US Homeland Security Can Now Track Privacy Crypto Monero

jamesd at echeque.com jamesd at echeque.com
Wed Sep 9 21:19:42 PDT 2020


On 2020-09-10 02:44, Lee Clagett wrote:
> A Monero contributor/developer for a few years now ...
> > There are lots of cryptographers vastly better than I am, but they
> > tend to suffer from the mighty unbreakable fortress wall syndrome.
> > They build crypto that is utterly unbreakable against the threat
> > as defined, and all the ways around their unbreakable wall are
> > declared to be out of scope.

> No actual critique here, some vague accusation of ivory tower
> engineering.

Monero's blockchain necessarily leaks quite a bit of information.
Perhaps the information is completely useless to an attacker.
It is certainly useless to an attacker who attempts to figure
out who is transacting with whom by performing the attacks
specifically defined and addressed.  Monero is clearly invulnerable
to the bitcoin problem.

Whether the attacker can put the bits and pieces together and
frequently make a good guess as to what is happening behind the
curtain is unclear to me, and I doubt it is much clearer to
the developers of Monero.

I don't see a survey and analysis looking for the gaps between
the mighty unbreakable fortress walls, and am disinclined to
perform such an analysis.

If _I_ was a Monero contributor and developer, I would have such
a survey and analysis at my fingertips.  What _can_ an attacker do
by analyzing the blockchain, and what patterns in the blockchain
would he notice?  In what ways do your activities when you use
Monero cause the blockchain to differ from white noise to someone
without your private keys?

> It's worth mentioning that the original cryptonote authors were aware of
> the twist issues (or blindly/luckily followed DJB's advice) as the
> codebase has mul8 (the cofactor) in two key areas since the first
> commit. These authors came up with an entirely new ring-signature
> design - it was not as simple as "using academic literature"

It is really hard to do new stuff securely while using a group of
composite order.

It did not seem to me that they were aware of how hard it is.

The problem was not that their algorithms were necessarily new.  The
problem was that these new algorithms were necessarily implemented on a
group of composite order.

> I doubt you can claim more competence than this person, if any. The
> problem is some operations do not require a sub-group check or cofactor
> multiply, and either mitigation strategy uses non-trivial number of CPU
> cycles.

We know he screwed up.  Would I have screwed up?  You don't know and
I am not sure, but I know I would have sweated bullets, being aware
of how difficult it is to avoid such screw ups, and having studied
other people's efforts to work around the problem.

> The problem is no worse than Bitcoin

The problem is vastly less worse than Bitcoin.  Monero is better
in this regard than Bitcoin.  Whether it is enough better to make
a big important difference is disturbingly unclear.

> - did you intend to promote Zcash here?

I have not attempted to scrutinize Zcash, which uses cryptography well
beyond my limited competence.

But I am sufficiently competent to understand Wasabi, which is what I am
indeed promoting.

> There are some negatives to that project that can be found via
> websearch, but the z-address transactions are (assuming no bugs or math
> errors) not leaking the information you describe.

If zcash works as described, the blockchain should look like white
noise to an attacker without the private keys.

Whether it _does_ look like white noise is beyond my abilities
to determine.

> Wasabi is not an improvement over Monero, there is far more information
> leakage. I can't even think of a single privacy related benefit to
> Wasabi over Monero transaction constructions off-hand. Every transaction
> has a publicly visible amount, which aids in tracing "through" the
> mixing process - outputs are frequently broken into fixed sized-amounts,
> mixed, then re-assembled into nearly the same size as the original
> output.

This is the Sudoku attack.

When Wasabi was issued, it was vulnerable to the Sudoku attack,
which could typically track about half the coins through a
transaction, but _now_ countermeasures have been applied against
that attack.

The Sudoku attack should have been foreseen, and it was not.  But
_now_ there is an effort to check the mighty fortress walls to make
sure there are no gaps between the mighty fortress walls that an
attacker who declines to play by your security model can use.

> Every Monero transaction requires the ring-signature
> construction, so they do not "stand out" like Wasabi transactions.

Yes, this is an important vulnerability of Wasabi transactions.  They
can detect that you have laundered money, though once the money has been
laundered, they can track it no further. But Monero _itself_ stands out,
while Wasabi transactions are just more bitcoin transactions.

If everyone used Monero, Monero would not stand out, and if everyone
used Wasabi, Wasabi transactions would not stand out.

To use cryptocurrency, you are apt to wind up laundering bitcoin by
converting it to Monero, which transaction tends to be highly traceable,
and then converting it back to Bitcoin, which transaction tends to be
highly traceable, and then actually paying someone with bitcoin, whereas
if you are using Wasabi, you are paying with the equivalent of crumpled
used notes that the mafia collected from the laundry.
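The composite-order problem discussed above (the "mul8" cofactor multiply versus a sub-group check) can be made concrete on Ed25519 itself. The following is an added example, not code from either poster or from Monero: it uses the real Ed25519 curve constants, but the scalar 12345, the point names and the helper functions are constructed for illustration. It shows that a valid point plus the order-2 torsion point (0, -1) still passes the on-curve check, fails the sub-group check (multiplying by the group order l), and that multiplying by the cofactor 8 removes the torsion component, at very different costs.

```python
# Ed25519 torsion demonstration: on-curve check vs. sub-group check vs. cofactor clearing.
p = 2**255 - 19
d = (-121665 * pow(121666, -1, p)) % p          # twisted Edwards constant, a = -1
L = 2**252 + 27742317777372353535851937790883648493  # order of the prime-order subgroup
COFACTOR = 8                                    # curve order is 8 * L (composite)
SQRT_M1 = pow(2, (p - 1) // 4, p)               # sqrt(-1) mod p, used for x recovery

def on_curve(P):
    """Checks -x^2 + y^2 = 1 + d x^2 y^2; torsion points pass this too."""
    x, y = P
    return (-x * x + y * y - 1 - d * x * x * y * y) % p == 0

def add(P, Q):
    """Complete affine addition law for a = -1 twisted Edwards curves."""
    x1, y1 = P
    x2, y2 = Q
    t = d * x1 * x2 * y1 * y2 % p
    x3 = (x1 * y2 + x2 * y1) * pow(1 + t, -1, p) % p
    y3 = (y1 * y2 + x1 * x2) * pow(1 - t, -1, p) % p
    return (x3, y3)

def mul(k, P):
    """Plain double-and-add scalar multiplication (not constant time; demo only)."""
    R = (0, 1)                                  # neutral element
    while k:
        if k & 1:
            R = add(R, P)
        P = add(P, P)
        k >>= 1
    return R

def recover_x(y):
    """Standard Ed25519 x recovery from y (either root is fine for this demo)."""
    xx = (y * y - 1) * pow(d * y * y + 1, -1, p) % p
    x = pow(xx, (p + 3) // 8, p)
    return x if (x * x - xx) % p == 0 else x * SQRT_M1 % p

B_y = 4 * pow(5, -1, p) % p
B = (recover_x(B_y), B_y)                       # base point, generates the order-L subgroup
T2 = (0, p - 1)                                 # order-2 torsion point: on curve, outside subgroup

def in_prime_subgroup(P):
    """Expensive check: ~253 doublings to test L*P == identity."""
    return on_curve(P) and mul(L, P) == (0, 1)

def clear_cofactor(P):
    """Cheap mitigation: 3 doublings, but only works if every consumer applies it."""
    return mul(COFACTOR, P)

def demo(secret=12345):                         # constructed scalar standing in for a key
    pk = mul(secret, B)
    bad = add(pk, T2)                           # same key with a torsion component bolted on
    return {"bad_on_curve": on_curve(bad),
            "bad_in_subgroup": in_prime_subgroup(bad),
            "cleared_equal": clear_cofactor(bad) == clear_cofactor(pk)}
```

Without the sub-group check, `pk` and `bad` are accepted as two distinct valid points even though they carry the same secret; a consumer that multiplies by 8 collapses them back to one value, which is the role the "mul8" in the quoted codebase plays.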
