In 2001, Ron Rivest, Adi Shamir, and Yael Tauman published a cryptographic construction that let any member of a group produce a signature that proved membership without revealing which member signed. They called it a ring signature because the verification equation formed a ring structure, and because the scheme required no setup ceremony, no group manager, and no coordination among members. Any user could unilaterally form a “ring” from a set of public keys – including keys belonging to people who had no knowledge of the signature’s creation – and sign on behalf of the group.

Thirteen years later, the CryptoNote protocol adapted ring signatures for cryptocurrency transactions. Monero, launched in April 2014, became the most prominent implementation. By 2025, Monero had processed over 50 million ring-signature-based transactions, each one cryptographically obscuring which input was actually spent. A 2020 analysis by Moser et al. estimated that Monero’s ring signature implementation made definitive tracing of transaction inputs impossible for over 99% of post-2017 transactions (after the mandatory minimum ring size was increased to 7, later to 11, and then to 16).

Ring signatures solve a specific problem that standard digital signatures cannot: proving authorization without proving identity.

The Original Construction

Rivest, Shamir, and Tauman’s original ring signature uses trapdoor permutations (in practice, RSA). The idea is elegant.

Setup

Suppose there are n members with RSA public keys (e_1, n_1), (e_2, n_2), …, (e_n, n_n). The signer (say, member s) wants to sign a message m on behalf of the ring.

Signing Algorithm

  1. Compute a hash k = H(m) to use as a symmetric encryption key.
  2. Choose a random “glue value” v.
  3. For each non-signer member i (where i != s), choose a random value x_i and compute y_i = g_i(x_i), where g_i is the RSA trapdoor permutation for member i’s public key.
  4. Solve the ring equation: the signer needs to find y_s such that the XOR-chain of all the values, encrypted under the symmetric key k, closes into a ring:
     C_k(y_1) XOR C_k(y_2) XOR ... XOR C_k(y_n) = v
  5. Because the signer knows their own private key, they can invert their trapdoor permutation to find x_s from y_s: x_s = g_s^(-1)(y_s).
  6. The signature is (v, x_1, x_2, …, x_n).

Verification

The verifier recomputes y_i = g_i(x_i) for all i, checks that the ring equation holds, and accepts the signature if it does. The verifier cannot determine which member inverted their trapdoor (i.e., used their private key) because all the other x_i values are indistinguishable from random values that happened to satisfy the ring equation.

The key insight: only one member needs their private key to close the ring. All other members contribute random values that are processed through their public-key operations. The ring equation is satisfied regardless of which member closes it, making all members equally plausible signers.
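
The signing and verification steps above, as an added Python example (not code from the original paper or from this page). It follows the XOR form of the ring equation given above; the names toy_key, g, C and ring_sum, the Mersenne-prime toy moduli, the 320-bit common domain and the Feistel construction used for C_k are assumptions of the example.

```python
import hashlib, secrets

B = 320                                   # common domain {0,1}^B for all members
E_PUB = 65537
MERSENNE = [2**61 - 1, 2**89 - 1, 2**107 - 1, 2**127 - 1]   # known primes

def toy_key(p, q):
    """Constructed toy RSA key (trivially factorable): returns ((e, n), d)."""
    return (E_PUB, p * q), pow(E_PUB, -1, (p - 1) * (q - 1))

def g(x, exp, n):
    """RSA extended to {0,1}^B; exp = e applies g_i, exp = d inverts it."""
    q, r = divmod(x, n)
    return q * n + pow(r, exp, n) if (q + 1) * n <= 2**B else x

def _round(k, i, half):
    block = k + bytes([i]) + half.to_bytes(B // 16, "big")
    return int.from_bytes(hashlib.sha256(block).digest()[:B // 16], "big")

def C(k, x, inverse=False):
    """Keyed permutation C_k on B-bit values (4-round Feistel, assumed here)."""
    l, r = x >> B // 2, x & (2**(B // 2) - 1)
    for i in ((3, 2, 1, 0) if inverse else (0, 1, 2, 3)):
        l, r = (r ^ _round(k, i, l), l) if inverse else (r, l ^ _round(k, i, r))
    return l << B // 2 | r

def ring_sum(k, ring, xs, skip=None):
    acc = 0
    for i, ((e, n), x) in enumerate(zip(ring, xs)):
        if i != skip:
            acc ^= C(k, g(x, e, n))       # y_i = g_i(x_i), then C_k(y_i)
    return acc

def sign(msg, ring, s, d_s):
    k = hashlib.sha256(msg).digest()                             # step 1
    v = secrets.randbits(B)                                      # step 2
    xs = [secrets.randbits(B) for _ in ring]                     # step 3
    y_s = C(k, v ^ ring_sum(k, ring, xs, skip=s), inverse=True)  # step 4
    xs[s] = g(y_s, d_s, ring[s][1])                              # step 5
    return v, xs                                                 # step 6

def verify(msg, ring, sig):
    v, xs = sig
    if len(xs) != len(ring) or any(not 0 <= x < 2**B for x in xs):
        return False
    return ring_sum(hashlib.sha256(msg).digest(), ring, xs) == v
```
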

Properties

Signer ambiguity. Given a valid ring signature, a computationally unbounded adversary cannot determine which ring member produced it with probability better than 1/n (where n is the ring size). This is unconditional – it does not depend on computational assumptions.

Unforgeability. No one outside the ring can produce a valid signature. This depends on the hardness of the underlying trapdoor permutation.

No setup or coordination. Ring signatures require no trusted third party, no group manager, and no interaction between ring members. The signer unilaterally selects the ring members and uses their public keys.

Spontaneous formation. The ring can be formed from any set of public keys, including keys of people who do not know they are in the ring.

From RSA to Elliptic Curves: The CryptoNote Adaptation

The original construction used RSA, which produces large signatures (thousands of bytes per ring member). CryptoNote, published as a whitepaper in 2013 by “Nicolas van Saberhagen” (a pseudonym), adapted ring signatures to elliptic curves, dramatically reducing signature sizes and enabling use in a blockchain context.

CryptoNote uses a Schnorr-like ring signature over the Ed25519 curve. The construction works as follows:

One-Time Addresses

Every Monero transaction output creates a one-time public key (a “stealth address”). The recipient can compute the corresponding private key, but no external observer can link the output to the recipient’s public address.

The sender generates a one-time key P = H_s(r * A) * G + B, where r is a random scalar, A is the recipient’s public view key, G is the base point, and B is the recipient’s public spend key. Only the recipient, who knows the private keys a and b corresponding to A and B, can compute the private key x such that x * G = P.
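
An added Python example (not from the CryptoNote whitepaper or Monero) of both sides of the one-time key derivation. It runs in a small multiplicative toy group instead of Ed25519, so r * A is written pow(A, r, P_MOD) and point addition becomes multiplication. It also assumes the sender publishes R = r * G with the transaction so the recipient can recompute the shared secret; the function names are hypothetical.

```python
import hashlib, secrets

# Toy group constructed for this example (2^89 - 1 is prime, Q divides 2^89 - 2).
P_MOD, Q = 2**89 - 1, 2931542417
COF = (P_MOD - 1) // Q
G = next(g for g in (pow(b, COF, P_MOD) for b in range(2, 50)) if g != 1)

def H_s(point):
    """Hash a group element to a scalar."""
    digest = hashlib.sha256(str(point).encode()).digest()
    return int.from_bytes(digest, "big") % Q

def keypair():
    k = secrets.randbelow(Q - 1) + 1
    return k, pow(G, k, P_MOD)

def send(A, B):
    """Sender: P = H_s(r*A)*G + B for a fresh r; returns (P, R = r*G)."""
    r, R = keypair()
    P = pow(G, H_s(pow(A, r, P_MOD)), P_MOD) * B % P_MOD
    return P, R

def scan(a, B, P, R):
    """Recipient, private view key a only: a*R equals r*A, so P can be rebuilt."""
    return pow(G, H_s(pow(R, a, P_MOD)), P_MOD) * B % P_MOD == P

def spend_key(a, b, R):
    """Recipient, both private keys: x = H_s(a*R) + b, so that x*G = P."""
    return (H_s(pow(R, a, P_MOD)) + b) % Q
```

Scanning needs only a and the public B, while computing x also needs b, which is why a view key can detect incoming outputs without being able to spend them.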

Ring Signature for Spending

When spending, the signer constructs a ring from their actual output and n-1 decoy outputs (called “mixins”) selected from the blockchain.

  1. Let the ring be public keys P_0, P_1, …, P_{n-1}, where P_s is the actual key being spent.
  2. The signer generates random scalars alpha and c_i for i != s.
  3. For each i != s, compute L_i = c_i * P_i + r_i * G and R_i = c_i * H_p(P_i) + r_i * H_p(P_i), where H_p is a hash-to-point function.
  4. For the signer’s position s, compute L_s = alpha * G and R_s = alpha * H_p(P_s).
  5. Compute the challenge c = H(m || L_0 || R_0 || … || L_{n-1} || R_{n-1}).
  6. Set c_s = c - sum(c_i for i != s) mod q.
  7. Set r_s = alpha - c_s * x_s mod q, where x_s is the signer’s private key.

The signature is the set {c_0, r_0, c_1, r_1, …, c_{n-1}, r_{n-1}} along with the key image I = x_s * H_p(P_s).

The Key Image: Preventing Double Spends

The key image I = x_s * H_p(P_s) is a deterministic function of the private key x_s. It is the same value regardless of which ring the signer constructs. The blockchain maintains a set of all used key images. If a key image appears twice, the second transaction is rejected as a double spend.

Crucially, the key image reveals nothing about which public key in the ring it corresponds to. An observer knows that the signer has spent a particular output (because the key image is unique to that output’s private key), but cannot determine which ring member is the signer.

This is a “linkable” ring signature: two signatures by the same signer are linkable (they share a key image), but neither is attributable to a specific ring member.
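
An added Python example (not Monero's code) of a linkable ring signature with a key image and the ledger's double-spend rule. It uses a small multiplicative toy group instead of Ed25519, so c * P + r * G is written P^c * G^r, and it takes the decoy term in the CryptoNote whitepaper's form R_i = c_i * I + r_i * H_p(P_i), which is what ties every ring position to the key image I. All function names are hypothetical.

```python
import hashlib, secrets

# Toy group constructed for this example (2^89 - 1 is prime, Q divides 2^89 - 2).
P_MOD, Q = 2**89 - 1, 2931542417
COF = (P_MOD - 1) // Q
G = next(g for g in (pow(b, COF, P_MOD) for b in range(2, 50)) if g != 1)

def _h(*parts):
    data = "|".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def hash_to_point(pub):   # H_p: subgroup element with no known log to base G
    return pow(_h("point", pub) % P_MOD, COF, P_MOD)

def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P_MOD)

def terms(ring, img, c, r):   # L_i = c_i*P_i + r_i*G,  R_i = c_i*I + r_i*H_p(P_i)
    L = [pow(pk, ci, P_MOD) * pow(G, ri, P_MOD) % P_MOD
         for pk, ci, ri in zip(ring, c, r)]
    R = [pow(img, ci, P_MOD) * pow(hash_to_point(pk), ri, P_MOD) % P_MOD
         for pk, ci, ri in zip(ring, c, r)]
    return L, R

def sign(msg, ring, s, x):
    img = pow(hash_to_point(ring[s]), x, P_MOD)        # key image I
    c = [secrets.randbelow(Q) for _ in ring]
    r = [secrets.randbelow(Q) for _ in ring]
    alpha = secrets.randbelow(Q)
    L, R = terms(ring, img, c, r)                      # decoy positions
    L[s], R[s] = pow(G, alpha, P_MOD), pow(hash_to_point(ring[s]), alpha, P_MOD)
    challenge = _h("scalar", msg, *L, *R) % Q
    c[s] = (challenge - sum(c[:s] + c[s + 1:])) % Q    # close the ring at s
    r[s] = (alpha - c[s] * x) % Q
    return img, c, r

def verify(msg, ring, sig):
    img, c, r = sig
    if not (len(c) == len(r) == len(ring)) or pow(img, Q, P_MOD) != 1 or img == 1:
        return False
    L, R = terms(ring, img, c, r)
    return sum(c) % Q == _h("scalar", msg, *L, *R) % Q

def accept(spent_images, msg, ring, sig):   # ledger rule: one spend per key image
    if not verify(msg, ring, sig) or sig[0] in spent_images:
        return False
    spent_images.add(sig[0])
    return True
```
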

RingCT: Hiding Amounts

The original CryptoNote protocol hid the sender within a ring but left transaction amounts visible. In 2017, Monero implemented Ring Confidential Transactions (RingCT), based on a construction by Shen Noether that combines ring signatures with Pedersen commitments.

A Pedersen commitment to an amount a is C = a * H + r * G, where r is a random blinding factor and H is a second generator of the curve whose discrete logarithm with respect to G is unknown. The commitment is binding (the committer cannot change a without finding a different r, which requires solving the discrete logarithm) and hiding (the commitment reveals nothing about a to an observer).

For a transaction to be valid, the sum of input commitments must equal the sum of output commitments plus a commitment to the fee:

sum(C_inputs) = sum(C_outputs) + C_fee

This equality proves that no coins were created or destroyed, without revealing any individual amount.

To prove that each committed amount is non-negative (preventing the creation of coins through negative amounts), Monero uses Bulletproofs – a zero-knowledge proof system that proves a committed value lies within a range [0, 2^64) without revealing the value. Bulletproofs replaced the earlier range proofs in 2018, reducing transaction sizes by approximately 80%.
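
An added Python example (not Monero's implementation) of the commitment balance check and of why it needs a range proof beside it. It uses a small multiplicative toy group, so a * H + r * G is written H^a * G^r and a sum of commitments becomes a product. The names commit, combine, build_tx and balanced, the hash-derived generator H, and committing the public fee with blinding factor 0 are assumptions of the example.

```python
import hashlib, secrets
from functools import reduce

# Toy group constructed for this example (2^89 - 1 is prime, Q divides 2^89 - 2).
P_MOD, Q = 2**89 - 1, 2931542417
COF = (P_MOD - 1) // Q
G = next(g for g in (pow(b, COF, P_MOD) for b in range(2, 50)) if g != 1)
# Second generator derived by hashing, so its log to base G is not known.
_seed = int.from_bytes(hashlib.sha256(b"pedersen-H").digest(), "big")
H = pow(_seed % P_MOD, COF, P_MOD)

def commit(amount, blind):
    """C = a*H + r*G, written multiplicatively as H^a * G^r."""
    return pow(H, amount % Q, P_MOD) * pow(G, blind % Q, P_MOD) % P_MOD

def combine(commitments):
    return reduce(lambda x, y: x * y % P_MOD, commitments, 1)

def build_tx(in_amounts, out_amounts):
    """Commit to every amount; the last output blinding factor is chosen so
    that input and output blinding factors cancel."""
    in_blinds = [secrets.randbelow(Q) for _ in in_amounts]
    out_blinds = [secrets.randbelow(Q) for _ in out_amounts[:-1]]
    out_blinds.append((sum(in_blinds) - sum(out_blinds)) % Q)
    ins = [commit(a, r) for a, r in zip(in_amounts, in_blinds)]
    outs = [commit(a, r) for a, r in zip(out_amounts, out_blinds)]
    return ins, outs

def balanced(ins, outs, fee):
    """sum(C_inputs) == sum(C_outputs) + C_fee, fee committed with blind 0."""
    return combine(ins) == combine(outs) * commit(fee, 0) % P_MOD
```

A transaction built with outputs 15 and -5 from a single input of 10 passes `balanced`, because amounts live modulo the group order; the range proof on each output is what rejects it.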

A 2022 upgrade to Bulletproofs+ further reduced proof sizes and verification times. The current Monero ring signature + Bulletproofs+ construction produces transaction proofs of approximately 1.4 KB for a typical 2-input, 2-output transaction with ring size 16.

Ring Size and Anonymity Set

The ring size (the number of public keys in the ring) directly determines the anonymity set. A ring of size n means the actual signer is one of n possibilities.

Monero’s minimum ring size has increased over time:

  • 2014-2016: Optional (many transactions used ring size 1, providing no privacy)
  • 2016: Minimum ring size 3
  • 2017: Minimum ring size 5
  • 2018: Minimum ring size 7
  • 2019: Fixed ring size 11 (mandatory, not minimum)
  • 2023: Fixed ring size 16

The “fixed” rather than “minimum” distinction matters. If users could choose different ring sizes, the choice itself would be metadata: a user choosing ring size 50 stands out from users choosing 11. Fixed ring sizes eliminate this fingerprinting vector.

The Decoy Selection Problem

Decoys (mixins) must be selected in a way that does not leak information about the real input. Early Monero implementations selected decoys uniformly at random from the blockchain. Researchers at Princeton and Carnegie Mellon showed in 2017 that this was flawed: the real input in a ring was frequently the newest output, because users tend to spend recently received funds. The age distribution of real inputs differed from the uniform distribution of decoys, allowing statistical tracing.

Monero addressed this by implementing a gamma distribution for decoy selection that mimics the actual spending pattern of real inputs. The distribution favors recent outputs (matching real spending behavior) while including older outputs (preventing attackers from ruling out old outputs). As of 2024, empirical analysis suggests that this distribution successfully prevents timing-based tracing for the vast majority of transactions.

Comparison with Other Privacy Approaches

Ring signatures represent one of three major approaches to cryptocurrency privacy:

Ring signatures (Monero): No trusted setup. Moderate anonymity set (16). On-chain privacy – every transaction is private by default. Transaction sizes are larger than transparent blockchains but manageable.

zk-SNARKs (Zcash): Requires a trusted setup ceremony. Anonymity set is the entire shielded pool (potentially millions of transactions). Smaller proof sizes than ring signatures. But shielded transactions are optional in Zcash – as of 2025, approximately 15% of Zcash transactions are fully shielded, significantly weakening the anonymity set for shielded users.

zk-STARKs and other ZK approaches: No trusted setup. Larger proof sizes. Not yet deployed in production cryptocurrency systems at Monero-like scale.

Monero’s design philosophy prioritizes privacy by default over maximum anonymity set size. A ring size of 16 provides weaker theoretical privacy than Zcash’s full shielded pool, but Monero’s mandatory privacy means every transaction contributes to every other transaction’s anonymity – there is no “opt-in” problem.

Attacks and Mitigations

Flood analysis (2017). By creating many transactions with known inputs, an attacker could identify decoy outputs in other transactions, gradually reducing the anonymity set. Monero’s increase in ring size and the adoption of a more realistic decoy selection algorithm mitigated this.

Chain-reaction analysis. If any transaction’s real input is identified (through external information), the identified output can be eliminated as a decoy in all other rings where it appears. This “peeling” can cascade, potentially deanonymizing other transactions. The mandatory minimum ring size limits the effectiveness of this attack: even if several decoys are identified, the remaining candidates still provide ambiguity.

EAE attack (2018). The Exchange-Attacker-Exchange attack exploits the fact that exchanges know which outputs they send to users. If an exchange sends output X to a user, and later that user sends output X (in a ring with decoys), the exchange can identify X as the real input. This is an inherent limitation of ring signatures when interacting with entities that have knowledge of specific outputs.

Beyond Monero: Ring Signatures in Practice

Ring signatures have applications beyond cryptocurrency:

Whistleblowing. A government employee could sign a document with a ring containing all employees in their department. The signature proves one of them signed it, but not which one.

Anonymous voting. Each voter signs their ballot with a ring containing all eligible voters. Linkability (via key images) prevents double voting. Signer ambiguity preserves ballot secrecy.

Anonymous credentials. A ring signature from a ring of all holders of a particular credential proves that the signer holds the credential without revealing their identity. This connects directly to blind signature schemes for anonymous credential issuance.

The Stealth Cloud Perspective

Stealth Cloud’s authentication model – Sign-In with Ethereum wallet signatures – creates a direct connection between a cryptographic identity and a service session. Ring signatures offer a theoretical path to decoupling this: a user could prove they belong to a set of authorized wallets without revealing which wallet they control.

The practical challenge is gas cost and verification complexity on Ethereum. But the principle aligns precisely with Stealth Cloud’s zero-knowledge architecture: prove authorization without revealing identity. The GhostPass authentication system already hashes wallet addresses before storing them, ensuring the server never holds the raw identity. Ring signatures would extend this principle to the authentication step itself – the server would know that a valid wallet signed the challenge, without knowing which wallet.

Whether implemented through ring signatures, zero-knowledge proofs, or a combination, the destination is the same: a system where proving you have the right to access a service reveals nothing about who you are. Ring signatures demonstrated, two decades before privacy-preserving AI systems existed, that this balance between accountability and anonymity is mathematically achievable.