by kobeya 3220 days ago
I wouldn't trust in Monero's privacy. Most of the techniques used to defeat CoinJoin would also work against Monero's ring signatures, which amount to effectively the same thing.

ZCash is definitely a different tier of privacy... or it would be if they made ZCash proofs required for every transaction. But instead they made anonymous payments opt-in and therefore your privacy can be defeated by people upstream or downstream of you.


I'm not sure I follow on the "your privacy can be defeated by people upstream or downstream of you." In ZCash, your transaction is completely indistinguishable from the other shielded transactions. The only thing the person you are paying learns is they were paid e.g. $10 by a shielded TX user. So they learn nearly nothing from upstream, and know nearly nothing to share downstream. In particular, this seems to completely negate the attack described in this paper. (Which CoinJoin does not.)

The limitation for ZCash is that shielded tx's are only 1/5th of the total number of TXs by volume, so your anonymity set is not as large as it could be. But it's likely considerably larger than the anonymity you get by mixing < 10 TX's and then doing this repeatedly both because of intersection attacks (which the attack here is) and because of the impossibility of correctly sampling the TXs to mix with.

There are a LOT of factors that could be used to de-anonymize you including frequency and time of day of transactions, wallet application identifying signatures in the transaction itself (e.g. use of fee sniping protections vs not, type of multi-sig used), patterns of usage in non-block chain services such as exchanges, etc.

You could identify a dozen or a hundred different features about a transaction or the transaction graph, then run standard machine learning tools to find clusters of usage patterns. You could then probabilistically infer connections between upstream and downstream usage patterns that implicate you.

I'm not arguing against the cryptography of zcash, which is solid as far as I'm aware. But while it does such a thorough job of bolting the front door, the window is left wide open.

So there definitely are other attack options that Zcash on its own does not protect against and in some cases cannot. The biggest being timing. Usage patterns seem to fall into that.

But do you think the fact that 1/5th of transactions are shielded actually enables more attacks on shielded TXs?

Yes, because 4/5 of the transactions are revealing a LOT more than they otherwise would, thereby greatly increasing the signal to noise of other analysis techniques.

Monero uses ring signatures in conjunction with one-time stealth addresses, so even if you figured out a transaction's link to a previous transaction, you would still be stuck with stealth addresses.

This is further hardened with RingCT.

Please explain how this is undermined, using techniques applicable within the last 9 months.