Advanced

Monero Protocol Engineering Quiz (Contributor)

Built to gate real contributors. If you want to work on the Monero codebase, you should be able to answer every one of these.

Covers material from Monero Protocol Engineering: For Contributors.

Create a free account or log in to save your quiz scores and track your progress.

Ed25519 has cofactor 8, so a point may include a small-order (torsion) component. Why must a node validate the key image accordingly?

It speeds up scalar multiplication Torsion points would let one output produce several valid key images, enabling double-spends It is only a wallet-side performance optimization Cofactor 8 makes signatures smaller

Why must the key-image generator be Hp(P) (hash-to-point) rather than a fixed multiple of G?

G cannot be used twice in one transaction Hashing is faster than scalar multiplication It makes key images shorter A known multiple of G would make I = c·P, linking the key image to the output

Why does Monero draw decoys from a distribution that mimics real spending behaviour (roughly a gamma distribution over output age) instead of uniformly at random?

So the real (usually recent) output isn't a statistical outlier among its decoys Because old outputs are cheaper to reference To make transactions smaller To reduce the block weight

How does CLSAG prove BOTH output-key ownership and commitment opening with a single ring (vs MLSAG's two parallel keys)?

It folds both rings into one using domain-separated aggregation coefficients It uses two key images per input It signs the amount in cleartext It drops the commitment proof entirely

What is the core primitive that makes Bulletproofs+ smaller/faster than Bulletproofs?

Switching from Keccak to SHA-256 A trusted setup ceremony A pairing-based SNARK A weighted inner-product argument

What is the 'burning bug', and how do wallets mitigate it?

Fees being set higher than the output A range-proof overflow that destroys coins Mining too fast burns the block reward Two outputs sharing one one-time key share a key image, so only one is spendable; wallets detect duplicates

What does the Janus attack attempt, and against what does it defend?

It double-spends via two faces of one key image It tries to prove two subaddresses belong to the same wallet (breaking unlinkability) It forges a range proof It reorders blocks to reverse a payment

What do Full-Chain Membership Proofs (FCMP++) change versus today's ring signatures?

They make amounts public again They remove the need for a view key The anonymity set becomes the entire chain (via curve trees), not a fixed 16-member ring They replace RandomX with a new PoW