The Monero Research Lab (MRL) released Triptych in a Jan. 6 paper proposing trustless, logarithmic-size ring signatures. Since ring signatures are Monero's core anonymity mechanism, research aimed at decreasing their size could improve the coin's privacy significantly.
Monero (XMR) is a privacy coin that uses several distinct mechanisms to obfuscate parts of a transaction. The primary line of defense against transaction tracing comes from ring signatures. These work by aggregating a sender’s true coins with a set of decoys, picked semi-randomly from other points in the blockchain. There are currently 10 decoys added by default to any transaction, an amount that has been fixed for all users since late 2018.
Triptych's primary innovation is making the byte size of ring signatures scale logarithmically with the number of decoys, instead of linearly. This would allow a dramatic increase in ring size without a major growth in transaction size. Despite this major innovation, verification time for ring signatures remains linear in the ring size, so increasing the ring size too much could overwhelm the nodes that have to verify transactions.
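To make the "linear" cost concrete, here is a toy Schnorr-style (AOS) ring signature, added to this article as an illustration; it is not code from the Triptych paper, MRL or Monero, and it is not Monero's own scheme (which additionally carries a key image for double-spend detection). It assumes a 128-bit safe-prime group generated at start-up (far too small for real use), SHA-256 as the Fiat-Shamir hash, and a seeded RNG so the run is reproducible. One real key is hidden among decoys, the verifier cannot tell which slot is real, and the signature is n + 1 scalars for a ring of n members, which is the linear growth Triptych's logarithmic construction addresses.

```python
"""Toy AOS (Abe-Ohkubo-Suzuki) ring signature, linear in ring size.

Added for illustration; this is NOT Triptych and NOT Monero's own scheme.
Monero's ring signatures additionally carry a key image for double-spend
detection, which this toy omits. The group is a 128-bit safe-prime group,
far too small for real use.
"""
import hashlib
import random

# Deterministic RNG so the demo reproduces; a real signer must use `secrets`.
rng = random.Random(2020)  # arbitrary seed, constructed for the demo


def is_probable_prime(n, rounds=16):
    """Miller-Rabin probable-prime test with bases drawn from the demo RNG."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime_group(bits=128):
    """Return (p, q, g): p = 2q + 1 with p, q prime and g generating the order-q subgroup."""
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q, 4  # 4 = 2^2 is a square mod p, hence has order q


P, Q, G = safe_prime_group()


def keygen():
    """One ring member: secret scalar x and public key y = g^x mod p."""
    x = rng.randrange(1, Q)
    return x, pow(G, x, P)


def _ring_digest(ring):
    """Hash the whole ring once so each challenge binds to the full member list."""
    return hashlib.sha256(b"".join(y.to_bytes(32, "big") for y in ring)).digest()


def _challenge(message, ring_digest, point):
    """Fiat-Shamir challenge c = H(message || ring || commitment) mod q."""
    h = hashlib.sha256(message + ring_digest + point.to_bytes(32, "big"))
    return int.from_bytes(h.digest(), "big") % Q


def ring_sign(message, ring, signer_index, x):
    """Sign with secret x for ring[signer_index]; returns (c_0, [s_0 .. s_{n-1}]).

    The signature is n + 1 scalars, so it grows linearly with the ring size.
    """
    n = len(ring)
    assert pow(G, x, P) == ring[signer_index], "secret key does not match ring slot"
    rd = _ring_digest(ring)
    c, s = [0] * n, [0] * n
    k = rng.randrange(1, Q)                             # one-time nonce
    c[(signer_index + 1) % n] = _challenge(message, rd, pow(G, k, P))
    i = (signer_index + 1) % n
    while i != signer_index:                           # walk the decoys with random s_i
        s[i] = rng.randrange(1, Q)
        point = pow(G, s[i], P) * pow(ring[i], c[i], P) % P
        c[(i + 1) % n] = _challenge(message, rd, point)
        i = (i + 1) % n
    s[signer_index] = (k - c[signer_index] * x) % Q    # close the ring at the real signer
    return c[0], s


def ring_verify(message, ring, signature):
    """Recompute the challenge chain from c_0; accept iff it closes back on c_0."""
    c0, s = signature
    if not ring or len(s) != len(ring):
        return False
    rd = _ring_digest(ring)
    c = c0
    for y, s_i in zip(ring, s):
        c = _challenge(message, rd, pow(G, s_i, P) * pow(y, c, P) % P)
    return c == c0


def demo(ring_size=11):
    """Sign with one real key hidden among ring_size - 1 decoys (11 = Monero's 1 + 10)."""
    keys = [keygen() for _ in range(ring_size)]
    ring = [y for _, y in keys]
    signer = rng.randrange(ring_size)
    msg = b"constructed demo transaction"
    sig = ring_sign(msg, ring, signer, keys[signer][0])
    return {
        "verifies": ring_verify(msg, ring, sig),
        "tampered_verifies": ring_verify(b"different transaction", ring, sig),
        "scalars_in_signature": 1 + len(sig[1]),       # n + 1, linear in n
    }


if __name__ == "__main__":
    for n in (11, 512):
        print(f"ring size {n}: {demo(n)}")
```

Running the demo at ring sizes 11 and 512 shows the signature growing from 12 to 513 scalars, while each verification still performs two modular exponentiations per ring member, which is the linear verification cost the paragraph above describes.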
In a Reddit thread, MRL member Sarang Noether theorized that verification time would amount to about 45 ms for a standard Monero transaction with 511 decoys. According to preliminary tests, this is comparable to verification times currently implemented in Monero — while increasing the number of decoys by an order of magnitude.
Nevertheless, Triptych is a preprint that has yet to undergo peer review. When asked by Cointelegraph about a possible timetable for its live implementation, Noether replied:
“I can’t reasonably speculate on the likelihood of projects implementing Triptych, since it’s still early work that has not undergone any formal review.”
Noether has also teased an even better version of Triptych that “would allow for signing with multiple keys in the same proof, while also directly including a balance test, leading to even smaller overall transactions.” However, this new approach requires more research due to roadblocks posed by unspecified technical questions.
Ongoing Work to Increase Anonymity
Monero’s small ring sizes have often been a target of criticism by the community, starting with a 2017 paper claiming that some transactions can be fully de-anonymized. The practice of churning — sending transactions to oneself — is recommended within the Monero community to increase privacy.
Research efforts in this direction have produced solutions such as Lelantus, Omniring and RingCT 3.0. Though Noether highlighted that all of these options feature different tradeoffs and security models, he emphasized the importance of this work:
“Being able to increase the size of the input anonymity set in a big way would be a great step in the right direction.”
Update Jan. 8, 18:00 UTC: This article has been revised with correct decoy numbers and verification times.