1. Introduction
In part 7 we introduced the MLSAG ring signature scheme. Among other things, it safeguarded the anonymity of the signer. In part 8 we discussed the notions of Pedersen Commitments and Confidential Transactions. They were used to mask transaction amounts without compromising the proper bookkeeping of balances on the network. In this part, we combine the two in a new structure known as ring Confidential Transaction or ringCT.
It turns out that combining both concepts in a single mathematical construct requires additional work. In the first section, we explain why outright combination of the aforementioned concepts fails to preserve the anonymity of the sender.
In the second section we remedy the situation by introducing the notion of a nonzero commitment. This will form the basis of Monero’s ringCT scheme.
The last section goes over the mechanics of how a Monero transaction is created and includes references to relevant parts of the code base. We introduce two variants of ringCT, namely ringCT Type Full and ringCT Type Simple. We finally conclude with a breakdown of the components of a reallife Monero transaction.
2. A problem with preserving anonymity
A Monero transaction is a mathematical construct that is cryptographically signed. It details what unspent transaction outputs (UTXOs) the sender wants to use to conduct his transfer. In essence, a UTXO is an output associated with a previous blockchain transaction that hasn’t been spent yet. It can be subsequently used as an input to a future transaction. In addition, a Monero transaction encapsulates details about the recipients of the funds including the amount to be transferred to each recipient.
Consider the following hypothetical Monero transaction:
 The sender uses two of her UTXOs with respective amounts and (i.e., units of Monero currency).
 The sender transfers funds to three recipients including a transaction fee to the miners, funds destined to a counterparty, and change returned to the sender. Suppose the output amounts are respectively , ,
 All input and output amounts are replaced with a corresponding Pederson Commitment to hide the original value.
Suppose that we would also like to conceal the identity of the sender. This is tantamount to hiding the origin of the funds (i.e., hiding the sender’s UTXOs). Each UTXO is associated with a “onetime public key” and a corresponding “onetime private key” (the details will be explained in part 10 when we discuss the stealth address system). The sender embeds each UTXO in a set of other UTXOs. In this example we let The following is a representation of this scenario where each UTXO is identified by its transaction hash, commonly known as transaction id [1].
 First set of 5 UTXOs
 ( UTXO of ring member #1)
 ( UTXO of ring member #2)
 ( UTXO of ring member #3 (index of the signer))
 ( UTXO of ring member #4)
 ( UTXO of ring member #5)
 Second set of 5 UTXOs
 ( UTXO of ring member #1)
 ( UTXO of ring member #2)
 ( UTXO of ring member #3 (index of the signer))
 ( UTXO of ring member #4)
 ( UTXO of ring member #5)
To achieve the above, we can build an MLSAG ring signature where:
 The “onetime private keys” of all UTXOs used by the sender are grouped together to form his private key vector . Cleary, the private key vector will have an associated public key vector where
 The remaining 4 ring members will be associated with four additional public key vectors. Each vector consists of a pair of UTXOs that are pairwise different and different from the ones used by the sender. The total number of ring members, not including the sender, is known as the mixin count in Monero. Our hypothetical example has a mixin count of 4.
This setup can be summarized in a public key matrix given by:
As noted earlier, the transaction amounts associated with each UTXO are concealed using Pedersen Commitments. Following the logic outlined in part 8, the network will check if for some denoting the index of a ring member. Once it identifies a ring member whose UTXO pair satisfies this equality, it gets the assurance that the amounts balance out without knowing what the amounts are.
Note that the index of both UTXOs in a given pair must be the same. For example, the sender’s first UTXO appears in the 3rd position in the first UTXO set and also in the 3rd position in the second set. This is dictated by the construction of the private key and public key vectors in MLSAG.
However, by finding which pair of UTXOs satisfy the equation, the network would have also discovered the index of the signer. This is because it is extremely unlikely to select different ring members (i.e., pairs of UTXOs) such that the sum of their Pedersen Commitments (i.e., ) matches that of the sender (i.e., ). Consequently, only the Pedersen Commitments of the sender will satisfy the equation. By figuring out the index of the signer, the anonymity of the MLSAG gets jeopardized. In order to address this problem, we introduce an amendment to the MLSAG public key matrix.
3. Ring Confidential Transaction (RingCT)
Recall the following setup introduced in part 8:
 , let be the Pedersen Commitment associated with amount with blinding factor randomly chosen in
 Let be the miner’s transaction fee and let be the Pedersen Commitment associated with . The blinding factor is deliberatly chosen to be 0 (i.e., the identity element of ).
 , let be the Pedersen Commitment associated with amount with blinding factor randomly chosen in . We additionaly require that
By ensuring that:
 , and
 the amounts and remain confined to a predefined range (refer to part 8 for more information about the choice of ).
we got the following equivalence:
It is important to observe that the amounts balance out in actuality and not in the more relaxed modulo sense. This is due to the constraint we imposed on all transaction amounts being confined to the range. If this were not the case, one would be able to create or destroy Monero currency while still maintaining a balanced equation. To see this, suppose transaction amounts can take on any value in instead of being restricted to Moreover, suppose that the sender uses three UTXOs (i.e., ) with , , and There are two outputs (i.e., ) with , and
Clearly,
However,
If this transaction gets approved by the network, we would have effectively destroyed units of currency. Conversely, exchanging the input and output values would allow the creation of units of currency out of thin air. This example demonstrates the importance of having a balanced equation independent of modulo arithmetic. By confining all transaction amounts to the range, we ensure that this is the case. To prove that a transaction amount lies in a certain range, Monero makes use of the Borromean signature construct. A more sizeefficient alternative to Borromean signatures that is currently deployed on Monero’s testnet is Bulletproof. Bulletproof performs a range proof while potentially decreasing a Monero transaction size (and hence transaction fees) by up to 80%. Range proofs including the Borromean and Bulletproof constructs deserve an article on their own. We might dedicate an appendix to expain how they work in the future. For the time being, the interested reader can consult [2] and [9].
The problem encountered in section 2 was due to the high likelihood that only ring member had UTXOs whose Pedersen Commitments satisfy the equation (Note that we explicitly mention the index in to highlight that these specific Pedersen Commitments are the ones associated with the sender’s UTXOs. Other ring members have different UTXOs and hence different commitments). The culprit is the value which gave away the index of the sender. To remedy this shortcoming, we relax the condition: instead of requiring that , we let it take on any scalar value , as long as is only known to the sender . We highlight that the blinding factors are the ones associated with ‘s UTXO. Carrying over the notation from part 8, we get the following equalities:
(by definition of and )
(where we invoked the additive homomorphic property of the Pedersen Commitment map )
where and are addition and subtraction in modulo arithmetic over and where we used
If the transaction amounts don’t balance out, then:
And since the DL of in base is unknown, one can conclude that with overwhelming probability the sender would not know the DL of in base . The contrapositive statement ensures that if the sender can prove that he knows this DL, then with overwhelming probability, we must have
So by ensuring that:
 (only known to the sender ), and
 the amounts and remain confined to a predefined range (refer to part 8 for more information about the choice of ).
we can follow the same procedure outlined in part 8 and derive the following equivalence:
The expression showcases as the private key associated with public key No one knows the value of except the sender (note that this is possible since is fully defined by the blinding factors and which are only known to the sender – we will see how so when we allude to relevant portions of the Monero code in the next section). A signature that is verified using public key demonstrates that its signer knows the private key Consequently, this demonstrates that the transaction amounts are balanced. That leads us to amend the MLSAG scheme by introducing an additional key to the key vector of each user in the ring. The amended public key matrix becomes:
where denotes the sum of the Pedersen Commitments associated with all the UTXOs of ring member ringCT consists of conducting an MLSAG signature on the aforementioned public key matrix, where the privatekey vector of the sender is given by A valid signature on this public key matrix proves 2 things:
 That the sender holds the private key vector associated with all UTXOs used to source the funds (these are the first rows of the matrix).
 That the sender knows the secret key associated with (this is the second row of the matrix).
The resulting ringCT scheme hides transaction amounts and safeguards the anonymity of the signer at the same time [8].
4. Monero transactions in practice
Calculation of Pedersen Commitments: In the Monero code base,
 The Pedersen Commitment is known as outPk[].mask. The “Pk” suffix probably refers to “Public key” since Pedersen Commitments can be thought of as public keys (recall that they are scalar multiples of ).
 The blinding factor associated with is known as outSk[].mask. The “Sk” suffix probably refers to “Secret key” since blinding factors are scalars .
The calculation of these two values is conducted in the proveRange method which can be found in [5]
//proveRange and verRange //proveRange gives C, and mask such that \sumCi = C // c.f. http://eprint.iacr.org/2015/1098 section 5.1 // and Ci is a commitment to either 0 or 2^i, i=0,...,63 // thus this proves that "amount" is in [0, 2^64] // mask is a such that C = aG + bH, and b = amount //verRange verifies that \sum Ci = C and that each Ci is a commitment to 0 or 2^i rangeSig proveRange(key &amp;amp;amp; C, key &amp;amp;amp; mask, const xmr_amount &amp;amp;amp; amount) { sc_0(mask.bytes); identity(C); bits b; d2b(b, amount); rangeSig sig; key64 ai; key64 CiH; int i = 0; for (i = 0; i &amp;amp;lt; ATOMS; i++) { skGen(ai[i]); if (b[i] == 0) { scalarmultBase(sig.Ci[i], ai[i]); } if (b[i] == 1) { addKeys1(sig.Ci[i], ai[i], H2[i]); } subKeys(CiH[i], sig.Ci[i], H2[i]); sc_add(mask.bytes, mask.bytes, ai[i].bytes); addKeys(C, C, sig.Ci[i]); } sig.asig = genBorromean(ai, sig.Ci, CiH, b); return sig; }
proveRange takes three arguments:
 , which will hold the Pedersen Commitment value associated with a certain output amount. This corresponds to in our earlier notation.
 , which will hold the blinding factor value used in the calculation of this Pedersen Commitment. This corresponds to in our earlier notation.
 , which is the output amount for which the Pedersen Commitment will be calculated. This amount corresponds to in our earlier notation.
The method operates on and assigns the corresponding Pedersen Commitment and blinding factor to and respectively.
The first step consists in initializing to the identity element of the group . This is done by calling the identity method found in [4]
static const key I = { {0x01, 0x00, 0x00,0x00 , 0x00, 0x00, 0x00,0x00 , 0x00, 0x00, 0x00,0x00 , 0x00, 0x00, 0x00,0x00 , 0x00, 0x00, 0x00,0x00 , 0x00, 0x00, 0x00,0x00 , 0x00, 0x00, 0x00,0x00 , 0x00, 0x00, 0x00,0x00 } };
//Creates a zero elliptic curve point inline key identity() { return I; } inline void identity(key &amp;amp;amp;Id) { memcpy(&amp;amp;amp;Id, &amp;amp;amp;I, 32); }
The next step consists in decomposing into its binary digits. This is done by calling the d2b method found in [6]
//uint long long to int[64] void d2b(bits amountb, xmr_amount val) { int i = 0; while (val != 0) { amountb[i] = val &amp;amp;amp; 1; i++; val &amp;amp;gt;&amp;amp;gt;= 1; } while (i &amp;amp;lt; 64) { amountb[i] = 0; i++; } }
The method d2b takes two arguments, namely and an array to store the binary digits. The number of binary digits resulting from this decomposition is capped at a maximum of 64 (i.e., the highest transaction amount allowed is atomic units, where each unit corresponds to atomic units). The upper bound is stored in the variable ATOM found in [7].
//atomic units of moneros #define ATOMS 64
For each binary digit , the proveRange method generates a scalar by calling the skGen method found in [3].
//generates a random scalar which can be used as a secret key or mask void skGen(key &amp;amp;amp;sk) { sk = crypto::rand&amp;amp;lt;key&amp;amp;gt;(); sc_reduce32(sk.bytes); }
The skGen method randomly creates a secret key (i.e., a scalar ) and assigns it to its argument. As a result, the expression skGen() (which appears in the proveRange method) assigns a random scalar to variable . This variable plays the role of the blinding factor associated with binary digit
A binary digit can either be equal to or to . The method d2b stores digit in variable . If is 0, then the Pedersen Commitment associated with digit is set to which is equal to This calculation is performed by calling the scalarmultBase method found in [3]:
//does a * G where a is a scalar and G is the curve basepoint void scalarmultBase(key &amp;amp;amp;aG,const key &amp;amp;amp;a) { ge_p3 point; sc_reduce32copy(aG.bytes, a.bytes); //do this beforehand! ge_scalarmult_base(&amp;amp;amp;point, aG.bytes); ge_p3_tobytes(aG.bytes, &amp;amp;amp;point); }
If is 1, then the corresponding Pedersen Commitment is set to . Here, corresponds to the argument fed to the addKeys1 method invoked in the proveRange method. is retrieved in the table which can be found in [7]. The addKeys1 method is found in [3].
//addKeys1 //aGB = aG + B where a is a scalar, G is the basepoint, and B is a point void addKeys1(key &amp;amp;amp;aGB, const key &amp;amp;amp;a, const key &amp;amp;amp; B) { key aG = scalarmultBase(a); addKeys(aGB, aG, B); }
The blinding factor is finally set to . This is done in the proveRange method by calling the sc_add method.
Lastly, the Pedersen Commitment is calculated by adding all the computed for To see why this computation yields the desired Pedersen Commitment, note the following:
In the proveRange method, this is done by invoking the addKeys method found in [3]
//for curve points: AB = A + B void addKeys(key &amp;amp;amp;AB, const key &amp;amp;amp;A, const key &amp;amp;amp;B) { ge_p3 B2, A2; CHECK_AND_ASSERT_THROW_MES_L1(ge_frombytes_vartime(&amp;amp;amp;B2, B.bytes) == 0, "ge_frombytes_vartime failed at "+boost::lexical_cast&amp;amp;lt;std::string&amp;amp;gt;(__LINE__)); CHECK_AND_ASSERT_THROW_MES_L1(ge_frombytes_vartime(&amp;amp;amp;A2, A.bytes) == 0, "ge_frombytes_vartime failed at "+boost::lexical_cast&amp;amp;lt;std::string&amp;amp;gt;(__LINE__)); ge_cached tmp2; ge_p3_to_cached(&amp;amp;amp;tmp2, &amp;amp;amp;B2); ge_p1p1 tmp3; ge_add(&amp;amp;amp;tmp3, &amp;amp;amp;A2, &amp;amp;amp;tmp2); ge_p1p1_to_p3(&amp;amp;amp;A2, &amp;amp;amp;tmp3); ge_p3_tobytes(AB.bytes, &amp;amp;amp;A2); }
The and values are assigned to variables outPk[].mask and outSk[].mask through the genRct method by calling the proveRange method. The genRct (generate ringCT) method is found in [5]
//genRct: // creates an rctSig with all data necessary to verify the rangeProofs and that the signer owns one of the // columns that are claimed as inputs, and that the sum of inputs = sum of outputs. // Also contains masked "amount" and "mask" so the receiver can see how much they received //verRct: // verifies that all signatures (rangeProogs, MG sig, sum inputs = outputs) are correct //decodeRct: (c.f. http://eprint.iacr.org/2015/1098 section 5.1.1) // uses the attached ecdh info to find the amounts represented by each output commitment // must know the destination private key to find the correct amount, else will return a random number // Note: For txn fees, the last index in the amounts vector should contain that // Thus the amounts vector will be "one" longer than the destinations vectort rctSig genRct(const key &amp;amp;amp;message, const ctkeyV &amp;amp;amp; inSk, const keyV &amp;amp;amp; destinations, const vector&amp;amp;lt;xmr_amount&amp;amp;gt; &amp;amp;amp; amounts, const ctkeyM &amp;amp;amp;mixRing, const keyV &amp;amp;amp;amount_keys, const multisig_kLRki *kLRki, multisig_out *msout, unsigned int index, ctkeyV &amp;amp;amp;outSk, bool bulletproof, hw::device &amp;amp;amp;hwdev) { CHECK_AND_ASSERT_THROW_MES(amounts.size() == destinations.size()  amounts.size() == destinations.size() + 1, "Different number of amounts/destinations"); CHECK_AND_ASSERT_THROW_MES(amount_keys.size() == destinations.size(), "Different number of amount_keys/destinations"); CHECK_AND_ASSERT_THROW_MES(index &amp;amp;lt; mixRing.size(), "Bad index into mixRing"); for (size_t n = 0; n &amp;amp;lt; mixRing.size(); ++n) { CHECK_AND_ASSERT_THROW_MES(mixRing[n].size() == inSk.size(), "Bad mixRing size"); } CHECK_AND_ASSERT_THROW_MES((kLRki &amp;amp;amp;&amp;amp;amp; msout)  (!kLRki &amp;amp;amp;&amp;amp;amp; !msout), "Only one of kLRki/msout is present"); rctSig rv; rv.type = bulletproof ? RCTTypeFullBulletproof : RCTTypeFull; rv.message = message; rv.outPk.resize(destinations.size()); if (bulletproof) rv.p.bulletproofs.resize(destinations.size()); else rv.p.rangeSigs.resize(destinations.size()); rv.ecdhInfo.resize(destinations.size()); size_t i = 0; keyV masks(destinations.size()); //sk mask.. outSk.resize(destinations.size()); for (i = 0; i &amp;amp;lt; destinations.size(); i++) { //add destination to sig rv.outPk[i].dest = copy(destinations[i]); //compute range proof if (bulletproof) rv.p.bulletproofs[i] = proveRangeBulletproof(rv.outPk[i].mask, outSk[i].mask, amounts[i]); else rv.p.rangeSigs[i] = proveRange(rv.outPk[i].mask, outSk[i].mask, amounts[i]); #ifdef DBG if (bulletproof) CHECK_AND_ASSERT_THROW_MES(verBulletproof(rv.p.bulletproofs[i]), "verBulletproof failed on newly created proof"); else CHECK_AND_ASSERT_THROW_MES(verRange(rv.outPk[i].mask, rv.p.rangeSigs[i]), "verRange failed on newly created proof"); #endif //mask amount and mask rv.ecdhInfo[i].mask = copy(outSk[i].mask); rv.ecdhInfo[i].amount = d2h(amounts[i]); hwdev.ecdhEncode(rv.ecdhInfo[i], amount_keys[i]); } //set txn fee if (amounts.size() &amp;amp;gt; destinations.size()) { rv.txnFee = amounts[destinations.size()]; } else { rv.txnFee = 0; } key txnFeeKey = scalarmultH(d2h(rv.txnFee)); rv.mixRing = mixRing; if (msout) msout&amp;amp;gt;c.resize(1); rv.p.MGs.push_back(proveRctMG(get_pre_mlsag_hash(rv, hwdev), rv.mixRing, inSk, outSk, rv.outPk, kLRki, msout ? &amp;amp;amp;msout&amp;amp;gt;c[0] : NULL, index, txnFeeKey,hwdev)); return rv; }
Among other things, the genRct method takes a destinations vector as argument. Each element of the vector consists of the address of a relevant recipient of funds for this transaction. The length of the destinations vector corresponds to the total number of recipients (eg., in our earlier hypothetical example, it would be 3). The genRct method loops through all of them, each time making a call to the proveRange method with the following arguments:
 outPk[].mask which stores the Pedersen Commitment associated with the amount to be sent to the recipient. Note that the “mask” attribute in this case is not a blinding factor. This is a matter of Monero code convention where each key has 2 fields associated with it: 1) A field, and 2) A field
 In case the structure is a secret key (e.g., a Monero amount – recall that amounts are elements of and hence are scalars, a.k.a. secret keys), the field would contain the secret key, while the field would contain the randomly generated blinding factor as described earlier.
 In case the structure is a public key, would contain the address and would contain the Pedersen Commitment of the amount to be transferred to the address. The definitions can be found in [7]
//containers For CT operations //if it's representing a private ctkey then "dest" contains the secret key of the address // while "mask" contains a where C = aG + bH is CT pedersen commitment and b is the amount // (store b, the amount, separately //if it's representing a public ctkey, then "dest" = P the address, mask = C the commitment struct ctkey { key dest; key mask; //C here if public };
 outSk[].mask which stores the blinding factor associated with the amount to be transferred to the recipient.
 amounts[] which corresponds to the amount to be transfered to the recipient.
For each recipient , this assigns
 The relevant Pedersen Commitment to outPk[].mask
 The blinding factor or value to outSk[].mask
Finally, the blinding factor and the amount associated with each recipient are encoded so that they are only known to the sender and to the recipient of the funds. This ensures that the sender is the only entity that knows the value of all the blinding factors associated with UTXO amounts used to source the funds as well as blinding factors associated with the amounts destined to each recipient. In other words, only the sender would simultaneously know and As a result, the sender is the only entity that knows (introduced in the previous section) that makes ringCT work properly.
The encoding is done through a call to the ecdhEncode method in genRct. It is found in [3]
//Elliptic Curve Diffie Helman: encodes and decodes the amount b and mask a // where C= aG + bH void ecdhEncode(ecdhTuple &amp;amp;amp; unmasked, const key &amp;amp;amp; sharedSec) { key sharedSec1 = hash_to_scalar(sharedSec); key sharedSec2 = hash_to_scalar(sharedSec1); //encode sc_add(unmasked.mask.bytes, unmasked.mask.bytes, sharedSec1.bytes); sc_add(unmasked.amount.bytes, unmasked.amount.bytes, sharedSec2.bytes); }
The ecdhEncode method takes 2 arguments:
 unmasked, which has 2 attributes: 1) A blinding factor known as and 2) A transaction
 sharedSec, which is a a secret key only known to the sender and the recipient of the funds and used to encode the transaction’s blinding factor and amount.
The encryption is done as follows:
 The is mapped to , where keccak is the hash function used by Monero.
 is mapped to
Building ringCT ‘s amended public key matrix: Recall that the amended public key matrix used in ringCT and introduced in the previous section was given by:
where denotes the sum of the Pedersen Commitments associated with all the UTXOs of ring member
The calculation of this matrix is performed in the proveRctMG method found in [5]. (Note that in the code below, our variable corresponds to the code’s variable and our variable corresponds to the code’s variable
//Ringct MG sigs //Prove: // c.f. http://eprint.iacr.org/2015/1098 section 4. definition 10. // This does the MG sig on the "dest" part of the given key matrix, and // the last row is the sum of input commitments from that column  sum output commitments // this shows that sum inputs = sum outputs //Ver: // verifies the above sig is created corretly mgSig proveRctMG(const key &amp;amp;message, const ctkeyM &amp;amp; pubs, const ctkeyV &amp;amp; inSk, const ctkeyV &amp;amp;outSk, const ctkeyV &amp;amp; outPk, const multisig_kLRki *kLRki, key *mscout, unsigned int index, key txnFeeKey, hw::device &amp;amp;hwdev) { mgSig mg; //setup vars size_t cols = pubs.size(); CHECK_AND_ASSERT_THROW_MES(cols &amp;gt;= 1, "Empty pubs"); size_t rows = pubs[0].size(); CHECK_AND_ASSERT_THROW_MES(rows &amp;gt;= 1, "Empty pubs"); for (size_t i = 1; i &amp;lt; cols; ++i) { CHECK_AND_ASSERT_THROW_MES(pubs[i].size() == rows, "pubs is not rectangular"); } CHECK_AND_ASSERT_THROW_MES(inSk.size() == rows, "Bad inSk size"); CHECK_AND_ASSERT_THROW_MES(outSk.size() == outPk.size(), "Bad outSk/outPk size"); CHECK_AND_ASSERT_THROW_MES((kLRki &amp;amp;&amp;amp; mscout)  (!kLRki &amp;amp;&amp;amp; !mscout), "Only one of kLRki/mscout is present"); keyV sk(rows + 1); keyV tmp(rows + 1); size_t i = 0, j = 0; for (i = 0; i &amp;lt; rows + 1; i++) { sc_0(sk[i].bytes); identity(tmp[i]); } keyM M(cols, tmp); //create the matrix to mg sig for (i = 0; i &amp;lt; cols; i++) { M[i][rows] = identity(); for (j = 0; j &amp;lt; rows; j++) { M[i][j] = pubs[i][j].dest; addKeys(M[i][rows], M[i][rows], pubs[i][j].mask); //add input commitments in last row } } sc_0(sk[rows].bytes); for (j = 0; j &amp;lt; rows; j++) { sk[j] = copy(inSk[j].dest); sc_add(sk[rows].bytes, sk[rows].bytes, inSk[j].mask.bytes); //add masks in last row } for (i = 0; i &amp;lt; cols; i++) { for (size_t j = 0; j &amp;lt; outPk.size(); j++) { subKeys(M[i][rows], M[i][rows], outPk[j].mask); //subtract output Ci's in last row } //subtract txn fee output in last row subKeys(M[i][rows], M[i][rows], txnFeeKey); } for (size_t j = 0; j &amp;lt; outPk.size(); j++) { sc_sub(sk[rows].bytes, sk[rows].bytes, outSk[j].mask.bytes); //subtract output masks in last row.. } return MLSAG_Gen(message, M, sk, kLRki, mscout, index, rows, hwdev); }
For each ring member , the input Pedersen Commitments are added. Then the output Pedersen Commitments are subtracted.
RCTTypeFull vs. RCTTypeSimple: The signature scheme along with the ringCT amended public key matrix that we introduced thus far is known as RCTTypeFull or ringCT Type Full (referred to as Type 1 in Monero’s code base). It treats all UTXOs at once as part of a single ring signature structure: if we have UTXOs and a mixin count of , ringCT Type Full creates a public key matrix of size and signs the transaction in one go. As we previously noted in our hypothetical example, it is imperative that the index of each UTXO used by the sender be the same (recall that in our hypothetical example the index was equal to 3 for each of the 2 UTXOs). This is dictated by the structure of the public key matrix.
Monero uses a signature of type ringCT Type Full (i.e., of Type 1) when a transaction has only 1 UTXO. Whenever a sender uses more that 1 UTXO to conduct a transfer, Monero invokes a more efficient variant known as ringCT Type Simple (also known as Type 2). An enumeration of Monero’s ringCT Types is found in [7]
enum { RCTTypeNull = 0, RCTTypeFull = 1, RCTTypeSimple = 2, RCTTypeFullBulletproof = 3, RCTTypeSimpleBulletproof = 4, };
A ringCT Type 0 corresponds to a coinbase transaction. Simply put, it is a particular type of transaction issued by a miner whenever a new block is successfully created. It takes no input, but creates new currency units to reward the miner for her successful work. ringCT Types 0, 3, and 4 are not within the scope of this work. We now describe the ringCT Type simple variant of the ringCT signature.
We derived the following equality in section 3:
where is a scalar equal to
Let’s define a new set of commitments that we call pseudooutput commitments or We create one for each index as follows:

 Generate random scalar
 Compute
 For , set
The above construction ensures that
We can rewrite the original equality as:
Note the following:
If we can prove that , we can conclude that
If we can furthermore show that
then we can conclude that , and hence that the amounts are balanced modulo
If in addition, we can prove that the amounts and are confined to a predefined range (refer to part 8 for more information about the choice of ), then we can conclude that and hence that the amounts are balanced independent of modulo arithmetic.
We observe that if , we have such that , then will certainly hold. In essence, this corresponds to having a total of signatures, each signed with a relevant since can be thought of as a public key associated with secret key
So in ringCT Type Simple, we do not create a single public key matrix and hence do not apply MLSAG only once. Instead, we create different public key matrices with each having its own MLSAG. The public key matrices are elements of and are given by:
refers to the Pedersen Commitment associated with the UTXO ) of ring member ( Note that , the value of is the same We can think of this as being a separate MLSAG on each UTXO used by the sender. It proves 2 things:
 That the sender holds the private key associated with his UTXO (this is the first row of the matrix).
 That the sender knows the secret key associated with (this is the second row of the matrix).
In Monero’s code base, the creation of the pseudooutput commitments is done in the genRctSimple method found in [5]
//RCT simple //for postrct only rctSig genRctSimple(const key &message, const ctkeyV & inSk, const keyV & destinations, const vector<xmr_amount> &inamounts, const vector<xmr_amount> &outamounts, xmr_amount txnFee, const ctkeyM & mixRing, const keyV &amount_keys, const std::vector<multisig_kLRki> *kLRki, multisig_out *msout, const std::vector<unsigned int> & index, ctkeyV &outSk, bool bulletproof, hw::device &hwdev) { CHECK_AND_ASSERT_THROW_MES(inamounts.size() > 0, "Empty inamounts"); CHECK_AND_ASSERT_THROW_MES(inamounts.size() == inSk.size(), "Different number of inamounts/inSk"); CHECK_AND_ASSERT_THROW_MES(outamounts.size() == destinations.size(), "Different number of amounts/destinations"); CHECK_AND_ASSERT_THROW_MES(amount_keys.size() == destinations.size(), "Different number of amount_keys/destinations"); CHECK_AND_ASSERT_THROW_MES(index.size() == inSk.size(), "Different number of index/inSk"); CHECK_AND_ASSERT_THROW_MES(mixRing.size() == inSk.size(), "Different number of mixRing/inSk"); for (size_t n = 0; n < mixRing.size(); ++n) { CHECK_AND_ASSERT_THROW_MES(index[n] < mixRing[n].size(), "Bad index into mixRing"); } CHECK_AND_ASSERT_THROW_MES((kLRki && msout)  (!kLRki && !msout), "Only one of kLRki/msout is present"); if (kLRki && msout) { CHECK_AND_ASSERT_THROW_MES(kLRki>size() == inamounts.size(), "Mismatched kLRki/inamounts sizes"); } rctSig rv; rv.type = bulletproof ? RCTTypeSimpleBulletproof : RCTTypeSimple; rv.message = message; rv.outPk.resize(destinations.size()); if (bulletproof) rv.p.bulletproofs.resize(destinations.size()); else rv.p.rangeSigs.resize(destinations.size()); rv.ecdhInfo.resize(destinations.size()); size_t i; keyV masks(destinations.size()); //sk mask.. outSk.resize(destinations.size()); key sumout = zero(); for (i = 0; i < destinations.size(); i++) { //add destination to sig rv.outPk[i].dest = copy(destinations[i]); //compute range proof if (bulletproof) rv.p.bulletproofs[i] = proveRangeBulletproof(rv.outPk[i].mask, outSk[i].mask, outamounts[i]); else rv.p.rangeSigs[i] = proveRange(rv.outPk[i].mask, outSk[i].mask, outamounts[i]); #ifdef DBG if (bulletproof) CHECK_AND_ASSERT_THROW_MES(verBulletproof(rv.p.bulletproofs[i]), "verBulletproof failed on newly created proof"); else CHECK_AND_ASSERT_THROW_MES(verRange(rv.outPk[i].mask, rv.p.rangeSigs[i]), "verRange failed on newly created proof"); #endif sc_add(sumout.bytes, outSk[i].mask.bytes, sumout.bytes); //mask amount and mask rv.ecdhInfo[i].mask = copy(outSk[i].mask); rv.ecdhInfo[i].amount = d2h(outamounts[i]); hwdev.ecdhEncode(rv.ecdhInfo[i], amount_keys[i]); } //set txn fee rv.txnFee = txnFee; //TODO: unused ?? //key txnFeeKey = scalarmultH(d2h(rv.txnFee)); rv.mixRing = mixRing; keyV &pseudoOuts = bulletproof ? rv.p.pseudoOuts : rv.pseudoOuts; pseudoOuts.resize(inamounts.size()); rv.p.MGs.resize(inamounts.size()); key sumpouts = zero(); //sum pseudoOut masks keyV a(inamounts.size()); for (i = 0 ; i < inamounts.size()  1; i++) { skGen(a[i]); sc_add(sumpouts.bytes, a[i].bytes, sumpouts.bytes); genC(pseudoOuts[i], a[i], inamounts[i]); } rv.mixRing = mixRing; sc_sub(a[i].bytes, sumout.bytes, sumpouts.bytes); genC(pseudoOuts[i], a[i], inamounts[i]); DP(pseudoOuts[i]); key full_message = get_pre_mlsag_hash(rv,hwdev); if (msout) msout>c.resize(inamounts.size()); for (i = 0 ; i < inamounts.size(); i++) { rv.p.MGs[i] = proveRctMGSimple(full_message, rv.mixRing[i], inSk[i], a[i], pseudoOuts[i], kLRki ? &(*kLRki)[i]: NULL, msout ? &msout>c[i] : NULL, index[i], hwdev); } return rv; }
 For each recipient appearing in the destinations vector, genRctSimple makes a call to the proveRange method previouly introduced. It stores the Pedersen Commitment associated with output amount in variable outPk[j].mask. The corresponding blinding factor is stored in variable outSk[j].mask.
 genRctSimple will then call the sc_add method to sum all the the blinding factors outSk[j]. The result () is stored in variable sumout.
 Each output amount and its corresponding blinding factor are then encoded by calling the ecdhEncode method.
 The next step consists in calculating the pseudooutput commitments and their corresponding blinding factors This is done as follows:
 (where corresponds to inamounts.size()), the blinding factor is randomly generated by calling the method skGen and stored in variable
 The pseudooutput commitment is then calculated by calling the method genC on amount which is stored in variable inamounts[i] and blinding factor stored in variable . is stored in variable pseudoOuts[i].
 The method keeps track of in a variable called sumpouts. The sum is calculated by calling the method sc_add. Hence sumpouts
 is then set to sumout – sumpouts. This is done by calling the sc_sub method.
 Finally, the pseudooutput commitment is constructed by calling the genC method on amount (stored in variable inamounts[m]) and blinding factor (stored in variable ). is stored in variable pseudoOuts[m].
With pseudooutput commitments calculated, genRctSimple makes calls to the proveRctMGSimple method found in [5]
//Ringct MG sigs Simple // Simple version for when we assume only // post rct inputs // here pubs is a vector of (P, C) length mixin // inSk is x, a_in corresponding to signing index // a_out, Cout is for the output commitment // index is the signing index.. mgSig proveRctMGSimple(const key &message, const ctkeyV & pubs, const ctkey & inSk, const key &a , const key &Cout, const multisig_kLRki *kLRki, key *mscout, unsigned int index, hw::device &hwdev) { mgSig mg; //setup vars size_t rows = 1; size_t cols = pubs.size(); CHECK_AND_ASSERT_THROW_MES(cols >= 1, "Empty pubs"); CHECK_AND_ASSERT_THROW_MES((kLRki && mscout)  (!kLRki && !mscout), "Only one of kLRki/mscout is present"); keyV tmp(rows + 1); keyV sk(rows + 1); size_t i; keyM M(cols, tmp); sk[0] = copy(inSk.dest); sc_sub(sk[1].bytes, inSk.mask.bytes, a.bytes); for (i = 0; i < cols; i++) { M[i][0] = pubs[i].dest; subKeys(M[i][1], pubs[i].mask, Cout); } return MLSAG_Gen(message, M, sk, kLRki, mscout, index, rows, hwdev); }
The code is self explanatory and the calls generate different public key matrices as described earlier. Recall that each matrix is an element of
A validation of the signatures proves that there exists an element of the ring for which (refer to the observation made about earlier).
then leads us to conclude that
The next step is to validate , and show that
Once proven, it allows us to conclude that
and hence that the amounts are balanced modulo . The verification of this step is done as part of the verRctSimple method found in [5]. We include below the relevant portion of the method that does the verification.
if (semantics) { key sumOutpks = identity(); for (size_t i = 0; i < rv.outPk.size(); i++) { addKeys(sumOutpks, sumOutpks, rv.outPk[i].mask); } DP(sumOutpks); key txnFeeKey = scalarmultH(d2h(rv.txnFee)); addKeys(sumOutpks, txnFeeKey, sumOutpks); key sumPseudoOuts = identity(); for (size_t i = 0 ; i < pseudoOuts.size() ; i++) { addKeys(sumPseudoOuts, sumPseudoOuts, pseudoOuts[i]); } DP(sumPseudoOuts); //check pseudoOuts vs Outs.. if (!equalKeys(sumPseudoOuts, sumOutpks)) { LOG_PRINT_L1("Sum check failed"); return false; }
The variable sumOutpks is first initialized to the identity element of the elliptic group. It is then built up iteratively by calling the addKeys method. The final result is given by outPk[j].mask which is none other than
Next, the Pedersen Commitment associated with the miner’s and given by is added to sumOutpks.
A similar procedure is followed to calculate sumPseudoOuts pseudoOuts[i]. This is none other than
The 2 sums are subsequently compared and a boolean value returned.
Lastly, the Borromean signature construct (out of the scope of this series) is used to validate , and conclude that (i.e., ensuring that the equality holds independently of modulo arithmetic).
5. Example of a real Monero transaction
On moneroexplorer.com, we retrieve the transaction with tx hash given by
Here is a breakdown of the JSON representation of this transaction:
The transaction version field is equal to 2. This means that this transaction implements ringCT. This is in contrast to the earlier version 1 which implemented a regular ring signature scheme instead of ringCT.
 There are 2 Vin sets. This means that 2 UTXOs are used to source funds to transfer to recipients. The sender’s UTXOs are concealed in a ring of size 5 each. This means that the mixin count is equal to 4.
 The first Vin set is identified by the array of key_offsets , while the second is identified by
 A key offset is a relative index corresponding to a particular UTXO. In Monero, all UTXOs holding the same amount value are listed sequentially, and the key offset is a way to reference a specific UTXO in that list. The rationale for doing so has to do with the earlier version of Monero. Prior to ringCT, Monero’s ring signature scheme had to group UTXOs of the same amount together in order to safeguard the anonymity of the signer. If different amounts were allowed to be grouped together, it would be very likely for the index of the signer to be identified since it would be the only one for which the input/output amount equation balances out. The reasoning is similar to the one we employed earlier when we discussed the shortcoming of using a commitment to 0. The difference is that in the latter case, we operate on Pedersen Commitments, while in the former we operate on the actual amounts. With the advent of ringCT, all UTXO amounts became concealed and given the value 0 as an indication that they are hidden. This is reflected in the amount field.
 The key offsets associated with the first Vin set are then the relative indices of UTXOs with hidden amounts (i.e., whose amount field is set to 0). For the first Vin set, the first UTXO appears at index , the second at index , the third at index and so on.
 The k_image field holds the key image or tag associated with the signer’s UTXO. We will see in part 10 that a UTXO is associated with a “onetime private key” and a “onetime public key”. This unique pair is used to calculate the key image as described in part 7 of this series. The key image associated with the signer’s first UTXO (each ring member has 2 UTXOs in this example) is given by
where the superscript refers to the first set of Vin and refers to the index of the signer in the ring. Recall that the keyimage construct ensures that MLSAG is linkable, which in turn helps prevent the doublespending problem.
The above exerpt shows that there are 2 recipients of funds (probably a counterparty and a change address). Here too, the amounts are concealed and the amount field is set to 0. Note that the key field of each recipient holds a stealth address (i.e., unique address) that helps conceal his identity. We will introduce stealth addresses in part 10.
 The type field is set to 2. Type 1 is for ringCT Type Full, while type 2 is for ringCT Type Simple. Recall that type 1 is implemented if there is only one UTXO (i.e., Vin = 1). If there are more than a single Vin, then type 2 is implemented.
 The txnfee field specifies the transaction fee paid to the miners. It is expressed in picoNero or atomic units (recall that each Monero unit corresponds to atomic units).
 The pseudoOuts field contains the pseudooutput commitments which correspond to the introduced earlier. In this case, , since there are 2 Vin sets.
 The ecdhInfo section contains the encoded values of the blinding factor and amount associated with each Vout. Recall that
 mask , where keccak is the hash function used by Monero, and sharedSec is a shared secret as was introduced in the previous section.
 amount
where . In this case , since there are 2 Vout‘s.

The outPk field corresponds to the output Pedersen Commitments. These are the introduced in the previous section. Here , since there are 2 Vout‘s.
This portion contains information pertaining to the proof that transaction amounts are confined to a specific range (i.e., as was described previously). The mechanics of Borromean signatures and range proofs were not included in this work.
Since this transaction implements ringCT Type Simple, it creates 2 amended public key matrices and (1 for each Vin set). It then runs an MLSAG on each matrix. As we previously saw in part 7 of this series, an MLSAG signature issued by signer on message and public key matrix is of the form:
In this case (since the matrix has 2 rows) and (since the mixin count is equal to 4). Each of the 2 signatures will then be of the form:
 The ss values correspond to the ‘s where for example in the first MLSAG signature, corresponds to
 The cc value corresponds to that appears in the MLSAG signature
References
[1] knaccc. What is the transaction id.
[2] G. Maxwell and A. Poelstra. Borromean ring signatures. , 2015.
[3] Monero. rctops.cpp.
[4] Monero. rctops.h.
[5] Monero. rctsigs.cpp.
[6] Monero. rcttypes.cpp.
[7] Monero. rcttypes.h.
[8] S. Noether and A. Mackenzie. Ring condential transactions. Monero Research Lab, 2016.
[9] B. Bunz, J. Bootle, D. Boneh, A. Poelstra, P. Wuille, and G. Maxwell. Bulletproofs: Short proofs for condential transactions and more. Stanford, 2016.
Tags: confidential, MLSAG, Monero, Pedersen commitment, Privacy, ringCT, transaction
No comments
Comments feed for this article
Trackback link: https://delfr.com/monero/ringctmonerosbuildingblockspart9/trackback/