Passer au contenu

Bitcoin accepté au paiement  |  Expédié depuis Laval, QC, Canada  |  Soutien expert depuis 2016

Ring Signature

Digital Sovereignty

Definition

A ring signature is a type of digital signature that can be produced by any member of a defined group of users, each holding their own keypair, in such a way that it is computationally infeasible to determine which member actually signed. The signature proves only that someone in the group authorized the message, providing signer ambiguity without any trusted group manager, setup ceremony, or cooperation from the other members. The construction was introduced by Ron Rivest, Adi Shamir, and Yael Tauman in their 2001 paper "How to Leak a Secret," whose motivating example remains the clearest explanation: a cabinet official wants to leak a document in a way that proves it came from a cabinet member, without revealing which one.

The anonymity set

The group of public keys assembled for a given signature is called the ring, and the set of plausible signers it represents is the anonymity set. The true signer combines their own private key with the public keys of the other ring members, who do not need to consent, participate, or even know they were included; any public key visible in the world can be conscripted as a decoy. A verifier can confirm the signature is valid for the ring as a whole, but the mathematics makes every member equally plausible as the author. A larger ring means more suspects and stronger privacy, at the cost of a larger signature, and the practical strength depends heavily on how decoys are chosen: statistically implausible decoys (coins too old, too new, or too unusual to be spent in that context) let analysts shrink the effective anonymity set well below its nominal size.

Use in privacy cryptocurrencies

Ring signatures are best known from the CryptoNote protocol family and Monero, where every transaction input is signed as a ring mixing the real spent output with decoy outputs sampled from the chain, so an outside observer cannot tell which output was actually consumed. This creates an obvious problem: if no one can tell which coin was spent, what stops it being spent twice? The answer is linkable ring signatures, which force every signature to expose a deterministic key image derived from the true signer's key. Spending the same output twice produces the same key image, so the network detects and rejects the double-spend, while the key image itself reveals nothing about which ring member produced it. It is an elegant trade: unlinkability of identity, linkability of reuse.

Bitcoin's different road

Bitcoin's base layer does not use ring signatures. Its transparent UTXO model favors global auditability, anyone can verify total supply, and privacy is pursued through other routes: collaborative constructions like CoinJoin that build an anonymity set from willing participants, zero-knowledge techniques, and the uniformity gains of Schnorr-based spending. Understanding ring signatures clarifies what each model trades away: decoy-based privacy buys default ambiguity at the cost of larger transactions and a supply that is harder to audit at a glance, while Bitcoin buys verifiability at the cost of making privacy an active discipline rather than a default. For sovereign users evaluating privacy tools of any stripe, the ring-signature lesson generalizes: the honest measure of a scheme is not its cryptography in isolation, but the realistic size and quality of its anonymity set under adversarial analysis.

The engineering history of ring signatures is a story about size. Early schemes grew linearly with the ring, so bigger anonymity sets meant proportionally bigger transactions and verification times, which pressured systems toward small rings and weaker privacy. Later research produced signatures that grow only logarithmically with ring size, allowing dramatically larger anonymity sets at acceptable cost, and the direction of travel across the field is toward hiding the spent output among ever larger portions of the chain. The lesson for evaluating any privacy system is that the constraint is rarely the cryptography alone; it is the cost curve of the cryptography at the anonymity-set size you actually need.

In Simple Terms

A ring signature is a type of digital signature that can be produced by any member of a defined group of users, each holding their…

Explore the Full Glossary

Browse all Bitcoin mining terms from A to Z. Whether you are a beginner or expert, deepen your understanding of the mining ecosystem.

Glossaire du minage

ASIC Miner Database

Compare 500+ miners with real-time profitability data, home mining scores, and detailed specs.

Comparer les mineurs