Paper 2023/321

A Holistic Security Analysis of Monero Transactions

Cas Cremers, CISPA Helmholtz Center for Information Security
Julian Loss, CISPA Helmholtz Center for Information Security
Benedikt Wagner, CISPA Helmholtz Center for Information Security, Saarland University
Abstract

Monero is a popular cryptocurrency with strong privacy guarantees for users’ transactions. At the heart of Monero’s privacy claims lies a complex transaction system called RingCT, which combines several building blocks such as linkable ring signatures, homomorphic commitments, and range proofs, in a unique fashion. In this work, we provide the first rigorous security analysis for RingCT (as given in Zero to Monero, v2.0.0, 2020) in its entirety. This is in contrast to prior works that only provided security arguments for parts of RingCT. To analyze Monero’s transaction system, we introduce the first holistic security model for RingCT. We then prove the security of RingCT in our model. Our framework is modular: it allows one to view RingCT as a combination of various different sub-protocols. Our modular approach has the benefit that these components can be easily updated in future versions of RingCT, with only minor modifications to our analysis. At a technical level, we split our analysis into two parts. First, we identify which security notions for building blocks are needed to imply security for the whole system. Interestingly, we observe that existing and well-established notions (e.g., for the linkable ring signature) are insufficient. Second, we analyze all building blocks as implemented in Monero and prove that they satisfy our new notions. Here, we leverage the algebraic group model to overcome subtle problems in the analysis of the linkable ring signature component. As another technical highlight, we show that our security goals can be mapped to a suitable graph problem, which allows us to take advantage of the theory of network flows in our analysis. This new approach is also useful for proving security of other cryptocurrencies.

Note: v1.0: initial version; v1.01: editorial improvements, introduction revisited, more explanations.

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
A minor revision of an IACR publication in EUROCRYPT 2024
Keywords
Monero, RingCT, Algebraic Group Model, Network Flows, Transaction Scheme Security
Contact author(s)
cremers @ cispa de
loss @ cispa de
benedikt wagner @ cispa de
History
2024-02-27: revised
2023-03-04: received
Short URL
https://ia.cr/2023/321
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2023/321,
      author = {Cas Cremers and Julian Loss and Benedikt Wagner},
      title = {A Holistic Security Analysis of Monero Transactions},
      howpublished = {Cryptology {ePrint} Archive, Paper 2023/321},
      year = {2023},
      url = {https://eprint.iacr.org/2023/321}
}