Ring Signatures

If stealth addresses hide who receives a payment, something else has to hide who sends it — otherwise privacy would only be half complete. That something is the ring signature. It is the technology that lets you prove you have the right to spend a coin without revealing which coin you actually spent. In this lesson you will see how mixing your real spend with decoys makes the true sender ambiguous to everyone watching the chain.

The Sender Problem

On a transparent blockchain, a transaction openly says "this specific coin moved from here to there." Anyone can follow the chain of ownership backward and forward forever. That traceability is exactly what destroys fungibility and lets coins be blacklisted by their history. Monero breaks the trail at the moment of spending so that no observer can say with certainty which past output funded a given transaction.

Mixing the Real Spend With Decoys

When your wallet spends an output, it does not point at that one output alone. Instead it gathers a group, called a ring, made up of:

• Your real output — the coin you are actually spending.
• Decoys — other genuine, pre-existing outputs pulled from the blockchain, chosen to look plausible.

A ring signature then proves, mathematically, that the signer owns one of the outputs in the ring — without revealing which one. To an outside observer, every member of the ring is an equally possible source. Your real spend is hidden in the crowd. Modern Monero uses a fixed ring size for every transaction, so all transactions look uniform and no one stands out by being different.

Stopping Double-Spends With Key Images

A fair question: if nobody can tell which output was really spent, what stops you from spending the same coin twice? The answer is the key image. Each output, when spent, produces one unique key image that the network records. The math guarantees a given output can only ever generate the same key image, and the network rejects any transaction whose key image has appeared before. So Monero prevents double-spending without revealing which ring member was real — the key image is unlinkable to the specific output to outside observers, yet still unique.

Where Ring Signatures Fit

Ring signatures are one of Monero's three privacy pillars, and they specifically protect the sender:

• Stealth addresses hide the receiver — see Stealth Addresses.
• Ring signatures hide the sender — this lesson.
• RingCT hides the amount while proving the books balance — see RingCT and Hidden Amounts.

Because all three apply automatically to every transaction, you do not opt in to privacy on Monero — it is the default and only mode.

Common Misunderstandings

• "Decoys are fake coins." No — decoys are real outputs that already exist on the chain. That is what makes them convincing.
• "Bigger rings always mean more privacy." Larger rings add ambiguity but also bloat transactions; Monero uses a sensible fixed size network-wide so everyone blends together uniformly.
• "Ring signatures hide the amount." No — that is RingCT's job. Ring signatures only obscure which output was the true source.

You can read a deeper, formal write-up in the community Moneropedia.

Ring signatures are the sender-side half of Monero's privacy: your real spend disappears into a ring of plausible alternatives, while key images quietly keep the system honest. With the receiver hidden by stealth addresses and the sender hidden here, only one thing is left exposed — the amount. Next we will close that gap with RingCT and Hidden Amounts.