Ring Signatures
Ring Signatures are signatures that prove a message was signed by one member of a set without revealing which member signed it. In CryptoNote, this becomes the sender-privacy primitive behind Monero-style private payments.
The Core Intuition
A normal digital signature points to one public key. A verifier checks the message against that key and learns which key authorized the message. A ring signature changes the verification target. The signer assembles a set of public keys and produces a signature that verifies against the set as a whole.
The verifier learns that one of the keys in the ring signed. The verifier does not learn which one. The ring can be formed ad hoc, without a group manager or trusted anonymity administrator. That autonomy is why ring signatures fit the cypherpunk pattern: privacy comes from protocol structure rather than institutional discretion.
CryptoNote’s One-Time Variant
The CryptoNote paper uses a one-time ring signature. The signer spends an output using the private key for that output, but mixes it with foreign outputs of the same amount. Observers see a valid spend from the ring, not the actual input.
CryptoNote also needs double-spend detection. Its answer is the key image: a value derived from the signer’s private key that cannot be inverted to reveal the signer but repeats if the same private key is used twice. A transaction can therefore be rejected as a double spend without deanonymizing the original signer.
Sender Privacy in Monero
In the CryptoNote transaction model, receiver privacy and sender privacy are separate. One-time destination keys, often called stealth-address style outputs, make incoming payments unlinkable to a published address. Ring signatures hide which prior output is being spent when the recipient later sends funds onward.
Monero’s privacy design descends from this combination. The exact implementation has evolved, but the conceptual structure remains CryptoNote’s: hide recipients with one-time keys, hide senders with ring signatures, and preserve ledger validity with linkability against double spending.
Anonymity Set and Transaction Size
Ring signatures make privacy quantitative. A ring of one gives no meaningful sender ambiguity. A larger ring gives a larger anonymity set, but the signature grows with the number of ring members. CryptoNote states the trade-off directly: stronger ambiguity means larger transactions and higher fees.
This creates a protocol-design problem rather than a pure cryptography problem. If users choose small rings, privacy weakens. If the network requires large rings, transactions become heavier. A privacy coin must balance anonymity, verification cost, wallet usability, and chain growth.
Comparison With Blind Signatures and zk-SNARKs
Ring signatures are one branch of digital-cash privacy. Chaum’s Blind Signatures for Untraceable Payments hides the link between withdrawal and deposit by having a bank sign a blinded token. CryptoNote removes the bank but uses a visible ledger, so it must hide the spender among decoy outputs.
zk-SNARKs take a different path. In Zerocash, the proof shows that a ledger transition is valid without revealing the spent coin, receiver, or amount. Ring signatures leave an explicit anonymity set on chain. zk-SNARKs compress the validity claim into a zero-knowledge proof, at the cost of more complex assumptions and, in early systems, trusted setup.
See Also
- CryptoNote Whitepaper - work reference for the CryptoNote design using one-time ring signatures
- zk-SNARKs - contrasting privacy primitive used by Zerocash/Zcash
- Zerocash - privacy-coin design that hides ledger transitions with zk-SNARK proofs rather than visible rings
- Blind Signatures for Untraceable Payments - Chaumian digital-cash privacy lineage
- Public-Key Cryptography - signature and key-control foundation that ring signatures extend
- Proof of Work - CryptoNote pairs transaction privacy with an egalitarian proof-of-work design
- Praxeology of Privacy - privacy-as-selective-disclosure frame for transaction privacy tools
- Cypherpunk - movement context for private digital cash
- Privacy and Cryptography - broader topic map for privacy-preserving cryptographic systems
- Fungibility - The property that any one unit of a money is interchangeable with any other — a requirement of sound money that a transparent ledger puts under pressure, and that privacy technology exists to restore.
- Monero - The leading default-private cryptocurrency: Monero makes untraceability and unlinkability mandatory so every unit stays fungible
Sources
- CryptoNote v 2.0 - primary source for one-time ring signatures, key images, unlinkable payments, and the anonymity-set/size trade-off