Monero's Math II: Hiding Amounts

Pedersen commitments C = xG + aH, the homomorphic balance check, the overflow loophole, and how Bulletproofs+ prove amounts in range with no trusted setup.

Hiding the sender and receiver still leaves the amount in the open, and amounts alone leak a startling amount: payroll-sized round numbers, exact invoice matches, balance fingerprints. The third secret — how much — is the hardest, because a node must still verify that a transaction creates no money from nothing, all while the amounts are invisible. The tool that squares this circle is the Pedersen commitment, and it's the most beautiful re-use of the shared toolkit in all of Monero.

The Core Trick: A Commitment You Can Add

Back in the hashing lesson we met commitments: lock in a value now, reveal later, can't change it. A hash commitment hides a value but you can't compute with it. Monero needs a commitment that is additively homomorphic — one where adding the commitments adds the hidden values. The Pedersen commitment delivers exactly that. Take two curve generators G and H, where H = Hp(G) is chosen so nobody knows its discrete log relative to G. Commit to an amount a with a random blinding factor x as:

C = x·G + a·H

The blinding x·G term makes C reveal nothing about a (it's perfectly hiding), and because nobody knows the discrete log between G and H, you can't open C to a different amount (it's computationally binding). Crucially, C₁ + C₂ commits to a₁ + a₂ under blinding x₁ + x₂. Addition of secrets, done in public, on hidden values.

Proving Balance Without Revealing Amounts

This homomorphism is what lets a node verify a transaction balances. Every input and output amount is a Pedersen commitment. For the transaction to be valid (ignoring the visible fee), the committed inputs must equal the committed outputs:

Σ C_inputs  −  Σ C_outputs  =  0

If the blinding factors are arranged so they cancel, this difference collapses to (Σa_in − Σa_out)·H, which is the identity point only when the amounts balance. A node checks one elliptic-curve equation and learns "inputs equal outputs" while never learning a single amount. Compare this to Bitcoin, where the node checks the same balance by simply reading the plaintext numbers. Same verification goal; Monero just does it through a homomorphic veil.

The Loophole: Negative and Overflow Amounts

There's a catch. Curve arithmetic is modular, so a cunning spender could commit to a "negative" amount — really a huge number that wraps around — and make the balance equation hold while secretly minting coins. The commitment hides the amount, so the node can't just eyeball that it's sane. We need a way to prove each hidden amount is a genuine, in-range value without revealing it. That's a job for a zero-knowledge range proof.
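A worked example, added here and not code from Monero or this course, that implements C = x·G + a·H over Ed25519 in pure Python, runs the node-side balance check from the previous section, and shows the wrap-around loophole just described. Assumptions: H is derived with a simplified try-and-increment hash-to-point rather than Monero's actual Hp construction, the amounts and blinding factors are constructed sample values, and in_range opens the amount to check it instead of proving it in zero knowledge, which is the job the next section assigns to Bulletproofs+.

```python
import hashlib

P = 2**255 - 19                                      # Ed25519 field prime
L = 2**252 + 27742317777372353535851937790883648493  # order of the prime-order subgroup
D = (-121665 * pow(121666, -1, P)) % P               # curve constant d
SQRT_M1 = pow(2, (P - 1) // 4, P)                    # a square root of -1 mod P
ZERO = (0, 1)                                        # identity point

def add(a, b):  # affine twisted-Edwards addition (a = -1); complete on Ed25519
    (x1, y1), (x2, y2) = a, b
    t = D * x1 * x2 * y1 * y2 % P
    return ((x1 * y2 + x2 * y1) * pow(1 + t, -1, P) % P,
            (y1 * y2 + x1 * x2) * pow(1 - t, -1, P) % P)
def mul(k, pt):  # double-and-add; k is reduced mod L, so a "negative" k wraps around
    r, q = ZERO, pt
    for bit in bin(k % L)[2:][::-1]:
        if bit == "1": r = add(r, q)
        q = add(q, q)
    return r
def x_from_y(y):  # solve x^2 = (y^2 - 1) / (d*y^2 + 1); None if no such x exists
    u, v = (y * y - 1) % P, (D * y * y + 1) % P
    x = pow(u * pow(v, -1, P), (P + 3) // 8, P)
    if (x * x * v - u) % P: x = x * SQRT_M1 % P
    return x if (x * x * v - u) % P == 0 else None
def hash_to_point(data):  # simplified try-and-increment stand-in for Monero's Hp (assumption)
    for i in range(256):
        y = int.from_bytes(hashlib.sha256(data + bytes([i])).digest(), "little") % P
        x = x_from_y(y)
        if x is not None: return mul(8, (x, y))  # clear the cofactor
    raise ValueError("no point found")
G = (x_from_y(4 * pow(5, -1, P) % P), 4 * pow(5, -1, P) % P)  # base point; sign is irrelevant here
H = hash_to_point(b"pedersen-H-demo")  # derived by hashing, so nobody knows log_G(H)
def commit(x, a):  # Pedersen commitment C = x*G + a*H
    return add(mul(x, G), mul(a, H))
def neg(pt):
    return ((-pt[0]) % P, pt[1])
def balances(inputs, outputs, fee=0):  # node-side check: sum(in) - sum(out) - fee*H == identity
    acc = ZERO
    for c in inputs: acc = add(acc, c)
    for c in outputs + [mul(fee, H)]: acc = add(acc, neg(c))
    return acc == ZERO
def in_range(a):  # the statement a range proof establishes; here by opening the amount
    return 0 <= a % L < 2**64

def example():  # constructed sample: a 10-unit input paid out as 7 + 3
    x_in, x1 = 1234567, 7654321
    x2 = (x_in - x1) % L  # last output's blinding factor chosen so the blindings cancel
    honest = balances([commit(x_in, 10)], [commit(x1, 7), commit(x2, 3)])
    # add an output of 5 "paid for" by one of -5 (which wraps to L-5): the balance check
    # still passes although 5 new units were minted; only the range check exposes it
    loophole = balances([commit(x_in, 10)], [commit(x1, 7), commit(x2, 3), commit(0, 5), commit(0, -5)])
    return honest, loophole, in_range(10), in_range(-5)
```

Running example() shows the balance equation accepting both transactions while in_range rejects the wrapped amount, which is why every output needs a range proof in addition to the commitment.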

Bulletproofs+: Range Proofs Without Trusted Setup

Monero uses Bulletproofs+, a zero-knowledge proof that each committed amount lies in [0, 2⁶⁴) — a real 64-bit value, no overflow tricks. Its key properties:

  • No trusted setup. Unlike Zcash's original zk-SNARKs, Bulletproofs need no secret ceremony that could be subverted to forge coins. The generators come from public hash-to-point maps.
  • Logarithmic size. A proof for a 64-bit range is only a few hundred bytes, proof size grows only logarithmically with the number of bits proved, and the proofs for several outputs aggregate into one; this is the upgrade from the original Bulletproofs that slashed Monero's transaction sizes and fees.
  • Batch verification. Nodes verify many proofs together in one multi-scalar multiplication, weighting each by fresh randomness so invalid proofs can't cancel out.

With commitments proving balance and Bulletproofs+ proving range, the amount is fully hidden yet fully verified.

How This Differs From Zcash's Approach

Both Monero and Zcash hide amounts, but they make opposite bets. Zcash wraps the entire validity statement in one zk-SNARK: extremely compact and expressive, but historically dependent on a trusted setup and on pairing-based assumptions. Monero composes a Pedersen commitment with a Bulletproof+ range proof: somewhat larger transactions, but conservative assumptions (plain discrete log), no trusted setup, and privacy applied to every transaction by default. Neither is strictly "better" — they're different points on a trade-off curve between proof size, assumption strength, and trust. Monero's choice favors not having to trust anyone's setup.

The Whole Picture

Stack the three lessons and Monero's transaction is complete: stealth addresses hide the receiver, ring signatures with key images hide the sender and block double-spends, and Pedersen commitments with Bulletproofs+ hide the amount while proving it's honest. Not one of these required new foundational math — they're all finite fields, the discrete-log problem, hashes, and commitments, recombined with privacy as the goal. The final lesson zooms out to put Monero, Bitcoin, Ethereum and Zcash side by side and weigh the trade-offs each chose.
