The Roadmap: Seraphis, Jamtis & FCMP++
Where the protocol is heading: full-chain membership proofs via curve trees that replace ring signatures, the Seraphis transaction protocol, and the Jamtis addressing scheme.
11 lessons with this tag.
M-of-N key aggregation and its rounds, plus two subtle failure modes every contributor must know — the Janus subaddress-linking attack and the burning bug — and their mitigations.
Generators, the Fiat-Shamir transcript, the weighted inner-product that shrinks the proof, batch verification, and the transaction-weight clawback.
The aggregation coefficients, the domain-separated challenge hashes, and how one ring proves both key ownership and commitment opening — with the round-robin written out.
Why decoys must mimic the real spend-age distribution (a gamma fit), how the selection algorithm works, and the deanonymization that a naive selector causes.
Ed25519 has cofactor 8, so points can carry a torsion component. Why key images must be checked for the prime-order subgroup, the hash-to-point map, and the bugs that ignoring this caused.
A byte-level tour: inputs with key images, outputs with one-time keys and view tags, ecdhInfo, the range proof, tx_extra, fees and the balance proof.
Hiding amounts with commitments C = aH + xG, the balance equation, and how Bulletproofs+ prove a value is in range without revealing it.
How Monero proves you own one ring member without revealing which — LSAG → MLSAG → CLSAG — and how the key image I = x·Hp(P) stops double spends.
One-time output keys via ECDH: R = rG, P = Hs(rA)G + B, how the receiver recovers the one-time private key, subaddresses, and view tags.
The twisted-Edwards group Monero is built on, scalars mod ℓ, points, and how spend/view keypairs and addresses are actually derived.