What is a ring signature in Monero?

A ring signature is a digital signature that proves someone in a group signed a message, without revealing which member. In Monero, when you spend XMR, your real transaction input is mixed with 15 decoy inputs from the blockchain. An observer sees 16 possible signers but cannot determine which one actually authorized the spending.

What is Monero's current ring size?

Monero's current mandatory ring size is 16, implemented in August 2024. This means every transaction includes 1 real input mixed with 15 decoys. Previously it was 11 (2018-2024), and before that it varied from 4-7. A larger ring size increases the anonymity set per transaction.

Can ring signatures be broken or traced?

The cryptography (CLSAG) is mathematically sound and has not been broken. However, statistical heuristics can sometimes narrow down the real input using timing analysis, output age patterns, or auxiliary information. This is why Monero is upgrading to FCMP++ which uses the entire blockchain as the anonymity set, making such heuristics irrelevant.

CLSAG (Concise Linkable Spontaneous Anonymous Group) is Monero's current ring signature scheme, activated in October 2020. It replaced MLSAG, reducing signature size by 25% and verification time by ~20%. CLSAG produces signatures that prove: (1) the signer owns one of the inputs, (2) the input hasn't been spent before (linkability via key images), (3) without revealing which input is real.

What will FCMP++ change about ring signatures?

FCMP++ (Full-Chain Membership Proofs) will replace ring signatures entirely. Instead of mixing with 15 decoys, FCMP++ proves your input belongs to the entire set of all Monero outputs (100+ million) without revealing which one. The anonymity set goes from 16 to the entire blockchain, making statistical deanonymization impossible.

Monero Ring Signatures — How XMR Hides Senders

Updated March 2026 · By arnoldnakamura · Technical deep-dive

TL;DR: Ring signatures are Monero's method of hiding who sent a transaction. Your real spending input is mixed with 15 decoys from the blockchain. The current scheme (CLSAG) is 25% smaller than its predecessor. FCMP++ (coming 2026) will replace rings with full-chain membership proofs — anonymity set goes from 16 to 100+ million.

What Is a Ring Signature?

A ring signature is a type of digital signature invented by Rivest, Shamir, and Tauman in 2001. It proves that a message was signed by someone in a defined group, without revealing which member.

In Monero's context: when you spend XMR, your wallet creates a ring containing your real input (the output you're spending) plus 15 decoy inputs (real outputs from other transactions on the blockchain). The ring signature proves you own one of these 16 inputs — but not which one.

What the sender sees:

YOU

D10

D11

D12

D13

D14

D15

You know which one is yours. Ring size = 16.

What everyone else sees:

One of these 16 is the real spender. Which one? Impossible to tell.

Ring Size Evolution

2014

Monero launches with variable ring size (minimum 3). Users choose their own ring size. Many use ring size 1 (no mixing) — effectively transparent.

2016

RingCT introduced (mandatory Jan 2017). Ring size minimum raised to 5.

2018

Ring size set to mandatory 11. No more user choice — everyone uses the same ring size. This is critical because variable ring sizes leak information.

2020

CLSAG replaces MLSAG. Ring signatures become 25% smaller and 20% faster to verify. Same ring size 11.

2024

Ring size increased to mandatory 16 (August hard fork). Larger anonymity set per transaction.

2026

FCMP++ expected. Ring signatures replaced by full-chain membership proofs. Anonymity set: entire blockchain (100+ million outputs).

CLSAG: The Current Ring Signature Scheme

CLSAG (Concise Linkable Spontaneous Anonymous Group signatures) is Monero's ring signature algorithm since October 2020. It's an improvement over MLSAG (Multi-Layered Linkable Spontaneous Anonymous Group).

What CLSAG Proves

Ownership: The signer controls the private key for exactly one of the 16 inputs in the ring.
Linkability: Via a key image (a deterministic, one-way derivation from the private key), the network detects double-spends. If the same output is spent twice, both transactions produce the same key image, and the second is rejected.
Anonymity: No observer can determine which of the 16 inputs corresponds to the real signer.

Key Image — Preventing Double-Spends

The key image is what makes Monero's ring signatures "linkable" — not to the signer, but to the spending event. Each output can only be spent once because spending produces a unique key image: I = x * Hp(P) where x is your private key and Hp is a hash-to-point function.

The key image is:

Deterministic: Same private key always produces the same key image.
One-way: You cannot derive the private key or public key from the key image.
Unique per output: Different outputs produce different key images, even if owned by the same person.

      Why this matters: Every node maintains a set of all used key images. When a transaction arrives, the node checks: "Have I seen this key image before?" If yes, reject (double-spend attempt). If no, accept and add the key image to the set. The network prevents double-spending without knowing who spent or what they spent.
    

Decoy Selection — The Gamma Distribution

The strength of ring signatures depends on the quality of decoy selection. If decoys are chosen poorly, statistical analysis can narrow down the real input.

Monero uses a gamma distribution (specifically, a truncated log-gamma) to select decoys. This distribution mimics real spending behavior:

Most real spending happens on recent outputs (people spend coins they just received).
Some spending happens on older outputs (long-held savings).
Very old outputs are rarely spent.

By matching decoy age distribution to real spending patterns, an observer cannot distinguish real inputs from decoys based on age alone.

Known weakness: The gamma distribution is a model, not reality. If your actual spending pattern differs significantly from the model (e.g., you always spend very old outputs), this creates a statistical signal. FCMP++ eliminates this attack vector entirely — with the full chain as your anonymity set, no distribution model is needed.

Known Attack Vectors

Attack	How It Works	Mitigation
Timing analysis	Outputs spent immediately after receipt are more likely to be real (shorter time between creation and spending)	Wait before spending. Gamma distribution accounts for this statistically.
Output merging	If you receive 5 outputs and spend all 5 in one transaction, the 5 rings share one real input each, leaking correlation	Wallet "churning" (send to yourself first). FCMP++ makes this irrelevant.
Poisoned outputs	Attacker sends you dust, then watches when that output appears in a ring — it's likely real	Don't spend dust. Modern wallets automatically exclude tiny outputs.
Chain reaction	If ring members are eliminated by other information (e.g., known spent in other transactions), the ring shrinks	Larger ring size (16 is more resilient). FCMP++ fully resolves this.
EAE attack	Exchange-to-exchange: if an exchange knows both sending and receiving addresses, they can correlate through timing + known outputs	Use non-KYC on-ramps. Churn between exchanges. Avoid direct exchange-to-exchange.

CLSAG vs MLSAG vs FCMP++

Property	MLSAG (2017-2020)	CLSAG (2020-present)	FCMP++ (upcoming)
Signature type	Multi-Layered Linkable	Concise Linkable	Full-Chain Membership Proof
Ring size	11	16	Entire chain (~100M+ outputs)
Signature size	~2.0 KB (11 ring)	~1.5 KB (16 ring)	~2.5 KB (full chain)
Verification speed	Baseline	~20% faster	Slightly slower (worth it)
Decoy model needed	Yes (gamma)	Yes (gamma)	No (entire set)
Statistical attacks	Vulnerable	Less vulnerable	Not applicable

Why Ring Size 16 Was Chosen

Ring size is a tradeoff:

Larger ring = better anonymity set, but larger transaction size, slower verification, higher fees.
Smaller ring = faster, cheaper, but weaker anonymity.

Ring size 16 was chosen as the optimal balance point for CLSAG. The jump from 11 to 16 increased the anonymity set by 45% while only increasing transaction size by ~12% (thanks to CLSAG's concise signatures).

The endgame: FCMP++ makes the ring size debate obsolete. The anonymity set becomes the entire blockchain — there is no larger set possible. Transaction size increases by ~1 KB versus CLSAG, but the privacy improvement is orders of magnitude better than any ring size increase could achieve.

Practical Implications for Traders

As a P2P trader, here's what ring signatures mean for you:

Your counterparty cannot trace where your XMR came from. Even if they know your address, they cannot see your other transactions or balance.
Wait before spending. Outputs spent immediately after receipt have a weaker anonymity set. Let a few blocks pass.
Don't merge many inputs at once. If possible, spend fewer inputs per transaction. Your wallet handles this automatically.
Use subaddresses. Different subaddresses for different counterparties prevents them from linking your receiving activity.
After FCMP++, all of these precautions become unnecessary. Full-chain membership proofs provide maximum privacy regardless of spending behavior.

Trade Monero Privately

arnoldnakamura — Cash by Mail (EU-wide) and Face-to-Face (SW Germany). 683 trades, 100% feedback.

Telegram: @arnoldnakamura