How Monero Subaddresses Prevent Identity Linking

By Diego Salazar

Monero has always found innovative ways to solve difficult privacy problems. Often times these innovations lead to other innovations, and sometimes these resulting technologies can even be used for usecases not previously considered. Nowhere is this exemplified more than in the case of Monero's subaddress technology.

Consider a hypothetical privacy problem, wherein usage of one address across multiple platforms from seemingly unrelated peoples can lead to the linkage and deanonymization of said peoples. Put simply, if you were a person named Billy Joe Bob and you sold apples for Bitcoin, you might post your Bitcoin address in a public place for customers to pay you. Let's say the address starts with the alphanumeric string 7XybV3... But tossing aside the obvious privacy risk of anyone being able to check your Bitcoin balance and see how much you have sold, there's a second, not often talked about privacy risk. Let's say you were also an underground hacker going by the name of l33tz0r. You do whistle blowing work, telling an unsuspecting populace about government corruption, and it's imperative that you keep your identity a secret. You accept Bitcoin donations for your work, and post the address on a public forum. It's the same address that you accept money from your apple customers. The 7XybV3... one.

A simple, but devastating deanonymization attack would be to use an internet search engine to search for your Bitcoin address. Putting the address of 7XybV3... in the engine brings up two different results. The apple business, and l33tz0r. This is enough to link the two identities and deanonymize l33tz0r, with potentially scary consequences from the powers that be.

It's important to note that this attack is ALSO possible with Monero. Even though Monero hides most on-chain data, this attack doesn't use any. It only uses the address, which must be shared in order to receive payment. Publicly in the case of anonymous donations. This is one potential way in which Monero users can unwittingly hurt their privacy, and is also an example of how, even though Monero is top tier in regards to privacy retention, it is not bulletproof.

The usual way of getting around this problem was owning multiple wallets. With different addresses posted for every identity (or usecase), they cannot be linked. But this privacy only holds if the user never mixes them up. Accidentally posting the incorrect address would have the same linkage effects. As well, the seed of each address must be kept secure, increasing the infosec work necessary with each new wallet made.

Monero's solution was subaddresses. The ability to create an absolutely massive number of addresses underneath the main address, using it as a seed of sorts. Every generated subaddress can accept Monero, and all of it goes to the same wallet. Using this method, the number of identities that can be operated under one address is huge while keeping the infosec work to a minimum. These addresses are also not mathematically linkable, so unless the user shouts their connection to the world, an outside observer will have great difficulty linking them.

But another interesting usecase emerged from subaddresses; as a replacement option of the universally hated payment IDs.

Payment IDs were a way for merchants to identify which customer sent which payment. Since Monero information is obscured on chain, the receiver of a transaction is not able to see which address sent it. This means that if there are similarly priced items and multiple orders, it can become impossible to identify who sent what. Payment IDs are a unique, random string generated by the merchant and given to the customer. The customer adds this as a separate field when sending the transaction. This random string is placed on the blockchain as part of the transaction, and in this way, the merchant is able to identify and sort through incoming transactions.

This method was flawed in several ways. Firstly, it detracts from the uniformity of on-chain data. Additional, unique metadata can make some transactions stand apart from the crowd, thereby allowing heuristic analysis. This is especially true when this metadata is not enforced as mandatory for all. Making this mandatory for everyone would add needless space to the blockchain though, and was not pursued. As well, if a payment ID was ever reused for any reason, it would be trivial to link two transactions as connected. This typically occurred with exchange deposits, and anyone could easily link transactions as both being a deposit on an exchange, and from one particular individual.

Secondly, from a UX perspective, payment IDs create a second step that cryptocurrency users coming from other coins are not used to, and if they are forgotten then it causes a massive headache to the merchant who must identify these transactions via other means. This was typically done by speaking directly with each customer who forgot to put the payment ID and confirming other identifying information that only they could know, such as a combination of the amount, date sent, and transaction ID.

This extra step was missed by many, and it got to the point where some exchanges started to charge money to customers if their money had to be manually retrieved because of forgetting a payment ID. Others grit their teeth and ate the extra support costs, but nobody was happy about it.

There was one solution to this, integrated addresses, which merged the address and the payment ID into one string, so it couldn’t be forgotten, but adoption was fairly weak, despite the benefits merchants would have received from including it.

In an interesting turn of events, subaddresses came in to save the day. The ability to generate large amounts of subaddresses per main address, and identify which transactions came into which subaddresses, allowed merchants to rid themselves of payment IDs in an elegant way, while adopting the next generation of Monero technology. Since then, most exchanges and merchant tools have switched to subaddresses as the primary way of transaction identification.

What started as a solution for a privacy problem turned into something much more, which solved a major UX issue for merchants and customers alike. Innovation begets more innovation, which can often snowball into unexpected wins for everyone. Monero has seen this time and time again, and puts great effort into innovating what is possible on the blockchain. Who knows what other things we can unlock together?

Further reading