Monero's Decoy Selection Algorithm: How Ring Members Are Chosen
Why Decoy Selection Matters
Monero's ring signatures work by mixing a real spent output with a set of decoy outputs drawn from the blockchain. When a user spends Monero, their wallet selects several other outputs that plausibly could be the real one and constructs a cryptographic proof that the spender owns one of them without revealing which. The security of this scheme depends critically on how those decoys are chosen. If the selection algorithm has predictable biases, statistical analysis can narrow down which output is the real spend, potentially deanonymizing the sender.
Consider a naive approach where decoys are selected uniformly at random from all outputs on the blockchain. This seems fair, but it creates an immediate problem. Real spends tend to occur relatively soon after outputs are received. People receive Monero and spend it within days or weeks, not years. If decoys are selected with equal probability from the entire blockchain history, most decoys will be old outputs, and the one recently created output in the ring will stand out as the most likely real spend. An attacker who knows the spending behavior distribution can assign probabilities to each ring member and significantly reduce the effective anonymity.
This is why Monero uses a carefully designed probability distribution for decoy selection rather than uniform random sampling. The goal is to make the decoy selection pattern match the actual spending pattern so closely that statistical analysis cannot distinguish real spends from decoys.
The Gamma Distribution Model
Monero's current decoy selection algorithm uses a gamma distribution over the natural logarithm of an output's age to decide how old each decoy should be. With the parameters used by the reference wallet (shape 19.28, rate 1.61), the resulting age distribution is sharply peaked at outputs that are hours to a few days old and decays for older ones, closely mimicking how people actually spend their Monero.
Those parameters were not chosen by hand. They come from the empirical analysis in Möser et al., "An Empirical Analysis of Traceability in the Monero Blockchain" (PETS 2018), which measured the interval between an output's creation and its spend across a large sample of transactions and found the log-gamma model to be a good fit. The wallet adopted the model in the 0.13 release in October 2018.
When your wallet constructs a transaction, it samples one age from this distribution for each decoy, converts that age into a number of outputs using the average rate at which outputs have been added to the chain over the recent past, and counts that many outputs back from the newest spendable output. The decoy is then chosen uniformly from the block that index falls in. Outputs younger than 10 blocks are locked and are never selected, and a sample that points to before the first output is discarded and redrawn. The result is a set of ring members whose ages follow the same distribution as real spends, so an observer cannot single out the genuine member by timing alone.
Why Even Distribution Is Not Optimal
Intuitively, one might think that selecting decoys with equal probability from all outputs would provide the best anonymity since every output looks equally likely. However, this reasoning is flawed because it ignores the attacker's knowledge of spending patterns.
An attacker who knows that most real spends occur within a few days of output creation can immediately assign very low probability to ring members that are months or years old. If the decoy selection process chose uniformly, most rings would contain many old outputs and one or two recent ones, making the recent outputs obvious candidates for the real spend. Formally, the attacker's posterior that member i is the real spend is proportional to p_spend(age_i) / p_decoy(age_i); with uniform decoys the denominator is constant and the youngest member wins, whereas if decoys are drawn from the same distribution as real spends the ratio is 1 for every member and the attacker's prior knowledge of spending patterns provides no advantage. This holds only as long as the decoy distribution actually matches real behaviour: the gamma fit is a snapshot of 2018 spending, and if real spending drifts away from it a residual bias reappears.
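The following simulation, added here as an illustration rather than code from Monero or the wallet, plays the Bayesian attacker described above against two pickers: a naive uniform one and one that draws decoys from the same log-gamma model as real spends. The gamma shape and rate are the reference wallet's; the two-year chain age, the 16-member ring and the attacker's tie-breaking rule are assumptions of the example.

```python
import math
import random

# Shape/rate used by the reference wallet: ln(spend age in seconds) ~ Gamma(shape, 1/rate).
GAMMA_SHAPE = 19.28
GAMMA_RATE = 1.61
CHAIN_AGE = 2 * 365 * 86400   # assumption: the chain is two years old (seconds)


def sample_spend_age(rng):
    """One real-spend age in seconds; ages older than the chain are redrawn,
    as the wallet rejects picks that fall before the first output."""
    while True:
        age = math.exp(rng.gammavariate(GAMMA_SHAPE, 1.0 / GAMMA_RATE))
        if age <= CHAIN_AGE:
            return age


def log_p_spend(age):
    """Log density of a real spend at this age (change of variables y = ln age)."""
    if age <= 1.0:
        return float("-inf")
    y = math.log(age)
    return (GAMMA_SHAPE * math.log(GAMMA_RATE) + (GAMMA_SHAPE - 1) * math.log(y)
            - GAMMA_RATE * y - math.lgamma(GAMMA_SHAPE) - y)


def sample_uniform_decoy(rng):
    """Naive picker: every output on the chain is equally likely."""
    return rng.uniform(1.0, CHAIN_AGE)


def log_p_uniform(age):
    return -math.log(CHAIN_AGE)


def attacker_guess(rng, ages, log_p_decoy):
    """Posterior for 'member i is real' is proportional to p_spend/p_decoy;
    pick the maximum, breaking exact ties at random (assumed attacker policy)."""
    scores = [log_p_spend(a) - log_p_decoy(a) for a in ages]
    best = max(scores)
    return rng.choice([i for i, s in enumerate(scores) if s == best])


def guess_rate(seed, sample_decoy, log_p_decoy, trials=2000, ring_size=16):
    """Fraction of rings in which the attacker's top guess is the real spend."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        ages = [sample_decoy(rng) for _ in range(ring_size - 1)]
        pos = rng.randrange(ring_size)
        ages.insert(pos, sample_spend_age(rng))     # the real spend, at a random position
        hits += attacker_guess(rng, ages, log_p_decoy) == pos
    return hits / trials


def compare(seed=1):
    return {
        "uniform_decoys": guess_rate(seed, sample_uniform_decoy, log_p_uniform),
        "gamma_decoys": guess_rate(seed, sample_spend_age, log_p_spend),
    }


if __name__ == "__main__":
    for name, rate in compare().items():
        print(f"{name}: attacker picks the real spend in {rate:.1%} of rings "
              f"(random guess would give {1/16:.1%})")
```

With uniform decoys the attacker's rule degenerates to "guess the youngest member" and is right in the large majority of rings; with matched decoys every score is identical and the attacker is reduced to a 1-in-16 guess.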
Ring Size Evolution
The number of ring members in Monero transactions has been raised several times over the project's history, reflecting the community's ongoing commitment to strengthening privacy.
- Early Monero (2014-2016) - The number of mixins was optional and variable. Users chose their own, many chose the minimum, and mixin 0 (ring size 1) was allowed, which provided no sender privacy at all and, worse, let analysts eliminate those outputs from other rings.
- Mandatory minimum ring size 3 (March 2016) - A hard fork made at least 2 mixins (ring size 3) compulsory, ensuring that all transactions provided at least basic sender privacy.
- Minimum ring size 5 (September 2017) - The hard fork that made RingCT mandatory also raised the minimum to 5.
- Minimum ring size 7 (April 2018) - A further increase to 7.
- Fixed ring size 11 (October 2018) - Ring size stopped being a user choice: every transaction used exactly 11 members. Letting users pick larger rings had itself been a fingerprint, since an unusual ring size marks the wallet that produced it. Ring size 11 remained the standard for several years.
- Ring size 16 (August 2022) - The most recent increase expanded rings to 16 members (the real spend plus 15 decoys), significantly increasing the anonymity set for each transaction.
Each increase in ring size makes statistical deanonymization harder by expanding the set of plausible real spends. However, larger rings also increase transaction sizes and verification times, creating a trade-off between privacy and efficiency. The community carefully evaluates these trade-offs before each increase.
The Poisoned Output Attack
One of the most studied attacks against Monero's ring signature scheme is the poisoned output attack, in its large-scale form better known as output flooding or a black marble attack. In this attack, an adversary creates a large number of outputs on the blockchain that it controls. Because the adversary knows which of its own outputs are spent and which are unspent, it can strike them from consideration whenever they appear as decoys in other users' rings.
Here is how it works in practice. An adversary generates thousands of transactions sending Monero to themselves, creating a large pool of outputs they control. When a regular user creates a ring signature, some of the randomly selected decoys may be outputs belonging to the adversary. The adversary knows whether their own outputs have been spent, so they can determine that those outputs are decoys in the victim's ring. By eliminating their known decoys, the adversary reduces the effective ring size, potentially identifying the real spend.
Mitigations
Several factors limit the effectiveness of flooding. First, every flood output costs a transaction fee; with Monero's low fees this is a modest barrier rather than a prohibitive one, and the cost grows with the share of recent outputs the attacker wants to own. Second, ring size bounds the damage. If the attacker controls a fraction f of the outputs the picker can choose from, the expected number of members it cannot rule out in a 16-member ring is about 1 + 15(1 - f): owning a quarter of the selectable outputs leaves roughly 12 plausible members, and a meaningful reduction requires controlling most of the outputs in the selection window. Third, outputs are locked for 10 blocks and are never selected as decoys before then, so a flood cannot reach the newest part of the chain. Beyond that lock the wallet has no way to tell a flood output from an honest one, so ring size, not filtering, is the main defence.
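The following simplified picker, added here as an example and not the project's wallet2 code, implements the mapping described in the gamma distribution section (sampled age, count back from the newest spendable output, uniform pick within the block, 10-block lock respected) and then measures the effective ring size under the flood scenario of this section. The gamma shape and rate are the reference wallet's; the chain (cumulative output counts per block), the attacker owning every fourth output, and the averaging window for outputs per second are assumptions of the example.

```python
import bisect
import math
import random

# Gamma parameters used by the reference wallet: ln(age in seconds) ~ Gamma(shape, 1/rate).
GAMMA_SHAPE = 19.28
GAMMA_RATE = 1.61
BLOCK_TIME = 120        # Monero target block interval, seconds
UNLOCK_BLOCKS = 10      # an output is spendable, and eligible as a decoy, only after 10 blocks
LOCK_SECONDS = UNLOCK_BLOCKS * BLOCK_TIME


def build_offsets(rng, n_blocks, lo=5, hi=40):
    """Constructed chain: offsets[h] = total RingCT outputs in blocks 0..h.
    The real wallet fetches this table from the daemon."""
    offsets, total = [], 0
    for _ in range(n_blocks):
        total += rng.randint(lo, hi)
        offsets.append(total)
    return offsets


def sample_age_seconds(rng):
    """One decoy age in seconds: exp of a gamma draw."""
    return math.exp(rng.gammavariate(GAMMA_SHAPE, 1.0 / GAMMA_RATE))


class GammaPicker:
    """Simplified picker (hypothetical re-implementation, not wallet2): age -> output index."""

    def __init__(self, rng, offsets):
        self.rng = rng
        self.offsets = offsets
        self.spendable_blocks = len(offsets) - UNLOCK_BLOCKS
        self.num_spendable = offsets[self.spendable_blocks - 1]
        # average seconds between outputs; assumption: averaged over the whole toy chain
        self.seconds_per_output = len(offsets) * BLOCK_TIME / offsets[-1]

    def pick(self):
        """Return (output_index, block_height), or None if the age points before the chain."""
        age = sample_age_seconds(self.rng)
        # Ages inside the lock window cannot belong to a real spend, so they are
        # shifted out of it rather than wasted.
        if age > LOCK_SECONDS:
            age -= LOCK_SECONDS
        else:
            age = self.rng.uniform(0, LOCK_SECONDS)
        back = int(age / self.seconds_per_output)   # outputs back from the newest spendable one
        if back >= self.num_spendable:
            return None
        idx = self.num_spendable - 1 - back
        height = bisect.bisect_right(self.offsets, idx)       # block containing idx
        start = self.offsets[height - 1] if height else 0
        # the decoy is chosen uniformly among that block's outputs
        return self.rng.randrange(start, self.offsets[height]), height

    def ring_decoys(self, n):
        """n distinct decoy indices, redrawing bad picks and duplicates."""
        decoys = set()
        while len(decoys) < n:
            p = self.pick()
            if p is not None:
                decoys.add(p[0])
        return decoys


def attacker_owns(idx, modulus):
    """Constructed flood: the attacker owns every modulus-th output (a 1/modulus share)."""
    return idx % modulus == 0


def effective_ring_size(picker, rings=1000, ring_size=16, modulus=4):
    """Mean number of members the attacker cannot rule out after removing its own
    outputs. The real spend is honest, so the count is 1 + honest decoys;
    the expected value is 1 + (ring_size - 1) * (1 - 1/modulus)."""
    total = 0
    for _ in range(rings):
        honest = sum(1 for d in picker.ring_decoys(ring_size - 1)
                     if not attacker_owns(d, modulus))
        total += 1 + honest
    return total / rings


def run_demo(seed=7, n_blocks=120_000):
    rng = random.Random(seed)
    picker = GammaPicker(rng, build_offsets(rng, n_blocks))
    picks = [p for p in (picker.pick() for _ in range(2000)) if p is not None]
    return {
        "num_spendable": picker.num_spendable,
        "spendable_blocks": picker.spendable_blocks,
        "max_index": max(i for i, _ in picks),      # must stay below num_spendable
        "max_height": max(h for _, h in picks),     # must stay below spendable_blocks
        "effective_ring_size": effective_ring_size(picker),
        "expected_ring_size": 1 + 15 * 0.75,
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The picker never returns an index from the last 10 blocks, and a 25% flood drives the mean effective ring size from 16 down to about 12.25, matching the closed form above; raising the attacker's share toward 100% is what it takes to approach an effective ring size of 1.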
Temporal Analysis Risks
Even with a well-designed selection algorithm, temporal analysis remains a concern. Temporal analysis exploits the timing of transactions and outputs to make inferences about which ring member is the real spend.
For example, if a wallet's decoys under-represent very young outputs, a ring member that became spendable only a block or two before the transaction (its 10-block lock has just expired) is a more likely real spend than the older members, because the spend distribution is densest at young ages. The gamma picker counters this by drawing decoy ages from the same distribution, so very young decoys are as common as very young real spends, but timing correlations at the network level can still provide clues.
Another temporal analysis vector involves watching the memory pool. An output cannot appear in a ring until it is confirmed and 10 blocks old, so an observer cannot link an unconfirmed output to a ring directly; what it can do is record the moment each transaction first reaches its node, which gives a timestamp far finer than the block interval and a hint of which peer introduced it. Dandelion++, Monero's network-level privacy protocol, addresses the second part by relaying a new transaction along a random stem of peers before broadcasting it widely, hiding the originating node; it does not change the on-chain timing that the decoy model has to cover.
Known Weaknesses in Historical Decoy Selection
Research has identified several weaknesses in earlier versions of Monero's decoy selection algorithm. Before the gamma distribution model was adopted, decoys were drawn in ways that did not track real spending behaviour, and two independent studies (Kumar et al., "A Traceability Analysis of Monero's Blockchain", 2017, and Möser et al., 2018) showed that for transactions of that era simply guessing the newest ring member as the real spend was correct far more often than chance. Outputs spent with no mixins made matters worse: once an output is known to be spent it can be eliminated from every other ring that contains it, shrinking those rings in a chain reaction.
These findings prompted the switch to the gamma distribution model and motivated ongoing research into improving the selection algorithm. The Monero Research Lab actively collaborates with academic researchers to identify and address weaknesses before they can be exploited in practice.
Current Research and Improvements
The Monero research community continues to study and refine the decoy selection process. Active areas of investigation include better modeling of real spending behavior using larger datasets, adaptive selection algorithms that adjust their parameters as spending patterns change over time, and techniques for making the selection process more resistant to adversarial manipulation.
One promising line of research involves binning outputs by age brackets and selecting from within these bins to create more natural-looking distributions. Another approach considers the transaction graph structure, avoiding selections that create statistically unusual patterns when multiple transactions are analyzed together.
FCMP++: Eliminating the Decoy Problem Entirely
The most exciting development in Monero's privacy roadmap is Full-Chain Membership Proofs, known as FCMP++. This protocol upgrade will fundamentally change how sender privacy works by eliminating the concept of decoys entirely.
With FCMP++, instead of selecting a ring of 16 members (the real spend plus 15 decoys), each transaction proves that the spent output belongs to the set of all outputs on the entire blockchain. The anonymity set grows from 16 to every output ever created, tens of millions, and there is no ring composition left to analyse because every output on the blockchain is equally a candidate.
FCMP++ achieves this using advanced cryptographic techniques including curve trees and zero-knowledge proofs that can efficiently prove membership in very large sets. The computational and storage overhead is manageable despite the enormous anonymity set, making this approach practical for real-world deployment.
When FCMP++ is activated, the entire category of attacks based on decoy selection analysis becomes obsolete: poisoned output and flooding attacks, temporal analysis of ring composition, and statistical matching against spending patterns all lose their target. It does not remove every privacy risk, since network-level observation and correlation with off-chain information do not depend on rings, but it removes the largest remaining statistical attack surface on sender privacy and demonstrates the project's commitment to continuous improvement.
Until FCMP++ arrives, the current decoy selection algorithm with its gamma distribution model and 16-member rings provides strong practical privacy. For those who want to transact with Monero today, MoneroSwapper offers anonymous exchanges that complement the on-chain privacy provided by ring signatures and decoy selection.