The privacy-centric cryptocurrency Monero includes unlinkable transactions in its main offering, meaning that a single coin cannot have its entire transaction history revealed. On Friday, a research called that assertion into question.
The research paper, authored by Andrew Miller, Malte Moser, Kevin Lee and Arvind Narayanan, details research into how Monero transactions obfuscate their origins. It reveals how Blockchain analysis could potentially lead to transactions, particularly those taking place before 2017, being linked, showing the transaction history of certain coins.
In his reddit comment, Monero developer Riccardo Spagni, aka FluffyPony, says the problem is well understood and 80% of transactions are not traceable.
Meanwhile, Cointelegraph spoke with Andrew Miller, assistant professor at the University of Illinois at Urbana-Champaign and associate director for the Initiative for Cryptocurrencies and Contracts, and one of the researchers cited in the Monero link paper, about the implications of these findings.
Cointelegraph: What, in one sentence, were the findings of the paper?
Andrew Miller: We found that a significant number of Monero transactions, mostly transactions made in 2014 through 2016, can be linked.
CT: Can you define "linked" for the layperson?
AM: In Bitcoin, each transaction points to a previous transaction, which is the coin that it spends. Monero is designed to obscure this linkage by including a bunch of fake coins, called mixins, along with the real coin.
CT: How could this linking be done? Does software exist that could make this possible?
AM: Yes, the linking can be done with a really simple algorithm. Anyone with a copy of the Blockchain could run this themselves. But it seems like no one has done it yet.
CT: But this is not feasible with current versions of Monero, correct?
AM: So to be more clear, we analyzed two ways of linking Monero transactions. The first one leads to “conclusive” linking like we can tell with 100 percent certainty that a particular transaction is linked to another. This method only applies to older transactions.
The second way involves some uncertainty.
There is a bias in how the "mixins" are chosen. You can guess that the "newest" coin is the real one and be right much more than if you guessed randomly.
CT: Say I downloaded a Monero wallet right now and got some and tried to send them for a transaction. How linkable would a transaction be today?
AM: I think it’s hard to speculate here, I don't want to take a guess and say things outside what's supported by the evidence reported in our paper!
If you downloaded a wallet today and withdrew coins from an exchange today and then created a transaction to spend them, you would probably use RingCT and the default number of four mixins.
That means that for the transaction you created, you would probably expect that an attacker would have a 1/5 chance of linking your "spend" transaction to the withdrawal.
But actually, it's worse than that, closer to 1/2 instead of 1/5.
CT: Not so with old transactions though, right? Say I used Monero for some purchases in late 2015. Those might be linkable?
AM: If you made a Monero purchase in late 2015, or even late 2016, there is unarguably a very good chance your transaction could be linked.
Whether this de-anonymizes you or not depends on what other information the attacker has, like if they have records from where you received the coins (e.g. an exchange) or if they have records from where you spent the coins (e.g. a merchant).
CT: I know hypotheticals are tough, but let's say I bought some Bitcoin on an AML/KYC compliant exchange, exchanged it for Monero and made a purchase during that time period. One could theoretically track that purchase back to my identity?
AM: If one could seize the logs from the merchant, then almost certainly.
CT: You're linked to Zcash, aren't you? Why should anyone trust this research and not dismiss it as attempts to smear a competitor?
AM: A fine question! Yes, I'm linked to Zcash, I've been a consultant for them for years, as well as Tezos, I've also consulted for Ethereum, and made sure to disclose this on the first page. It's trite, but I think everyone should be distrustful of every claim and try to reproduce claims as much as possible. In this case, it should be straightforward.
Here's what I think is going on: The reaction I've seen from Monero folks is mostly "this is not new, we've known this since 2014" with reference to the MRL reports, which discuss the fundamental problems underlying our analysis. But I do not think that anyone yet has actually looked at the Blockchain to see how bad it is. I have not seen any software that does this analysis, nor seen a block explorer that reveals this, until ours.
Monero comment
Monero developer Riccardo Spagni, aka FluffyPony, commented on Reddit:
“The problem is not the paper. In fact, I offered to run an FFS so that they get paid for their work, and I suggested we publish it as an MRL paper so that it forms part of the body of Monero research. They took us up on neither of those.
The problem is that it was presented as a "Monero deanonymisation" paper, released an hour before a hard fork, and even lauded itself by one of the authors as "New research: serious anonymity weaknesses in privacy-centric cryptocurrency Monero; 80% of transactions linkable". It's not new research, it's additional research on a problem that is well understood. 80% of transactions are not traceable. etc. etc.
It wasn't researchers trying to improve the ecosystem, it was a paid-for hit piece by the president of the ZCash foundation and his cronies. Their reaction to us betrays their motives, not the other way around.”