
Ring signature

Also: ring signatures, Monero ring signature

Origin: Rivest, Shamir, Tauman, 'How to Leak a Secret' (ASIACRYPT 2001); the Monero variant — Multilayered Linkable Spontaneous Anonymous Group signatures, MLSAG — was introduced in Noether et al. (2016) and refined to CLSAG in Goodell et al. (2020).

A cryptographic primitive permitting a signer to produce a signature on behalf of an ad-hoc group of public keys such that a verifier can confirm the signature was produced by some member of the group but cannot determine which. Foundational to Monero's transaction-input unlinkability.

A ring signature is a cryptographic primitive permitting a signer to produce a signature on behalf of an ad-hoc group of public keys — the “ring” — such that a verifier can confirm the signature was produced by some member of the group but cannot determine which. The original construction is due to Rivest, Shamir, and Tauman in their 2001 ASIACRYPT paper “How to Leak a Secret”; subsequent variants address linkability (so the same signer cannot double-sign undetected), efficiency, and integration with confidential-amount commitments.

In Monero, ring signatures are the primitive that obscures the input of a transaction. When a Monero sender constructs a transaction, the transaction’s input field references a ring of plausible candidate outputs drawn from the chain history — the actual output being spent is one of them; the others, the “decoys” or “mixins”, are drawn by the sender’s wallet under a recommended decoy-selection algorithm. A verifier — including a chain observer — can confirm the signature is valid, that some referenced output is being spent, and that the spent output has not been spent before (the linkability property), but cannot identify which output it was.
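The two properties described above (any ring member could have signed, and reuse of the same key is detectable through a key image) can be seen in a minimal single-layer linkable ring signature. This is an added example, not Monero's code: it is an LSAG-style scheme, simpler than MLSAG or CLSAG and without amount commitments, and all function names are assumptions of the example. It runs over a toy multiplicative group that is far too small for real use, where Monero uses an elliptic curve.

```python
import hashlib, secrets
from math import isqrt

def _is_prime(n):
    return n > 2 and n % 2 == 1 and all(n % d for d in range(3, isqrt(n) + 1, 2))

# Toy group (assumption): order-Q subgroup of Z_P*, P = 2Q + 1. Far too small for real use.
Q = next(q for q in range(2**31 + 1, 2**32, 2) if _is_prime(q) and _is_prime(2 * q + 1))
P, G = 2 * Q + 1, 4

def _h(*parts):                      # hash to a scalar mod Q
    return int.from_bytes(hashlib.sha256(repr(parts).encode()).digest(), "big") % Q

def _hp(pub):                        # hash a public key to a subgroup element
    return pow(_h("hp", pub) + 2, 2, P)

def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def _next_challenge(msg, ring, image, i, r, c):
    left = pow(G, r, P) * pow(ring[i], c, P) % P
    right = pow(_hp(ring[i]), r, P) * pow(image, c, P) % P
    return _h(msg, ring, left, right)

def sign(msg, ring, s, x):           # sign as ring[s] (secret key x) without revealing s
    ring, n = tuple(ring), len(ring)
    image = pow(_hp(ring[s]), x, P)  # key image: identical for every signature made with x
    c, r = [0] * n, [0] * n
    a = secrets.randbelow(Q - 1) + 1
    c[(s + 1) % n] = _h(msg, ring, pow(G, a, P), pow(_hp(ring[s]), a, P))
    for k in range(1, n):            # simulate every other member with random responses
        i = (s + k) % n
        r[i] = secrets.randbelow(Q)
        c[(i + 1) % n] = _next_challenge(msg, ring, image, i, r[i], c[i])
    r[s] = (a - c[s] * x) % Q        # only the real signer can close the ring
    return c[0], r, image

def verify(msg, ring, sig):
    ring, (c0, r, image) = tuple(ring), sig
    if len(r) != len(ring) or image % P == 1 or pow(image, Q, P) != 1:
        return False                 # reject malformed or out-of-subgroup key images
    c = c0
    for i in range(len(ring)):
        c = _next_challenge(msg, ring, image, i, r[i], c)
    return c == c0

def linked(sig_a, sig_b):            # same key image => same signing key (double-spend check)
    return sig_a[2] == sig_b[2]
```

The verifier walks the ring from index 0 regardless of who signed, so nothing in the signature marks the real position. The key image is the only value tied to the signer, and it reveals reuse of a key rather than the key's identity.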

The Monero variant has evolved across several protocol upgrades. The original CryptoNote ring signature was replaced in 2017 by the Multilayered Linkable Spontaneous Anonymous Group construction (MLSAG), which extended the scheme to handle the confidential-amount commitments introduced with RingCT. MLSAG was in turn replaced by Concise Linkable Spontaneous Anonymous Group signatures (CLSAG) in the August 2020 network upgrade, halving signature size and roughly halving verification time. The current minimum ring size, set in the August 2022 network upgrade, is sixteen members.

For an offshore-hosting operator that accepts Monero, the ring-signature mechanism is what makes the payment route privacy-preserving by default — the operator’s wallet observes the receiving subaddress and the amount (under the stealth address and RingCT layers respectively), but the chain-level input-linkage that would associate the payment with the subscriber’s other on-chain activity is not exposed. The publication describes the operational implications in the Monero payment dossier.