Same Tools, Different Trade-offs
Bitcoin, Ethereum, Zcash and Monero side by side: the shared foundation, the Zcash-vs-Monero assumption trade-off, why mandatory privacy matters, and the FCMP++ roadmap.
19 lessons with this tag.
Pedersen commitments C = xG + aH, the homomorphic balance check, the overflow loophole, and how Bulletproofs+ prove amounts in range with no trusted setup.
Stealth addresses via ECDH (P = Hs(rA)G + B), ring signatures that hide which key signed, and key images I = x·Hp(P) that stop double-spends without naming the output.
What a transparent transaction reveals, why pseudonymity isn't privacy, the three things a private chain must hide, and the two schools that solve it.
How all blockchain signatures descend from Schnorr, why ECDSA names the spender, and how Monero generalizes one signature into a privacy-preserving ring.
Why Bitcoin and Ethereum use secp256k1, Monero uses Ed25519, and Zcash adds pairing curves — and how the curve choice follows from each chain's goals.
SHA-256 vs Keccak across Bitcoin, Ethereum and Monero, the hash-to-scalar and hash-to-point maps Monero adds, and how hashing becomes commitment.
The four ideas every cryptocurrency is built from — finite fields, groups and the discrete-log problem, one-way hashes, and signatures — and why Monero invents almost no new math.
Where the protocol is heading: full-chain membership proofs via curve trees that replace ring signatures, the Seraphis transaction protocol, and the Jamtis addressing scheme.
M-of-N key aggregation and its rounds, plus two subtle failure modes every contributor must know — the Janus subaddress-linking attack and the burning bug — and their mitigations.
Generators, the Fiat-Shamir transcript, the weighted inner-product that shrinks the proof, batch verification, and the transaction-weight clawback.
The aggregation coefficients, the domain-separated challenge hashes, and how one ring proves both key ownership and commitment opening — with the round-robin written out.
Why decoys must mimic the real spend-age distribution (a gamma fit), how the selection algorithm works, and the deanonymization that a naive selector causes.
Ed25519 has cofactor 8, so points can carry a torsion component. Why key images must be checked for the prime-order subgroup, the hash-to-point map, and the bugs that ignoring this caused.
A byte-level tour: inputs with key images, outputs with one-time keys and view tags, ecdhInfo, the range proof, tx_extra, fees and the balance proof.
Hiding amounts with commitments C = aH + xG, the balance equation, and how Bulletproofs+ prove a value is in range without revealing it.
How Monero proves you own one ring member without revealing which — LSAG → MLSAG → CLSAG — and how the key image I = x·Hp(P) stops double spends.
One-time output keys via ECDH: R = rG, P = Hs(rA)G + B, how the receiver recovers the one-time private key, subaddresses, and view tags.
The twisted-Edwards group Monero is built on, scalars mod ℓ, points, and how spend/view keypairs and addresses are actually derived.