Monero FCMP++ Upgrade Explained: The End of Ring Signatures
For nearly a decade, Monero's privacy has rested on a clever piece of mathematics called a ring signature: when you spend a coin, your real input is mixed with 15 decoys pulled from the chain, and an outside observer cannot tell which one is yours. That ring size of 16 has held up surprisingly well, but it is also the single most studied attack surface in the protocol. The 2026 hard fork changes the entire model. FCMP++ — short for Full-Chain Membership Proofs Plus Plus — replaces the 16-output ring with a cryptographic proof that your input belongs to the set of every spendable output Monero has ever produced, which today exceeds one hundred million. The anonymity set jumps from 16 to roughly the entire history of the chain. This guide walks through what FCMP++ actually does, why the existing CLSAG scheme needed retiring, how curve trees and the Helios/Selene cycle make the math tractable, and what swapping into XMR through services like MoneroSwapper will feel like once the upgrade ships.
Why CLSAG and Ring Signatures Had to Go
Monero's current signature scheme, CLSAG (Concise Linkable Spontaneous Anonymous Group), was activated in August 2020 and reduced transaction size by roughly 25 percent over the previous MLSAG construction. It is elegant, fast, and battle-tested. But its core premise — that an attacker cannot distinguish the real spend from 15 decoys — has always been an assumption that weakens as chain analysis improves.
Several published heuristics chip away at the nominal 1-in-16 guarantee. The most cited is the Eve-Alice-Eve attack, in which a surveillance entity controls or observes two transactions involving the same target and uses temporal patterns, output age distributions, and known-spent inputs to narrow the effective anonymity set. Researchers have shown that, under realistic adversarial models, the effective ring size can drop well below 16 for certain transactions. Chain-analysis firms such as CipherTrace, Chainalysis, and the Internal Revenue Service's contractor Integra FEC have publicly claimed partial deanonymization capabilities, though the practical accuracy of those claims remains debated.
- Limited anonymity set: 16 inputs out of a 100M-output ledger is statistical privacy, not cryptographic privacy.
- Decoy selection bias: The gamma distribution used to pick decoys leaks information when the real output is unusually old or unusually new.
- Black marble attacks: An adversary who controls a large fraction of newly created outputs can poison future rings by knowing which of the 16 are theirs.
- Closed-set assumption: If a wallet's spending pattern is predictable, the effective set shrinks even when the cryptographic set does not.
FCMP++ removes the entire decoy model. There is no ring. There is no selection algorithm to bias. Instead, the spender produces a zero-knowledge proof that the input being spent is one of the outputs in a Merkle-tree commitment to the full chain — and that proof reveals nothing about which one.
How Full-Chain Membership Proofs Actually Work
The cryptographic challenge for FCMP++ is brutal: prove membership in a set of more than 100 million elements, do it in under a kilobyte, and verify it in milliseconds on a laptop. The Monero Research Lab solved this by stacking three primitives — curve trees, the Helios/Selene cycle, and Bulletproofs+ — into a single composite proof. The result is a signature roughly the size of the current CLSAG with an anonymity set six orders of magnitude larger.
Curve Trees: Merkle Trees for Elliptic Curve Points
A curve tree, introduced by Campanelli, Hall-Andersen, and Kamp in 2022, is a Merkle tree whose internal nodes are elliptic curve commitments rather than ordinary hashes. The leaves contain output public keys and amount commitments; each branch combines its children using a Pedersen commitment on a paired elliptic curve. Because the commitments are homomorphic, you can prove that a hidden leaf lies on a given path without revealing the leaf or the path. The tree for Monero is roughly 25 layers deep at current chain size, and rebalancing happens as part of consensus.
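To make concrete what "membership in a tree commitment" means before the elliptic-curve machinery is layered on, here is an added example written for this article (not code from the Monero project) of a plain hash-based Merkle tree with configurable arity: it builds the tree over a handful of constructed sample output keys, produces a path proof for one leaf, and verifies that proof against the root. The one thing it deliberately does not do is hide anything: a hash-based proof exposes the leaf and its path, which is exactly the gap that a curve tree's Pedersen-commitment nodes and the zero-knowledge proof on top of them close. The `ARITY` constant, the `leaf:`/`node:` domain-separation tags and the sample keys are assumptions of this example, not protocol values.

```python
"""Plain hash-based Merkle membership proof with configurable arity.

Example written for this article, not Monero's code. SHA-256 stands in
for the Pedersen commitments that curve trees use as internal nodes, so
unlike a curve tree this proof reveals the leaf and its path. The output
keys below are constructed sample values.
"""
import hashlib
from typing import List, Tuple

ARITY = 4  # children per internal node (assumed; real curve trees are much wider)

ProofStep = Tuple[int, List[bytes]]  # (position within its group, the other siblings)


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _pad(layer: List[bytes], arity: int) -> List[bytes]:
    """Repeat the last node so every group in the layer has exactly `arity` entries."""
    return layer + [layer[-1]] * (-len(layer) % arity)


def build_tree(leaves: List[bytes], arity: int = ARITY) -> List[List[bytes]]:
    """Return every layer bottom-up: layers[0] are leaf hashes, layers[-1] is [root]."""
    if not leaves:
        raise ValueError("empty set")
    layer = [h(b"leaf:" + leaf) for leaf in leaves]  # domain-separated leaf hash
    layers = [layer]
    while len(layer) > 1:
        padded = _pad(layer, arity)
        layer = [h(b"node:" + b"".join(padded[i:i + arity]))
                 for i in range(0, len(padded), arity)]
        layers.append(layer)
    return layers


def prove(layers: List[List[bytes]], index: int, arity: int = ARITY) -> List[ProofStep]:
    """Path from leaf `index` to the root: at each layer, the node's position in its
    group plus the arity-1 sibling hashes the verifier needs to recompute the parent."""
    proof = []
    for layer in layers[:-1]:
        padded = _pad(layer, arity)
        pos = index % arity
        start = index - pos
        group = padded[start:start + arity]
        proof.append((pos, group[:pos] + group[pos + 1:]))
        index //= arity
    return proof


def verify(root: bytes, leaf: bytes, proof: List[ProofStep], arity: int = ARITY) -> bool:
    """Recompute the root from the leaf and the path; reject malformed steps."""
    node = h(b"leaf:" + leaf)
    for pos, siblings in proof:
        if not 0 <= pos < arity or len(siblings) != arity - 1:
            return False
        group = siblings[:pos] + [node] + siblings[pos:]
        node = h(b"node:" + b"".join(group))
    return node == root


def proof_layers(n_leaves: int, arity: int = ARITY) -> int:
    """Number of proof steps for a set of n_leaves: grows with log(n), not with n."""
    steps, n = 0, n_leaves
    while n > 1:
        n = -(-n // arity)  # ceiling division
        steps += 1
    return steps


# Constructed sample "output keys" standing in for real chain outputs.
SAMPLE_OUTPUTS = [f"output-{i:03d}".encode() for i in range(10)]


def demo() -> bool:
    """Prove leaf 7 is in the set, and confirm the same proof fails for leaf 3."""
    layers = build_tree(SAMPLE_OUTPUTS)
    root = layers[-1][0]
    proof = prove(layers, 7)
    ok = verify(root, SAMPLE_OUTPUTS[7], proof)
    wrong_leaf = verify(root, SAMPLE_OUTPUTS[3], proof)
    return ok and not wrong_leaf


if __name__ == "__main__":
    print("membership proof checks out:", demo())
    print("proof steps for 1e8 outputs at arity 4:", proof_layers(100_000_000))
```

The verifier only ever sees the root, so the set it is checking against can be the whole chain; what the proof above leaks is `pos` at every layer, which pins down the leaf's index exactly. The curve-tree construction keeps the same shape (a path of fixed-arity groups up to a single root) but replaces the hashes with commitments the prover can open inside a zero-knowledge proof, so the path positions never leave the prover.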
The Helios and Selene Curve Cycle
Curve trees need two elliptic curves that fit inside each other arithmetically — the base field of one curve is the scalar field of the other. The Monero Research Lab settled on a new pair called Helios and Selene, designed in 2024 specifically for this purpose. They were chosen over alternatives like the Pasta cycle (used in Mina) because they offer better constant-time arithmetic in Rust and C++ and play nicely with the existing Ed25519 keys Monero already uses. Crucially, existing outputs do not need to be migrated to the new curves; the proof system bridges Ed25519 to Helios at the leaf layer.
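The "base field of one curve is the scalar field of the other" requirement is easiest to see on toy curves. The following is an added example for this article, not the Monero Research Lab's Helios/Selene implementation and not their parameters: it brute-forces point counts on tiny short-Weierstrass curves, finds the smallest 2-cycle (a curve over F_p with prime order q and a curve over F_q with order p), and then performs the operation a curve tree repeats at every layer, using the x-coordinate of a point on one curve directly as a scalar on the other, which is well defined without any wrap-around only because the orders line up. The curves it finds (over F_5 and F_7) are toy-sized and exist only to illustrate the property; the `hop` function and the choice of generator are assumptions of this example.

```python
"""Toy 2-cycle of elliptic curves, illustrating the Helios/Selene property.

Example written for this article; it is not the Monero Research Lab's
Helios/Selene code, and the curves over F_5 and F_7 it finds are toy
parameters constructed for illustration, with no cryptographic strength.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

Point = Optional[Tuple[int, int]]  # None stands for the point at infinity


@dataclass(frozen=True)
class Curve:
    """Short Weierstrass curve y^2 = x^3 + a*x + b over the prime field F_p."""
    p: int
    a: int
    b: int

    def is_valid(self) -> bool:
        # Short Weierstrass form needs characteristic > 3 and a non-singular curve.
        return self.p >= 5 and (4 * self.a ** 3 + 27 * self.b ** 2) % self.p != 0

    def is_on_curve(self, P: Point) -> bool:
        if P is None:
            return True
        x, y = P
        return (y * y - (x ** 3 + self.a * x + self.b)) % self.p == 0

    def add(self, P: Point, Q: Point) -> Point:
        """Affine group law; pow(v, -1, p) is the modular inverse."""
        if P is None:
            return Q
        if Q is None:
            return P
        x1, y1 = P
        x2, y2 = Q
        if x1 == x2 and (y1 + y2) % self.p == 0:
            return None  # P + (-P) = infinity; also covers doubling a point with y = 0
        if P == Q:
            lam = (3 * x1 * x1 + self.a) * pow((2 * y1) % self.p, -1, self.p) % self.p
        else:
            lam = (y2 - y1) * pow((x2 - x1) % self.p, -1, self.p) % self.p
        x3 = (lam * lam - x1 - x2) % self.p
        y3 = (lam * (x1 - x3) - y1) % self.p
        return (x3, y3)

    def mul(self, k: int, P: Point) -> Point:
        """Double-and-add scalar multiplication for a non-negative integer k."""
        R: Point = None
        while k > 0:
            if k & 1:
                R = self.add(R, P)
            P = self.add(P, P)
            k >>= 1
        return R

    def order(self) -> int:
        """Brute-force point count; fine for the tiny fields used here."""
        n = 1  # the point at infinity
        for x in range(self.p):
            rhs = (x ** 3 + self.a * x + self.b) % self.p
            n += sum(1 for y in range(self.p) if (y * y) % self.p == rhs)
        return n

    def first_point(self) -> Tuple[int, int]:
        """Smallest affine point; on a prime-order curve every such point generates the group."""
        for x in range(self.p):
            for y in range(self.p):
                if self.is_on_curve((x, y)):
                    return (x, y)
        raise ValueError("no affine points")


def is_prime(n: int) -> bool:
    return n >= 2 and all(n % d for d in range(2, int(n ** 0.5) + 1))


def find_cycle(max_p: int = 50) -> Tuple[Curve, Curve]:
    """Smallest pair (E1 over F_p, E2 over F_q) with #E1 = q and #E2 = p, p != q, both prime."""
    for p in range(5, max_p):
        if not is_prime(p):
            continue
        for a in range(p):
            for b in range(p):
                E1 = Curve(p, a, b)
                if not E1.is_valid():
                    continue
                q = E1.order()
                if q == p or q < 5 or not is_prime(q):
                    continue
                for a2 in range(q):
                    for b2 in range(q):
                        E2 = Curve(q, a2, b2)
                        if E2.is_valid() and E2.order() == p:
                            return E1, E2
    raise ValueError("no cycle found below max_p")


def hop(src: Curve, dst: Curve, P: Tuple[int, int]) -> Point:
    """Use the x-coordinate of a point on `src` as a scalar on `dst` (assumed helper).

    x lives in src's base field F_p; because #dst == p, the scalars of dst are
    exactly Z_p, so no reduction or truncation is needed. A curve tree repeats
    this step at every layer, alternating between the two curves.
    """
    if dst.order() != src.p:
        raise ValueError("curves do not form a cycle in this direction")
    return dst.mul(P[0], dst.first_point())


if __name__ == "__main__":
    E1, E2 = find_cycle()
    print("E1:", E1, "order", E1.order())
    print("E2:", E2, "order", E2.order())
    P = E1.mul(3, E1.first_point())
    Q = hop(E1, E2, P)
    R = hop(E2, E1, Q)
    print("E1 point", P, "-> E2 point", Q, "-> E1 point", R)
```

Running it finds E1: y^2 = x^3 + 2x + 1 over F_5 with 7 points and E2: y^2 = x^3 + x + 1 over F_7 with 5 points, and `hop` carries a point back and forth between them with no coercion of field elements. On Monero's scale the same property is what lets a commitment on Helios be fed, as a scalar, into the parent commitment on Selene and vice versa, while the Ed25519 output keys only need to be bridged once, at the leaf layer, as the text above notes.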
Bulletproofs+ for Range and Composition
Range proofs (proving that the output amount is non-negative without revealing it) still rely on Bulletproofs+, the same primitive used since the November 2022 fork. FCMP++ extends BP+ to also prove the composite statement: "I know the opening of a leaf at some position in the curve tree, and that leaf commits to an output I own, and I have not spent it before." The resulting proof clocks in at around 3 KB before aggregation and verifies in under 50 milliseconds on a modern CPU, according to benchmarks published by Luke "Kayaba" Parker in the reference implementation.
What Changes for Users and Wallet Operators
For ordinary Monero users, the day FCMP++ activates will look surprisingly mundane. Your wallet syncs, your subaddresses keep working, your seed phrase remains valid. The change is invisible in the UI but profound underneath. Below is a side-by-side of the practical differences.
| Property | Pre-fork (CLSAG) | Post-fork (FCMP++) |
|---|---|---|
| Anonymity set per input | 16 outputs | ~100M+ outputs (entire chain) |
| Transaction size (2-in, 2-out) | ~1.5 KB | ~3–4 KB |
| Verification time | ~10 ms | ~40–50 ms |
| Decoy selection | Gamma distribution, client-side | None — chain commitment |
| Hardware wallet support | Trezor, Ledger | Trezor first, Ledger likely 6–12 mo later |
| Resistance to chain analysis | Statistical, weakens over time | Cryptographic, set grows with chain |
| Black marble / poisoning attacks | Possible at scale | Eliminated |
Transaction fees will rise modestly — early estimates suggest 1.8x to 2.5x the current minimum fee per kilobyte — because proofs are larger. However, the dynamic block size mechanism absorbs most of the impact, and tail emission keeps miner revenue stable. The Monero Research Lab has published a calculator that estimates a typical wallet user will pay an extra two to four US cents per transaction.
"FCMP++ is the largest privacy upgrade in Monero's history. We are moving from 'probably anonymous among 16' to 'provably anonymous among everyone who ever used the chain.'" — Justin Berman, MRL contributor, at MoneroKon 2025
Step-by-Step: How to Prepare for the FCMP++ Hard Fork
The hard fork is scheduled tentatively for late 2026 pending final audit and code review. Here is what every Monero user should do to be ready, whether you self-custody, run a node, or swap into XMR through a service.
- Update your wallet software at least one week before the fork. Watch the official monero-project GitHub releases page for the v0.19 → v0.20 jump that carries FCMP++ support. Old wallets will simply stop being able to broadcast valid transactions after the fork height.
- If you run a node, plan for an initial resync of the curve tree. The first sync after the fork rebuilds the membership commitment from genesis. Allow 4–8 hours of CPU time on consumer hardware. Pruned nodes are supported but take roughly 30 percent longer.
- Move funds off hardware wallets that have not yet shipped firmware updates. Trezor has committed to day-one support. Ledger users should expect a longer wait — historically Ledger has been 6–12 months behind Monero forks. If you cannot wait, sweep to a hot wallet running the latest CLI before the fork.
- Verify mining pool readiness if you mine. P2Pool and the major centralized pools (SupportXMR, Nanopool, MineXMR successors) have all signaled support. Solo miners should rebuild their node from the official source after the release tag drops.
- If you use an exchange or swap service, confirm fork support in advance. Reputable no-KYC swap platforms — including MoneroSwapper, which uses aggregated liquidity from several exchanges — have historically supported Monero forks within hours of activation. Check the service status page before fork day if you intend to swap.
- Back up your seed before any major upgrade. Polyseed and the legacy 25-word mnemonic both remain valid post-fork; no migration of keys is required. But upgrades are an excellent forcing function to verify your backups still restore correctly.
Practical Example: A KYC-Free Swap Before and After the Fork
Consider a real-world workflow. Alice in Lisbon receives a freelance payment of 0.04 BTC and wants to convert it to XMR for a hardware purchase from a vendor who accepts only Monero. Before FCMP++, her workflow on MoneroSwapper looks like this: she pastes her Monero subaddress, gets a one-time BTC deposit address, sends, and within 30 minutes the XMR lands. The transaction joining her input to the broader chain is protected by a ring of 16 — strong, but not unbreakable against a determined adversary watching both endpoints.
After FCMP++ activates, the same swap completes through the same interface, but the underlying transaction the swap service broadcasts on Alice's behalf carries a proof that her output could be any of more than 100 million outputs in the chain. Even if a chain-analysis firm correlates the BTC deposit with Alice and watches the XMR exit, they cannot link Alice's specific output to the eventual spend by the hardware vendor — the cryptographic membership proof reveals nothing about which leaf in the curve tree was actually spent. The user experience is identical; the privacy guarantee is qualitatively different.
Regional context matters here. Portugal does not yet impose KYC on peer-to-peer crypto swaps below €1,000, and the EU's MiCA framework, fully in force since December 2024, explicitly carves out non-custodial wallet-to-wallet transfers from travel-rule reporting. FCMP++ does not change anything about regulatory status — it changes what an adversary can prove from chain data after the fact. For users in jurisdictions where financial surveillance is more aggressive, the upgrade is closer to existential.
The Roadmap: FCMP++, Seraphis, and Carrot
FCMP++ is not the endpoint of Monero's privacy roadmap; it is a stepping stone. The next major proposal, Seraphis, redesigns the transaction protocol from the ground up and pairs naturally with a new addressing scheme called Jamtis (and its lighter cousin, Carrot, proposed by user jeffro256 in 2024). Seraphis brings native multisignature support, smaller view-tag-based scanning, and better forward secrecy for view-only wallets.
The order of operations matters. By shipping FCMP++ first as a contained upgrade to the signature scheme, the Monero Research Lab buys time to finalize Seraphis without rushing two major changes into one fork. The historical analog is the path from MLSAG to CLSAG in 2020, which arrived 18 months before the Bulletproofs+ upgrade. Expect Seraphis activation no earlier than 2027, and only after the FCMP++ codebase has had at least one full release cycle in production.
There is also the parallel question of post-quantum security. Neither CLSAG nor FCMP++ is post-quantum safe in its current form — both rely on the discrete log assumption on elliptic curves. A quantum adversary with a sufficiently large fault-tolerant computer could, in principle, break either system retroactively. The MRL has begun research into lattice-based replacements, but production-ready post-quantum Monero is likely a 2030s project. FCMP++ buys headroom against today's adversaries; quantum resistance is a separate roadmap item.
FAQ
When exactly does FCMP++ activate on mainnet?
As of mid-2026, the target activation height is tentatively scheduled for the October–November window, contingent on completion of two independent code audits (one funded by the Monero Community Crowdfunding System, one by an external firm not yet publicly named) and a successful testnet run lasting at least 90 days. The Monero Research Lab has consistently prioritized correctness over schedule, so a slip into early 2027 is plausible. Watch the monero-project repository for the v0.20 release tag, which will be the canonical signal.
Do I need to do anything with my existing XMR before the fork?
No. Your existing outputs, subaddresses, and seed remain valid. The curve tree is built from all spendable outputs at fork height, so coins you held before the fork are automatically included in the new anonymity set. There is no migration transaction, no token swap, and no risk of losing funds simply by holding through the fork. The only caveat is keeping your wallet software up to date so you can spend after the upgrade.
Will hardware wallets still work?
Trezor has committed to day-one support, with firmware in active development that has already been tested on the FCMP++ testnet. Ledger historically takes longer — the gap between Monero forks and Ledger support has averaged 6–12 months in past upgrades. If you rely on Ledger, plan to either accept a delay in spending capability or temporarily sweep funds to the official CLI wallet, which always has first-class support for the latest protocol version.
Does FCMP++ make Monero post-quantum secure?
No. FCMP++ improves the anonymity set against classical chain analysis but inherits Monero's existing reliance on the elliptic curve discrete logarithm problem. A future quantum computer of sufficient scale could, in theory, break the underlying signatures. Post-quantum Monero is a separate, longer-term research project. The Monero Research Lab has discussed lattice-based and isogeny-based candidates, but none are anywhere near production-ready.
How does this affect transaction fees?
Early estimates suggest base fees will rise roughly 1.8x to 2.5x because the proofs are larger than CLSAG signatures. In absolute terms, a typical 2-input/2-output transaction that costs around one US cent today would cost two to four cents post-fork. The dynamic block size and tail emission mechanisms cushion the impact, and aggregated fees per kilobyte of useful data remain among the lowest of any privacy coin.
Can I swap into XMR anonymously during or right after the fork?
Yes, provided the swap service you use supports the upgrade. MoneroSwapper and other no-KYC aggregators typically pause new Monero deposits for a few hours around the fork height to allow node operators to upgrade, then resume normal operation. Funds sent to a deposit address before the pause are processed once nodes catch up. There is no risk of losing funds, but there may be a brief window of delayed confirmations. Plan large swaps either well before or well after the fork window for the smoothest experience.
Conclusion
FCMP++ is the kind of upgrade that justifies Monero's reputation as the most actively researched privacy coin in production. It replaces a decade-old assumption — that 16 decoys are enough — with a cryptographic guarantee tied to the full chain. The math is hard, the audits are still in progress, and the rollout will not be instant or painless, but the destination is a Monero where the anonymity set is no longer a parameter to be tuned and weakened over time. For anyone who relies on private money, whether for compliant business reasons, personal financial privacy, or operating in jurisdictions where surveillance is the default, that destination is worth the wait. When the fork lands, swapping into XMR through MoneroSwapper will work exactly as it does today — only the underlying privacy will be qualitatively stronger. Bookmark the page, watch for the v0.20 release, and update your wallet before the fork height.