from: TanteStefana2 on Today at 06:09:40 PM
Thank you again, just one last question. There are 3 key rings submitted (well, with a mix of 3) and only one is real. Can you tell me where or how the 2 fake ones are created?

LOL, I'm hoping you're not sorry you started helping me ;P

Sure, I'll give it a shot.

A "ring" is comprised of (usually) more than one signature, so any # mixin input is still one ring; you're not thinking about it quite correctly. A valid ring signature is created by one private key and any number of other public keys.

Now in that particular ring, all the inputs (ie, other public keys) are "real"; they all reference prior outputs on the blockchain. However, only one of those (all valid) inputs is really spent (the "one private key" above), which one is "identified" by the key image so that it cannot be spent again.
Last edited by a moderator:
So in the end, this is what I came up with, not sure if it's 100% correct, but I hope it's clear as mud to you as it is to me ;) JK
Last edited by a moderator:
My explanation on how Cryptonote, as in Monero works.

Mary wants to pay Bob 5.5 coins. To do this, she will submit her transaction with 2 other decoy transactions in order to obfuscate where the payment really came from.

But to start, all Mary knows is that she is using a combination of funds from a couple of her public addresses and sending them to Bob’s public address. In fact, she probably won’t even pay attention to which addresses are making up her transaction as this is done automatically. To be clear on where the funds really come from, I’ve made this diagram below to show how Mary’s account numbers can have different transaction numbers that are associated with them. Ultimately, it is the transaction numbers that matter, not the public address.

The transaction numbers are the coins. As can be seen in the diagram below, when Mary receives her change, it is either put into a new public address or an existing one. However, the coins themselves are identified via their TXID number (transaction number) alone, until they are merged or diverged into other TXID numbers.

Not shown in the diagram is how these “coins” which now have a new TXID number as well as value, are sent to Bob’s public address, which can be thought of as a pocket in his wallet that holds all the TXIDs under it. Basically, it’s the same as how the change is being handled in the diagram.


There is one additional step that I did not include in the graphic. This step is the same for all crypto currencies, and shows the main function of the wallet’s public address. Coins that are contained under this public address can only be spent if they can be signed off with a private address. This is a unique pair of numbers, public and private, that relate to each other via a cryptographic algorithm that can create only one solution. If the sender has the correct private address, they have the authority to spend the coins.

Next, we are going to take a step back and see how Cryptonote hides the details from prying eyes. You see, each time someone makes a payment, as demonstrated above, 2 payment decoys are created as well, by two arbitrary people on the network.

Those two arbitrary people create transaction keys for each of their inputs as does Mary, for each her TX inputs. These keys are generated by running the TXID through an algorithm that always gives the same result. Although you always get the same key result when you run the TXID number through it, you can not get the TXID by running the key back the other way. This is a one way algorithm.

Even so the fake keys generated by the decoys are indeed the keys you would get if you were to spend those TXIDs, the funds can not be spent because the owners have not signed off on the transaction. In fact, the decoy people are highly unlikely to even own the TXIDs that they are putting up as decoys.

If you were to look at the blockchain, you would see 3 groups of TXIDs that could possibly be the coins that were spent. On a normal blockchain, such as Bitcoin’s, you would see all the inputs on one side, and all the outputs on the other, and they would equal each other. Not so in cryptonote. In cryptonote, all potentially spent TXIDs that were signed with a key are shown, and only the person who signed off the transaction with their public/private account number would know which TXID key was the one used.
So at this point you might be asking yourself, if there is no record on the block chain that definitively shows which TXID was spent, how can we be sure it isn’t spent over and over again?

This is done by storing these keys, and checking any spends against that list. If it hasn’t been recorded before, then it can be spent. If It’s on the list, it can’t. Each transaction must be checked against the spent keys.

Finally, you may ask yourself, can’t you just see if a key was spent, to tell which TXID was the real TXID? I believe the answer is no because of possibly two things. 1st, the fake keys could be drawn from spent and unspent TXIDs, and second, I don’t believe the TXID keys in the spent file are time stamped.
A huge thanks to luigi1111 who helped me to understand at least I think I understand now? Please comment on any corrections! Thanks!
So if any of you want to ask questions or discuss cryptonote, it's advantages and disadvantages, lets do it! Here are a couple of thoughts I've had:

When thinking on this, I also have to question whether or not cryptonote actually does indeed obscure transactions better than DS. The reason I say that is because every transaction has a 1:3 chance of knowing which is the correct owner of the transaction. DS, on the other hand, can be told to mix many times so that the chances of following a transaction are almost nill.[ Of course both systems could have bad actors, especially early on. Note: I have since learned that you can choose to mix with as many decoys" as you like, so this is similar

A malicious entity could keep a separate list of the keys submitted, and used, and time stamp them. This would be the easiest way to unravel the transactions. But at the same time, the older the chain gets, the more transactions that go through unrecorded, the harder it becomes to nail down the keys. This would have to be done as early in the blockchain life as possible for the best results.

Also, is it possible that if the decoy transactions had never been used before, you could tell if their key were not placed on the list, you would know that it was a decoy?

Finally, the number 1 complaint for cryptonote is that you have to store all those keys, then check every transaction against them. That and because every transaction has 3 possible sets of inputs, causes the blockchain to bloat. At this time, monero, which is 1 year old, has a 4 gb blockchain, and Dash has a 1 gb blockchain and is over 1.5 years old. So that's pretty significant. If there ever are good solutions to trimming the block chain, then I would suspect all block chains will benefit from that, and probably in the same proportion. So this will still be a comparatively big issue for cryptonote.

Somebody mentioned that nearly all transactions in cryptonote are privatized, thus when comparing DASH's blockchain, it isn't the same. It would be interesting if someone could do a comparison with both mixing 100%

Because there are no blockchain explorers that give out all the information for a cryptonote coin that I could find, and because I'm not a programmer who can make my own blockchain analyzer, I am very curious to know if one could determain, from the actual output (the payee) and the change address, which combination of TXIDs were used to create the outputs. The more transactions in a block, the harder that would be to find, but it may not be hard for a computer to figure out if the inputs were highly individual. Dash broke inputs down in basic denominations so that all inputs look alike as a solution to that problem.

Well, those are the weaknesses I can think of at this point. I'm not trying to bring out the weaknesses to insult, only to compare with.
Last edited by a moderator:
Would be awesome if the conclusion of this discussion ended up as an article on the wiki. Just sayin :rolleyes:

You know, it's clever. I can see a solution like this working on a small disposable scale for something else. It just doesn't scale, and if the block doesn't have enough transactions in it, I'm pretty sure you could figure out which combinations were the real combinations used for that transaction. Just like DS is based off of coinjoin, and instantX is based off of greenaddresses (I think) we can learn from these brilliant little ideas. They're sometimes thought up for a solution that they don't solve perfectly, but can be used in another situation perfectly.

We still need to see if DS scales as well! But for DS, I can see trimming the blockchain of all the TXIDs that have had their day and no longer exist except in memory (unless they're instrumental in verifying the validity of future TXIDs?) In cryptonote, it is never determined that a TXID has been spent - except that you can check it against a database for it's key). Since the TXID can not be tagged in anyway as being spent on the blockchain (or you'd expose all the transactions,making the whole point of cryptonote mute), you can't cut it out.
Last edited by a moderator:
Ok, I think this helped to get a better understanding of cryptonote.

Appreciate the effort Tante.

If we manage to bring our mixing times down by a significant amount then Dash seems to be on top against cryptonote in almost all aspects.
To be honest, at this point, I don't see DASH having any competition as a daily use currency. Privacy and instant payments, just can't be beat. But I'm certain that there will be a super easy way of exchanging one coin for another that is decentralized in the not too distant future. And when that happens, many coins will have their uses. Even if they're only perceived as better. Maybe cryptonote is indeed better for privacy and some day better minds than mine will come to a consensus on what is most secure for privacy. In that case, I would use such a coin to pay for political donations, or really any donations. I don't like it that when I want to donate to something, that organization gets my email address at the minimum. Frankly, I'm even afraid to sign a petition. Heck, using something like this to prove you're a real person, but not revealing who you are, so you can sign a petition without fear of becoming a target would be great!

Anyway, now I have to learn about the different cryptonote based coins, see what makes them different. :)
I'm posting these corrections because I can't fix or redo anything at this time, but I got a few things wrong:

Hey there!

I've seen your efforts to understand and explain the ring-signatures use within Monero.
Looking at your diagrams (in the dash forum thread), you still got few things wrong. I thought maybe this will help:
(starting slide 25, it's about ring signatures).

Also, in your comments you say "if the block doesn't have enough transactions in it, I'm pretty sure you could figure out which combinations were the real combinations used for that transaction". It suggests you believe you mix with other people's outputs in the same block? If so, this is wrong: you mix with any output of the same amount in the blockchain, it can be 1 year old, it doesn't matter.
You also say: "Those two arbitrary people create transaction keys for each of their inputs as does Mary, for each her TX inputs.". This is again wrong, the arbitrary people don't create or do anything, they don't need to be online, their "participation" is completely passive. (Only Mary will be active).
That is also why people will mix with your own inputs, and you don't need to do anything.

This is important because contrary to coinjoin, you don't need the other peoples involved to be active or online, or to be willing to send at the same time as you.
With ring-signatures you can literally be the only user of the cryptocurrency for an entire day, there is no issue for mixing as this is done with the entire history, not with immediate co-signers. You since you don't need anyone else to do anything, so can sign your 100-mixin ring-signature completely offline on an airgap computer for instance.

Hope that clears things a bit!



Wow, that looks like a lot of work! I haven't read the whole thing yet, as I wanted to get some sleep last night.
I'll try to take a look at it soon.

To your PM 3 ago, actual amount are identified by public keys on the blockchain; in a transaction, they are identified by offsets, but that's not too important. It's better to think about them as belonging to public keys. A TXID is a hash of an entire transaction, the inputs and outputs are the "meat".

To this PM, I think I can clear this up: Cryptonote only allows creating a ring signature for a group of inputs (of which only one is actually spent) of the same denomination. You can't group a set of inputs of 10, 5, 2; they all have to be 10. Because of this, transaction logic automatically denominates everything in powers of 10 whole integers: this includes payment and change.

An example XMR transaction: Bob wants to send Mary 9.56 XMR. Bob has an output for 20 XMR. He uses this as the only input into his transaction, but specifies mixin=3. This means he will go to a table with a list of all the outputs on the blockchain of 20 XMR and choose 3 additional ones at random. Using the 3 public keys of those "fake" outputs and the private key of his own 20 XMR output, Bob constructs a ring signature with 4 "participants". An observer only knows that Bob owns 1 of the private keys of those participants. Now back to the denomination: using stealth addresses, Bob can generate any number of addresses belonging to Mary, with only her public keys (this is a different topic). Bob will create 3 outputs (all to different keys or "addresses") for Mary: 9 XMR, 0.5 XMR, and 0.06 XMR. Additionally, he'll create change outputs for himself for 11 XMR, 0.4 XMR, and 0.04 XMR (assuming no fees).

All this "auto-denominating" means normal transactions' inputs shouldn't have trouble finding partners to use in their rings. The standard (sum inputs) <= (sum outputs) still applies as in BTC.

Thanks guys! I haven't slept yet, so I'm getting too tired to work this, LOL.
TanteStefana, thanks for info, but I think it is better to move it here:

Cryptonote, Monero, ... - aren't parts of Dash project.
And we must show this fact for everybody - position them as alternative technology, not Dash related (maybe it is obvious for experienced Dashers, but not for everybody who reads this forum).
Oh, I thought here because it's just general, LOL. How do I move it?
I was thinking about it when I moved 2 other threads about maidsafe and ... (can't remember now) but cryptonote is a protocol and not a currency so I decided to keep it here.

Though alex-ru is right and this topic it's not related to Dash (yet? :rolleyes:) but I feel it could be very useful to get our head around and can bring some interesting ideas. There was not too much use of stealth addresses in any bitcoin related project afaik and I never thought of using stealth addresses this way, for example, and now it looks like this actually can have some benefits for us too. DS + stealth addresses used in such way (generating addresses for denominations instead of merging them together and sending to a single address) could obscure spending in blockchain - making DS transaction to stealth address to look much like regular mixing which is kind of nice feature to give more protection to both sender and receiver at the same time.

EDIT: how about moving to https://dashtalk.org/forums/development-tech-discussion.8/ and brainstorming a bit about what else we can borrow from cryptonote?

EDIT2: moved
Last edited by a moderator:
Sounds great, wherever you deem is good!

Errr, um, if you need me to do it, please tell me how, LOL
Last edited by a moderator:
Would be great if we could incorporate this protocol into Dash, seems like a great way to achieve send anonymity.

Well, you have to remember, fible1, that it comes at a price. For whatever reason, either because DS has a smaller foot print, or because people only use it if they have need, and use it as much (that is number of rounds) as needed. Either way, our blockchain is 1/4 the size of a similar coin, monero, which is 2/3 as old as Dash. And we would be destroying the ability to trim the blockchain in the future.

So, although it's very clever, it may not scale for long.

However, this could be used in some sort of side chain for other uses? What that might be, I don't know but it's important to keep these tools in the toolbox as you may have need for them in the future!

And frankly, I think us users, not the programmers, but users, are the ones that sometimes come up with the best ideas due to need, so we must educate ourselves :D

Ok, I'm still brain dead, I may need to step back before editing my attempt at explaining cryptonote, LOL In the meantime, please know it's not quite right, if you could read the expert comments afterwards, that should help :)
Well, you have to remember, fible1, that it comes at a price. For whatever reason, either because DS has a smaller foot print, or because people only use it if they have need, and use it as much (that is number of rounds) as needed. Either way, our blockchain is 1/4 the size of a similar coin, monero, which is 2/3 as old as Dash. And we would be destroying the ability to trim the blockchain in the future.

So, although it's very clever, it may not scale for long.

However, this could be used in some sort of side chain for other uses? What that might be, I don't know but it's important to keep these tools in the toolbox as you may have need for them in the future!

And frankly, I think us users, not the programmers, but users, are the ones that sometimes come up with the best ideas due to need, so we must educate ourselves :D

Ok, I'm still brain dead, I may need to step back before editing my attempt at explaining cryptonote, LOL In the meantime, please know it's not quite right, if you could read the expert comments afterwards, that should help :)

Hey :),

I'll grant I'm no expert on cryptonote but I've read pretty much everything there is to read on the net about it, including both white papers, core discussions and as much of the Monero forums as I could stomach.

The core benefit I see is that obfuscation is automatic. Anecdotal evidence suggests that a lot of people don't use DS and it most likely has to do with it being slow (days) and a bit confusing; both negative factors for on boarding.

I won't argue about blockchain bloat, that's pretty clear; but like I said on another thread, the era of normal users running full nodes is nearing it's end. You cant expect users to DL a a few dozen Terabytes of blockchain in ten years. I suspect that service providers will take on that burden and users will run "lite" clients so from my point of view blockchain bloat has clear solutions; and in the end, is the service providers issue, not the consumers.

I originally got on board Dash because of DS, but after having used the system for several months, I think it's pretty clear we need something more transparent. New users often complain "I've had DS on since yesterday and it still hasn't finished!", and "how does this work?". I myself stopped using DS when I tried to anonymity 600 Dash, 5 rounds deep, I stopped it after 1 week.

Wouldn't it be so much better if anonymity was built in?

So granted it may not be the cryptonote model, but I think we can likely do better than the current implementation in terms of it being more transparent for the user.

Hope that helps :)



PS: I have a strong feeling Monero is vaporware. My bullshit meter went "Code Red" every time I read so called "experts" who tried to explain the tech, so please don't think I want us to clone Monero tech, I am merely making the point that their vision of anonymity vis a vis it being transparent and automatic is better than our implementation. Granted ours works and theirs is in the air, but it's worth it to understand transparent and instantly untraceable payments are the future, not coinjoin.