RingCT in Depth: How Monero Hides Transaction Amounts
Introduction to Ring Confidential Transactions
When Monero first launched in 2014, it inherited CryptoNote's ring signatures and stealth addresses, which concealed the sender and receiver of every transaction. However, there was a glaring gap in the privacy model: transaction amounts were fully visible on the blockchain. Anyone could see exactly how much XMR was being transferred, enabling sophisticated balance analysis and de-anonymization attacks. Ring Confidential Transactions, commonly known as RingCT, changed everything.
Implemented in January 2017 with the Monero hard fork at block 1,220,516, RingCT became mandatory for all transactions, ensuring that the amount transferred in every single Monero transaction is cryptographically hidden. This article provides a thorough technical exploration of how RingCT works, why it matters, and how subsequent upgrades like Bulletproofs and Bulletproofs+ have refined the system.
Why Hiding Transaction Amounts Matters
Before RingCT, Monero's privacy relied on two pillars: ring signatures obscured which output was the real spend, and stealth addresses ensured no two transactions sent to the same recipient shared an on-chain address. Yet visible amounts created serious vulnerabilities:
- Balance analysis: If an observer could see amounts, they could match inputs and outputs across transactions, gradually building a picture of fund flows even without knowing addresses.
- Amount fingerprinting: Unique or unusual amounts (like 7.31849 XMR) could link a sender to a recipient if both parties' amounts were known off-chain.
- Ring signature weakening: When amounts were visible, decoy outputs in a ring had to match the real output's amount exactly, drastically reducing the anonymity set and making statistical elimination possible.
- Commercial surveillance: Businesses receiving payments could be profiled by competitors observing incoming transaction amounts.
With RingCT, all of these attack vectors are neutralized. The amount field is replaced with a cryptographic commitment that proves mathematical validity without revealing the underlying value.
Pedersen Commitments: The Mathematical Foundation
At the heart of RingCT lies the Pedersen commitment scheme, a cryptographic primitive that allows someone to commit to a value without revealing it, while still enabling mathematical verification.
A Pedersen commitment to a value v takes the form:
C = vG + rH
Here, G and H are generator points on an elliptic curve (in Monero's case, the Ed25519 curve), v is the transaction amount, and r is a random blinding factor known only to the participants. The critical property is that given only C, it is computationally infeasible to determine v or r individually. The commitment is also binding: opening C to a different amount would require knowing the discrete logarithm of H with respect to G, which is why H is derived by hashing to the curve so that nobody knows that relationship. The discrete logarithm problem ensures this security.
Homomorphic Properties
Pedersen commitments have a remarkable property: they are additively homomorphic. This means that if you add two commitments together, the result is a valid commitment to the sum of the original values. Specifically:
C1 + C2 = (v1 + v2)G + (r1 + r2)H
This property is what makes confidential transactions possible without revealing amounts. Miners and nodes can verify that the sum of input commitments equals the sum of output commitments (plus the transaction fee commitment), confirming that no XMR was created out of thin air, all without ever seeing the actual amounts.
For a transaction to be valid, the following must hold: the commitments to all inputs minus the commitments to all outputs minus the commitment to the fee must equal zero. If this equation balances, the transaction is mathematically proven to conserve value.
Range Proofs: Preventing Negative Amounts
There is a subtle but critical problem with Pedersen commitments alone. Because the commitment scheme works over a mathematical group, negative numbers are valid. An attacker could create a transaction with an output of, say, negative 1000 XMR and another output of positive 1000 XMR plus the input amount. The commitments would still balance, but the attacker would have effectively created XMR from nothing.
To prevent this, every RingCT transaction includes a range proof for each output. A range proof is a zero-knowledge proof that demonstrates the committed value lies within a specific range (typically 0 to 2^64 - 1) without revealing the value itself.
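The commitment algebra from the previous sections and the negative-amount hole described just above, as a worked example added here (this is not code from the article or from Monero's own implementation). It implements Ed25519 point arithmetic in pure Python using the RFC 8032 constants, derives a second generator H by a simplified hash-to-curve (the label string and method are assumptions of this example; Monero's actual H is derived differently), keeps the article's C = vG + rH notation (Monero's source puts the blinding factor on G and the amount on H), verifies a transaction from commitments alone, and then shows that an output of -1000 wraps around modulo the group order and still passes the balance check. That last function is exactly what a range proof exists to rule out.

```python
"""Pedersen commitments on Ed25519: homomorphic balance check and the
negative-amount problem that range proofs solve. Added example, not Monero's code."""
import hashlib

# Ed25519: -x^2 + y^2 = 1 + d*x^2*y^2 over GF(p); constants from RFC 8032.
P = 2**255 - 19
L = 2**252 + 27742317777372353535851937790883648493  # order of the base-point subgroup
D = (-121665 * pow(121666, -1, P)) % P
SQRT_M1 = pow(2, (P - 1) // 4, P)  # a square root of -1 mod p
G = (15112221349535400772501151409588531511454012693041857206046113283949847762202,
     46316835694926478169428394003475163141307993866256225615783033603165251855960)
ZERO = (0, 1)  # neutral element of the group


def add(p1, p2):
    """Complete affine addition law for twisted Edwards curves."""
    x1, y1 = p1
    x2, y2 = p2
    t = D * x1 * x2 * y1 * y2 % P
    x3 = (x1 * y2 + x2 * y1) * pow(1 + t, -1, P) % P
    y3 = (y1 * y2 + x1 * x2) * pow(1 - t, -1, P) % P
    return (x3, y3)


def neg(pt):
    return ((-pt[0]) % P, pt[1])


def mul(k, pt):
    """Double-and-add scalar multiplication; k is taken modulo L, so a negative
    amount silently becomes L - |amount| (the root of the range-proof problem)."""
    k %= L
    acc, addend = ZERO, pt
    while k:
        if k & 1:
            acc = add(acc, addend)
        addend = add(addend, addend)
        k >>= 1
    return acc


def decode_y(y):
    """Return a curve point with this y coordinate, or None if none exists."""
    y %= P
    x2 = (y * y - 1) * pow(D * y * y + 1, -1, P) % P
    x = pow(x2, (P + 3) // 8, P)  # candidate root; valid because p = 5 mod 8
    if (x * x - x2) % P:
        x = x * SQRT_M1 % P
    return (x, y) if (x * x - x2) % P == 0 else None


def hash_to_point(label):
    """Try-and-increment hash-to-curve, then multiply by the cofactor 8 so the
    result lies in the prime-order subgroup. Nobody learns log_G of the result,
    which is what makes the commitment binding. Simplified stand-in for
    Monero's hash-to-point; the label is an assumption of this example."""
    for counter in range(1000):
        h = hashlib.sha256(label + counter.to_bytes(4, "little")).digest()
        pt = decode_y(int.from_bytes(h, "little"))
        if pt is not None and mul(8, pt) != ZERO:
            return mul(8, pt)
    raise RuntimeError("no curve point found")


H = hash_to_point(b"RingCT example: second generator")  # assumed label


def commit(v, r):
    """Pedersen commitment C = vG + rH in the article's notation."""
    return add(mul(v, G), mul(r, H))


def homomorphic(v1, r1, v2, r2):
    """C(v1, r1) + C(v2, r2) == C(v1 + v2, r1 + r2)."""
    return add(commit(v1, r1), commit(v2, r2)) == commit(v1 + v2, r1 + r2)


def build_tx(inputs, out_amounts, fee, blinds):
    """Sender side. inputs: (amount, blind) openings of the spent outputs.
    blinds: freely chosen blinding factors for all outputs but the last (random
    in practice, fixed here); the last one is set so the blinds sum to the input
    blinds, the only way the verifier's check can pass."""
    assert sum(out_amounts) + fee == sum(v for v, _ in inputs), "amounts must balance"
    blinds = list(blinds[: len(out_amounts) - 1])
    blinds.append((sum(r for _, r in inputs) - sum(blinds)) % L)
    in_commits = [commit(v, r) for v, r in inputs]
    out_commits = [commit(v, r) for v, r in zip(out_amounts, blinds)]
    return in_commits, out_commits, fee, list(zip(out_amounts, blinds))


def verify_balance(in_commits, out_commits, fee):
    """Verifier side (sees no amounts): sum(C_in) - sum(C_out) - fee*G == 0.
    The fee is public, so its commitment carries a zero blinding factor."""
    acc = ZERO
    for c in in_commits:
        acc = add(acc, c)
    for c in out_commits:
        acc = add(acc, neg(c))
    return add(acc, neg(mul(fee, G))) == ZERO


def negative_output_balances():
    """The hole range proofs close: spend a 10-unit input into outputs of 1010
    and -1000. The commitments still sum correctly, so the verifier accepts."""
    in_v, in_r = 10, 0xA5A5  # constructed opening of the spent output
    r1 = 0x1234
    r2 = (in_r - r1) % L
    return verify_balance([commit(in_v, in_r)], [commit(1010, r1), commit(-1000, r2)], 0)


def in_range(v, bits=64):
    """What a range proof must establish in zero knowledge for every output."""
    return 0 <= v < 2**bits
```

Run `negative_output_balances()` and it returns True: from the points alone the verifier cannot distinguish the wrapped -1000 from an honest amount, while `in_range(-1000 % L)` is False. A Bulletproof lets the prover convince the verifier of `in_range` for every output without revealing v, which is the missing piece this toy deliberately leaves out.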
Original Borromean Range Proofs
The original RingCT implementation used Borromean ring signatures to construct range proofs. Each bit of the committed amount required its own ring signature, resulting in a proof size that scaled linearly with the number of bits. For a 64-bit range proof, this meant 64 individual ring signatures per output. While cryptographically sound, these proofs were large, typically around 6 KB per output, making transactions significantly heavier.
Bulletproofs: The First Major Optimization
In October 2018, Monero adopted Bulletproofs, a breakthrough in range proof technology developed by Benedikt Bünz and colleagues at Stanford. Bulletproofs are a type of non-interactive zero-knowledge proof with logarithmic size scaling rather than linear. This reduced range proof sizes by approximately 80%, bringing a typical two-output transaction's range proofs from around 13 KB down to roughly 2.5 KB.
Bulletproofs also introduced batch verification, allowing multiple range proofs within a single transaction to be aggregated. A transaction with two outputs does not require twice the proof size of a single-output transaction; the aggregated proof is only marginally larger. This made Monero transactions significantly cheaper and faster to verify.
Bulletproofs+: Further Refinement
In August 2022, with the Monero hard fork that also introduced the tail emission, Bulletproofs+ replaced the original Bulletproofs. This updated scheme, based on research by Heewon Chung and colleagues, achieved an additional size reduction of approximately 5-7% and improved verification speed. While the gains were more modest than the original Bulletproofs upgrade, they represented continued optimization of the protocol.
Pre-RingCT vs Post-RingCT: A Privacy Comparison
Understanding the difference between pre-RingCT and post-RingCT Monero reveals just how transformative this upgrade was:
- Amount visibility: Pre-RingCT transactions exposed exact amounts on-chain. Post-RingCT, all amounts are hidden behind Pedersen commitments.
- Ring signature flexibility: Before RingCT, decoys had to be outputs of the same denomination, severely limiting the anonymity set. After RingCT, any output can serve as a decoy regardless of its hidden amount, vastly expanding the pool of potential decoys.
- Transaction structure: Pre-RingCT transactions often required multiple denomination-matched inputs and outputs, creating identifiable patterns. Post-RingCT transactions have a uniform structure regardless of amounts.
- Chain analysis resistance: The combination of hidden amounts with ring signatures and stealth addresses closed the last major avenue for passive blockchain surveillance.
It is worth noting that pre-RingCT outputs still exist on the Monero blockchain. While they cannot be created in new transactions, old unspent outputs from before block 1,220,516 could theoretically still be spent. The Monero community has discussed various approaches to mitigating any residual privacy risks from these legacy outputs.
How RingCT Interacts with Ring Signatures
RingCT is not a standalone feature; it works in concert with Monero's ring signatures to provide comprehensive transaction privacy. When a user creates a transaction, the ring signature proves that one of the referenced outputs is being spent without revealing which one. RingCT extends this by proving that the hidden amounts balance without revealing them.
The key innovation is the multilayered linkable spontaneous anonymous group (MLSAG) signature scheme used in the original RingCT, which was later upgraded to CLSAG (Concise Linkable Spontaneous Anonymous Group) in 2020. CLSAG reduced signature sizes by approximately 25% while maintaining the same security guarantees. Both schemes integrate amount commitments directly into the ring signature structure, creating a unified proof of both sender anonymity and amount confidentiality.
Looking Forward: FCMP++ and Beyond
The Monero development community continues to advance the cryptographic foundations. The upcoming Full Chain Membership Proofs (FCMP++) protocol will replace ring signatures entirely, allowing every transaction output on the blockchain to serve as a potential decoy. When combined with RingCT's hidden amounts, this will provide an anonymity set equal to the entire set of Monero outputs rather than the current ring size of 16.
RingCT's Pedersen commitments and range proofs will continue to serve as the amount-hiding layer even under FCMP++. The mathematical elegance of the commitment scheme means it remains efficient and secure regardless of changes to the membership proof system above it.
Practical Implications for Users
For everyday users of MoneroSwapper and other Monero services, RingCT operates entirely behind the scenes. Every transaction you send or receive automatically benefits from hidden amounts. There is nothing to configure, no optional privacy to enable, and no way to accidentally send a transparent transaction. This mandatory privacy by default is a core design principle that distinguishes Monero from cryptocurrencies where privacy features are optional.
When you swap Bitcoin, Ethereum, or any other cryptocurrency for Monero through MoneroSwapper, the moment your XMR arrives in your wallet, the amount is hidden from all outside observers. No one monitoring the blockchain can determine how much you received, what your balance is, or how you subsequently spend your funds.
Conclusion
Ring Confidential Transactions represent one of the most important privacy innovations in cryptocurrency history. By combining Pedersen commitments with range proofs, RingCT solved the last major transparency problem in the original CryptoNote protocol. Subsequent optimizations through Bulletproofs and Bulletproofs+ have made the system increasingly efficient without compromising security. As Monero continues to evolve with technologies like FCMP++, RingCT's foundation of hidden amounts remains a permanent and essential layer of the privacy stack.