The Monero Building Blocks series is the result of a personal interest in the mathematical underpinnings of Monero. My interest is primarily derived from Monero’s ability to conceal information about senders, receivers and transacted amounts, all the while maintaining proper operation of the network. It is my hope that this typescript helps the reader understand the technology better. We divide the work into a series of 10 parts:

- Part 1 – Prerequisites needed to construct and analyze **digital signature schemes**.
- Part 2 – Description of a generic signature scheme introduced by Pointcheval & Stern [5] and analysis of its security: **correctness, unforgeability**.
- Part 3 – Introduction to **ring signature** schemes and their security analysis.
- Part 4 – Description of a generic ring signature scheme by Herranz & Sáez [1] and analysis of its security: correctness, unforgeability, **anonymity**.
- Part 5 – Introduction to Cryptonote’s original **linkable ring signature scheme** [6] and analysis of its security: correctness, unforgeability, **exculpability**, anonymity, **linkability**.
- Part 6 – Description of a variant of the **Linkable Spontaneous Anonymous Group (LSAG)** scheme by Liu, Wei, and Wong [2] and analysis of its security: correctness, unforgeability, exculpability, anonymity, linkability.
- Part 7 – Description of the **Multilayered Linkable Spontaneous Anonymous Group (MLSAG)** signature scheme used in Monero as introduced by Shen Noether [4], and analysis of its security: correctness, unforgeability, exculpability, anonymity, linkability.
- Part 8 – Introduction to **Confidential Transactions (CT)** and **Pedersen Commitments** as described by Gregory Maxwell [3].
- Part 9 – Combining MLSAG and CT into a single **RingCT** signature scheme [4] (with 2 variants: RingCT Type Full and RingCT Type Simple) to mask the origins and the amount of funds transacted.
- Part 10 – Introduction to Monero’s and Cryptonote’s **Stealth Address** system [6] to ensure that any 2 transactions cannot be proven to be destined for the same person. This protects the recipient of funds.

I assume that the reader is familiar with basic probability theory, modular arithmetic, as well as group theoretic concepts including the notions of cyclic groups and elliptic curve groups over finite fields. A concise introduction to group and field theory can be found in this post, and an introduction to elliptic curve groups in this one.

## References

[1] J. Herranz and G. Saez. Forking lemmas in the ring signatures’ scenario. Proceedings of INDOCRYPT’03, Lecture Notes in Computer Science (2904):266-279, 2003.

[2] J. K. Liu, V. K. Wei, and D. S. Wong. Linkable spontaneous anonymous group signature for ad hoc groups. ACISP, Lecture Notes in Computer Science (3108):325-335, 2004.

[3] Greg Maxwell. Confidential transactions, 2015.

[4] S. Noether and A. Mackenzie. Ring confidential transactions. Monero Research Lab, 2016.

[5] D. Pointcheval and J. Stern. Security arguments for digital signatures and blind signatures. Journal of Cryptology, 2000.

[6] N. Van Saberhagen. Cryptonote 2.0, 2013.