00:47:08 :/ 00:52:24 2300%, eh vtnerd 00:52:45 well, tweetnacl wasn't designed for performance 03:22:15 New preprint on transaction identification from known data: https://arxiv.org/abs/2001.03937 03:30:50 tldr non-uniform ring size was a big deal 03:36:03 as well as a `ring confidential transaction' which seeks to hide a real transaction among a variable number of spoofed transactions. derived features had been the most informative features in the ShapeShift analysis, we expect this change to greatly enhance privacy going forward 03:37:09 ^^ incorrect c/p 03:37:42 but yeah 03:39:08 timing-related inference seems somewhat meaningful too 03:40:16 multiple inputs to tx are an issue as expected 03:40:18 "when a transaction contains multiple ring CTs, the real inputs within each ring are contributed by the same user or users exhibiting similar behavior" 03:41:28 i guess this is some support for the idea that monero could benefit from some form of coinjoin to break this assumption, at least the 'same user' pat 03:41:50 anyway interesting paper. short and easy to read 03:43:41 Very few details on method, though 03:43:56 Looks like their other work on cross-input correlations will also be interesting 03:45:34 Fortunately increasing the order of magnitude of the input sets, along with binning, might help mitigate this 03:46:15 well, initially the whole thing is invalidated by fixed ring size 03:47:09 Cross-input correlations? Not necessarily 03:47:23 They mention time correlations as one example relating to that 03:47:39 not the concept, but their actual results 03:47:48 it is clear that ring size plays a huge role 03:47:55 I wish there were more details on results, to be able to actually examine this 03:48:05 can only go by what is in the paper ofc 03:48:23 I mean figure 9 is pretty clear 03:49:14 I think they mean "number of rings" (i.e. number of inputs) 03:49:40 oh maybe so 03:49:52 Again, very few details 03:50:03 But that's never stopped reporting before =p 03:50:23 Too bad the title mentions transaction value, which implies they gained information about this (the paper says the opposite, in fact) 03:52:47 this is an odd comment though "It is noted that recent versions of Monero now enforce the RingCT size to be eleven; as ring number derived features had been the most informative features in the ShapeShift analysis, we expect this change to greatly enhance privacy going forward" 03:53:41 seems to contract the number of inputs thing 03:54:21 Unclear 03:54:45 yup, it would be nice if they actually defined the terms 03:59:05 they reference another apprently unpublished paper [13] Correlations of multi-input monero transactions 04:00:27 Yeah, that's what I meant earlier 04:02:40 hard to imagine what could be done about number of inputs. limiting that would have pretty serious usability issues 04:03:14 Yeah, the idea has been tossed around before 04:03:32 Input binning would be useful for this 04:03:37 maybe there is some usable middle ground like a cap 04:04:16 Since most txns are fairly standard 1-2 or 2-2, I'm not sure how much use this would be 04:04:18 it might be, but it woudln't be if the number of inputs is itself an important variable 04:04:30 This paper was about ShapeShift transactions, which may have much different structure 04:05:10 yes iirc they did some odds things and were not so cooperative in trying to address that (even to their benefit) 04:05:24 Such as? 04:05:26 I don't recall this 04:05:52 i dont recall, but i seem to remember some discussion about strange looking transactions and the answer always being "shapeshift; shrug" 04:06:07 could be misremebering too 04:06:22 It'd be interesting to see their ShapeShift txn dataset 04:06:38 I thought it was actually public 04:06:50 If the distinguishing characteristic is something like high input count that isn't typical among non-exchange transactions, that's useful to know 04:07:30 Right, but I haven't examined any such transactions 04:08:10 What I'm (poorly) getting at is that it isn't clear to me how/if their technique would apply to transaction sets that aren't ShapeShift or a similar entity 04:08:25 id guess that most txs are exchange tranasctions (either in or out) 04:08:47 so in this case distinguishing shapeshift is distinguishing them from other exchange txs, more so than non-exchange 04:09:22 separating exchange from non-exchange is probably easier, although harder to get ground truth training data 04:10:51 payment ids being one massive clue 04:11:47 Another good lesson on the importance of indistinguishability, I suppose 04:12:37 which circles back to number of inputs being a tough case for indistinguishability 04:14:09 The last dataset I saw (which was a while ago, admittedly) was highly skewed to 1-2 inputs 04:15:11 yes, but linkage with even rare many input txs could label a lot of those too 04:15:44 for example, exchange sends big withdraw with many inputs. if identified, that labels most or all of those inputs as deposits 04:16:26 Binning with large anonymity set size can at least help with cross-input correlations 04:17:08 Using the same large set across all inputs means less easy identification of the correlated inputs 04:17:31 And, depending on the signature/proof construction, can gain verification efficiency 04:17:38 maybe but how much woudln't be clear. it only helps with the time feature 04:17:47 yes 04:17:53 if the inputs have some other features in common then time-based binning doesn't help 04:17:57 yes 04:18:21 time has weird properties too 04:18:42 they mentioned seconds as a usable feature, that's probably because some exchange (maybe ss itself) runs txs on a timer 04:19:36 time zone also mentioned