Paper 2023/321

A Holistic Security Analysis of Monero Transactions

Cas Cremers, CISPA Helmholtz Center for Information Security
Julian Loss, CISPA Helmholtz Center for Information Security
Benedikt Wagner, CISPA Helmholtz Center for Information Security, Saarland University

Monero is a popular cryptocurrency with strong privacy guarantees for users' transactions. At the heart of Monero's privacy claims lies a complex transaction system called RingCT, which combines several building blocks such as linkable ring signatures, homomorphic commitments, and range proofs, in a unique fashion. In this work, we provide the first rigorous security analysis for RingCT (as given in Zero to Monero, v2.0.0, 2020) in its entirety. This is in contrast to prior works that provided security arguments for only parts of RingCT. To this end, we provide the first holistic security model for Monero's RingCT. In our model, we then prove the security of RingCT. Our framework is modular in that it allows one to view RingCT as a combination of various different sub-protocols. This has the benefit that these components can be easily updated in future versions of RingCT with only minor modifications to our analysis. At a technical level, we introduce several new techniques that we believe to be of independent interest. First, we need to make several subtle modifications to the syntax and security properties of existing building blocks (e.g., linkable ring signatures), which result from the unusual way in which they are combined within RingCT. Then, we show how these building blocks can be combined in order to argue security of the top-level transaction scheme. As a technical highlight of our proof, we show that our security goals can be mapped to a suitable graph problem. This allows us to take advantage of ideas from the theory of network flows in our analysis.

Category: Cryptographic protocols
Keywords: Monero, RingCT, Algebraic Group Model, Network Flows
Contact author(s)
cremers @ cispa de
loss @ cispa de
benedikt wagner @ cispa de
2023-03-05: approved
2023-03-04: received
Creative Commons Attribution


      author = {Cas Cremers and Julian Loss and Benedikt Wagner},
      title = {A Holistic Security Analysis of Monero Transactions},
      howpublished = {Cryptology ePrint Archive, Paper 2023/321},
      year = {2023},
      note = {\url{}},
      url = {}