CLSAG Ring Signatures & Key Images

How Monero proves you own one ring member without revealing which — LSAG → MLSAG → CLSAG — and how the key image I = x·Hp(P) stops double spends.

Stealth addresses hide the receiver. Ring signatures hide the sender. The problem they solve is subtle: prove you own the private key to one output in a set, and prove you haven't spent it before, without revealing which output is yours. Monero's current scheme is CLSAG. Let's build up to it.

The Setup

To spend, your wallet picks your real output plus decoys (other real outputs from the chain) to form a ring of n members (Monero fixes the ring size — 16 since v15). Each member is a one-time public key P₀ … Pₙ₋₁; exactly one, at secret index π, is yours, with private key x such that P_π = xG (from the stealth-address derivation). A verifier must be convinced the signer knows some ring member's key, learning nothing about π.

The Key Image: Stopping Double-Spends

A ring signature alone would let you spend the same output repeatedly with different rings. The fix is the key image:

I = x · Hp(P_π)

where Hp is hash-to-point. Properties that make it work:

  • Deterministic & unique: a given output has exactly one valid key image (it depends on x and P_π).
  • Unlinkable: I reveals nothing about which P it came from — you can't map it back to an output.
  • One-time: the signature binds I, and every node keeps a set of spent key images. A transaction whose key image is already in the set is rejected — that's the entire double-spend defense, and why Monero needs no visible "this output is now spent" marker.

From LSAG to MLSAG to CLSAG

  • LSAG (Linkable Spontaneous Anonymous Group signature): the original CryptoNote idea — a ring signature that's linkable via a key image, so reuse is detectable. Signs one key per ring.
  • MLSAG (Multilayer LSAG): generalizes to ring members that are vectors of keys, so one signature can simultaneously prove ownership of the output key and the amount commitment (needed once RingCT arrived). Monero used MLSAG from 2017.
  • CLSAG (Concise LSAG, live since Oct 2020): proves the same two things — knowledge of the output private key and of the commitment's blinding factor — but collapses them into a single ring rather than MLSAG's two-key matrix. Result: signatures ~25% smaller and ~20% faster to verify, with the same security.

How a Ring Signature Closes (the shape of it)

CLSAG is a Schnorr-style ring. Intuitively it forms a ring of challenges that must close on itself:

  1. Start at your secret index π with a random nonce; compute a challenge c_{π+1} that commits to the message and a point built from your nonce.
  2. For every other (decoy) index, choose a random response s_i and derive the next challenge c_{i+1} from s_i, the ring key, and the key image — walking around the ring.
  3. When you return to π, solve for your response s_π using your real private key x so that the final challenge matches the one you started with — the ring closes.

A verifier recomputes the whole loop from the published (c₀, s₀…sₙ₋₁, I) and checks it closes. It closes only if the signer knew one real key — but every s_i looks identically random, so π is hidden. The message being signed includes the transaction, binding the signature to this spend and to the key image I.
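
An added example, not from the original page or from Monero's code: the three signing steps, the verifier's loop and the spent-key-image check as a runnable single-key LSAG-style ring. It leaves out the amount-commitment part that CLSAG adds, the group is an assumption (a toy multiplicative group in place of Monero's curve), and all function names are illustrative.

```python
import hashlib, math, secrets

# Toy group (assumption): squares mod a ~32-bit safe prime P = 2Q + 1 stand in for
# Monero's curve, so the page's x·G is pow(G, x, P) here. Far too small to be secure.
def _is_prime(n):
    return n > 1 and all(n % d for d in range(2, math.isqrt(n) + 1))
Q = next(q for q in range(2**31, 2**32) if _is_prime(q) and _is_prime(2 * q + 1))
P, G = 2 * Q + 1, 4

def _h(*parts):                  # hash arbitrary values to an integer
    return int.from_bytes(hashlib.sha256(repr(parts).encode()).digest(), "big")
def Hp(pub):                     # hash-to-point: squaring lands in the order-Q subgroup
    return pow(2 + _h("Hp", pub) % (P - 3), 2, P)
def keygen():                    # private x, public P = x·G
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)
def key_image(x):                # I = x·Hp(P_pi)
    return pow(Hp(pow(G, x, P)), x, P)

def _next_c(msg, ring, I, i, c, s):   # c_{i+1} from s_i, ring key P_i and key image I
    L = pow(G, s, P) * pow(ring[i], c, P) % P
    R = pow(Hp(ring[i]), s, P) * pow(I, c, P) % P
    return _h(msg, tuple(ring), I, L, R) % Q

def sign(msg, ring, pi, x):
    n, I, a = len(ring), key_image(x), secrets.randbelow(Q - 1) + 1
    c, s = [0] * n, [secrets.randbelow(Q) for _ in range(n)]
    # Step 1: the challenge after pi commits to the nonce points a·G and a·Hp(P_pi)
    c[(pi + 1) % n] = _h(msg, tuple(ring), I, pow(G, a, P), pow(Hp(ring[pi]), a, P)) % Q
    for k in range(1, n):             # Step 2: walk the decoys with random responses
        i = (pi + k) % n
        c[(i + 1) % n] = _next_c(msg, ring, I, i, c[i], s[i])
    s[pi] = (a - c[pi] * x) % Q       # Step 3: only the real key x closes the ring
    return c[0], s, I

def verify(msg, ring, sig):           # also rejects key images outside the subgroup
    c0, s, I = sig
    if len(s) != len(ring) or not 1 < I < P or pow(I, Q, P) != 1:
        return False
    c = c0
    for i in range(len(ring)):
        c = _next_c(msg, ring, I, i, c, s[i])
    return c == c0

def accept(msg, ring, sig, spent):    # node rule: valid signature, unseen key image
    if sig[2] in spent or not verify(msg, ring, sig):
        return False
    spent.add(sig[2])
    return True
```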

Why "plausible deniability" is real here

Because decoys are indistinguishable from the real spend and the signature reveals only that one member signed, an observer sees 16 equally-likely candidates per input. Combined with hidden amounts and stealth addresses, there's no sender, no receiver, and no amount to follow.

Next, the piece CLSAG also has to prove: that the hidden amounts balance — RingCT, Pedersen Commitments & Bulletproofs+.
