CryptoNote algorithm

CryptoNote is an application layer protocol that powers several decentralized privacy oriented digital currencies. It aims to be an evolution of the ideas behind Bitcoin.[1]



The main difference between the two technologies is that Bitcoin (and most digital currencies) is less opaque than CryptoNote-based currencies due to the latter’s blockchain being almost anonymous, contrary to non-Cryptonote blockchains. CryptoNote currencies use a distributed public ledger that records all balances and transactions of its in-built currency like Bitcoin. Unlike Bitcoin, CryptoNote’s transactions cannot be followed through the blockchain in a way that reveals who sent or received coins. The approximate amount of a transaction can be known, but the origin, destination, or actual amount cannot be learned. The only information available is that the actual amount was lower than the displayed amount. The only people with access to the whole set of data about a transaction are the sender or receiver of the transaction and the person who possesses one or both secret keys.

Another significant difference is CryptoNote’s hash-based proof-of-work algorithm. Bitcoin uses SHA-256, which is a CPU-bound function. That means that participants (miners) are only limited by their calculation speeds, and it is relatively cheap to create an application-specific integrated circuit (ASIC) device, which will surpass an ordinary computer in hashes per unit of money. CryptoNote uses memory bound function CryptoNight, which cannot be easily pipelined.[2]

CryptoNote codebase is not |forked from Bitcoin’s, so it also has other different inner algorithms, for things such as recalculating new difficulty level or new block size.


CryptoNote technology was first described in a whitepaper CryptoNote v 1.0. An updated version has been released under the name CryptoNote v 2.0 later. The Bytecoin cryptocurrency was the first one where the underlying cryptographic protocol has been implemented. CryptoNote was at first developed in Java for faster launch, and then re-written in C++ in 2013.[3]

CryptoNote is based on many early works and protocols and takes into consideration several issues raised formerly. Below is a list of the most important papers and events that influenced CryptoNote:

  • 1983 – Blind signatures described by David Chaum;
  • 1997 – HashCash (an instance of a proof-of-work system) invented by Adam Back;
  • 2001 – Ron Rivest, Adi Shamir, and Yael Tauman proposed ring signatures to the cryptographic community;
  • 2004 – Patrick P. Tsang and Victor K. proposed using the ring signature system for voting and electronic cash;[4]
  • 2008 – Bitcoin whitepaper published by Satoshi Nakamoto;
  • 2011 – An Analysis of Anonymity in the Bitcoin System, Fergal Reid and Martin Harrigan;[5]
  • 2012 – Destination Address Anonymity in Bitcoin (one-time addresses in CryptoNote).

Anonymous transactions and ring signatures

The changes in the results of blockchain analysis after implementing the ring signatures.

Like Bitcoin, CryptoNote currencies use a public address consisting of pseudorandom numbers and letters that is derived from user’s public keys. Addresses serve as public IDs of the users. However, unlike Bitcoin, CryptoNote transactions hide the connection between the sender’s and the receiver’s addresses.

Sender privacy

To prevent sender identification, CryptoNote groups the sender’s public key with several other keys (more precisely, it groups the sender’s output with several other’s outputs), making it impossible to tell who actually sent the transaction. This approach does not require dedicated master nodes for mixing coins and does not need other users to actively participate in transaction generation (see CoinJoin). It still assures the network that the original sender has the funds in his or her account to send the transaction like an ordinary signature scheme does. Instead of proving in zero knowledge manner the fact “I possess the private key which corresponds to this particular public key” the signer proves “I possess at least one of the private keys which correspond to this set of public keys”.

Receiver privacy

On the receiver’s end, the technology generates a new public key for each money transfer,[6] even for the same sender and receiver. With sender’s random data and receiver public address it is possible to create a pair of unique private and public keys via Diffie–Hellman key exchange. Sender generates one-time ephemeral key for each transfer and only the receiver can recover the corresponding private key (to redeem the funds). No third party can determine if two different transactions were sent to the same recipient.

Double spending protection

Creating your own cryptocurrency using CryptoNote

Anonymous transactions have a potential problem. Bitcoin and similar currencies use a public ledger to verify that each person sending funds actually has such funds in their account and have not sent it to another user previously. Since CryptoNote currencies are anonymous, the network must confirm the validity of transactions in another way.

CryptoNote solved this problem by using more sophisticated scheme instead of usual ring signature: traceable ring signature. The algorithm originally proposed by Fujisaki and Suzuki in 2007 allows to trace the sender of two different messages if they contain the same tag and signed by the same private key.

CryptoNote authors slightly simplified the scheme, replacing tag with key image and discarding the traceability property. They called their algorithm one-time ring signature, “stressing the user’s capability to produce only one valid signature under his private key”. Two different signatures under the same key (a double spend attempt) can be easily linked together, and only one will be stored in the blockchain.

The key idea is in using the image of the private key in signing/verification formulas. These are not actual images that would contribute greatly to blockchain bloat, but rather a number, which corresponds to each private key one-to-one (deterministically derived from it by the cryptographic hash function). The key image cannot be used to derive the private key and public address, but since every key image spent is stored in the blockchain, the network will block any duplicates. Likewise, any attempt to create a key image would not fit into the mathematical formula during a transaction verification and will be denied. The downside to this is that it would be impossible to identify anyone who attempts to perform a double spend with fraudulent intent or as a result of software or human error. The system, however, will block such attempts.

Egalitarian proof of work

The CryptoNote’s proof of work mechanism is actually a voting system where users vote for the right order of transactions, new features in the protocol and honest money supply distribution. It is important that during the voting process every participant have equal voting rights. Most CryptoNote coins use the CryptoNight algorithm to run their blockchain and secure their networks, the only exception being Boolberry. CryptoNight is a proof-of-work algorithm that mixes graphics processing unit (GPU) and central processing unit (CPU) mining to create a system resistant to both application-specific integrated circuits (ASICs) and fast memory-on-chip devices. This is designed to create a more uniform distribution of coins through the currency’s life. However, there are some questions about its susceptibility to botnets.

The algorithm includes:

  • Keccak sponge construction;
  • Scrypt-like 2 MB scratchpad with random look-ups (read-write);
  • 64-bit multiplications;
  • Advanced Encryption Standard (AES) encryptions
  • Hash functions BLAKE, Grøstl, JH,

Adaptive network limits

There are no hard-coded constants in CryptoNote code. Each network limit such as maximum block size, or minimum fee amount is adjusted based on the historical data of the system. Moreover, the difficulty and the maximum block size are automatically adjusted with each new block.[7]


CryptoNote philosophy is built on privacy as a fundamental human right, and egalitarianism. According to the whitepaper, the CryptoNight algorithm is intended to make the coin adhere to Satoshi Nakamoto’s original vision of “one-CPU-one-vote” system. Thus the tremendous advantage GPUs have over CPUs in most cryptocurrencies is considerably decreased in CryptoNight. Whether if this is a good thing or not is debatable.[8]

Current CryptoNote currencies

Forks tree for CryptoNote coins. February, 2016

The CryptoNote platform has been used in several cryptocurrencies. The CryptoNote Foundation encourages developers to clone the technology. Transaction confirmation time, total number of coins and proof-of-work logic are subject to be altered in forks. Several attempts has been performed to alter core protocol: Boolberry adds address aliases and DigitalNote introduced private messaging.

Bytecoin (BCN)

Bytecoin (BCN), not to be confused Bitcoin (BTC), was the first implementation of the CryptoNote protocol launched in July 2012. Since launching, several improvements have been introduced including multisignature transactions and several security updates. In 2013, the original CryptoNote Java implementation was rewritten using C++.

The Bytecoin blockchain contains some extra information not directly related to money transfers: several blocks include geographic coordinates of universities, educational facilities among other buildings.

On March 31, 2015 Bytecoin developers announced their roadmap for several upcoming releases.

The following improvements were mentioned among others:

  • payment gateway capable of receiving and sending thousands transactions simultaneously
  • desktop GUI cryptocurrency wallet software (released few weeks later in April 2015)
  • several API layers for integration with other software
  • blockchain-based aliases system
  • blockchain-based assets
  • smart contracts with embedded turing-complete language

Monero (XMR)

Monero is currently the most well known of all the cryptonotes and has ongoing support from the community. Forked from Bytecoin in April 2014, it has a 2-minute block target and 50% slower emission speed. Monero has been praised by Bitcoin core developers Gregory Maxwell, Peter Todd, and Wladimir J. van der Laan.

In September 2014, Monero was attacked when someone exploited a flaw in CryptoNote that permitted the creation of two subchains that refused to recognize the validity of transactions on each other; CryptoNote released a patch which Monero implemented.[9]

Along with simplewallet Monero has numerous GUI wallet applications as well as MyMonero that was launched on November 24, 2014. Monero has also teamed up with academic cryptographers, implemented an extensive aliasing system, OpenAlias, partially funded Privacy Solution for integrating I2P in Monero, created an anonymous voting system, URS, and implemented Electrum’s mnemonic seeds.

Karbo(vanets) (KRB)

Karbo is a Cryptonote currency created initially by Ukrainian developers and spread among community all over the world. The currency had no premine or instamine, no hard fork and was not hardforked from any CryptoNote coin. Same as Monero it uses CryptoNite algorithm for it’s CryptoNote blockchain but unlike it, has set low transaction fee of 0.0001 KRB per transaction.

The work on Karbo blockchain and its properties is being constantly carried on by a community to bring more secure features and values to the coin.

Boolberry (BBR)

Boolberry makes use of the Wild Keccak hash function, rather than using CryptoNight. Boolberry improves upon Ordinary CryptoNote technology in several ways. Boolberry offers improved anonymity through unlinkable outputs. Boolberry reduces the size of the block chain, the global ledger of all transactions, by pruning the ring-signatures. This provides over a 55% reduction in block chain size. These features are found in no other CryptoNote based cryptocurrency.

Daemon-wallet architecture

Unlike in Bitcoin, all CryptoNote currencies have functionality of network node and wallet split into two separate executables: daemon and simplewallet. Wladimir J. van der Laan writes:

“To name an example of it done right, IMO: Monero’s ‘simplewallet’. It is a command-line utility wallet that communicates with the node software, and remembers where it was in the chain, and processes changes to the chain state since its last invocation when it ‘refreshes’. What is nice is that one can run an arbitrary number of simplewallets against one node daemon, and unlike bitcoind’s wallet it doesn’t need to run as always-on daemon itself. It can be invoked when the user wants to do something with the wallet, or see if there are new transactions.” Bitcoin Development (17 September 2015).

Blockchain bloat and ring signature size

The kind of ring signature used in CryptoNote grows linearly with a number of public keys used in mixing. The exact formula is S = 64n + 32 bytes, where n is the number of said keys (including the key of the sender). There were proposed another ring signature with a lesser size, for example Chandran signatures size is proportional to square root of n. When n is quite large, the difference becomes more significant: under particular conditions, Chandran signature is 4KB while the CryptoNote ring signature is 36KB.[10] But as for 2015 none of the proposed algorithms are actually implemented in any cryptocurrency.

Developer of Boolberry, the CryptoNote-based coin, proposed another solution for this problem by going back and actually pruning the old signatures from the blockchain; however, said solution has not been implemented yet.

Nevertheless, an analogy to Bitcoin’s simple payment verification is still possible: a user can avoid running full node and keeping the whole blockchain by querying the network for the Merkle branch of a transaction.


The author of the white paper went by the name Nicolas van Saberhagen, although like Satoshi Nakamoto (the author of the Bitcoin white paper) that name is likely a pseudonym. Saberhagen’s true identity and location remains unknown. Some have claimed that the real creator is someone in the Bitcoin community. Adam Back, Nick Szabo and even Satoshi Nakamoto, but there is little to no evidence actually supporting those claims.

Stanford Bitcoin Group’s possible involvement in creation of the CryptoNote protocol has also been discussed. Prior to CryptoNote cryptocurrency protocol, the domain hosted an encrypted message application also named CryptoNote.[11] This application was developed by the members of the Stanford Bitcoin Group but had not received wide recognition. This website currently hosts the CryptoNote technology.

Coin Mill conspiracy theory

Several CryptoNote-based coin launches look very similar in that their announcement threads on forum were created by “newbie” accounts and shared similar wording, stressing slogans such as ‘CPU-only mining’ and being ‘ASIC resistant’. Moreover, the same file sharing service was used for releases. It is supposed that the only purpose of such launches was to earn easy money and creators were not intended to support and develop these forks.

Faked versions of whitepaper

Community activists discovered altered versions of CryptoNote whitepapers with digital signatures not corresponding to Nicolas van Saberhagen PGP key and missing PGP watermarks. This incident has been attributed to documents’ forgery. The possible goal of this action was to refute claims about public availability of CryptoNote since 2012 in order to gain competitive advantage. [12] Modified whitepaper included link to discussion thread started in May, 2013 on forum and have been generated using TeX Live software released in 2013 with XMP date property set to 2014.

Bytecoin and Cicada

Bytecoin Tor site included a hidden message with a reference to Cicada 3301. Users also noticed that Cicada-style pictures were used by Bytecoin developers or by somebody impersonating them. Bytecoin blockchain contains several riddles composed of multiple messages. One of these messages possibly refers to Cicada: “And it’s the name of person you should give your key. To find it – follow little rabbit on land you’ve recently inhabit.”

Cryptonote Universal Pool

The most powerful engine that allows to easily deploy mining pools for all CryptoNote currencies.

High performance Node.js pool with native C addons designed to be maintainable and secure.

It’s a relatively new tech that was forked out of zone117x’s work. It has an active ongoing development and a number of extended features[13]:

  • FCN/MCN mining support
  • Proper address validation
  • Significant usability improvements (customizable css, charts, landing page, etc.)
  • High usability admin panel
  • Fixed difficulty option
  • Readme file for CryptoNote Universal Pool deployment can be found github Node CryptoNote pool

External Links

See Also on BitcoinWiki


  1. Infographics: Bytecoin and Bitcoin
  2. CryptoNote v 2.0
  3. Programming Languages Comparison: Cryptocurrency Perspective
  4. Short Linkable Ring Signatures for E-voting, E-cash and Attestation Department of Information Engineering, The Chinese University of Hong Kong
  5. An Analysis of Anonymity in the Bitcoin System – Anonymity in Bitcoin
  6. } |“Untraceable payments” |”Untraceable payments” }}.
  7. Introducing CryptoNote
  8. ASICs and Decentralization FAQ
  9. MRL-0002: Counterfeiting via Merkle Tree Exploits within Virtual Currencies Employing the CryptoNote Protocol
  10. StealthCoin Unique Kind Take On Crypto-Currency Anonymity
  11. CryptoNote – Send and receive single-view, encrypted messages
  12. Cryptocurrency 2.0 Basics: Protocols and Platforms Inspired by Bitcoin
  13. Cryptonote Universal Pool