Decoy Selection & the Output Distribution
Why decoys must mimic the real spend-age distribution (a gamma fit), how the selection algorithm works, and the deanonymization that a naive selector causes.
Ring signatures only provide privacy if the decoys are indistinguishable from the real spend. Get the decoy-selection algorithm wrong and you can deanonymize transactions without breaking any cryptography at all — by statistics alone. This is one of the highest-leverage, most-scrutinized pieces of wallet code.
The Core Problem: Real Spends Aren't Uniform
Empirically, people spend recently-received outputs far more often than ancient ones. So the age of a real input follows a characteristic, heavily-recency-weighted distribution. Now suppose your wallet picked decoys uniformly at random over all outputs ever created. In most rings, the real input would be the only recent member among 15 old decoys — a glaring outlier. An analyst applying "guess the newest" would be right a large fraction of the time. Uniform decoys are a privacy disaster.
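To make the "guess the newest" heuristic concrete, here is an added simulation (not code from the page or from any Monero wallet). It uses a constructed, recency-weighted spend-age model in place of the real empirical curve, builds rings of 16 with decoys from a naive uniform selector, and measures how often the adversary's "youngest member is the real spend" guess is right. A second selector that draws decoy ages from the same model as the real spends shows what a matched distribution buys back.

```python
"""Measure the newest-output heuristic against two decoy selectors.

Ages are in blocks since the output was created. The spend-age model, chain
height and ring size below are constructed for the example.
"""
import math
import random

RING_SIZE = 16          # one real spend plus 15 decoys
LOCK_BLOCKS = 10        # outputs younger than this cannot be spent or used as decoys
CHAIN_HEIGHT = 2_000_000  # constructed: an output exists at every age in range


def real_spend_age(rng):
    """Constructed stand-in for the empirical spend-age curve: log-age roughly
    normal, median about 800 blocks, clamped to the spendable range."""
    age = int(math.exp(rng.gauss(math.log(800), 1.2)))
    return min(max(age, LOCK_BLOCKS), CHAIN_HEIGHT - 1)


def uniform_decoys(rng, n):
    """Naive selector: every spendable output on the chain is equally likely."""
    return [rng.randrange(LOCK_BLOCKS, CHAIN_HEIGHT) for _ in range(n)]


def matched_decoys(rng, n):
    """Selector whose decoy ages follow the same model as real spends."""
    return [real_spend_age(rng) for _ in range(n)]


def build_ring(rng, decoy_selector):
    """Ring = decoy ages plus the real spend age, shuffled so position leaks nothing."""
    members = [(age, False) for age in decoy_selector(rng, RING_SIZE - 1)]
    members.append((real_spend_age(rng), True))
    rng.shuffle(members)
    return members


def guess_newest(ring):
    """Adversary heuristic: the member with the smallest age is the real spend.
    Ties fall to whichever tied member comes first in the shuffled ring."""
    return min(ring, key=lambda member: member[0])


def heuristic_accuracy(decoy_selector, trials=5000, seed=1):
    """Fraction of rings in which guess_newest() picks the real spend."""
    rng = random.Random(seed)
    hits = sum(guess_newest(build_ring(rng, decoy_selector))[1] for _ in range(trials))
    return hits / trials


if __name__ == "__main__":
    for name, selector in (("uniform", uniform_decoys), ("matched", matched_decoys)):
        acc = heuristic_accuracy(selector)
        # 1/accuracy is the effective anonymity set; the ring size is the ceiling.
        print(f"{name:8s} accuracy={acc:.3f} effective set~{1/acc:.1f} (max {RING_SIZE})")
```

With uniform decoys the guess is right almost every time, so the effective anonymity set is close to 1 regardless of the ring size; with matched decoys the adversary does no better than picking at random, roughly 1 in 16.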
The Fix: Mimic the Spend-Age Distribution
The wallet must select decoys whose ages follow the same distribution as real spends, so the real output blends in. Monero models this with a gamma distribution, fitted to observed spending behaviour, over the logarithm of the spend age in seconds: the wallet samples a log-age from that distribution, exponentiates it to get an age, then maps that age onto an actual output via the chain's output-creation timeline. Key implementation points contributors must respect:
- Sample in time, then map to outputs. Output density varies over time, so the algorithm converts a sampled age into a concrete output index using the per-block cumulative output counts (the output distribution the daemon serves): the age becomes a distance back along the output timeline, and the pick is uniform within the block that lands on but weighted across blocks by the gamma.
- Respect the lock. Outputs younger than the 10-block lock can't be spent, so they must not be selected as decoys either: a decoy that cannot possibly be the real spend is discarded by an analyst for free, and the ring shrinks by one.
- Determinism vs. fingerprinting. The selector must match what other wallets do; a wallet with a different decoy distribution is itself fingerprintable, shrinking the effective anonymity set for everyone using the odd wallet.
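The three points above, as an added example that is not Monero's wallet2 code: a picker that samples a log-age from the gamma, converts it into a distance back along a constructed per-block output timeline, picks uniformly inside the block it lands on, and never touches the lock window. The gamma parameters (shape 19.28, rate 1.61 on log-seconds), the 120-second block time and the 10-block lock are assumptions of this example; the chain timeline is constructed with deliberately uneven output density so the time-to-index mapping has something to do.

```python
"""Gamma-weighted decoy picker: sample a spend age, map it onto an output index."""
import bisect
import math
import random

BLOCK_TIME = 120      # assumed seconds per block
LOCK_BLOCKS = 10      # assumed lock: outputs in the newest 10 blocks are unspendable
GAMMA_SHAPE = 19.28   # assumed parameters for log(age in seconds)
GAMMA_RATE = 1.61


def constructed_rct_offsets(height, seed):
    """Constructed chain timeline: offsets[h] = cumulative outputs in blocks 0..h.
    Density varies from 1 to 9 outputs per block."""
    rng = random.Random(seed)
    offsets, total = [], 0
    for _ in range(height):
        total += rng.randint(1, 9)
        offsets.append(total)
    return offsets


class GammaPicker:
    def __init__(self, rct_offsets, rng, shape=GAMMA_SHAPE, rate=GAMMA_RATE):
        if len(rct_offsets) <= LOCK_BLOCKS:
            raise ValueError("chain shorter than the lock window")
        self.rng = rng
        self.shape, self.scale = shape, 1.0 / rate
        # Respect the lock: the newest LOCK_BLOCKS blocks are not eligible at all.
        self.offsets = rct_offsets[:len(rct_offsets) - LOCK_BLOCKS]
        self.num_outputs = self.offsets[-1]
        # Average seconds between consecutive eligible outputs; turns an age in
        # seconds into "how many outputs back from the newest eligible one".
        self.avg_output_time = BLOCK_TIME * len(self.offsets) / self.num_outputs

    def pick(self):
        """Return a global output index, or None if the sampled age predates the chain."""
        age_seconds = math.exp(self.rng.gammavariate(self.shape, self.scale))
        back = int(age_seconds / self.avg_output_time)
        if back >= self.num_outputs:
            return None                       # bad pick: caller retries
        target = self.num_outputs - 1 - back
        # The block whose cumulative count first exceeds the target contains it.
        block = bisect.bisect_right(self.offsets, target)
        first = self.offsets[block - 1] if block > 0 else 0
        n_in_block = self.offsets[block] - first
        # Uniform within the block (time bucket); the gamma weights across blocks.
        return first + self.rng.randrange(n_in_block)


def pick_decoys(picker, count):
    """Draw `count` distinct decoy indices, retrying bad picks and duplicates.
    A real wallet would also exclude the output actually being spent."""
    chosen = set()
    while len(chosen) < count:
        idx = picker.pick()
        if idx is not None:
            chosen.add(idx)
    return sorted(chosen)


def age_in_blocks(output_index, rct_offsets):
    """Blocks between the top of the chain and the block that created the output."""
    block = bisect.bisect_right(rct_offsets, output_index)
    return len(rct_offsets) - 1 - block


def simulate(height=50_000, count=2000, chain_seed=7, pick_seed=3):
    """Build a constructed chain, draw `count` decoys, return (offsets, decoys, ages)."""
    offsets = constructed_rct_offsets(height, chain_seed)
    picker = GammaPicker(offsets, random.Random(pick_seed))
    decoys = pick_decoys(picker, count)
    return offsets, decoys, [age_in_blocks(d, offsets) for d in decoys]


if __name__ == "__main__":
    _, _, ages = simulate(count=15)
    print("decoy ages in blocks:", sorted(ages))
    print("lock respected:", min(ages) >= LOCK_BLOCKS)
```

Two checks a contributor would run on any change to this code: no pick ever lands inside the lock window, and the picked ages skew recent (a median of roughly a day of blocks here) rather than spreading uniformly over the chain.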
Why "Just Use a Bigger Ring" Isn't the Whole Answer
Ring size (currently 16) sets the maximum theoretical anonymity, but a biased selector collapses the effective set well below that. The protocol fixes ring size at consensus so every transaction looks identical (uniformity is itself privacy); the quality of the decoys then determines how close the real privacy gets to the theoretical maximum. This is also exactly why the long-term roadmap moves to full-chain membership proofs — they remove decoy selection as a problem entirely.
Heuristics a Contributor Must Defend Against
- Newest-output bias (above) — the big one.
- Output merging / common-input heuristics — these mostly don't apply to Monero in their Bitcoin form (a ring hides which output each input actually spends), but timing and visible metadata such as fee and input/output counts around a transaction can still leak; the selector can't fix careless wallet behaviour elsewhere.
- Decoy reuse across forks/chains — when a coin forks from Monero, spending the same output on both chains publishes the same key image on each; if the two spends used different rings, the intersection of those rings pins down the real output on both chains. Monero's wallet keeps a ring database so a repeated spend reuses the same ring, which only helps if the wallet remembers the rings it produced.
Decoy selection is where cryptography meets statistics, and where a "small" change can quietly erode everyone's privacy. Next, the exact signature that consumes those rings — CLSAG: Exact Construction & Domain Separation.