Advanced

Monero Protocol Engineering Quiz (Contributor)

Built to gate real contributors. If you want to work on the Monero codebase, you should be able to answer every one of these.

Covers material from Monero Protocol Engineering: For Contributors.

Create a free account or log in to save your quiz scores and track your progress.

Q1

Ed25519 has cofactor 8, so a point may include a small-order (torsion) component. Why must a node validate the key image accordingly?

Q2

Why must the key-image generator be Hp(P) (hash-to-point) rather than a fixed multiple of G?

Q3

Why does Monero draw decoys from a distribution that mimics real spending behaviour (roughly a gamma distribution over output age) instead of uniformly at random?

Q4

How does CLSAG prove BOTH output-key ownership and commitment opening with a single ring (vs MLSAG's two parallel keys)?

Q5

What is the core primitive that makes Bulletproofs+ smaller/faster than Bulletproofs?

Q6

What is the 'burning bug', and how do wallets mitigate it?

Q7

What does the Janus attack attempt, and against what does it defend?

Q8

What do Full-Chain Membership Proofs (FCMP++) change versus today's ring signatures?

Q9

Alongside the key image I = x*Hp(P_pi), a CLSAG signature also publishes an auxiliary point D = z*Hp(P_pi), where z is the blinding-factor difference between the output commitment and the pseudo-out. What is D's role?

Q10

When a node batch-verifies many Bulletproofs+ it sums their verification equations into one multi-scalar multiplication, weighting each proof by a fresh random scalar. Why must those weights be freshly random per proof rather than fixed constants?

🎓 Graduate from Monero Academy

Create a free account, ace every quiz across all courses, and earn your place on the Graduates wall — with your own Monero address for donations. An account also tracks your progress through the courses, and graduating is the prize for finishing.