Ring signatures are an innovation that is moderately complicated technically, but very promising for both token anonymization and identity applications. A ring signature is essentially a signature that proves that the signer has a private key corresponding to one of a particular set of public keys, without revealing which one. The two-sentence explanation of how this works mathematically is that a ring signature algorithm incorporates a mathematical function which can be computed normally with only a public key, but where knowing the private key allows one to add a seed to the input to make the output be whatever specific value is wanted. The signature itself consists of a list of values, where each value is set to the function applied to the previous value (plus some seed); creating a valid signature requires using knowledge of a private key to “close the loop”, forcing the last value computed to equal the first. Given a valid “ring” created in this way, anybody can verify that it is indeed a “ring”, i.e. that each value equals the function computed on the previous value plus the given seed, but there is no way to tell at which “link” in the ring a private key was used.
There is also an upgraded version of a ring signature called a linkable ring signature, which adds an extra property: if two signatures are produced with the same private key, that fact can be detected, yet no other information is revealed. For token anonymization, the application is fairly simple: when a user wants to spend a coin, instead of having them give a regular signature to prove ownership of their public key directly, public keys are combined into groups and the user is asked to simply prove membership in the group. Because of the linkability property, a user that has a single public key in a group can only spend from that group once; conflicting signatures are rejected.
Ring signatures can also be used for voting applications: instead of using ring signatures to validate spending from a set of coins, they are used to validate votes. They can also be used for identity applications: if someone wants to prove that they belong to a set of authorized users, without revealing which one, ring signatures are well suited to exactly that. Ring signatures are more mathematically involved than simple signatures, but they are quite practical to implement; some sample code for ring signatures on top of Ethereum can be found here.
Using Monero as an example, a ring signature is structured essentially as follows:
- Alice needs to send Bob 10 Monero, so she starts a transaction to Bob through her Monero wallet.
- Alice’s digital signature for this transaction is a one-time spend key that starts with an output being spent from her wallet.
- The non-signers of the ring signature are past transaction outputs that are randomly picked from the blockchain and act as decoys in the transaction.
- All ring members are plausible signers of the transaction, and it is computationally infeasible for an outsider to identify the actual signer.
- The ring members together make up the input of the transaction.
- The creator of the transaction (Alice) is provably eligible to spend the specified transaction amount without her identity being distinguishable from the others in the ring.
- Even though Alice’s public key is used in her own transaction, it may also be randomly picked as a decoy in other transactions on the Monero network, adding to the obfuscation.
Furthermore, the automatic creation of unique one-time keys prevents transaction linkability and is made possible through a variation of the Diffie-Hellman key exchange.
A problem with anonymous transactions on a privacy-focused cryptocurrency network such as Monero is that preventing double-spending would be very difficult, which would make the network useless as a digital currency if full double-spend protection were not ensured. This is neatly solved by the key images that are part of the ring signature scheme.
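As an added example (not code from the original article, from Monero, or from any library), here is the construction described earlier, in its linkable form, written in Python: the chain of challenge values where each link is a hash of the previous one plus a seed, the loop closed with the private key at the signer's own link, a key image that lets a node reject a second spend from the same key, and a verifier that walks the whole ring and checks that it returns to its starting value. The key image is derived from the signer's own public key (the CryptoNote style), so a double spend is detected even when the two spends use different decoys. Everything here is an assumption of the example: the 64-bit safe-prime subgroup is a constructed toy group standing in for a real curve, and the function names, parameters, and the sample message are not identifiers from Monero or the article.

```python
import hashlib
import random
import secrets
# Toy group, constructed for this example: a safe prime p = 2q + 1 and the
# order-q subgroup of quadratic residues mod p. 64 bits is far too small for
# real use (Monero uses the Ed25519 curve), but the ring construction is the same.
def _is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin test; n must be odd and > 3."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def _safe_prime(bits, seed=2024):
    """Deterministically find p = 2q + 1 with both p and q prime."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        p = 2 * q + 1
        if pow(2, p - 1, p) == 1 and _is_probable_prime(q, rng) and _is_probable_prime(p, rng):
            return p, q

P, Q = _safe_prime(64)
G = 4  # 2^2 is a quadratic residue, so it generates the order-q subgroup

def _h_scalar(*parts):
    """H1: hash message, key image, group elements and the ring to a challenge in Z_q."""
    h = hashlib.sha256()
    for x in parts:
        b = x if isinstance(x, bytes) else x.to_bytes(32, "big")
        h.update(len(b).to_bytes(2, "big") + b)
    return int.from_bytes(h.digest(), "big") % Q

def _hash_to_group(y):
    """H2: map a public key to a subgroup element whose discrete log nobody knows."""
    for ctr in range(256):
        e = hashlib.sha256(b"H2" + y.to_bytes(32, "big") + bytes([ctr])).digest()
        h = pow(int.from_bytes(e, "big") % P, 2, P)  # squaring lands in the QR subgroup
        if h > 1:
            return h
    raise ValueError("hash-to-group failed")  # probability ~2^-64 per attempt

def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def ring_sign(message, ring, x, pi):
    """Linkable ring signature by the member at index pi, who knows x = log_G(ring[pi])."""
    n = len(ring)
    key_image = pow(_hash_to_group(ring[pi]), x, P)  # same for every spend of this key
    c, s = [0] * n, [0] * n
    u = secrets.randbelow(Q - 1) + 1
    # Start the chain at the signer's own link with a fresh nonce u ...
    c[(pi + 1) % n] = _h_scalar(message, key_image, pow(G, u, P),
                                pow(_hash_to_group(ring[pi]), u, P), *ring)
    i = (pi + 1) % n
    while i != pi:  # ... walk around the ring with a random s_i for every decoy ...
        s[i] = secrets.randbelow(Q - 1) + 1
        z = pow(G, s[i], P) * pow(ring[i], c[i], P) % P
        zp = pow(_hash_to_group(ring[i]), s[i], P) * pow(key_image, c[i], P) % P
        c[(i + 1) % n] = _h_scalar(message, key_image, z, zp, *ring)
        i = (i + 1) % n
    s[pi] = (u - x * c[pi]) % Q  # ... and close the loop with the private key
    return c[0], s, key_image

def ring_verify(message, ring, sig):
    """Recompute every link starting from c_0; a valid ring returns to c_0."""
    c0, s, key_image = sig
    n = len(ring)
    if len(s) != n or not 1 < key_image < P or pow(key_image, Q, P) != 1:
        return False
    c = c0
    for i in range(n):
        z = pow(G, s[i], P) * pow(ring[i], c, P) % P
        zp = pow(_hash_to_group(ring[i]), s[i], P) * pow(key_image, c, P) % P
        c = _h_scalar(message, key_image, z, zp, *ring)
    return c == c0

def accept_spend(seen_images, message, ring, sig):
    """Node-side check: valid signature and a key image never seen before."""
    if not ring_verify(message, ring, sig):
        return "invalid"
    if sig[2] in seen_images:
        return "double-spend"
    seen_images.add(sig[2])
    return "accepted"
```

The verifier learns nothing about which index closed the loop: at the signer's link the two recomputed values are G^u and H2(y)^u, which look exactly like the decoys' values. The one check that matters for double-spend protection is that `accept_spend` keys its ledger on the key image rather than on the signature or the ring; two spends from the same key with entirely different decoy sets still collide on the image.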