Monero Ring Signature Explained
Last Updated: 1st November 2018
Monero utilizes ring signature technology to protect a user’s privacy in the input side of a transaction. A ring signature is a type of digital signature in which a group of possible signers are merged together to produce a distinctive signature that can authorize a transaction.
A Monero ring signature is composed of the actual signer, who is then combined with non-signers to form a ring. The actual signer and non-signers in this ring are all considered to be equal and valid. The actual signer is a one-time spend key that corresponds with an output being sent from the sender’s wallet. The non-signers are past transaction outputs that are drawn from the Monero blockchain. These past transaction outputs function as decoys in the ring signature transaction, by forming part of the inputs of a transaction. From the perspective of an outside party, all of the inputs appear equally likely to be the output being spent in a transaction. Monero utilizes ring signature technology to help the sender mask the origin of a transaction by ensuring that all inputs are indistinguishable from each other.
Because Monero makes use of ring signature technology, it must include a feature that allows for the verification of outputs that are being spent in a ring signature transaction, or else, a user would be able to spend the same transaction output twice i.e. a double-spend. This potential issue is addressed by Monero’s use of key images.
A key image is a cryptographically secure key that is derived from an output transaction being spent, and is made part of every ring signature transaction. Only one key image exists for each transaction output on the Monero blockchain. Due to the cryptographically secure nature of key images, it is not possible to determine which output created which key image. A list of all used key images is maintained on the Monero blockchain, allowing all miners to verify that no transaction output has been spent twice.
For example, if Bob wishes to send Monero to Alice, with a ring size value of five, one of the five inputs will be pulled from Bob’s wallet, which will then be added to the ring signature transaction. The other four inputs are past transaction outputs that are pulled from the Monero blockchain. These four inputs are decoys, and when fused with the input from Bob’s wallet, forms a group of five possible signers. A third party would not be able to determine which input was actually signed by Bob’s one time spend key. However, with the use of a key image, the Monero network is able to verify that the Monero being transferred to Alice has not been spent before.