Ring signatures in Monero — anonymity at the protocol level

18.03.2022

About ring signatures in Monero

One of the main disadvantages of Bitcoin and similar cryptocurrencies is their low level of anonymity. Monero was one of the first to solve this problem, making anonymity the default by embedding it in the protocol. This was achieved through the use of ring signatures.

What is a ring signature?

In cryptography, a ring signature is a distinct type of signature that can be created by any member of a group of network participants, each of whom has their own key. In effect, the message is signed with a ring signature by one of the members of a certain group. At the same time, thanks to the features of the protocol, it is possible to achieve the highest degree of security, because it is impossible not only to determine whose key was used to sign, but also to calculate that key itself.

The general use of ring signatures can be illustrated with the following example:

In a democratic state, a government is formed on the basis of a popular vote, and each of those elected receives a ring signature. However, even in a highly democratic society, not every necessary decision can be made by one part of society or another. To ensure that nobody can determine who exactly made a particular decision, a ring signature can be used. That is, the authenticity of the decision can be verified, but it is impossible to determine who ultimately made it.

Implementation of Monero ring signatures

The ring signature in Monero is created using the private key of the user's own wallet, which is similar in principle to other cryptocurrencies. However, in addition to the private key, a certain number of public keys are selected from the blockchain. The latter are also commonly referred to as outputs. Thus, past and present outputs can be used several times in the future, which further obscures the chain of transfers.

When a ring signature is formed, each member of the ring has equal standing and is considered equally valid. Thus, it is impossible to determine with any high degree of probability the original initiator of the transaction.

At the same time, Monero went even further and made it impossible to trace the outputs of transfers. To do this, the principle of plausible deniability was introduced, so that even the network itself cannot determine exactly which of the outputs was spent.
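
The construction described in this section, one private key combined with decoy public keys so that every ring member is an equally valid signer, is shown here as an added example; it is not Monero's code and not part of the original article. It is a simplified Schnorr-style ring signature over a toy multiplicative group (Monero's own scheme is elliptic-curve based), and the names `keygen`, `challenge`, `sign`, `verify` and all parameters are assumptions for illustration.

```python
import hashlib
import secrets

# Toy parameters (assumption, NOT secure): the multiplicative group mod the
# Mersenne prime 2^127 - 1. Exponents are reduced mod P - 1 (Fermat).
P = 2**127 - 1
G = 3
N = P - 1

def keygen():
    """Return (private, public); the public key stands in for an output."""
    x = secrets.randbelow(N - 1) + 1
    return x, pow(G, x, P)

def challenge(msg, ring, point):
    """Hash the message, the whole ring and one commitment to a scalar."""
    data = msg + b"|" + ",".join(map(str, ring)).encode() + b"|" + str(point).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def sign(msg, ring, s, x):
    """Sign as ring[s] using private key x; all other members are decoys."""
    n = len(ring)
    c, r = [0] * n, [0] * n
    alpha = secrets.randbelow(N)
    c[(s + 1) % n] = challenge(msg, ring, pow(G, alpha, P))
    i = (s + 1) % n
    while i != s:
        # Decoy: a random response, so this step needs no private key.
        r[i] = secrets.randbelow(N)
        c[(i + 1) % n] = challenge(msg, ring, pow(G, r[i], P) * pow(ring[i], c[i], P) % P)
        i = (i + 1) % n
    # Real signer: the only response that needs a private key closes the ring.
    r[s] = (alpha - c[s] * x) % N
    return c[0], r

def verify(msg, ring, sig):
    """Walk the ring once; valid iff the challenge chain returns to c0."""
    c0, r = sig
    c = c0
    for pub, resp in zip(ring, r):
        c = challenge(msg, ring, pow(G, resp, P) * pow(pub, c, P) % P)
    return c == c0

if __name__ == "__main__":
    keys = [keygen() for _ in range(5)]      # constructed sample ring
    ring = [pub for _, pub in keys]
    for s, (x, _) in enumerate(keys):
        print(s, verify(b"constructed tx", ring, sign(b"constructed tx", ring, s, x)))
```

The signature is `(c0, r)` with one response per ring member; the signer's index `s` never appears in it, and `verify` treats every member identically.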