Help in understanding the construction of a multi input transaction, and a monero coinjoin transaction.

I would like help or reassurance that I understand these aspects about monero.

Let’s say I have a subaddress that has received 1 XMR, and another subaddress that has received 5 XMR.

I spend all 6 XMR in the same transaction.

How does this work?
As I understand it, each subaddress effectively has its own private key for themselves, which are derived from the master private key, and both of them would need to sign the same transaction/ring signature?

Say I wanted to create a coinjoin, two separate people participating in the creation of the same transaction but with their own private keys: could this be done without either party revealing their private keys to one another, and ensure both sends their coins if the transaction is included in a block?

If I understand monero correctly, it could be done like this:

1. Alice provides a list of 4 decoy outputs + their actual output which holds 1 XMR
2. Bob provides a list of 5 decoy outputs + their actual output which holds 5 XMR?

This creates a ring signature of 9 decoy outputs and 2 outputs that actually correspond to Alice and Bob’s output and subsequent private keys.

Once this ring signature is generated, bob signs it and sends it to Alice, who also signs it. It is submitted to the network to send funds from both Alice and bobs wallets.

However: what would stop the partially signed transaction from being submitted and being valid so that only bobs and not Alice’s transactions sends?

Would it be the range proof? I.e the transaction would only be valid if the amount of monero is equal to 6 XMR?.

What do you think?

10 Points
Upvote Downvote

Leave a Reply

Your email address will not be published. Required fields are marked *

GIPHY App Key not set. Please check settings


  1. Coinjoins don’t exist in Monero. Coinjoins are an *active* process, where member interaction/participation is required; and you actively mix various outputs together in an onchain transaction, and then create new outputs afterwards in another onchain transaction.

    Ring signatures with decoy inputs is what Monero uses. It doesn’t require the interaction or participation of anyone else. The sender of a specific output is the only one required; and they select 10 other outputs as decoys. Those decoy outputs never actually move; but any onlooker is unable to tell which was the actually selected output, and which were the decoys.

    On to your next question about multiple output selection …

    First of all, it sounds like you might have some confustion regarding the difference between an output and a subaddress. Each output on the Monero blockchain is unique, and never duplicated. Even if you give the same subaddress to multiple people, when they send a transaction, the output address will be different every time. No one except for you and the person who sent the specific transaction will know that output is associated with that subaddress. These are called *One Time Stealth Addresses*.

    Next: If you need to use two unspent outputs in your wallet (in order to reach the required amount for your transaction); it requires two separate ring signatures, each of which will be included in the transaction. For example, you have unspent_output_A with 1 XMR, and unspent_output_B with 5 XMR. Your transaction will look like this:

    [unspent_output_A + 10 decoys] + [encrypted amount of 1 XMR] + [Signature] +
    [unspent_output_B + 10 decoys] + [encrypted amount of 5 XMR] + [Signature] ==
    == [new_output with encrypted amount of 6 XMR] + [change_output with encrypted amount of 0 XMR]

    Notice that you always get a change output, even if there is no change to receive back. This is a privacy measure to ensure there’s always at least 2 outputs for every transaction.

    Hopefully that makes sense. If you require more unspent outputs to reach the amount you’re trying to send, then the wallet will grab other unspent outputs; and create a separate ring signature for each one. This is all bundled together as a single transaction. Everything must be valid, or the entire transaction is rejected.

    Please read the Mastering Monero book, and perform additional searches if you want even more details on the nuts and bolts. All of this information is publicly available on youtube, books, and elsewhere.

D000M | Token for The End Times | Join The Rocket to Uranus 🚀 | This is your Chance DXSALE starts Friday | NFT INCLUDED WITH PRESALE

HOW TO TRADE CRYPTO: Chart Settings, Indicators, Orderbook & TA!