
Monero Village - You're not the money printer, or why we need to separate coinbase rings

Formal metadata

Title
Monero Village - You're not the money printer, or why we need to separate coinbase rings
Series title
Number of parts
374
Author
License
CC Attribution 3.0 Unported:
You may use, modify, and reproduce, distribute and make publicly available the work or its content, in unchanged or modified form, for any legal purpose, provided that you credit the author/rights holder in the manner specified by them.
Identifiers
Publisher
Year of publication
Language

Content metadata

Subject area
Genre
Transcript: English (automatically generated)
typically have in these things. All right, so next talk on the list, you're not the money printer, or why we should separate Coinbase and non-Coinbase rings. So, during the talk today, I mean, this talk might not take the full 30 minutes, but one thing I've been really passionate about over the last few years is the idea of treating Coinbase outputs differently
than non-Coinbase outputs, because people typically spend them in different ways. So, ultimately, I made the joke of you're not the money printer, because I'll cover who actually prints these Coinbase outputs, whoever handles or touches them. And I'm also going to be keeping a note of the live chat
so I will be able to answer questions on YouTube. Hopefully, the quality is working well for everyone here and the stream is going really well. Lots of really good talks today. Thank you, Daniel Kim, for everything you did at this slide before. So, first, let's get started about what, let's first cover what is an output, period, right?
So, outputs are simply piggy banks. I heard this example from someone else. I can't take credit for considering outputs piggy banks. I previously have called them pots of gold or bills or many different other things. But I like the idea of you taking an amount of money,
you put it in a container, this piggy bank, and then in order to spend this amount, the receiver needs to break open the piggy bank and put it in a new set, you know, a new output, a new piggy bank. They are single use. So, unlike the pot example, it definitely stresses the idea of these being single use.
You can not continue to keep, you know, putting these outputs elsewhere. So, as a result, an output you can think of just as a container of money. It's a really horrible name, output, honestly, just because, you know, there's many things that, you know, else you should be referring to.
Sorry, I'm checking the stream again, making sure it's working just fine. Sorry. Sunday live stream. Okay, perfect. So, output's a bad example because the source of funds could either be going in or out of a transaction. So, it definitely is misleading.
With Bitcoin, outputs do have connections to addresses. However, you would have, you know, a specific source of funds that is tied to a public address and you would be able to search that on the blockchain. However, for Monero, you need to not think of outputs as tied to addresses.
You'll see a specific output on the blockchain. You should think about these as having ties to the date they were created, not to the address that they are associated with. Because, of course, with Monero, we do not have addresses to concern ourselves with. Sure, you send and receive funds with addresses, but the blockchain,
from a perspective of what it shares publicly, does not reveal addresses anywhere. They are never present. So, therefore, do not think of outputs as addresses. Think of them as containers of funds that are single use. It's important that you understand what an output is before I go through the rest of this presentation.
Okay, next, what are ring signatures? Well, ring signatures are an important privacy feature of Monero that obfuscates the source of funds. They're often, you know, inconsiderately referred to as mixing, but it really is very, very different than a Bitcoin mixing process.
So the idea is, if you want to spend one of your sources of funds, let's say you go to a store with a $10 bill and a $5 bill, and you want to spend $11, of course you would give the teller both bills, and they would give you $4 back in change. So in this case, what you would do is you take your Monero output,
which contains a certain number of Monero, and you would include it in a single ring, and then you would include other possible outputs, which we call decoys in Monero. These are not money that you're actually spending, but funds that you ideally convincingly seem to spend, and you include them all in this one ring.
So you would say in the top example there, that perhaps the Monero transaction would conceivably spend one of these 11 outputs. Only one is actually spent, but the outside observer does not know which source of funds is actually being spent. However, granted, we're able to verify that someone is actually spending funds that they have the right to.
They're not just pretending to spend, you know, spend other people's money, because that would be absurd. So if a transaction is trying to spend two bills, like I described in the $10 and $5 case, there would be two ring signatures, two independent amounts. They're each spending one of these piggy banks, let's say, and for each piggy bank, we grab 10 other piggy banks,
and we say, hey, that might be a source. That might be where the money's coming from, and an outside observer ideally would not know any better. However, a ton of Monero research in history has shown that in many cases, people are able to learn information more than what we expect based off how these inputs are selected.
One of these is whether or not outputs are Coinbase outputs or not, which is an additional point of metadata that you can use to determine whether or not an individual is convincingly spending certain outputs. So what are Coinbase outputs? And of course, just to get it out of the way, I should very clearly state that Coinbase outputs,
in this example, are not in reference to outputs that are associated with Coinbase decentralized exchange, not at all. Coinbase outputs refer to the idea of money that is from the block reward.
So if you are taking coins and you successfully, sorry, not taking coins, but if you successfully mine a block, let's say, you have the right to make yourself a Coinbase output that consists of a few things. It consists of the block reward. This is basically money that's coming out of thin air, but it's coming out of thin air according to a very set regulated process
that the network agrees on. Dr. Daniel Kim talked about this in the earlier talk, of course. And then of course, you are able to pull in the transaction fees that people say that you're entitled to include if people mine them. Of course, fees are included as an incentive for people to choose certain transactions over others.
And of course, in Monero's case, they help compensate for the decreased block reward if you are putting in a substantial number of transactions. So those are Coinbase outputs. Again, not Coinbase the exchange, Coinbase outputs refer to outputs that are generated with the mining process.
If a coin, let's say use proof of stake or something, it would be through the staking process, but really you can think of it as coins that are generated new into the system or based off whoever the person who is authorized to sign the transaction in this case, sign the block, sorry, which would be the miner.
So you can see on the, I have sets of piggy banks going through here just to try and simplify things. But on the left there, that's the initial source of funds in the piggy bank. Those are generated from the block reward. They are highlighted that yellow there. And then the funds in all actuality are passed along further,
their histories are no longer Coinbase outputs, they're other outputs, non-Coinbase outputs, let's say. Of course, just because Monero is Monero and we obfuscate all this information, you don't necessarily know that there's this nice lovely straight line going through in all actuality, it looks super, super messy and really looks like this nonsense
where transactions may appear to go a bunch of different ways, of course, but that's not the point of this talk. Instead, we're gonna talk about who the actual money printers are. Who has the ability to print money in Monero? Those are the miners. Here is a chart showing who the miners are.
You can see that MineXMR and SupportXMR are the two dominant pools on the Monero network, but you have a few others. You have ones like XMR pool, F2Pool, Nanopool, small pools, 2Miners. So small pools consists of like everything, like a substantial number of really small pools that in sum equal 7% of the total network.
And then you have that 5% of unknown. So this is something that MineXMR is not able to associate with a specific mining pool. These can be solo miners, these can be private pools. Ultimately, it's just network hash rate that's coming out of an unknown situation
from people that might either just not bother sharing information publicly or care about mining privately or who knows what. So these are who the money printers are in Monero. And a lot of them reveal a lot of information for quite a few reasons. We have a Breaking Monero episode about public mining pool data that I strongly recommend you watch,
but SupportXMR, for example, they show the list of all the blocks that they mine. So if someone appears to spend funds that appears to spend a Coinbase output that you know was mined by SupportXMR, the only convincing way that that output could have actually been spent in that transaction
is if it was SupportXMR, like actually spending it. So if your friend, for example, sent you a transaction that spent funds that SupportXMR publicly describes as mining, your friend either better run SupportXMR or they are not actually sending you that money.
That's a fake decoy and it's known to you to be fake given the information that the public mining pool publishes. So I put it red there because it does reveal a pretty substantial amount of metadata. Most pools will show the blocks that they mine. I only looked up SupportXMR, MineXMR, Nanopool
because they're the largest, but this continues for many pools. MineXMR also shows the blocks mined, so does Nanopool. And then a few also reveal information about what transactions they make to users. And as I show in other talks, this allows outsiders to pretty reliably form a list
of all transactions, really all outputs that the pool has controlled. So as a result, SupportXMR does not actually show the specific payouts as far as the transactions are concerned. They don't say, this is the specific transaction we sent. Instead they say, we sent this much money,
which is much better than revealing the exact transactions. It makes things much more difficult, but it still likely incurs possible limitations related to timing attacks where, okay, well, what if it's the only transaction that gets mined around this time period? Well, then it would be more visible. It still reveals more information, but it's not as bad.
Nanopool, for example, shows all payout details. You can see who the specific miners are. You can see how the payments are specifically made. You can see the exact Monero transactions that go to these users. So they reveal a ton of information. So within Nanopool,
they are making a lot of information public. MineXMR is only showing payouts to users that are the actual miners. You have to put in your mining address first, and then it will show what payouts were made. This makes it more difficult for someone who's trying to track this sort of information, reveal a lot of information, learn a lot about pool held outputs.
So this is really who the money printers are. But of course you also have this unknown portion here that I talked about, like who these potentially could be. Well, we really do not, to all intents and purposes, know anything about who's mining these funds. But at the maximum, this unknown refers to, again, the maximum amount of solo miners
or private miners that might be potentially impacted if we start meddling with Coinbase outputs, because clearly these exchange, sorry, these mining pools don't really care about revealing information publicly because they have done so for ages and continue to do so. So the only people that do care about their privacy
from this perspective happen to actually be those that are mining in unknown pools or solo mining, right? So we need to talk about who actually owns these outputs. Who is the one that's actually likely to spend, control, et cetera, these outputs? Well, Coinbase outputs are only spent by two groups of people, mining pools
or people that are solo mining or mining on a private pool. And there's only about like 10 total mining pools that like consistently mine blocks. And for solo miners, there aren't that many of those either. There's a relatively small number, let's say.
Well, there's also the next set. So instead of just funds that come from Coinbase, there's also, okay, what's the from Coinbase outputs, let's say, the next set. Once they're spent from Coinbase, who convincingly may actually hold these outputs? Well, it's still the mining pools because mining pool mines a block,
they send a transaction to someone, the Coinbase block, sorry, the Coinbase output, and then they receive change back to the mining pool. So they still will hold onto these blocks. So they are convincing holders of the from Coinbase outputs. But solo miners are still also convincing holders, but really the extra layer of protection for users
comes in the idea that pool miners, not just the pool operators, but the pool miners are likely recipients of these from Coinbase outputs. Because a mining pool, again, will mine a block and they'll send a payout to someone. They need to send that payment somehow. So they need to spend that Coinbase output.
They might give the output that's generated next to specific users. And so therefore the entropy set of who actually may touch these outputs, even though on chain it's only one level away from the mining, so the Coinbase outputs, in all actuality, holding one of these outputs covers a much wider scope of activity.
And so it's much more convincing. If your friend, let's say, sends you a decoy that includes one of these outputs, they perhaps might've just been mining with their laptop on a mining pool and eventually got a tiny fraction of a payout. That's possible. That's certainly much more possible
than them sending you an actual Coinbase output. It's completely different. It's much, much more convincing. So it's important to consider who actually touches these outputs. And this is, you know, wraps around to the scope of the talk or name of the talk again in saying that, are you a convincing money printer? Are you a convincing person to actually touch these initial Coinbase outputs?
For the vast majority of people, the answer is no. Very, very few predictable people are the ones that typically touch these Coinbase outputs. So what can we do? Well, we can handle Coinbase outputs differently. We can optionally decide to say, hey, we would like Coinbase rings
to remain separate from non-Coinbase rings. One thing we can also do with consensus changes is say that Coinbase rings must be a certain size and non-Coinbase rings must be a certain size. Of course, for Monero transactions right now, we mandate a ring size of 11 for all transactions,
whether they're spending Coinbase outputs or not spending Coinbase outputs. But we could say, well, since there's so much information available public anyway for Coinbase outputs, because mining pools make so much information public, we can instead say, well, let's just say that these can have a smaller ring size. We'll drop them down to three. We will inform network participants
that Coinbase outputs themselves are not reasonably protected because it's predictable to figure out who actually owns them. So therefore we can save transaction efficiency, network efficiency for these specific outputs. And those who are actually solo mining or mining on private pools will just be told,
well, don't specifically send these funds you generate to someone else. You will at least want one level of separation. So you include a much wider scope of activity there. And then of course, with the non-Coinbase ring, we can say, oh, well, we can keep this at size 11, let's say, or maybe we can pop it up to size 12 or 13
just to take advantage of those additional efficiency benefits. So the network overall is still as efficient as it was before to verify, but the users who do care about privacy are actually getting it. And the people who don't care are not having efficiency wasted on them in a way. So yeah, again, in the Coinbase rings,
the only ones that actually would construct these are mining pools and solo miners. For the non-Coinbase rings, these would be constructed by everyone, including mining pools and solo miners, of course. So the whole network is constructing these, but we can make separate rules for Coinbase rings. And that might be warranted if network activities suggest that it will actually be impacting
certain users' behavior. So Sarang Noether looked at the actual spend distribution of Coinbase and non-Coinbase outputs in Monero. Now, granted, the only way we were actually able to look at these is by looking at Monero's traceable old history. So Monero from 2014 to 2017
definitely did not have very strong ring signature protections. And so we were able to determine when certain outputs were spent. And then we, you know, Dr. Sarang Noether broke them down to whether or not they were Coinbase or non-Coinbase outputs. And as you can see, there's very little difference. So we have the option too to say,
oh, well, we can have different time selection periods for whether or not we're selecting decoys for Coinbase or non-Coinbase rings. But the evidence so far shows that there's no need to actually do this. But if there was a need to do that, then the benefit to overall privacy for people would be far greater because we're able to segregate by this required point of network metadata,
whether or not an output is a Coinbase output or not. So just something to think about, that's something we can do, but there's no need to, given current research so far. So I know the point of the talk is like, you know, why we should, but ultimately one of the big takeaways I want is you don't need to panic as a result of this.
Coinbase outputs are increasingly rare as a portion of, sorry, proportion of total network activity. And ring sizes are pretty large already, and they will most likely get substantially larger in the future. So looking at some transaction data on total number of transactions per block, there are about two outputs per transaction. There are at least two. So actually the output,
the average is a little bit more than two, but to all intents and purposes, let's just consider it two. Over the past month, year, there's been about 13 Monero transactions per block, which is quite a bit, a lot more than in Monero's, you know, early history. So that means 13 transactions times two outputs per transaction, we're generating 26 outputs per block
just by non-Coinbase related transactions. And then of course we have that one Coinbase output that's being generated per block. So really the total proportion of Coinbase outputs that are being generated is a pretty low 3.7%. So all things being equal, if you are selecting decoys from the blockchain,
the likelihood you're gonna choose a new Coinbase output is much lower than choosing a non-Coinbase output. In the past with a smaller transaction amount, this used to be closer to 20% even a year or so ago. So it really has changed with the additional adoption of Monero activity.
That is really what has changed, you know, the discussion here is based off Monero having far more transactions that will make the absolute impact of Coinbase outputs, you know, or proportional, sorry, the proportional impact be small and the absolute for each transaction be smaller too.
So that's pretty exciting to think about. Also large ring sizes still minimize, like pretty much for all things Monero attack related. One solution is always, well, why don't we just bump the ring size? Just increase the ring size, you know, just keep bumping the ring size, right? So with the current situation, you have 11 ring members and on average,
you're probably gonna select one or zero Coinbase outputs per transaction. Again, it used to be more like one to three, but really at the moment it's zero or one for most transactions. So you can say that, oh, well, if one Coinbase output is selected, really unless you know that they're a miner, you know, a mining pool operator,
not even just a miner, the effective ring size is actually 10, it's reduced by one. Well, if we do not segregate Coinbase rings, well, we still will have a proportional scale where the total proportion of Coinbase outputs are still going to be selected for even larger ring sizes. And so more outputs are gonna be compromised,
but ultimately at the end of the day, the effect of ring size is still going to increase quite substantially, right? Where, you know, the difference between 128 and 116 is far lower, even though it's a proportional same than the difference between 11 and 10, right? The actual decoy difference is much bigger in practice
for smaller numbers than bigger numbers. So in conclusion, you are not the money printer, right? You are not actually spending Coinbase outputs. There's no convincing way that you would ever control these for any reason, but this only materially matters if Monero has small adoption.
If Monero has only a handful of transactions per block, then yes, it does matter. The proportion of Coinbase outputs would be quite significant. However, if you have the tune of dozens of Monero transactions per block on average, then really Coinbase outputs
aren't getting in the way that much. They just aren't. So, you know, the most important thing for resolving this problem is making sure that Coinbase outputs are rare, proportional to the total number of transaction amounts. And really the total number of Coinbase outputs
is not changing per day. That's like stagnant. Every two minutes on average, a block is gonna be mined. That's predictable. So network activity for all other transactions needs to be substantial in order to cover users, right? So really, we should, in my opinion,
still separate Coinbase outputs because in all reality, if you see a transaction still that appears to spend a Coinbase output, the likelihood it actually is spending this is very, very low, very, very low. It's not super likely.
So we should still separate it, but at the end of the day, it's also not the end of the world if we don't. And so that's one of those good problems to have, I guess. And then as ring sizes increase too, you likely will have, or you also will have an increase in the absolute protection provided by the rings anyway,
even if a few of them are going to be selecting from these toxic Coinbase output pools. So ultimately, that's the main takeaway from this whole talk. Okay, so if you wanna get more educated on Monero, learn more, get started, join the communities, you can get educated by going to masteringmonero.com.
You can read a free book there, buy a print version. You can go to moneromeans.money and watch a movie that Dr. Daniel Kim was the star in. It was actually number one box office in the United States for two days and number two for the week and weekend back in April. You can download cakewallet.com and get the app there.
You can go to getmonero.org and download that wallet. There's also other great wallets like Monero you can download or you can join the Monero communities. The Monero community work group is communityworkgroup.org. It will actually be changing shortly to monerocommunity.org and the other communities are listed on getmonero.org. My specific information is contact there at above.
Just really was interested in Coinbase outputs and felt that it was necessary to have a talk about them at some point. I know it's kind of niche, but it's important to think about certain points of metadata on the Monero blockchain and then try and connect these points of metadata to user behavior to see if anything is revealing
and will potentially degrade Monero privacy. So it's important to think about these things going forward. All right, that's the end of my talk. We have some wonderful other talks coming up. So I'm going to hand it off to the rest of the Monero village and hope you enjoy the rest of your time here. Take care.