“CryptoNote v 2.0” is a whitepaper by the pseudonymous author Nicolas van Saberhagen, published October 17, 2013. It describes a new cryptocurrency design philosophy centered on privacy by default — constructing a system where sender identity, receiver identity, and transaction amounts are hidden from all parties except the direct participants.

The paper introduced two cryptographic primitives that became foundational:

1. Ring signatures — to hide the true sender among a ring of decoys
2. One-time stealth addresses — to ensure each transaction goes to a fresh, unlinkable address

These primitives became the basis for Bytecoin (the first CryptoNote implementation, 2012) and Monero (the most successful CryptoNote-based coin, launched 2014).

> PDF hosting: The CryptoNote v2.0 paper is maintained at bytecoin.org/old/whitepaper.pdf and mirrored at many academic and community sites.

---

Publication and Context

The true identity of Nicolas van Saberhagen has never been established. The name is widely believed to be a pseudonym, similar to Bitcoin’s Satoshi Nakamoto. The paper was published to the Bitcoin Talk forum in 2013 and cited Bitcoin’s privacy limitations as its motivation.

Bitcoin’s pseudonymity is a known limitation: all transactions are permanently visible on-chain. Once a Bitcoin address is linked to a real-world identity (e.g., via exchange KYC), the entire transaction history of that address becomes traceable. The CryptoNote paper argued this was not sufficient for true financial privacy.

---

Ring Signatures: Hiding the Sender

A ring signature allows a user to produce a digital signature on behalf of a “ring” (group) of public keys — where verifiers can confirm that one of the ring members signed the transaction, but cannot determine which one.

In CryptoNote’s implementation:

1. When Alice sends funds, her transaction references her own key plus N decoy outputs (randomly selected past transaction outputs from the blockchain)
2. The ring signature proves that someone among the N+1 ring members authorized this spend — but not who
3. On-chain, the transaction appears as: “one of these N+1 addresses spent some funds” — with no way to determine which one

Key image: Each ring signature includes a unique key image derived mathematically from the signer’s private key. Key images prevent double-spending: if Alice signs two different transactions spending the same output, both will share the same key image, and the second will be rejected.

Ring size determines privacy level:

• Ring size 1 = no privacy (transparent transaction)
• Ring size 11 (Monero default as of 2022) = sender hidden among 11 possible sources

---

One-Time Stealth Addresses: Hiding the Receiver

In Bitcoin, if you publish your address, anyone can see all funds ever received by that address. CryptoNote’s one-time stealth addresses solve this:

1. Bob publishes a public key pair: (view key, spend key)
2. When Alice sends to Bob:
   Alice generates a random scalar r
   Computes a one-time address P = H(r·B_view)·G + B_spend
   Includes r·G in the transaction (the “transaction public key”)
3. Bob scans the blockchain using his view key: computes P for each transaction and checks if it matches his wallet
4. Each payment to Bob generates a different address P — completely unlinkable to his public profile or previous payments

Result: Bob can receive thousands of payments and an outside observer cannot link any of them to each other or to Bob’s public key.

---

Sections of the Whitepaper

Section	Content
1. Introduction	Motivation; Bitcoin’s privacy limitations
2. Bitcoin drawbacks	Address reuse, transaction graph analysis, taint tracking
3. Transactions	One-time stealth address construction
4. Ring signatures	The signing scheme; preventing double-spending via key images
5. Standard CryptoNote	Difficulty adjustment (Egalitarian PoW, ASIC-resistant mining)
6. Untraceable payments	End-to-end analysis of privacy guarantees

---

What CryptoNote Does NOT Cover

The original CryptoNote paper does not hide transaction amounts — a significant privacy gap. Monero later added Ring Confidential Transactions (RingCT) in January 2017 to hide amounts using Pedersen commitments (see the Monero RingCT whitepaper). Only after RingCT did Monero achieve full-stack privacy (sender, receiver, AND amount private).

---

Reality Check

Ring signatures provide computational privacy but not unconditional privacy. Research has identified weaknesses:

• Early Monero ring sizes of 3–5 were vulnerable to statistical tracing — the true input could sometimes be inferred from output patterns
• “Temporal decoy analysis”: if one ring member was spent recently, it’s statistically more likely to be the actual spend
• IETF and academic researchers (Möser et al., 2018) estimated that 40–50% of Monero transactions in 2017 could be traced using these techniques

These concerns motivated Monero’s increase of default ring sizes and refinements to decoy selection.

---

Legacy

The CryptoNote paper established the academic framework for practical on-chain privacy. It spawned an entire class of cryptocurrencies (Monero, Bytecoin, Aeon, Electroneum) and influenced privacy research broadly. Monero’s subsequent evolutions (RingCT, Bulletproofs, Dandelion++) extended the CryptoNote foundation while addressing its limitations.

---

Related Terms

• Monero
• Ring Signature
• Stealth Address
• Zero-Knowledge Proof
• Zcash Whitepaper

---

Research

• van Saberhagen, N. (2013). CryptoNote v 2.0. bytecoin.org.

— Primary source. Sections 3–4 define the cryptographic primitives; Section 5 the proof-of-work design.

• Möser, M., et al. (2018). An Empirical Analysis of Traceability in the Monero Blockchain. PETS 2018.

— Comprehensive measurement study; evaluates ring signature effectiveness at various ring sizes.

• Noether, S., et al. (2016). Ring Confidential Transactions. Ledger (journal).

— Introduces RingCT (Monero’s amount-hiding upgrade); extends CryptoNote’s privacy model.