Loki search trends in Google
no incentive or reward for their work. This makes running a Monero node a costly and often
thankless exercise. We have made significant changes to the Monero source code to address these
issues and ensure that they don’t impact Loki.
Loki integrates a Service Node system similar to the masternode system used by DASH. This
means that a percentage of the block reward goes to a network of nodes, economically incentivis
ing them to operate. These Service Nodes have two key functions: they provide greater network
resilience, and also act as a secondary network that can perform various functions. The first
among these secondary services is Loki Messenger, which allows users to send encrypted mes
sages across a decentralised network.
Loki is not only a resilient medium of private exchange, but a platform for decentralised and
2 Basic statistics
Loki difficulty target (blocktime)
Emission speed factor
Figure 1 Ring signature generation in a Cryptonote transaction
3.2 Stealth addresses
Monero uses stealth addresses to ensure unlinkability, so that the true public key of the receiver
is never linked to their transactions. Every time a Monero transaction is sent, a one-time stealth
address is created and the funds are sent to this address. Using Diffie-Hellman Key Exchange, the
receiver of the transaction is able to calculate a private spend key for this stealth address, thereby
taking ownership of the funds without having to reveal their true public address
. Stealth address
es provide unparalleled protection to receivers of transactions and are adopted as a core privacy
feature in Loki.
3.3 RingCT and Range proofs
RingCT was first proposed by the Monero Research Lab as a way to obfuscate transaction
amounts. RingCT currently uses range proofs which leverage Pedersen commitments to prove
that an amount of Monero being sent is between 0 and 2⁶⁴
We propose a new usage of range proofs, specifically
(a more compact range proof
), to prove that a Service Node holds a predetermined amount of Loki. We call this meth
od a Bulletproof declaration; it is explained in section 4.5 of this paper.
Kovri is a C++ implementation of an I2P router that is currently in development by the Monero
open source project
. I2P is a peer-to-peer protocol that forms the basis for a decentralised net
work that is able to route traffic through the internet without revealing the true IP addresses of
connections. Kovri is still in development and has not yet been released.
Loki intends to implement Kovri through its own nodes to securely route traffic, removing the
possibility of a connection between IP addresses and transactions. The use of Kovri will allow
greater privacy when transacting and using Service Nodes.
3.5 ASIC resistant hashing algorithm
Loki prevents this by adopting the Cryptonote model, where a smooth emissions curve is fol
lowed. This means that the block reward decreases slightly every block, instead of abrupt reduc
tions that could cause hash rates to fluctuate.
The Loki emission curve is determined by the equation below, where
is the total supply ex
pressed in atomic units,
is the circulating supply expressed in atomic units, λ is the emission
M = 1.5 * 10⁸
A = Circulating supply
Figure 2 The Loki emissions curve
3.7 Tail emission and inflation
There has been much debate into whether a deflationary or inflationary model makes more sense
for a cryptocurrency that is targeted towards being used as a currency rather than a store of value.
We envision Loki as a currency that allows a private method of transacting value and purchasing
access to second layer services. It is generally accepted that deflationary currencies encourage
saving and disincentivize spending, which is negative for the growth of economies. Reserve
banks in most successful economies target annual inflation rates at 1-2% to stimulate spending
and increase the velocity of money.
Taking this into account, Loki’s tail emission differs from Monero’s in that it offers an inflation
ary rate of 0.5% per year, instead of having a fixed amount emitted per new block found. In prac
tice a steady reward every block does increase total supply over time, but the proportion of the
total supply growth lowers every year the fixed block reward c...
Monerolink published a paper in early 2017 exploring true unspent outputs in ring signatures
Monerolink found that, on average, in 80% of ring signatures the true unspent output was the out
put with the highest block height (i.e. the newest block) . The Monero Research Lab and others
have done extensive research on the best method to choose mixins appropriately
Monero allows users to choose the mixins to be used in each transaction. This is usually done
by the wallet software (as per the code below) which specifies that 50% of unspent outputs must
be chosen from the ‘recent’ zone (transactions from the last 1.8 days) and 50% of unspent out
puts must be chosen using a triangular distribution from the remaining pool of available unspent
outputs. While this method favours using ‘newer’ unspent outputs in rings, it still uses constant
values instead of sampling an actual distribution which would more accurately match the real
spending habits of Monero us...
Figure 3 Spend-time distributions in Bitcoin and Monero over multiple distributions
Using this data along with the pseudocode provided in the Monerolink paper (referenced be
low), Loki will sample mixins based on how users spend.This means that a third party analysing
the outputs in a ring signature cannot assume that the oldest ‘unspent’ output is a decoy output,
because the distribution at which the outputs were chosen reflects the appropriate chance that an
‘older’, unspent output would be included in the ring signature. This new sampling method will
increase Loki’s effectiveness against a temporal association attack.
Let TopGIdx be the index of the most recent
transaction output with denomination
BaseReqMixCount := b(NumMixins+1)×1.5+1c;
Let RecentGIdx be the index of the most recent
transaction output prior to 5 days ago with
denomination RealOut.amount prior to 5 days ago;
4.2 Ring signature size
The ‘size’ of a ring signature refers to how many mixins are used to construct the ring. Monero
currently has an enforced minimum ring signature size of five, meaning that four mixins are used
alongside the real unspent output in a transaction.
In January 2016, Monero introduced a minimum ring size of three. This was done to defend the
network against the negative impacts of zero mixin transactions, that is rings where the only out
put signed in the ring is the true output. In September 2017 the Monero development team again
raised the ring size to a minimum of five. This was part of a gradual move to slowly increase the
ring size once the effects of a ring size of three was observed.
The effect of larger ring sizes has been sparsely studied, however in paper 0001, published by
the Monero Research Lab, the effect of differing ring sizes was analysed versus an attacker who
owned a large amount of outputs on the blockchain
. It was found that higher ring...
Service Nodes Up
Loki Messenger Release
SNApp Open Source SDK