What is Monero's decoy selection algorithm?

When you send Monero, your wallet creates a ring signature with 16 outputs — 1 real (yours) and 15 decoys from the blockchain. The decoy selection algorithm determines WHICH 15 outputs are chosen. It uses a gamma distribution weighted toward recent outputs: newer outputs are more likely to be selected as decoys because real spending patterns show people tend to spend recent outputs more than old ones. This makes the real output statistically indistinguishable from decoys.

Why does decoy selection matter for privacy?

If decoys were selected randomly (uniformly), an analyst could notice that the real output tends to be newer than decoys (because people spend recent funds). This timing heuristic would narrow the anonymity set. The gamma distribution counteracts this: decoys are selected with the same age distribution as real spends, making statistical analysis much harder. Academic research (Möser et al., 2018) showed that early Monero versions had exploitable decoy selection — modern versions use improved distributions.

How does the gamma distribution work?

The gamma distribution is a probability curve that models real spending behaviour. Monero's implementation: most decoys are selected from recent blocks (matching how people tend to spend recent outputs), but a long tail includes older outputs (some people do spend old coins). The exact parameters are tuned to match observed on-chain spending patterns. The goal: an analyst looking at a ring signature cannot distinguish the real output by its age, because all 16 outputs follow the same statistical distribution.

Can chain analysis defeat decoy selection?

Academic papers have identified theoretical weaknesses: (1) Timing analysis — if decoy age distribution doesn't perfectly match real spending. (2) Output merging — if the same person creates many outputs and uses them together. (3) Known-spend analysis — if an attacker controls one party in a transaction, they can eliminate their known real output from other rings. In practice, these attacks are partial — they reduce the anonymity set from 16 to maybe 3-5, not to 1. FCMP++ eliminates ALL of these attacks by making the anonymity set the entire blockchain.

What changes with FCMP++?

FCMP++ (Full-Chain Membership Proofs) makes decoy selection completely obsolete. Instead of picking 15 decoys from the blockchain, FCMP++ proves your output exists SOMEWHERE in the entire chain — without selecting any specific decoys. The anonymity set becomes every output ever created (millions). There's nothing to analyze statistically: every output is equally likely. This is the fundamental fix for all decoy selection weaknesses.

Monero Decoy Selection (2026)

How ring signature decoys are chosen and why it matters

TL;DR: When you send XMR, your wallet picks 15 decoy outputs to mix with your real one (ring size 16). The selection uses a gamma distribution weighted toward recent outputs — matching real spending patterns so analysts can't distinguish real from fake by timing. FCMP++ will make this obsolete: the anonymity set becomes the entire blockchain.

The Problem: Choosing Good Decoys

If decoys were chosen randomly from the entire blockchain, an analyst could exploit a simple heuristic: people tend to spend recent outputs. The newest output in a ring would be the most likely real spend.

If decoys were all chosen from recent blocks, old real spends would stick out. The selection must match the statistical distribution of real spending.

The Solution: Gamma Distribution

Monero's wallet selects decoys using a gamma distribution that models real spending behaviour:

Output Age	Selection Probability	Rationale
< 1 day	High	Most real spends happen within hours/days of receiving
1-7 days	Moderate-high	Common spending window
1-4 weeks	Moderate	Regular spending cycle
1-6 months	Low-moderate	Savings being spent
6+ months	Low (long tail)	Some people HODL then spend old coins

The distribution isn't flat (uniform) or steep (only recent) — it follows the curve of real-world spending, making the real output indistinguishable from decoys by age alone.

Known Attack Vectors

Attack	How It Works	Effectiveness
Timing heuristic	Guess the newest output is real	Partial — gamma distribution counteracts this
Known-spend elimination	If you know an output was spent in another ring, eliminate it as a decoy here	Partial — reduces anonymity set by ~1 per known spend
Poisoned outputs	Flood blockchain with outputs you control, then identify them as decoys	Partial — expensive, reduces set slightly
Merge/split analysis	Track amounts despite RingCT by observing transaction graph patterns	Very weak — Bulletproofs hide amounts

None of these attacks reduce the anonymity set to 1 (full deanonymization). They might narrow it from 16 to 3-5 in theory. Combined with stealth addresses and Bulletproofs, practical tracing remains infeasible.

FCMP++ — The Final Fix

FCMP++ eliminates decoy selection entirely. Instead of picking 15 decoys, FCMP++ proves your output exists somewhere in the entire blockchain using zero-knowledge cryptography. No decoys needed. No statistical distribution to tune. No timing heuristics to exploit.

The anonymity set jumps from 16 to millions. Every academic attack on decoy selection becomes irrelevant.

Bottom Line

Decoy selection is the most-studied aspect of Monero's privacy. Academic papers have found theoretical weaknesses, but none that enable practical tracing.

The gamma distribution makes ring members statistically indistinguishable from real spends. Combined with stealth addresses and Bulletproofs, Monero's current privacy is robust.

FCMP++ is the permanent solution: no decoys to select, no distribution to tune, no attacks to defend against. The entire blockchain is your crowd.