US Homeland Security Can Now Track Privacy Crypto Monero
https://decrypt.co/40284/us-homeland-security-can-now-track-privacy-crypto-m...

Jim Bell's comment: I don't know if this is true, but true or not, we need to learn the truth.

Jim Bell
On 2020-09-01 11:31, jim bell wrote:
> https://decrypt.co/40284/us-homeland-security-can-now-track-privacy-crypto-m...
> Jim Bell's comment: I don't know if this is true, but true or not, we need to learn the truth.
> Jim Bell
I have examined Monero's security. I did not find a way to break it, but it failed to inspire me with confidence.

There are lots of cryptographers vastly better than I am, but they tend to suffer from the mighty unbreakable fortress wall syndrome. They build crypto that is utterly unbreakable against the threat as defined, and all the ways around their unbreakable wall are declared to be out of scope.

And there are lots of cryptographers, me being one of them, who are aware of the fact that you need walls on all sides, but are apt to screw up the crypto. Monero struck me as being of even less than my own regrettable level of cryptographic competence (I would not have fucked up over non-prime-order elliptic points) and somewhat less than my level of awareness of the need for walls to properly link up with each other.

The problem with Monero is that though it avoids the direct linking of transactions that bitcoin suffers from, it leaks a whole lot of data about networks of people transacting with each other, and I suspect that some of the time the data that it does leak is sufficient to make a pretty good guess of what is going on behind the mighty fortress walls of cryptography; that sometimes it is bulletproof, and sometimes the bullets get through.

I don't think anyone has broken it - I certainly could not - but I expect that the adversaries are making efficient use of what it does leak - that they can find interesting information in what is out of scope of its security model.

I favor Wasabi wallet, which mingles your bitcoins with those of a large number of other people.

The Lightning network solves the problem that bitcoin has of transaction linkability, but you then have the correspondence banking problem, that too many "trusted" intermediaries know who is transacting with whom.

There is a flaw in the human user interface of the Lightning network's system of trust. We need a Lightning network that has less need for trust, and a human interface that is more human, so you know whom you are trusting.
A Monero contributor/developer for a few years now ...

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Tuesday, September 8, 2020 10:06 PM, <jamesd@echeque.com> wrote:
> On 2020-09-01 11:31, jim bell wrote:
>> https://decrypt.co/40284/us-homeland-security-can-now-track-privacy-crypto-m...
>> Jim Bell's comment: I don't know if this is true, but true or not, we need to learn the truth.
>> Jim Bell
> I have examined Monero's security.
> I did not find a way to break it, but it failed to inspire me with confidence.
> There are lots of cryptographers vastly better than I am, but they tend to suffer from the mighty unbreakable fortress wall syndrome. They build crypto that is utterly unbreakable against the threat as defined, and all the ways around their unbreakable wall are declared to be out of scope.
No actual critique here, some vague accusation of ivory tower engineering.
> And there are lots of cryptographers, me being one of them, who are aware of the fact that you need walls on all sides, but are apt to screw up the crypto. Monero struck me as being of even less than my own regrettable level of cryptographic competence (I would not have fucked up over non-prime-order elliptic points)
I'm going to assume that you are not god, and are in fact infallible. It's worth mentioning that the original cryptonote authors were aware of the twist issues (or blindly/luckily followed DJB's advice) as the codebase has mul8 (the cofactor) in two key areas since the first commit. These authors came up with an entirely new ring-signature design - it was not as simple as "using academic literature" - the technique requires one-time use stealth addresses. And the stealth addresses _may_ have been the design of these same authors (it's ambiguous whether "ByteCoin" on bitcointalk is related to the coin with the same name). The person who wrote the bulk of the ring-CT code (not associated with the original cryptonote developers) was almost certainly aware of cofactor issues. This person had to adapt the "confidential-transactions" concept to work with Monero ring-signatures. I doubt you can claim more competence than this person, if any. The problem is some operations do not require a sub-group check or cofactor multiply, and either mitigation strategy uses a non-trivial number of CPU cycles.
> and somewhat less than my level of awareness of the need for walls to properly link up with each other.
> The problem with Monero is that though it avoids the direct linking of transactions that bitcoin suffers from, it leaks a whole lot of data about networks of people transacting with each other, and I suspect that some of the time the data that it does leak is sufficient to make a pretty good guess of what is going on behind the mighty fortress walls of cryptography; that sometimes it is bulletproof, and sometimes the bullets get through.
The problem is no worse than Bitcoin - did you intend to promote Zcash here? There are some negatives to that project that can be found via websearch, but the z-address transactions are (assuming no bugs or math errors) not leaking the information you describe.
> I don't think anyone has broken it - I certainly could not - but I expect that the adversaries are making efficient use of what it does leak - that they can find interesting information in what is out of scope of its security model.
> I favor Wasabi wallet, which mingles your bitcoins with those of a large number of other people.
Wasabi is not an improvement over Monero, there is far more information leakage. I can't even think of a single privacy related benefit to Wasabi over Monero transaction constructions off-hand. Every transaction has a publicly visible amount, which aids in tracing "through" the mixing process - outputs are frequently broken into fixed-size amounts, mixed, then re-assembled into nearly the same size as the original output. Also, every output in a "mix" operation is **definitely** spent, where in Monero an output in a ring-signature is _possibly_ spent. This makes tracking a bit more challenging because an output can appear any number of times as an input. The technique by Monero is also non-interactive, so there isn't any IP related data leakage to a mixing server. Every Monero transaction requires the ring-signature construction, so they do not "stand out" like Wasabi transactions. If this "flipped" to where Wasabi style is the norm, then Bitcoin transaction volume is massively increased, narrowing (or passing) the gap to the larger Monero transactions. The code for auditing the supply still remains more simple, but I cannot think of a single benefit to privacy.
> The Lightning network solves the problem that bitcoin has of transaction linkability, but you then have the correspondence banking problem, that too many "trusted" intermediaries know who is transacting with whom.
> There is a flaw in the human user interface of the Lightning network's system of trust. We need a Lightning network that has less need for trust, and a human interface that is more human, so you know whom you are trusting.
Lee
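Lee's point about mul8, sub-group checks and non-prime-order points, as an added example that is not code from anyone in this thread or from Monero: plain Python Ed25519 arithmetic on the RFC 8032 constants (no libraries) constructs an order-8 torsion point T and shows that B + T is a valid, distinct point that fails the subgroup check `l*P == identity` yet collapses onto B after a cofactor multiply, which is why a system that performs neither check can be handed two points that behave as one. The affine formulas, the torsion search and all function names are my own choices, not Monero's API.

```python
# Added example, not from the thread: Ed25519 has group order 8*l, so a point can carry
# a small-order "torsion" component on top of its prime-order part. Two mitigations
# Lee names: a subgroup check (l*P == identity) and a cofactor multiply ("mul8").
p = 2**255 - 19
d = (-121665 * pow(121666, -1, p)) % p                # twisted Edwards coefficient
l = 2**252 + 27742317777372353535851937790883648493  # order of the prime subgroup
I_SQRT = pow(2, (p - 1) // 4, p)                      # sqrt(-1) mod p (p = 5 mod 8)
B = (15112221349535400772501151409588531511454012693041857206046113283949847762202,
     46316835694926478169428394003475163141307993866256225615783033603165251855960)
IDENTITY = (0, 1)
COFACTOR = 8

def on_curve(P):
    x, y = P
    return (-x * x + y * y - 1 - d * x * x * y * y) % p == 0

def add(P, Q):
    """Affine addition on -x^2 + y^2 = 1 + d*x^2*y^2 (RFC 8032 formulas)."""
    x1, y1 = P
    x2, y2 = Q
    t = d * x1 * x2 * y1 * y2 % p
    x3 = (x1 * y2 + x2 * y1) * pow((1 + t) % p, -1, p) % p
    y3 = (y1 * y2 + x1 * x2) * pow((1 - t) % p, -1, p) % p
    return (x3, y3)

def mul(k, P):
    """Plain double-and-add; fine for a demonstration, not constant-time."""
    R = IDENTITY
    while k:
        if k & 1:
            R = add(R, P)
        P = add(P, P)
        k >>= 1
    return R

def in_prime_subgroup(P):
    return mul(l, P) == IDENTITY      # true exactly when P has no torsion part

def clear_cofactor(P):
    return mul(COFACTOR, P)           # "mul8": kills any component of order dividing 8

def modsqrt(a):
    """Square root mod p via the Ed25519 decoding trick; None if a is a non-residue."""
    r = pow(a, (p + 3) // 8, p)
    if (r * r - a) % p:
        r = r * I_SQRT % p
    return r if (r * r - a) % p == 0 else None

def order8_torsion_point():
    """Find T with 2T = (+-i, 0): then x^2 = -y^2 and d*y^4 + 2*y^2 - 1 = 0."""
    disc = modsqrt((1 + d) % p)
    for y2 in (((-1 + disc) * pow(d, -1, p)) % p, ((-1 - disc) * pow(d, -1, p)) % p):
        y = modsqrt(y2)
        if y is not None:
            T = (I_SQRT * y % p, y)   # x = i*y satisfies x^2 = -y^2
            if on_curve(T) and mul(4, T) != IDENTITY and mul(8, T) == IDENTITY:
                return T
    raise ValueError("no order-8 point found")

def malleability_demo():
    """Returns (B+T is a distinct valid point, B+T passes the subgroup check,
    B+T and B agree after the cofactor multiply); expected (True, False, True)."""
    P2 = add(B, order8_torsion_point())
    return (P2 != B and on_curve(P2), in_prime_subgroup(P2),
            clear_cofactor(P2) == clear_cofactor(B))
```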
On 2020-09-10 02:44, Lee Clagett wrote:
> A Monero contributor/developer for a few years now ...
>> There are lots of cryptographers vastly better than I am, but they tend to suffer from the mighty unbreakable fortress wall syndrome. They build crypto that is utterly unbreakable against the threat as defined, and all the ways around their unbreakable wall are declared to be out of scope.
> No actual critique here, some vague accusation of ivory tower engineering.
Monero's blockchain necessarily leaks quite a bit of information. Perhaps the information is completely useless to an attacker. It is certainly useless to an attacker who attempts to figure out who is transacting with whom by performing the attacks specifically defined and addressed. Monero is clearly invulnerable to the bitcoin problem.

Whether the attacker can put the bits and pieces together and frequently make a good guess as to what is happening behind the curtain is unclear to me, and I doubt it is much clearer to the developers of Monero.

I don't see a survey and analysis looking for the gaps between the mighty unbreakable fortress walls, and am disinclined to perform such an analysis.

If _I_ was a Monero contributor and developer, I would have such a survey and analysis at my fingertips. What _can_ an attacker do by analyzing the blockchain, and what patterns in the blockchain would he notice? In what ways do your activities when you use Monero cause the blockchain to differ from white noise to someone without your private keys?
> It's worth mentioning that the original cryptonote authors were aware of the twist issues (or blindly/luckily followed DJB's advice) as the codebase has mul8 (the cofactor) in two key areas since the first commit. These authors came up with an entirely new ring-signature design - it was not as simple as "using academic literature"
It is really hard to do new stuff securely while using a group of composite order. It did not seem to me that they were aware of how hard it is. The problem was not that their algorithms were necessarily new. The problem was that these new algorithms were necessarily implemented on a group of composite order.
> I doubt you can claim more competence than this person, if any. The problem is some operations do not require a sub-group check or cofactor multiply, and either mitigation strategy uses a non-trivial number of CPU cycles.
We know he screwed up. Would I have screwed up? You don't know and I am not sure, but I know I would have sweated bullets, being aware of how difficult it is to avoid such screw ups, and having studied other people's efforts to work around the problem.
> The problem is no worse than Bitcoin
The problem is vastly less worse than Bitcoin. Monero is better in this regard than Bitcoin. Whether it is enough better to make a big important difference is disturbingly unclear.
> - did you intend to promote Zcash here?
I have not attempted to scrutinize Zcash, which uses cryptography well beyond my limited competence. But I am sufficiently competent to understand Wasabi, which is what I am indeed promoting.
> There are some negatives to that project that can be found via websearch, but the z-address transactions are (assuming no bugs or math errors) not leaking the information you describe.
If Zcash works as described, the blockchain should look like white noise to an attacker without the private keys. Whether it _does_ look like white noise is beyond my abilities to determine.
> Wasabi is not an improvement over Monero, there is far more information leakage. I can't even think of a single privacy related benefit to Wasabi over Monero transaction constructions off-hand. Every transaction has a publicly visible amount, which aids in tracing "through" the mixing process - outputs are frequently broken into fixed-size amounts, mixed, then re-assembled into nearly the same size as the original output.
This is the sudoku attack. When Wasabi was issued, it was vulnerable to the sudoku attack, which could typically track about half the coins through a transaction, but _now_ countermeasures have been applied against that attack. The sudoku attack should have been foreseen, and it was not. But _now_ there is an effort to check the mighty fortress walls to make sure there are no gaps between the mighty fortress walls that an attacker who declines to play by your security model can use.
> Every Monero transaction requires the ring-signature construction, so they do not "stand out" like Wasabi transactions.
Yes, this is an important vulnerability of Wasabi transactions. They can detect that you have laundered money, though once the money has been laundered, they can track it no further. But Monero _itself_ stands out, while Wasabi transactions are just more bitcoin transactions. If everyone used Monero, Monero would not stand out, and if everyone used Wasabi, Wasabi transactions would not stand out. To use crypto currency, you are apt to wind up laundering bitcoin by converting it to Monero, which transaction tends to be highly traceable, and then converting it back to Bitcoin, which transaction tends to be highly traceable, and then actually paying someone with bitcoin, whereas if you are using Wasabi, you are paying with the equivalent of crumpled used notes that the mafia collected from the laundry.
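The amount-based "sudoku" that jamesd and Lee argue about above, as an added example that is not from anyone in the thread and not Wasabi's code: a constructed CoinJoin with three participants (names and satoshi amounts are made up; fees are ignored so sums match exactly), an exhaustive enumerator of every input/output partition consistent with the public amounts, and the intersection test that shows why the equal-denomination outputs are ambiguous while each unique change output is pinned to its input by amount alone. Real transactions carry fees and far larger sets, which this toy deliberately does not handle.

```python
from itertools import combinations

# Constructed CoinJoin, not a real transaction (amounts in satoshi, fees ignored so sums
# match exactly). Three users bring one input each; the coordinator pays equal 0.1 BTC
# "mixed" outputs plus each user's change.
INPUTS = {"in_a": 23_000_000, "in_b": 31_000_000, "in_c": 10_000_000}
OUTPUTS = {"mix1": 10_000_000, "mix2": 10_000_000, "mix3": 10_000_000,
           "mix4": 10_000_000, "mix5": 10_000_000, "mix6": 10_000_000,
           "chg_a": 3_000_000, "chg_b": 1_000_000}

def subsets_with_sum(amounts, target):
    """Every non-empty subset of `amounts` (name -> value) summing exactly to target."""
    names = list(amounts)
    for r in range(1, len(names) + 1):
        for combo in combinations(names, r):
            if sum(amounts[n] for n in combo) == target:
                yield combo

def partitions(inputs, outputs):
    """Yield every split of the transaction into sub-transactions whose input and
    output sums match: the exhaustive form of the 'sudoku' the thread refers to."""
    if not inputs:
        if not outputs:
            yield []
        return
    first, *rest = sorted(inputs)            # anchor on one input to avoid duplicates
    for r in range(len(rest) + 1):
        for extra in combinations(rest, r):
            in_group = (first,) + extra
            target = sum(inputs[n] for n in in_group)
            rem_in = {n: inputs[n] for n in rest if n not in extra}
            for out_group in subsets_with_sum(outputs, target):
                rem_out = {n: v for n, v in outputs.items() if n not in out_group}
                for tail in partitions(rem_in, rem_out):
                    yield [(in_group, out_group)] + tail

def linked_inputs(inputs, outputs):
    """For each output, the inputs that share its sub-transaction in *every* consistent
    partition. Empty set: amounts alone prove nothing. Non-empty: linked by amount."""
    linked = {o: set(inputs) for o in outputs}
    for part in partitions(inputs, outputs):
        for in_group, out_group in part:
            for o in out_group:
                linked[o] &= set(in_group)
    return linked

def summarize(inputs=INPUTS, outputs=OUTPUTS):
    """Split outputs into those the amounts leave ambiguous and those pinned to inputs."""
    linked = linked_inputs(inputs, outputs)
    ambiguous = sorted(o for o, s in linked.items() if not s)
    pinned = {o: sorted(s) for o, s in linked.items() if s}
    return ambiguous, pinned
```

For the constructed transaction the six 0.1 BTC outputs come back ambiguous, while chg_a and chg_b are pinned to in_a and in_b respectively, which is the leak Lee means by "publicly visible amount" and jamesd's "half the coins".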
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Thursday, September 10, 2020 12:19 AM, <jamesd@echeque.com> wrote:
> On 2020-09-10 02:44, Lee Clagett wrote:
>> A Monero contributor/developer for a few years now ...
>>> There are lots of cryptographers vastly better than I am, but they tend to suffer from the mighty unbreakable fortress wall syndrome. They build crypto that is utterly unbreakable against the threat as defined, and all the ways around their unbreakable wall are declared to be out of scope.
>> No actual critique here, some vague accusation of ivory tower engineering.
> Monero's blockchain necessarily leaks quite a bit of information. Perhaps the information is completely useless to an attacker. It is certainly useless to an attacker who attempts to figure out who is transacting with whom by performing the attacks specifically defined and addressed. Monero is clearly invulnerable to the bitcoin problem.
Invulnerable -> "impossible to harm or damage". "Monero is clearly invulnerable to the bitcoin problem" ... ? What does that even mean in this context? You seem to be stating that Monero has solved bitcoin's problems?
> Whether the attacker can put the bits and pieces together and frequently make a good guess as to what is happening behind the curtain is unclear to me, and I doubt it is much clearer to the developers of Monero.
> I don't see a survey and analysis looking for the gaps between the mighty unbreakable fortress walls, and am disinclined to perform such an analysis.
> If I was a Monero contributor and developer, I would have such a survey and analysis at my fingertips. What can an attacker do by analyzing the blockchain, and what patterns in the blockchain would he notice? In what ways do your activities when you use Monero cause the blockchain to differ from white noise to someone without your private keys?
You've provided no clear examples of data leakage, and assumed that there are no people within the Monero community researching such topics. There are several in the #monero-research-lab doing exactly what you describe in various ways. Funding for this is somewhat low so it's difficult to have the major press releases and landing pages describing it. There's been a few changes and possibly a few more based on analysis from people that "hang around" that IRC room. There's a few videos on YouTube for this topic as well.
>> It's worth mentioning that the original cryptonote authors were aware of the twist issues (or blindly/luckily followed DJB's advice) as the codebase has mul8 (the cofactor) in two key areas since the first commit. These authors came up with an entirely new ring-signature design - it was not as simple as "using academic literature"
> It is really hard to do new stuff securely while using a group of composite order.
> It did not seem to me that they were aware of how hard it is.
> The problem was not that their algorithms were necessarily new. The problem was that these new algorithms were necessarily implemented on a group of composite order.
I take exception with the phrasing "really hard", but certainly there is more to think about with non-prime groups. However, framing this as a mishap resulting from ignorant people that should've simply used a prime order group is also incorrect. When the coin first launched, Ristretto didn't exist and Ed25519 was an interesting choice for a curve on a new coin. The original implementation also has no issues resulting from this choice, but unfortunately a modification to the original design did. And changing the curve of a production-used coin isn't trivial. It's easy for outside critics to boast about things "they would've done" when they aren't considering all of the details.
>> I doubt you can claim more competence than this person, if any. The problem is some operations do not require a sub-group check or cofactor multiply, and either mitigation strategy uses a non-trivial number of CPU cycles.
> We know he screwed up. Would I have screwed up? You don't know and I am not sure, but I know I would have sweated bullets, being aware of how difficult it is to avoid such screw ups, and having studied other people's efforts to work around the problem.
>> The problem is no worse than Bitcoin
> The problem is vastly less worse than Bitcoin. Monero is better in this regard than Bitcoin. Whether it is enough better to make a big important difference is disturbingly unclear.
>> - did you intend to promote Zcash here?
> I have not attempted to scrutinize Zcash, which uses cryptography well beyond my limited competence.
> But I am sufficiently competent to understand Wasabi, which is what I am indeed promoting.
>> There are some negatives to that project that can be found via websearch, but the z-address transactions are (assuming no bugs or math errors) not leaking the information you describe.
> If Zcash works as described, the blockchain should look like white noise to an attacker without the private keys.
> Whether it does look like white noise is beyond my abilities to determine.
>> Wasabi is not an improvement over Monero, there is far more information leakage. I can't even think of a single privacy related benefit to Wasabi over Monero transaction constructions off-hand. Every transaction has a publicly visible amount, which aids in tracing "through" the mixing process - outputs are frequently broken into fixed-size amounts, mixed, then re-assembled into nearly the same size as the original output.
> This is the sudoku attack.
> When Wasabi was issued, it was vulnerable to the sudoku attack, which could typically track about half the coins through a transaction, but now countermeasures have been applied against that attack.
> The sudoku attack should have been foreseen, and it was not. But now there is an effort to check the mighty fortress walls to make sure there are no gaps between the mighty fortress walls that an attacker who declines to play by your security model can use.
The attack cannot be sufficiently addressed with public amounts in the transaction. The wallet user typically also has to be careful about their usage patterns. The "opt-in" privacy is a primary issue.
>> Every Monero transaction requires the ring-signature construction, so they do not "stand out" like Wasabi transactions.
> Yes, this is an important vulnerability of Wasabi transactions. They can detect that you have laundered money, though once the money has been laundered, they can track it no further. But Monero itself stands out, while Wasabi transactions are just more bitcoin transactions.
> If everyone used Monero, Monero would not stand out, and if everyone used Wasabi, Wasabi transactions would not stand out.
This is ignoring my other point - if everyone used Wasabi the efficiency gains touted by Bitcoin are reduced.
> To use crypto currency, you are apt to wind up laundering bitcoin by converting it to Monero, which transaction tends to be highly traceable, and then converting it back to Bitcoin, which transaction tends to be highly traceable, and then actually paying someone with bitcoin, whereas if you are using Wasabi, you are paying with the equivalent of crumpled used notes that the mafia collected from the laundry.
I'm not sure what you mean here.

Lee
On Wed, 9 Sep 2020 12:06:25 +1000 jamesd@echeque.com wrote:
> The problem with Monero is that though it avoids the direct linking of transactions that bitcoin suffers from, it leaks a whole lot of data about networks of people transacting with each other,
what data does it leak?
> I favor Wasabi wallet, which mingles your bitcoins with those of a large number of other people.
isn't 'wasabi wallet' an attempt at mixing that is WAY WORSE than monero? Are you sure you know what you're talking about, or are you blatantly lying as usual, promoting a piece of crap software which prolly comes straight from the NSA?
> The Lightning network solves the problem that bitcoin has of transaction linkability,
how?
> but you then have the correspondence banking problem, that too many "trusted" intermediaries know who is transacting with whom.
> There is a flaw in the human user interface of the Lightning network's system of trust. We need a Lightning network that has less need for trust, and a human interface that is more human, so you know whom you are trusting.