RingCT, Pedersen Commitments & Bulletproofs+

Hiding amounts with commitments C = aH + xG, the balance equation, and how Bulletproofs+ prove a value is in range without revealing it.

Hiding sender and receiver is useless if the amounts are public — you could deanonymize by following the money. RingCT (Ring Confidential Transactions, mandatory since Sept 2017) hides amounts while still letting every node verify that no coins were created from thin air. The trick is a commitment scheme with a magical algebraic property, plus a proof that hidden numbers are in range.

Pedersen Commitments

An amount a is committed as:

C = a·H + x·G

where G is the usual base point, x is a random blinding factor (mask), and H = Hp(G) is a second generator whose discrete log with respect to G is unknown to everyone. Two properties matter:

  • Hiding: the random x makes C reveal nothing about a — any amount is equally consistent with a given C.
  • Binding: because nobody knows log_G(H), you can't find a second (a', x') opening to the same C. You're committed.

The Balance Equation (homomorphic addition)

Pedersen commitments are additively homomorphic: C₁ + C₂ = (a₁+a₂)·H + (x₁+x₂)·G. So the network can check a transaction balances without seeing any amount:

Σ C_inputs  −  Σ C_outputs  −  fee·H  =  0·H + (Σx_in − Σx_out)·G

The signer arranges the output masks so the H components cancel (inputs = outputs + fee). What's left is a known multiple of G — and proving you can open that to the zero amount is folded into the CLSAG signature (this is the second "layer" CLSAG proves). If amounts didn't balance, the H term wouldn't vanish and verification fails. The fee is published in the clear so the equation can include it.

Why You Still Need a Range Proof

The balance check has a fatal gap: arithmetic is modulo . A cheater could output a negative amount (a huge value that wraps around) so the books still "balance" while minting coins. To stop this, every output amount must be proven to lie in a sane range:

0 ≤ a < 2⁶⁴

…without revealing a. That's a zero-knowledge range proof.
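As an added example (not code from this page or from Monero), here are Pedersen commitments on Ed25519 in pure Python showing the balance equation passing for an honest transaction, passing again for a wrapped-around "negative" output, and only the range condition catching the second. Assumptions: H is derived by a toy hash-to-curve rather than Monero's exact Hp, output masks are chosen to cancel exactly so the verifier checks plain equality instead of the CLSAG-proven multiple of G, and the range condition is checked in the clear instead of by an actual Bulletproof+.

```python
import hashlib
from functools import reduce

# Ed25519 (the curve Monero uses) in affine twisted-Edwards coordinates.
P = 2**255 - 19
L = 2**252 + 27742317777372353535851937790883648493   # prime order of G; scalars live mod L
D = (-121665 * pow(121666, -1, P)) % P
SQRT_M1 = pow(2, (P - 1) // 4, P)

def recover_x(y, sign):  # x^2 = (y^2 - 1) / (d*y^2 + 1); ValueError if y is not on the curve
    x2 = (y * y - 1) * pow(D * y * y + 1, -1, P) % P
    x = pow(x2, (P + 3) // 8, P)                      # valid because P ≡ 5 (mod 8)
    if x * x % P != x2:
        x = x * SQRT_M1 % P
    if x * x % P != x2:
        raise ValueError("y is not on the curve")
    return P - x if (x & 1) != sign else x

def add(A, B):  # complete addition law: correct for every pair of points, identity is (0, 1)
    (x1, y1), (x2, y2) = A, B
    t = D * x1 * x2 * y1 * y2 % P
    return ((x1 * y2 + x2 * y1) * pow(1 + t, -1, P) % P,
            (y1 * y2 + x1 * x2) * pow(1 - t, -1, P) % P)

def mul(k, A):  # double-and-add; k is reduced mod L, so an "amount" of -1 becomes L - 1
    k, R = k % L, (0, 1)
    while k:
        if k & 1:
            R = add(R, A)
        A, k = add(A, A), k >> 1
    return R
G = (recover_x(4 * pow(5, -1, P) % P, 0), 4 * pow(5, -1, P) % P)
def hash_to_point(label):  # assumed toy hash-to-curve (not Monero's Hp): hash to y, retry, clear cofactor
    for ctr in range(256):
        y = int.from_bytes(hashlib.sha256(label + bytes([ctr])).digest(), "little") % P
        try:
            return mul(8, (recover_x(y, 0), y))
        except ValueError:
            continue

H = hash_to_point(b"pedersen-H")                      # nobody knows log_G(H), so commitments bind
def commit(amount, mask):  # C = a*H + x*G
    return add(mul(amount, H), mul(mask, G))

def balances(c_in, c_out, fee):  # verifier: sum(C_in) == sum(C_out) + fee*H (masks chosen to cancel)
    return reduce(add, c_in, (0, 1)) == reduce(add, c_out, mul(fee, H))

def in_range(amount):  # the statement a Bulletproof+ certifies per output; checked here in the clear
    return 0 <= amount < 2**64
```

An input of 10 spent as outputs 11 and -1 (that is, L - 1) with zero fee satisfies `balances` but fails `in_range`, which is exactly the hole the range proof closes.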

Bulletproofs and Bulletproofs+

The original RingCT used Borromean range proofs — correct but huge (kilobytes per output). Bulletproofs (Oct 2018) replaced them with a logarithmic-size proof based on an inner-product argument: it expresses "a is in range" as a statement about the bit-decomposition of a and proves it with a proof that grows only O(log n) in the bit-length, and aggregates across all of a transaction's outputs into one object. That cut proof sizes ~80% and fees with them.

Bulletproofs+ (the v15 upgrade, Aug 2022) is a refinement using a weighted inner-product argument: slightly smaller proofs and meaningfully faster verification — which is what nodes spend time on. Same security model, no trusted setup (a key advantage over SNARK-style systems).

Putting RingCT Together

A modern Monero output therefore carries: the one-time key P, the amount commitment C, an encrypted amount for the receiver (ecdhInfo — the 8-byte masked amount), and a view tag. The transaction carries one aggregated Bulletproof+ for all outputs, and per-input CLSAG signatures binding key images. Verification = check each ring closes, check the commitments balance, check the range proof. No amount, sender, or receiver is ever exposed, yet inflation is impossible.

Next we lay all of this out byte by byte: Anatomy of a Monero Transaction.
