How Monero Ring Signatures Work

MoneroSwapper · 11 min read


Every time a Bitcoin transaction confirms, the sender's address, the receiver's address, and the exact amount are stamped onto a public ledger that anyone can read forever. Monero was built to break that model, and the ring signature is the piece doing most of the heavy lifting on the sender's side. As of the 2025 network rules, every Monero transaction hides the true sender among 16 possible spenders — a fixed ring size enforced for all users since the August 2022 hard fork. That uniformity is not a detail; it is the entire point. When you acquire XMR through a no-log service like MoneroSwapper, the coins inherit this protection automatically, with nothing for you to toggle on.

This guide walks through what a ring signature actually is, how Monero builds one for each spend, why the key image stops double-spending without unmasking you, and how the upcoming FCMP++ upgrade plans to push the anonymity set from 16 to the entire blockchain. No prior cryptography background is assumed — just a willingness to follow how the pieces fit together.

Why Sender Privacy Is the Hard Problem

Hiding the amount in a transaction is comparatively easy with modern math. Hiding who is paying whom is much harder, because a blockchain has to let everyone verify that the coins being spent are real and have not already been spent — without a trusted referee. Monero solves this with three independent layers that work together:

  • Stealth addresses hide the recipient. Every payment goes to a fresh one-time address derived on-chain, so the receiver's public address never appears in the ledger.
  • RingCT hides the amount. Confidential transactions wrap the value in a cryptographic commitment, proven valid by range proofs rather than a readable number.
  • Ring signatures hide the sender. This is the layer that makes it ambiguous which past output is actually being spent.

Take away any one layer and the other two leak. If the sender were visible, knowing the recipient's stealth address would be enough to reconstruct a payment graph. This is why Monero treats all three as mandatory rather than optional features — the result is fungibility, the property that every XMR is interchangeable with every other XMR because none carries a traceable history.

What a Ring Signature Actually Is

The concept predates Monero. A ring signature, first formalized by Rivest, Shamir, and Tauman in 2001, lets one member of a group sign a message so that any verifier can confirm "someone in this group signed it" while learning nothing about which member. There is no group leader, no setup ceremony, and no way to revoke the ambiguity later — the signer "spontaneously" forms an ad-hoc group from existing public keys.

Monero adapts this idea to spending. When you spend an output (a chunk of XMR you received earlier), your wallet does not point at it directly. Instead it assembles a ring: your real output plus 15 decoys pulled from other people's past outputs on the blockchain. The signature proves that one of those 16 outputs is genuinely yours to spend, but an observer cannot tell which one.

Decoys and how they are chosen

The 15 decoys are not random. If they were drawn uniformly across the chain's full history, the real output — almost always a recent one — would stand out statistically. Monero's wallet instead samples decoys from a gamma distribution tuned to mimic real spending behavior, which favors recently created outputs at roughly the rate people actually spend them. Researchers have repeatedly stress-tested this selection algorithm, and the Monero Research Lab has refined it several times to close timing-based heuristics.

Because every wallet uses the same algorithm and the same ring size of 16, your transaction looks identical in structure to everyone else's. Uniformity is a privacy feature: an outlier is easy to track, but a member of a perfectly homogeneous crowd is not.

The key image: stopping double-spends without revealing the spender

Here is the clever part. If a verifier cannot tell which output you are spending, how does the network stop you from spending the same output twice? The answer is the key image — a unique cryptographic tag deterministically derived from your output's one-time private key.

Each output can produce exactly one valid key image, and that image reveals nothing about which ring member generated it. When your transaction is broadcast, every node records the key image. If the same key image ever appears again, the network rejects the second transaction as a double-spend. So the system gets the integrity guarantee of a UTXO ledger while preserving sender ambiguity — the key image is linkable to itself but not to your identity.

CLSAG: the signature scheme Monero uses today

The specific algorithm Monero runs is CLSAG — Concise Linkable Spontaneous Anonymous Group signatures. It replaced the older MLSAG construction in the October 2020 hard fork. The upgrade was not cosmetic: CLSAG cut the signature size by roughly 25% and shaved verification time by around 10–20%, which means smaller transactions, lower fees, and a lighter load on every node validating the chain.

"Linkable" refers to the key image behavior described above; "spontaneous" and "anonymous group" capture the ad-hoc, leaderless ring. Combined with RingCT for amounts and Bulletproofs+ for compact range proofs (activated in the same August 2022 fork that fixed ring size at 16), CLSAG is what makes a modern Monero transaction both private and small.

Building a Ring Signature, Step by Step

It helps to see the sequence your wallet runs through when you hit "send." The cryptography is involved, but the workflow is straightforward:

  1. Select the real output. Your wallet identifies an output you control and own the spend key for, large enough to cover the payment plus fee.
  2. Gather 15 decoys. Using the gamma-distribution sampler, the wallet picks 15 other outputs from the blockchain to sit alongside yours in the ring.
  3. Compute the key image. Derived from the real output's private key, this tag will let the network detect any future double-spend of the same output.
  4. Construct the CLSAG signature. The wallet builds a single signature over the whole ring that is valid only because you hold the key to one member — without marking which one.
  5. Attach RingCT commitments and range proofs. Bulletproofs+ prove the hidden amounts are non-negative and balance correctly, all without revealing the values.
  6. Broadcast through Dandelion++. The transaction propagates with a privacy-preserving relay pattern that obscures which node first originated it, frustrating IP-level deanonymization at the mempool layer.

The ring signature does not encrypt your transaction — it makes your transaction indistinguishable from 15 plausible alternatives. Privacy here comes from ambiguity, not from hiding the data.
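The key image and signing steps above (steps 3 and 4), together with the double-spend rule from the key image section, as an added Python example that is not Monero's code or part of the original article. It implements a simplified LSAG-style linkable ring signature on Ed25519 rather than CLSAG itself; the SHA-512 hash-to-scalar, the try-and-increment hash-to-point, string messages and all function names are assumptions made for illustration.

```python
import hashlib, secrets

# Ed25519 parameters (Monero's curve); hashing and signature layout are simplified stand-ins.
p = 2**255 - 19
d = -121665 * pow(121666, -1, p) % p
L = 2**252 + 27742317777372353535851937790883648493   # prime subgroup order

def recover_x(y):                 # an x with (x, y) on the curve, or None
    xx = (y*y - 1) * pow(d*y*y + 1, -1, p) % p
    x = pow(xx, (p + 3) // 8, p)
    if (x*x - xx) % p: x = x * pow(2, (p - 1) // 4, p) % p
    return x if (x*x - xx) % p == 0 else None
def add(P, Q):                    # complete twisted-Edwards addition (affine)
    (x1, y1), (x2, y2) = P, Q
    t = d * x1 * x2 * y1 * y2 % p
    return ((x1*y2 + x2*y1) * pow(1 + t, -1, p) % p,
            (y1*y2 + x1*x2) * pow((1 - t) % p, -1, p) % p)
def mul(k, P):                    # k*P by recursive double-and-add (not constant time)
    if k == 0: return (0, 1)
    Q = mul(k >> 1, add(P, P))
    return add(Q, P) if k & 1 else Q
G = (recover_x(4 * pow(5, -1, p) % p), 4 * pow(5, -1, p) % p)   # generator with y = 4/5

def Hs(*parts):                   # hash to scalar (assumed: SHA-512 over repr)
    return int.from_bytes(hashlib.sha512(repr(parts).encode()).digest(), "little") % L
def Hp(P, ctr=0):                 # hash to point: try-and-increment, then clear cofactor 8
    y = Hs("Hp", P, ctr); x = recover_x(y)
    return mul(8, (x, y)) if x is not None else Hp(P, ctr + 1)
def challenge(msg, P, I, s, c):
    return Hs(msg, add(mul(s, G), mul(c, P)), add(mul(s, Hp(P)), mul(c, I)))

def sign(msg, ring, idx, x):
    n, Hx, a = len(ring), Hp(ring[idx]), secrets.randbelow(L)
    I, s, c = mul(x, Hx), [secrets.randbelow(L) for _ in ring], [0] * n   # I = x * Hp(P)
    c[(idx + 1) % n] = Hs(msg, mul(a, G), mul(a, Hx))
    for i in (k % n for k in range(idx + 1, idx + n)):
        c[(i + 1) % n] = challenge(msg, ring[i], I, s[i], c[i])
    s[idx] = (a - c[idx] * x) % L    # only the real private key can close the ring here
    return c[0], s, I
def verify(msg, ring, sig):
    c, s, I = sig
    if len(s) != len(ring) or mul(L, I) != (0, 1): return False   # I must be in prime subgroup
    for P, si in zip(ring, s):
        c = challenge(msg, P, I, si, c)
    return c == sig[0]
def node_accepts(seen, msg, ring, sig):   # consensus view: valid signature, unseen key image
    if sig[2] in seen or not verify(msg, ring, sig): return False
    seen.add(sig[2]); return True
```

Two signatures made with the same private key carry the same key image whatever the message or decoys, so `node_accepts` rejects the second one without learning which ring member signed.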

Ring Signatures Compared to Other Privacy Approaches

Monero is not the only project tackling on-chain privacy, but its approach has distinct trade-offs against the main alternatives. The table below summarizes how ring signatures stack up.

| Approach | Strengths | Limitations |
| --- | --- | --- |
| Monero ring signatures (CLSAG + RingCT) | Private by default for every transaction; no trusted setup; mature and battle-tested since 2017 | Anonymity set capped at the ring size (16); larger transactions than transparent chains |
| zk-SNARKs (e.g. Zcash shielded pools) | Very large anonymity set when shielded; small proofs | Privacy is opt-in, so most transactions stay transparent; some designs required a trusted setup |
| CoinJoin / mixing (Bitcoin overlays) | Works on an existing transparent chain; no protocol change needed | Optional and coordinated; chain-analysis firms actively cluster and unmix participants |
| Transparent ledgers (Bitcoin, Ethereum) | Fully auditable; simple to verify | No sender, receiver, or amount privacy; permanent public payment graph |

The defining difference is the word default. With CoinJoin or shielded pools, privacy is something a user has to actively choose, and the minority who choose it stand out. In Monero, there is no transparent mode to opt out into — every spend uses a ring signature, so the privacy-seeking crowd is the entire user base. That is what underpins fungibility.

The honest weakness is the anonymity set. Sixteen members is dramatically better than zero, but it is finite. A sufficiently resourced adversary who can rule out decoys through external information narrows the field. That limitation is precisely what the next protocol upgrade is designed to erase.

The Road Ahead: FCMP++ and a Chain-Sized Anonymity Set

The most significant change coming to Monero's sender privacy is FCMP++ — Full-Chain Membership Proofs. Instead of proving "my output is one of these 16," the spender proves "my output is one of every output that has ever existed on the chain." With well over 100 million outputs recorded to date, that turns an anonymity set of 16 into an anonymity set of the entire blockchain.

FCMP++ uses a different cryptographic structure — a Curve Trees construction that lets a prover demonstrate membership in an enormous set with a compact, efficiently verifiable proof. Crucially, like Monero's existing tools, it avoids any trusted setup, which has historically been a sticking point for SNARK-based designs.

Throughout 2025, FCMP++ moved through code review and independent cryptographic audits funded by the community, and it is slated to arrive alongside the broader Seraphis transaction-protocol overhaul and the Jamtis addressing scheme. Together these aim to retire the bounded ring entirely. Until the relevant hard fork activates on mainnet, the 16-member ring described in this guide remains exactly how live transactions work — so nothing about acquiring or holding XMR today changes.

For a practical sense of scale: a chain-wide anonymity set means decoy-selection heuristics, gamma distributions, and the long-running debate over the "right" ring size all become moot. The question "which of the 16 is real?" is replaced by "which of the hundred-million-plus is real?" — a question with no useful answer for an analyst.

FAQ

Can a Monero ring signature be traced back to the real sender?

Not from the signature itself. The signature proves one of 16 ring members is the true spender without marking which, and the key image cannot be linked to your identity. Deanonymization attempts generally rely on external metadata — IP leaks, exchange KYC records, or poor decoy-era heuristics — rather than breaking the cryptography. Using a no-KYC acquisition path and a well-maintained node closes most of those side channels.

What is the current Monero ring size?

Sixteen. Every transaction includes your real output plus 15 decoys, and this size has been fixed and mandatory for all users since the August 2022 hard fork. A uniform ring size is itself a privacy measure, because variable ring sizes would let transactions be fingerprinted by their structure.

How is a ring signature different from RingCT?

They protect different things. The ring signature hides who is spending, while RingCT (Ring Confidential Transactions) hides how much is being spent. They operate together in every transaction, alongside stealth addresses that hide the recipient. All three layers are required for full privacy.

Why can't I just spend a Monero output directly without decoys?

You technically could in protocol terms, but doing so would publicly reveal exactly which output you are spending and link it to your prior transaction, destroying privacy for you and for anyone whose output had previously used yours as a decoy. Monero therefore enforces the ring at the consensus level — there is no way to send a "transparent" Monero transaction.

Will FCMP++ make my existing XMR more private automatically?

Yes, once it activates. Because privacy in Monero is a property of the protocol rather than of individual coins, a future upgrade to full-chain membership proofs would extend the larger anonymity set to spends made after the fork, with no action required from holders. Coins you hold today are not "marked" — they simply spend under whatever rules are current at the time of the transaction.

Conclusion

Ring signatures are the reason a Monero sender can prove they own the right to spend without revealing which output they are spending — a single CLSAG signature over a ring of 16, anchored by a key image that blocks double-spends without unmasking anyone. Paired with stealth addresses and RingCT, they make privacy the default rather than a feature you opt into, and that default is what gives XMR its fungibility. With FCMP++ on the horizon, the anonymity set is poised to grow from a fixed ring to the whole chain.

Understanding the mechanism is the first step; the second is acquiring XMR without surrendering the privacy you just learned about. MoneroSwapper lets you buy Monero anonymously with no account and no logs, so your coins arrive already protected by every layer described here — the moment they land in your wallet, the ring closes around them.
