How Monero Works

The problem: transparent money

On a transparent blockchain like Bitcoin, every payment is public forever. Anyone can read three things off the chain:

That means your balance, your counterparties, and your history are open to employers, exchanges, chain-analysis firms, and anyone who cares to look. Monero hides all three:

And because the history is hidden, every coin stays interchangeable, so that 1 XMR = 1 XMR. That property, fungibility, is the whole point, and we come back to it at the end.

1. Stealth addresses: hiding the recipient

You publish one address, but it never appears on the blockchain. Instead, every payment to you lands on a fresh, single-use one-time address that an outside observer cannot link to your published address or to your other payments.

Here is the real math. Your address holds two public keys: a spend key B = b·G and a view key A = a·G (lowercase letters are your private keys; G is the curve's base point). When someone pays you:

• The sender picks a random secret r and publishes R = r·G with the transaction.
• Both sides derive a shared secret: the sender computes 8·r·A, and you compute 8·a·R. These are equal, because a·R = a·r·G = r·A.
• The on-chain one-time address is P = Hs(shared secret)·G + B. Only you can compute the matching private key, so only you can spend it.

Try it. This generates a throwaway demo wallet and "receives" payments to it, computing every value for real:

The demo wallet's keys are random and for illustration only. Never use a browser-generated key for real funds.

Watch-only: the view key

Your wallet has two private keys that do different jobs. The view key a lets you detect incoming payments; the spend key b lets you spend them. Share only a and someone gets a read-only window into your wallet, useful for an accountant or auditor and useless for theft. This scans a batch of outputs with the view key alone:

Subaddresses: one wallet, many faces

You can hand out a fresh address to every payer without making new wallets. A subaddress is derived from your main keys, looks completely unrelated on-chain (they start with 8), yet your single view key still finds payments to all of them. Derive one:

2. Ring signatures: hiding the sender

When you spend an output, Monero mixes your real input with decoys pulled from the chain, and signs in a way that proves "one of these outputs is being spent" without revealing which. A verifier sees a ring of plausible sources (currently 16) and cannot pick out the real one.

Below is a ring of outputs. One of them is really being spent. Click any to try to identify it:

If the network cannot tell who is spending, how does it stop someone spending the same output twice? Each output, when spent, reveals a unique key image derived from its private key. The key image is deterministic, so a second spend of the same output produces the same key image and is rejected, yet it cannot be linked back to the output it came from. Privacy and double-spend protection at the same time.

How decoys are chosen

Decoys are not picked uniformly. Real spends tend to be recent, so Monero samples decoys from a gamma distribution over output age that mimics real spending: mostly young outputs, with a long tail of older ones. That way your real input blends in. Sample the distribution:

What's next: Monero is moving to Full-Chain Membership Proofs (FCMP++), which drop decoys entirely and hide each spend among the entire set of outputs ever created. Same idea as a ring, but the anonymity set becomes the whole chain instead of 16.

3. RingCT: hiding the amount

Amounts are not written in the clear. Each is replaced by a Pedersen commitment C = a·G + v·H, where v is the amount, a is a random blinding factor, and G and H are two independent generators. The blinding makes C reveal nothing about v, yet commitments still add, so the network can verify that inputs and outputs balance without seeing a single amount.

This runs the real commitments live, using Monero's actual H generator. Set the amounts and build them:

The hex commitments hide the amounts completely. Change an output so the totals no longer match and the balance check fails, exactly as the network would reject it. A Bulletproof range proof (not shown here) additionally proves each hidden amount is non-negative, blocking the "send -100" trick.

So the chain stays fully auditable for soundness, the supply is provable, while individual amounts stay private.

Range proofs (Bulletproofs)

Hiding amounts creates a new risk: a cheater could commit to a negative or absurdly large amount and break the supply. A range proof rules that out by proving each hidden amount is a normal non-negative number without revealing it. The idea: write the amount in binary, commit to each bit, and prove every committed bit is really 0 or 1. The bit commitments add up to the amount commitment:

Committing to every bit separately would be large. Bulletproofs prove the same statement in a proof that grows only logarithmically with the range, which is why Monero transactions stay small.

Putting it together: a whole transaction

Each mechanism above does one job. A real Monero transaction uses all of them at once. This assembles one for real: it spends an input (hiding the sender with a ring and a key image), pays a recipient (hiding them with a stealth address), and hides the amounts (with commitments that still balance). Only the fee is public.

4. Fungibility: why all of this matters

Put the three pieces together and a Monero output has no visible history: no traceable origin, no linked recipient, no amount trail. That means every XMR is identical to every other XMR.

On a transparent chain, coins carry their past. A coin that once touched a sanctioned address or a hack can be flagged, frozen, or refused by an exchange, even after passing through innocent hands. That is a loss of fungibility: not all units are worth the same in practice.

Monero restores the property cash always had. One unit is as good as any other, because nobody can tell them apart. For a currency, that is not a feature on the side. It is the difference between money you control and money that can be turned against you.

What Monero does not hide

Strong privacy is not the same as invisibility, and being honest about the edges matters:

• The fee is public. You saw it in the transaction above; fees let miners prioritize and verify.
• That a transaction happened, and roughly when. The chain shows a transaction occurred at a given time, just not who, whom, or how much.
• The number of inputs and outputs. The shape of a transaction is visible and can leak weak hints in some cases.
• Your IP address, unless you take care. Whoever you broadcast to could log your IP. Monero blunts this at the network layer with Dandelion++, which relays a new transaction along a random stem before broadcasting it widely, so the true origin is obscured. For stronger protection, use Tor (this site runs an onion service).
• On and off ramps. A KYC exchange knows the coins are yours when you buy or sell. On-chain privacy does not undo identity collected off-chain.
• Heuristic edge cases. Researchers study attacks like known-spent-output and timing analysis. Monero's defenses (larger rings, better decoy selection, and soon FCMP++) keep raising the bar, but no system is magic.

None of this undermines the core: by default, the sender, recipient, and value of a payment stay private. Knowing the limits is how you use it well.

Go deeper

• Moneropedia: the official concept glossary.
• Zero to Monero: the rigorous, math-complete reference (PDF).
• Mastering Monero: a free, approachable book.
• Monero Stack Exchange: questions and deep dives.
• Try the real thing here: address validator, mnemonic tool, integrated address generator.