Hacker News new | ask | show | jobs
by ianmiers 387 days ago
This is by no means a comprehensive analysis. This analysis misses the most major limitation with Monero's decoy based approach to transaction obfuscation: Eve-Alice-Eve attacks (also known as ABA attacks). It also misses an analysis of the possible insecurity of churning and a significant history of randomness implementation errors and flooding attacks specific to Monero. The exact consequences of some of these attacks remain an open question, but worthy of mention.

A simple and surprising limitation of Monero and any other decoy-based approach is that if you repeatedly withdraw money from one exchange and then deposit it to another, those transactions are not private (edit: even if we ignore payment value). This is a form of Eve-Alice-Eve attack.

Monero uses decoy transactions to obscure the transaction history on-chain, but it does not remove the history. There's a reason every other major privacy protocol (Zcash, Tornado Cash, Railgun, Aleo, Penumbra, etc.) does not use Monero's decoy-based approach, and even the Monero developers are moving to the standard zero-knowledge proof over an accumulator (IIRC a merkle tree like everyone else) based approach that they call Full Chain Anonymity Proofs.

As a meta-comment, this is one of a genre of Monero "privacy" analysis documents that are circulated as a way to claim there are no known actively used exploits. This is little better than the classic "my scheme is secure; here's a bounty for anyone who breaks it" form of cryptographic analysis we often see with flawed encryption schemes. Breaks will not always be public.
3 comments
mike_d 386 days ago
I will word this carefully since I previously worked on crypto de-anonymization attacks, but nothing in this "analysis" seems to be grounded in more than the blockchain developers echo chamber of self congratulation.

Amusingly, assume the CIA has figured out a clever trick for opening up Acme Secure Envelopes in transit. If they publish a report detailing at length how amazing and tamper proof Acme products are, the world would take note and sales would plummet overnight. If, however, you publish the same report on a blog about how to mail documents securely...

link
Calwestjobs 386 days ago
Your point is correct, you sound like salty CIA spreading FUD because it is job of NSA to provide them with solution which did not came. :) So you are saying that ZKSnarks are CIA approved ? XD
link
duke_leto 386 days ago
100% agree that this is not a comprehensive analysis.

For instance, recently a core Monero dev published something called OSPEAD which is a proposed fix to the "Map Decoder Attack" which he also publicly disclosed at the same time : https://github.com/Rucknium/OSPEAD

The TLDR is that Monero has about 75% less privacy than anybody thought, and this attack is still "live" in production. It requires a mandatory upgrade by every node on the network to fix and as far as I know, no fix has been decided upon yet. The attack can be combined with other attacks to completely de-anonymize transactions. I recently wrote about the bug and my proposed mitigation that users can do to regain privacy here: https://duke.hush.is/memos/6/ . AMA, if you desire.

This attack (and mitigation) is not getting the attention it deserves, partially because it is technical and hard to explain and partially because it does not serve the interests of content marketers and Monero influencers.

Monero is indeed moving to ZK proofs because they are mathematically superior in every way. At a very high level, they are moving towards being more like Zcash but they are not using Zcash ZK machinery, they are rolling their own. They are called "Full Chain Membership Proofs" or FCMPs. You can read the paper about those here: https://github.com/kayabaNerve/fcmp-plus-plus-paper/blob/dev...

As another example, recently an anonymous researcher published http://maldomapyy5d5wn7l36mkragw3nk2fgab6tycbjlpsruch7kdninh... (you will need Tor Browser to access that) which explains how the Monero network is being spied on by malicious nodes, with the end result being that transaction id's can be linked to IP addresses.

There are various other examples of de-anonymization attacks on Monero but OSPEAD and network spying (which can be combined) are some of the worst, because they are very inexpensive and effective.

link
yieldcrv 387 days ago
Correct, I don't find these to be limitations for any user of Monero, its just a way not to use it.

> repeatedly withdraw money from one exchange and then deposit it to another

right, don't do that. Withdraw to your wallet. Wait several days. Transfer elsewhere in different denominations.

Problem solved for everything you wrote, and its been nearly the same for the entire lifespan of Monero, 11 years now.

> Breaks will not always be public.

There are court cases that give the confidence necessary. It is also something to stay abreast of. Always just ask yourself who the transaction is intended to be hidden from.

link
beeflet 387 days ago
>right, don't do that. Withdraw to your wallet. Wait several days. Transfer elsewhere in different denominations.

Unfortunately, it doesn't work like that. The EAE attacks only require that the end destination is colluding with the start destination.

Like everything with decoys, privacy is stochastic. So I wouldn't go around making absolute claims about the privacy as many proponents of monero like to do. The developers advise against making these sorts of claims. Monero makes privacy a lot easier, but it's not perfect.

>There are court cases that give the confidence necessary. It is also something to stay abreast of. Always just ask yourself who the transaction is intended to be hidden from.

In the free world, we have the concept of innocent-until-proven-guilty and evidence-beyond-a-reasonable-doubt. Decoy-based approaches give you plausible deniability, but this often isn't enough for more domains where a lower standard of proof is needed.

Fortunately, all this and more will be fixed in FCMP++ upgrade.

link
yieldcrv 386 days ago
Thats good FCMP++ will fix it

Right now it seems Eve just needs to do a dust attack and addresses she’s seen before

And wallets like Featherwallet just need to segregate dust from the pool of outputs, and that kind of attack is totally thwarted

Fortunately Eve doesnt know if an address is part of the same wallet and Featherwallet hides the ability to reuse addresses, although users are lazy and may rely on old addresses being accepted destinations for anyone sending them funds. It would be great if wallets notified of dust, or asked you to recognize transactions in.

link
bcoates 386 days ago
"right, don't do that."

As a non-user of Monero, how do I find out what the security properties are and what information is leaked when various actions are taken? The OP's analysis is deeply lacking in this and the apparent rule against repeated transactions is non-obvious

link
yieldcrv 386 days ago
At this point I’m not sure

there would be the monero subreddit where you could ask these questions

LLMs would be trained on them by now

Books like Mastering Monero exist, and will become obsolete if the proposed upgrades go through

Annual DNM OPSEC GUIDE will likely cover it (darknet market operational security guide)

link
Calwestjobs 386 days ago
"There are court cases that give the confidence necessary. " NO!

many times police will made up "plausible way" how they uncovered something, but this "plausible way" was constructed after the "secret" or illegal way was employed to do it.

rephrase : police will do illegal thing to obtain info where you stash your drugs. for example installing NGO Pegasus to your phone, gps tracker under car... so they already have that info. then they call anonymously 911 saying there is smell of gas on street. (maybe they even spray some of mercaptan to make it even more plausible) firefighters, etc will come investigate gas leak and police will say that they uncovered drug stash in investigation of gas leak... illegal way to obtain info, then brainstorming how to make that data available "lawfully". they will not tell in front of judge/court about first part... so no your assumption is not correct.

in computer world it is million time easier.

99% of youtube videos about criminals failing at operational security is intentionally bad information.

IF you are believed to be criminal / "bad person" police(men) will justify doing almost anything, because you are bad person IN THEIR EYES.

also they are trained to and expected to disinform :

For example, Ross Ulbricht. every news paper said that "closing his laptop lid will lock his computer and police will be unable to decrypt it" they pushed it and said it so many times that researchers jumped on LUKS and in 1.5 years there was almost complete rewrite of LUKS.... (not even talking about constant TOR effort)

Whole not closing his notebook also proves that they obtain data legally. It does not say they did not have that data already.

One info can mean multiple things to multitude of people.

link
yieldcrv 386 days ago
Parallel construction is possible and I agree that Ross got railroaded with some unanswered and questionable and paradoxical evidence gathering tactics

My confidence in Monero comes from following what the administrative state has said in court cases

Often times they don’t know the balance, location, and are unable to seize it. As designed

link