The Curve: Ed25519 & Monero's Keys


The twisted-Edwards group Monero is built on, scalars mod ℓ, points, and how spend/view keypairs and addresses are actually derived.

Most lessons explain Monero with analogies. This course throws them out. We're going to the actual mathematics and protocol, the stuff that's "too easy" elsewhere. If you've found Monero explanations shallow, start here: everything in Monero is built on one elliptic-curve group, and once you're fluent in it, stealth addresses, ring signatures and RingCT all fall out naturally.

The Group: Ed25519

Monero's cryptography lives on the twisted-Edwards curve Ed25519 (the same curve as EdDSA signatures), defined over the prime field 𝔽_q with q = 2²⁵⁵ − 19. We work in its prime-order subgroup of order:

ℓ = 2²⁵² + 27742317777372353535851937790883648493

Two kinds of objects matter, and keeping them straight is everything:

  • Scalars: integers taken modulo ℓ. Private keys are scalars.
  • Points: elements of the curve group. Public keys are points. There is a fixed base point G that generates the subgroup.

The only operations you need: adding two points, and scalar multiplication (a scalar times a point, i.e. repeated addition), written xG. Scalar multiplication is a one-way function: given x and G you can compute xG easily, but recovering x from xG is the elliptic-curve discrete log problem, believed infeasible. That asymmetry is public-key cryptography.

Two Hash Functions You'll See Everywhere

Monero (from CryptoNote) uses Keccak (the original SHA-3 submission) to build two helpers:

  • Hash-to-scalar, written Hs(x): hash some bytes and reduce modulo ℓ to get a scalar.
  • Hash-to-point, written Hp(P): deterministically map bytes/a point to a curve point nobody knows the discrete log of. Used for key images and the second commitment generator.

Your Keys Are Two Scalars

A Monero account is built from two private scalars and their public points:

  • Private spend key b (scalar) → public spend key B = bG.
  • Private view key a (scalar) → public view key A = aG. By default a = Hs(b), which is why your 25-word seed (which encodes b) is enough to derive everything.

This split is the source of Monero's "view-only" superpower: hand someone a (and B) and they can detect and decode your incoming funds but cannot spend them, because spending needs b.

How an Address Encodes the Keys

A standard address is not random text; it's a structured blob in CryptoNote Base58 (a base-58 variant that encodes in 8-byte blocks → 11 characters each). Concatenated and encoded:

[network byte] ‖ [public spend key B] ‖ [public view key A] ‖ [4-byte Keccak checksum]

The network byte is why mainnet addresses start with 4 (and integrated/subaddresses differ). The checksum catches typos. So an address is literally your two public points wrapped with a tag and a check β€” decode one and you can read B and A straight out.

The 25th Word

Your mnemonic encodes the 256-bit spend key b as 24 words (each word ≈ 11 bits over a 1626-word list); the 25th word is a checksum derived from the first 24. From b the wallet derives a = Hs(b), then B = bG and A = aG: your whole identity from one scalar.
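To make the group section and the key derivation above concrete, here is an added Python example (not Monero's own code) that builds Ed25519 from its curve equation: point addition, scalar multiplication by the base point G, the Hs reduction step (32 bytes taken mod ℓ, like Monero's sc_reduce32), and the 32-byte point encoding that ends up in an address. The sample scalar is constructed for the demo; Keccak-256, which Monero uses for the hash step of Hs, is not in the standard library, so only the mod-ℓ reduction is shown.

```python
# Added teaching example, not Monero project code. Affine arithmetic, not constant-time.
q = 2**255 - 19                                          # field prime
ell = 2**252 + 27742317777372353535851937790883648493   # prime subgroup order
d = (-121665 * pow(121666, -1, q)) % q                  # curve: -x^2 + y^2 = 1 + d x^2 y^2

def point_add(P, Q):
    """Twisted-Edwards addition (a = -1); (0, 1) is the identity element."""
    x1, y1 = P
    x2, y2 = Q
    t = d * x1 * x2 * y1 * y2 % q
    x3 = (x1 * y2 + x2 * y1) * pow(1 + t, -1, q) % q
    y3 = (y1 * y2 + x1 * x2) * pow(1 - t, -1, q) % q
    return (x3, y3)

def scalar_mult(k, P):
    """kP by double-and-add, MSB first; k is reduced mod ell like any Monero scalar."""
    R = (0, 1)
    for bit in bin(k % ell)[2:]:
        R = point_add(R, R)
        if bit == "1":
            R = point_add(R, P)
    return R

def sqrt_x(y):
    """Recover the even x for a given y from x^2 = (y^2 - 1)/(d y^2 + 1); uses q = 5 mod 8."""
    u, v = (y * y - 1) % q, (d * y * y + 1) % q
    x2 = u * pow(v, -1, q) % q
    x = pow(x2, (q + 3) // 8, q)
    if x * x % q != x2:
        x = x * pow(2, (q - 1) // 4, q) % q            # multiply by sqrt(-1)
    assert x * x % q == x2, "y is not the coordinate of a curve point"
    return q - x if x & 1 else x

def encode_point(P):
    """Ed25519 compressed form: 255 bits of y, little-endian, parity of x in the top bit."""
    x, y = P
    return (y | ((x & 1) << 255)).to_bytes(32, "little")

Gy = 4 * pow(5, -1, q) % q                               # base point has y = 4/5
G = (sqrt_x(Gy), Gy)

def reduce_scalar(raw32):
    """The reduction half of Hs: 32 little-endian bytes taken mod ell (as sc_reduce32 does)."""
    return int.from_bytes(raw32, "little") % ell

def public_key(priv_scalar):
    """B = bG (or A = aG), serialized as the 32-byte point an address carries."""
    return encode_point(scalar_mult(priv_scalar, G))

# Constructed sample scalar for the demo, not real key material.
SAMPLE_B = reduce_scalar(bytes(range(1, 33)))
```

Running `public_key(SAMPLE_B)` gives the 32 bytes that would sit in the public-spend-key slot of an address for that scalar; `public_key(1)` reproduces the well-known encoding of G itself.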

That's the foundation: a prime-order group, scalars vs points, two hashes, and a four-key account. Every privacy feature is now just clever arithmetic on top. Next we use it to make addresses that never appear on-chain β€” Stealth Addresses: The Math.
