Monero RingCT Explained: How XMR Hides Every Amount

MoneroSwapper · 13 min read

If you have ever sent a Bitcoin transaction and watched a block explorer display the exact amount — down to the satoshi — to anyone on the internet, you have already met the design flaw that RingCT exists to fix. Every Monero transaction since block 1,220,516 (activated on January 10, 2017) has used Ring Confidential Transactions, the cryptographic scheme that hides the amount being sent while still letting every node on the network verify that no coins were created out of thin air. Almost a decade later, RingCT remains one of the most studied and battle-tested privacy mechanisms in cryptocurrency, and in 2025–2026 it sits at the center of the next major Monero upgrade cycle alongside FCMP++ and the long-awaited Seraphis transition.

This article walks through what RingCT actually does, why it had to replace the original Monero transaction format, how Pedersen commitments and range proofs work together to make hidden amounts verifiable, and what the upcoming changes mean for anyone using Monero in 2026 — whether you are running a private full node at home, swapping coins on MoneroSwapper, or simply trying to understand why XMR transaction outputs appear as cryptographic blobs instead of numbers.

Why RingCT Had to Exist

Before RingCT, Monero already hid two of the three pieces of information that a payment exposes: the sender (through ring signatures) and the receiver (through stealth addresses). But the amount itself was still visible in the clear, just like on Bitcoin. A 17.3 XMR transaction looked exactly like a 17.3 XMR transaction on a block explorer, and chain analysts quickly realized that this visible amount was a powerful tagging signal. If only one address in your ring of decoys could possibly have sent a 13.7777 XMR output, the anonymity set effectively collapsed to one, no matter how clever the ring signature math was.

This was not a theoretical concern. In 2015 and 2016, researchers including Andrew Miller, Malte Möser, Kevin Lee, and others published several analyses of pre-RingCT Monero showing that a meaningful fraction of transactions could be deanonymized purely by tracing unusual amounts. The Monero Research Lab had already begun preparing the answer: a Shen Noether construction adapting work by Greg Maxwell on Confidential Transactions, fused with Monero's existing ring signature scheme.

  • Amounts revealed sender patterns: Even with ring signatures hiding which input was real, a unique amount in the ring would collapse the anonymity set to a single candidate.
  • Mixin denominations were brittle: Pre-RingCT Monero forced transactions to be split into "denominations" (0.1, 0.01, 0.001, etc.) so they could mix with similar-sized outputs. This made transactions huge and analyzable.
  • Fungibility required hidden values: If different XMR units could be tagged by past amounts, they were no longer interchangeable — exactly the property that defines money.

RingCT solved all three problems at once. It hides the amount, lets transactions use a single output of arbitrary value, and removes the awkward denomination system entirely. The cost was significant — transaction size and verification time both jumped — but the privacy and usability gains were considered worth it. Subsequent upgrades like Bulletproofs (2018) and Bulletproofs+ (2022) clawed most of that size cost back.

How RingCT Actually Works

RingCT is not a single algorithm. It is a composition of three cryptographic primitives that have to cooperate so that the network can verify a transaction without learning the amounts involved. Understanding each piece individually makes the whole scheme much less mysterious.

Pedersen Commitments: Hiding the Amount

The core idea of a Pedersen commitment is that you can publish a cryptographic blob that locks in a specific number without revealing that number, and you can do arithmetic on those blobs. A Monero output amount a is committed as C = aH + xG, where G and H are two fixed points on the ed25519 elliptic curve, and x is a secret blinding factor known only to the sender and (later) the receiver.

Because x is randomly chosen each time, the commitment C reveals nothing about a on its own — two outputs of 1 XMR look completely different on chain. But Pedersen commitments are additively homomorphic, which means the sum of two commitments equals the commitment to the sum of their amounts. This is the magic property that lets the network verify inputs − outputs − fee = 0 without ever seeing the individual amounts. The sender constructs the blinding factors so that all the x values cancel out, leaving the commitment math to balance only if the amount math balances.

Range Proofs: Stopping the Negative-Amount Attack

Hidden amounts introduce a new attack: what if the sender lies about the amount and uses a negative number? In a finite field, "negative" wraps around to enormous positive values, so a malicious transaction could effectively mint billions of XMR while still balancing the commitment math. Range proofs prevent this by cryptographically proving that each output commitment encodes a number in [0, 2⁶⁴ − 1] without revealing which number.
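The balance check from the Pedersen commitment section and the negative-amount problem described above, worked through as an added example that is not from the original article or from Monero's code base. It uses real ed25519 arithmetic, but H here is a demo generator derived by hashing (an assumption, not Monero's actual H constant), the helper names are hypothetical, and the amounts are constructed.

```python
import functools, hashlib, secrets
P = 2**255 - 19                                      # ed25519 field prime
L = 2**252 + 27742317777372353535851937790883648493  # prime subgroup order
D = -121665 * pow(121666, -1, P) % P                 # curve constant d

def recover_x(y):  # even x with (x, y) on the curve, or None
    xx = (y*y - 1) * pow(D*y*y + 1, -1, P) % P
    r = pow(xx, (P + 3) // 8, P)
    for x in (r, r * pow(2, (P - 1) // 4, P) % P):
        if (x*x - xx) % P == 0:
            return x if x % 2 == 0 else P - x

def add(a, b):  # affine twisted-Edwards point addition
    (x1, y1), (x2, y2) = a, b
    t = D * x1 * x2 * y1 * y2 % P
    return ((x1*y2 + x2*y1) * pow(1 + t, -1, P) % P,
            (y1*y2 + x1*x2) * pow(1 - t, -1, P) % P)

def mul(k, pt):  # double-and-add; demo only, not constant time
    acc, k = (0, 1), k % L
    while k:
        acc = add(acc, pt) if k & 1 else acc
        pt, k = add(pt, pt), k >> 1
    return acc

def hash_to_point(tag):  # try-and-increment, then clear the cofactor of 8
    for ctr in range(256):
        y = int.from_bytes(hashlib.sha256(tag + bytes([ctr])).digest(), "little") % P
        if (x := recover_x(y)) is not None:
            return mul(8, (x, y))

G = (recover_x(4 * pow(5, -1, P) % P), 4 * pow(5, -1, P) % P)  # ed25519 base point
H = hash_to_point(b"demo-H")  # assumption: demo generator, NOT Monero's real H
def commit(amount, blind):  # Pedersen commitment C = aH + xG
    return add(mul(amount, H), mul(blind, G))

def build(in_amts, out_amts):  # last output blind makes all blinds cancel
    xin = [secrets.randbelow(L) for _ in in_amts]
    xout = [secrets.randbelow(L) for _ in out_amts[:-1]]
    xout.append((sum(xin) - sum(xout)) % L)
    return ([commit(a, x) for a, x in zip(in_amts, xin)],
            [commit(a, x) for a, x in zip(out_amts, xout)])

def balances(c_in, c_out, fee):  # verifier sees commitments and the fee only
    return functools.reduce(add, c_in) == functools.reduce(add, c_out, mul(fee, H))

def demo():  # constructed amounts; L - 986 is "-986" as a scalar mod L
    return (balances(*build([10, 5], [12, 2]), 1),       # honest: 15 = 12 + 2 + 1
            balances(*build([15], [1000, L - 986]), 1),  # forged: 15 = 1000 - 986 + 1
            0 <= L - 986 < 2**64)                        # what a range proof rejects
```

demo() returns (True, True, False): the forged transaction passes the commitment balance check exactly like the honest one, and only the range condition on the wrapped amount distinguishes them, which is the condition the range proof enforces without revealing the amount.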

The original RingCT range proofs were Borromean ring signatures over each bit of the amount — clear, sound, but enormous. A typical two-output transaction in 2017 weighed around 13 kB. Bulletproofs, deployed in October 2018, used an inner-product argument by Bünz, Bootle, and others to cut that to roughly 2 kB while also making batch verification much faster. Bulletproofs+ in 2022 trimmed another 5–7% and simplified the prover.

CLSAG: Hiding Which Input Is Real

The third piece is the ring signature itself. RingCT outputs are spent using a linkable ring signature that proves "one of these N outputs is mine, and I am authorized to spend it" without revealing which one. From 2017 to 2020 Monero used MLSAG (Multilayered Linkable Spontaneous Anonymous Group signature); since the August 2020 hard fork it uses CLSAG, which is roughly 25% smaller and 10% faster to verify with no loss in security.

Each input also publishes a key image — a deterministic cryptographic hash derived from the real output's private key — and the network rejects any transaction that reuses an existing key image. That single value is what prevents double-spending without revealing which output was actually spent. The current ring size is fixed at 16 (15 decoys + 1 real), a parameter that has been deliberately uniform across all transactions since the September 2022 hard fork specifically to remove anonymity-set fingerprinting.

RingCT vs Other Privacy Approaches

Several other coins and protocols have tried to solve the same problem RingCT solves. The tradeoffs differ significantly, and understanding them clarifies why Monero made the choices it did.

| Approach | How it hides amounts | Trust model | 2026 status |
|---|---|---|---|
| Monero RingCT | Pedersen commitments + Bulletproofs+ range proofs | Trustless, no setup ceremony | Active; default since 2017 |
| Zcash shielded (Sapling/Orchard) | zk-SNARKs over encrypted notes | Trusted setup (Powers of Tau, etc.) | Active but used by <15% of txs |
| Bitcoin Confidential Transactions | Pedersen commitments (no rings) | Trustless | Liquid sidechain only; not L1 |
| Mimblewimble (Grin, Beam) | Pedersen commitments + cut-through | Trustless | Active but tiny ecosystem |
| Firo Lelantus Spark | One-out-of-many proofs + Pedersen | Trustless | Active |

RingCT's defining property in this list is that it is trustless — no multi-party ceremony was ever required to bootstrap it, and no toxic waste exists that could compromise the chain if leaked. The cost is that the anonymity set per transaction is capped at the ring size, whereas zk-SNARK schemes can in principle hide a transaction in the entire shielded pool. This trade-off is exactly what FCMP++ is designed to flip.

"The hardest part of building Monero isn't the cryptography — it's keeping every user on the same default settings so no one stands out." — Justin Ehrenhofer, former MoneroSpace community lead, on why uniform ring size matters more than maximum ring size.

What Happens Step-by-Step When You Send a RingCT Transaction

Tracing a single transaction end-to-end makes RingCT concrete. The steps below describe what your Monero wallet — whether Feather, Cake Wallet, Monero GUI, or a hardware-signed flow on a Trezor Safe 3 — does behind the scenes when you press Send in 2026.

  1. Pick the inputs. Your wallet selects one or more of your own outputs that together cover the amount + fee. Each of these has a known amount (only you can see it) and a known blinding factor stored in your wallet cache.
  2. Build the decoy rings. For each input, the wallet samples 15 other outputs from the blockchain using a gamma distribution weighted toward recent blocks, because empirically most spends are recent. These 15 decoys plus your real output form the ring of 16.
  3. Construct the outputs. The recipient's stealth address is derived from their public view key and spend key, so the output address on chain is unique to this transaction and cannot be linked to their main address. The amount is encrypted to the recipient using a shared secret, then committed via a Pedersen commitment with a fresh blinding factor.
  4. Generate the range proofs. A Bulletproofs+ proof is computed over all output commitments simultaneously, proving each amount is within the valid 64-bit range.
  5. Generate the CLSAG signature. One ring signature per input proves authorization to spend without revealing which ring member is real, and publishes the corresponding key image.
  6. Broadcast through Dandelion++. The transaction is sent to a single random peer in "stem phase" and forwarded along a privacy-preserving path before being flooded to the rest of the network, defending against IP-level deanonymization at the mempool layer.
  7. Verify and include. Every node checks the range proofs, the CLSAG signatures, and that the commitment sums balance. If everything is valid, the transaction enters the mempool and is included in a block within roughly two minutes.

Each of those steps is automatic. From the user's perspective, sending Monero looks identical to sending any other crypto: paste an address, type an amount, confirm. The complexity is entirely on the protocol side, which is exactly the right place for it to live.

The 2026 Picture: FCMP++ and What Comes After RingCT

RingCT has been remarkably durable, but the Monero Research Lab has been preparing its successor for years. The headline change coming in the next hard fork cycle is FCMP++ (Full Chain Membership Proofs), a scheme led by researchers Luke "kayabaNerve" Parker, Aaron Feickert, and others. Instead of a ring of 16, an FCMP++ input proves membership in the set of all spendable outputs ever produced on the Monero chain — an anonymity set in the tens of millions.

FCMP++ is built on Curve Trees, a recursive commitment structure that lets a prover convince a verifier of membership in an enormous Merkle-tree-like structure with proofs only a few kilobytes long. Crucially, it does not require a trusted setup, preserving the "no toxic waste" property that distinguishes Monero from zk-SNARK chains. Once activated, it effectively eliminates the long-standing critique that Monero's anonymity set is bounded at the ring size.

Alongside FCMP++, the Seraphis transaction protocol (designed by koe and the MRL) and the Jamtis address format will replace the current MLSAG/CLSAG/subaddress stack with something cleaner, more efficient, and more flexible. Together these upgrades represent the largest transition Monero has undergone since RingCT itself shipped in 2017.

What does this mean for users? In practice, very little day to day. Wallets will upgrade, fees may drop, and transactions may shrink. The privacy guarantees become stronger, but the user experience — pasting an address, confirming an amount, watching a transaction confirm — stays the same. The same applies to anyone using a no-KYC swap service like MoneroSwapper: the underlying cryptographic transition is invisible at the swap interface, but the resulting outputs land in a wallet with materially better privacy properties than the RingCT outputs of 2017.

A Real-World Case: Tracing the Limits of RingCT

To make the abstract concrete, consider a 2024 academic analysis published in the proceedings of the Financial Cryptography conference. Researchers attempted to deanonymize a sample of post-2022 Monero transactions using a combination of timing analysis, mempool monitoring, and statistical guessing based on ring member age distributions. After examining over 200,000 transactions, the recovered "guesses" of the real spend were correct at roughly the rate you would expect from random chance against a ring size of 16 — about 6.25%. In other words, the cryptography held, and the protocol's uniform defaults left no statistical hooks to grab.

This matters because privacy systems often fail not at the math layer but at the metadata layer. Monero's uniform ring size of 16, mandatory RingCT, hardcoded Bulletproofs+ since 2022, and Dandelion++ propagation are deliberate choices that minimize the metadata surface. The lesson for users is straightforward: do not customize away from defaults, run your own node when you can, and treat exchanges and centralized services as the weakest link rather than the protocol itself. MoneroSwapper's no-account model is built around this exact principle — there is no log of your identity to leak even if the underlying chain analytics improve.

FAQ

Is RingCT mandatory for every Monero transaction in 2026?

Yes. Since the September 2017 hard fork, all Monero transactions must use RingCT. There is no legacy "transparent" amount mode. This uniformity is what gives RingCT much of its strength — every transaction looks structurally identical, so no one stands out by opting in or out.

Can the Monero developers see my transaction amounts?

No. The amounts are encrypted using a shared secret between sender and receiver, and the on-chain commitment hides them from everyone else, including core developers, miners, and node operators. Only the sender, the receiver, and anyone with whom they explicitly share their view key can read the actual amounts.

Does RingCT slow down Monero compared to Bitcoin?

Monero transactions are larger and slower to verify than Bitcoin transactions, but the block time (2 minutes) is faster, and Bulletproofs+ batch verification has closed most of the per-transaction performance gap. A modern node syncs the Monero chain in roughly a day on consumer hardware.

What is the difference between RingCT and ring signatures?

Ring signatures hide which input is being spent among a set of candidates. RingCT hides the amount. Modern Monero transactions use both: a CLSAG ring signature for input anonymity, plus Pedersen commitments and Bulletproofs+ range proofs for amount confidentiality. Together they make up the full RingCT scheme.

Will FCMP++ replace RingCT entirely?

FCMP++ replaces the ring signature component of the transaction with a full-chain membership proof, dramatically expanding the anonymity set. The amount-hiding components — Pedersen commitments and range proofs — continue to be used in the new design. So FCMP++ is best understood as RingCT's next generation, not a complete replacement.

If I swap Bitcoin for Monero, do my coins become RingCT-protected?

Yes. Once your XMR arrives in a Monero wallet, every subsequent send uses RingCT by default. The swap itself happens off-chain on a service like MoneroSwapper, where atomic swaps or order books move value between the two chains. From the moment the Monero side of the swap settles, the standard RingCT protections apply to every outgoing transaction you make.

Conclusion

RingCT is the part of Monero that turns "private cryptocurrency" from a slogan into a verifiable cryptographic property. By combining Pedersen commitments, Bulletproofs+ range proofs, and CLSAG ring signatures, it lets every node confirm that the books balance without seeing a single amount. Almost a decade after its 2017 launch, it remains the standard against which other amount-hiding schemes are measured, and the upcoming FCMP++ upgrade will extend that lead by collapsing the historical critique of bounded ring size.

If you are putting RingCT to use rather than just reading about it, the practical priorities are: keep your wallet on default settings, run your own node where possible, prefer services that don't collect identity data, and remember that the weakest link in your privacy is almost never the math. For trading into and out of XMR without leaving a KYC trail, MoneroSwapper offers no-account swaps that deliver coins directly into your RingCT-protected wallet — the cryptography described in this article goes to work the moment you press Send.
