Monthly Archives: January 2016

Tying up loose ends with RingCT

Published by:

RingCT, as proposed in a paper by the MRL researcher Shen Noether, was announced just a few months ago and recently received enough funding for the implementation. Ring Confidential transactions is complicated new technology using math and cryptography to hide amounts in transactions using ring signatures. Not many people saw the implications of this innovation for XMR and even less people actually understood how it all works.

I can’t explain you how it works. If Shen’s paper will be published in Ledger, an academic journal on cryptocurrency and blockchain technology, RingCT will be subject to peer review. When the academic community decides it works, we’ll know for sure. But let’s just assume for now that it will actually work once it will be implemented.

What I can try to do is explain some of the implications of RingCT. Hiding amounts seems a nice feature to have, but why do we need it? After all, we have already the stealth addresses and ring signatures which provide us with privacy and fungibility.

If you read MRL-0004, you’ll notice that there are still some privacy concerns when using Monero. The issues raised in section 3.2 (Association by Use of Outputs Within a Transaction) can be solved by using RingCT.
In short, the problem is that when you want to spend 2 outputs that you received in the same transaction as an input for a new ring signature transaction, these outputs can be linked together. For an observer it’s very likely that these 2 outputs are the real inputs of your transaction, making your ring signature obsolete.

An example will hopefully clarify what I mean. I’ll ignore the fees for simplicity.
Transaction X: Alice sends 123 XMR to Bob with mixin 5.
This means that Bob receives 3 separate outputs: 100 XMR, 20 XMR and 3 XMR
Transaction Y1: When Bob wants to send 3 XMR to Charlie, he just chooses his 3 XMR output as the input for transaction Y1. He chooses a mixin level so Alice can’t trace the 3 XMR. She doesn’t know for sure that Bob actually spent the 3 XMR she sent to him. Oliver the observer just sees a regular private XMR transaction. He can’t determine identities.
Transaction Y2: When Bob wants to send 23 XMR to Charlie, he could choose to use the 20 XMR and 3 XMR outputs as inputs for Y2. But this would not be a great choice: even if Bob uses a high mixin level, it will still be possible for  Oliver the observer (and thus also for Alice) to see that 2 outputs who were both the result of transaction X are used together in a new transaction. Even if Bob used mixin 100, this is still visible. What a coincidence! Oliver will conclude that those 20 XMR and 3 XMR are the real outputs. Alice will know that it was Bob who spent 23 XMR.  The state of the outputs isn’t uncertain anymore: we know the 20 XMR and 3 XMR are spent.
Transaction Z2: Dave sends 3 XMR to Eve. Dave uses mixin 1* and by accident picks as a fake input to mix with the 3 XMR Bob received in transaction X. When Dave sends his transaction, Oliver can see the 3 XMR input received by Bob is already spent in transaction Y2. This actually means that Oliver now knows that this input in Dave’s transaction is fake. So Oliver immediately knows the real input that is spent in Dave’s transaction, revealing the state of Dave’s 3 XMR.
Also note that if transaction Z2 happened before transaction Y2, Dave will still be private when he sends his transaction, but his privacy will be weakened when Bob sends transaction Y2. So transaction Y2 creates a “chain reaction privacy problem”.
*the XMR protocol enforces a minimum mixin of 2, making this “chain reaction privacy problem” in transaction Z2 less likely.
Transaction Y3: Bob wants to prevent that the state of his 20 XMR and 3 XMR is revealed when he spends them, so he decides to spend the 100 XMR he received from Alice instead. Charlie will still receive a 20 XMR and a 3 XMR output, but a 70 XMR and 7 XMR output will be sent back to Bob. At this point, the situation is exactly the same as in Transaction Y1: Alice doesn’t know for sure that Bob actually spent the 100 XMR she sent to him due to the mixin. Oliver just sees a regular private XMR transaction. He can’t determine identities.
But… Charlie now knows something: he can see that 77 XMR used as change and that this change is probably sent to Bob. So Charlie knows Bob owns at least 77 XMR. Bob can attach an identity to both the 70 XMR and 7 XMR outputs.
Transaction Z3: Bob now wants to send 75 XMR to Eve. If Bob only owns the 77 XMR he received as change, he now faces an even bigger problem: he can’t select just one output as an input for his transaction to Eve! Bob has no choice but to use both the 70 XMR and 7 XMR as inputs for his transaction to Eve. Eve will receive 70 XMR and 5 XMR and Bob will receive 2 XMR as change. Sending this transaction does a lot of damage to Bob’s privacy:
– Charlie knows that Bob has sent 77 XMR and that it’s very likely the 2 XMR output in transaction Z3 is change to Bob.
– Eve knows that Bob received 2 XMR as change and can attach his identity to those 2 XMR.
– Oliver sees that the 70 XMR and 7 XMR are spent, making it not desirable for every XMR user to mix with those.
– If Oliver accidentally already mixed with the 70 XMR or the 7 XMR before transaction Z3 happened, his privacy is now weakened. This can create new “chain reaction privacy problems”.

In a nutshell, if 2 outputs who originated from the same transaction are used as inputs in a new transaction, we now can assume that those 2 outputs are spent. This has 2 main consequences:
– Some people can know in certain circumstances that you have spent a certain amount of XMR.
– It’s possible that by random chance some people’s ring signature is weakened when such linked outputs are used for mixing in a new transaction.

So how can the hiding of the amounts in a transaction with RingCT potentially solve the “association by use of outputs within a transaction” and the related “chain reaction privacy problems”?

Well, if you understood the example, this is quite easy: A RingCT doesn’t require to be mixed with outputs with the same denomination. So when you send a transaction using RingCT, you can use arbitrary amounts. This means that in general, you would only have 2 outputs in a transaction: one output is sent to the receiver and another one is the change that is sent back to you.

This obviously makes it impossible to use 2 outputs who originated from the same transaction as inputs for a new transaction which was exactly the issue described at the start of this article. It also hides the change amount for the receiver. the receiver only knows you received change, but doesn’t know how much.

As you can see, RingCT solves a lot of edge cases for XMR and adds additional privacy to the balance of your XMR account!

Addendum:

Reddit user /u/mWo12 found this transaction: txid ea8bca898505b0c4b2ee9ff08d44ff8a2d60f0d397d8987fb68cd0ff11a88a15.

If you expand the inputs and check from which blocks the inputs originate, you’ll see 4 “ring members” of the 4 inputs coming from block 1015051.
All the inputs seem to be outputs in this transaction: txid bb4d4142ede8e9b32d1d9b81274cfa9d934b9d931faa521d6e6eab1bf917fff4.

It is very likely that the 4 outputs in transaction bb4d…fff4 are spent in transaction ea8b…8a15.
This results in a “chain reaction”. We now for example can assume that the 100 XMR txo with public key e3a8ef35175c931ec811bcc1667e66ab691ed1ca2d971e044b394d02a24f38ad is spent.

All other people mixing with this txo are not adding any “real” plausible deniability to their 100 XMR, because we already know it is spent. If someone only used this txo in the ring signature, his txo can also be considered spent, and so on and so forth…

 

ShapeShiftOpenAlias