Network confidentiality related parameters
Hi people. I was wondering if someone could help me debug my understanding of the parameters that make the de-anonymization harder on Particl. Here is my limited understanding of those parameters:
A. Higher % of the non-staking supply being held in anon balances is better.
Reasoning: This is not helpful on it own, right? We also need a large number of anon outputs. e.g. if say that all the non-staking supply was transferred to anon balances by 10 wallets that each did a single convert anon->public. Would that result into 10 anon outputs and consequently lead into a privacy disaster ?
B. Higher total number of anon outputs is better.
Reasoning: More anon outputs available to select for participation in a confidential ring groups the harder it is to de-anonymize txs, right? Here is not clear to me is if the size of the anon outputs matters. I mean what is better when transferring 100 Parts anon2anon, 100,000 anon outputs with 100 part each or 10,000,000 anon outputs with 1 Part each ?
C. Higher number of anon txs on the network is better.
Reasoning: For each anon2anon transaction there is single CT ring formed, comprised by your and other random anon outputs. The sender, receiver and amount are always obfuscated but one can see the participants of the group, right? So the more of these rings formed the higher your chances are that your anon outputs have participated in other peoples CT rings, thus making it much harder to track any potential targeted de-anonymization and tracking of specific outputs, correct ?
D. The anon2blind txs also harden the confidentiality of the network in similar way as anon2anon txs do.
Reasoning: anon2blind still creates a CT ring indistinguishable at this step from any other CT rings, right?
I would be forever grateful if someone could debug or maybe provide a more complete picture.
Some very interesting questions and I certainly can’t give you a technical skilled answer on any of them. From my understanding I would guess that every anon2anon transaction helps to increase the number of outputs, which might be used as a later input for other Rings. Since the amount of each tx supposed to be hidden, it shouldn’t be a problem having maybe 5 other anon-tx with originally only 1 Part for hiding your transaction of maybe 1.000.000 Part.
I could imagine the number of anon-tx as crucial, since an attacker could spam the network with many, many anon outputs, and when forming a ring, then there’s the risk of having your transaction together with 5 transactions of this attackers outputs. So I would guess that in general the number of anon-tx is more important than the amount of Part hold on anon balances.
I don’t know whether blind-tx also creating CT rings. I thought only the amounts are hidden and the addresses are public In Monero tx from pre-RingCT also can not be used to form a ring with RingCT tx
Here are some links to videos on RingCT:
Would be really interesting for the community to know how to set up their balances and transactions to improve the overall network anonymity.
Here’s an answer @kewde gave on July 10th 2020 in regards to this topic on discord:
PoS is made out to be contradictory because it motivates holding coins in the public circuit while the privacy benefits the most of having many potential RingCT outputs in the system. But the only correct statement you can make is that the system benefits from having lots of potential RingCT outputs available to mix with, but to take it further and say that “the system benefits from having lots of balances stored in RingCT outputs” isn’t the same. Once a RingCT output is created, it doesn’t get destroyed from a third party perspective and it remains a potential mixin, and that’s the only counter that matters. The aggregate sum of funds in the public circuit can be used to calculate the funds in the private system, you could argue that the changes in this amount allow you to track abnormally large transactions (given that they happen in a relatively small timespan so you can attribute them temporally to someone) and that’s a fair argument but can technically be solved by moving PoS to the blind circuit and removing the public circuit as a whole. That way no amounts get leaked and completely eliminates any amount correlation attacks.
The problem is not related to PoS, although it’s being made out to be like that, the issue is rather the existence of the public circuit. Moving funds from the anonymous circuit to the public circuit does reveal the amount and can be used in a correlation attack, against you and others. But most of that risk resides in how you pick the inputs, a simplistic input selection mechanism may reveal more information than desired but as soon as you start having multiple inputs (> 1), the problem becomes exponentially harder.
D : Almost, anon2anon still generates a new potential RingCT input that can be used, so it is slightly better for the security of the system overal
In a german article there has been an interessting comment from “Paul Janowitz” in regards to the current state of privacy for monero.
It also covers a part with potential privacy issues when dealing with RingSignatures. Following you find an auto-translated part of his comment:
"If your life depends on privacy, you should definitely know what you are doing, because there are certain edge cases where you invade your privacy yourself, among them
- E-A-E (Exchange - Alice - Exchange): Assuming that the Exchanges are even different but regulated, you can assume that they share existing data with third parties. Exchange 1, of course, knows what output Alice got, and if it appears in a ring that moves to Exchange 2, it is a hit with a probability of 1:11, or a hit that can be clearly ruled out if the output of E1 was smaller than the input at E2.
- Summary of outputs: If a user makes daily payouts from a marketplace and this marketplace is infiltrated, the respective outputs (UTXO) are known and if a transaction is propagated, which summarizes these outputs in rings (e.g. 10 rings with 11 possible outputs each), but in each ring exactly one known output is present, one can say with almost 100% certainty, who created it.
- Very old outputs: The Monero Wallet warns if you want to combine several very old outputs, because statistically, younger UTXOs are used in Bitcoin much more often than old ones and the selection of mixin outputs in Monero is based on this. If I combine two old outputs close to each other into one transaction, it is very likely that these two are the correct ones, even if the ring size is currently 11.
- IP Address of Propagation: IP addresses are a very strong metadata and are now protected by Dandelion++ by default by first forwarding the transaction to one node only and only after some hops wide. Additional protection is provided by Tor and I2P support, which is not active by default.
Against most of the potential attacks mentioned above, the generally known “churning”, where you send a transaction to yourself, already helps. An automatic churning of old outputs similar to Samourai’s liquidity providers is currently being discussed, because with each churn you remove your output further from potentially logging exchanges and other players."
PS. It’s also being mentioned, that Triptych will further increase the anon-set while remaining the size of the RingSignatures constant.