Glossary

Ring Signature

A ring signature is a cryptographic scheme where any member of a group can sign a message, hiding the actual signer among decoys.

Key Takeaways

  • A ring signature lets one member of a group produce a valid signature without revealing which member signed: the verifier can confirm the signer belongs to the group, but cannot identify which specific key was used.
  • Ring signatures are the core privacy mechanism in Monero, where each transaction mixes the real spend with decoy outputs to hide the sender. Bitcoin takes a different approach using techniques like CoinJoin and silent payments.
  • The tradeoff for strong sender privacy is significant: ring signatures produce larger transactions, make supply audits harder to verify, and create regulatory friction with exchanges enforcing KYC/AML requirements.

What Is a Ring Signature?

A ring signature is a type of digital signature that allows any member of a group to sign a message on behalf of the group, without revealing which member actually produced the signature. The "ring" refers to the circular structure of the signing algorithm: a set of public keys arranged in a loop, with no beginning or end that would indicate the real signer.

The concept was introduced in 2001 by cryptographers Ron Rivest, Adi Shamir, and Yael Tauman Kalai in their paper "How to Leak a Secret." The original motivation was whistleblowing: a government official could sign a leaked document proving they held a legitimate position, without exposing which specific official did the leaking. Unlike group signatures, ring signatures require no group manager, no setup ceremony, and no coordination among members. The signer simply selects a set of public keys (including their own), uses their private key along with the others' public keys, and produces a signature that any verifier can check.

In cryptocurrency, ring signatures found their most prominent application in privacy-focused networks like Monero. By mixing the real transaction input with decoy inputs, ring signatures create plausible deniability for the sender: an observer can see that one of the keys in the ring authorized the transaction, but cannot determine which one.

How It Works

A ring signature scheme operates on a fundamental principle: one real signer, multiple decoy public keys, and a mathematical construction that binds them all into a single valid signature.

  1. The signer selects a set of public keys from the network. These keys belong to other users who are unaware of their inclusion. The signer's own public key is placed randomly within this set.
  2. Using their own private key and the collected public keys, the signer computes a series of values that form a "ring": a circular chain of cryptographic operations where the output of one feeds into the next.
  3. The ring is "closed" using the signer's private key, which is the only key that can make the circular computation consistent. The result is a single signature value that encompasses all the public keys.
  4. A verifier checks the signature by running the same circular computation using all the public keys in the ring. If the ring closes properly, the signature is valid. The verifier confirms that someone in the ring signed the message, but gains no information about which member.

Simplified Example

Consider a ring of three public keys (Alice, Bob, Carol), where Bob is the actual signer:

Ring = { PK_Alice, PK_Bob, PK_Carol }

1. Bob picks random values for Alice and Carol's "slots"
   v_Alice = random()
   v_Carol = random()

2. Bob uses a trapdoor function with each public key:
   e_Alice = Encrypt(PK_Alice, v_Alice)
   e_Carol = Encrypt(PK_Carol, v_Carol)

3. Bob computes his own slot using his PRIVATE key
   to "close" the ring:
   v_Bob = Solve(SK_Bob, e_Alice, e_Carol, message)

4. Output signature:
   σ = (message, Ring, v_Alice, v_Bob, v_Carol)

Verification: anyone can check that the ring closes
using only the three PUBLIC keys. No private key needed.

The key insight is that only the real signer can close the ring, because solving for a slot requires the private key that matches that slot's public key. The verifier, however, cannot tell which slot was solved and which were randomly generated.

Ring Confidential Transactions (RingCT)

Basic ring signatures hide the sender, but the transaction amount remains visible. Monero addressed this in 2017 with Ring Confidential Transactions (RingCT), which combines ring signatures with Pedersen commitments to hide both the sender and the amount.

In RingCT, transaction amounts are replaced with cryptographic commitments. The network can verify that inputs equal outputs (no coins created from nothing) without knowing the actual values. Combined with ring signatures for sender privacy and stealth addresses for receiver privacy, RingCT provides a comprehensive privacy stack.
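The balance check described above, as an added example that is not Monero's code or part of the original entry: Pedersen commitments let a verifier confirm that inputs equal outputs plus fee while seeing only commitments. The toy group (integers mod 2**127 - 1), the generator 3, the derivation of `H`, and all function names are assumptions made for illustration.

```python
import hashlib, math, secrets

# Toy group (assumption): integers mod the Mersenne prime 2**127 - 1, not an elliptic curve.
P, G = 2**127 - 1, 3
N = P - 1                                   # exponents are reduced mod the group order
# Second generator derived by hashing, so nobody knows its discrete log base G.
H = int.from_bytes(hashlib.sha256(b"pedersen-H").digest(), "big") % N + 1

def commit(amount, blind):
    """C = G^blind * H^amount: hides the amount, binds the committer to it."""
    return pow(G, blind, P) * pow(H, amount, P) % P

def blinds_summing_to(total, count):
    parts = [secrets.randbelow(N) for _ in range(count - 1)]
    return parts + [(total - sum(parts)) % N]

def build_tx(inputs, outputs, fee):
    # The sender picks output blinding factors that sum to the input ones,
    # so the G-components cancel and only the amounts decide the balance.
    in_blinds = [secrets.randbelow(N) for _ in inputs]
    out_blinds = blinds_summing_to(sum(in_blinds), len(outputs))
    return ([commit(v, b) for v, b in zip(inputs, in_blinds)],
            [commit(v, b) for v, b in zip(outputs, out_blinds)], fee)

def balances(tx):
    """Verifier side: sees commitments and the public fee, never the amounts."""
    c_in, c_out, fee = tx
    lhs = math.prod(c_in) % P
    rhs = math.prod(c_out) * pow(H, fee, P) % P
    return lhs == rhs
```

The equation holds modulo the group order, so an amount such as `N - 5` would also balance; deployed systems pair each commitment with a range proof for that reason.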

Ring Signatures in Monero

Monero is the most widely deployed implementation of ring signatures in cryptocurrency. Every transaction on the Monero network uses ring signatures by default: privacy is mandatory, not optional.

When a Monero user spends funds, their wallet selects decoy outputs from the blockchain and mixes them with the real spend. As of 2024, Monero uses a ring size of 16 (1 real input plus 15 decoys), meaning that, from an observer's perspective, any given output in the ring has a 1-in-16 chance of being the real spend.

Key Images: Preventing Double Spends

Ring signatures create a problem: if the network cannot identify which output was spent, how does it prevent double spending? Monero solves this with key images.

Each output can produce exactly one unique key image, derived from the sender's private key. When a transaction is broadcast, its key image is recorded on the blockchain. If the same output is spent again, it would produce the same key image, and the network would reject the transaction as a double spend. The key image proves an output has been spent without revealing which output it is.
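The ring-closing steps under "How It Works" and the key-image rule described above, as an added example that is not Monero's code or part of the original entry: a linkable ring signature in the LSAG style. The toy group (integers mod 2**127 - 1), the generator 3, and all function names are assumptions made for illustration; Monero's production scheme runs on an elliptic curve.

```python
import hashlib, secrets

# Toy group (assumption): integers mod the Mersenne prime 2**127 - 1, not an elliptic curve.
P, G = 2**127 - 1, 3
N = P - 1                                   # exponents are reduced mod the group order

def h(*parts):
    return int.from_bytes(hashlib.sha256(repr(parts).encode()).digest(), "big")

def hash_to_group(pub):                     # group element with no known log base G
    return h("Hp", pub) % N + 1

def keygen():
    x = secrets.randbelow(N - 1) + 1
    return x, pow(G, x, P)

def key_image(x, pub):                      # same key gives the same image in any ring
    return pow(hash_to_group(pub), x, P)

def link(msg, ring, img, i, c, r):          # challenge at slot i -> challenge at slot i+1
    L = pow(G, r, P) * pow(ring[i], c, P) % P
    R = pow(hash_to_group(ring[i]), r, P) * pow(img, c, P) % P
    return h(msg, tuple(ring), img, L, R) % N

def sign(msg, ring, s, x):
    n, img = len(ring), key_image(x, ring[s])
    a = secrets.randbelow(N)
    r = [secrets.randbelow(N) for _ in ring]    # decoy slots keep random responses
    c = [0] * n
    c[(s + 1) % n] = link(msg, ring, img, s, 0, a)   # signer's commitment G^a, Hp^a
    for k in range(1, n):                       # walk the decoys back round to the signer
        i = (s + k) % n
        c[(i + 1) % n] = link(msg, ring, img, i, c[i], r[i])
    r[s] = (a - c[s] * x) % N                   # only the private key closes the ring
    return c[0], r, img

def verify(msg, ring, sig):
    c0, r, img = sig
    if len(r) != len(ring):                     # every ring member needs a response
        return False
    c = c0
    for i in range(len(ring)):
        c = link(msg, ring, img, i, c, r[i])
    return c == c0

def accept(msg, ring, sig, spent):              # node rule: valid and image not seen
    ok = verify(msg, ring, sig) and sig[2] not in spent
    if ok:
        spent.add(sig[2])
    return ok
```

`verify` uses only public keys and treats every slot identically, while `accept` rejects a second spend of the same key even when it is hidden in a different ring.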

FCMP++: Beyond Fixed Ring Sizes

A limitation of traditional ring signatures is the fixed ring size. With 16 members, there is still a bounded anonymity set. In early 2026, Monero activated Full Chain Membership Proofs (FCMP++), which replaces fixed-size rings with a proof that the spent output belongs to the entire set of unspent outputs on the blockchain: roughly 150 to 160 million outputs. This effectively eliminates the statistical weaknesses of small, fixed rings by making the anonymity set the entire UTXO set.

Comparison with Bitcoin Privacy Approaches

Bitcoin takes a fundamentally different approach to transaction privacy. Rather than hiding the sender at the protocol level, Bitcoin's base layer is transparent: all transactions, amounts, and addresses are publicly visible. Privacy is achieved through optional techniques layered on top. For a comprehensive analysis, see the Bitcoin privacy landscape overview.

| Feature | Ring Signatures (Monero) | Bitcoin Privacy Techniques |
| --- | --- | --- |
| Sender privacy | Mandatory, protocol-level | Optional, user-initiated |
| Coordination | None required | CoinJoin requires participant coordination |
| Transaction size | Larger (includes decoy data) | Standard size, CoinJoin adds modest overhead |
| Supply auditing | Relies on cryptographic proofs | Fully transparent, independently verifiable |
| Anonymity set | Ring size (16) or full UTXO set (FCMP++) | CoinJoin round participants |

CoinJoin

CoinJoin is Bitcoin's primary sender-privacy technique. Multiple users combine their inputs and outputs into a single transaction, making it difficult for observers to determine which inputs funded which outputs. Unlike ring signatures, CoinJoin requires active coordination among participants, typically through a centralized coordinator. All transaction data remains on the public ledger: the privacy comes from the ambiguity of many-to-many mappings, not from cryptographic hiding.

Silent Payments

Silent payments address receiver privacy on Bitcoin. They allow a sender to derive a unique, one-time address for the receiver without any interaction, similar to how Monero's stealth addresses work. Silent payments complement CoinJoin by protecting the receiving side of a transaction, while CoinJoin protects the sending side.

Use Cases

Ring signatures serve several purposes beyond basic payment privacy:

  • Whistleblowing and anonymous attestation: the original use case from the 2001 paper. A signer can prove they belong to a specific group (such as a government department or corporate board) without identifying themselves individually.
  • Privacy-preserving cryptocurrency: every Monero transaction uses ring signatures to decouple the sender from the transaction graph, making chain analysis significantly more difficult than on transparent blockchains.
  • Fungibility preservation: because transaction histories are obscured, individual coins cannot be "tainted" by association with prior transactions. Every unit is interchangeable, which is a core property of sound money.
  • Anonymous voting and authentication: ring signatures can prove membership in a voter registry without revealing which voter cast a particular ballot, enabling verifiable anonymous elections.

Why It Matters

Ring signatures represent one end of the privacy spectrum in cryptocurrency design. They demonstrate that strong sender privacy is cryptographically achievable, but they also highlight the tradeoffs involved. Bitcoin-based systems like Spark take a different path: rather than obscuring the entire ledger, Spark operates as a Layer 2 that moves transactions off-chain while preserving Bitcoin's transparent base layer. This approach avoids the supply-audit and regulatory challenges of opaque blockchains while still providing practical privacy benefits through off-chain settlement.

The design choice between ring-signature-style privacy and Bitcoin's layered approach reflects a deeper question in cryptocurrency: whether privacy should be mandatory at the protocol level or optional and composable. Both approaches have merit, and understanding ring signatures is essential for evaluating privacy guarantees across different systems.

Risks and Considerations

Transaction Size and Scalability

Ring signatures require including data for every decoy member in each transaction. A ring of 16 members means the signature portion of each transaction is roughly 16 times larger than a simple single-signer scheme. This directly impacts blockchain size, sync times, and verification costs. Larger rings provide better privacy but further increase these costs, creating a tension between anonymity set size and network efficiency.

Supply Audit Challenges

On transparent blockchains like Bitcoin, anyone can independently verify the total supply by summing all UTXOs. On blockchains using ring signatures with hidden amounts, supply verification relies on the correctness of the underlying cryptography (specifically Pedersen commitments). If a bug in the cryptographic implementation allowed someone to create coins from nothing, it could go undetected. While no such exploit has been confirmed on Monero, the theoretical risk is unique to opaque ledgers.

Decoy Selection Weaknesses

The privacy of ring signatures depends on the decoys being plausible alternatives. If decoys are selected poorly (for example, outputs that have already been spent in other visible transactions, or outputs with unusual timing patterns), statistical analysis can narrow down the real signer. Research has shown that older decoy selection algorithms in Monero were vulnerable to timing analysis, though newer algorithms have improved resistance. FCMP++ addresses this more fundamentally by expanding the anonymity set to the entire blockchain.

Regulatory and Exchange Friction

The strong privacy guarantees of ring signatures create compliance challenges. Exchanges subject to KYC/AML regulations struggle to perform transaction monitoring on opaque blockchains. Several major exchanges have delisted Monero and other privacy coins, reducing liquidity and accessibility. This regulatory pressure illustrates the tension between financial privacy and compliance requirements.

Quantum Computing Considerations

Current ring signature schemes rely on the hardness of problems like discrete logarithms, which are vulnerable to Shor's algorithm on sufficiently powerful quantum computers. While practical quantum threats remain distant, the migration path for ring-signature-based systems is more complex than for simpler signature schemes, because the privacy guarantees of past transactions could be retroactively broken if the underlying cryptographic assumptions are defeated.
