US Homeland Security Can Now Track Privacy Crypto Monero

Lee Clagett forum at leeclagett.com
Wed Sep 9 09:44:04 PDT 2020


A Monero contributor/developer for a few years now ...

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Tuesday, September 8, 2020 10:06 PM, <jamesd at echeque.com> wrote:

> On 2020-09-01 11:31, jim bell wrote:
>
> > https://decrypt.co/40284/us-homeland-security-can-now-track-privacy-crypto-monero
> > Jim Bell's comment: I don't know if this is true, but true or not, we need to learn the truth.
> > Jim Bell
>
> I have examined Monero's security.
>
> I did not find a way to break it, but it failed to inspire me
> with confidence.
>
> There are lots of cryptographers vastly better than I am, but they
> tend to suffer from the mighty unbreakable fortress wall syndrome.
> They build crypto that is utterly unbreakable against the threat
> as defined, and all the ways around their unbreakable wall are
> declared to be out of scope.

No actual critique here, some vague accusation of ivory tower
engineering.


> And there are lots of cryptographers, me being one of them, who
> are aware of the fact that you need walls on all sides, but are
> apt to screw up the crypto. Monero struck me as being of even
> less than my own regrettable level of cryptographic competence,
> (I would not have fucked up over non prime order elliptic points)

I'm going to assume that you are not god, and are in fact infallible.

It's worth mentioning that the original cryptonote authors were aware of
the twist issues (or blindly/luckily followed DJB's advice) as the
codebase has mul8 (the cofactor) in two key areas since the first
commit. These authors came up with an entirely new ring-signature
design - it was not as simple as "using academic literature" - the
technique requires one-time use stealth addresses. And the stealth
addresses _may_ have been the design of these same authors (it's
ambiguous whether "ByteCoin" on bitcointalk is related to the coin with
the same name).

The person who wrote the bulk of the ring-CT code (not associated with
the original cryptonote developers) was almost certainly aware of
cofactor issues. This person had to adapt the
"confidential-transactions" concept to work with Monero ring-signatures.
I doubt you can claim more competence than this person, if any. The
problem is some operations do not require a sub-group check or cofactor
multiply, and either mitigation strategy uses a non-trivial number of
CPU cycles.


> and somewhat less than my level of awareness of the need for walls
> to properly link up with each other.
>
> The problem with Monero is that though it avoids the direct linking
> of transactions that bitcoin suffers from, it leaks a whole lot of
> data about networks of people transacting with each other, and I
> suspect that some of the time, the data that it does leak is
> sufficient to make a pretty good guess of what is going on behind
> the mighty fortress walls of cryptography, that sometimes it
> is bulletproof, and sometimes the bullets get through.

The problem is no worse than Bitcoin - did you intend to promote Zcash
here? There are some negatives to that project that can be found via
web search, but the z-address transactions are (assuming no bugs or math
errors) not leaking the information you describe.


> I don't think anyone has broken it - I certainly could not -
> but I expect that the adversaries are making efficient use of
> what it does leak - that they can find interesting information in
> what is out of scope of its security model.
>
> I favor Wasabi wallet, which mingles your bitcoins with those of a
> large number of other people.
>

Wasabi is not an improvement over Monero; there is far more information
leakage. I can't even think of a single privacy-related benefit to
Wasabi over Monero transaction constructions off-hand. Every transaction
has a publicly visible amount, which aids in tracing "through" the
mixing process - outputs are frequently broken into fixed-size amounts,
mixed, then re-assembled into nearly the same size as the original
output. Also, every output in a "mix" operation is **definitely** spent,
where in Monero an output in a ring-signature is _possibly_ spent. This
makes tracking a bit more challenging because an output can appear any
number of times as an input. The technique by Monero is also
non-interactive, so there isn't any IP-related data leakage to a mixing
server. Every Monero transaction requires the ring-signature
construction, so they do not "stand out" like Wasabi transactions. If
this "flipped" to where Wasabi style is the norm, then Bitcoin
transaction volume is massively increased, narrowing (or passing) the
gap to the larger Monero transactions.

The code for auditing the supply still remains simpler, but I cannot
think of a single benefit to privacy.


> The Lightning network solves the problem that bitcoin has of
> transaction linkability, but you then have the correspondence
> banking problem, that too many "trusted" intermediaries know
> who is transacting with whom.
>
> There is a flaw in the human user interface of the Lightning
> network's system of trust. We need a Lightning network that
> has less need for trust, and a human interface that is more human,
> so you know whom you are trusting.

Lee

