You Can Link Monero Transactions – But Which? And What's the Impact?
A new paper provides a technique to link transactions from the privacy-centric cryptocurrency. Should users be worried?
The world's sixth-largest cryptocurrency network, monero, celebrated its third birthday this Tuesday, but not without having weathered a storm in the preceding days.
On Twitter, Reddit and across social media, a heated discussion has been playing out over findings published on MoneroLink.com. Launched on 14th April, the website provides a block explorer that lets users follow the inputs and outputs of a majority (62%) of transactions conducted before January 2017, a feat that was widely thought to be impossible.
The explorer is a practical implementation of techniques published in a research paper by Andrew Miller and Kevin Lee of the University of Illinois at Urbana-Champaign, and Arvind Narayanan and Malte Möser of Princeton University.
Since its publication, much debate has taken place over whether the findings of the paper have been presented accurately, and equally, whether the monero team's own research – which founder Riccardo Spagni says highlighted the same findings in 2015 – was communicated well enough to give users of the network a clear understanding of its limitations.
Transaction linking
The central finding of the paper centers around 'mixins' – dummy inputs and outputs used to obscure the true sender and recipient in transactions.
According to the research findings, mixins can be identified with certainty in almost two-thirds of cases, because they have been spent elsewhere in transactions that did not contain mixins (meaning that the input and output were sure to be genuine).
Further, 80% of the time, the real input among mixins can be guessed by looking for the 'newest' coin; ie that which was most recently committed to the blockchain as the output of a prior transaction.
The technical proofs behind the paper have gone unchallenged and, in fact, findings were echoed in another paper from a group of researchers at Singapore University published just days later.
But the caveat is that the findings presented in the paper and website only apply to the monero blockchain from 2014 to 2016, and no longer hold from the point at which monero transactions implemented the RingCT method (January 2017) – a clarification which supporters of monero believe was downplayed in order to increase the paper's impact.
Further complicating the matter is Miller's position on the board of the Zcash Foundation, which is seen as showing allegiance to a similarly privacy-focused cryptocurrency often positioned as a rival to monero.
While this position draws no salary, Miller confirmed to CoinDesk that he has holdings in zcash which provide a financial benefit.
Miller's involvement with zcash is no secret (it's disclosed in his Twitter bio, university staff page and elsewhere), yet it's easy to see how his claim that this professional and financial link has no bearing on his academic research is a tough pill to swallow for a business competitor.
"In order for zcash to succeed, monero needs to be a small user base comparatively, so there's an undeniable conflict of interest to [the research]," monero founder Riccardo Spagni told CoinDesk.
At the same time, judged by the standard of how accurately research has been presented, Spagni's main rebuttal – that Miller's findings had already been exposed by Monero Research Labs (MRL) – has also been subject to scrutiny.
Spagni and others in the monero camp have pointed to papers MRL-0001 and MRL-0004 (titled "A Note on Chain Reactions in Traceability in CryptoNote 2.0" and "Improving Obfuscation in the CryptoNote Protocol" and published in 2014 and 2015, respectively), saying they highlight the same security flaws Miller, Arayanan, Möser and Lee have claimed as new discoveries.
But the level of attention which the MoneroLink traceability proofs have attracted in the cryptocurrency community make it clear that even though the MRL papers were already available, the implications for transaction analysis were not widely understood.
Miller told CoinDesk:
Miller expanded on this view in a post on Hacking, Distributed, arguing that the existence of the MRL reports has at some points stifled rather than encouraged further research (albeit unintentionally), by giving the impression that the outcomes of the noted vulnerabilities had been explored in greater depth than was the case.
Talking to CoinDesk, Spagni conceded that the MRL findings were for the most part listed in technical documents, but also defended the need to put forward a clear message to users who were less familiar with the cryptocurrency.
He said:
Which users were affected?
A second key question to ask of both the MoneroLink paper and the Monero team's response is to what degree the research findings have a bearing on monero users who would have expected anonymity during the 2014–2016 time period.
In a Reddit post, monero developer smooth_xmr writes:
It's hard to confirm the accuracy of the 80-90% figure, but self-evidently users opting not to use any transaction mixin were not expecting to benefit from transaction obfuscation, and are unlikely to suffer a serious loss of privacy from a blockchain analysis for this period.
From Spagni's perspective, techniques that might deanonymise some of monero's early adopters retrospectively have little bearing on the currency's users today.
"The entire userbase has changed in the last six months," he said. "Academically this [report] is an interesting piece of information, but it doesn't give us much additional learning that will help monero's current users."
As the security implications of the report continue to be studied, focus is likely to fall on the late 2016 period, during which time monero grew well beyond the initial pool of enthusiasts – largely driven by darknet market AlphaBay's decision to offer it as a payment option in August.
From August 2016 until the adoption of ring signatures in January 2017, monero users making purchases on AlphaBay would have been vulnerable to transaction linking, though at this stage it's difficult to say how many people are affected and what the risk of deanonymisation is.
"Our message is that users should have been warned earlier, especially if you were relying on an untraceability guarantee and did not in fact have it during this range," Miller said.
Though the tense rounds of claim and counterclaim have generated a lot of attention, it would be wrong to characterise the process as unproductive.
The monero community has compiled an unofficial response to the paper which, while disputing some of authors' claims, also cites the importance of the work for the continued improvement of the currency.
Miller also acknowledged that discussions with some members of the monero community had been very productive, and that feedback would be incorporated into future updates to the research.
For anyone with a prior sympathy for either monero or zcash, there are certainly actions on both sides that can perhaps be read as bias, but from a detached viewpoint, rigorous and widely publicized research is always a net gain for cryptocurrency as a whole.