Monero CLSAG Signatures Explained

On 17 October 2020, at block 2,210,720, Monero quietly swapped out the cryptographic engine behind every single transaction. The "Oxygen Orion" hard fork retired the old MLSAG ring signature and replaced it with CLSAG — and the result was roughly 25% smaller transactions and 10–20% faster verification overnight. If you have ever sent XMR, or moved Bitcoin into Monero through a service like MoneroSwapper, your transaction was protected by a CLSAG signature without you ever noticing.

Most people treat Monero's privacy as a black box: coins go in, untraceable coins come out. But the magic that hides who sent what has a name and a structure. CLSAG is the piece that lets you prove "I own one of these outputs and I am spending it exactly once" — without revealing which output is yours. This article breaks down what CLSAG is, how it works, why it replaced its predecessor, and where it sits in Monero's roadmap as newer proofs like FCMP++ approach the network.

What CLSAG Actually Stands For

CLSAG is an acronym, and each letter describes a real property of the scheme. It is short for Concise Linkable Spontaneous Anonymous Group signatures. The design came out of a 2019 research paper by Brandon Goodell, Sarang Noether, and a contributor known as RandomRun, and it was peer-reviewed and audited before reaching mainnet.

• Concise: the signature is compact. A CLSAG produces far fewer scalars per ring member than the scheme it replaced, which is exactly where the size savings come from.
• Linkable: if the same output is ever spent twice, the network can detect it. This is done through a key image, a deterministic fingerprint that prevents double-spending without exposing the spender.
• Spontaneous: no setup ceremony and no cooperation between the people whose outputs appear in your ring. You can pull in decoys from the blockchain without their knowledge or consent.
• Anonymous: a verifier can confirm the signature is valid but cannot tell which of the ring members actually authorized it.
• Group: the signature is made on behalf of a group — the ring — rather than a single identifiable key.

Put those properties together and you get the core of Monero's sender privacy: a valid signature that proves authorization by someone in a set of plausible candidates, while keeping the real signer hidden and double-spends impossible.

How CLSAG Works Under the Hood

To understand CLSAG you need to understand what a ring signature is trying to achieve, and then see how CLSAG makes the proof smaller. Monero transactions use RingCT, which combines two things that must both stay private: who is spending (sender ambiguity) and how much (amount confidentiality). CLSAG handles the first half. Bulletproofs+ handles the second.

The ring signature problem

When you spend a Monero output, your wallet builds a ring: your real output plus a number of decoy outputs pulled from the chain. Since the August 2022 "Fluorine Fermi" upgrade the ring size has been fixed at 16, meaning every spend hides among 15 decoys. An outside observer sees 16 candidate outputs and cannot tell which one is genuinely being spent.

The challenge is signing in a way that proves "I control the private key for one of these 16 outputs" without leaking which one. A ring signature does exactly that. The trick is constructing a loop of cryptographic challenges that only closes if the signer knows one real private key, while every link looks identical from the outside.

Key images and double-spend protection

The danger with a hidden spender is double-spending: if nobody can see which output you spent, what stops you from spending it again? The answer is the key image. Each output has exactly one valid key image, computed as the private key multiplied by a hash-to-point of the public key. It is mathematically bound to the output but reveals nothing about which ring member produced it.

Every key image ever used is recorded on-chain. When a new transaction arrives, nodes check whether its key image has appeared before. If it has, the transaction is rejected as a double-spend. This is what makes Monero's hidden-sender model safe — the linkability property in the "L" of CLSAG.

How aggregation shrinks the signature

Here is the heart of why CLSAG is "concise." In a RingCT transaction, each ring member is associated with two public keys: the one-time output key (proving ownership) and an amount commitment (proving the input and output values balance). The previous scheme, MLSAG, signed across both keys separately, producing two response scalars for every ring member.

CLSAG collapses that into a single ring. It uses aggregation coefficients — derived deterministically by hashing the ring and its commitments — to fold the two keys into one combined verification equation. The result is one response scalar per ring member instead of two, plus a single initial challenge and the key image.

For a ring of 11, MLSAG needed about 22 response scalars per input; CLSAG needs roughly 12. That single change is what cut a typical two-input transaction by about a quarter.

Crucially, the security proof shows this aggregation does not weaken anything. CLSAG remains unforgeable and anonymous under the same assumptions as before, even against an adversary who can choose some of the keys in the ring. You get a smaller, faster signature with no privacy or security trade-off — a rare clean win in cryptography.

CLSAG vs MLSAG: What Changed

MLSAG (Multilayered Linkable Spontaneous Anonymous Group signatures) powered RingCT from its January 2017 launch until the 2020 fork. CLSAG is a direct, drop-in replacement that keeps the same trust model while trimming the fat. The table below summarizes the practical differences.

The smaller signatures matter for more than aesthetics. Lower transaction weight means lower fees, less blockchain bloat, and faster sync times for nodes. Because every Monero transaction looks structurally the same, those savings compound across the entire network and improve fungibility — no transaction stands out as cheaper or more expensive based on its history.

How CLSAG Fits Into a Monero Transaction

CLSAG never works alone. It is one component of a RingCT transaction, alongside stealth addresses, amount commitments, and range proofs. Here is the simplified lifecycle of a spend, from the moment your wallet decides to send to the moment a node accepts it.

1. Select decoys: the wallet picks 15 decoy outputs from the chain using a gamma distribution that mimics real spending patterns, then adds your real output to form a ring of 16.
2. Build commitments: input and output amounts are hidden behind Pedersen commitments, and a pseudo-output commitment is generated so the verifier can confirm inputs equal outputs without seeing the values.
3. Compute the key image: the wallet derives the key image for the output being spent, which the network will later check against its spent-key-image set.
4. Sign with CLSAG: the wallet produces a single aggregated ring signature over the ring of one-time keys and commitment keys, closing the cryptographic loop only because it holds one real private key.
5. Attach range proofs: Bulletproofs+ proves every output amount is in a valid range, so nobody can create coins out of thin air with a negative output.
6. Broadcast and verify: the transaction propagates via Dandelion++ to obscure its origin IP, and nodes verify the CLSAG signature, the commitments, the range proofs, and the key-image uniqueness before relaying it.

Tip: you never configure any of this. Ring size, decoy selection, and the signature scheme are all enforced by consensus, so two wallets on the same network version produce indistinguishable transactions.

A Real-World Example

Imagine you swap 0.5 BTC into XMR through MoneroSwapper and later send part of that Monero to a hardware wallet. The moment you hit send, your wallet assembles a ring of 16 outputs. Your genuine output is in there, but so are 15 unrelated outputs from other users who never agreed to participate and never will know they did.

The CLSAG signature your wallet generates proves to every node on Earth that you legitimately control one of those 16 — without saying which. An exchange watching the chain, a blockchain analytics firm, or a curious observer sees a valid transaction with 16 equally plausible sources. There is no heuristic that reliably picks out the real one, which is precisely the point.

Contrast this with a transparent chain like Bitcoin, where the exact input being spent is public. On Bitcoin, that 0.5 BTC carries a permanent, traceable history. On Monero, CLSAG severs the link at every hop, which is why privacy-conscious users route value through Monero in the first place.

The Road Ahead: FCMP++ and Seraphis

CLSAG is excellent, but it has a structural ceiling: the anonymity set is capped at the ring size. With 16 members, your real spend hides among 15 decoys — strong, but finite. Monero's research community has spent years building something larger.

FCMP++ (Full-Chain Membership Proofs) is the planned successor. Instead of hiding among 16 outputs, FCMP++ proves membership against every output that has ever existed on the chain — an anonymity set in the tens of millions rather than 16. Development and auditing advanced steadily through 2025, with the upgrade targeted for a future hard fork. When it lands, ring signatures as we know them, including CLSAG, will be retired.

Alongside FCMP++ sits the Seraphis transaction protocol and the Jamtis addressing scheme, which together modernize how Monero outputs are formed and addressed. The takeaway is not that CLSAG is obsolete — it secures the network right now and will for some time — but that Monero never stops improving its privacy guarantees. CLSAG was itself a successor to MLSAG, and the cycle continues.

FAQ

What does CLSAG stand for?

CLSAG stands for Concise Linkable Spontaneous Anonymous Group signatures. Each word describes a property: the signature is compact, double-spends are detectable, no coordination between ring members is required, the real signer is hidden, and the proof is made on behalf of a group rather than one identifiable key.

When did Monero start using CLSAG?

CLSAG activated on the Monero mainnet during the "Oxygen Orion" hard fork on 17 October 2020, at block height 2,210,720. It replaced MLSAG, which had secured RingCT transactions since January 2017.

How much smaller did CLSAG make Monero transactions?

A typical two-input transaction shrank by roughly 25%, and verification became about 10–20% faster. The savings come from aggregating two response scalars per ring member down to one, which reduces both the data stored on-chain and the work nodes do to verify it.

Does CLSAG weaken Monero's privacy or security?

No. CLSAG provides the same sender ambiguity and double-spend protection as MLSAG. Its security was formally proven and independently audited, including resistance to attacks where an adversary controls some of the keys in the ring. It is strictly a more efficient version of the same guarantees.

Will CLSAG be replaced?

Eventually, yes. The FCMP++ (Full-Chain Membership Proofs) upgrade is designed to replace ring signatures entirely, expanding the anonymity set from 16 ring members to the entire blockchain. It was in active development and auditing through 2025, targeting a future hard fork, but CLSAG secures the network until then.

Conclusion

CLSAG is one of those upgrades that proves good cryptography can be both invisible and impactful. It made every Monero transaction smaller, cheaper, and faster to verify while preserving the sender privacy and double-spend protection that define the coin — all without users having to lift a finger. Understanding it demystifies what "untraceable" actually means: not magic, but a carefully constructed ring signature with a key image bolted on.

If you want to put that privacy to work, the easiest path is to acquire Monero without handing over your identity in the first place. You can buy Monero anonymously through MoneroSwapper with no account and no KYC, and every output you receive will be defended by the same CLSAG signatures described here the moment you spend it.