
RE: Is Monero’s (or All) Anonymity Broken?

in #cryptocurrency · 7 years ago (edited)

some monero guy in irc says this is literally written to address exactly the point you’re making: https://lab.getmonero.org/pubs/MRL-0001.pdf

Ah I remember reading that Monero Research Labs document a long time ago. I had forgotten about it.

That document admits that their model does not apply to my blog. I quote from the above linked document as follows:

…simplest strategy for Burns would be to just spam the network as fast as possible with his own transactions. But with fees, this isn’t free.

Note that, as time goes on, a UTXO is more likely to be chosen for mixins, but is also more likely to have been exposed from previous users revealing their transactions by spending them with 0 mixins, complicating the wisdom of choosing UTXOs for the ring signature from a uniform distribution.

My blog explains how the fees can be free (actually 2% of the block reward cost, offset by the income of the honeypot) for the perpetrating miner. So that debunks that research paper.

Additionally, the authors admit their model doesn’t factor in the fact that older UTXO have a higher probability of having been chosen than new UTXO. Their model is too simplistic and thus is not applicable to the interaction of the 3 vulnerabilities I presented.

Their model for example assumed that the perpetrator wasn’t able to continue adding “black balls” (which btw in my blog are the “white sheep”, colors are transposed in our notations):

…Burns doesn’t have to take a single action after his initial seed transactions are planted in the UTXO set. This fixed initial cost for the attacker leading to a never-ending stream of information in the form of traceable transactions from other users…

That assumption makes their model inapplicable to my blog, because I show two vulnerabilities (Divide and Conquer and Metadata Correlation) that continue to add “black balls” (aka “white sheep”) ongoing.

Additionally that document says nothing about my other points that make Zerocash superior, such as that the anonymity of Zerocash only breaks if SHA256 breaks, but anonymity of Monero breaks if ECC does. And that the user of Zerocash doesn’t have to be concerned about the carelessness of other users (that he is not transacting with) impacting his own anonymity set. And other points about the disadvantages of explicit anonymity subsets such as fungibility being superior on Zerocash.

More comments from Monero private chats are being forwarded to me:

Needmoney90, [01.08.17 22:00]
Like, that was the first paper released by the MRL, and it describes why the 'attack' in this article doesn't work

Yes, it was written because I communicated the possible attack to @smooth who relayed it to their cryptographers. I caused that paper to be written. I explained that in my blog.

Needmoney90, [01.08.17 22:00]
Basic statistics

Needmoney90, [01.08.17 22:01]
It's not even an intermediate paper, if this guy had done any research at all, he would know his method didn't work :/

Needmoney90, [01.08.17 22:01]
He didn't even skim the first research paper published by us lol

No you snobbish Monerotard. You asshurls never change. You didn’t read carefully the damn paper you’re citing and the model’s relationship to my blog.

"He claims miners can create outputs for free - MRL-001 established that it's pointless without owning like 80% of the outputs. We'd realize very quickly if a miner was creating 80% spurious outputs, because the tx growth would be insane, we'd outstrip Bitcoin."

No you would not realize an 80% increase if it was gradually raised or had been going on for a long time. You have no way to know whether the existing transaction volume already includes the 80%, i.e. if Monero has been a honeypot ongoing. Did you even read the Really? section of my blog wherein I made that point already! You Monerotards don’t even take the time to read carefully.

You can’t extrapolate that statistically derived 80% factor when the model they used doesn’t even apply as explained above. That chart they showed assumed that the perpetrator is not continuing to compromise more transactions ongoing, so it is inane to claim that it is pointless to do so, when the model doesn’t even factor in doing so. Once you factor in those things they didn’t model the quantitative results of the model can change. The authors even admit that the dynamic factors would need further study:

Technically, for any sort of “critical mass” sort of problem, there’s going to be a steady state problem lurking under the surface, and we definitely have some dynamical systems stuff flying about in this problem. Maybe some ambitious undergraduate wants to pick up where we leave off and contribute to the cryptocurrency community by expanding on all of this.

EDIT: @tie-warutho flagged this post and is trying to hide it (and also thus trying to lower my 63 reputation score here).

Why would you flag this? If you have a rebuttal, then rebut with a reply. This comment post is not spam.
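The dispute above is about a statistical model: MRL-0001 asks what fraction of outputs an attacker must own before rings built from uniformly chosen decoys are traceable, and the post argues that the paper's fixed-seed assumption (the attacker plants outputs once and stops) and its neglect of the chain reaction change the answer. The toy simulation below is an added example written for this page; it is not code from MRL-0001, from the Monero project, or from the post's author. The model it implements is a constructed simplification and the parameters are assumptions: decoys are drawn uniformly from every existing output, each honest spend creates one new honest output, the attacker never spends, a ring is counted as traced only when every decoy is attacker-owned or already known-spent, and a traced real input is added to the known-spent set (the chain reaction). The `attacker_per_tx` knob is what lets you compare a one-time seed against an attacker who keeps adding outputs, which is the distinction the post draws.

```python
import random


def analytic_trace_probability(attacker_fraction, ring_size):
    """First-order estimate with no chain reaction: a ring is traced when all
    ring_size - 1 decoys are attacker-owned, which under uniform decoy
    selection happens with probability attacker_fraction ** (ring_size - 1).
    ring_size == 1 is a 0-mixin transaction and is always traced."""
    if ring_size < 1:
        raise ValueError("ring_size must be at least 1")
    return attacker_fraction ** (ring_size - 1)


def simulate(n_outputs, attacker_fraction, ring_size, n_tx,
             attacker_per_tx=0, seed=0):
    """Monte Carlo version of the same model with the chain reaction added.

    Constructed, hypothetical setup (not MRL-0001's model verbatim):
    `n_outputs` outputs exist at the start, of which `attacker_fraction` are
    attacker-owned (the seeded "black balls"). Each of `n_tx` honest
    transactions spends one unspent honest output, picks ring_size - 1 decoys
    uniformly from every other output, and creates one new honest output.
    If every decoy is attacker-owned or already known-spent, the real input
    is exposed and joins the known-spent set. `attacker_per_tx` new attacker
    outputs are appended after every transaction to model an attacker who
    keeps planting outputs instead of stopping after the initial seed.
    Returns the fraction of transactions that were traced.
    """
    rng = random.Random(seed)
    n_attacker = int(n_outputs * attacker_fraction)
    attacker = set(range(n_attacker))               # attacker-owned output ids
    outputs = list(range(n_outputs))                # every output ever created
    unspent_honest = list(range(n_attacker, n_outputs))
    known_spent = set()
    next_id = n_outputs
    traced = done = 0
    for _ in range(n_tx):
        if not unspent_honest:
            break
        # Honest spender: pick one of their unspent outputs and remove it.
        i = rng.randrange(len(unspent_honest))
        real = unspent_honest[i]
        unspent_honest[i] = unspent_honest[-1]
        unspent_honest.pop()
        # Decoys: uniform draw without replacement from all other outputs.
        k = min(ring_size - 1, len(outputs) - 1)
        decoys = set()
        while len(decoys) < k:
            d = outputs[rng.randrange(len(outputs))]
            if d != real:
                decoys.add(d)
        if all(d in attacker or d in known_spent for d in decoys):
            traced += 1
            known_spent.add(real)   # chain reaction: now a black ball for later rings
        done += 1
        outputs.append(next_id)                     # payment/change to an honest user
        unspent_honest.append(next_id)
        next_id += 1
        for _ in range(attacker_per_tx):            # ongoing attacker output creation
            outputs.append(next_id)
            attacker.add(next_id)
            next_id += 1
    return traced / done if done else 0.0


if __name__ == "__main__":
    for ring in (1, 3, 5, 11):
        for f in (0.2, 0.5, 0.8):
            print(f"ring={ring:2d} attacker={f:.1f} "
                  f"analytic={analytic_trace_probability(f, ring):.3f} "
                  f"seeded={simulate(5000, f, ring, 3000, seed=1):.3f} "
                  f"ongoing={simulate(5000, f, ring, 3000, attacker_per_tx=2, seed=1):.3f}")
```

Running the sweep shows the two effects the thread argues about side by side: with a one-time seed the attacker's share is diluted by every honest output created afterwards and the traced fraction falls over time, while with `attacker_per_tx > 0` the share grows and the traced fraction rises, and raising `ring_size` pushes both curves down. None of this says which side of the argument is right; it only makes the assumptions explicit so they can be changed and re-run.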


I'll be the carrier pigeon here.. from someone much smarter than me who doesn't appear to have a steemit account....
"You claim miners can create outputs for free - MRL-001 established that it's pointless without owning like 80% of the outputs. We'd realize very quickly if a miner was creating 80% spurious outputs, because the tx growth would be insane, we'd outstrip Bitcoin.
You can't get 80% of the outputs without being glaringly obvious, and if you did so, you can't do it for free without an excessive hashrate.
Also, I think the 80% number was assuming a smaller number of ring members than we have now, and definitely a smaller number than we're planning on (10-20).
So even assuming the attacker can get 80% without being noticed is lenient"

Please re-read my comment to which you replied, as someone else had forwarded to me the first part of his inane comments, and I rebutted it already above.


from someone much smarter than me

Just because he uses technical words, doesn’t mean he has any understanding of the subject matter.

You cant get 80% of the outputs without being glaringly obvious

Incorrect. Already rebutted.

and if you did so, you can't do it for free without an excessive hashrate

You mean that the attacker would need 80% of the network hashrate. But I’ve already explained that your 80% assumption is not valid.

Also, I think the 80% number was assuming a smaller number of ring members than we have now, and definitely a smaller number than we're planning on (10-20)

When the statistical model is correctly reformulated to factor in what was not factored in, we will nearly certainly calculate that the level of mixins required to sufficiently squelch the perpetrator’s power is much higher making Monero transactions humongous. At extreme parameters we may need to approach Zerocash’s level of mixins which means nearly every transaction has to mix with nearly every transaction, so we could potentially be looking at 1 - 10 MB per transaction for squelching very powerful perpetrators (at the extremes of parameters). If you want large anonymity mix sets, then use Zerocash. Why mess around with ring signatures given they are not even as secure for protecting the anonymity against cracking of the cryptography as I explained in the blog?

And even if we can accept humongous transactions, Zerocash will still be superior for the other reasons I provided which the research paper you presented doesn’t address.

I warned you Monero folks back in late 2015 and early 2016 that Zerocash was superior and y’all needed to move on. But of course you never listen. All you know how to do is ridicule and ban me. Payback is a bitch and I’m just getting started on the actions I have planned (after having been so ill with TB for the past years and just completed my 6 months of very liver toxic, agonizing antibiotics in early July).

Thanks for the replies, glad you're back at it (and now for coding)!


The Monero Stackexchange has deleted my answer that linked to this blog, removed some of my comments from that Q&A page that had refuted errors in other comments and answers, and closed the Q&A page to further answers from me to prevent me from telling the truth. So they are censoring the truth from their FAQs:

And the same retarded mod deleted my answer about Vtrash’s enigmatic “ChainBender” anonymity:
