Skip to main content

Verifiable Timed Linkable Ring Signatures for Scalable Payments for Monero

  • 958 Accesses

Part of the Lecture Notes in Computer Science book series (LNCS,volume 13555)


Decentralized cryptocurrencies still suffer from three interrelated weaknesses: Low transaction rates, high transaction fees, and long confirmation times. Payment Channels promise to be a solution to these issues, and many constructions for cryptocurrencies, such as Bitcoin and Ethereuem, are known. Somewhat surprisingly, no solution is known for Monero, the largest privacy-preserving cryptocurrency, without requiring system-wide changes like a hard-fork of its blockchain like prior solutions.

In this work, we close this gap for Monero by presenting the first provably secure payment channel protocol that is fully compatible with Monero’s transaction scheme. Notably, the payment channel related transactions are identical to standard transactions in Monero, therefore not hampering the coins’ fungibility. With standard techniques, our payment channels can be extended to support atomic swap of tokens in Monero with tokens of several other major currencies like Bitcoin, Ethereum, Ripple, etc., in a fungible and privacy-preserving manner.

Our main technical contribution is a new cryptographic tool called verifiable timed linkable ring signatures (VTLRS), where linkable ring signatures can be hidden for a pre-determined amount of time in a verifiable way. We present a practically efficient construction of VTLRS which is fully compatible with the transaction scheme of Monero, and allows for users to make timed payments to the future which might be of independent interest to develop other applications on Monero.

Our implementation results show that even with high network latency and with a single CPU core, two regular users can perform up to 93500 payments over 2 min (the block production rate of Monero). This is approximately five orders of magnitude improvement over the current payment rate of Monero.


  • Timed signatures
  • Time-lock puzzles
  • Payment channels

This is a preview of subscription content, access via your institution.

Buying options

USD   29.95
Price excludes VAT (USA)
  • DOI: 10.1007/978-3-031-17146-8_23
  • Chapter length: 20 pages
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
USD   89.00
Price excludes VAT (USA)
  • ISBN: 978-3-031-17146-8
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
Softcover Book
USD   119.99
Price excludes VAT (USA)
Fig. 1.
Fig. 2.
Fig. 3.
Fig. 4.


  1. 1.

    Fungibility is a property of a currency whereby two units can be substituted in place of one another: no coins are special irrespective of transactions acting on them.

  2. 2.

    A Monero transaction is based on RingCT [20] which additionally consists of commitments to hide the amounts and range proofs to prove that they are well-formed.

  3. 3.

    This assumption can be relaxed with the use of confidential transactions [25] where an account’s associated amount is hidden using commitments.






  5. Lightning Network.

  6. Payment Channels in Ripple.

  7. Raiden Network.

  8. curve25519-dalek (2019).

  9. Arcieri, T., de Valence, H., Lovecruft, I.: The ristretto group (2019).

  10. Aumayr, L., Thyagarajan, S.A., Malavolta, G., Monero-Sánchez, P., Maffei, M.: Sleepy channels: bitcoin-compatible bi-directional payment channels without watchtowers (2021). (To Appear at ACM CCS 2022)

    Google Scholar 

  11. Ben-Sasson, E., et al.: Zerocash: decentralized anonymous payments from bitcoin. In: 2014 S &P, pp. 459–474. IEEE (2014).

  12. Camenisch, J., Stadler, M.: Proof systems for general statements about discrete logarithms. Technical report/Department of Computer Science, ETH Zürich 260 (1997)

    Google Scholar 

  13. De Santis, A., Micali, S., Persiano, G.: Non-interactive zero-knowledge proof systems. In: Pomerance, C. (ed.) CRYPTO 1987. LNCS, vol. 293, pp. 52–72. Springer, Heidelberg (1988).

  14. Dziembowski, S., Eckey, L., Faust, S., Malinowski, D.: Perun: virtual payment hubs over cryptocurrencies. In: 2019 S &P, pp. 106–123. IEEE (2019).

  15. Egger, C., Moreno-Sanchez, P., Maffei, M.: Atomic multi-channel updates with constant collateral in bitcoin-compatible payment-channel networks. In: ACM CCS 2019, pp. 801–815. ACM Press (2019).

  16. Fiat, A., Shamir, A.: How to prove yourself: Practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194 (1987).

  17. Gennaro, R., Gentry, C., Parno, B., Raykova, M.: Quadratic span programs and succinct NIZKs without PCPs. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 626–645. Springer, Heidelberg (2013).

  18. Green, M., Miers, I.: Bolt: anonymous payment channels for decentralized currencies. In: ACM CCS 2017, pp. 473–489. ACM Press (2017).

  19. Gugger, J.: Bitcoin-monero cross-chain atomic swap. Cryptology ePrint Archive, Report 2020/1126 (2020).

  20. Lai, R.W.F., Ronge, V., Ruffing, T., Schröder, D., Thyagarajan, S.A.K., Wang, J.: Omniring: scaling private payments without trusted setup. In: ACM CCS 2019, pp. 31–48. ACM Press (2019).

  21. Liu, J.K., Wei, V.K., Wong, D.S.: Linkable spontaneous anonymous group signature for Ad Hoc groups. In: Wang, H., Pieprzyk, J., Varadharajan, V. (eds.) ACISP 2004. LNCS, vol. 3108, pp. 325–335. Springer, Heidelberg (2004).

  22. Malavolta, G., Moreno-Sanchez, P., Kate, A., Maffei, M., Ravi, S.: Concurrency and privacy with payment-channel networks. In: ACM CCS 2017, pp. 455–471. ACM Press (2017).

  23. Malavolta, G., Moreno-Sanchez, P., Schneidewind, C., Kate, A., Maffei, M.: Anonymous multi-hop locks for blockchain scalability and interoperability. In: NDSS 2019. ISOC (2019)

    Google Scholar 

  24. Malavolta, G., Thyagarajan, S.A.K.: Homomorphic time-lock puzzles and applications. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11692, pp. 620–649. Springer, Cham (2019).

  25. Maxwell, G.: Confidential transactions (2015).

  26. Moreno-Sanchez, P., Le, D.V., Noether, S., Goodell, B., Kate, A.: Dlsag: non-interactive refund transactions for interoperable payment channels in Monero. Tech. rep., Cryptology ePrint Archive, Report 2019/595 (2019)

    Google Scholar 

  27. Poon, J., Dryja, T.: The bitcoin lightning network: Scalable off-chain instant payments (2016)

    Google Scholar 

  28. Rivest, R.L., Shamir, A., Wagner, D.A.: Time-lock puzzles and timed-release crypto. Tech. rep. (1996)

    Google Scholar 

  29. Rivest, R.L., Shamir, A., Tauman, Y.: How to leak a secret. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 552–565. Springer, Heidelberg (2001).

  30. van Saberhagen, N.: Cryptonote v 2.0 (2013)

    Google Scholar 

  31. Shamir, A.: How to share a secret. Commun. ACM 22(11), 612–613 (1979)

    CrossRef  MathSciNet  Google Scholar 

  32. Thyagarajan, S.A.K., Bhat, A., Malavolta, G., Döttling, N., Kate, A., Schröder, D.: Verifiable Timed Signatures Made Practical, CCS 2020. Association for Computing Machinery (2020)

    Google Scholar 

  33. Thyagarajan, S.A.K., Castagnos, G., Laguillaumie, F., Malavolta, G.: Efficient CCA Timed Commitments in Class Groups. ACM CCS (2021)

    Google Scholar 

  34. Thyagarajan, S.A.K., Gong, T., Bhat, A., Kate, A., Schröder, D.: Opensquare: Decentralized Repeated Modular Squaring Service, CCS 2021 (2021)

    Google Scholar 

  35. Thyagarajan, S.A.K., Malavolta, G., Schmidt, F., Schröder, D.: Paymo: payment channels for monero. Cryptology ePrint Archive, Report 2020/1441 (2020)

    Google Scholar 

  36. Yuen, T.H., et al.: RingCT 3.0 for blockchain confidential transaction: shorter size and stronger security. Cryptology ePrint Archive, Report 2019/508 (2019).

Download references


The work was in part supported by THE DAVID AND LUCILLE PACKARD FOUNDATION - Award #202071730, SRI INTERNATIONAL - Award #53978 / Prime: DEFENSE ADVANCED RESEARCH PROJECTS AGENCY - Award #HR00110C0086 and NATIONAL SCIENCE FOUNDATION - Award #2212746. This work is also partially supported by Deutsche Forschungsgemeinschaft (DFG, German Research Foundation) as part of the Research and Training Group 2475 “Cybercrime and Forensic Computing” (grant number 393541319/GRK2475/1-2019), and by the grant 442893093, and by the state of Bavaria at the Nuremberg Campus of Technology (NCT). NCT is a research cooperation between the Friedrich-Alexander-Universität Erlangen-Nürnberg (FAU) and the Technische Hochschule Nürnberg Georg Simon Ohm (THN).

Author information

Authors and Affiliations


Corresponding author

Correspondence to Sri AravindaKrishnan Thyagarajan .

Editor information

Editors and Affiliations


A APreliminaries

Time-Lock Puzzles. Time-lock puzzles [28] allow one to conceal a secret for a certain amount of time \(\textbf{T}\). Homomorphic Time-Lock Puzzles (HTLPs) [24] allow one to perform homomorphic computation on honestly generated puzzles. It consists of a setup algorithm (\(\textsf{PSetup}\)), that takes as input a time hardness parameter \(\textbf{T}\) and outputs public parameters of the system \( pp \), a puzzle generation algorithm \((\textsf{PGen})\) that, on input a message, generates the corresponding puzzle. One can then evaluate homomorphically functions over encrypted messages (\(\textsf{PEval}\)) and solve the resulting puzzle in time \(\textbf{T}\) (\(\textsf{PSolve}\)). The security requirement is that for every PRAM adversary \(\mathcal {A}\) of running time \(\le \textbf{T}^\varepsilon (\lambda )\) the messages encrypted are computationally hidden. Malavolta and Thyagarajan [24] show an efficient construction that is linearly homomorphic over the ring \(\mathbb {Z}_{N^s}\), where N is an RSA modulus and s is any positive integer. The scheme is perfectly correct and is secure under the sequential squaring assumption [28].

Non-interactive Zero-Knowledge. Let \(R:\{ 0,1\}^{*}\times \{ 0,1\}^{*}\rightarrow \{ 0,1\}\) be an \(\textsf{NP}\) relation with corresponding \(\textsf{NP}\)-language \(\mathcal {L}:= \{ stmt :\exists w \ { s.t.}\ R( stmt , w ) = 1\}\). A non-interactive zero-knowledge proof (NIZK) [13] system for \(\mathcal {L} \) is initialized with a setup algorithm \(\textsf{Setup} (1^\lambda )\) that outputs a common reference string \( crs \). A prover can show the validity of a statement \( stmt \) with a witness \( w \) by invoking \(\mathcal {P} _{\textsf{NIZK},\mathcal {L}}( crs , stmt , w )\), which outputs a proof \(\pi \). The proof \(\pi \) can be efficiently checked by the verification algorithm \(\mathcal {V} _{\textsf{NIZK},\mathcal {L}}( crs , stmt ,\pi )\). A NIZK proof for language \(\mathcal {L} \) is simulation extractable if one can extract a valid \( w \) from adversarially generated proofs, even if the adversary sees arbitrarily many simulated proofs. A NIZK must also be zero knowledge in the sense that nothing beyond the validity of the statement is leaked to the verifier.

Threshold Secret Sharing. Secret sharing is a method of creating shares of a given secret and later reconstructing the secret itself only if given a threshold number of shares. Shamir [31] proposed a threshold secret sharing scheme where the sharing algorithm takes a secret \(s\in \mathbb {Z}_q\) and generates shares \((s_1,\ldots ,s_n)\) each in \(\mathbb {Z}_q\). The reconstruction algorithm takes as input at least t shares and outputs a secret s. The security demands that knowing only a set of shares smaller than the threshold size does notreveal any information about s.

B BTransaction Scheme of Monero

We review the basic definitions of Linkable Ring Signatures (LRS) following Lai et al. [20]. In contrast to their work, our definitions do not consider the “confidential transaction” part, and only focus on the signature of the transaction scheme, for conceptual simplicity.

1.1 A.1 B.1Definition

A ring signature [29] scheme allows to sign messages such that the signer is anonymous within a set a possible signers, called the ring. The members associated to the ring are chosen “on-the-fly” by the signer using their public-keys. Linkability [21] means that anonymity is retained unless the same user signing key is used to sign twice. This is achieved by associating a unique linkability tag to each signing key that is revealed while generating a signature.

In a transaction scheme, we have a block of data referred to as a transaction, that determines the amount of coins transferred from one user address (source) to another user address (target) and it is accompanied by an authentication token (signature) of the sending user. Since the sending user is represented through the source address in the transaction, the signature is checked for validity with respect to the source account. Combining linkable ring signatures and a transaction scheme, we have a linkable ring signature based transaction scheme (LRS-TS), where the message signed is the transaction which consists of: A ring of addresses (LRS public keys) and their associated coins (out of which one of the addresses is the source account), and one or more target addresses. The authentication token of the transaction is a linkable ring signature on the transaction (as message), with the ring of addresses as the ring, and the secret authentication key of the source address as the signing key of the linkable ring signature scheme. To prevent leakage of the source address it is assumed that each address in the ring of addresses have the same amount of associated coinsFootnote 3.

Definition 4

A Linkable Ring Signature (LRS) transaction scheme \(\varSigma \) consists of the \(\textsf{PPT}\) algorithms \((\textsf{Setup}, \textsf{OTKGen}, \textsf{TgGen}, \textsf{Spend}, \textsf{Vf})\) which are defined as follows:

\(\underline{ pp \leftarrow \textsf{Setup} (1^\lambda )\textit{:}}\) outputs the public parameter \( pp \).

\(\underline{( pk , sk ) \leftarrow \textsf{OTKGen} ( pp )\textit{:}}\) The one-time key generation algorithm outputs a public-secret key-pair \(( pk , sk )\).

\(\underline{ tag \leftarrow \textsf{TgGen} ( sk )\textit{:}}\) The tag-generation algorithm takes as input a secret key \( sk \). It outputs a tag \( tag \).

\(\underline{( tx , \sigma ) \leftarrow \textsf{Spend}(\mathcal {R},\mathcal {I},\mathcal {O},\mu )\textit{:}}\) The spend algorithm takes as input a set \(\mathcal {R}\) of public keys with each key associated with c coins, a tuple \(I= (j, sk , tag )\) consisting of an index j, a secret key \( sk \), and a tag \( tag \), a set \(\mathcal {O} \) consisting of target public keys and some metadata \(\mu \). It outputs a transaction \( tx := \left( \mathcal {R}, tag , \mathcal {O}, \mu \right) \) and a signature \(\sigma \).

\(\underline{b \leftarrow \textsf{Vf}( tx , \sigma )\textit{:}}\) The verify algorithm inputs a transaction \( tx \) and a signature \(\sigma \). It outputs a bit b denoting the validity of \(\sigma \).

Security. We have three properties of LRS-TS, namely (1) Privacy: LRS-TS should ensure privacy of the source account, meaning an adversarial observer on the blockchain should not learn any information about the source address from a transaction other than the fact that it is a member of the ring of one-time addresses, (2) Non-Slanderability (Unforgeability): LRS-TS must ensure that an adversarial user cannot steal the coins of an honest user (unforgeability) or spend coins on behalf of an honest user (non-slanderability), and (3) Linkability: LRS-TS must ensure that an adversary cannot double spend his coins and any such attempts must be linkable. We refer the reader to [35] for the formal definitions.

Rights and permissions

Reprints and Permissions

Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Verify currency and authenticity via CrossMark

Cite this paper

Thyagarajan, S.A., Malavolta, G., Schmid, F., Schröder, D. (2022). Verifiable Timed Linkable Ring Signatures for Scalable Payments for Monero. In: Atluri, V., Di Pietro, R., Jensen, C.D., Meng, W. (eds) Computer Security – ESORICS 2022. ESORICS 2022. Lecture Notes in Computer Science, vol 13555. Springer, Cham.

Download citation

  • DOI:

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-17145-1

  • Online ISBN: 978-3-031-17146-8

  • eBook Packages: Computer ScienceComputer Science (R0)