Ring Confidential Transactions

Introduction

Ring confidential transactions are version 2 Monero transactions which keep amounts hidden. They were activated at hard-fork 4. There are multiple types of RingCT transactions that were activated and deprecated at different hard-forks.

Definitions

OutPK: A pedersen commitment to the output amount.

Pseudo-outs: A pedersen commitment to the true spends amount with a different mask, such that the sum of the pseudo-outs is the same as the sum of the outPKs + fee * H.

Index

  1. Rules That Apply To All Types
  2. Simple Types Rules
  3. Borromean Rules
  4. MLSAG Rules
  5. Bulletproofs Rules
  6. CLSAG Rules
  7. Bulletproofs+ Rules

Rules That Apply To All Types

Type

RingCT type define the proofs used in the transaction, the ringCT types allowed depend on the hard-fork:

Type (Name)Short descriptionHard Fork allowedHard Fork disallowed
0 (NULL)No ringCT signatures, used for coinbase transactions4 (only miner transactions) 1Still allowed
1 (Full)A single aggregate MLSAG signature with borromean range proofs4 19 2
2 (Simple)MLSAG signatures per input with borromean range proofs4 19 2
3 (Bulletproof)MLSAG signatures per input with a single bulletproof for all outputs8 211 3
4 (Bulletproof2)Uses the same signatures as type 310 314 (except 2 transactions) 4
5 (CLSAG)CLSAG signatures per input with a single bulletproof for all outputs13 416 5
6 (Bulletproof+)CLSAG signatures per input with a single bulletproof+ for all outputs15 5Still allowed
6+Future type not currently allowedNot allowed 6Not allowed

There are 2 type 4 RCT transactions that are allowed after hard-fork 13, this was due to a bug in which transactions added to the txpool before a fork were not being checked for new fork rules they are: c5151944f0583097ba0c88cd0f43e7fabb3881278aa2f73b3b0a007c5d34e910 and 6f2f117cde6fbcf8d4a6ef8974fcac744726574ac38cf25d3322c996b21edd4c7.

OutPKs Valid Points

All outPKs must be canonically encoded points8.

Simple Types Rules

These rules apply to all RCT "simple" types, which are all except type "FULL".

Pseudo-outs Valid Points

This rule applies to the pseudo-outs, from type 3 (Bulletproof) the pseudo-outs field moved to the prunable RCT section from the non-prunable section.

The pseudo-outs must all be canonically encoded points9.

Pseudo-outs OutPKs Balance

The sum of the pseudo-outs must equal the sum of the OutPKs + fee * H:10

\(\sum PseudoOuts == \sum outPK + fee * H \)


1

There is no direct code allowing these types of RingCT, these are the original types that got activated when version 2 transactions got activated