
CryptoNote is an application-layer protocol that powers several decentralized, privacy-oriented digital currencies. It aims to be an evolution of the ideas behind Bitcoin.[1][unreliable source][2]

Development status: Active
Written in: C++
Operating system: Windows, Unix-like, OS X
Type: Cryptocurrency, anonymity
License: MIT License

The main difference between the two technologies is that Bitcoin (and most digital currencies) is less opaque than CryptoNote-based currencies, because the CryptoNote blockchain is almost anonymous, unlike non-CryptoNote blockchains.[3][4] Like Bitcoin, CryptoNote currencies use a distributed public ledger that records all balances and transactions of the built-in currency. Unlike Bitcoin, CryptoNote's transactions cannot be followed through the blockchain in a way that reveals who sent or received coins. The approximate amount of a transaction can be known, but the origin, destination, or actual amount cannot be learned. The only information available is that the actual amount was lower than the displayed amount. The only people with access to the whole set of data about a transaction are the sender or receiver of the transaction and the person who possesses one or both secret keys.

Another significant difference is CryptoNote's hash-based proof-of-work algorithm. Bitcoin uses SHA256, which is a CPU-bound function. That means that participants (miners) are only limited by their calculation speeds, and it is relatively cheap to create an application-specific integrated circuit (ASIC) device, which will surpass an ordinary computer in hashes per unit of money.[5] CryptoNote uses the memory-bound function CryptoNight, which cannot be easily pipelined.[6]

The CryptoNote codebase is not forked from Bitcoin's, so it also has different internal algorithms for things such as recalculating the new difficulty level or the new block size.[6]



CryptoNote technology was first described in the whitepaper CryptoNote v 1.0.[7][unreliable source] An updated version was later released under the name CryptoNote v 2.0.[6][unreliable source] The Bytecoin cryptocurrency was the first implementation of the underlying cryptographic protocol. CryptoNote was at first developed in Java for a faster launch, and then rewritten in C++ in 2013.[8][unreliable source]

CryptoNote is based on many early works and protocols and takes into consideration several issues raised formerly. Below is a list of the most important papers and events that influenced CryptoNote:[9]

  • 1983 – Blind signatures described by David Chaum;[10]
  • 1997 – HashCash (an instance of a proof-of-work system) invented by Adam Back;
  • 2001 – Ron Rivest, Adi Shamir, and Yael Tauman proposed ring signatures to the cryptographic community;[11]
  • 2004 – Patrick P. Tsang and Victor K. Wei proposed using the ring signature system for voting and electronic cash;[12]
  • 2008 – Bitcoin whitepaper published by Satoshi Nakamoto;[13]
  • 2011 – An Analysis of Anonymity in the Bitcoin System, Fergal Reid and Martin Harrigan;[14]
  • 2012 – Destination Address Anonymity in Bitcoin (one-time addresses in CryptoNote).[15]

Anonymous transactions and ring signatures

The changes in the results of blockchain analysis after implementing the ring signatures.

Like Bitcoin, CryptoNote currencies use a public address consisting of pseudorandom numbers and letters that is derived from the user's public keys. Addresses serve as public IDs of the users. However, unlike Bitcoin, CryptoNote transactions hide the connection between the sender's and the receiver's addresses.

Sender privacy

To prevent sender identification, CryptoNote groups the sender's public key with several other keys (more precisely, it groups the sender's output with several others' outputs), making it impossible to tell who actually sent the transaction.[16] If ring signatures are used, all possible senders referenced in the transaction are equiprobable and there is no way to determine the exact private key used while signing.[17] This approach does not require dedicated master nodes for mixing coins and does not need other users to actively participate in transaction generation (see CoinJoin). It still assures the network that the original sender has the funds in his or her account to send the transaction, as an ordinary signature scheme does. Instead of proving in a zero-knowledge manner the fact "I possess the private key which corresponds to this particular public key", the signer proves "I possess at least one of the private keys which correspond to this set of public keys".

Receiver privacy

On the receiver's end, the technology generates a new public key for each money transfer,[18] even for the same sender and receiver. From the sender's random data and the receiver's public address it is possible to create a unique pair of private and public keys via Diffie–Hellman key exchange. The sender generates a one-time ephemeral key for each transfer, and only the receiver can recover the corresponding private key (to redeem the funds). No third party can determine if two different transactions were sent to the same recipient.
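The derivation described above, as an added example (not code from CryptoNote or any of its implementations). It follows the two-key address layout of the CryptoNote v 2.0 whitepaper, where an address is a pair of public keys (A, B); the multiplicative group modulo 2**255 - 19, SHA-256 as the hash, and all function names are assumptions chosen so the sketch runs with the Python standard library, and the toy group is not secure.

```python
import hashlib
import secrets

# Toy group (assumption): integers modulo the prime 2**255 - 19 under
# multiplication, standing in for the elliptic curve real implementations use.
P_MOD = 2**255 - 19
ORDER = P_MOD - 1            # exponents are reduced modulo the group order
G = 2

def hs(value):
    """Hash a group element to an exponent (the role of H_s in the whitepaper)."""
    return int.from_bytes(hashlib.sha256(str(value).encode()).digest(), "big") % ORDER

def keygen():
    sk = secrets.randbelow(ORDER - 1) + 1
    return sk, pow(G, sk, P_MOD)

def make_address():
    """Receiver: long-term view key pair (a, A) and spend key pair (b, B)."""
    (a, A), (b, B) = keygen(), keygen()
    return {"view_sk": a, "spend_sk": b, "public": (A, B)}

def send_to(public_address):
    """Sender: derive a fresh destination key from random r and the address."""
    A, B = public_address
    r, R = keygen()                               # per-transfer ephemeral pair
    shared = pow(A, r, P_MOD)                     # Diffie-Hellman: g^(a*r)
    dest = pow(G, hs(shared), P_MOD) * B % P_MOD  # one-time public key
    return {"tx_pub": R, "dest": dest}            # both appear on the ledger

def is_mine(wallet, output):
    """Receiver: recompute the shared secret from R and test the destination."""
    shared = pow(output["tx_pub"], wallet["view_sk"], P_MOD)   # R^a = g^(a*r)
    _, B = wallet["public"]
    return output["dest"] == pow(G, hs(shared), P_MOD) * B % P_MOD

def one_time_private_key(wallet, output):
    """Receiver only: x = H_s(R^a) + b, so that g^x equals the destination key."""
    shared = pow(output["tx_pub"], wallet["view_sk"], P_MOD)
    return (hs(shared) + wallet["spend_sk"]) % ORDER

if __name__ == "__main__":
    alice, bob = make_address(), make_address()
    first, second = send_to(alice["public"]), send_to(alice["public"])
    print("same recipient, different destinations:", first["dest"] != second["dest"])
    print("alice detects both:", is_mine(alice, first), is_mine(alice, second))
    print("bob detects none:", is_mine(bob, first), is_mine(bob, second))
    x = one_time_private_key(alice, first)
    print("recovered key matches:", pow(G, x, P_MOD) == first["dest"])
```

An observer sees only `tx_pub` and `dest` for each transfer, and without the receiver's view key cannot tell that both outputs belong to the same address.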

Double spending protection

Anonymous transactions have a potential problem. Bitcoin and similar currencies use a public ledger to verify that each person sending funds actually has such funds in their account and has not sent them to another user previously. Since CryptoNote currencies are anonymous, the network must confirm the validity of transactions in another way.

CryptoNote solved this problem[19] by using a more sophisticated scheme instead of the usual ring signature: a traceable ring signature. The algorithm, originally proposed by Fujisaki and Suzuki in 2007,[20] makes it possible to trace the sender of two different messages if they contain the same tag and are signed by the same private key.

The CryptoNote authors slightly simplified the scheme, replacing the tag with a key image and discarding the traceability property. They called their algorithm a one-time ring signature, "stressing the user’s capability to produce only one valid signature under his private key".[6] Two different signatures under the same key (a double spend attempt) can be easily linked together, and only one will be stored in the blockchain.

The key idea is in using the image of the private key in signing/verification formulas. These are not actual images that would contribute greatly to blockchain bloat, but rather a number, which corresponds to each private key one-to-one (deterministically derived from it by the cryptographic hash function). The key image cannot be used to derive the private key and public address, but since every key image spent is stored in the blockchain, the network will block any duplicates. Likewise, any attempt to create a key image would not fit into the mathematical formula during a transaction verification and will be denied. The downside to this is that it would be impossible to identify anyone who attempts to perform a double spend with fraudulent intent or as a result of software or human error. The system, however, will block such attempts.
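The one-time ring signature and key-image check described in the sender-privacy and double-spending sections, as an added example (not code from CryptoNote or its forks). The signing and verification equations follow the CryptoNote v 2.0 whitepaper; the multiplicative group modulo 2**255 - 19, SHA-512 as the hash, and every function and class name are assumptions made so the sketch runs with the Python standard library, and the toy group offers no real security.

```python
import hashlib
import secrets

# Toy group (assumption): integers modulo the prime 2**255 - 19 under
# multiplication, standing in for the elliptic curve real implementations use.
P_MOD = 2**255 - 19
ORDER = P_MOD - 1            # exponents are reduced modulo the group order
G = 2

def digest_int(*parts):
    data = "|".join(str(p) for p in parts).encode()
    return int.from_bytes(hashlib.sha512(data).digest(), "big")

def hs(*parts):              # hash to an exponent
    return digest_int("s", *parts) % ORDER

def hp(pub):                 # hash a public key to a group element
    return digest_int("p", pub) % (P_MOD - 1) + 1

def keygen():
    x = secrets.randbelow(ORDER - 1) + 1
    return x, pow(G, x, P_MOD)

def key_image(x, pub):       # same key pair always gives the same image
    return pow(hp(pub), x, P_MOD)

def commitments(ring, image, c, r):
    """L_i = g^r_i * P_i^c_i and R_i = Hp(P_i)^r_i * I^c_i, for every member."""
    rows = list(zip(ring, c, r))
    L = [pow(G, ri, P_MOD) * pow(pk, ci, P_MOD) % P_MOD for pk, ci, ri in rows]
    R = [pow(hp(pk), ri, P_MOD) * pow(image, ci, P_MOD) % P_MOD for pk, ci, ri in rows]
    return L + R

def sign(msg, ring, s, x):
    """Sign as the owner of ring[s]; the output does not reveal s."""
    image = key_image(x, ring[s])
    q = [secrets.randbelow(ORDER) for _ in ring]
    w = [secrets.randbelow(ORDER) for _ in ring]
    w[s] = 0                                    # real signer: no simulated challenge
    challenge = hs(msg, *commitments(ring, image, w, q))
    w[s] = (challenge - sum(w)) % ORDER         # close the ring at position s
    q[s] = (q[s] - w[s] * x) % ORDER            # only possible knowing x
    return image, w, q                          # (I, c_1..c_n, r_1..r_n)

def verify(msg, ring, sig):
    image, c, r = sig
    return sum(c) % ORDER == hs(msg, *commitments(ring, image, c, r))

class Ledger:
    """Keeps every spent key image and rejects a second use (double spend)."""
    def __init__(self):
        self.spent = set()
    def accept(self, msg, ring, sig):
        if sig[0] in self.spent or not verify(msg, ring, sig):
            return False
        self.spent.add(sig[0])
        return True

if __name__ == "__main__":
    keys = [keygen() for _ in range(4)]
    ring, ledger = [pk for _, pk in keys], Ledger()
    for msg in ("pay P1", "pay P2"):            # the same key signs both messages
        print(msg, ledger.accept(msg, ring, sign(msg, ring, 2, keys[2][0])))
```

The ledger links the second spend to the first through the repeated key image alone; it never learns which ring member signed.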

Egalitarian proof of work

CryptoNote's proof-of-work mechanism is actually a voting system where users vote for the right order of transactions, new features in the protocol and honest money supply distribution. It is important that during the voting process every participant has equal voting rights.[19] Most CryptoNote coins use the CryptoNight[21] algorithm to run their blockchain and secure their networks, the only exception being Boolberry. CryptoNight is a proof-of-work algorithm that mixes graphics processing unit (GPU) and central processing unit (CPU) mining to create a system resistant to both application-specific integrated circuits (ASICs) and fast memory-on-chip devices. This is designed to create a more uniform distribution of coins through the currency's life. However, there are some questions about its susceptibility to botnets.[citation needed]

The algorithm includes:[22]

Adaptive network limits

There are no hard-coded constants in CryptoNote code. Each network limit such as maximum block size, or minimum fee amount is adjusted based on the historical data of the system. Moreover, the difficulty and the maximum block size are automatically adjusted with each new block.[23]


The CryptoNote philosophy is built on privacy as a fundamental human right, and on egalitarianism.[24] According to the whitepaper, the CryptoNight algorithm is intended to make the coin adhere to Satoshi Nakamoto's original vision of a “one-CPU-one-vote” system. Thus the tremendous advantage GPUs have over CPUs in most cryptocurrencies is considerably decreased in CryptoNight. Whether this is a good thing or not is debatable.[25]

Current CryptoNote currencies

Forks tree for CryptoNote coins. February, 2016

The CryptoNote platform has been used in several cryptocurrencies. The CryptoNote Foundation encourages developers to clone the technology. Transaction confirmation time, total number of coins and proof-of-work logic are subject to alteration in forks. Several attempts have been made to alter the core protocol: Boolberry adds address aliases and DigitalNote introduced private messaging.

Bytecoin (BCN)

Bytecoin (BCN), not to be confused with Bitcoin (BTC), was the first implementation of the CryptoNote protocol, launched in July 2012. Since launching, several improvements have been introduced, including multisignature transactions[26] and several security updates. In 2013, the original CryptoNote Java implementation was rewritten using C++.[27][dubious]

The Bytecoin blockchain contains some extra information not directly related to money transfers: several blocks include geographic coordinates of universities and educational facilities, among other buildings.[28] Blocks generated since August 11, 2012 contain quotes from Cyphernomicon, Neuromancer by William Gibson and other authors.[29]

On March 31, 2015 Bytecoin developers announced their roadmap for several upcoming releases.[30] The following improvements were mentioned, among others:

  • payment gateway capable of receiving and sending thousands of transactions simultaneously
  • desktop GUI cryptocurrency wallet software (released a few weeks later in April 2015[31])
  • several API layers for integration with other software
  • blockchain-based aliases system
  • blockchain-based assets
  • smart contracts with an embedded Turing-complete language

Monero (XMR)

Monero[32] is currently the most well known of all the cryptonotes and has ongoing support from the community.[33] Forked from Bytecoin in April 2014, it has a 2-minute block target and 50% slower emission speed. Monero has been praised by Bitcoin core developers Gregory Maxwell, Peter Todd, and Wladimir J. van der Laan.[34]

In September 2014, Monero was attacked when someone exploited a flaw in CryptoNote that permitted the creation of two subchains that refused to recognize the validity of transactions on each other; CryptoNote released a patch which Monero implemented.[35][36]

Along with simplewallet, Monero has numerous GUI wallet applications as well as MyMonero, which was launched on November 24, 2014. Monero has also teamed up with academic cryptographers,[37] implemented an extensive aliasing system, OpenAlias,[38] partially funded Privacy Solution for integrating I2P in Monero,[39] created an anonymous voting system, URS,[40] and implemented Electrum's mnemonic seeds.

Karbo(vanets) (KRB)

Karbo[41] is a CryptoNote currency created initially by Ukrainian developers and spread among a community all over the world. The currency had no premine or instamine, no hard fork and was hardforked from Bytecoin. Like Monero, it uses the CryptoNight algorithm for its CryptoNote blockchain, but unlike Monero it has a low set transaction fee of 0.0001 KRB per transaction.

Work on the Karbo blockchain and its properties is constantly carried on by the community to bring more secure features and value to the coin.

Boolberry (BBR)

Boolberry[42] makes use of the Wild Keccak hash function rather than CryptoNight. Boolberry improves upon ordinary CryptoNote technology in several ways. Boolberry offers improved anonymity through unlinkable outputs. Boolberry reduces the size of the block chain, the global ledger of all transactions, by pruning the ring signatures. This provides over a 55% reduction in block chain size. These features are found in no other CryptoNote-based cryptocurrency.

Daemon-wallet architecture

Unlike Bitcoin, all CryptoNote currencies split the functionality of the network node and the wallet into two separate executables: daemon and simplewallet. Wladimir J. van der Laan writes:

"To name an example of it done right, IMO: Monero's 'simplewallet'. It is a command-line utility wallet that communicates with the node software, and remembers where it was in the chain, and processes changes to the chain state since its last invocation when it 'refreshes'. What is nice is that one can run an arbitrary number of simplewallets against one node daemon, and unlike bitcoind's wallet it doesn't need to run as always-on daemon itself. It can be invoked when the user wants to do something with the wallet, or see if there are new transactions." Bitcoin Development (17 September 2015).

Blockchain bloat and ring signature size

The kind of ring signature used in CryptoNote grows linearly with the number of public keys used in mixing.[43] The exact formula is   bytes, where   is the number of said keys (including the key of the sender). Other ring signatures of smaller size have been proposed; for example, the size of Chandran signatures is proportional to the square root of  [44]. When   is quite large, the difference becomes more significant: under particular conditions, a Chandran signature is 4KB while the CryptoNote ring signature is 36KB.[45] But as of 2015, none of the proposed algorithms are actually implemented in any cryptocurrency.

The developer of Boolberry, a CryptoNote-based coin, proposed another solution for this problem by going back and actually pruning the old signatures from the blockchain; however, said solution has not been implemented yet.[citation needed]

Nevertheless, an analogy to Bitcoin's simple payment verification is still possible: a user can avoid running a full node and keeping the whole blockchain by querying the network for the Merkle branch of a transaction.


The author of the white paper went by the name Nicolas van Saberhagen, although, like Satoshi Nakamoto (the author of the Bitcoin white paper), that name is likely a pseudonym. Saberhagen's true identity and location remain unknown. Some have claimed that the real creator is someone in the Bitcoin community. Adam Back, Nick Szabo and even Satoshi Nakamoto[46] himself have been floated as possible suspects,[47] but there is little to no evidence actually supporting those claims.

The Stanford Bitcoin Group’s possible involvement in the creation of the CryptoNote protocol has also been discussed.[48] Prior to the CryptoNote cryptocurrency protocol, the domain hosted an encrypted message application also named CryptoNote.[49] This application was developed by members of the Stanford Bitcoin Group but did not receive wide recognition. This website currently hosts the CryptoNote technology.

Coin Mill conspiracy theory

Several CryptoNote-based coin launches look very similar in that their announcement threads on forum were created by "newbie" accounts and shared similar wording, stressing slogans such as 'CPU-only mining' and being 'ASIC resistant'. Moreover, the same file sharing service was used for releases. It is supposed that the only purpose of such launches was to earn easy money and that the creators did not intend to support and develop these forks.[50]

Faked versions of whitepaper

Community activists discovered altered versions of CryptoNote whitepapers with digital signatures not corresponding to the Nicolas van Saberhagen PGP key and with missing PGP watermarks.[51][unreliable source?] This incident has been attributed to forgery of the documents.[52][unreliable source] The possible goal of this action was to refute claims about the public availability of CryptoNote since 2012 in order to gain a competitive advantage.[51][dubious][53][not in citation given] The modified whitepaper included a link to a discussion thread started in May 2013 on forum and had been generated using TeX Live software released in 2013, with the XMP date property set to 2014.

Bytecoin and Cicada

The Bytecoin Tor site included a hidden message with a reference to Cicada 3301. Users also noticed that Cicada-style pictures were used by Bytecoin developers or by somebody impersonating them. The Bytecoin blockchain contains several riddles composed of multiple messages. One of these messages possibly refers to Cicada: "And it's the name of person you should give your key. To find it - follow little rabbit on land you've recently inhabit."[28]



  1. Godwin. "CryptoNote".
  2. "Infographics: Bytecoin and Bitcoin". Archived from the original on 2014-10-17.
  3. Lee Banfield. "Research Report: The Most Ethical and Genuine Altcoins". Weekly Global Research.
  4. Antonopoulos, Andreas (April 2014). "Chapter 9. Alternative Chains, Currencies, and Applications". Mastering Bitcoin. Unlocking Digital Crypto-Currencies. ISBN 978-1-4919-0261-5.
  5. "Bitcoin mining hardware comparison".
  6. Nicolas van Saberhagen. "CryptoNote v 2.0" (PDF).
  7. Nicolas van Saberhagen (2012-12-12). "CryptoNote v 1.0" (PDF).
  8. "Programming Languages Comparison: Cryptocurrency Perspective".
  9. "Bytecoin development preconditions".
  10. Chaum, David (1983). "Blind signatures for untraceable payments" (PDF). Advances in Cryptology Proceedings of Crypto. 82 (3): 199–203.
  11. Ronald L. Rivest; Adi Shamir; Yael Tauman (2001-11-20). "How to Leak a Secret".
  12. Patrick P. Tsang; Victor K. Wei. "Short Linkable Ring Signatures for E-voting, E-cash and Attestation" (PDF). Department of Information Engineering, The Chinese University of Hong Kong.
  13. Satoshi Nakamoto. "Bitcoin: A Peer-to-Peer Electronic Cash System *" (PDF).
  14. Fergal Reid; Martin Harrigan. "An Analysis of Anonymity in the Bitcoin System". Anonymity in Bitcoin.
  15. SDLerner. "Destination Address Anonymization in Bitcoin". Bitslog.
  16. Tk Hamed (2014-04-27). "Bytecoin & Monero: Next Step to 2nd Generation Anonymity". Coins Source. Retrieved 2014-10-14.
  17. DeMartino, Ian (2014-06-24). "CryptoNote Offers More Anonymity For The Future Of Cryptocurrencies". CoinTelegraph. Retrieved 2014-10-14.
  18. "Untraceable payments".
  19. Robert Tiger (2014-08-07). "CryptoNote Currencies – Anonymous 3rd Gen". CryptoCoinsNews. Retrieved 2015-01-16.
  20. Fujisaki, Eiichiro; Suzuki, Koutarou (2007). "Traceable Ring Signature". Public Key Cryptography: 181–200.
  21. Godwin. "CryptoNight".
  22. "bytecoin / src / crypto / slow-hash.c". GitHub.
  23. Stanton, Andy. "Introducing CryptoNote".
  24. "CryptoNote Phylosophy".
  25. Andrew "Andytoshi" Poelstra (2014-10-26). "ASICs and Decentralization FAQ" (PDF).
  26. "Bytecoin (BCN) is Now Armed With Multisig".
  27. "History of Cryptocurrency, Part I: From Bitcoin's Inception to the Crypto-Boom". The CoinTelegraph. 2015-04-11. Retrieved 2015-04-21.
  28. Tk Hamed (2014-09-08). "Mysteries and Puzzles Behind the CryptoNote Technology (1/3)". Coins Source. Retrieved 2014-10-14.
  29. Tk Hamed (2014-09-09). "Mining Groups in the Blockchain (Part 2 of 3)". Coins Source. Retrieved 2014-10-14.
  30. Bytecoin (2015-03-31). "Bytecoin website and roadmap release (including CryptoNote protocol updates)". Retrieved 2015-04-01.
  31. "Bytecoin Releases GUI and Client Update". Coins Source. 2015-04-10. Retrieved 2015-04-21.
  32. "Monero Cryptonote". Retrieved 8 August 2017.
  33. "Monero (XMR) CoinGecko Community Statistics". Retrieved 29 September 2015.
  34. "Wladimir J. van der Laan". Retrieved 29 September 2015.
  35. Werner, Albert (September 8, 2014). "Monero network exploit post-mortem". Cryptonote forum.
  36. Macheta, Jan; Noether, Surae; Noether, Sarang; Smooth, Javier (12 September 2014). "MRL-0002: Counterfeiting via Merkle Tree Exploits within Virtual Currencies Employing the CryptoNote Protocol" (PDF). Monero Research Labs.
  37. "Monero Research Labs".
  38. "openalias".
  39. "The-Privacy Solutions Project".
  40. "Unique Ring Signatures using secp256k1 keys".
  41. "Karbo".
  42. "BoolBerry".
  43. "Can Anoncoin Be The Currency Of The Deep Web?".
  44. Chandran, Nishanth (2007). "Ring signatures of sub-linear size without random oracles" (PDF). Automata, Languages and Programming: 423–434.
  45. "StealthCoin Unique Kind Take On Crypto-Currency Anonymity".
  46. "Bytecoin: Satoshi's New Project". 2014-11-24. Archived from the original on 2014-12-05. Retrieved 2015-03-24.
  47. "Bytecoin Source of origin". Retrieved 2014-10-14.
  48. Ackerman, Ronald. "Stanford Wide Gate Steep Steps".
  49. "CryptoNote - Send and receive single-view, encrypted messages". Archived from the original on 2013-10-20.
  50. "How to invest in altcoins without losing everything".
  51. "Negative PR Techniques At Work: An Attack on CryptoNote". 2014-09-28.
  52. "Statement from the CryptoNote team". 2014-08-21.
  53. "Cryptocurrency 2.0 Basics: Protocols and Platforms Inspired by Bitcoin". 2014-06-17.