Ring Signatures

Users place great emphasis on privacy within cryptocurrencies, so it is no wonder that crypto assets and new protocols built around privacy keep appearing. So far we’ve achieved an impressive level of anonymity in digital value exchange. Still, significant development is going on in the distributed networks.

Recently, a key technology known as ring signatures has been implemented in a lot of privacy-first cryptocurrencies. In particular, CryptoNote coins are among the leading players in the privacy space.

A Little Background on Ring Signatures

In 2001, Ron Rivest, Adi Shamir, and Yael Tauman invented ring signatures, a type of cryptographic digital signature, and later introduced them at AsiaCrypt. A ring signature is similar to a joint bank account or a group signature. However, it is not possible to identify the actual signer of a ring signature transaction. Also, an arbitrary group of users can be included in the ring signature without any extra setup.

The concept of ring signatures was originally proposed as a way to leak secret information. The example presented in the paper shows how a piece of information can be leaked by a high-ranking government official without revealing who signed the message. The ring signature in use at present is not the same, though: there have been various additions and feature optimizations to the technology.

In 2006, Eiichiro Fujisaki and Koutarou Suzuki proposed Traceable Ring Signatures. This was an update to fix some of the vulnerabilities in ring signatures. It eliminated the concerns related to manipulation by malicious or irresponsible signers. An optimized version of Traceable Ring Signatures is currently used in the CryptoNote coins. It is employed so that P2P transactions can be made untraceable by obscuring the source of the inputs in the transaction. Such transactions cannot be traced back, providing complete privacy to the senders.

In 2015, Monero Research Labs proposed another version called Ring Confidential Transactions (Ring CTs). It was recently implemented by Bitcoin Core developer Gregory Maxwell. Confidential Transactions (a type of transaction which obfuscates the actual amount of the transaction from the public) and Ring Signature together make a powerful combo for privacy-focused coins. Ring CTs extend the anonymity capabilities by hiding the actual transaction amounts between two parties along with obfuscating the identity of the sender.

How Do Ring Signatures Work?

As discussed, ring signatures are the cryptographic digital signature equivalent of a joint bank account signature. However, ring signatures take the concept of a group signature further by providing privacy to the individual signers too. In a peer-to-peer transaction, ring signatures hide (protect) the sender by obscuring the input side of the transaction, making it computationally infeasible to determine the individual who signed it.

Typical digital signatures such as ECDSA or Schnorr signatures lag behind the sophistication of ring signatures. The word “ring” denotes that a group of individuals come together with their partial digital signatures, which are combined to make one signature. This group is known as a “Ring”. The rings are made up of arbitrarily selected outputs from other users on the Blockchain. This also creates the need for multiple public keys for verification.

The structure of a ring signature, using Monero as an example, basically works as follows:

  1. Alice wants to send Bob 10 Monero. She initiates a transaction through her Monero wallet to Bob.
  2. For this transaction, Alice’s digital signature is a one-time spend key that starts with an output being spent from her wallet.
  3. The group is formed using past transaction outputs that are arbitrarily picked from the Blockchain. These other members are non-signers of the ring signature. These outputs (signatures) act as decoys in the transaction.
  4. Any one of the members can be a plausible signer of the transaction, but it is computationally infeasible for a third party to detect the actual signer.
  5. The input of the transaction is made up of all of the outputs of the ring signature together.
  6. Alice, the creator of the transaction, is eligible to spend the specified transaction. Her identity will remain indistinguishable from the others in the ring.
  7. The automatic creation of unique one-time keys prevents transaction linkability and is made possible through an optimization of the Diffie-Hellman key exchange.

Ring Signature in Monero

Privacy-focused cryptocurrencies always face the problem of double-spending in anonymous transactions. Cryptocurrencies cannot work without preventing double-spending. This was solved using key images in conjunction with the ring signature scheme.

A key image is nothing but a cryptographic key. The key image for a transaction is derived from an output being spent and is part of every ring signature transaction. For each output on the Blockchain, there is only one unique key image, and a list of all used key images is stored on the Blockchain. The cryptographic properties of key images make it infeasible to find a correlation between an output on the Blockchain and its key image. The key image is an unavoidable, unambiguous, and yet anonymous marker of the private key used in a transaction. Here is how a key image helps prevent double-spending: any new ring signature that uses a duplicate of a key image is rejected automatically. Therefore, the stored key images are not prunable.
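The signing steps listed under “How Do Ring Signatures Work?” and the key-image check described above, as an added Python sketch (not code from this article or from Monero): a linkable ring signature in the LSAG style, plus a node-side check that rejects a reused key image. The toy group (integers modulo 2^127 - 1), the function names and the sample messages are assumptions of this example; Monero performs the same steps on the Ed25519 curve.

```python
import hashlib, secrets

# Toy group (assumption of this sketch): integers mod the Mersenne prime
# 2**127 - 1, exponents reduced mod P - 1. Not secure, composite order.
P, N, G = 2**127 - 1, 2**127 - 2, 3

def H(*parts):
    data = "|".join(map(str, parts)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def hp(pub):  # hash-to-group: per-key base whose log relative to G is unknown
    return H("Hp", pub) % (P - 2) + 2

def keygen():
    x = secrets.randbelow(N - 1) + 1
    return x, pow(G, x, P)

def link(ring, msg, c, s, pub, image):  # one step around the ring
    L = pow(G, s, P) * pow(pub, c, P) % P
    R = pow(hp(pub), s, P) * pow(image, c, P) % P
    return H("c", ring, msg, L, R) % N

def sign(msg, ring, idx, x):
    n, ring = len(ring), tuple(ring)
    image = pow(hp(ring[idx]), x, P)          # key image: fixed per output
    c, s = [0] * n, [secrets.randbelow(N) for _ in range(n)]
    alpha = secrets.randbelow(N)              # signer's nonce starts the chain
    c[(idx + 1) % n] = link(ring, msg, 0, alpha, ring[idx], image)
    for k in range(1, n):                     # decoys: random s, forced c
        i = (idx + k) % n
        c[(i + 1) % n] = link(ring, msg, c[i], s[i], ring[i], image)
    s[idx] = (alpha - c[idx] * x) % N         # closes the ring; needs x
    return c[0], s, image

def verify(msg, ring, sig):
    c0, s, image = sig
    if len(s) != len(ring) or not 1 < image < P:
        return False
    c = c0
    for pub, si in zip(ring, s):
        c = link(tuple(ring), msg, c, si, pub, image)
    return c == c0                            # chain must return to its start

def accept(spent, msg, ring, sig):  # node check: valid and key image unseen
    if sig[2] in spent or not verify(msg, ring, sig):
        return False
    spent.add(sig[2])
    return True
```

The verifier walks the ring from index 0 and never learns which position closed the chain; the key image is the only value that repeats when the same output is spent again, even with a different set of decoys.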

Ring Confidential Transactions (Ring CTs)

Ring signatures only focus on providing privacy for the senders in a transaction. An extended implementation that adds confidential transactions, i.e. Ring CTs, focuses on providing privacy to both the sender and the recipient by obfuscating the amount being transacted between them. This is one major advancement among a few other modifications. Ring CTs are a great improvement on the earlier proposed ring signature technology.

Transactions in Bitcoin are transparent rather than opaque. Implementing Ring CTs makes the stored transactions on the Blockchain opaque. In the earlier version of ring signatures, the outputs had to be broken up into separate rings, and a ring could only contain outputs of the same value. This enabled third parties to see the actual amounts being transferred. Ring CTs eliminate this problem.

With this update of Ring CTs, transactions no longer need to be broken down so that they fit into different rings of equal-sized outputs. Now, a cryptocurrency wallet using Ring CTs can arbitrarily select ring members from any output size. Ring CTs also utilize a commitment scheme that is enabled by range proofs. A commitment is a 33-byte value that is used to replace and hide the amount in a transaction. The range proofs are used to make sure that the amount used in a transaction is more than zero and less than the amounts available without actually revealing the transaction details. This way, the verifiers can be assured that the transactions are cryptographically valid but cannot actually see the transaction amount.
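How a commitment hides an amount while still letting verifiers check that a transaction balances, and why the range proof is needed, shown as an added Python sketch (not code from this article or from Monero). It uses Pedersen commitments over a toy group; the group, the second base `A`, the function names and the sample amounts are assumptions of this example, and no range proof is implemented.

```python
import hashlib, secrets

# Toy group (assumption of this sketch): integers mod the Mersenne prime
# 2**127 - 1, exponents reduced mod P - 1. Not secure.
P, N, G = 2**127 - 1, 2**127 - 2, 3
# Second base for amounts, derived by hashing so nobody knows its log to base G.
A = int.from_bytes(hashlib.sha256(b"amount base").digest(), "big") % (P - 2) + 2

def commit(amount, blind):
    """Pedersen commitment G^blind * A^amount: hides the amount, binds to it."""
    return pow(G, blind % N, P) * pow(A, amount % N, P) % P

def product(commitments):
    out = 1
    for c in commitments:
        out = out * c % P
    return out

def make_tx(in_amounts, out_amounts):
    """Blind every amount; the last output blind is chosen so the blinds cancel."""
    in_blinds = [secrets.randbelow(N) for _ in in_amounts]
    out_blinds = [secrets.randbelow(N) for _ in out_amounts[:-1]]
    out_blinds.append((sum(in_blinds) - sum(out_blinds)) % N)
    ins = [commit(a, r) for a, r in zip(in_amounts, in_blinds)]
    outs = [commit(a, r) for a, r in zip(out_amounts, out_blinds)]
    return ins, outs

def balances(ins, outs, fee):
    """Verifier sees only commitments and the public fee, never the amounts."""
    return product(ins) == product(outs) * pow(A, fee, P) % P

# Constructed sample: inputs 10 + 5, outputs 12 + 2, fee 1.
honest = make_tx([10, 5], [12, 2])
# Outputs 20 and -6 also sum to 14: the balance check alone cannot tell
# that one output is negative, which is the gap the range proof closes.
wrapped = make_tx([10, 5], [20, -6])
```

Both `honest` and `wrapped` pass `balances(..., fee=1)`, so a verifier that skipped the range proof would accept an output worth more than the inputs.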

The concept of range proofs is an interesting one, and it has seen some fascinating recent developments. Range proofs have great implications for future iterations of platforms that aim to maintain user privacy.

CryptoNote coins and Monero

Moving forward, ring signatures would be more relevant as a sort of standard implementation for digital signature schemes. Ring signatures are a vital element for any privacy-focused cryptocurrency that is looking to achieve a degree of anonymity for its users.

The CryptoNote coins are well known for their privacy because they come equipped with ring signatures and Ring CTs. The more prominent coins with a ring signature implementation are Monero and Bytecoin. Bytecoin is the first CryptoNote-based implementation.

At present, various cryptocurrencies and companies are trying many components to create and maintain a network that provides anonymity to the users. Ring signatures and their corresponding enhancements such as Ring CTs are key to hiding sender identities and transaction amounts across a network.

With such emphasis placed on privacy, mainstream adoption will continue and digital assets will keep becoming more efficient and lucrative than traditional banking and currency. It will be exciting to observe the ongoing development and ultimate end results of these privacy-centric coins. Further advancement depends on the accelerated pace of innovation and how well the ecosystem adapts to the newer solutions.