:/

2300%, eh vtnerd

well, tweetnacl wasn't designed for performance

New preprint on transaction identification from known data: arxiv.org/abs/2001.03937

tldr non-uniform ring size was a big deal

as well as a `ring confidential transaction' which seeks to hide a real transaction among a variable number of spoofed transactions. derived features had been the most informative features in the ShapeShift analysis, we expect this change to greatly enhance privacy going forward

^^ incorrect c/p

but yeah

timing-related inference seems somewhat meaningful too

multiple inputs to tx are an issue as expected

"when a transaction contains multiple ring CTs, the real inputs within each ring are contributed by the same user or users exhibiting similar behavior"

i guess this is some support for the idea that monero could benefit from some form of coinjoin to break this assumption, at least the 'same user' pat

anyway interesting paper. short and easy to read

Very few details on method, though

Looks like their other work on cross-input correlations will also be interesting

Fortunately increasing the order of magnitude of the input sets, along with binning, might help mitigate this

well, initially the whole thing is invalidated by fixed ring size

Cross-input correlations? Not necessarily

They mention time correlations as one example relating to that

not the concept, but their actual results

it is clear that ring size plays a huge role

I wish there were more details on results, to be able to actually examine this

can only go by what is in the paper ofc

I mean figure 9 is pretty clear

I think they mean "number of rings" (i.e. number of inputs)

oh maybe so

Again, very few details

But that's never stopped reporting before =p

Too bad the title mentions transaction value, which implies they gained information about this (the paper says the opposite, in fact)

this is an odd comment though "It is noted that recent versions of Monero now enforce the RingCT size to be eleven; as ring number derived features had been the most informative features in the ShapeShift analysis, we expect this change to greatly enhance privacy going forward"

seems to contract the number of inputs thing

Unclear

yup, it would be nice if they actually defined the terms

they reference another apprently unpublished paper [13] Correlations of multi-input monero transactions

Yeah, that's what I meant earlier

hard to imagine what could be done about number of inputs. limiting that would have pretty serious usability issues

Yeah, the idea has been tossed around before

Input binning would be useful for this

maybe there is some usable middle ground like a cap

Since most txns are fairly standard 1-2 or 2-2, I'm not sure how much use this would be

it might be, but it woudln't be if the number of inputs is itself an important variable

This paper was about ShapeShift transactions, which may have much different structure

yes iirc they did some odds things and were not so cooperative in trying to address that (even to their benefit)

Such as?

I don't recall this

i dont recall, but i seem to remember some discussion about strange looking transactions and the answer always being "shapeshift; shrug"

could be misremebering too

It'd be interesting to see their ShapeShift txn dataset

I thought it was actually public

If the distinguishing characteristic is something like high input count that isn't typical among non-exchange transactions, that's useful to know

Right, but I haven't examined any such transactions

What I'm (poorly) getting at is that it isn't clear to me how/if their technique would apply to transaction sets that aren't ShapeShift or a similar entity

id guess that most txs are exchange tranasctions (either in or out)

so in this case distinguishing shapeshift is distinguishing them from other exchange txs, more so than non-exchange

separating exchange from non-exchange is probably easier, although harder to get ground truth training data

payment ids being one massive clue

Another good lesson on the importance of indistinguishability, I suppose

which circles back to number of inputs being a tough case for indistinguishability

The last dataset I saw (which was a while ago, admittedly) was highly skewed to 1-2 inputs

yes, but linkage with even rare many input txs could label a lot of those too

for example, exchange sends big withdraw with many inputs. if identified, that labels most or all of those inputs as deposits

Binning with large anonymity set size can at least help with cross-input correlations

Using the same large set across all inputs means less easy identification of the correlated inputs

And, depending on the signature/proof construction, can gain verification efficiency

maybe but how much woudln't be clear. it only helps with the time feature

yes

if the inputs have some other features in common then time-based binning doesn't help

yes

time has weird properties too

they mentioned seconds as a usable feature, that's probably because some exchange (maybe ss itself) runs txs on a timer

time zone also mentioned