Objective: allow a user to publish a single address and receive unconditional unlinkable payments. The destination of each output (by default) is an unique public key, derived from the recipient's address and the sender injecting random data.

1) Bob sends his public keys (A,B) to Alice;
2) Alice generates a random r and computes the ephemeral public key P = H1(rA)G + B;
3) Alice sends the money to the key P and publishes R = rG;
4) Bob recovers the corresponding ephemeral private key:
x = H1(aR) + b, so as P = xG

Note: H1() is a crypto hash function {0,1}* -> F_q


Objective:make the proof-of-work pricing function most suitable for general purpose CPUs, and special-purpose devices production the least profitable possible.

1) A memory-bound function with an exponential "memory - calculations" trade-off
2) 2+ MB used memory per thread (to deter ASIC pipelining)
3) Big Math (available in most recent CPUs)


Objective: allow a user to produce a ring signature which can be checked not by a single public key, but a set of keys. The real signer is indistinguishable from the other key owners until he produces the second signature under the same keypair.

1) Bob possesses a private key x and a corresponding public key P = xG. He computes the key image I = X(H2(P));
2) Bob selects foreign public keys {P_i | i = 1..n-1}; his secret index in this set is s
3) Bob picks a random {q_i, w_i | i = 1..n} and makes the following commitments:
— if i == s:
L_i = q_i*G and R_i = q_i*H2(P_i);
— if i != s:
L_i = q_i*G + w_i*P_i and R_i = q_i*H2(P_i) + w_i*I;
4) Then he gets the non-interactive challenge:
c = H1(m,L_1..L_n,R_1..R_n);
5) Finally he computes the response:
— if i !=s:
c_i = w_i and r_i = q_i;
— if i == s:
c_i = c - SUM(c_i) and r_i = q_s - c_s*x;
6) The resulting signature is tuple (I,c_1..c_n,r_1..r_n);
7) To verify this signature Alice should reconstruct the commitments:
L_i = r_i*G + c_i*P_i
R_i = r_i*H2(P_i) + c_i*I
Then Alice checks if SUM(c_i) == H1(m,L_1..L_n,R_1..R_n);
8) Alice rejects the signature if it has been used before

Note: H2() is a deterministic hash function E(F_q) -> E(F_q)


Objective: make the emission process smooth to avoid reward decrease shocks.

Each block reward is calculated as follows:
R = (MSupply - A) >> 18
where A is amount of previously generated coins. Overall limit is uint64_max.


Objective: make all the parametres not hardcoded, but adapting with each new block.

1) Max_block_size = median(last N blocks)
2) New diff = work/time, where
work = sum(last N blocks diffs)
time = timestamp_(-1) - timestamp_(-N-1)
in sorted timestamps' set.

Further readings

For more details check the CryptoNote whitepaper (signature | PGP key).
Join CryptoNote Bytecoin, the first CryptoNote currency.