Dero Stargate versus Monero, which one is more private?
Today, Dero and Monero are the only two privacy coins with strong decentralised communities of users and developers. I’ve come to appreciate both Dero and Monero more since I started trying to compare the two. Considering that misconceptions float around in both camps, I believe a fair comparison is in order. In this article I will try to break down the tech of Dero and Monero for a side-by-side check based on the current state of each project’s technology.
1. Monero’s UTXO vs Dero’s Account Model
The first thing to understand is how balances are stored in the respective blockchains; this is known as the accounting model. Monero uses the UTXO model. If we think of a blockchain as a big ledger, where each entry consists of an address and a balance, then in the UTXO model the balance of each user is scattered among different addresses (UTXOs) controlled by the same private key (the same user). The name comes from the fact that whenever a zero-balance address receives coins, the address becomes an Unspent Transaction (TX) Output. In a transparent chain, since one private key holder can control more than one UTXO, it’s not possible to deduce the balance of a wallet from the outside. To find a wallet balance one would have to scan the blockchain for all the UTXOs owned by the same user, which is not possible without the private key. Monero uses the UTXO model but balances are obfuscated as Pedersen commitments, so from the outside they appear simply as TXOs. Each Monero TXO can be spent only once, and when it is spent the key image of that TXO is published onchain. From the user’s side, the balance of a wallet is the sum of the balances of all the TXOs the user controls. To compute the total balance of a wallet, the wallet software has to scan the entire blockchain and sum the balances of all TXOs corresponding to the given private key.
The UTXO accounting model is a major handicap for Monero, making it susceptible to attacks that compromise TXO unlinkability. Balances of Monero wallets are fragmented among different TXOs, which are stored onchain and can be observed through their integer identifiers (which don’t reveal the balance). Moreover, since TXOs are formed as outputs of Monero transactions, by analyzing onchain activity we can also build sets of related TXOs. A set of related TXOs can be either TXOs controlled by the same user or TXOs of users who share a lot in common, such as being in the same timezone and customers of the same CEX. Because of wallet balance fragmentation and the possibility of compiling sets of related TXOs, sender privacy is compromised when several of these TXOs (tracked through their integer identifiers), flagged as likely to belong to the same entity or related entities, are spent. While these TXOs do appear individually in other rings as decoys, the odds of them appearing together among the inputs of the same transaction (as they must when a user needs to spend a balance bigger than what any single TXO contains) are astronomically low unless they are actually being spent. As a result, the key images of the TXOs being spent are exposed, which can then be used to deanonymize even more transactions by allowing analysts to filter out decoys. This is possible because knowing where a TXO is spent tells us that the TXO is a decoy in every other transaction where it appears among the inputs, since TXOs can be spent only once. This process is known as key image analysis.
A major deanonymization case where this technique (in its basic form) was used was the tracing of Lazarus’s WannaCry Monero. The process is well documented here. More recently a Chainalysis video was leaked showing a generalization of this deanonymization technique through a tool that aggregates key image data and can filter out decoys even in single-input transactions. With the advent of AI and its ability to spot patterns, key image analysis of TXOs makes deanonymizing Monero trivial. For an in-depth discussion of key image analysis I recommend reading this and this. Key image analysis is not possible on Dero because Dero uses the account model. In the account model each private key owns one address with one balance, and every transaction involves updating this single balance. As a result, whenever a user spends, the account appears exactly once in the transaction ring (unlike Monero, where multiple TXOs of the same user can be part of the input set), and there is no way to tell whether an address in a transaction ring is a decoy or an actual party to the transaction. Unlike Monero TXOs, Dero accounts can be updated multiple times; so even if an account is exposed in one transaction as the spender or receiver, we have no way of knowing whether that account is spender, receiver or decoy in the other transactions where it appears in rings.
Which one is better for privacy? Contrary to widespread misconceptions in the Monero community, the UTXO model is a huge and unfixable vulnerability in Monero that is not present in Dero. Therefore the account model is a huge advantage Dero has over Monero. As proof, it suffices to consider that if Lazarus had used Dero instead of Monero (barring bugs), their coins wouldn’t have been traced had they behaved the same way. Lazarus converted BTC to XMR in a cross-chain swap and then waited 3 months before re-spending their XMR.
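To make the mechanics described in this section concrete, here is an added toy model (my own example code, not code from the article, Monero or Dero). It covers two claims above: that a single known spend propagates through rings because each output can be spent only once, and that related outputs landing together in one transaction’s rings by chance is improbable. The rings, output ids and the one known spend are constructed; ring sizes are shortened for readability and decoy selection is assumed uniform, which simplifies Monero’s real age-weighted selection, so the numbers are illustrative only.

```python
"""Toy model of decoy elimination (key image analysis) and of the chance that
related outputs co-occur in one transaction's rings by accident.

Added example: not code from the article, Monero or Dero. All rings, output ids
and the single known spend are constructed; ring sizes are shortened and decoy
selection is assumed uniform, which simplifies Monero's real age-weighted
selection. Numbers are illustrative only.
"""
from math import comb

# Constructed rings: key image -> candidate outputs (TXO ids). Exactly one
# member of each ring is the real spend; the rest are decoys.
RINGS = {
    "ki1": {1, 5, 6},
    "ki2": {1, 2},
    "ki3": {2, 3},
    "ki4": {1, 3, 4},
    "ki5": {2, 7, 8, 9},
}


def eliminate_decoys(rings, known_spends):
    """Propagate known spends until no ring changes.

    Each output can be spent exactly once, so a resolved spend is a decoy in
    every other ring that lists it; a ring left with a single candidate is
    itself resolved, which can feed further eliminations (a chain reaction).
    Returns {key_image: remaining candidate set}.
    """
    candidates = {ki: set(members) for ki, members in rings.items()}
    resolved = dict(known_spends)
    for ki, output in resolved.items():
        candidates[ki] = {output}
    changed = True
    while changed:
        changed = False
        spent = set(resolved.values())
        for ki, cands in candidates.items():
            if ki in resolved:
                continue
            remaining = cands - spent
            if remaining != cands:
                candidates[ki] = remaining
                changed = True
            if len(remaining) == 1:
                resolved[ki] = next(iter(remaining))
                changed = True  # newly resolved spend is used in the next pass
    return candidates


def effective_ring_sizes(rings, known_spends):
    """Anonymity left per input after elimination (1 means fully deanonymized)."""
    return {ki: len(c) for ki, c in eliminate_decoys(rings, known_spends).items()}


def cooccurrence_probability(n_outputs, n_inputs, ring_size, n_flagged):
    """Chance that n_flagged specific outputs all appear among the decoys of
    one transaction with n_inputs inputs, if decoys were drawn uniformly and
    without repetition from n_outputs candidates (simplifying assumption)."""
    n_decoys = n_inputs * (ring_size - 1)
    if n_flagged > n_decoys:
        return 0.0
    return comb(n_outputs - n_flagged, n_decoys - n_flagged) / comb(n_outputs, n_decoys)


if __name__ == "__main__":
    # One externally known spend (output 1 spent by ki1) resolves ki2, ki3
    # and ki4 in turn and shrinks ki5's ring; only ki1 was given.
    print(eliminate_decoys(RINGS, {"ki1": 1}))
    # Two flagged outputs landing together as decoys in a 1-input, 16-ring
    # transaction, over a pool of one million outputs:
    print(cooccurrence_probability(1_000_000, 1, 16, 2))
```

The account-model contrast is what the code cannot express: because a Dero account may legitimately be the real party in many rings, the “spent exactly once” rule that drives `eliminate_decoys` has no counterpart there, so one exposed transaction does not shrink any other ring.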
2. ElGamal vs Pedersen Commitments
In the Dero ledger each entry consists of a public account address and an ElGamal ciphertext. The ElGamal ciphertext holds the balance of Dero tokens in the account. Blockchain state in Dero is updated homomorphically, which means the ciphertexts are updated in encrypted form without ever being decrypted. In the Monero ledger we find stealth addresses (one for each UTXO) and Pedersen commitments. Pedersen commitments are Monero’s counterpart to Dero’s ElGamal ciphertexts.
Which one is better for privacy? They’re both equally strong.
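As an added illustration (my own example code, not code from the article, Monero or Dero), the following toy implementation shows the homomorphic property both schemes rely on: Pedersen commitments multiply to a commitment to the sum, and exponent-ElGamal ciphertexts (the additively homomorphic variant that the encrypted balance updates described above require) multiply to an encryption of the sum, so a ledger entry can be updated without decrypting it. The group (p = 1019, generators 4 and 9), the key values and the `apply_transfer` ledger are constructed for readability; real deployments use elliptic-curve groups, a lookup table rather than the linear scan used here for decryption, and zero-knowledge proofs that a transfer is well-formed, which this code omits.

```python
"""Toy demonstration of the homomorphic property behind Pedersen commitments
(Monero) and ElGamal ciphertexts (Dero).

Added example: not code from the article, Monero or Dero. The group below
(p = 1019 = 2q + 1, q = 509, generators 4 and 9) is a constructed toy; real
deployments use elliptic-curve groups, a lookup table instead of the linear
scan used here for decryption, and zero-knowledge proofs that a transfer is
well-formed, which this code omits.
"""
import secrets

P = 1019          # safe prime: the squares mod P form a subgroup of prime order Q
Q = 509
G = 4             # 2^2, a square mod P, hence of order Q
H = 9             # 3^2; assumption: nobody knows log_G(H), as Pedersen requires


def pedersen_commit(value, blinding):
    """C = G^value * H^blinding. Hides value; binding as long as log_G(H) is unknown."""
    return pow(G, value, P) * pow(H, blinding, P) % P


def pedersen_add(c1, c2):
    """Multiplying commitments commits to the sum of values (and blindings)."""
    return c1 * c2 % P


def elgamal_keygen(secret=None):
    """Return (secret, public) where public = G^secret."""
    x = secret if secret is not None else secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def elgamal_encrypt(pk, value, nonce):
    """Exponent ElGamal: (G^nonce, G^value * pk^nonce). Negative values encode
    debits, since pow() with a negative exponent returns the modular inverse."""
    return pow(G, nonce, P), pow(G, value, P) * pow(pk, nonce, P) % P


def elgamal_add(ct1, ct2):
    """Component-wise product of ciphertexts encrypts the sum of plaintexts."""
    return ct1[0] * ct2[0] % P, ct1[1] * ct2[1] % P


def elgamal_decrypt(sk, ct):
    """Recover value from (c1, c2): c2 / c1^sk = G^value, then solve for value.
    The scan over Q candidates stands in for the lookup table real wallets use."""
    c1, c2 = ct
    g_v = c2 * pow(pow(c1, sk, P), -1, P) % P
    for v in range(Q):
        if pow(G, v, P) == g_v:
            return v
    return None


def apply_transfer(ledger, sender, receiver, amount, nonce):
    """Update two encrypted balances without decrypting either.

    ledger: {name: (public_key, balance_ciphertext)} (constructed). A real chain
    would additionally require a proof that the sender's balance covers amount."""
    pk_s, ct_s = ledger[sender]
    pk_r, ct_r = ledger[receiver]
    ledger[sender] = (pk_s, elgamal_add(ct_s, elgamal_encrypt(pk_s, -amount, nonce)))
    ledger[receiver] = (pk_r, elgamal_add(ct_r, elgamal_encrypt(pk_r, amount, nonce)))
    return ledger


if __name__ == "__main__":
    sk_a, pk_a = elgamal_keygen(77)
    sk_b, pk_b = elgamal_keygen(123)
    ledger = {"alice": (pk_a, elgamal_encrypt(pk_a, 50, 5)),
              "bob": (pk_b, elgamal_encrypt(pk_b, 10, 6))}
    apply_transfer(ledger, "alice", "bob", 20, 9)
    # Each party decrypts only their own entry: 30 and 30 after a 20-unit transfer.
    print(elgamal_decrypt(sk_a, ledger["alice"][1]), elgamal_decrypt(sk_b, ledger["bob"][1]))
    print(pedersen_add(pedersen_commit(5, 11), pedersen_commit(7, 13)) == pedersen_commit(12, 24))
```

Note the structural difference the code makes visible: a Pedersen commitment can be opened only by whoever holds the blinding factor, which is why a Monero wallet has to rescan the chain to rebuild its balance, whereas an ElGamal balance is tied to one key pair and the account holder can always decrypt the current ledger entry directly.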
3. Rings & Transaction Confidentiality
On the input side of a Monero transaction we have one key image for each TXO being spent, and each key image has a ring of sixteen TXOs, where one is the real TXO being spent and fifteen are decoys. On the output side there are no rings, but at least two outputs: the sender’s change and the receiver’s TXO. In Dero we have both sender and receiver rings, consisting of the spender, the receiver and randomly picked account addresses used as decoys. In Dero users can pick a ring size for their transactions from 2 (sender and receiver rings with one member each) to 128 (64 members for the sender ring and 64 members for the receiver ring).
View keys
In Monero each wallet has a private and a public view key. The public view key is meant to be shared with third parties such as auditors. In Dero Stargate there are no view keys; for auditability one would have to resort to a smart contract or an L2.
Which one is better for privacy? The UTXO issue strikes again in Monero, because in RingCT the real spender is often overrepresented with multiple TXOs. These clusters create a significant deanonymization vector. Moreover, Monero has no receiver rings, so it’s much easier to find the receiver’s TXO. Unlike RingCT, Dero’s rings have only one member per spender; as a result the spender cannot be overrepresented in the input set of a transaction, which makes deanonymizing senders through cluster analysis impossible (unlike in Monero). Dero also has receiver rings, guaranteeing the same degree of privacy for the receiver. Therefore Dero’s rings are superior to RingCT.
4. Smart Contract Capability
Monero has no smart contract capability. Dero, on the other hand, has the Dero Virtual Machine. Dero’s VM makes Dero practically as expressive as Ethereum, but with the privacy and censorship resistance of Dero. All accounts in Dero can interact with the VM, i.e. with dapps, while their holdings remain in ElGamal ciphertext. As a result, unlike on Ethereum, a user doesn’t have to reveal their holdings.
Which one is better for privacy? In the Ethereum paradigm programmability is a weakness, because the tokens are always owned by the smart contract owner, who can freeze/seize them. In Dero, however, tokens are first-class citizens: tokens are owned by the user account, not by the smart contract. Since smart contract capability opens the door to more trustless setups, such as DEXes, smart contracts are better for privacy. Trustless swaps are not possible in Monero, as users always have to go through trusted third parties.
5. Mining: AstroBWT vs RandomX
Dero uses AstroBWT, a mining algorithm created by the Dero developers for Dero based on the BWT algorithm. AstroBWT was created to ensure mining is egalitarian and cannot be centralized around big farms. Monero’s algorithm is RandomX. The core difference is that building ASICs or FPGAs for AstroBWT is practically impossible, whereas RandomX is still at the mercy of chip manufacturers. Should Monero’s price perform, we may see FPGAs and even ASICs.
Which one is better for privacy? AstroBWT is the winner because it makes Dero’s mining undetectable even at scale by always staying more profitable (on a cost-per-watt basis) for CPU miners. Monero’s RandomX, on the other hand, is much easier to optimize for GPUs, which makes Monero miners easily detectable and their mining bannable.
6. User Experience
The last metric is user experience. When you send or receive a transaction in Monero, the UTXO stays frozen for 10 blocks. This means you have to wait around 20 minutes to be able to use that UTXO again, which is clearly even worse than BTC’s UX. On Dero, on the other hand, transactions take a few seconds and are fast enough to even play poker onchain. Since the ambition of both coins is to gain adoption as peer-to-peer untraceable digital cash, good UX is crucial to bring the masses onboard. Dero has a clear and huge advantage on the UX front as well.
Conclusion
Monero is obsolete today, while Dero offers state-of-the-art privacy, because in Dero users can be deanonymized only by a quantum adversary that can break the underlying encryption scheme (ElGamal). In Monero, on the other hand, a quantum computer is not required: users can be deanonymized by tracking TXO clusters in transaction rings and conducting key image analysis.
Dero also has a clear advantage when it comes to additional utility through its smart contract capability, as well as in mining and user experience. Privacy also depends on the behavior of users and the number of trustless setups available; these properties make a huge difference at scale. Smart contracts translate into many trustless setups (e.g. DEXes, p2p trustless solutions), AstroBWT means unbannable mining even if hashrate grows exponentially, and ElGamal means unbreakable account privacy.
Disclaimer: I currently own only Dero because at $30M mcap I consider Dero to be extremely undervalued for its powerful privacy capabilities. None of this is financial advice.