Monero (Esperanto for "coin", ticker XMR) is a permissionless, proof-of-work cryptocurrency where privacy is the default, not an opt-in. Every transaction hides the sender, receiver, and amount automatically — using cryptography described in the prior schemas. It launched on April 18, 2014 with no premine, no ICO, and no founder reward. This schema is the bird's-eye view: what XMR is as money, how the system works end-to-end, and how the three deep-dives — P2P, CLSAG/RingCT, and the mining stack — snap together.
Strip away the marketing and Monero is one thing: a distributed cash ledger you can audit without being able to read. The chain is fully public — every block, every transaction, every commitment is downloadable by anyone. What's missing from each transaction is the linkable information: which output is being spent, who's receiving the new one, and how much is moving. The cryptography is what protects those three facts; the network is what stops anyone from cheating despite not being able to see them.
A whitepaper by the pseudonymous Nicolas van Saberhagen proposing a Bitcoin alternative built around ring signatures and one-time keys. Never deployed by its author.
First CryptoNote implementation. Marred by an 80% premine — most coins were already mined before the public ever heard of it. The community refused to back it.
A user "thankful_for_today" forks Bytecoin into BitMonero with a fresh genesis block. Seven community devs then fork that into "Monero" days later. No premine, no ICO, no founder allocation.
Most cryptocurrencies make broadly similar choices: fixed supply, transparent ledger, ASIC mining, static block size. Monero made four deliberately different ones. Each is a load-bearing wall of the system — change any one and you no longer have Monero.
Every tx uses stealth addresses, CLSAG ring signatures, and Pedersen commitments. There is no transparent mode. Even the IP layer is hidden via Dandelion++. You can't accidentally leak; the chain doesn't carry the data.
Proof-of-work designed for general-purpose CPUs and hostile to ASICs. ~2 GB dataset, JIT-compiled random programs. Anyone with a laptop can meaningfully participate in consensus.
No fixed 1 MB / 2 MB / 4 MB cap. Block size floats with demand — miners may exceed the rolling median, but pay a quadratic penalty in block reward. Fees stay sane regardless of load.
After the initial ~18.4M XMR were mined (May 2022), the reward floors at 0.6 XMR per block forever. ~1% yearly inflation, asymptotically declining. Miners never starve, security never relies on fees alone.
Three roles, one chain. Wallets build and sign transactions. Daemons (monerod) run the network — they hold the chain, gossip txs, validate, and stitch the world together. Miners burn electricity to extend the chain and earn the reward. Everything you've seen across the prior three schemas is some interaction between these three roles.
Everything in the diagram above corresponds to one of the prior schemas — each is a microscope on a different part of this same machine.
Trace one transaction from intent to settlement. Each step below is something the previous schemas explain in depth; this is the connective tissue.
Alice's wallet picks unspent outputs she owns, pulls Bob's public address, derives a fresh P_out from it, encrypts the amount, and builds Pedersen commitments. Nothing is on chain yet.
For each input: sample 15 decoys, assemble the ring, compute the key image I = x·Hp(P*), run CLSAG to get σ = {s, c1, D}. Add a Bulletproof+ range proof. Pay a tiny fee.
Wallet sends the tx via RPC to its local monerod. Daemon runs the seven validation checks, drops it in tx_pool. Pool sorts by fee-per-byte.
Daemon forwards to one random outbound peer (no broadcast). That peer forwards to one more, and so on — anonymity hops break the IP link to Alice.
At some hop, a node rolls into "fluff" mode and broadcasts to all its peers with Poisson-delayed timing. Within seconds the tx is in mempools across the network.
Mining pools watching the chain see the tx in mempool. When they assemble the next block template, this tx (with its fee) gets included.
Pool dispatches the block template as jobs to all connected miners. Miners burn through nonces. Some lucky XMRig instance finds a hash below the network target.
Pool submits the full block to its monerod. Block propagates network-wide via fluffy block. Each node validates, accepts, removes confirmed txs from its mempool.
Bob's wallet (running or syncing) walks each new block. For every output, it runs the recognition equation P =? Hs(kv·R)·G + Ks. Match → his payment.
Bob's wallet decrypts the amount and blinding mask using the shared secret kv·R, which equals Alice's r·Kv. After ~10 block confirmations, the output is mature. Bob can now spend it as an input in his own ring.
The transaction stays on chain forever — but observers can never recover Alice, Bob, or the amount. Only the key image I is added to the global "spent set" to prevent re-spend.
End-to-end latency: ~2 min to first confirmation, ~20 min to maturity. Cost: usually under a few cents. Privacy guarantees: mandatory, baked in, no opt-out.
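The stealth-address and key-image steps of the walkthrough above, as an added example (not code from the original page or from the Monero project). It runs the page's simplified equations on the real ed25519 curve; SHA3-256 in place of Keccak, the try-and-increment `Hp`, and leaving out the cofactor multiplication and output index that Monero mixes into the derivation are assumptions made to keep it short.

```python
import hashlib, secrets

p = 2**255 - 19                               # ed25519 field prime (RFC 8032)
l = 2**252 + 27742317777372353535851937790883648493   # prime group order
d = -121665 * pow(121666, -1, p) % p

def add(P, Q):                                # twisted Edwards addition law (affine)
    (x1, y1), (x2, y2) = P, Q
    t = d * x1 * x2 * y1 * y2 % p
    return ((x1*y2 + x2*y1) * pow(1 + t, -1, p) % p,
            (y1*y2 + x1*x2) * pow((1 - t) % p, -1, p) % p)

def mul(k, P):                                # double-and-add, not constant time
    Q = (0, 1)                                # neutral element
    while k:
        if k & 1: Q = add(Q, P)
        P, k = add(P, P), k >> 1
    return Q

def lift(y):                                  # point with this y and even x, or None
    x2 = (y*y - 1) * pow(d*y*y + 1, -1, p) % p
    x = pow(x2, (p + 3) // 8, p)
    if (x*x - x2) % p: x = x * pow(2, (p - 1) // 4, p) % p
    return None if (x*x - x2) % p else (p - x if x & 1 else x, y)
G = lift(4 * pow(5, -1, p) % p)               # base point, y = 4/5

def H(tag, P):                                # assumption: SHA3-256 stands in for Keccak
    raw = b"".join(c.to_bytes(32, "little") for c in P)
    return int.from_bytes(hashlib.sha3_256(tag + raw).digest(), "little")
def Hs(P): return H(b"s", P) % l              # hash to scalar
def Hp(P):                                    # assumption: try-and-increment hash to point
    for ctr in range(256):
        Q = lift(H(b"p%d" % ctr, P) % p)
        if Q: return mul(8, Q)                # multiply by 8 to clear the cofactor

def keypair():
    k = secrets.randbelow(l - 1) + 1
    return k, mul(k, G)

def send(Kv, Ks):                             # Alice: tx key R, one-time address P_out
    r, R = keypair()
    return R, add(mul(Hs(mul(r, Kv)), G), Ks)

def recognise(kv, Ks, R, P_out):              # Bob's scan: P =? Hs(kv·R)·G + Ks
    return add(mul(Hs(mul(kv, R)), G), Ks) == P_out

def key_image(kv, ks, R):                     # x = Hs(kv·R) + ks, then I = x·Hp(x·G)
    x = (Hs(mul(kv, R)) + ks) % l
    return x, mul(x, Hp(mul(x, G)))
```

Calling `key_image` twice for the same output returns the same `I`, which is what lets nodes reject a re-spend by set membership while the ring hides which member was spent.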
Monero's monetary policy is deliberately boring and predictable. There was a smoothly decreasing main emission for ~8 years, no halvings, no surprises. In May 2022 the curve flattened to a constant 0.6 XMR per block forever. This is called tail emission — the explicit choice to never let block subsidy reach zero.
A fixed cap forces a chain to eventually rely on fees alone to pay miners. Monero's designers argue that's a security cliff — once subsidies vanish, fee markets get volatile and security with them. Tail emission is the floor under that cliff.
~157,680 XMR/year (0.6 × 720 blocks/day × 365). Against an ~18.4M supply, that's about 0.86% in the first year, dropping each year as the denominator grows — asymptotically toward 0% but never reaching it.
No fixed limit. A miner can build a block larger than the 100-block median if they want, but the block subsidy is reduced quadratically. This deters spam while letting the chain grow with real demand.
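The tail-emission arithmetic and the quadratic penalty described above, as an added example (not the project's code). It uses the commonly documented penalty form, base × (1 − ((weight − median)/median)²) with blocks above twice the median rejected; the function names and the 300,000-byte median are constructed for illustration, and treating the median as a given number is a simplification.

```python
ATOMIC = 10**12                  # atomic units per XMR
TAIL_REWARD = 6 * 10**11         # 0.6 XMR per block, the tail-emission floor
BLOCKS_PER_YEAR = 720 * 365      # ~2-minute blocks

def penalised_reward(base, weight, median):
    """Subsidy left after the penalty: base * (1 - ((weight - median) / median)**2)."""
    if weight <= median:
        return base                          # at or under the median: no penalty
    if weight > 2 * median:
        raise ValueError("weight above 2x median: block is invalid")
    # Same expression, rearranged so it stays in integer arithmetic.
    return base * weight * (2 * median - weight) // (median * median)

def break_even_fees(base, weight, median):
    """Fees the extra transactions must carry before growing the block pays off."""
    return base - penalised_reward(base, weight, median)

def tail_inflation(supply_xmr, years):
    """Percent inflation for each successive year with a constant tail reward."""
    rates = []
    for _ in range(years):
        minted = TAIL_REWARD * BLOCKS_PER_YEAR / ATOMIC
        rates.append(100 * minted / supply_xmr)
        supply_xmr += minted
    return rates

if __name__ == "__main__":
    median = 300_000                          # constructed sample median, in bytes
    for weight in (300_000, 330_000, 450_000, 600_000):
        fees = break_even_fees(TAIL_REWARD, weight, median) / ATOMIC
        print(f"{weight:>7} B  miner needs > {fees:.3f} XMR in extra fees")
    print([round(r, 3) for r in tail_inflation(18_400_000, 3)])
```

Because the penalty grows with the square of the overshoot, a 10% larger block costs the miner 1% of the subsidy while a block at twice the median forfeits all of it.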
Monero is easier to understand by what it inverts. Same UTXO model, same proof-of-work category, completely different choices on the four big questions.
| Question | Monero answers | Bitcoin answers |
|---|---|---|
| Privacy | Mandatory, on-chain. Stealth addresses + ring sigs + RingCT + Dandelion++ baked in. Pseudonyms are impossible — there's nothing to pseudonymize. | Transparent. Every address and amount is public. Privacy requires opt-in tools (CoinJoin, Lightning) layered on top. |
| Mining | CPU-friendly. RandomX with a 2 GB random-program-execution dataset designed to neutralize ASIC advantage. | ASIC-dominated. SHA-256d is trivial to specialize in silicon; participation requires custom hardware. |
| Supply | Uncapped with tail emission. ~18.4M plus 0.6 XMR per block forever (~0.86% → 0% inflation). | Fixed cap at 21M. Block reward halves every 210k blocks until zero around year 2140. |
| Block size | Dynamic. Floats with demand; miners pay a quadratic penalty to exceed the 100-block median. No hard cap. | Hard cap (~1 MB base / 4 MB weight via SegWit). Fee market is the rationing mechanism. |
| Block time | ~2 minutes. Difficulty retargets every block (rolling 720-block median). | ~10 minutes. Difficulty retargets every 2016 blocks (~2 weeks). |
| Fungibility | Strong. Every XMR is indistinguishable from every other — you cannot taint or blacklist a specific unit. | Weak. Coin history is fully traceable; tainted or "dirty" UTXOs exist and exchanges screen for them. |
| Auditability of supply | Possible. Pedersen commitment sums let anyone prove total supply on chain without seeing individual amounts. | Trivial. All amounts are plaintext; running total is a single scan. |
Monero's protocol is a moving target. Hard forks happen roughly every six months by design, with the explicit goal of improving privacy and efficiency rather than maintaining backward compatibility for its own sake. The key inflection points:
μP, μC. Transaction size drops another ~25%, verification ~10% faster.