Ring signatures in Bitcoin: Run Monero on Bitcoin

This post was first published on Medium

We have implemented the first-ever ring signature in Bitcoin.

Ring Signatures

Anyone in the ring can sign and no one can tell who signed

A ring signature is a type of digital signature that allows a message to be signed by a single member of a group, or ring. It proves that someone in the ring indeed signed, but there is no way to identify the actual signer among the ring members.

Its increased privacy enables many applications, such as:

  • whistleblowing: a government whistleblower wants to leak that his agency is secretly collecting citizens’ private data, yet wants to remain anonymous due to the risk of being fired. By using a ring signature, he can demonstrate that he works for the agency and thus add credibility to the claim, while concealing his identity.
  • e-voting: a voter signs her vote on behalf of all the people eligible to vote. She proves she has registered and is eligible to vote, without disclosing her vote¹.
  • private membership authentication: a user proves to an application she is registered without disclosing who she is.

It has been used by many blockchains to preserve privacy, most notably in Monero.

Ring signatures in Bitcoin

There are multiple ways to implement ring signatures. We choose a scheme called Spontaneous Anonymous Group (SAG) signatures², because it is based on elliptic curves and amenable to implementation in Bitcoin.

Signing

Given a message, a group/ring of public keys, and a private key, a signature is produced as follows:

[Figure: Signing. Signature from a group/ring of public keys with a given message.]

Verifying

Given a signature, a message, and a ring of public keys, the following algorithm determines if the signature is created by a private key corresponding to a public key in the ring, in two steps:

[Figure: Verifying. Algorithm from a message and a ring of public keys with a given signature.]

Implementation

We have implemented ring signature verification using an elliptic curve library. Anyone who knows a private key corresponding to one of the public keys in the group can sign and spend the coins locked in the contract. No one, not even the group members, can tell which one signed.

[Figure: Contract RingSig]

Lines 21 to 31 iteratively update c, as in step 1. Line 34 checks step 2.

***

NOTES:

[1] A ring signature that is linkable, which allows identifying whether two signatures belong to the same signer, is needed to detect double-voting.

[2] Section 3.3 of Zero to Monero.
