“Ring Confidential Transactions” is a paper by Shen Noether (researcher at the Monero Research Lab), published in 2016 in the Ledger journal (a peer-reviewed cryptocurrency research journal). It introduces Ring Confidential Transactions (RingCT) — the cryptographic construction that extends Monero’s CryptoNote-based ring signatures with confidential amount hiding, completing Monero’s full-stack privacy.

Before RingCT, Monero hid sender identity (via ring signatures) and receiver identity (via stealth addresses) — but transaction amounts were visible on-chain. With RingCT (mandatory for all Monero transactions since January 2017), amounts are now hidden using Pedersen commitments on top of MLSAG ring signatures.

> PDF hosting: The RingCT paper is at eprint.iacr.org/2015/1098 (IACR ePrint archive). Published in Ledger (2016) at ledgerjournal.org.

---

Publication and Context

Monero launched in April 2014 as a CryptoNote-based currency (originally Bitmonero, forked from Bytecoin). Its initial privacy properties were meaningful but incomplete:

• ✅ Sender: Hidden via ring signatures
• ✅ Receiver: Hidden via one-time stealth addresses
• ❌ Amounts: Visible on-chain

This amount visibility was a significant limitation. An observer who figured out “Alice paid Bob” (e.g., through other means) would know the exact amount. RingCT closed this gap.

Shen Noether was one of several researchers at the Monero Research Lab (MRL), the volunteer academic research arm of the Monero project. The RingCT design draws on earlier work by Adam Back (Confidential Transactions) and Gregory Maxwell.

---

Confidential Transactions: Amount Hiding

The mechanism builds on Pedersen commitments:

$$C = r cdot G + v cdot H$$

Where $r$ is a blinding factor (secret to sender/receiver), $v$ is the amount, and $G$, $H$ are elliptic curve generators.

For a transaction to be valid, commitments must sum correctly:

$$sum C_{inputs} = sum C_{outputs} + C_{fee}$$

Because Pedersen commitments are additively homomorphic, this equation can be checked without revealing any amounts. Verifiers confirm no new money was created without knowing what was sent.

Range proofs: To prevent negative amounts (which could be used to create money), each output includes a Borromean ring signature-based range proof (later replaced by Bulletproofs in Monero’s 2018 upgrade) proving 0 ≤ v < 2^64 without revealing v.

---

MLSAG: Multi-Layered Linkable Spontaneous Anonymous Group Signatures

RingCT requires a ring signature scheme that works with multiple inputs (each with its own commitment) simultaneously. The original CryptoNote LSAG (Linkable Spontaneous Anonymous Group) signature only handles a single input.

Noether’s paper introduces MLSAG — a matrix-based extension that handles m inputs in a ring of n members:

• Signs over a matrix of keys (n rows × m columns)
• Produces m key images (one per input)
• The ring signature covers all inputs simultaneously
• Computational cost: O(n × m) — linear in both ring size and input count

MLSAG was replaced by CLSAG (Concise Linkable Spontaneous Anonymous Group) in 2020 — a more efficient construction reducing signature size and verification time.

---

Sections of the Paper

Section	Content
1. Introduction	Motivation; the amount-hiding gap; CT background
2. Ring Signatures	Review of LSAG and CryptoNote’s use
3. Confidential Transactions	Pedersen commitments; additive homomorphism
4. MLSAG	Multi-layered ring signature construction
5. RingCT	Combining CT with MLSAG; full protocol
6. Efficiency	Transaction size analysis; range proof costs
7. Security	Informal proof of unforgeability and linkability

---

Deployment in Monero

RingCT was deployed on Monero mainnet in January 2017 as an opt-in feature. By September 2017, it became mandatory for all transactions. This removed the pre-RingCT amounts-visible period from the ongoing blockchain (though historical pre-RingCT transactions remain readable).

Monero’s full privacy stack post-RingCT:

Property	Mechanism
Sender hidden	Ring signatures (MLSAG → CLSAG)
Receiver hidden	One-time stealth addresses
Amount hidden	Pedersen commitments + range proofs
Transaction graph	Cut-through not used (unlike Grin); ring signatures instead
Network-level privacy	Dandelion++ (transaction propagation privacy)

---

Reality Check

RingCT significantly improved Monero’s privacy, but researchers have continued identifying partial weaknesses:

• Ring size limitations: Monero’s ring sizes (11 as of 2022) are still relatively small; statistical analysis can sometimes identify the most likely real input
• Tracing services: CipherTrace and others claimed capabilities to trace some Monero transactions, though independently verified evidence is limited
• Regulatory pressure: Monero was delisted from many major exchanges (Binance, Kraken in some regions) due to privacy coin regulatory concerns

In 2022, Monero began transitioning to Seraphis + Jamtis — a next-generation transaction protocol that would further improve privacy and scalability.

---

Legacy

RingCT became Monero’s defining upgrade — the point at which Monero could credibly claim full-stack transaction privacy. The Bulletproofs range proof (replacing Borromean proofs) in 2018 reduced average Monero transaction size by ~80%. CLSAG in 2020 reduced verification time by ~20%. Monero remains the gold-standard privacy coin referenced in regulatory discussions globally.

---

Related Terms

• Monero
• CryptoNote Whitepaper
• Ring Signature
• Zcash Whitepaper
• Mimblewimble Whitepaper

---

Research

• Noether, S. (2016). Ring Confidential Transactions. Ledger, Vol. 1, 1–18.

— Primary source. Section 4 (MLSAG) and Section 5 (RingCT construction) are the technical core.

• Bünz, B., et al. (2018). Bulletproofs: Short Proofs for Confidential Transactions and More. IEEE S&P 2018.

— Replaces RingCT’s Borromean range proofs; the mathematical upgrade adopted by Monero.

• Goodell, B., & Noether, S. (2019). Concise Linkable Ring Signatures and Forgery Against Adversarial Keys. IACR ePrint 2019/654.

— CLSAG: the 2020 efficiency upgrade to MLSAG used in production Monero today.