/window 12

Dear sirs:

I extend the most convivial greetings to all.

Today I wanted to ascertain whether the use of multiple inputs could present a challenge to the ring signature scheme used by Monero. Consider the following: Alice wishes to send 1 XMR to another individual, Bob. Bob is a new user. For whatever reason, Alice decides to split up the 1 XMR into 10 individual outputs of 0.1 XMR. Alice subsequently transmits the transaction over the internet. After some time, the transaction is embedded into the

next block.

If Bob decides to spend an amount exceeding 0.1 XMR, two outputs of the prior transaction will be required as inputs. For example, if Bob sends 0.45 XMR, five outputs of his transaction with Alice will be spent. Naturally, Monero aptly selects numerous decoys (fifty). However, it remains true still that his transaction with Alice will appear five times, each time referencing another output of Alice's transaction, making correlational

inferences about the transactional history very plausible. Naturally, what happened before Alice's transaction remains unaffected.

I wrote a Python script to ascertain the gravity of the situation. It is available here: pastebin.com/BWZexpnu

When scanning the Monero blockchain from blocks 1990000 to 2016257, I found that of 287,192 transactions in total, 170,612 had more than one "proper" input (not counting decoys). Of those transactions, 7,373 (4%) referenced the same output transaction more than once as inputs/decoys, making the inference that the new transaction in fact derives from certain given outputs extremely likely and indeed reducing the power of the ring signature

scheme.

I am certain that you have previously considered this issue at length and that it has been discussed intensely, and that the conclusion was drawn that no further action is necessary. That I am posting here today is nothing more than an acknowledgment of my ignorance of your discussions, for which I apologize. Nevertheless, I wished to ensure that you are aware of this minor fact, and that Monero through its strong privacy protections remains

money of the people, by the people, and for the people.

Best regards,

SeventhAlpaca

You are right. The wallet warns when this happens, you can send an output to yourself and spend later, breaking the connection (though you could still have heuristics looking at a distance).

The wallet will also try to select inputs which aren't connected this way if it can, but it's not always possible (ie, if the only outputs you have are Alice's).

The long standing defense against this is the vague concept of "churning", which is a bodge, and not at all well defined. But basically sending to yourself like I said above.

but 4% is a lot

there is another way

you could select other txs with multi outputs as decoys in your tx

The wallet could plausibly scan history itself to make better picks based on each coins's history. It does not do so now. Like for instance not selecting change from a tx to Carol when sending back to Carol, etc.

You mean select outputs from txes which have more than two outs ?

yes lets say you got 10x 0.1 xmr and do a sweep all then you would know the key images that were used in this txs but if you select other decoys which are all part of another multi out txs there is no way in knowing

Feel free to suggest this and the attached reasoning to MRL. surae in particular is currently working on analyzing that problem.

Thank you. These are some very good points. If several outputs from individual txs were used as decoys, this would break the correlational connection (or at least make it worthless as it could not be determined who's who).

I didn't know that the wallet warns about this. Awesome!

Making inferences about true signers based on cross-input correlations is a known issue that's difficult to mitigate with small anonymity set sizes

The use of larger sets and/or binned inputs can be useful

but this does not solve everything, of course

Are you sure that the wallet warns about that? I just tested this on the cli wallet and there does not appear to be a warning (at least not before I confirm with "Y".)

I'm sure there is one for what I understood you to be saying :)

If you spend two outputs A and B, A was created at height HA, B at HB, and the difference HA and HB is less than 10.

Is that what you were saying ? HA==HB in your case.

i think he means if you receive a transaction with 10outputs and you do a sweep all now your tx contains all outputs in 10rings containing 11members but you can correlate the origin transaction with the sweep transaction

Thanks, Paule! Yes. So, in essence, that the same transaction id appars in several rings of a new tx.

and he says it happens in 4% of the time

Found it. You have to have print-ring-members set, and it seems to default to false.

"Warning: Some input keys being spent are from the same transaction, which can break the anonymity of ring signature. Make sure this is intentional!"

Thanks, moneromooo. That's a great option, and a great warning also!

I'll make it do the check regardless of the option. Thanks for making me find that.

Of course. And thank *you*!

SeventhAlpaca this article describes the same thing medium.com/@crypto_ryo/on-chain-tra…-and-other-cryptonotes-e0afc6752527

Thanks, koe!

6301

I'm not convined that 4% intersection means anything.

Decoys are weighted toward recent so a fair bit of intersection on recent txs is expected. Exactly numbers I don't know

The older the tx with multiple outputs being used the less likely it is random, but again real numbers would need more work

The idea of deliberately sending multiple outputs in one tx as a form of a attack is worth considering

Maybe the wallet should warn about *that* and consider remedial measures