# FCMP++ explained — the privacy upgrade replacing Monero's ring signatures

> Plain-language explainer of FCMP++ (Full-Chain Membership Proofs Plus Plus): the proposed Monero protocol upgrade that retires the 16-decoy ring and replaces it with a zero-knowledge proof over every spendable output on chain.

Canonical URL: https://xmr.club/guides/fcmp-plus-plus-explained
Locales: https://xmr.club/llm/guides/fcmp-plus-plus-explained.txt · https://xmr.club/zh/llm/guides/fcmp-plus-plus-explained.txt · https://xmr.club/es/llm/guides/fcmp-plus-plus-explained.txt · https://xmr.club/ru/llm/guides/fcmp-plus-plus-explained.txt

## Overview

For a decade Monero's on-chain privacy floor has been ring signatures: every spend hides among 15 decoy outputs picked from the chain, so an observer faces 1-in-16 odds of guessing the real one. FCMP++ retires that scheme — anonymity set jumps from 16 to every spendable output that exists. This is the biggest privacy upgrade since RingCT, and the protocol-level engineering is being staged through 2026. Here's what FCMP++ is, what changes for you, and what doesn't.

## Body

Quick answer FCMP++ replaces Monero's 16-decoy ring signature with a single zero-knowledge proof that says "the output I'm spending is somewhere in this huge set" , where the set is every spendable output on chain. Nothing visible changes for normal users — same wallets, same UX, same XMR. Under the hood, the anonymity set grows from 16 to tens of millions, and several long-standing decoy-selection attacks stop working entirely. Why decoy rings needed retiring Ring signatures were a clever 2016-era trick: hide your real spend among decoys, force the verifier to accept any of them as plausible. The catch is that decoy selection is heuristic — wallets pick decoys based on chain age, recency curves, and other signals. Researchers have demonstrated a chain of attacks that nudge the odds away from 1-in-16: EAE (Eve-Alice-Eve) attacks — an exchange tracking your deposits and withdrawals can narrow the real spend by intersecting both ends of the trail. Decoy-distribution mismatch — if your wallet picks decoys with a slightly different curve than the network norm, the real spend stands out statistically. Newer-output bias — the real spend is statistically more likely to be the most recent output in the ring; chain-analysis vendors exploit this. None of these break Monero individually, but they erode the 1-in-16 floor toward 1-in-4 or worse in adversarial conditions. The community has been raising ring size and refining decoy selection for years; FCMP++ is the structural fix. How FCMP++ actually works FCMP stands for Full-Chain Membership Proof . Instead of selecting 15 decoys at random, the spender produces a single succinct zero-knowledge proof asserting "one output in this Merkle-tree-committed set is the one I have the spend key for". The set is a commitment to every spendable output on the Monero blockchain since the fork height. The "++" denotes the specific construction Luke "kayabaNerve" Parker proposed in 2024 — a Bulletproof+-style proof system over an algebraic-group-action commitment scheme that's both verifier-fast and proof-compact enough to fit in a Monero block. Earlier full-chain proposals (Seraphis, Lelantus, RingCT-Spark variants) were either too large per-tx or too slow to verify; FCMP++ is the first proposal credibly cheap enough for mainnet. The output you're spending stays cryptographically indistinguishable from the entire spendable set. There is no "ring size" anymore; the anonymity set IS the chain. What changes for normal users Almost nothing visible. You'll still: Open Cake / Feather / Monero GUI the same way Generate the same kind of addresses + subaddresses Pay the same fees (slightly lower at the margin — proofs are more compact) Wait the same ~20 minutes for 10 confirmations What you won't have to worry about anymore: Wallet decoy-selection quality (the "is my wallet picking decoys correctly?" anxiety goes away — there are no decoys) "Churning" — moving funds to yourself repeatedly to grow effective anonymity set. The set is already maximal. Worrying about ring-size bumps tightening over time. FCMP++ doesn't have ring size. Carrot — the addressing upgrade riding along FCMP++ ships alongside Carrot , a new addressing + scanning scheme. Carrot solves a separate problem: the way view-only wallets currently work, an attacker with your private view key can see all incoming transactions to your address. Carrot reworks the cryptography so view-only wallets see incoming receives without a master key that would also unmask the entire account history. Practical effect: handing your view key to a tax accountant, a developer integrating payment, or a watch-only mobile app stops being a one-way disclosure that lasts forever. Carrot view-keys can be scoped, rotated, and disclosed without forfeiting historical privacy. Carrot also brings view tags — small per-transaction hints that let wallet scanning skip most of the chain. The result: sync times on slow devices drop significantly, especially for new wallets restoring from seed. Under the hood (skip if not curious) Proof size: ~2 KB per input (vs ~1.5 KB for current RingCT-Bulletproofs+). Per-tx overhead grows slightly. Verification cost: faster per-input than current rings under batch verification. Nodes verify blocks quicker on net. Wallet sync: Carrot's view-tags let scanning skip ~95% of outputs. Restoring a 5-year-old wallet from seed will get noticeably faster on phones. Pruned-node compatibility: retained — the Merkle commitment is small relative to chain data. Hardfork-only deployment: there is no "soft" FCMP++ — every node must upgrade at fork height. Timeline (moving target — last reviewed 2026-05-18) FCMP++ is in active engineering, not yet on testnet at the time of writing. Best public-source estimates from Luke Parker and the Monero Research Lab: 2026 Q2-Q3: reference implementation + testnet 2026 Q4 / 2027 Q1: mainnet hard fork — earliest plausible window Carrot: typically bundled with the same fork (separate code path, same release) Dates have moved before. The MRL Issues tracker is the canonical authority. Watch monero-project/research-lab + the monero core repo for the engineering milestones. What to do right now Nothing urgent. Your XMR will fork through automatically. Wallets do the migration; you don't handle keys differently. Track your wallet's changelog as the fork approaches — Feather, Cake, Monerujo and the Monero GUI will all flag the FCMP++/Carrot release. Update before the fork height, not after. If you publish a view key (donation addresses, business view-only access), expect to need to refresh it post-Carrot. Plan the refresh as a one-time chore, not an emergency. Don't pre-emptively churn. Once FCMP++ activates, anonymity-set max is already there. Spending pre-fork or post-fork — same privacy after the upgrade. Where this fits in the wider privacy-tech landscape Other privacy chains take different routes: Zcash uses zk-SNARKs (smaller proofs, opt-in privacy, trusted setup), Mimblewimble chains (Beam, Grin) use a different commitment model, Bitcoin's CoinJoin family is opt-in mixing on top of a transparent chain, Lelantus-Spark (Firo) is a Monero-style ZK approach with a different proof system. FCMP++ is Monero saying "we're not switching to zk-SNARKs or trusted-setup territory — we're scaling the existing privacy-by-default model to the largest possible anonymity set". See FCMP++ vs other privacy tech for the side-by-side. Authority FCMP++ is primarily the work of Luke "kayabaNerve" Parker , with peer review from the Monero Research Lab. This explainer is xmr.club's plain-language take; if you're looking for the canonical sources, start with: Luke Parker's FCMP++ technical writeup on getmonero.org MRL issue tracker for the engineering thread Monero Observer for weekly progress digests xmr.club doesn't replace any of these as a cryptography source. We're here to translate research into "what does this mean for someone holding Monero this year". For the math, follow Luke's posts.

## License

CC-BY-4.0. Attribute "xmr.club".