How Secure is Monero?
The massive uptick in the public’s awareness of blockchain and cryptocurrency was recently driven home for me in an extremely personal way. I usually find myself dreading the mere mention of those words in social situations (with pretty much anyone) simply due to the fact that I know I will inevitably find myself in a thirty minute discussion about “distributed ledgers,” “trustless transactions,” and “mining” only to realize that the information I relayed in the first sentence or two is the only information that has registered with the other participants… if I’m lucky. So, when I recently found myself sitting across the dinner table from my soon-to-be-mother-in-law discussing the topic, I found it difficult to keep my jaw from dropping due to the fact that the septuagenarian pontificating on the matter actually “knew” about cryptocurrency and, more surprisingly, actually grasped a few of its key principles.
Consider that for a moment. DAG technology and cryptocurrency are complicated, even for those who are actually interested in them. Add to that the dismissive attitude of governments and banks across the globe and the fact that the media seems to revel in showcasing everything “wrong” with the technology, and generally, if people have even heard of the subject at all it is highly likely the only contribution they could make to the discussion will be something along the lines of pointing out that a not-insignificant number of early cryptocurrency adopters emerged from online black-markets in an attempt to engage in transactions while maintaining a heightened level of anonymity. These rare few would all point out that websites such as Silk Road and AlphaBay online black markets where users could exchange cryptocurrency for illegal drugs, items, and services.
So, I would count my interaction with my soon-to-be-mother-in-law as a major win for the sector, because it does show how far we have come. The sad part is that it also highlights just how far we have to go, because even those people who actually grasp the concepts enough to hold a conversation for more than fifteen seconds all seem to mistake blockchain’s ability to create “decentralized currency” for “anonymity.” What these people are about to find out is the same thing that some early Bitcoin users found out the hard way: Bitcoin expressly identifies what coin is used in every transaction on its blockchain. Every. Single. One. Ever. Why is that important I hear you asking? Allow me to paint the picture for you: the immutability of a blockchain that provides “decentralization” and “trustless transactions” can allow a hacker or government agency to trace every transaction on the chain back to the individuals (or at least their public keys) who made them and, because of the permanence of a distributed ledger (a blockchain in the case of bitcoin), this traceability is permanent and shall exist for as long as the blockchain remains in existence.
Obviously, this was not ideal for certain people, so in response to the understanding that Bitcoin was not as anonymous as originally perceived, a new currency called Monero was developed to mitigate the traceability issues associated with Bitcoin. Monero was developed for and has focused on protecting their user’s privacy through the use of “mixins.” When a traditional cryptocurrency transaction occurs, a user sends an “output” (crypto-language for the coin) to the recipient’s address with a set of instructions that allows the receiving user to unlock the amount. This allows the recipient to utilize and transfer the output to another user. This transaction is then recorded to the coin’s corresponding blockchain, effectively broadcasting the transaction to the public through a transaction graph. The public nature of verifiability is the foundation on which bitcoin and similar currencies are built, this is the feature that allows the currency to have value, to defeat copying, and to verify transactions without a centralized clearinghouse (i.e. banks). This process clearly presents a problem for individuals who want to engage in sensitive transactions without the rest of the world knowing.
To address this issue, Monero alters this process by recording a bundle of outputs to the blockchain when a transaction occurs; one of those outputs in the bundle is the real coin that is transferred to the recipient and the rest of the outputs are chaff outputs called mixins. Instead of creating a transaction graph, this creates a transaction ring. In theory, this would prevent an anyone looking at the blockchain from finding a clear history of the coin’s transactions, and therefore they would not be able to attach that transaction to a single individual. But as with any security protocol or “uncrackable safe,” where there is a will there is a way, and recently hackers have found a way to distinguish between the real coin and the mixins.
A paper released on March 28 by a group of computer scientists from five different universities discovered two weaknesses in Monero’s privacy measures that would give anyone seeking information from the blockchain a high probability of distinguishing the real coin from the mixins. The two most concerning things about this discovery is that Monero basically compromised their own privacy measures and every transaction on Monero’s blockchain is at risk.
The first weakness is called the deductibility method. When Monero was first created, it allowed users to opt-out of its privacy measures, so people could conduct transactions on the Monero blockchain without using mixins. This, in turn, recorded a transaction graph, and thus, the transaction history unencumbered by mixins. Although this is the way most other cryptocurrency blockchain’s operate, it is fatal to Monero’s privacy measures because hackers or government agencies can now identify which mixins have already been spent. This allows the attacker to label the already spent outputs as mixins and deduct them from the transaction ring. Eventually, the real coin is all that is left. This is especially problematic since 64% of all transactions on Monero’s blockchain do not include any mixins.
Furthermore, mining pools have created a similar deductibility problem. When a group of miners pool their mining activity, the pool owner receives its reward from creating the block, then distributes the reward to the miners based on their contribution. This process has been made transparent by pools publically announcing what blocks they found, and subsequently the reward distribution transactions. Attackers can use this information to determine whether a transaction belongs to the same block of the pools payout transaction. Most of the time, if the transaction does in fact belong to the same block as the pool payout, it is likely the real coin. This presents the same issues that zero mixin transactions created.
This method was just made dramatically easier by Monero’s hard fork on April 6th that created MoneroV. The hard fork duplicates the original blockchain that Monero is built upon, which in turn duplicates the ring signatures preciously created to obscure transactions. As coindesk describes, “if a key image (the ring signature) is repeated, it can expose the original transaction.” Essentially, the hard fork gives hackers more information about the ring signature, furthering their ability to deduce the mixins from the real coin.
The second weakness is called the temporal method, and it is much more straightforward than the deducibility method. For around 90% of the transactions using mixins, the real coin is usually the coin that was most recently moved prior to the transaction. Although the temporal method has been addressed by Monero, it only reduced its success rate from around 90% to 45%.
Due to the nature of blockchain technology, the information cannot be altered and the record remains on the blockchain forever for the public to see. Ultimately, as Wired said, this “shouldn’t just worry anyone trying to stealthily spend Monero today. It also means evidence of earlier not-quite-untraceable payments remain carved into Monero’s blockchain for years to come, visible for any snoop that cares to look.”
Although these weaknesses present major problems to Monero’s and its users, all is not lost. The paper’s authors not only identified these two weaknesses, but they also suggested that Monero take several countermeasures to cure them. The first measure is to improve the mixin sampling procedure to ensure that the mixins are not always older than the real coin. This can be achieved by changing the mixin sampling algorithm, or by “binned mixin sampling.”[1] Essentially, binned mixin sampling would place outputs, including mixins and real coins, in bins with outputs of similar age. As the paper describes, “binned mixin sampling ensures that all the outputs in a bin cannot be deduced as spent until the last unspent output in the bin is spent, preventing deduction attacks from reducing the effective untraceability of an output to less than the bin size.”[2]
Next, Monero could simply label transactions that do not include any mixins and “deanonymized,” and avoid using any deanonymized transactions as mixins in future transaction rings. This would greatly reduce the effectiveness of the deductibility method because an attacker cannot look at a transaction ring and clearly identify which coins have already been spent and deduce which output is the real coin.
Lastly, and perhaps most fatal to the future of Monero, is to warn users that their transactions are vulnerable to being tracked by hackers, security experts, or even government agencies. Since Monero’s success is largely due to its purported ability to keep transactions anonymous, many users will no longer have an incentive to use the currency if their privacy may be compromised. (Zcoin and Zcash have been waiting in the wings for a moment like this.)
For better or for worse, clear record keeping is the basis of blockchain. In order for it to remain decentralized, yet legitimate, its users must be able to track the history of the coin and ensure that the coin’s holders are in legitimate control of the currency. As mentioned earlier, this information is available to the public, and it can never be altered. Companies who claim to have created a coin that provides its users with privacy need to actually deliver on their promises. Wired quoted Riccardo Spagni, Monero’s core developer and spokesperson, stating that, “privacy isn’t a thing you achieve, it’s a constant cat-and-mouse battle.” However, for these companies to stay ahead of this cat-and-mouse battle, they need to be willing to spend the resources to develop the necessary technology to maintain privacy and be transparent to all of its users of potential risks. Cryptocurrency and blockchain technology is a way for individuals to gain independence from established banks and governments, so maintaining privacy and preventing hackers or governments from exploiting the blockchain to gain information on individuals must be on the top of the priority list for companies like Monero.
[1]Malte Möser et al., An Empirical Analysis of Traceability in the Monero Blockchain, Proceedings on Privacy Enhancing Technologies 13 (2018), https://arxiv.org/pdf/1704.04299/ (last visited Mar 28, 2018).
[2] Id. at 14
Read more here.
The information in this blog post (the “Blog” or “Post”) is provided as news and/or commentary for general informational purposes only. The information herein does not, and shall never, constitute legal advice and therefore cannot be relied upon as a legal opinion. Nothing in this Blog constitutes attorney communication and is not privileged information. Nothing in the Post creates any kind of attorney client relationship or privilege of any kind.
