DERO Payload Proofs: Privacy That Actually Works
Privacy Success: Only YOU (with your private keys) can prove you sent a transaction. Third parties can only make guesses - exactly as designed for maximum privacy!
Why DERO Privacy Works
DERO uses ring signatures to provide class-leading transaction privacy. When you send a transaction, your real output is hidden among 2-128 decoy outputs. This creates plausible deniability: observers cannot determine who actually sent the transaction.
This is a feature, not a bug. If third parties could easily prove who sent what, privacy would be broken.
How This Compares to Other Privacy Coins
| Feature | DERO | Zcash (Shielded) | Bitcoin/Ethereum |
|---|---|---|---|
| Ring Signatures | β 2-128 members | β No rings | β No privacy |
| Third-party Proof | β Ambiguous (private) | β Transparent (viewkeys) | β Fully public |
| Explorer Verification | β οΈ Probabilistic | β Exact (less private) | β Exact (no privacy) |
| Sender Privacy | β Maximum | π‘ Opt-in viewkeys | β None |
DERO's privacy model: Third parties cannot definitively prove who sent a transaction. This is the entire point of privacy technology!
Two Proof Types (Standard in Privacy Blockchains)
| Proof Type | What It Does | Security Level |
|---|---|---|
| Transaction Proof | Validates blockchain consensus | π Cryptographically secure |
| Payload Proof | Shows metadata (amount, recipient) | β οΈ Convenience only, not cryptographic |
Important: Explorers show payload proofs (convenience), not transaction proofs (cryptographic). This is standard across all privacy blockchains with ring signatures.
Two Proof Types
| Feature | Transaction Proofs | Payload Proofs |
|---|---|---|
| Verified By | All network nodes | Explorer software only |
| Security | Cryptographically secure | Math consistency only |
| Can Be Faked? | β No | β οΈ Yes |
| Checks | Bulletproofs, range proofs, signatures | Commitment matching |
| Purpose | Blockchain consensus | Display convenience |
| Shows | Transaction validity | Amounts, addresses, comments |
| Trust Level | Trustless | User-provided data |
For Certainty: Use your wallet with private keys. Payload proofs are convenience tools, not cryptographic guarantees.
How It Works
What this proves:
- β Address is in ring
- β Math is consistent
- β NOT that this address sent the transaction
How Ring Signatures Protect Privacy
Ring signatures hide the real sender among decoys (2-128 addresses)
All ring members use identical commitment structures with the same amount. This is mathematically required for privacy - if different amounts were visible, you could identify the sender.
Mathematical Privacy:
C[0] = (amount Γ G) + address[0]
C[1] = (amount Γ G) + address[1]
...
C[k] = (amount Γ G) + address[k] β Same amount for ALLResult: Plausible deniability for all ring members. This is how privacy works - ambiguity protects identity in all ring-signature-based privacy systems.
Technical Note: When an address is included as a ring member (decoy), its encrypted balance changes due to homomorphic operations, even though the address performed no actions. This is cryptographically required behavior - all ring members' encrypted balances participate in the transaction. Observing encrypted balance changes alone cannot identify the real sender, as this happens for all ring members by design.
Learn more: Ring Signatures - Encrypted Balance Changes
Recognizing Authentic Transaction Metadata
Real senders typically include encrypted metadata (destination address, comment, amount). This helps wallets display transaction history.
| Indicator | Authentic Sender | Ring Decoy |
|---|---|---|
| Payload | Encrypted data (random bytes) | Often empty or sparse |
| Decoded | Valid encrypted structure | Minimal data |
| Comment | Encrypted message | Usually absent |
| Metadata | Complete fields | Partial fields |
Note: This is an observation, not a guarantee. Privacy systems require uncertainty - that's the entire point.
What Explorers Can and Cannot Show
This applies to ALL privacy blockchains that use ring signatures
| Check Type | Explorer CAN Verify | Explorer CANNOT Verify (Privacy Protection) |
|---|---|---|
| Ring Membership | β Address is in the ring | β Which address actually sent (privacy!) |
| Math Consistency | β Commitment calculations | β Cryptographic proof of specific sender |
| Transaction Validity | β Transaction is on-chain | β Which ring member is real |
| Amount Bounds | β Amount is reasonable | β Proof cannot be for another member |
Why this is correct: Privacy requires plausible deniability. If explorers could prove the exact sender, ring signatures would be useless.
Why Payload Proofs Can Be Faked
Payload Proofs Are Wallet-Level Tools
Key Distinction:
| Proof Type | Scope | Validation | Can Be Faked? |
|---|---|---|---|
| Transaction Proof | Blockchain consensus | Cryptographic verification by all nodes | β No |
| Payload Proof | Explorer display | Math consistency check only | β οΈ Yes |
Why Payload Proofs Can Be Faked:
-
User-Provided Data
- Payload proofs contain user-submitted metadata
- Not cryptographically bound to transaction
- Anyone can create matching proof for any ring member
-
Math Consistency Only
- Explorer verifies:
commitment = amount Γ G + address - Does NOT verify: This address was the actual sender
- Any ring member can generate matching proof
- Explorer verifies:
-
No Cryptographic Binding
- Payload proofs are separate from transaction proofs
- They don't affect blockchain consensus
- Fake proofs don't invalidate transactions
From Source Code (proof/proof.go:34-149, cmd/explorer/explorerlib/explorerlib.go:689):
The payload proof system is designed for convenience and display, not cryptographic verification. The explorer checks if the proof's commitment matches any ring member's commitment, but this doesn't prove the sender identity.
Code Evidence:
// proof/proof.go:98-104
// Calculate commitment: x = amount Γ G + address
x.ScalarMult(crypto.G, new(big.Int).SetUint64(amount))
x.Add(new(bn256.G1).Set(&x), addr.PublicKey.G1())
// Check if commitment matches ANY ring member
if x.String() == tx.Payloads[t].Statement.C[k].String() {
// Proof "verified" - but this only proves math consistency, not sender identity
}Explorer Call (cmd/explorer/explorerlib/explorerlib.go:689):
addresses, amounts, raw, decoded, err := proof.Prove(tx_proof, info.Hex, info.Ring, mainnet)Why This Design is Correct:
- β If explorers could prove exact senders, ring signatures would be useless
- β Allows users to verify their own transactions
- β Users can generate proofs for any ring member (privacy feature)
- β All ring-signature privacy coins work this way
For Real Verification:
- Use your wallet with private keys (only you can prove you sent)
- Transaction proofs are cryptographically secure (network consensus)
- Payload proofs are convenience tools (explorer display)
Best Practices
For Users:
- β Certainty: Check YOUR wallet with private keys
- β Convenience: Use payload proofs for general verification
- β οΈ Understand: Explorers show possibilities, not proof of sender
For Developers:
- π Educate: Explain transaction vs payload proofs
- π Privacy First: Don't promise definitive sender identification
- β Standard Practice: Ring signature privacy requires plausible deniability
Technical Deep Dive
Why All Ring Members Use Same Amount
Privacy Requirement:
If different ring members showed different amounts:
β You could identify sender by amount
β Privacy would be broken
β Ring signature would be useless
Therefore, ALL commitments use same amount:
C[k] = (amount * G) + address[k]_pubkey
Same amount for ALL k (0 through 15)Result: Cannot identify sender by commitment inspection
Trade-off: Any ring member can generate "valid" proof
DERO's Privacy-First Design Choice
Privacy blockchains make a fundamental choice:
| Approach | Benefits | Trade-offs | Used By |
|---|---|---|---|
| Maximum Privacy | Complete sender anonymity | Third parties use own wallets to verify | DERO |
| Optional Privacy | User controls disclosure | Privacy only if used correctly | Zcash |
| Public Ledger | Full transparency | No privacy | Bitcoin, Ethereum |
DERO's Choice: Maximum privacy by default β
Why this matters: Privacy coins protect users from surveillance, financial tracking, and targeted attacks. Ambiguous proof verification is proof that privacy works.
The Bottom Line
DERO delivers real privacy:
β
Your transactions are private - Only you can prove what you sent
β
Industry-standard technology - Ring signatures proven in cryptography research
β
Mathematically secure - Homomorphic encryption + bulletproofs
β
Working as designed - Ambiguous proofs = successful privacy
Privacy through plausible deniability: Observers see possibilities, not certainties. This is mathematically enforced and prevents mass surveillance.
Comparison: Bitcoin/Ethereum explorers show exact senders (zero privacy). DERO explorers show possibilities (maximum privacy). You choose which model you prefer.
Related Pages
Privacy Features:
- Transaction Privacy - How transactions stay private
- Homomorphic Encryption - Why balances are encrypted
- Ring Signatures - Sender anonymity
Use Cases:
- DERO Tokens - Prove token transfers
- Private Smart Contracts - Prove SC interactions
For Developers:
- Wallet RPC API - Generate payload proofs
- Daemon RPC API - Verify proofs on-chain