10

I understand generally how ring signatures work, but I also realize they are sent to and from stealth addresses, and so I'm curious why ring signatures are needed in the first place. Doesn't a sender's stealth address make the transaction untraceable anyway?

kenshi84
  • 2,485
  • 1
  • 14
  • 33

3 Answers

9

Stealth addresses mask a receiver, so 5 different people could all send XMR to the same address, but the construction of stealth addresses is such that none of the 5 people could tell that any of the other 5 people sent XMR to the same address. All they would see are five outputs to five random stealth addresses, and they only know the true address that their own transaction was sent to.

If we extend this to more people, they could all be sending coins between one another (B to D, D to A, C to E, E to B, etc) but no one would be able to tell any other pairs by looking at independent transactions (B couldn't see D and E even if B has traded with both D and E separately).

Ring signatures mask which outputs are used as inputs to create a new transaction output. So extending our previous example, ring signatures would hide when (if ever) any of those five outputs are spent. They do this by essentially saying "one of these X outputs is being spent as an input into a transaction, but you can't tell which one." This prevents anyone from knowing when an output is spent.

In addition, ring signatures prevent linking of multiple stealth outputs that are combined as multiple inputs into a transaction. Without ring signatures, you could tell "these X outputs are all from the same person" while ring signatures obfuscate that.

With stealth addresses, you can't link two different transactions to the same address, but you can link the path of outputs. aka, A to B to C to D. So if I send you coins, I could tell when you then spend them. Ring signatures block this by making the source of a transaction be "either A or G or K or P" instead of "definitely A", etc.

Example:

Putting all this together, this means that if person A spends outputs "aa" and "ab" to send coins to person B as new output "bb", and then person B spends output "bb" and some other output "bc" to send coins to person C as new output "cc", each person involved could only see the following bits of information:

  • Person A:

    • Outputs "aa" and "ab" were spent, sent to the address of person B, as new output "bb".
    • I included outputs "ff", "hh", "kk", and "oo" in the ring signature for "aa" and "fg", "hi", "kl", and "op" for the signature for "ab".
    • No idea what happens to "bb"... there's a tx that included it in a ring signature to output "cc", but there are also txs that included it to output "dd", "qq", "tt", and "zz". Maybe one of those outputs has the coins now?
  • Person B:

    • Some coins from somewhere (the ring signature says it's either "aa", "ff", "hh", "kk", or "oo") and other coins from somewhere else ("ab", "fg", "hi", "kl", and "op") are now my output "bb".
    • I spent them when I sent coins to person C as output "cc".
    • I included outputs "dd", "ee", "ii", and "jj" in the ring signature.
    • I also spent output "bc" which became part of "cc" as well. "bc" was ringed with "de", "ef", "ij", and "jk" to hide the origin.
    • I can't tell if they've been spent, but they have been included in these tx ring signatures: "rr", "ss", and "uu". So maybe he spent them.
  • Person C:

    • Some coins from somewhere (either "bb", "dd", "ee", "ii", or "jj") and somewhere else ("bc", "de", "ef", "ij", or "jk") were sent to me and are now my output "cc".
    • I haven't spent them, but my output was included in ring sigs txs "rr", "ss", and "uu" so now Person B doesn't know if I still have them ;)
bigreddmachine
  • 3,747
  • 1
  • 11
  • 30
7

Stealth addressing provides unlinkability (outputs are not associated with wallet addresses on the blockchain). Ring signatures provide untraceability.

Untraceability means that the source of funds in a transaction cannot be determined, even by the person or exchange that sent you the funds that you use in the transaction. It means that if a vendor's wallet is hacked, someone that sent you Monero cannot determine if you spent that Monero with the compromised vendor. It also means that if someone sends you Monero, they cannot tell if or when you then spend it.

Untraceability means that when you receive Monero, you do not need to worry that the Monero you receive may have been tainted by association with the previous holder of that Monero (their wallet could be exposed and the outputs they once owned can become public knowledge). There is no such thing as clean or dirty Monero, because the history of the Monero that you hold cannot be determined. This is a concept known as fungibility and is a critically important feature for a currency to have because it means that there is no such thing as being given 'bad' Monero.

knaccc
  • 8,518
  • 17
  • 23
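To make the unlinkability half of the answer above concrete, here is an added example (not from the original post and not Monero's own code) of the stealth-address derivation in Python. It uses a toy prime-order group (the order-q subgroup of Z_p^* with p = 2q + 1 = 1019) in place of the ed25519 group Monero actually uses, and SHA-256 reduced mod q as the hash-to-scalar; the key and nonce values in the usage section are arbitrary constants chosen for the demonstration. The point it illustrates is that two payments to the same published address (A, B) produce two unrelated one-time output keys, and only the holder of the view key a can recognise that both belong to B.

```python
import hashlib
import secrets

# Toy group: the prime-order-q subgroup of Z_p^* for the safe prime p = 2q + 1.
# "Scalar multiplication" is modular exponentiation and "point addition" is
# multiplication mod p. This stands in for Monero's ed25519 group and is for
# illustration only; never use a 10-bit group for anything real.
Q = 509
P_MOD = 2 * Q + 1      # 1019, a safe prime
G = 4                  # 4 = 2^2 is a quadratic residue, so it has order q


def scalar_mul(point: int, k: int) -> int:
    return pow(point, k % Q, P_MOD)


def point_add(a: int, b: int) -> int:
    return (a * b) % P_MOD


def hash_to_scalar(value: int) -> int:
    # Assumption for this toy: SHA-256 of the group element, reduced mod q.
    data = value.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def keygen():
    """Receiver's long-term keys: private (view a, spend b), public address (A, B)."""
    a = secrets.randbelow(Q - 1) + 1
    b = secrets.randbelow(Q - 1) + 1
    return (a, b), (scalar_mul(G, a), scalar_mul(G, b))


def sender_make_output(address, r=None):
    """Sender derives a fresh one-time output key P from the address and a nonce r.

    Only (R, P) go on chain; neither reveals B to anyone without the view key a.
    """
    A, B = address
    if r is None:
        r = secrets.randbelow(Q - 1) + 1
    R = scalar_mul(G, r)                  # tx public key, published
    shared = scalar_mul(A, r)             # r*A, computable only by sender and receiver
    P_out = point_add(scalar_mul(G, hash_to_scalar(shared)), B)   # H(rA)*G + B
    return R, P_out


def receiver_scan(keys, address, R, P_out):
    """Receiver tests whether (R, P) pays them.

    Returns the one-time private key x with x*G == P on a match, else None.
    """
    a, b = keys
    _, B = address
    shared = scalar_mul(R, a)             # a*R == r*A by commutativity
    h = hash_to_scalar(shared)
    if point_add(scalar_mul(G, h), B) != P_out:
        return None
    return (h + b) % Q                    # H(aR) + b; only b's holder can spend


if __name__ == "__main__":
    # Constructed demonstration values (arbitrary constants, not real keys).
    keys, address = (123, 456), (scalar_mul(G, 123), scalar_mul(G, 456))
    R1, P1 = sender_make_output(address, r=300)   # first payer
    R2, P2 = sender_make_output(address, r=301)   # second payer, same recipient
    print("on-chain outputs look unrelated:", P1 != P2)
    for R, P in ((R1, P1), (R2, P2)):
        x = receiver_scan(keys, address, R, P)
        print("receiver recognises output:", x is not None and scalar_mul(G, x) == P)
    other_keys, other_addr = (77, 200), (scalar_mul(G, 77), scalar_mul(G, 200))
    print("someone else's view key sees nothing:",
          receiver_scan(other_keys, other_addr, R1, P1) is None)
```

Note what this does and does not hide: a watcher sees R1, P1, R2, P2 and cannot tie either to B, but once "bb"-style outputs are later spent, the spend references them by output, which is exactly the trace that ring signatures are there to blur.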
1

If you want a more technical answer, the MRL-0004 research paper discusses many instances of linkability when transactions are sent with a different number of fake inputs. Section 2 refers to traceability with zero mix-in spending, which has the same result as sending a transaction without a ring signature.

sgp
  • 8,836
  • 7
  • 43
  • 113
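As an added example (not from any of the answers above and not MRL-0004's own code), here is the output-graph analysis that ties bigreddmachine's "aa"/"bb"/"cc" walk-through to the zero mix-in chain reaction sgp points at. Each transaction is modelled as a list of rings, each ring being the set of outputs a signature claims "one of these is spent". A ring of size one is a spend with no decoys, so its member is known spent; since an output can only be spent once (the key image), that member is then struck from every other ring, which can collapse further rings. The transaction ids and output names are constructed for the demonstration; the first data set reproduces the answer's example with four decoys per ring, the second adds zero-mixin spends of the decoys so that "bb" becomes traceable.

```python
from typing import Dict, FrozenSet, List, Set, Tuple

# A transaction is a list of rings; a ring is the list of candidate outputs.
Txs = Dict[str, List[List[str]]]

# Constructed data set 1: the example from the answer, every ring has 4 decoys.
EXAMPLE_WITH_DECOYS: Txs = {
    "tx1": [["aa", "ff", "hh", "kk", "oo"], ["ab", "fg", "hi", "kl", "op"]],  # A pays B -> "bb"
    "tx2": [["bb", "dd", "ee", "ii", "jj"], ["bc", "de", "ef", "ij", "jk"]],  # B pays C -> "cc"
}

# Constructed data set 2: same payments, but the decoys that ringed "bb" were
# spent elsewhere with zero (or too few) mix-ins, as in MRL-0004 section 2.
EXAMPLE_CHAIN_REACTION: Txs = {
    **EXAMPLE_WITH_DECOYS,
    "tx3": [["dd"]],          # zero-mixin spend: "dd" is provably spent here
    "tx4": [["ee"]],          # zero-mixin spend of "ee"
    "tx5": [["ii"]],          # zero-mixin spend of "ii"
    "tx6": [["jj", "ee"]],    # one decoy, but "ee" is already known spent in tx4
}


def resolve_spends(txs: Txs) -> Tuple[Dict[str, str], Dict[Tuple[str, int], FrozenSet[str]]]:
    """Chain-reaction analysis over ring memberships.

    Returns (known, ambiguous): known maps an output to the tx that provably
    spent it; ambiguous maps (tx, ring index) to the candidates still left.
    Raises ValueError if the data implies a double spend.
    """
    rings: Dict[Tuple[str, int], Set[str]] = {
        (tx, i): set(ring) for tx, ring_list in txs.items() for i, ring in enumerate(ring_list)
    }
    known: Dict[str, str] = {}
    changed = True
    while changed:
        changed = False
        for key, members in rings.items():
            if not members:
                raise ValueError(f"ring {key} emptied: inconsistent (double-spend) data")
            if len(members) != 1:
                continue
            (spent,) = tuple(members)
            if spent in known:
                continue                      # already processed on an earlier pass
            known[spent] = key[0]
            changed = True
            # The output is spent here, so it is only a decoy anywhere else.
            for other_key, other_members in rings.items():
                if other_key != key:
                    other_members.discard(spent)
    ambiguous = {k: frozenset(v) for k, v in rings.items() if len(v) > 1}
    return known, ambiguous


def candidates_for(txs: Txs, tx: str, ring_index: int) -> FrozenSet[str]:
    """What an observer can still say about one input after the analysis."""
    known, ambiguous = resolve_spends(txs)
    if (tx, ring_index) in ambiguous:
        return ambiguous[(tx, ring_index)]
    return frozenset(o for o, t in known.items() if t == tx and o in txs[tx][ring_index])


if __name__ == "__main__":
    for name, data in (("decoys intact", EXAMPLE_WITH_DECOYS),
                       ("decoys spent elsewhere", EXAMPLE_CHAIN_REACTION)):
        known, ambiguous = resolve_spends(data)
        print(f"{name}: provably spent = {known}")
        print(f"  first input of tx2 could be any of {sorted(candidates_for(data, 'tx2', 0))}")
```

With the decoys intact, person A looking at tx2 can only say the first input is one of five outputs, which is the "either A or G or K or P" in the first answer. Once those decoys are spent with no mix-ins, the ring degrades to "definitely bb" and A learns exactly when B spent the coins, which is why the ring size matters and why zero mix-in spends hurt other people's rings, not just the spender's own.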