Ring Signatures in Bitcoin

Run Monero on Bitcoin

We have implemented the first-ever Ring Signature in Bitcoin.

Ring Signatures

Anyone in the ring can sign and no one can tell who signed

A ring signature is a type of digital signature that allows a message to be signed by a single member in a group, or a ring. It proves that someone in the ring indeed signs, but there is no way to identify the actual signer amongst the ring members.

Its increased privacy enables many applications, such as:

  • whistleblowing: a government whistleblower wants to leak that his agency is secretly collecting citizens’ private data, yet wants to remain anonymous due to the risk of being fired. By using a ring signature, he can demonstrate that he works for the agency and thus add credibility to the claim, while concealing his identity.
  • e-voting: a voter signs his vote on behalf of all the people eligible to vote. She proves she has registered and is eligible to vote, without disclosing her vote¹.
  • private membership authentication: a user proves to an application she is registered without disclosing who she is.

It has been used by many blockchains to preserve privacy, most notably in Monero.

Ring Signatures in Bitcoin

There are multiple ways to implement ring signatures. We choose a scheme called Spontaneous Anonymous Group signatures², because it is based in elliptic curve and amenable for implementation in Bitcoin.


Given a message, a group/ring of public keys, and a private key, a signature is produced as follows:



Given a signature, a message, and a ring of public keys, the following algorithm determines if the signature is created by a private key corresponding to a public key in the ring, in two steps:



We have implemented Ring signature verification, using elliptic curve library. Anyone who knows a private key of the group of public keys can sign and spend the coins locked in the contract. No one can tell which one signed, even the group members.

Contract RingSig

Line 21 to 31 iteratively update c, as in step 1. Line 34 checks step 2.

[1] A ring signature that is linkable, which allows identifying whether two signatures belong to the same signer, is needed to detect double-voting.

[2] Section 3.3 of Zero to Monero.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store

sCrypt (https://scrypt.io) is a company with a mission to provide integrated on-chain smart contracting solutions on Bitcoin SV