RE: Is Monero’s (or All) Anonymity Broken?
Monerotard shilling, lies, and propaganda continues.
My rebuttal:
First of all, the fact the the author is using the term UTXO should be a big tipoff that they don't actualy understand how Monero works. Monero only has TXO sets as no one actually knows if a transaction has been spent or not making the differentiation of a TXO from a UTXO meaningless.
I quote from my blog to correct your blindness:
And the (risk of) instances of overlap for any UTXO increase indefinitely because no UTXO can ever be marked as spent, because it is supposed to be unknowable which of the UTXO was spent in each ring signature anonymity set.
Anyone incapable of understanding that the concept of a UTXO does not exist in Monero
You continue to repeat this false accusation. I already showed you where in my blog I had explained that transactions can never be marked as spent in Monero. UTXO is the standard terminology for an unspent transaction. If you Monerotards want to make up your private terminology that is okay, but it is not my problem nor my error. STFU retard.
…shilling backdoored nonsense like Zcash
My blog clearly explains that Zcash’s anonymity can’t be backdoored by the trusted private key setup. And that unlike the pitiful case for Monero/Cryptonote, Zcash’s anonymity doesn’tretroactively fail when ever current ECC security is cracked. Satoshi even relied on hash functions for security by hashing the public ECC key on the blockchain.
he'd be a millionaire now
At least I didn’t convince people to expose their $millions in a honeypot.
Second, This topic was discussed during Fluffypony's presentation at Coinbase in January. It turns out that for this type of attack to have a reasonable chance of succeeding the attacker needs to own a minimum of 80 to 90 percent of all the TXO's.
This incorrect misunderstanding of the prior Monero Research Labs report was already irrefutably and emphatically rebutted in the comment replies.
Third, it is never discussed how the attacker can magically guarantee that will will always be able to mine their own fake transactions.
It is explained in the blog that miners can do this. And it is explained that the income from selling your identities is what funds the complicit miner so that over time that miner gains more and more of the hashrate because they are more profitable than the non-complicit miners.
When you do not even read, how can anyone trust anything you Monerotards write?
wpalczynski wrote:
This was written by anonymint, the guy is not well in the head and never has been.
The pot calling the kettle black as self-evident by the facts juxtaposed against your disrespect for factual truthfulness herein.
dnale0r wrote:
There is a solution possible: if you run your own node, you could flag suspicious transactions and not use them as decoys…
Incorrect.
done: https://github.com/monero-project/monero/issues/2241
A miner can create a lot of transactions for free by mining them privately.
The perpetrator doesn’t need to keep their spam transactions private. They would gladly have other miners add them to the blockchain. There is no way to distinguish a spam transaction from a normal one.
technogymball wrote:
Is what the author is saying correct/likely to have happened?
Is the NSA not obligated by law to do it.
@smooth wrote and I responded:
after Monero implemented a minimum mix factor, the share of traceable transactions fell rapidly and would have eventually reached approximately zero had that process not be accelerated by the switch to RingCT.
@smooth you are being disingenuous here by obfuscating that your correct statement w.r.t. to the scenario in the Monero Research Labs report you allude to is argued to be false w.r.t. to the perpetrator scenario in my blog. And I believe willfully so (meaning you know it because you are too smart to not realize it, unless you didn’t read or agree with this yet).
In the Monero Research Labs report, the perpetrator does not continually add more spam transactions (which the report explicitly admits). Also the Monero Research Labs report admits it doesn’t model the mathematical fact that older (U)TXO had more opportunities to be selected into mixes (note however this might not be true if transaction volume is growing over time, but it my scenario doesn’t depend on this aspect anyway).
ArticMine wrote:
…since as the block reward falls to zero so does the cost of these attacks. What protects Monero here in the minimum block reward (tail emission).
Incorrect. As I explained in my blog, it is the low transaction revenue relative to the block reward which enables the honeypot, because the value of deanonymizing is greater than the 2% cost of the transaction fees relative to the income from the block reward.
Your argument amounts to that as the use of the blockchain diminishes so does the cost of mining it and thus spamming it with transactions. True, but so does the value of the honeypot decline too. Thus your logic is incorrect.
Incorrect. You are fighting the block reward itself via the penalty not the other transaction fees.
How do you propose to generate 80% - 90% of the TXOs on an ongoing basis without paying a fortune to feed Monero's adaptive blocksize penalty?
I did not claim that the Sybil attack needs to be 80%, because the metadata correlation and other vulnerabilities can combine (and the Monero Labs Research report claiming 80% is inapplicable for the reasons I have explained).
Monero’s block size readjustment algorithm scales to the transaction volume. There will be no penalty.
You may have been thinking that the perpetrating miner would send more than his share of the network hashrate in transaction volume, but I wasn’t proposing that as I explained in my blog quoted as follows:
Thus the perpetrator will own
X%
of the transactions in every anonymity set, whereX
is the perpetrator’s percentage of the network hashrate.…
Note that whether the block size is limited or not has nothing to do with the vulnerability, because if the perpetrator attempted to create for free more than
X%
of the transactions, the excess must go in the perpetrator’s blocks (else the transaction fees cost will not be offset) and thus users could choose to not mix with transactions from larger blocks.
You might have been thinking that the perpetrating miner had to issue all the spam transactions in his own block (and exceed the median block size). A quote from my blog explains that the perpetrating miner can send his spam transactions to non-complicit blocks by offsetting the transaction fees:
Thus the undetectable perpetrating miner can even recoup the transaction fees of sending transactions to blocks created by non-complicit miners, by including offsetting non-complicit transactions in the perpetrating miner’s blocks.
@smooth wrote and I responded:
There's still the cost of driving up the size of the chain to the point where not only does the spammer have to process all the added crap, but no one else can or will use it (so driving away the very victims the attack is trying to target).
Another disingenuous obfuscation of the facts.
My blog clearly explained that the deanonymization can be due also to contagion of metadata leakage and overlapping rings, which the Monero Research Report did not model.
Thus the spammer needs no where near the 80% levels unless the minimum ring count is greatly increased. We need to model it to know how large the ring count must be increased to handle realistic attack/honeypot scenarios. But in any case, we are just trying to emulate Zcash’s large anonymity set and doing it very inefficiently and never with 100% assurance. So it is much better to just use Zcash than try to fix a irreparably flawed concept known as Cryptonote ring signatures (and the RingCT variant).
Besides 80% (thus 4X increase in transactions) doesn’t necessarily bloat the chain enough to discourage use of the Monero/Cryptonote honeypot, even if every user runs a full node (and many probably don’t which is one of the myraid of reasons the metadate correlation factor is so important and Zcash doesn’t leak these onto diligent users).
For your point to have merit, we would need to be talking about perhaps 99% spam transactions which is a 98X increase in transaction volume. But clearly that isn’t required.
@smooth wrote and I responded:
Even ignoring transaction fees (in the case of a single dominant miner)
I show that the transaction fees are only 2% of the block reward as of now for Monero, so a dominant miner isn’t required.
it would require that the attacker bloat up the chain by an unreasonable degree to be even somewhat effective.
See my other reply to you today on this thread as a refutation.
An 80% attacker would only be able to trace 40% of transactions given the current ring-size 5 default (soon to be minimum).
Incorrect. Your model is not factoring in the contagion of combinatorial collision due to metadata correlation. That is one of the significant reasons that Zcash is superior.
That falls to 16% if it is necessary to trace two hops, 6% for three hops, etc.
Again an incorrect percentage because your 40% figure is not correct as already explained.
Your point is that by mixing multiple times (which is analogous to larger ring counts), then the honeypot can be avoided. True to some extent, but this is equivalent to just using Zcash which has the largest possible anonymity mix set and does it much more efficiently. My rebuttal to using larger ring counts is that it will bloat the block chain and then more people will not run full nodes, so then more metadata correlation and the larger ring counts to some extent defeats itself with a negative feedback effect on metadata correlation.
I mean yeah maybe a very diligent user can employ Monero with lots of duck tape and bubblegum to hold together some tenuous anonymity, but please stop pretending it is superior or even comparable to Zcash. And Btw, I have no affiliation whatsoever with Zcash.
The presence of an 80% attacker, even though not all that effective, would require that the chain be bloated by 5x
You have a math error. That would be 4X.
increasing not only everyone else's costs of running and node and using the coin, but the attacker/miner's costs as well. A stronger attack would require bloating up the chain and operating costs even more (10x for a 90% attacker and 100x for a 99% attacker).
In the end such an attacker would succeed in little more than driving away all the of the users of the coin where he was able to monopolize mining, attacking and mining a coin with no users. It doesn't hold together.
The was refuted in my other reply to your other comment.
I don't so much bother any more because as others have pointed out he goes in circles a lot and wastes others' time (his too, but that's his problem).
So nice to read this after sending you a private message last night thanking you for all your help over the years. As I told you in that message, I respect and appreciate you, but you play “follow the herd” politics. I don’t. That will always be a salient distinction between us. Nevertheless my word-of-honor and gratitude doesn’t diminish because of it. Politically affiliate with the retards if you wish, rendering yourself into a mutual sycophant with them. This is the last effort I will waste explaining this to you. If you forget, it is not my problem.
You’d be well advised to not confuse the effects of delirium from multiple years of disseminated Tuberculosis (c.f. the linked image) with the completion of my 6 months of very agonizing liver toxic antibiotics around my 52nd birthday on June 28. Liver dysfunction is approximately like your worst hangover more or less continuously since the worst of it kicked in 2013ish or surely by summer 2015 when I dropped from 75 to 55 kg. I didn’t know what that illness was because I had no cough, thus no one here in monkeyland suspected pulmonary TB. It was only when I had the funds ($6000 of which significantly due to you upvoting my Steemit blogs in 2016) to spend $1000s in Singapore for medical care did they suggest checking for something I never heard of before “gut TB”.
xmrscott wrote:
I can understand if folk downvoted the actual article, but the question is valid. If people downvote this post they might see the article by some other means, but not the rebuttal here.
Upvoted.
tyuvvdgzkp wrote:
what if blockchain analysis comes to monero?
What if blockchain analysis has been ongoing for years. How would you know? Why does someone have to announce publicly they are doing it. My blog is about using blockchain analysis combined with a Sybil attack, metadata correlation, and overlapping rings in conflagration of combinatorial analysis. You could even throw timing analysis into that.
in the last weeks there closed a bitcoin mixer, btc-e seized and also alphabay and hansa market
How do we know that secret analysis of Monero’s blockchain wasn’t contributing to those investigations.
also its very likely that every transaction from/to exchanges like coinbase/kraken/bitstamp are known for chain analysis. thats a lot of data. how could this affect monero if e.g. every exchange has to reveal tx to law enforcement and blockchain analysis companies (maybe its already the case) and future illegal services which support xmr get seized?
Put it together with the vulnerabilities I outlined in my blog and probably with all that combined pretty much everyone that has been trusting Monero is potentially screwed.
@cornholio wrote:
Quoted for posterity (just in case you decide to delete). Also I rather fancy the double-vision effect.