What Are Ring Signatures? Introduction to Monero Ring Signatures

Monero is secure, untraceable, electronic cash. It is open-source, decentralized, and freely accessible to all. In this video, Monero focuses on explaining ring signatures. Monero stealth addresses prevent outputs from being associated with the recipients’ public address. This is accomplished by the use of one-time destination public keys. One-time public keys are only spendable by the recipient and only the recipient is able to detect their designated output on the blockchain. Since all outputs are unlinkable, the privacy of the recipient is ensured.

On the input side of the transaction, the sender’s privacy is protected with the use of ring signatures. A ring signature is a type of digital signature in which a group of possible signers are fused together to produce a distinctive signature that authorizes a transaction. This is analogous to the signing of a check from a joint bank account but with the actual signer remaining unknown. The digital signature is made up of the actual signer combined with non-signers to form a ring where all member are equal and valid. The actual signer is a one-time spend key that corresponds with an output being sent from the sender’s wallet. The non-signers or past transaction outputs pulled from the blockchain which act as decoys. These outputs together make up the inputs of a transaction. To a third party, all of inputs appear equally likely to be the output being spent in the transaction. This feature helps the sender hide the origin of the transaction by making all inputs indistinguishable from each other.

You may now be asking yourself if these is no way for a third party to verify which output is being spent that would prevent someone from spending the same output twice. This potential issue is addressed by the use of key images. A key image is a cryptographic key derived from an output being spent and is made part of every sing signature transaction. There can exist only one key image for each output on the blockchain. Yet due to its cryptographic properties it is not possible to determine which output created which key image. A list of all used key images are maintained in the blockchain enabling miners to verify that no outputs are spent twice.

Here’s an example to see how all of this works. Alice wants to send Monero to Bob with a ring size value of five. One of the five inputs will come from Alice’s wallet which will be consumed in the transaction. The other four inputs are arbitrarily picked from the blockchain and they’re used as decoys. This forms a group of five possible signers where all ring members are plausibly the actual signer of the transaction to an outside observer including to Bob himself. It’s not clear which input was truly signed by Alice’s one time spend key; however, with the key image the network is able to securely confirm that the Monero being transferred to Bob has not been spent before. As you can see, by using ring signatures, Monero protects the privacy of the sender by obscuring the source of inputs and in doing so ensures that the origin of any Monero remains untraceable.