Monero RingCT Confidential Transactions Explained

Open any Bitcoin block explorer and you can read the exact amount of every transaction ever made — to the satoshi. Type in an address and you can watch its balance, trace where the coins came from, and follow where they went. That transparency is by design, and it's also why a paycheck, a donation, or a single careless deposit can deanonymize an entire wallet. Monero takes the opposite stance: on its chain, the amount itself is hidden. The technology that makes that possible is RingCT, short for Ring Confidential Transactions.

RingCT is the reason a Monero transaction shows up on the public ledger as a cryptographic commitment instead of a readable number. It went live in January 2017 and became mandatory for all transactions later that year, and every XMR you send through a wallet — or acquire through a no-account service like MoneroSwapper — is protected by it. This article unpacks what RingCT does, the math that lets the network verify a transaction without seeing the amounts, how it has evolved through Bulletproofs and Bulletproofs+, and where it's heading next with FCMP++.

Why hiding the amount matters

Privacy on a blockchain isn't one feature; it's three problems that all have to be solved at once. Leave any one of them exposed and the other two leak through it. Monero attacks all three, and RingCT owns the third.

• Who sent it: handled by ring signatures, which sign a transaction on behalf of a group of possible spenders so an observer can't tell which input is the real one.
• Who received it: handled by stealth address technology, which generates a unique one-time address for every payment so funds never land on a reusable public address.
• How much was sent: handled by RingCT, which encrypts the amount in a Pedersen commitment while still letting every node confirm the books balance.

Before RingCT existed, Monero hid the sender and receiver but left amounts in plaintext. To get any amount privacy at all, the protocol forced transactions into fixed denominations — think 0.01, 0.1, 1, 10 — the way you might pay for something with exact coins. That leaked a surprising amount of information. The set of plausible decoys for a 7.3 XMR output is far smaller than the set for a hidden output, because the decoys had to match the denomination. Visible amounts also let analysts link transactions by tracing equal values across the chain.

Confidential amounts close that hole. Once the value is encrypted, every output looks structurally identical to every other output, which is the foundation of fungibility — the property that one unit of XMR is interchangeable with any other, with no "tainted" history a merchant or exchange could refuse. That matters more every year. After Binance pulled XMR from its order books in early 2024 and several European exchanges followed, the case for a coin whose individual units can't be screened or blacklisted only got stronger.

What RingCT actually is and how it works

The "CT" half of RingCT — Confidential Transactions — is the part that hides amounts, and it rests on a piece of cryptography called a Pedersen commitment. The "Ring" half ties that amount hiding into Monero's existing ring signature scheme so the sender stays anonymous too. It helps to take the two ideas separately.

Pedersen commitments: encrypting a number you can still do math on

A commitment is a way to lock in a value so you can't change it later, without revealing what it is. A Pedersen commitment to an amount looks like C = xG + aH, where a is the actual amount, x is a random secret called a blinding factor, and G and H are fixed points on an elliptic curve. The blinding factor is what makes the commitment opaque: without it, two outputs of the same value produce completely different-looking commitments, so you can't tell that they're equal.

The magic property is that these commitments are additive, or homomorphic. Add up the commitments for all the inputs to a transaction, add up the commitments for all the outputs plus the fee, and if the real amounts balance, the two sums are commitments to the same total. The sender arranges the blinding factors so that inputs minus outputs equals a commitment to zero. Every node on the network can check that equation — confirming that no coins were created or destroyed — without ever learning a single amount in the transaction.

The whole trick of RingCT is that the network can prove the books balance to the satoshi while being mathematically unable to read any individual line item.

Range proofs: stopping someone from minting coins out of nothing

Homomorphic balance has one dangerous loophole. Because the amounts are hidden, a malicious sender could try to commit to a negative amount, which thanks to modular arithmetic would wrap around to an enormous positive number and let them conjure XMR from thin air. To prevent this, every confidential output ships with a range proof: a cryptographic guarantee that the committed amount sits inside a valid range — between zero and 2⁶⁴ — without revealing where in that range it falls.

Range proofs are where most of RingCT's size and cost has lived, and where the biggest improvements have happened. The original 2017 implementation used Borromean ring signatures, which were correct but bulky: a typical two-output transaction carried roughly 13 KB of range-proof data, making Monero transactions large and fees relatively high. Replacing that machinery has been the main optimization story of the protocol ever since.

The evolution of RingCT: Bulletproofs, Bulletproofs+, and CLSAG

RingCT is not a fixed thing — it's been re-engineered several times through Monero's roughly biannual hard forks, each time getting smaller and faster while keeping the same privacy guarantees. The headline upgrades:

Bulletproofs, deployed in the October 2018 hard fork, was the turning point. By switching to a logarithmic-size range proof, the data attached to each transaction collapsed, and median fees fell from dollars to fractions of a cent. It's the single change most responsible for Monero being cheap to use today. Bulletproofs+ in August 2022 squeezed out another margin and sped up verification, which matters because every node has to check every proof.

The ring signature side evolved in parallel. CLSAG (Concise Linkable Spontaneous Anonymous Group signatures) replaced the older MLSAG construction in October 2020, making the sender-hiding component about a quarter smaller and faster to verify. The same August 2022 fork that brought Bulletproofs+ also lifted the mandatory ring size from 11 to 16 — meaning each spent output is now hidden among 15 decoys instead of 10 — and introduced view tags, a small optimization that lets wallets skip most of the work when scanning the chain for incoming funds.

How a RingCT transaction is built, step by step

It helps to see how the pieces assemble when your wallet sends XMR. None of this requires action from you — the wallet does it in a second or two — but understanding the sequence demystifies what's actually on the chain.

1. Select the real input and decoys. The wallet picks the output you're actually spending and pulls 15 other real outputs from the chain to serve as decoys, forming a ring of 16 plausible sources.
2. Generate a key image. A unique key image is derived from the real output. It's what lets the network detect a double-spend, yet it can't be linked back to which ring member it came from.
3. Create stealth outputs. For each recipient, the wallet computes a one-time stealth address so the payment can't be tied to the receiver's public address.
4. Commit the amounts. Each output amount is wrapped in a Pedersen commitment with a random blinding factor, and the blinding factors are balanced so inputs minus outputs minus fee commit to zero.
5. Attach the range proofs. A Bulletproofs+ range proof is generated for each output, proving the hidden amount is non-negative and in range.
6. Sign with CLSAG and broadcast. The CLSAG ring signature authorizes the spend on behalf of the whole ring, and the transaction is relayed — propagated through Dandelion++ to obscure the originating IP before it hits the public mempool.

The result that lands on the blockchain contains no readable sender, no readable receiver, and no readable amount — only commitments, proofs, and a ring of possibilities — yet it is fully verifiable by every node.

What confidential transactions mean for you in practice

The practical payoff of RingCT is fungibility and resistance to surveillance, and it shows up in concrete situations. Consider a freelancer who gets paid in crypto. On a transparent chain, every client can see the wallet's full balance and every other payment it has ever received; a single doxxed address exposes the lot. On Monero, the incoming payment is a stealth output with a hidden amount — the client learns nothing beyond the transaction they sent.

It also changes how "chain analysis" works against you. Firms that sell blockchain forensics built their business on clustering addresses and following amounts. RingCT removes the amount signal entirely, ring signatures muddy the source, and stealth addresses break the destination link. There's no balance to look up and no clean money trail to follow, which is exactly why privacy-coin tracing remains an unsolved problem rather than a product feature.

This is also why acquisition matters. If you buy XMR on a heavily-surveilled venue that ties your identity to a specific on-chain output, you've created a known starting point even though the chain itself is private. Using a swap service such as MoneroSwapper that doesn't hold an account or demand identity documents keeps that first hop clean, so the confidentiality RingCT provides on-chain isn't undermined by a paper trail off-chain. None of this is tax advice — in the US the IRS still treats crypto disposals as taxable events regardless of how private the chain is — but it does mean the network itself isn't broadcasting your finances to anyone with a block explorer.

Where RingCT goes next: FCMP++

RingCT's amount hiding is rock-solid, but its sender anonymity has a theoretical ceiling: a ring of 16 means the real spend is one of 16 candidates, and statistical analysis can occasionally chip at those odds. Monero's answer, in active development through 2025 and 2026, is FCMP++ — full-chain membership proofs. Instead of hiding a spend among 15 decoys, FCMP++ would hide it among every eligible output that has ever existed on the chain, expanding the anonymity set from 16 to tens of millions.

Crucially, FCMP++ replaces the ring signature component, not the confidential-transaction component. The Pedersen commitments and Bulletproofs+ range proofs that hide amounts stay in place; what changes is how membership in the spendable set is proven. Further out, the Seraphis transaction protocol and the Jamtis addressing scheme are designed to build on this foundation. The lesson for users is simple: amount privacy via RingCT is a settled, mature part of Monero, and the protocol keeps strengthening the parts around it.

FAQ

What does RingCT actually hide?

RingCT hides the amount of a Monero transaction. It encrypts each value in a Pedersen commitment so the figure is never written in plaintext on the blockchain, while still letting every node verify that inputs equal outputs plus the fee. The sender and receiver are hidden by separate mechanisms — ring signatures and stealth addresses — that RingCT works alongside.

If amounts are hidden, how does the network stop fake coins?

Two safeguards. The homomorphic property of Pedersen commitments lets nodes confirm that the hidden inputs and outputs balance to zero, so no value is created or destroyed. And a range proof attached to every output guarantees the committed amount is non-negative and within a valid range, blocking the overflow trick that hidden negative amounts would otherwise allow.

What's the difference between RingCT and ring signatures?

They solve different problems and are often confused because the names overlap. Ring signatures hide who sent a transaction by signing on behalf of a group of possible spenders. RingCT hides how much was sent using confidential commitments. RingCT integrates the two so both protections apply to the same transaction.

Did Bulletproofs replace RingCT?

No. Bulletproofs and Bulletproofs+ are upgrades within RingCT — specifically to the range-proof component. They replaced the older, bulkier Borromean range proofs, cutting transaction size by roughly 80% and fees by well over 90%, but the overall RingCT framework and its hidden amounts remained the same.

Is RingCT being removed when FCMP++ ships?

No. FCMP++ is set to replace Monero's ring signatures with full-chain membership proofs, dramatically enlarging the sender anonymity set. The confidential-amount machinery — Pedersen commitments and Bulletproofs+ range proofs — is expected to stay. In other words, FCMP++ strengthens sender privacy without undoing the amount privacy RingCT provides.

Conclusion

RingCT is the quiet workhorse of Monero's privacy: it turns every amount on the chain into a commitment that the network can verify but no one can read, and it does so while range proofs keep the supply honest. Combined with ring signatures hiding the sender and stealth addresses hiding the receiver, it's why a Monero output looks identical to every other and can't be screened, blacklisted, or traced by value. Through Bulletproofs, Bulletproofs+, and CLSAG it has only gotten cheaper and faster, and with FCMP++ on the horizon the privacy around it keeps deepening. If you want coins that carry this protection from the moment you get them, you can buy Monero anonymously through MoneroSwapper and let RingCT do the rest the instant you transact.