Bitcoin right now is not really anonymous. While Bitcoin addresses aren’t necessarily linked to real-world identities, they can be. Monitoring the unencrypted peer-to-peer network, analyses of the public blockchain and Know Your Customer (KYC) policy or Anti-Money Laundering (AML) regulations can reveal a lot about who’s using Bitcoin and for what.
This is not great from a privacy perspective. For example, Bitcoin users might not necessarily want the world to know where they spend their money, what they earn or how much they own; similarly, businesses may not want to leak transaction details to competitors.
Additionally, the fact that the transaction history of each bitcoin is traceable puts the fungibility of all bitcoins at risk. “Tainted” bitcoins, for example, may be valued less than other bitcoins, possibly even calling into question Bitcoin’s value proposition as money.
There are potential solutions that may increase privacy and improve fungibility in Bitcoin. But most of these solutions are either partial, works-in-progress or just largely theoretical.
The Bitcoin Scenario
Perhaps the main reason Bitcoin does not offer a whole lot of privacy is that different transactions are easily linked together.
This is because all Bitcoin transactions consist of inputs and outputs. Inputs refer to addresses bitcoins are sent “from” and outputs refer to addresses bitcoins are sent “to”. Naturally, then, outputs from one transaction become inputs in the next. The receiver of one output and the sender of the subsequent input are usually the same person.
Moreover, since most transactions are made by one person only, all input addresses typically belong to that same person as well. Meanwhile, that one person usually sends bitcoins to only one other person per transaction. That means that if there are two different outputs, one of these must be a change address, used by the sender to send excess bitcoins back to himself.
All these links in the chain make individual bitcoins traceable; it’s possible to determine in which transactions a certain bitcoin was previously used, thereby potentially harming fungibility and decreasing privacy, as all these links allow blockchain analysts to figure out which bitcoins likely belong(ed) to whom.
The Monero Scenario
As opposed to the majority of altcoins, Monero is not based on Bitcoin’s code-base or protocol. Instead, the cryptocurrency, launched in 2014, is based on the CryptoNote reference implementation, an altcoin that was designed from scratch.
Monero was created by the pseudonymous developer thankful for today, who was himself effectively “fired” by the community less than a month after Monero’s launch, as the project was forked away from him. It has since been led by a core team of seven developers, including Riccardo “fluffypony” Spagni and Francisco “ArticMine” Cabañas. Its native curreny, XMR, is one of the top altcoins by market cap, and is now accepted as payment on several dark net markets.
In Monero, the basic structure of Bitcoin transactions still holds up: each consists of inputs (“from”) and outputs (“to”). But there are two key differences. For one, outputs can only consist of rounded decimal numbers. So instead of an output worth 15.7 XMR, there will be three outputs, worth 10, 5 and 0.7 XMR. And the change outputs are also rounded. So if the input was worth, say, 60 XMR, the change outputs will be worth 40, 4 and 0.3 XMR for a combined output total of 60. Six outputs (40, 10, 5, 4, 0.7 and 0.3), where only the sender and receiver know which ones are payments and which are change. This already makes blockchain analysis a bit harder.
But this is really only the setup of the trick.
The actual magic comes from a cryptographic signature scheme called “ring signatures,” based on the older concept of “group signatures.” Ring signatures exist as several iterations and variations, but all share the property of obfuscating whichcryptographic key signed “which” message, while still proving “that” a cryptographic key signed “a” message. The version used by Monero is called “Traceable Ring Signatures,” invented by Eiichiro Fujisaki and Koutarou Suzuki.
Taking the example above, where an input worth 60 XMR was used to create six outputs, Monero utilizes ring signatures as follows.
The sender who created the 60 XMR input must have previously received these 60 XMR as an output of an earlier transaction. After all, he can only create a 60 XMR input if he controls a 60 XMR output first.
But with ring signatures, the sender can obfuscate “which” 60 XMR output he controlled. Instead, he can take several 60 XMR outputs from different transactions, and bundle them together in such a way that proves he owns “one” of these outputs — without revealing “which one”. And since Monero only works with round numbers, there should be plenty of 60 XMR outputs available on the blockchain to mix with.
As a result, Monero transactions are almost completely unlinkable. At best, blockchain-analysts can calculate the odds that transactions are linked, based on how many outputs were used in the mix to create an input. (This is configurable by the sender, with a minimum of three.)
And Back Again…
So how does any of this help Bitcoin or Bitcoin users?
Simple: Monero is used to “unlink” Bitcoin transactions in much the same way that Monero transactions are themselves unlinked.
Specifically, Bitcoin users sell bitcoin for XMR, ideally on a Tor-friendly exchange that does not require AML/KYC, like Shapeshift or Bitsquare. Later, they simply sell these XMR back for bitcoin on a different platform, which can also be done on XMR.to. If the buys and sells are spread over time a bit (since low transaction volume on Monero can be a slight giveaway in some cases), this leaves virtually no link on any blockchain at all.
For more information on Monero — which includes additional privacy options as well as other features — visit getmonero.org. Using Monero in itself does not always guarantee full privacy; the more precautions taken, the better.