How Monero Ring Signatures Work: Privacy Guide
How Monero Ring Signatures Work: A Plain-English Guide to the Math Behind Real Privacy
In April 2024, a German court ordered the takedown of a Bitcoin mixing service that had processed more than $700 million in transactions, freezing assets and arresting two of its operators within a week. That same year, several blockchain analytics firms publicly claimed they could de-anonymize a large share of Wasabi 2.0 CoinJoin outputs given enough flow analysis. Monero, by contrast, kept doing what it has done since 2017: bundling every transaction with a crowd of cryptographic decoys and letting the math do the hiding. That hiding mechanism is called a ring signature, and despite years of academic and commercial pressure, it remains one of the most stubborn obstacles in mainstream chain analysis. This guide unpacks how it actually works — not as marketing copy, but as a sequence of mathematical commitments you can reason about. We will trace the path from a wallet keystroke to a confirmed transaction, examine what changed when CLSAG replaced MLSAG in October 2020, and look at where FCMP++ is taking Monero in 2026. If you have ever wondered why MoneroSwapper can match a deposit to a withdrawal without ever learning your wallet history, this is the underlying technology.
Why Monero Needed a New Kind of Signature in the First Place
Most blockchains are radically transparent. When you send Bitcoin or Ethereum, the network records three pieces of public information forever: which address paid, which address received, and how much moved. Anyone with a block explorer can reconstruct that flow years later, and modern heuristics cluster addresses into wallets and wallets into people with frightening accuracy. The 2024 enforcement wave against centralized mixers showed how fragile "pseudonymity" turns out to be once transaction graphs become permanent forensic artifacts.
Monero was designed by people who took that threat model seriously from day one. To deliver real fungibility — the property that one unit is interchangeable with any other — the protocol had to hide all three of the items a transparent chain reveals. Three different primitives do that work, and they are easy to confuse:
- Stealth addresses hide the recipient. Every payment lands on a one-time public address derived from your main keys, so the receiver shown on chain is never the address you shared.
- RingCT (Confidential Transactions) hides the amount. Pedersen commitments and range proofs (now Bulletproofs+) prove the sender is not creating money out of thin air without revealing the numbers.
- Ring signatures hide the sender. They prove that one of a group of plausible spenders authorized the transaction, without revealing which one.
This article focuses on the third pillar. Stealth addresses and RingCT are essential, but the ring signature is the part that breaks the most fundamental assumption of forensic analysis: that you can follow a coin from input to output. Once that link is cryptographically scrambled, the entire timing-and-flow toolkit blockchain investigators rely on degrades from "near-perfect" to "statistical guesswork".
How a Ring Signature Actually Works Under the Hood
The core idea sounds almost too simple. When you spend a Monero output, your wallet pulls in 15 other outputs from the chain as decoys, mixes them with your real one to form a "ring" of 16 candidates, and produces a signature that proves one of those 16 is the genuine spender — without saying which. A verifier can confirm the signature is valid; what they cannot do is point to the true input.
Decoy Selection: Where the Ring Members Come From
Decoys are not random outputs from anywhere in the chain. Random selection would actually be terrible, because real spends concentrate near the present while truly old outputs are rarely moved. A naive uniform random pick would make the youngest input in every ring look suspicious. Monero instead uses a carefully tuned probability distribution that mimics observed spending patterns: most decoys come from the recent past, with a long tail reaching back years. The current parameters were last revisited in the Fluorine Fermi hard fork and are deliberately tuned so a decoy is statistically indistinguishable from a genuine recent spend.
This matters because every weakness in the decoy distribution becomes a privacy leak. Researchers have published several papers tightening the model over the years, and each one has landed in a network upgrade. The 16-member ring size that has been mandatory since the August 2022 protocol bump is not arbitrary; it is a compromise between transaction size, verification cost, and the entropy needed to defeat known clustering heuristics.
The Cryptographic Magic: Linkable Ring Signatures
The signing scheme Monero uses is a descendant of the 2004 paper by Liu, Wei, and Wong on linkable spontaneous anonymous group signatures. "Spontaneous" means the signer can pull any public keys off the chain to form their ring; nobody needs to opt in to be a decoy. "Linkable" means the protocol can detect if the same output is spent twice, even though no observer knows which output that is.
Underneath, the math operates on Ed25519, the same elliptic curve used by many modern crypto systems. The signer holds a private spend key corresponding to exactly one public key in the ring. They construct a sequence of intermediate values that, when chained around the ring, can only close into a valid signature if they hold one of the private keys. Mathematically, only the real spender can produce the closing value; for every other ring position, the math is forced. A verifier checks the chain closes, accepts the signature, and learns nothing else.
Key Images: The Anti-Double-Spend Trick
The linkability part is where the protocol earns its "no inflation" guarantee. For each output spent, the signer must publish a key image — a deterministic value derived from their private key and the output being spent. Two different spends of the same output produce the same key image; two different outputs produce different key images. The network keeps a list of every key image ever seen and rejects any transaction whose key image is already there.
The brilliance is that the key image reveals nothing about which output was spent. It is bound to the private key through a one-way function, so an outside observer cannot reverse it back to a public key. They can only check membership in a sorted set of past key images. Double-spend prevention without identity exposure — that is the headline feature that made Monero possible at all.
If you remember one thing: the ring proves "someone in this group spent something legitimately" and the key image proves "whatever they spent has not been spent before". Neither tells the verifier which output or which signer.
From MLSAG to CLSAG: Why the 2020 Upgrade Mattered
Monero's signing scheme has been replaced twice since the chain launched in 2014. The original ring signatures had no amount hiding; the January 2017 hard fork introduced RingCT and with it MLSAG (Multilayered Linkable Spontaneous Anonymous Group signatures), which signed over both the spend authorization and the amount commitment in one structure. MLSAG worked, but it was bulky. Every additional ring member added roughly 32 bytes per layer, and transactions ballooned as the mandatory ring size climbed from 5 to 7 to 11.
In October 2020, the network upgraded to CLSAG (Concise Linkable Spontaneous Anonymous Group), designed by Goodell, Noether, and RAIR Lab. CLSAG is mathematically equivalent in security guarantees but produces signatures roughly 25% smaller and verifies about 10% faster. The savings compound: smaller transactions mean lower fees, faster block propagation, and more room in each block for legitimate use.
| Scheme | Active period | Ring size | Signature size (16-ring) | Key feature |
|---|---|---|---|---|
| Original CryptoNote rings | 2014 – Jan 2017 | Variable, often 3 | ~1.5 KB | No amount hiding |
| MLSAG (with RingCT) | Jan 2017 – Oct 2020 | 5 → 7 → 11 | ~2.5 KB | First confidential amounts |
| CLSAG (with Bulletproofs+) | Oct 2020 – present | 16 (fixed) | ~1.9 KB | Smaller, faster, same security |
| FCMP++ (Full-Chain Membership Proofs) | Planned 2026 hard fork | Effectively all outputs | Constant (~3 KB total) | Anonymity set = entire chain |
The numbers in that table are why CLSAG was not a cosmetic change. Pair it with the Bulletproofs+ upgrade that landed in August 2022 and the average Monero transaction now weighs in around 2.0 KB — only a few times larger than a transparent Bitcoin transaction, despite hiding sender, receiver, and amount simultaneously.
Step-by-Step: What Happens When You Hit Send
It helps to walk through a real transaction in order. Suppose you want to pay 0.7 XMR to a merchant who has shared a public address that can receive stealth-address payments. Here is the sequence your wallet executes, with the privacy primitive that is doing the work at each step:
- Construct the recipient's one-time address. Your wallet generates a random transaction key, combines it with the merchant's public view key and spend key, and produces a fresh stealth address that only the merchant can identify as belonging to them. Nobody else watching the chain can link this one-time address back to the merchant's published address.
- Select inputs to fund the payment. Your wallet finds outputs in your own balance that sum to at least 0.7 XMR plus the network fee. For each one, it queries the daemon for a candidate set of decoys drawn from the chain using the age-weighted distribution described earlier.
- Build the rings. For each input you are spending, the wallet mixes your real output with 15 decoys to form a 16-member ring. The position of your real output inside the ring is randomized so the index itself leaks nothing.
- Compute commitments and range proofs. The amounts are encoded as Pedersen commitments — homomorphic values that prove sums balance without revealing individual numbers. A Bulletproofs+ range proof confirms each output is non-negative and under a maximum, defeating overflow tricks.
- Generate the CLSAG signature. Using your private spend key and view key, the wallet produces the linkable ring signature plus one key image per input. This is the heaviest cryptographic step locally, but it still runs in milliseconds on a modern phone.
- Broadcast through Dandelion++. The signed transaction enters the network not via direct gossip but through a randomized "stem" phase that routes it through several peers before going public. This frustrates anyone trying to correlate transactions with the IP address that originated them.
- Verification by every node. Each Monero node independently checks: the ring signature is valid, no key image has been seen before, the Pedersen commitments balance, and the range proofs verify. If anything fails, the transaction is dropped. If everything passes, it lands in the mempool and shortly afterward in a block.
That entire workflow, from button press to first confirmation, typically completes in about two minutes on the live network. Every privacy property is enforced at the protocol layer; there is no opt-out, no transparent mode, and no way for a user to accidentally produce a traceable transaction. This is one of the design choices that most clearly separates Monero from optional-privacy chains, and it is the property that makes platforms like MoneroSwapper viable as a no-account swap layer: every coin that flows in is statistically indistinguishable from every other coin, so there is no risk of receiving a "tainted" output that exchanges later refuse to honor.
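As an added example that is not from the article or from Monero's own code base, the following pure-Python model implements a Liu-Wei-Wong style linkable ring signature over Ed25519 and realises steps 3, 5 and 7 of the walkthrough above together with the ring-closing and key-image mechanics described in the earlier sections. It is a teaching model rather than CLSAG: there is no amount-commitment layer, SHA-512 stands in for Monero's Keccak, the curve arithmetic is slow affine code chosen for readability, and the hash-to-point construction and message layout are this example's own choices.

```python
import hashlib
import secrets

P = 2**255 - 19  # Ed25519 field; curve -x^2 + y^2 = 1 + D x^2 y^2, base point G of prime order L
L = 2**252 + 27742317777372353535851937790883648493
D = (-121665 * pow(121666, -1, P)) % P
G = (15112221349535400772501151409588531511454012693041857206046113283949847762202,
     46316835694926478169428394003475163141307993866256225615783033603165251855960)

def add(a, b):  # affine twisted-Edwards point addition; (0, 1) is the identity
    (x1, y1), (x2, y2) = a, b
    t = D * x1 * x2 * y1 * y2
    return ((x1 * y2 + x2 * y1) * pow(1 + t, -1, P) % P, (y1 * y2 + x1 * x2) * pow(1 - t, -1, P) % P)
def mul(k, pt):  # double-and-add scalar multiplication
    r = (0, 1)
    while k:
        if k & 1:
            r = add(r, pt)
        pt, k = add(pt, pt), k >> 1
    return r

def enc(pt):  # 32-byte encoding: y with the parity of x in the top bit
    return (pt[1] | ((pt[0] & 1) << 255)).to_bytes(32, "little")
def h_scalar(*parts):  # hash byte strings and points to a scalar mod L
    raw = b"".join(p if isinstance(p, bytes) else enc(p) for p in parts)
    return int.from_bytes(hashlib.sha512(raw).digest(), "little") % L

def hash_to_point(pub):  # H_p: a point with unknown discrete log (try-and-increment, cofactor cleared)
    for ctr in range(256):
        y = int.from_bytes(hashlib.sha512(b"H_p" + enc(pub) + bytes([ctr])).digest()[:32], "little") % P
        xx = (y * y - 1) * pow(D * y * y + 1, -1, P) % P
        x = pow(xx, (P + 3) // 8, P)
        x = x if x * x % P == xx else x * pow(2, (P - 1) // 4, P) % P  # P = 5 mod 8: other root
        if x * x % P == xx:
            return mul(8, (x, y))
    raise ValueError("no curve point found")

def sign(msg, ring, idx, x):  # LSAG over the public keys in ring; requires ring[idx] == x*G
    n, hp = len(ring), [hash_to_point(p) for p in ring]
    img = mul(x, hp[idx])  # key image: same key, same image, every time
    c, s = [0] * n, [secrets.randbelow(L) for _ in range(n)]
    alpha = secrets.randbelow(L)  # one-time nonce for the real slot
    c[(idx + 1) % n] = h_scalar(msg, *ring, img, mul(alpha, G), mul(alpha, hp[idx]))
    i = (idx + 1) % n
    while i != idx:  # each decoy slot is forced by its random s_i
        li = add(mul(s[i], G), mul(c[i], ring[i]))
        ri = add(mul(s[i], hp[i]), mul(c[i], img))
        c[(i + 1) % n] = h_scalar(msg, *ring, img, li, ri)
        i = (i + 1) % n
    s[idx] = (alpha - c[idx] * x) % L  # closing the ring needs the private key
    return img, c[0], s

def verify(msg, ring, sig):
    img, c, s = sig
    for i, pub in enumerate(ring):  # walk the chain; it must close back on sig[1]
        li = add(mul(s[i], G), mul(c, pub))
        ri = add(mul(s[i], hash_to_point(pub)), mul(c, img))
        c = h_scalar(msg, *ring, img, li, ri)
    return c == sig[1]
```

The hash_to_point step is where a shortcut would be fatal: if H_p(P) were simply h(P)*G, any observer could compute h(P)*P for each ring member and match it against the published key image, identifying the real spender. A node enforces the double-spend rule by checking the returned key image against the set of every key image it has already accepted.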
Where Ring Signatures Still Leak — and What FCMP++ Fixes
Pretending the current scheme is invulnerable would be dishonest. Researchers have published several attacks over the years that nibble at the edges of the anonymity set. The most famous early one was the "EAE attack" exploiting reused outputs across multiple transactions before the protocol enforced minimum ring sizes. Another class of analyses uses timing windows: if 15 of 16 ring members are clearly too old to plausibly be the spender (because the same wallet just received the real output minutes ago), the effective anonymity set shrinks.
The Monero research community has responded to each of these with parameter tweaks: bigger rings, refined decoy distributions, output spendability windows, and protocol changes that enforce healthier mixing. The Krypton et al. paper and subsequent Möser-Soska updates from 2023 to 2025 collectively pushed real-world ring effectiveness from "good" to "very hard to attack at scale". Commercial chain-analysis firms have repeatedly downgraded Monero from "analyzable with effort" to "not commercially tractable" in their internal capability matrices.
The next step is more radical. FCMP++ — Full-Chain Membership Proofs with extensions — replaces the 16-member ring with a zero-knowledge proof that the spent output belongs to the set of all unspent outputs in Monero's entire history. Instead of hiding among 15 decoys, every spender will hide among tens of millions of outputs simultaneously. The proof remains constant size regardless of how big that set grows. This is the kind of upgrade that does not just narrow the attack surface; it removes most of the surface. Scheduled for a hard fork in 2026, it represents the most significant privacy improvement to Monero since RingCT itself.
A Practical Example: Buying Monero Without Touching a Custodian
Imagine a freelancer in Argentina who needs to convert USDT earnings into something the local government cannot freeze on a whim and that still provides real privacy on chain. Going through a centralized exchange means KYC, withdrawal limits, and an account that can be shut overnight — a scenario that played out repeatedly in 2024 and 2025 as several Latin American jurisdictions tightened their grip on stablecoins.
Using a non-custodial swap layer such as MoneroSwapper, the same freelancer can send USDT (on Tron, BNB Chain, or Ethereum) and receive XMR directly to a self-custody wallet address. Nothing is held overnight; nothing requires an account; the inbound stablecoin and outbound Monero share no on-chain link beyond the swap engine itself. From that point on, every onward payment the freelancer makes is shielded by the ring signature mechanics described above. The privacy properties of the destination chain — not the swap interface — are what carry forward, which is why understanding ring signatures matters for anyone using Monero for real-world payments rather than speculation.
FAQ
Does a bigger ring size always mean better privacy?
Up to a point, yes — but with diminishing returns and rising costs. The jump from 11 to 16 ring members in 2022 meaningfully reduced certain clustering attacks while keeping transaction sizes manageable. Going to 32 or 64 would add bytes, and therefore fees, to every transaction and slow verification on lightweight nodes more than it would improve effective anonymity against modern heuristics. The FCMP++ approach sidesteps this trade-off entirely by switching to a constant-size proof over the full output set, which is why the Monero research community has prioritized that path over simply enlarging the ring.
Can blockchain analysis firms trace Monero transactions?
Public claims from analytics vendors are usually carefully worded. They can sometimes narrow the candidate inputs in a ring under specific historical conditions — old transactions from before ring sizes were enforced, transactions with poor decoy selection in early wallets, or cases where off-chain metadata (exchange logs, IP addresses) leaks information the chain itself does not contain. They cannot, in general, point to a specific input in a modern CLSAG ring with cryptographic certainty. Anyone marketing a "Monero tracer" is selling probabilistic guesses, not deterministic resolution.
How is a ring signature different from a CoinJoin?
A CoinJoin is a coordinated, opt-in mix where multiple users combine real inputs and outputs into one transaction to obscure who paid whom. It requires participation, coordination, and often a coordinator service that becomes a single point of regulatory pressure. A ring signature is unilateral — the signer picks decoys from the public chain without those decoy owners knowing or consenting. There is no coordinator, no opt-in step, and no participation requirement. Every Monero transaction is privacy-protected by default, which is a structural advantage no Bitcoin-style mixing protocol can match.
Does Monero's privacy depend on enough users transacting?
Less than people assume. Because decoys are drawn from the entire historical output set, even a low-volume period still gives spenders access to millions of plausible decoys. Once FCMP++ ships, the dependence on current network activity for privacy drops nearly to zero — the anonymity set becomes the lifetime output set. That said, more real transactions always strengthen the decoy distribution against statistical attacks, so healthy ongoing usage does help at the margins.
Are ring signatures quantum resistant?
Not in their current Ed25519 form. A sufficiently large quantum computer running Shor's algorithm could in principle recover private keys from public keys, breaking both the spend authorization and key image binding. This is not a Monero-specific problem; nearly every elliptic-curve scheme in production crypto faces it. The Monero research community is tracking post-quantum signature candidates, but the practical timeline for quantum machines large enough to threaten Ed25519 is widely estimated at a decade or more, which leaves room for staged upgrades. FCMP++ groundwork also moves the codebase closer to schemes where swapping the underlying primitive becomes feasible.
Can I see my own ring signature on a block explorer?
You can see the ring — meaning the 16 public outputs that were referenced as candidates — for any Monero transaction in any explorer. What you cannot see is which one was the real spender, even for your own transactions, unless you happen to be the one who built it and still have the wallet that did. The chain simply does not store that information, which means even subpoenas to node operators cannot extract it; the data was never written down anywhere.
Conclusion
Ring signatures are not magic; they are a careful application of decades-old cryptographic ideas to a problem that transparent blockchains created and refused to solve. Every time you spend XMR, your wallet quietly does the work of pulling 15 decoys from history, weaving them into a CLSAG signature, and producing a key image that proves no double-spend without naming you as the spender. That mechanism is what makes Monero usable as actual money rather than a tracked digital asset, and it is the foundation everything else — RingCT, stealth addresses, the upcoming FCMP++ upgrade — builds on. If you are ready to put the theory into practice, you can swap into XMR without an account at MoneroSwapper and start sending payments that benefit from every layer of privacy this guide just walked through.