Monero (XMR) is a new privacy-centric coin using the CryptoNote protocol (see below for more information). The open source reference implementation of CryptoNote was coded from scratch based on the CryptoNote reference implementation, and is not a fork of Bitcoin.
Monero aims to be a fungible and untraceable digital medium of exchange. It intrinsically has a higher degree of privacy than Bitcoin or any of its various forks. It was launched on April 18, 2014 (preannounced and no premine/IPO/etc.).
The official core team members are (in no particular order) - tacotime, eizh, smooth, fluffypony, othe, davidlatapie, NoodleDoodleAnnouncementsDecember 15
- Monero Missives #21
bug fixes; MyMonero copy-to-clipboard helpers and transaction details; ForkGuard adds MoneroClub & MyMonero; I2PD makes progress on SU3 router update supportDecember 8
- Monero Missives #20
Version 0.8.8.6; 25 words seed (checksum); external project section; smart mining; security improvements and bugfixes on MyMonero.com; i2p progressing.November 24
- Monero Missives #19
First webwallet, MyMonero
; version 0.8.8.5 progressing steadily; DB bugfixing continues; new start for QA, CI and Gitian.November 17
- Monero Missives #18
Version 0.8.8.5 delayed because of Windows issues; download binaries from the ANN or the official forum lest you may get bad surprises; MRL (Monero R&D) meetup for improving difficulty retargeting algorithm, simpler and stealthier payment ID, secure use of viewkey during remote access.Monero Missives Archives: #1 #2 #3 #4 #5 #6 #7 #8 #9 #10 #11 #12 #13 #14 #15 #16 #17
- Longer summary of each missive
by Globb0Other Archives:
Blockchain Spam Attack post-mortem (part I
and part II
) - Block 202612 attack (update 1
, technical update
) - Partial funding of Privacy Solutions
for the C++ version of the I2P router (IP obfuscation)Features
- Untraceable payments
- Unlinkable transactions
- Blockchain analysis resistance
- Adaptive parameters
Details in the CryptoNote white paper
(Review of the CryptoNote white paper
- PoW algorithm: CryptoNight 
- Max supply: ~18.4 million 
- Block reward: Smoothly varying 
- Block time: 60 seconds
- Difficulty: Retargets at every block
CPU + GPU mining (about 1:1 performance for now). Memory-bound by design using AES encryption and several SHA-3 candidates.
Actual number of atomic units is M = 264
- 1. A minimum subsidy may be implemented in the future with <1% annual inflation to preserve mining incentives.
Uses a recurrence relation. Block reward = (M - A) * 2-20
, where A = current circulation. Roughly 86% mined in 4 years (see graph
).Official downloads and linksGetting Started
- Follow the guide to set up the software and start mining.Official forumSource and binariesAlso see below for optional GUI.
Latest release: 0.8.8.6Blockchain (faster sync)All updated live and always current.GiveawaysPetitioning Cryptsy, Btc-e and others for Monero(XMR)Donations for general developmentXMR:
address (OpenAlias) donate.getmonero.orgBTC:
address (full) 46BeWrHpwXmHDpDEUmZBWZfoQpdc6HaERCNmx1pEYL2rAcuwufPN9rXHHtyUA4QVy66qeFQkn6sfK8aHYjA3jk3o1Bv16em
1FhnVJi2V1k4MqXm2nHoEbY5LV7FPai7bbMonero Community Hall of FameExternal ProjectsMEW (Monero Economy Workgroup)Web Wallets
Alternative ClientsThe first two GUIs are in beta and the third is in alpha, but they should be fairly safe to use because they work through bitmonerod and simplewallet from the main code.MinersBlockchain explorerOthersExchangesPoolsSpread around the hashrate! Join the smaller pools to improve network health.
- MyMonero.com - operated by a Core Team member, fluffypony, 100% client side, never knows your spend key and thus cannot spend or steal your funds
Only open-source pools are mentioned, sorted by donation then fees. Fees include
the donation, so miners won't pay more than the fees listed on the "fees" column. Misleading advertisement = undetermined ban ("undetermined" doesn't mean "forever", just "as long "as we deem it necessary"). Manager's note is a list with 100 character max, no exclamation points and no links. For updates, please contact Quanttek
(same on IRC)
Beware: we are doing our best to stay current regarding fees, but always double-check on the pool itself.We recommend to use only the bolded pools, which are up-to-date on important updates and security fixes. (When none are bolded, all are up-to-date)
|URL||Country||Manager (IRC)||Donations (% of fees)||Total Fees||Manager's note|
|backup-pool.com||Canada||triplef||Total: 73%||Fees: 1.1%|| #backuppool IRC-channel, Charts ,10 minutes payout , instant support french/english|
|monerohash.com||US||osensei||Total: 37.5%||Fees: 1.6%||20Gbps DDOS protected, reliable, secure (https), up-to-date pool - USA - NY|
|pool.cryptoescrow.eu||Lithuania||mind-less||Total: 20%||Fees: 1%||Fast & helpful support, DDOS protected, Well maintained server.|
|xmr.hashinvest.net||France||sammy007||Total: 10%||Fees: 2%||Transparent and stable pool with regular payouts. Desktop notifications, instant online support.|
|mro.poolto.be||Belgium||PCFil||Total: 8%||Fees: 1.3%||Stable dedicated server, hosted in datacenter, fast link, fast support|
|crypto-pool.fr||France||onishin, superresistant||Total: 5%||Fees: 2%|
|minexmr.com||France||xnbya||Total: 5%||Fees: 2%|
|coolmining.club||Hungary||hegemoOn||Total: 3%||Fees: 1.5%||#cmc-pool on freenode|
|monero.xminingpool.com||Germany||xmining||Total: 0%||Fees: 0%||First cryptonote-universal-pool implementation. FCN/MCN support.|
|cryptonotepool.org.uk||UK||CryptonotepoolUK||Total: 0%||Fees: 1%||Long running pool with reputation for reliability and support, all fees donated to xmr dev fund|
|xmr.prohash.net||Netherlands||trampk||Total: 0%||Fees: 1.5%|
last updated: 2015-02-11FAQ
For a longer FAQ, check Community FAQWhat is CryptoNote?
CryptoNote is the technology that allows creation of privacy-centric cryptocurrencies. You can visit their website here. The level of anonymity provided by CryptoNote isn't possible with Bitcoin code base by design. Bytecoin (BCN) was the CryptoNote reference implementation, and XMR is based on BCN's code.
Two of the main features of CryptoNote are ring signatures that mask sender identities by mixing and one-time keys that make transactions unlinkable. Their combined effect gives a high degree of anonymity without any extra effort on the part of the user.
Unlike Bitcoin, your funds are not held in the address you give out to others. Instead, every time you receive a payment it goes to an unlinkable address generated with random numbers. When you decide to spend the funds in that one-time address, the amount will be broken down and the components will be indistinguishable from identical outputs in the blockchain.
For example if 556.44 XMR are sent, the protocol will break it down into 500 + 50 + 6 + 0.4 + 0.04 and a ring signature will be performed with other 500's, 50's, 6's, 0.4's, and 0.04's in the blockchain. Unlike the "CoinJoin" mixing method, CryptoNote mixes outputs not transactions. This means no other senders need to be participating with you at the same time or with the same amounts. Any arbitrary amount sent at any time can always be rendered fundamentally indistinguishable (a mathematical proof is given in the white paper).
The degree of anonymity is also a choice rather than decided by the protocol: do you want to be hidden as one among five or one among fifty? The size of the signature grows linearly as O(n+1) with the ambiguity so greater anonymity is paid for with higher fees to miners.
Ring signatures are explained below. Reproduced from CryptoNote:
A normal signature looks like this. There's only one participant, which allows one-to-one mapping.
A ring signature obscures identities because it only proves that a signer belongs to a group.
This allows a high level of anonymity in cryptocurrency transactions. You can think of it as decentralized and trustless mixing.How does this compare to other anonymous solutions?
Ring signatures originate from the work of Rivest et al. in 2001 and the implementation in CryptoNote relies in particular on Fujisaki and Suzuki's work on traceable ring signatures. There are two other anonymity implementations currently available or in development. One is ZeroCoin/ZeroCash's use of zero-knowledge proofs. The others are based on gmaxwell's CoinJoin idea (such as mixing services for Bitcoin or the altcoin Darkcoin).1. Comparison with ZeroCoin and ZKP-based approaches:
You can read about ZeroCoin and zero-knowledge proofs (ZKP) here. The ZK environment allows an anonymity set that includes everyone in the network because the validity of an output can be proven without knowing the corresponding public key until it is spent. The largest risk is that this is recent research-level cryptography that hasn't been subjected to years of cryptanalysis, so exploits may emerge down the road. Ring signatures are much simpler and more mature, with many peer-reviewed papers published over more than a decade.
Other issues with ZKP include the RSA private key used to initiate the accumulator, which must be trusted to be destroyed by the generating party. It also obscures the entire economy, not just sender/receiver identities. If the ZK system is compromised, then an attacker can continuously spend coins that don't exist using false proofs. This damage is hidden from everybody due to total blinding and consequently at any given time it's not possible to know if the network has already been compromised. There is a tradeoff between these inherent risks and the maximal anonymity set provided by ZKP. CryptoNote aims for a different balance through the dual layers of privacy provided by one-time keys and ring signatures.2. Comparison with CoinJoin-based approaches:
XMR is more qualitatively similar to mixing implementations like CoinJoin. The differences arise in the departure from the Bitcoin protocol, which allows XMR to use new cryptography to provide decentralized and trustless mixing of superior quality. The critical problem with mixing services is the need to trust the operators. As an example, blockchain.info's mixer gives the following disclaimer: "However if the server was compromised or under subpoena it could be force to keep logs. If this were to happen although you haven't gained any privacy you haven't lost any either."
The CoinJoin-inspired Darkcoin performs mixing with selected "masternodes" since it still uses ordinary signatures that can be mapped one-to-one. The motivation is that a randomly selected node is less likely than a single service to exhibit bad faith (such as keeping logs) . In practice, a few VPS companies host the vast majority of nodes and this approach relies on the integrity and good behavior of these nodes. XMR's more fundamental cryptographic approach doesn't have these vulnerabilities and the quality of anonymity is much higher.
XMR's ring signatures are also far more secure and convenient than CoinJoin because they mix outputs not transactions. This means a transaction doesn't involve waiting around for other senders to mix with. Nor is a user restricted to mixing only if others are sending the same amount. Arbitrary amounts can be sent at any time without anyone else's participation. This feature makes a timing analysis of the blockchain useless.Overview of a transaction
Bob decides to spend an output, which was sent to the one-time public key. He needs Extra (1)
, TxOutNumber (2)
, and his Account private key (3)
to recover his one-time private key (4)
When sending a transaction to Carol, Bob generates its Extra value by random (5)
. He uses Extra (6)
, TxOutNumber (7)
and Carol's Account public key (8)
to get her Output public key (9)
In the input Bob hides the link to his output among the foreign keys (10)
. To prevent double-spending he also packs the Key image, derived from his One-time private key (11)
Finally, Bob signs the transaction, using his One-time private key (12)
, all the public keys (13)
and Key Image (14)
. He appends the resulting Ring Signature to the end of the transaction (15)
(QQ Group: 272729907) Русский Português Français Español