Anonymous Transactions — RingCT

Privacy level: High (Transacting amounts and participants are hidden)

Transaction cost: Medium to high, depending on the number of mixins used in the ring signatures or the size of the rings

Transaction cost for low privacy setting: ~0.003232 PART

Transaction cost for high privacy setting: ~0.009032 PART

Segwit: Yes (Reduces transaction weight by ~47%)

Bulletproofs: Yes (Reduces rangeproofs size by ~70%)

Trusted setup: No

Programmable outputs: No

Whitepaper: https://eprint.iacr.org/2015/1098.pdf

A blinded transaction on the Particl blockchain (Fee: 0.005708 PART for 8 ring members and 2 inputs)

Anonymous transactions, or Anon transactions, as referred to in Particl Desktop, take privacy to the next level by not only hiding the transacting amounts but also the identity of the transacting parties (the sender and the receiver). This type of transaction uses the RingCT privacy protocol, a protocol made popular by Monero but adapted to work with the Bitcoin codebase by the Particl team. This allows the platform to benefit from the industry-leading privacy protocol that is RingCT but still leverage the security, stability, and developer community of Bitcoin. In other words, RingCT on the Bitcoin codebase is like having your cake and eating it too. The good, without the bad.

Sending an anon transaction (RingCT) with 22 ring members on Particl Desktop

Good examples of this include RingCT being able to be used, with the help of special scripts, on atomic swaps, decentralized applications (i.e. Particl’s Open Marketplace), the Lightning Network, and etc. It also enables RingCT to be directly linked to CT transactions so that it can reach full programmability, as we’ll see later in this article.

Just like blinded transactions, which use the CT protocol, anonymous transactions are entirely trustless and don’t rely on any sort of trusted setup. It’s important to note that RingCT transactions are also a bit bigger than Confidential Transactions, although not by a big margin. This is due to the addition of ring signatures (MLSAG) into the mix.

Fun fact: RingCT was initially implemented on top of the Cryptonote codebase (Monero). The Particl team is the first team to ever develop a custom implementation that could work on any other codebase, in this case, the Bitcoin codebase.

Ring Signatures (MLSAG)

Report from Quarkslab audit into Particl’s implementation of MLSAG: https://blog.quarkslab.com/resources/2019-07-05-audit-particl-bulletproof-mlsag/particl_audit_report.pdf

Multilayered Linkable Spontaneous Ad-Hoc Group Signatures (MLSAG), or ring signatures, is the Ring part of RingCT. It is a type of digital signature that is performed by many outputs at once within a given group of RingCT outputs (represented by Anon balances, on Particl Desktop). It is then impossible for any observer to tell which of the participating outputs within that signature is the output actually sending out the transaction.

Wikipedia describes ring signatures as follow: “A ring signature is a type of digital signature that can be performed by any member of a group of users that each have keys. Therefore, a message signed with a ring signature is endorsed by someone in a particular group of people. One of the security properties of a ring signature is that it should be computationally infeasible to determine which of the group members’ keys was used to produce the signature.”.

In RingCT’s case, the digital signature used to execute a transaction could have originated from any member of the ring group. Users put some of their funds within an Anon balance. Funds held within an Anon balance are used to execute RingCT transactions. Before a transaction is executed, the protocol anonymously signs it by using other RingCT outputs as decoys and produces a signature that, when verified, looks like it could have been initiated by any of the owners of the RingCT outputs used by the ring group. It is not possible to know who really made the transaction because it could be anyone that has an output that’s being used by the ring group as a decoy.

This effectively anonymizes all values contained within a transaction— the amount transferred as well as both the transaction’s sender and receiver. It also arms transacting parties with a very strong plausible deniability (1, 2).

How to Make an Anonymous Transaction (RingCT) on Particl Desktop

A RingCT transaction containing 24 ring members

On Particl Desktop, it is possible to pick the number of members you want to have within the ring group you’re going to use to anonymize your transactions. On the client, this is referred to as NO. OF RING SIGS .

What it means is simple, for every input used to generate your transaction, a number of other outputs will be used to create a digital signature that could have been signed by any of the 24 participants. In the screenshot just above, the value 24 is selected. This means 23 fake outputs, and 1 real one (the sender of the transaction) will be used to obfuscate the transaction (if it only has 1 input). If the transaction uses 3 inputs, it means 3 signatures, one for each input, with 3 different ring groups of 24 participants each, will be generated in order to execute the transactions. This may sound complicated, but don’t worry, Particl Desktop does everything for you and makes RingCT transactions as easy to send as any other type of transaction.

To make a RingCT transaction, simply go into your Send/Convert tab, choose the Anon transaction type, click the Advanced Options , and use the PRIVACY LEVEL (NO. OF RING SIGS) slider that appears at the bottom left corner of the page. The value you pick will be equal to the number of ring members that will be part of your ring group. In reality, you can just leave the slider untouched and use the default level of privacy (8 ring members). This represents a good balance between privacy and cost.

Note: The more inputs are consumed to execute a RingCT transaction, the more expensive it gets, but also the more private it is. Also, the more ring members (RING SIGS) is selected before executing a transaction, the more expensive it gets, but also the more private it is. If you don’t care about the cost of a transaction and just want maximum privacy, form transactions with as many ring members as possible and with as many inputs as possible.

Keeping a Good Level of Privacy

As a general rule of thumb and in theory, RingCT gets more private as more people convert their public balances into Anon balances, thus creating more Anon outputs to be used by ring groups for RingCT transactions. That’s because RingCT relies on other people’s outputs to plausibly deny which output actually signed a transaction, and the more RingCT outputs there are to sign transactions, the stronger the privacy and plausible deniability aspect of RingCT gets.

But, while outputs are randomly picked from any Anon outputs in the chain, they’re most often picked from the most recent RingCT transactions. The reason the protocol behaves this way is in response to this research paper which demonstrates that real inputs can be guessed to be the most recent ones if all the “mixins” are much deeper in the chain and haven’t had transactions for a while.

For this reason, it is recommended that all users keep with them an Anon balance which can be automatically put to use by the network (at no fee to the users, of course). Additionally, it is also recommended that users transact as much as possible with Anon transactions so that it can contribute to enhancing the entire network’s privacy. Note that none of this is required in order to execute a RingCT transaction, but the more people do it, the stronger and more resilient it becomes for everyone.

This is also one of the main reason why Particl’s Open Marketplace is going to use RingCT transactions, by default, on all marketplace transactions. The best way to increase the RingCT pool is through transactional activity and actual usage of the technology, so making it default on what will become the platform’s main application is only logical and will go a long way into making Particl’s RingCT protocol a very solid one.