Ring Signature

A ring signature is a digital signature scheme in cryptography that allows any single member of an ad-hoc group to sign a message on behalf of the group. The signature proves the message comes from someone within that group, called a "ring," without revealing which member produced it. This property, signer ambiguity, defines the scheme and distinguishes it from conventional digital signatures, where the signer's identity is directly verifiable.

Origins and early development

Ring signatures were introduced in 2001 by cryptographers Ronald L. Rivest, Adi Shamir, and Yael Tauman in a seminal paper titled "How to Leak a Secret," presented at ASIACRYPT 2001. The name comes from the ring-like algebraic structure of the signature algorithm. The authors' motivation was to enable authoritative anonymous disclosures. For example, a high-ranking government official could sign and release sensitive information, proving authenticity within a group of plausible signers without being identified as the source.

A second application described in the original paper involves deniable signatures. When the ring consists of only the sender and recipient, the signature convinces the recipient of the sender's authorship but offers no transferable evidence to others. The anonymity of a ring signature cannot be revoked, and the ring can be assembled informally on a per-signature basis without prior coordination or awareness among members.

How ring signatures work

Each participant in a ring holds a public/private key pair. When a member wants to sign a message, they supply their private key along with the public keys of all other members they include in the ring. The signing algorithm combines these inputs to produce a signature consistent with all public keys in the group. A verifier can confirm the signature is valid and originated from the ring, but it reveals no information about which key produced it.

Formally, the scheme defines two core procedures. The first, ring-sign, takes the message, the public keys of all ring members, and the secret key of the signer, and outputs a ring signature. The second, ring-verify, takes the message and the signature (including all ring members' public keys) and returns true or false. In most constructions, the signature size grows linearly with the number of ring members, so larger rings offer stronger anonymity but increase computational and storage overhead.

Relationship to group signatures

Ring signatures resemble group signatures, another anonymity-preserving scheme introduced by David Chaum and Eugene van Heyst in 1991. Both allow a group member to sign on behalf of the group without revealing their identity. They differ in two key ways. Group signatures require a designated group manager who can revoke a signer's anonymity under certain conditions. Ring signatures have no manager and offer unconditional anonymity. Also, group signatures require a formal setup where members enroll and receive credentials, while ring signatures let any users with public keys form a ring spontaneously without prior agreement or knowledge of each other.

Security properties

The security of a ring signature scheme rests on three main properties. First, correctness: any legitimately produced ring signature must pass verification. Second, signer ambiguity: given a valid signature, an outside observer cannot identify the actual signer with probability greater than 1 divided by the ring size, even with all members' public keys. Third, unforgeability: no attacker outside the ring can produce a valid signature for that ring.

Early formal security definitions were later found to be insufficient against certain realistic attack models. In 2006, Adam Bender, Jonathan Katz, and Ruggero Morselli proposed stronger definitions and constructed schemes that satisfied them without relying on the random oracle model, a cryptographic idealization that had underpinned nearly all earlier constructions.

Application in blockchain and cryptocurrencies

The most prominent real-world use of ring signatures is in Monero, a privacy-focused cryptocurrency. Monero is built on the CryptoNote protocol, which adapts a traceable ring signature scheme proposed by Fujisaki and Suzuki. When a Monero user sends a transaction, their wallet constructs a ring by selecting unspent transaction outputs from the blockchain via a gamma distribution method and combines them with the sender's own output. To any outside observer, the transaction could have come from any member of that ring, making the true sender indistinguishable from the decoys.

To address the double-spend problem without breaking anonymity, CryptoNote introduced the key image: a signer-specific value derived from the sender's private key. Two signatures sharing the same key image show they were produced by the same private key, allowing the network to reject duplicate spends without exposing the sender's identity.
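The ring-sign and ring-verify procedures and the key image described above can be seen working together in the following added example, which is not code from CryptoNote, Monero or the cited papers. It is a linkable ring signature in the CryptoNote style over a constructed toy group (P = 2039) that is far too small for real use, and it goes beyond the text by also rejecting malformed key images. All function names and parameters are assumptions made for illustration.

```python
import hashlib, itertools, secrets

# Constructed toy group: P = 2*Q + 1, G generates the order-Q subgroup. Not secure.
P, Q, G = 2039, 1019, 4

def _hash(*parts):
    data = "|".join(map(str, parts)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def hash_to_group(y):
    """Map a public key to a subgroup element with no known discrete log."""
    for ctr in itertools.count():
        h = pow(_hash("Hp", y, ctr) % P, 2, P)  # squaring lands in the subgroup
        if h > 1:                               # skip degenerate values 0 and 1
            return h

def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def key_image(x):
    """Signer-specific tag: the same private key always yields the same image."""
    return pow(hash_to_group(pow(G, x, P)), x, P)

def _next_challenge(msg, ring, image, i, c, s):
    left = pow(G, s, P) * pow(ring[i], c, P) % P
    right = pow(hash_to_group(ring[i]), s, P) * pow(image, c, P) % P
    return _hash("c", msg, tuple(ring), image, left, right)

def ring_sign(msg, ring, idx, x):
    """ring: list of public keys; idx: signer's position; x: signer's private key."""
    n, image = len(ring), key_image(x)
    c, s = [0] * n, [secrets.randbelow(Q) for _ in range(n)]
    u = secrets.randbelow(Q - 1) + 1
    hp = hash_to_group(ring[idx])
    c[(idx + 1) % n] = _hash("c", msg, tuple(ring), image, pow(G, u, P), pow(hp, u, P))
    for k in range(1, n):  # walk the ring using random responses for the decoys
        i = (idx + k) % n
        c[(i + 1) % n] = _next_challenge(msg, ring, image, i, c[i], s[i])
    s[idx] = (u - x * c[idx]) % Q  # only the real private key can close the ring
    return c[0], s, image

def ring_verify(msg, ring, sig):
    c0, s, image = sig
    if len(s) != len(ring) or not 1 < image < P or pow(image, Q, P) != 1:
        return False  # malformed, or key image outside the order-Q subgroup
    c = c0
    for i in range(len(ring)):
        c = _next_challenge(msg, ring, image, i, c, s[i])
    return c == c0
```

Signing two messages with the same private key, even over different rings, returns the same third element (the key image), which is the value a network compares to reject a duplicate spend.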

Monero extended this foundation with Ring Confidential Transactions (RingCT), introduced by Shen Noether of the Monero Research Lab. RingCT uses a Multi-layered Linkable Spontaneous Anonymous Group (MLSAG) signature scheme that also conceals the transaction amount using Pedersen commitments, addressing a privacy gap in the original CryptoNote protocol where amounts were visible on the blockchain.

Variants and extensions

Beyond the foundational scheme, several variants have been developed for specialized use cases. Linkable ring signatures add a tag or key image, letting observers tell if two signatures come from the same private key without identifying the signer. Traceable ring signatures enable full identity disclosure if a signer signs two messages with the same tag, supporting double-vote detection in electronic voting. Threshold ring signatures require a minimum number of genuine ring members to collaborate on a valid signature instead of a single signer. Recent constructions using elliptic curve cryptography and bilinear pairings have greatly reduced signature sizes compared to the original RSA-based scheme, making them more practical for large-scale deployment.

Applications beyond cryptocurrency

Ring signatures apply across domains where anonymity and verifiability must coexist. In whistleblowing, the scheme lets a member publish verified information while attributing the signature to the broader group, protecting identity. Electronic voting proposals have explored linkable variants to prevent double voting while preserving ballot secrecy. Confidential communication channels and anonymous authentication systems use ring signatures to let users prove membership in an authorized set without revealing which member they are.