Please login or register.

MoneroMail, private messaging extension for Monero

Update: Someone has wisely recommended renaming this project to "MoneroPosto" in keeping with Monero's Esperanto leitmotif.


A private mailing application could be created utilizing Monero, couldn't it? It might work as follows

Important note: - Alternatives utilizing payloads and range proofs have been proposed by community members; these alternatives seem to be better solutions, thus we might use one of them instead of the original method I describe below).

  1. Alice wants to send a private message to Bob.

  2. Bob and Alice already have each others' public wallet addresses (and thus they can easily derive each others' public spend keys).

  3. Alice writes an ASCII message M that she wishes to send to Bob. M is also the concatenation of k substrings, IOW M = M_1 + M_2 + ... + M_k

  4. Let A_sign(x) mean "the result of Alice signing x with her private spend key".

  5. Let B_crypt(y) mean "the result of encrypting y using Bob's public spend key"

  6. Then for each i in [1..k], let PrivMsgChunk_i = B_crypt(A_sign(M_i)).

  7. We chose k large enough such that each PrivMsgChunk_i is small enough to fit in a payment ID.

  8. Alice stores an alphanumeric timestamp in variable A_Time

  9. Alice sends k transactions T_1, ... T_k to Bob, where the payment ID of T_i is (letting '+' denote concatenation) "MAIL" + PrivMsgChunk_i + A_Time + i, where i is just the integer index.

  10. Bob receives the transactions, extracts PrivMsgChunk_i, A_Time, and i from each payment ID, decrypts and verifies each PrivMsgChunk_i (yielding M_i), then arranges the message chunks according to i, yielding Alice's message M!

    • Note: The purpose of A_Time is to indicate that all "MAIL" transactions with that exact timestamp are part of the same message.

Notes from /u/gingeropolous:

I know various mail ideas have been discussed. apparently you can pack a message in the range proof of a ringct transaction. it could also be possibl to attach payloads to transactions that arent included in the blockchain

Notes from /u/knaccc

The best place to put messages is the range proof, and this storage is effectively free (if you're making a transaction anyway) because a range proof has to exist for each output. The payload that the range proof can carry will be automatically encrypted using the shared secret. Luigi is working on a new, more compact range proof. Therefore if you spend time adapting the current range proof to carry data, you might incur some wasted effort. It would be therefore worth dropping luigi1111 a message on IRC to coordinate. I'd imagine that after the range proof is adapted to carry an encrypted payload, all Monero wallets will allow for a freeform text area which will accompany each transaction. It will be able to contain a message, a payment ID, JSON text, whatever you want. It'd be about 1800 characters, and it would not add to the cost of a transaction. It'd also not make the transaction stand out on the blockchain, which it would if you'd put the message in the txextra.


  • Either a separate command line monero-mail utility or we build it as an extension of monero-wallet-cli, pending feedback.
  • GUI integration
  • An included "contacts list" allowing users to add/remove nicknames and their associated XMR addresses.


It seems that this is something only Monero can do, e.g. Bitcoin could encrypt a message and send from Alice's address to Bob's, but even if eavesdroppers cannot read the encrypted message contents they still see that Alice is sending mails to Bob. That in itself is a violation of Alice & Bob's privacy.


  • Riiume - A senior software developer with a bachelor's in pure mathematics from MIT (see signatures); creator of the "Monero Tracking Challenge" and the tool (from before Segwit was locked in) SegwitPoolsData.

  • Possibly other devs who express a commitment to work on the project.


Tentative estimate: 50 XMR


Hash: SHA256

This is [email protected] = /u/riiume = [email protected]
Email me to confirm.
PGP fingerprint: 394CCBC67B0EC0AA519AB6E62C2EBB579DD637C8
Version: GnuPG v2

Hash: SHA256

MoneroMail proposal, 2017/08/11 04:14 UTC
This is /u/riiume ([email protected])
PGP fingerprint: 394CCBC67B0EC0AA519AB6E62C2EBB579DD637C8
Version: GnuPG v2


Additional Discussions

Replies: 1
etam edited 7 months ago Weight: 64 | Link [ - ]

Hi, I'm interested in having a closer look at this topic.

> Luigi is working on a new, more compact range proof.

What's the status? Is it already described in chapter 4.4 of "Zero to Monero" v1.0.0?

Edit: I just learned about bulletproofs. How does that affect the proposal?