Jamtis: Why a new address format?
When Monero was created in 2014, it inherited the CryptoNote addressing scheme. Originally, each wallet only had a single public address and payments were disambiguated with payment IDs. In 2017, subaddresses were introduced, which allowed each wallet to generate a virtually unlimited number of seemingly unlinkable addresses.
In 2019, a weakness of subaddresses was identified, which allows an attacker to link two subaddresses belonging to the same wallet. This is called the "Janus attack".
In 2026, Monero will upgrade to a new transaction protocol called Carrot, which provides mitigations for the Janus attack and offers address-conditional forward privacy (i.e. forward privacy if addresses are kept secret).
However, several issues with the legacy addressing scheme remain unresolved:
1. Wallets with publicly known addresses lose nearly all privacy against a quantum-enabled adversary.
2. Wallets that use a third-party service for scanning the blockchain lose nearly all privacy.
3. Generating subaddresses requires keeping track of a global counter, which complicates implementations and may cause merchants to prefer legacy integrated addresses.
4. The detection of outputs received to subaddresses is based on a lookup table, which can sometimes cause the wallet to miss outputs.
5. Checking two addresses for equality is difficult for humans because CryptoNote addresses are long and case-sensitive.
The goal of Jamtis is to tackle the shortcomings of CryptoNote addresses that were mentioned above. Specifically:
1. Jamtis wallets with publicly known addresses retain a certain level of privacy even against a quantum-enabled adversary.
2. Jamtis wallets using a third-party scanning service retain a certain level of privacy.
3. Jamtis addresses can be safely generated without keeping track of a global counter.
4. Balance recovery for Jamtis wallets can be done reliably without the need to use a precomputed table of keys.
5. Jamtis addresses can be quickly compared thanks to a "visual prefix" consisting of 30 lowercase characters.
Jamtis focuses on post-quantum privacy because all past and present Monero transactions are vulnerable to quantum privacy-breaking attacks due to the "harvest now, decrypt later" strategy.
Additional goals are:
1. Backward compatibility with Carrot without hard-forking changes.
2. Enotes sent to Jamtis addresses are indistinguishable from enotes sent to legacy addresses.
3. Jamtis addresses retain existing security properties of Carrot, especially Janus attack protection.
Jamtis also comes with a new 16-word mnemonic scheme called Polyseed that will replace the legacy 25-word seed for new wallets.
Non-goals
An explicit non-goal of Jamtis is post-quantum soundness. This includes preventing a quantum-enabled adversary from:
1. opening Pedersen commitments to arbitrary monetary values
2. forging spend authorization proofs and linking tags
3. forging membership proofs
Past and present Monero transactions are safe from soundness-breaking quantum attacks, assuming no cryptographically relevant quantum computers exist at this moment. Both Carrot and Jamtis support a migration protocol that will be used in a future fully post-quantum upgrade.
Read more: https://t.co/ErRZnZziaq