What Are The Ring Signatures In Monero?

Ring Signatures is one of the key technology solutions that Monero employs to achieve confidentiality. We are going to tell you what it is and why you need it. 

The idea behind a Ring Signature scheme is quite simple but very efficient: the sender of a message combines their signature with numerous other signers thus creating a unified digital signature, which represents a group. The group for a ring signature can be improvised (requires no preliminary setup).

Suppose, you want to send someone XMR. Your signature (permission for a transaction) will then be automatically merged with an X number of other signatures that serve as a derivation. It is then not possible for the recipient to see which of the many signatures actually belongs to the sender. This allows the actual sender to hide the origin of the transaction.

Here’s a simple example of how the structure of a ring signature works:

• Alice wants to send Bob 10 XMR so she initiates a transaction through her Monero wallet.

• Alice’s signature for this transaction is a one-time spending key that starts with an output being spent from her wallet.

• The non-signers of the signature are past transaction outputs that are randomly picked from the blockchain and act as snares in the transaction.

• All ring members are probable signers of the transaction and it is computationally non-realizable for a third party to detect the actual signer.

• All of the outputs of the signature together make up the input of the transaction.

• Alice is verifiably capable to spend the envisaged transaction amount without distinguishing her identity from the others in the ring.

• Although Alice’s public key is used in her transaction, it may be randomly used in other transactions in the Monero network as a muddling factor.

A prototype of Ring Signatures, termed “group signatures”, was first expounded in a 1991 paper, by cryptographer Eugene van Heyst and computer scientist David Chaum. 

In 2001, researchers Yael Tauman, Adi Shamir, and Ronald Rivest expanded the concept of group signatures in a paper entitled “How to Leak a Secret”. In this paper, the notion of a ring signature was first formalized. The scheme was similar to that of group signatures, but there was no way to identify the actual signer of a transaction and a randomly chosen group of users could be included in the signature without any secondary setup.

Later it turned out that Ring Signatures could also be applied to digital currencies. The ring signature model conceptually similar to the model described above was presented in the seminal whitepaper of CryptoNote, an application layer protocol.

CryptoNote uses an implementation of Traceable Ring Signatures proposed by Koutarou Suzuki and Eiichiro Fujisaki in a 2006 paper. An optimized version of this type of ring signature is currently employed in several privacy-oriented cryptocurrencies, including Monero.

Later, the concept of Ring Confidential Transactions (Ring CTs) was presented and implemented by Bitcoin Core developer Gregory Maxwell and formally proposed by Monero Research Labs in 2015. 

This was a significant divergence from Monero’ CrytpoNote origins. It should be stressed that the original Ring Signature described in the CryptoNote paper is not what is used in the Monero protocol nowadays.

EdDSA scheme developed and implemented by Daniel J. Bernstein serves as the basic ring signature algorithm. Like Bitcoin's ECDSA, it is based on elliptic curves, so it can be applied to Bitcoin in the future.

The Ring Signatures concept continues to evolve. Currently, Monero’s developers work on the possible implementation of Ring CT 3.0 which improves Ring Confidential Transactions enabling Monero’s Ring Signatures to run on a reduced block size more securely.