Monero Subaddresses Explained: Privacy Best Practices

Why Monero Address Types Matter

Privacy in cryptocurrency is not just about hiding transaction amounts or obscuring the sender. It is equally critical that an observer cannot link multiple payments to the same recipient. If someone knows your Monero address and can scan the blockchain to find all payments to that address, your financial privacy is severely compromised regardless of other protections.

Monero solves this problem through its address system, with subaddresses being the primary tool for receiving privacy. Understanding how subaddresses work and why you should use them is fundamental to getting the most out of Monero's privacy guarantees.

Monero Address Types

Primary Address

Every Monero wallet has one primary address, derived directly from the wallet's private keys. This address starts with the number 4 and is 95 characters long. The primary address is the "root" of your wallet and should ideally be used sparingly, since sharing it widely creates a single identifier that could be used to correlate your activities.

Subaddresses

Subaddresses are the recommended way to receive Monero. They start with the number 8 and are also 95 characters long. Each wallet can generate an essentially unlimited number of subaddresses. The critical feature is that subaddresses are cryptographically unlinkable — without access to the wallet's private keys, it is mathematically impossible to determine that two subaddresses belong to the same wallet.

Integrated Addresses (Deprecated)

Integrated addresses combine a primary address with a payment ID into a single address starting with 4 (like primary addresses but longer). They were historically used by exchanges to identify deposits. Integrated addresses are now deprecated in favor of subaddresses, which provide better privacy and simpler user experience. Most modern wallets discourage or no longer support creating new integrated addresses.

How Subaddresses Work: The Cryptography

Understanding the technical foundation of subaddresses helps appreciate why they are so effective. Monero uses an elliptic curve cryptographic scheme where each wallet has a pair of private keys: a private spend key and a private view key.

Derivation Process

A subaddress is generated by taking the wallet's public spend key and public view key and combining them with an index number through a cryptographic hash function. The process works as follows:

• The wallet chooses a subaddress index (account index, address index)
• A scalar is derived: m = Hs(private_view_key || account_index || address_index)
• The subaddress public spend key becomes: D = B + m*G (where B is the primary public spend key and G is the generator point)
• The subaddress public view key is derived accordingly: C = a*D (where a is the private view key)

The resulting public keys form a valid Monero address that is mathematically independent of the primary address from an observer's perspective. Only someone with the private view key can compute the relationship between the primary address and any subaddress.

Unlinkability Guarantee

Because the derivation involves a one-way hash function combined with elliptic curve point addition, reversing the process — determining that two subaddresses share the same wallet — requires knowledge of the private view key. Without it, each subaddress appears to belong to a completely independent wallet. This is not merely obscurity; it is a cryptographic guarantee.

The Janus Attack and Its Mitigation

In 2019, researchers identified a theoretical vulnerability called the Janus attack that could allow a malicious sender to determine whether two subaddresses belong to the same wallet. The attack works by crafting a special transaction that can be detected differently depending on which subaddress the recipient uses to identify the payment.

The Monero development team addressed this vulnerability by modifying the transaction protocol. Modern Monero transactions include protections that prevent the Janus attack from being executed. Users running current wallet software are not vulnerable to this attack.

The Janus attack episode demonstrates the importance of active security research and responsive development — vulnerabilities are identified and patched before they can be exploited in practice.

Privacy Benefits of Subaddresses

Using subaddresses correctly provides several layers of privacy improvement:

• Unlinkable payments: Each subaddress appears to be an independent wallet, preventing merchants, exchanges, or other payers from correlating your transactions
• No address reuse: Generating a fresh subaddress for every incoming payment means no two payers share a common identifier for your wallet
• Compartmentalization: You can create separate subaddresses (or entire subaccounts) for different purposes — personal, business, donations — without any on-chain link between them
• Reduced metadata leakage: Even if an observer obtains two of your subaddresses (e.g., from two different services that are compromised), they cannot prove the addresses belong to the same person

Best Practices: Fresh Subaddress Per Transaction

The single most important practice for Monero receiving privacy is to generate a new subaddress for every incoming transaction. Here is why:

If you give the same subaddress to two different people, those two people can compare notes and confirm they are paying the same entity. While they still cannot see your other transactions on the blockchain, the off-chain linkability defeats the purpose of the subaddress system.

Modern Monero wallets make this easy. Most generate a new subaddress automatically each time you request a receiving address. Some wallets display the previously used subaddresses for reference but always offer a fresh one by default.

Practical Tips

• Never post a subaddress publicly unless you are comfortable with it being permanently associated with your identity (e.g., a donation address on your website)
• Use separate accounts (not just separate subaddresses) for genuinely distinct financial activities
• Label your subaddresses within your wallet to track which address was given to which counterparty
• For donations: If you must publish a static address, consider it a known public identifier and keep your other financial activity in separate subaddresses

Wallet Support for Subaddresses

Monero GUI Wallet

The official GUI wallet has full subaddress support. Navigate to the "Receive" tab to generate new subaddresses. The wallet automatically creates a fresh subaddress each time and maintains a list of previously generated addresses. You can also create multiple accounts, each with its own set of subaddresses.

Monero CLI Wallet

The CLI wallet supports subaddresses through the address new command, which generates a new subaddress in the current account. Use address all to list existing subaddresses and account new to create additional accounts.

Cake Wallet

Cake Wallet (available on iOS and Android) fully supports subaddresses. The app generates a new subaddress for each receiving request and provides an intuitive interface for managing multiple addresses. It is one of the most user-friendly options for mobile Monero use.

Feather Wallet

Feather Wallet, a popular desktop wallet for power users, offers excellent subaddress management with labeling, filtering, and batch generation capabilities. It is the preferred choice for users who need to manage many subaddresses efficiently.

Monerujo

The Android-native Monerujo wallet supports subaddresses and provides a clean interface for generating and managing them. It integrates well with hardware wallets like Ledger for additional security.

Merchant Use of Subaddresses

For merchants accepting Monero payments, subaddresses are essential. Each customer order should receive payment to a unique subaddress, enabling the merchant to identify which order has been paid without exposing their financial activity to customers or competitors.

Payment processing libraries and plugins for popular e-commerce platforms typically handle subaddress generation automatically. The monero-wallet-rpc interface provides programmatic access to subaddress creation, making it straightforward to integrate into custom payment systems.

FCMP++ and Future Improvements

The upcoming FCMP++ (Full-Chain Membership Proofs) upgrade will further enhance the privacy of all Monero transactions, including those involving subaddresses. With FCMP++, the anonymity set expands from the current ring size to the entire blockchain, making any analysis of transaction patterns — including attempts to correlate subaddresses through spending behavior — effectively impossible.

Additionally, ongoing research into Seraphis, a next-generation transaction protocol proposed for Monero, would introduce even more flexible address schemes with enhanced privacy properties. Seraphis addresses would support more efficient scanning for incoming transactions while maintaining or improving unlinkability guarantees.

Frequently Asked Questions

Can someone link my subaddresses if they have my primary address?

No. Without your private view key, it is cryptographically impossible to determine that a subaddress belongs to the same wallet as a given primary address. The two appear completely independent.

Is there a limit to how many subaddresses I can create?

Practically, no. The index space allows for billions of subaddresses per account. You will never run out, and generating new subaddresses is computationally trivial.

Do subaddresses cost anything to create?

No. Subaddresses are generated locally in your wallet using a mathematical derivation. They do not require any blockchain transaction and cost nothing to create.

Should I use the primary address or a subaddress for receiving?

Always use a subaddress. The primary address should be treated as the wallet's internal identifier, not a receiving address. Some privacy-conscious users never share their primary address at all.

Where can I get XMR to test subaddresses?

You can acquire Monero instantly through services like MoneroSwapper, which allows you to swap other cryptocurrencies for XMR without KYC verification. This lets you quickly fund your wallet and practice generating and using subaddresses.