FCMP++ explained — the privacy upgrade replacing Monero's ring signatures

For a decade Monero's on-chain privacy floor has been ring signatures: every spend hides among 15 decoy outputs picked from the chain, so an observer faces 1-in-16 odds of guessing the real one. FCMP++ retires that scheme — anonymity set jumps from 16 to every spendable output that exists. This is the biggest privacy upgrade since RingCT, and the protocol-level engineering is being staged through 2026. Here's what FCMP++ is, what changes for you, and what doesn't.

Quick answer

FCMP++ replaces Monero's 16-decoy ring signature with a single zero-knowledge proof that says "the output I'm spending is somewhere in this huge set", where the set is every spendable output on chain. Nothing visible changes for normal users — same wallets, same UX, same XMR. Under the hood, the anonymity set grows from 16 to tens of millions, and several long-standing decoy-selection attacks stop working entirely.

Why decoy rings needed retiring

Ring signatures were a clever 2016-era trick: hide your real spend among decoys, force the verifier to accept any of them as plausible. The catch is that decoy selection is heuristic — wallets pick decoys based on chain age, recency curves, and other signals. Researchers have demonstrated a chain of attacks that nudge the odds away from 1-in-16:

  • EAE (Eve-Alice-Eve) attacks — an exchange tracking your deposits and withdrawals can narrow the real spend by intersecting both ends of the trail.
  • Decoy-distribution mismatch — if your wallet picks decoys with a slightly different curve than the network norm, the real spend stands out statistically.
  • Newer-output bias — the real spend is statistically more likely to be the most recent output in the ring; chain-analysis vendors exploit this.

None of these break Monero individually, but they erode the 1-in-16 floor toward 1-in-4 or worse in adversarial conditions. The community has been raising ring size and refining decoy selection for years; FCMP++ is the structural fix.
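The erosion described above can be put in numbers with a toy model. This is an added example, not code from Monero or from the researchers mentioned; the exponential age model and the mean ages in days are constructed assumptions, not fitted to chain data. It measures how often the newest ring member is the real spend when decoys are drawn from the same age curve as real spends, and when they are drawn from an older one.

```python
import random

RING_SIZE = 16  # 1 real spend + 15 decoys, as described above

def simulated_hit_rate(real_mean, decoy_mean, trials=40000, seed=7):
    """Share of simulated rings in which the newest member is the real spend."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        real_age = rng.expovariate(1 / real_mean)
        newest_decoy = min(rng.expovariate(1 / decoy_mean)
                           for _ in range(RING_SIZE - 1))
        hits += real_age < newest_decoy
    return hits / trials

def exact_hit_rate(real_mean, decoy_mean):
    """Closed form for independent exponential ages:
    P(real is newest) = r / (r + 15 * d), with r and d the two rates."""
    real_rate, decoy_rate = 1 / real_mean, 1 / decoy_mean
    return real_rate / (real_rate + (RING_SIZE - 1) * decoy_rate)

def report():
    """(decoy mean age, hit rate, effective 1-in-N odds) per scenario."""
    rows = []
    for decoy_mean in (3.0, 6.0, 12.0):  # days; 3.0 matches the real-spend curve
        p = simulated_hit_rate(3.0, decoy_mean)
        rows.append((decoy_mean, p, 1 / p))
    return rows

if __name__ == "__main__":
    for decoy_mean, p, odds in report():
        print(f"decoy mean {decoy_mean:>4} d: newest member is real "
              f"{p:.3f} of the time (1-in-{odds:.1f})")
```

With matched curves the guess succeeds 1 time in 16; in this model, decoys four times older on average bring it to roughly 1 in 5.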

How FCMP++ actually works

FCMP stands for Full-Chain Membership Proof. Instead of selecting 15 decoys at random, the spender produces a single succinct zero-knowledge proof asserting "one output in this Merkle-tree-committed set is the one I have the spend key for". The set is a commitment to every spendable output on the Monero blockchain since the fork height.

The "++" denotes the specific construction Luke "kayabaNerve" Parker proposed in 2024 — a Bulletproof+-style proof system over an algebraic-group-action commitment scheme that's both verifier-fast and proof-compact enough to fit in a Monero block. Earlier full-chain proposals (Seraphis, Lelantus, RingCT-Spark variants) were either too large per-tx or too slow to verify; FCMP++ is the first proposal credibly cheap enough for mainnet.

The output you're spending stays cryptographically indistinguishable from the entire spendable set. There is no "ring size" anymore; the anonymity set IS the chain.
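To make the membership statement concrete, here is an added example (not Luke Parker's construction and not Monero code) of a plain Merkle membership check. It is not zero-knowledge: the path shown to the verifier identifies the leaf, which is the part FCMP++ keeps hidden inside the proof. SHA-256 and the `output-N` leaves are assumptions of the sketch.

```python
import hashlib

def h(tag: bytes, *parts: bytes) -> bytes:
    # Domain-separated SHA-256 (stand-in hash; an assumption of this sketch)
    return hashlib.sha256(tag + b"".join(parts)).digest()

def build_levels(outputs):
    """All tree levels, leaf hashes first, single-root level last."""
    level = [h(b"\x00", o) for o in outputs]
    levels = [level]
    while len(level) > 1:
        nxt = [h(b"\x01", level[i], level[i + 1])
               for i in range(0, len(level) - 1, 2)]
        if len(level) % 2:
            nxt.append(level[-1])  # unpaired node is promoted unchanged
        level = nxt
        levels.append(level)
    return levels

def prove(levels, index):
    """Sibling hashes from leaf to root, each with a sibling-is-left flag."""
    path = []
    for level in levels[:-1]:
        sibling = index ^ 1
        if sibling < len(level):
            path.append((level[sibling], sibling < index))
        index //= 2
    return path

def verify(root, output, path):
    """Recompute the root from one output and its sibling path."""
    node = h(b"\x00", output)
    for sibling, sibling_is_left in path:
        node = h(b"\x01", sibling, node) if sibling_is_left else h(b"\x01", node, sibling)
    return node == root

def path_length(set_size, index=5):
    # Constructed placeholder outputs, not real chain data
    outputs = [f"output-{i}".encode() for i in range(set_size)]
    levels = build_levels(outputs)
    path = prove(levels, index)
    assert verify(levels[-1][0], outputs[index], path)
    return len(path)

if __name__ == "__main__":
    for n in (16, 65536):
        print(f"set of {n:>6} outputs -> {path_length(n)} sibling hashes")
```

Growing the set from 16 members to 65,536 lengthens the path from 4 hashes to 16, which is why committing to a very large set with a tree stays cheap to check.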

What changes for normal users

Almost nothing visible. You'll still:

  • Open Cake / Feather / Monero GUI the same way
  • Generate the same kind of addresses + subaddresses
  • Pay the same fees (slightly lower at the margin — proofs are more compact)
  • Wait the same ~20 minutes for 10 confirmations

What you won't have to worry about anymore:

  • Wallet decoy-selection quality (the "is my wallet picking decoys correctly?" anxiety goes away — there are no decoys)
  • "Churning" — moving funds to yourself repeatedly to grow effective anonymity set. The set is already maximal.
  • Ring-size bumps tightening over time. FCMP++ doesn't have a ring size.

Carrot — the addressing upgrade riding along

FCMP++ ships alongside Carrot, a new addressing + scanning scheme. Carrot solves a separate problem. With view-only wallets as they currently work, an attacker who obtains your private view key can see all incoming transactions to your address. Carrot reworks the cryptography so that view-only wallets see incoming receives without holding a master key that would also unmask the entire account history.

Practical effect: handing your view key to a tax accountant, a developer integrating payment, or a watch-only mobile app stops being a one-way disclosure that lasts forever. Carrot view-keys can be scoped, rotated, and disclosed without forfeiting historical privacy.

Carrot also brings view tags — small per-transaction hints that let wallet scanning skip most of the chain. The result: sync times on slow devices drop significantly, especially for new wallets restoring from seed.

Under the hood (skip if not curious)

  • Proof size: ~2 KB per input (vs ~1.5 KB for current RingCT-Bulletproofs+). Per-tx overhead grows slightly.
  • Verification cost: faster per-input than current rings under batch verification. Nodes verify blocks quicker on net.
  • Wallet sync: Carrot's view-tags let scanning skip ~95% of outputs. Restoring a 5-year-old wallet from seed will get noticeably faster on phones.
  • Pruned-node compatibility: retained — the Merkle commitment is small relative to chain data.
  • Hardfork-only deployment: there is no "soft" FCMP++ — every node must upgrade at fork height.

Timeline (moving target — last reviewed 2026-05-18)

FCMP++ is in active engineering, not yet on testnet at the time of writing. Best public-source estimates from Luke Parker and the Monero Research Lab:

  • 2026 Q2-Q3: reference implementation + testnet
  • 2026 Q4 / 2027 Q1: mainnet hard fork — earliest plausible window
  • Carrot: typically bundled with the same fork (separate code path, same release)

Dates have moved before. The MRL Issues tracker is the canonical authority. Watch monero-project/research-lab + the monero core repo for the engineering milestones.

What to do right now

  • Nothing urgent. Your XMR will fork through automatically. Wallets do the migration; you don't handle keys differently.
  • Track your wallet's changelog as the fork approaches — Feather, Cake, Monerujo and the Monero GUI will all flag the FCMP++/Carrot release. Update before the fork height, not after.
  • If you publish a view key (donation addresses, business view-only access), expect to need to refresh it post-Carrot. Plan the refresh as a one-time chore, not an emergency.
  • Don't pre-emptively churn. Once FCMP++ activates, the anonymity set is already at its maximum. Whether you spend pre-fork or post-fork, the privacy is the same after the upgrade.

Where this fits in the wider privacy-tech landscape

Other privacy chains take different routes: Zcash uses zk-SNARKs (smaller proofs, opt-in privacy, trusted setup), Mimblewimble chains (Beam, Grin) use a different commitment model, Bitcoin's CoinJoin family is opt-in mixing on top of a transparent chain, Lelantus-Spark (Firo) is a Monero-style ZK approach with a different proof system. FCMP++ is Monero saying "we're not switching to zk-SNARKs or trusted-setup territory — we're scaling the existing privacy-by-default model to the largest possible anonymity set". See FCMP++ vs other privacy tech for the side-by-side.

Authority

FCMP++ is primarily the work of Luke "kayabaNerve" Parker, with peer review from the Monero Research Lab. This explainer is xmr.club's plain-language take; if you're looking for the canonical sources, start with:

xmr.club doesn't replace any of these as a cryptography source. We're here to translate research into "what does this mean for someone holding Monero this year". For the math, follow Luke's posts.