Intellectually and academically dishonest hitpiece by peddlers of a competing cryptocoin.
That this subset of transactions is not safe is not news, nor is it even original research - it was covered in research more than 2 years ago by The Monero Project itself - and is something the project has addressed since and is working to further improve even beyond the recommendations of this paper.
Andrew Miller does not hide his ties to Zcash; I believe none of the other authors are associated with Zcash. I do not think he needs to recuse himself from academic study of competing currencies, just because he has loose ties to Zcash.
Also, the authors do not hide the fact that the vulnerability is not new. Most science is incremental; I haven't seen any evidence of 'academic dishonesty'.
>The Zcash Foundation will now be endowed with 273,000 zcash, worth more than $13m at press time. As part of the network’s rules, 10% of the cryptocurrency’s mining rewards are automatically awarded to stakeholders.
>The four-person board of directors includes chair and president Andrew Miller, associate director of the Initiative for Cryptocurrencies and Contracts (IC3), and Matthew Green, assistant professor of computer science at Johns Hopkins University.
This paper is akin to me publishing a paper noting how insecure Windows for Workgroups 3.11 is, providing advice for securing it, and then Tweeting out that the paper found that "Windows is trivially insecure out the box". Sure, the paper would technically be correct, and my Tweet might even technically be correct, but it would be irrelevant since nobody uses Windows for Workgroups 3.11.
Nobody CAN use mixin-0 transactions in Monero, because they've been banned since a March 2016 hard fork that took over a year for them to plan and roll out. Nobody can be affected by down-chain use of those mixin-0 transactions because RingCT doesn't allow you to create ring sigs from them, which was added in the December 2016 hard fork.
It's no wonder, then, that the paper, and accompanying website, only go up to the end of 2016 - they have no valid data from the beginning of 2017 onwards, and have published the paper seemingly only as a 'hit piece'.
This paper is an empirical analysis. The Monero reports introduced a theoretical attack with conditions, e.g. “a critical loss in untraceability across the whole network if parameters are poorly chosen and if an attacker owns a sufficient percentage of the network.”
The news is that our research confirms, for the first time, that this is actually the case, and it affects actual transactions.
The core of this paper's claim seems to be that 0-mixin transactions leave users exposed; however, Monero has since prohibited these types of transactions. So yes, these types of transactions going backwards are exposed, but moving forward they will not be.
This appears to be the Monero team's main response. Am I missing any other substantive arguments from the paper?
> Am I missing any other substantive arguments from the paper?
The second half of the paper, "Linking with temporal analysis". If you read the second half of the introduction, you will find that the primary technique they use for tracing 80% of transactions is found in the current version.
The sloppiness of this code is really shocking, "when the Monero client chooses mixins, it does not take into account whether the potential mixins have already been spent."
> The sloppiness of this code is really shocking, "when the Monero client chooses mixins, it does not take into account whether the potential mixins have already been spent."
That's because RingCT removed the ability to create a ring signature with those outputs, so adding a complex whitelist / blacklist mechanism would have been a massive waste of time.
> The sloppiness of this code is really shocking, "when the Monero client chooses mixins, it does not take into account whether the potential mixins have already been spent."
I'm not thoroughly familiar with Monero's internals, so someone please correct me if I'm wrong, but I thought it was well known that this was a deliberate design decision. Previously spent amounts don't actually run a risk of being double spent as they're only used for anonymization purposes, as far as I understand. So why is this considered "sloppy"?
It was a deliberate design decision as the issue was mitigated in a different manner starting in early 2016 (and introducing that check wouldn't be very effective anyway for other reasons).
The results of the mitigation are shown in the paper as Figure 5. The success of the techniques in the paper declines rapidly over the course of 2016 and would effectively reach zero if the dataset were extended (this is noted in the text when it states that RingCT transactions are immune, although even without RingCT it would still effectively reach zero).
The technique in the second half of the paper is not able to trace any transactions at all, as I explained in more detail in another reply. It identifies a partial weakness in the ring signatures but it is not capable of breaking them.
It is not true that this result was previously known. Please see the section "Comparison with related work on Monero linkability." in the paper (https://monerolink.com), which starts "We note that earlier reports from Monero Research Labs (MRL-0001 [10] and MRL-0004 [7]) have previously discussed concerns about such deduction, called a "chain-reaction," based on similar insights as described above. However, our results paint a strikingly different picture than these." and then goes on to show those striking differences in the new results and the previous knowledge.
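The "chain-reaction" deduction that the thread argues about (seeded by mixin-0 inputs, and the reason the client's failure to exclude already-spent outputs matters) is easy to see on a toy ledger. The following is an added illustration, not code from the paper or from the Monero project: it models each transaction input as a ring of candidate output ids, treats a one-element ring as a public spend, and propagates the "an output can only be spent once" rule to a fixed point. It also shows why a minimum ring size (what the March 2016 fork enforced) removes the seed of the cascade. The ledger, transaction and output names are constructed for the example.

```python
# Toy model of the "chain-reaction" deduction on ring-signature inputs.
# CONSTRUCTED data: output ids o1..o7 and transactions tx1..tx5 are invented
# for this example and do not correspond to anything on the Monero chain.
# Each ring lists the candidate outputs an input claims it might be spending;
# exactly one of them is the real spend. A ring of size 1 is a "mixin-0" input.
CONSTRUCTED_RINGS = {
    "tx1": ["o1"],               # mixin-0: the spend of o1 is public
    "tx2": ["o1", "o2"],         # o1 already spent, so this must spend o2
    "tx3": ["o2", "o3", "o1"],   # o1 and o2 spent, so this must spend o3
    "tx4": ["o4", "o5", "o6"],   # no known-spent members: nothing to deduce
    "tx5": ["o3", "o7"],         # o3 spent, so this must spend o7
}


def chain_reaction(rings):
    """Return {tx: deduced_spent_output} after iterating to a fixed point.

    Any ring with exactly one remaining candidate is resolved. Its output is
    then struck from every other ring (an output is spendable only once), and
    rings that shrink to a single candidate resolve on a later pass.
    """
    candidates = {tx: set(ring) for tx, ring in rings.items()}
    deduced = {}
    changed = True
    while changed:
        changed = False
        for tx, cands in candidates.items():
            if tx in deduced or len(cands) != 1:
                continue
            (spent,) = cands
            deduced[tx] = spent
            changed = True
            for other, other_cands in candidates.items():
                if other != tx:
                    other_cands.discard(spent)
    return deduced


def enforce_min_ring_size(rings, min_size):
    """Consensus-style filter: reject any input whose ring is below min_size.

    Modelled on the idea of a minimum mixin rule; the exact rule is an
    assumption of this example, not a reproduction of Monero's code.
    """
    return {tx: ring for tx, ring in rings.items() if len(ring) >= min_size}


def useless_mixins(rings, deduced):
    """Count ring members that are already known spent and so add no cover.

    This is the cost of a mixin picker that ignores spent status: every such
    member is a decoy an observer can discard immediately.
    """
    known_spent = set(deduced.values())
    return sum(
        1
        for tx, ring in rings.items()
        for out in ring
        if out in known_spent and out != deduced.get(tx)
    )


def traceable_fraction(rings):
    """Fraction of inputs whose real spend the cascade pins down."""
    if not rings:
        return 0.0
    return len(chain_reaction(rings)) / len(rings)


if __name__ == "__main__":
    print("unfiltered:", chain_reaction(CONSTRUCTED_RINGS))
    print("traceable:", traceable_fraction(CONSTRUCTED_RINGS))
    hardened = enforce_min_ring_size(CONSTRUCTED_RINGS, 2)
    print("with min ring size 2:", chain_reaction(hardened))
```

On the constructed ledger the single mixin-0 input cascades into four of five inputs being resolved; dropping the one-element ring (a minimum ring size of 2) leaves no seed and the same procedure deduces nothing, which is the point the thread makes about the 2016 forks. The `useless_mixins` count is the concrete effect of the quoted "does not take into account whether the potential mixins have already been spent": those members are decoys that cost nothing to discard.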
Lengthy discussion on reddit here: https://www.reddit.com/r/Monero/comments/65dj7u/an_empirical...